The NIST Framework for Cybersecurity
Matthew Todd, SF Bay InfraGard

Get the Framework
The National Institute of Standards and Technology [NIST] Framework for Improving Critical Infrastructure Cybersecurity
http://www.nist.gov/cyberframework/

The Executive Order
“It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Executive Order 13636, February 12, 2013

This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk.

What is it, exactly?
• Voluntary
• Risk-based framework
• Industry standards and best practices
• Provides organization, structure, and language
• Cost-effective
• Based on business needs
• Considers privacy
• Can complement or test existing programs

Key Goals of the Framework “Lifetime”
1. Describe the current cybersecurity risk management posture
2. Describe the target posture
3. Identify and prioritize gaps
4. Assess progress towards the target state
5. Communicate with internal and external stakeholders
6. Iterate
It may also be used outside of a cyclic process, for example with a vendor.

The Framework: The Parts
• The Core
  • The essential elements of a cybersecurity program
  • A common language
• The Implementation Tiers
  • A way to talk about the extent and sophistication of risk management
• The Profiles
  • A description of current or target risk management programs

The Framework: Core
• A matrix of:
  • Functions
  • Categories
  • Subcategories
  • Informative references
• Describes activities and desired outcomes
• Functional areas:
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Functions and Categories of the Core:

Function Unique Identifier   Function   Category Unique Identifier   Category
ID                           Identify   ID.AM                        Asset Management
                                        ID.BE                        Business Environment
                                        ID.GV                        Governance
                                        ID.RA                        Risk Assessment
                                        ID.RM                        Risk Management Strategy
PR                           Protect    PR.AC                        Access Control
                                        PR.AT                        Awareness and Training
                                        PR.DS                        Data Security
                                        PR.IP                        Information Protection Processes and Procedures
                                        PR.MA                        Maintenance
                                        PR.PT                        Protective Technology
DE                           Detect     DE.AE                        Anomalies and Events
                                        DE.CM                        Security Continuous Monitoring
                                        DE.DP                        Detection Processes
RS                           Respond    RS.RP                        Response Planning
                                        RS.CO                        Communications
                                        RS.AN                        Analysis
                                        RS.MI                        Mitigation
                                        RS.IM                        Improvements
RC                           Recover    RC.RP                        Recovery Planning
                                        RC.IM                        Improvements
                                        RC.CO                        Communications

Example Subcategories with their Informative References:

Function: Identify; Category: Asset Management (ID.AM)
Subcategory ID.AM-1: Physical devices and systems within the organization are inventoried
References: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

Function: Detect; Category: Security Continuous Monitoring (DE.CM)
Subcategory DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
References: COBIT 5 APO07.06; ISO/IEC 27001:2013 A.14.2.7, A.15.2.1; NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

Function: Recover; Category: Improvements (RC.IM)
Subcategory RC.IM-1: Recovery plans incorporate lessons learned
References: COBIT 5 BAI05.07; ISA 62443-2-1:2009 4.4.3.4; NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

The Framework: Implementation Tiers
• Perspective on risks, and the extent of mitigation
• Organization-wide
• Four Tiers:
  1. Partial
  2. Risk-informed
  3. Repeatable
  4. Adaptive
• Can be used with executive management
How to use the Tiers is not clearly defined in the Framework!

The Framework: Profiles
• A Profile is a description of a risk management program
• The Current Profile is an assessment of the current state
• The Target Profile is a goal state, considering:
  • Risks
  • Business requirements
  • Available resources
  • Regulatory or other requirements
• The difference between Current and Target is the gap

Organizational Structure (diagram)
• Executive Level: Risk Management; BIA / Risk Assessment; Budget and Priorities
• Business/Process Level: Desired Profile; Progress to Goal
• Implementation/Operations Level: Implementation

Put it All Together: A Basic Security Program
1. Identify Business Objectives and Scope
2. Identify Context (environment, regulations, etc.)
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Identify and prioritize gaps
7. Create and implement an Action Plan
8. Iterate!

Caution
• The framework relies on your ability to objectively:
  • Identify current risk
  • Assess mitigating controls
  Seek independent counsel.
• Acknowledged risks can be used against you.

Prioritize: “What” and “Why”
• Privacy risks: ensure that privacy requirements are considered
• Competing risks: identify and empower the right business owner to make key risk decisions

Other Sources
• SANS Critical Security Controls
  • 20 key controls
  • Available at http://www.sans.org/critical-security-controls
• ISO/IEC 27000-series
  • International standard for information security
  • Certifications are available, but are generally non-US based
• Federal Financial Institution Examination Council (FFIEC)
  • Examination “handbooks”
  • “…uniform principles, standards, and report forms for the federal examination of financial institutions”
  • http://ithandbook.ffiec.gov/
• US-CERT C-Cubed
  • http://www.us-cert.gov/ccubedvp/getting-started-business
• PCI/DSS
• SSAE 16/SOC 2

The Framework Template
• An Excel spreadsheet
• Set high/low water marks
• Highlights areas in yellow and red
• Rolls up to categories
• Can be used internally or with vendors
Available at the member site or on request

Q&A
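The Current-vs-Target gap analysis from the Profiles slide and the water-mark colouring and category roll-up from the Framework Template slide, as an added example that is not the speaker's template or NIST's own tooling. The 0-4 scores, the water marks and the ID.AM-2 entry are constructed sample values; only the three subcategory identifiers come from the slides.

```python
"""Added example (not from the slides): Current vs. Target Profile gap analysis
with yellow/red water marks and roll-up to Framework Categories."""
from collections import defaultdict

# Constructed sample profile: subcategory -> (current score, target score), 0-4 scale.
PROFILE = {
    "ID.AM-1": (1, 3),   # physical devices and systems inventoried
    "ID.AM-2": (2, 3),   # constructed sibling entry in the same category
    "DE.CM-6": (0, 3),   # external service provider activity monitored
    "RC.IM-1": (3, 3),   # recovery plans incorporate lessons learned
}

def rate_gap(current, target, low_mark=1, high_mark=2):
    """Colour one subcategory by the size of its gap (target minus current):
    at or above high_mark is red, at or above low_mark is yellow, else green."""
    gap = max(target - current, 0)
    if gap >= high_mark:
        return "red"
    if gap >= low_mark:
        return "yellow"
    return "green"

def category_of(subcategory_id):
    """Map a subcategory identifier to its category, e.g. 'DE.CM-6' -> 'DE.CM'."""
    return subcategory_id.split("-")[0]

def rollup(profile, low_mark=1, high_mark=2):
    """Roll subcategory results up to category level: the worst colour wins and
    the category gap is the largest subcategory gap, so one red item flags it."""
    rank = {"green": 0, "yellow": 1, "red": 2}
    cats = defaultdict(lambda: {"max_gap": 0, "color": "green", "items": []})
    for sub, (cur, tgt) in sorted(profile.items()):
        color = rate_gap(cur, tgt, low_mark, high_mark)
        cat = cats[category_of(sub)]
        cat["items"].append((sub, cur, tgt, color))
        cat["max_gap"] = max(cat["max_gap"], tgt - cur)
        if rank[color] > rank[cat["color"]]:
            cat["color"] = color
    return dict(cats)

def prioritized_gaps(profile):
    """The 'identify and prioritize gaps' step: open items, largest gap first."""
    open_items = [s for s, (cur, tgt) in profile.items() if tgt > cur]
    return sorted(open_items, key=lambda s: profile[s][1] - profile[s][0], reverse=True)

if __name__ == "__main__":
    for cat, info in rollup(PROFILE).items():
        print(f"{cat}: {info['color']} (max gap {info['max_gap']})")
    print("Work order:", prioritized_gaps(PROFILE))
```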