Presentation is loading. Please wait.

Presentation is loading. Please wait.

The NIST Framework for Cybersecurity

Published byMercy Foster Modified over 8 years ago

Similar presentations

Presentation on theme: "The NIST Framework for Cybersecurity"— Presentation transcript:

1 The NIST Framework for Cybersecurity
Matthew Todd SF Bay InfraGard

2 Get the Framework The National Institute of Standards and Technology [NIST] Framework for Improving Critical Infrastructure Cybersecurity

3 The Executive Order “It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” Executive Order 13636, February 12, 2013 This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk.

4 Industry standards and best practices
What is it, exactly? Voluntary Risk-based framework Industry standards and best practices Provides organization, structure, and language Cost-effective Based on business needs Considers privacy Can complement or test existing programs

5 Key Goals of the Framework “Lifetime”
Describe the current cybersecurity risk management posture Describe the target posture Identify and prioritize gaps Assess progress towards the target state Communicate with internal and external stakeholders Iterate It may be used outside of a cyclic process, as with a vendor.

6 The Framework: The Parts
The Core The essential elements of a cybersecurity program A common language The Implementation Tiers A way to talk about the extent and sophistication of risk management The Profiles A description of current or target risk management programs

7 Describes activities and desired outcomes Functional areas:
The Framework: Core A matrix of: Functions Categories Subcategories Informative references Describes activities and desired outcomes Functional areas: Identify Protect Detect Respond Recover

8 Function Unique Identifier Category Unique Identifier
Subcategory References ID Identify ID.AM Asset Management ID.BE Business Environment ID.GV Governance ID.RA Risk Assessment ID.RM Risk Management Strategy PR Protect PR.AC Access Control PR.AT Awareness and Training PR.DS Data Security PR.IP Information Protection Processes and Procedures PR.MA Maintenance PR.PT Protective Technology DE Detect DE.AE Anomalies and Events DE.CM Security Continuous Monitoring DE.DP Detection Processes RS Respond RS.RP Response Planning RS.CO Communications RS.AN Analysis RS.MI Mitigation RS.IM Improvements RC Recover RC.RP Recovery Planning RC.IM RC.CO Function Category Subcategory References Identify Asset Management ID.AM-1: Physical devices and systems within the organization are inventoried CCS CSC 1 COBIT 5 BAI09.01, BAI09.02 ISA : ISA :2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 NIST SP Rev. 4 CM-8 Function Category Subcategory References Detect Security Continuous Monitoring DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events COBIT 5 APO07.06 ISO/IEC 27001:2013 A , A NIST SP Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4 Function Category Subcategory References Recover Improvements RC.IM-1: Recovery plans incorporate lessons learned COBIT 5 BAI05.07 ISA : NIST SP Rev. 4 CP-2, IR-4, IR-8

9 The Framework: Implementation Tiers
Perspective on risks, and the extent of mitigation Organization-wide Four Tiers: Partial Risk-informed Repeatable Adaptive Can be used with executive management How to use the Tiers is not clearly defined in the Framework!

10 The Framework: Profiles
A Profile is a description of a risk management program Current Profile is an assessment of the current state Target Profile is a goal state, considering: Risks Business requirements Available resources Regulatory or other requirements Current vs. Target is the gap

11 Organizational Structure
Risk Management Executive Level BIA/ Risk Assessment Budget and Priorities Implementation Business/Process Level Desired Profile Progress to Goal Implementation/Operations Level

12 Put it All Together: A Basic Security Program
Identify Business Objectives and Scope Identify Context (environment, regulations, etc.) Create a Current Profile Conduct a Risk Assessment Create a Target Profile Identify and prioritize gaps Create and implement an Action Plan Iterate!

13 The framework relies on your ability to objectively:
Caution The framework relies on your ability to objectively: Identify current risk Assess mitigating controls Acknowledged risks can be used against you. Privacy risks Competing risks Seek independent counsel Prioritize: “What” and “Why” Ensure that privacy requirements are considered Identify and empower the right business owner to make key risk decisions

14 Other Sources SANS Critical Security Controls ISO/IEC 27000-series
20 key controls Available at ISO/IEC series International standard for information security Certifications are available, but non-US based (generally) Federal Financial Institution Examination Council (FFIEC) Examination “handbooks” “…uniform principles, standards, and report forms for the federal examination of financial institutions “ US-CERT C-Cubed PCI/DSS SSAE 16/SOC 2

15 The Framework Template
An Excel spreadsheet Set high/low water marks Highlights areas in yellow and red Rolls up to categories Can be used internally or with vendors Available at member site or on request

16 Q&A

Download ppt "The NIST Framework for Cybersecurity"

Similar presentations

Tenace FRAMEWORK and NIST Cybersecurity Framework Block IDENTIFY.

Tenace FRAMEWORK and NIST Cybersecurity Framework Block IDENTIFY.
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Andrew Yang, Ph.D., CISSP Executive director, Cyber Security Institute Associate Professor of CS, CIS, IT NIST Cybersecurity Framework (CSF) for Critical.

Andrew Yang, Ph.D., CISSP Executive director, Cyber Security Institute Associate Professor of CS, CIS, IT NIST Cybersecurity Framework (CSF) for Critical.
National Infrastructure Protection Plan

National Infrastructure Protection Plan
1 Cyber Security Framework: Intel’s Implementation Pilot Tim Casey, CISSP Senior Strategic Risk

1 Cyber Security Framework: Intel’s Implementation Pilot Tim Casey, CISSP Senior Strategic Risk
National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]

National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.

Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.
SEM Planning Model.

SEM Planning Model.
1 Federal Communications Commission Public Safety and Homeland Security Bureau NARUC Summer Committee Meetings Dallas, Texas July 13, 2014 Clete D. Johnson.

1 Federal Communications Commission Public Safety and Homeland Security Bureau NARUC Summer Committee Meetings Dallas, Texas July 13, 2014 Clete D. Johnson.
IT Governance and Management

IT Governance and Management
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Cybersecurity Framework October 7, 2014

Cybersecurity Framework October 7, 2014
1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.

1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.
A District Perspective Thomas Purwin, Jersey City Public Schools

A District Perspective Thomas Purwin, Jersey City Public Schools
Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order “Improving Critical Infrastructure Cybersecurity”
Control environment and control activities. Day II Session III and IV.

Control environment and control activities. Day II Session III and IV.

Similar presentations

Ads by Google