Cyber security standards

Cyber security standards: Controls. By Erlan Bakiev, Ph.D.

Cybersecurity standards
Cybersecurity standards are techniques, generally set forth in published materials, that attempt to protect the cyber environment of a user or organization. This environment includes:
- the users themselves
- networks
- devices
- all software
- processes
- information in storage or in transit
- applications
- services
- systems that can be connected directly or indirectly to networks

Cybersecurity standards cont.
The principal objective is to reduce risk, including the prevention or mitigation of cyber-attacks. These published materials consist of collections of:
- tools
- policies
- security concepts
- security safeguards
- guidelines
- risk management approaches
- actions
- training
- best practices
- assurance
- technologies

Cybersecurity standards cont.
Cybersecurity standards have existed for several decades as users and providers have collaborated in many domestic and international forums to develop the necessary capabilities, policies, and practices, generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s. Many tasks that were once carried out by hand are now carried out by computer, hence the need for information assurance (IA) and security. Around 70% of surveyed organizations see the NIST Cybersecurity Framework as the most popular best practice for computer security, but many note that it requires significant investment (US SFA study report, 2016).

NIST Cybersecurity Framework (NIST CSF)
The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations in the US can assess and improve their ability to prevent, detect, and respond to cyber attacks. It provides a high-level taxonomy of cybersecurity outcomes (organized in version 1.1 under the five core functions Identify, Protect, Detect, Respond and Recover; version 2.0 adds Govern) and a methodology to assess and manage those outcomes. It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.

ETSI Cyber Security Technical Committee (TC CYBER)
TC CYBER is responsible for the standardization of cyber security internationally and for providing a centre of relevant expertise for other ETSI committees. Growing dependence on networked digital systems has brought with it an increase in both the variety and quantity of cyber-threats. The different methods governing secure transactions in the various Member States of the EU sometimes make it difficult to assess the respective risks and to ensure adequate security. Building on ETSI's expertise in the security of Information and Communications Technologies (ICT), ETSI set up a new Cyber Security committee (TC CYBER) in 2014 to meet the growing demand for standards to protect the Internet and the communications and business it carries.

ETSI Cyber Security Technical Committee (TC CYBER) cont.
TC CYBER works closely with relevant stakeholders to develop appropriate standards to increase privacy and security for organizations and citizens across Europe. The committee looks in particular at the security of infrastructures, devices, services and protocols, as well as at security tools and techniques. It offers security advice and guidance to users, manufacturers, and network and infrastructure operators. Its standards are freely available on-line. A principal work item is the production of a map of the global cyber security ecosystem of standardization and other activities.

ISO/IEC 27001 and 27002
ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The revision current when these slides were written was published in October 2013; its full name is ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements. A further revision, ISO/IEC 27001:2022, has since been published. ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control.

ISO/IEC 27001 and 27002 cont.
ISO/IEC 27002 incorporates mainly part 1 of the BS 7799 good security management practice standard; the latest version of BS 7799 is BS 7799-3. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most useful as explanatory guidance for the management of an organization seeking certification against ISO/IEC 27001 (only 27001, the requirements standard, is certifiable; 27002 is a code of practice). A certificate, once obtained, is valid for three years. Depending on the certification body, surveillance audits (usually annual) may be carried out during those three years before a full recertification audit.

CISQ
CISQ (the Consortium for IT Software Quality) develops standards for automating the measurement of software size and software structural quality. CISQ is a special interest group of the Object Management Group (OMG) that submits specifications for approval as OMG international standards. The measurement standards are used for static program analysis of software, a software testing practice that identifies critical weaknesses in the code and architecture of a software system. CISQ-developed standards are used to manage the Security, Reliability, Performance Efficiency and Maintainability characteristics of software risk.

CISQ cont.
The Automated Source Code Security standard is a measure of how easily an application can suffer unauthorized penetration, which may result in stolen information, altered records, or other forms of malicious behaviour. The Security standard is based on the most widespread and frequently exploited security weaknesses in software as identified in the Common Weakness Enumeration (CWE), the CWE/SANS Top 25, and the OWASP Top 10. The Automated Source Code Reliability standard is a measure of the availability, fault tolerance, recoverability, and data integrity of an application.

Standard of Good Practice
In the 1990s, the Information Security Forum (ISF) published a comprehensive list of best practices for information security, known as the Standard of Good Practice (SoGP). The ISF continues to update the SoGP every two years (with the exception of 2013-2014); the latest version at the time of these slides was published in 2016. Originally the Standard of Good Practice was a private document available only to ISF members, but the ISF has since made the full document available for sale to the general public. Among other programs, the ISF offers its member organizations a comprehensive benchmarking program based on the SoGP.

NERC
The North American Electric Reliability Corporation (NERC) addresses patching in NERC CIP-007-6 Requirement 2. It requires Bulk Electric System (BES) owners/operators to identify the source or sources used to obtain security-related patches for the Cyber Assets used in the operation of the Registered Entity, and to check those sources for new patches at least once every 35 calendar days. Upon identification of a new patch, entities are required to evaluate its applicability, and then to complete installation, or to create (or revise) a mitigation plan, within 35 calendar days of completing the applicability assessment. The bulk electric system standards also provide for network security administration while still supporting best-practice industry processes.
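The two 35-day windows above are what an auditor will ask an entity to evidence. The following is an added example, not code from the slides or from NERC, of a small checker that takes constructed patch-tracking records and flags the three ways a programme can fall out of the timing rules: source checks more than 35 days apart, an applicability evaluation that missed its window, and an install or mitigation plan that missed its window. The asset and patch identifiers, the record layout and the sample dates are all assumptions made for the illustration.

```python
"""Timing checks for patch records against the NERC CIP-007-6 R2 windows.

Added example (not from the slides or from NERC). Record layout, asset/patch
identifiers and all dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Both steps on the slide use 35 calendar days: source check / evaluation,
# then install or mitigation plan after the evaluation is complete.
WINDOW_DAYS = 35
WINDOW = timedelta(days=WINDOW_DAYS)


@dataclass
class PatchRecord:
    asset: str                        # hypothetical Cyber Asset identifier
    patch: str                        # hypothetical vendor patch identifier
    identified: date                  # date the patch was seen at a tracked source
    evaluated: Optional[date] = None  # applicability assessment completed
    actioned: Optional[date] = None   # installed, or mitigation plan created/revised


def source_check_gaps(check_dates: list[date]) -> list[tuple[date, date]]:
    """Return each pair of consecutive source checks more than 35 days apart."""
    ordered = sorted(check_dates)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if (b - a).days > WINDOW_DAYS]


def findings(rec: PatchRecord, today: date) -> list[str]:
    """Findings for one record as of `today`; an empty list means compliant so far."""
    out: list[str] = []
    tag = f"{rec.asset}/{rec.patch}"
    eval_due = rec.identified + WINDOW
    if rec.evaluated is None:
        if today > eval_due:
            out.append(f"{tag}: applicability evaluation overdue (due {eval_due})")
        return out  # the second window cannot start until the evaluation exists
    if rec.evaluated > eval_due:
        out.append(f"{tag}: applicability evaluation late ({rec.evaluated} > {eval_due})")
    action_due = rec.evaluated + WINDOW
    if rec.actioned is None:
        if today > action_due:
            out.append(f"{tag}: install/mitigation plan overdue (due {action_due})")
    elif rec.actioned > action_due:
        out.append(f"{tag}: install/mitigation plan late ({rec.actioned} > {action_due})")
    return out


def report(records: list[PatchRecord], check_dates: list[date], today: date) -> list[str]:
    """All findings for a set of records plus the source-check cadence."""
    lines = [f"source checks more than {WINDOW_DAYS} days apart: {a} -> {b}"
             for a, b in source_check_gaps(check_dates)]
    for rec in records:
        lines.extend(findings(rec, today))
    return lines


# Constructed sample data. The Feb 6 -> Mar 20 interval is 42 days (a gap);
# HMI-02 was evaluated after its Feb 7 deadline; EAP-03 has had no action
# since its Mar 17 deadline; SRV-04 is still inside its evaluation window.
SAMPLE_CHECKS = [date(2023, 1, 3), date(2023, 2, 6), date(2023, 3, 20)]
SAMPLE_RECORDS = [
    PatchRecord("RTU-01", "KB-0001", date(2023, 1, 3), date(2023, 1, 20), date(2023, 2, 10)),
    PatchRecord("HMI-02", "KB-0002", date(2023, 1, 3), date(2023, 2, 14), date(2023, 3, 1)),
    PatchRecord("EAP-03", "KB-0003", date(2023, 2, 6), date(2023, 2, 10), None),
    PatchRecord("SRV-04", "KB-0004", date(2023, 3, 20), None, None),
]
TODAY = date(2023, 3, 31)

if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS, SAMPLE_CHECKS, TODAY):
        print(line)
```

Run as-is it prints three findings (one cadence gap, one late evaluation, one overdue action) and nothing for the two compliant records. Keeping evaluation and action as separate dated fields matters: the second 35-day window is measured from the completed evaluation, not from the patch release, so a record with no evaluation date can never be reported as "on time" for installation.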

ISA/IEC 62443 (formerly ISA-99)
ISA/IEC 62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end users (i.e. asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.

ISA/IEC 62443 (formerly ISA-99) cont.
These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010 they were renumbered as the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards.

ISA/IEC 62443 (formerly ISA-99) cont.
ISA99 remains the name of the Industrial Automation and Control Systems Security Committee of the ISA. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject. These work products are submitted to ISA for approval and publishing under ANSI. They are also submitted to IEC for review and approval as standards and specifications in the IEC 62443 series.

IEC 62443 Conformity Assessment Program
The ISA Security Compliance Institute (ISCI), www.isasecure.org, operates the first conformity assessment scheme for the IEC 62443 IACS cybersecurity standards. This program certifies commercial off-the-shelf (COTS) IACS products and systems, addressing the security of the IACS supply chain.

Security controls
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Classification of security controls
According to the time at which they act, relative to a security incident:
- Before the event: preventive controls are intended to stop an incident from occurring, e.g. by locking out unauthorized intruders.
- During the event: detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police.
- After the event: corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.

Classification of security controls cont.
According to their nature:
- Physical controls, e.g. fences, doors, locks and fire extinguishers.
- Procedural controls, e.g. incident response processes, management oversight, security awareness and training.
- Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls.
- Legal and regulatory or compliance controls, e.g. privacy laws, policies and contract clauses.

International information security standards
Annex A of ISO/IEC 27001:2013 specifies 114 controls in 14 groups (the 2022 revision regroups them into 93 controls under four themes: organizational, people, physical and technological):
- A.5: Information security policies
- A.6: How information security is organized
- A.7: Human resources security: controls that are applied before, during, or after employment
- A.8: Asset management
- A.9: Access controls and managing user access
- A.10: Cryptographic technology
- A.11: Physical security of the organization's sites and equipment
- A.12: Operational security
- A.13: Secure communications and data transfer
- A.14: Secure acquisition, development, and support of information systems
- A.15: Security for suppliers and third parties
- A.16: Incident management
- A.17: Business continuity/disaster recovery (to the extent that it affects information security)
- A.18: Compliance, with internal requirements such as policies and with external requirements such as laws

U.S. Federal Government information security standards
From NIST Special Publication SP 800-53 revision 4, the control families (the two-letter code is the prefix of every control identifier in that family, e.g. AC-2) are:
- AC Access Control
- AT Awareness and Training
- AU Audit and Accountability
- CA Security Assessment and Authorization (historical abbreviation)
- CM Configuration Management
- CP Contingency Planning
- IA Identification and Authentication
- IR Incident Response
- MA Maintenance
- MP Media Protection
- PE Physical and Environmental Protection
- PL Planning
- PS Personnel Security
- RA Risk Assessment
- SA System and Services Acquisition
- SC System and Communications Protection
- SI System and Information Integrity
- PM Program Management
Revision 5 (2020) keeps these families, renames CA to Assessment, Authorization, and Monitoring, and adds PT (PII Processing and Transparency) and SR (Supply Chain Risk Management).

U.S. Department of Defense information security standards
From DoD Instruction 8500.2 there are 8 Information Assurance (IA) areas, and the controls are referred to as IA controls:
- DC Security Design & Configuration
- IA Identification and Authentication
- EC Enclave and Computing Environment
- EB Enclave Boundary Defense
- PE Physical and Environmental
- PR Personnel
- CO Continuity
- VI Vulnerability and Incident Management
DoDI 8500.2 was cancelled in 2014 when DoDI 8500.01 and DoDI 8510.01 moved the DoD to the Risk Management Framework and the NIST SP 800-53 control catalog listed above, so these IA control identifiers now appear only in legacy accreditation documents.