
NIST Cybersecurity Framework



Presentation on theme: "NIST Cybersecurity Framework"— Presentation transcript:

1 NIST Cybersecurity Framework
February, 2016 Bryan Sacks, Director Risk & Compliance

2 Agenda
Risk and Compliance Update
NIST Cybersecurity Framework Introduction
Initial Steps and Agency Impact
Internal Use Only

3 Risk & Compliance Updates
IOT Governance (Role Update)
ISO to NIST: three project phases
- Governance & Compliance
- Risk Management
- Vendor/Supplier Risk Management
Archer – Governance, Risk and Compliance Tool
- Will house policies, standards, assessments and more
- Reporting will be made available to each agency
- Training documentation will be provided and workshops held (when needed)
Goal: Introduce and improve end-to-end risk management, while reducing compliance burden to the extent possible

4 Reducing Compliance Burden with Auth. Source Mapping

5 Agenda
Risk and Compliance Update
NIST Cybersecurity Framework Introduction
Initial Steps and Agency Impact

6 NIST Cybersecurity Framework (CSF) Background
The President issued Executive Order (EO) 13636, ‘Improving Critical Infrastructure Cybersecurity’, in February 2013. The order directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure.
NIST published the Cybersecurity Framework (CSF) in February 2014.
CSF provides a ‘common language’ that can be used across agencies to measure risk and understand where control gaps exist.
CSF maps to multiple frameworks, including ISO 27001, COBIT and more. Therefore it is not ‘prescriptive’; rather, it is a guideline that can be adapted.
Many states are now adopting the framework; some known examples: Virginia, Pennsylvania, Mississippi, Idaho, New York, Texas, Florida, Indiana.
IOT will lead the initiative to move to NIST-based policy, standards (and controls), using NIST CSF as a baseline.

7 NIST CSF Structure: Core, Tiers, Profiles
The Framework was designed to enhance cybersecurity posture, providing a scalable format for executives, management, and staff. Shown are the components of the framework:
Core: 5 ‘Functions’ (Identify, Protect, Detect, Respond, Recover), 22 ‘Categories’, 98 ‘Subcategories’
Tiers: Partial, Risk Informed, Repeatable, Adaptive
Profiles: Current (C), Target (T)

8 Agenda
Risk and Compliance Update
NIST Cybersecurity Framework Introduction
Initial Steps and Agency Impact

9 Initial Steps
Build and roll-out Agency Maturity Profile Assessment (March/April, 2016)
- Determine assessment context questions
Policy/Standards (Mid-Year)
- Update methodology
- Understand controls
- Build/update policy documents
Compliance Self-Assessments
- Develop process
- Determine scope
- Roll-out
More to come…

10 Agency Impact
Each agency will be required to complete items; results will be reported to Agency Heads, the CIO and possibly the Governor. The diagram shows five items, numbered 1 to 5:
- Agency Maturity Profile
- Inherent Risk Profile
- Application Risk Questionnaire
- Compliance Self-Assessment
- Risk & Control Self-Assessment
Bite sized chunks allow for better consumption and digestion

11 IOT’s ask…
Be patient
Come along this journey with us
Assist with development, communication, training where you can (contact Tad/Bryan if you have available resources to develop documentation)

12 Appendix

13 Additional Resources
Key Links:
NIST Home
NIST Cybersecurity Framework
State of Indiana - NIST RFI Response
NIST Special Publications (Includes Rev 4)
Archer Home

14 NIST CSF Structure: Core
The Framework was designed to enhance cybersecurity posture, providing a scalable format for executives, management, and staff. Shown are the components of the framework:
Core: 5 ‘Functions’, 22 ‘Categories’, 98 ‘Subcategories’ (not shown)

15 NIST CSF Structure: Tiers
The 4 Tier Definitions span across three areas (Risk Management Process, Integrated Risk Management Program, External Participation); detailed definitions are found below.

Tier 1: Partial
- Risk Management Process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
- Integrated Risk Management Program: There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
- External Participation: An organization may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed
- Risk Management Process: Risk management practices are approved by management but may not be established as organization-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
- Integrated Risk Management Program: There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the organization on an informal basis.
- External Participation: The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable
- Risk Management Process: The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
- Integrated Risk Management Program: There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
- External Participation: The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Tier 4: Adaptive
- Risk Management Process: The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
- Integrated Risk Management Program: There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
- External Participation: The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

CSF Tiers are guidelines; IOT has developed a simpler model.

16 NIST CSF Structure: Tiers
IOT’s simpler model (Maturity Tier and Description):
Tier 0: Non-Existent – Appropriate processes and controls do not exist; lack of awareness and knowledge
Tier 1: Initial – Processes and controls are ad-hoc, not documented (informal), poorly controlled and not repeatable
Tier 2: Developing – Processes and controls are managed and documented. Implementation and execution is inconsistent
Tier 3: Defined – Processes and controls are standardized, well established, consistently used, repeatable, periodically reviewed and updated
Tier 4: Advanced – Processes and controls are continuously assessed for improvements. Could be considered best in class or leading practice. Sharable and adopted by others.
CSF Tiers can be used to understand current and target profiles for each category and subcategory.

17 NIST CSF Structure: Profile
How do we know our biggest gaps? Using Current and Target Profiles across Subcategories can help identify and prioritize focus areas. (Illustrative diagram: Current (C) and Target (T) profile markers.)
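An added example, not from the presentation, that works the profile gap analysis described above in Python: each Subcategory carries a Current and a Target tier on IOT's 0 to 4 maturity scale (slide 16), gaps are ranked to pick focus areas, and they roll up to the five Core Functions for reporting. The subcategory ids are CSF v1.0 identifiers; the tier values are constructed sample data, and the validation rules are this example's own assumptions.

```python
from collections import defaultdict

# IOT's simpler maturity scale from the slides (Tier 0 to Tier 4).
TIERS = {0: "Non-Existent", 1: "Initial", 2: "Developing", 3: "Defined", 4: "Advanced"}
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed sample profile: subcategory id -> (current tier, target tier). Tier values are made up.
SAMPLE_PROFILE = {
    "ID.AM-1": (2, 3),
    "PR.AC-1": (1, 4),
    "PR.DS-1": (3, 3),
    "DE.CM-1": (0, 3),
    "DE.AE-1": (1, 2),
    "RS.RP-1": (2, 3),
    "RC.RP-1": (0, 2),
}

def validate(profile):
    """Reject malformed ids, tiers outside the 0-4 scale, and targets below current (assumed rules)."""
    for sub, (cur, tgt) in profile.items():
        func, _, rest = sub.partition(".")
        if func not in FUNCTIONS or "-" not in rest:
            raise ValueError(f"not a CSF subcategory id: {sub}")
        if cur not in TIERS or tgt not in TIERS:
            raise ValueError(f"tier out of range for {sub}: {cur}, {tgt}")
        if tgt < cur:  # a target below current is almost always a data-entry error
            raise ValueError(f"target below current for {sub}")

def gaps(profile):
    """Return [(subcategory, target - current)] with the largest gaps first, ties by id."""
    validate(profile)
    return sorted(((s, t - c) for s, (c, t) in profile.items()), key=lambda x: (-x[1], x[0]))

def focus_areas(profile, min_gap=2):
    """Subcategories whose gap is at least min_gap tiers: the prioritized focus list."""
    return [sub for sub, gap in gaps(profile) if gap >= min_gap]

def rollup(profile):
    """Average gap per Function; the Core hierarchy is what lets results roll up for reporting."""
    per_function = defaultdict(list)
    for sub, gap in gaps(profile):
        per_function[sub.partition(".")[0]].append(gap)
    return {FUNCTIONS[f]: round(sum(g) / len(g), 2) for f, g in per_function.items()}

if __name__ == "__main__":
    for sub, gap in gaps(SAMPLE_PROFILE):
        cur, tgt = SAMPLE_PROFILE[sub]
        print(f"{sub:8} {TIERS[cur]:>12} -> {TIERS[tgt]:<12} gap={gap}")
    print("per function:", rollup(SAMPLE_PROFILE))
```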

18 NIST CSF Structure: Core Cont’d
Hierarchy is useful for reporting purposes
Alignment to ‘Informative References’, commonly referred to as Authoritative Sources
NIST SP Rev. 4 Alignment

19 NIST CSF Example (Protect)

20 NIST CSF Example (Detect)

21 NIST CSF Example (Respond)

22 NIST CSF Example (Recover)
