Comparing NIST's Cybersecurity Framework with Best Practice

David Ochel
email: david@secuilibrium.com
Twitter: @lostgravity

2014-03-31

This work is licensed under a Creative Commons Attribution 4.0 International License.
Agenda

•  Introduction to the Cybersecurity Framework (CSF)
   –  Motivation
   –  Organization
   –  Major elements and core principles
•  CSF and Best Practice
   –  What is Best Practice?
   –  Comparing CSF with ISO/IEC 27001
   –  Particularities of critical infrastructure protection
•  Some Musings
   –  Future of the CSF
   –  Resources
   –  Texas
   –  Information Security Management Maturity

Page 2 – Cybersecurity Framework / Best Practice
INTRODUCTION TO THE CYBERSECURITY FRAMEWORK (CSF)
Motivation

•  Critical Infrastructure
   –  Vital infrastructure – private and public operators
   –  Lack of availability would have a "debilitating impact" on the nation's security, economy, public health, safety…
•  Executive Order 13636; February 12, 2013
   –  Threat information sharing
   –  NIST: Baseline Framework to reduce cyber risk
      •  "Standards, methodologies, procedures and processes that align policy, business, and technological approaches…"
   –  Voluntary Critical Infrastructure Cybersecurity Program
   –  …
Organization

•  Framework parts:
   –  Core
   –  Profiles
   –  Implementation Tiers
Framework Core – a Controls Catalog

•  5 core functions, split into:
   –  Categories
   –  Subcategories
•  "technology neutral"
•  Cross-references to:
   –  COBIT
   –  CCS CSC
   –  ANSI/ISA-62443-2-1 and -3-3
   –  ISO/IEC 27001
   –  NIST SP 800-53
Framework Core – Example

(Slide shows an excerpt of the Framework Core table: function, category, subcategory and informative references.)
Framework Profiles

•  Describe current or desired state of "cybersecurity activities"
•  Align controls with "business requirements, risk tolerance, and resources"
•  No templates or format provided
Framework Tiers

•  Tiers indicate maturity of:
   –  Risk management process
   –  Integrated Risk Management Program
   –  External Participation
•  "do not represent maturity levels"!?
•  Tiers (defined on 1/3 of a page each)
   –  1: Partial
   –  2: Risk Informed
   –  3: Repeatable
   –  4: Adaptive
CSF AND BEST PRACTICE
Information Security Controls – Attributes of Best Practice?!

•  Benchmark
•  Requirements catalog
•  Comprehensive
•  Accepted
•  Industry standard
•  But not cutting edge / best in class?
•  Auditable
•  …?
IT Security: Control Frameworks

Regulatory (mostly industry-specific?)
•  HIPAA
•  SOX (arguably)
•  NERC CIP
•  …

"Pseudo Regulatory" (contractually enforced)
•  PCI DSS (etc.)
•  SSAE 16
•  …

Voluntary
•  NIST Cybersecurity Framework
•  Texas Cybersecurity Framework*
•  NIST SP 800-53*
•  ISO/IEC 27001
•  ISF Standard of Good Practice
•  …

* Mandatory for certain government agencies.
ISO/IEC 27001

•  Information technology – Security techniques – Information security management systems – Requirements
   –  System requirements:
      •  Organization context
      •  Leadership
      •  Planning
      •  Operation
      •  Performance evaluation
      •  Improvement
   –  Reference control objectives & controls
      •  "best practice" catalog of baseline controls
CSF and 27001 – Commonalities

•  Voluntary
•  Catalog of information security controls
   –  Small differences in emphasis
   –  Method to document control selection ("profile" vs. "statement of applicability")
•  No built-in risk assessment methodology
•  Scope definition expected/required
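Added example, not part of the original deck: since the CSF provides no template for a Profile, the script below models a small slice of the Framework Core (four subcategories; outcome text quoted from the published CSF v1.0 Core, informative references reduced to an illustrative subset that you should verify against the Core table), holds a constructed current and target Profile, computes the gap between them, and projects the target Profile onto one reference catalog the way a 27001 Statement of Applicability would. The profile data, status vocabulary and justification text are assumptions made for the example. The one rule the code enforces, that an excluded subcategory must carry a written justification, is exactly where 27001 is stricter than the CSF.

```python
"""Minimal CSF Profile model with gap analysis and an SoA-style projection."""
from dataclasses import dataclass

# Status vocabulary for a subcategory inside a Profile (assumed for this example).
# NOT_APPLICABLE means deliberately out of scope and must be justified.
NOT_APPLICABLE, NOT_IMPLEMENTED, PARTIAL, IMPLEMENTED = "n/a", "none", "partial", "done"
RANK = {NOT_IMPLEMENTED: 0, PARTIAL: 1, IMPLEMENTED: 2}


@dataclass(frozen=True)
class Subcategory:
    sid: str        # e.g. "ID.AM-1"
    function: str   # Identify / Protect / Detect / Respond / Recover
    outcome: str    # outcome statement from the Core
    refs: dict      # informative references: framework -> tuple of control IDs


# Four subcategories of the CSF v1.0 Core. Informative references are an
# illustrative SUBSET of the published ones (check the Core table for the rest).
CORE = {s.sid: s for s in [
    Subcategory("ID.AM-1", "Identify",
                "Physical devices and systems within the organization are inventoried",
                {"ISO/IEC 27001:2013": ("A.8.1.1", "A.8.1.2"),
                 "NIST SP 800-53 Rev. 4": ("CM-8",)}),
    Subcategory("PR.AC-1", "Protect",
                "Identities and credentials are managed for authorized devices and users",
                {"ISO/IEC 27001:2013": ("A.9.2.1",),
                 "NIST SP 800-53 Rev. 4": ("AC-2", "IA-2")}),
    Subcategory("DE.CM-1", "Detect",
                "The network is monitored to detect potential cybersecurity events",
                {"NIST SP 800-53 Rev. 4": ("AC-2", "SI-4")}),
    Subcategory("RS.RP-1", "Respond",
                "Response plan is executed during or after an event",
                {"ISO/IEC 27001:2013": ("A.16.1.5",),
                 "NIST SP 800-53 Rev. 4": ("IR-4", "IR-8")}),
]}


@dataclass
class Entry:
    status: str
    justification: str = ""   # required when status == NOT_APPLICABLE


# A Profile is {subcategory id: Entry}. Both profiles below are constructed sample data.
CURRENT = {"ID.AM-1": Entry(PARTIAL), "PR.AC-1": Entry(IMPLEMENTED),
           "DE.CM-1": Entry(NOT_IMPLEMENTED), "RS.RP-1": Entry(NOT_IMPLEMENTED)}
TARGET = {"ID.AM-1": Entry(IMPLEMENTED), "PR.AC-1": Entry(IMPLEMENTED),
          "DE.CM-1": Entry(IMPLEMENTED),
          "RS.RP-1": Entry(NOT_APPLICABLE, "incident response handled under the group-level plan")}


def gap_analysis(core, current, target):
    """Subcategories whose target status is above the current one, together with
    the informative references an implementer would consult for concrete controls."""
    gaps = []
    for sid, tgt in target.items():
        if tgt.status == NOT_APPLICABLE:
            continue
        cur = current.get(sid, Entry(NOT_IMPLEMENTED))
        if RANK[tgt.status] > RANK.get(cur.status, 0):
            gaps.append((sid, cur.status, tgt.status, core[sid].refs))
    return gaps


def statement_of_applicability(core, target, reference="ISO/IEC 27001:2013"):
    """Project a target Profile onto one reference catalog: every referenced control
    is either applicable or excluded with a written justification. A control that
    several subcategories reference is applicable if any of them is in scope."""
    soa = {}
    for sid, sub in core.items():
        entry = target.get(sid)
        excluded = entry is None or entry.status == NOT_APPLICABLE
        if excluded and not (entry and entry.justification):
            raise ValueError(f"{sid} excluded from target profile without justification")
        for control in sub.refs.get(reference, ()):
            row = soa.setdefault(control, {"applicable": False, "reasons": []})
            if excluded:
                row["reasons"].append(f"{sid}: {entry.justification}")
            else:
                row["applicable"] = True
                row["reasons"].append(f"{sid}: {sub.outcome}")
    return soa


if __name__ == "__main__":
    for sid, cur, tgt, refs in gap_analysis(CORE, CURRENT, TARGET):
        print(f"{sid}: {cur} -> {tgt}; see {refs}")
    for control, row in statement_of_applicability(CORE, TARGET).items():
        print(control, "applicable" if row["applicable"] else "excluded", row["reasons"])
```

Running the script lists ID.AM-1 and DE.CM-1 as gaps and produces an ISO/IEC 27001 view in which A.8.1.1, A.8.1.2 and A.9.2.1 are applicable while A.16.1.5 is excluded with the recorded reason; passing `reference="NIST SP 800-53 Rev. 4"` gives the 800-53 view, where AC-2 is justified twice because both PR.AC-1 and DE.CM-1 point to it.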
CSF and 27001 – Differences

Cybersecurity Framework
✓ Rudimentary maturity tiers
✓ Even basic requirements are optional
✓ Potential for agility

ISO/IEC 27001
✓ Clear documentation requirements
✓ Mandatory management system requirements
✓ Exclusion of controls requires justification
✓ Established certification schemes
✓ Well-defined terminology
Which parts of the CSF are unique to ICS environments?

•  Tiers?
   –  Nope. (Generic description of risk management and information sharing "maturity".)
•  Core?
   –  Nope. (Introduction acknowledges that IT and ICS environments and considerations differ. But the (sub-)categories do not specifically address this.)
•  Profiles?
   –  Nope. (Just a way to catalog current and desired selection of controls.)
SOME MUSINGS
The Future of the CSF…

•  …might be bright?
   –  Just another controls framework
   –  But with potential!
•  Incentives
   –  So far DHS offers managed services to local/state governments
   –  Private industry… yet to come?
•  NIST Roadmap for framework development
   –  Areas for development, alignment, and collaboration
Resources

•  Information Sharing
   –  Information Sharing and Analysis Centers (ISACs)
   –  InfraGard partnership
•  US-CERT's Critical Infrastructure Cyber Community (C3) Voluntary Program
   –  Tools and resources
   –  (self) assessment, (ICS-)CERTs, training/education, …
•  Sector-specific resources!
Texas… Since We Are Here

•  Texas Cybersecurity Framework
   –  Requirements for security governance and management
   –  Mandatory for state agencies
   –  Controls based on 800-53 controls
•  DIR Resources
   –  http://www2.dir.state.tx.us/security/Pages/security.aspx
Security Management – Compliance Is a Start, But…

(Slide shows a maturity ladder, lowest rung first:)
•  Negligence?
•  Controls-Focused (Due Diligence?) – where compliance with most control frameworks might get you…
•  Risk-Informed (Good Practice)
•  Risk-Governed

(Technology / IT) Risk is organization-specific; compliance with control frameworks rarely is!

Compare to SSE-CMM (or others)? Capability levels, lowest first:
•  Performed Informally
•  Planned and Tracked
•  Well Defined
•  Quantitatively Controlled
•  Continuously Improving
Resources

•  NIST Cybersecurity Framework
   –  http://www.nist.gov/cyberframework/
•  US-CERT C3 Voluntary Program
   –  http://www.us-cert.gov/ccubedvp
•  Mapping of 27001 to the CSF
   –  http://www.secuilibrium.com/1/post/2014/02/comparing-isoiec-27001-with-nists-cybersecurity-framework.html
•  Contact:
   –  David Ochel <david@secuilibrium.com>
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

NISTs Cybersecurity Framework -- Comparison with Best Practice

1. Comparing NIST's Cybersecurity Framework with Best Practice
David Ochel
email: david@secuilibrium.com
Twitter: @lostgravity
2014-03-31
This work is licensed under a Creative Commons Attribution 4.0 International License.

2. Agenda
• Introduction to the Cybersecurity Framework (CSF)
  – Motivation
  – Organization
  – Major elements and core principles
• CSF and Best Practice
  – What is Best Practice?
  – Comparing CSF with ISO/IEC 27001
  – Particularities of critical infrastructure protection
• Some Musings
  – Future of the CSF
  – Resources
  – Texas
  – Information Security Management Maturity
Page 2 Cybersecurity Framework / Best Practice

3. INTRODUCTION TO THE CYBERSECURITY FRAMEWORK (CSF)

4. Motivation
• Critical Infrastructure
  – Vital infrastructure – private and public operators
  – Lack of availability would have "debilitating impact" on the nation's security, economy, public health, safety…
• Executive Order 13636; February 12, 2013
  – Threat information sharing
  – NIST: Baseline Framework to reduce cyber risk
    • "Standards, methodologies, procedures and processes that align policy, business, and technological approaches…"
  – Voluntary Critical Infrastructure Cybersecurity Program
  – …

5. Organization
• Framework parts:
  – Core
  – Profiles
  – Implementation Tiers

6. Framework Core – a Controls Catalog
• 5 core functions, split into:
  – Categories
  – Subcategories
• "technology neutral"
• Cross-references to:
  – COBIT
  – CCS CSC
  – ANSI/ISA-62443-2-1 and -3-3
  – ISO/IEC 27001
  – NIST SP 800-53

7. Framework Core – Example
[Slide consists of an example image from the Framework Core; no text was captured.]

8. Framework Profiles
• Describe current or desired state of "cybersecurity activities"
• Align controls with "business requirements, risk tolerance, and resources"
• No templates or format provided

9. Framework Tiers
• Tiers indicate maturity of:
  – Risk management process
  – Integrated Risk Management Program
  – External Participation
• "do not represent maturity levels"!?
• Tiers (defined on 1/3 of a page each)
  – 1: Partial
  – 2: Risk Informed
  – 3: Repeatable
  – 4: Adaptive

10. CSF AND BEST PRACTICE

11. Information Security Controls – Attributes of Best Practice?!
• Benchmark
• Requirements catalog
• Comprehensive
• Accepted
• Industry standard
• But not cutting edge / best in class?
• Auditable
• …?

12. IT Security: Control Frameworks
Regulatory (mostly industry-specific?):
• HIPAA
• SOX (arguably)
• NERC CIP
• …
"Pseudo Regulatory" (contractually enforced):
• PCI DSS (etc.)
• SSAE 16
• …
Voluntary:
• NIST Cybersecurity Framework
• Texas Cybersecurity Framework*
• NIST SP 800-53*
• ISO/IEC 27001
• ISF Standard of Good Practice
• …
* Mandatory for certain government agencies.

13. ISO/IEC 27001
• Information technology – Security techniques – Information security management systems – Requirements
  – System requirements:
    • Organization context
    • Leadership
    • Planning
    • Operation
    • Performance evaluation
    • Improvement
  – Reference control objectives & controls
    • "best practice" catalog of baseline controls

14. CSF and 27001 – Commonalities
• Voluntary
• Catalog of information security controls
  – Small differences in emphasis
  – Method to document control selection ("profile" vs. "statement of applicability")
• No built-in risk assessment methodology
• Scope definition expected/required

15. CSF and 27001 – Differences
Cybersecurity Framework:
✓ Rudimentary maturity tiers
✓ Even basic requirements are optional
✓ Potential for agility
ISO/IEC 27001:
✓ Clear documentation requirements
✓ Mandatory management system requirements
✓ Exclusion of controls requires justification
✓ Established certification schemes
✓ Well-defined terminology

16. Which parts of the CSF are unique to ICS environments?
• Tiers?
  – Nope. (Generic description of risk management and information sharing "maturity".)
• Core?
  – Nope. (Introduction acknowledges that IT and ICS environments and considerations differ. But the (sub-)categories do not specifically address this.)
• Profiles?
  – Nope. (Just a way to catalog current and desired selection of controls.)
18. SOME MUSINGS

19. The Future of the CSF…
• …might be bright?
  – Just another controls framework
  – But with potential!
• Incentives
  – So far DHS offers managed services to local/state governments
  – Private industry… yet to come?
• NIST Roadmap for framework development
  – Areas for development, alignment, and collaboration

20. Resources
• Information Sharing
  – Information Sharing and Analysis Centers (ISACs)
  – InfraGard partnership
• US-CERT's Critical Infrastructure Cyber Community (C3) Voluntary Program
  – Tools and resources
  – (self) assessment, (ICS-)CERTs, training/education, …
• Sector-specific resources!

21. Texas… Since We Are Here
• Texas Cybersecurity Framework
  – Requirements for security governance and management
  – Mandatory for state agencies
  – Controls based on 800-53 controls
• DIR Resources
  – http://www2.dir.state.tx.us/security/Pages/security.aspx

22. Security Management – Compliance Is a Start, But…
[Diagram. Security management maturity stages, lowest to highest: Negligence?; Controls-Focused (Due Diligence?); Risk-Informed (Good Practice); Risk-Governed.
Annotation at the Controls-Focused stage: "Where compliance with most control frameworks might get you…"
Annotation: "(Technology / IT) Risk is organization-specific; compliance with control frameworks rarely is!"
Side scale, "Compare to SSE-CMM (or others)?", with the capability levels: Performed Informally; Planned and Tracked; Well Defined; Quantitatively Controlled; Continuously Improving.]

23. Resources
• NIST Cybersecurity Framework
  – http://www.nist.gov/cyberframework/
• US-CERT C3 Voluntary Program
  – http://www.us-cert.gov/ccubedvp
• Mapping of 27001 to the CSF
  – http://www.secuilibrium.com/1/post/2014/02/comparing-isoiec-27001-with-nists-cybersecurity-framework.html
• Contact:
  – David Ochel <david@secuilibrium.com>