Intel Presentation from NIST Cybersecurity Framework Workshop 6
3 likes1,903 views
Intel's Security and Privacy Office implemented the Cyber Security Framework (CSF) to align risk management practices and inform budget planning for 2015. Their three-phase approach included infrastructure assessment, supply chain updates, and stakeholder engagement to improve visibility into risk landscape. The process is characterized as low-cost and impactful, facilitating internal discussions and harmonization of risk methodologies.
![Intel Security and Privacy Office
Infrastructure Assessment Process
Set Targets
•Establish Core Group (key SME’s and Managers)
•Evaluate and modify Categories and Subcategories
•F2F Session with Core Group to set targets and score actuals (2x4 hour sessions/8-10 SME’s)
•Validate Targets with Decision Makers (CISO & Staff)
Assess
Current State
•Identify Key SME Scorers
•Train SMEs (virtual 1 hour sessions)
•SME Use Tools to self score [note: SME’s do not know Targets]
Analyze
Results
•Aggregate Individual SME roll-up with Core Team Actuals and compare to Targets
•Use simple heat map to identify gaps >1
•Drill down on subcategories for identified gaps >1 to identify key issues
Communicate
Results
• Review findings & recommendations with CISO & Staff
• Inform impacted Managers to ensure prioritization feed into budget and planning cycles
• Brief Senior Leadership on findings and resulting recommendations](https://image.slidesharecdn.com/intelcorpcsfutilizationws620141028-141213055334-conversion-gate02/85/Intel-Presentation-from-NIST-Cybersecurity-Framework-Workshop-6-4-320.jpg)
Intel Presentation from NIST Cybersecurity Framework Workshop 6
- 1. Intel Security and Privacy Office Cyber Security Framework: Intel’s Implementation Tools & Approach Tim Casey Senior Strategic Risk Analyst @timcaseycyber NIST Workshop #6 October 29, 2014
- 2. Intel Security and Privacy Office Intel’s Goals in Using the CSF 2 Establish alignment on risk tolerance Inform budget planning for 2015 Communicate risk heat map to Senior Leadership CSF as risk management approach – NOT a compliance checklist!
- 3. Intel Security and Privacy Office Strategy: 3-Phase Approach Infrastructure Align Macro-level risk management practices to CSF Focus initially on OFFICE and ENTERPRISE Perform initial CSF assessment against infrastructure Product Explore mapping of products and services capabilities to CSF Examine product assurance initiatives (SDL, etc.) through CSF lens Supply Chain/Third Party Contracting Examine and potentially pilot contracting updates to align to CSF language We are here
- 4. Intel Security and Privacy Office Infrastructure Assessment Process Set Targets •Establish Core Group (key SME’s and Managers) •Evaluate and modify Categories and Subcategories •F2F Session with Core Group to set targets and score actuals (2x4 hour sessions/8-10 SME’s) •Validate Targets with Decision Makers (CISO & Staff) Assess Current State •Identify Key SME Scorers •Train SMEs (virtual 1 hour sessions) •SME Use Tools to self score [note: SME’s do not know Targets] Analyze Results •Aggregate Individual SME roll-up with Core Team Actuals and compare to Targets •Use simple heat map to identify gaps >1 •Drill down on subcategories for identified gaps >1 to identify key issues Communicate Results • Review findings & recommendations with CISO & Staff • Inform impacted Managers to ensure prioritization feed into budget and planning cycles • Brief Senior Leadership on findings and resulting recommendations
- 5. Intel Security and Privacy Office SME Rollup 5 Mapping highlighted outliers and major differences 1 1
- 6. Intel Security and Privacy Office SME-Core Target Roll Up 6 High 2’s – Focus Areas stand out Significant differences between Core and Individual scores can highlight visibility issues Results matched “Gut Check” expectations
- 7. Intel Security and Privacy Office Management Outcomes Program Management CSF utilization has progressed with no major deviations from plan of record Very light-weight organizationally—leveraged existing processes & org structures Estimated Cost Less than 150 work-hours invested to date with 2 focus areas (Office & Enterprise) complete Repeatable tools & techniques developed so additional areas may be less overhead Feedback from Participants Easy to understand and score No push back on resourcing or time commits Participants see value, with key concerns being granularity and repeatability
- 8. Intel Security and Privacy Office Key Learnings Setting Targets is a very valuable exercise Discussions on Tiers and Targets was enlightening and furthered intra-company alignment Categories Categories were useful and for our initial use only one additional Category added – DETECT: THREAT INTELLIGENCE We expect additional Categories to emerge as we move through Design, Manufacturing, and Services environments Sub Categories Still a bit of a puzzle on how to optimally use this granularity while balancing overhead Next rev of tool will do away with scoring subcategories and use over/under model for heat mapping inputs
- 9. Intel Security and Privacy Office Summary “This is a journey.” Informed internal discussion is a key aspect of any risk management program—the CSF fosters this well For Intel, a relatively low-cost and low-impact process modification Improved harmonization of risk management methodologies and a common language across internal stakeholder communities Improved visibility into our risk landscape
- 10. Intel Security and Privacy Office This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. BunnyPeople, Celeron, Celeron Inside, Centrino, Centrino Inside, Core Inside, i960, Intel, the Intel logo, Intel AppUp, Intel Atom, Intel Atom Inside, Intel Core, Intel Inside, the Intel Inside logo, Intel NetBurst, Intel NetMerge, Intel NetStructure, Intel SingleDriver, Intel SpeedStep, Intel Sponsors of Tomorrow., the Intel Sponsors of Tomorrow. logo, Intel StrataFlash, Intel Viiv, Intel vPro, Intel XScale, InTru, the InTru logo, InTru soundmark, Itanium, Itanium Inside, MCS, MMX, Moblin, Pentium, Pentium Inside, skoool, the skoool logo, Sound Mark, The Journey Inside, vPro Inside, VTune, Xeon, and Xeon Inside are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Copyright © 2014, Intel Corporation. All rights reserved.