Framework for Improving Critical
Infrastructure Cybersecurity
June 2016
cyberframework@nist.gov
About NIST
• NIST’s mission is to develop
and promote measurement,
standards, and technology to
enhance productivity, facilitate
trade, and improve the quality
of life.
• 3,000 employees
• 2,700 guest researchers
• 1,300 field staff in partner
organizations
• Two main locations:
Gaithersburg, MD and
Boulder, CO
NIST Priority Research Areas
National Institute of Standards and Technology (NIST)
• Advanced Manufacturing
• IT and Cybersecurity
• Healthcare
• Forensic Science
• Disaster Resilience
• Cyber-physical Systems
• Advanced Communications
Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance
the security and resilience of the Nation’s
critical infrastructure and to maintain a cyber
environment that encourages efficiency,
innovation, and economic prosperity while
promoting safety, security, business
confidentiality, privacy, and civil liberties”
President Barack Obama
Executive Order 13636, 12 February 2013
Based on the Executive Order, the Cybersecurity
Framework Must...
• Include a set of standards, methodologies, procedures,
and processes that align policy, business, and
technological approaches to address cyber risks
• Provide a prioritized, flexible, repeatable, performance-
based, and cost-effective approach, including information
security measures and controls, to help owners and
operators of critical infrastructure identify, assess, and
manage cyber risk
• Identify areas for improvement to be addressed through
future collaboration with particular sectors and
standards-developing organizations
• Be consistent with voluntary international standards
Development of the Framework
Process: Engage the Framework Stakeholders → Collect, Categorize, and Post RFI Responses → Analyze RFI Responses → Identify Framework Elements → Prepare and Publish Framework
• EO 13636 Issued – February 12, 2013
• NIST Issues RFI – February 26, 2013
• 1st Framework Workshop – April 03, 2013
• Completed – April 08, 2013
• Identify Common Practices/Themes – May 15, 2013
• 2nd Framework Workshop at CMU – May 2013
• Draft Outline of Preliminary Framework – June 2013
• 3rd Workshop at UCSD – July 2013
• 4th Workshop at UT Dallas – Sept 2013
• 5th Workshop at NC State – Nov 2013
• Published Framework – Feb 2014
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process… and to this day
The Cybersecurity Framework Is for Organizations…
• Of any size, in any sector in (and outside of) the critical infrastructure
• That already have a mature cyber risk management and cybersecurity program
• That don’t yet have a cyber risk management or cybersecurity program
• With a mission of helping keep up-to-date on managing risk and facing business or societal threats
Cybersecurity Framework Components
• Framework Core: Cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization.
• Framework Implementation Tiers: Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics.
• Framework Profile: Aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs.
Key Properties of Cyber Risk Management
• Risk Management Process
• Integrated Risk Management Program
• External Participation
Implementation Tiers
Tier 1: Partial · Tier 2: Risk Informed · Tier 3: Repeatable · Tier 4: Adaptive
Each Tier is assessed along the three key properties:
• Risk Management Process: The functionality and repeatability of cybersecurity risk management
• Integrated Risk Management Program: The extent to which cybersecurity is considered in broader risk management decisions
• External Participation: The degree to which the organization benefits by sharing or receiving information from outside parties
Intel Adaptation of Implementation Tiers
Same four Tiers (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive), rated across four areas:
• People: Whether people have assigned roles, regular training, take initiative by becoming champions, etc.
• Process: NIST Risk Management Process + NIST Integrated Risk Management Program
• Technology: Whether tools are implemented, maintained, evolved, provide effectiveness metrics, etc.
• Ecosystem: NIST External Participation + whether the organization understands its role in the ecosystem, including external dependencies with partners
Taxonomy Value Proposition
Plant classification is the placing of known plants into groups or categories
to show some relationship. Scientific classification follows a system of
rules that standardizes the results, and groups successive categories into
a hierarchy.
For example, the family to which lilies belong is classified as:
• Kingdom: Plantae
• Phylum: Magnoliophyta
• Class: Liliopsida
• Order: Liliales
• Family: Liliaceae
• Genus: ......
• Species: ......
Value Proposition
• Accurate communication
• Quickly categorize known
• Logically name unknown
• Inherent properties understood based on name
Core
Cybersecurity Framework Component
Functions (with the question each answers) and their Categories (ID):
• Identify (What processes and assets need protection?): Asset Management (ID.AM); Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Risk Management Strategy (ID.RM)
• Protect (What safeguards are available?): Access Control (PR.AC); Awareness and Training (PR.AT); Data Security (PR.DS); Information Protection Processes & Procedures (PR.IP); Maintenance (PR.MA); Protective Technology (PR.PT)
• Detect (What techniques can identify incidents?): Anomalies and Events (DE.AE); Security Continuous Monitoring (DE.CM); Detection Processes (DE.DP)
• Respond (What techniques can contain impacts of incidents?): Response Planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM)
• Recover (What techniques can restore capabilities?): Recovery Planning (RC.RP); Improvements (RC.IM); Communications (RC.CO)
Core
Cybersecurity Framework Component
The same Function/Category table, with one Category, Business Environment (ID.BE), expanded into its Subcategories and Informative References:
ID.BE-1: The organization’s role in the supply chain is identified and communicated
  Informative References: COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
  Informative References: COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  Informative References: COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  Informative References: ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established
  Informative References: COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Profile
Cybersecurity Framework Component
Functions: Identify, Protect, Detect, Respond, Recover
Ways to think about a Profile:
• A customization of the Core for a given sector, subsector, or organization
• A fusion of business/mission logic and cybersecurity outcomes
• An alignment of cybersecurity requirements with operational methodologies
• A basis for assessment and expressing target state
• A decision support tool for cybersecurity risk management
Supporting Risk Management with Framework
Building a Profile
A Profile Can be Created in Three Steps
1. Subcategories (1, 2, 3, … 98) are laid out against Mission Objectives (A, B, C)
2. Cybersecurity Requirements are layered on: Legislation, Regulation, Internal & External Policy, Best Practice
3. Operating Methodologies are attached: Guidance and methodology on implementing, managing, and monitoring
Set Priorities
Use Cybersecurity Framework Profiles to determine Priorities
Each Subcategory receives a priority from each requirement source (Law, Regulation, Business Objectives, Threat Profile); sources are labeled Static (e.g. Law, Regulation) or Dynamic (e.g. Threat Profile).
Subcats | Requirements
1       | High, High, High
2       | Mod, High, Mod, Mod
3       | Low, Low, Low
...     | ...
98      | Mod, Mod
Resource and Budget Decisioning
What Can You Do with a CSF Profile
Sub-category | Priority | Gaps   | Budget | Year 1 / Year 2 Activities
1            | moderate | small  | $$$    | X
2            | high     | large  | $$     | X
3            | moderate | medium | $      | X
…            | …        | …      | …      |
98           | moderate | none   | $$     | reassess
Profiles over time: As-Is → Year 1 To-Be → Year 2 To-Be
…and supports on-going operational decisions too
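The three Profile slides above (Building a Profile, Set Priorities, Resource and Budget Decisioning) describe a procedure: start from the Core’s Subcategory identifiers, attach the requirement sources that apply to each, derive a priority, and compare an As-Is state with a To-Be state to decide what gets funded first. The Python below is an added example, not NIST’s code and not part of the Framework: it validates Subcategory IDs against the Function and Category IDs shown on the Core slide, then ranks a constructed sample Profile by priority and gap. The Low/Mod/High labels follow the Set Priorities slide; the requirement sources, the 0..3 implementation-level scale used for the As-Is/To-Be comparison (not the Framework’s Implementation Tiers), and the fund/reassess labels are assumptions made here for illustration.

```python
"""Added example (not NIST's code): validate Framework Core Subcategory IDs
and rank a constructed Profile for budget decisions.

Function and Category IDs are those shown on the Core slide. Everything else
(sample rows, requirement sources, the 0..3 implementation level, the
fund/reassess labels) is constructed for illustration."""
import re
from dataclasses import dataclass

# Framework Core Functions and their two-letter IDs (from the Core slide).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Framework Core Categories (from the Core slide).
CATEGORIES = {
    "ID.AM": "Asset Management", "ID.BE": "Business Environment",
    "ID.GV": "Governance", "ID.RA": "Risk Assessment",
    "ID.RM": "Risk Management Strategy",
    "PR.AC": "Access Control", "PR.AT": "Awareness and Training",
    "PR.DS": "Data Security",
    "PR.IP": "Information Protection Processes & Procedures",
    "PR.MA": "Maintenance", "PR.PT": "Protective Technology",
    "DE.AE": "Anomalies and Events",
    "DE.CM": "Security Continuous Monitoring",
    "DE.DP": "Detection Processes",
    "RS.RP": "Response Planning", "RS.CO": "Communications",
    "RS.AN": "Analysis", "RS.MI": "Mitigation", "RS.IM": "Improvements",
    "RC.RP": "Recovery Planning", "RC.IM": "Improvements",
    "RC.CO": "Communications",
}

# Subcategory IDs have the shape <Function>.<Category>-<number>, e.g. ID.BE-1.
SUBCAT_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-([1-9]\d*)$")

# Priority labels as used on the Set Priorities slide, ranked for sorting.
PRIORITY_RANK = {"Low": 1, "Mod": 2, "High": 3}


def parse_subcategory(sub_id):
    """Return (Function name, Category name, index) for a well-formed
    Subcategory ID; reject malformed IDs and Categories not in the Core."""
    m = SUBCAT_RE.match(sub_id)
    if m is None:
        raise ValueError(f"malformed Subcategory ID: {sub_id!r}")
    fn, cat, idx = m.groups()
    cat_id = f"{fn}.{cat}"
    if cat_id not in CATEGORIES:
        raise ValueError(f"unknown Category: {cat_id}")
    return FUNCTIONS[fn], CATEGORIES[cat_id], int(idx)


@dataclass
class ProfileRow:
    sub_id: str
    # Step 2 of Building a Profile: each requirement source (law, regulation,
    # policy, best practice, threat profile) assigns its own priority label.
    requirements: dict
    current_level: int  # As-Is on a constructed 0..3 scale (not an Implementation Tier)
    target_level: int   # To-Be on the same constructed scale

    def __post_init__(self):
        parse_subcategory(self.sub_id)  # fail fast on an ID outside the Core
        for lvl in (self.current_level, self.target_level):
            if not 0 <= lvl <= 3:
                raise ValueError(f"level out of range: {lvl}")
        for label in self.requirements.values():
            if label not in PRIORITY_RANK:
                raise ValueError(f"unknown priority label: {label!r}")

    def priority(self):
        """Step 3: the row's priority is the highest any requirement source
        assigns; a Subcategory nobody requires defaults to Low."""
        if not self.requirements:
            return "Low"
        return max(self.requirements.values(), key=PRIORITY_RANK.__getitem__)

    def gap(self):
        """Distance from As-Is to To-Be; an already-met target has no gap."""
        return max(0, self.target_level - self.current_level)


def rank_for_budget(rows):
    """Order rows for the Resource and Budget Decisioning table: highest
    priority first, then largest gap; rows with no gap are flagged for
    reassessment instead of funding."""
    ordered = sorted(rows, reverse=True,
                     key=lambda r: (PRIORITY_RANK[r.priority()], r.gap()))
    return [(r.sub_id, r.priority(), r.gap(),
             "reassess" if r.gap() == 0 else "fund") for r in ordered]


# Constructed sample Profile: levels and requirement labels are made up.
SAMPLE_PROFILE = [
    ProfileRow("ID.BE-1", {"Regulation": "High", "Best Practice": "Mod"}, 1, 3),
    ProfileRow("PR.AC-1", {"Law": "High", "Regulation": "High"}, 0, 3),
    ProfileRow("DE.CM-1", {"Internal Policy": "Mod"}, 3, 3),
    ProfileRow("RC.RP-1", {"Best Practice": "Low"}, 1, 2),
]

if __name__ == "__main__":
    for sub_id, prio, gap, action in rank_for_budget(SAMPLE_PROFILE):
        fn, cat, _ = parse_subcategory(sub_id)
        print(f"{sub_id:8} {fn:8} {cat:32} {prio:4} gap={gap} {action}")
```

Taking the maximum priority across requirement sources mirrors the Set Priorities table, where a single High from regulation outranks a Mod from internal policy; sorting on (priority, gap) reproduces the budget table’s ordering, and a zero gap surfaces as “reassess” just as row 98 does on the slide.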
Operate
Use Cybersecurity Framework Profiles to distribute and organize labor
Subcats | Reqs       | Priorities | Who | What | When | Where | How
1       | A, B       | High       |
2       | C, D, E, F | High       |
3       | G, H, I, J | Low        |
...     | ...        | ...        |
98      | XX, YY, ZZ | Mod        |
Profile Ecosystem
• TAXONOMY, from the National Institute of Standards and Technology: the Cybersecurity Framework Core (Subcategories 1, 2, 3, … 98)
• REQUIREMENTS, added by a Community or Organization: 1 → Req A; 2 → Req B; 3 → Req C; …; 98 → Req ZZ
• PRIORITIES, set by an Organization or Community: 1 Req A High; 2 Req B Mod; 3 Req C Low; …; 98 Req ZZ High. The result is a Cybersecurity Framework Profile
• Crosswalks and Mappings connect the layers
Using Profiles to Drive Incident Resourcing
Categories marked (X) in the Respond and Recover columns of the Profile, i.e. the parts of the Core an incident draws on:
• Identify: Asset Management (ID.AM); Risk Management Strategy (ID.RM)
• Protect: Access Control (PR.AC); Awareness and Training (PR.AT); Data Security (PR.DS); Information Protection Processes & Procedures (PR.IP); Protective Technology (PR.PT, marked under both Respond and Recover)
• Detect: Anomalies and Events (DE.AE); Security Continuous Monitoring (DE.CM); Detection Processes (DE.DP)
• Respond: Response Planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM)
• Recover: Recovery Planning (RC.RP); Improvements (RC.IM); Communications (RC.CO)
Not marked: Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Maintenance (PR.MA)
Key Attributes
• It’s a framework, not a prescription
• It provides a common language and systematic methodology for
managing cyber risk
• It is meant to be adapted
• It does not tell a company how much cyber risk is tolerable, nor
does it claim to provide “the one and only” formula for cybersecurity
• Having a common lexicon to enable action across a very diverse set
of stakeholders will enable the best practices of elite companies to
become standard practices for everyone
• The framework is a living document
• It is intended to be updated over time as stakeholders learn from
implementation, and as technology and risks change
• That’s one reason why the framework focuses on questions an
organization needs to ask itself to manage its risk. While practices,
technology, and standards will change over time, principles will not
Where Should I Start?
Framework Version 1.0, Section 3.2, Step 1:
Prioritize and Scope. The organization identifies its
business/mission objectives and high-level
organizational priorities. With this information, the
organization makes strategic decisions regarding
cybersecurity implementations and determines the
scope of systems and assets that support the selected
business line or process. The Framework can be
adapted to support the different business lines or
processes within an organization, which may have
different business needs and associated risk tolerance.
(1) Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
(2a) Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
(2b) Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Operate & Maintain
Common Patterns of Use
• Integrate the Functions into Your Leadership
Vocabulary and Management Tool Sets
• Determine Optimal Risk Management Using
Implementation Tiers
• Measure Current Risk Management Using
Implementation Tiers
• Reflect on Business Environment, Governance,
and Risk Management Strategy Categories
• Develop a Profile of Cybersecurity Priorities,
Leveraging (Sub)Sector Profiles When Available
Examples of Framework Industry Resources
• The Cybersecurity Framework in Action: An Intel Use Case
• Energy Sector Cybersecurity Framework Implementation Guidance
• Cybersecurity Guidance for Small Firms
• Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
• Italy’s National Framework for Cybersecurity
Examples of U.S. State & Local Use
Texas, Department of Information Resources
• Aligned Agency Security Plans with Framework
• Aligned Product and Service Vendor Requirements with Framework
Houston, Greater Houston Partnership
• Integrated Framework into their Cybersecurity Guide
• Offer On-Line Framework Self-Assessment
North Dakota, Information Technology Department
• Allocated Roles & Responsibilities using Framework
• Adopted the Framework into their Security Operation Strategy
National Association of State CIOs
• 2 out of 3 CIOs from the 2015 NASCIO Awards cited
Framework as a part of their award-winning strategy
New Jersey
• Developed a cybersecurity framework that aligns controls and
procedures with Framework
Roadmap Items
Areas the Cybersecurity Framework Roadmap identifies for further work:
• Authentication
• Automated Indicator Sharing
• Conformity Assessment
• Cybersecurity Workforce
• Data Analytics
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards
Recent Framework Related Policy and Legislation
Cybersecurity Enhancement Act of 2014
• Codified NIST’s on-going role facilitating Framework evolution
• Asked NIST to facilitate fewer redundancies in regulation
Maritime Transportation Security Act of 2002
• Originally authored with physical security in mind
• Recently clarified to apply to cybersecurity
• Coast Guard publishing Framework Profile to help industry adapt
OMB Memorandum M-16-03 & 04
• M-16-03: FY 2015-16 Guidance on Federal Information Security and
Privacy Management Requirements
• M-16-04: Cybersecurity Strategy and Implementation Plan
Circular A-130 Update
• Provides generalized guidance for use of pre-existing FISMA-based
guidance like Risk Management Framework with Cybersecurity Framework
• NIST publishing guidance on using Risk Management Framework and
Cybersecurity Framework together
National Initiative for Cybersecurity Education
• Early stages of collaboration to show the connection points between Cybersecurity Framework and National Initiative for Cybersecurity Education
• Anticipate use cases for:
  • Organizing academic curriculum
  • Workforce roles and responsibilities
  • Professional certifications
Recent and Near-Term Framework Events
• Dec 11, 2015: RFI: Views on the Framework for Improving Critical Infrastructure Cybersecurity. Questions focused on: experiences, update, governance, and best practice sharing
• March 2016: RFI Analysis. Summary posted that includes analysis of topic trends in RFI responses and continued discussion topics for Workshop break-out sessions
• April 6-7, 2016, NIST Gaithersburg: Cybersecurity Framework Workshop 2016. Goal: Highlight examples of Framework use, gather feedback on timing and content of an update, governance, and best practice sharing
• May 2016: Workshop Summary. Publication on the topics that evoked the most consensus and dissonance at Cybersecurity Framework Workshop 2016
RFI Questions and Workshop Discussion Threads
• ways in which the Framework is being used to improve
cybersecurity risk management,
• how best practices for using the Framework are being
shared,
• the relative value of different parts of the Framework,
• the possible need for an update of the Framework, and
• options for long-term governance of the Framework.
Request for Information: 11 December 2015 – 23 February 2016
https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-framework-for-improving-critical-infrastructure-cybersecurity
RFI Responses: http://csrc.nist.gov/cyberframework/rfi_comments_02_09_16.html
Cybersecurity Framework Workshop 2016: 6 & 7 April 2016
Registration: https://appam.certain.com/profile/form/index.cfm?PKformID=0x29774a453
More Info: http://www.nist.gov/cyberframework
Program Eras
Develop (Feb 2013 – Feb 2014)
  Key Milestones: Five Workshops; Request for Information; Request for Comment; Publication
  NIST is: Adjudicating Stakeholder Input; Crafting Version 1.0
  Stakeholders are: Participating in the development process
Support (Feb 2014 – Feb 2016)
  Key Milestones: Request for Information; Workshop; Speaking Events
  NIST is: Educating; Building a Knowledge Base and Resource Catalog
  Stakeholders are: Understanding and Piloting Framework; Sharing Work Products; Expanding Framework Implementations
Update (from Feb 2016)
  Key Milestones: Request for Information; Workshop; Request for Comment; Publication
  NIST is: Adjudicating Stakeholder Input; Crafting Version Next
  Stakeholders are: Participating in the Update Process
Resources
Where to Learn More and Stay Current
The National Institute of Standards and Technology Web site is available at http://www.nist.gov
NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/
The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework
For additional Framework info and help: cyberframework@nist.gov

More Related Content

PPTX
cybersecurity_framework_webinar_2017.pptx
PPTX
NIST CyberSecurity Framework: An Overview
PDF
A Major Revision of the CISRCP Program
PDF
Nist cybersecurity framework isc2 quantico
PDF
Introduction to NIST Cybersecurity Framework
PDF
NIST Cybersecurity Framework 101
PPTX
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
PDF
NIST Cybersecurity Framework (CSF) 2.0 Workshop
cybersecurity_framework_webinar_2017.pptx
NIST CyberSecurity Framework: An Overview
A Major Revision of the CISRCP Program
Nist cybersecurity framework isc2 quantico
Introduction to NIST Cybersecurity Framework
NIST Cybersecurity Framework 101
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
NIST Cybersecurity Framework (CSF) 2.0 Workshop

Similar to NIST critical_infrastructure_cybersecurity.pdf (20)

PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
PPTX
NIST CSF review - Essential Protections (a K12 perspective)
DOCX
Assignment You will conduct a systems analysis project by .docx
PPT
Sap Security Assessment V3 English
PDF
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
PPTX
Cybersecurity_Academy_NIST-NICE_Mapping_March_2021 (1).pptx
PDF
New technologies - Amer Haza'a
PDF
Information assurance /Information security
PPTX
CONTEXTUAL ARCHITECTURE.pptx
PDF
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
PDF
Cissp exam-outline
DOCX
Project 1CST630 Project ChecklistStudent Name DateNote This che
PPTX
PPT-Security-for-Management.pptx
PPTX
Building Your Information Security Program: Frameworks & Metrics
PPTX
Cyber Security IT GRC Management Model and Methodology.
PDF
Multi-vocal Review of security orchestration
PDF
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
PPTX
Why ISO 27001 for an Organisation
PDF
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
PPT
Developing an Information Security Program
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
NIST CSF review - Essential Protections (a K12 perspective)
Assignment You will conduct a systems analysis project by .docx
Sap Security Assessment V3 English
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
Cybersecurity_Academy_NIST-NICE_Mapping_March_2021 (1).pptx
New technologies - Amer Haza'a
Information assurance /Information security
CONTEXTUAL ARCHITECTURE.pptx
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Cissp exam-outline
Project 1CST630 Project ChecklistStudent Name DateNote This che
PPT-Security-for-Management.pptx
Building Your Information Security Program: Frameworks & Metrics
Cyber Security IT GRC Management Model and Methodology.
Multi-vocal Review of security orchestration
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Why ISO 27001 for an Organisation
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
Developing an Information Security Program
Ad

Recently uploaded (20)

PPTX
innovation process that make everything different.pptx
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
PDF
LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1
PPTX
Internet___Basics___Styled_ presentation
PDF
Paper PDF World Game (s) Great Redesign.pdf
PDF
The Internet -By the Numbers, Sri Lanka Edition
PDF
“Google Algorithm Updates in 2025 Guide”
PPTX
Funds Management Learning Material for Beg
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
PPTX
Introuction about WHO-FIC in ICD-10.pptx
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
PPTX
Digital Literacy And Online Safety on internet
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
PPTX
CSharp_Syntax_Basics.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PPTX
international classification of diseases ICD-10 review PPT.pptx
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
innovation process that make everything different.pptx
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1
Internet___Basics___Styled_ presentation
Paper PDF World Game (s) Great Redesign.pdf
The Internet -By the Numbers, Sri Lanka Edition
“Google Algorithm Updates in 2025 Guide”
Funds Management Learning Material for Beg
An introduction to the IFRS (ISSB) Stndards.pdf
Introuction about WHO-FIC in ICD-10.pptx
Decoding a Decade: 10 Years of Applied CTI Discipline
Tenda Login Guide: Access Your Router in 5 Easy Steps
Digital Literacy And Online Safety on internet
Introuction about ICD -10 and ICD-11 PPT.pptx
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CSharp_Syntax_Basics.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxx
international classification of diseases ICD-10 review PPT.pptx
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
Unit-1 introduction to cyber security discuss about how to secure a system
INTERNET------BASICS-------UPDATED PPT PRESENTATION
Ad

NIST critical_infrastructure_cybersecurity.pdf

  • 1. Framework for Improving Critical Infrastructure Cybersecurity June 2016 cyberframework@nist.gov
  • 2. About NIST • NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. • 3,000 employees • 2,700 guest researchers • 1,300 field staff in partner organizations • Two main locations: Gaithersburg, MD and Boulder, CO NIST Priority Research Areas National Institute of Standards and Technology (NIST) Advanced Manufacturing IT and Cybersecurity Healthcare Forensic Science Disaster Resilience Cyber-physical Systems Advanced Communications
  • 3. Improving Critical Infrastructure Cybersecurity “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” President Barack Obama Executive Order 13636, 12 February 2013 3
  • 4. Based on the Executive Order, the Cybersecurity Framework Must... • Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks • Provide a prioritized, flexible, repeatable, performance- based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk • Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations • Be consistent with voluntary international standards 4
  • 5. 5 Development of the Framework Engage the Framework Stakeholders Collect, Categorize, and Post RFI Responses Analyze RFI Responses Identify Framework Elements Prepare and Publish Framework EO 13636 Issued – February 12, 2013 NIST Issues RFI – February 26, 2013 1st Framework Workshop – April 03, 2013 Completed – April 08, 2013 Identify Common Practices/Themes – May 15, 2013 2nd Framework Workshop at CMU – May 2013 Draft Outline of Preliminary Framework – June 2013 3rd Workshop at UCSD – July 2013 4th Workshop at UT Dallas – Sept 2013 5th Workshop at NC State – Nov 2013 Published Framework – Feb 2014 Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process… and to this day
  • 6. The Cybersecurity Framework Is for Organizations… 6 • Of any size, in any sector in (and outside of) the critical infrastructure • That already have a mature cyber risk management and cybersecurity program • That don’t yet have a cyber risk management or cybersecurity program • With a mission of helping keep up-to-date on managing risk and facing business or societal threats
  • 7. Cybersecurity Framework Components Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Supports prioritization and measurement while factoring in business needs Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Core Framework Implementation Tiers Framework Profile 7
  • 8. Key Properties of Cyber Risk Management 8       Risk  Management   Process   Integrated  Risk  Management  Program   External   Par6cipa6on  
  • 9. Implementation Tiers 9 1   2   3   4   Par6al   Risk   Informed   Repeatable   Adap6ve   Risk   Management   Process   The  func)onality  and  repeatability  of  cybersecurity  risk   management   Integrated  Risk   Management   Program   The  extent  to  which  cybersecurity  is  considered  in  broader   risk  management  decisions   External   Par6cipa6on   The  degree  to  which  the  organiza)on  benefits  my  sharing  or   receiving  informa)on  from  outside  par)es   9
  • 10. Intel Adaptation of Implementation Tiers 10 1   2   3   4   Par6al   Risk   Informed   Repeatable   Adap6ve   People   Whether  people  have  assigned  roles,  regular  training,  take   ini)a)ve  by  becoming  champions,  etc.   Process   NIST  Risk  Management  Process  +   NIST  Integrated  Risk  Management  Program   Technology   Whether  tools  are  implemented,  maintained,  evolved,   provide  effec)veness  metrics,  etc.   Ecosystem   NIST  External  Par9cipa9on  +   Whether  the  organiza)on  understands  its  role  in  the   ecosystem,  including  external  dependencies  with  partners   10
  • 11. Taxonomy  Value  Proposi)on   Plant classification is the placing of known plants into groups or categories to show some relationship. Scientific classification follows a system of rules that standardizes the results, and groups successive categories into a hierarchy. For example, the family to which lilies belong is classified as: • Kingdom: Plantae • Phylum: Magnoliophyta • Class: Liliopsida • Order: Liliales • Family: Liliaceae • Genus: ...... • Species: ...... Value Proposition • Accurate communication • Quickly categorize known • Logically name unknown • Inherent properties understood based on name
  • 12. Core Cybersecurity Framework Component
    Function (the question it answers) | Category | ID
    Identify (What processes and assets need protection?)
      Asset Management | ID.AM
      Business Environment | ID.BE
      Governance | ID.GV
      Risk Assessment | ID.RA
      Risk Management Strategy | ID.RM
    Protect (What safeguards are available?)
      Access Control | PR.AC
      Awareness and Training | PR.AT
      Data Security | PR.DS
      Information Protection Processes & Procedures | PR.IP
      Maintenance | PR.MA
      Protective Technology | PR.PT
    Detect (What techniques can identify incidents?)
      Anomalies and Events | DE.AE
      Security Continuous Monitoring | DE.CM
      Detection Processes | DE.DP
    Respond (What techniques can contain impacts of incidents?)
      Response Planning | RS.RP
      Communications | RS.CO
      Analysis | RS.AN
      Mitigation | RS.MI
      Improvements | RS.IM
    Recover (What techniques can restore capabilities?)
      Recovery Planning | RC.RP
      Improvements | RC.IM
      Communications | RC.CO
  • 13. Core Cybersecurity Framework Component
    Function | Category (ID)
    Identify: Asset Management (ID.AM); Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Risk Management Strategy (ID.RM)
    Protect: Access Control (PR.AC); Awareness and Training (PR.AT); Data Security (PR.DS); Information Protection Processes & Procedures (PR.IP); Maintenance (PR.MA); Protective Technology (PR.PT)
    Detect: Anomalies and Events (DE.AE); Security Continuous Monitoring (DE.CM); Detection Processes (DE.DP)
    Respond: Response Planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM)
    Recover: Recovery Planning (RC.RP); Improvements (RC.IM); Communications (RC.CO)
    Each Category breaks down into Subcategories, each with Informative References, shown here for Business Environment (ID.BE):
    • ID.BE-1: The organization’s role in the supply chain is identified and communicated. References: COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
    • ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated. References: COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
    • ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated. References: COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
    • ID.BE-4: Dependencies and critical functions for delivery of critical services are established. References: ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
    • ID.BE-5: Resilience requirements to support delivery of critical services are established. References: COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
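The Informative References above are the raw material for the crosswalks and mappings the deck later mentions: the same control (say NIST SP 800-53 SA-14) shows up under several Subcategories, so a team that has already implemented it can see which Framework outcomes it contributes to. The following is an added example, not NIST's code or part of the deck: it parses the reference lines exactly as printed on slide 13 for ID.BE-1 to ID.BE-5 and builds the crosswalk in both directions. The standard names recognised by the parser are the four that appear on the slide.

```python
"""Parse the Informative References shown for ID.BE-1..5 and build a crosswalk in
both directions (subcategory -> controls, control -> subcategories). The reference
text is copied from the slide; the parser and index are this example's own code."""
import re

# Informative-reference standards that appear on the slide (assumption: only these four)
STANDARDS = ("COBIT 5", "ISO/IEC 27001:2013", "ISA 62443-2-1:2009", "NIST SP 800-53 Rev. 4")
_REF_RE = re.compile(r"^(" + "|".join(re.escape(s) for s in STANDARDS) + r")\s+(.+)$")

# Subcategory -> informative reference lines, as printed on slide 13
INFORMATIVE_REFERENCES = {
    "ID.BE-1": ["COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05",
                "ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2",
                "NIST SP 800-53 Rev. 4 CP-2, SA-12"],
    "ID.BE-2": ["COBIT 5 APO02.06, APO03.01",
                "NIST SP 800-53 Rev. 4 PM-8"],
    "ID.BE-3": ["COBIT 5 APO02.01, APO02.06, APO03.01",
                "ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6",
                "NIST SP 800-53 Rev. 4 PM-11, SA-14"],
    "ID.BE-4": ["ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3",
                "NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14"],
    "ID.BE-5": ["COBIT 5 DSS04.02",
                "ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1",
                "NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14"],
}


def is_known_standard(text):
    """True if the line starts with one of the standards the parser recognises."""
    return _REF_RE.match(text.strip()) is not None


def parse_reference(text):
    """Split one reference line into (standard, control) pairs, e.g.
    'NIST SP 800-53 Rev. 4 CP-2, SA-12' -> [(std, 'CP-2'), (std, 'SA-12')]."""
    m = _REF_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised informative reference: {text!r}")
    standard, controls = m.groups()
    return [(standard, c.strip()) for c in controls.split(",") if c.strip()]


def build_crosswalk(refs=INFORMATIVE_REFERENCES):
    """Return (forward, reverse): forward maps a subcategory to its set of
    (standard, control) pairs; reverse maps each pair to the subcategories citing it."""
    forward, reverse = {}, {}
    for subcat, lines in refs.items():
        for line in lines:
            for pair in parse_reference(line):
                forward.setdefault(subcat, set()).add(pair)
                reverse.setdefault(pair, set()).add(subcat)
    return forward, {pair: sorted(subs) for pair, subs in reverse.items()}


def subcategories_citing(standard, control, refs=INFORMATIVE_REFERENCES):
    """Which Framework outcomes does satisfying this one control contribute to?"""
    return build_crosswalk(refs)[1].get((standard, control), [])


def controls_for(subcat, standard, refs=INFORMATIVE_REFERENCES):
    """Which controls from one standard are mapped to this subcategory?"""
    forward = build_crosswalk(refs)[0]
    return sorted(c for s, c in forward.get(subcat, ()) if s == standard)


if __name__ == "__main__":
    print(subcategories_citing("NIST SP 800-53 Rev. 4", "SA-14"))  # ['ID.BE-3', 'ID.BE-4', 'ID.BE-5']
    print(controls_for("ID.BE-4", "ISO/IEC 27001:2013"))            # ['A.11.2.2', 'A.11.2.3', 'A.12.1.3']
```

The reverse index is the useful direction for an organization that starts from an existing control catalog: it answers "which outcomes do we already cover" without re-reading the whole Core. Extending it to other Categories is only a matter of adding their reference lines to the dictionary in the same printed format.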
  • 14. Profile Cybersecurity Framework Component
    (Functions: Identify, Protect, Detect, Respond, Recover)
    Ways to think about a Profile:
    • A customization of the Core for a given sector, subsector, or organization
    • A fusion of business/mission logic and cybersecurity outcomes
    • An alignment of cybersecurity requirements with operational methodologies
    • A basis for assessment and expressing target state
    • A decision support tool for cybersecurity risk management
  • 15. Supporting Risk Management with Framework
  • 16. Building a Profile: A Profile Can be Created in Three Steps
    Each input is mapped against the Core subcategories (1, 2, 3, ..., 98):
    • Step 1, Mission Objectives: A, B, C
    • Step 2, Cybersecurity Requirements: legislation, regulation, internal & external policy, best practice
    • Step 3, Operating Methodologies: guidance and methodology on implementing, managing, and monitoring
  • 17. Set Priorities: Use Cybersecurity Framework Profiles to determine Priorities
    Each subcategory is rated against each requirement source (Law, Regulation, Business Objectives, Threat Profile); some sources are static, others dynamic. Ratings as shown on the slide, with empty cells omitted:
    • Subcategory 1: High, High, High
    • Subcategory 2: Mod, High, Mod, Mod
    • Subcategory 3: Low, Low, Low
    • ...
    • Subcategory 98: Mod, Mod
  • 18. Resource and Budget Decisioning: What Can You Do with a CSF Profile
    Sub-category | Priority | Gaps | Budget | Activities (Year 1 / Year 2)
    1   | moderate | small  | $$$ | X
    2   | high     | large  | $$  | X
    3   | moderate | medium | $   | X
    ... | ...      | ...    | ... |
    98  | moderate | none   | $$  | reassess
    (The slide places each X in either the Year 1 or the Year 2 column. Columns read left to right as As-Is, Year 1 To-Be, Year 2 To-Be.)
    ...and supports on-going operational decisions too
  • 19. Operate: Use Cybersecurity Framework Profiles to distribute and organize labor
    Subcategory | Reqs | Priorities | Who | What | When | Where | How
    1   | A, B       | High |
    2   | C, D, E, F | High |
    3   | G, H, I, J | Low  |
    ... | ...        | ...  |
    98  | XX, YY, ZZ | Mod  |
    (Reqs and Priorities are carried over from the Profile; the remaining columns assign the work.)
  • 20. Profile Ecosystem
    • Taxonomy (Cybersecurity Framework Core), provided by the National Institute of Standards and Technology: subcategories 1, 2, 3, ..., 98
    • Requirements, provided by a community or organization through crosswalks and mappings: 1 Req A; 2 Req B; 3 Req C; ...; 98 Req ZZ
    • Priorities, set by an organization or community: 1 Req A High; 2 Req B Mod; 3 Req C Low; ...; 98 Req ZZ High
    • Taxonomy + requirements + priorities together form a Cybersecurity Framework Profile
  • 21. Using Profiles to Drive Incident Resourcing
    The Core table (Function | Category | ID) gains two columns, Respond and Recover, and each Category that incident response or recovery draws on is marked with an X:
    • Identify: Asset Management (ID.AM) X; Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Risk Management Strategy (ID.RM) X
    • Protect: Access Control (PR.AC) X; Awareness and Training (PR.AT) X; Data Security (PR.DS) X; Information Protection Processes & Procedures (PR.IP) X; Maintenance (PR.MA); Protective Technology (PR.PT) X X
    • Detect: Anomalies and Events (DE.AE) X; Security Continuous Monitoring (DE.CM) X; Detection Processes (DE.DP) X
    • Respond: Response Planning (RS.RP) X; Communications (RS.CO) X; Analysis (RS.AN) X; Mitigation (RS.MI) X; Improvements (RS.IM) X
    • Recover: Recovery Planning (RC.RP) X; Improvements (RC.IM) X; Communications (RC.CO) X
    (The slide places each X in either the Respond or the Recover column; PR.PT is marked in both.)
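Slides 16 to 21 describe one procedure: build a Profile over the Core subcategories, rate each against the requirement sources, compare the As-Is and To-Be state, and turn the result into budgeted Year 1 / Year 2 work and a per-Function view for communicating risk. The following is an added example, not NIST's code or part of the deck, that carries that procedure through in code. The Function and Category names and IDs are the Core taxonomy from slides 12 and 13; the subcategory numbers, the Low/Mod/High ratings, the Tier values used as As-Is/To-Be, the "$" budget scale and the year-1 capacity are constructed sample values, and the greedy year split is this example's own rule rather than anything the Framework prescribes.

```python
"""Model a Framework Profile as data and derive a prioritized, budgeted plan.
Taxonomy (Functions, Categories, IDs) is from slides 12-13; every rating, tier
and budget below is a constructed sample value, and the greedy year split is
this example's own rule, not a NIST method."""
import re
from dataclasses import dataclass

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
CATEGORIES = {
    "ID.AM": "Asset Management", "ID.BE": "Business Environment", "ID.GV": "Governance",
    "ID.RA": "Risk Assessment", "ID.RM": "Risk Management Strategy",
    "PR.AC": "Access Control", "PR.AT": "Awareness and Training", "PR.DS": "Data Security",
    "PR.IP": "Information Protection Processes & Procedures", "PR.MA": "Maintenance",
    "PR.PT": "Protective Technology",
    "DE.AE": "Anomalies and Events", "DE.CM": "Security Continuous Monitoring",
    "DE.DP": "Detection Processes",
    "RS.RP": "Response Planning", "RS.CO": "Communications", "RS.AN": "Analysis",
    "RS.MI": "Mitigation", "RS.IM": "Improvements",
    "RC.RP": "Recovery Planning", "RC.IM": "Improvements", "RC.CO": "Communications",
}
RATING = {"Low": 1, "Mod": 2, "High": 3}                 # slide 17 scale
_SUBCAT_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d+)$")


def parse_subcategory(sid):
    """Validate an id like 'ID.BE-1' against the Core; return (function, category, n)."""
    m = _SUBCAT_RE.match(sid)
    if not m:
        raise ValueError(f"malformed subcategory id: {sid!r}")
    fn, cat, n = m.groups()
    if fn not in FUNCTIONS or f"{fn}.{cat}" not in CATEGORIES:
        raise ValueError(f"not a Core category: {fn}.{cat}")
    return FUNCTIONS[fn], CATEGORIES[f"{fn}.{cat}"], int(n)


def is_core_subcategory(sid):
    try:
        parse_subcategory(sid)
        return True
    except ValueError:
        return False


@dataclass
class ProfileEntry:
    subcat: str      # Core subcategory id
    sources: dict    # requirement source -> "Low"/"Mod"/"High" (law, regulation, ...)
    as_is: int       # current Implementation Tier 1..4
    to_be: int       # target Implementation Tier 1..4
    budget: str      # rough cost, "$" to "$$$"

    def __post_init__(self):
        parse_subcategory(self.subcat)        # reject ids outside the Core taxonomy
        if not (1 <= self.as_is <= 4 and 1 <= self.to_be <= 4):
            raise ValueError("tiers must be in 1..4")

    @property
    def priority(self):
        """Highest rating any requirement source assigns; Low if nothing demands it."""
        return max(self.sources.values(), key=RATING.__getitem__, default="Low")

    @property
    def gap(self):
        return max(0, self.to_be - self.as_is)

    @property
    def cost(self):
        return self.budget.count("$")


def plan(entries, year1_capacity):
    """Rank open gaps by priority, then gap size; fill Year 1 greedily up to the
    budget cap, push the rest to Year 2, and flag closed gaps for reassessment."""
    ranked = sorted((e for e in entries if e.gap > 0),
                    key=lambda e: (-RATING[e.priority], -e.gap, e.subcat))
    out = {"Year 1": [], "Year 2": [],
           "Reassess": sorted(e.subcat for e in entries if e.gap == 0)}
    spent = 0
    for e in ranked:
        if spent + e.cost <= year1_capacity:
            out["Year 1"].append(e.subcat)
            spent += e.cost
        else:
            out["Year 2"].append(e.subcat)
    return out


def open_gaps_by_function(entries):
    """Count open gaps per Function, the level at which slide 7 says risk is communicated."""
    counts = {}
    for e in entries:
        if e.gap > 0:
            fn = parse_subcategory(e.subcat)[0]
            counts[fn] = counts.get(fn, 0) + 1
    return counts


# Constructed sample Profile (ratings, tiers and budgets are illustrative only)
SAMPLE_PROFILE = [
    ProfileEntry("ID.BE-1", {"Law": "High", "Regulation": "High", "Business": "High"}, 2, 3, "$$$"),
    ProfileEntry("PR.AC-1", {"Regulation": "Mod", "Business": "High", "Threat": "Mod"}, 1, 4, "$$"),
    ProfileEntry("DE.CM-1", {"Business": "Low", "Threat": "Low"}, 2, 2, "$"),
    ProfileEntry("RS.RP-1", {"Law": "Mod", "Threat": "Mod"}, 1, 3, "$$"),
    ProfileEntry("RC.CO-1", {"Business": "Mod"}, 2, 3, "$"),
]

if __name__ == "__main__":
    print(plan(SAMPLE_PROFILE, year1_capacity=5))
    print(open_gaps_by_function(SAMPLE_PROFILE))
```

The validation in `parse_subcategory` is what keeps a Profile tied to the shared taxonomy: a requirement mapped to an ID that is not in the Core cannot be communicated to anyone else using the Framework, so it is rejected at the point of entry. The per-Function count is the kind of rollup a leadership audience gets, while the ranked plan is what the operating team works from.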
  • 22. Key Attributes
    • It’s a framework, not a prescription
      • It provides a common language and systematic methodology for managing cyber risk
      • It is meant to be adapted
      • It does not tell a company how much cyber risk is tolerable, nor does it claim to provide “the one and only” formula for cybersecurity
      • Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone
    • The framework is a living document
      • It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change
      • That’s one reason why the framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time, principles will not
  • 23. Where Should I Start?
    Framework Version 1.0, Section 3.2, Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance.
    Starting Categories, all from the Identify Function:
    • (1) Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
    • (2a) Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
    • (2b) Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
    • Then: Operate & Maintain
  • 24. Common Patterns of Use
    • Integrate the Functions into Your Leadership Vocabulary and Management Tool Sets
    • Determine Optimal Risk Management Using Implementation Tiers
    • Measure Current Risk Management Using Implementation Tiers
    • Reflect on Business Environment, Governance, and Risk Management Strategy Categories
    • Develop a Profile of Cybersecurity Priorities, Leveraging (Sub)Sector Profiles When Available
  • 25. Examples of Framework Industry Resources
    • The Cybersecurity Framework in Action: An Intel Use Case
    • Energy Sector Cybersecurity Framework Implementation Guidance
    • Cybersecurity Guidance for Small Firms
    • Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
    • Italy’s National Framework for Cybersecurity
  • 26. Examples of U.S. State & Local Use
    • Texas, Department of Information Resources
      • Aligned Agency Security Plans with Framework
      • Aligned Product and Service Vendor Requirements with Framework
    • Houston, Greater Houston Partnership
      • Integrated Framework into their Cybersecurity Guide
      • Offer On-Line Framework Self-Assessment
    • North Dakota, Information Technology Department
      • Allocated Roles & Responsibilities using Framework
      • Adopted the Framework into their Security Operation Strategy
    • National Association of State CIOs
      • 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy
    • New Jersey
      • Developed a cybersecurity framework that aligns controls and procedures with Framework
  • 27. Roadmap Items (arranged around the Cybersecurity Framework)
    • Authentication
    • Automated Indicator Sharing
    • Conformity Assessment
    • Cybersecurity Workforce
    • Data Analytics
    • Federal Agency Cybersecurity Alignment
    • International Aspects, Impacts, and Alignment
    • Supply Chain Risk Management
    • Technical Privacy Standards
  • 28. Framework Roadmap Items
    • Authentication
    • Automated Indicator Sharing
    • Conformity Assessment
    • Cybersecurity Workforce
    • Data Analytics
    • Federal Agency Cybersecurity Alignment
    • International Aspects, Impacts, and Alignment
    • Supply Chain Risk Management
    • Technical Privacy Standards
  • 29. Recent Framework Related Policy and Legislation
    • Cybersecurity Enhancement Act of 2014
      • Codified NIST’s on-going role facilitating Framework evolution
      • Asked NIST to help reduce redundancy in regulation
    • Maritime Transportation Security Act of 2002
      • Originally authored with physical security in mind
      • Recently clarified to apply to cybersecurity
      • Coast Guard publishing Framework Profile to help industry adapt
    • OMB Memorandum M-16-03 & 04
      • M-16-03: FY 2015-16 Guidance on Federal Information Security and Privacy Management Requirements
      • M-16-04: Cybersecurity Strategy and Implementation Plan
    • Circular A-130 Update
      • Provides generalized guidance for use of pre-existing FISMA-based guidance like the Risk Management Framework with the Cybersecurity Framework
      • NIST publishing guidance on using the Risk Management Framework and Cybersecurity Framework together
  • 30. Framework Roadmap Items (section divider repeating the slide 28 list)
  • 31. National Initiative for Cybersecurity Education
    • Early stages of collaboration to show the connection points between Cybersecurity Framework and National Initiative for Cybersecurity Education
    • Anticipated use cases:
      • Organizing academic curriculum
      • Workforce roles and responsibilities
      • Professional certifications
  • 32. Recent and Near-Term Framework Events
    • Dec 11, 2015: RFI, Views on the Framework for Improving Critical Infrastructure Cybersecurity. Questions focused on: experiences, update, governance, and best practice sharing
    • March 2016: RFI Analysis Summary posted, including analysis of topic trends in RFI responses and continued discussion topics for Workshop break-out sessions
    • April 6-7, 2016, NIST Gaithersburg: Cybersecurity Framework Workshop 2016. Goal: highlight examples of Framework use; gather feedback on timing and content of an update, governance, and best practice sharing
    • May 2016: Workshop Summary publication on the topics that evoked the most consensus and dissonance at Cybersecurity Framework Workshop 2016
  • 33. RFI Questions and Workshop Discussion Threads
    • ways in which the Framework is being used to improve cybersecurity risk management,
    • how best practices for using the Framework are being shared,
    • the relative value of different parts of the Framework,
    • the possible need for an update of the Framework, and
    • options for long-term governance of the Framework.
    Request for Information, 11 December 2015 – 23 February 2016: https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-framework-for-improving-critical-infrastructure-cybersecurity
    RFI Responses: http://csrc.nist.gov/cyberframework/rfi_comments_02_09_16.html
    Cybersecurity Framework Workshop 2016, 6 & 7 April 2016. Registration: https://appam.certain.com/profile/form/index.cfm?PKformID=0x29774a453
    More Info: http://www.nist.gov/cyberframework
  • 34. Program Eras
    Develop (Feb 2013 – Feb 2014)
      • Key Milestones: Five Workshops; Request for Information; Request for Comment; Publication
      • NIST is: Adjudicating Stakeholder Input; Crafting Version 1.0
      • Stakeholders are: Participating in the development process
    Support (Feb 2014 – Feb 2016)
      • Key Milestones: Request for Information; Workshop; Speaking Events
      • NIST is: Educating; Building a Knowledge Base and Resource Catalog
      • Stakeholders are: Understanding and Piloting Framework; Sharing Work Products
    Update (from Feb 2016)
      • Key Milestones: Request for Information; Workshop; Request for Comment; Publication
      • NIST is: Adjudicating Stakeholder Input; Crafting Version Next
      • Stakeholders are: Expanding Framework Implementations; Participating in the Update Process
  • 35. Resources: Where to Learn More and Stay Current
    • The National Institute of Standards and Technology Web site is available at http://www.nist.gov
    • NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/
    • The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework
    • For additional Framework info and help: cyberframework@nist.gov