nist cybersecurity framework explained · 2019-07-26 · framework for improving critical...
TRANSCRIPT
NIST Cybersecurity Framework Explained
© 2018 RSA Conference. All rights reserved.
Introduction
Tom Conkle, G2 Inc, Cybersecurity Engineer & CForum Founding Member
Kelly Hood, G2 Inc, Cybersecurity Engineer & CForum Member
Agenda
• Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”)
• Framework Overview
• Framework Core Categories
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
NIST Frameworks
• Risk Management Framework (RMF)
• Workforce Framework (NICE)
• Privacy Engineering Framework (PEF)
• Cyber Physical Systems (CPS) Framework
• Cybersecurity Framework (CSF)
The Cybersecurity Framework helps organize and communicate about cybersecurity improvements.
The Cybersecurity Framework established three primary components:
• Framework Core
• Framework Profiles
• Implementation Tiers
Framework Core
The Framework Core establishes a common language for describing a cybersecurity program.
• Common set of cybersecurity activities, desired outcomes, and applicable references
• Used across critical infrastructure sectors
• Provides a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk
Framework Core
The subcategories describe expected outcomes of a cybersecurity program.
Each subcategory is matched with relevant Informative References.
Implementation Tier Characteristics
• Tier 1: Partial
  • Cybersecurity program is ad-hoc
• Tier 2: Risk Informed
  • Cybersecurity roles are beginning to be informally defined
• Tier 3: Repeatable
  • Cybersecurity program is defined in formal, approved policies
• Tier 4: Adaptive
  • Cybersecurity program is robust with formal, approved policies and roles
  • Organization is seeking out information on new threats before they occur to help stay ahead
Profiles help organizations align & prioritize cybersecurity activities.
Current and Target State Profiles help organizations capture their cybersecurity program.
• Current State Profile: present state of the organization’s unique cybersecurity program
• Target State Profile: captures the to-be state for the organization’s cybersecurity program
Category updates in the Framework Version 1.1
• Functions: 5 → 5
• Categories: 22 → 23
• Subcategories: 98 → 108
Highlighted categories: Supply Chain Risk Management; Identity Management & Access Control
Version 1.1 clarified and enhanced the Core.
Asset Management is the first category in the Identify Function (ID.AM).
Business Environment is the second category in the Identify Function (ID.BE).
Governance is the third category in the Identify Function (ID.GV).
Risk Assessment is the fourth category in the Identify Function (ID.RA).
Risk Management Strategy is the fifth category in the Identify Function (ID.RM).
Supply Chain Risk Management was added as the sixth category in the Identify Function (ID.SC).
Identity Management, Authentication, and Access Control is the first category in the Protect Function (PR.AC).
Awareness and Training is the second category in the Protect Function (PR.AT).
Data Security is the third category in the Protect Function (PR.DS).
Information Protection Processes and Procedures is the fourth category in the Protect Function (PR.IP).
Maintenance is the fifth category in the Protect Function (PR.MA).
Protective Technology is the sixth category in the Protect Function (PR.PT).
Anomalies and Events is the first category in the Detect Function (DE.AE).
Security Continuous Monitoring is the second category in the Detect Function (DE.CM).
Detection Processes is the third category in the Detect Function (DE.DP).
Response Planning is the first category in the Respond Function (RS.RP).
Communications is the second category in the Respond Function (RS.CO).
Analysis is the third category in the Respond Function (RS.AN).
Mitigation is the fourth category in the Respond Function (RS.MI).
Improvements is the fifth category in the Respond Function (RS.IM).
Recovery Planning is the first category in the Recover Function (RC.RP).
Improvements is the second category in the Recover Function (RC.IM).
Communications is the third category in the Recover Function (RC.CO).
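The Core hierarchy (Functions and Categories) and the Current/Target Profile idea from the slides above, as an added worked example in Python; it is not code from the slides, from G2 Inc or from CForum. Function names, category identifiers and names, and the Tier names are the ones the slides list. One simplifying assumption is made for illustration: each Profile records an Implementation Tier (1 to 4) per category, so that a gap analysis can rank where the Target Profile is furthest from the Current Profile. All profile values are constructed sample data.

```python
"""NIST CSF 1.1 Core model with a Current/Target Profile gap analysis.

Added example, not from the slides. Category identifiers, names and Tier
names follow the slides. Assumption for illustration: a Profile records a
Tier (1-4) per category. All profile values are constructed sample data.
"""
from collections import defaultdict

# Framework Core, Version 1.1: 5 Functions and 23 Categories, as the slides state.
CSF_CORE = {
    "Identify": [
        ("ID.AM", "Asset Management"),
        ("ID.BE", "Business Environment"),
        ("ID.GV", "Governance"),
        ("ID.RA", "Risk Assessment"),
        ("ID.RM", "Risk Management Strategy"),
        ("ID.SC", "Supply Chain Risk Management"),
    ],
    "Protect": [
        ("PR.AC", "Identity Management, Authentication, and Access Control"),
        ("PR.AT", "Awareness and Training"),
        ("PR.DS", "Data Security"),
        ("PR.IP", "Information Protection Processes and Procedures"),
        ("PR.MA", "Maintenance"),
        ("PR.PT", "Protective Technology"),
    ],
    "Detect": [
        ("DE.AE", "Anomalies and Events"),
        ("DE.CM", "Security Continuous Monitoring"),
        ("DE.DP", "Detection Processes"),
    ],
    "Respond": [
        ("RS.RP", "Response Planning"),
        ("RS.CO", "Communications"),
        ("RS.AN", "Analysis"),
        ("RS.MI", "Mitigation"),
        ("RS.IM", "Improvements"),
    ],
    "Recover": [
        ("RC.RP", "Recovery Planning"),
        ("RC.IM", "Improvements"),
        ("RC.CO", "Communications"),
    ],
}

# Implementation Tiers, named as on the slides.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Lookup tables derived from the Core.
CATEGORY_NAME = {cid: name for cats in CSF_CORE.values() for cid, name in cats}
CATEGORY_FUNCTION = {cid: fn for fn, cats in CSF_CORE.items() for cid, _ in cats}


def validate_profile(profile):
    """Reject unknown category identifiers and Tier values outside 1-4."""
    for cid, tier in profile.items():
        if cid not in CATEGORY_NAME:
            raise ValueError(f"unknown category identifier: {cid}")
        if tier not in TIERS:
            raise ValueError(f"invalid tier {tier!r} for {cid}; expected 1-4")


def gap_analysis(current, target):
    """List categories where the Target Profile exceeds the Current Profile.

    Categories absent from the Current Profile are treated as Tier 1 (Partial).
    Ordered largest gap first, then by identifier, so the top entries are the
    candidates to prioritise.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for cid, want in target.items():
        have = current.get(cid, 1)
        if want > have:
            gaps.append({"id": cid, "name": CATEGORY_NAME[cid],
                         "function": CATEGORY_FUNCTION[cid],
                         "current": have, "target": want, "gap": want - have})
    gaps.sort(key=lambda g: (-g["gap"], g["id"]))
    return gaps


def gap_by_function(gaps):
    """Total Tier steps still to climb per Function (a roadmap-level view)."""
    totals = defaultdict(int)
    for g in gaps:
        totals[g["function"]] += g["gap"]
    return dict(totals)


# Constructed sample profiles (not from the slides).
CURRENT_PROFILE = {
    "ID.AM": 2, "ID.BE": 2, "ID.GV": 3, "ID.RA": 2, "ID.RM": 2, "ID.SC": 1,
    "PR.AC": 3, "PR.AT": 2, "PR.DS": 3, "PR.IP": 2, "PR.MA": 2, "PR.PT": 3,
    "DE.AE": 2, "DE.CM": 2, "DE.DP": 1,
    "RS.RP": 2, "RS.CO": 2, "RS.AN": 2, "RS.MI": 2, "RS.IM": 1,
    "RC.RP": 2, "RC.IM": 1, "RC.CO": 2,
}
TARGET_PROFILE = {cid: 3 for cid in CATEGORY_NAME}  # Repeatable across the board ...
TARGET_PROFILE.update({"ID.SC": 4, "PR.AC": 4, "DE.CM": 4})  # ... Adaptive where risk warrants

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f'{g["id"]:6} {g["name"]:<55} Tier {g["current"]} -> {g["target"]} (+{g["gap"]})')
    print(gap_by_function(gaps))
```

The per-Function totals are the figure to bring to a prioritisation discussion: in the sample data Identify carries the largest gap because Supply Chain Risk Management (ID.SC) sits three Tiers below its target, which is exactly the kind of outcome the Current/Target Profile comparison is meant to surface.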
There are several benefits for using the NIST Cybersecurity Framework:
• Common Language
• Collaboration Opportunities
• Maintain Compliance
• Demonstrate Due Care
• Secure Supply Chain
• Measuring Cybersecurity Status
• Cost Efficiency
Resources to aid in understanding & implementation of the NIST Cybersecurity Framework
• Cybersecurity Framework Website: www.NIST.gov/CyberFramework
• CForum Website: www.Cyber.securityFramework.org
• G2 Templates & Implementation Assistance: www.ManageTheRisk.com
Questions?
Tom Conkle, Cybersecurity [email protected], (443) 292-6679
Kelly Hood, Cybersecurity [email protected], (443) 741-1968