Protecting vital data with NIST Framework

Upload: phamquynh

Post on 04-Jan-2017


TRANSCRIPT

Page 1: Protecting Vital Data with NIST Framework

Protecting vital data with NIST Framework

Page 2: Protecting Vital Data with NIST Framework

Tweet along: #Sec360 @pjktech @cohesivenet

About me

Patrick Kerpan CEO at Cohesive Networks @pjktech

BANKS

Page 3: Protecting Vital Data with NIST Framework


About Cohesive Networks

• 2,000+ customers protect cloud-based applications
• User-controlled security & connectivity at the top of the cloud
• Cloud is creating demand for more connectivity and security
• Honest approach to cloud security

Page 4: Protecting Vital Data with NIST Framework


Agenda

• standards, teaching, testing and certifying
• sustained cyber sieges
• priority shifts toward risk-based models
• NIST Cybersecurity Framework overview
• applying risk-based cybersecurity
• NIST Cybersecurity Framework for all

Page 5: Protecting Vital Data with NIST Framework


standards, teaching, testing and certifying

Page 6: Protecting Vital Data with NIST Framework


Pre-NIST Cybersecurity Framework

• International Organization for Standardization ISO/IEC 27005:2011
• Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline
• Committee of Sponsoring Organizations of the Treadway Commission (accounting orgs) (COSO)
• American Institute of CPAs (AICPA) SOC 2 & SAS 70
• American Institute of CPAs (AICPA) Generally Accepted Privacy Principles (GAPP, August 2009)
• Shared Assessments Program vendor assessments (AUP v5.0 & SIG v6.0)
• FTC Children's Online Privacy Protection Rule (COPPA)
• European Union Agency for Network and Information Security (ENISA) IAF
• European Union Data Protection Directive 95/46/EC
• GSA's Federal Risk and Authorization Management Program (FedRAMP) cloud security controls
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Dept. of State International Traffic in Arms Regulations (ITAR)
• UK Royal Mail / Jericho Forum on de-perimeterisation
• and on and on…

Page 7: Protecting Vital Data with NIST Framework


The Big 10

• International Organization for Standardization ISO 31000:2009
• International Organization for Standardization ISO/IEC 27001:2013
• NIST Special Publication 800-53 Rev. 3 & Rev. 4
• Payment Card Industry Security Standards Council Data Security Standard PCI DSS v3.0
• International Society of Automation ISA 62443-2-1:2009 (security for industrial automation and control systems)
• Information Systems Audit and Control Association (ISACA) COBIT 5
• Cloud Security Alliance Enterprise Architecture & Guidance CSA EAG v3.0
• SANS Institute / Council on CyberSecurity Critical Security Controls for Effective Cyber Defense v5
• DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Cybersecurity Evaluation Tool (CSET®)
• Department of Energy (DOE) Cybersecurity Capability Maturity Model (C2M2)

Page 8: Protecting Vital Data with NIST Framework


Certification is expensive

[Images: Class, Test]

Page 9: Protecting Vital Data with NIST Framework


the fog of more

• Software Tools
• Standards
• Training Classes
• Certification Badges
• Certification, PenTest, & Audit Services
• Vulnerability Databases
• Guidance & Best Practices
• Catalogs of Controls
• Checklists
• Vendor Benchmarks
• Recommendations, Regulations & Requirements
• Threat Information Feeds
• Risk Management Frameworks

Competing options, priorities, opinions, and claims

Page 10: Protecting Vital Data with NIST Framework


sustained cyber siege

Page 11: Protecting Vital Data with NIST Framework


new cyber realities

• Attacks have become professional: hackers, criminals or foreign governments.
• In the post-Sony era, all servers “on a wire” are compromised or targets.
• Regulatory implementation and reporting demands are increasing.

Page 12: Protecting Vital Data with NIST Framework


target: governments

Page 13: Protecting Vital Data with NIST Framework


target: healthcare

Page 14: Protecting Vital Data with NIST Framework


target: retail

Page 15: Protecting Vital Data with NIST Framework


target: you

Page 16: Protecting Vital Data with NIST Framework


shifting priorities

Page 17: Protecting Vital Data with NIST Framework


DHS mandate: organize & coordinate

Image credit: Beldin

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

• Increase Information Sharing

• Protect Privacy & Civil Liberties

• Consult with Everyone

• Have Commerce / NIST Create Cybersecurity Framework

• Voluntary Adoption Program w/ Incentives

• Identify Greatest Risks

• Determine Need for More Regulation

Page 18: Protecting Vital Data with NIST Framework


Why: NIST Cybersecurity Framework

Pros
• Organized
• One standard format
• Common language
• Unifying process
• Defense in breadth & depth
• Incentives
• Risk management focused
• Free

Cons
• Redundant
• Yet another framework
• Enforcement & penalties
• Sustained cyber-siege
• Not technical
• Not designed for small firms
• Technology debt?

Page 19: Protecting Vital Data with NIST Framework


NIST Cybersecurity Framework

Page 20: Protecting Vital Data with NIST Framework


Who: 16 critical infrastructure sectors

Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems

Image credit: dhs.gov

Page 21: Protecting Vital Data with NIST Framework


NIST Framework core

(Structure: Functions > Categories > Subcategories > Informative References. The five Functions are Identify, Protect, Detect, Respond, Recover.)

Page 22: Protecting Vital Data with NIST Framework


just one subcategory:

Page 23: Protecting Vital Data with NIST Framework


NIST Framework tiers of maturity

(Implementation Tiers: Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive)

source: PwC Why you should adopt the NIST Cybersecurity Framework

Page 24: Protecting Vital Data with NIST Framework


NIST Cybersecurity Framework

• NIST Cybersecurity Framework is *voluntary*
• 82% of US federal agencies are fully or partially adopting it
• 53% of organizations outside the federal government have adopted it

2016 PwC State of Information Security: the 2 most frequently implemented risk-based guidelines are ISO 27001 and the NIST Cybersecurity Framework

Page 25: Protecting Vital Data with NIST Framework


applying risk based cybersecurity

Page 26: Protecting Vital Data with NIST Framework


traditional vs. risk-based security

Traditional                                  | Risk-Based
---------------------------------------------|---------------------------------------------
Audit focus                                  | Business focus
Transaction-based                            | Process-based
Compliance objective                         | Customer focus
Policies & procedures focus                  | Risk management focus
Multi-year audit coverage                    | Continual risk-reassessment coverage
Policy adherence                             | Change facilitator
Budgeted cost center                         | Accountability for performance improvement results
Career auditors                              | Diversified knowledge and experience
Methodology: focus on policies, transactions, and compliance | Methodology: focus on goals, strategies, and risk management processes

Page 27: Protecting Vital Data with NIST Framework


risk-based security frameworks

2016 PwC State of Information Security: 91% of companies have already adopted a risk-based cybersecurity framework

Risk-based security can help:
• identify and prioritize risks
• gauge the maturity of cybersecurity practices
• better communicate internally and externally
• design, measure and monitor goals
• build a program that centers around the safety and security of data

Page 28: Protecting Vital Data with NIST Framework


NIST Cybersecurity Framework for all

Page 29: Protecting Vital Data with NIST Framework


how: NIST Cybersecurity for all

Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan

Repeat the steps as needed (rinse and repeat)
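Steps 3 through 7 above are the part of the process that usually ends up in a spreadsheet: a Current Profile, a Target Profile, a risk score per subcategory, and a ranked list of gaps. The example below is added here to show that workflow as code; it is not from the slides, from Cohesive Networks or from NIST. Subcategory IDs follow the CSF v1.0 naming scheme (e.g. PR.AC-1, identities and credentials are managed), but every tier value and risk number is a constructed sample. One caveat a practitioner should keep in mind: the Framework defines Implementation Tiers for the organization as a whole; scoring each subcategory on the 1-4 tier scale, as the PwC maturity chart cited on the previous slide does, is a common shortcut rather than something the Framework text prescribes.

```python
from dataclasses import dataclass

# Implementation Tiers as named in the Framework (1 = Partial ... 4 = Adaptive).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Risk:
    """One row of the risk assessment (step 4): 1-5 scales. Values constructed."""
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Subcategory IDs use the CSF v1.0 scheme (Function.Category-n); every tier and
# risk number below is a constructed sample, not data from the slides or from
# any real assessment.
CURRENT_PROFILE = {          # step 3: where we are today
    "ID.AM-1": 2, "ID.AM-2": 1,                # asset inventory (devices, software)
    "PR.AC-1": 2, "PR.AC-4": 1, "PR.DS-1": 3,  # credentials, least privilege, data at rest
    "DE.CM-1": 2,                              # network monitoring
    "RS.RP-1": 1, "RC.RP-1": 3,                # response / recovery plan execution
}
TARGET_PROFILE = {           # step 5: where the business says we need to be
    "ID.AM-1": 3, "ID.AM-2": 3,
    "PR.AC-1": 4, "PR.AC-4": 3, "PR.DS-1": 3,
    "DE.CM-1": 3,
    "RS.RP-1": 3, "RC.RP-1": 2,                # target below current: deliberate de-scoping
}
RISK_ASSESSMENT = {          # step 4: the risk each subcategory mitigates
    "ID.AM-1": Risk(3, 3), "ID.AM-2": Risk(4, 4),
    "PR.AC-1": Risk(4, 5), "PR.AC-4": Risk(4, 5), "PR.DS-1": Risk(2, 5),
    "DE.CM-1": Risk(3, 4),
    "RS.RP-1": Risk(3, 5), "RC.RP-1": Risk(2, 3),
}


def validate_profile(profile: dict) -> None:
    """Reject tiers outside 1..4 before they silently skew the ranking."""
    for sid, tier in profile.items():
        if tier not in TIERS:
            raise ValueError(f"{sid}: tier {tier!r} not in {sorted(TIERS)}")


def function_rollup(profile: dict) -> dict:
    """Mean tier per Function (ID, PR, DE, RS, RC): the per-Function bar chart
    from the 'tiers of maturity' slide, computed from a profile."""
    validate_profile(profile)
    buckets: dict = {}
    for sid, tier in profile.items():
        buckets.setdefault(sid.split(".")[0], []).append(tier)
    return {fn: round(sum(t) / len(t), 2) for fn, t in sorted(buckets.items())}


def find_gaps(current: dict, target: dict) -> dict:
    """Step 6: subcategories whose target tier exceeds the current tier.
    A subcategory absent from the Current Profile counts as Tier 1 (Partial);
    a target at or below current is not a gap."""
    validate_profile(current)
    validate_profile(target)
    gaps = {}
    for sid, want in target.items():
        have = current.get(sid, 1)
        if want > have:
            gaps[sid] = want - have
    return gaps


def prioritize_gaps(current: dict, target: dict, risk: dict) -> list:
    """Rank gaps by risk score x gap size, highest first; ties broken by ID so
    the order is stable. Returns (id, gap, risk_score, weight) tuples."""
    gaps = find_gaps(current, target)
    rows = [(sid, g, risk[sid].score, g * risk[sid].score) for sid, g in gaps.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


def action_plan(current: dict, target: dict, risk: dict, budget: int) -> list:
    """Step 7: greedy plan. Walk the ranked gaps and take each one whose tier
    steps still fit in `budget` (a stand-in for the coming year's capacity)."""
    plan, spent = [], 0
    for sid, size, score, _weight in prioritize_gaps(current, target, risk):
        if spent + size > budget:
            continue  # too big for what is left; a smaller gap may still fit
        have, want = current.get(sid, 1), target[sid]
        plan.append(f"{sid}: Tier {have} ({TIERS[have]}) -> Tier {want} "
                    f"({TIERS[want]}), risk {score}")
        spent += size
    return plan


if __name__ == "__main__":
    print("current by function:", function_rollup(CURRENT_PROFILE))
    for row in prioritize_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_ASSESSMENT):
        print(row)
    print("\n".join(action_plan(CURRENT_PROFILE, TARGET_PROFILE, RISK_ASSESSMENT, budget=5)))
```

With the sample data the two access-control gaps (PR.AC-1, PR.AC-4) rank first because they combine the largest risk score with a two-tier gap, while RC.RP-1 does not appear at all: its target is below its current tier, which the Framework treats as a legitimate business decision rather than a gap. Swapping the weighting (for example, gap size first and risk second) is exactly the kind of choice step 1, "Prioritize and Scope", is meant to settle before the numbers are crunched.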

Page 30: Protecting Vital Data with NIST Framework


Chicago style cybersecurity

• Innovative: blend proven style with new technologies
• Pragmatic: work within constraints - shifting sand (literally!)
• Transparent: more opportunities to allow more light internally
• Tenacious: driven by the Mid-Western work ethic
• Creative: willingness to build solutions rather than empires

The Marquette Building

Image via the MacArthur Foundation

Page 31: Protecting Vital Data with NIST Framework


roll your own NIST Manual

Cybersecurity Risk Management & Network Operations Center Manual (outline)

INTRODUCTION
RISK MANAGEMENT STRATEGY STATEMENT
  Risk Management Process
  Integrated Risk Management Program
  External Participation
SCOPE OF RISK MANAGEMENT PROGRAM
  Asset, Change, and Configuration Management
  Cybersecurity Program Management
  Supply Chain and External Dependencies Management
  Identity and Access Management
  Event and Incident Response, Continuity of Operations
  Information Sharing and Communications
  Risk Management
  Situational Awareness
  Threat and Vulnerability Management
  Workforce Management
INFRASTRUCTURE UPGRADE PRIORITIES
  Current Cybersecurity Profile
  Target Profile
  Technology Debt
CYBERSECURITY ROADMAP & MILESTONES
Appendix 1: REGISTRY OF PRIMARY CYBERSECURITY RISKS
Appendix 2: REGISTRY OF STAKEHOLDERS AND USERS
Etc.

Page 32: Protecting Vital Data with NIST Framework


conduct app-specific self-evaluations

Self-evaluations are available - just go download a template!

Page 33: Protecting Vital Data with NIST Framework


case study: LocusView
Natural gas SaaS provider streamlines audit processes

[Diagram labels: customer network; Firewall / IPsec; IPsec Tunnel; Public Cloud; Overlay Network; VNS3 Controller; Cloud Server; AWS ELB; public internet user traffic]

“We wanted to look at a bigger picture than just natural gas and current regulations.”
Tim Hopper - GIS Professional, LocusView

Challenge: An increasing stream of requests for documentation, certifications, and penetration test results
Solution: Used the NIST Framework to map the compliance areas that matter most to their organization and clients
Outcome: LocusView has passed initial audits and the first of several penetration tests

Page 34: Protecting Vital Data with NIST Framework


conclusions

• Standards are still relevant — map from standards, not to them
• Shift from audit-heavy compliance to risk-based prevention
• Prioritize current compliance over post-mortem disaster recovery
• Holistic security for each business unit
• NIST Framework can make everyone’s jobs less complicated

Page 35: Protecting Vital Data with NIST Framework


Q&A

Stay in touch: @pjktech @cohesivenet
