What Are Best Practices? Making Sense of NIST and Other IT Security Frameworks
April 27, 2017
Sarah Ackerman and Carly Devlin
Clark Schaefer Consulting
Our webinar will begin shortly.
Questions
How to ask a question during today’s webinar?
Use the “Chat” or “Question” feature on the GoToWebinar panel.
You can also email DeAnna Bird at
Questions will be addressed at the end of the webinar.
CPE
CPE is available for this event.
You will receive an email by the end of the day that will contain today’s presentation & CPE form.
You will receive 3 CPE codes during today’s presentation.
Record those 3 CPE codes to complete the CPE form.
Introductions
Sarah Ackerman, CISSP, CISA, CICP
Managing Director, Cincinnati Office
Responsible for overall engagement quality and oversight of projects
Areas of expertise include information security; risk management; and IT governance, audit, and compliance
Works with a wide variety of clients and industries across Ohio and Kentucky
In-depth knowledge of IT and security frameworks, regulations, and standards, including ISO, NIST, COBIT, GLBA, FDA, HIPAA, PCI
Introductions
Carly Devlin, CISSP, CISA
Director, Columbus Office
Responsible for management of client relationships, projects, and consultants
Areas of expertise include information security, IT audit, IT operations, and risk management
Works with a wide variety of clients and industries across Ohio and Kentucky
In-depth knowledge of IT and security frameworks, regulations, and standards, including ISO, NIST, COBIT, GLBA, PCI
CPE Code 1
35764
Agenda
Regulatory vs. Security Frameworks
Overview of HIPAA, PCI, GLBA, ISO, NIST
NIST Deep Dive: Top 10
Regulatory vs. Security Frameworks
Regulatory Frameworks
– PCI
– HIPAA
– GLBA
Security Frameworks
– ISO
– NIST
Overview of Regulatory Frameworks
PCI DSS Payment Card Industry Data Security Standard
What is it? Standards for protecting payment systems from breaches and theft of cardholder data
Who does it apply to? Merchants, financial institutions, point-of-sale vendors
Who enforces it? Individual payment brands or acquiring banks
HIPAA Health Insurance Portability and Accountability Act of 1996
What is it? Legislation that provides data privacy and security provisions for safeguarding medical information
Who does it apply to? Healthcare providers, health plans, and healthcare clearing houses
Who enforces it? United States Department of Health and Human Services (HHS)
GLBA Gramm-Leach-Bliley Act (Financial Modernization Act of 1999)
What is it? Regulation that requires disclosure of information-sharing practices to customers and safeguarding of sensitive data.
Who does it apply to? Financial Institutions
Who enforces it? FRB, FTC, FDIC, NCUA, OCC, CFPB
ISO Overview
International Organization for Standardization
ISO began operations in 1947
Independent, non-governmental international organization with a membership of 162 national standards bodies
ISO has published 21,599 international standards and related documents for every industry
NIST Overview
National Institute of Standards and Technology
NIST was founded in 1901 and is now part of the U.S. Department of Commerce.
Mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology
Standards and guidelines developed by NIST for computer systems are issued as Federal Information Processing Standards (FIPS)
CPE Code 2
13893
NIST: Special Publications
http://csrc.nist.gov/publications/PubsSPs.html
800-53: Security and Privacy Controls for Federal Information Systems and Organizations
800-161: Supply Chain Risk Management Practices
800-61: Computer Security Incident Handling Guide
800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise
800-50: Building an Information Technology Security Awareness and Training Program
800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
800-30: Guide for Conducting Risk Assessments
800-115: Technical Guide to Information Security Testing and Assessment
800-34: Contingency Planning Guide for Federal Information Systems
Cybersecurity Framework
1800 series: Cyber Security Practice Guides
800-53: Security and Privacy Controls for Federal Information Systems and Organizations
18 security areas
– Management/enterprise
– Operational
– Technical
8 privacy areas
800-53: Security – Technical
AC: Access Control
AU: Audit and Accountability
CM: Configuration Management
IA: Identification and Authentication
SC: System and Communications Protection
SI: System and Information Integrity
800-53: Security – Operational
CA: Security Assessment and Authorization
CP: Contingency Planning
IR: Incident Response
MA: System Maintenance
MP: Media Protection
PE: Physical and Environmental Protection
800-53: Security – Management/ Enterprise
AT: Security Awareness and Training
PL: Security Planning
PM: Program Management
PS: Personnel Security
RA: Risk Assessment
SA: System and Services Acquisition
800-53: Privacy
AP: Authority and Purpose
AR: Accountability, Audit, and Risk Management
DI: Data Quality and Integrity
DM: Data Minimization and Retention
IP: Individual Participation and Redress
SE: Security
TR: Transparency
UL: Use Limitation
800-53: Example Control
[Figure: an example control from SP 800-53; not reproduced in the transcript]
800-53: Security and Privacy Controls for Federal Information Systems and Organizations
Benefits:
– Comprehensive
– Supplemental guidance useful
– Baselines allow risk-based approach
– Supported by 53A, allowing for corresponding assessment
– Cross references throughout and to other NIST SPs
Challenges:
– Comprehensive! (Complex)
– Focus on Federal systems
• Private entities? State/Local government?
– Focus on information systems
• IoT devices, industrial control systems, weapons systems
800-53: What’s Next?
Revision 5 - 3/28/17
Not yet published
Proposed changes can be found here
All drafts of computer security publications can be found here
800-53: Security and Privacy Controls for Federal Information Systems and Organizations
Revision 4, April 2013: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Excel, XML available: https://web.nvd.nist.gov/view/800-53/home
800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Information and communications technology (ICT) supply chain risks
Includes the following:
Integration of ICT supply chain risk management (SCRM) into organization-wide risk management
ICT SCRM Controls (enhanced overlay of NIST 800-53)
ICT Supply Chain Threat Events
Supply Chain Threat Scenarios and Analysis Framework
ICT SCRM Plan Template
800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations (cont.)
Benefits:
Overlay of NIST 800-53
Developed with diverse input
Guidance for each organizational tier, organizational functions, and system development life cycle
Challenges:
Cyber supply chain risks cut across every major function and business line
800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
April 2015: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf
800-61: Computer Security Incident Handling Guide
Organizing a Computer Security Incident Response Capability
– Understanding Events and Incidents
– Incident Response Policy, Plan, Procedures
– Incident Response Team Structure
Handling an Incident
– Preparation
– Detection and Analysis
– Containment, Eradication, and Recovery
– Post-Incident Activity
800-61: Computer Security Incident Handling Guide (cont.)
Benefits:
Easy-to-understand guidance for detecting, analyzing, prioritizing, and handling incidents
Provides checklists, scenarios, examples, recommendations
Challenges:
Less focus on establishing an incident response program
Doesn’t provide a specific template for an Incident Response Policy or Plan
800-61: Computer Security Incident Handling Guide
Revision 2, August 2012: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise
Organization-provided and BYOD mobile devices
Includes the following:
Mobile Device Overview
Technologies for Mobile Device Management
Security for the Enterprise Mobile Device Solution Life Cycle
Supporting NIST 800-53 Security Controls
800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise (cont.)
Benefits:
Recommendations for selecting, implementing and using centralized management technologies for securing mobile devices
Refers to applicable NIST 800-53 controls
Challenges:
Addressing BYOD
800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise
Revision 1, June 2013: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
800-50: Building an Information Technology Security Awareness and Training Program
Components: Awareness, Training, Education
Designing the Program
– Conducting Needs Assessment
– Developing Strategy and Plan
– Establishing Priorities
– Setting the Bar
– Funding the Program
Developing Material
– Selecting Topics
– Sources of Material
Implementing the Program
– Communicating the Plan
– Techniques for Delivering Material
Post-Implementation
– Monitoring Compliance
– Evaluation and Feedback
– Managing Change
– Ongoing Improvement
– Program Success Indicators
800-50: Building an Information Technology Security Awareness and Training Program (cont.)
Appendices
Sample needs assessment interview and questionnaire
Sample metric
Sample program plan template
Sample awareness posters
800-50: Building an Information Technology Security Awareness and Training Program (cont.)
Benefits:
Good starting point
• Comprehensive list of awareness topics
Incorporates various roles from CIO to user
Different program models (centralized, partially/fully decentralized)
Cross references to other NIST SPs
• Awareness and Training Metric => SP 800-55 Security Metrics Guide for IT Systems
Challenges:
Outdated
Doesn’t incorporate tools (e.g., phishing)
Awareness and Training Plan template very high level, not detailed
800-50: Building an Information Technology Security Awareness and Training Program
October 2003: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf
800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Confidentiality of PII
Includes the following:
Introduction to PII
PII Confidentiality Impact Levels
PII Confidentiality Safeguards
Incident Response for Breaches Involving PII
Scenarios for PII Identification and Handling
800-122: Guide to Protecting the Confidentiality of PII (cont.)
Benefits:
Categorizing PII by the confidentiality impact level
Other terms and definitions used to describe personal information
Challenges:
Identifying all PII residing in environment
Organizations subject to a different combination of laws, regulations, and other mandates
800-122: Guide to Protecting the Confidentiality of PII
April 2010: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
800-30: Guide for Conducting Risk Assessments
The Fundamentals
Risk management process
Risk assessment
Key risk concepts
Application of risk assessments
800-30: Guide for Conducting Risk Assessments (cont.)
The Risk Assessment Process
[Figure: risk assessment process diagram from SP 800-30; not reproduced in the transcript]
800-30: Guide for Conducting Risk Assessments (cont.)
Appendices
Threat Sources
Threat Events
Vulnerabilities and Predisposing Conditions
Likelihood of Occurrence
Impact
Risk Determination
Informing Risk Response
Risk Assessment Reports
Summary of Tasks
800-30: Guide for Conducting Risk Assessments (cont.)
Benefits:
Comprehensive, detailed
Lots of examples
Good summaries of key activities throughout
Flexible
• Different approaches: threat, asset/impact, vulnerability
Challenges:
Complex
Overly granular
800-30: Guide for Conducting Risk Assessments
Revision 1, September 2012: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
800-115: Technical Guide to Information Security Testing and Assessment
Security testing and assessments
Includes the following:
Security Testing and Examination Overview
Review Techniques
Target Identification and Analysis Techniques
Target Vulnerability Validation Techniques
Security Assessment Planning
Security Assessment Execution
Post-Testing Activities
800-115: Technical Guide to Information Security Testing and Assessment (cont.)
Benefits:
Includes two live operating system CD distributions
Techniques can be leveraged with the NIST 800-53A methodology
Challenges:
Technically oriented
Dozens of security testing and examination techniques exist
800-115: Technical Guide to Information Security Testing and Assessment
September 2008: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
800-34: Contingency Planning Guide for Federal Information Systems
Information system contingency plan (ISCP) development
Includes the following:
Types of Contingency Planning
Information System Contingency Planning Process
Information System Contingency Plan Development
Technical Contingency Planning Considerations
Sample Information System Contingency Plan Templates
800-34: Contingency Planning Guide for Federal Information Systems (cont.)
Benefits:
Integrated with NIST 800-53 contingency planning related controls
Purpose, scope, and plan relationship for various types of plans
3 sample formats
Challenges:
Independent of specific hardware platforms, operating systems, and applications
Does not address facility-level information system planning (DR plan)
800-34: Contingency Planning Guide for Federal Information Systems
Revision 1, May 2010: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
Cybersecurity Framework (CSF)
Three parts:
– Framework Core
– Framework Implementation Tiers
– Framework Profiles
Framework Core:
[Figure: Framework Core diagram; not reproduced in the transcript]
CSF Core
[Figure: CSF Core detail; not reproduced in the transcript]
CSF: Tiers/Profiles
Tiers
– Tier 1: Partial
– Tier 2: Risk Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
Profiles
– Current profile (“as is”)
– Target profile (“to be”)
CSF: Applying The Framework
Develop the “As-Is” profile
Develop the “To-Be” profile
Identify gaps and opportunities
Develop a prioritized action plan
[Figure: the four steps above form a repeatable cycle]
CSF: Benefits, Challenges
Benefits:
– Voluntary
– Expose new risks
– Sharing, collaboration
– Layered approach
Challenges:
– Not “set it and forget it”
– Requires “buy-in”
– Communicating risks
– Large, complex organizations
– Lack of quantifiable metrics
CSF: What’s Next?
Draft update (v1.1) has been issued
Comments were due 4/10/17
Proposed changes can be found here
Cybersecurity Framework
Framework available as PDF, additional support via Excel
Draft Version 1.1, January 2017: https://www.nist.gov/cyberframework/draft-version-11
Version 1, February 2014: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
1800 Series: Cybersecurity Practice Guides
SP 1800-7 (Draft), February 2017: Situational Awareness for Electric Utilities
SP 1800-6 (Draft), November 2016: Domain Name Systems-Based Electronic Mail Security
SP 1800-5 (Draft), October 2015: IT Asset Management: Financial Services
SP 1800-4 (Draft), November 2015: Mobile Device Security: Cloud and Hybrid Builds
SP 1800-3 (Draft), September 2015: Attribute Based Access Control
SP 1800-2 (Draft), August 2015: Identity and Access Management for Electric Utilities
SP 1800-1 (Draft), July 2015: Securing Electronic Health Records on Mobile Devices
CPE Code 3
56932
Questions?
If you wish to discuss any aspect of this presentation in more detail, please feel free to contact us:
Sarah Ackerman, (513) 371-5613
Carly Devlin, (614) 607-5132