NIST CyberSecurity Framework: An Overview

Post on 20-Jul-2015


Transcript of NIST CyberSecurity Framework: An Overview

Cyber Security Framework: Overview of NIST Security Guidelines

CS684 IT Security Policies & Procedures

Tandhy Simanjuntak

Agenda

• NIST

• History

• Other frameworks

• Cyber Security Framework

• Study Case

• Conclusion

NIST

National Institute of Standards and Technology

1901

Non-regulatory Federal Agency

U.S. Dept. of Commerce

NIST Mission

Innovation and industrial competitiveness through:

• Measurement Science

• Measurement Standards

• Measurement Technology

= Economic security

= Quality of Life

Areas

• Bioscience & Health

• Building & Fire Research

• Chemistry

• Electronics & Telco.

• Energy

• Environment / Climate

• Information Technology

• Manufacturing

• Materials Science

• Math

• Nanotechnology

• Physics

• Public Safety & Security

• Quality

• Transportation

History

Feb 12, 2013: Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

http://blogs.reuters.com/great-debate/2013/07/08/obamas-key-nuclear-deal-with

Critical Infrastructure [1]

“systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

http://www.iprem.ca/initiatives/InitiativesPics/CriticalInfrastructureSectors.jpg

Other Security Frameworks

• ISO/IEC 27002:2013

• COBIT

• COSO

• HITRUST CSF

ISO/IEC 27002:2013

ISO: International Organization for Standardization

IEC: International Electrotechnical Commission

Best practice recommendations

• Information Security Management

• Information Security Program elements

COBIT

Control Objectives for Information and related Technology

Best practices for IT management

Defines program and management control functions

COSO

Committee of Sponsoring Organizations of the Treadway Commission

Thought leadership for framework development

Guidance

• Enterprise risk management

• Internal control

• Fraud deterrence

HITRUST CSF

Healthcare and Information Security Professionals

First IT Security for Healthcare

Leverages existing standards

• HIPAA, NIST, ISO, PCI, FTC and COBIT

NIST vs Other Frameworks

Other Frameworks: specific to an industry or to management; standards & guidelines

NIST: any industry; guidelines

Cyber Security Framework

Introduction

Feb 2013 (Executive Order 13636) to Feb 2014 (Framework published)

Voluntary risk-based framework

• Government and private sectors

Standards and best practices

• Manage cyber security risks

Protect individual privacy and civil liberties

Three components:

• Framework Core

• Framework Implementation Tiers

• Framework Profile

Framework Core

Activities, outcomes & applicable references

Industry standards, guidelines & practices

5 concurrent and continuous Functions

Identify Protect Detect Respond Recover


Identify: understanding to manage cybersecurity risk to systems, assets, data, and capabilities

Protect: safeguards to ensure delivery of critical infrastructure services

Detect: identify the occurrence of a cybersecurity event

Respond: action regarding a detected cybersecurity event

Recover: maintain plans for resilience; restore any capabilities or services

Framework Core structure: Functions → Categories → Subcategories → Informative References

IDENTIFY (ID)

PROTECT (PR)

DETECT (DE)

RESPOND (RS)

RECOVER (RC)


Framework Function Category Identifier Category

IDENTIFY (ID)

ID.AM Asset Management

ID.BE Business Environment

ID.GV Governance

ID.RA Risk Assessment

ID.RM Risk Management Strategy

PROTECT (PR)

PR.AC Access Control

PR.AT Awareness and Training

PR.DS Data Security

PR.IP Information Protection Processes and Procedures

PR.MA Maintenance

PR.PT Protective Technology

DETECT (DE)

DE.AE Anomalies and Events

DE.CM Security Continuous Monitoring

DE.DP Detection Processes

RESPOND (RS)

RS.RP Response Planning

RS.CO Communications

RS.AN Analysis

RS.MI Mitigation

RS.IM Improvements

RECOVER (RC)

RC.RP Recovery Planning

RC.IM Improvements

RC.CO Communications

Framework Implementation Tiers

How cybersecurity risks are managed, from Partial to Adaptive:

• Partial

• Risk Informed

• Repeatable

• Adaptive

Considerations: risk management practices, threat environment, legal & regulatory requirements, objectives & constraints

Elements:

• Risk Management Process

• Integrated Risk Management Program

• External Collaboration


Tier comparison by element (Risk Management Process / Integrated Risk Management Program / External Participation):

Partial

• Risk Management Process: not formalized; reactive

• Integrated Risk Management Program: limited awareness; irregular risk management

• External Participation: private information; no external collaboration

Risk Informed

• Risk Management Process: approved practices; not widely used as policy

• Integrated Risk Management Program: more awareness; risk-informed processes & procedures; adequate resources; internal sharing

• External Participation: not formalized to interact & share information

Repeatable

• Risk Management Process: approved as policy; updated regularly

• Integrated Risk Management Program: organization approach; risk-informed processes & procedures defined & implemented as intended, and reviewed; knowledge & skills

• External Participation: collaborate; receive information

Adaptive

• Risk Management Process: continuous improvement

• Integrated Risk Management Program: risk-informed processes & procedures for potential events; continuous awareness

• External Participation: actively shares information

Framework Profile

Alignment of Framework Core and business requirements, risk tolerance & resources

Establish roadmap to reduce risk aligned with organizational and sector goals

Describe current and desired state of specific events

Action plan to address gaps

Create or improve a program

1. Prioritize and Scope

2. Orient

3. Create current profile

4. Conduct Risk assessment

5. Create target profile

6. Determine, Analyze & Prioritize Gaps

7. Implement Action Plan
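As an added worked example (not part of the slides or of NIST's own material), the script below models steps 3 to 6 of the program-creation process above: the Framework Core as Function → Category identifiers taken from the slides, a Current Profile and a Target Profile as a per-category maturity level, and a gap list ranked for the action plan. The 0–4 maturity scale, the risk ratings and the priority formula (gap size × risk rating) are constructed assumptions for illustration; the real Framework expresses profiles per Subcategory outcome and leaves prioritization to the organization's risk assessment.

```python
"""Toy NIST CSF profile gap analysis (added example, not from the slides).

Steps modelled from the "create or improve a program" process:
  3. create current profile   4. risk assessment (as per-category ratings)
  5. create target profile    6. determine, analyze & prioritize gaps
Assumptions (constructed, not from the Framework): 0-4 maturity scale,
risk ratings, and priority = gap size * risk rating.
"""
from __future__ import annotations

from dataclasses import dataclass

# Function -> Category identifiers, exactly as listed on the slides.
FRAMEWORK_CORE = {
    "IDENTIFY (ID)": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM"],
    "PROTECT (PR)": ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "DETECT (DE)": ["DE.AE", "DE.CM", "DE.DP"],
    "RESPOND (RS)": ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "RECOVER (RC)": ["RC.RP", "RC.IM", "RC.CO"],
}

# Constructed maturity scale (assumption): 0 = not addressed ... 4 = fully achieved.
MATURITY_MIN, MATURITY_MAX = 0, 4


@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int
    target: int
    priority: int  # constructed: gap size weighted by the step-4 risk rating

    @property
    def size(self) -> int:
        return self.target - self.current


def validate_profile(profile: dict[str, int]) -> None:
    """Reject unknown category IDs and out-of-range maturity values."""
    known = {c for cats in FRAMEWORK_CORE.values() for c in cats}
    for cat, level in profile.items():
        if cat not in known:
            raise ValueError(f"unknown category id: {cat}")
        if not MATURITY_MIN <= level <= MATURITY_MAX:
            raise ValueError(f"{cat}: maturity {level} outside {MATURITY_MIN}-{MATURITY_MAX}")


def function_of(category: str) -> str:
    """Map a category id back to its Function."""
    for func, cats in FRAMEWORK_CORE.items():
        if category in cats:
            return func
    raise KeyError(category)


def determine_gaps(current: dict[str, int], target: dict[str, int],
                   risk_rating: dict[str, int]) -> list[Gap]:
    """Step 6: keep categories where target exceeds current and rank them.

    A category absent from the current profile counts as not addressed (0).
    Ranking is by priority (descending), then category id for a stable order.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for cat, want in target.items():
        have = current.get(cat, MATURITY_MIN)
        if want > have:
            gaps.append(Gap(function_of(cat), cat, have, want,
                            priority=(want - have) * risk_rating.get(cat, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.category))


def action_plan(gaps: list[Gap]) -> list[str]:
    """Step 7 input: one line per gap, highest priority first."""
    return [f"{g.priority:>2}  {g.category}  {g.current}->{g.target}  ({g.function})"
            for g in gaps]


# Constructed sample input: a small organization's profiles and risk ratings.
CURRENT_PROFILE = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 2, "PR.DS": 1,
                   "DE.CM": 0, "RS.RP": 1, "RC.RP": 1}
TARGET_PROFILE = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 3, "PR.DS": 3,
                  "DE.CM": 3, "DE.AE": 2, "RS.RP": 2, "RC.RP": 2}
RISK_RATING = {"PR.DS": 3, "DE.CM": 3, "ID.RA": 2}  # rating 1 where omitted

if __name__ == "__main__":
    for line in action_plan(determine_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_RATING)):
        print(line)
```

With the sample data the plan starts with DE.CM (no continuous monitoring at all and a high risk rating) and PR.DS, which is the point of step 6: the gap list is ordered by risk, not by the order of the Core, so the action plan in step 7 spends effort where the risk assessment says it matters.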

Study Case

http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html

Conclusion

Reduce and better manage cybersecurity risks

Not a one-size-fits-all approach

References

1. NIST (2014). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from NIST site: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

2. ISF (2007). The Standard of Good Practice for Information Security. Retrieved from Security Forum site: https://www.securityforum.org/userfiles/public/SOGP.pdf

3. IASME (2015). IASME Self-Assessment Questionnaire. Retrieved from IASME site: https://www.iasme.co.uk/index.php

4. Johnson, S. (2008). NERC Cyber Security Standards. SANS. Retrieved from SANS site: https://files.sans.org/summit/scada08/Stan_Johnson_NERC_Cyber_Security_Standards.pdf

5. Center for Internet Security. Retrieved from http://www.cisecurity.org/.

6. Solutionary (n.d.) Security Frameworks. Retrieved from Solutionary site: http://www.solutionary.com/compliance/security-frameworks/

7. Intel (2015). The Cybersecurity Framework in Action: An Intel Use Case. Retrieved from Intel site: http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html