Transcript of Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the...
Homeland Security, Office of Cybersecurity and Communications
Cyber Resilience Review: Capability Maturity Evaluation Method for Critical Infrastructure
Sean McCloskey, October 2014
Program Manager, Cybersecurity Evaluation Program
Office of Cybersecurity and Communications (CS&C)
U.S. Department of Homeland Security (DHS)
Overview
What is the Cyber Resilience Review (CRR)?
• A voluntary assessment
• A method that examines cybersecurity practices in critical infrastructure organizations
• Evaluates the operational resilience of a specific critical service
• Measures the execution of key practices and the institutionalization of processes
• Provides participants with a detailed report containing options for consideration
• Utilizes the goals and practices found in the CERT Resilience Management Model (CERT-RMM)
• Available in two versions:
- A self-assessment kit
- A facilitated workshop conducted in one day (typically 6–8 hours) [data gathered on-site is protected under the DHS PCII Program]
Cyber Resilience Value Proposition: What’s in It for Me?
Resilience management provides support to simplify the management of complex cybersecurity challenges.
Efficiency: not too much and not too little; resilience equilibrium
• balancing risk and cost
• getting the most bang for your buck
• achieving compliance as a by-product of resilience management
Roadmap: what to do to manage cybersecurity; flexibility and scalability
• using an overarching approach - which standard is best
• deciding what versus how to manage cybersecurity risk
Cybersecurity ecosystem: addressing the interconnectedness challenge
• managing dependencies
• addressing both internal and external organizational challenges and silos
CRR Data Analysis: Selected Highlights
Summary Findings (115 organizations, 43 states, 12 sectors)
Asset Management: More than 70% of organizations identify critical services; however, less than 50% of organizations assessed have identified the assets that support critical services.
Vulnerability Management: More than 55% of organizations have not developed a strategy to guide their vulnerability management efforts.
Incident Management: 65% of organizations lack a process to escalate and resolve incidents.
External Dependencies Management: More than 80% of the organizations assessed identify external dependencies that are vital to the delivery of critical services.
Risk Management: 70% of organizations do not have a documented risk management plan.
Situational Awareness: 86% of organizations do not have a plan for performing situational awareness activities.
Cyber Resilience Review and the Framework
Relationship between DHS’ Cyber Resilience Review and the NIST Cybersecurity Framework [CRR to NIST CSF crosswalk available]
• Identify Services: identify and prioritize services
• Create Asset Inventory: identify assets, align assets to services, and inventory assets
• Protect & Sustain Assets: establish risk management, resilience requirements, control objectives, and controls
• Disruption Management: establish continuity requirements for assets and develop service continuity plans
• Cyber Exercise: define objectives for cyber exercise, perform exercises, and evaluate results
Process Management and Improvement (applies across all of the above)
What Is Cyber Resilience?
“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”
- Presidential Policy Directive 21 (PPD-21), February 12, 2013
Protect (Security) Sustain (Continuity)
Perform (Capability) Repeat (Maturity)
Operational Resilience Defined
Resilience: The physical property of a material when it can return to its original shape or position after deformation that does not exceed its elastic limit [wordnet.princeton.edu]
Operational resilience: The emergent property of an organization that can continue to carry out its mission after disruption that does not exceed its operational limit [CERT-RMM]
Where does the disruption come from? Realized risk.
Establishing a Critical Service Focus
[Figure: each service has a mission that supports the organization's mission; each service is delivered by four asset types: people, information, technology, and facilities]
Ten Domains of Cybersecurity Capability
CRR Domains
• AM: Asset Management
• CCM: Configuration and Change Management
• RM: Risk Management
• CTRL: Controls Management
• VM: Vulnerability Management
• IM: Incident Management
• SCM: Service Continuity Management
• EXD: External Dependencies Management
• TA: Training and Awareness
• SA: Situational Awareness
The ten domains in CRR v2 represent important areas that contribute to the cyber resilience of an organization.
The domains focus on practices an organization should have in place to assure the protection and sustainment of its critical service.
Cyber Resilience Review by the Numbers
CRR Domain Architecture
Focused Activity:
• Domain
• Domain Goals (Required: what to do to achieve the capability)
• Domain Questions (Expected: how to accomplish the goal)
Institutionalization Elements:
• MIL Goals
• MIL Questions
Process Institutionalization in the CRR
Maturity indicator levels (MIL) are used in CRR v2 to measure process institutionalization.
Higher degrees of institutionalization translate to more stable processes that
• produce consistent results over time
• are retained during times of stress
Level 0 - Incomplete (practices are incomplete)
Level 1 - Performed (practices are performed)
Level 2 - Planned
Level 3 - Managed
Level 4 - Measured
Level 5 - Defined
At Levels 2 through 5, processes are acculturated, defined, measured, and governed.
CRR Self-Assessment Kit
Released in February 2014 to complement the launch of the NIST CSF
The CRR Self-Assessment Kit allows organizations to conduct a review without outside facilitation.
Contains the same questions, scoring, and reporting as the facilitated assessment.
The kit contains the following resources:
• Method Description and User Guide
• Complete CRR Question Set with Guidance
• Self-Assessment Package (automated toolset)
• CRR to NIST CSF Crosswalk
CRR Self-Assessment Kit website:
http://www.us-cert.gov/ccubedvp/self-service-crr
Cyber Resilience Review – Self Assessment Getting Started
• Review the CRR Method Description and User Guide
• Identify the scope of the CRR Self-Assessment
- Identify critical services to the organization and identify which parts of the organization deliver those services
- Choose a critical service that will be the focus of the self-assessment
- Determine which assets (people, information, technology, and facilities) are required for the delivery of the service
• Identify key participants in the self-assessment
- Managers and senior staff members responsible for the areas of operations and service being assessed (e.g., CIO, CISO, Director of IT, Director of Ops., etc.)
- Other stakeholders that can provide answers that best represent the organization’s capabilities in a given CRR domain (e.g., office managers, senior owners and operators, subject matter experts, policy writers, etc.)
- Typically 7–10 participants
Cyber Resilience Review: Self Assessment
Conduct CRR Self-Assessment
• Download and open the CRR Self-Assessment Package
• Introduction from sponsor/executive management, hand-off to facilitator
• Facilitator guides participants through the CRR
- Reviews CRR domains, methodology, agenda and the agreed-upon assessment scope with the participants
- Directs questions to pre-identified participants and confirms with others
- Encourages and maintains dialogue throughout the CRR
- Manages time, breaks and the overall flow of the CRR
Cyber Resilience Review: Self Assessment
Generate and Review Report
• Complete the CRR self-assessment and generate a CRR report
- Click the “Generate Report” button at the bottom of page 37
- Optionally, print and save the report as a PDF
• Distribute the CRR report to key personnel and interpret the results
• Identify gaps, prioritize and implement plans for improvement
DHS PCII Program
• The information provided by the organization during the CRR is afforded protections under the DHS Protected Critical Infrastructure Information (PCII) Program
• What does this mean for you?
- DHS cannot publicly disclose PCII; it is protected from:
  - The Freedom of Information Act (FOIA)
  - State and local disclosure laws
  - Use in civil litigation
- DHS employees (and its contractors) who access PCII must be certified as PCII Authorized Users
- DHS employees (and its contractors) may only access PCII in accordance with strict safeguarding and handling requirements
- PCII cannot be used for regulatory purposes
• More information: http://www.dhs.gov/pcii
Questions?
Program Overview: Welcome to the community.
“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”
- The White House, Executive Order 13636
Solution Proposed by EO 13636
o NIST to develop a Cybersecurity Framework
o A voluntary program for critical infrastructure cybersecurity to promote use of the Framework
o A whole of community approach to risk management, security and resilience
o Joint action by all levels of government and the owners and operators of critical infrastructure
Role of the Critical Infrastructure Cyber Community Voluntary Program
The C3 Voluntary Program is the coordination point within the Federal Government for members of the critical infrastructure community interested in improving their cyber resilience.
Administration Policies: EO 13636 highlights the need for improved cybersecurity among critical infrastructure. PPD-21 calls for efforts to strengthen the physical and cyber security and resilience of our Nation’s critical infrastructure.
Critical Infrastructure: Ranging from emergency services and transportation systems to small and medium sized businesses, the U.S. critical infrastructure provides the essential services that underpin American society.
Cybersecurity Framework: One of the major components of the EO is the development of the Framework by NIST to help critical infrastructure sectors and organizations reduce and manage their cyber risk as part of their approach to enterprise risk management.
Our Role
• Framework implementation guidance
• Focal point for resources and tools
• Relationship management
• Feedback collection
Goals
o Support increasing critical infrastructure cyber resilience
o Increase awareness and use of the Framework
o Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management
There are three key activities the program is supporting, which we emphasize as the Three C’s: Converging, Connecting, Coordinating.
o Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;
o Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and
o Coordinating critical infrastructure cross sector efforts to maximize national cybersecurity resilience.
Converging Resources
• C3 Voluntary Program website offers an overview of the program, downloadable tools, and outreach materials
• Links to the US-CERT C3 Voluntary Program gateway
• Existing programs/resources have been aligned with the Framework Core Function Areas (Identify, Protect, Detect, Respond, Recover)
• Broken out by stakeholder type
• Demonstrates offerings to support the Framework’s principles
• As they become available, cross sector, private sector, S/L resources will be referenced
Converging Resources, cont.
• DHS will support use of the Cybersecurity Framework primarily through the Cyber Resilience Review (CRR).
• No-cost, voluntary, non-technical assessment to evaluate an organization’s information technology resilience.
• The CRR may be conducted as a self-assessment or in-person.
• To date, DHS has conducted more than 330 CRRs at the request of critical infrastructure entities nationwide.
• The inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework.
• Analyzes current practices and how they compare to the principles of the Cybersecurity Framework.
Connecting Stakeholders
Government-to-Business
▶ Engage each of the sectors through the CIPAC Framework to establish sector-specific approaches and guidance, utilizing established partnership mechanisms, models, and approaches
▶ Work directly with organizations interested in receiving information about the Framework, resources, and initiatives
Business-to-Business
▶ Encourage organizations to develop use cases or to work with their industry peers and business partners to promote the Framework
Government-to-Government
▶ Federal – Work with Federal departments and agencies to understand use of the Framework
▶ SLTT outreach – Work with state and local governments to promote government use of the Framework and to reach businesses in their localities
Next Steps
• Get engaged
• Contact us at [email protected]
• Contact the C3 Voluntary Program to send feedback or for any questions about what resources DHS is offering or how to engage different programs
• The C3 Voluntary Program will be supporting engagement during the coming year
• The program will visit sector by sector events, potentially regional events/workshops utilizing our CSAs, and will potentially look into RFIs for broad public engagement
• Visit us at www.dhs.gov/ccubedvp, or www.us-cert.gov/ccubedvp
• Check out the website, download and use the messaging kit, and reach out to the different programs for support
• Try out the CRR and reach out to CSEP if you have questions on the methodology or need assistance
#ccubedvp dhs.gov/ccubedvp
Welcome to the community.