Working Group 11: Consensus Cyber Security Controls March 14, 2013 Alan Paller, SANS Institute...
Working Group 11: Consensus Cyber Security Controls
March 14, 2013
Alan Paller, SANS Institute
Marcus Sachs, Verizon Communications
WG 11 Co-Chairs
Working Group 11: Consensus Cyber Security Controls
Description: This Working Group will examine and make recommendations to the Council regarding technical cyber security controls that can provide the most effective possible mitigation of known cyber risks to the business systems and networks maintained by communications providers and to the data maintained on and processed by those systems. In carrying out its work, the working group will evaluate and contrast the “critical cyber security controls” adopted by the National Security Agency, the Department of Homeland Security in the United States, and the UK Centre for the Protection of National Infrastructure and the Australian Defense Signals Directorate, with the existing set of CSRIC cyber security best practices. The working group will assess the degree to which the consensus lists of critical controls are applicable to the communications industry, identify gaps between the critical controls and the existing CSRIC best practices, and recommend a superset of the most critical controls for application in the communications industry. The Working Group will recommend updates to the best practices list compiled by CSRIC II with a prioritized list of critical cyber security controls that are applicable to the communications industry.
Duration: Revised, prioritized list of critical cyber security controls - March 6, 2013
http://transition.fcc.gov/pshs/advisory/csric3/wg-descriptions.pdf
Working Group 11 – Participants
Co-chairs*
Alan Paller, SANS Institute
Marc Sachs, Verizon Communications
Active members, sorted by employer name
*Members of the FCC’s Communications Security, Reliability, and Interoperability Council
Working Group 11 - Current Work Activity
Group formed on September 5, 2012 with a deadline of March 6, 2013 (six month project)
Approach:
  Analyze the 20 Critical Security Controls for applicability to the Communications Sector
  Analyze the CSRIC II WG 2A cyber security best practices
  Correlate all 397 best practices with the 20 Critical Security Controls
  Determine uniqueness and applicability to the comms sector, and challenges of implementation
  Determine which of the 397 best practices should be classified as essential for stopping or mitigating the impact of known attack vectors
  Consolidate inputs and write report
Calls held every Monday afternoon during the six month period
Working Group 11 - Work Completed
Working Group 11 accomplished four tasks:
  Task 1: Assessed the degree to which the 20 Controls are applicable to the communications industry
  Task 2: Identified gaps between the 20 Controls and the existing CSRIC best practices
  Task 3: Recommended a superset of the most critical controls for application in the communications industry
  Task 4: Recommended updates to the best practices list compiled by CSRIC II with a prioritized list of critical cyber security controls that are applicable to the communications industry
Working Group 11 - Next Steps
Working Group 11 finished its work on March 6, 2013
We expect our findings and recommendations will be transferred to the Communications Sector Coordinating Council (or similar industry group) for further refinement
  Conclusions need to be independently vetted
  The 397 best practices need to be further updated and prioritized
  Some of the 397 best practices could be recommended as essential due to their ability to stop or mitigate the impact of known attack methods
Integrate these findings into the cyber security framework called for in the President’s Cyber Security Executive Order
Working Group 11 - Project Timeline
Working Group 11 began its work on September 5, 2012
Working Group 11 concluded its work on March 6, 2013