NISTs Cybersecurity Framework -- Comparison with Best Practice


Published on March 28, 2014

Author: lostgravity

Source: slideshare.net

Description

A presentation given to the Central Texas chapter of the ISSA. We introduce the Cybersecurity Framework, compare it to an existing standard defining information security controls and management system requirements (ISO/IEC 27001), and provide some thoughts on what's next and where to find accompanying resources.

Comparing NIST's Cybersecurity Framework with Best Practice
David Ochel
email: david@secuilibrium.com
Twitter: @lostgravity
2014-03-28

Agenda
• Introduction to the Cybersecurity Framework (CSF)
  – Motivation
  – Organization
  – Major elements and core principles
• CSF and Best Practice
  – What is Best Practice?
  – Comparing CSF with ISO/IEC 27001
  – Particularities of critical infrastructure protection
• Some Musings
  – Future of the CSF
  – Resources
  – Texas
  – Information Security Management Maturity
Page 2 – Cybersecurity Framework / Best Practice

INTRODUCTION TO THE CYBERSECURITY FRAMEWORK (CSF)
Page 3

Motivation
• Critical Infrastructure
  – Vital infrastructure – private and public operators
  – Lack of availability would have "debilitating impact" on the nation's security, economy, public health, safety…
• Executive Order 13636; February 12, 2013
  – Threat information sharing
  – NIST: Baseline Framework to reduce cyber risk
    • "Standards, methodologies, procedures and processes that align policy, business, and technological approaches…"
  – Voluntary Critical Infrastructure Cybersecurity Program
  – …
Page 4

Organization
• Framework parts:
  – Core
  – Profiles
  – Implementation Tiers
Page 5

Framework Core – a Controls Catalog
• 5 core functions, split into:
  – Categories
  – Subcategories
• "technology neutral"
• Cross-references to:
  – COBIT
  – CCS CSC
  – ANSI/ISA-62443-2-1 and -3-3
  – ISO/IEC 27001
  – NIST SP 800-53
Page 6

Framework Core – Example
Page 7

Framework Profiles
• Describe current or desired state of "cybersecurity activities"
• Align controls with "business requirements, risk tolerance, and resources"
• No templates or format provided
Page 8

Framework Tiers
• Tiers indicate maturity of:
  – Risk management process
  – Integrated Risk Management Program
  – External Participation
• "do not represent maturity levels"!?
• Tiers (defined on 1/3 of a page each)
  – 1: Partial
  – 2: Risk Informed
  – 3: Repeatable
  – 4: Adaptive
Page 9

CSF AND BEST PRACTICE
Page 10

Information Security Controls – Attributes of Best Practice?!
• Benchmark
• Requirements catalog
• Comprehensive
• Accepted
• Industry standard
• But not cutting edge / best in class?
• Auditable
• …?
Page 11

IT Security: Control Frameworks
Regulatory (mostly industry-specific?)
• HIPAA
• SOX (arguably)
• NERC CIP
• …
"Pseudo Regulatory" (contractually enforced)
• PCI DSS (etc.)
• SSAE 16
• …
Voluntary
• NIST Cybersecurity Framework
• Texas Cybersecurity Framework*
• NIST SP 800-53*
• ISO/IEC 27001
• ISF Standard of Good Practice
• …
* Mandatory for certain government agencies.
Page 12

ISO/IEC 27001
• Information technology – Security techniques – Information security management systems – Requirements
  – System requirements:
    • Organization context
    • Leadership
    • Planning
    • Operation
    • Performance evaluation
    • Improvement
  – Reference control objectives & controls
    • "best practice" catalog of baseline controls
Page 13

CSF and 27001 – Commonalities
• Voluntary
• Catalog of information security controls
  – Small differences in emphasis
  – Method to document control selection ("profile" vs. "statement of applicability")
• No built-in risk assessment methodology
• Scope definition expected/required
Page 14

CSF and 27001 – Differences
Cybersecurity Framework
✓ Rudimentary maturity tiers
✓ Even basic requirements are optional
✓ Potential for agility
ISO/IEC 27001
✓ Clear documentation requirements
✓ Mandatory management system requirements
✓ Exclusion of controls requires justification
✓ Established certification schemes
✓ Well-defined terminology
Page 15

Which parts of the CSF are unique to ICS environments?
• Tiers?
  – Nope. (Generic description of risk management and information sharing "maturity".)
• Core?
  – Nope. (Introduction acknowledges that IT and ICS environments and considerations differ. But the (sub-)categories do not specifically address this.)
• Profiles?
  – Nope. (Just a way to catalog current and desired selection of controls.)
Page 16


SOME MUSINGS
Page 18

The Future of the CSF…
• …might be bright?
  – Just another controls framework
  – But with potential!
• Incentives
  – So far DHS offers managed services to local/state governments
  – Private industry… yet to come?
• NIST Roadmap for framework development
  – Areas for development, alignment, and collaboration
Page 19

Resources
• Information Sharing
  – Information Sharing and Analysis Centers (ISACs)
  – InfraGard partnership
• US-CERT's Critical Infrastructure Cyber Community (C3) Voluntary Program
  – Tools and resources
  – (self) assessment, (ICS-)CERTs, training/education, …
• Sector-specific resources!
Page 20

Texas… Since We Are Here
• Texas Cybersecurity Framework
  – Requirements for security governance and management
  – Mandatory for state agencies
  – Controls based on 800-53 controls
• DIR Resources
  – http://www2.dir.state.tx.us/security/Pages/security.aspx
Page 21

Security Management – Compliance Is a Start, But…
[Figure: maturity ladder] Negligence → Controls-Focused Due Diligence → Risk-Informed Good Practice → Risk-Governed
• "Where compliance with control frameworks might get you…"
• "(Technology / IT) Risk is organization-specific; compliance with control frameworks isn't!"
Compare to SSE-CMM or others:
• Performed Informally
• Planned and Tracked
• Well Defined
• Quantitatively Controlled
• Continuously Improving
Page 22

Resources
• NIST Cybersecurity Framework
  – http://www.nist.gov/cyberframework/
• US-CERT C3 Voluntary Program
  – http://www.us-cert.gov/ccubedvp
• Mapping of 27001 to the CSF
  – http://www.secuilibrium.com/1/post/2014/02/comparing-isoiec-27001-with-nists-cybersecurity-framework.html
• Contact:
  – David Ochel <david@secuilibrium.com>
Page 23
