Your SlideShare is downloading. ×
0
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Cyber Critical Infrastructure Framework Panel

555

Published on

The following presentation slides were used during the 2014 Cyber Summit Panel Session on Cyber Critical Infrastructure Guidelines at the University of Alabama at Birmingham

The following presentation slides were used during the 2014 Cyber Summit Panel Session on Cyber Critical Infrastructure Guidelines at the University of Alabama at Birmingham

Published in: Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
555
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Image Source: http://www.flickr.com/photos/ttc_press/5007644722/sizes/o/
  • Image Source: http://www.shrader.net/images/news/1331930690_3841-AEI-(iphone-app).jpg
  • Image Source: http://research.pandasecurity.com/blogs/images/cartoon/online_banking.JPG
  • Image Source: http://a57.foxnews.com/global.fncstatic.com/static/managed/img/fn2/video/876/493/100213_serrie_medicalrecords_640.jpg?ve=1&tl=1
  • Image Source: http://www.flickr.com/photos/austenhufford/7216871660/sizes/o/Document Source: https://www.federalregister.gov/executive-order/13636
  • Image Source: http://www.flickr.com/photos/thairms/3499360774/sizes/l/
  • Image Source: http://www.flickr.com/photos/bensonkua/2405779789/sizes/l/
  • Image Source: http://www.flickr.com/photos/bensonkua/2405779789/sizes/l/
  • Image Source: http://www.flickr.com/photos/bensonkua/2405779789/sizes/l/
  • Image Source: http://www.flickr.com/photos/bensonkua/2405779789/sizes/l/
  • Image Source: http://www.flickr.com/photos/wwworks/4759535950/sizes/o/
  • Transcript

    • 1. NIST Cyber Critical Infrastructure Guidelines
    • 2. Meet Our Panelists Allen Johnston, Ph.D. Associate Professor of Information Systems Paul M. Di Gangi, Ph.D., CISSP Assistant Professor of Information Systems Deborah Williams, CISSP Program Manager Matthew Speare Head of Governance & Integration Angella Carlisle, CISSP, CRISC, CHSP IT Security Manager Dave Summitt, CISSP Chief Information Security Officer
    • 3. OUR NATION’S
    • 4. Critical Infrastructure Gone Digital...
    • 5. EO 13636: Improving Critical Cybersecurity Infrastructure It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. February 2013
    • 6. What are the critical infrastructure sectors? 85 % PRIVATELY OWNED
    • 7. What are we already doing to protect these sectors? Critical Sector Reg’s/Standards/Laws Critical Sector Reg’s/Standards/Laws Agriculture & Food 21 CFR 11 Government Facilities N/A Commercial Facilities 25 CFR 542 N/A Dams CIP 002-009 (Mandatory) National Monuments & Icons Transportation Systems 49 CFR 193,1520 Chemical 6 CFR 27 Critical Manufacturing N/A Emergency Services N/A Healthcare & Public Health 45 CFR 164 (HIPAA) Nuclear Reactors, Materials & Waste 10 CFR 73 (NRC) Water 42 U.S.C. 300-2 (Law) Energy CIP 002-009 (Mandatory) Information Technology N/A Postal & Shipping N/A Banking & Finance 12,16,17,31 CFR , (SOX,GLB, AML) Communications N/A Defense Industrial Base NISPOM
    • 8. But there are still gaps to the overall strategy!
    • 9. Organizational Views on Cybersecurity Adaptive Adapts cybersecurity practices based on lessons learned & predictive indicators; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; actively shares information w/ partners Repeatable Risk management practices are formally approved, expressed in policy, and updated regularly; organization-wide approach to managing risk using risk-informed policies, processes, and procedures; understands dependencies w/partners Informed Risk management practices are approved by management, but may not have established organization-wide policy; awareness of risk at organizational level but approach not established; not formally sharing w/ partners Partial Risk management practices are not formalized & risk managed in a reactive manner; implements risks management on case-by-case basis; may not coordinate or collaborate w/ partners
    • 10. Cybersecurity Framework
    • 11. Cybersecurity Framework Strategically-oriented for “Big Picture” View Threat/Risk Centric Process Approach
    • 12. Why should organizations adopt a nonmandatory framework? Incentive Type Grants Rate-Recovery for PriceRegulated Industries Bundled Insurance Requirements, Liability Protection, and Legal Benefits Prioritizing Certain Classes of Training and Technical Assistance Procurement Considerations Streamline Information Security Regulations Summary Description Fixed cost, performance-based awards for investment in cybersecurity products and services for prospective Framework adopters. Recovery of cybersecurity investments in the rates charged for services provided by Framework adopters through a price cap, in which the government allows a firm to charge up to a certain maximum price that is independent of the realized cost. A system of litigation risk mitigation for which those entities that adopt the Framework and meet reasonable insurance requirements are eligible to apply. Other types of legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single Federal court; creation of a Federal legal privilege that preempts State disclosure and/or discovery requirements for certain cybersecurity self-assessments. The Federal Government offers several types of technical assistance to critical infrastructure owners and operators, including preparedness support, assessments, training of employees, and advice on best practices. Introduce a technical requirement in the procurement process for certain types of acquisitions for Framework adopters, or requirements for Framework adoption for Federal information and communications technology providers or other contracts, particularly those involving access to sensitive government information or essential services. Creation of a unified compliance model for similar requirements and eliminate overlaps among existing laws; streamlining of differences between U.S. and international law (perhaps through treaties); ensuring equivalent adoption; reducing audit burdens; and offering prioritized permitting.
    • 13. Where are we in the timeline?
    • 14. Panel Discussion Question: What are the pressing issues for critical infrastructure organizations in the information security/assurance domain? What are the initial reactions of organizations in your industry to the Critical Infrastructure guidelines that were recently released?
    • 15. Panel Discussion Question: How well does the Critical Infrastructure guidelines integrate with your existing regulatory requirements? What’s new that is currently not addressed? Are the Critical Infrastructure guidelines likely to become a standard for your industry or do you see a different set of guidelines being adopted?
    • 16. Panel Discussion Question: What are the primary challenges your organization faces for implementing the Critical Infrastructure guidelines?
    • 17. Panel Discussion Question: How are the incentives being perceived within your industry for complying with the Critical Infrastructure guidelines? Of the proposed incentives, grants, technical assistance, rate recovery, liability reform – which are most attractive to you?

    ×