Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Introduction to Risk Management via the NIST Cyber Security Framework

973 views

Published on

The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlight opportunities for expanded application for cyber, physical, and personnel security risks. This NIST CSF can help practitioners build a cross-pollenated understanding of holistic risk.

Main points covered:

• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.

Presenters:

David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications.

Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.

Recorded webinar: https://youtu.be/hxpuYtMQgf0

Published in: Education
  • DOWNLOAD FULL. BOOKS INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Introduction to Risk Management via the NIST Cyber Security Framework

  1. 1. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 1
  2. 2. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 2 Today’s objectives Introduce the components of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) • Core • Implementation Tiers • Profile Highlight specific categories within the core functions that may include assessment activities where physical-cyber convergence occurs 1 2
  3. 3. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 3 Today’s Agenda • Baselining terminology • Development of NIST’s CSF • CSF components − Framework core − Framework implementation tiers − Framework profile • How to use the repeatable assessment framework • Questions / answers
  4. 4. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 4 Baselining terminology For today’s discussion, we will refer to the below diagram that visualizes risk as a function of threat, vulnerability and consequence. Threat ConsequenceVulnerability Likelihood of the Adversary’s capability Likelihood of impact Likelihood of the Adversary’s intent
  5. 5. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 5 Development of NIST’s CSF The CSF development process initiated with Executive Order 13636, which was released on February 12, 2013. The Executive Order introduced efforts on the sharing of cybersecurity threat information, and on building a set of current and successful approaches - a framework - for reducing risks to critical infrastructure. Executive Order 13800, released on May 11, 2017, requires all Federal agencies to utilize the CSF to manage the agency’s cybersecurity risk. Through this Executive Order, NIST was tasked with the development of a "Cybersecurity Framework" 1 Critical infrastructure is defined in the U.S. Patriot Act of 2001 as, “Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” National Institute of Standards & Technology (NIST) was selected for the task of developing the Framework because they are a non-regulatory Federal agency that acts as an unbiased source of scientific data and practices, including cybersecurity practices. NIST published the Cybersecurity Framework (CSF) version 1.0 on February 12, 2014 after a year-long collaborative effort with stakeholders in the critical infrastructure1 sector. The latest version (version 1.1) was released on April 16, 2018. CSF leverages elements of existing well-known risk management frameworks, processes, and guidelines (i.e., COBIT, ISA, ISO 27001 and NIST SP800/53).
  6. 6. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 6 CSF components The CSF is a risk-based approach to managing cybersecurity risk, and is composed of three parts as shown below. The components reinforce the connection between business/mission drivers and cybersecurity activities. Implementation Tiers Core Profile • Describes the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive) • Cybersecurity activities and informative references, organized around particular outcomes • Enables communication of cybersecurity risks across an organization • Aligns industry standards and best practices to the Framework Core in a particular implementation scenario • Supports prioritization and measurement while factoring in business needs
  7. 7. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 7 Framework core The core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. It comprises four elements: Functions, Categories, Subcategories, and Informative References. Aids an organization in expressing its management of cybersecurity risk by organizing information Subdivisions of a function into groups of cybersecurity outcomes closely tied to programs and particular activities Divides a category into specific outcomes of technical and/or management activities Specific sections of standards, guidelines, and practices common among critical infrastructure sectors
  8. 8. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 8 Activity How would you answer each of the five questions below? 1 2 3 4 5 What processes and assets need protection? What safeguards or countermeasures are available? What techniques can identify security incidents? What activities can help contain the impacts of incidents? What activities are required to restore capabilities?
  9. 9. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 9 Framework core Functions are to be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. Function Category The Challenge Physical Controls Cyber Controls Identify Asset Management What processes and assets need protection? Business Environment Governance Risk Assessment Risk Management Strategy Supply Chain Management Protect Access Control What safeguards or countermeasures are available? Awareness and Training Data Security Info Protection Process & Procedure Maintenance Protective Technology Detect Anomalies and Events What techniques can identify cybersecurity incidents? Security Continuous Monitoring Detection Processes Respond Response Planning What activities can contain impacts of incidents? Communications Analysis Mitigation Improvements Recover Recovery Planning What activities are required to restore capabilities? Improvements Communications
  10. 10. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 10 Framework core (cont’d) Functions are to be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. Function Category The Challenge Physical Controls Cyber Controls Identify Asset Management What processes and assets need protection? Business Environment Governance Risk Assessment Risk Management Strategy Supply Chain Management
  11. 11. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 11 Framework core (cont’d) Functions are to be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. Function Category The Challenge Physical Controls Cyber Controls Protect Access Control What safeguards or counter- measures are available? Awareness and Training Data Security Info Protection Process & Procedure Maintenance Protective Technology
  12. 12. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 12 Framework core (cont’d) Functions are to be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. Function Category The Challenge Physical Controls Cyber Controls Detect Anomalies and Events What techniques can identify cybersecurity incidents? Security Continuous Monitoring Detection Processes
  13. 13. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 13 Framework core (cont’d) Functions are to be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. Function Category The Challenge Physical Controls Cyber Controls Respond Response Planning What activities can contain impacts of incidents? Communications Analysis Mitigation Improvements
  14. 14. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 14 Framework core (cont’d) Functions are to be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. Function Category The Challenge Physical Controls Cyber Controls Recover Recovery Planning What activities are required to restore capabilities? Improvements Communications
  15. 15. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 15 Framework implementation tiers Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. An organization’s current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, and supply chain cybersecurity requirements are considered while determining the tiers. Tier 1: Partial Tier 2: Risk Informed Tier 3: Repeatable Tier 4: Adaptable Risk Management Process The degree to which risk management processes are applied in alignment with organizational risk objectives, changes in business/mission requirements and a changing threat and technology landscape. • Not formalized • Ad hoc • Prioritization is not informed • Formalized, but no organizational- wide policy • Directly informed • Formal • Regularly updated • Incorporates: o Predictive indicators o Lessons Learned Integrated Risk Management Program Definition and implementation of risk-informed policies, processes, and procedures to enable personnel to possess the knowledge and skill to perform their appointed cybersecurity roles and responsibilities. • Irregular, case- by-case basis • Regular, but no organizational- wide approach • Consistent, organization -wide approach • Cybersecurity risk management is part of the organization’s culture External Participation Understanding of an organization’s role, dependencies, and dependents in the larger ecosystem by collaborating with and receiving information from other entities regularly that complements internally generated information, and sharing information with other entities • Lack of: o Ecosystem understanding o Collaboration • Dependencies or dependents known, but not both • Internal informal sharing • Both dependencie s and dependents are known • Internal and external information sharing • Generates prioritized information • Communicates proactively
  16. 16. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 16 Framework profile The Framework Profile is the alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization. They can be used to describe the current state or the desired target state of specific cybersecurity activities. Current Profile indicates the cybersecurity outcomes from the framework categories and sub-categories that are currently being achieved. 1 Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals. 2 Gaps are identified by comparing Profiles (e.g., the Current Profile and Target Profile) 3 A roadmap is established for reducing cybersecurity risk aligned with organizational and sector goals, legal/regulatory requirements and industry best practices, and reflects risk management priorities 4
  17. 17. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 17 David Feeney Manager Risk & Financial Advisory Deloitte 484.535.2543 dafeeney@deloitte.com Andrea LeStarge Senior Manager Risk & Financial Advisory Deloitte 414.530-1834 alestarge@deloitte.com
  18. 18. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright © 2018 Deloitte Development LLC. All rights reserved. As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
  19. 19. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 19 ISO 31000 Training Courses ISO 31000 Introduction 1 Day Course ISO 31000 Foundation 2 Days Course ISO 31000 Risk Manager 3 Days Course ISO 31000 Lead Risk Manager 5 Days Course Exam and certification fees are included in the training price. www.pecb.com/en/education-and-certification-for- individuals/iso-31000 www.pecb.com/events
  20. 20. Physical Security ServicesCopyright © 2018 Deloitte Development LLC. All rights reserved. 20 THANK YOU ? https://www.linkedin.com/in/davidfeeney/ www.deloitte.com https://www.linkedin.com/in/andrea-lestarge-1b64a7a9/

×