1) The document discusses cyber security laws, regulations, and trends related to critical infrastructure protection. It covers Presidential Executive Orders on cyber security of critical infrastructure, key federal cyber security laws, and Department of Defense guidance documents.
2) It also discusses system cyber defense resilience architectures, including the National Institute of Standards and Technology cybersecurity framework and risk management process.
3) Finally, it addresses lifecycle systems cyber resiliency architecting, including principles, techniques, attack mechanisms, and metrics for measuring cyber resilience.
Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors” on Thursday, October 3, 2013. This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority. The discussion included:
- Proposed Federal Acquisitions Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
- Planned changes to procurement requirements based on independent agency actions;
- Congressionally mandated cybersecurity requirements; and
- Ways contractors can prepare for these changes.
To view the webinar, visit:
The Defense Department and General Services Administration report on improving cyber security and resilience through acquisition. This report, developed as part of the President’s Executive Order on Cyber Security, forms the baseline for a fundamental shift in federal procurement policy. In short, going forward cyber security is going to be a core consideration in federal procurements. Contractors will likely find cyber security obligations embedded in their contracts, and may even find themselves excluded from the procurement process if certain cyber security benchmarks are not met.
The report spells out six key recommendations:
1) Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
2) Address Cybersecurity in Relevant Training
3) Develop Common Cybersecurity Definitions for Federal Acquisitions
4) Institute a Federal Acquisition Cyber Risk Management Strategy
5) Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
6) Increase Government Accountability for Cyber Risk Management
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: Cybersecurity for Government Contractors
Presenter: Robert Nichols, Partner, Covington & Burling LLP
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage: Improving Cybersecurity and Resilience Through Acquisition
Presenter: Emile Monette, Senior Advisor for Cybersecurity, GSA, Office of Mission Assurance
Description: How do we approach deliberate attacks against Federal contractors who handle and have access to massive amounts of sensitive and confidential data and information? From the increasing Insider threat to state-sponsored attacks, how can the Federal government partner more effectively with the private sector to detect and mitigate these attacks?
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: David Knox, Vice President of National Security Solutions, Oracle
Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Information Security vs. Data Governance vs. Data Protection: What Is the Rea... (PECB)
This webinar will provide more information on the importance of information security and how you can take security well beyond compliance, an approach on building strong information security, privacy and data governance programs, and the importance of strong data governance in relation to privacy and information security requirements.
The webinar covers:
• Information Security
• Importance Of Information Security Today
• Taking Information Security Beyond A Compliance First
• Importance Of Data Governance In Information Security
• Privacy
• Changing And Evolving Privacy Requirements
• Importance Of Data Governance In Privacy
• Data Governance And Data Privacy
• Data Privacy - Data Processing Principles
Presenters:
Moji is a Senior Business Process Analyst working with GemaltoThales, a leading firm in the IT industry. Moji has over fifteen years of experience leading projects that improve processes, create and implement processes that increase revenue generation, and eliminate redundancies.
She has a zeal for adding value and increasing revenue for organizations. Moji is very passionate about Data Privacy and its application in business and consumer rights.
Hardeep Mehrotara has 20+ years of senior leadership experience in Information Technology and Cyber Security working for public and private organizations building security programs from the ground up. He has been featured on Canadian television as a cyber expert and provided advice to various communities on implementing cybersecurity strategy, best practices and controls. He has been a co-author on numerous leading industry security control frameworks, technical benchmarks and industry best practice standards.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/aQcS5-RFIEY
Website link: https://pecb.com/
Dr. Daniel M. Gerstein has served as the Deputy Under Secretary for Science & Technology in the Department of Homeland Security since August 2011. He is also an Adjunct Professor at American University in Washington, DC at the School of International Service (SIS) where he teaches graduate level courses on biological warfare and the evolution of military thought.
Dr. Gerstein has extensive experience in the security and defense sectors in a variety of positions while serving as a Senior Executive Service (SES) government civilian, in uniform, and in industry. Before joining DHS, he served as the Principal Director for Countering Weapons of Mass Destruction (WMD) within the Office of the Secretary of Defense (Policy). He has served on four different continents participating in homeland security and counterterrorism, peacekeeping, humanitarian assistance, and combat in addition to serving for over a decade in the Pentagon in various high level staff assignments. Following retirement from active duty, Dr. Gerstein joined L-3 Communications as Vice President for Homeland Security Services, leading an organization providing WMD preparedness and response, critical infrastructure security, emergency response capacity, and exercise support to U.S. and international customers.
Dr. Gerstein also has extensive experience in international negotiations having served on the Holbrooke Delegation that negotiated the peace settlement in Bosnia, developed and analyzed negotiating positions for the Conventional Armed Forces in Europe (CFE) talks, and developed an initiative to improve cross border communications between Colombia and neighboring Andean Ridge nations. Additionally, Dr. Gerstein led an initiative to develop a comprehensive biosurveillance system for the Department of Defense (2010-2011), served on the leadership team for the Project for National Security Reform (PNSR) which was charged with developing a new national security act to reflect the changing security environment (2007-2008), co-led the Secretary of the Army’s Transition Team (2004-2005), and led the Army’s most comprehensive restructuring since World War II (2000-2001).
He has been awarded numerous military and civilian awards including an award from the Government of Colombia, the Department of State’s Distinguished Service Award, and the U.S. Army Soldiers Medal for heroism.
He has published numerous books and articles on national security, biological warfare, and information technology including Bioterror in the 21st Century (Naval Institute Press, October 2009), ICMA Report: Planning for a Pandemic (ICMA Press, Volume 39/Number 3 2007), Securing America’s Future: National Strategy in the Information Age (Praeger Security International, September 2005); Leading at the Speed of Light (Potomac Books, November 2006); Assignment Pentagon (Potomac Books, May 2007). He has also served as a fellow at the Council on Foreign Relations and is a current member.
New York Department of Financial Services Cybersecurity Regulations (Shawn Tuma)
Getting in Shape – NYDFS Cyber Security Regulations Webinar
Presenters: Shawn Tuma, Cybersecurity & Data Protection Attorney, Scheef & Stone LLP | Bill Belcher, VP Americas, Boldon James
In an initiative to protect New York’s financial services industry, a new State regulation has been introduced to protect consumers and financial institutions from cyber-attacks. Effective March 1, 2017, this risk-driven regulation requires all financial services institutions regulated by the Department of Financial Services (DFS) to establish and maintain a cyber security program that will protect both customers’ private data and the technology that supports this. The impact stretches down through the supply chain, as any organization that conducts business with the NYC financial services sector has to adopt the same level of data protection.
Watch this webcast to learn:
• The key requirements of the NYC Cyber security regulation
• How compliance is about process first, then people and technology
• What organizations need to be doing to ensure they comply
• How data classification can help ensure compliance
NYDFS Cybersecurity Regulations (23 NYCRR 500)
New York is one of the biggest financial hubs in the world; as you can imagine, where there is sensitive financial information, there are people who want to get their hands on it. It is for this reason that major financial firms operating in New York will face stiff cyber security obligations under the new New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). This regulation will apply to firms holding a banking, insurance or financial services licence to operate in New York. 23 NYCRR 500 has been effective as of March 1st 2017, although firms have 180 days from this introduction date to change internal systems in order to meet new compliance and regulation standards. This fact sheet outlines:
• 23 NYCRR 500 overview
• Key dates for covered entities
• Key tasks for compliance
• How Boldon James can help
Please complete the adjoining form to request it.
Using international standards to improve Asia-Pacific cyber security (IT Governance Ltd)
Understand the cyber threat facing APAC organisations, current legislation and how to utilise international standards to get your business cyber secure in this informative webinar, hosted by Alan Calder.
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee... (PECB)
95% of cybersecurity breaches are due to human error. That’s what Cybint’s facts and stats article shows.
Given how high this share is, and how great a loss it can lead to, organizations should know their processes and procedures well. What is decisive for avoiding breaches is that everyone in the organization is able to recognize potential threats in advance and react quickly and effectively.
The webinar will cover:
• The most recent attacks, such as supply chain attacks
• Trends and statistics
• The impacts of the pandemic on cybersecurity landscapes, closing the gaps in remote workforce security
• How to improve your organization’s cybersecurity posture by asking the right questions and implementing a tiered approach
Recorded Webinar: https://youtu.be/Q5_2rYjAE8E
ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors (EnergySec)
Presented by: Nadya Bartol, Utility Telecom Council
Abstract: A variety of recent breaches and vulnerabilities demonstrate that the software and hardware supply chain is a serious concern in the ICS space. Asset owners/operators and suppliers are in a symbiotic relationship – acquirers cannot conduct business without the supplier products and services. Where do the subcomponents come from, and what do we know about their contents? Which code libraries were used by the sub-supplier? Why do we need to know? Several solution sets have emerged over the last 6 years, developed in the IT/communications, defense, and ICS spaces. These include soon-to-be-published ISO and IEC standards, NIST documents, a certification framework, Common Criteria extensions, and efforts by a software industry consortium. The presentation will survey the ICT supply chain security problem space, provide an overview of the solutions developed to date, and recommend how to use these solutions in the ICS context.
When it comes to Cyber Security, it is no longer enough to adhere to regulations; to ensure protection against Cyber Intrusion we must constantly implement Best Practices.
Energy Industry Organizational Strategies to Increase Cyber Resiliency (EnergySec)
Presented by: Julie Soutuyo, Tennessee Valley Authority
Abstract: Over the past 40 years, the energy industry has evolved to a position of dependence upon information technology to accomplish its mission. Cyber attacks have become a “way of life” as the Nation, industry, organizations, and individuals strive to operate safely and securely in cyberspace. Most rely on a compliance-based “whack-a-mole” approach to cyber defense, which presents multiple barriers to hackers based on the last attack, with efforts to “hit” any that get inside the organization’s defenses. While still valid, this compliance-based approach has significant challenges: stopping intruders, mitigating the problems they create, and positioning an organization to achieve its mission under a cyber attack. Cyber experts across the Nation are increasingly turning to resiliency as a means of fighting through these attacks, with the objective of meeting operational and mission requirements in spite of the attacks. This shift is driving organizations to rethink their organizational structures to achieve unity of effort and streamlined decision-making in the face of a fast-paced set of operational demands. This presentation will highlight the strategies that promote a cyber resilient organization.
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Cybersecurity is a difficult and serious endeavor that, over time, strives to balance the management of computing security against protecting the technology that connects and enriches everyone’s lives.
Peering into the future of cybersecurity provides valuable insights around the challenges and opportunities. The industry is changing rapidly and attackers seem to always be one step ahead. Organizations must not only address what is ongoing, but also prepare for how cyber-threats will maneuver in the future.
The 2016 Cybersecurity Predictions presentation showcases the cause-and-effect relationships, provides insights and perspectives on the forthcoming challenges the industry is likely to face, and discusses how we can be better prepared for them.
ControlCase discusses the following:
• About the different Regulations
• Components for Continuous Compliance Monitoring within IT Standards/Regulations
• Recurrence Frequency and Calendar
• Challenges in Continuous Compliance Monitoring
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics (IBM Security)
Attackers are using increasingly sophisticated methods to access your most sensitive data, and at the same time cloud, mobile and other innovations expand the perimeter you need to protect. This keynote discusses how to build a more secure enterprise with real-time analytics and behavior-based activity monitoring.
Advanced Security Intelligence tools store, correlate and analyze millions of events and flows daily to identify the critical incidents your security team needs to investigate. The volume, variety and velocity involved clearly define Security as a “Big Data challenge.”
Learn how advanced predictive analytics and incident forensics help defend against advanced attacks and respond to and remediate incidents quickly and effectively.
Join our webinar hosted by MAGNET: The Manufacturing Advocacy and Growth Network. As the NIST and Ohio MEP program advocates, we’ve invited a leader of our technological and educational cybersecurity partner, Ignyte Institute, for a conversation on how to get on board with the emerging Cybersecurity Maturity Model Certification (CMMC). This webinar will give a detailed and realistic overview of all cybersecurity frameworks and regulations required to continue working on existing projects or bid on future contracts as a Department of Defense (DoD) prime or subcontractor. Our goal is to help you assess your current state of Governance, Risk Management, and Compliance (GRC), and provide overall guidance on a smooth transition to the new regulatory norms, in order to ensure that Ohio-based businesses maintain their competitive edge in the Defense Industrial Base (DIB).
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017 (Amazon Web Services)
The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the FAR that provides Department of Defense-specific acquisition regulations that DoD government acquisition officials and contractors doing business with DoD must follow in the procurement process for goods and services. This session will discuss the implications for meeting DFARS in the cloud and provide practical guidance on how DoD and defense contracting organizations can meet DFARS requirements using AWS GovCloud (US). The session will also feature a customer use case on addressing DFARS in AWS GovCloud (US). Learn More: https://aws.amazon.com/government-education/
Cybersecurity for Energy: Moving Beyond Compliance (EnergySec)
Presented by: Gib Sorebo, SAIC
Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.
Energy Industry Organizational Strategies to Increase Cyber ResiliencyEnergySec
Presented by: Julie Soutuyo, Tennessee Valley Authority
Abstract: Over the past 40 years, the energy industry has evolved to a position of dependence upon information technology to accomplish its mission. Cyber attacks have become a “way of life”; as the Nation, industry, organizations, and individuals strive to operate safely and securely in cyberspace. Most rely on a compliance-based “whack-a-mole”; approach to cyber defense which presents multiple barriers to hackers, based on the last attack, with efforts to “hit” any that get inside the organization’s defenses. While still valid, this compliance-based approach has significant challenges: stopping intruders, mitigating the problems they create, and positioning an organization to achieve its mission under a cyber attack. Cyber experts across the Nation are increasingly turning to resiliency as a means for fighting through these attacks with the objective of meeting operational and mission requirements in spite of the attacks. This shift is driving organizations to rethink their organizational structures to achieve unity of effort and streamlined decision-making in the face of a fast paced set of operational demands. This presentation will highlight the strategies to promote a cyber resilient organization.
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistMatthew Rosenquist
Cybersecurity is a difficult and serious endeavor which over time strives to find a balance in managing the security of computing capabilities to protect the technology which connects and enriches the lives of everyone.
Peering into the future of cybersecurity provides valuable insights around the challenges and opportunities. The industry is changing rapidly and attackers seem to always be one step ahead. Organizations must not only address what is ongoing, but also prepare for how cyber-threats will maneuver in the future.
The 2016 Cybersecurity Predictions presentation showcases the cause-and-effect relationships and provides insights and perspectives of the forthcoming challenges the industry is likely to face and how we can be better prepared for it.
ControlCase discusses the following:
• About the different Regulations
• Components for Continuous Compliance Monitoring within IT Standards/Regulations
• Recurrence Frequency and Calendar
• Challenges in Continuous Compliance Monitoring
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsIBM Security
Attackers are using increasingly sophisticated methods to access your most sensitive data, and at the same time cloud, mobile and other innovations expand the perimeter you need to protect. This keynote discusses how to build a more secure enterprise with real-time analytics and behavior-based activity monitoring.
Advanced Security Intelligence tools store, correlate and analyze millions of events and flows daily to identify critical incidents your security team needs to investigate. The volume, variety and velocity involved clearly defines Security as a “Big Data challenge.”
Learn how advanced predictive analytics and incident forensics help defend against advanced attacks and respond to and remediate incidents quickly and effectively.
Join our webinar hosted by MAGNET: The Manufacturing Advocacy and Growth Network. As the NIST and Ohio MEP program advocates, we’ve invited a leader of our technological and educational cybersecurity partner, Ignyte Institute, for a conversation on how to get on board with the emerging Cybersecurity Maturity Model Certification (CMMC). This webinar will give a detailed and realistic overview of all cybersecurity frameworks and regulations required to continue working on existing projects or bid on future contracts as Department of Defense (DoD) prime and subcontractor. Our goal is to help you assess your current state of Governance, Risk Management, and Compliance (GRC), and provide you overall guidance on a smooth transition to the new regulatory norms in order to ensure that Ohio-based businesses maintain their competitive edge in the Defense Industrial Base (DIB).
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Amazon Web Services
The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the FAR that provides Department of Defense-specific acquisition regulations that DoD government acquisition officials and contractors doing business with DoD must follow in the procurement process for goods and services. This session will discuss the implications for meeting DFARS in the cloud and provide practical guidance on how DoD and defense contracting organizations can meet DFARS requirements using AWS GovCloud (US). The session will also feature a customer use case on addressing DFARS in AWS GovCloud (US). Learn More: https://aws.amazon.com/government-education/
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
Presented by: Gib Sorebo, SAIC
Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.
In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. This paper discusses security issues, requirements and challenges that cloud service providers (CSP) face during cloud engineering. Recommended security standards and management models to address these are suggested for technical and business community.
New regulations and the evolving cybersecurity technology landscapeUlf Mattsson
As the cyber threat landscape continues to evolve, organizations worldwide are increasing their spend on cybersecurity technology. We have a transition from 3rd party security providers into native cloud security services. The challenge of securing enterprise data assets is increasing. What’s needed to control Cyber Risk and stay Compliant in this evolving landscape?
We will discuss evolving industry standards, how to keep track of your data assets, protect your sensitive data and maintain compliance to new regulations.
Become the best version of most in-demand cybersecurity experts with the best cybersecurity certifications to guide OT security frameworks. Foresee cybersecurity threats as a specialized OT security professional and gain big!
Read more: https://shorturl.at/jsuGS
Infrastructure Security by Sivamurthy HiremathClubHack
With the development of technology, the interdependence of various infrastructures has increased, which also enhanced their vulnerabilities. The National Information Infrastructure security concerns the nation’s stability and economic security. So far, the research in Internet security primarily focused on securing the information rather than securing the infrastructure itself.
The pervasive and ubiquitous nature of the Internet coupled with growing concerns about cyber attacks we need immediate solutions for securing the Internet infrastructure. Given the prevailing threat situation, there is a compelling need to develop Hardware redesign architectures, Algorithms, and Protocols to realize a dependable Internet infrastructure. In order to achieve this goal, the first and foremost step is to develop a comprehensive understanding of the security threats and existing solutions. These attempts to fulfil this important step by providing classification of Security attacks are classified into four main categories: DNS hacking, Routing table poisoning, Packet mistreatment, and Denial-of-Service attacks. We are generally discussing on the existing Infrastructure solutions for each of these categories, and also outline a methodology for developing secured Nation.
Robust Cyber Security for Power UtilitiesNir Cohen
The security of critical networks is at the center of attention of industry and government regulators alike. Check Point and RAD offer a joint end-to-end cyber security solution that protects any utility operational technology (OT) network by eliminating RTU and SCADA equipment vulnerabilities, as well as defends against cyber-attacks on the network’s control and data planes. This solution brief explains how the joint solution enables compliance with NERC-CIP directives, provides deep visibility and control of ICS/SCADA communications, and allows secure remote access into OT networks.
Cybersecurity and continuous intelligenceNISIInstituut
Welcome to the cybersecurity & continuous intelligence knowledge slidedeck of NISI (Nederlands Instituut voor de Software Industrie).
Cybersecurity & Continuous Intelligence is a broad topic, covering rules & regulation, internet, cyberwar, software, machine learning and society & trust.
This slidedeck offers you a more in-depth view of this exciting area.
Please contact us directly for more information via email info@nisi.nl or the contact on form on nisi.nl.
Nederlands Instituut voor de Software Industrie
This kickoff intrtoduces the concept of the Agile Fractal grid to more than 100 companies that particpated in the full day workshop lead by Chuck Speicher and John Reynolds and Craig Miller the Chief scientist of the NRECA
Are existing compliance requirements sufficient to prevent data breaches? This session will provide a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack and identify related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn the unexpected impact of corporate culture on overall cyber security posture.
This talk was presented at RSA Conference 2021 (Session RMG-T15) on May 18, 2021.
Original paper available for download at SSRN: Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (28/04/2020). https://ssrn.com/abstract=3570138
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Essentials of Automations: The Art of Triggers and Actions in FME
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely final 05182016
1. Cyber Security 2016 Law & Regulatory Environmental Trends
A) Presidential Executive Orders 13636 and 13691 Critical Infrastructure Cyber Security
B) Legal Authority: Key Federal Laws, DOD Guidance (161 Directives), FAR/DFARS
C) System Cyber Defense Resilience Architecture
Alex Dely, Contracts Manager, Innovation & Cyber Directorates, Raytheon Missile Systems
ASIS Phoenix Chapter 18 May 2016
Alex_Dely@Raytheon.com
2. Cyber Tidbits
• Typical Dwell Time in Public Infrastructure Networks before Penetration Detection: 128 Days.
• Every minute 1,080 hacks occur; 27 Days to Resolve; $7.4M/Incident.
• Software Code: 4.9 Flaws/1000 Lines of Code, of which 1 to 5% represent serious vulnerabilities
• Typical Penetration Detector: External Vulnerability Assessment Part
• 1.5 Million Cyber Security Jobs Unfilled (Unfillable?)
• Attacker only needs 0.0001 Success Rate
• Most Asset Owners do not know about their Outbound Traffic: # Connections, Length of Connection, Amount of Data, % Encrypted, Destination IP
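The last tidbit names the five things an asset owner should know about outbound traffic. As an added example (not part of the deck), the Python script below computes exactly those figures per destination from a constructed flow export and flags destinations whose aggregate connection time or data volume exceeds assumed thresholds; the flow record format, the set of applications counted as encrypted, and the thresholds are assumptions.

```python
"""Outbound traffic inventory: connections, connection length, bytes,
share encrypted and destination IP, per destination.  Added example;
the flow records and thresholds below are constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Constructed flow export, one record per connection (assumed format):
# start_epoch,src_ip,dst_ip,dst_port,proto,duration_s,bytes_out,app
SAMPLE_FLOWS = """\
1463580000,10.20.1.15,203.0.113.10,443,tcp,12,48231,tls
1463580015,10.20.1.15,203.0.113.10,443,tcp,9,20311,tls
1463580030,10.20.1.22,198.51.100.7,80,tcp,3,1211,http
1463580060,10.20.1.22,198.51.100.7,8080,tcp,7200,52428800,http
1463580090,10.20.2.5,192.0.2.44,53,udp,1,312,dns
1463580120,10.20.2.5,203.0.113.10,443,tcp,30,91000,tls
1463580150,10.20.1.30,10.20.9.9,502,tcp,600,4096,modbus
"""

# Assumption: the flow exporter labels the application layer; these count as encrypted.
ENCRYPTED_APPS = {"tls", "ssh", "ipsec"}
# RFC 1918 space is treated as internal; anything else is an outbound destination.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass
class DestSummary:
    """What the deck says owners should know, aggregated per destination IP."""
    connections: int = 0
    total_seconds: int = 0
    total_bytes: int = 0
    encrypted: int = 0
    ports: Set[int] = field(default_factory=set)

    @property
    def pct_encrypted(self) -> float:
        if not self.connections:
            return 0.0
        return round(100.0 * self.encrypted / self.connections, 1)


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed CSV-style export; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _start, src, dst, port, proto, dur, nbytes, app = line.split(",")
        flows.append({"src": src, "dst": dst, "port": int(port), "proto": proto,
                      "seconds": int(dur), "bytes": int(nbytes), "app": app})
    return flows


def is_outbound(dst: str) -> bool:
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def summarise_outbound(flows: List[dict]) -> Dict[str, DestSummary]:
    """Aggregate only the flows that leave the internal address space."""
    summary: Dict[str, DestSummary] = defaultdict(DestSummary)
    for f in flows:
        if not is_outbound(f["dst"]):
            continue
        s = summary[f["dst"]]
        s.connections += 1
        s.total_seconds += f["seconds"]
        s.total_bytes += f["bytes"]
        s.ports.add(f["port"])
        if f["app"] in ENCRYPTED_APPS:
            s.encrypted += 1
    return dict(summary)


def review_candidates(summary: Dict[str, DestSummary], max_seconds: int = 3600,
                      max_bytes: int = 10 * 1024 * 1024) -> List[str]:
    """Destinations whose total connection time or volume exceeds the assumed
    thresholds, biggest talker first: the ones an owner should be able to explain."""
    flagged = [dst for dst, s in summary.items()
               if s.total_seconds > max_seconds or s.total_bytes > max_bytes]
    return sorted(flagged, key=lambda d: summary[d].total_bytes, reverse=True)


if __name__ == "__main__":
    summary = summarise_outbound(parse_flows(SAMPLE_FLOWS))
    print(f"{'destination':<15}{'conns':>6}{'seconds':>9}{'bytes':>11}{'%enc':>7}  ports")
    for dst, s in sorted(summary.items(), key=lambda kv: kv[1].total_bytes, reverse=True):
        print(f"{dst:<15}{s.connections:>6}{s.total_seconds:>9}{s.total_bytes:>11}"
              f"{s.pct_encrypted:>7}  {sorted(s.ports)}")
    print("review:", review_candidates(summary))
```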
4. POTUS Executive Order 13636
EO 13636 Improving Critical Infrastructure Cybersecurity (March 2013)
* technology-neutral cybersecurity framework and practices
* increase volume, timeliness and quality of threat information sharing
* incorporate strong privacy and civil liberties protections
* evaluate regulatory adequacy
POTUS Policy Directive-21 Critical Infrastructure Security and Resilience directs the Executive Branch, led by DHS, in coordination with NIST, NSA and sector Agencies to:
* develop near-real time physical and cyber situational awareness capability
* understand cascading consequences of infrastructure failures
* mature public-private partnerships
* update the National Infrastructure Protection Plan
* develop comprehensive research and development plan
5. NIPP 16 Critical Infrastructure Sectors
1) Defense Industrial Base
2) Critical Manufacturing
3) Emergency Services
4) Government Facilities
5) Financial Services
6) Information Technology
7) Transportation
8) Nuclear Reactors & Materials
9) Energy
10) Communications
11) Chemical
12) Dams
13) Water & Wastewater
14) Food & Agriculture
15) Public Health Facilities
16) Commercial Facilities
COMPLEX INTERLINKAGES WITH LIMITED CORRESPONDING GOVERNMENT-INDUSTRY EXPERTISE & ACCOUNTABILITY
6. POTUS EXECUTIVE ORDER 13691
EO 13691 Private Sector Cybersecurity Information Sharing (Feb 2015)
- establishes Information Sharing & Analysis Organizations (ISAO) standards and protocols to coordinate with US Government Information Sharing & Analysis Centers (ISAC)
- strengthens DHS National Cybersecurity & Communications Integration Center (NCCIC) ability to approve access to classified information
Categories:
1) Cyber-Physical (nano-scale to large-scale wide-area systems of systems; dependably, safely, securely, efficiently and in real-time; convergence of computation, communication, and control)
2) Cyber-Cyber (Network Cyber)
3) Physical-Cyber
4) Physical-Physical
8. Integrated SCADA/ICS
Graphic courtesy of DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies
9. Control System is NOT an IT Network!!
Industrial Control Systems (ICS):
* Distributed Control Systems (IoT)
* Supervisory Control and Data Acquisition Systems (SCADA)
* Process Control Systems
* Manufacturing Execution Systems
Vulnerability Categories:
* Millions of Remote Access Points, many in Legacy systems with limited Access Control, open Communications Protocols, Default Passwords, Limited/No Firewalls
* Complex Systems Dynamically Reconfiguring in Space/Time
* Reliance on mostly Offshore Suppliers
* Technical Documentation freely available on Internet
* Hierarchical Wireless Sensor networks allow an attacker to determine where the root node is placed
11. DHS Cross Sector Roadmap of Cyber Security Control Systems
Homeland Security Presidential Directive-7: Robustness, Survivability & Resilience Systems-of-Systems Principles:
1) Operational Independence of Elements
2) Managerial Independence of Elements
3) Geographical Distribution of Elements
4) Evolutionary Development
5) Emergent Behavior
6) Heterogeneous Network of Systems
7) Automated Intrusion Audit Trails
8) Real Time Incident Response
9) Acquisition Strategy & Contracting
10) Training
12. Where We Want to Go
“Defense-in-Depth Architecture”
Graphic courtesy of DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies October 2009
14. Key Federal Laws
1) Title 44 Federal Information Security Management Act (3541 et seq)
2) Title 18 Computer Fraud & Abuse Act (1030)
3) Title 18 Stored Communications Act (2701 et seq)
4) Title 18 Federal Wiretap Act (2510 et seq)
5) Title 18 Pen Registers and Trap and Trace Devices (3121 et seq)
6) Many Presidential Executive Orders
15. DOD Guidance Documents (161!)
Build & Operate a Trusted DoDIN handout (CIO Cyber)
1) Lead & Govern (18)
2) Design for the Fight (26)
3) Develop the Workforce (12)
4) Partner for Strength (9)
5) Secure Data in Transit (22)
6) Manage Access (16)
7) Assure Information Sharing (7)
8) Understand the Battlespace (7)
9) Prevent & Delay Attackers/Prevent Attackers from Staying (15)
10) Develop and Maintain Trust (9)
11) Strengthen Cyber Readiness (8)
12) Sustain Missions (12)
16. DoDI 5000.02 & 5200.39 Program Protection Planning
PPP is an iterative System Security risk management process:
1) Critical Program Information Identification/Criticality
2) Mission Critical Functions & Components Trusted Systems & Networks Analysis
3) Identification of Horizontal Protection Requirements
4) Identification of Foreign Involvement (Trusted Supply Chain)
5) Threat Analysis
6) Vulnerability Assessment
7) Risk Assessment
8) Trade-off Analyses
9) Countermeasures Implementation (Defensive Cyber Resilience, Anti Tamper, OpSec, InfoSec/Information Assurance, Software Assurance)
10) Verification & Validation and Residual Risk
17. DFARS 252.204-7012 (Sept 2015)
“Safeguarding Covered Defense Information and Cyber Incident Reporting”: INTERIM RULE:
1) 72 Hr Network Penetration Reporting
2) Contracting for Cloud Services
Four Recommended Contractor Actions:
1) Register with DOD to obtain a mandatory Medium Assurance certificate
2) Identify & Mark all Attributional/Proprietary Information
3) SCM Flowdown to Subcontractors (including Commercial Item and Small Business Subcontracts, Teaming Agreements etc). Sub must report to Prime and DOD within 72 hrs (no Tier limitation).
4) Monitor Existing Contract Mods
18. DFARS 252.204-7012 Cont 2
“Covered Defense Information”:
- unclassified information provided to the contractor by or on behalf of DOD in connection with performance of a contract
- information collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of contract performance
CDI includes:
- Controlled Technical Information
- Critical Information
- ITAR Export Control Information
- Other Restricted Information
Covered Contractor Information Systems: any system owned, or operated by or for, the contractor that processes, stores or transmits CDI.
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. REPLACES NIST SP 800-53
19. DFARS 252.204-7012 Cont 3
72 HR CYBER INCIDENT REPORTING:
- Any action that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein
- Required “Review for Compromise”:
* disclosure of information to unauthorized persons
* violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction or loss of an object, or copying to unauthorized media may have occurred
90 DAY IMAGE PROTECTION OF INFORMATION SYSTEMS FOR FORENSIC ANALYSIS AND DAMAGE ASSESSMENT
20. DFARS 252.204-7012 Cont 4
COMPANION DFARS 252.204-7009 Limitations on the Use and Disclosure of Third Party Contractor Reported Incident Information
Cyber Incident Info may be shared with:
1) US and other entities affected
2) Entities that may assist in diagnosis, detection, or mitigation (need additional PIA/NDA!)
3) Law enforcement and counterintelligence
4) Defense Industrial Base participants
5) Support services contractors
22. Cyber Resiliency Defined (MITRE)
1) The ability of a nation, organization, mission, process or weapon system to anticipate, withstand, recover from, and evolve to improve capabilities in the face of adverse conditions, stresses, or attacks on the supporting cyber resources it needs to function
2) The sub-discipline of Mission Assurance Engineering which considers: a) the ways an evolving set of resilience practices can be applied, and b) the tradeoffs associated with the different strategies for applying those practices
24. Cyber Resiliency 3 Pillars
1) NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST):
A) Cybersecurity Framework
B) Risk Management Framework
C) Trustworthy Resilient Systems
D) Supply Chain Risk Management
SP 800 Series of Documents: SP 800-160 System Security Engineering, SP 800-115 Information Security Testing, SP 800-161 Supply Chain Risk Management
2) DOD ENGINEERED RESILIENT SYSTEMS INITIATIVE (ERS TOGAF)
3) DOD PROGRAM PROTECTION PLANNING (PPP)
25. 18 Cyber Resiliency Architecture Principles
1) Separate
2) Manual Operation
3) “Stateless” Services (no record of previous interaction)
4) Common vs Redundant Services
5) Any Function/Console
6) Location Independent Services
7) Degraded Modes
8) Saturation Alleviation
9) Disconnected Modes
10) Least Privilege
11) Provenance
12) Reconfigurability
13) Layers
14) Vulnerability Containment
15) Isolation
16) Boundaries
17) Audit
18) Recovery
27. 14 Cyber Attack Mechanisms
1) Gather Information
2) Deplete Resources
3) Injection
4) Deceptive Interactions
5) Abuse of Functionality
6) Probabilistic Techniques
7) Exploitation of Authentication
8) Exploitation of Authorization
9) Manipulate Data Structures
10) Analyze Target
11) Gain Physical Access
12) Malicious Code Execution
13) Alter System Components
14) Manipulate System Users
28. Measuring Cyber Resilience
• DOD Universal Joint Task List Enclosure B
• MITRE Cyber Resiliency Metrics (272)
29. SUMMARY:
1) Critical Infrastructure Cyber Security goes WELL beyond IT networks
2) Cyber Security Law & Regulation is in its infancy, and DOD Guidance will likely drive significant expansion in the scope & quantity of new laws and FAR/DFARS regulations
3) Most of the 16 Critical Infrastructure Industry Sectors have BARELY begun Cyber Resilience Architecting & Engineering of Critical Systems
31. SCADA Cyber Security Needs
Operational Needs
• Certifiable, attribute-based access control (only authenticated AND authorized users)
• Low cost, small form factor information assurance appliances—SW and HW
• Tailorable levels of assurance to changing operational requirements
• Real-time data delivery between stations
• Interfaces with multiple communications protocols
• Rapid reconfiguration of security policies to meet dynamic needs of smart grids
• Scalable for all levels of service (e.g. generating stations, substations, primary & secondary customers)
Operational Benefits
Enhanced operational effectiveness and efficiency (e.g. lower cost per kWh)
Streamlined certification & accreditation to meet emerging policy mandates
32. DHS Cyber Cryptography
• Aging Cryptographic Algorithms
– Legacy 80-bit algorithms (DES, MD5, SHA-1, RSA-1024, two-key 3DES, SKIPJACK, KEA, and DSA) are threatened. NIST SP 800-78 requires Government users to replace RSA-1024/SHA-1 with higher security algorithms
• Suite B Algorithms for the Next Generation
– NSA-endorsed algorithms that are approved for classified use and deliver the information assurance required for the next 30-50 years
– ECC in GF(p) (P-256, P-384, P-521*)
– Equivalent to 3,072, 7,680, and 15,360-bit RSA
– ECMQV and EC Diffie-Hellman key establishment
– ECDSA digital signatures
– AES-128/192*/256, SHA-224*/256/384/512*
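The equivalences the slide cites come from the NIST SP 800-57 Part 1 security-strength table. The script below is an added example, not part of the deck: it maps each deployed algorithm to its strength in bits, flags anything in the 80-bit legacy set, names the Suite B replacement from the slide, and derives the RSA-equivalent sizes for the P-curves. The inventory records are constructed; the MD5 strength of 0 is an assumption (practical collisions exist) since SP 800-57 does not list it.

```python
"""Audit a constructed algorithm inventory against NIST SP 800-57 strengths."""

# Approximate security strength in bits (NIST SP 800-57 Part 1, Table 2).
RSA_DSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
# Collision resistance of hashes; MD5 treated as broken (assumption, not in table).
HASH_STRENGTH = {"MD5": 0, "SHA-1": 80, "SHA-224": 112, "SHA-256": 128,
                 "SHA-384": 192, "SHA-512": 256}
SYMMETRIC_STRENGTH = {"DES": 56, "2TDEA": 80, "3TDEA": 112, "SKIPJACK": 80,
                      "AES-128": 128, "AES-192": 192, "AES-256": 256}
FLOOR = 112  # minimum strength accepted once the 80-bit legacy set is retired

# Suite B replacements named on the slide, keyed by the legacy algorithm's role.
SUITE_B = {"RSA": "ECDSA/ECDH on P-256 or P-384", "DSA": "ECDSA on P-256 or P-384",
           "ECC": "P-256 or P-384", "hash": "SHA-256 or SHA-384",
           "symmetric": "AES-128 or AES-256"}


def security_strength(alg: str, size: int = 0) -> int:
    """Strength in bits for (algorithm, key or curve size); 0 if unknown or broken."""
    if alg in ("RSA", "DSA"):  # largest table entry not exceeding the key size
        return max((s for k, s in RSA_DSA_STRENGTH.items() if k <= size), default=0)
    if alg == "ECC":           # prime-curve strength is about half the curve size
        return min(size // 2, 256)
    return HASH_STRENGTH.get(alg, SYMMETRIC_STRENGTH.get(alg, 0))


def rsa_equivalent(curve_bits: int) -> int:
    """Smallest RSA modulus with at least the strength of a prime curve of curve_bits."""
    target = security_strength("ECC", curve_bits)
    return next(k for k, s in RSA_DSA_STRENGTH.items() if s >= target)


def audit(inventory):
    """Return (system, alg, size, strength, replacement) for entries below FLOOR."""
    findings = []
    for system, alg, size in inventory:
        strength = security_strength(alg, size)
        if strength < FLOOR:
            role = "hash" if alg in HASH_STRENGTH else \
                   "symmetric" if alg in SYMMETRIC_STRENGTH else alg
            findings.append((system, alg, size, strength, SUITE_B[role]))
    return findings


# Constructed inventory: (system, algorithm, key or curve size in bits).
INVENTORY = [("substation-gw-01 TLS cert", "RSA", 1024),
             ("substation-gw-01 TLS cert", "SHA-1", 0),
             ("historian VPN", "2TDEA", 112),
             ("AMI head-end signing key", "ECC", 256),
             ("AMI head-end cipher", "AES-256", 256)]

if __name__ == "__main__":
    for sysname, alg, size, strength, fix in audit(INVENTORY):
        print(f"{sysname}: {alg}/{size} gives {strength}-bit strength (< {FLOOR}); move to {fix}")
```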
33. DHS Control System AMI Security Requirements
2.8 System Communication Protection
* Policy/Management
* Port Partitioning/Security Function Isolation/Information Remnants/Denial of Service Protection
* Communication Integrity/Trusted Path
* Validated Cryptographic Key Establishment/Public Key Infrastructure Certificates
* Message Authenticity/Secure Name–Address Resolution
34. DHS Control System AMI Security Requirements Cont
2.9 Information System Management
2.10 System Development & Maintenance (Legacy)
2.12 Incident Response (Continuity of Operations/Alternate Control Centers)
2.14 System & Information Integrity (Malicious Code/Accuracy/Completeness/Validity/Authenticity)
2.15 Access Control (Authenticator Management, Remote Access, Wireless Access)
2.16 Audit & Accountability (Time Stamps)
35. NIST Control System Security Cont
15 Categories of Logical Interfaces
1) SCADA Control Systems
2) WAN Control Systems
3) DMS/LMS Control Systems
4-5) Back Office Systems
6) B2B Connections
7) Control to NC Systems
8) Sensor Networks
9) Sensor to Control Sys
10) AMI Network Interfaces
11) HAN/BAN Customer
12) Interface to Customer
13) Mobile Field Crews
14) Metering Interfaces
15) Decision WAMS/ISO