Introduction to NIST’s Risk Management Framework (RMF) - Donald E. Hester
This introductory session will cover the basic steps of the Risk Management Framework (RMF) and the transition away from the previous Certification and Accreditation approach to information systems security and assurance. This will also cover the benefits of the RMF for organizations, local, state, and federal governments.
Understanding the NIST Risk Management Framework: 800-37 Rev. 2 - Denise Tawwab
Denise Tawwab's presentation on "Understanding the NIST Risk Management Framework" given at the Techno Security & Digital Forensics Conference on June 3, 2019 in Myrtle Beach, SC.
Introduction to Risk Management via the NIST Cyber Security Framework - PECB
The cyber security profession has established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the FBI's InfraGard program. David holds the Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specializing in Homeland Security, Andrea draws on her experience managing projects that supported various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record of recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel at the tactical, operational and strategic levels. Overall, Andrea applies analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies for risk and its elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Navigating the complex Risk Management Framework (RMF) requirements can be daunting. Learn best practices and gain a better understanding of NIST's RMF.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience using it with real-world clients.
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
How to determine a proper scope selection based on ISO 27001? - PECB
Meeting the Clause 4 (Context of the Organization) "generic" requirements of ISO 27001 in order to determine a proper documented scope statement that meets business requirements and gives value to products and/or services.
Main points that have been covered are:
• Interested Parties
• Interfaces & Dependencies
• Legal / Regulatory & Contractual Obligations (Risk of Non-Compliance)
• Documented Scope Statement (including locations within Scope)
Presenter:
Mr. David Anders has worked more than 20 years in the risk management field managing a broad spectrum of consulting services and product solutions. David has worked in the consulting field for 16 years and is the founder / CEO of SecuraStar, LLC, a niche ISO 27001 consulting firm in the United States, and founder / CEO of ISMS Manager Software, LLC.
Link of the recorded session published on YouTube: https://youtu.be/hSaAvKgAC2c
The NIST Cybersecurity Framework is a voluntary framework to support the emerging need for robust and effective cyber security practices across an enterprise. This presentation recaps the Framework six months into implementation, along with changes to it. It also discusses the capabilities of TrustedAgent GRC to accelerate and strengthen the implementation of an effective cybersecurity program by automating or addressing many of the practices required by the framework.
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences - PECB
After the last 2020 Global Leading Voices webinar, comparing ISO 27001 with the CCPA and the New York SHIELD Act, we're taking a look at the next level of information and cybersecurity management.
How can you assess your security management? The CMMI model (using 1 to 5 grading) is a well-known system. In early 2020 the US DoD launched the CMMC, the Cybersecurity Maturity Model Certification, which uses the same levels for cybersecurity. In this session we'll discuss the maturity evaluation principles for information security, cybersecurity and application security and how you can use them in practice.
The webinar covers:
- What's the CMMI?
- What's the CMMC?
- Maturity in security governance (ISMS, cyber, application)
- Security maturity vs audit cycles
Recorded Webinar: https://youtu.be/9BpETh_nAOw
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how the organizations are using the cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
ControlCase covers the following:
•What is PCI DSS?
•What does PCI DSS stand for?
•What is the purpose of PCI DSS?
•Who does PCI DSS apply to?
•What are the 12 requirements of PCI DSS?
•What are the 6 Principles of PCI DSS?
•What are the potential liabilities for not complying with PCI DSS?
•How can we achieve compliance in a cost effective manner?
Topics Covered In Webinar
Basics of PCI DSS
Lifecycle changes to PCI DSS
Evolution of PCI DSS from version 1.1 to version 3.2.1
Introduction of PCI DSS 4.0
PCI DSS 4.0 implementation timeline
Upgrading from PCI DSS 3.2.1 to PCI DSS 4.0
Key changes anticipated in PCI DSS 4.0
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.
What is the NIST Cybersecurity Framework?
Why should YOU care?
How would I apply it?
Would you drive BLINDFOLDED?
A false sense of security?
Without a Security Framework…
Why Cyber Security Framework?
How would I measure my effectiveness?
Summarizes the design and build approach for a SOC (Security Operations Center) for both end-user companies and service providers. Defines the approach flow for building a SOC and the components and phases involved. Defines design rules of thumb and parameters for SOC design.
Project #3 IT Security Controls Baseline for Red Clay Renovations.docx - stilliegeorgiana
Project #3: IT Security Controls Baseline for Red Clay Renovations
To ensure compatibility with existing policy and documentation, Red Clay Renovations’ IT Security policies, plans, and procedures will continue to use the following security control classes (management, operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).
Security Controls Baseline
Red Clay Renovations Security Controls Baseline shall include the security controls listed below. Security control definitions and implementation guidance shall be obtained from the most recent version of NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
Control ID | Control Name | Selected Control and Enhancements
1. AC: Access Controls (Technical Controls Category)
AC-1 | Access Control Policy and Procedures | AC-1
AC-2 | Account Management | AC-2 (1) (2) (3) (4)
AC-3 | Access Enforcement | AC-3
AC-4 | Information Flow Enforcement | AC-4
AC-5 | Separation of Duties | AC-5
AC-6 | Least Privilege | AC-6 (1) (2) (5) (9) (10)
AC-7 | Unsuccessful Logon Attempts | AC-7
AC-8 | System Use Notification | AC-8
AC-11 | Session Lock | AC-11 (1)
AC-12 | Session Termination | AC-12
AC-14 | Permitted Actions without Identification or Authentication | AC-14
AC-17 | Remote Access | AC-17 (1) (2) (3) (4)
AC-18 | Wireless Access | AC-18 (1)
AC-19 | Access Control for Mobile Devices | AC-19 (5)
AC-20 | Use of External Information Systems | AC-20 (1) (2)
AC-21 | Information Sharing | AC-21
AC-22 | Publicly Accessible Content | AC-22
2. AT: Awareness and Training (Operational Controls Category)
AT-1 | Security Awareness and Training Policy and Procedures | AT-1
AT-2 | Security Awareness Training | AT-2 (2)
AT-3 | Role-Based Security Training | AT-3
AT-4 | Security Training Records | AT-4
3. AU: Audit and Accountability (Technical Controls Category)
AU-1 | Audit and Accountability Policy and Procedures | AU-1
AU-2 | Audit Events | AU-2 (3)
AU-3 | Content of Audit Records | AU-3 (1)
AU-4 | Audit Storage Capacity | AU-4
AU-5 | Response to Audit Processing Failures | AU-5
AU-6 | Audit Review, Analysis, and Reporting | AU-6 (1) (3)
AU-7 | Audit Reduction and Report Generation | AU-7 (1)
AU-8 | Time Stamps | AU-8 (1)
AU-9 | Protection of Audit Information | AU-9 (4)
AU-10 | Non-repudiation | Not Selected
AU-11 | Audit Record Retention | AU-11
AU-12 | Audit Generation | AU-12
4. CA: Security Assessment and Authorization (Management Controls Category)
CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1
CA-2 | Security Assessments | CA-2 (1)
CA-3 | System Interconnections | CA-3 (5)
CA-5 | Plan of Action and Milestones | CA-5
CA-6 | Security Authorization | CA-6
CA-7 | Continuous Monitoring | CA-7 (1)
CA-9 | Internal System Connections | CA-9
5. CM: Configuration Management (Operational Controls Category)
CM-1 | Configuration Management Policy and Procedures | CM-1
CM-2 | Baseline Configuration | CM-2 (1) (3) (7)
CM-3 | Configuration Change Control | CM-3 (2)
CM-4 | Security Impact Analysis | CM-4
CM-5 | Access Restrictions fo ...
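A baseline like the one above is only useful downstream (for tailoring, assessment planning, or loading into a GRC tool) once it is machine-readable and internally consistent. The following Python is an added example, not part of the Red Clay project or of any NIST publication: it assumes the listing has been transcribed one control per line as "ID | Title | Selection", where the selection column is either the control ID followed by the selected enhancement numbers in parentheses or the literal "Not Selected", under family headings of the form "1. AC: Access Controls (Technical Controls Category)". It parses that into structured records, flags entries that sit under the wrong family heading or whose selection column names a different control (the transcription errors that silently corrupt a baseline), and flattens the result to the "AC-2(1)" identifier notation so it can be diffed against a published baseline. The sample listing embedded in the block is constructed here from a subset of the Red Clay entries.

```python
"""Parse a NIST SP 800-53 style control baseline listing into structured records.

Added example. Assumes one control per line as "ID | Title | Selection", where
Selection is either the control ID followed by selected enhancement numbers in
parentheses, or the literal "Not Selected". Family headings look like
"1. AC: Access Controls (Technical Controls Category)".
"""
import re
from dataclasses import dataclass, field

FAMILY_RE = re.compile(
    r"^\d+\.\s+(?P<fam>[A-Z]{2}):\s+(?P<name>.+?)\s+"
    r"\((?P<cls>Management|Operational|Technical) Controls Category\)$"
)
CONTROL_RE = re.compile(
    r"^(?P<id>[A-Z]{2}-\d+)\s*\|\s*(?P<title>[^|]+?)\s*\|\s*(?P<sel>.+?)\s*$"
)
ENHANCEMENT_RE = re.compile(r"\((\d+)\)")


@dataclass
class Control:
    family: str          # two-letter family code, e.g. "AC"
    control_class: str   # Management / Operational / Technical (SP 800-53 rev 3 classes)
    control_id: str      # e.g. "AC-2"
    title: str
    selected: bool
    enhancements: list = field(default_factory=list)  # selected enhancement numbers


def parse_baseline(text):
    """Return (controls, problems): structured records plus consistency findings."""
    controls, problems = [], []
    family = control_class = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        heading = FAMILY_RE.match(line)
        if heading:
            family, control_class = heading["fam"], heading["cls"]
            continue
        entry = CONTROL_RE.match(line)
        if not entry:
            problems.append(f"line {lineno}: unrecognised entry {line!r}")
            continue
        if family is None:
            problems.append(f"line {lineno}: control listed before any family heading")
            continue
        control_id, title, selection = entry["id"], entry["title"].strip(), entry["sel"]
        # A control must sit under the family its identifier names.
        if not control_id.startswith(family + "-"):
            problems.append(f"line {lineno}: {control_id} listed under family {family}")
        if selection.lower() == "not selected":
            controls.append(Control(family, control_class, control_id, title, False))
            continue
        # The selection column must name the same control; anything else is a transcription slip.
        base = selection.split()[0]
        if base != control_id:
            problems.append(f"line {lineno}: selection {selection!r} does not match {control_id}")
        enhancements = [int(n) for n in ENHANCEMENT_RE.findall(selection)]
        controls.append(Control(family, control_class, control_id, title, True, enhancements))
    return controls, problems


def selected_identifiers(controls):
    """Flatten to identifiers such as 'AC-2' and 'AC-2(1)', the notation NIST uses for enhancements."""
    ids = []
    for c in controls:
        if not c.selected:
            continue
        ids.append(c.control_id)
        ids.extend(f"{c.control_id}({n})" for n in c.enhancements)
    return ids


def count_by_class(controls):
    """Number of selected base controls per control class."""
    counts = {}
    for c in controls:
        if c.selected:
            counts[c.control_class] = counts.get(c.control_class, 0) + 1
    return counts


# Constructed sample: a subset of the Red Clay Renovations baseline, one control per line.
SAMPLE_BASELINE = """\
1. AC: Access Controls (Technical Controls Category)
AC-1 | Access Control Policy and Procedures | AC-1
AC-2 | Account Management | AC-2 (1) (2) (3) (4)
AC-6 | Least Privilege | AC-6 (1) (2) (5) (9) (10)
AC-11 | Session Lock | AC-11 (1)
2. AT: Awareness and Training (Operational Controls Category)
AT-2 | Security Awareness Training | AT-2 (2)
3. AU: Audit and Accountability (Technical Controls Category)
AU-2 | Audit Events | AU-2 (3)
AU-10 | Non-repudiation | Not Selected
AU-11 | Audit Record Retention | AU-11
4. CA: Security Assessment and Authorization (Management Controls Category)
CA-7 | Continuous Monitoring | CA-7 (1)
"""

if __name__ == "__main__":
    parsed, findings = parse_baseline(SAMPLE_BASELINE)
    for finding in findings:
        print("PROBLEM:", finding)
    print(len(selected_identifiers(parsed)), "selected controls and enhancements")
    print(count_by_class(parsed))
```

The flattened identifier list is the useful artefact: set-differencing it against the identifiers of a published NIST baseline (or against what a scanner or GRC tool reports as implemented) shows exactly which controls and enhancements were tailored in or out, which is the evidence an authorizing official will ask for in the RMF Select and Assess steps.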
Implementing CSIRT based on some frameworks and maturity model - Rakuten Group, Inc.
We implemented a CSIRT based on some frameworks and a maturity model, including the FIRST Service Framework, SIM3 and some documents devised in Japan. We explain how to use these documents in this presentation.
Risk Management for Public Cloud Projects - Alex Mags
Use NIST Risk Management and Cybersecurity Frameworks to understand and manage business risk as you extend the network to public cloud or move data outside the datacentre perimeter.
Comparative of risk analysis methodologies - Ramiro Cid
A comparison, done by me, of three different risk analysis methodologies: CRAMM, NIST and OCTAVE.
Our audits are designed to help you determine your SAP landscape's actual risk exposure and pinpoint areas that are open to potential attacks. They include everything from your infrastructure and SAP system parameters to individual component configurations and authorizations.
An audit is also ideal if your company's migration to SAP HANA or S/4HANA is right around the corner: it lets you safeguard your systems and take all the necessary security measures before you start the transition.
Our approach is based on SAP's security guidelines, the recommendations of the German Federal Office for Information Security (BSI), and the information security standard DIN ISO 27001.
Topics of focus:
• Challenges, tools and proven methods
• Advantages of a root cause analysis and of the resulting risks for your company
• Quick check vs. audit vs. penetration test
• Our project approach at a glance
• Recommendations for the follow-up of an Audit
For information in German, please contact us at: sast@akquinet.de
RiskWatch for Physical & Homeland Security™ - CPaschal
RiskWatch for Physical and Homeland Security™ assists the user in conducting automated risk analyses, physical security reviews, audits and vulnerability assessments of facilities and personnel. Security threats addressed include crimes against property, crimes against people, equipment or systems failure, terrorism, natural disasters, fire and bomb threats. Question sets include entry control, perimeters, fire, facilities management and guards, including a specialized set of questions for the maritime/shipping industry. New ASP functionality allows the organization in question to put the entire questionnaire process on its own server, where users can log in by ID number and answer the questions appropriate to their job. From there, all answers are instantly imported into the RiskWatch for Physical and Homeland Security™ program.
Are existing compliance requirements sufficient to prevent data breaches? This session will provide a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack and identify related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn the unexpected impact of corporate culture on overall cyber security posture.
This talk was presented at RSA Conference 2021 (Session RMG-T15) on May 18, 2021.
Original paper available for download at SSRN: Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (28/04/2020). https://ssrn.com/abstract=3570138
These are from the National Cyber Security Alliance (NCSA) for National Cyber Security Awareness Month (NCSAM) and are free to use. See https://staysafeonline.org/ for more info.
Cybersecurity Awareness Posters - Set #2 - NetLockSmith
Posters for National Cyber Security Awareness Month. All are from government entities and free for use (Unmarked ones are from the Montana state government.)
These are from the National Cybersecurity Awareness Month (NCSAM), the Center for Development of Security Excellence (CDSE), and Japan's IT Promotion Agency (IPA). They are free for public use.
1. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Kelley Dempsey
NIST IT Laboratory
Computer Security Division
NIST SP 800-37 Revision 2
Risk Management Framework for Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
(Final Public Draft)
Department of Commerce, October 2018
RMF 2.0 (Risk Management Framework)
2. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2
NIST/ITL/CSD Public Comment Process
All publications produced by CSD go through the public
comment process
Your voice will be heard!!
Receive notifications of newly posted drafts (and more) by
subscribing at http://csrc.nist.gov/publications/subscribe.html
There may be one or more drafts of a given publication
Drafts are published at
http://csrc.nist.gov/publications/PubsDrafts.html
Lengths of public comment periods vary
3. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3
Risk Management
“If we guard our toothbrushes
and diamonds with equal zeal, we will
lose fewer toothbrushes and more
diamonds.”
-McGeorge Bundy, National Security Advisor to U.S.
Presidents Kennedy and Johnson
4. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4
Risk can never be eliminated and so it must be
MANAGED!!
Managing risk doesn’t mean
fixing everything,
nor does it mean
not fixing anything…
Risk Management
is about
knowledge and understanding!
Graphic copied from: http://www.featurepics.com/online/Risk-1109124.aspx
5. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5
RMF Roles and Responsibilities
Senior Accountable Official for Risk Management
and Risk Executive (Function)
Senior Agency Official for Privacy
Authorizing Official (AO) and Designated Rep
Senior Information Security Officer
Common Control Provider
System Owner
Information Owner/Steward
System Security/Privacy Officer
Control Assessor
6. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6
SP 800-37 Rev 2 Timeline So Far
Federal interagency working group review during spring 2017
Extensive discussion sessions with OMB OIRA throughout
winter/spring 2017/2018
JTF Review
Initial Public Draft released 9 May 2018 with six week
comment period
NIST adjudicated ~400 comments and developed FPD
OIRA review and approval
FPD released 2 October 2018
7. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7
SP 800-37 Rev 2 Final Timeline
Public comment period through 31 October 2018
https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft
NIST and OIRA adjudicate FPD public comments
NIST develops final publication
Review by JTF
Review and approval by OIRA
Final publication planned for December 2018*
*Publication date dependent on OMB OIRA review and approval
8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8
RMF 2.0 steps and the publications that support each step:
PREPARE: SP 800-18, SP 800-30, SP 800-39, SP 800-160
CATEGORIZE: FIPS 199, SP 800-60, CUI Registry
SELECT: FIPS 200, SP 800-53
IMPLEMENT: Many NIST Pubs
ASSESS: SP 800-53A
AUTHORIZE: SP 800-37
MONITOR: SP 800-137/137A, NISTIR 8011, NISTIR 8212 & Tool
9. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9
Authorization Boundaries (Section 2.5/App G)
Defines the scope of protection for systems (i.e., what is included with the system to be authorized with respect to information, components, people, etc.)
Includes system hardware, software, firmware, processes, and technologies needed to support organizational missions/business processes
May or may not include the environment of operation
Is established before system security categorization and the development of security plans
10. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10
Improvements in RMF 2.0
Addition of organization and system level
Prepare Step and associated tasks
Integrates privacy risk management
Integrates supply chain risk management
Expansion of Authorization options
Aligns RMF with CSF
Aligns RMF with security engineering
processes
11. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11
RMF 2.0 Task Outcomes (Implement step excerpt)
Task I-1 CONTROL IMPLEMENTATION
  Outcome: Controls specified in the security and privacy plans are implemented. [Cybersecurity Framework: PR.IP-1]
  Outcome: Systems security and privacy engineering methodologies are used to implement the controls in the system security and privacy plans. [Cybersecurity Framework: PR.IP-2]
Task I-2 BASELINE CONFIGURATION
  Outcome: The configuration baseline is established. [Cybersecurity Framework: PR.IP-1]
  Outcome: The security and privacy plans are updated based on information obtained during the implementation of the controls. [Cybersecurity Framework: Profile]
12. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12
RMF 2.0 Task Structure
RISK ASSESSMENT—ORGANIZATION (Task P-3, a new task in RMF 2.0)
Task P-3: Assess organization-wide security and privacy risk and update the results on an ongoing basis.
Potential Inputs: Risk management strategy; mission or business objectives; current threat information; system-level risk assessment results; previous organization-level risk assessment results; security- and privacy-related information from continuous monitoring; information sharing agreements or memoranda of understanding.
Potential Outputs: Organization-level risk assessment results.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level is focused on risk to mission or business objectives and leverages aggregated information from system-level risk…..
References: NIST SP 800-30; NIST SP 800-39 (Organization Level, Mission/Business Process Level); NIST SP 800-161; NIST IR 8062.
13. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13
Privacy is Fully Integrated into RMF
In accordance with OMB Circular A-130
Privacy in the RMF addressed in section 2.3
Privacy called out in task text as appropriate
(e.g., Task P-3 is to assess security and
privacy risk)
Privacy-specific Inputs, Outputs, Roles, and
References specified as appropriate in tasks
Privacy-specific detail in task discussions
14. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14
RMF and CSF Alignment
Inputs and Outputs reference CSF as
applicable, e.g., CSF profile as potential
output from Task P-4
Task Outcome tables reference CSF
sections, categories, or sub-categories as
applicable
References for tasks list applicable CSF
sections
15. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15
Security Engineering and RMF Alignment
Task references list related 800-160 process as
applicable
Section 2.4 discusses system elements/enabling
systems and tasks focus on stakeholder
requirements
16. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16
Supply Chain and RMF Alignment
Discussion of Supply Chain Risk Management
(SCRM) within the RMF added in section 2.8
SCRM addressed in Task discussions as applicable
SCRM artifacts included in task Inputs and Outputs
as applicable
SCRM responsibilities noted in Appendix D
Supply chain risk is addressed as part of security risk
17. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17
Prepare Step: Organization Level
Task P-1: ID and assign people to RM roles
Task P-2: Establish an org-wide RM strategy
Task P-3: Assess organization-wide risk
Task P-4: Org-wide tailored baselines (optional)
Task P-5: Common Control identification
Task P-6: Prioritize within impact level (optional)
Task P-7: Organization-wide ISCM strategy
18. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18
Prepare Step: System Level (1 of 2)
Task P-8: ID missions/business functions and
processes to be supported by the system
Task P-9: ID system stakeholders
Task P-10: ID assets that require protection
Task P-11: Determine authorization boundary
Task P-12: ID information types
19. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19
Prepare Step System Level (2 of 2)
Task P-13: ID information lifecycle
Task P-14: Assess system-level risk
Task P-15: Define security and privacy
requirements for system and environment
Task P-16: Determine placement within EA
Task P-17: System registration IAW org policy
20. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20
New/Revised Tasks in Existing Steps (1 of 2)
Categorize, Task C-2: Review and approve
categorization results and decision
Select, Task S-1: Allocate requirements
(expanded from identify common controls)
Select, Task S-3: Tailor selected controls
Select, Task S-4: Document planned
implementation details in plans
Implement, Task I-2: Document implementation
details different from planned (config baseline)
21. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21
New/Revised Tasks in Existing Steps (2 of 2)
Assess, Task A-1: Select appropriate assessor
Assess, Task A-6: POA&M (moved from Authorize)
Authorize, Task R-2: Risk analysis added to risk
determination by AO
Authorize, Task R-3: Respond to risk
Authorize, Task R-5: Report the authorization
decision and significant risk as required
22. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22
Authorization Options
Authorization to Operate
System Authorization (Traditional or Joint)
Type Authorization
Facility Authorization
Common Control Authorization
Authorization to Use
Denial of Authorization
Note: Ongoing authorization supplemental guidance
(June 2014) incorporated into Appendix F
23. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23
SP 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations
As of October 2018
24. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24
800-53 Rev 5 Timeline So Far
Call for pre-comments spring 2016
Adjudicated ~3000 comments and coordinated with SMEs (Privacy, SCRM, ID Mgmt., Crypto, etc.)
Federal interagency working group baseline review during late winter/early spring 2017
Extensive discussion sessions with OMB OIRA throughout spring/summer 2017
IPD published 15 August 2017
Adjudicated ~2000 public comments as above
FPD currently under development
25. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25
800-53 Rev 5 Timeline for FPD and Final
Final Public Draft (FPD) next steps:
  Review by JTF
  Review and approval by OMB OIRA
  FPD publication planned for January 2019*
Final publication next steps:
  Adjudicate public comments on the FPD
  NIST develops final publication
  Reviews and approvals as above
  Final publication planned for Spring 2019*
*Publication date dependent on OMB OIRA review and approval
26. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26
800-53 Rev 5 Changes Summary (1 of 4)
Complete integration of privacy controls (removal of Appendix J with App J mapping in FPD)
Two new Privacy Control families in IPD changed to different new Privacy Control family in FPD
New Supply Chain control family in FPD
Incorporated Program Management family into main control set
Complete control set in Chapter 3
27. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27
800-53 Rev 5 Changes Summary (2 of 4)
Baselines and tailoring guidance will be placed in new volume, SP 800-53B
Some changes to all baselines, mostly in accordance with suggestions from working group
Revised/clarified/added control language and supplemental guidance
Streamlined front matter to focus only on the control set and how to use it
28. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28
800-53 Rev 5 Changes Summary (3 of 4)
Removed lead-in entities to each control:
  Focus on outcomes
  Align with security engineering
  Align with Cybersecurity Framework
  Retained entity info in a column in table (App ?)
Reduced the federal focus:
  More usable and welcoming for all sectors
  More usable and applicable for all system types
  More usable for security engineering in all sectors
29. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29
800-53 Rev 5 Changes Summary (4 of 4)
Rearranged appendices
Removed priority codes
Keywords appendix added in IPD to be removed in FPD and provided as supplemental material
Thorough scrub of:
  Related Controls
  References
  Glossary
  ISO 27001 Mapping
30. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30
Security Control Structure – Revision 5
AU-4 AUDIT LOG STORAGE CAPACITY
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-
defined audit log retention requirements].
Discussion: Organizations consider the types of audit logging to be performed and the audit
log processing requirements when allocating audit log storage capacity. Allocating
sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded
and resulting in the potential loss or reduction of audit logging capability.
Related controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, SI-4.
Control Enhancements:
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system
component, or media other than the system or system component conducting the logging.
Supplemental Guidance: This type of transfer, also known as off-loading, is a common process in systems
with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log
storage is used only in a transitory fashion until the system can communicate with the secondary or alternate
system allocated to audit log storage, at which point the audit logs are transferred. This control
enhancement is similar to AU-9(2) in that the audit logs are transferred to a different entity; however, the
primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records.
Organizations can select either enhancement to obtain the dual benefit of increased audit log storage
capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
Related controls: None
References: None.
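As an added example (not code from the slides or from NIST), the AU-4 sizing rule and the AU-4(1) off-load described above, modelled in Python. The retention period, log volumes and capacities are constructed, hypothetical values, and the AU-5 behaviour is limited to surfacing the failure as a return value:

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example, not from the slides or from NIST. Models AU-4 (allocate audit log storage
# for the organization-defined retention requirement) and AU-4(1) (transfer audit logs to
# alternate storage). Sizes and the 90-day retention are constructed, hypothetical values.

@dataclass
class AuditLogStore:
    capacity_bytes: int                                  # storage allocated under AU-4
    records: List[Tuple[str, int]] = field(default_factory=list)  # (record id, size), oldest first

    def used(self) -> int:
        return sum(size for _, size in self.records)

def required_capacity(avg_bytes_per_day: int, retention_days: int, headroom: float = 0.25) -> int:
    """AU-4: capacity that holds the full retention window, plus headroom so normal volume
    spikes do not exhaust storage (exhaustion is the AU-5 audit logging failure case)."""
    if avg_bytes_per_day < 0 or retention_days <= 0 or headroom < 0:
        raise ValueError("invalid sizing inputs")
    return int(avg_bytes_per_day * retention_days * (1 + headroom))

def append_record(store: AuditLogStore, rec_id: str, size: int) -> bool:
    """Write a record only if it fits. Returning False makes the capacity failure visible
    for an AU-5 response instead of silently dropping the record."""
    if store.used() + size > store.capacity_bytes:
        return False
    store.records.append((rec_id, size))
    return True

def offload(primary: AuditLogStore, alternate: AuditLogStore, high_water: float = 0.8) -> int:
    """AU-4(1): move audit logs off the logging system once it passes the high-water mark.
    Oldest records go first; a record leaves primary only after alternate has accepted it,
    so a full or unreachable alternate store never causes loss. Returns records moved."""
    moved = 0
    while primary.records and primary.used() > high_water * primary.capacity_bytes:
        rec_id, size = primary.records[0]
        if alternate.used() + size > alternate.capacity_bytes:
            break   # alternate is full: keep the records in place and let AU-5 handling alert
        alternate.records.append((rec_id, size))
        primary.records.pop(0)
        moved += 1
    return moved
```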
31. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31
Security Controls are Technology Neutral
Security controls are intentionally not focused
on any specific technologies
Security control implementations &
assessment methods will likely vary based
on the technology to which the control is
being applied, e.g.:
Cloud-based systems
Mobile systems
Applications
Sensors
“IoT”
32. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32
800-53B Rev 5 Baselines (Access Control family excerpt)
Columns on the slide: control number, control name, privacy-related, and the LOW / MODERATE / HIGH control baselines. Numbers in parentheses are control enhancements; "—" means the control is not selected in that baseline. The privacy-related column carries no entries in this transcript.
AC-1 Access Control Policy and Procedures: LOW AC-1; MODERATE AC-1; HIGH AC-1
AC-2 Account Management: LOW AC-2; MODERATE AC-2 (1) (2) (3) (4) (10) (13); HIGH AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3 Access Enforcement: LOW AC-3; MODERATE AC-3; HIGH AC-3
AC-4 Information Flow Enforcement: LOW —; MODERATE AC-4; HIGH AC-4 (4)
AC-5 Separation of Duties: LOW —; MODERATE AC-5; HIGH AC-5
AC-6 Least Privilege: LOW AC-6 (7) (9); MODERATE AC-6 (1) (2) (5) (7) (9) (10); HIGH AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7 Unsuccessful Logon Attempts: LOW AC-7; MODERATE AC-7; HIGH AC-7
AC-8 System Use Notification: LOW AC-8; MODERATE AC-8; HIGH AC-8
AC-9 Previous Logon (Access) Notification: LOW —; MODERATE —; HIGH —
AC-10 Concurrent Session Control: LOW —; MODERATE —; HIGH AC-10
AC-11 Device Lock: LOW —; MODERATE AC-11 (1); HIGH AC-11 (1)
AC-12 Session Termination: LOW —; MODERATE AC-12; HIGH AC-12
AC-13 Withdrawn
AC-14 Permitted Actions without Identification or Authentication: LOW AC-14; MODERATE AC-14; HIGH AC-14
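As an added example (not code from the slides or from NIST), a small parser for the baseline notation used in this table, which also computes what a system picks up when it moves to a higher baseline. The input is the AC rows above, transcribed as constructed text; the table format "ID | LOW | MODERATE | HIGH" is this example's own:

```python
import re
from typing import Dict, List, Optional, Set

# Constructed input: the AC rows of the 800-53B baseline excerpt on the slide, transcribed
# as "ID | LOW | MODERATE | HIGH". "—" means not selected; AC-13 (withdrawn) is omitted.
BASELINE_EXCERPT = """
AC-1  | AC-1 | AC-1 | AC-1
AC-2  | AC-2 | AC-2 (1) (2) (3) (4) (10) (13) | AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3  | AC-3 | AC-3 | AC-3
AC-4  | — | AC-4 | AC-4 (4)
AC-5  | — | AC-5 | AC-5
AC-6  | AC-6 (7) (9) | AC-6 (1) (2) (5) (7) (9) (10) | AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7  | AC-7 | AC-7 | AC-7
AC-8  | AC-8 | AC-8 | AC-8
AC-9  | — | — | —
AC-10 | — | — | AC-10
AC-11 | — | AC-11 (1) | AC-11 (1)
AC-12 | — | AC-12 | AC-12
AC-14 | AC-14 | AC-14 | AC-14
"""

LEVELS = ("LOW", "MODERATE", "HIGH")
CELL_RE = re.compile(r"^([A-Z]{2}-\d+)((?:\s*\(\d+\))*)$")
CTL_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

def parse_cell(cell: str, row_id: Optional[str] = None) -> Set[str]:
    """'AC-2 (1) (2)' -> {'AC-2', 'AC-2(1)', 'AC-2(2)'}; '—' -> empty set.
    The base control is selected along with each listed enhancement."""
    cell = cell.strip()
    if cell in ("—", "-", ""):
        return set()
    m = CELL_RE.match(cell)
    if not m:
        raise ValueError(f"unparseable baseline cell: {cell!r}")
    base, enh = m.group(1), m.group(2)
    if row_id is not None and base != row_id:
        raise ValueError(f"cell {cell!r} does not belong to row {row_id}")
    return {base} | {f"{base}({n})" for n in re.findall(r"\((\d+)\)", enh)}

def parse_baselines(text: str) -> Dict[str, Set[str]]:
    """Build the LOW/MODERATE/HIGH control sets from the transcribed table."""
    out: Dict[str, Set[str]] = {lvl: set() for lvl in LEVELS}
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"expected 4 columns: {line!r}")
        for lvl, cell in zip(LEVELS, parts[1:]):
            out[lvl] |= parse_cell(cell, parts[0])
    return out

def sort_key(ctl: str):
    """Sort AC-2 before AC-10, and a base control before its enhancements."""
    m = CTL_RE.match(ctl)
    if not m:
        raise ValueError(f"bad control identifier: {ctl!r}")
    return (m.group(1), int(m.group(2)), int(m.group(3) or 0))

def baseline_delta(b: Dict[str, Set[str]], lower: str, higher: str) -> List[str]:
    """Controls and enhancements added when a system moves from one baseline to a higher one."""
    return sorted(b[higher] - b[lower], key=sort_key)

def is_nested(b: Dict[str, Set[str]]) -> bool:
    """Sanity check on the transcription: baselines are cumulative (LOW <= MODERATE <= HIGH)."""
    return b["LOW"] <= b["MODERATE"] <= b["HIGH"]
```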
33. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 33
800-53 Rev 5 Appendix Excerpt (Planning family)
Columns on the slide: control name / control enhancement name, withdrawn, privacy-related, implemented by, assurance. Codes as shown on the slide: W = withdrawn (with the control it was incorporated into), P = privacy-related, O = implemented by (organization), A = assurance.
PL-1 Planning Policy and Procedures: P O A
PL-2 Security and Privacy Plans: P O A
PL-2(1) Concept of operations: W, incorporated into PL-7.
PL-2(2) Functional architecture: W, incorporated into PL-8.
PL-2(3) Plan and coordinate with other organizational entities: P O A
PL-3 System Security Plan Update: W, incorporated into PL-2.
PL-4 Rules of Behavior: P O A
PL-4(1) Social media and networking restrictions: O A
PL-5 Privacy Impact Assessment: W, incorporated into RA-8.
PL-6 Security-Related Activity Planning: W, incorporated into PL-2.
PL-7 Concept of Operations: P O
PL-8 Security and Privacy Architectures: P O A
PL-8(1) Defense-in-depth: O A
PL-8(2) Supplier diversity: P O A
PL-9 Central Management: P O A
PL-10 Baseline Selection: O
PL-11 Baseline Tailoring: O
Note: Privacy-related controls and control enhancements are not allocated to baselines in this table. See XXX for control selection and implementation guidance.
34. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 34
800-53 Rev 5 Privacy Integration
Privacy fully integrated throughout Rev 5
Privacy controls from App J and OMB A-130 privacy requirements incorporated into main control set
Privacy controls added in existing families:
  Most in Program Management family
  Some in other families (SA, SI)
  “Sharing” existing controls
New privacy family: Processing Permissions (PP)
Privacy Appendix to include:
  Mappings to OMB requirements and controls from App J
  Summary tables
35. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 35
800-53 Rev 5 FPD Control Families (ID: family)
AC: Access Control
AT: Awareness and Training
AU: Audit and Accountability
CA: Security Assessment and Authorization
CM: Configuration Management
CP: Contingency Planning
IA: Identification and Authentication
IR: Incident Response
MA: Maintenance
MP: Media Protection
PE: Physical and Environmental Protection
PL: Planning
PM: Program Management
PP: Processing Permissions*
PS: Personnel Security
RA: Risk Assessment
SA: System and Services Acquisition
SC: System & Communications Protection
SP: Supply Chain Protection*
SI: System and Information Integrity
*New families in Rev 5 FPD
36. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 36
800-53 Update Automation Application
Purpose: Increase agility and reduce effort and angst due to significant change every 3-5 years
Web application operational immediately after R5 final
Provides workflows for:
  Customers to propose changes to all aspects of controls
  NIST staff to review proposals and push to SMEs if necessary
  Public comments on proposed changes
  Saving approved changes in a sandbox until next version
  JTF review, OIRA review/approval, Editorial Review Board
Versions:
  Minor (to include errata) – planned for quarterly
  Major – planned for annually
37. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 37
Status of Other FISMA Publications
SP 800-18 Rev 2, Security Plan Guideline: In progress, IPD early CY 2019.
SP 800-47 Rev 1, Managing System Information Exchanges (working title):
In progress, IPD early CY 2019 (Current version title is Security Guide for
Interconnecting Information Technology Systems)
SP 800-60 Rev 2, Information Types Guideline: Partnering with NARA to
incorporate CUI - Temporarily on hold
SP 800-137A, Assessment Procedures for the ISCM Program: In progress,
IPD before end of CY 2018
NIST SP 800-160*, Systems Security Engineering: Volume 1 published 11-16, Volume 2 IPD on Multidisciplinary Approach to SE published 3-18
NISTIR 8011*, Automation Support for Ongoing Assessment, Volumes 1 and
2: Final June 2017; Volume 3 in ERB/final to be published in next few weeks
NISTIR 8212 and Tool, ISCM Assessment: In Progress, IPD early CY 2019
* Multiple volumes planned
38. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 38
Contact Information
Position: Name
Project Leader and NIST Fellow: Dr. Ron Ross
Team Lead and Senior Information Security Specialist: Victoria Pillitteri
Senior Information Security Specialist: Kelley Dempsey
Information Security Specialists: Ned Goren, Jody Jacobs
Administrative Support: Jeff Brewer
Comments: sec-cert@nist.gov (goes to all of the above)
Web: csrc.nist.gov/sec-cert