Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

NIST CyberSecurity Framework: An Overview

9,045 views

Published on

Published in: Technology

NIST CyberSecurity Framework: An Overview

  1. 1. Cyber Security Framework Overview of NIST Security Guidelines CS684 IT Security Policies & Procedures Tandhy Simanjuntak
  2. 2. NIST History Other frameworks Cyber Security Framework Study Case Conclusion Agenda
  3. 3. NIST
  4. 4. National Institute of Standard and Technology 1901 Non-regulatory Federal Agency U.S. Dept. of Commerce NIST
  5. 5. Mission NIST Innovation Industrial Competitiveness •  Measurement Science •  Measurement Standards •  Measurement Technology = Economic security = Quality of Life
  6. 6. Areas NIST Bioscience & Health Building & Fire Research Chemistry Electronics & Telco. Energy Environment / Climate Information Technology Manufacturing Materials Science Math Nanotechnology Physics Public Safety & Security Quality Transportation
  7. 7. History
  8. 8. Feb 12, 2013 Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” http://blogs.reuters.com/great-debate/2013/07/08/obamas-key-nuclear-deal-wi
  9. 9. Critical Infrastructure[1] “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
  10. 10. http://www.iprem.ca/initiatives/InitiativesPics/CriticalInfrastructureSectors.jpg
  11. 11. Other Frameworks
  12. 12. Others Security Framework ISO/IEC 27002:2013 COBIT COSO HITRUST CSF
  13. 13. ISO/IEC 27002:2013 COBIT COSO HITRUST CSF ISO: International Organization for Standardization IEC: International Electrotechnical Commission Best practice recommendations • Information Security Management • Information Security Program elements Others Security Framework
  14. 14. ISO/IEC 27002:2013 COBIT COSO HITRUST CSF Control Objectives for Information and related Technology Best practices for IT management Defines program and management control functions Others Security Framework
  15. 15. ISO/IEC 27002:2013 COBIT COSO HITRUST CSF Committee of Sponsoring Organizations of the Treadway Commission Thought of Leadership for frameworks development Guidance • Enterprise risk management • Internal control • Fraud deterrence Others Security Framework
  16. 16. ISO/IEC 27002:2013 COBIT COSO HITRUST CSF Healthcare and Information Security Professionals First IT Security for Healthcare Leverages existing standards • HIPAA, NIST, ISO, PCI, FTC and COBIT Others Security Framework
  17. 17. NIST vs Other Framework Other Frameworks NIST Specific to industry Specific to management Any industry Standards & Guidelines Guidelines
  18. 18. Cyber Security Framework
  19. 19. Framework Introduction Feb 13  Feb 14 Voluntary risk-based framework • Government and private sectors Standards and best practices • Manage cyber security risks Protect individual privacy and civil liberties
  20. 20. Framework Core Framework Implementation Tiers Framework Profile Framework
  21. 21. Framework Core Framework Implementation Tiers Framework Profile Activities, outcomes & applicable references Industry standards, guidelines & practices 5 concurrent and continuous Functions Identify Protect Detect Respond Recover Framework
  22. 22. Framework Core Framework Implementation Tiers Framework Profile Understanding to manage cybersecurity risk to systems, assets, data, and capabilities Identify the occurrence of a cybersecurity event Safeguards to ensure delivery of critical infrastructure services Action regarding a detected cybersecurity event • Maintain plans for resilience • Restore any capabilities or services Identify Protect Detect Respond Recover Framework
  23. 23. Framework Core Framework Implementation Tiers Framework Profile Framework Functions Categories Subcategories Informative Reference IDENTIFY ID PROTECT PR DETECT DE RESPOND RS RECOVER RC
  24. 24. IDENTIFY PROTECT DETECT RESPOND RECOVER Framework Function Category Identifier Category IDENTIFY (ID) ID.AM Asset Management ID.BE Business Environment ID.GV Governance ID.RA Risk Assessment ID.RM Risk Management Strategy
  25. 25. Framework Function Category Identifier Category PROTECT (PR) PR.AC Access Control PR.AT Awareness and Training PR.DS Data Security PR.IP Information Protection Processes and Procedures PR.MA Maintenance PR.PT Protective Technology IDENTIFY PROTECT DETECT RESPOND RECOVER
  26. 26. IDENTIFY PROTECT DETECT RESPOND RECOVER Framework Function Category Identifier Category DETECT (DE) DE.AE Anomalies and Events DE.CM Security Continuous Monitoring DE.DP Detection Processes
  27. 27. IDENTIFY PROTECT DETECT RESPOND RECOVER Framework Function Category Identifier Category RESPOND (RS) RS.RP Response Planning RS.CO Communications RS.AN Analysis RS.MI Mitigation RS.IM Improvements
  28. 28. IDENTIFY PROTECT DETECT RESPOND RECOVER Framework Function Category Identifier Category RECOVER (RC) RC.RP Recovery Planning RC.IM Improvements RC.CO Communications
  29. 29. Cybersecurity Risks Manage Risks Partial Risk Informed Repeatable Adaptive Framework Core Framework Implementation Tiers Framework Profile Framework Consideration • Risk management practices, threat environment, legal & regulatory req., objectives & constraints
  30. 30. Elements: •Risk Management Process •Integrated Risk Management Program •External Collaboration Framework Core Framework Implementation Tiers Framework Profile Framework
  31. 31. Risk Management Process Integrated Risk Management Program External Participation Partial • Not formalized • Reactive • Limited awareness • Irregular risk management • Private information No external collaboration Risk Informed • Approved practices • Not widely use as policy • More awareness • Risk-informed, processes & procedures • Adequate resources • Internal sharing Not formalized to interact & share information Repeatable • Approved as Policy • Update regularly • Organization approach • Risk-informed, processes & procedures defined & implemented as intended, and reviewed • Knowledge & skills • Collaborate • Receive information Adaptive Continuous improvement • Risk-informed, processes & procedures for potential events • Continuous awareness • Actively Actively shares information
  32. 32. Framework Core Framework Implementation Tiers Framework Profile Alignment of Framework Core and business requirements, risk tolerance & resources Establish roadmap to reduce risk aligned with organizational and sector goals Describe current and desired state of specific events Action plan to address gaps Framework
  33. 33. Create or improve a program 1. Prioritize and Scope 2. Orient 3. Create current profile 4. Conduct Risk assessment 5. Create target profile 6. Determine, Analyze & Prioritize Gaps 7. Implement Action Plan
  34. 34. Study Case
  35. 35. http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html
  36. 36. Conclusion
  37. 37. Conclusion Reduce and better manage cybersecurity risks Not a one-size-fits-all approach
  38. 38. Reference 1. NIST (2014). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from NIST site: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf 2. ISF (2007). The Standard of Good Practice for Information Security. Retrieved from Security Forum site: https://www.securityforum.org/userfiles/public/SOGP.pdf 3. IASME (2015) IASME Self-Assessment Questionnaire. Retrieved from IASME site: https://www.iasme.co.uk/index.php 4. Johnson, S. (2008). NERC Cyber Security Standards. SANS. Retrieved from SANS site: https://files.sans.org/summit/scada08/Stan_Johnson_NERC_Cyber_Security_Standards.pdf 5. Center for Internet Security. Retrieved from http://www.cisecurity.org/. 6. Solutionary (n.d.) Security Frameworks. Retrieved from Solutionary site: http://www.solutionary.com/compliance/security-frameworks/ 7. Intel (2015). The Cybersecurity Framework in Action: An Intel Use Case. Retrieved from Intel site: http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use- case-brief.html

×