ITD Cyber Security: The NIST Framework - PowerPoint PPT Presentation



SLIDE 1

The NIST Framework
High Value for ITS

Shannon Barnes, CIO
Craig Schumacher, CISO
Idaho Transportation Department
September 2015

ITD Cyber Security

SLIDE 2

NIST Cybersecurity Framework

- National Institute of Standards (nist.gov)
- Published in February 2014 - a collection of standards, guidelines and practices for reducing cyber risks to critical infrastructure
- Industry and private sector partnership
- Website: http://www.nist.gov/cyberframework

SLIDE 3

Why use the NIST Framework

- Helps to better understand, manage, and reduce cybersecurity risks.
- Determines which activities are most important to assure critical operations and service delivery.
- Prioritizes investments and maximizes the impact of each dollar spent on cybersecurity.
- Shows executives, in an objective, quantitative manner, the status of the program and where improvements are needed.

SLIDE 4

NIST Framework Details

Functions organize basic cybersecurity activities at their highest level:

- Identify, Protect, Detect, Respond, and Recover

Functions aid ITD in managing risk by:

- Organizing information
- Enabling risk management decisions
- Addressing threats
- Showing the impact of investments in cybersecurity

SLIDE 5

Putting the Functions in Perspective

[Diagram slide: no text content recoverable beyond the title.]

SLIDE 6

NIST Framework Details

- Functions
- Categories - groups of cybersecurity outcomes closely tied to programmatic needs
- Subcategories - specific outcomes of technical and/or management activities
- Controls - illustrate a method to achieve the outcomes
- Rated by Tiers

SLIDE 7

How did we measure our progress

- Developed a matrix (Excel spreadsheet) to evaluate the framework by Subcategory by Tier
- Baselined (took an informed guess at) where we were on the framework
- Set (aggressive) goals on where we think we should be in 3 to 5 years
- Created a method of scoring the NIST by numeric value of the Tier (0 through 4) by Subcategory

SLIDE 8

Visual Management - Key to Success

Create a baseline, set goals, evaluate progress routinely, and communicate progress and risks.

[Chart: "ITD NIST Cyber Security Functions and Goals, Quarterly - FY 2015". Rows: Identify, Protect, Detect, Respond, Recover. Columns: Quarter 1, Quarter 2, Quarter 3, Quarter 4, ITD Goal. Tier scale: Nothing, Partial, Risk Informed, Repeatable, Adaptive.]
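The scoring method on slides 7 and 8 (rate each Subcategory by Tier, score the Tier 0 through 4, roll up per Function, compare baseline and later quarters against a goal) is simple enough to reproduce outside a spreadsheet. The following is an added example, not ITD's own matrix or any NIST tool. It assumes the Tier legend from the chart maps to the 0..4 scale as Nothing = 0, Partial = 1, Risk Informed = 2, Repeatable = 3, Adaptive = 4, and it uses constructed sample ratings keyed by Subcategory identifiers taken from the "ITS Opportunities" slide. It also flags score regressions between two assessments, which slide 9 notes can legitimately happen when the team's understanding improves.

```python
"""Score a NIST Cybersecurity Framework self-assessment by Subcategory and Tier.

Added example; not the ITD spreadsheet described in the slides. Tier names come
from the slide's chart legend; the numeric mapping (Nothing = 0 ... Adaptive = 4)
is an assumption based on "numeric value of the Tier (0 through 4)". The sample
ratings at the bottom are constructed for illustration.
"""
from collections import defaultdict

# Assumed mapping of the chart's Tier legend onto the 0..4 scale.
TIER_SCORE = {
    "Nothing": 0,
    "Partial": 1,
    "Risk Informed": 2,
    "Repeatable": 3,
    "Adaptive": 4,
}

# Two-letter Subcategory prefixes for the five Functions.
FUNCTION_OF_PREFIX = {
    "ID": "Identify", "PR": "Protect", "DE": "Detect",
    "RS": "Respond", "RC": "Recover",
}


def function_of(subcategory: str) -> str:
    """Map an identifier such as 'PR.AC-1' to its Function ('Protect')."""
    prefix = subcategory.split(".", 1)[0]
    try:
        return FUNCTION_OF_PREFIX[prefix]
    except KeyError:
        raise ValueError(f"unknown Function prefix in {subcategory!r}") from None


def tier_score(tier: str) -> int:
    """Numeric value of a Tier name; unknown names are rejected, not guessed."""
    try:
        return TIER_SCORE[tier]
    except KeyError:
        raise ValueError(f"unknown Tier {tier!r}; expected one of {sorted(TIER_SCORE)}") from None


def score_by_function(ratings: dict[str, str]) -> dict[str, float]:
    """Average Tier score per Function (the per-row values of the quarterly chart)."""
    buckets: dict[str, list[int]] = defaultdict(list)
    for sub, tier in ratings.items():
        buckets[function_of(sub)].append(tier_score(tier))
    return {fn: round(sum(v) / len(v), 2) for fn, v in buckets.items()}


def subcategory_gaps(current: dict[str, str], goal: dict[str, str]) -> dict[str, int]:
    """Tier steps still needed per Subcategory (goal minus current, floored at 0).

    A Subcategory missing from the current assessment is treated as 'Nothing'.
    """
    return {
        sub: max(0, tier_score(goal_tier) - tier_score(current.get(sub, "Nothing")))
        for sub, goal_tier in goal.items()
    }


def weakest_subcategories(current: dict[str, str], goal: dict[str, str], n: int = 3) -> list[str]:
    """Subcategories furthest from goal, largest gap first; ties ordered by identifier.

    This is the list slide 9 says the team should have focused on: the weak areas.
    """
    gaps = subcategory_gaps(current, goal)
    return sorted(gaps, key=lambda s: (-gaps[s], s))[:n]


def regressions(previous: dict[str, str], current: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Subcategories whose Tier fell between two assessments -> (old Tier, new Tier)."""
    return {
        sub: (previous[sub], current[sub])
        for sub in current
        if sub in previous and tier_score(current[sub]) < tier_score(previous[sub])
    }


# Constructed sample data: a baseline quarter, a later quarter, and the 3-5 year goal.
BASELINE_Q1 = {
    "ID.RA-1": "Partial",
    "PR.AC-1": "Risk Informed",
    "PR.AC-2": "Partial",
    "PR.AT-3": "Repeatable",
    "DE.AE-2": "Nothing",
    "DE.CM-7": "Partial",
    "DE.DP-2": "Risk Informed",
}
# Q2: one improvement (DE.AE-2) and one drop (PR.AT-3) after re-evaluating the baseline.
Q2 = dict(BASELINE_Q1, **{"DE.AE-2": "Partial", "PR.AT-3": "Risk Informed"})
GOAL = {sub: "Repeatable" for sub in BASELINE_Q1}
GOAL["PR.AT-3"] = "Adaptive"

if __name__ == "__main__":
    print("Baseline by Function:", score_by_function(BASELINE_Q1))
    print("Q2 by Function:      ", score_by_function(Q2))
    print("Goal by Function:    ", score_by_function(GOAL))
    print("Weakest areas:       ", weakest_subcategories(BASELINE_Q1, GOAL))
    print("Q2 regressions:      ", regressions(BASELINE_Q1, Q2))
```

Running the script prints the per-Function averages for each quarter and the goal (the numbers behind a chart like the one on this slide), the Subcategories with the largest gap to goal, and any scores that dropped between quarters so that a drop can be explained rather than hidden.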

SLIDE 9

Lessons Learned

- The team was focused on improving areas we were already strong in, not on the things we were weak in.
- Our baseline was fairly optimistic.
- Some scores dropped because we gained a better understanding of what was needed and what we were doing.

SLIDE 10

ITS Opportunities

- Identify: ID.RA-1
- Protect: PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-5, PR.AT-3, PR.DS-3, PR.IP-3, PR.MA-1, PR.MA-2, PR.PT-3, PR.PT-4
- Detect: DE.AE-2, DE.AE-2, DE.CM-2, DE.CM-7, DE.CM-8, DE.DP-2, DE.DP-3

SLIDE 11

Questions?

Email: Craig.Schumacher@itd.idaho.gov
NIST: http://www.nist.gov/cyberframework/