nist cybersecurity framework
play

NIST Cybersecurity Framework Sean Sweeney, Information Security - PowerPoint PPT Presentation

Jun 08, 2023 •134 likes •472 views

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions The

  1. NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

  2. Overview • The University of Pittsburgh • NIST Cybersecurity Framework • Pitt NIST Cybersecurity Framework Program • Wrap Up • Questions

  3. The University of Pittsburgh

  4. Snapshot: Community Responsibility Centers = 49

  5. Snapshot: Information Security Office • 10 full-time security professionals* – Responsible for: • Enterprise Network Firewalls • Security Monitoring and Alerting • Incident Response • Policy, Risk, and Compliance • Awareness • Security Tools (Managed & Self-service) *Supported by 230 Central IT Professionals

  6. Snapshot: Target-rich Environment • Size and speed of network • Collaborative nature of research—open access • Diverse information-rich environment • Fluid user population • Decentralized IT • BYOD

  7. NIST Cybersecurity Framework

  8. Origin of the NIST CSF • Executive Order 13636, Improving Critical Infrastructure Cybersecurity, Feb. 2013 – Directed NIST to work with stakeholders to develop voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure

  9. Presidential Policy Directive 21

  10. NIST CSF Overview • Provides standard measurement that organizations can use to measure risk and improve security • Includes senior management understanding of cyber risk • Currently voluntary, but likely the de-facto standard in event of a breach • Common language, not “government speak” • Maps to COBIT, ISO, 800-53, etc.

  11. NIST CSF Design • Core – Five Functions (Identify, Protect, Detect, Respond, Recover) • 22 categories, 98 subcategories • Implementation tiers – Partial, Risk Informed, Repeatable, Adaptive – One size does not fit all • Profiles – Current & Target

  12. NIST CSF Core

  13. Identify • Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. – ID.AM-1: Physical devices and systems within the organization are inventoried – ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources

  14. Protect • Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. – PR.AC-1: Identities and credentials are managed for authorized devices and users – PR.DS-1: Data-at-rest is protected

  15. Detect • Develop and implement the appropriate activities to identify the occurrence of cybersecurity event. – DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed – DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

  16. Respond • Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. – RS.RP-1: Response plan is executed during or after an event – RS.MI-1: Incidents are contained

  17. Recover • Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. – RC.RP-1: Recovery plan is executed during or after an event – RC.CO-1: Public relations are managed

  18. Tier 1 Partial • Risk Management Process – Ad hoc • Integrated Risk Management Program – Limited awareness of risk. Managed case by case basis. • External Participation – No processes in place to collaborate.

  19. Tier 2 Risk Informed • Risk Management Process – Established by management, but not policy. • Integrated Risk Management Program – Awareness of risk. Managed well. No organization wide approach. • External Participation – No formal processes for interaction and sharing.

  20. Tier 3 Repeatable • Risk Management Process – Expressed by policy. Practices updated regularly. • Integrated Risk Management Program – Organization wide approach to manage cyber risk. • External Participation – Receives information from partners for collaboration

  21. Tier 4 Adaptive • Risk Management Process – Continuous improvement incorporating advanced technologies and practices. • Integrated Risk Management Program – Cyber risk management is part of culture • External Participation – Actively shares information with partners

  22. Note About Tiers • Tiers do not represent maturity levels. • Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective. • Successful implementation of the Framework is based upon achievement of the outcomes described in the organization’s Target Profile(s) and not upon Tier determination.

  23. Profiles • Alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization. • Current and Target – Current outcomes vs those needed to achieve goals. • Comparison of Profiles – Gap mitigation prioritized and roadmap created – Allows organization to prioritize resources • “Living” document

  24. NIST CSF Decision Flows

  25. Pitt NIST CSF Program

  26. Steps 1. Prioritize and Scope 2. Orient, Create Current Profile 3. Conduct Risk Assessment 4. Create Target Profile 5. Determine, Analyze, and Prioritize Gaps 6. Implement Plan of Action

  27. Year 1 (July 1, 2014 – June 30, 2015) • Focused on enterprise network and systems managed by central IT. • Included central IT stakeholders in preparing profiles • Presented profiles and roadmap to executive management • Internal Audit review

  28. Year 2 (July 1, 2015 – June 30, 2016) • Expand scope of the system and assets by using framework on two key non-central units. • Adapt framework for departmental/school use. • Train key personnel to perform current state assessment. • Information Security to create target profile, gap analysis, and remediation plan with input from departments/schools.

  29. Wrap Up

  30. Future of NIST CSF • Roadmap published with CSF – Identified key areas of development, alignment, and collaboration. • Critical Infrastructure Cyber Community Voluntary Program – Focuses on Use, Outreach, and Feedback – Onsite or self-guided Cyber Resilience Review • Many critical sectors still determining how to apply framework

  31. Cross walking the NIST CSF

  32. Thoughts on NIST CSF • Allows communication of cyber risk up and across • Not overly prescriptive, but not vague • Not purely an IT controls exercise • Able to apply to unique enterprise without modification • Allows for prioritization of risk and associated resources • Future unclear

  33. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance

Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance

Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance November 6, 2014 Adam Sedgewick Senior IT Policy Advisor Adam.Sedgewick@nist.gov National Institute of Standards and Technology (NIST) About NIST

466 views • 14 slides
IT ITD D Cy Cyber ber Secu curi rity ty The NIST Framework High Value for ITS Shannon

IT ITD D Cy Cyber ber Secu curi rity ty The NIST Framework High Value for ITS Shannon

IT ITD D Cy Cyber ber Secu curi rity ty The NIST Framework High Value for ITS Shannon Barnes, CIO Craig Schumacher, CISO Idaho Transportation Department September 2015 NIST Cybersecurity Framework National Institute of Standards

336 views • 11 slides
Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity

Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity

Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity Framework (NIST CSF) A Business Case Agenda and Objectives The Digital Innovation Economy The Cyber Security Problem The Cyber Security Solution

260 views • 22 slides
INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

Section 1 Dr. Bruce Burton California Cybersecurity INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and implications Learn from past attacks Understand the NIST Cybersecurity Framework (CSF) &

368 views • 33 slides
NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection Mike Powell, Project Cybersecurity Engineer, NIST /NCCoE Jim McCarthy, Energy Sector Federal Lead NIST / NCCoE

616 views • 15 slides
The Evolution of the RMF May 23, 2018 Thomas G. Volpe Sr., CSSLP, PCIP Agenda Background

The Evolution of the RMF May 23, 2018 Thomas G. Volpe Sr., CSSLP, PCIP Agenda Background

The Evolution of the RMF May 23, 2018 Thomas G. Volpe Sr., CSSLP, PCIP Agenda Background FISMA then and now RMF V1 (NIST 800-37 R1) Overview of the CyberSecurity Framework RMF V2 (NIST 800-37 R2) Summary In the

281 views • 24 slides
Securing 5G Infrastructure NIST NCCoE 5G Cybersecurity Workshop Oct 10 th , 2019 Kapil Sood

Securing 5G Infrastructure NIST NCCoE 5G Cybersecurity Workshop Oct 10 th , 2019 Kapil Sood

DARPA ONLY Securing 5G Infrastructure NIST NCCoE 5G Cybersecurity Workshop Oct 10 th , 2019 Kapil Sood Security Architect, Intel Corp. Kapil.Sood@intel.com 1 Transparent 5G delivers on the promise of cloud Open standards and x86 based

287 views • 5 slides
Opening Remarks Cybersecurity in Cyber-Physical Systems Workshop hosted by NIST Information

Opening Remarks Cybersecurity in Cyber-Physical Systems Workshop hosted by NIST Information

Opening Remarks Cybersecurity in Cyber-Physical Systems Workshop hosted by NIST Information Technology Laboratory April 23-24, 2012 George W. Arnold, Eng.Sc.D. Director, Smart Grid and Cyber-Physical Systems Program Office Engineering

534 views • 12 slides
PQCRYPTO project in the EU Tanja Lange 3 April 2015 NIST Workshop on Cybersecurity in a

PQCRYPTO project in the EU Tanja Lange 3 April 2015 NIST Workshop on Cybersecurity in a

PQCRYPTO project in the EU Tanja Lange 3 April 2015 NIST Workshop on Cybersecurity in a Post-Quantum World Post-Quantum Cryptography for Long-term Security Project funded by EU in Horizon 2020. Starting date 1 March 2015, runs for 3

267 views • 7 slides
800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards

800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards

800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) MEP Overview NIST MEP 800-171 Assessment Handbook Step-by-step guide to

713 views • 48 slides
Cyber Security Resources For County Government September 21, 2017 September 21, 2017 2 NIST

Cyber Security Resources For County Government September 21, 2017 September 21, 2017 2 NIST

Cyber Security Resources For County Government September 21, 2017 September 21, 2017 2 NIST Cybersecurity Framework September 21, 2017 3 Resources Available to NYS Counties Funding (State Homeland Security and UASI Grants) Free

231 views • 22 slides
National Cybersecurity Workforce Framework Benjamin Scribner Department of Homeland Security

National Cybersecurity Workforce Framework Benjamin Scribner Department of Homeland Security

Federal Information Systems Security Educators March 19, 2014 National Cybersecurity Workforce Framework Benjamin Scribner Department of Homeland Security (DHS) National Cybersecurity Education & Awareness Branch (CE&A) T HE CYBER THREAT

315 views • 13 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
A Legal Framework for Cybersecurity Deirdre K. Mulligan Fred B. Schneider School of Information

A Legal Framework for Cybersecurity Deirdre K. Mulligan Fred B. Schneider School of Information

A Legal Framework for Cybersecurity Deirdre K. Mulligan Fred B. Schneider School of Information Computer Science UC Berkeley Cornell University Outline of Talk Brief background Why shift in legal framework is appropriate

764 views • 27 slides
Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is

Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is

Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is cybersecurity? Why should I care? What can I do about it? High level cyber framework overview Summary + QA Fun stuff BIO Kevin

546 views • 32 slides
Meeting the Need: Training that Rocks Kimberly Hemby Kassy LaBorie Lisa Plaggemier

Meeting the Need: Training that Rocks Kimberly Hemby Kassy LaBorie Lisa Plaggemier

CYBERSECURITY | INNOVATION . AWARENESS . TRAINING 2020 Vision : Bringing the Future of Cybersecurity Awareness and Training Into Focus 33rd Annual FISSEA Conference 2020 Summer Webinar Series #FISSEA2020 | nist.gov/fissea Meeting the Need:

1.16k views • 70 slides
Eco-Friendly Educational Hub. Excellent Campus with Academic Ambience

Eco-Friendly Educational Hub. Excellent Campus with Academic Ambience

Eco-Friendly Educational Hub. Excellent Campus with Academic Ambience Excellent Academic Results Free Branded Laptop and Cell Phone 24x7 Dedicated Internet Leased Line. Fully Air-conditioned Class Rooms for

431 views • 42 slides
MGX CEO Presentation 23 March 2018 Disclaimer This Document is Confidential and may not be

MGX CEO Presentation 23 March 2018 Disclaimer This Document is Confidential and may not be

General Meeting MGX CEO Presentation 23 March 2018 Disclaimer This Document is Confidential and may not be reproduced, redistributed or passed on, directly or indirectly, to any other person, or published, in whole or in part, for any purpose

390 views • 13 slides
Corporate Presentation August 30, 2020 TSX: ZENA Disclaimers IMPORTANT: YOU MUST READ THE

Corporate Presentation August 30, 2020 TSX: ZENA Disclaimers IMPORTANT: YOU MUST READ THE

Corporate Presentation August 30, 2020 TSX: ZENA Disclaimers IMPORTANT: YOU MUST READ THE FOLLOWING BEFORE CONTINUING . The information contained in this document has been prepared by Zenabis Global Inc. ( Zenabis or the Company) .

795 views • 31 slides
Results Presentation Second Quarter 2020 6 December 2019 Financial highlights Solid set of

Results Presentation Second Quarter 2020 6 December 2019 Financial highlights Solid set of

Results Presentation Second Quarter 2020 6 December 2019 Financial highlights Solid set of results for the Second Quarter 2020 Total Group EBITDA* for the Second Quarter 2020 was 36.8m (2019 - 35.4m) Pro-forma EBITDA for the Senior

371 views • 15 slides
Cybersecurity Requirements for Federal Contracts Seminar 8/9/17, 9- noon Time Topic Speaker

Cybersecurity Requirements for Federal Contracts Seminar 8/9/17, 9- noon Time Topic Speaker

Cybersecurity Requirements for Federal Contracts Seminar 8/9/17, 9- noon Time Topic Speaker 9-9:30 Arrival and Breakfast - 9:30 Welcome Don Pital, Manager GaMEP Don.pital@innovate.gatech.edu 9:35-9:55 Ga Sponsor Introductions Karen

782 views • 39 slides
The VVSG Version 1.1 Overview John P. Wack john.wack@nist.gov NIST Voting Program National

The VVSG Version 1.1 Overview John P. Wack john.wack@nist.gov NIST Voting Program National

The VVSG Version 1.1 Overview John P. Wack john.wack@nist.gov NIST Voting Program National Institute of Standards and Technology Overview Background and issues Selection criteria for ported material Overview of the ported material

535 views • 15 slides
Using&Risk&Management&to&Improve& Privacy&in&Informa7on&Systems 1

Using&Risk&Management&to&Improve& Privacy&in&Informa7on&Systems 1

Using&Risk&Management&to&Improve& Privacy&in&Informa7on&Systems 1 Poten7al&Problems&for&Individuals Loss&of&Autonomy Exclusion Loss&of&Self& Loss&of&Liberty

538 views • 19 slides
NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov ICANN Meeting Oct. 15 th , 2014 Los Angeles CA First, A Bit of History 2011 USG DNSSEC Tiger Team has a 2 nd goal: authenticated email

308 views • 4 slides

More recommend