What’s all the noise about the Cyber Security Framework?
ACR 2 Solutions Compliance Tools
The Cyber Security Framework
Airs Conference May 2017
About ACR 2 Solutions – your NIST experts
ACR2 is a developer of scalable, real-time Risk Management and IT Compliance Software Solutions.
Tools to support information security laws and regulations, including FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS and, most recently, the Cyber Security Framework.
Risk and Compliance solutions for public, private, and government
organizations.
Technical Implementation Partner for GA-HITREC
We are an HP Healthcare Alliance Partner and work with Premier HP Resellers
We currently work with hundreds of locations in Healthcare and Financial Services
Single sites, distributed enterprise and hospitals and their practices
Today’s Agenda:
1) Introductions
2) History of the Cybersecurity Framework (CSF)
3) Why do we need the CSF?
4) Terminology and Acronyms
5) What does the future of the CSF look like?
6) Will it remain optional?
7) The CyberSecurity Framework
8) How can it be utilized for my organization?
9) Questions and answers – As time allows
Getting to know you.
1. Works for a company that uses the HIPAA Privacy, Security and Breach rules?
2. Has mandated Security and Privacy Awareness training for all employees?
3. Has read the Cybersecurity Framework Version 1? Draft 1.1?
4. Has read or knows what the “Omnibus rule” is?
5. Has anyone ever been asked for a “Business Associate Agreement”, or requires them from contractors or partners?
6. Lastly, knows what NIST stands for?
What is the Framework, and what is it designed to accomplish?
The Framework is voluntary guidance, based on existing
standards, guidelines, and practices, for critical
infrastructure organizations to better manage and reduce
cybersecurity risk.
In addition to helping organizations manage and reduce
risks, it was designed to foster risk and cybersecurity
management communications amongst both internal and
external organizational stakeholders.
Cyber Security Objective
“[i]t is the Policy of the United States to
enhance the security and resilience
of the Nation’s critical infrastructure
and to maintain a cyber environment
that encourages efficiency, innovation,
and economic prosperity...”
Executive Order 13636, February 12, 2013
Executive Order 13636
The Cybersecurity Framework was published in February 2014
following a collaborative process involving industry, academia and
government agencies.
More than 1,000 individuals had input into the current revision.
The original goal was to develop a voluntary framework to help
organizations manage cybersecurity risk in the nation’s critical
infrastructure.
The framework has been widely adopted by many types of
organizations across the country and around the world.
The 16 Critical Infrastructure Industries
▪ Chemical Sector
▪ Commercial Facilities Sector
▪ Communications Sector
▪ Critical Manufacturing Sector
▪ Defense Industrial Base Sector
▪ Dams Sector
▪ Emergency Services Sector
▪ Energy Sector
▪ Financial Services Sector
▪ Food and Agriculture Sector
▪ Government Facilities Sector
▪ Healthcare and Public Health Sector
▪ Information Technology Sector
▪ Nuclear Reactors, Materials, and Waste Sector
▪ Transportation Systems Sector
▪ Water and Wastewater Systems Sector
Executive Summary
The national and economic security of the United States
depends on the reliable functioning of critical
infrastructure.
Cybersecurity threats exploit the increased complexity
and connectivity of critical infrastructure systems, placing
the Nation’s security, economy, and public safety and
health at risk.
Acronyms and Regulations
CCS - Council on CyberSecurity
COBIT - Control Objectives for Information and Related Technology
DCS - Distributed Control System
DHS - Department of Homeland Security
NIST - National Institute of Standards and Technology
OMB – Office of Management and Budget
ISO - International Organization for Standardization
ISO 27001/2
HIPAA
FISMA – Federal Information Security Management Act
GLBA – Gramm-Leach-Bliley Act
PCI – Payment Card Industry
Cybersecurity Framework
EO – Executive Order
Why do we need the CSF?
The national and economic security of the United States depends
on the reliable functioning of our critical infrastructure.
To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity”, on February 12, 2013.
This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) to assist organizations responsible for critical infrastructure services in managing cybersecurity risk.
Cybersecurity Framework Overview
The Cybersecurity Framework – intention or design criteria
Includes a set of standards, methodologies, procedures, and
processes that align policy, business and technological
approaches to address cyber risks.
Provides a prioritized, flexible, repeatable, performance-based
and cost-effective approach.
This includes information security methods and controls to help
owners and operators of critical infrastructure identify, assess,
and manage cyber risk.
Cybersecurity Framework Overview
The Cybersecurity Framework
Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
Is consistent with voluntary international standards.
NAIC CYBERSECURITY TASK FORCE ADOPTS REGULATORY PRINCIPLES
National Association of Insurance Commissioners (NAIC)
• NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight.
• http://www.naic.org/state_web_map.htm
Cybersecurity Executive Order
NIST Risk Management Framework (RMF)
now mandatory for all federal agencies.
Agencies have 90 days to file implementation
plans with OMB.
“Agency heads will be held accountable by
the President for implementing risk
management measures”…
More about NIST (from 1901 to 1988 called the Bureau of Standards)
• NIST publications, many of which are required for federal agencies, can serve as voluntary guidelines and best practices for state, local, and tribal governments and the private sector.
• NIST security standards and guidelines include:
• Federal Information Processing Standards (FIPS)
• Special Publications, which can be used to support the requirements of HIPAA, FISMA and GLBA
• These may be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems.
• Most importantly, it’s what the auditors know and are required to use internally!
A New Update is coming…
What changes are included in the proposed revision?
The draft revision (Version 1.1):
Clarifies use of Implementation Tiers and their relationship to
Profiles,
Enhances guidance for applying the Framework for supply chain
risk management,
Provides guidance on metrics and measurements using the
Framework,
Adds the concept of identity proofing and expands authorization,
and
Updates FAQs to support understanding and use of Framework.
If I adopt it, how will it impact my resources, cost and time, and how much new work will it create?
• Implementing the HIPAA Security Rule compared to implementing the CyberSecurity Framework (CSF):
• If you implement HIPAA using NIST SP 800-66, you will have 52% of the CSF requirements addressed.
• If you implement the CSF, you will have 68% of the HIPAA requirements covered.
Should we use the CSF?
Why use NIST Security Controls ?
There are official mappings between the NIST controls and:
ISO 27001/2
HIPAA
PCI
GLBA
Cybersecurity Framework
COBIT
Not necessarily State Requirements
[Venn diagram, not to scale: overlapping coverage of PCI, ISO 27001/2, COBIT, HIPAA Security, State requirements, Cybersecurity Framework/NAIC and GLBA.]
We typically work on 3 regulations and the local state issues – most notably breach related.
• Our most common engagements are:
• HIPAA Security
• Risk Assessment
• Security Awareness Training
• Develop and Review Policies and Procedures
• Add Cybersecurity Framework Controls
• Add State-Specific Requirements, especially for disclosure/breach regulations
• Your organization may be different!
State-Specific Issues
Cybersecurity Framework/NAIC
HIPAA Compliance & Security
GLBA
Critical Infrastructure Support
“It is the policy of the executive branch to use its authorities
and capabilities to support the cybersecurity risk
management efforts of the owners and operators of the
Nation's critical infrastructure”
“Reasonable Security” Becomes Reasonably Clear
If cybersecurity risks appear to be ubiquitous, some comfort may be taken in the fact that reasonable
defenses are well known. The Report emphasizes a finding that has been made regularly in Verizon’s
annual Data Breach Investigations Reports: 99.9 percent of exploited vulnerabilities were compromised
more than a year after the fix for the vulnerability had been made publicly available.
Defining a Reasonable Security Standard
California law requires organizations to implement “reasonable security procedures and practices . . . to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” The Report, drawing on a rich dataset of reported breaches, for the first time sets forth the California Attorney General’s expectations, providing additional meaning to the “reasonable security” requirement.
Overview of the Framework
The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program. Organizations can use it to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.
Overview of the Framework
The Framework is a risk-based approach to managing
cybersecurity risk, and is composed of three parts:
the Framework Core,
the Framework Profile, and
the Framework Implementation Tiers.
The Framework Core
A set of cybersecurity activities, desired outcomes, and
applicable references that are common across critical
infrastructure sectors.
The Core presents industry standards, guidelines, and
practices in a manner that allows for communication of
cybersecurity activities and outcomes across the
organization
The Framework Profile
A Framework Profile (“Profile”) represents the outcomes
based on business needs that an organization has
selected from the Framework Categories and
Subcategories.
The Profile can be characterized as the alignment of
standards, guidelines, and practices to the Framework
Core in a particular implementation scenario.
The Framework Implementation Tiers
Provide the context on how an organization views
cybersecurity risk and the processes in place to manage
that risk.
Tiers describe the degree to which an organization’s
cybersecurity risk management practices exhibit the
characteristics defined in the Framework.
Risk and Threat Awareness:
Partial, Risk Informed, Repeatable and Adaptable
Framework 7-Step Process
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze and Prioritize Gaps
Step 7: Implement Action Plan
By the way…
There are co$ts associated with implementation
In order to be a 4 in a key area, you may choose to be a 2 in
That Cost Benefit analysis tells you where you can focus
The Core is designed to translate the highly technical subject that is cybersecurity for the other disciplines.
Cybersecurity works when the whole organization is in sync.
The five Framework core Functions
Identify – Develop the organizational
understanding to manage cybersecurity risk
to systems, assets, data, and capabilities.
Protect – Develop and implement the
appropriate safeguards to ensure delivery of
critical infrastructure services.
Detect – Develop and implement the
appropriate activities to identify the
occurrence of a cybersecurity event.
Respond – Develop and implement the
appropriate activities to take action regarding
a detected cybersecurity event.
Recover – Develop and implement the
appropriate activities to maintain plans for
resilience and to restore any capabilities or
services that were impaired due to a
cybersecurity event.
The Core and Categories
The Core 5 and the next 22 Categories are simple, but not all groups will define the terms the same…
The terminology is purposely selected to be generally available.
The Core and Categories with IDs
The Mantra: “Identify, Protect, Detect, Respond and Recover”
The Core 5 and the next 22 Categories are simple, but not all groups will define the terms the same…
The terminology is purposely selected to be generally available and understood by many.
Building a Profile in 3 steps.
A profile can be thought of as the combination of:
Mission Objectives
Cybersecurity Requirements
Legislation
Regulations
Internal & External Policies
Best Practice
Operating Methodologies.
Conceptual Profile
Comply once, report many: HIPAA, FISMA, Sarbanes-Oxley
There can be hundreds of distinct profiles.
Resource and Budgeting…
Why aren’t you addressing the activities in order of priority?
Why aren’t you doing subcategory 1?
The priorities were smaller, the gaps were smaller and the costs were greater than for Categories 2 and 3.
You end up with a defensible plan!
Creating or editing a profile.
HHS and HIPAA Security Rule to Cybersecurity Framework Mappings
Profiles are there..
Efficiency is there..
Three 2-hour meetings.
Small Organization Cyber Security Compliance
At least annually, start the Cyber Security Risk Management Program:
Step 1 – Prioritize and Scope Program, i.e. What Assets to Protect?
Step 2 – Orient, i.e. Locate Assets at Risk
Step 3 – Create Current Profile, i.e. How are Assets Currently Protected?
Step 4 – Select Compliance Option and Conduct Risk Assessment. NIST Recommended for US Sites, ISO Internationally
Step 5 – Create Target Profile Showing Desired Risk Levels
Step 6 – Gap Analysis – What is Required to Achieve Desired Risk Levels?
Step 7 – Action Plan – Implement Changes to Achieve Desired Risk Levels
Office of Civil Rights (OCR)
Risk Assessment Steps
• Step 1 System Characterization
• Step 2 Threat Identification
• Step 3 Vulnerability Identification
• Step 4 Control Analysis
• Step 5 Likelihood Determination
• Step 6 Impact Analysis
• Step 7 Risk Determination
• Step 8 Control Recommendations
• Step 9 Results Documentation
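As an added worked example (not from the ACR 2 deck and not an ACR 2 tool), the Python below carries Steps 3 through 7 of the 7-step process and the OCR likelihood, impact and risk-determination steps through to a ranked, budget-bounded action plan; the subcategory rows, tier values, ratings and costs are constructed sample data, and the priority formula (risk reduced per unit cost) is an assumption of this example, not a Framework rule.

```python
# Added example: CSF profile gap analysis -> prioritized, budget-bounded action plan.
# Subcategory ids are real CSF v1.0 identifiers; every rating and cost is constructed.
from dataclasses import dataclass

# Implementation Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive.


@dataclass(frozen=True)
class Subcategory:
    sub_id: str       # CSF Core subcategory identifier, e.g. "PR.AC-1"
    current: int      # tier in the Current Profile (Step 3)
    target: int       # tier in the Target Profile (Step 5)
    likelihood: int   # 1 (low) .. 3 (high), OCR risk assessment step 5
    impact: int       # 1 (low) .. 3 (high), OCR risk assessment step 6
    cost: float       # estimated cost to reach the target tier (constructed units)


def risk_score(s: Subcategory) -> int:
    """OCR step 7, risk determination: likelihood x impact (1..9)."""
    return s.likelihood * s.impact


def tier_gap(s: Subcategory) -> int:
    """Step 6, gap analysis: tiers still to climb; 0 when the target is already met."""
    return max(0, s.target - s.current)


def priority(s: Subcategory) -> float:
    """Assumed ranking rule: risk reduced per unit cost. A wider gap on a
    riskier outcome ranks higher; a higher cost ranks lower."""
    return risk_score(s) * tier_gap(s) / s.cost


def rank_gaps(profile):
    """Step 6: keep only subcategories with a gap, highest priority first."""
    return sorted((s for s in profile if tier_gap(s) > 0),
                  key=lambda s: (-priority(s), s.sub_id))


def action_plan(profile, budget):
    """Step 7: fund gaps in priority order, skipping what the remaining budget
    cannot cover. Returns (funded ids, total spent); the unfunded gaps stay
    visible in rank_gaps(), which is what makes the plan defensible."""
    funded, spent = [], 0.0
    for s in rank_gaps(profile):
        if spent + s.cost <= budget:
            funded.append(s.sub_id)
            spent += s.cost
    return funded, spent


# Constructed sample profile (real subcategory ids, made-up tiers, ratings, costs).
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", current=1, target=3, likelihood=3, impact=3, cost=20),
    Subcategory("PR.AC-1", current=2, target=4, likelihood=2, impact=3, cost=40),
    Subcategory("DE.CM-1", current=1, target=2, likelihood=3, impact=2, cost=5),
    Subcategory("RS.RP-1", current=3, target=3, likelihood=2, impact=2, cost=10),
    Subcategory("RC.RP-1", current=2, target=3, likelihood=1, impact=1, cost=30),
]

if __name__ == "__main__":
    for s in rank_gaps(SAMPLE_PROFILE):
        print(f"{s.sub_id}: gap {tier_gap(s)} tier(s), risk {risk_score(s)}, "
              f"priority {priority(s):.2f}, cost {s.cost}")
    print(action_plan(SAMPLE_PROFILE, budget=30))
```

Changing the budget or the likelihood/impact ratings and re-running shows which gaps drop out of the funded list, which is the cost-benefit trade-off the deck describes.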
NIST Risk Management Framework
3.1 RMF STEP 1 – CATEGORIZE INFO. SYSTEM
3.2 RMF STEP 2 – SELECT SECURITY CONTROLS
3.3 RMF STEP 3 – IMPLEMENT CONTROLS
3.4 RMF STEP 4 – ASSESS SECURITY CONTROLS
3.5 RMF STEP 5 – AUTHORIZE INFO. SYSTEM
3.6 RMF STEP 6 – MONITOR SECURITY CONTROLS
NIST Risk Management Framework
3.1 RMF STEP 1 – CATEGORIZE INFO. SYSTEM
TASK 1-1: Categorize the information system and
document the results…
References: FIPS Publication 199; NIST Special
Publications 800-30, 800-39, 800-59, 800-60;
CNSS Instruction 1253
TASK 1-2: Describe the information system…
References: None
TASK 1-3: Register the information system…
References: None.
NIST Risk Management Framework
3.2 RMF STEP 2 – SELECT SECURITY CONTROLS
TASK 2-1: Identify…and document the controls in a security plan…References: FIPS 199, 200; NIST 800-30, 800-53; CNSS 1253.
TASK 2-2: Select the security controls…References: FIPS 199, 200; NIST 800-30, 800-53; CNSS 1253.
TASK 2-3: Develop a strategy for the continuous monitoring...References: NIST 800-30, 800-39, 800-53, 800-53A; CNSS 1253.
TASK 2-4: Review and approve the security plan. References: NIST 800-30, 800-53; CNSS 1253.
Content Based
NIST 800-53 Safeguards
Symbol | NIST Title | CUI | CSF | HIPAA | Privacy
(The X marks are listed as extracted; which of the four columns each mark belongs to was not preserved in this transcript.)
AC-02 | Account Management | X X X
AC-03 | Access Enforcement | X X X X
AC-04 | Information Flow Enforcement | X X X
AC-05 | Separation of Duties | X X X X
AC-06 | Least Privilege | X X X X
AC-07 | Unsuccessful Logon Attempts | X X
AC-08 | System Use Notification | X X
AC-11 | Session Lock | X X X
AC-12 | Session Termination | X X X
AC-17 | Remote Access | X X X X
AC-18 | Wireless Access | X X
AC-19 | Access Control for Mobile Devices | X X X X
AC-20 | Use of External Information Systems | X X
AC-22 | Publicly Accessible Content | X X
AT-02 | Security Awareness Training | X X X
AT-03 | Role-Based Security Training | X X X
AU-02 | Auditable Events | X X X X
AU-03 | Content of Audit Records | X X X
AU-06 | Audit Review, Analysis, and Reporting | X X X X
AU-07 | Audit Reduction and Report Generation | X X X
AU-12 | Audit Generation | X X
NIST Risk Management Framework
3.3 RMF STEP 3 – IMPLEMENT SECURITY CONTROLS
TASK 3-1: Implement the security controls specified in the security plan…References: FIPS 200; NIST 800-30, 800-53, 800-53A; CNSS 1253; Web: scap.nist.gov.
TASK 3-2: Document the security control implementation…References: NIST 800-53; CNSS 1253.
NIST Risk Management Framework
3.4 RMF STEP 4 – ASSESS SECURITY CONTROLS
TASK 4-1: Develop, review, and approve a plan to
assess the security controls.
References: NIST Special Publication 800-53A.
TASK 4-2: Assess the security controls…References:
NIST 800-53A.
TASK 4-3: Prepare the security assessment report…
References: NIST 800-53A.
TASK 4-4: Conduct initial remediation actions…
References: NIST 800-30, 800-53A.
NIST Risk Management Framework
3.5 RMF STEP 5 – AUTHORIZE INFO. SYSTEM
TASK 5-1: Prepare the plan of action and milestones..
References: OMB Memorandum 02-01; NIST
800-30, 800-53A.
TASK 5-2: Assemble the security authorization
package…References: None.
TASK 5-3: Determine the risk…References: NIST
800-30, 800-39.
TASK 5-4: Determine if the risk…is acceptable. References: NIST 800-39.
NIST Risk Management Framework
3.6 RMF STEP 6 – MONITOR SECURITY CONTROLS
TASK 6-1: Determine the security impact... References: NIST 800-30, 800-53A.
TASK 6-2: Assess a selected subset of the…security controls…References: NIST 800-53A.
TASK 6-3: Conduct remediation actions...References: NIST 800-30, 800-53, 800-53A; CNSS 1253.
TASK 6-4: Update the security plan…based on the
results of the continuous monitoring process.
References: NIST 800-53A.
TASK 6-5: Report the security status of the information system… on an ongoing basis…References: NIST 800-53A.
TASK 6-6: Review the reported security status of the
information system..to determine whether the
risk..remains acceptable. References: NIST 800-30,
800-39.
TASK 6-7: Implement an information system decommissioning strategy...References: NIST 800-30, 800-53A.
Example – EPA RFI, 3/17
RFQ-DC-17-00099
RMF compliance 48 networks/15,000 assets
Other Cybersecurity and Management Services
For More Information
Website – www.ACR2solutions.com
Contacts
Jack Kolk, Benicia CA, 707 742-4211 or
Robert Peterson, Lilburn GA, 770 381-9229 or