Cybersecurity Frameworks and You: The Perfect Match
Building Successful Employee Relationships: A Cornerstone to Fraud Prevention and Risk Management
Introductions
Sam BowerCraft
• Senior Manager in Internal Audit and Management Consulting Group
• Certified Information Systems Auditor (CISA)
• Security Consultant related to financial data, information systems, and assets.
• M.S. Information Systems
David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA
• 16+ years of experience
Objectives
• Understanding the importance of using a framework in your organization.
• How a framework can benefit an organization.
• NIST Cybersecurity Framework:
  • The basic requirements for any organization.
Frameworks & Their Importance
An Exercise
• List all the areas of information technology and security that are important for your organization to consider and address.
Framework Benefits
• Structure
• Building from a pre-existing foundation
  • Identify vulnerabilities.
  • Analyze or evaluate the risk associated with that vulnerability.
  • Determine appropriate ways to eliminate or control the vulnerability.
• Efficiency: Cost Savings (time and dollars)
• Effectiveness
• Support
Framework Drawbacks
• While structure is good, understanding is better.
• Limitations:
  • The framework versus your environment.
• “No battle plan survives contact with the enemy.”
- Helmuth von Moltke the Elder
• Clarity of Responsibility: you and the framework
Best Practices
NOT…
• An automated security mechanism or setting.
• A business practice.
• A theory or possibility. It is in place.
• The one best practice; it is not the best of all.
IS…
• A human practice or method to perform a process.
• Security related, helping to protect information, resources, or operations.
• Effective as shown by experience and results.
• Among the most effective practices used to perform this process.
Best Practices
From Worst to Best: Chevron says:
• Good Idea: Unproven. Intuitively makes sense, could be successful… requires analysis.
• Good Practice: Has improved results; supported by data and analysis.
• Local Best Practice: Best approach for large parts of the organization based on analysis of performance internally and some external review.
• Industry Best Practice: Best approach for large parts of the organization based on analysis of performance internally and externally.
Standard Operating Procedures
• Facilitate Communication
• Provide consistency
• Increase productivity
• Provide for cross training
• Help ensure things are done right.
Reviewing Your World
Writing Things Down
• How is your memory?
• How long can you focus on one thing?
• Written goals result in more achievement.
• Reminders help focus… and keep track.
• Unburden your brain; de-clutter with a list / framework.
• Clearer thinking and being able to review… and communicate.
• Identify what needs your focus.
Security Risk Assessment
• Identify the potential inherent security risks.
• Assess the likelihood and significance of occurrence of the identified security risks (ranking of risks).
• Evaluate which users and departments are most likely to have a significant security event and identify the methods they are likely to use.
• Identify and map existing preventive and detective controls to the relevant security risks (framework).
• Evaluate whether the identified controls are operating effectively and efficiently.
• Identify and evaluate residual security risks resulting from ineffective or nonexistent controls.
• Respond to residual security risks.
Approach Comparisons
Prescriptive
• Scope the environment.
• Do these things.
• Evaluate control responses.
  • Design
  • Operation
• Remediate/update controls.
• Repeat.
Risk Based
• Scope the environment.
• Evaluate vulnerabilities.
• Rank risks.
• Evaluate control responses.
  • Design
  • Operation
• Remediate/update controls.
• Repeat.
After the Risk Assessment
• The Risk Assessment may reveal certain residual risks that have not been adequately mitigated due to lack of, or non-compliance with, appropriate preventive and detective controls.
• The security professional works with the client to develop mitigation strategies for any residual risks with an unacceptably high likelihood or significance of occurrence.
• Responses should be evaluated in terms of their costs versus benefits and in light of the organization's level of risk tolerance.
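The Security Risk Assessment steps (rank by likelihood and significance, map controls, evaluate effectiveness, compute residual risk) and the response step on this slide, carried through as a small risk register. This is an added example, not code from the presentation: the register entries, the 1 to 5 rating scale, the effectiveness scores and the tolerance threshold are constructed, the multiplicative control-reduction model is an assumption, and the control identifiers reuse the NIST CSF subcategories listed later in the deck.

```python
from dataclasses import dataclass, field

# Constructed 1 (low) .. 5 (high) scale for likelihood and significance.
@dataclass
class Risk:
    name: str
    owner: str            # user or department most exposed (step 3)
    likelihood: int       # step 2: how likely the event is
    significance: int     # step 2: business impact if it occurs
    # steps 4-5: mapped NIST CSF subcategory -> evaluated effectiveness
    # 0.0..1.0 (0.0 = control exists on paper but is not operating)
    controls: dict = field(default_factory=dict)

    def inherent(self) -> int:
        """Step 2: rank by likelihood x significance, before any control."""
        return self.likelihood * self.significance

    def residual(self) -> float:
        """Step 6: assumed model - each mapped control independently
        removes its effectiveness share of the remaining score."""
        score = float(self.inherent())
        for effectiveness in self.controls.values():
            score *= 1.0 - effectiveness
        return round(score, 1)

def respond(risk: Risk, tolerance: float) -> str:
    """Step 7 / slide 18: residual risk above tolerance needs a response."""
    if risk.residual() <= tolerance:
        return "accept"
    if not risk.controls:
        return "mitigate: no control mapped"
    weak = sorted(c for c, e in risk.controls.items() if e < 0.5)
    if weak:
        return "mitigate: strengthen " + ", ".join(weak)
    return "mitigate: add compensating control"

def assess(register: list, tolerance: float) -> list:
    """Return (name, inherent, residual, response) ranked by residual risk."""
    rows = [(r.name, r.inherent(), r.residual(), respond(r, tolerance)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)  # stable: ties keep order

def sample_register() -> list:
    """Constructed register for a small office (not from the deck)."""
    return [
        Risk("Stale privileged accounts", "IT", 4, 5, {"PR.AC-1": 0.6, "PR.AC-4": 0.5}),
        Risk("Unpatched public web server", "IT", 3, 4, {"ID.RA-1": 0.25}),
        Risk("Unknown devices on the network", "Facilities", 3, 3, {}),
        Risk("Backups never restore-tested", "Finance", 2, 5, {"PR.IP-9": 0.9}),
    ]

if __name__ == "__main__":
    for name, inh, res, action in assess(sample_register(), 6.0):
        print(f"{res:5.1f} (inherent {inh:2d})  {name}: {action}")
```

With a tolerance of 6.0 the two entries at residual 9.0 are the ones that need a response; the stale-account risk drops from 20 to 4.0 once both mapped controls are credited.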
Cybercrime
Cybercrime is simply a crime that involves a computer and a network.
Types of Cybercrime
• Hacking
• Theft
• Cyber Stalking
• Identity Theft
• Malicious Software
• Child Soliciting and Abuse
Categories of Cybercrime
• Individual: This type of cyber crime can be in the form of cyber stalking, distributing pornography, trafficking and “grooming.”
• Property: In this case, they can steal a person’s bank details and siphon off money; misuse a credit card to make numerous purchases online; run a scam to get naïve people to part with their hard-earned money; or use malicious software to gain access to an organization’s website or disrupt the systems of the organization.
• Government: Crimes against a government are referred to as cyber terrorism. If successful, this category can wreak havoc and cause panic amongst the civilian population.
Combating Cybercrimes
• Security Hardware
• Security Software
• Security Awareness
• Working alongside other businesses
• Working with government agencies
Query
• Are you willing to operate your information technology environment in an ad hoc and informal manner given the risks in the world today related to cybersecurity?
Query
• Do you want to reinvent the wheel?
Cybersecurity Basic Requirements
Cybersecurity - Basics
• IT Environment Inventory
  • What do you need to protect?
  • What data does it house?
• Risk Assessment
  • What risks do you face?
  • What vulnerabilities do you have?
• Structure
  • Framework/roadmap
  • Checklist
• Continuous Improvement
Risk Assessment – NIST Style 800-60
NIST Cybersecurity Framework
• What is the framework?
• In 2013, President Obama issued Executive Order 13636, which directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks... (not just for government agencies)
NIST Cybersecurity Framework
• https://www.nist.gov/cyberframework
NIST Cybersecurity Controls
• ID.AM-1: Physical devices and systems within the organization are inventoried.
• ID.AM-4: External information systems are catalogued.
• ID.GV-1: Organizational information security policy is established.
• ID.RA-1: Asset vulnerabilities are identified and documented.
• ID.RA-4: Potential business impacts and likelihoods are identified.
• ID.RA-6: Risk responses are identified and prioritized.
• PR.AC-1: Identities and credentials are managed for authorized devices and users.
• PR.AC-3: Remote access is managed.
• PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
• PR.AT-1: All users are informed and trained.
• PR.AT-2: Privileged users understand roles & responsibilities.
• PR.IP-6: Data is destroyed according to policy.
• PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
* This is a sample.
SANS Top-20 Critical Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
20. Penetration Tests and Red Team Exercises (validated manually)
NIST – Assess & Review
• External Vulnerability Assessments
• Network Architecture Reviews
• VPN Security Reviews
• Host/OS Configuration Reviews
• Internal Vulnerability Assessments
• Wireless Security Reviews
• Firewall Security Reviews
• Active Directory Reviews
Cyber Maturity
NIST Measuring Maturity
One way management can assess and improve.
Documents
• NIST Cybersecurity Framework website: https://www.nist.gov/cyberframework
• Maturity model: http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf
• SANS Top 20 Critical Security Controls: https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
Questions?
Sam BowerCraft
• Senior Manager in Internal Audit and Management Consulting Group
• Certified Information Systems Auditor (CISA)
• M.S. Information Systems
David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA