What Are Best Practices? Making Sense of NIST and Other...

What Are Best Practices? Making Sense of NIST

and Other IT Security Frameworks April 27, 2017

Sarah Ackerman and Carly Devlin

Clark Schaefer Consulting

Our webinar will begin shortly.

What Are Best Practices? Making Sense of NIST

and Other IT Security Frameworks April 27, 2017

Sarah Ackerman and Carly Devlin

Clark Schaefer Consulting

Questions

3

How to ask a question during today’s webinar?

Use the “Chat” or “Question” feature on the

GoToWebinar panel.

You can also email DeAnna Bird at

[email protected].

Questions will be addressed at the end of the

webinar.

CPE

4

CPE is available for this event.

You will receive an email by the end of the day that

will contain today’s presentation & CPE form.

You will receive 3 CPE codes during today’s

presentation.

Record those 3 CPE codes to complete the CPE

form.

Introductions

Sarah Ackerman, CISSP, CISA, CICP

Managing Director, Cincinnati Office

Responsible for overall engagement quality and

oversight of projects

Areas of expertise include information security;

risk management; and IT governance, audit, and

compliance

Works with wide variety of clients and industries

across Ohio and Kentucky

In-depth knowledge of IT and security

frameworks, regulations, and standards,

including ISO, NIST, COBIT, GLBA, FDA,

HIPAA, PCI

Introductions

Carly Devlin, CISSP, CISA

Director, Columbus Office

Responsible for management of client

relationships, projects, and consultants

Areas of expertise include information security,

IT audit, IT operations, and risk management

Works with wide variety of clients and industries

across Ohio and Kentucky

In-depth knowledge of IT and security

frameworks, regulations, and standards,

including ISO, NIST, COBIT, GLBA, PCI

7

CPE Code 1

35764

Agenda

Regulatory vs. Security Frameworks

Overview of HIPAA, PCI, GLBA, ISO, NIST

NIST Deep Dive: Top 10

8

Regulatory Frameworks

PCI

HIPAA

GLBA

Security Frameworks

ISO

NIST

Regulatory vs. Security Frameworks

9

Overview of Regulatory Frameworks

10

PCI DSS Payment Card Industry Data Security Standard

What is it? Standards for protecting payment systems from breaches and theft of cardholder data

Who does it apply to? Merchants, financial institutions, point-of-sale vendors

Who enforces it? Individual payment brands or acquiring banks


11

HIPAA Health Insurance Portability and Accountability Act of 1996

What is it? Legislation that provides data privacy and security provisions for safeguarding medical information

Who does it apply to? Healthcare providers, health plans, and healthcare clearing houses

Who enforces it? United States Department of Health and Human Services (HHS)


12

GLBA Gramm-Leach-Bliley Act (Financial Modernization Act of 1999)

What is it? Regulation that requires disclosure of information-sharing practices to customers and safeguarding of sensitive data.

Who does it apply to? Financial Institutions

Who enforces it? FRB, FTC, FDIC, NCUA, OCC, CFPB, FTC

ISO Overview

13

International Organization for Standardization

ISO began operations in 1947

Independent, non-governmental international organization with a membership of 162 national

standards bodies

ISO has published 21,599 international standards and related documents for every industry

NIST Overview

14

National Institute of Standards and Technology

NIST was founded in 1901 and is now part of the U.S. Department of Commerce.

Mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science,

standards, and technology

Standards and guidelines developed by NIST for computer systems are issued as Federal Information

Processing Standards (FIPS)

15

CPE Code 2

13893

NIST: Special Publications

16

http://csrc.nist.gov/publications/PubsSPs.html

800-53: Security and Privacy Controls for Federal Information Systems and

Organizations

800-161: Supply Chain Risk Management Practices

800-61: Computer Security Incident Handling Guide

800-124: Guidelines for Managing the Security of Mobile Devices in the

Enterprise

800-50: Building an Information Technology Security Awareness and

Training Program

800-122: Guide to Protecting the Confidentiality of Personally Identifiable

Information (PII)

800-30: Guide for Conducting Risk Assessments

800-115: Technical Guide to Information Security Testing and Assessment

800-34: Contingency Planning Guide for Federal Information Systems

Cybersecurity Framework

1800 series: Cyber Security Practice Guides

http://csrc.nist.gov/publications/PubsSPs.html

800-53: Security and Privacy Controls for Federal

Information Systems and Organizations

18 security areas

– Management/enterprise

– Operational

– Technical

8 privacy areas

17

800-53: Security – Technical

AC: Access Control

AU: Audit and Accountability

CM: Configuration Management

IA: Identification and Authentication

SC: System and Communications Protection

SI: System and Information Integrity

18

800-53: Security – Operational

CA: Security Assessment and Authorization

CP: Contingency Planning

IR: Incident Response

MA: System Maintenance

MP: Media Protection

PE: Physical and Environmental Protection

19

800-53: Security – Management/ Enterprise

AT: Security Awareness and Training

PL: Security Planning

PM: Program Management

PS: Personnel Security

RA: Risk Assessment

SA: System and Services Acquisition

20

800-53: Privacy

AP: Authority and Purpose

AR: Accountability, Audit, and Risk Management

DI: Data Quality and Integrity

DM: Data Minimization and Retention

IP: Individual Participation and Redress

SE: Security

TR: Transparency

UL: Use Limitation

21

800-53: Example Control

22



Benefits:

– Comprehensive

– Supplemental guidance useful

– Baselines allow risk-based approach

– Supported by 53A, allowing for corresponding assessment

– Cross references throughout and to other NIST SPs

Challenges:

– Comprehensive! (Complex)

– Focus on Federal systems

• Private entities? State/Local government?

– Focus on information systems

• IoT devices, industrial control systems, weapons systems

23

24

800-53: What’s Next?

Revision 5 - 3/28/17

Not yet published

Proposed changes can be found here

All drafts of computer security publications can be

found here

http://csrc.nist.gov/publications/drafts/800-53r5/draft_sp800-53-rev5_update-message.pdf

http://csrc.nist.gov/publications/PubsDrafts.html

Revision 4, April 2013:

http://nvlpubs.nist.gov/nistpubs/SpecialPublic

ations/NIST.SP.800-53r4.pdf

Excel, XML available:

https://web.nvd.nist.gov/view/800-53/home

25



http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf







26

Information and communications technology (ICT)

supply chain risks

Includes the following:

Integration of ICT supply chain risks management (SCRM)

into organization-wide risk management

ICT SCRM Controls (enhanced overlay of NIST 800-53)

ICT Supply Chain Threat Events

Supply Chain Threat Scenarios and Analysis Framework

ICT SCRM Plan Template

800-161: Supply Chain Risk Management Practices for

Federal Information Systems and Organizations

27

Benefits:

Overlay of NIST 800-53

Developed with diverse input

Guidance for each organizational tier, organizational

functions, and system development life cycle

Challenges:

Cyber supply chain risks cut across every major function

and business line

800-161: Supply Chain Risk Management Practices for

Federal Information Systems and Organizations (cont.)

28

800-161: Supply Chain Risk Management Practices

for Federal Information Systems and Organizations

April 2015:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/N

IST.SP.800-161.pdf

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf




29

800-61: Computer Security Incident

Handling Guide

Organizing a Computer Security Incident Response

Capability

Understanding Events and Incidents

Incident Response Policy, Plan, Procedures

Incident Response Team Structure

Handing an Incident

Preparation

Detection and Analysis

Containment, Eradication, and Recovery

Post-Incident Activity

30


Handling Guide (cont.)

Benefits:

Easy to understand for detection, analyzing, prioritizing,

handling incidents

Provides checklists, scenarios, examples, recommendations

Challenges:

Less focus on establishing incident response program

Doesn’t provide specific template for Incident Response

Policy or Plan

31


Handling Guide

Revision 2, August 2012:


IST.SP.800-61r2.pdf





32

800-124: Guidelines for Managing the Security of

Mobile Devices in the Enterprise

Organization-provided and BYOD mobile devices


Mobile Device Overview

Technologies for Mobile Device Management

Security for the Enterprise Mobile Device Solution Life

Cycle

Supporting NIST 800-53 Security Controls

33


Mobile Devices in the Enterprise (cont.)

Benefits:

Recommendations for selecting, implementing and using

centralized management technologies for securing mobile

devices

Refers to applicable NIST 800-53 controls

Challenges:

Addressing BYOD

34


Mobile Devices in the Enterprise

Revision 1, June 2013:


IST.SP.800-124r1.pdf





35

800-50: Building an Information Technology

Security Awareness and Training Program

Components: Awareness,

Training, Education

Designing the Program

Conducting Needs

Assessment

Developing Strategy and

Plan

Establishing Priorities

Setting the Bar

Funding the Program

Developing Material

Selecting Topics

Sources of Material

Implementing the Program

Communicating the Plan

Techniques for Delivering

Material

Post-Implementation

Monitoring Compliance

Evaluation and Feedback

Managing Change

Ongoing Improvement

Program Success Indicators

36

800-50: Building an Information Technology Security

Awareness and Training Program (cont.)

Appendices

Sample needs assessment interview and questionnaire

Sample metric

Sample program plan template

Sample awareness posters

37


Security Awareness and Training Program (cont.)

Benefits:

Good starting point

• Comprehensive list of awareness topics

Incorporates various roles from CIO to user

Different program models (centralized, partially/fully

decentralized)

Cross references to other NIST SPs

• Awareness and Training Metric => SP 800-55 Security

Metrics Guide for IT Systems

Challenges:

Outdated

Doesn’t incorporate tools (e.g., phishing)

Awareness and Training Plan template very high level, not

detailed

38


Security Awareness and Training Program

October 2003:

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecial

publication800-50.pdf

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf




39

800-122: Guide to Protecting the Confidentiality

of Personally Identifiable Information (PII)

Confidentiality of PII


Introduction to PII

PII Confidentiality Impact Levels

PII Confidentiality Safeguards

Incident Response for Breaches Involving PII

Scenarios for PII Identification and Handling

40


of PII (cont.)

Benefits:

Categorizing PII by the confidentiality impact level

Other terms and definitions used to describe personal

information

Challenges:

Identifying all PII residing in environment

Organizations subject to a different combination of laws,

regulations, and other mandates

41


of PII

April 2010:







42


The Fundamentals

Risk management process

Risk assessment

Key risk concepts

Application of risk assessments

43


(cont.)

The Risk Assessment Process

44


(cont.)

Appendices

Threat Sources

Threat Events

Vulnerabilities and Predisposing Conditions

Likelihood of Occurrence

Impact

Risk Determination

Informing Risk Response

Risk Assessment Reports

Summary of Tasks

45


(cont.)

Benefits:

Comprehensive, detailed

Lots of examples

Good summaries of key activities throughout

Flexible

• Different approaches: threat, asset/impact, vulnerability

Challenges:

Complex

Overly granular

46


Revision 1, September 2012:

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspeci

alpublication800-30r1.pdf

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf




47

800-115: Technical Guide to Information

Security Testing and Assessment

Security testing and assessments


Security Testing and Examination Overview

Review Techniques

Target Identification and Analysis Techniques

Target Vulnerability Validation Techniques

Security Assessment Planning

Security Assessment Execution

Post-Testing Activities

48

800-115: Technical Guide to Information

Security Testing and Assessment (cont.)

Benefits:

Includes two live operating system CD distributions

Techniques can be leveraged with the NIST 800-53A

methodology

Challenges:

Technically oriented

Dozens of security testing and examination techniques exist

49

800-115: Technical Guide to Information Security

Testing and Assessment

September 2008:







50

800-34: Contingency Planning Guide for

Federal Information Systems

Information system contingency plan (ISCP) development


Types of Contingency Planning

Information System Contingency Planning Process

Information System Contingency Plan Development

Technical Contingency Planning Considerations

Sample Information System Contingency Plan Templates

51

800-34: Contingency Planning Guide for

Federal Information Systems (cont.)

Benefits:

Integrated with NIST 800-53 contingency planning related

controls

Purpose, scope, and plan relationship for various types of

plans

3 sample formats

Challenges:

Independent of specific hardware platforms, operating

systems, and applications

Does not address facility-level information system planning

(DR plan)

52

800-34: Contingency Planning Guide for Federal

Information Systems

Revision 1, May 2010:


publication800-34r1.pdf





Cybersecurity Framework (CSF)

Three parts:

– Framework Core

– Framework Implementation Tiers

– Framework Profiles

Framework Core:

53 53

CSF Core

54

CSF: Tiers/Profiles

Tiers

– Tier 1: Partial

– Tier 2: Risk Informed

– Tier 3: Repeatable

– Tier 4: Adaptive

Profiles

– Current profile (“as is”)

– Target profile (“to be”)

55

CSF: Applying The Framework

Develop the “As-Is” profile

Develop the “To-Be” profile

Identify gaps and opportunities

Develop a prioritized action plan

56

Rep

eata

ble

CSF: Benefits, Challenges

Benefits:

– Voluntary

– Expose new risks

– Sharing, collaboration

– Layered approach

Challenges:

– Not “set it and forget it”

– Requires “buy-in”

– Communicating risks

– Large, complex organizations

– Lack of quantifiable metrics

57

58

CSF: What’s Next?

Draft update (v1.1) has been issued

Comments were due 4/10/17

Proposed changes can be found here

https://www.nist.gov/cyberframework/proposed-updates-cybersecurity-framework

Cybersecurity Framework

59

Framework available as PDF, additional support via

Excel

Draft Version 1.1, January 2017:

https://www.nist.gov/cyberframework/draft-

version-11

Version 1, February 2014:

https://www.nist.gov/sites/default/files/documents/c

yberframework/cybersecurity-framework-

021214.pdf

https://www.nist.gov/cyberframework/draft-version-11





https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf






60

1800 Series: Cybersecurity Practice Guides

SP 1800-7

(Draft)

February

2017

Situational Awareness for Electric Utilities

Announcement and Draft Publication

SP 1800-6

(Draft)

November

2016

Domain Name Systems-Based Electronic Mail Security


SP 1800-5

(Draft)

October

2015

IT Asset Management: Financial Services


SP 1800-4

(Draft)

November

2015

Mobile Device Security: Cloud and Hybrid Builds


SP 1800-3

(Draft)

September

2015

Attribute Based Access Control


SP 1800-2

(Draft)

August

2015

Identity and Access Management for Electric Utilities


SP 1800-1

(Draft)

July

2015

Securing Electronic Health Records on Mobile Devices










61

CPE Code 3

56932

Questions?

62

Sarah Ackerman

[email protected]

(513) 371-5613

Carly Devlin

[email protected]

(614) 607-5132

If you wish to discuss any aspect of this presentation in

more detail, please feel free to contact us:

What Are Best Practices? Making Sense of NIST and Other...

Documents

Transcript of What Are Best Practices? Making Sense of NIST and Other...