©2013 CliftonLarsonAllen LLP cliftonlarsonallen.com Cybersecurity Governance Update: New FFIEC Requirements

Cybersecurity Governance Update: New FFIEC Requirements · 2015-01-26 · FFIEC Cybersecurity Assessments · FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement


Page 1

cliftonlarsonallen.com

Cybersecurity Governance Update: New FFIEC Requirements

Page 2

Our perspective… CliftonLarsonAllen

– Started in 1953 with a goal of total client service

– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.

– Information Security offered as specialized service offering for over 15 years

– Largest Credit Union Service Practice*

*Callahan and Associates 2014 Guide to Credit Union CPA Auditors. CliftonLarsonAllen’s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. www.larsonallen.com – news release


Page 3

Overview

• Up To Date Cybersecurity and Fraud Risks

– Current threat environment

– Industry examples and case studies

• FFIEC Cybersecurity Assessments and Governance Requirements

• Strategies to mitigate and manage risks


Page 4

Cyber Fraud Risk Themes

• Hackers have “monetized” their activity

– More hacking

– More sophistication

– More “hands-on” effort

– Smaller organizations targeted

• Social engineering on the rise

• Hackers targeting members and member businesses


Page 5

Three Largest Cyber Fraud Trends

• Organized Crime

– Wholesale theft of personal financial information

• CATO – Corporate Account Takeover

– Use of online credentials for ACH, CC and wire fraud

• Ransomware

– Your data held for ransom


Page 6

Theft of PFI

• Target

• Home Depot

• Goodwill

• Jimmy Johns

• Neiman Marcus

• Dairy Queen

• Sally Beauty

• Harbor Freight

• University of Maryland

• University of Indiana

• Olmsted Medical Center

• Community Health Systems


Page 8

Credit Card Data For Sale


Page 9

Corporate Account Takeover

• Catholic church parish

• Hospice

• Finance company

• Main Street newspaper stand

• Electrical contractor

• Utility company

• Industry trade association

• Rural hospital

• Mining company

• On and on and on and on…


Page 10

CATO Lawsuits - UCC

a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”


Page 11

CATO Lawsuits - UCC

• Tennessee Electric vs TriSummit Bank

• $327,804 stolen via ACH through CATO

• Internet banking site was “down” – DOS?

• Tennessee Electric asserting TriSummit processed bogus ACH file without any call back


Page 12

CATO Lawsuits - UCC

• Choice Escrow vs BancorpSouth

• $440,000 stolen via single wire through CATO

– CE passed on dual control offered by the bank

• Court ruled in favor of bank

• CE attorneys failed to demonstrate bank’s procedures were not commercially reasonable


Page 13

CATO Defensive Measures

• Multi-layer authentication

• Multi-factor authentication

• Out of band authentication

• Positive pay

• ACH block and filter

• IP address filtering

• Dual control

• Activity monitoring

• Manual vs. Automated controls
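As an added example (not code from the deck or from CliftonLarsonAllen), the toy Python model below shows how several of these layers combine at release time for a single online ACH or wire order: IP filtering and the ACH filter reject outright, while dual control and an out-of-band callback on unusual activity hold the order until a second person acts. The customer profile, thresholds, and sample orders are constructed for illustration.

```python
"""Release-time checks for an online ACH/wire payment order.

Added example, not code from the CliftonLarsonAllen deck: a toy model of how
the CATO defensive measures listed above combine. The customer profile,
thresholds and sample orders below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import List, Optional, Set


@dataclass
class CustomerProfile:
    """Controls the business customer enrolled in (or declined) at onboarding."""
    name: str
    dual_control: bool                 # require an independent second approver
    ip_allowlist: List[str]            # CIDR strings; empty list = no IP filtering
    known_beneficiaries: Set[str]      # accounts this customer has paid before
    ach_filter: Set[str]               # ACH originator ids allowed to debit (block all others)
    recent_amounts: List[float]        # constructed history for activity monitoring
    callback_threshold: float = 25_000.0   # out-of-band confirmation at or above this amount


@dataclass
class PaymentOrder:
    kind: str                          # "ACH" or "WIRE"
    amount: float
    beneficiary: str
    initiator: str                     # online banking user who keyed the order
    approver: Optional[str]            # second user who approved it, if any
    source_ip: str
    originator_id: Optional[str] = None   # ACH originator for debit entries
    oob_confirmed: bool = False        # phone callback to a known number completed?


@dataclass
class Decision:
    action: str                        # "release", "hold" or "reject"
    reasons: List[str] = field(default_factory=list)


def ip_allowed(ip: str, allowlist: List[str]) -> bool:
    """IP address filtering: an empty allowlist imposes no restriction."""
    if not allowlist:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in allowlist)


def is_anomalous(amount: float, history: List[float], factor: float = 3.0) -> bool:
    """Activity monitoring: flag amounts far above the customer's usual size."""
    if not history:
        return True
    return amount > factor * mean(history)


def evaluate_order(order: PaymentOrder, profile: CustomerProfile) -> Decision:
    """Apply the layered controls and decide whether the order may be released."""
    decision = Decision("release")

    # IP address filtering: a session from outside the allowlist is rejected outright.
    if not ip_allowed(order.source_ip, profile.ip_allowlist):
        decision.action = "reject"
        decision.reasons.append(f"source IP {order.source_ip} not in allowlist")

    # ACH block and filter: only pre-approved originators may post debits.
    if order.kind == "ACH" and order.originator_id not in profile.ach_filter:
        decision.action = "reject"
        decision.reasons.append(f"ACH originator {order.originator_id!r} blocked by filter")

    if decision.action == "reject":
        return decision

    # Dual control: a second, different user must approve before release.
    if profile.dual_control and (order.approver is None or order.approver == order.initiator):
        decision.action = "hold"
        decision.reasons.append("dual control: independent second approver required")

    # Activity monitoring plus out-of-band confirmation for new payees or unusual amounts.
    unusual = (order.beneficiary not in profile.known_beneficiaries
               or is_anomalous(order.amount, profile.recent_amounts)
               or order.amount >= profile.callback_threshold)
    if unusual and not order.oob_confirmed:
        decision.action = "hold"
        decision.reasons.append("out-of-band callback required before release")

    return decision


# Constructed sample: a customer that opted in to every layer.
SAMPLE_PROFILE = CustomerProfile(
    name="Example Escrow Co.",
    dual_control=True,
    ip_allowlist=["203.0.113.0/24"],
    known_beneficiaries={"ACCT-100", "ACCT-101"},
    ach_filter={"ORIG-PAYROLL"},
    recent_amounts=[4000.0, 5200.0, 4800.0],
)

if __name__ == "__main__":
    # A large wire to a new payee keyed by one user: held on two separate grounds.
    suspicious = PaymentOrder("WIRE", 440_000.0, "ACCT-999", "alice", None, "203.0.113.10")
    print(evaluate_order(suspicious, SAMPLE_PROFILE))
```

A customer that declines dual control (set `dual_control=False`) still gets the callback hold on unusual activity, which is the layer that was missing in the cases above.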


Page 14

Ransomware

• Malware encrypts everything it can interact with

– i.e. anything the infected user has access to

• CryptoLocker

• Kovter

– Also displays and adds child pornography images

May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)

http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html


Page 15

Ransomware

• Working (tested) backups are key

Page 16

Keys to Successful Breaches (chart comparing 2013 and 2014)

https://www2.trustwave.com/GSR2014.

Page 17

Keys to Successful Breaches…


Reliance/dependence on 3rd party service providers is at root of most breaches

Page 18

How do hackers and fraudsters break in?

Social Engineering relies on the following:

• The appearance of “authority”

• People want to avoid inconvenience

• Timing, timing, timing…

“Amateurs hack systems, professionals hack people.” Bruce Schneier


Page 19

Pre-text Phone Calls

• “Hi, this is Randy from Fiserv users support. I am working with Dave, and I need your help…”

– Name dropping

– Establish a rapport

– Ask for help

– Inject some techno-babble

– Think telemarketers script

• Home Equity Line of Credit (HELOC) fraud calls

• Ongoing high-profile ACH frauds


Page 20

Email Attacks - Spoofing and Phishing

• Impersonate someone in authority and:

– Ask them to visit a web-site

– Ask them to open an attachment or run update

• Examples

– Better Business Bureau complaint

– http://www.millersmiles.co.uk/email/visa-usabetter-business-bureaucall-for-action-visa

– Microsoft Security Patch Download


Page 21

Email Phishing – “Targeted Attack”


Page 22

Physical (Facility) Security

Compromise the site:

• “Hi, Joe said he would let you know I was coming to fix the printers…”

Plant devices:

• Keystroke loggers

• Wireless access point

• Thumb drives (“Switch Blade”)

Examples…

– Sumitomo Bank (2005) – over $500M – http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html

– Barclays Bank (December, 2013) – $1.30M lost – http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-1.3-million-police-say.html


Page 23

Strategies to Combat Social Engineering

• (Ongoing) user awareness training

• SANS “First Five” – Layers “behind the people”

1. Secure/Standard Configurations (hardening)

2. Critical Patches – Operating Systems

3. Critical Patches – Applications

4. Application White Listing

5. Minimized user access rights – no browsing/email with admin rights

• Logging, Monitoring, and Alerting capabilities

– “The 3 R’s”: Recognize, React, Respond

– More on this at the end…


Page 24

FFIEC – Executive Leadership of Cybersecurity


Page 25

Executive Order 13636

Improving Critical Infrastructure Cybersecurity

February 2013


Page 26

Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Issued on February 12, 2013

• The cyber threat to critical infrastructure … represents one of the most serious national security challenges…to the national and economic security of the US

– Enhance the security and resilience of the Nation's critical infrastructure

– Maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

– Partnership with the owners and operators of critical infrastructure


Page 27

Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Definition of Critical Infrastructure

• Cybersecurity Information Sharing

• Privacy and Civil Liberties Protections

• Consultative Process

• Baseline Framework to Reduce Cyber Risk to Critical Infrastructure

• Voluntary Critical Infrastructure Cybersecurity Program

• Identification of Critical Infrastructure at Greatest Risk

• Adoption of Framework

• See appendix for details…


Page 28

FFIEC Executive Leadership Cybersecurity Webinar

May 7, 2014


Page 29

Cybersecurity Leadership - FFIEC

• https://www.fdic.gov/news/news/financial/2014/fil14021.html



Page 31

May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar

• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:

– Setting the tone at the top and building a security culture

– Identifying, measuring, mitigating, and monitoring risks

– Developing risk management processes commensurate with the risks and complexity of the institutions

– Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future

– Creating a governance process to ensure ongoing awareness and accountability

– Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks



Page 36

Cybersecurity Assessments

July – August 2014


Page 37

Current FFIEC IT Examination Process

• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions.

• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov/) and supplemented by periodic agency guidance.

• IT Examinations review the financial institution’s Information Security Program.


Page 38

Information Security Program

• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information

– Board of Directors will develop an Information Security Program that addresses the requirements of:

◊ Section 501(b) of the GLBA;

◊ Federal Financial Institutions Examination Council’s (FFIEC) “Interagency Guidelines Establishing Information Security Standards” (501[b] Guidelines); and

◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC’s Rules and Regulations)

• The Information Security Program is comprised of:

– Risk Assessment

– Risk Management

– Audit

– Business Continuity/Disaster Recovery/Incident Response

– Vendor Management

– Board and Committee Oversight


Page 39

Information Security Program Risk Assessment and Risk Management

• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems.

• Risk is determined based on the likelihood of a given threat-source’s ability to exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical, and physical controls to reduce or eliminate the impact of the threat.


Page 40

Information Security Program Audit

• ISP-related Audits/Reviews

– ISP Review/IT General Controls Review

– External/Internal Vulnerability and Penetration Assessments

– Social Engineering Assessments

• E-Banking Reviews

– ACH Audit

– Wire Transfer Audit

– Remote/Mobile Deposit Capture Audit

• Audit/Exam Recommendation Tracking and Reporting


Page 41

Information Security Program Business Continuity/Disaster Recovery/Incident Response

• Business Continuity/Disaster Recovery Plan

– Annual Testing of Critical Systems

– Annual Employee Tabletop/Scenario Testing

– Board Reporting

• Incident Response Plan

– Compromise of customer information

– Annual Testing

– FS-ISAC

– Cybersecurity Examinations?


Page 42

Information Security Program Vendor Management

• Vendor Management Policy

• Vendor Risk Assessment

– Access to Customer Information

– Criticality to Bank Operations

– Ease of Replacement

• New Vendor Due Diligence and Annual Reviews

• Continuous Monitoring


Page 43

FFIEC Cybersecurity Assessments

• In the summer of 2014, the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks.

• Integrated into regular IT Examination process

– Cyber Risk Management and Oversight

– Cyber Security Controls

– External Dependency Management

– Threat Intelligence and Collaboration

– Cyber Resilience

• Launched a cybercrime website https://www.ffiec.gov/cybersecurity.htm


Page 44

FFIEC Cybersecurity Assessments

FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)

• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing, and response procedures.

• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)

– Improved identification and mitigation of attacks

– Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems

– Sharing information to help other FIs


Page 45

FFIEC Cybersecurity Assessments

FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)

• FI Management should:

– Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly

– Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization

◊ FS-ISAC: www.fsisac.com

◊ FBI Infragard: www.infragard.org

◊ U.S. Computer Emergency Readiness Team at US-CERT: www.us-cert.gov

◊ U.S. Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml


Page 46

FFIEC Cybersecurity Assessments

FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk

– Management must understand the FI’s INHERENT RISK when assessing cybersecurity preparedness

◊ Connection Types: identify and assess the threats to all access points to the internal network

• VPN

• Wireless

• Telnet/FTP

• Vendor LAN/WAN access

• BYOD


Page 47

FFIEC Cybersecurity Assessments

FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk (cont.)

◊ Products and Services: identify and assess threats to all products and services currently offered and planned

• Online ACH and Wire Transfer origination

• External funds transfers (A2A, P2P, bill pay)


Page 48

FFIEC Cybersecurity Assessments

FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk (cont.)

◊ Technologies Used: identify and assess threats to all technologies currently used and planned

• Core systems

• ATMs

• Internet and mobile applications

• Cloud computing


Page 49

FFIEC Cybersecurity Assessments

FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Preparedness

– Current cybersecurity practices and overall preparedness should include:

◊ Cybersecurity Controls: Preventive, detective, or corrective procedures for mitigating identified cybersecurity threats

• Patching, encryption, limited user access

• Intrusion detection/prevention systems, firewall alerts

• Formal audit program with scope and schedule based on an asset’s inherent risk, prompt and documented remediation of findings, regular activity report reviews


Page 50

FFIEC Cybersecurity Assessments

FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Preparedness (cont.)

◊ Cyber Incident Management and Resilience: Incident detection, response, mitigation, escalation, reporting, and resilience

• Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures

• Senior management and board incident reporting


Page 51

FFIEC Cybersecurity Assessments

FFIEC Cybersecurity Assessment Implications?

• Increased Board and C-Suite Involvement

• Participation in information-sharing group(s)

• Cybersecurity scenario testing with employees and management

• Increased oversight of third-party service providers

• Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings


Page 52

Very Recent Examiner Supplemental Cyber Security “Request List”


Page 55

Key Defensive Strategies


Page 56

Strategies

Our information security strategy should have the following objectives:

• Users who are more aware and savvy

• Networks that are resistant to malware

• Be Prepared… Monitoring, Incident Response, and Forensic Capabilities


Page 57

Ten Keys to Mitigate Risk

1. Strong policies

2. Defined user access roles – minimum access

3. Hardened internal systems and end points

4. Encryption strategy – data centered

5. Vulnerability management process

6. Perimeter security layers

7. Centralized logging, analysis and alerting capabilities

8. Incident response capabilities

9. Know / use online banking tools

10. Test, Test, Test – Independent validation that it works…


Page 58

Verizon

• Report is analysis of intrusions investigated by Verizon and US Secret Service.

• KEY POINTS:

– Time from successful intrusion to compromise of data was days to weeks.

– Log files contained evidence of the intrusion attempt, success, and removal of data.

– Most successful intrusions were not considered highly difficult.


Page 59

Centralized Logging, Analysis, and Alerting

Centralized audit logging, analysis, and automated alerting capabilities (SIEM):

• Firewalls

• Security appliances

• Routing infrastructure

• Network authentication

• Servers

• Applications ***

• Archiving vs. Reviewing


Page 60

Call To Action

• Policies to set foundation

• Train your users

• Thoroughly assess your risks

• Three R’s: Recognize, React, Respond

• Thoroughly validate your controls

– High expectations of your vendors

– Penetration testing

– Application testing

– Vulnerability scanning

– Social engineering testing

(Diagram: People – Rules – Tools)


Questions?

61



cliftonlarsonallen.com

twitter.com/CLA_CPAs

facebook.com/cliftonlarsonallen

linkedin.com/company/cliftonlarsonallen

Randy Romes, CISSP, CRISC, MCP, PCI-QSA

Principal, Information Security Services

[email protected]

888.529.2648

62


Resources – Hardening Checklists

Hardening checklists from vendors

• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org/

• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx

Most of these will be from the “BIG” software and hardware providers

63


“Three” Security Reports

• Trends: SANS 2009 Top Cyber Security Threats – http://www.sans.org/top-cyber-security-risks/

• Intrusion Analysis: TrustWave (Annual) – https://www.trustwave.com/whitePapers.php

• Intrusion Analysis: Verizon Business Services (Annual) – http://www.verizonenterprise.com/DBIR/

64


Executive Order 13636

Improving Critical Infrastructure Cybersecurity

65


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Issued on February 12, 2013

• The cyber threat to critical infrastructure … represents one of the most serious national security challenges … to the national and economic security of the US

– Enhance the security and resilience of the Nation's critical infrastructure

– Maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

– Partnership with the owners and operators of critical infrastructure

66


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Definition of Critical Infrastructure

– Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

67


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Cybersecurity Information Sharing

– Increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities

– The Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence shall each issue instructions … to ensure the timely production of unclassified reports of cyber threats that identify a specific targeted entity.

◊ Also includes the dissemination of classified reports to authorized critical infrastructure entities.

◊ Will establish a system for tracking the production, dissemination, and disposition of these reports.

68


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Cybersecurity Information Sharing (cont.)

– DHS Secretary shall:

◊ Establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors.

◊ This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

◊ Expedite the processing of security clearances to critical infrastructure personnel

◊ Expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis [to] provide advice

69


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Privacy and Civil Liberties Protections

– Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities.

70


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Consultative Process

– The DHS Secretary shall establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure.

◊ The Critical Infrastructure Partnership Advisory Council

◊ Sector Coordinating Councils

◊ Critical infrastructure owners and operators

◊ Sector-Specific Agencies

◊ Other relevant agencies

◊ Independent regulatory agencies

◊ State, local, territorial, and tribal governments

◊ Universities; and

◊ Outside experts.

71


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Baseline Framework to Reduce Cyber Risk to Critical Infrastructure

– The Secretary of Commerce shall direct the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework").

◊ A set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.

◊ Shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.

◊ Shall be consistent with voluntary international standards when such international standards will advance the objectives of this order.

72


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Baseline Framework to Reduce Cyber Risk to Critical Infrastructure

– The Cybersecurity Framework shall:

◊ Provide a prioritized, flexible, repeatable, performance-based, and cost effective approach … to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

◊ Focus on identifying cross-sector security standards and guidelines…

◊ Identify areas for improvement that should be addressed through future collaboration…

◊ Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards…

◊ Include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

73


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Voluntary Critical Infrastructure Cybersecurity Program

– Shall be a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.

◊ Sector-Specific Agencies … shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and … develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

◊ Sector-Specific Agencies shall report annually to the President … on the extent to which owners and operators … are participating in the Program.

74


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Identification of Critical Infrastructure at Greatest Risk

– Risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.

◊ Expertise of Sector-Specific Agencies.

◊ Application of consistent, objective criteria in identifying such critical infrastructure.

◊ Shall not identify any commercial information technology products or consumer information technology services ….

◊ Review and update the list of identified critical infrastructure … on an annual basis

75


Executive Order 13636 Improving Critical Infrastructure Cybersecurity

• Adoption of Framework

– Agencies with responsibility for regulating the security of critical infrastructure shall review the preliminary Cybersecurity Framework with DHS, OMB, and National Security Staff to determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.

◊ If current regulatory requirements are … insufficient, … agencies shall propose prioritized, risk-based, efficient, and coordinated actions … to mitigate cyber risk.

– Two years after publication of the final Framework, agencies shall report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements.

76