MANAGING THE EFFECTIVENESS OF A CYBER SECURITY PROGRAM THROUGH A NIST CYBER SECURITY FRAMEWORK EVALUATION
Art Ehuan, Alvarez & Marsal Global Cyber Risk Services LLC

MANAGING THE EFFECTIVENESS OF A CYBER SECURITY PROGRAM THROUGH A NIST … - Gestionando la... · 2016. 11. 3. · The NIST CSF is not proscriptive! The NIST CSF does not include any


AGENDA

•  How does an organization know if the cyber security program is effective?
•  NIST Cybersecurity Framework Overview
•  Understanding the framework
•  Applying NIST to a Cyber Evaluation
•  Informative References and External Frameworks

IS THE EXISTING CYBER SECURITY PROGRAM EFFECTIVE?

STATE OF CYBERSECURITY

Over 169 million personal records were exposed in 2015, stemming from 781 publicized breaches across the financial, business, education, government and healthcare sectors.
– “ITRC Data Breach Reports – 2015 Year-End Totals” | ITRC

The average global cost per each lost or stolen record containing confidential and sensitive data was $154. The industry with the highest cost per stolen record was healthcare, at $363 per record.
– “Cost of Data Breach Study: Global Analysis” | IBM/Ponemon

In 2015, there were 38 percent more security incidents detected than in 2014.
– “The Global State of Information Security Survey 2016” | PwC

The median number of days that attackers stay dormant within a network before detection is over 200.
– “Microsoft Advanced Threat Analytics” | Microsoft

As much as 70 percent of cyber attacks use a combination of phishing and hacking techniques and involve a secondary victim.
– “2015 Data Breach Investigations Report” | Verizon

STATE OF CYBERSECURITY

An alarming 59% of respondents say that their agency struggles to understand how cyber attackers could potentially breach their systems, with 40% of respondents unaware of where their key assets are located.

65% of respondents disagree that the federal government as a whole can detect ongoing cyber attacks.

Only 67% of respondents believe their agencies can appropriately respond to a cyber incident.

Lack of accountability is a consistent theme throughout the industry.

“How does Management know” if the cyber security program is effective?

Statistics attributed to the 2016 “State of Cybersecurity” report by the International Information System Security Certification Consortium, or (ISC)²: https://www.isc2.org/uploadedfiles/(isc)2_public_content/us_government/isc2-federal-cyber-survey-report.pdf

STATE OF CYBERSECURITY

[Illustrations on this slide: “TOP 3 INHIBITORS TO SECURITY” and “SIGNIFICANT GAME CHANGING TECHNOLOGY”]

Illustrations attributed to the 2016 “State of Cybersecurity” report by the International Information System Security Certification Consortium, or (ISC)²: https://www.isc2.org/uploadedfiles/(isc)2_public_content/us_government/isc2-federal-cyber-survey-report.pdf

CYBERSECURITY FRAMEWORK OVERVIEW

NIST CYBERSECURITY FRAMEWORK – WHAT IS IT?

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.

•  Voluntary participation
•  Nearly 3,000 participating SMEs contributed to its development
•  Improves an organization's cyber readiness
•  Flexible, repeatable and activity driven
•  Technology neutral
•  Maps to and leverages existing frameworks
•  Creates a common assessment language
•  Highlights the current cyber readiness state
•  Defines the future cyber readiness state
•  Industry agnostic

NIST CYBERSECURITY FRAMEWORK – WHAT IS IT?

The NIST CSF is a risk-based framework created through collaboration between the U.S. government and private sector that frames a standardized set of cybersecurity concepts into best practices to help organizations manage cyber risks. The Framework consists of three parts: the Core, the Implementation Tiers and the Profile. The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, divided into five Functions: Identify, Protect, Detect, Respond, and Recover. The Implementation Tiers provide context on how you view cybersecurity risk and the processes you currently have in place to manage risk. The Framework Profile represents the alignment of your cybersecurity activities with business requirements, risk tolerances, and resources. The Framework enables you to describe your current and target cybersecurity profiles, identify and prioritize opportunities for improvement, and evaluate your progress toward your target state.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) CYBERSECURITY FRAMEWORK (CSF)

Framework Informative References – External Guidance and Control Mapping
•  Control Objectives for Information and Related Technology (COBIT)
•  Council on CyberSecurity (CCS) Top 20 Critical Security Controls
•  ANSI/ISA-62443-2-1 (99.02.01)-2009
•  ANSI/ISA-62443-3-3 (99.03.03)-2013
•  ISO/IEC 27001
•  NIST Special Publication 800-53 Revision 4

Framework Implementation Tiers – Subcategory Scoring and Gap Prioritization
•  Tier 1 – Partial
•  Tier 2 – Risk Informed
•  Tier 3 – Repeatable
•  Tier 4 – Adaptive

Improving Cybersecurity Program – Steps to Gap Remediation and Improvement
•  Step 1 – Prioritize & Scope
•  Step 2 – Orient
•  Step 3 – Create a Current Profile
•  Step 4 – Conduct Risk Assessment
•  Step 5 – Create a Target Profile
•  Step 6 – Analyze & Prioritize Gaps
•  Step 7 – Implement Action Plan

UNDERSTANDING THE FRAMEWORK

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) CYBERSECURITY FRAMEWORK (CSF)

The NIST CSF is not prescriptive!

The NIST CSF does not include any control families. The categories and subcategories merely consolidate and describe security concepts as expectations. The framework also provides a common language and a systematic methodology and roadmap for managing cyber risk.

It also does not tell an organization how much cyber risk is tolerable, but provides a roadmap to help develop an understanding of risk and risk tolerance.

The framework is a living document.

It is intended to be updated from time to time as stakeholders learn from implementation, and as technology and risks change. NIST held a public information sharing workshop this year.

The framework helps an organization focus on areas requiring additional attention and ask the kind of hard risk tolerance and cultural questions that are necessary to manage cyber risk. While practices, technology, and standards will change over time – principles and corporate culture should not.

THE NIST CSF EVALUATION METHODOLOGY

Identify and Engage Executive Sponsor
•  Seek and establish executive champion and evaluation context

Assess Current Profile using Implementation Tiers
•  Provide and collect CSF questionnaire
•  Conduct leadership and SME interviews
•  Review previous work and collected documents and policies
•  Establish the current Profile as defined by the Implementation Tiers
•  Perform Gap Analysis to inform Target State

Define Target Profile using Implementation Tiers
•  Determine a Target Profile as defined by the Implementation Tiers
•  Draft a prioritized action roadmap and execution program

Continuously monitor, communicate and collaborate
•  Reiteratively reassess your Current Profile and Target Profile
•  Share information about the Target Profile with your executive sponsor
•  Seek guidance aligning the Target Profile into projects and initiatives

FRAMEWORK IMPLEMENTATION TIERS – UNDERSTOOD

The Tiers comprise a numerical range between one (1) and four (4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices. Risk management considerations include many aspects of cybersecurity, including the degree to which privacy and civil liberties considerations are integrated into an organization's management of cybersecurity risk and potential risk responses.

The Tier scoring process requires the consideration of three conceptual criteria. These criteria inform the understanding of the qualitative nature of the activities and the comprehensiveness of the organization's efforts for the individual subcategory being assessed. Each of the three criteria carries an increasing burden of compliance relative to that concept for a Tier to be understood as achieved. The three criteria used to guide tier assignments are:
•  Risk Management Practices
•  Integrated Risk Management Program
•  External Participation and Information Consideration

An organization scoring as tier 1 on a subcategory is encouraged to consider moving toward tier 2 or greater. However, the tiers themselves do not represent maturity levels. As such, progression to a higher tier is encouraged when such a change would reduce cybersecurity risk and align with the organization's stated risk tolerance while remaining cost effective. The tiers also do not describe the organization's efforts in any individual Framework subcategory as good vs. bad or adequate vs. inadequate; rather, they level-set the understanding of the current state profile for each subcategory so as to identify where additional gap closure might be required to align the cybersecurity posture with the stated risk tolerance.

TIER 1 – PARTIAL: informal practices; risk managed ad hoc; limited awareness; no external collaboration

TIER 2 – INFORMED: practices approved but not established; risk practices are informed; advanced awareness but no cohesion; aware of external information but no formal plan

TIER 3 – REPEATABLE: approved practices documented as policy; decisions are risk driven organization wide; awareness of risk and cohesion in action; actively consumes external information

TIER 4 – ADAPTIVE: lessons-learned-driven practices; continuous improvement in risk decisioning; risk awareness is cultural; actively participates in information sharing

FRAMEWORK IMPLEMENTATION TIERS – APPLIED

The Tiers essentially provide a method for framing the 98 CSF subcategories with easy-to-understand metrics and provide context as to how the organization:
1) Competently accesses risk data, and the extent to which it understands the cybersecurity risks it faces
2) Articulates and communicates its tolerance to the identified risks
3) Expends resources, manages the processes and improves the activities committed to managing its cybersecurity risks

For the purposes of a consultative or regulatory examination, the tier scores can serve as triggers for increased scrutiny or for forced intervention and oversight by a regulatory body. In A&M's experience, the following scale is an effective way to define these triggers:

Tier score of 3.50 – 4.00: Receives annual monitoring
Tier score of 3.00 – 3.49: Receives recurrent monitoring
Tier score of 2.50 – 2.99: Requires scrutiny
Tier score of 2.00 – 2.49: Receives scrutiny and possible intervention
Tier score of 1.00 – 1.99: Requires intervention
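As an added worked example (not code from the A&M deck or from NIST), the following Python scores a Current Profile against a Target Profile using Implementation Tiers 1–4, rolls the subcategory tiers up per Function, maps each roll-up to the A&M trigger scale above, and produces the prioritized gap list of Step 6; it also enforces the slide's caveat that tiers are not maturity levels by requiring a rationale for any raised target. The ID.AM subcategory ids and control references come from the deck's mapping slide; the tier values, rationales and the PR.AC-1/DE.CM-1 entries are constructed sample data.

```python
from dataclasses import dataclass

# Implementation Tier labels as named in the deck
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# A&M trigger scale quoted on the slide: (inclusive lower bound, outcome)
TRIGGER_SCALE = [
    (3.50, "Receives annual monitoring"),
    (3.00, "Receives recurrent monitoring"),
    (2.50, "Requires scrutiny"),
    (2.00, "Receives scrutiny and possible intervention"),
    (1.00, "Requires intervention"),
]


def trigger_for(score: float) -> str:
    """Map an averaged tier score in 1.00-4.00 to its trigger on the scale."""
    if not 1.0 <= score <= 4.0:
        raise ValueError(f"tier score out of range: {score}")
    for lower, outcome in TRIGGER_SCALE:
        if score >= lower:
            return outcome


@dataclass
class SubcategoryScore:
    subcategory: str              # CSF subcategory id, e.g. "ID.AM-1"
    current: int                  # Current Profile tier (1-4)
    target: int                   # Target Profile tier (1-4)
    rationale: str = ""           # why the higher target cuts risk cost-effectively
    informative_refs: tuple = ()  # external controls the gap is closed against

    def __post_init__(self) -> None:
        for tier in (self.current, self.target):
            if tier not in TIERS:
                raise ValueError(f"{self.subcategory}: tier {tier} is not 1-4")
        # Tiers are not maturity levels, so a higher target needs a stated reason
        if self.target > self.current and not self.rationale:
            raise ValueError(f"{self.subcategory}: raising the target needs a rationale")

    @property
    def function(self) -> str:
        return self.subcategory.split(".")[0]  # ID, PR, DE, RS or RC

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)


def function_scores(profile: list) -> dict:
    """Average Current Profile tier per Function, rounded to the scale's precision."""
    per_function: dict = {}
    for s in profile:
        per_function.setdefault(s.function, []).append(s.current)
    return {fn: round(sum(v) / len(v), 2) for fn, v in per_function.items()}


def prioritized_gaps(profile: list) -> list:
    """Step 6 - Analyze & Prioritize Gaps: widest tier gap first, then by id."""
    return sorted((s for s in profile if s.gap > 0),
                  key=lambda s: (-s.gap, s.subcategory))


# Constructed sample profile: ID.AM ids and control references follow the deck's
# mapping slide (a subset of its references); tiers and rationales are made up.
SAMPLE_PROFILE = [
    SubcategoryScore("ID.AM-1", 2, 3, "inventory is spreadsheet based", ("07.a Inventory of Assets",)),
    SubcategoryScore("ID.AM-2", 1, 3, "no software inventory exists", ("07.a Inventory of Assets",)),
    SubcategoryScore("ID.AM-3", 2, 3, "data flows undocumented", ("01.m Segregation in Networks", "09.m Network Controls")),
    SubcategoryScore("ID.AM-4", 1, 2, "vendor systems not catalogued", ("09.e Service Delivery",)),
    SubcategoryScore("ID.AM-5", 2, 4, "classification drives DR priority", ("07.d Classification Guidelines",)),
    SubcategoryScore("ID.AM-6", 3, 3, "", ("02.a Roles and Responsibilities",)),
    SubcategoryScore("PR.AC-1", 3, 4, "credential lifecycle automation planned"),
    SubcategoryScore("DE.CM-1", 2, 3, "network monitoring coverage is partial"),
]


def report(profile: list) -> str:
    lines = []
    for fn, score in sorted(function_scores(profile).items()):
        lines.append(f"{fn}: {score:.2f} -> {trigger_for(score)}")
    for s in prioritized_gaps(profile):
        refs = ", ".join(s.informative_refs) or "-"
        lines.append(f"  gap {s.gap}: {s.subcategory} {TIERS[s.current]} -> {TIERS[s.target]} [{refs}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PROFILE))
```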

APPLYING NIST TO A CYBER EVALUATION

APPLYING NIST TO A CYBER EVALUATION

[Process diagram; its elements as labelled on the slide, with reliance on the NIST Cyber Security Framework for exam guidance:]
•  Initial Kickoff
•  External Framework Alignment Evaluation
•  Application and Database Evaluation
•  Business and Operational Evaluation & Analysis
•  Technical Evaluation & Analysis
•  Vulnerability Evaluation
•  Compromise Evaluation
•  PEN Testing
•  Incident Response Plan Evaluation
•  Cybersecurity & SecOps Program Review
•  DR\BC Program Evaluation
•  Policies, Standards, Controls & SOP Review
•  Review of Recently Developed Expert Work – Plan For Reuse
•  Assure Reusable Tools Versioning Control & Licensing Sustainability
•  Identify Policy & Framework Gaps
•  Document Threats & Notify as Appropriate
•  Threat Remediation Planning
•  Vulnerability Remediation Planning
•  Program Deficiency Remediation Planning
•  Gap Remediation Planning
•  GRC Technical Report
•  Program Technical Report
•  Threat Profile Technical Report
•  Executive Summary

APPLYING NIST TO AN INDEPENDENT CYBER EVALUATION

Gather necessary planning information
•  Request previous related work product
•  Request regulatory aligned record requests
•  Request CSF aligned record requests
•  Distribute the Regulatory and CSF integrated cybersecurity baseline questionnaire

Review information gathered
•  Review collected previous work product
•  Review record request collected responses in real-time
•  Collate and review collected questionnaire responses
•  Reconcile all collected responses and generate validation requests

Complete cybersecurity review planning
•  Define external framework or regulatory applicability to the examination (e.g. HITRUST, PCI DSS)
•  Develop and execute validation responses review plan
•  Reconcile validation responses for completeness

Conduct cybersecurity fieldwork
•  Conduct initial executive, leadership and subject-matter expert (“SME”) interview sessions
•  Review collected validation information in real-time
•  Conduct SME validation sessions where privilege or confidentiality requirements constrain access to information
•  Reconcile information gathered between CSF subcategories and external requirements
•  Generate prioritized risk findings
•  Consider functional or technical testing to further investigate high or critical findings
•  Conduct CSF Implementation Tier analysis, deliberation and scoring

APPLYING NIST TO AN INDEPENDENT CYBER EVALUATION

[Process diagram with four phases:]
1. Gather Necessary Planning Information
2. Review Information Gathered
3. Complete Cybersecurity Review Planning
4. Conduct Cybersecurity Fieldwork

Activities shown in the diagram:
•  Generate record request for previous work product (assessments, audits and regulatory reports)
•  Generate record requests for documentation related to cyber aligned regulatory requirements
•  Generate record requests for documentation related to the NIST CSF
•  Generate and distribute baseline cybersecurity risk questionnaire to appropriate SMEs
•  Enumerate applicable cybersecurity requirements
•  Review previous work product (assessments, audits and regulatory reports)
•  Review record request response documents in real-time
•  Collate and review cybersecurity risk questionnaire responses
•  Reconcile reviewed information to determine demonstrative validation requirements
•  Identify examination procedures as required by applicable control families
•  Create and maintain testing plan for demonstrative validation
•  Generate real-time record requests for demonstrative validation
•  Continually reconcile demonstrative validation responses for completeness
•  Conduct executive discovery sessions
•  Conduct SME discovery sessions
•  Conduct subject-matter demonstrative validation sessions of privileged information
•  Review demonstrative validation responses in real-time
•  Reconcile collected information and validation with cybersecurity Exhibit C controls and NIST functions
•  Conduct NIST Implementation Tier analysis, deliberation and scoring
•  Generate prioritized risk findings – determine and consider control and / or technical testing
•  Perform maturity model and risk tier alignment

CYBERSECURITY EVALUATOR'S GUIDE TO CONFIDENCE

INFORMATIVE REFERENCES AND EXTERNAL FRAMEWORKS

FRAMEWORK INFORMATIVE REFERENCES

MAPPING OUTSIDE OF THE FRAMEWORK – INDUSTRY-SPECIFIC EXTERNAL FRAMEWORKS

Asset Management (ID.AM)

ID.AM-1: Physical devices and systems within the organization are inventoried
  07.a Inventory of Assets

ID.AM-2: Software platforms and applications within the organization are inventoried
  07.a Inventory of Assets

ID.AM-3: Organizational communication and data flows are mapped
  01.m Segregation in Networks; 05.i Identification of Risks Related to Third Parties; 09.m Network Controls; 09.n Security of Network Services

ID.AM-4: External information systems are catalogued
  01.i Policy on the Use of Network Services; 09.e Service Delivery; 09.n Security of Network Services

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
  07.a Inventory of Assets; 07.b Ownership of Assets; 07.d Classification Guidelines; 12.a Including Information Security in the Business Continuity Management Process; 12.c Developing and Implementing Continuity Plans Including Information Security; 12.d Business Continuity Planning Framework

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  02.a Roles and Responsibilities; 02.c Terms and Conditions of Employment; 02.d Management Responsibilities; 05.k Addressing Security in Third Party Agreements; 07.b Ownership of Assets; 09.n Security of Network Services; 10.k Change Control Procedures; 10.m Control of Technical Vulnerabilities; 11.d Learning from Information Security Incidents; 12.a Including Information Security in the Business Continuity Management Process; 12.c Developing and Implementing Continuity Plans Including Information Security; 12.d Business Continuity Planning Framework; 12.e Testing, Maintaining and Re-assessing Business Continuity Plans

Other external frameworks mapped on the slide: FTC Red Flag, MARS-E

SUMMARY THOUGHTS

•  The only path to RISK AVERSION is CULTURAL change – must be bottom up, driven by executive support
•  Be risk aware and think risk first – compliance requirements will be met as a result
•  Seek informative references – align with required control frameworks as inhibitors
•  Seek a third-party and agnostic NIST-based current state profile evaluation
•  Internally complete the NIST CSF profile exercise – build upon the current state with a target state exercise
•  Develop a gap remediation roadmap to accelerate towards the target state – seek executive leadership support
•  Formalize the risk tolerance process as a driver towards a risk-averse corporate culture
•  Modernize the risk assessment process; seek metric-based data that can inform the risk tolerance process

CYBER PROFESSIONAL

Art Ehuan
Managing Director, Global Cyber Risk Services
600 Madison Avenue, 8th Floor, New York, NY 10022
Direct: +1 517 331 7763
E-mail: [email protected]

•  Art Ehuan has extensive, high-profile industry and law enforcement experience in the field of information security. Mr. Ehuan specializes in the financial, insurance and health sectors, including strategy for enterprise data protection, incident response, and digital investigations for corporate and government agencies. Mr. Ehuan also serves as a senior lecturer on cyber crime/terrorism for the U.S. State Department, Diplomatic Security Service, Anti-Terrorism Assistance Program. In this capacity he has lectured on cyber threats to nation-state critical infrastructure, including Advanced Persistent Threat (APT), Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) protection. Prior to his position as Managing Director at A&M, Art was a Director at Forward Discovery, a cyber forensics consulting and training firm.

•  Mr. Ehuan served as Assistant VP and Director of the Corporate Information Security Department for USAA, a Fortune 200 financial services company. In this role, he was responsible for worldwide enterprise and strategic guidance on the protection of USAA information and established their digital forensic capability and Advanced Data Security and Incident Reporting programs.

•  Among Mr. Ehuan's high-profile corporate positions was Deputy Chief Information Security Officer for the Northrop Grumman Corporation. He was responsible for protecting data from internal and external cyber threats, developing and managing security operations and implementing a corporate digital investigative unit. Mr. Ehuan was also a Federal Information Security Team Manager for BearingPoint (formerly KPMG Consulting), where he established information security initiatives and solutions for government and corporate organizations, as well as developing BearingPoint's corporate incident response and digital forensic services. In addition, Mr. Ehuan served as the Program Manager for Cisco Systems Information Security, where he was responsible for securing corporate networks, managing risk assessments, protecting source code and developing Cisco's worldwide digital forensic capability.

•  As a law enforcement officer, Mr. Ehuan has worldwide experience working on cases involving computer crimes. His extensive background conducting and managing computer intrusion and forensic investigations with the Federal Bureau of Investigation (FBI) led to his assignment as a Supervisory Special Agent assigned to the Computer Crimes Investigations Program at FBI Headquarters in Washington, D.C. In addition, he served as a Computer Analysis Response Team Certified Examiner, where he developed and conducted training for law enforcement globally. Mr. Ehuan served as a computer crime Special Agent for the Air Force Office of Special Investigations (AFOSI), where he investigated cyber crime against the network systems of the U.S. Department of Defense. Mr. Ehuan has also testified in Federal, State and Military courts in cases involving digital forensics.

•  Mr. Ehuan has received industry credentials including the Certified Information Systems Security Professional (CISSP). He also maintains the Information Assessment Methodology (IAM) credentials with the National Security Agency (NSA).

•  Mr. Ehuan was previously an Adjunct Professor/Lecturer at George Washington University, Georgetown University and Duke University, where he taught courses on cyber crime, incident response, digital investigations and computer forensics. He is a contributing author of Techno-Security's Guide to E-Discovery and Digital Forensics from Elsevier Publishing.

© Copyright 2016. Alvarez & Marsal Holdings, LLC. All rights reserved. ALVAREZ & MARSAL®, ® and A&M® are trademarks of Alvarez & Marsal Holdings, LLC.

#AMCYBER

http://www.alvarezandmarsal.com/gcrs