
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences

After the last 2020 Global Leading Voices webinar, which compared ISO 27001 with the CCPA and the New York SHIELD Act, we take a look at the next level of information and cybersecurity management.

How can you assess your security management? The CMMI model (with its 1 to 5 grading) is a well-known system. In early 2020 the US DoD launched the CMMC (Cybersecurity Maturity Model Certification), which uses the same five-level grading for cybersecurity. In this session we discuss the maturity evaluation principles for information security, cybersecurity and application security, and how you can use them in practice.

The webinar covers:

- What's the CMMI?
- What's the CMMC?
- Maturity in security governance (ISMS, cyber, application)
- Security maturity vs audit cycles

Recorded Webinar: https://youtu.be/9BpETh_nAOw


CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences

  1. Agenda
     • Introduction
     • ISO/IEC 27001 & 27701: quick recap (previous sessions)
     • Introduction to CMMC
     • CMMC components
     • How to implement CMMC: highlights
     • CMMC > CMMI > ISO 27001
     • Q & A
  2. Introduction
  3. Before we start... previous session recap
  4. Previous sessions
     1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard (2019-12-09)
     2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29)
     3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (2020-04-15)
     4. Key Data Privacy Roles Explained: Data Protection Officer, Information Security Manager, and Information Security Auditor (2020-06-24)
     5. PECB Webinar: ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know (2020-10-14)
  5. Previous sessions
     • Check the past webinars on the PECB website: https://pecb.com/past-webinars
     • Find all sessions with Q&A + collaterals (decks, recordings) at http://ffwd2.me/PECB_ISO27001_webinars (shortcut to the LinkedIn page)
  6. Quick recap
     • ISO 27001 = ISMS (information security management system)
     • ISO 27701 = PIMS (privacy information management system)
     • For today also: NIST = (US) National Institute of Standards and Technology (part of the Department of Commerce)
  7. What this session is not about: an ISO or NIST deep dive
     • Course material references: see later
     • NIST document references: see later
     The nuts and bolts of the ISMS (ISO/IEC 27001:2013). Just know that it has:
     • 10 chapters, of which 7 are requirement clauses (Clauses 4..10, built on the PDCA cycle)
     • Annex A with 14 main categories (A.5..A.18), 35 subcategories (control objectives) and 114 controls / measures
  8. And also: the ISO/IEC 27000 series
     • ISO 27001 and ISO 27701 are the certifiable standards of the series
     • 59 documents in total in the ISO 27000 series, including codes of practice, guidance, auditing (ISO 27006), incident management (ISO 27035), cybersecurity (ISO 27032), business continuity, communications security, application security, supply chain, storage, ...
     • More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
  9. What this session is not about: the nuts and bolts of the PIMS. Just know that it:
     • Is certifiable, like the ISMS
     • Is the privacy & GDPR add-on to the ISMS
     • Adds specifications to the interpretation of information security, now including PII / personal data
     • Adds extra requirements from GDPR & other legislation
     • Has an interesting annex: GDPR mapping and ISO 29100 (privacy) mapping
  10. Introduction to CMMC: Cybersecurity Maturity Model Certification (DoD)
  11. CMMC - Cybersecurity Maturity Model Certification (source: https://www.acq.osd.mil/cmmc/index.html)
     About
     • Cybersecurity standard by the DoD (US Department of Defense)
     • v1.0 released 31 Jan 2020; currently v1.02
     Purpose
     • A set of standards from the DoD to enhance the cybersecurity capabilities of defense contractors
     Focus
     • Cybersecurity (not information security)
     • USA
     • Re-use of existing principles and frameworks
     • Controlled Unclassified Information (CUI)
  12. CMMC - timeline (source: Focalpoint)
     • January 2020: DoD introduces version 1.0 of the CMMC
     • June 2020: the CMMC-AB releases program requirements and opens registration for C3PAOs and third-party assessors
     • July 2020: DoD to create and publish CMMC training
     • Summer 2020: DoD to undergo rulemaking to implement the CMMC into the DFARS regulation
     • September 2020: DoD to incorporate CMMC requirements in Requests for Proposals (RFPs)
     • FY 2021 - 2026: implementation of the CMMC through a phased rollout
     • FY 2026: CMMC certification a requirement for all companies doing business with the DoD
  13. CMMC - reference to other sources (source: https://www.acq.osd.mil/cmmc/index.html)
     Based on:
     • CERT Resilience Management Model (CERT RMM) v1.2
     • CIS Controls v7.1
     • Draft NIST SP 800-171B
     • FAR Clause 52.204-21
     • NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
     • NIST SP 800-53 Rev 4
  14. CMMC - reusing global principles (source: https://www.acq.osd.mil/cmmc/index.html)
     • Direct link to international standards, CMMI and ISO principles
     • Easy plug-in to information security
     • Cybersecurity > data protection & privacy
  15. CMMC - reference to other sources (repeat of slide 13)
  16. CMMC components: the essentials
  17. CMMC - the essence (source: https://www.acq.osd.mil/cmmc/index.html)
     Core components:
     • 17 capability domains
     • 43 capabilities
     • 171 practices (called controls on the slide; the CMMC model itself calls them practices)
     • Five levels to define and measure cyber maturity
  18. CMMC - the model (source: https://www.acq.osd.mil/cmmc/index.html)
  19. CMMC - 17 domains (source: https://www.acq.osd.mil/cmmc/index.html)
  20. NIST SP 800-53 (Rev 5) mapping
  21. CMMC - processes & practices (source: https://www.acq.osd.mil/cmmc/index.html)
  22. CMMC - levels and focus (source: https://www.acq.osd.mil/cmmc/index.html)
  23. CMMC - effort (source: https://www.acq.osd.mil/cmmc/index.html)
  24. CMMC - the essence (repeat of slide 17)
  25. CMMC vs NIST
     • CMM-C: the C stands for Certification
     • CMMC (DoD) vs NIST (Dept. of Commerce)
     • CMMC has an accredited audit; NIST doesn't
     • CMMC reuses a lot of NIST practices
     • CMMC = cyber only; NIST has a wide range of standards
  26. CMMC vs NIST vs ISO

     Aspect                  CMMC            NIST                         ISO 27001+
     Region                  US focus        US focus                     International
     Target                  Cybersecurity   Wide range: info sec,        Info security + cyber (27032)
                                             cyber, privacy               + data protection (27701) ...
     Type of best practice   Operational     Mix                          Governance
     Details                 Practical       Deep-dive detail             High-level framework
     Owner                   DoD             DoC                          ISO
     Audit                   Yes             No                           Yes
     Certifiable             Yes             No                           Yes
     Maturity                CMMI basis      PRISMA                       CMMI
  27. CMMC vs CMMI: quick comparison
  28. CMMC vs CMMI (source: https://www.acq.osd.mil/cmmc/index.html)
  29. CMMI - Level 0
  30. CMMI - Level 1
  31. CMMI - Level 2
  32. CMMI - Level 3
  33. CMMI - Level 4
  34. CMMI - Level 5
  35. Implementing CMMC: controlling cyber maturity
  36. CMMC main model description
  37. CMMC main model description - remember
     1. Level 1: Performed = basic cyber hygiene
     2. Level 2: Documented = intermediate cyber hygiene
     3. Level 3: Managed = good cyber hygiene
     4. Level 4: Reviewed = proactive
     5. Level 5: Optimizing = advanced / progressive
     The levels are cumulative: a Level n certification requires all practices and process maturity of levels 1 to n.
  38. CMMC practices: implementation layers & practices (p11)
     Domain abbreviations used on the next slides: AC Access Control, AM Asset Management, AU Audit & Accountability, AT Awareness & Training, CM Configuration Management, IA Identification & Authentication, IR Incident Response, MA Maintenance, MP Media Protection, PS Personnel Security, PE Physical Protection, RE Recovery, RM Risk Management, CA Security Assessment, SA Situational Awareness, SC System & Communications Protection, SI System & Information Integrity.
  39. CMMC practices per level - Level 1
     • Included: AC, IA, MP, PE, SC, SI
     • Excluded: AM, AU, AT, CM, IR, MA, PS, RE, RM, CA, SA
  40. CMMC practices per level - Level 2
     • Included: AC, AU, AT, CM, IA, IR, MA, MP, PS, PE, RE, RM, CA, SC, SI
     • Excluded: AM, SA
  41. CMMC practices per level - Level 3
     • Included: AC, AM, AU, AT, CM, IA, IR, MA, MP, PE, RE, RM, CA, SC, SA, SI
     • Excluded: PS
  42. CMMC practices per level - Level 4 (domain lists follow the per-domain slides 44-60)
     • Included: AC, AM, AU, AT, CM, IR, RM, CA, SA, SC, SI
     • Excluded: IA, MA, MP, PS, PE, RE
  43. CMMC practices per level - Level 5 (domain lists follow the per-domain slides 44-60)
     • Included: AC, AU, CM, IR, RE, RM, SC, SI
     • Excluded: AM, AT, IA, MA, MP, PS, PE, CA, SA
  44. CMMC practices - main points: Access Control (AC)
     • L1: limit information access to authorized users; limit connections to external systems
     • L2: privacy and security notices; least privilege; limit unsuccessful logons; session lock; monitor remote access
     • L3: segregation of duties; wireless authentication & encryption; control mobile devices
  45. CMMC practices - main points: Access Control (AC), continued
     • L4: control information flows; review access permissions
     • L5: rogue Wi-Fi control
  46. CMMC practices - main points: Asset Management (AM)
     • L3: procedures
     • L4: discovery
  47. CMMC practices - main points: Audit & Accountability (AU)
     • L2: trace individual users
     • L3: review logs; collect audit information; correlate information
     • L4: automate analysis; review audit information
     • L5: identify assets that are not reporting audit logs
  48. CMMC practices - main points: Awareness & Training (AT)
     • L2: risk awareness for key roles; train people for their security-related duties
     • L3: security awareness
     • L4: awareness of threat recognition; practical exercises
  49. CMMC practices - main points: Configuration Management (CM)
     • L2: baseline configuration & inventory; principle of least functionality
     • L3: manage & document logical access
     • L4: application whitelisting
     • L5: verify the integrity of critical software (crypto, certificates, ...)
  50. CMMC practices - main points: Identification & Authentication (IA)
     • L1: classify users; authenticate before allowing access
     • L2: password management
     • L3: MFA; identity management
  51. CMMC practices - main points: Incident Response (IR)
     • L2: incident handling procedure; detecting & reporting; analysis & response, including root cause analysis
     • L3: track & document incidents
     • L4: knowledge of attacker tactics; SOC
     • L5: forensics; manual & automated real-time response; unannounced exercises
  52. CMMC practices - main points: Media Protection (MP)
     • L1: sanitize & destroy
     • L2: protect & limit access
     • L3: marking; prohibit mobile media; crypto protection
  53. CMMC practices - main points: Personnel Security (PS)
     • L2: screening
  54. CMMC practices - main points: Physical Protection (PE)
     • L1: limit access; escort visitors
     • L2: protect & monitor the physical facility & infrastructure
     • L3: enforce safeguards at alternate work sites
  55. CMMC practices - main points: Recovery (RE)
     • L2: perform and test backups
     • L3: resilient data backups
     • L5: redundancy of information processing facilities
  56. CMMC practices - main points: Risk Management (RM)
     • L2: periodic assessments of operations; scan for vulnerabilities
     • L3: periodic assessments according to risk categories, resources & measurement criteria
     • L4: catalog threat profiles; threat intelligence
     • L5: exception process for non-whitelisted software
  57. CMMC practices - main points: Security Assessment (CA)
     • L2: security plans
     • L3: monitor security controls
     • L4: security strategy; red teaming
  58. CMMC practices - main points: Situational Awareness (SA)
     • L3: use information sharing forums to collect information
     • L4: cyber threat hunting; indicators of compromise
  59. CMMC practices - main points: System & Communications Protection (SC)
     • L1: monitor
     • L2: prohibit remote activation
     • L3 (!): crypto; separate users from system management functionality; ...
     • L4: physical & logical isolation; threat intelligence (DNS, ...)
     • L5: tailored network monitoring
  60. CMMC practices - main points: System & Information Integrity (SI)
     • L1: monitor system flaws
     • L2: monitor security alerts
     • L3: spam protection; email forgery protection
     • L4: threat intelligence
     • L5: analyse system behaviour
  61. Driving cyber & information security: maturity indicators for management
  62. CMMC main model description
  63. CMMC vs CMMI
  64. Bringing maturity to management (slides 64 to 67)
  68. References: interesting information sources
  69. Reference material
     • CMMC: https://www.acq.osd.mil/cmmc/index.html
     • PECB: PECB as CMMC-AB licensed partner publisher
     • CMMC audit: https://www.cmmcaudit.org/cmmc-level-1-certification-and-preparation-how-to/
     • CMMC: A Comprehensive Guide For DoD Contractors: https://www.cmmc-compliance.com/cmmc-compliance-guide
     • Others: see the LinkedIn page
  70. Reference material
     • Other: Cybersecurity Maturity Model Certification (CMMC) v1.02 & NIST 800-171 rev2 Compliance
     • CMMI: https://cmmiinstitute.com/ and https://cmmiinstitute.com/cmmi; Introduction to CMMI (by BMC); CMMI on Wikipedia; What is CMMI? A model for optimizing development processes
  71. Ramping up... relevant PECB training courses
  72. Relevant training
     • PIMS: PECB ISO 27701 Foundation, PECB ISO 27701 Lead Implementer (LI), PECB ISO 27701 Lead Auditor (LA)
     • Information security: PECB ISO 27001 LI, PECB ISO 27001 LA, PECB ISO 27002 Lead Manager (LM)
  73. Relevant training
     • Data protection: PECB Certified Data Protection Officer (GDPR)
     • Privacy: PECB ISO 29100 LI
  74. Other relevant training
     • Incident management: PECB ISO 27035 LI
     • Risk management: PECB ISO 27005 LI
  75. Training agenda: check the PECB agenda and select the ISO/IEC 27701 Lead Implementer: https://pecb.com/en/partnerEvent/event_schedule_list. For full details about an event, click the 'View' button on the right-hand side under 'View full details'. Note: before applying for any of the training courses listed, make sure you are registered with PECB.
  76. Appendix
  77. Relevant training: PECB ISO 27701
     • Foundation: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
     • Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
     • Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
  78. Relevant training: PECB ISO 27001 (https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001)
     • Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
     • Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
  79. Relevant training: PECB ISO 27002 (https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002)
     • Lead Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
  80. Relevant training: PECB GDPR (https://pecb.com/en/education-and-certification-for-individuals/gdpr)
     • CDPO: https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-data-protection-officer
  81. Relevant training: PECB ISO 29100 (https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer)
     • Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer
  82. Relevant training: PECB ISO 27035 - incident management (https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035)
     • Lead Incident Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
  83. Relevant training: PECB ISO 27005 - risk management (https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005)
     • Lead Risk Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
  84. ISO/IEC 27701 training courses
     • ISO/IEC 27701 Foundation: 2-day course
     • ISO/IEC 27701 Lead Implementer: 5-day course
     Exam and certification fees are included in the training price. https://pecb.com/en/education-and-certification-for-individuals/iso-27701 and www.pecb.com/events
  85. Thank you. Contact: info@cyberminute.com (CyberMinute); hello@shiftleftsecurity.eu (Shift Left Security)


