The cyber security profession has established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Applying the CSF to cyber risk is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities to extend it to physical and personnel security risks as well. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, security systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the FBI's InfraGard program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specializing in Homeland Security, Andrea draws on her experience managing projects that supported various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record of recognizing security gaps and corrective risk mitigation options, and of communicating findings effectively to stakeholders, private sector owners and operators, and first-responder personnel at the tactical, operational and strategic levels. Andrea applies analytical tradecraft and consistent, repeatable and defensible methodologies to risk and its elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Dave
Core: Functions (5 functions)
Tiers: Grading (1 of 4 options)
Profile: Target State & Roadmap
Dave: No examples of grey boxes.
2 mins
Commentary: Concentrate on the light grey boxes that define the column titles… we’ll go into more specifics after the breakout activity and the slides that follow…
Dave: Begin activity. Read the questions. We’re going to ask because…
Dave: …the questions correspond to functions within core.
Andrea leads, I comment
IDENTIFY function:
ASSET MGMT: Applications are inventoried; resources are prioritized.
BUS ENV: The organization's role in the supply chain is identified & communicated.
GOVERNANCE: Information security policy is established.
Andrea leads, I comment
PROTECT function:
ACCESS CONTROL: Identities & credentials are managed; physical access is managed.
AWARENESS & TRAINING: Privileged users, senior executives, security personnel, & 3rd parties understand their roles & responsibilities.
DATA SEC: Data at rest & in transit are protected; protections against data leaks are implemented.
Andrea leads, I comment
DETECT function:
ANOMALIES & EVENTS: A baseline is established; anomalies are detected & analyzed.
SEC CONTINUOUS MONITORING: The network is monitored; the physical environment is monitored.
DETECTION PROCESSES: Processes are tested; event information is communicated.
Andrea leads, I comment
RESPOND function:
RESPONSE PLANNING: Plans are created & executed upon occurrence of an event.
COMMS: Events are reported & information is shared as per the response plans.
ANALYSIS: Impact is understood; forensics are performed.
Andrea leads, I comment
RECOVER function:
RECOVERY PLANNING: Plans are created & executed during & after an event.
IMPROVEMENTS: Lessons learned are incorporated; plans are updated as needed.
COMMS: Public relations are managed; reputation is repaired.