NIST SP 800-37 (rev 2)
NIST SP 800-37 (REV 2)
NIST SP 800-37 (REV 1)
NIST 800-37 Revision 2 - SCHEDULE
NIST Special Publication 800-37, Revision 2
Risk Management Framework for Security and Privacy
● Initial Public Draft: May 2018
● Final Public Draft: July 2018
● Final Publication: October 2018
NIST Special Publication 800-53, Revision 5
Security and Privacy Controls
● Final Public Draft: October 2018
● Final Publication: December 2018
Source: https://csrc.nist.gov/projects/risk-management/schedule
Overview
● Sources of NIST 800-37 (rev 2)
● What is NIST SP 800-37 (rev 2)
● Difference between 800-37 Revision 1 & 2
● Conclusion: Main thing you should know
Sources of NIST SP 800-37 (rev 2)
Knowing the sources of 800-37 (rev 2) gives better context and understanding.
NIST 800-37 Revision 2 - Source of Changes
NIST 800-37 Rev 2: Risk Management Framework for Information Systems
and Organizations: A System Life Cycle Approach for Security and Privacy
Source of Changes:
● President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
● Office of Management and Budget Memorandum M-17-25 - next-generation Risk Management Framework (RMF) for systems and organizations
● NIST SP 800-53 Revision 5 Coordination
Source: E.O. Strengthening Cybersecurity of Federal Networks
Source: M-17-25 OMB
NIST 800-37 Revision 2 - Executive Order
President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
● National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity
● Focus on critical infrastructure targets with the highest risk
● Securing the Internet and a focus on cybersecurity training
Source: E.O. Strengthening Cybersecurity of Federal Networks
Source: M-17-25 OMB
Source: Framework for Improving Cybersecurity of Critical Infrastructure
NIST 800-37 Revision 2 - OMB M-17-25
Office of Management and Budget Memorandum M-17-25 - next-generation Risk Management Framework (RMF) for systems and organizations
● Memorandum to implement improvements to critical infrastructure cybersecurity
● Reporting on Agency Risk Management Assessments to DHS
● Action Plan for Implementation of the Framework
● Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
Source: M-17-25 OMB
Source: Framework for Improving Cybersecurity of Critical Infrastructure
NIST 800-37 Revision 2 - NIST 800-53 Rev 5
NIST SP 800-53 (Revision 5) Coordination
● Security and privacy controls made more outcome-based
● Fully integrating the privacy controls
● Separating the control selection process from the actual controls
● Incorporating new, state-of-the-practice controls based on threat intelligence
● Implementation of the Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
Source: Framework for Improving Cybersecurity of Critical Infrastructure
Source: NIST SP 800-53 Rev 5
What is NIST SP 800-37 (rev 2) & Changes
What is NIST 800-37 (Rev 2)
Provides guidelines for applying the Risk Management Framework to federal information systems, including the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security.
Put simply, it is a process that guides an organization through thorough security activities across the life cycle of an important system.
NIST 800-37 Revision 2 is an upgrade to this process.
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
NIST 800-37 Revision 2 - NAME
NIST 800-37 Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach
NIST 800-37 Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
NIST 800-37 Revision 2 - NAME
NIST 800-37 Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
In line with NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations
Puts privacy up front.
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
NIST 800-37 Revision 2 - (4) Objectives
There are four major objectives for this update:
● To improve communication between the risk management processes and activities at the C-suite level of the organization and the processes and activities at the system and operational level of the organization.
● To institutionalize critical enterprise-wide risk management preparatory activities to facilitate a more efficient and cost-effective execution of the Risk Management Framework at the system and operational level.
● To demonstrate how the Cybersecurity Framework can be implemented using the established NIST risk management processes (i.e., developing a Federal use case).
● To provide an integration of privacy concepts into the Risk Management Framework and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5.
NIST 800-37 Revision 2 - NIST 800-37 Rev 2
Communication between the risk management processes and activities at the C-suite level; institutionalizing critical enterprise-wide risk management preparatory activities:
- Assign roles
- Create Strategy
- Identify stakeholders
- Identify information life cycle
- Placement of system
- Create monitoring program
NIST 800-37 Revision 2 - NIST 800-53 Rev 5
The primary objectives for institutionalizing organizational preparation are as follows:
● To facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners.
● To facilitate organization-wide identification of common controls and the development of organization-wide tailored security and privacy control baselines, to reduce the workload on individual system owners and the cost of system development and protection.
● To reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services through the application of enterprise architecture concepts and models.
● To identify, prioritize, and focus resources on high-value assets and high-impact systems that require increased levels of protection, taking steps commensurate with risk such as moving lower-impact systems to cloud or shared services, systems, and applications.
NIST 800-37 Revision 2 - Cybersecurity Framework & RMF
Put preparation in the center of the organization.
NIST 800-37 Revision 2 - Privacy
Put preparation in the center of the organization.
Conclusion
What is the main thing I should know?
NIST 800-37 Revision 2 - NIST 800-53 Rev 5
Main things you should know:
● Check out the sources for context
● NIST 800-37 getting pushed to the forefront
● Cybersecurity Framework (what is it)
Editor's notes

  1. All special publications are sourced from higher documents. These documents are policies, regulations and laws that are broad but put the special publication in perspective. This perspective gives the reader (and/or stakeholder) more context and therefore a better understanding of the publication's direction and intent. It is well worth at least reviewing the source documents.
  2. Revisions happen every few years to keep up with changes in the industry, threat levels, technology, etc.