WEEK 3 Flashcards
SLIDES
Priorities for Compliance
- Protect the organization’s data
• Know how it is used, created, processed, stored
- Know the compliance and regulatory requirements
- Keep up to date on changing requirements
- Incidents will happen – get used to it
• Understand what happened
• Identify the root cause
• Develop remediation and prevent recurrence
How do I position my security program for success?
CIA
- Confidentiality
- Integrity
- Availability
Why was the NIST Cybersecurity Framework (CSF) designed?
Designed for individual businesses and other organizations TO USE TO ASSESS THE RISKS THEY FACE.
The Cybersecurity Framework (CSF) IS DIVIDED INTO?
Divided into three parts:
• framework core
• implementation tiers
• framework profile
NIST Cybersecurity Framework (CSF)
FRAMEWORK CORE
Describes the 5 functions of an information security program:
- identify
- protect
- detect
- respond
- recover
NIST Cybersecurity Framework (CSF)
IMPLEMENTATION TIERS
Defines four implementation tiers:
- partial
- risk-informed
- repeatable
- adaptive
NIST Cybersecurity Framework (CSF)
PROFILE
An organization:
• typically starts by using the framework to develop a Current Profile
• the Current Profile describes its cybersecurity activities and what outcomes it is achieving
• then develops a Target Profile
• or adopts a baseline profile tailored to its sector (e.g. infrastructure industry) or type of organization
• then defines the steps to move from its Current Profile to its Target Profile
• NIST recommends creating a current state and a target state profile, based on an analysis of the organization’s alignment with the CSF core
• the profiles guide the organization’s efforts to improve its cybersecurity posture
NIST Cybersecurity Framework vs NIST 800-53
The Framework is:
• concise
• voluntary in nature (It’s your choice whether you want to implement it in your organization or not. NIST 800-53 is mandatory.)
• builds on existing frameworks
- The Framework is more high-level in its scope compared to existing frameworks like NIST 800-53 (more suitable to be read by CEOs and C-suite members because it is not technical).
T/F
The Cybersecurity Framework does not prescribe how, or how much, cybersecurity is appropriate.
TRUE
A Profile Can be Created from Three Types of Information
Business Objectives
Cybersecurity Requirements
Technical Environment (Threats, Vulnerabilities)
Framework Seven Step Process
• Step 1: Prioritize and Scope
• Implementation Tiers may be used to express varying risk tolerances (v1.1)
• Step 2: Orient
• Step 3: Create a Current Profile
• Step 4: Conduct a Risk Assessment
• Step 5: Create a Target Profile
• When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes (v1.1)
• Step 6: Determine, Analyze, and Prioritize Gaps
• Step 7: Implementation Action Plan
What Technology Should I Use?
Based on the following three things:
Regulations
• State, federal, industry-specific
• Typically based on data
Policies
• Organizational rules (internal)
Controls
• Security Controls
• Operational Controls
• Verify you meet the requirements
Why would you be non-compliant?
- Control may not apply
- Technology not feasible
- Too expensive
- Control not required due to other controls/processes
- Organization chose to accept the risk
Compliance Management Guidelines
- Employ a governance structure
- Assess all compliance activities
- Architect cross-functional controls
- Architect a data classification program
- Know your compliance regulations
- Manage compliance at the highest level
You are the brand new CISO, you’ve been on board for 1 month and your organization just suffered a major data breach. You don’t have a response plan. What do you do?
- Manage communications through your PR department with GC input
- Consult with legal
- Tell people not to post on social sites
- Start documenting what you’re doing for next time
- Establish an emergency action group
- Speak with the board members