
June 2015 | practicallaw.com

© 2015 Thomson Reuters. All rights reserved.

The NIST Cybersecurity Framework

Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and Technology (NIST) issued a voluntary framework that is fast becoming the de facto standard for organizations to assess their cybersecurity programs.
RICHARD RAYSMAN
PARTNER
HOLLAND & KNIGHT LLP

JOHN ROGERS
CHIEF TECHNOLOGIST
BOOZ ALLEN HAMILTON INC.

Richard’s practice concentrates on computer law, outsourcing, complex technology transactions and intellectual property. He has significant experience in structuring technology transactions and has represented clients in billions of dollars of outsourcing transactions in addition to litigating reported cases. Richard is a guest contributor to The Wall Street Journal on technology issues, and Chambers has selected him as a leading technology attorney. Prior to practicing law, Richard was a systems engineer for IBM Corporation.

John has extensive information security experience in a variety of industries including financial services, retail, healthcare, higher education, insurance, non-profit and technology services. He focuses on improving client cybersecurity programs, assessing these programs against industry standards, designing secure solutions and performing cost/benefit analyses.

Practical Law The Journal | Transactions & Business | June 2015

Despite major efforts to prevent cyber attacks, no common standard of care exists yet for organizations to assess their cybersecurity programs. While global cybersecurity spending is expected to exceed $50 billion in coming years, the proliferation of high-profile data breaches continues and remains a growing concern.
