NIST, No Mystery - Patechcon.harrisburgu.edu

NIST, No Mystery: Understanding NIST Cybersecurity Risk Management
Peter Romness, Cisco / US Public Sector Cybersecurity

Agenda
1. PA Security Assessment Framework
2. About NIST
3. NIST SP 800-53
4. NIST RMF
5. NIST CSF
6. Conclusion

PA Security Assessment Framework
- Baseline Security Best Practices Assessment
- Security Policy & Organization Review
- Physical and Environmental Security Assessment
- Internal Network Discovery & Vulnerability Scans
- External Network Discovery & Vulnerability Scan
- Wireless Security Analysis
- Account Management Procedure Analysis
- Server and Workstation Configuration Review
- Security Infrastructure Analysis
- Continuity Plan Review
- Human Resources Review
- Security Awareness and Training Programs
Source: tal/server.pt/community/security awareness/494/security assessment framework/203339

NIST References: What's the difference? How do these work?
- NIST Cybersecurity Framework (CSF)
- NIST Risk Management Framework (RMF)
- NIST Special Publication 800-53

NIST: National Institute of Standards and Technology
Information Technology publications, security standards, tools, and best practices:
- Computer Security Resource Center (CSRC)
- Cybersecurity Framework (CSF)
- National Cybersecurity Center of Excellence (NCCoE)
- Information Technology Laboratory (ITL)
- National Strategy for Trusted Identities in Cyberspace (NSTIC)
Breadth and depth across vast subject areas beyond Information Technology as well: telecommunications, nanotechnology, bioscience, energy, chemistry, math, physics, transportation, public safety -- and more.
Mission: "To promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life"
Source: National Institute of Standards and Technology, http://www.nist.gov/

NIST CSRC: Computer Security Resource Center
- Federal Information Processing Standards (FIPS)
- NIST Interagency or Internal Reports (NISTIRs)
- Information Technology Laboratory (ITL) Bulletins
- NIST Special Publications (SPs)
  - 800-Series: Computer Security
  - 1800-Series: Cybersecurity Practice Guides
  - 500-Series: Information Technology
The 800-Series is NIST's primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials.
Source: NIST CSRC Publications, http://csrc.nist.gov/publications/

NIST Publications: Key Standards and Guidelines
- FIPS 199: Standards for Security Categorization
- FIPS 200: Minimum Security Requirements
NIST Risk Management Framework
1. Categorize information system (NIST SP 800-60)
2. Select security controls (NIST SP 800-53)
3. Implement security controls (NIST SP 800-160)
4. Assess security controls (NIST SP 800-53A)
5. Authorize information system (NIST SP 800-37)
6. Monitor security controls (NIST SP 800-137)
Source: NIST CSRC, http://csrc.nist.gov/


NIST SP 800-53

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems
Security Control Catalog
- 18 security control families with hundreds of security controls
- Essential for FISMA and the NIST Risk Management Framework
"Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats."
"This 'Build It Right' strategy is coupled with a variety of security controls for Continuous Monitoring to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions."
Source: NIST SP 800-53, Foreword, Page XV

NIST SP 800-53: Security Control Structure
Security Control Families
- Each family contains security controls related to the general security topic of the family
- Security controls may involve aspects of policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms implemented by information systems/devices
- A two-character ID uniquely identifies security control families

NIST SP 800-53: Security Control Structure
Control families drill down into individual security controls (the family shown as the example is SI). Next slide for security control sections.

NIST SP 800-53: Security Control Structure
Sections of a control, using SI-3 Malicious Code Protection as the example:
1. Control section
2. Supplemental Guidance section
3. Control Enhancements section
4. References section
5. Priority and Baseline Allocation section

NIST SP 800-53: Summary by Control Family (with Cisco Solution Alignment, Cisco Safety and Security)
AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment
CM  Configuration Mgmt
CP  Contingency Planning
IA  Identification/AuthZ
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical Environment
PL  Planning
PS  Personnel Security
RA  Risk Assessment
SA  System Acquisition
SC  Sys/Comm Protection
SI  Sys/Info Integrity
PM  Program Management

NIST RMF

NIST RMF: Risk Management Framework
Start → 1. Categorize (FIPS 199 & NIST SP 800-60) → 2. Select (FIPS 200 & NIST SP 800-53) → 3. Implement (NIST SP 800-160) → 4. Assess (NIST SP 800-53A) → 5. Authorize (NIST SP 800-37) → 6. Monitor (NIST SP 800-137) → back to 1
Source: NIST RMF Overview

Step 1: Categorize (FIPS 199 and NIST SP 800-60)
System Impact Levels:
- High: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- Moderate: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- Low: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}

Step 2: Select (FIPS 200 and NIST SP 800-53)
Select the Initial Control Baseline according to System Category (SC)

CNTL NO.  CONTROL NAME                          PRIORITY  INITIAL CONTROL BASELINES
                                                          LOW           MOD          HIGH
ACCESS CONTROL
AC-1      Access Control Policy and Procedures  P1        AC-1          AC-1         AC-1
AC-4      Separation of Duties                  P1        Not Selected  AC-4         AC-4
AC-6      Least Privilege                       P1        Not Selected  …            …
AC-7      Unsuccessful Logon Attempts           P2        AC-7          AC-7         AC-7
AC-11     Session Lock                          P3        Not Selected  AC-11 (1)    AC-11 (1)
Source: NIST SP 800-53, Table D-2: Security Control Baselines
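As an added worked example (not part of the original slides, and not NIST's or Cisco's code), the following Python carries steps 1 and 2 through on constructed input: it applies the FIPS 199 high-water mark across a system's information types to produce the security category SC in the notation above, derives the overall impact level, and then looks up the initial control baseline. The baseline table is a constructed subset holding only the Table D-2 rows fully shown on the slide; the information types and their impact ratings are constructed sample data.

```python
"""FIPS 199 categorization (step 1) and SP 800-53 baseline selection (step 2).

Added worked example, not from the slide deck. The baseline table below is a
constructed subset holding only the Table D-2 rows fully shown on the slide;
the information types are constructed sample input.
"""
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type (NIST SP 800-60) with its provisional impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def system_security_category(info_types):
    """FIPS 199 high-water mark: for each objective, the highest impact rating
    found among all information types the system processes."""
    return {
        obj: max((getattr(t, obj).upper() for t in info_types), key=LEVELS.__getitem__)
        for obj in OBJECTIVES
    }


def format_sc(sc):
    """Render the category in the FIPS 199 notation used on the slide."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES) + "}"


def system_impact_level(sc):
    """Overall system impact level (FIPS 200): the highest of the three objectives."""
    return max(sc.values(), key=LEVELS.__getitem__)


# Constructed subset of SP 800-53 Rev 4 Table D-2 as shown on the slide:
# control -> (priority, LOW baseline, MODERATE baseline, HIGH baseline).
# None stands for "Not Selected".
BASELINES = {
    "AC-1": ("P1", "AC-1", "AC-1", "AC-1"),
    "AC-4": ("P1", None, "AC-4", "AC-4"),
    "AC-7": ("P2", "AC-7", "AC-7", "AC-7"),
    "AC-11": ("P3", None, "AC-11 (1)", "AC-11 (1)"),
}


def select_initial_baseline(level):
    """Return [(control, baseline entry)] selected for the impact level, with
    P1 controls first so the highest-priority work is visible at the top."""
    column = LEVELS[level.upper()] - 1
    selected = []
    for control, (priority, *columns) in BASELINES.items():
        entry = columns[column]
        if entry is not None:  # skip "Not Selected" cells
            selected.append((priority, control, entry))
    selected.sort(key=lambda item: (item[0], item[1]))
    return [(control, entry) for _, control, entry in selected]


# Constructed sample system: three information types with provisional ratings.
SAMPLE_SYSTEM = [
    InformationType("Public web content", "LOW", "MODERATE", "LOW"),
    InformationType("Citizen service records", "MODERATE", "MODERATE", "LOW"),
    InformationType("Payroll", "MODERATE", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    sc = system_security_category(SAMPLE_SYSTEM)
    level = system_impact_level(sc)
    print(format_sc(sc))
    print("System impact level:", level)
    for control, entry in select_initial_baseline(level):
        print(f"  {control:<6} -> {entry}")
```

The point the table makes is visible in the output: a system that categorizes as LOW gets AC-1 and AC-7 from these rows and nothing else, while the same rows at MODERATE add AC-4 and AC-11 with its enhancement (1), because the baseline grows with the impact level rather than with the number of information types.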

Step 3: Implement (NIST SP 800-160)
Implement the security controls and document how the controls are deployed within the information system and environment of operation
ID  PROCESS NAME
SR  Stakeholder Requirements Definition
RA  Requirements Analysis
AD  Architectural …
…   …tegration
TR  Transition
VA  Validation
VE  Verification
DS  Disposal
Source: NIST SP 800-60, Table 1: Process Names and Designators

Step 4: Assess (NIST SP 800-53A)
Assess the implemented security controls to determine whether they are:
- Implemented correctly
- Operating as intended
- Producing the desired results
Security Control Assessment Process Overview. Security control assessment goals:
- Consistent, comparable, and repeatable assessments of security controls with reproducible results
- More cost-effective assessments of security controls
- Better understanding of the risks to organizational operations, assets, individuals
Source: NIST SP 800-53A, Figure 1: Security Control Assessment Process Overview

Step 5: Authorize (NIST SP 800-37)
1. Plan of Action and Milestones: Prepare based on the findings and recommendations of the security assessment report, excluding any remediation actions taken
2. Security Authorization Package: Assemble the security authorization package and submit the package to the authorizing official for adjudication
3. Risk Determination: Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, etc.
4. Risk Acceptance: Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable
5. ATO
"If the authorizing official, after reviewing the authorization package deems that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable, an authorization to operate is issued for the information system or for the common controls inherited by organizational information systems"
Source: NIST SP 800-37, Appendix F: Security Authorization

Step 6: Monitor (NIST SP 800-137)
Information Security Continuous Monitoring (ISCM)
- Provides security situational awareness
- Enables appropriate action as the situation changes
- Part of the larger strategy of enterprise risk management
ISCM is a cycle (Define → … → Review/Update).
The role of automation in ISCM:
- Augments the security processes conducted by security professionals within an organization
- Reduces the amount of time a security professional must spend on doing redundant tasks
- Frees the security professional to spend time on tasks that do require human cognition
Source: NIST SP 800-137, Chapter 2

NIST RMF Summary: Risk Management Framework
Start → 1. Categorize (FIPS 199 & NIST SP 800-60) → 2. Select (FIPS 200 & NIST SP 800-53) → 3. Implement (NIST SP 800-160) → 4. Assess (NIST SP 800-53A) → 5. Authorize (NIST SP 800-37) → 6. Monitor (NIST SP 800-137) → back to 1
Source: NIST RMF Overview

NIST CSF

Improving Critical Infrastructure Cybersecurity: Executive Order 13636, February 2013
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."

NIST CSF: Cybersecurity Framework
Outcome of Executive Order 13636, and result of collaboration between public and private sectors
- Manages cybersecurity risks in a cost-effective way, while protecting privacy and civil liberties
- References the globally accepted standards (COBIT, ISO/IEC, ISA, NIST, CCS) that are working well today
- Intended for worldwide adoption -- not US only
- Uses common terminology to discuss cybersecurity risk
- Ensures business drivers guide cybersecurity activities
- Considers cybersecurity risks as part of the organization's overall risk management process

Best Practices: People, Process, Technology. The Framework covers all three.

People: Focused Action
The Framework helps organizations optimize their cybersecurity activities
- Aligns cybersecurity activities with business risk
- Prioritizes activities that are most important for critical service delivery
- Maximizes the impact of cybersecurity spending

People: Better Communication
The Framework uses a common language to discuss cybersecurity risk
- Improves communication among cybersecurity experts and senior leadership within an organization
- Improves communication with external vendors, partners, and contractors
- Aligns the Information Technology (IT) and Operations Technology (OT) teams

Process: Process Support
The Framework works with existing risk management programs
- ISO/IEC 27005, Information Security Risk Management
- ISO/IEC 31000, Risk Management
- NIST SP 800-39, Managing Information Security Risk
- Electricity Subsector Cybersecurity Risk Management Process (RMP)

Broad Applicability
The Framework enables all organizations to improve security and resilience
- Any size or type of organization
- Both public and private sectors
- Any degree of cybersecurity risk
- Any level of cybersecurity sophistication
- Anywhere in the world

CSF Components
- Core: Set of activities, desired outcomes, and applicable references common across critical infrastructure sectors
- Profiles: Alignment of Framework Core structure with the specific business requirements of a particular organization
- Implementation Tiers: An organization's view on how well it manages risk, ranging from Partial (Tier 1) to Adaptive (Tier 4)

CSF Core
1. Functions: Identify, Protect, Detect, Respond, Recover
2. Categories: subdivide Functions into specific activities
3. Subcategories: subdivide Categories into desired outcomes
4. Informative Resources: standards references to achieve the outcomes

Core Functions
- ID Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- PR Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- DE Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- RS Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- RC Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

Core Categories of the Identify (ID) Function
- ID.AM Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
- ID.BE Business Environment (BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- ID.GV Governance (GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber risk.
- ID.RA Risk Assessment (RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- ID.RM Risk Management Strategy (RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Core Subcategories of Identify (ID) / Asset Management (ID.AM)
- ID.AM-1: Physical devices and systems within the organization are inventoried
- ID.AM-2: Software platforms and applications within the organization are inventoried
- ID.AM-3: Organizational communication and data flows are mapped
- ID.AM-4: External information systems are catalogued
- ID.AM-5: Resources (hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
- ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (suppliers, customers, partners) are established

Core Informative Resources
Function: Identify (ID); Category: Asset Management (ID.AM); Subcategory: Physical device inventories (ID.AM-1)
Informative Resources for ID.AM-1:
- CCS CSC 1
- COBIT 5 BAI09.01, BAI09.02
- ISA 62443-2-1:2009 4.2.3.4
- ISA 62443-3-3:2013 SR 7.8
- ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
- NIST SP 800-53 Rev. 4 CM-8
International standards references: Council on CyberSecurity (CCS); Control Objectives for Information and Related Technology (COBIT); International Society of Automation (ISA); International Organization for Standardization (ISO); International Electrotechnical Commission (IEC)
Example drill-down, ISO/IEC 27001:2013 Annex A: A.8 Asset Management; A.8.1.1 Inventory of Assets; A.8.1.2 Ownership of Assets

Tiers
Reflect how an organization views cybersecurity risk and the processes in place to manage that risk
- Tier 4 Adaptive: Practices fully established and continuously improved
- Tier 3 Repeatable: Practices approved and established by organizational policy
- Tier 2 Risk Informed: Practices approved but not completely established by policy
- Tier 1 Partial: Informal, ad hoc, reactive responses

Profiles
The alignment of the Framework Core with an organization's business requirements, risk tolerance, and resources
- Describes the current state and desired future state
- Reveals gaps that can flow into action plan development
- Facilitates a roadmap for reducing cybersecurity risk

Core: High Level Core View
- Identify: Know what you have
- Protect: Secure what you have
- Detect: Spot threats quickly
- Respond: Take action immediately
- Recover: Restore operations

Important Points
- Only half of the Framework's Categories are addressed by technology
- Highlights the importance of both people and process in cybersecurity

How the CSF is used (the questions it helps answer)
- "How well are we doing today?"
- "Can we assess and improve?" -- let's focus here
- "Can we speak the same language?"
- "What else should we consider?" (Opportunities for Updated Informative References)
- "Can we protect data better?" (Methodology to Protect Privacy and Civil Liberties)

Improving a Program
Start → 1. Prioritize and Scope → 2. Orient → 3. Create Current Profile → 4. Conduct Risk Assessment → 5. Create Target Profile → 6. Analyze Gaps → 7. Implement Action Plan → back to 1

Step 1: Prioritize and Scope
Identify business/mission objectives and high-level organizational priorities
- Make strategic decisions on cybersecurity
- Determine scope of systems and assets that support the mission
- Assess risk tolerance

Step 2: Orient
Identify related systems, regulatory requirements, and overall risk approach
- Identify threats to systems and assets
- Identify vulnerabilities associated with systems and assets

Step 3: Current Profile
Function: Identify (ID); Category: Asset Management (ID.AM)
- Physical device inventories (ID.AM-1): Tier 1. Manual, spreadsheet-based system is insufficient and lacks network visibility.
- Software inventories (ID.AM-2): Tier 1. Asset management system cannot detect new software applications being deployed.
- Communication/data flow maps (ID.AM-3): Tier 2. Flow maps are documented and approved but need to be formalized by policy.
- External system catalogs (ID.AM-4): Unused. Current business model does not require external system catalogs.
- Resource prioritization (ID.AM-5): Tier 4. Prioritization system is working well for our needs today.
- Roles/responsibilities clarification (ID.AM-6): Tier 3. New cybersecurity responsibilities need to be formalized by policy.

Step 4: Risk Assessment
Fxn.  Cat.    Sub.      Current Profile  Risk Assessment
ID    ID.AM   ID.AM-1   Tier 1           Unacceptably high risks
              ID.AM-2   Tier 1           Unacceptably high risks
              ID.AM-3   Tier 2           Acceptable risks at this time
              ID.AM-4   Unused           Acceptable risks at this time
              ID.AM-5   Tier 4           Acceptable risks at this time
              ID.AM-6   Tier 3           Acceptable risks at this time

Step 5: Target Profile
Fxn.  Cat.    Sub.      Target Profile
ID    ID.AM   ID.AM-1   Tier 4
              ID.AM-2   Tier 4
              ID.AM-3   Tier 2
              ID.AM-4   Unused
              ID.AM-5   Tier 4
              ID.AM-6   Tier 3
This is where we want to be:
- Physical device and software inventories at Tier 4, "Adaptive"
- Practices fully established, continuously improved, and built into our overall risk management program

Step 6: Gap Analysis
Fxn.  Cat.    Sub.      Current Profile  Target Profile
ID    ID.AM   ID.AM-1   Tier 1           Tier 4
              ID.AM-2   Tier 1           Tier 4
              ID.AM-3   Tier 2           Tier 2
              ID.AM-4   Unused           Unused
              ID.AM-5   Tier 4           Tier 4
              ID.AM-6   Tier 3           Tier 3
Enables a prioritized action plan

Step 7: Action Plan
Fxn.  Cat.    Sub.      Informative Resources
ID    ID.AM   ID.AM-1   CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
              ID.AM-2   CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
NIST SP 800-53 Revision 4, CM-8 / Information System Component Inventory
Control: The organization:
a. Develops and documents an inventory of information system components that:
   1. Accurately reflects the current information system;
   2. Includes all components within the authorization boundary of the information system;
   3. Is at the level of granularity deemed necessary for tracking and reporting; and
   4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]
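As an added worked example covering steps 3 through 7 (it is not part of the original slides and is not NIST's or Cisco's code), the Python below takes the Current Profile, the step-4 risk verdicts, the Target Profile and the Informative Resources exactly as the slides show them for ID.AM, computes the tier gap per Subcategory, orders the gaps into a prioritized action plan, and pulls out the SP 800-53 controls the plan needs. Subcategories whose Informative Resources the slides do not show carry an empty reference list; the handling of "Unused" entries and of an inconsistent Target Profile goes beyond what the slides spell out and is this example's own design.

```python
"""CSF profile gap analysis and action plan (steps 3 to 7 of "Improving a Program").

Added worked example, not from the slide deck. The Current and Target Profile
values, the step-4 risk verdicts and the Informative Resources for ID.AM-1 and
ID.AM-2 are transcribed from the slides; Subcategories whose references the
slides do not show carry an empty list.
"""
TIER_VALUE = {"Tier 1": 1, "Tier 2": 2, "Tier 3": 3, "Tier 4": 4}

# Step 3: Current Profile for the Asset Management (ID.AM) Category.
CURRENT_PROFILE = {
    "ID.AM-1": "Tier 1", "ID.AM-2": "Tier 1", "ID.AM-3": "Tier 2",
    "ID.AM-4": "Unused", "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 3",
}
# Step 4: Subcategories the risk assessment judged unacceptably high.
UNACCEPTABLE_RISK = {"ID.AM-1", "ID.AM-2"}
# Step 5: Target Profile ("where we want to be").
TARGET_PROFILE = {
    "ID.AM-1": "Tier 4", "ID.AM-2": "Tier 4", "ID.AM-3": "Tier 2",
    "ID.AM-4": "Unused", "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 3",
}
# Informative Resources shown on the Action Plan slide.
INFORMATIVE_RESOURCES = {
    "ID.AM-1": ["CCS CSC 1", "COBIT 5 BAI09.01, BAI09.02",
                "ISA 62443-2-1:2009 4.2.3.4", "ISA 62443-3-3:2013 SR 7.8",
                "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2", "NIST SP 800-53 Rev. 4 CM-8"],
    "ID.AM-2": ["CCS CSC 2", "COBIT 5 BAI09.01, BAI09.02, BAI09.05",
                "ISA 62443-2-1:2009 4.2.3.4", "ISA 62443-3-3:2013 SR 7.8",
                "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2", "NIST SP 800-53 Rev. 4 CM-8"],
}


def analyze_gaps(current, target):
    """Step 6: tier gap per Subcategory. A Subcategory marked Unused in the
    Target Profile is out of scope; one marked Unused in the Current Profile
    but tiered in the Target counts as a gap from zero. A Target below the
    Current tier is a profile inconsistency and is rejected."""
    gaps = {}
    for sub, target_tier in target.items():
        if target_tier == "Unused":
            continue
        current_value = TIER_VALUE.get(current.get(sub, "Unused"), 0)
        gap = TIER_VALUE[target_tier] - current_value
        if gap < 0:
            raise ValueError(f"{sub}: target {target_tier} is below the current tier")
        if gap > 0:
            gaps[sub] = gap
    return gaps


def build_action_plan(gaps, unacceptable, resources):
    """Step 7: prioritized action items. Subcategories flagged unacceptable in
    step 4 come first, then larger gaps, then Subcategory ID for stable output."""
    ordered = sorted(gaps, key=lambda sub: (sub not in unacceptable, -gaps[sub], sub))
    return [
        {
            "subcategory": sub,
            "gap_tiers": gaps[sub],
            "unacceptable_risk": sub in unacceptable,
            "references": resources.get(sub, []),
        }
        for sub in ordered
    ]


def sp800_53_controls(plan):
    """Distinct NIST SP 800-53 controls cited by the plan's Informative Resources;
    these are the catalog entries to implement (CM-8 in the slides' case)."""
    controls = {
        ref.rsplit(" ", 1)[1]
        for item in plan
        for ref in item["references"]
        if ref.startswith("NIST SP 800-53")
    }
    return sorted(controls)


if __name__ == "__main__":
    plan = build_action_plan(analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE),
                             UNACCEPTABLE_RISK, INFORMATIVE_RESOURCES)
    for item in plan:
        print(item["subcategory"], f"+{item['gap_tiers']} tiers",
              "(unacceptable risk)" if item["unacceptable_risk"] else "")
    print("SP 800-53 controls to implement:", sp800_53_controls(plan))
```

Run on the slides' data, the plan contains exactly ID.AM-1 and ID.AM-2 (three tiers each) and the single control CM-8, which is why the following slides turn to an accurate device inventory: both Subcategories resolve to the same SP 800-53 control, so one investment closes both gaps.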

Step 7: Develop Action Plan
Device Inventory: "We need an accurate device inventory… but how can we know what's actually on our network?"

Step 7: Implement Action Plan
Device Discovery and Profiling: Cisco Identity Services Engine (ISE) discovers and accurately identifies devices connected to wired, wireless, and virtual private networks, mapped on the slide to NIST SP 800-53 Revision 4 CM-8 / Information System Component Inventory (control text as quoted on the Action Plan slide).
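An accurate inventory (CM-8 item a.1) is only demonstrated by checking the documented inventory against what discovery actually sees, so the following added example (not part of the slides, and not Cisco ISE code or its export format) reconciles a constructed inventory with a constructed discovery export: it reports devices on the network with no inventory record, inventory records no longer observed, and records whose documented type disagrees with the observed profile, and computes an accuracy figure that can be tracked as ID.AM-1 is raised from Tier 1 toward Tier 4. The record layout (MAC, IP, profile, last-seen timestamp) and the 30-day staleness window are this example's assumptions.

```python
"""Reconciling the documented component inventory (CM-8) with discovered devices.

Added worked example, not from the slide deck and not Cisco ISE code. It
assumes the discovery tool, whichever one is used, exports one record per
observed endpoint with a MAC address, an IP address, a device profile and a
last-seen timestamp; the inventory and export below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed documented inventory: what the organization believes is deployed.
INVENTORY = {
    "00:11:22:33:44:01": {"hostname": "fileserver01", "type": "Windows Server", "owner": "IT Ops"},
    "00:11:22:33:44:02": {"hostname": "printer-lobby", "type": "Printer", "owner": "Facilities"},
    "00:11:22:33:44:03": {"hostname": "records-scanner", "type": "Scanner", "owner": "Records"},
}

# Constructed discovery export: what was actually observed on the network.
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "profile": "Windows Server", "last_seen": "2015-03-02T09:15:00"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.2.20", "profile": "IP Phone", "last_seen": "2015-03-02T08:40:00"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.2.31", "profile": "Scanner", "last_seen": "2014-12-01T16:05:00"},
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.3.77", "profile": "Android Device", "last_seen": "2015-03-02T09:58:00"},
]
NOW = datetime(2015, 3, 2, 10, 0, 0)  # constructed "current time" for the run


def reconcile(inventory, discovered, now=NOW, stale_after=timedelta(days=30)):
    """Compare the documented inventory with the discovery export and return
    the findings CM-8 item a.1 ("accurately reflects the current system") needs:
      unknown    - observed devices with no inventory record
      stale      - inventory records not observed within stale_after
      mismatched - inventory records whose documented type differs from the
                   observed profile, as (mac, documented type, observed profile)
    """
    observed = {rec["mac"].lower(): rec for rec in discovered}
    unknown = sorted(mac for mac in observed if mac not in inventory)
    stale, mismatched = [], []
    for mac, record in inventory.items():
        rec = observed.get(mac.lower())
        if rec is None or now - datetime.fromisoformat(rec["last_seen"]) > stale_after:
            stale.append(mac)
        elif rec["profile"] != record["type"]:
            mismatched.append((mac, record["type"], rec["profile"]))
    return {"unknown": unknown, "stale": sorted(stale), "mismatched": sorted(mismatched)}


def inventory_accuracy(findings, inventory):
    """Share of inventory records confirmed as present and correctly typed;
    a number to track over time as the ID.AM-1 tier is raised."""
    confirmed = len(inventory) - len(findings["stale"]) - len(findings["mismatched"])
    return confirmed / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    findings = reconcile(INVENTORY, DISCOVERED)
    for kind, items in findings.items():
        print(f"{kind}: {items}")
    print(f"inventory accuracy: {inventory_accuracy(findings, INVENTORY):.0%}")
```

On the sample data one of three records is confirmed: the lobby "printer" is actually profiled as an IP phone, the scanner has not been seen for three months, and an unlisted Android device is present. Each finding is an inventory defect to work off (update the record, retire it, or investigate the unknown device), and the accuracy figure is the evidence that the spreadsheet-era Tier 1 state described on the Current Profile slide is being left behind.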

Continuous Improvement: Not once and done!
Start → 1. Prioritize and Scope → 2. Orient → 3. Create Current Profile → 4. Conduct Risk Assessment → 5. Create Target Profile → 6. Analyze Gaps → 7. Implement Action Plan → back to 1

NIST RMF vs. NIST CSF: What's the difference?
Risk Management Framework

NIST RMF Overview: Risk Management Framework
Start → 1. Categorize (FIPS 199 & NIST SP 800-60) → 2. Select (FIPS 200 & NIST SP 800-53) → 3. Implement (NIST SP 800-160) → 4. Assess (NIST SP 800-53A) → 5. Authorize (NIST SP 800-37) → 6. Monitor (NIST SP 800-137) → back to 1
Source: NIST RMF Overview

NIST RMF vs. NIST CSF: Security Control Selection
NIST CSF guides organizations to risk-based selection of effective security controls for inclusion in an existing risk-management process. On the RMF cycle (1. Categorize, FIPS 199 & NIST SP 800-60; 2. Select, NIST SP 800-53; 3. Implement, NIST SP 800-160; 4. Assess, NIST SP 800-53A; 5. Authorize, NIST SP 800-37; 6. Monitor, NIST SP 800-137) this corresponds to step 2, Select.

NIST RMF vs. NIST CSF: Other Important Differences
NIST CSF can be used with the NIST RMF but does not require it
- Organizations may choose to follow the NIST RMF, but are also free to choose to use the NIST CSF with ISO/IEC 27005 -- or any other enterprise risk management process
NIST CSF references the NIST SP 800-53 security control catalog but does not require it
- Organizations may choose to select security controls from NIST SP 800-53, but are also free to select from ISACA COBIT 5, ISO/IEC 27001/27002, or other security control catalogs
- NIST CSF Informative Resources refer to certain controls from NIST SP 800-53, but the CSF does not reference the complete set of NIST SP 800-53 controls
- NIST CSF describes its own cybersecurity improvement process that leverages CSF Profiles and Implementation Tiers, but without the rigor of the NIST RMF (e.g., no FIPS 199 System Categorization)

Cisco Security Strategy: The Threat-Centric Security Model
Attack Continuum: … Enforce, Harden → … → After: Scope, Contain, Remediate
Covers Network, Endpoint, Mobile, Virtual, Cloud, Email and Web; Point in Time and Continuous

Cisco Security Strategy: NIST CSF Alignment
Attack Continuum phases mapped to the CSF Functions (… Remediate ↔ Respond, Recover)

Technology: Cisco Security Products, NIST CSF Alignment by Category
- Identify (ID): Asset Management; Business Environment; Governance; Risk Assessment; Risk Mgmt. Strategy
- Protect (PR): Access Control; Awareness/Training; Data Security; Info Protection Process; Maintenance; Protective Technology
- Detect (DE): Anomalies and Events; Continuous Monitoring; Detection Processes
- Respond (RS): Response …
- Recover (RC): Recovery Planning; Improvements; Communications
Twelve of the Categories are marked "Non-technical control area" on the slide.

People / Process: Cisco Security Services (Advisory, Integration, Managed), NIST CSF Alignment
Mapped against the same Function/Category grid (ID, PR, DE, RS, RC) as the products slide.

Cisco: Our Advantages
Cisco has the people, services, products, partners, corporate commitment and financial strength to ensure your success
- Our worldwide security team, including threat intelligence, research, supply chain, and customer support professionals, is focused on your success.
- Our services professionals can guide you as you plan, implement and manage your security, deliver security as a service, or help you during an attack.
- Our family of best-in-class products works together to stop threats quickly while reducing complexity and cost.
- Because of our open platform and industry leadership, we team with a comprehensive list of solutions providers and delivery partners.
- Cisco is committed to your success with the financial strength to invest in research, develop new products, and support your success.
Securely digitizing your enterprise allows you to secure your reputation, accelerate your mission, and save money.

Conclusion

Summary: Did we accomplish our mission?
1. PA Cybersecurity: Reviewed Assessment Framework
2. About NIST: Discussed who they are and what they do
3. NIST SP 800-53: Explained how the control catalog works
4. NIST RMF: Connected with the Strategic Plan
5. NIST CSF: Recommended it for cyber risk management

Call to Action
1. Learn more about Pennsylvania IT … ver.pt/community/security awareness/494/security assessment framework/203339
2. Learn more about NIST cybersecurity best practices: http://csrc.nist.gov
3. Learn more about Cisco's threat-centric security: http://www.cisco.com/go/security
Thanks for your time today!
