CHALLENGE - NIST Cybersecurity Framework for Improving Critical Infrastructure

Order 13636 requires accountability to assure cyber-security readiness, requiring Financial, Communications, Manufacturing, Defense, Energy, Emergency Services, Food and Agriculture, Healthcare, IT, Utilities, Chemical, Water, Nuclear Reactors, Materials, & Waste and Transportation sectors to initiate voluntary compliance with the NIST Cybersecurity Framework.

CSFsystempolicy2framwork

Get Cyber Ready

  • Know the critical assets and who’s responsible for them
  • Get everyone involved in cyber-resilience
  • Be prepared for attack
  • Prevent cyber-attack from throwing your organization into complete chaos.
  • Businesses must understand their environment from the perspective of an adversary.
  • Expectation to use threat modeling and ask “Who is the adversary and what does the adversary want to accomplish?”

Cyber threat analysis, reducing the attack surface requires understanding

  • Methods attackers use to touch or exploit vulnerabilities
  • That an attack surface represents every interface an enemy could exploit to their own malicious intent
  • FIPS 200 Minimum Security Requirements for Federal Information and Information Systems, and
  • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems

 NIST Cybersecurity Framework (CSF)

Why align with CSF?

US Executive Order 13636 calls for the development of a voluntary cybersecurity framework by the National Institute of Science and Technology (NIST) for “critical infrastructure” providers.

The NIST Cybersecurity Framework seeks to protect systems and assets most crucial to the safety of our country and ensure all critical sectors uphold a certain level of cybersecurity.

Clients gain increased alignment with multiple Regulatory Requirements

EnterpriseGRC Solution works with Cavirin to adopt a RegTech approach, using agility, speed, integration and analytics to weave a regulatory fabric that both informs and allows business clients to breath.  The CSF Policy Pack leverages Homeland Security’s published Cyber Resilience Review (CRR): NIST Cybersecurity Framework Crosswalks to provide integrated risk reporting grouped by the Cyber Security Domains Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC).  Cavirin’s Automated Risk Assessment Platform, (ARAP™), reports according to the core framework and further maps environment findings to additional standards including CIS CSC 6.0, COBIT 5, ISO/IEC 27001:2013, HIPAA HITECH, NIST SP 800-53 Rev. 4 plus Appendix J for Privacy, SOC2 2016 including Privacy, PCI DSS 3.2 including Appendix, and various custom policy packages based on individual customer needs.

Financial services, Health, Government and all critical industry sectors are subject to demanding wide-ranging cybersecurity regulations and are repeatedly examined by federal and state authorities.  CSF strengthens the overall cyber-security posture of “critical infrastructure” by helping to ensure, among other things, that third party providers adhere to baseline cybersecurity standards. By enforcing the use of DISA STIGS and CIS Benchmarks to apply secure and policy-driven configuration, the framework is a catalyst to secure technologies.

Our clients gain advantage through alignment with NIST standards compliance. CSF program effectiveness supports elements in achieving compliance with all of the following laws:

  • UK Data Protection Act 1998
  • Fair Credit Reporting Act, the Right to Financial Privacy Act
  • The Computer Misuse Act 1990 (UK)
  • Federal Information Security Management Act 2001 (US)
  • Gramm‐Leach‐Bliley Act (GLBA) 1999 (US)
  • Federal Financial Inst. Examination Council’s (FFIEC) security guidelines (US)
  • Sarbanes‐Oxley Act (SOX) 2002 (US)
  • State security breach notification laws (e.g. California) (US)
  • Health Insurance Portability and Accountability Act (HIPAA) 1996 (US)

THE SOLUTION

EnterpriseGRC facilitated compliance solutions include the Automated Risk Analysis Platform (ARAP), designed to assist Chief Risk & Security, as well as IT and DevOps leadership in addressing their top security and compliance challenges:

  • Missing patches for operating systems and applications.
  • Monitoring and detecting sensitive data loss (data exfiltration).
  • Locating weak passwords.
  • Lack of logs and audit trails than can conduct forensics to identify and respond to a breach.
  • Security validation for new systems.
  • Missing or outdated anti-malware technology.
  • Encryption of sensitive information in transit.
  • Remediate deficiencies that would otherwise be impossible to manage due to the lack of trained staff maintaining security controls.

Compliance in any environment

  • Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
  • A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability domains
  • Works with Private, Hybrid, and Public Clouds
  • Support AWS, Azure, GCP (Google Cloud Platform)
  • Manages thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL)
  • Is CIS Certified security content (Multiple OS, Docker, AWS Cloud)