Demystifying the Cyber NISTs
WEBINAR

1. Federal Alphabet Soup

Acronym Overload!
Compliance, Critical Infrastructure, Cyber Security, EO 13636 - and Cyber Cyber Cyber…
FedRAMP, FISMA, NIST, FIPS, RMF, DIACAP
SP 800-53, SP 800-171, SP 800-37
FIPS 199, FIPS 200, OMB Circular 130
Learning Objectives
• Provide baseline knowledge of the most discussed frameworks, standards, and programs
• Put the acronyms in context of their intention and discuss their relationship to other standards
• Attempt to dispel some common misconceptions
About That Cyber Term…
“Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”
Source – NIST Cybersecurity Framework
The bottom line is that the government has defined cybersecurity as the function of protecting interconnected critical infrastructure and data.
2. Diving into the “NISTs”
Framing the Discussion for Federal
• Laws – Speak in terms of goals and objectives (e.g. FISMA)
• Regulations – Clarify the goals and objectives of a law
• Executive Orders – Provide additional guidance and direction
• Frameworks – Bring together a series of goals, objectives, standards, and implementation guidance (e.g. the NIST Cybersecurity Framework)
• Standards and Best Practices
  • FIPS – Federal Information Processing Standards
  • NIST SP – Special Publication (for security)
  • Information Supplements
• Programs – Designed to implement and enforce laws, regulations, and standards for a defined group (e.g. FedRAMP for cloud computing)
Note that the focus will largely be on the standards and frameworks that Schellman’s service provider clients have to follow.
Laws, Regulations, and EOs
• FISMA – Federal Information Security Management Act
  • FISMA is a law that governs government agencies
  • Applies by extension to those that use government data or resources
  • Not a compliance certification
• Regulations and Rulings
  • Often agency specific (e.g. ITAR)
  • HIPAA – Final Security Ruling
• Executive Orders
  • Can provide clarity and enforcement guidance (e.g. EO 13636 signed by Barack Obama)
Standards: NIST SP 800-53
• Why start here?
  • NIST SP 800-53 is the Kevin Bacon of federal cybersecurity
  • If not directly referenced within a law, it is no more than two degrees of separation from everything!
NIST SP 800-53 (cont.)
• National Institute of Standards and Technology Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
• Currently revision 4 (revision 5 is being put out for comment)
• Supports government FISMA compliance
• Is the detail behind Federal Information Processing Standard (FIPS) 200
• Is tailored based on FIPS 199
Back to FIPS
• Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA)
• Most common include:
  • FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems
  • FIPS 199 – Provides the methodology for establishing information categorization based on risk (i.e. low, moderate, and high)
  • FIPS 140-2 – Security Requirements for Cryptographic Modules
• FIPS tie laws to standards and, in almost all cases, FIPS are supported by more detailed guidance within the NIST Special Publications (e.g. NIST 800-53)
• https://csrc.nist.gov/publications/PubsFIPS.html
NIST SP 800-171
• Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
• Designed largely for federal contractors
• Uses a carved-out subset of the NIST 800-53 requirements
• Revision 1 released in December of 2016
Other Relevant Standards
• Special Publications
  • SP 800-145 – The NIST Definition of Cloud Computing
  • SP 800-117 and 800-126 – Multiple standards related to the Security Content Automation Protocol (SCAP)
  • SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach
  • Multiple SPs related to encryption and key management in support of FIPS 140-2
  • Others are platform and technology specific (e.g. virtualization, wireless, Apple OSX, and more)
  • http://csrc.nist.gov/publications/PubsSPs.html
• Additional
  • Common Criteria aka ISO/IEC 15408
Program: FedRAMP
• Federal Risk and Authorization Management Program (FedRAMP) defined standard and requirements
• Designed for cloud service providers (CSPs) being used by federal agencies
• Core Documentation/Deliverables - System Security Plan (SSP), FIPS 199, Security Assessment Plan (SAP) and Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M)
• Based on NIST SP 800-53 and 800-53A (testing procedures)
Program: Department of Defense and FedRAMP+
• DoD has additional frameworks and controls for maintaining mission critical systems
• Leverages the Risk Management Framework (RMF) set forth in NIST SP 800-37
• Defines impact levels of 2 through 6
• FedRAMP moderate = Level 2
• FedRAMP+ = FedRAMP plus additional controls from the DoD Supplemental Resource Guide (SRG)
• http://iasecontent.disa.mil/cloud/SRG/
DoD Instruction (DoDI) 8500.01, entitled Cybersecurity, directs Director DISA, under the authority, direction, and control of the DoD CIO to develop and maintain Control Correlation Identifiers (CCIs), Security Requirements Guides (SRGs), Security Technical Implementation Guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the National Security Agency Central Security Service (NSA/CSS), using input from stakeholders, and using automation whenever possible.

DoD Impact Levels Broken Out
Framework: NIST Cybersecurity Framework
• Originally published in 2014. Version 1.1 comments were solicited until April 10, 2017.
• Designed to scale with flexibility regardless of industry
• Builds on SP 800-53 and also maps to ISO 27001, COBIT, and Industrial Controls requirements
• Recently pitched to the healthcare industry for adoption
https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
Framework Core
• Cybersecurity activities and informative references, organized around particular outcomes
• Enables communication of cyber risk across an organization
Framework Profile
• Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
• Supports prioritization and measurement while factoring in business needs
Framework Implementation Tiers
• Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics
What Else?
• International Traffic in Arms Regulation (ITAR)
• Criminal Justice Information System (CJIS)
  • Program
  • Includes a “policy” of standards requirements
• Department of Commerce National Technical Information Service (NTIS) Limited Access Death Master File (DMF)
  • Standard for protecting a file of social security numbers associated with deceased persons
  • Includes an attestation report/template
3. Bringing it Back Together

Understanding the Cyber NIST Pieces of the Puzzle
• Laws, Regulations, and EOs: FISMA, HIPAA, EO 13636
• FIPS Standards: FIPS 200, FIPS 199, FIPS 140-2
• SP Standards: 800-53, 800-37, 800-171
• Compliance Programs: FedRAMP, DoD SRG, CJIS
• Frameworks: NIST Risk Management Framework, NIST Cybersecurity Framework
Closing Thoughts
• Don’t have to be an expert
• Recognize the core standards most applicable for your business
• Know where to look for help (and who to ask!)
STAY UP-TO-DATE
www.schellmanco.com

What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Demystifying the Cyber NISTs

3. Acronym Overload!
Compliance, Critical Infrastructure, Cyber Security, EO 13636 - and Cyber Cyber Cyber…
FedRAMP, FISMA, NIST, FIPS, RMF, DIACAP
SP 800-53, SP 800-171, SP 800-37
FIPS 199, FIPS 200, OMB Circular A-130
4. Learning Objectives
• Provide baseline knowledge of the most discussed frameworks, standards, and programs
• Put the acronyms in context of their intention and discuss their relationship to other standards
• Attempt to dispel some common misconceptions
5. About That Cyber Term…
“Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.” (Source: NIST Cybersecurity Framework)
Bottom line: the government has defined cybersecurity as the function of protecting interconnected critical infrastructure and data.
6. Section 2: Diving into the “NISTs”
7. Framing the Discussion for Federal
• Laws – Speak in terms of goals and objectives (e.g. FISMA)
• Regulations – Clarify the goals and objectives of a law
• Executive Orders – Provide additional guidance and direction
• Frameworks – Bring together a series of goals, objectives, standards and implementation guidance, like the NIST Cybersecurity Framework
• Standards and Best Practices
  • FIPS – Federal Information Processing Standards
  • NIST SP – Special Publications (the 800 series covers computer security)
  • Information Supplements
• Programs – Designed to implement and enforce laws, regulations, and standards for a defined group (e.g. FedRAMP for cloud computing)
Note that the focus will largely be around standards and frameworks that Schellman’s service provider clients have to follow.
8. Laws, Regulations, and EOs
• FISMA – Federal Information Security Management Act
  • FISMA is a law that governs government agencies
  • Applies by extension to those that use government data or resources
  • Not a compliance certification
• Regulations and Rulings
  • Often agency specific (e.g. ITAR)
  • HIPAA – Security Rule (final rule)
• Executive Orders
  • Can provide clarity and enforcement guidance (e.g. EO 13636, signed by Barack Obama)
9. Standards: NIST SP 800-53
• Why start here?
• NIST SP 800-53 is the Kevin Bacon of federal cybersecurity
• If not directly referenced within a law, it is no more than two degrees of separation from everything!
10. NIST SP 800-53 (cont.)
• National Institute of Standards and Technology Special Publication 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
• Currently Revision 4 (Revision 5 is being put out for comment)
• Supports government FISMA compliance
• Is the detail behind Federal Information Processing Standard (FIPS) 200
• The control baseline is selected and tailored based on the FIPS 199 categorization (low, moderate, or high)
11. Back to FIPS
• Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA)
• Most common include:
  • FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems
  • FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems; provides the methodology for categorizing information and systems by potential impact (low, moderate, or high)
  • FIPS 140-2 – Security Requirements for Cryptographic Modules
• FIPS tie laws to standards and, in almost all cases, FIPS are supported by more detailed guidance within the NIST Special Publications (e.g. NIST SP 800-53)
• https://csrc.nist.gov/publications/PubsFIPS.html
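The FIPS 199 categorization the deck keeps referring to is a small, mechanical procedure, and the part people get wrong is the aggregation: each information type is rated per security objective, a system inherits the highest value for each objective across everything it processes (the "high water mark"), confidentiality may be N/A for public data but a system's value can never be below LOW, and under FIPS 200 the single overall impact level that picks the SP 800-53 baseline is the highest of the three objective values. The following Python is an added worked example written for this page; it is not code from the webinar, from Schellman, or from NIST, and the information types it categorizes are constructed sample data.

```python
"""Worked FIPS 199 / FIPS 200 security categorization (added example).

Rules implemented, taken from FIPS 199 Section 3 and FIPS 200:
  * each information type gets an impact value for confidentiality,
    integrity and availability; confidentiality may be N/A for public data;
  * an information system's value per objective is the highest value
    assigned to any information type it processes (the high water mark);
  * at the system level N/A is not permitted, so the floor is LOW;
  * the overall system impact level, which selects the SP 800-53 baseline
    (low, moderate or high), is the highest of the three objective values.
The information types at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: Optional[str]  # None models the FIPS 199 "N/A" value
    integrity: str
    availability: str


def _max_impact(values: Iterable[Optional[str]]) -> str:
    """High water mark over a set of impact values.

    N/A (None) entries are ignored and the result is never below LOW,
    because an information system cannot carry an N/A rating."""
    rated = [v for v in values if v is not None]
    for v in rated:
        if v not in IMPACT_RANK:
            raise ValueError(f"unknown impact value {v!r}")
    if not rated:
        return "LOW"
    return max(rated, key=IMPACT_RANK.__getitem__)


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective system categorization, e.g.
    {'confidentiality': 'MODERATE', 'integrity': 'HIGH', 'availability': 'LOW'}."""
    types = list(info_types)
    return {obj: _max_impact(getattr(t, obj) for t in types) for obj in OBJECTIVES}


def overall_impact(categorization: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the highest of the three objectives.
    This is the value that selects the SP 800-53 low/moderate/high baseline."""
    return _max_impact(categorization[obj] for obj in OBJECTIVES)


def sc_notation(name: str, categorization: Dict[str, str]) -> str:
    """Render the result in the FIPS 199 'SC' notation used in an SSP."""
    parts = ", ".join(f"({obj}, {categorization[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed sample: a hypothetical records portal handling three
# information types. Public web content is N/A for confidentiality.
SAMPLE_TYPES = [
    InfoType("public web content", None, "LOW", "LOW"),
    InfoType("case management records", "MODERATE", "HIGH", "LOW"),
    InfoType("contact e-mails", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    print(sc_notation("records portal", cat))
    print("overall impact / SP 800-53 baseline:", overall_impact(cat))
```

Note that a single HIGH integrity rating on one information type drags the whole system to the high baseline; that is exactly why categorization decisions get argued over in FedRAMP and RMF packages, and why the categorization document is one of the FedRAMP core deliverables.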
12. NIST SP 800-171
• Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
• Designed largely for federal contractors
• Uses a carved-out subset of the NIST SP 800-53 requirements
• Revision 1 released in December 2016
13. Other Relevant Standards
• Special Publications
  • SP 800-145 – The NIST Definition of Cloud Computing
  • SP 800-117 and SP 800-126 – Multiple standards related to the Security Content Automation Protocol (SCAP)
  • SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • Multiple SPs related to encryption and key management in support of FIPS 140-2
  • Others are platform and technology specific (e.g. virtualization, wireless, Apple OS X, and more)
  • http://csrc.nist.gov/publications/PubsSPs.html
• Additional
  • Common Criteria, aka ISO/IEC 15408
14. Program: FedRAMP
• The Federal Risk and Authorization Management Program (FedRAMP) defines the standard and requirements
• Designed for cloud service providers (CSPs) being used by federal agencies
• Core documentation/deliverables – System Security Plan (SSP), FIPS 199 categorization, Security Assessment Plan (SAP) and Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M)
• Based on NIST SP 800-53 and SP 800-53A (assessment procedures)
15. Program: Department of Defense and FedRAMP+
• DoD has additional frameworks and controls for maintaining mission critical systems
• Leverages the Risk Management Framework (RMF) set forth in NIST SP 800-37
• Defines impact levels 2 through 6
• Level 2 corresponds to the FedRAMP Moderate baseline
• FedRAMP+ = FedRAMP plus additional controls from the DoD Cloud Computing Security Requirements Guide (SRG)
• http://iasecontent.disa.mil/cloud/SRG/
“DoD Instruction (DoDI) 8500.01, entitled Cybersecurity, directs Director DISA, under the authority, direction, and control of the DoD CIO to develop and maintain Control Correlation Identifiers (CCIs), Security Requirements Guides (SRGs), Security Technical Implementation Guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the National Security Agency Central Security Service (NSA/CSS), using input from stakeholders, and using automation whenever possible.”
16. DoD Impact Levels Broken Out
17. Framework: NIST Cybersecurity Framework
• Originally published in 2014. Comments on the draft Version 1.1 were solicited until April 10, 2017.
• Designed to scale with flexibility regardless of industry
• Builds on SP 800-53 and also maps to ISO/IEC 27001, COBIT, and industrial control system requirements
• Recently pitched to the healthcare industry for adoption: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
The Framework’s three components:
• Framework Core – Cybersecurity activities and informative references, organized around particular outcomes; enables communication of cyber risk across an organization
• Framework Implementation Tiers – Describe how cybersecurity risk is managed by an organization and the degree to which its risk management practices exhibit key characteristics
• Framework Profile – Aligns industry standards and best practices to the Framework Core in a particular implementation scenario; supports prioritization and measurement while factoring in business needs
18. What Else?
• International Traffic in Arms Regulations (ITAR)
• Criminal Justice Information Services (CJIS)
  • Program
  • Includes a “policy” of standards requirements (the CJIS Security Policy)
• Department of Commerce National Technical Information Service (NTIS) Limited Access Death Master File (DMF)
  • Standard for protecting a file of Social Security numbers associated with deceased persons
  • Includes an attestation report/template
19. Section 3: Bringing it Back Together
20. Understanding the Cyber NIST Pieces of the Puzzle
• Laws, Regulations, and EOs – FISMA, HIPAA, EO 13636
• FIPS Standards – FIPS 200, FIPS 199, FIPS 140-2
• SP Standards – SP 800-53, SP 800-37, SP 800-171
• Compliance Programs – FedRAMP, DoD SRG, CJIS
• Frameworks – NIST Risk Management Framework, NIST Cybersecurity Framework
21. Closing Thoughts
• You don’t have to be an expert
• Recognize the core standards most applicable for your business
• Know where to look for help (and who to ask!)