NISTSP80037rev2-by Beruos.pptx

  1. NIST SP 800-37 (rev 2)
     Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
     NIST SP 800-37 (REV 2) NIST SP 800-37 (REV 1)
  2. NIST 800-37 Revision 2 - SCHEDULE
     NIST Special Publication 800-37, Revision 2, Risk Management Framework for Security and Privacy
     ● Initial Public Draft: May 2018
     ● Final Public Draft: July 2018
     ● Final Publication: October 2018
     NIST Special Publication 800-53, Revision 5, Security and Privacy Controls
     ● Final Public Draft: October 2018
     ● Final Publication: December 2018
     Source: https://csrc.nist.gov/projects/risk-management/schedule
  3. Overview
     ● Sources of NIST 800-37 (rev 2)
     ● What is NIST SP 800-37 (rev 2)
     ● Difference between 800-37 Revision 1 & 2
     ● Conclusion: Main thing you should know
  4. Sources of NIST SP 800-37 (rev 2)
     Knowing the source of 800-37 (rev 2) allows better context and understanding.
     NIST SP 800-37 (REV 2) NIST SP 800-37 (REV 1)
  5. NIST 800-37 Revision 2 - Source of Changes
     NIST 800-37 Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
     Source of Changes:
     ● President's Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
     ● Office of Management and Budget Memorandum M-17-25 - next-generation Risk Management Framework (RMF) for systems and organizations
     ● NIST SP 800-53 Revision 5 Coordination
     Source: E.O. Strengthening Cybersecurity of Federal Networks
     Source: M-17-25 OMB
  6. NIST 800-37 Revision 2 - Executive Order
     President's Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
     ● National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity
     ● Focus on critical infrastructure targets with highest risk
     ● Securing the Internet and focus on cybersecurity training
     Source: E.O. Strengthening Cybersecurity of Federal Networks
     Source: M-17-25 OMB
     Source: Framework for Improving Cybersecurity of Critical Infrastructure
  7. NIST 800-37 Revision 2 - OMB M-17-25
     Office of Management and Budget Memorandum M-17-25 - next-generation Risk Management Framework (RMF) for systems and organizations
     ● Memorandum to implement Improvements to Critical Infrastructure Cybersecurity
     ● Reporting on Agency Risk Management Assessments to DHS
     ● Action Plan for Implementation of the Framework
     ● Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
     Source: M-17-25 OMB
     Source: Framework for Improving Cybersecurity of Critical Infrastructure
  8. NIST 800-37 Revision 2 - NIST 800-53 Rev 5
     NIST SP 800-53 (Revision 5) Coordination
     ● Security and privacy controls more outcome-based
     ● Fully integrating the privacy controls
     ● Separating the control selection process from the actual controls
     ● Incorporating new, state-of-the-practice controls based on threat intelligence
     ● Implementation of Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
     Source: Framework for Improving Cybersecurity of Critical Infrastructure
     Source: NIST SP 800-53 Rev 5
  9. What is NIST SP 800-37 (rev 2) & Changes
     NIST SP 800-37 (REV 2) NIST SP 800-37 (REV 1)
  10. What is NIST 800-37 (Rev 2)
     Provides guidelines for applying the Risk Management Framework to federal information systems, including the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security monitoring. It is a process that guides an organization through very thorough security work during the life cycle of an important system. NIST 800-37 Revision 2 is an upgrade to this process.
     Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
  11. NIST 800-37 Revision 2 - NAME
     NIST 800-37 Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach
     NIST 800-37 Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
     Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
  12. NIST 800-37 Revision 2 - NAME
     NIST 800-37 Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
     In line with NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations.
     Puts privacy up front.
     Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
     Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
  13. NIST 800-37 Revision 2 - (4) Objectives
     There are four major objectives for this update:
     ● Communication between the risk management processes and activities at the C-suite level of the organization and the processes and activities at the system and operational level of the organization.
     ● To institutionalize critical enterprise-wide risk management preparatory activities to facilitate a more efficient and cost-effective execution of the Risk Management Framework at the system and operational level.
     ● To demonstrate how the Cybersecurity Framework can be implemented using the established NIST risk management processes (i.e., developing a Federal use case).
     ● To provide an integration of privacy concepts into the Risk Management Framework and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5.
  14. NIST 800-37 Revision 2 - NIST 800-37 Rev 2
     Communication between the risk management processes and activities at the C-suite level; to institutionalize critical enterprise-wide risk management preparatory activities:
     - Assign roles
     - Create strategy
     - Identify stakeholders
     - Identify information life cycle
     - Placement of system
     - Create monitoring program
  15. NIST 800-37 Revision 2 - NIST 800-53 Rev 5
     The primary objectives for institutionalizing organizational preparation are as follows:
     ● To facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners.
     ● To facilitate organization-wide identification of common controls and the development of organization-wide tailored security and privacy control baselines, to reduce the workload on individual system owners and the cost of system development and protection.
     ● To reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services through the application of enterprise architecture concepts and models.
     ● To identify, prioritize, and focus resources on high-value assets and high-impact systems that require increased levels of protection, taking steps commensurate with risk such as moving lower-impact systems to cloud or shared services, systems, and applications.
  16. NIST 800-37 Revision 2 - Cybersecurity Framework & RMF
     Put preparation in the center of the organization.
  17. NIST 800-37 Revision 2 - Cybersecurity Framework & RMF
     Put preparation in the center of the organization.
  18. NIST 800-37 Revision 2 - Cybersecurity Framework & RMF
     Put preparation in the center of the organization.
  19. NIST 800-37 Revision 2 - Privacy
     Put preparation in the center of the organization.
  20. Conclusion
     What is the main thing I should know?
     NIST SP 800-37 (REV 2) NIST SP 800-37 (REV 1)
  21. NIST 800-37 Revision 2 - NIST 800-53 Rev 5
     Main things you should know:
     ● Check out the sources for context
     ● NIST 800-37 is getting pushed to the forefront
     ● Cybersecurity Framework (what is it)

Editor's notes

  • All special publications are sourced from higher documents. These documents are policies, regulations and laws that are broad but put the special publication in perspective. This perspective gives the reader (and/or stakeholder) more context and therefore a better understanding of the publication's direction and intent. It is really good to at least review the source documents.
  • Revisions happen every few years to keep up with changes in the industry, threat levels, technology, etc.
