All Activity

  5. A deeper look into the Framework

    Thank you to everyone. I am new at this site and can already tell it's a cool place to share ideas. You have already given me a lot to think about and research. Thanks!
  6. The world has been shocked by the ransomware attack. Until today, countries still point fingers at each other, as nobody knows who activated the virus. I'm attached to a security cum forensic agency and I'm a bit perplexed by the law governing digital forensics. The big question is why the culprits always seem to get away with the crime. Aren't the existing laws strong enough?
  7. Greg, I am new to the CFORUM. I was trying to watch your presentation on ISACA processes to apply CSF. The link replies that the page cannot be found any longer. Is there any way I can obtain a link and/or the presentation to review? I am just starting a contract position where I need to implement information security practice using CSF, and any insight into using other processes would be helpful. Respectfully, Don Wray
  8. Multi-User CSA's

    Hi All, We are interested in finding out how many members are using some sort of Control Self-Assessment (CSA) instrument, model, app, template or tool. For instance, are you using a self-created CSA on Excel or Word? The reason that we are asking this is to see if any of you have explored the use of a CSA tool that is designed for multiple users. Let us know your thoughts as well as how you are currently measuring your company's progress in implementing the NIST Cybersecurity Framework (CSF). Thank you, Phil Wilson The GRC Sphere http://GRCsphere.org
  9. Greg, I have been working on an infrastructure for a number of years. The infrastructure is now ready for review and improvement. A working group of interested individuals is needed. I have contacted the INCOSE security working group in the hope of creating a subgroup to review this infrastructure. NIST, ISO, IEEE, INCOSE and other working groups are all needed to help in forming a working group to investigate and develop techniques and standards for better system reliability and security. A subgroup would investigate the infrastructure that I have been working on. I would appreciate any help that you can provide in this matter. Thanks, Gene
  10. Good afternoon! I think there's a lot of merit in your suggestion. The adversaries have certainly figured out how to leverage multiple endpoints working as a large infrastructure. What might be the next steps to identify specific outcomes that would lead to your solution? BTW - I don't think there's a particular forum for this. Many of the others deal with specific elements of the Cybersecurity Framework, and I agree with you that this is a topic of general interest. Have a great day! Greg
  11. The current approach to Cyber security is usually about one computer and a response to a newly discovered vulnerability. This approach has led to the current Cyber security crisis. A new approach and pattern views a system as many computers working together. A basic assumption is that a computer within a system will become infected. The requirements for such a system are: - Work and bulk data should be protected from an infected system component. - Work and bulk data should be replicated on multiple computers to maximize reliability. - A system should seamlessly recover from or avoid failure situations. One solution approach is for system programs to use an infrastructure for client to server access and to exchange messages. A client and server check point work recovery information along with exchanged messages. The work and client to server communication of a failed client or server can be recovered by the same kind of program running on a different computer. A server knows the identity of a client and what work a client is authorized to request. A server validates that a client request is permitted before performing work. If a client request is not permitted then the client system can be isolated and repaired. This approach and pattern can be used to improve system reliability and security. The software community needs to evaluate this approach and possible infrastructures that help programs within a system to achieve this pattern. Question to forum administrator: Is there a more appropriate forum to post this topic?
  12. To secure data stored in the cloud

    Hello, there are some of the best ways to secure data in the cloud using cybersecurity. The first extra-security option comes in the form of a simple text message, and companies like Google and Microsoft have been offering it for a while. It involves sending a code to a consumer’s cellphone and asking them to enter it along with their password. The second method relies on apps and is offered by firms like Duo and Authy. These apps offer an ever-changing series of numbers that serve as the extra step to go along with a consumer’s password. The app method is slightly more convenient because the user doesn’t have to wait for a text message, and crooks can’t compromise it by going through the phone company. The key method is extra-secure since it requires a user to prove they have a physical object before they can log in from a strange computer—something that would be nearly impossible for a hacker to do. The key method can also be quicker since it doesn’t involve entering a code delivered to a phone. Hope this helps you, Thanks.
  13. Scoping the Effort

    That's cool insight, Phil. It's great to be able to understand the derived requirements that result from a relatively simple outcome like "Data-at-rest is protected". One point to consider that came up in this week's NIST workshop - some orgs have misinterpreted the Informative Reference column as required controls. Those are simply examples for inspiration, and one could find replacement or supplemental inspiration through GRCsphere and CCH. I don't know how that might impact the resulting derived controls, but I hope an organization wouldn't try to do ISA and ISO and COBIT 5 and RMF and CCS. That would be hard! Thanks for bringing the question to CForum. After a great week at NIST with hundreds of friends and peers, I'd love to have conversations like this every day! Greg G2, Inc
  14. Scoping the Effort

    Our organization has received numerous questions from our members on the number of implied controls and implementation requirements that we need to implement, based on the current 98 lower-level control objectives that we find in the Rev 1.1 Draft. We did an assessment of CSF 1.0 using Common Controls Hub and came out with just over 1,000 specific requirements. Let us know if you have completed a Scoping assessment of 1.1. Thanks! Phil Wilson The GRC Sphere www.GRCsphere.org
  15. To choose right CMS

    I'd suggest looking into the superlative Drupal architecture which is especially strong in the areas of integration and extensibility, or if you'd prefer check out an e-commerce platform that uses Drupal 7 as an underlying infrastructure: cloudnet360.com. The latter will save you a lot of development dollars!
  16. List of Existing Mappings and Add-Ons?

    Hi Jack, Tom, Greg; You may be familiar with our members' use of the Common Controls Hub, which is not only the largest database of external regulatory requirements, but also contains comprehensive and detailed GRC configuration capabilities. Please opt in for free at http://grcsphere.pwcstores.com/select-role and we will provision an account for you. Again, no charge. We are looking forward to the release of the Mapper, which supersedes all the work we have done in the past on spreadsheets, but does not obsolete our own mapping work. For those more technically inclined, we have a graphical programming tool that offers expert system support, and we are using this Member facility to build advanced NIST CSF tools for industry-driven crowdsourcing and benchmarking. We have a foundation paper on this if you're interested. Phil
  17. Demystifying the NIST CSF: CSF 101

    Ken, Thanks for sharing the webinar. Sessions like these are helping to spread the word regarding the Framework and helping the community understand how they can use the Framework. On March 1, 2017, NIST hosted two additional webinars. They are presented by Matt Barrett, the NIST Cybersecurity Framework PM. The first session is a Framework overview and the second reviews the proposed changes in the Version 1.1 update. The webinars are available at: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events Tom
  18. Demystifying the NIST CSF: CSF 101

    Ken, I agree - I've enjoyed your sessions and I've been telling others about them. Thanks for the great work de-mystifying the model! Greg
  19. Symantec and NIST Co-hosted a NIST CSF 101 Webinar. It's a good overview and discussion about the creation and application of the Framework, I thought it might be of interest to the forum. https://www.brighttalk.com/webcast/13361/221237?cid=70138000001BZXYAA4&mc=201064&ot=wc&tt=tp
  20. Recently I came to know more about toll fraud and prevention methods from here: http://www.thinktel.ca/fraud-prevention/. I have a question related to this. What can we do if we have already been hacked? What are the next steps we should follow? I have heard of some cases. The customer would not know about this until he receives the bill at the month end. If you have more ideas about toll fraud, please share them.
  21. I was reading about cloud backup and recovery services here http://www.storagepipe.com/services/online-backup-and-recovery-service/. I think it is better to keep our important documents in the cloud instead of using external hard drives or other devices. But how about the security of cloud backup systems? I have heard some cases of data loss from the cloud. How can we assure the safety of our documents inside the cloud?
  22. We have a software development company in Toronto. The project-related files and other soft copies are stored in our online cloud. But we feel like our data is not secure in that cloud. We had some bad experience with that service. Now the company has decided to get services from some cyber security solutions providers like NCI in Mississauga. Apart from this, are there any other secure methods to keep the cloud data safe? I am awaiting your replies. Thank you.
  23. CSF Implementation Panel @RSAC2017

    As part of my daily job, I work with the NIST Cybersecurity Framework team. It is my pleasure to share with you that after 3 years of dialog with the community, the Cybersecurity Framework has been updated. This draft update, version 1.1, draws from discussions had at workshops, public comment periods, and general feedback received from stakeholders. The update is first and foremost an attempt to refine and clarify some aspects of the Framework. Additionally, the update adds information on topics that have been brought up as gaps in the original version, namely: cyber supply chain, measurement, and authentication. NIST is seeking comment on the draft from the community by April 10th 2017. If you plan on being at RSA2017 in February, I will be moderating a panel on the Cybersecurity Framework implementation and update. Scheduled to join me are: the NIST Cybersecurity Framework Program Manager Matthew Barrett, Venable Senior Director for Technology Risk Management John Banghart, as well as Center for Internet Security VP and CFORUM Executive Director Tony Sager. We will be discussing the who, the what, and the where of the Framework at 8:00am on Thursday 2/16/2017 in Moscone North 131. For those attending in person or who see the recap later, continue the conversation here, on CForum. Come join us.