Jump to content

Greg Witte

  • Content Count

  • Joined

  • Last visited

About Greg Witte

  • Rank
    Advanced Member
  • Birthday March 24

Profile Information

  • Gender
  • Location
    Annapolis Junction, MD
  • Company Name
  • Sector
    Government information security

Recent Profile Visitors

1,003 profile views
  1. Good afternoon! I think there's a lot of merit in your suggestion. The adversaries have certainly figured out how to leverage multiple endpoints working as a large infrastructure. What might be the next steps to identify specific outcomes that would lead to your solution? BTW - I don't think there's a particular forum for this. Many of the others deal with specific elements of the Cybersecurity Framework, and I agree with you that this is a topic of general interest. Have a great day! Greg
  2. Greg Witte

    Scoping the Effort

    That's cool insight, Phil. It's great to be able to understand the derived requirements that result from a relatively simple outcome like "Data-at-rest is protected". One point to consider that came up in this week's NIST workshop - some orgs have misinterpreted the Informative Reference column as required controls. Those are simply examples for inspiration, and one could find replacement or supplemental inspiration through GRCsphere and CCH. I don't know how that might impact the resulting derived controls, but I hope an organization wouldn't try to do ISA and ISO and COBIT 5 and RMF and CCS. That would be hard! Thanks for bringing the question to CForum. After a great week at NIST with hundreds of friends and peers, I'd love to have conversations like this every day! Greg G2, Inc
  3. Greg Witte

    Demystifying the NIST CSF: CSF 101

    Ken, I agree - I've enjoyed your sessions and I've been telling others about them. Thanks for the great work de-mystifying the model! Greg
  4. Version


    Cybernance Response to BSI Request for Information
  5. Version


    BSI's Request for Information regarding a Certification Approach for ISO/IEC 27001:2013 with the Cybersecurity Framework
  6. Version


    Microsoft Corporation's response to the BSI Request for Information
  7. Version


    Response to BSI CSF RFI from itSM Solutions and the University of Massachusetts
  8. Version


    BSI RFI Questionnnaire Response from Hatstand, a Synechron Company
  9. Version


    Response to BSI CSF RFI Questionairre from Data Systems Analysts (DSA), Inc
  10. Version


    Response to BSI RFI from DNAnexus
  11. Version


    Response to the BSI RFI about CSF from Churchill & Harriman, Inc., Risk Management Consulting
  12. Version


    Socair Solutions BSI RFI Questionnnaire Response
  13. Version


    Aspiryon response to BSI_RFI_Questionnnaire_Response
  14. G2 is helping BSI explore industry interest in a third-party assessment based on a combination of the Cybersecurity Framework (CSF) and the ISO/IEC 27001:2013 standard. It issued a Request for Information back in August, which we've publicized here. As our engineers help to implement the CSF around the world, we often hear frustration that the CSF outcomes are somewhat high-level (e.g., PR.DS-01, Data-at-rest is protected). They were built that way because it would be inappropriate for the Framework to declare a prescriptive approach for all users and all types of data. CSF’s purpose is to inspire users to determine for themselves what procedures and controls are necessary to achieve risk management goals (as determined in CSF Step 1), and then identify ways to monitor the ongoing effectiveness of those measures. The “how” is intentionally in the eye of the beholder. The challenge, then, comes when we try to use the CSF Profiles to compare my target state requirements against another’s current state assertions. Some organizations may need an independent and qualified 3rd party to determine whether a Current State Profile accurately describes the procedures and controls in place, and to render an opinion on the effectiveness of those measures claimed. Many Framework adopters already use the ISO/IEC 27000 family of international standards, and 27001 was well referenced by CSF. An organization that wants to leverage BSI’s Certification to ISO/IEC 27001 Information Security Management will already be formally assessing those CSF subcategories to which ISO controls are mapped. When a 3rd-party assessor assures that the necessary ISO/IEC 27001 procedures and controls are in place and working effectively, that same reviewer could consider the reasonableness of the other Current State Profile assertions. This approach wouldn’t bind CSF to any particular standard, but it might be beneficial for those that already apply ISO 27000 standards to organizational practices, and it might help provide some confidence to those that need higher assurance that the Current State Profile is accurate and reasonable. What are your thoughts? We’re getting ready to post the formal responses received in the Downloads folders here, and we’d welcome your thoughts in the Forums (fora?) Until then, be safe and have a great weekend!
  15. Greg Witte

    Cybersecurity Framework Workshop 2016

    NIST will be holding a workshop to talk about Privacy Controls ... details at http://www.nist.gov/itl/privacy-controls-workshop-09082016.cfm And Tom and I will be presenting about the Framework at ISACA CSX in Las Vegas in October!