
Greg Witte

Everything posted by Greg Witte

  1. We received the following question during the webinar yesterday - Do you have any thoughts around how culture within organizations affects not only CSF but information security overall? I personally think culture has a significant impact. During the workshops, we used the example of how a culture of safety affects that area of influence. If managers are lax about safety, people can get hurt badly and the overall quality of company efforts will suffer. If, on the other hand, safety becomes institutionalized, it can become an enabler that brings the team together and creates an advantage. When a culture of common-sense risk management becomes institutionalized, I think that security improves throughout. Social engineering attempts work fewer times, phishing emails work less frequently, and the ISSO is called in at the design phase rather than a week before a project goes live. Lastly, some of the information security awareness activities can be a lot of fun. That in itself can benefit the organization. Other thoughts? (Note: We have about a dozen questions that I'll post here for discussion.) Greg
  2. I had a great time today introducing the CSF and ISACA in ISACA's Cybersecurity Exchange Webinar. The recording is available at: http://www.isaca.org/Education/Online-Learning/Pages/Webinar-How-to-Implement-the-US-Cybersecurity-Framework-using-COBIT-5.aspx Meanwhile, I took note of some of the questions, and I'll start some discussion topics on those fronts. Thanks to everyone who took time out of their day to join us!! Greg
  3. Good afternoon! I think there's a lot of merit in your suggestion. The adversaries have certainly figured out how to leverage multiple endpoints working as a large infrastructure. What might be the next steps to identify specific outcomes that would lead to your solution? BTW - I don't think there's a particular forum for this. Many of the others deal with specific elements of the Cybersecurity Framework, and I agree with you that this is a topic of general interest. Have a great day! Greg
  4. Greg Witte

    Scoping the Effort

    That's cool insight, Phil. It's great to be able to understand the derived requirements that result from a relatively simple outcome like "Data-at-rest is protected". One point to consider that came up in this week's NIST workshop - some orgs have misinterpreted the Informative Reference column as required controls. Those are simply examples for inspiration, and one could find replacement or supplemental inspiration through GRCsphere and CCH. I don't know how that might impact the resulting derived controls, but I hope an organization wouldn't try to do ISA and ISO and COBIT 5 and RMF and CCS. That would be hard! Thanks for bringing the question to CForum. After a great week at NIST with hundreds of friends and peers, I'd love to have conversations like this every day! Greg G2, Inc
  5. Greg Witte

    Demystifying the NIST CSF: CSF 101

    Ken, I agree - I've enjoyed your sessions and I've been telling others about them. Thanks for the great work de-mystifying the model! Greg
  6. BSI's Request for Information regarding a Certification Approach for ISO/IEC 27001:2013 with the Cybersecurity Framework
  7. Cybernance Response to BSI Request for Information
  8. Microsoft Corporation's response to the BSI Request for Information
  9. Response to BSI CSF RFI from itSM Solutions and the University of Massachusetts
  10. BSI RFI Questionnaire Response from Hatstand, a Synechron Company
  11. Response to BSI CSF RFI Questionnaire from Data Systems Analysts (DSA), Inc
  12. Response to BSI RFI from DNAnexus
  13. Response to the BSI RFI about CSF from Churchill & Harriman, Inc., Risk Management Consulting
  14. Socair Solutions BSI RFI Questionnaire Response
  15. Aspiryon response to BSI_RFI_Questionnnaire_Response
  16. G2 is helping BSI explore industry interest in a third-party assessment based on a combination of the Cybersecurity Framework (CSF) and the ISO/IEC 27001:2013 standard. It issued a Request for Information back in August, which we've publicized here. As our engineers help to implement the CSF around the world, we often hear frustration that the CSF outcomes are somewhat high-level (e.g., PR.DS-01, Data-at-rest is protected). They were built that way because it would be inappropriate for the Framework to declare a prescriptive approach for all users and all types of data. CSF’s purpose is to inspire users to determine for themselves what procedures and controls are necessary to achieve risk management goals (as determined in CSF Step 1), and then identify ways to monitor the ongoing effectiveness of those measures. The “how” is intentionally in the eye of the beholder. The challenge, then, comes when we try to use the CSF Profiles to compare my target state requirements against another’s current state assertions. Some organizations may need an independent and qualified 3rd party to determine whether a Current State Profile accurately describes the procedures and controls in place, and to render an opinion on the effectiveness of those measures claimed. Many Framework adopters already use the ISO/IEC 27000 family of international standards, and 27001 was well referenced by CSF. An organization that wants to leverage BSI’s Certification to ISO/IEC 27001 Information Security Management will already be formally assessing those CSF subcategories to which ISO controls are mapped. When a 3rd-party assessor assures that the necessary ISO/IEC 27001 procedures and controls are in place and working effectively, that same reviewer could consider the reasonableness of the other Current State Profile assertions. 
This approach wouldn’t bind CSF to any particular standard, but it might be beneficial for those that already apply ISO 27000 standards to organizational practices, and it might help provide some confidence to those that need higher assurance that the Current State Profile is accurate and reasonable. What are your thoughts? We’re getting ready to post the formal responses received in the Downloads folders here, and we’d welcome your thoughts in the Forums (fora?) Until then, be safe and have a great weekend!
  17. Greg Witte

    Cybersecurity Framework Workshop 2016

    NIST will be holding a workshop to talk about Privacy Controls ... details at http://www.nist.gov/itl/privacy-controls-workshop-09082016.cfm And Tom and I will be presenting about the Framework at ISACA CSX in Las Vegas in October!
  18. Greg Witte

    To choose right CMS

    Hi, Frank! I'm more of a process/policy person, so I don't know a lot about eCommerce platforms and went searching to learn more. I came across many sites, most of them ads for their particular platform, but I learned a lot from http://www.toptenreviews.com/business/internet/best-content-management-system-software/. I wasn't so much interested in their particular reviews, but I wanted to see what they used to measure "Security" aspects of a CMS. In your searching, some of those aspects might be useful in finding the right fit: Can you manage privileges in a granular way so that, if something goes wrong, the bad guy doesn't get all the keys to the kingdom? Does the CMS support well-established certificates and encryption models? Does it provide ways to confirm that there's a real human on the other end, without being too intrusive? Are there good logging & auditing methods to help you detect bad behavior, or at least understand what went wrong after an attack? Hopefully others can chime in with more specific suggestions, but I think one of my next steps would be to find specific security requirements that could be included in the search. Happy hunting! Greg
  19. Greg Witte

    Cyber security tool for business?

    Hi, Randy! Thanks for joining us! The company I'm part of (G2) is a small business here in the states, and I know that none of us has money to just give away to the bad guys. I'm sorry to hear your org fell prey to rotten criminals. Your note mentioned that you're looking at security tools and trying to replace security "top to bottom". Tools are important, and you might need a complete rebuild, but I would encourage you to take a look at the Cybersecurity Framework (or CSF) that CForum is organized around. The CSF was built by thousands of security teammates around the world, looking to find ways to deal with attacks like the ones you mentioned. We found that none of us have resources to just randomly throw at the problem, so we have to prioritize understanding of what needs to be done to protect what's really important to each company, then select the right tools to accomplish those priority outcomes. If you'd like to learn more about CSF, it's available here, and there's a supporting site at http://www.nist.gov/cyberframework. The industry resources page there has dozens of links to examples of how other organizations are already using it. Meanwhile, we have some free templates that might help get you started - please feel free to PM me via the CForum or drop me a note at greg.witte <at> g2-inc.com. Best wishes, Greg Witte
  20. I agree - it's great to see the ISAO community coming together. Several of their drafts are available for review/comment, and there's an open meeting at the end of August. For more information, visit https://www.isao.org/products/drafts/ Greg
  21. With the passage of recent legislation (e.g., the CISA provisions), it seems like organizations have more opportunities to share "best practices" directly with the government, who can then share relevant practices with sector participants. Based on the limited amount of sharing that has been going on over the last two years, perhaps such a USG-based solution would work best. Are there steps the US could take to increase that? Greg
  22. Good morning, team! No responses to my earlier question, so I guess everyone is still thinking about the risk question. Here's the next in the series - I promise, we won't go through all 25 of the RFI questions, but I think this one is pretty key: What could we recommend to NIST that you would add to, remove from, or change about the current CSF model? I'll start us out with a couple that I would bring now that I've used it several times: 1. I still like the notion of how I read the Tiers' role - the idea of intentionally and specifically determining the org's risk management strategy, integration and collaboration, then using that to help frame the outcomes that go in the Profiles. That said, they've clearly been confusing and I would re-engineer the way that occurs. 2. Meanwhile, where I see Tiers being used 90% of the time is where I would make a CSF addition: include a process capability determination in the Current State and Target State profiles. Many of my CSF clients have determined that it is helpful to add a rating scale to the category/subcategory outcomes, and that such a scale helps in setting the target. We use such a scale in COBIT 5 and our team added it to the ISACA CSF Profile. So, having poked the Tiers bear, standing by for brilliant thoughts. Have a great day!! Greg
  23. Greg Witte

    CForum RFI Response

    Good evening! I'd like to start collecting some information to provide a CForum response to NIST's RFI. This forum includes hundreds of those who attended the workshop, so I think we can speak with credibility and understanding. Certainly not going to try to cover all 25 questions, but I'd like to get some insight and I'll be sure to post the draft response here for consideration and feedback. Given that, here's the first round: To what extent do you believe the Framework has helped reduce your cybersecurity risk? Please cite the metrics you use to track such reductions, if any. Thanks! Greg
  24. Coming off the excitement of this week's ISACA CSX conference, I wanted to share a heated debate that we had there that is rivaled only by the infamous bathroom tissue OVER vs UNDER debate. (Not that there is a debate - I've been known to enter friends' houses and quietly CORRECT their rolls to the OVER position.) My personal default is to identify priorities, risk architecture, critical supporting assets, and then start with a Target Profile that defines what must be done to protect those resources. Upon completing an impartial list of where do I want to be, I can then record my Current State and review gaps. Many of my colleagues and customers, and indeed COBIT 5 itself, start with where we are and then decide where we want to be. From my perspective, in determining where I need to go, my current position has little value. If I need to get to Cleveland for a meeting, then I need to get there regardless of where I'm starting from. Once I've decided that, though, I can determine that I'm in Baltimore and I can calculate routes to get there. The counter-argument, though, is that in a real world, I should consider reasonable steps from my current position, not hypothetical targets that may or may not be reachable from here. What do you think - which comes first? Greg
  25. Greg Witte

    How far is up?

    Yesterday, I watched with interest as several senators asked about the success criteria for the Framework. Some were a little more snarky than others, but it's a valid question. U.S. academic, industrial, and governmental orgs have invested millions of dollars - how do we calculate the return on that investment? It seems like it needs to go beyond the talking phase - one could simply declare that they've selected a Tier to shoot for and say they're using the Framework. To run through the full cycle, while it could be done in days, is more likely to take several years. Certainly we wouldn't measure only those who have completed all the steps in a comprehensive way. So, how will we know if/when the Framework has achieved its goals? Greg