Security Technology Executive

SEP-OCT 2018

Issue link:

Contents of this Issue


Page 32 of 59

www. • September/October 2018 • SECURIT Y TECHNOLOGY E XECUTIVE 33 protect function could include access control, regular software updates, and anti-malware programs. • Subcategories: These are further divi- sions of categories with specific objec- tives. The regular software updates category could be divided into tasks like making sure wake on LAN is active, that Windows updates are configured properly and manually updating machines that are missed. • Informative References: Documenta- tion, steps for execution, standards, and other guidelines would fall into this category. A prime example in the manual Windows update category would be a document outlining steps to manually update Windows PCs. Another reason I have concluded that the NIST cybersecurity assessment model is more relevant to manufacturers and the system integrator community is that the NIST Cyber Security Framework is a more descriptive way as to how the level of implementation can be evaluated more than a simple (yes/no) answer. NIST Cybersecurity Framework Implementation Tiers Using the NIST CSF, there are four tiers of implementation, and while CSF doc- uments don't consider them maturity levels, the higher tiers are considered a more complete implementation of CSF standards. • Tier 1: Called partial implementation, organizations at Tier 1 have an ad-hoc and reactive cybersecurity posture. They have little awareness of organizational risk and any plans implemented are often done inconsistently. • Tier 2: Risk-informed organizations may be approving cybersecurity measures, but implementation is still piecemeal. They are aware of risks, have plans, and have the proper resources to protect themselves but haven't quite gotten to a proactive position. • Tier 3: The third tier is called repeatable, meaning that an organization has implemented CSF standards company-wide and are able to repeatedly respond to a crisis. Policy is consistently applied, and employees are informed of risks. • Tier 4: Called adaptive, this tier indicates total adoption of the CSF. Adaptive organizations aren't just prepared to respond to threats, they proactively detect threats and predict issues based on current trends and their IT architecture. In-House versus Third-Party Assessors Under the UL program, third-party sub- contractors comply under its third-party test data program to support field activities and product testing on its behalf. These third-party testers conform to Interna- tional Organization of Standardization, or (ISO). Most of the security benchmarking and testing under ISO is concentrated on the use of an Information Security Man- agement System (cybersecurity objectives) primarily used by large organizations as a comprehensive organization risk manage- ment plan. You will find ISO 27002 extensively used by multinational corporations and companies that do not have to specifically comply with U.S, federal regulations. ISO standards have been referred to as being "less paranoid" than NIST, which has an advantage of being less complex and About the author: Darnell Washington is the President/CEO of SecureX perts Inc. He is a consultant for over 22 federal agencies and prov ides subject matter expertise for architect ure and infrastruct ure components establishing Standard Operating A rchitect ure and Common Secure Infrastruct ure Operating A rchitect ure policy, compliance, governance, and Communications Securit y for Enterprise applications, including consolidation, ser ver v irt ualization, operations and maintenance, and deployment of wired and wireless applications. The NIST Security and Privacy Controls for Information Systems and Organizations encompass a comprehensive assessment methodolog y that can be applied to specific types of organizations, manufacturers, industrial control systems, defense and US Federal contractor protection of confidential and unclassified information, etc. therefore easier to implement. One unfor- tunate thing is that ISO charges for its publi- cations, and charges for certifications under its UL Assessment program. On the other hand, NIST Compliance is not based on a certification but more on a voluntary compliance and standard. Using a defined framework where third-party assessment and evaluation is included, greater flexibility can result in more dili- gence that can be applied to areas that are needed specific to the product or organi- zational objectives. These organizational objectives can be broken down based on operating modes and risk. Keep Your Organization Safe from Itself Whether you choose UL or NIST cybersecu- rity assessment models to ensure the prod- ucts you sell are cyber secure, I recommend you do choose one. According to TechRepublic those who consider themselves tech-savvy are more likely to get hacked. Professionals may have an attitude of "it won't happen to me" due to their knowledge and training , but one moment of complacency is all a dedicated hacker needs to find an exploit. Third-party assessments are the preferred way to keep your organization safe from itself. NIST Cybersecurity Framework IDENTIFY • Asset Management • Business Environment • Governance • Risk Assessment • Risk Management Strateg y PROTECT • Awareness Control • Awareness and Training • Data Security • Info Protection and Procedures • Maintenance • Protective Technolog y DETECT • Anomalies and Events • Security Continuous Monitoring • Detection Process RESPOND • Response Planning • Communication • Analysis • Mitigation • Improvements RECOVER • Recover y Planning • Improvements • Communications

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - SEP-OCT 2018