nist cybersecurity risk management conference 2018 · harmonize cybersecurity risk management and...

Draft Version – 18 September 2018

1Thisdraftagendaissubjecttochangeandwillbe

updatedasschedulesandsessiontitlesareconfirmed.

NIST Cybersecurity Risk Management Conference 2018Renaissance Baltimore Harborplace Hotel, Baltimore, Maryland

November 7-9, 2018ConferencePurpose:ThenewlyexpandedconferenceformatbuildsontheannualCybersecurityFrameworkWorkshopsheldforthepastfiveyearsandaddsothercybersecurityriskmanagementtopics:RiskManagementFramework,SupplyChainRiskManagement,andthePrivacyFramework.

Thisconferencewillprovideparticipantswith:

1) Anopportunitytolearnaboutthecurrentstateofcybersecurityriskmanagementandinnovativeapproachesthatarebeingdeployed,and2) Aforumtovoicetheiropinionsonanddiscusstoday’smostvitalcybersecurityriskmanagementissuesandsolutions.

Sharingwilltakeplacethroughpresentations,panels,andworkingsessions,aswellasampleforumsfornetworking.

Agenda Overview Wednesday,November7,2018RegistrantCheck-InWelcomingRemarksandPlenaryBreakPlenaryPanelsLunch–toincludelunchandlearnsessionsAfternoonSessionsIBreakAfternoonSessionsIIAdjourn

Thursday,November8,2018RegistrantCheck-InPlenaryPanelBreakMorningSessionsIIILunch–toincludelunchandlearnsessionsAfternoonSessionsIVBreakAfternoonSessionsVAdjourn




Friday,November9,2018RegistrantCheck-InPlenaryPresentationBreakMorningSessionsVILunch

Confirmed Sessions More topics to be added, session date and time to be determined FinancialServicesSectorCybersecurityProfile:ANIST-basedApproachtoHarmonizeCybersecurityRiskManagementandComplianceJoshMagri,BankPolicyInstituteStartingin2016,thefinancialservicesindustry--throughitsFinancialServicesSectorCoordinatingCouncil--beganmappingthemanyregulatoryissuancesagainsttheNISTCybersecurityFramework,CPMI-IOSCO,andISO27000standards.Throughthemapping,apatternemerged:over80%oftheregulatoryissuancesweretopicallyidentical,butsemanticallydifferent.Toreconcileandrationalizethesedifferences,inMarch2017,industrybegandevelopingtheFinancialServicesSectorCybersecurityProfile(“Profile”),architectedaroundtheNISTCybersecurityFramework.ThissessionoffersanopportunitytolearnabouttheProfile,itspubliclaunchasaVersion1.0,anditspotentialevolution.Atitscore,theProfileisaharmonizedmeta-frameworkapproachtocybersecuritythatrecognizesthemultiple,oftenoverlapping,regulationsandsupervisory/examiningagencyapproaches,whilefosteringanefficient,results-orientedapproachtocybersecurityforinstitutionsofallsizesandcomplexity.EnablingExecutiveLevelDecisionsJackJones,FAIRInstitute Thebreadandbutterofexecutivelifeinvolvesmakingdifficulttrade-offsregardingwheretoapplytheirlimitedresources.Thesetrade-offsinvariablyrequirevalue/liability-basedcomparisonsthatneedtobeas“apples-to-apples”innatureaspossible.Inthissession,thepresenterwilldescribehowtohelpexecutivesmakewell-informeddecisionsabouttheirinvestmentsincybersecuritybycombiningtheNISTCybersecurityFrameworkwithquantitativeanalyticsbasedontheFactorAnalysisofInformationRisk(FAIR)model.Byexpressingriskandriskreductionineconomicterms,thisapproachenablescost-benefitmeasurementsthatexecutivesinnatelyunderstand,andwhichsupportsrationalanddefensiblechoicesthatotherwisearen’tpossible.




UsingtheNISTFrameworktoDesignandImplementRisk-basedCybersecurityManagementinaGlobalConglomerateJohnPetrie,NTTThespeakerwillshareNTT’songoingeffortstousetheNISTCybersecurityFrameworktounifycybersecuritypracticesamongitsglobaloperatingcompanies.NTThasgrowngloballythroughmergerandacquisition.Eachoperatingcompanyhasadifferentcountryfranchise,size,culture,andbusinessfocus.Currently,itsglobalbusinesssizeis$20billion(USD)withmorethan20significantoperatingcompanies.NTTaimstodevelopa“OneNTTwithdiversity”strategyforitscybersecuritymanagement,andtousetheNISTFrameworktodevelopandimplementthisstrategy.Thepresentationwilldescribe:NTT’sinternationalbusinesses,itsaspirationtodevelopharmonizedcybersecuritypractices,theroleoftheNISTCybersecurityFrameworkindevelopingacommongoalacrossNTT’sdiversifiedoperatingcompanies,andkeychallengesintheon-goingefforts.Thiswillbeauniquecase,wheretheNISTFrameworkisbeingusedwithaglobalscopeandsignificantsize.Bysharingasuccessstory,thespeakeraimstostimulateactivediscussionsandwelcomestheopportunitytolearnfromparticipantsabouthowtoapplytheNISTFrameworktoadifferentbusinessculture,focus,andsize.CybersecurityCoalitionDistributedDenialofServiceMitigationProfileAriSchwartz,CoalitionforCybersecurityPolicyandLawTheCybersecurityCoalitionhasbeendevelopingDistributedDenialofService(DDoS)mitigationprofileoftheCybersecurityFramework.ThisisacriticaldeliverableidentifiedintheDOC/DHSbotnetreportsubmittedtothePresidentinMay2018.ItisalsoalittledifferentthanpastCybersecurityFrameworkprofiles,whichwerefocusedonsectorsratherthanaspecificthreat(DDoS.)RiskManagementforAutomotiveCybersecurityBillMazzara,FiatChryslerAutomotiveGroup

Theautoindustrycontinuestoaddconnectivitytovehiclestosatisfythecustomer'sinsatiableappetitefortechnology,butcarsarenotjustinsecureendpointsonsomecomputernetworkassomehaveportrayed.Vehiclecybersecurityisforginganewfieldofproductcybersecurity.WorkingcollaborativelywithISO,bestprocessesarebeingestablishedforindustry-widecybersecuritypreparedness.Riskpoliciesmustbeestablishedforprocessesofarisk-basedmethodologybasedonriskassessment.EnterprisecybersecurityriskassessmentmethodsmustbereworkedandusedinaconsistentmanneracrosstheIndustry.ISO21434proposescommoninterpretationsofmethodsleveragingtheexistingwealthofknowledgeinassetcategorizationandassessmentofimpactandattackpotentialinordertoestimaterisktoproducts.




TheBusinessandRegulatoryValueofThirdPartyCertificationtotheNISTCybersecurityFrameworkJohnDiMaria,BSIandRonaldTse,RiboseBSI’s“NISTCybersecurityFramework(NCFS)”assessmenttoolprovidesaharmonizedapproachtocybersecurity,andnowhasjoinedtheranksofISO(ISO27103).Thirdpartycertificationhasbeenembracedgloballybymanycountriesasawaytoincreaseglobalconsistencytocybersecurityapproachesandtosupportanindustry-basedself-regulatorysystemratherthanagovernment-basedmandatedregulatorysystem.ThissessionwillfeatureoneofthefirstglobalorganizationscertifiedbyBSItotheNISTCybersecurityFramework.Attendeeswillhearhow:companyleadershiphaspickedupthevocabularyoftheFrameworkandhavinginformedconversationsaboutcybersecurityrisk;theFramework’stiersareusedtodetermineoptimallevelsofriskmanagement;andtheprocessofcreatingprofilespromotesunderstandingofcurrentcybersecuritypracticesandhelpsinintegratingthesefindingswiththeirinformationsecuritymanagementsystem.TheorganizationimplementingtheNISTFrameworkalsowillexplainhowtheFramework’sholisticnatureintegrateswithISO/IEC27001,howthathelpsinprioritizingandbudgetingforcybersecurityimprovementactivities,andhowthecertificationprocessvalidatedtheirapproachandprovedtheeffectivenessoftheirprocess.MeasuringanOrganization’sSecurityMaturityUsingtheNISTCybersecurityFrameworkScottDavis,CloroxManyorganizationsoftenareverygoodatmeasuringsecuritymetricsfromtraditionalcontrolsandmonitoringsolutions.However,thechallengehasbeenprovidinganoverallviewofthesecurityorganizationtomanagementandbusinesscustomersandtrackingprogressovertime.ThissessionwillexplainhowusingtheNISTCybersecurityFrameworkalongwithamaturitymodel(Initial–Optimize),organizationscanprovideaviewintohoweffectivethesecurityprogramisperformingyearafteryearusingawell-definedsetofmetrics.NISTCybersecurityFrameworkandPCIDSSTroyLeachandLaurenHolloway,PCISecurityStandardsCouncil(SSC) ThissessionwillcoverPCISSC’scurrenteffortstomapcontrolsbetweentheCybersecurityFrameworkandPCIDataSecurityStandard(DSS).ThesimilaritiesandrelationshipbetweentheFrameworkandPCIDSSwillalsobedescribed.Additionally,thepresentationwillhelporganizationsunderstandhowachievementofCybersecurityFrameworkoutcomesmayalsoaddresscontrolsinotherstandardsandguidelines




FrameworkforImprovingCriticalInfrastructureCybersecurity:APracticalImplementationWilliamWestwater,Boeing

ThispresentationwillprovideapracticalexampleofhowtoimplementtheNISTCybersecurityFrameworkinascalablemannerforalargeenterprise.Thisapproachfocusesonthemanagementoftechnicalcontrolsand“securityhygiene”activitiesthatshouldaddressvulnerabilitiesthatarefrequentlyleveragedasanavenueforpenetrationandattacksoncriticalinfrastructuresystems.Thisisanunder-emphasizedaspectofsecuritythatisoftenovershadowedby“sexy”technicalcontrolsthat,whilecriticallyimportant,areunderminedifthefullsuiteofcontrolsisnotpresentandfunctioning.Thispresentationanddiscussionwillenableanorganizationtomanagecomputingsecurityactions,relatethemtorisk,andprioritizethoseactionsandthespendingassociatedwithsecuringanenterprise.CyberStrategyOptimizationforRiskManagement:ANewApproachMichaelCoden,BostonConsultingGroupThispresentationlaysoutanovelmethodologyforcalculatingtheROIoncybersecurityinitiativesinanorganization.Themethodologyblendsoperationalriskmanagement,theory,andcybersecuritydisciplines.ItappliestheNISTCybersecurityFrameworktoorganizeprojectportfoliosandevaluatecurrentandtargetstatesofcybersecuritywithintheenterprise.UsingtheLossDistributionApproachfromoperationalriskmanagementthemethodologyshowsthatitispossibletocalculatearelativeriskreductionbyimplementingcybersecurityprojectsthateitherprotecttheorganizationsassetsorreducetheimpactofpotentialincidentstothoseassets.Useofportfoliotheoryinthismethodologyhelpsaccountforsynergiesandoverlapsinprojectsthatarepotentiallyimpactingthesamecontrols,orprotectingthesameassets.Thisbendedmodelhelpsguidecybersecurityprojectselectiontooptimizeprojectspending,whilemaximizingtheresultsinbothdollarriskreductionandcybermaturityincrease.Ultimately,themodelproducesarelativeROIforeachofthealternativeportfoliostohelpdecisionmakersselectanoptimalprojectportfoliofortheirorganization. DerivingBusinessInsightfromCybersecurityFrameworkFindingsBrettYoung,Leidos ThispresentationoutlinesfiveusesforresultsfromaNISTCybersecurityFrameworkassessment.Basedonwell-establishedcriteria,theCMMI(CapabilityMaturityModelIntegration)allowsassessmentteamstoquantifyanorganization’smaturityforeachofthesub-categorieslistedintheCybersecurityFramework.Theresultingscorecardcanbeusedasaninputintoavarietyofgovernanceandbusinessintelligencemetrics.Formostcompaniesthistypeofinsightcanreducetheirsecurityspendbycomparingthecompany’sstatedsecurityobjectiveswithbestpractices.Theresultscanbeusefulfordeterminingcybersecuritystrategy.Examplestudieswillbehighlighted:




• ToolsandControls–Howdotheorganization’stoolsandcontrolsaddresstheprovisionsoftheNISTCybersecurityFrameworksub-categories?Thisfacilitatesdecisionsonbudgetsandpolicydevelopment.

• Teamresponsibilities–Whichteams/rolesareresponsibleforpolicybasedontheCybersecurityFramework?

• CybersecurityInitiatives–Howdotheorganization’scybersecurityinitiativescomparewiththevulnerabilityprofilesfromCybersecurityFrameworkresults?

• ManagedServiceProvider(MSP)-outsourcedservices–WhichresponsibilitiesshouldanMSPbear,andhowtomapthosetotheCybersecurityFramework.

• QuantifyingRisk–Assessments,alongwithtechnicalscansrepresentthebestsourceforassessingriskusingmethodssuchFactorAnalysisofInformationRisk(FAIR).

Participantswillreceiveaspreadsheetwithexamplesofeachstudydiscussed. ImplementingtheCybersecurityFrameworkErnestBegin,KAMANHowcanyoumeasureyourcybersecurityposture?WhatisyourITrisktolerance?Areourcybersecuritypracticesmatureenough?HearhowKaman,amid-sizedproviderofaerospaceandindustrialsolutions,identifiedandimplementedtheCybersecurityFrameworkfromanITpolicyperspective,howtheymeasuretheircybersecuritymaturity,andhowtheyplantocommunicatethattotheirsuppliersandcustomers. NISTCybersecurityGuidanceasSystemsEngineeringConstruct--andnotDIACAPByAnotherNameGaryStoneburner,JohnsHopkinsUniversityAppliedPhysicalLaboratoryThispresentationwillprovideperspectiveonthecurrent,commonstate-of-affairswithregardtoorganizations’useoftheNISTcybersecurityguidancemoreasprescriptivepolicyrequirementsthanasdescriptiveguidanceforuseinengineeringadequateresponsestorisksfromtheuseanddependenceoninformationtechnology.AttendeeswillheararationaleforwhytherecentNISTguidanceonSystemSecurityEngineering(SpecialPublication800-160)isakeyelementofeffectiveriskmanagement.ThepresenteralsowillsuggestspecificstepsforunderstandingtheunderlyingengineeringfocusalreadyincludedintheNISTguidance–somethingthatisessentialtoachievingtheneededassuranceofmission/businesssuccesswithoutcausingundueharmelsewhere.ModifyingFAIR(FactorsAnalysisinInformationRisk)forPrivacyR.JasonCronk,EnterprivacyConsultingGroupFAIRisaquantitativeframeworkforinformationsecurityriskanalysiswhichdecomposesriskintobasefactors,eachofwhichcanbeestimatedusingacalibratedestimates.Thepresenterhasmodifiedthisframeworktofocusonindividualprivacy,creatingaquantitativemeasureforprivacyrisk.Thispresentationwilldiscussthisframeworkandprovideexamplesofhowtousetocontrolprivacyrisk.




ATaleofTwoFrameworks:OptimizingFederalAgencyUseoftheRiskManagementFrameworkandCybersecurityFrameworkthroughFrameworkProfilesChristinaSamesandJulieSnyder,MITRETheRiskManagementFramework(RMF)hasbeenguidingfederalagencycybersecurityriskmanagementactivitiessince2002.In2017,ExecutiveOrder13800requiredheadsoffederalagenciestoalsousetheCybersecurityFramework(CybersecurityFramework)tomanagetheiragency’scybersecurityrisk.Whilethesetwoframeworksshareacommongoalofaddressingcybersecurityrisksaspartofanorganization’senterpriseriskmanagementprogram,thescopeandapproachofeachdiffer.Despitetheirdifferences,thetwoframeworkscomplementeachotherinwaysthatalloworganizationstorealizethebestofbothintheirimplementation.Thissessionwill:introducethebasicconceptsofeachframework,provideanoverviewofCybersecurityFrameworkProfiles,andexploreopportunitiesforusingthoseProfilestobringgreaterefficienciestoeachstepintheRMFusingaworkedexampleforaninformationsystem. AStructuredApproachforPrivacyRiskAssessmentsofFederalOrganizationsSarbariGupta,Electrosoft Thepresenterwillproposeatwo-levelPrivacyRiskAssessment(PRA)methodology:1)anorganizational-levelPRAthatfocusesonNISTSP800-53Rev4AppendixJprivacycontrols;and(2)asystem-levelPRAforeachinformationsystemthatfocusesonsystem-levelprivacycontrolsandanalyzesthePrivacyImpactAssessment(PIA)forthatsystem.AteachPRAlevel,thegoalisapplyanSP800-30Rev1-styleriskassessmentapproachbyidentifyingapplicablethreats,gaps/weaknesses(vulnerabilities)inprivacycontrolimplementations,alikelihoodofoccurrence,andtheresultingimpact.Theimpactofanattack(aprivacythreatexploitingaprivacyvulnerability)canbederivedbyconsideringthemagnitudeofharmtoindividualsiftheirPIIsuffersfromlowquality,unintendedaggregation,unauthorizeddisclosure,orunauthorizedmodification/destructionasaresultoftheattack.Theriskislow,moderateorhighiftheindividualsufferslimited,serious,orcatastrophicharm,respectively.ImplementingtheCybersecurityFramework:ASuccessStoryPlamenMartinov,UniversityofChicago TheUniversityofChicago(UoC)BiologicalScienceDivision(BSD)wasanearlyadopteroftheCybersecurityFramework.UoChasremainedattheforefrontofFrameworkimplementations;itisthefirstorganizationtodevelopaFrameworkSuccessStoryforNIST.BSDusedtheFrameworktoidentifyastrategyforimprovingtheircybersecuritycapabilitiesin2015.ManyofBSD’sinitiativesinthepastthreeyearshavebeenfocusedonachievingthegoalsdefinedwithintheTargetStateProfilecreatedduringtheir2015implementation.In2018,BSDreassessedtheircybersecurityprogramusingtheFrameworkonceagain.ThissecondassessmenthelpedBSDtounderstandchangesintheirorganizationandriskenvironment.




TowardsAutonomicSecurityManagement StefanoIannucciandCraigShorter,MississippiStateU. ThecontinuousincreaseinquantityandsophisticationofcyberattacksismakingitmoredifficultforsystemadministratorstohandlethealertsgeneratedbyIntrusionDetectionSystems.Todealwiththisproblem,severalIntrusionResponseSystemshavebeenproposedtoautomaticallyrespondtodetectedattacks.However,tothebestofourknowledge,mostexistingapproachesarenotadequatebecausearesponseisusuallyselectedeitherwithastaticattack-responsemappingorbyquantitativelyevaluatingalltheavailableresponses,whichintroducesseriousscalabilityissuesinmanagingcountermeasures.Inthistalk,thepresenterswillproposeamethodologybasedonreinforcementlearning–atechniquethatautomaticallylearnsthebehaviorofthesystemandoftheattacker,andautonomouslydrivestheprotectedsystemtowardsasafestate.ThepresentedapproachwillbeframedintotheMonitor,Analyze,Plan,Executeautonomicloop,showinghowitcanbeconnectedtoexistingstate-of-the-arttechnology. TheISFStandardofGoodPracticeandtheNISTCybersecurityFrameworkMarkChaplin,InformationSecurityForum TheISFStandardsofGoodPracticeandtheNISTCybersecurityFrameworkaretwooftheworld’smostusedframeworksforcybersecurityprograms.Whileeachprovidesuserswithvalue,leveragingbothapproachestogethercanprovideaddedbenefitsintermsofcybersecurityguidanceandcommunicationmechanismsforalllevelsoftheorganization.ThistalkwillexploretheintersectionofthetwodocumentsthroughanexerciseinimplementingNISTIR8204,Cybersecurity Framework Online 2 Informative References (OLIR) 3 4 Submissions (DRAFT). UsingaControlsFrameworktoAddressNIST,HIPAA,andGDPRSecurityProvisions--toEnsureManagementofCyberThreatsBryanClineandAnneKimbol,HITRUST;IianaPeters,Polsinelli Ensuringappropriatecybersecurityriskmanagement,includingcomplyingwiththevarietyofregulatoryandvoluntaryindustrycybersecuritystandards,continuestobearesource-intensiveandcomplicatedprocessfororganizations.Organizationsneedaneffectiveandefficientwaytoaddressidentifiedcyberriskandensureappropriateprotectionsareinplacetoprotectagainstcyberthreats.ThepanelwilldiscusssecuritymanagementprovisionsunderHIPAA,theNISTCybersecurityFramework,andtheEuropeanUnion’sGeneralDataProtectionRegulation.PresenterswillhighlighthowsuchlawsandguidanceaddresscybersecurityissuesandeducateattendeesonhowtoolsliketheHITRUSTCybersecurityFrameworkcanhelpmanagecybersecurityrisk.Panelistswillpresentproposalsforincentivizinguseofcontrolsframeworksacrossindustrysectorsanddiscussrelatedproposedpolicyandregulatoryinitiatives.




EnterpriseRiskMitigationUsingtheNISTCybersecurityFrameworkandCyberAnalyticsDaveSimprini,GrantThorntonParticipantswilllearnaboutacasestudyofalargeStategovernmentclientinwhichcyberriskdatafromacrossstateagencieswascollected,assessed,andaggregatedintoacyberanalyticstool.ThissolutionallowedtheStatetolookacrosstheenterpriseanddeterminewhereitsmostsignificantvulnerabilitiesexisted,wheretoprioritizeandspendlimitedfundstomaximizethe“bangforbuck”,andtoidentifyareaswhereagencieswerestrengtheningtheircyberposture.EmpiricalMeasurementofPerceivedPrivacyRiskJaspreetBhatia,CarnegieMellonUniversityThespeakerwillpresentanempiricalframeworktomeasureprivacyriskbasedonhowaperson’sinformationiscollected,usedandshared.Theframeworkconsistsoffactorialvignettesurveyswhichareusedtomeasuretheeffectofcontextualfactorsonhowusersperceiveriskstotheirprivacy.Thepresentationincludesexperimentalresultstoevaluatesixfactors:thetypeofinformationprocessed,thetypeofcomputerwheretheinformationwasstored,thepurposeforwhichthedatawasprocessed,theprivacyharm,thelikelihoodoftheharm,andseveralindividualdemographicfactors,suchasagerange,gender,educationlevel,ethnicityandhouseholdincome.Tomeasurelikelihood,theframeworkintroducesanewlikelihoodscalebasedonConstrualLevelTheoryfrompsychology.Thescaleframesindividualattitudesaboutrisklikelihoodbasedonsocialandphysicaldistancetotheprivacyharm.Findingsincludepredictionsabouttheextenttowhichtheabovefactorscorrespondtoriskacceptance--includingthatperceivedriskislowerforinduceddisclosureharmswhencomparedtosurveillanceandinsecurityharmsasdefinedinSolove’sTaxonomyofPrivacy.Anotherfinding:participantsaremorewillingtosharetheirinformationwhentheyperceivethebenefitsofsharing.TheframeworkandfindingswillappearinaforthcomingissueoftheACMTransactionsonHumanComputerInteraction.UsingNISTGuidancetoImplementandInformationSystemsRiskManagementProgramforaSmallNationalGovernmentStuartDaniels,Dr.MarisaStones,GovernmentofBermudaAlthoughBermudaisasmallisland,theGovernmenthas83DepartmentsandMinistriesthatprocesssensitiveinformationandprovidecriticalservices.AcomprehensiveInformationSystemsRiskManagementProgramwasneededtoensureanadequatelevelofcybersecurityacrosstheorganization.SeveralNISTstandards,includingtheCybersecurityFrameworkandtheRiskManagementFramework,haveprovidedinvaluableguidancethathelpedtheGovernmentofBermudatocraftaprogramthatmeetsitsvariedneeds.TheNISTCybersecurityFrameworkhasunderpinnedtheGovernment’seffortstosecureitsinformationsystemsbyprovidingameanstoassessandcommunicate




informationsecurityissuestomembersoftheCabinetandtheCivilServiceExecutive.TheSecurityandPrivacyControlsinNIST800-53providedvaluableguidanceforcreatingapolicyframeworkandtheRiskManagementFrameworkinformedtheprocessofintegratingsecuritywithintheSystemsDevelopmentLifecycle.ThispresentationwillprovideanoverviewoftheGovernmentofBermuda’suseofNISTstandardstodevelopitsInformationSystemsRiskManagementProgram,includingadiscussionofthechallengesandcriticalsuccessfactors.Data-DrivenRisk-basedDecisionMakingEllenAmbrosini,TeresaProctor,andMichaelPagels,CMSandKevinEiben,MITREThefederalCentersforMedicare&MedicaidServices(CMS)hasmadesignificantstridesinimplementingsecurityandprivacycapabilitiestosupportrisk-baseddecisionmaking.ACMSpanelwilldiscussitsrecentexperiencesandaccomplishmentsincluding:integratingtheuse/practicalityoftheCybersecurityFrameworkwithinthecontextoftheRiskManagementFramework;improvementsinAutomation(eGRC)andRiskReportingthatinformrisk-baseddecision-making;introducingandutilizingacustomerservicemodelwiththeinclusionofanewrole,theCyberRiskAdvisor;mentoringandfosteringtheroleofISSOusingaproactiveengagementmodel;developingandutilizingtoolsthatsupportriskmanagement;theCyberRiskAdvisorFramework,theISSOFramework,establishinganassessmentmethodologyusingprioritizedCoreControls;identifyingmethodsandprocessesthatautomatetheassessmentsofcontrolswithrelianceonrepeatableprocessesanddatathatinformsriskdecisionmaking;integratingsecurityandprivacyrequirementsintoagilesystemsdevelopmentmodels;andtheroleofPrivacyAdvisorsonITprojectintakereviewteamstohelpbuildacultureof“privacybydesign.”ReducingtheBurdenofCybersecurityUnitedKingdomThispresentationfocusesonhowtheUKisworkingwithindustry,civilsociety,andacademiatocorrectmarketfailuresthathaveledtoaninsufficientuptakeofdesiredcybersecuritybehavioracrosstheeconomyandsociety.Toanextent,thesystemissetuptopromptundesiredbehaviorsandtheUKisworkingtoreducetheburdenofcybersecuritydownstream,wherepossible,byadvocatingforsecure-by-designandcorrectingmarketfailure.ThispresentationwillhighlighttwoareasofourworkthatalignwiththeNISTCybersecurityFramework:1)theUKhasbeenworkingwithU.S.counterpartsonimprovingthesecurityoftheInternetofThings,shiftingtheburdenawayfromtheconsumertowardsindustryand2)theUKisdevelopingbettercybersecuritymetricsthatcanbeusedtocommunicatethecybersecurityriskposturesoforganizationstoboards.




SoftwareBillofMaterials:BestPracticesforMachine-ReadableAssuranceDatainMissionOperationsJCHerz,IonChannelThispanelwillcoverhowmachine-readableSoftwareBillofMaterials(SBOM)arebeingconsumedandoperationalizedtoraisethesecuritypostureandaccelerateapprovalofmissioncapabilities.Discussionswillincludecasestudiesabouthowopenformatsarebeingusedindefenseandindustry.Panelistswillreviewtheevolvingconsensusonstandardsandformats(e.g.SPDX,SWID),similaritiesanddifferencesbetweensoftware,firmware,hardwareanddataprovenance,andhowmachine-readableSBOMsfactorintohigh-assuranceandcontinuous-integration/continuous-deliveryworkflows.Morecontroversially,thiswillalsoincludediscussionaboutthesoftwaresupplychainassurancelandscapeofbothproprietaryproductsandopensourceecosystems,whichvarywidelyintheirexposuretosupply-chainriskandvulnerabilitytosupply-chaininjection,captureandattack. HowJapaneseIndustryUsestheNISTandNICEFrameworkstoOvercomeManpowerShortagesMasatoKimura,NipponTelephoneandTelegraphCorporationThissessionaimstosharehowJapaneseindustryusestheNISTFrameworktotacklethechallengeofcybersecuritytalentshortage.TheJapanesegovernmentexpectsJapanwillbeshortof193,010cybersecurityprofessionalsin2020,whentheTokyoSummerOlympicandParalympicGameswillbeheld.BecausecybersecuritywillbecrucialforthesuccessofTokyo2020,Japanhasbeenpromptedtocultivatecybersecurityprofessionals.In2015,NTT,NEC,andHitachitooktheinitiativetolaunchtheCross-SectorForumtocollaboratewithacademiaandgovernmentandcreateanecosystemtoeducate,recruit,retain,andtraincybersecurityprofessionals.Today,theForumhas48majorJapanesecriticalinfrastructurecompaniesfromthechemical,energy,finance,media,telecommunication,andtransportationsectors.TheForumusesboththeNISTCybersecurityFrameworkandNICECybersecurityWorkforceFrameworktounifythelanguageusedamongmemberstomapcybersecurityskillsetsbysector,department,andfunction.BestPracticesLearnedfromMitigatingRisksofDataBreachestoBuildaDataPrivacyProgramAnneConnell,CarnegieMellonUniversityItisnotamatterof‘if’,butrather,‘when’adatabreachwilltranspire.Thepresenterwilldiscussthemostcommonvectorsofdatabreachestoprovideinsightintothelifecycleofanincident,especiallyincidentsinvolvingPersonallyIdentifiableInformation(PII).Duetothesensitivityassociatedwithbreachinvestigationsandintrusions,manysecuritypractitionersandinvestigatorsareunwillingtoreportordisclosethisinformation,but




theyhavebeenwillingparticipantstosharethisknowledgewiththerestofthecybersecuritycommunity.Attendeeswilllearnaboutthemostcommonattackvectorsagainstorganizationsofanysize--andthosethatseektotakeadvantageofendusers,whichisthemostcommonentrypointforaPIIattack.Whilethehumanelementisthemostcommonvectorforanattacker,therearemanyareasoutsideofthecontrolofatypicalend-userthatmaycontributetotheproblem.Toachieveabaseline,researchersconductedmanyinterviewswithsecuritypractitionersandinvestigatorstolearnthemostcommonattackvectorsinvolvedinincidentsimpactingavarietyoforganizationsinmultipleindustriesaswellastheresponsetoasuccessfuldatabreach.Usingtheinformationcollected,researchersusedtheNISTCybersecurityFrameworktobuildaneffectivedataprivacyprogramtomitigaterisk.TheyalsousedtheNISTGuidetoThreatInformationSharingtocoordinateincidenthandling,includingproducingandconsumingPII,participatingininformationsharingcommunities,andprotectingincidentrelateddata.Thegoalofthistalkistoinformandeducatesecuritypractitionersonbestpracticestoprotectdataprivacyandtomitigatetheriskofdatabreachusingtheseframeworks.MeasuringtheCybersecurityRiskofSoftware-IntensiveSystemsBillCurtisandMarcJones,ConsortiumforITSoftwareQualityTheConsortiumforITSoftwareQuality(CISQ)hasdevelopedstandardsformeasuringstructuralqualityintheareasofReliability,Security,PerformanceEfficiency,andMaintainability.Thesemeasuresarecalculatedfromstaticallydetectingandmeasuringseverestructuraldefectsinsourcecode.Thesestandardsarecurrentlybeingrevisedforapplicationtoembeddedsoftware.Whencalibratedagainstoperationalperformance,thesemeasurescanassessseveralareasofcybersecurityrisktowhichasoftwaresystemexposestheenterprise.ThesemeasurescomplywithsoftwareproductqualitydefinitionsinISO/IEC25010andsupplementthebehavioralmeasuresinISO/IEC25023bymeasuringsoftwarequalityattributesatthesourcecodelevel.Thetalkwilldescribehowthesemeasurescanbeappliedinsoftwareacquisition,inagile/DevOpsenvironments,andinimplementingtheNISTCybersecurityFramework.Itwillendbydiscussingthepossibilitiesandchallengesofcertifyingthestructuralqualityofsoftware.SecureSoftware:TowardAProposedBenchmarkTommyRoss,BSA|TheSoftwareAlliance,etal.ThispanelwillpresentanddiscussaworkingconceptforanewsoftwaresecurityframeworkdevelopedbyBSA|TheSoftwareAlliance.ModeledontheNISTCybersecurityFramework,thefirst-of-itskindsoftwaresecurityframeworkwillofferabenchmarkfordefiningsoftwaresecurityandmeasuringorganizationalprogresstowarditsspecifiedobjectives.Itpresentsavoluntary,flexible,outcome-focusedapproachthatisalignedwithinternationallyrecognizedstandardsandbestpractices.Thepanelmoderatorwillpresentthestructureandkeyelementsoftheproposedframework.Thepaneldiscussionwill




addressthegaptheframeworkisintendedtofillandthepotentialapplicationsoftheframeworkfordevelopers,securityprofessionals,andpolicymakers.Thediscussionwillexposetheaudiencetoanexcitingnewapproachtooneofthemoreelusiveandvexingchallengesincybersecurityandinvitetheirinputandinvolvementastheprojectadvances.Cybervets:LeveragingVeteranstoBuildtheCybersecurityWorkforceP.ShaneGallager,SGSystemsConsulting,andFrankDomizio,CentersforMedicareandMedicaidServices(CMS)ThispresentationdescribestheCenterforMedicare&MedicaidServices(CMS)innovative“Cybervets”programdesignedtoaddressthesevereshortageofskilledcybersecurityworkersusinghighlycapableveterans.Currentestimatesindicatethatnearlyhalfofallveteransareunpreparedtotransitionintothecivilianworkforce.BeginninginJune2018,thisjointprogrambetweenCMS,theVeteransAdministration,andtheOfficeofPersonnelManagementbeganprovidingayear-longimmersiveadvancedcybersecuritytrainingprogramthroughcognitiveapprenticeshipandmentoring.Thetrainingusesahands-on,problem-basedapproachcombinedwiththeopportunitytoshadowexperiencedanalystsintheCMSsecurityoperationscenter(SOC)tohelptheCybervetsacquiretherelevantexperience,knowledge,skills,andabilities(KSAs)associatedwiththeNICEFrameworkCyberDefenseAnalyst(PR-DCA-001)position.Programevaluationactivitiestodateindicateahighlevelofparticipantsatisfactionandknowledgegrowth.ImplementingSecureSystemsusingthePMBOKandNISTCybersecurityFrameworkandBaldrigeExcellenceToolLawrenceCapuder,ConsultantCServicesFederalagenciesandotherentitieswithcriticalITinfrastructureneedtoensurethatsecureITinfrastructurestandardsareintegratedintonewandupgradeITdesign,developmentandimplementationprojects.Theseorganizationsneedtoprovidespecialattentiontodisruptivetechnologies,suchascloudcomputing,thattheFISMAandFedRAMPprojectsencourage.Thissessionwillanswerkeyquestionsrelatedtoensuringthatappropriatesecurityandcontrolsarefollowedincarryingouttheseprojects.Theseinclude:HowwelldotheNISTCybersecurityFrameworkandBaldrigeCybersecurityExcellenceBuilderself-assessmenttoolsaddressnotonlyexistingsystems,butalsonewITinitiativeprojects?Whyisusingawell-definedprojectmanagementmethodology,suchtheProjectManagementInstitute’s(PMI)ProjectManagementBookofKnowledge(PMBOK),crucialtoimplementingsecuresystems?HowcanthePMBOKbeintegratedwiththeNISTFrameworkandBaldrigetooltospecificallyaddresssecureFederalandcriticalinfrastructuresystems?




Simple,Consistent,andSecureCybersecurityandPrivacyinSmallandMedium-SizedOrganizationsKoushikSubramanian,UILabsManysmallandmedium-sizedorganizationsfacesimilarchallengeswithregardstocybersecurityandprivacy.Thebiggesthurdleisthelackofresources.Thiscanbealackofbudget,talent,time,etc.Thesheerthoughtofcybersecuritycancausealotoforganizationstosimplyaccepttheriskundertheguiseof“noonewouldattackus.”Thistypeofthinkingmustevolve.Maturinganorganization’scybersecuritypostureevenbyalittlebitcanensurethattheyarenotthelow-hangingfruitthatmostcommonlygetsattacked.Thispresentationofferssimple,actionableitemstohelporganizationstoprioritizeandtacklecybersecurityandprivacyconcernsandmaturetheiroverallcybersecurityposture.Role-BasedRiskManagementFramework--RMFandNICEFrameworkConvergenceJeffreyMonroe,U.S.DepartmentofInteriorFrameworkshelptoorganizeandunpackcomplicatedmatters.NISThasdevelopedtwohelpfulframeworksforinformationsecurityprograms.Learnonemethodtooverlaytheseframeworks,buildcohesionbetweentheframeworks,andimproveyoursecurityprogram.Data-DrivenBreachResponsePlanningJayBrudz,AnandRajShah,DrinkerBiddleandReathLLP;SergeJorgensen,SylintGroup;KennethDarrell,TrituraInformationGovernance;andJeffHunt,PulsePointGroupTheexpandingscope,sophisticationandfrequencyofdatacollectionprovidesstrategicopportunitiesfororganizationsrespondingtoacyberincidentbyleveragingtimelyintelligenceanddataanalytics.Industryexpertsininformationsecurity,crisiscommunications,lawanddatasciencewillexaminestepsthatincidentresponseteamscantaketoimplementadata-drivenapproachtodatabreachresponse.ManagingtheHiddenCybersecurityRisksTonyGiles,RhiaDancel,NationalScienceFoundationThepresentationwillexplorebestpracticeswhichorganizationstakeinmanagingandunderstandingtheirriskenvironment.Thesebestpracticeshavebeencapturedthroughglobalfeedbackandhaveallowedorganizationstocontinuallymonitorriskprobability,impactandtreatment.Thepresentationwillfocusontopidentifiedrisksandfeedbackonbestpracticesforrisktreatment.AttendeeswillhearhoworganizationscanutilizetheirriskassessmenttofocusonthedevelopmentandprioritizationoftheirPOAM’s(PlanofActionandMilestones).Thepresenterswillalsocoverhiddenrisksorganizationsfaceandprovidetrainingonhowtolookintoandtreatthose




risks.Thepresenterswillusereal-worldexamplesanddemonstrationstosupportorganizations’continualriskimprovementpractices.IntegratingPrivacyintotheRiskManagementFrameworkCelesteDade-Vinson,NationalInstitutesofHealth(NIH)andElizabethKoran,U.S.DepartmentofHealthandHumanResources(HHS)TheHHSOfficeofPrivacyandInformationManagement(PIM)andNIHSeniorOfficialforPrivacy/PrivacyActOfficerwillleadapaneldiscussiononcriticalconsiderationswhenintegratingprivacyintoanorganization’sassessmentandauthorizationprocess--particularlytheestablishmentofaprivacycontinuousmonitoringprogram.Theconversationwillfocusonarangeofconcerns,includingwhetherandtowhatextenttheprivacycontrolassessmentscanbeintegratedwithsecurity,whetherandtowhatextenttheassessmentscanorshouldbeautomated,andchallengesinimplementingsuchaprograminafederateddepartmentwithmultiplepotentiallociofcontrol.Thepanelwillincludeperspectivesfrombothapolicymakerandimplementer.Theywillprovidepracticallessonslearnedthatcanbeleveragedinestablishingaprivacycontrolassessmentandauthorizationprocessinuniquecontexts.RiskDataSharingforSituationalAwarenessDr.DavidFerlemannandDr.PearlRayms-Keller,NavalSurfaceWarfareCenterMaintainingcybersituationalawarenessrequireseffectiveandtimelyexchangeofriskinformationamonganalysts,managers,andexpertsacrossinternetnetworks.Thisexchangeofcriticalinformationhasnotbeeneffectiveduetoseveralfactors.First,thecurrentstateofcyberriskassessmentinvolvesassessingmanyriskframeworksandtechnologies--yetfindingcommondenominatorshasbeenchallenging.Organizationsandtheirbranchesoftenchoosedifferentpolicies,riskassessmenttoolsandcommunicationmethods.Asecondfactorworkingagainstefficientsharingofcommonrisksisorganizations’reluctancetopointtointernalvulnerabilitiestoexternalpartners,whichthenmightexposethemselvestopotentialthreats.Intermsoftechnicalchallenges,modelingandcapturingadiversityofriskdataisdifficult,andprocessingandpresentingtheriskdataatthisscaleinatimelymannerisalsoagreatobstacle.Thepresenterswilldiscusspossiblearchitecturestoexploitadvancesinlearningalgorithms(artificialintelligence)andbetterinformationsystems.Theywillalsodiscusstherolethatorganizationalpsychologyplaysinthiscybervulnerableageandprovideastrategyonhow“buildingtrust”acrossorganizationscouldbethefirststeptoachievemulti-domaincyberrisksituationalawareness.




UnderstandingandManagingCyberRiskwithaDwellTime-BasedApproachArunSood,GeorgeMasonPreventingallintrusionsisnearlyimpossible.ThepresentersuggestsaddingadifferentlayerofdefensebyusingtheMovingTargetDefenseparadigmthatseekstominimizedamageafteranintrusionhasoccurredbylimitingthetimeavailabletotheattacker.IntruderDWELLTIMEcanbeanimportantdefensemechanism,andhastheaddedadvantageofbeingeasilyunderstoodandmeasured.Atypicalattacktakesplacein3phases–GetIn(Phishing),StayIn(LateralMove)andAct(Ex-filtration).AttendeeswilllearnaboutanapproachthatreducesavailabletimeduringtheStayInandtheActstepswhichcanmitigateITandOTattacks.Thepresentationwilladdress:1.Definingresilienceandrecoveryandcomparerecoverysystemswithalertsystems.2.Mitigatingdirectandindirectattacks(BuildingAutomationSystemsandSecurityCameraNetworks).3.Benefitsandlimitationsofadwelltime-basedapproach.4.Usecases.RiskisMoneyPaulNeslusan,LeidosAllcybersecurity--fromthestrategictothetactical--dependsonproperbusinessriskassessment.Oneofthemostimportantaspectsistyingriskstodollarvalues.Thepresenterwillexplainhowrisktiedtomonetaryvaluedrivesdecisionsforeveryonefromshareholderstothesecuritypractitionersthemselves,andhowthiswilldrivecybersecurityspendingforyearstocome.Thesecurityindustryisrapidlymovingawayfromsellingandbuyingbasedonfear;itisaggressivelymovingtowardanalyticsdrivenpurchasing.DuringtimespentadvisingsecuritypractitionersfromtheanalystleveltotheC-Suite,thepresentersawconsiderablefrustration:peoplefeelingunheard,criticalprojectsunfunded,andglaringconcernsleftunattended.Thispresentationpresentsaclearpictureofwhyfinancially-tiedriskassessmentisimportanttobothvendorsandsecuritypractitioners,andhowtheycanusethisknowledgetoaccomplishtheirgoalswhileignoringdistractors.HelpingCommunitiesUtilizetheNISTCybersecurityFramework--ISAOsasaCatalystforDevelopingCommunityCybersecurityProgramsGregWhite,UTSanAntonioWiththeexpansionoftheinformationsharingcommunitybeyondtheoriginalInformationSharingandAnalysisCenters(ISACs),neworganizationsarebeingformed,includingInformationSharingandAnalysisOrganizations(ISAOs)focusedonstatesandcommunities.Thesegeographic-basedISAOsarenotlimitedtocriticalinfrastructures;theyarepublic-privatepartnershipsincludingallentitieswithintheirgeographicboundaries.ISAOscanbecomeacatalystforestablishingviableandsustainablesecurityprograms.Inparticular,theycanhelpwiththeadoptionoftheNISTCybersecurityFrameworkbyall




sectorsinvariedgeographicareas.Oftensmallandmedium-sizeorganizationsdonothavetheexpertisetoimplementtheFrameworkandmaystrugglewithestablishingtheirownsecurityprogram.UsingalocalISAOandfollowingtheCommunityCyberSecurityMaturityModel(CCSMM),theseentitiescanbeprovidedwitharoadmapandmentorstohelpthemestablishtheirprogramsandincorporatetheFramework.EnterpriseArchitectureandtheCybersecurityFramework:TwoComplementaryScopesofInterestMurrayRosenthal,CityofTorontoTheutilityoftheNISTCybersecurityFrameworkisafunctionofitscontextwithinenterprisearchitecture.Therationaleforthatassertionisbasedontheoperationalambit,andscopeofinterest,oftheNISTFramework,i.e.,realizationofasteady-stateposturethatenablestheenterprisetodetect,andneutralize,cyberthreatswithoutcompromisingtechnologyinfrastructureandthebusinesssystemsthatitsupports.Theoperationallens,orperspective,servicedbytheNCSF,shouldbeaugmentedbyacomplementaryengineeringcontextthroughwhich(a)theenterprise’sdigitalservicecapabilitiesaredescribed,and(b)designisinformed,suchthataholisticperspectiveofgovernanceandenterpriseriskmanagementisafforded.Thatother,complementarycontextisenterprisearchitecture.DemystifyingICSCyberRiskMikeRadigan,LeidosForplantoperationsmanagementtosupportandfundnewcybersecurityinitiatives,theymustunderstandtherelativepositiveimpactonreliabilityandsafetycomparedtoapplyingthesesameresourcestomitigatemorefamiliaroperationalriskissues.Thispresentationwilldemonstratebycasestudyhow1)cyberriskwasanalyzed,quantifiedandcomparedtothetopoperationalriskissuesforapowerplantand2)riskmitigationoptionswereevaluatedandchosenbasedonacommonfinancialmetricofriskreducedperunitcost.AttendeeswilllearnhowtocompeimenttheSP800-30GuideforConductingRiskAssessmentswithTheOpenGroup’sRiskTaxonomyv2.0(O-RT,RefC13K)quantitativeriskmodelandanalyticswithinanoperationalenvironment.Usingtheseresourcescandemystifycyberriskandanswerthemostchallengingquestionsfacingplantoperationstoday:Howmuchcyberriskisthereandhowdoesitcomparewithoperationalriskissues?HowTradeoffsIncreaseCyberSupplyChainRiskMarjorieWindelberg,CyberPackVenturesTradeoffsmadebyacquirersandsuppliersincybersupplychainsincreaserisksthatcanimpactthetrustworthinessofsystems.Tradeoffsareoften(butnotalways)




consciouschoicesamongfactorssuchascost,schedule,andrequirements.Moreover,tradeoffsbetweencompetingrequirementsarise.Requirementsmaybepartiallyorwhollyomitted,ornewrequirementsmaybesubstitutedforpreviouslyagreeduponrequirements.Withinanacquirer,differentgroupsmakedifferenttradeoffdecisions,andtheseoccurfrominitialacquisitionthroughoperationsandmaintenance.Differentacquirersalsohavedistinctriskprofiles,dependingontheirassessedthreats.Eachsupplierinthechainalsomakestradeoffs,withorwithoutdownstreamacquirers’knowledge.Furthermore,tradeoffsareinfluencedbyexplicitorimplicittrustassumptions.Thesetrustassumptionsarebasedontheperceptionthatriskfromatradeoffislow.Thus,risktoleranceandevenunderstandingofriskaremajorcybersupplychainvariables.AutomatedCyberHardeningMichaelWordenandAustinGarret,RaytheonDevOpsisasoftwaredevelopmentanddeliveryprocessthatemphasizescommunicationandcollaborationbetweenproductmanagement,softwaredevelopment,andoperationsprofessionals.CybersecurityisaparticularlythornychallengeforDevOpsasappliedtoSatelliteMissionManagementSystems,especiallywhencomplicatedbygovernmentalsecurityrequirementsdefinedintheRiskManagementFramework(RMF).ThistalkwilloutlinetheevolutionofacybersecurityautomationapproachtoautomatetheapplicationofSTIGs(SecureTechnicalImplementationGuides)anddetailimportantlessonslearned,including:applicationofsecurityrulesviainfrastructureascode,leveragingautomationplatformslikeCheforPuppet,andintegratingsecuritytestingusingNessusandACAS.Inaddition,attendeeswilllearnaboutSTIGLER,atoolwhichingestsDISASTIGsandautomatestheapplicationofthehundredsofhardeningrulesneededtomakeWindowsandLinuxplatformscompliantwithRMF.TheDigitalFastLane–HelpingNonprofitsKeepUpKelleyMisata,PhD,SightLineSecurityThelasttimeyougavemoneyortimetoyourfavoritecharitydidyouthinkabouttheirinformationsecurity?Didyouwonderwhatmeasurestheyweretakingtoprotectyourdata?Nonprofitsarebeingtargetedforthesametypesofintrusionsaslargecommercialorganizations,buthavefarfewerresourcestodefendthemselvesandtheyareoftenoverlookedbythesecurityfield.Thispresentationwillspotlightthechallengesfacingnonprofitsandwillpresentanewandholisticapproachtohelpthemcreateconfidencethroughassessments,plans,andmeasurementstoimproveinformationsecurity.BasedonresearchutilizingtheNISTCybersecurityFrameworkandfromtheuniqueviewofasurvivorofcyberstalkingturnedPh.D.,thepresenterwillspotlightherstudyandstrategiesforhowthesecuritycommunitycanmakeadifference.




APracticalApproachtoITSecurityforSmallandMedium-SizedBusinessesBasedontheNISTCybersecurityFrameworkJimWentworth,JACAssociatesAstheInternetofThings(IOT)andcloudcomputingextendtheITsecurityperimeterwellbeyondthetraditionaldatacenter,organizationsmustembraceanITstrategythataddressestoday’ssecurityneedswhileevolvingtomeetnew,moresophisticatedthreatsinthefuture.Small-andmedium-sizedbusinesses(SMBs)faceanevenmoredauntingchallenge.WhiletheyhavethesameITsecurityneedsaslargerorganizations,theytypicallydonothaveenoughresourcesdedicatedtoplanningandmaintainingtheirITsecurity.ThissessiontargetstheITsecurityskillneedsoftheseSMBsbyidentifyingfivekeycomponentsofaneffectiveITsecuritystrategyandoutliningaseriesofclear,practicalstepswhichSMBscanexecutetoenhancetheirITsecurity.SessionattendeeswillreceivefreeaccesstotheGrokITAcademyonlinesecuritycourse,APracticalApproachtoITSecurityforSmall-andMedium-sizedBusinessesbasedontheNISTCybersecurityFramework.

Panels in Progress Topics of interest. Panels now being finalized with session date and time to be determined

• BotnetsandtheCybersecurityFramework• TipsandTricksforSmallBusinessCybersecurity• ManagingControlledUnclassifiedInformation• ReducingCybersecurityRiskExposureinMedicalDevices• InternetofThingsSecurity,Safety,andPrivacy• ImplementingandManagingSecurityBestPracticesintheCloud• CybersecurityRiskMeasurementandMetrics• CyberSupplyChainRiskManagementStrategy• CyberSupplyChainRiskManagementTactics• ThreatsandMitigationsinFederalNetworks• FederatingFrameworkInformativeReferences

Self-Moderated or Facilitated Discussions Topics now being finalized with session date and time to be determined

nist cybersecurity risk management conference 2018 · harmonize cybersecurity risk management and...

Documents