In case you missed Convention this year:
The PSA Cybersecurity Committee anchored the presentations with an update on our cybersecurity tools and industry progress. In keeping with PSA’s focus on the three legs of cyber security: products, people, and processes, attendees were first briefed on the Underwriter Laboratories (UL) Series 2900 product certification progress and we’re anxious to see the manufacturer’s embrace the UL effort.
Secondly, we reminded the room about all of the SANS employee training information (Securing The Human) that we’ve posted, and that continues to be updated on the SANS website. Your staff is still the potentially weakest link in your cybersecurity program – train them well and train them often.
The meat of our presentation at this year’s convention was focused on processes. The Baldridge Cybersecurity Excellence Builder tool was introduced and a brief discussion of implementing the tool was undertaken. It is an easy way to get your cybersecurity plan started. The current tool is under review for comments by NIST until December 2016. With full adoption of the final tool anticipated to occur shortly thereafter.
The next tool that was highlighted was a Common-Criteria-Licensed mapping tool that facilitates the quick understanding of how various technical cybersecurity controls can be cross mapped between for example, the NIST Cyber Security Framework (CSF), and the SANS Institute Critical Security Controls (CSC) Top 20. The tool is handy for comparing requirements for regulatory controls in a given environment with those from another.
We also reviewed PSA’s Critical Security Control Maturity Assessment Tool. This another Common-Criteria licensed tool that uses a set of standard answers (a rubric) to respond to technical control questions related to cybersecurity status of a policy, an implementation, an automation, and reporting. The output of the tool provides a quick measure of an organizations overall cybersecurity maturity as measured against the CSC Top 20, and more importantly it visually demonstrates gaps in a cybersecurity program.
We also had time to look at how some of the products that are available in the industry provide full or limited mitigation for many of the controls in the CSC Top 20, and we were able to take a look at a small business implementation using the tools as well an enterprise implementation which was able to expand vastly on the existing toolset.
Standby for the tools to be posted to the PSA education portal and look for more from your cybersecurity committee at TEC 2017!
Who’s got your back?