CMS Data Guardian Program
NIST FISSEA Conference
March 14, 2017
Karen Mandelbaum, Director, Division of Security, Privacy Policy & Governance
Micah Batchelder, Federal Lead, Incident Management Team
February 2017 For Official Use Only (FOUO) 2
Introduction
Data Guardian as Privacy Steward
Data Guardians are responsible for disseminating the message that fortifies the culture and encourages staff to stop, think, and ask before taking a risk that could potentially compromise the IT systems or data of the organization.
Stakeholder Dependencies
• Data Guardians: privacy and security stewards
• Privacy Subject Matter Experts / Cyber Risk Advisors: privacy and risk specialists; assist in developing PIAs, SORNs, Data Sharing Agreements, etc.
• Business Owners: have in-depth knowledge of their data and systems
• Information Security & Privacy Group: provides training, cyber awareness briefs, policy/procedure
Building the Data Guardian Program
Define Strategy
• Charter, SWOT, Program Plan
Set Foundational Concepts and Supporting Infrastructure
• Communication Plan
• Training
• Repository
Tailor
• To meet the specific needs of each Office/Center
• Framework – defines roles in processes
• Specialized Training – e.g. Privacy by Design
Communication
• Expand efforts – builds synergy
Data Guardian Meeting Agenda
What’s happening internally/externally in the cyber world & what Data Guardians need to know and act on
Phishing Program Overview
• Define Phishing
• Identify Phishing Scams
• Develop Scenarios and Run Exercises
• Review Statistics
• Communicate Results
• Develop Mitigation Tactics
• Compile Lessons Learned from Phishing results
Phishing Exercise Example: Valentine’s Day
Provide a Phishing Exercise with Follow-on Training
Mitigation
• Forward the email to the HHS Spam ([email protected]) mailbox.
• “SPAM Button” – to make it easy to report & act upon
• Specialized training for repeat clickers
• Developed and Implemented Policies, Procedures, Processes
• Acquired & Implemented Toolset
Phishing Exercises Program Outcomes
41 phishing exercises to date
Results:
• Improved ability by staff to identify a phishing scam
• Improved response by Security Operations Team
• Ability to focus mitigation and training
• Decrease in number of individuals that clicked on phishing emails
Lessons Learned
Cycle: Run Exercise → Analyze Results → Report to DG → Provide Training
• Create a “true” baseline
• Focus on problems – Identification (‘phishing clues’) and Reporting
• Variety keeps the attention
• Communicate results of the exercises
• Follow every campaign with training
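As an added example (not part of the presentation), the following Python script shows how the per-campaign statistics, the “true” baseline comparison and the repeat-clicker follow-up described in the phishing program slides can be computed from simulated-phishing exercise results; the campaign names, users and counts are constructed.

```python
from collections import defaultdict

# Constructed sample results for three simulated phishing campaigns
# (hypothetical users and campaigns, not CMS data).
# Each row: (campaign, user, clicked_link, reported_to_spam_mailbox)
RESULTS = [
    ("2017-01 baseline",   "u1", True,  False),
    ("2017-01 baseline",   "u2", True,  False),
    ("2017-01 baseline",   "u3", False, True),
    ("2017-01 baseline",   "u4", False, False),
    ("2017-02 valentines", "u1", True,  False),
    ("2017-02 valentines", "u2", False, True),
    ("2017-02 valentines", "u3", False, True),
    ("2017-02 valentines", "u4", False, False),
    ("2017-03 invoice",    "u1", True,  False),
    ("2017-03 invoice",    "u2", False, True),
    ("2017-03 invoice",    "u3", False, True),
    ("2017-03 invoice",    "u4", False, True),
]

def campaign_stats(results):
    """Click rate and report rate per campaign, keyed in campaign order."""
    totals = {}
    for campaign, _user, clicked, reported in results:
        t = totals.setdefault(campaign, {"sent": 0, "clicked": 0, "reported": 0})
        t["sent"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    return {c: {"click_rate": t["clicked"] / t["sent"],
                "report_rate": t["reported"] / t["sent"]}
            for c, t in totals.items()}

def trend_vs_baseline(results):
    """Change in click rate of each later campaign relative to the first
    campaign, which serves as the 'true' baseline (negative = improvement)."""
    stats = campaign_stats(results)
    campaigns = list(stats)
    base = stats[campaigns[0]]["click_rate"]
    return {c: round(stats[c]["click_rate"] - base, 3) for c in campaigns[1:]}

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns: the
    candidates for the specialized follow-on training."""
    clicks = defaultdict(set)
    for campaign, user, clicked, _reported in results:
        if clicked:
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_clicks)

if __name__ == "__main__":
    print(campaign_stats(RESULTS))
    print(trend_vs_baseline(RESULTS))
    print(repeat_clickers(RESULTS))
```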
Incident Response Preparedness
Conduct Tabletop Exercises to:
– Identify & Practice procedures
– Give input to enhance privacy/security incident response capabilities
– Identify preventative corrective actions that could be implemented
New OMB guidance recently issued emphasizes Incident Response
Develop Scenarios that Ensure Coverage of all Types of Incidents
Not all security incidents are privacy incidents, and conversely, not all privacy incidents are security incidents.
• Security Incident only: Infected PDF encrypts entire server with ransomware.
• Privacy Incident only: Incorrectly sharing a file with PHI
• Both Security and Privacy Incident: Unauthorized access, disclosure or modification of PII
Process
Monitor internal & external cyber news/incidents
Determine Relevance to CMS business
Get specific requests from business owners
Set up Tabletop Exercise
Run the exercise as a real-life simulation
Reflect, Assess, Develop procedural correction
Tabletop Exercises Lessons Learned
• Solicit participant feedback on how the tabletop exercise was crafted and run – it provides valuable insight
• The results of the exercise should be analyzed on a team-by-team basis; this provides information on where gaps exist
• Use positivity and focus on insight gathered
• Build relationships and teamwork mindset
FOCUS ON THE POSITIVE
Data Guardian Program Summary
• Needs to be Business Driven focused – Leadership
• Data Guardian Program for communication and coordination of technology, compliance & business
• Phishing Program to anticipate threats
• Tabletop Exercises to minimize harm and facilitate recovery
Questions?