Agile Precis blog

Innovative Technologists with a Business Mind

NCCOE - Financial Services Update

National Cybersecurity Center of Excellence at the National Institute of Standards and Technology

Financial Services Update

Hello,

This email is for people currently working on financial services sector projects at the National Cybersecurity Center of Excellence (NCCoE) or who have expressed an interest in projects at the NCCoE. This email is just one part of the outreach between the NCCoE and our collaborators in the financial services industry. We will also share project status updates and hold regular teleconferences that we will invite you to attend using bulletins like these.

Currently, the NCCoE is conducting a great deal of lab work to build an example solution to the IT Asset Management (ITAM) use case. In March, the center’s other financial services use case, Identity and Access Control, will seek collaborators from the vendor community by publishing a notice in the Federal Register (you will receive an alert). Both use cases are a direct result of interactions with our financial services collaborators.

The ITAM project provides a complete view of all IT assets present in an enterprise. This includes physical devices, software and virtual machines, and will link into the existing information silos present in most organizations. Visit the project page for more detailed information. Currently, nine vendors are working with the NCCoE on the ITAM use case.

Please check the new NCCoE Financial Service ITAM forum for lab diagrams and a listing of all the machines currently installed. Updates will be posted to the forums as we hit milestones. I hope you will contribute your ideas and comments regarding the use case to the forums. It’s easy to sign up for an account to contribute your thoughts.

Earlier this month, the NCCoE met with CIOs, CTOs and CISOs at Stanford University in coordination with the White House Summit on Cybersecurity and Consumer Protection. We heard executives from retail, hospitality, health care, insurance, and other industries express concerns about issues like point of sale security, payment system security, information/threat sharing, data privacy, secure software development tools, and data integrity (database, file, system, and backups). Please stay tuned to these updates: We will be calling on you to assist us in developing some of these into use cases that will benefit your institutions.

ITAM Update

  • The lab infrastructure for the ITAM use case is functional and consists of a DMZ and four separate sub-networks for IT systems, network security, physical security and physical asset management. The lab is modular and can be modified as needed.
  • Products from Alphapoint, Belarc and RedJack are currently installed and running in the lab.
  • We are installing the Eracent ITAM solution, and configuring a VPN between the NCCoE and a mainframe computer from Vanguard Integrity Professionals.
  • Computer Associates is scheduled to begin installation of their products in early March.
  • The Cybersecurity Summit held at Stanford University on February 12-13 showed us additional cybersecurity challenges that need solving.
  • Projected completion date: May 2015.

Thank you,

Michael J. Stone
Senior Security Engineer


 The NCCoE accelerates adoption of commercially available, secure solutions among U.S. businesses. We work with computer hardware manufacturers, software developers, technology vendors and system integrators to demonstrate practical, standards-based, open, modular, end-to-end cybersecurity solutions. 
http://nccoe.nist.gov            240-314-6800             nccoe@nist.gov

Any mention of commercial products in this bulletin is for information only; it does not imply recommendation or endorsement by NCCoE or NIST.

 


NIST Cybersecurity Framework (CSF) Reference Tool


General Description
The NIST CSF reference tool is a FileMaker runtime database solution.  It represents the Framework Core which is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions - Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.

The CSF Reference Tool allows the user to browse the Framework Core by functions, categories, subcategories, and informative references, to search for specific words, and to export the currently viewed data to various file types, e.g., tab-separated text file, comma-separated text file, XML, etc.

Systems Requirements
The CSF Reference Tool has been tested on Microsoft Windows 7 and newer versions of the Windows operating system, and on OS X 10.8 and newer versions of the Apple OS X operating system. The application is a self-contained, read-only executable.

Getting started with the CSF Reference Tool
Download the CSF Reference Tool files:

Microsoft Windows Version [SHA1: e6b377bddfeb84ee8abb88af019cee72a05a7bdc] [SHA256: 36b8b9aed45539c942ca2f01dbc15e83e8ebeb2e70a56947c924c003091c6e33]

Apple OS X Version [SHA1: 05a981287b078d78c240618b6f3d91da2037664c] [SHA256: c5094c6fbb6a64949e2665efeab6236f1226eabbd0089d42d3bd53b041eb5820]

To instantiate the application, extract the zip archive in a directory where the user has read, write, and execute permissions. Open the NIST-CSF directory and double-click the NIST-CSF (.exe extension) file on Windows systems or the NIST-CSF (.app extension) file on OS X systems to run the application.
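The archive can be checked against the SHA-256 values listed above before anything is extracted. The script below is an added example, not part of the NIST tool or its documentation; it uses the SHA-256 digests rather than the SHA-1 ones, and the archive path and destination directory are supplied by the user because the page does not give the download file names.

```python
import hashlib
import sys
import zipfile
from pathlib import Path

# SHA-256 digests as published in the download list above.
PUBLISHED_SHA256 = {
    "windows": "36b8b9aed45539c942ca2f01dbc15e83e8ebeb2e70a56947c924c003091c6e33",
    "osx": "c5094c6fbb6a64949e2665efeab6236f1226eabbd0089d42d3bd53b041eb5820",
}


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large archive is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_and_extract(archive, expected_sha256, dest):
    """Extract `archive` into `dest` only if its SHA-256 matches the expected value."""
    actual = sha256_of(archive)
    if actual != expected_sha256.strip().lower():
        raise ValueError(f"SHA-256 mismatch: expected {expected_sha256}, got {actual}")
    dest = Path(dest).resolve()
    with zipfile.ZipFile(archive) as zf:
        for member in zf.namelist():
            # Refuse any entry whose resolved path falls outside the destination.
            target = (dest / member).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member}")
        zf.extractall(dest)
    return actual


if __name__ == "__main__":
    # Usage: python verify_csf.py <windows|osx> <archive.zip> <dest-dir>
    platform_key, archive_path, dest_dir = sys.argv[1:4]
    verify_and_extract(archive_path, PUBLISHED_SHA256[platform_key], dest_dir)
    print("digest verified, archive extracted to", dest_dir)
```

A mismatch raises before the archive is opened, so nothing from an altered download reaches the destination directory.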

The home screen of the application displays the various components of the Cybersecurity Framework Core such as:
- Functions (Identify, Protect, etc.)
- Categories (Asset Management, Business Environments, etc.)
- Informative References (CCS CSC, COBIT 5, etc.)

- Click on the Cybersecurity Framework Core and its various labels. This will take the user to an associated detailed view that allows the user to browse the corresponding data.
- Click on the Home label. This will take the user back to the home screen.
- Click on the Export label. This will allow the user to export the data displayed in the current view in different user selectable file formats such as Tab-Separated Text, Excel Workbook, HTML, XML, etc.
- Click in the Search text box in the upper right hand corner. This will allow the user to perform a global search for a particular term.

License, copyright, and distribution
This software was developed at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties.  Pursuant to title 17 Section 105 of the United States Code this software is not subject to copyright protection and is in the public domain.  The NIST CSF Reference Tool is a proof of concept application.  NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristics.

Comments and feedback
Please direct questions, comments, and feedback to csf-tool@nist.gov.