Over the last two decades, we have taken a bottom-up approach to securing our information infrastructure. The National Institute of Standards and Technology (NIST) published a catalogue of security controls, SP 800-53, and then followed up with a Risk Management Framework (RMF) in NIST SP 800-37 and SP 800-39. Canada followed suit in 2012 with ITSG-33, IT Security Risk Management: A Lifecycle Approach. Because both are built on the NIST control catalogue, this RMF in practice becomes a compliance exercise: implementing and assessing more than 900 controls and control enhancements. Enter the NIST Cybersecurity Framework (CSF), published in 2014 and aimed at the critical infrastructure sector. Rather than checking control implementation, it attempts to measure security outcomes across 22 categories of security activity, giving decision makers and risk managers a better understanding of their risk and how to manage it than compliance with controls alone can provide. This talk will focus on how we are trying to create two levels of understanding for System Security Engineering: one at the detailed technical level, for design and implementation, and one at the risk management level, for risk-based decision making.