1. Addressing Cyber Fundamentals

How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address most basic risks faced by agencies?

Rethinking Audits into Real-time Situational Awareness

It is time to rethink the notion of an audit from something that happens periodically to something that can be continuously analyzed at will, in real-time. It is unacceptable that an organization wouldn’t have complete visibility into activities associated with all users, hosts, and applications within their network infrastructure. This becomes minimal acceptable hygiene, a starting point, inclusive of threat intelligence...

1 vote
Public Input

Unified Security Practice Manager

Inconsistent security controls are often a result of human error. A move to “Orchestration”, or an approach that automates control implementations can lead to more effective and relevant utilization of controls. Benefits include:
• Enabling the Software Defined Data Center
• Centrally define security policy
• Security policies move with VMs
• Reduce security as a choke point; accelerate business agility and responsiveness by...

1 vote
Public Input

Improving Detection, Remediation, and Investigation Capabilities

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,...

0 votes
Public Input

Human-centered Approach

We could take a human-centered or human factors approach to answering the question, “Why don’t we do what we’re supposed to do, and what can we do differently to get a better outcome?” We'd have to drive conversation to the point where the rubber meets the road, by which I mean an action or behavior, performed by a person, which creates a particular harm. Assuming we could categorize the harms in a way useful for analysis...

1 vote
Public Input

ACT-IAC Membership Meeting Ideas

1. Establish “white hat” teams that test employees through phishing and spear-phishing intrusion testing.

2. Change enterprise email policy to only allow plain text, preventing unintentional click-through threats.

3. Similar to the “Cybersecurity Tip of the Day” concept, establish a “Cybersecurity Blunder of the Day” program.

1 vote
Public Input

Cyber-Castle Doctrine to Deter and Counter Cyber-Attacks on U.S.

Situation:
• Cyber-attackers have no fear of retaliation, risk or viable legal proceedings.
• There is no U.S. Government legal doctrine to counter cyber-attacks on U.S. industries, governments and citizens.
• The U.S. Government does not have the cyber capacity to protect U.S. industries.

Proposal: The U.S. Congress should create a newly crafted Cyber-Castle Doctrine legislation for a legal framework for U.S. industries...

2 votes
Public Input

Hold agencies accountable to NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) did a great job describing what is needed to have a good cyber security posture, but it leaves you hanging on how do you do it; what are good practices; how do you measure it? To help assess the operational cyber defense posture of Department of Defense (DoD) systems, Office of Secretary of Defense (OSD), Director Operational Test and Evaluation (DOT&E) developed metrics using the...

2 votes
Public Input

Budget Alignment and Accountability

Adding additional cyber requirements from the OMB / DHS without allocating funds implies that existing funds have to be spread ever thinner, or monies have to be diverted from the Department Agency mission. Perhaps an alternative is providing prioritization for allocation of existing funds (This mandate is #1, then this exec order, etc., etc.). With the "public" availability of such a list, audit should become more effective,...

2 votes
Public Input

Cyber Investment Board (SuperSIG)

Use Cyber Investment Management Boards (DOD example) where cyber projects are presented, defended, and measured against outcome based performance measures for funding. Helps get cybersecurity accountability as a shared responsibility across senior leadership of the organization and to understand costs and risk benefits.

2 votes
Public Input

Cyber Tip of the Day (SuperSIG)

Cyber Tips of the Day – first thing to pop up on intranet logon-screen would be a cyber awareness question (with ability to quickly check against answer). These would be focused on knowledge leveling, increasing awareness of vulnerabilities created by SPAM/Phish attacks, etc. etc.

1 vote
Public Input

Security Self Audit Checklist (SuperSIG)

Create a self-audit checklist that agencies could use on a regular basis to assess themselves on fundamental security capabilities. It would be risk profile based for each agency. Addresses the problem of just having this done by auditors (GAO/IG) or consultants. Keeps attention and resource needed to close weaknesses and vulnerabilities.

Note: FCC is example.

2 votes
Public Input

1) How do we move from inconsistent security/privacy protection

This is the difference between thinking tactically and thinking strategically. If you are thinking tactically, your to-do list is endless. There is always one more control to install, one more security practice to implement. There is no way to prioritize the workload or to measure your improvement. Security practitioners sprint from task to task putting out fires, never taking the time to build a program that can absorb...

3 votes
Public Input

Fundamentals of Security and Privacy start w/Risk Mitigation

Security/Privacy Protection Controls consistency is critical to mitigating organizational risk. Risk mitigation begins at the highest level of an organization. It is a combination of three key things—governance, accountability, and culture. Implementing an organizational governance process will bring myriad benefits, including lower costs, greater control, and overall increased efficiency and effectiveness. A benchmarked...

3 votes
Public Input