Working Group 11: Consensus Cyber Security Controls. March 14, 2013. Alan Paller, SANS Institute; Marcus Sachs, Verizon Communications; WG 11 Co-Chairs


Page 1

Working Group 11: Consensus Cyber Security Controls

March 14, 2013

Alan Paller, SANS Institute; Marcus Sachs, Verizon Communications; WG 11 Co-Chairs

Page 2


Working Group 11: Consensus Cyber Security Controls

Description: This Working Group will examine and make recommendations to the Council regarding technical cyber security controls that can provide the most effective possible mitigation of known cyber risks to the business systems and networks maintained by communications providers and to the data maintained on and processed by those systems. In carrying out its work, the working group will evaluate and contrast the “critical cyber security controls” adopted by the National Security Agency and the Department of Homeland Security in the United States, the UK Centre for the Protection of National Infrastructure, and the Australian Defence Signals Directorate, with the existing set of CSRIC cyber security best practices. The working group will assess the degree to which the consensus lists of critical controls are applicable to the communications industry, identify gaps between the critical controls and the existing CSRIC best practices, and recommend a superset of the most critical controls for application in the communications industry. The Working Group will recommend updates to the best practices list compiled by CSRIC II with a prioritized list of critical cyber security controls that are applicable to the communications industry.

Duration: Revised, prioritized list of critical cyber security controls - March 6, 2013

http://transition.fcc.gov/pshs/advisory/csric3/wg-descriptions.pdf

Page 3

Working Group 11 – Participants


Co-chairs*: Alan Paller, SANS Institute; Marc Sachs, Verizon Communications

Active members, sorted by employer name

*Members of the FCC’s Communications Security, Reliability, and Interoperability Council

Page 4

Working Group 11 – Participants

*Members of the FCC’s Communications Security, Reliability, and Interoperability Council

Active members, sorted by employer name (continued)

Page 5

Working Group 11 - Current Work Activity

- Group formed on September 5, 2012 with a deadline of March 6, 2013 (six-month project)
- Approach:
  - Analyze the 20 Critical Security Controls for applicability to the Communications Sector
  - Analyze the CSRIC II WG 2A cyber security best practices
  - Correlate all 397 best practices with the 20 Critical Security Controls
  - Determine uniqueness and applicability to the comms sector, and challenges of implementation
  - Determine which of the 397 best practices should be classified as essential for stopping or mitigating the impact of known attack vectors
  - Consolidate inputs and write report
- Calls held every Monday afternoon during the six-month period


Page 6

Working Group 11 - Work Completed

Working Group 11 accomplished four tasks:
- Task 1: Assessed the degree to which the 20 Controls are applicable to the communications industry
- Task 2: Identified gaps between the 20 Controls and the existing CSRIC best practices
- Task 3: Recommended a superset of the most critical controls for application in the communications industry
- Task 4: Recommended updates to the best practices list compiled by CSRIC II with a prioritized list of critical cyber security controls that are applicable to the communications industry


Page 7

Working Group 11 - Next Steps

- Working Group 11 finished its work on March 6, 2013
- We expect our findings and recommendations will be transferred to the Communications Sector Coordinating Council (or similar industry group) for further refinement
  - Conclusions need to be independently vetted
  - The 397 best practices need to be further updated and prioritized
  - Some of the 397 best practices could be recommended as essential due to their ability to stop or mitigate the impact of known attack methods
- Integrate these findings into the cyber security framework called for in the President’s Cyber Security Executive Order


Page 8

Working Group 11 - Project Timeline

- Working Group 11 began its work on September 5, 2012
- Working Group 11 concluded its work on March 6, 2013
