
Michael Brown - The NIST Cybersecurity Framework is coming! Are you ready?

BSides Orlando · 48:07 · 1.1K views · Published 2015-11
About this talk
http://bsidesorlando.org/2015/michael-brown-nist-cybersecurity-framework-coming-ready

Day 2 - Track 1

Abstract

NIST (National Institute of Science and Technology) recently rolled out the Cybersecurity Framework (CSF) for use by organizations. The Framework sets down a group of standards to assess the security posture of organizations. While use of the Framework is not mandatory, in some areas we are seeing that its use is being pushed. For instance, the SEC is expecting various financial institutions to be assessed against it. As security professionals, we need to understand what the Framework is all about, as we may soon (if not already) be expected to ensure our systems are in line with it. This presentation will give an overview of the elements of the CSF, with a comparison to other widely used frameworks, such as ISO 27001/2. At the end, you should have a better understanding of the Framework and be better able to deal with it.

Bio

Involved in IT for 20 years, the last 10 in security. Worked up from a security admin to a global security architect for a large corporation, managing several of their security systems. The last couple of years working as a security consultant conducting security risk assessments for a variety of clients, small and large, in the healthcare and financial areas.
Transcript [en]

test 123

test test test

you what

test test test

Hopefully everybody can hear me. I'm up here to present a little talk on the NIST Cybersecurity Framework. For most of you guys this will probably be something new. When I put together this talk I kind of made the assumption that while there are technical backgrounds in the audience, some of the things that deal with frameworks and controls are what you probably have not been exposed to, so I kind of assumed a lack of knowledge in those areas. I'm going to make sure that everyone is brought to a decent level, so if you do know the things I talk about, it's not meant to be an insult; it's just meant

that I'm not sure what the audience's experience and knowledge is, so I'm trying to cover it for everyone.

blogspot. It's kind of an occasional blog: if I have something I want to talk about, or see something that kind of bothers me, I blog about it, so it's not a regular blog, but I do try to talk about the upcoming events that I see in the area. I plan to sort of blog about today's event and keep my impressions in terms of what I thought the event was like. About myself, quickly: I come from a technical background, and a lot of people that work in my area, which is now called governance, risk and compliance, too often come from an auditing or accountant type background. I come from

a technical background and have had a varied career: I started off as a software engineer, went into system administration and then into security. One thing is that I was actually part of an IT organization that was assessed at CMM level three, and you know what that means; I'll point out why that's important later on. I do have experience with a lot of these different frameworks, whether it's regulatory, for instance HIPAA, or things like PCI, ISO 27001 and 27002, and now the new cybersecurity framework, which just kind of fits in with what I've been working

on. I'm also active in some other organizations as well. Here's kind of a background of what we're going to cover. I'm going to give you a background understanding of what we're talking about in terms of what are frameworks and what are controls, and then we're going to the NIST Cybersecurity Framework and kind of talk about what that is, so you have a better understanding of it. I'm going to talk about some resources that you can make use of; it's gotten more and more popular and I think it's going to increase. So, background: this whole process of creating this actually started back in February of 2013, when President Obama signed an executive order called

13636, Improving Critical Infrastructure Cybersecurity. It was all about, you know, let's create a cybersecurity framework that companies and organizations can follow to reduce cyber risks. If you're interested you can get this document and take a look at it. NIST, which was the group that was to develop this, had a bunch of workshops in 2013; these were workshops that brought together people from private industry and from the public sector to get some feedback and understanding of what they thought was important. They actually released the first version in February of 2014, which means that this framework is a little over a year old. They then had a sixth workshop in

October of last year to kind of get feedback in terms of the people who had initially started using it: what they liked about it, what they didn't like, and kind of lay the groundwork for possible improvements. They then released a report in December of 2014 about what they got out of this workshop. Now one thing they talk about here is critical infrastructure. It's like, what the heck does that mean? This is what they mean by critical infrastructure: all these different industries, and quite honestly most of you here are probably in some of these industries. If you're working in government, you're working in healthcare, then you probably fall into one of

these critical infrastructures. That is the big push of the federal government. Even if you are in IT services and whatnot for companies that are in these critical services, you follow their information technology; you probably might be working for a company that is in these different areas. I know for the work we do, they fall under some of these areas. NIST, if you're not familiar with what NIST is, is the National Institute of Standards and Technology, part of the Department of Commerce. While their main focus, or the original focus, was standards and measurements, they've actually gotten into a lot of technology stuff, setting down technology standards. By and large it's been the government that's been using their NIST

standards, but these are available for everyone to make use of. One that you may have heard about is what's known as the NIST Special Publications 800 series. These are a series of publications, getting up to over 150 now, on various topics; some are more fundamental, some are broader. I know there's one for, like, cloud computing, there's two or three about malware, risk assessments and so forth, and all of them are free. If you want to make use of them you go to the website and there they are as PDFs you can download. Some of them are more active in terms of updating; there are some now that have gotten into like a third or fourth revision, or

some they wrote 15-20 years ago and haven't updated since. So this is the group that the government said, hey, you're going to put together the cybersecurity framework. Another thing that happened a couple months ago was the White House had what was called the Cybersecurity Summit, or the Summit on Cybersecurity and Consumer Protection, held at Stanford. If you're curious about what they covered, because they covered a lot of different topics including cybersecurity, you can actually go to the White House website, whitehouse.gov, and you can get a report of what they talked about. What was interesting was they talked about the status of the cybersecurity framework

and its use and so forth. I've actually pulled together from different sources where it's going right now, and it's actually surprising how widely it has been put to use already. So this is something just from the private industry area: you have lots of companies that are already adopting the cybersecurity framework. You have Intel, you have Apple, you have Bank of America. What a lot of these other companies are also doing is not only adopting it for their own use, but they're telling their vendors, i.e. companies that they deal with and either get goods or services from, we want you to use this as well. So it's

kind of rapidly being adopted or being put to use by a lot of different industries. Some other ones are kind of interesting: AIG is using it in how they write cybersecurity insurance. That's the biggest thing I hear a lot; people are like, oh, we have a cybersecurity issue, let's just go get insurance to cover ourselves. But what they're going to do is use the framework as a way to assess companies to see how good they're doing in their security, because if they're not doing too well then they should probably be charging more for cybersecurity insurance for them. The legal community apparently is looking at it as

a way to set down a standard of care, again using it to take a look at a company to say, are they following good practices or not, and if they're not then they're not doing due diligence, you know, good care, which means that they probably might be penalized for that. That's just private industry, and on the government side it's the same thing. A lot of government agencies are now using it: DoD, DOE, the Department of Homeland Security. One thing is the federal government is also incentivizing its use, i.e. encouraging more people to use it, so they're doing things like building it into grants and such, like, oh, if you get a

grant from the DOE or FEMA they're going to say, we want you to use this as well to assess yourself. Several state governments are using it; those are the ones that I have seen referenced in some of these sources. What I think is really kind of insane is foreign governments are looking at it. I mean, we created this cybersecurity framework for our use within the US, but it's funny that the UK is looking at it, the European Union is looking at it. The SEC, again, when these things were released, is looking at it as a way to tell financial organizations that are heavily regulated, you need to be following this. So depending on where you're at, you may actually be in a

company or an industry where they're already starting to push it, so you need to be kind of aware of what the cybersecurity framework is, because it's probably coming. We're already dealing with it with our clients; we've had clients coming up and saying, hey, we need to be assessed against this, we need your help to look at our practices and see where we stand. OK, but what is a framework? This is a term that, I'll be honest, when I got into IT security I had never heard; that's something that I've only seen in the last few years with some of these concepts. So I want to

make sure people understand what we mean by a framework. I think there are some misunderstandings and whatnot, and there are a lot of frameworks, which makes it worse. Basically it's based on an abstraction, assessed on basic controls, things that you should be doing in your organization, but it's meant to be at a very high level. I saw one article that talked about the cybersecurity framework, and the person was kind of complaining about, oh, it wasn't detailed enough. It's not supposed to be detailed; that's the whole idea of a framework. It's meant to be high level, you know, the basics of how you set things up, not getting down into the nitty gritty to tell you what

you need to be doing, because then it's not a framework. There's kind of a misunderstanding about that. Again, it doesn't specify technical solutions, so a framework might say, hey, you need antivirus, but it's not going to tell you how to implement that or what's best for you, because some people say, well, we're going to use whitelisting, and we're going to use these antivirus products here and there. That's great; a framework is not going to tell you that. That's what you need to understand about the needs of your organization, to define that. These are some of the frameworks that are out there; maybe you might have heard about these. The one that you're probably most

familiar with is ISO 27001 and 27002, which sets down what is called an information security management system. This is an international standard; a lot of companies are following this. Another one is COBIT 5, which comes from ISACA; that's what's called IT governance. ITIL is one that people might have heard of. COSO, if you're from the financial side, you might have heard of COSO. NIST 800-53 is more for federal controls, so if you're not in the federal government you're probably not worried about 800-53. Another one that probably a lot of people have heard about is what used to be the SANS Top 20, which is now called the Critical Security Controls.

yes

Well, kind of. We'll get to that; you'll see how it ties in, and it's actually kind of an interesting way how it does that. I pulled this off the internet to kind of show you what we mean by a framework. This is just kind of one that talks about the different elements that need to be addressed, like scoping, system model and so forth. Controls is a term you hear a lot about, and I think a lot of people don't really fully understand what a control is. If you'd asked me a few years ago I would have stumbled through it, because I never used that term before, even though, to be honest, I've

used controls my whole career. Basically they are just specific activities performed by persons, designed to ensure that business objectives are met. Basically it's meant to be: you need to be doing this to make sure things are being done right. We have a lot of examples, and you guys probably use a lot of these: a change management system, that's a control. Setting down a standard for passwords, that's a control. You probably have these in your organization: access control and so forth. But I know for a lot of us, I mean, I always thought these are just policies, but they're actually controls. That's the thing: a control can

be a policy, it can be a procedure, it can be guidance. I've had people talk to me about what's my experience with controls, after I told them I've been writing policies and procedures for years, and I sometimes wonder, do they really understand what a control is? Because those policies are controls. Now ideally, if you have a control, let's say a password policy, hey, passwords must be in a certain form and so forth, you'd like to implement that control into the system. What most of us do is we put it into the system where it forces you to adhere to the standard when you create a password, and that's great, to implement that

control, but it could well be as simple as a written document that says, hey, passwords will be created this way. Another example I gave, protecting against malware, that's a control. And the thing is, this control, this is the ISO framework which I want to pull up, and it's kind of funny when you look at these different frameworks how much time they spend on it. The cybersecurity framework only has, as I've seen, one statement that matches up to it, whereas with the Critical Security Controls they have a whole section which goes into about a dozen sub-items, all about malware. So it kind of varies in

terms of how much these different controls deal with different topics. Some, it's like a one-liner: do this. Others will go into like three or four or five or six more in depth; it depends on how much they think is important. With ISO they have a basic control, but then they go and spend like a page or two of other information, kind of giving you information and background on why it's important and some advice and so forth. So it all kind of varies by the control and by the framework that you make use of, or your company is making use of. So the cybersecurity framework: the true name of it is the Framework for Improving Critical Infrastructure Cybersecurity. It is

currently version 1; it came out in February of 2014. It's meant to be voluntary; at this point there are no government regulations that require anyone to follow it, and I think that's going to stay the case. Everything I see, the indications in terms of things I'm hearing from the government, is they really don't want to put it into regulatory requirements, so it's not going to be like a HIPAA requirement where you're required to do it and be assessed against it and so forth. They're more trying to put it out there and encourage it, kind of incentivize it, as opposed to forcing you to use it. It's also not meant to be one size fits all, and that's a

problem, again, with people thinking of frameworks as meaning everyone has to do the same thing. The idea is that each organization needs to take an assessment of themselves: what is important for them, what is the risk to them, to focus on what's important for them. That's going to be really big for a lot of people, because we kind of have this mindset, oh, everyone needs to do the exact same thing, without realizing that, no, every organization is a little different; the threats for different organizations are different, so some are going to need to focus in different areas and so forth. It's also meant to be a living document; they're going to be updating it based upon

input and usage and so forth, so we'll see how that goes. Again, it is a little over a year out, so we'll see how that goes. The framework basically has three major parts: there's the core, there are the profiles and there are the tiers. I think for most people we're focusing on the core; that's kind of the heart of it. The core is broken into defined functions, those are broken up into categories, and further into subcategories, and then what's really interesting is the cybersecurity framework then cross-matches those subcategories to other frameworks. That kind of goes to your question in terms of how they match up. That's what

they did; they've actually gone through and said, hey, this control matches up to these controls, which is kind of interesting. It's not meant to be a replacement. They did these crossovers because if you are using another framework then you can kind of match them up and use them in conjunction. Right, right, yeah, so sorry, you can cross-match; you don't have to go and toss out what you're using, you can use this in conjunction with what you're using. That's what I think is good. Then there are the profiles and tiers; that's a little trickier, I'll get into that. This is how it's laid out: you have the five functions, and they color code them,

then they're divided into categories, which go into subcategories, and they have the informative references. This is actually how it's laid out in the document if you take a look at it. These are the five functions, and they use this color coding: Identify, Protect, Detect, Respond, Recover. Identify is laying out the groundwork for what we call an information security management system, i.e., and it's broken into (you can't see it) things such as setting down your governance for IT and IT security, doing a risk assessment, understanding what your risks are for your organization, understanding your strategy for how to manage risk, things such as knowing what your assets

are, and assets are not just your computers but also your software, your systems and so forth, and understanding your business environment. That kind of lays down how things are. Then the next step is you're putting in protection methods: access control and training and so forth. Then Detect, that's all about monitoring and auditing and knowing what the heck's going on with your system, or who's going to access your system. Then if something does happen you have Respond, whether it's an incident response, whether you have a disaster recovery, how to respond to it. And then once you've responded, how to get back up and running on your

business, that's Recover. What I do like, and something that isn't always in other frameworks, is if you look at Respond and Recover they require you to have improvements: you had an incident, did you do a lessons learned, have you figured out what went wrong or what you can do to improve it, and then go back and improve how you respond and how you're doing things. A lot of people don't always do that; they don't do that post-mortem review of how they can improve things, but the cybersecurity framework actually puts it very explicitly: they want you to be improving things and doing a better job. I think that to me is real important, because you

know, as we see things going on, as professionals we see, hey, Target got hit, what did they do right or wrong, so that you can do better in your organization. That sort of improvement is really, really critical. So I kind of pulled this example out to help you guys understand what it looks like. We have Access Control, which is under Protect, and this is what they have in the cybersecurity framework: access to assets is limited to authorized users, processes or devices, and to authorized activities and transactions. So that's the function, which is here, Protect; the category is Access Control, and then it breaks it up into

four subcategories. Number one is about identities and credentials for authorized devices. Number two is about physical access; that means things such as, hey, you have it in a secure room or you've got it in a secure data center. Three, you have remote access controlled, your people dialing into your system. And four, you have access permissions that are managed, and you're dealing with least privilege and separation of duties. That is as far as it goes in the cybersecurity framework; it doesn't go any deeper in terms of explanation, which I think for some people is frustrating, because they figure they're going to go into a lot of depth and whatnot. But that's

why I like the fact that they do the matching up to other frameworks, because then you can go to the other frameworks and see what they say, what they expound upon, and then you can actually go deeper. And five is about network integrity, you having segregated networks. Here's another example, again taken from the cybersecurity framework. This one is from Identify; it has Asset Management, which has six different steps. This is how they laid out the framework in the document: they talk about a function, then a category, then the subcategory; you see the informative references with the actual mapping to the specific area in those different frameworks. I realize that some

references don't always match up, so you have an ISO 27001 one, and the same if your organization is already using ISO 27001 as your standard: you can then match up and know what you're already doing in the cybersecurity framework, and then take a look at what is different or unique, because there are things that are different and unique in the cybersecurity framework from the others. These are the informative references: there's COBIT 5, there's the Critical Security Controls or SANS Top 20, there are these next two which are more for people who are dealing with SCADA, and then of course NIST 800-53, which is more for the federal government. So these

match up to it, and I've also heard of people who have done matchups of PCI DSS with the cybersecurity framework, and someone has matched up HIPAA with the cybersecurity framework. So far I've not seen those, but they're out there. I also have, I don't think I might have enough for everyone, I also was able to get from SANS this poster they did last year with the Critical Controls, but what it also does is it includes the cybersecurity framework in a matchup matrix between the Critical Security Controls, ISO 27002, PCI, and the cybersecurity framework. So I'll pass these out toward the end. The next element is the profile, which is

kind of used more for when you're implementing the cybersecurity framework, and what it does is it kind of figures, OK, where do we stand and where do we want to go. So they talk about the current profile, which is: OK, where are you for each of the categories and subcategories? With this control you're doing well, this one not too well, and here's where you stand. Then again you have to assess your organization and what is important for you; you then set down the target profile, where do you want to be for each of those categories, and obviously there's going to be a difference between where you're at and where you want to be, so you do a gap

identification, and now you know what you need to focus on. From that you then see what's more important and spend your resources on it. This is kind of how it's done: you have a current profile, your target, and then what you need to focus on based upon where you're at and where you want to be. Tiers is really weird, and I don't know if everyone really fully understands it; I know I don't fully understand it. It's almost like, when people first heard it, they thought it was basically a maturity model. It's not a maturity model, and I'm not sure how many people know what we mean by a

maturity model; I'll talk about that shortly, but I think it's really kind of important, and it's poorly understood. I think a lot of people are just skimming over this point. They have four tiers: Partial, Risk Informed, Repeatable and Adaptive, and they assess these tiers based on the maturity of the organization in risk management, the integration management has into the organization, and then external participation. That means how the organization is participating with other organizations and so forth in terms of information, you know, passing on information, getting information and so forth. That's become a big thing nowadays: hey, we need to be sharing information that we see so we can

improve security. So what is a maturity model? Again, I don't know how many people have heard the term before and know what it is, but basically it's about a degree of formality, or basically how good your processes are in your organization. Ad hoc, or what I've seen with IT organizations, is the ones that are in what we call firefighter mode: doing everything by the seat of the pants. If you're building systems, you build systems ad hoc and just kind of do it differently, so every system is not quite the same, and then when you go to do any support work it's a pain in the butt

because they're all different. Or you have a clearly documented and followed procedure to build every system; that's repeatable, so every system is the same, and then when it comes time to support them, instead of having a dozen or two dozen or several hundred systems that are all not quite the same, you've got all these systems that are all managed the same and you can easily do it. That's the difference between having an ad hoc, low maturity or no maturity organization and a very mature organization, and that can be really, really important, because I know from my experience, if you're in an immature organization, it can be very costly for your company, or the

company is going to get really tired of your organization and get rid of you if you're not doing the job that you're supposed to be doing. Some maturity models can be what we call process oriented and some are what we would call people, process, technology oriented. One that you may or may not have heard of is called CMM, the Capability Maturity Model, which was originally created for software but then started being used for other areas. That's the one I'm familiar with personally, because I was involved with the organization that had to be CMM assessed. There are others out there, including an older model

which is more people, process, technology oriented, which I think for IT security is better, and some proceed to be more people, process, technology oriented in terms of their maturity. This is CMM, for those who've not seen it before: it's a five stage level, and the idea is you start at level one, which is your ad hoc, initial level, but if you want to go to level two it requires requirements management, project planning and so forth; you need to do all those processes well before you can go to level two. If you want to go to level three you need to be doing everything in level two and all of level three, and so forth, with the ultimate goal, let's try to get yourself

to level 5, which is really, really, really difficult. I know we got to level 3, and for us it was a lot of time, a lot of energy, a lot of money to get to level 3, but it was worth it, because we didn't get outsourced like other IT groups at our company. This is the other type, which basically has their columns here through policy formation and so forth, and the assessment level, how are you

doing. What is kind of interesting is that in a CMM type model the goal is the top level, whereas in the CSF model, well, that's not necessarily the goal. Partial would be ad hoc; at Risk Informed you have a better handle on what's going on, you have things a little bit better under control; then you keep improving yourself to Repeatable and Adaptive. This is what's kind of neat about the tiers, I think: they do encourage you, if you're at tier 1, to get to tier 2, but here's what I think is interesting: going to a higher level isn't something that you have to do; it depends on your

organization, because in a business it becomes costly in time and money to go to 3, to go to 4, and maybe for your organization it's not worth it, so staying at 2 is where you need to be. So unlike with CMM, where the ultimate goal for almost everyone who does CMM is, hey, we want to get to 5, that's the big goal, in the cybersecurity framework getting to 4 isn't the big goal. What I thought was kind of interesting is that they say that getting to your target profile, getting to where you want to be for all the different categories and subcategories, is more important than getting to a higher tier level. So again,

I mean, the tiers are, to me, kind of a strange part of the cybersecurity framework. I don't know if everyone fully understands them, because there's not a whole lot of information on them, even in the document. So

well, that's how it's used: it's all based upon your risk tolerance, your risk exposure. You might have to tailor it to yourself, and that is the frustration when you look at it, because I mean it's not a very big document; they don't give you a whole lot of guidance. I think they're trying to, it's kind of a balance between, do we tell you what to do and then restrict your decisions, or do we make it high level enough that everyone is free to come up with what's best for them. It's kind of a balancing act, and maybe in future versions they'll have it, those who look

better. They'll come out with lessons, guidance and some suggestions and so forth, because again the thing is, it's your organization; you have your own issues important to your organization, what the risks are. In other words, each organization is subject to risk, and by understanding what is at risk, and a lot of organizations do a poor job of that, that drives what is important to focus your activities on. I think it's trying to be, I think, not trying to be one size fits all; it's going to be flexible enough to fit different organizations. It's one of those things where it's like, is it too loose or too tight? Yeah, so it

is, and I think one thing also, I think what's going to happen is you might see people where they're going to come out and say, hey, if you're in the financial industry, here's maybe a suggested profile for you who are in the financial world; oh, hey, you're in manufacturing, this may be what you need to look at; oh, you're in healthcare, maybe this is what you need, or something like that. I think that's something I would expect to see, where people are working with it and coming up with sample profiles, and that might help a little bit.

and then you seeking that crossover and what not even dhss i mean i'll mention about this supports to the gotta come back and over some of their stuff and cemetery framework so i think we can see more and more of that stuff it's just not there yet but i think we'll see something like the next year or two as more more hard ization views and more puzzling more or anything about our partner to push it yeah they needed have provided premium support it's not quite there but i think it's coming this is actually coming acting from how you implement it and their day was prioritizing scope it you want to poker pro by ear where you currently at and

how do you be you know the framework and again it's why I kind of like the matchups with the other framework so if you're like an ISO 27001 or two organization you know when you want a bit of sustenance that and sort of like okay what matches up oh we're doing this we do with this things we're not doing is that important for us you want to have your risk assessment I wondering what are the risks that face your organization then drive where you need to be and then once you have that you have your ally to acquire the apps and the implement and they also have this chart from the subcommittee framework booklet or its

again about your ongoing improvement is it really worth it was ongoing improvement and everybody involved with it I think for a lot of us were probably down here imitation of maybe more here but it has to be memorable it has to come from a senior level say we're going to do this the business processes ongoing improvements and so forth and that's and that's a real difficult thing for a lot of organizations who don't do if you will are not really mature in terms of how they are handling their security I said I do assessment with organizations I go in the air one per table hey you know let's say your policies and procedures you know we

don't have this okay so it's like started turning it that step 1 so some of the resources out there I think more coming again it's moving out a little over here so we're going to be that we have some stuff but a lot of things isn't there and I'm not really sure if we can see some of these things but it might be a lot so we're training there is no official training on this you know I don't think there ever will be the only 20 about half pound is a soccer at a two-day course on some of your affirmative report because they're behind code of five it's all cope with five oriented so that's this

is the only one you get a certificate complete exam that's not a certification that's just a certificate of completion well that's going to be interesting i'm not sure haven't seen this is i saw that if you're not aware is doing its cyber security conference in DC and october and i want to look at the preliminary information they have and they talk about how oh where have these tracks and guess what they call the tracks oh let me i'm good at each track and then protract track and a detective track and am I thinking yeah where did you get those terms from me so it's gonna be insane when we see the list of the workshops or the presentations at their

conference to see how oriented it is to secretary framework but soccer seem to be the only group that seemed to be kind of behind getting one cream too kind of getting behind it in terms of pushing it certifications no there's no certifications whether it's whether it's good or bad other frameworks do have those I mean with cooked with cobit with a high too with ISO 27001 and two you can get certifications like you can be certified in terms of a base knowledge you can be sort of quite an implementer of it you can be a certified in assessing it nothing for cybersecurity framework and don't expect that to change because it would probably have to come from with

missed approval yes

no totally different it's yeah the side of you know yugatech separate the Submariner this subsidy framework from the very book you know right into the 800 series they're totally separate this meant to me to overall all-encompassing cybersecurity framework in the 800 series the only one that said it's a close match is 853 but that's only focus on the federal government and it doesn't have a total match

yeah but that's again things more tightly to miss the mist 800 special publication which is for federal government whereas the Secretary's framework is very very new and it's also you know meant to be for everyone not just federal government in sort of private industry and everyone else so now a lot of people do can get confused especially when they're kind of familiar with the 800 series about like oh oh well isn't that the same it's not really I mean there is some matchups to it but its focus on a different area well actually I would say that the summer period actually meant to be a broader focus and because it's so broad it can't be is real specific versus the other one

which is more federal government computing in terms of books and resources at this point there's not a whole lot either you get the framework itself from this it's a PDF or the website they have actually a section on their webpage for it and they have some other other documents that you can download or other things that work with it the only person other group ended up in Britain a book on it is aisaka and it's in putting this under pretty framework using coba five big surprise there if you're a number you get that for free if you're not it's going to cost you quite a bit I think if I want to get the print version as a member it

can cost me 35 bucks if you're not a member i think it's like 80 bucks but there's nothing else I've done it I've got an amazon and search down side of your framework no one else has written any books I don't know what we're going to see one there are other item on Terra if our mother free Intel had written a white people on a used piece of it you downloaded for free price waterhouse cooper has created a white paper I'll adopt exceptionally framework this is a resource page tied to it which they're putting some stuff there the power of Homeland Security Network all the c3 site so it has resources there and I'm hoping that we'll see more and more of

these resources popping up but hey I said it's only been a little over a year so we'll see as we get more and more stuff out there version 2 oh I don't know I will point out that ISO 27001 it took about five years between versions like that we've only had it out for a year so I'm not you know I expected version 2 for another four or five years I think more people need to use it beat it up you know see what works what doesn't work and we'll see where that goes these going to make conclusions I really think we'll see more and more people using it more uncertain more more organizations using it what I do like

especially since they did the matchups is that people don't have to see it as an either/or proposition they don't have to you know if there are using there are using ISO 27001 they going to use the substring along with it one of our clients that was the case there are financial organization they already had built their information security infrastructure around ISO 27001 and the came to watch because there are financial institution the SEC comes along and says you need to be assessed to get by against the cybersecurity framework you know so for us we just did the matchups okay you know you're doing actually twist I'm the one I pay it matches up to you know these items in

the subsidy framework how will you doing it you know and the few ones that like don't match up because there are some that don't we assess them and say hey how we do on this one how you doing that point and so it wasn't they had to go and throw out what they have done it was just going to like will layer it on top or add to what you're already doing you think we're seeing increase are they using it especially with various other large companies now telling there's their vendors or suppliers however you want to call it until this financial institution they actually are a a vendor to bank of america and whomever haven't

yet come to my cell hey we wanted you to do this also but you know that could happen so you could be an arrow religion of where you're not using it now but maybe in six months or a year you're gonna be expected it to put it to use in some manner depending on your industry logging said i'm seeing a lot in financial in the financial industry you know other areas i know i think with health care everyone's running around a bit worried about HIPAA so i don't really expect to see it there but i think the ones that are more heavily regulated whether it's a pci or from the government are more likely to use it if

you're not don't follow in that area maybe a little bit farther down the road before you're gonna have to worry about it so any questions like that I had a few of these hand out here I've heard it from sands and what I like he hasn't had a poster on it you can get this as a PDF but I asked and send me a whole bunch of these don't want to be able to pass them out to you guys don't never have enough for everyone

don't really need it someone who can use it get it from the air but I think it's a really good tool whatnot so any other questions yes it's called the suckage called implement yo and put inside credit for instance that's the actual official and if you if you search on the disk CSF it'll take you to this website and you can download the PDF it's kind of really it's suffer from the 800 here exponent so it's a holy totally separate page on the Smiths I'm three framework and you can go and get PDF there and you'd like two or three other documents I'd like an Excel spreadsheet that you can help it'll help you out with some

stuff but if you look on the back of the poster there's a the whole listing of the matchup of iso with pci in the critical security with 73 framework that's what i find that that's why i like that poster I had all the ones i had a head you can also get that out there the PDF from their website I actually asked them saying they send me a whole bunch so you can probably you know drop the massive gift if you're not in the stands mailing list you dropped it in email inconvenience in your hardcopy but you can do as a PDF from the website that some is actually a poster that you can get an able to get them to send me some

for this session okay thank you