McAfee Blog Central, category: compliance (https://blogs.mcafee.com), feed generated Tue, 17 Feb 2015 19:27:17 +0000

We Tried the NIST Framework and It Works
https://blogs.mcafee.com/executive-perspectives/tried-nist-framework-works-2
Wed, 11 Feb 2015 15:34:15 +0000
By Kent Landfield, Director of Standards and Technology Policy, Intel Security, and Malcolm Harkins, Chief Security and Privacy Officer at Intel

When the Administration released the Framework for Improving Critical Infrastructure Cybersecurity (the Framework) on February 12, 2014, many of us at Intel and Intel Security were familiar with the details, as we had participated extensively in the public-private collaborative process to develop the Framework. What we didn’t yet know, however, was how the Framework would stand up when put to the test: what kind of learnings it would yield, what kinds of benefits it would really have. We knew theoretically that the Framework should be a valuable tool for organizations of all sizes, but we wanted to try it out ourselves to see if those expert assumptions were valid in a real organization. We aimed high: the business unit we partnered with to develop the Intel use case is sophisticated in terms of cybersecurity and manages a large range of products and services. We chose Intel IT and targeted the Office and Enterprise areas of our compute infrastructure to conduct our pilot project.

We focused on developing a use case that would create a common language and encourage the use of the Framework as a process and risk management tool rather than a set of static requirements. That aim proved successful, and we recently documented our experience in a white paper. Even in these early stages, the Framework has already helped us harmonize our risk management technologies and language, improve our visibility into Intel’s risk landscape, inform risk tolerance discussions across our company, and enhance our ability to set security priorities, develop budgets, and deploy security solutions.

One of the most valuable aspects of this pilot project is the discussions about security processes and terminology it has been generating. For example, a security policy might be written the same way across the corporation but implemented differently in groups such as manufacturing and human resources. Recognizing these differences is important, and discussing them becomes part of the security culture of an organization.

We plan to implement the Framework in other parts of Intel, and we encourage other organizations to implement it too. Some words of advice based on our experience:

For implementation of the Framework:

  • Do it yourself. Don’t rely on others to come in and give you an assessment, because the Framework is meant to be a tool for discovery – not a standard for measurement.
  • Start where you are comfortable. It made sense for us to start with the Office and Enterprise business functions because our IT Security organization had already begun similar efforts.
  • Tailor the framework to your business. Adding, changing or deleting categories and subcategories helps the Framework align with an organization’s business environment. Don’t be afraid to customize the Framework.
  • Engage decision makers in every stage of the process – continually. Cyber risk management is a dynamic process that doesn’t have a neat end result. A continuous process of iteration and validation will result in an ongoing dialogue about risk, which is the aim.

For continued work on the Framework:

  • Include cyberthreat intelligence. As the Framework continues to develop in the U.S., we believe it should include key elements such as the cyberthreat intelligence lifecycle, which is essential to developing a robust understanding of cybersecurity attacks.
  • Extend beyond the U.S. We believe the Framework’s benefits are not confined to the U.S. In fact, governments in other parts of the world have begun reaching out to learn more about its potential. We encourage transnational dialogue and adoption of the Framework across the globe.

Intel looks forward to continuing to use the Framework to analyze other areas of our business, as we believe it will provide value across our entire organization. Because we’ve taken the Framework out of the wrapper and made it a working tool, we feel confident in our belief that by focusing on risk management rather than compliance, the Framework has the potential to help transform cybersecurity on a global scale and accelerate cybersecurity across the compute continuum.

Shedding light on ‘Shadow IT’
https://blogs.mcafee.com/business/shedding-light-on-shadow-it
Thu, 09 Jan 2014 17:19:11 +0000
BYOD, BYOA, BYOx. The IT industry is full of acronyms depicting its constant evolution and relationship with the professional world. First came the devices; employees saw the power of personal devices and insisted on using them in the workplace. And so the consumerisation of IT was born.

After the devices came the apps. Companies reported greater productivity and higher employee satisfaction after enabling Bring-Your-Own-Device policies, but attention then turned to the applications being used. IT executives were left wondering whether they would face a ‘revolution’ similar to the one that followed BYOD – the ‘Bring-Your-Own-Apps’ trend, where employees choose the virtual tools needed to empower their devices and do their jobs. Recent research we conducted alongside Frost & Sullivan’s Stratecast proves that the app revolution is already here, but with some slightly insidious repercussions – ‘Shadow IT.’

Our global study, which questioned IT and enterprise decision-makers, aimed to uncover the extent and risks of unauthorised Software-as-a-Service (SaaS) applications. It found that more than 80 per cent of employees use non-approved SaaS applications in their jobs, with IT employees actually using a higher number than other company employees.

These SaaS applications are also referred to as ‘Shadow IT’, a term which broadly describes the use of technology solutions within an enterprise that have not been approved by the IT department or do not adhere to its policies. Why is this happening? Low cost, ease of access and ease of maintenance are factors, as is the cloud, which acts as a vehicle for employees to acquire and deploy these applications without involving anyone else. This ‘self-serve’ behaviour puts the business at risk: in most cases, IT departments and security professionals are unaware of the extent of ‘Shadow IT’ and consequently are underprepared.

The current state and prevalence of ‘Shadow IT’ presents a great opportunity for resellers looking to engage with the many businesses struggling to understand their sprawling software use and its security implications. Deploying SaaS apps without the appropriate technical knowledge means corporate standards for data protection and encryption may be unknowingly neglected. This is particularly important for businesses managing sensitive customer or third-party data. Resellers should recognise how much help and guidance businesses need to put systems in place that mitigate the risks of deploying non-approved applications. Although employees’ intentions aren’t malicious and are indicative of a workforce trying to be productive in a hyper-competitive market, the use of ‘Shadow IT’ within a business can have severe repercussions for security and compliance.

The study highlighted a lack of understanding on the part of employees, and a lack of awareness and readiness on the part of businesses, both of which pressingly need to be addressed. As with BYOD, the answer is not preventing employees from using these apps — it’s about striking the right balance between flexibility and control.

The channel can and should work with IT and business leaders to create and support policies that enable employees to use the apps they need while still minimising corporate risk. These policies should be built around security solutions that provide employees with secure access to a broad range of recognised SaaS options. The ability to control app usage – for example, allowing users to access Facebook but restricting the ‘chat’ function, or automatically encrypting files before they are uploaded to a file-sharing site – is also key. Tools like McAfee Web Gateway can track web traffic and automatically provide proactive protection against malware, as well as block undesirable URLs, prevent outbound data loss and enforce acceptable usage policies.

The right security solution, together with education, policy control and consistent communication with employees can make the difference between a business that is agile, innovative and competitive or closed and removed from the opportunities around them. The channel has a crucial role in helping enterprises to shine a light on this new behaviour and ensure that when it comes to the competition, they aren’t left behind.

Walking the Talk on Public-Private Partnerships
https://blogs.mcafee.com/business/security-connected/walking-the-talk-on-public-private-partnerships
Fri, 16 Aug 2013 17:22:14 +0000
There’s been a lot of talk about the value of public-private partnerships in moving the U.S. toward a more robust cyber security posture. And let’s be honest: there’s also been a lot of private sector skepticism about how much the Administration really believed in the concept or how much they would do to make it happen. I’m delighted to say that, so far, those skeptics have been proven wrong. Through both the NIST framework and the list of positive incentives recently released, this Administration is demonstrating that they really get it on cyber security partnerships.

To help secure the nation’s critical infrastructures, NIST is working with the private sector to design a Cybersecurity Framework – a set of core practices to develop capabilities to manage cyber security risk. McAfee participates in this effort, as do many other experts from government and industry, and while it’s difficult to bring all these players together, NIST is making good progress. The Administration has also kept its promise that the framework will be voluntary for owners/operators of critical infrastructure and other players such as IT companies or suppliers of products and services – a feature that’s key to the framework’s success and key to solidifying trust with the private sector.

To encourage critical infrastructure companies to adopt the framework, the Administration recently came out with recommendations for positive incentives, and these are also a step in the right direction. The incentives include such concepts as cybersecurity insurance, grants, limits on liability, streamlined regulation and increased funding for R&D. Promoting incentives rather than additional regulation is exactly the right course, because with more regulation we risk having a more compliant power or water company, but not necessarily a more secure one.

With both initiatives – the framework and the incentives – the Administration is showing supporters and critics alike that they’re serious about partnering with the private sector and serious about keeping the fixes voluntary. I commend them for that. This way we can work collaboratively to secure our critical infrastructures so they’re able to resist cyber attack and recover quickly if they do incur attacks. That should be the greatest incentive of all.

To learn more about the cybersecurity executive order, the latest progress, and how you can participate, download the McAfee EO 13636 Solution Brief.

Five Factors That Make D.C. Region a Cybersecurity Hub
https://blogs.mcafee.com/business/security-connected/five-factors-that-make-dc-cybersecurity-hub
Wed, 29 May 2013 13:37:55 +0000
McAfee is based in Silicon Valley, but we know there’s more to tech than California.

We recently joined the National Institute of Standards and Technology to launch the National Cybersecurity Center of Excellence, a joint effort among high-tech business, federal, state and local government and local universities located in Rockville, Md. The goal of the NCCoE is simple: to identify and help deploy real-world cybersecurity tools that ordinary businesses can use to secure their own networks. Ten other high-tech companies, Johns Hopkins University, the University of Maryland and the National Security Agency have committed their own personnel to the effort.

We’re particularly proud of our participation for lots of reasons, but it’s the combination of the players – the public-private part – that made this alliance particularly compelling.

Try as they may, most parts of the country have not succeeded in replicating the success that tech hubs like Silicon Valley have achieved. Greater Washington D.C. is a success story in its own right, and we think the NCCoE is another reason the DC region will continue to make its mark in computer security.

Every place is different, of course, but five factors seem to make for success when development is the goal.

RESEARCH

Tech is ultimately about smart people doing smart things with the tools they have, and education is the foundation of all of it. The source of Silicon Valley’s brainpower is clear enough: The region hosts a multitude of universities, foremost among them Stanford and Berkeley. DC area universities have received significant funding from the federal government and in many cases enjoy a close relationship with the nearby National Security Agency itself. Schools such as George Mason and James Madison in Virginia, the University of Maryland and Johns Hopkins in Baltimore head the list.

FUNDING

Cutting edge tech is important, but banks won’t fund it until it’s well established, so the path from startup to success can be a difficult one. Angel investors and venture capitalists are necessary components to any successful tech region, and that’s a part of the business world that’s clearly growing near the nation’s capital. New Enterprise Associates just up the road in Baltimore and In-Q-Tel have funded more than their share of startups in the area.

RISK TAKING

Anyone in business knows there are risks to trying to make a profit, but not everyone sees risk the same way. The best high-tech regions recognize that failure is often the prelude to success and won’t automatically penalize those who can’t make a go of a certain venture. Smart dealmakers don’t want to know that you failed — they want to know why.

The nation’s capital isn’t famous for risk taking, but the region’s business community increasingly is. Sequestration and ongoing budget pressures have accelerated the push towards the private sector and away from the old government-contractor mentality. The end result is a slow transformation of the region into an area of authentic innovation.

MOBILITY

It’s a factor many overlook, but it’s there nonetheless: many, many people in tech aren’t just mobile; they’re from another country altogether. The fact is that huge numbers of high-tech innovators in the U.S. left their home countries because they knew the U.S. was the land of opportunity, and it remains so today. Go to Silicon Valley, come to greater DC, walk around any top computer science school and you will see the same thing: brilliant engineers with all the drive you could ask for, making amazing discoveries in a country that has claimed them not for their ethnicity, but for the excellence of their work.

GOVERNMENT THAT WON’T GET IN THE WAY

You don’t have to be libertarian to recognize one simple fact: the business climate that government sets is hugely important. Places such as Silicon Valley, Northern Virginia and suburban Maryland are for the most part left of center politically. I’ll leave it to others to say why tech regions tend to lean liberal, but when it comes to business issues, these same regions look a lot like their red-state neighbors. Light-touch regulation yields real results not just for the companies directly affected but for the whole of the decidedly prosperous places in which they operate.

THE FUTURE

Cybersecurity is booming. We take little joy in the reasons why, but we at McAfee are honored to be part of the solution to fighting the threats we face. We hope and expect our efforts here in suburban Maryland will bring a stronger, more secure future in cyberspace.

Getting Assurance in a Time Constrained World
https://blogs.mcafee.com/business/security-connected/getting-assurance-in-a-time-constrained-world
Mon, 20 May 2013 17:34:04 +0000
Nothing is as frustrating as when something goes wrong, especially when you have time constraints. NIST has just released Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations, in which a few notable items have been added to increase the confidence that the security features, practices, procedures and architectures of information systems accurately mediate and enforce security policy. Assurance is now a key element, according to NIST’s Ron Ross in an interview with Information Security Media Group. It’s also the first time that this publication includes privacy in its title.

McAfee’s soon-to-be-announced endpoint suite will provide a new level of assurance with real-time protection, management and, more importantly, results. Incorporating Intel hardware-assisted security through Deep Defender assures that systems are free of rootkits and blocks these kinds of APTs. Some may argue that this type of advanced protection would be hard to cost-justify, but having it included in our suite now offers an industry-changing route to stronger security. What used to be a nice-to-have can now be a key component in keeping things on track and secured. It’s been estimated that up to 5 hours could be spent per system re-imaging it after detection of a rootkit. Aren’t our time and resources better spent elsewhere than dealing with the aftermath of a preventable situation?

But it’s also important to prove that the right level of protection has been enabled and where you may have gaps. Today this has to be accessible within minutes. McAfee Risk Advisor’s global risk dashboard allows you to quickly drill down to get granular details of a threat and how it relates to the specific assets in your organization. It lets you know where additional controls might be needed to combat the current threats of concern and target activities that will make the most of your time combating security risks. Time is precious and we want to make it easier for you to get the security that will protect the systems and infrastructure so you can provide the privacy controls that are right for your business.

 -Kim Singletary
