Designing a Cybersecurity Program Based on the NIST Cybersecurity Framework

When:  Apr 22, 2020 from 9:00 AM to 10:30 AM (ET)
Zoom Meeting Presented by: Larry Wilson, CISA, CISSP

*Zoom information to be emailed prior to session - 1.5 CPE Credits will be awarded for participation in this session*

Bio: Larry Wilson is the former Chief Information Security Officer for the University of Massachusetts President's Office. In this role, Larry was responsible for developing, implementing and overseeing compliance with the UMASS Information Security Policy and Written Information Security Plan (WISP). He currently operates a cybersecurity consulting practice (

In addition to designing a cybersecurity program for the University, Larry has developed and delivered cybersecurity training at multiple industry events, workshops, training venues, etc. This includes his role as Adjunct Faculty at the University of Massachusetts in the Computer Science Department. Courses include Designing and Building a Cybersecurity Program, The NIST Cybersecurity Framework Foundations and Practitioners courses, NIST 800-171, the CIS Controls, etc. He is currently developing a class on Secure Software Development.

Larry also provides consulting services to mid-sized and large enterprises. The consulting focuses mainly on designing and building cybersecurity programs based on the NIST Cybersecurity Framework, the CIS Critical Security Controls, NIST 800-53 Security and Privacy Controls, and NIST 800-171 Security Requirements.

Abstract: This talk focuses on industry frameworks and best practices for building a comprehensive cybersecurity program to protect critical infrastructure. It includes a very relevant case study, the current healthcare crisis (the Covid-19 Pandemic), to show how to apply these same fundamental principles to any emerging Business / Risk Management scenario.

The talk focuses on three main areas:

• Business / Risk Management: How organizations use the NIST Risk Management Framework and NIST Cybersecurity Framework to build and report on a Cybersecurity Risk Management Program. Deliverables include a Cybersecurity Strategy, Cybersecurity Policies, and Cybersecurity Risk Report.

• Cybersecurity Engineering / Design: How organizations use the DHS Continuous Diagnostics and Mitigation Architecture (Volume 1) and Continuous Diagnostics and Mitigation Technical Capabilities (Volume 2) to build and report on a Cybersecurity Engineering Program. Deliverables include a Cybersecurity Architecture, Cybersecurity Workloads, and a Cybersecurity Dashboard.

• Cybersecurity Industry Standards / Operations: How organizations use Security and Privacy Controls for secure and resilient infrastructure based on industry best practices. The focus is on NIST 800-53, CIS Critical Controls, ISO 27002 Code of Practice, etc. Deliverables include a System Security Plan, a Cyber Risk Assessment and a Plan of Action and Milestones (POA&M).

In addition, a case study looking at managing the Covid-19 Healthcare Crisis:

• Case Study: Covid-19 Pandemic Crisis Management: How the government (federal and state) could apply a cybersecurity best-practices approach (risk management, engineering / design, controls standards / operations) to the Covid-19 Pandemic. The focus is on evaluating the principles and practices that are currently in place (based on task force briefings, news shows, government guidelines, etc.) against the current Cybersecurity Program approach. Would the approach we have been using to develop an enterprise cybersecurity program apply to (and improve) the approach governments / businesses are using to manage a global healthcare crisis?

At the conclusion of the talk, attendees will have an understanding of the key frameworks and outcomes that organizations should follow in developing a comprehensive / standards-based cybersecurity program to protect critical infrastructure. They will also understand how the government (both federal and state) uses many of the same principles in preparing for and responding to an emerging business / risk management scenario, such as the Covid-19 Healthcare crisis.



Dial-in Instructions:
Zoom information will be emailed to each registrant prior to the meeting.