Cybersecurity Policies & Procedures ICA April 2017
Q: Who is Responsible for Cybersecurity? Isn’t it just IT’s Problem?
Risk Responsibility: YOU!
Cyber risk is an imperative for everyone within the enterprise – but ultimate responsibility for overseeing risk rests with top leaders. YOU!

Managing Business Risk…
Boards & Top Managers should ask some basic questions:
- Do we demonstrate due diligence and effective management of cyber risk?
- Do we have the right leadership and organizational talent?
- Have we established an appropriate cyber risk escalation framework?

…Managing Risk
- What have we done to protect the company against third-party cyber risks?
- Can we rapidly contain damages and mobilize response resources when a cyber incident occurs?
- How do we evaluate the effectiveness of our company’s cyber risk program?
EVERY DEPARTMENT’s PROBLEM: Functions Most Likely to Be Affected by a Breach
- Operations 36%
- Finances 30%
- Brand Reputation 26%
- Customer Retention 26%
- Regulatory Scrutiny 19%
Source: Cisco 2017

Cyber Security & Employees
“Things have changed over the past few years…cyber criminals are now focusing increasingly on employees … as the weak link in the security chain” (Think HR)
- Not just Management
- Not just IT Department

NIST Cybersecurity Framework
When will we implement all the good ideas from the conference?
- When we have Time?
- When we can figure out How?
- When we can find someone to put it together?

Right Here…Right Now
NO MORE EXCUSES: Pull out your Pencils or Pens. Open the Portfolios. WE ARE GOING TO WORK!

Framework Core [one more time]
- IDENTIFY: What assets need protection?
- PROTECT: What safeguards are available?
- DETECT: What techniques can identify incidents?
- RESPOND: What techniques can contain impacts of incidents?
- RECOVER: What techniques can restore capabilities?
IDENTIFY – Asset Management
- Physical devices & systems are inventoried
- Software platforms & applications are inventoried
- Communication & data flows are mapped
- External info systems are catalogued
- Resources are prioritized based on classification, criticality & business value

IDENTIFY – Asset Management
- Roles & Responsibilities
“ETHICS POLICY”

IDENTIFY – Business Environment
- Role in supply chain is identified & communicated
- Place in critical infrastructure is identified & communicated
- Priorities for mission, objectives & activities are established and communicated
- Dependencies & critical functions for delivery of critical services are established
- Resilience requirements to support delivery of critical services are established

IDENTIFY – Governance
- Information security policy is established
- Information security roles & responsibilities are coordinated and aligned with internal roles & external partners
- Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
- Governance and risk management processes address cybersecurity risks

IDENTIFY – Risk Assessment
- Asset vulnerabilities are identified and documented
- Threat and vulnerability information is received from information sharing forums and sources
- Threats, both internal and external, are identified and documented
- Potential business impacts and likelihoods are identified
- Threats, vulnerabilities, likelihoods and impacts are used to determine risk
- Risk responses are identified & prioritized

IDENTIFY – Risk Management Strategy
- Risk management processes are established, managed and agreed to by organizational stakeholders
- Risk tolerance is determined and clearly expressed
- Determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis
PROTECT – Access Control
- Identities & credentials are managed for authorized devices and users
“PASSWORD PROTECTION POLICY”

PROTECT – Access Control
- Physical access to assets is managed and protected
“ACCEPTABLE USE POLICY”

PROTECT – Access Control
- Remote access is managed
- Access permissions are managed, incorporating the principles of least privilege and separation of duties
- Network integrity is protected, incorporating network segregation where appropriate

PROTECT – Awareness & Training
- All users are informed & trained
- Privileged users understand roles & responsibilities
- Third-party stakeholders [e.g. suppliers, customers, etc.] understand roles & responsibilities
- Senior executives understand roles & responsibilities

PROTECT – Data Security
- Data-at-rest is protected
- Data-in-transit is protected
- Assets are formally managed throughout removal, transfer and disposition
- Adequate capacity to ensure availability is maintained
- Protections against data leaks are implemented
- Integrity checking mechanisms are used to verify software, firmware and information integrity
- The development and testing environments are separate from the production environment

PROTECT – Information Protection Processes & Procedures
- A baseline configuration of information technology/industrial control systems is created and maintained
“E-MAIL POLICY”

PROTECT – Information Protection Processes & Procedures
- A System Development Life Cycle to manage systems is implemented
- Configuration change control processes are in place
- Backups of information are conducted, maintained and tested periodically
- Policy & regulations regarding the physical operating environment for organizational assets are met

PROTECT – Information Protection Processes & Procedures
- Data is destroyed according to policy
- Protection processes are continuously improved
- Effectiveness of protection technologies is shared with appropriate parties
- Response plans and recovery plans are in place and managed
- Response and recovery plans are tested

PROTECT – Information Protection Processes & Procedures
- Cybersecurity is included in human resources practices [e.g. deprovisioning, personnel screening]
“CLEAN DESK POLICY”

PROTECT – Information Protection Processes & Procedures
- A vulnerability management plan is developed and implemented

PROTECT – Maintenance
- Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
- Remote maintenance of organizational assets is approved, logged and performed in a manner that prevents unauthorized access
DETECT – Anomalies & Events
- A baseline of network operations and expected data flows for users and systems is established and managed
- Detected events are analyzed to understand attack targets and methods
- Event data are aggregated and correlated from multiple sources and sensors
- Impact of events is determined
- Incident alert thresholds are established

DETECT – Security Continuous Monitoring
- The network is monitored to detect potential cybersecurity events
- The physical environment is monitored to detect potential cybersecurity events
- Personnel activity is monitored to detect potential cybersecurity events
- Malicious code is detected

DETECT – Security Continuous Monitoring
- Unauthorized mobile code is detected
- External service provider activity is monitored to detect potential cybersecurity events
- Monitoring for unauthorized personnel, connections, devices and software is performed
- Vulnerability scans are performed

DETECT – Detection Process
- Roles & responsibilities for detection are well defined to ensure accountability
- Detection activities comply with all applicable requirements
- Detection processes are tested
- Event detection information is communicated to appropriate parties
- Detection processes are continuously improved
RESPOND – Response Planning
- Response plan is executed during or after an event
“SECURITY RESPONSE PLAN POLICY”

RESPOND – Communications
- Personnel know their roles and order of operations when a response is needed
- Events are reported consistent with established criteria
- Information is shared consistent with response plans
- Coordination with stakeholders occurs consistent with response plans
- Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

RESPOND – Analysis
- Notifications from detection systems are investigated
- The impact of the incident is understood
- Forensics are performed
- Incidents are categorized consistent with response plans

RESPOND – Mitigation
- Incidents are contained
- Incidents are mitigated
- Newly identified vulnerabilities are mitigated or documented as accepted risks

RESPOND – Improvements
- Response plans incorporate lessons learned
- Response strategies are updated

RECOVER – Recovery Planning
- Recovery plan is executed during or after an event
“DISASTER RECOVERY PLAN POLICY”

RECOVER – Improvements
- Recovery plans incorporate lessons learned
- Recovery strategies are updated

RECOVER – Communications
- Public relations are managed
- Reputation after an event is repaired
- Recovery activities are communicated to internal stakeholders and executive and management teams
Emergency Plan – What’s Your Plan????
Responsibility columns: Ops Eng | IT Dep | HR Dep
KEY: ‘P’ Perform Task [champion]; ‘A’ Assists with Task; ‘R’ Resource Support

PRE-EMERGENCY PREPARATION
- IT Data backup and protection (P)
- Generator Maintenance (R)

PREPARATION JUST BEFORE EVENT
- Verify backup & Protection of IT Data
- Verify protection of IT Network

RESPONSE DURING EVENT
- Monitor status of systems
- Manage EOC

RECOVERY AFTER EVENT
- Assess Network Damage & Status
- Initiate System Repair & Recovery
- Account for all Personnel (A)
We’ve Got A Good Start…
“Cyber risk concerns stretch well beyond IT and well beyond the walls of the enterprise – to every partner, to every customer, to every worker, and to every business process.” (Deloitte)

Sources
- Deloitte
- Cisco
- Think HR
- Unitel
- Network World
- US Telecom
- NIST
- SANS Institute

If you’d like to continue the conversation…
Judi Ushio, GVNW Consulting, Inc.
jushio@gvnw.com
719-594-5814