USAID/Peru Risk Assessment In-Briefing February 19, 1999 PRIME Principal Resource for Information Management Enterprise-wide USAID

Team Introduction USAID ISSO - Jim Craft Risk Assessment Program Manager - Rod Murphy Consulting Manager, Information Technology - John Zobel Senior Computer Scientist - Mike Reiter UNIX Team Lead - Steve Bui

Purpose Determine which information is critical to the organization A Risk Assessment allows one to: Determine which information is critical to the organization Identify the systems that process, store, or transmit that critical information Identify potential vulnerabilities Recommend solutions to mitigate or eliminate those vulnerabilities

Determine the Scope Identify the boundaries of the system(s) being evaluated Cisco Routers Servers Workstations Communication Lines Identify the level of detail expected from the Assessment Compliance with Agency/Mission requirements Compliance with best practices PRIME Principal Resource for Information Management Enterprise-wide USAID

Pre-Assessment Activity Collected and Analyzed Mission Data Asset Information (Hardware/Software/Financial) Automated Survey Questionnaires 51 surveys sent out 22 responses received 34 potential vulnerabilities identified Conducted an Automated Network Scan using HYDRA Identified 8 major and 17 minor vulnerabilities Developed and forwarded an Immediate Needs Report to TCO and Mission staff for action Conducted a follow-up HYDRA scan to confirm Mission Configuration changes PRIME Principal Resource for Information Management Enterprise-wide USAID

On-site Activities Friday: Receive a Mission Threat Briefing Coordinate Assessment Logistics A room for the Assessment team to work out of A room scheduled for conducting training (Wed) A room for in-briefing and out-briefing Interviews scheduled for Mon and Tue, if necessary Schedule meeting with Functional Management on Tues. Schedule all staff training for Wed. (one hour sessions) Schedule meeting with Security Plan and Contingency Planning staff. (Wed) List of mission phones number ranges for scan PRIME Principal Resource for Information Management Enterprise-wide USAID

On-Site Activities (continued) Conduct a Physical Review of the Mission Facility Meet with System Administrators Establish System Ids as needed Conduct UNIX review Conduct Banyan review Review NT Security Monday: Conduct staff interviews Additional System (UNIX,Banyan,NT, Cisco) reviews Conduct an after-hours modem scan PRIME Principal Resource for Information Management Enterprise-wide USAID

On-Site Activities (continued) Tuesday: Conduct additional interviews as needed Meet with Functional Mission Management to discuss: Connectivity/Business needs Mission impact with regards to Agency requirements Roles and Responsibilities associated with policies Wednesday: Conduct Mission staff training Assist in the development of Mission Security Plan and Contingency Plan PRIME Principal Resource for Information Management Enterprise-wide USAID

On-Site Activities (continued) Conduct any activities needed to wrap-up assessment. Analyze information gathered from pre-assessment and on-site assessment activities. Develop “Draft” Assessment Executive Summary Report. Develop Out-Briefing Present Out-Briefing to Mission Management/Staff PRIME Principal Resource for Information Management Enterprise-wide USAID

Expected Outcome What the Assessment Team expects to Accomplish: Identify areas of concern Provide recommendations that will enable management to make decisions associated with risks Assist in the development of a Mission Security Plan Assist in the development of a Mission Contingency Plan Provide an annual Security refresher Training class to all Mission personnel Develop a standardized approach to conducting Mission Risk Assessments Identify Mission Concerns associated with UNIX, Banyan, NT, Cisco configuration checklists Identify and address specific Mission concerns PRIME Principal Resource for Information Management Enterprise-wide USAID

Additional Activities Being Conducted at Each Mission Assist in the development of a Mission System Security Plan Provide a template for developing a Mission Contingency Plan Provide on-site training General User System Administrator System Managers/Executive Officers Address any additional concerns PRIME Principal Resource for Information Management Enterprise-wide USAID