Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update. Rick Dakin, Security Strategist, September 18, 2007.


1 Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update. Rick Dakin, Security Strategist. September 18, 2007, v1.4

2 Agenda
- Risk and Threat Review
- CCSP Program Overview: Cyber Security Program Policies, Plans and Standards
- Risk Based Gap Analysis (RBGA) Program Process:
  - Inventory and System Characterization
  - Risk Assessment and Gap Analysis
  - Security Plans
  - Remediation and Gap Closure Plans
  - Test and Accredit Operations
- Questions and Open Discussion

3 Enterprise Security Program: Security Program Drivers
Critical drivers:
- More regulatory requirements
- Reduced tolerance for service disruption
- Increasing cyber threats

4 Compliance Trends: A Brief History of Regulatory Time (to the present)
- Computer Security Act of 1987
- EU Data Protection Directive
- HIPAA
- FDA 21 CFR Part 11
- Bill C-6 (Canada)
- GLBA
- COPPA
- USA PATRIOT Act (2001)
- EC Data Privacy Directive
- CLERP 9
- CAN-SPAM Act
- FISMA
- Sarbanes-Oxley (SOX)
- CIPA (2002)
- Basel II
- NERC 1200 (2003)
- CISP / Payment Card Industry (PCI)
- State privacy laws
- Privacy Act of 1974
- Foreign Corrupt Practices Act of 1977

5 CCSP Program Overview
HB was incorporated into Colorado Revised Statute part 4 in May. The legislation established the Colorado Information Security Act with the following provisions:
- Designate a Chief Information Security Officer (CISO)
- Develop the Colorado Cyber Security Program (CCSP)
- Publish Cyber Security Rules and associated policies
- Submit annual Agency Cyber Security Plans (ACSP)
- Include a Plan of Action and Milestones (POAM) with the ACSP (3-year phase-in period to achieve compliance with the CCSP)
- Implement a statewide Incident Response Program
- Enhance statewide security awareness and training
- Establish security evaluation and reporting to enforce the program

6 Security Policies & Rule Review
- Emergency Rule adopted December 20, 2006
- Hearing conducted on January 5, 2007
- Final Rule becomes effective early March 2007
Policies:
- Organizational policies: Cyber Security Planning; Incident Response; Information Risk Management; Vendor Management; Self Assessment; Security Training and Awareness; Security Metrics and Measurement; System Access and Acceptable Use; Online Privacy
- Operational policies: Data Classification and Disposal; Mobile Computing; Wireless Security; Network Operations; System and Application Security; Access Control; Change Control; Physical Security; Personnel Security; Disaster Recovery

7 Risk Based Gap Analysis (RBGA) Program
The RBGA program was intended to coordinate agency security planning and provide "expert" resources to jump-start the planning process. The process included:
- Provide orientation to agencies on the new CCSP and policies
- Identify major systems and rate their criticality
- Review current security programs and existing policies, procedures and plans
- Facilitate an agency Risk Based Gap Analysis (RBGA) for major systems
- Facilitate development of DRAFT Agency Cyber Security Plans (ACSP) with an integrated Plan of Action and Milestones (POAM)
- Support development of an executive briefing to align new Executive Directors to the risks within agency systems, and the plans to mitigate those risks, before submittal

8 Security Planning Process (diagram). Developed by the National Institute of Standards and Technology.

9 Risk Management Process
NIST SP is an industry "best practice" referenced by the FFIEC to guide our risk assessment:
1. Inventory and Characterize Systems
2. Threat Identification
3. Vulnerability Assessment
4. Likelihood Determination
5. Impact Analysis
6. Recommend Risk Controls

10 The Ingredients of an Attack
Threat + Motive + Method + Vulnerability = ATTACK!
Diagram: malicious and non-malicious threats (including natural disasters), each with motives and goals and with methods and tools, act on assets through vulnerabilities; security controls and policies sit between them and the assets.
- Good security controls can stop certain attacks
- Poor security policies could let an attack through
- No security policies or controls could be disastrous

11 Systems Characterization
- What do you do? Mission-critical processes; key stakeholders; map processes
- How important are those functions? Criticality rating (FIPS 199); priority for risk analysis and deployment of controls
- What systems are used? Systems inventory (applications, host platforms); service providers; diagrams

12 Threat Identification
- Human: terrorist; hacker; disgruntled employee; vendors; untrained staff
- Non-human: acts of nature; fire; power failures; contamination; configuration errors; systems obsolescence

13 Vulnerability Assessment
- What systems and processes are used to support critical operations? Servers; software; network connectivity; user access; standard processes
- What vulnerabilities could be exploited? Patch levels; unnecessary services; security architecture; monitoring and reporting; access controls; user behavior

14 Risk Analysis
Risk matrix: likelihood (low to high) on one axis and severity (low to high) on the other; the cells are rated Low Risk, Medium Risk and High Risk.

15 Sample Risk Assessment (risk / hazard, controls deployed today, recommended remediation)

Risk: Security oversight may not identify and prioritize risk mitigation
  Controls deployed: IT Steering Committee
  Recommended remediation: dedicate an Information Security Officer (ISO) to oversee development of the security program; formally establish an IT security committee with specific duties

Risk: IT security policy gaps fail to guide staff behavior
  Controls deployed: only limited, informal security policies
  Recommended remediation: develop a complete set of policies according to best practices; have the policies approved by IT Steering; train staff

Risk: Business continuity and disaster recovery plans are not adequate
  Controls deployed: some system hardening and limited recovery plans or facilities are in place today
  Recommended remediation: develop a BCP/disaster recovery plan; deploy redundant facilities; train staff; update and test annually

Risk: Physical security does not protect critical systems
  Controls deployed: physical security is limited to the data rooms only
  Recommended remediation: develop and deploy a comprehensive physical security policy and plan covering facility access, the data center, access to network wiring infrastructure, and media

Risk: Unauthorized access to data
  Controls deployed: weak passwords; shared accounts; limited access-granting process
  Recommended remediation: upgrade access controls: a formal access-granting process, unique user IDs, strong passwords (complexity)
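The Systems Characterization, Risk Analysis and Sample Risk Assessment slides describe one procedure: rate each system's criticality with FIPS 199, rate each gap's likelihood, combine them in a likelihood-by-severity matrix, and feed the result into a prioritized POAM. The script below is an added worked example of that procedure, not code from the presentation or from the Colorado program. The FIPS 199 high-water-mark rule and the 3x3 matrix are the techniques the slides cite; the system inventory, gap descriptions and the score-to-band thresholds are constructed assumptions for illustration.

```python
# Added example (not from the slides): FIPS 199 categorization, a
# likelihood x impact risk rating, and a prioritized POAM built from a
# system inventory. The inventory and gap entries are constructed sample
# data; the score thresholds used for the risk bands are an assumption.
from dataclasses import dataclass, field
from typing import List

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Gap:
    """One finding from the vulnerability assessment: what is wrong,
    how likely a threat is to exploit it, and what control exists today."""
    description: str
    likelihood: str            # low / moderate / high
    control_in_place: str = "none"


@dataclass
class System:
    """Inventory entry with FIPS 199 impact levels for C, I and A."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    gaps: List[Gap] = field(default_factory=list)


def fips199_category(system: System) -> str:
    """FIPS 199 high-water mark: the system's security category is the
    highest impact level across confidentiality, integrity and availability."""
    worst = max(LEVELS[system.confidentiality],
                LEVELS[system.integrity],
                LEVELS[system.availability])
    return NAMES[worst]


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric cell of the 3x3 likelihood x severity matrix (1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_rating(likelihood: str, impact: str) -> str:
    """Bin the matrix cell into the slide's Low / Medium / High Risk bands.
    Thresholds (>= 6 high, >= 3 medium) are an assumption for illustration."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_poam(inventory: List[System]) -> List[dict]:
    """Turn every gap into a POAM entry and order the entries by risk so the
    highest-risk gaps on the most critical systems are remediated first.
    The impact used for each gap is the owning system's FIPS 199 category."""
    entries = []
    for system in inventory:
        impact = fips199_category(system)
        for gap in system.gaps:
            entries.append({
                "system": system.name,
                "category": impact,
                "gap": gap.description,
                "control_in_place": gap.control_in_place,
                "likelihood": gap.likelihood,
                "score": risk_score(gap.likelihood, impact),
                "risk": risk_rating(gap.likelihood, impact),
            })
    # Highest score first; ties broken by system name and gap text so the
    # ordering is stable and reviewable in an executive briefing.
    entries.sort(key=lambda e: (-e["score"], e["system"], e["gap"]))
    for rank, entry in enumerate(entries, start=1):
        entry["priority"] = rank
    return entries


# Constructed sample inventory (system names, ratings and gaps are made up).
INVENTORY = [
    System("Benefits Eligibility", "high", "moderate", "moderate", [
        Gap("Shared administrator accounts", "high", "IT steering committee review"),
        Gap("No tested disaster recovery plan", "moderate", "limited recovery plans"),
    ]),
    System("Public Web Calendar", "low", "low", "moderate", [
        Gap("Unpatched web server", "high"),
    ]),
    System("Fleet Mileage Log", "low", "low", "low", [
        Gap("Weak password policy", "moderate"),
    ]),
]

if __name__ == "__main__":
    for e in build_poam(INVENTORY):
        print(f'{e["priority"]}. [{e["risk"]:6}] {e["system"]} ({e["category"]}): '
              f'{e["gap"]} (likelihood {e["likelihood"]}, today: {e["control_in_place"]})')
```

Note that the high-water mark is deliberately conservative: a system with only one high-impact objective is treated as high overall, so a gap on it outranks the same gap on a low-criticality system even when both gaps are equally likely to be exploited. That is what pushes the unpatched public calendar below the shared administrator accounts on the benefits system in the sample output.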

16 Point Solutions: Firewalls; Vulnerability Assessment; Intrusion Detection; Access Controls

17 Unified Security Programs
- Regulatory drivers: PCI, SOX, HIPAA, GLBA, ISO, privacy laws
- Unified IT controls that satisfy them: Hosting; Penetration Testing; Firewall; Virus Protection; Code Review; Security Architecture Design; Security Documentation; Access Controls; Training; Security Policy; NIDS/HIDS

18 Measure Control Effectiveness
CoBIT metrics:
- Control design adequacy: controls designed and selected; controls documented (policies, procedures, inventories, diagrams); formal accountability assigned
- Control effectiveness: controls deployed with REPEATABLE processes; oversight provided (control effectiveness reports, IT oversight, evidence or work papers from internal or external reports / meeting minutes); program adjustment after justification (steering committee review and recommendations, etc.)
NIST metrics:
- Level 1: control objective documented in a security policy
- Level 2: security controls documented as procedures
- Level 3: procedures have been implemented
- Level 4: procedures and security controls are tested and reviewed
- Level 5: procedures and security controls are fully integrated into a comprehensive program

19 Security Plans
Leverage NIST SP 800-100 and SP
- Organization mission
- Summary of environment
- Roles and responsibilities
- Summary of risks
- Selection of controls
- Deployment and training
- Test and audit of control effectiveness
- Accredit systems operations
- Process to enhance plans

20 Plan of Action and Milestones (POAM)
Goal: each risk assessment will identify gaps in current security plans that should be remediated by priority.
Timeline (Nov 07 through Jul 08): Risk Assessment, Draft Security Plan, Update Policies, Remediate Gaps, Document and Train, Executive Briefing, Update Security Plans, Test and Accredit System
Milestone markers: Nov 07, Dec 07, Jan 08, Feb 08, Mar 08, Jul 08

21 Lessons Learned
- New processes take time ... start early
- New security planning processes require training, even with seasoned IT professionals
- It takes time and resources to deploy and manage controls; get key executives involved early to start planning the budget impact
- "Why does it cost so much to protect systems that don't cost very much?"
- Even with a great security plan, you may still get compromised. Have an IR plan.

22 Open Discussion
- Questions
- Feedback
- Next steps: "What can you do?" Form a security oversight team; launch a program with a risk assessment first