
It’s Midnight…. do you know where your Federal Safeguards are?


2 It’s Midnight…. do you know where your Federal Safeguards are?
image courtesy Brendan Loy

3 It’s Midnight on May 11, 2017… do you know where your safeguards were?

4 What is Cybersecurity? The Department of Homeland Security (DHS) defines cybersecurity as “the protection of computers and computer systems against unauthorized attacks or intrusion.”

5 It’s Midnight…do you know where your Federal Safeguards are?
Moderator: Richard Stump, AIA; Vice President, Stanley Consultants
Speakers:
Robert E. Jones, CPCM, Fellow; Left Brain Professionals
Terry O’Connor, Partner; Berenzweig Leonard, LLP

6 Topics of Coverage
A Brief Introduction – Safeguarding Data Today
Awareness
Considerations for AECs, Small and Large
Proactive Management Resolution
The Value Proposition – Why Do It?
Discussion and Takeaways

7 A Brief Introduction – Safeguarding Data Today
Password Tools: LastPass, KeePass, Onelogin, ManageEngine, SplashID

8 DoD Cybersecurity Clauses: FAR and DFARS
DFARS – Safeguarding Covered Defense Information (CDI)
DFARS – Safeguarding CDI and Cyber Incident Reporting
NIST SP – Protecting Controlled Unclassified Information

9 What is the purpose of DFARS 252.204-7012?
The DFARS clause was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cybersecurity clauses and contract language by the various entities across DoD.
Source: 27 Jan 17 FAQ, DFARS Case 2013-D018

10 What is the purpose of DFARS 252.204-7012?
Safeguard unclassified DoD information on contractor information storage systems
Minimize the consequences of a cyber incident
Provide a single DoD-wide approach

11 NIST SP – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
14 Requirement Families (1–6):
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response

12 NIST SP – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
14 Requirement Families (7–14):
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity

13 Contractor Compliance
Large businesses struggle.
The time and financial commitment can appear overwhelming.
How do small businesses have a chance?

14 Awareness
Considerations for AECs, Small and Large
Proactive Management Resolution
The Value Proposition – Why Do It?

15 Awareness
Cyber Awareness Month is in October. The government expects you to be aware (and compliant with its clauses) all year long.

16 Positive Share

17 Safety Check

18 What to Protect?
Corporate networks
Cloud storage (Dropbox, Office 365)
Social media
Online accounts (banks, utilities, etc.)
Mobile devices
IoT (phones, printers, other devices)

19 Physical Security
Control access to the building.
Limit access to servers and systems.
Visitor policy.
Requirements:
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices.

20 Update & Virus Protection
Update the OS and programs regularly.
Invest in quality virus protection.
Auto-update the program and its definitions.
Requirements:
Provide protection from malicious code at appropriate locations within organizational information systems.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

21 Virus Tools: Avast, McAfee, AVG, Eset, MalwareBytes

22 Password Management
Strong passwords are critical!
Weak examples: California, California2017
Secret Q&A does not have to be real – only YOU need to know the answer.
Requirements:
Verify and control/limit connections to and use of external information systems.
Identify information system users, processes acting on behalf of users, or devices.

23 Password Tools: LastPass, KeePass, Onelogin, ManageEngine, SplashID

24 Password Tools – How Secure Is My Password?
California – instantly
California2017 – 10 million years
… – 6 years
… – 204 million years

25 Wi-Fi and Bluetooth
Keep them off until needed.
Use a separate guest network.
Requirements:
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

26 Wi-Fi Tools: SecureLine VPN, PureVPN

27 Mobile Devices
Use a passcode/PIN for encryption.
Have a method to remote wipe.

28 Mobile Tools: Avast Mobile, Avira, Lookout

29 Keep separate accounts.
Use a professional domain for work.

30 Tools
Set up multi-factor authentication on every account.

31 Cloud Storage
Use separate storage for work and personal. Don’t cross-contaminate!

32 Cloud Tools: Dropbox, Google Drive, Box, iCloud, Carbonite

33 Encryption
Look for “https” in website addresses.

34 Encryption Tools: SertintyOne

35 Multi-Factor Authentication
User name
Password
Another item: text code, digital certificate, one-time password, biometric
Requirement:
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

36 Multi-Factor Tools: Windows Authenticator, Google Authenticator, IdenTrust, RSA SecurID

37 Awareness
Considerations for AECs, Small and Large
Proactive Management Resolution
The Value Proposition – Why Do It?

39 Considerations for Business
Prime AEC Contracts with Federal Agencies
Subcontracts
Joint Venture Partners
Host Nation Partners and Subconsultants

40 Prime Contract Considerations
Clause Compliance: 31 Dec 17 – compliance required for DFARS
Notification to the DoD CIO within 30 days of award
Flowdown of clauses
CDI Identification and Management

41 Subcontractor Considerations
Clause Compliance
Conformance to Prime AE cybersecurity requirements
Need to report your compliance, post-award
Costs of compliance vs. benefits of subcontract

42 Joint Venture Considerations
Clause Compliance for all parties
All Parties’ Cybersecurity Conformance
Incident Management and Reporting
Location and Management of Data

43 Meeting the 31 Dec 17 Deadline – DFARS 252.204-7012
Costs and time for compliance vary.
Larger contractor, greater compliance requirement.
Upfront costs and recurring costs.
Smaller firms benefit from a smaller footprint.
Many firms will not be fully compliant by Dec 2017.
If you haven’t yet started… you still need to comply!

44 Awareness
Considerations for AECs, Small and Large
Proactive Management Resolution
The Value Proposition – Why Do It?

45 Explaining the Basic Safeguards
The FAR requires 15 controls at a minimum on covered contractor information systems.

46 Definitions
Covered contractor information systems
Federal contract information
Information
Information system

47 Definitions The 15 requirements are requirements that “most prudent businesses already follow.”

48 Access Controls
Limit access:
To authorized users
To the transactions/functions authorized users can execute

49 Access Controls
Control:
Use of external information systems
Posting of information on publicly accessible information systems

50 Identification and Authentication
Identify users and authenticate their identity before letting them use the information system.

51 Media Protection
Destroy media before disposal.

52 Physical Protection
Limit physical access: escorts, sign-in logs, door-openers.

53 Systems and Communications Protection
Boundary protections
Subnetworks

54 System and Information Integrity
Timely report and fix flaws.
Protect against malicious code and install update protections.
Scan the system periodically and scan downloads in real time.

55 Systems and Communications Protection
Boundary protections
Subnetworks

56 Awareness
Considerations for AECs, Small and Large
Proactive Management Resolution
The Value Proposition – Why Do It?

57 Value Proposition Slide by Robert

58 Value Proposition Slide by Rich

59 Value Proposition Slide by Terry

60 A Little Bit of Conversation
Questions, Comments and Answers

61 It’s Midnight…. do you know where your Federal Safeguards are?
image courtesy Brendan Loy

62 Your Best Way Forward
Takeaway 1
Takeaway 2
Takeaway 3
Takeaway 4

63 Contact Information
Robert E. Jones: (614) 556-4415, Robert@leftbrainpro.com
Richard Stump: (808) …
Terry O’Connor: …
Additional number shown on slide: 703.760.0402
