
Slide 1: Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update
Rick Dakin, Security Strategist
September 18, 2007, V 1.4

Slide 2: Agenda
- Risk and Threat Review
- CCSP Program Overview: Cyber Security Program Policies, Plans and Standards
- Risk Based Gap Analysis (RBGA) Program Process:
  - Inventory and System Characterization
  - Risk Assessment and Gap Analysis
  - Security Plans
  - Remediation and Gap Closure Plans
  - Test and Accredit Operations
- Questions and Open Discussion

Slide 3: Enterprise Security Program - Security Program Drivers
Critical drivers:
- More regulatory requirements
- Reduced tolerance for service disruption
- Increasing cyber threats

Slide 4: Compliance Trends - A Brief History of Regulatory Time
Timeline periods: 1970-1980, 1980-1990, 1990-2000, 2000-Present.
Regulations shown on the timeline (in the order they appear on the slide):
- Computer Security Act of 1987
- EU Data Protection
- HIPAA
- FDA 21 CFR Part 11
- C6-Canada
- GLBA
- COPPA
- USA Patriot Act 2001
- EC Data Privacy Directive
- CLERP 9
- CAN-SPAM Act
- FISMA
- Sarbanes Oxley (SOX)
- CIPA 2002
- Basel II
- NERC 1200 (2003)
- CISP
- Payment Card Industry (PCI)
- State Privacy Laws
- Privacy Act of 1974
- Foreign Corrupt Practices Act of 1977

Slide 5: CCSP Program Overview
HB 06-1157 was incorporated into Colorado Revised Statute 24-37.5 part 4 in May 2006. The legislation established the Colorado Information Security Act with the following provisions:
- Designate a Chief Information Security Officer (CISO)
- Develop the Colorado Cyber Security Program (CCSP)
- Publish Cyber Security Rules and associated policies
- Submit annual Agency Cyber Security Plans (ACSP)
- Include a Plan of Action and Milestones (POAM) with the ACSP (3 year phase-in period to achieve compliance with the CCSP)
- Implement a statewide Incident Response Program
- Enhance statewide security awareness and training
- Establish security evaluation and reporting to enforce the program
(Slide annotation: RBGA draft versions feed the ACSP and POAM items.)

Slide 6: Security Policies & Rule Review
- Emergency Rule adopted December 20, 2006
- Hearing conducted on January 5, 2007
- Final Rule becomes effective early March, 2007
19 Policies:
Organizational policies:
- Cyber Security Planning
- Incident Response
- Information Risk Management
- Vendor Management
- Self Assessment
- Security Training and Awareness
- Security Metrics and Measurement
- System Access and Acceptable Use
- Online Privacy
Operational policies:
- Data Classification and Disposal
- Mobile Computing
- Wireless Security
- Network Operations
- System and Application Security
- Access Control
- Change Control
- Physical Security
- Personnel Security
- Disaster Recovery

Slide 7: Risk Based Gap Analysis (RBGA) Program
The RBGA program was intended to coordinate agency security planning and provide "expert" resources to jump start the planning process. The process included:
- Provide orientation to agencies on the new CCSP and policies
- Identify major systems and rate criticality
- Review current security programs and existing policies, procedures and plans
- Facilitate agency Risk Based Gap Analysis (RBGA) for major systems
- Facilitate development of DRAFT Agency Cyber Security Plans (ACSP) with an integrated Plan of Action and Milestones (POAM)
- Support development of an executive briefing to align new Executive Directors to the risks within agency systems and the plans to mitigate those risks before submittal

Slide 8: Security Planning Process
(Diagram of the security planning process, developed by the National Institute of Standards and Technology.)

Slide 9: Risk Management Process
NIST SP 800-30 is an industry "best practice" referenced by the FFIEC to guide our risk assessment.
1. Inventory and Characterize Systems
2. Threat Identification
3. Vulnerability Assessment
4. Likelihood Determination
5. Impact Analysis
6. Recommend Risk Controls

Slide 10: The Ingredients of an Attack
Threat + Motive + Method + Vulnerability = ATTACK!
(Diagram: three threat sources, Malicious Threats with their Motives and Goals, Non-Malicious Threats, and Natural Disasters, each with Methods and Tools, act on Vulnerabilities, which Security Controls & Policies stand between and the ASSETS.)
- Good security controls can stop certain attacks
- Poor security policies could let an attack through
- No security policies or controls could be disastrous

Slide 11: Systems Characterization
- What do you do?
  - Mission critical processes
  - Key stakeholders
  - Map processes
- How important are those functions?
  - Criticality rating (FIPS 199)
  - Priority for risk analysis and deployment of controls
- What systems are used?
  - Systems inventory (applications, host platforms)
  - Service providers
  - Diagrams

Slide 12: Threat Identification
Human:
- Terrorist
- Hacker
- Disgruntled employee
- Vendors
- Untrained staff
Non-Human:
- Acts of nature
- Fire
- Power failures
- Contamination
- Configuration errors
- Systems obsolescence

Slide 13: Vulnerability Assessment
- What systems and processes are used to support critical operations?
  - Servers
  - Software
  - Network connectivity
  - User access
  - Standard processes
- What vulnerabilities could be exploited?
  - Patch levels
  - Unnecessary services
  - Security architecture
  - Monitoring and reporting
  - Access controls
  - User behavior

Slide 14: Risk Analysis
(Matrix: SEVERITY on one axis and LIKELIHOOD on the other, each running from LOW to HIGH. Low severity and low likelihood yield LOW RISK, high severity with high likelihood yields HIGH RISK, and the cells between yield MEDIUM RISK.)

Slide 15: Sample Risk Assessment
Columns: Risks / Hazards | Controls Deployed | Recommended Remediation

Risk: Security oversight may not identify and prioritize risk mitigation
Controls deployed: IT Steering Committee
Recommended remediation:
- Dedicate an Information Security Officer (ISO) to oversee development of the security program
- Formally establish an IT security committee with specific duties

Risk: IT security policy gaps fail to guide staff behavior
Controls deployed: Only limited informal security policies
Recommended remediation:
- A complete set of policies should be developed according to best practices
- Policies approved by IT Steering
- Staff trained

Risk: Business Continuity & Disaster Recovery plans are not adequate
Controls deployed: Some system hardening and limited recovery plans or facilities are in place today
Recommended remediation:
- A BCP/disaster recovery plan will have to be developed
- Deploy redundant facilities
- Train staff
- Update and test annually

Risk: Physical security does not protect critical systems
Controls deployed: Physical security is limited only to the data rooms
Recommended remediation:
- Develop and deploy a comprehensive physical security policy and plan for facility access, data center, access to network wiring infrastructure, and media

Risk: Unauthorized access to data
Controls deployed: Weak passwords; shared accounts; limited access granting process
Recommended remediation:
- Upgrade access controls: access granting process, unique user ID, strong passwords (complexity)
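The risk management steps of slide 9, the likelihood-by-severity matrix of slide 14 and the sample register of slide 15 combine into a small gap-analysis routine. The block below is an added example written for this transcript, not the presenter's or the State of Colorado's tooling: it scores each register entry with the qualitative likelihood x impact matrix from NIST SP 800-30 (2002), with the 0.1/0.5/1.0 likelihood weights scaled by ten so every score is an exact integer, treats any control whose NIST metrics level (slide 18) is below an assumed target of level 4 as a gap, and orders the gaps for the POAM. The sample register, the likelihood, impact and maturity ratings assigned to the slide's rows, and the extra already-mature firewall row are all constructed for the example.

```python
"""Risk-based gap analysis helper: scores each register entry with the
NIST SP 800-30 (2002) qualitative likelihood x impact matrix, flags a gap
wherever the deployed control sits below a target maturity level, and orders
the gaps into a Plan of Action and Milestones (POAM) by priority.
Added example for the CCSP slide transcript, not code from the presentation."""
from dataclasses import dataclass

# SP 800-30 weights are likelihood 0.1/0.5/1.0 and impact 10/50/100.
# Likelihood is scaled by 10 here so every score stays an exact integer.
LIKELIHOOD = {"Low": 1, "Medium": 5, "High": 10}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

# Assumption: NIST metrics level 4 ("procedures and security controls are
# tested and reviewed") is the target the agency plans toward; anything
# below it is a gap for the POAM.
TARGET_MATURITY = 4


@dataclass
class RiskItem:
    risk: str                # risk / hazard statement
    likelihood: str          # Low / Medium / High
    impact: str              # Low / Medium / High (the slide's "severity")
    controls_deployed: str
    maturity: int            # NIST metrics level 1..5 of the deployed control
    remediation: str


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the SP 800-30 scale: 1 (Low/Low) to 100 (High/High)."""
    try:
        return LIKELIHOOD[likelihood] * IMPACT[impact] // 10
    except KeyError as exc:
        raise ValueError(f"rating must be Low, Medium or High, got {exc}") from None


def risk_level(score: int) -> str:
    """SP 800-30 risk scale: High above 50, Medium above 10, Low otherwise."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_poam(register, target=TARGET_MATURITY):
    """Return the gap entries ordered for the POAM: highest risk first, least
    mature control first among equal risks, then alphabetically by risk."""
    for item in register:
        if not 1 <= item.maturity <= 5:
            raise ValueError(f"maturity level out of range: {item.maturity}")
    gaps = [item for item in register if item.maturity < target]
    gaps.sort(key=lambda it: (-risk_score(it.likelihood, it.impact),
                              it.maturity, it.risk))
    plan = []
    for priority, item in enumerate(gaps, start=1):
        score = risk_score(item.likelihood, item.impact)
        plan.append({"priority": priority, "risk": item.risk, "score": score,
                     "level": risk_level(score), "maturity": item.maturity,
                     "target": target, "remediation": item.remediation})
    return plan


# Constructed sample register: the five rows of the slide's sample risk
# assessment plus one already-mature control. The likelihood, impact and
# maturity ratings are assumptions made for this example.
SAMPLE_REGISTER = [
    RiskItem("Security oversight may not identify and prioritize risk mitigation",
             "Medium", "High", "IT Steering Committee", 2,
             "Dedicate an ISO; formally establish an IT security committee"),
    RiskItem("IT security policy gaps fail to guide staff behavior",
             "High", "Medium", "Only limited informal security policies", 1,
             "Develop a complete policy set; approve via IT Steering; train staff"),
    RiskItem("Business continuity and disaster recovery plans are not adequate",
             "Low", "High", "Some hardening and limited recovery plans", 2,
             "Develop BCP/DR plan; deploy redundant facilities; test annually"),
    RiskItem("Physical security does not protect critical systems",
             "Medium", "Medium", "Physical security limited to the data rooms", 2,
             "Deploy a comprehensive physical security policy and plan"),
    RiskItem("Unauthorized access to data",
             "High", "High", "Weak passwords, shared accounts", 2,
             "Unique user IDs, strong passwords, formal access granting process"),
    RiskItem("Perimeter not filtered",
             "High", "High", "Firewall with documented, audited rule base", 4,
             "None: control already at target maturity"),
]


def main():
    # Print the prioritized POAM, one gap per line.
    for entry in build_poam(SAMPLE_REGISTER):
        print(f'{entry["priority"]}. [{entry["level"]:6} {entry["score"]:3}] '
              f'L{entry["maturity"]}->L{entry["target"]} {entry["risk"]}')


if __name__ == "__main__":
    main()
```

Running the block lists the five gaps with "Unauthorized access to data" first (High, score 100) and the BC/DR row last (Low, score 10); the firewall row never appears because its control already meets the target level. Ties at the same score are broken by the lower maturity level, which is why the policy gap at level 1 outranks the oversight gap at level 2.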

Slide 16: Point Solutions
- Firewalls
- Vulnerability Assessment
- Intrusion Detection
- Access Controls

Slide 17: Unified Security Programs
(Diagram: regulatory sources PCI, SOX, HIPAA, GLBA, ISO-17799 and Privacy Laws feed one set of Unified IT Controls, which is delivered through the control areas below.)
- Hosting
- Penetration Testing
- Firewall
- Virus Protection
- Code Review
- Security Architecture Design
- Security Documentation
- Access Controls
- Training
- Security Policy
- NIDS/HIDS

Slide 18: Measure Control Effectiveness
CoBIT metrics (scale of 1 to 5, from control design adequacy toward control effectiveness):
1. Controls designed and selected
2. Control deployed with REPEATABLE processes
3. Controls documented: policies, procedures, inventories, diagrams
4. Oversight provided: control effectiveness reports, IT oversight, evidence or work papers from internal or external reports / meeting minutes, formal accountability assigned
5. Program adjustment after justification: steering committee review and recommendations, etc.
NIST metrics:
- Level 1: control objective documented in a security policy
- Level 2: security controls documented as procedures
- Level 3: procedures have been implemented
- Level 4: procedures and security controls are tested and reviewed
- Level 5: procedures and security controls are fully integrated into a comprehensive program

Slide 19: Security Plans
Leverage NIST SP 800-100 and SP 800-18:
- Organization mission
- Summary of environment
- Roles and responsibilities
- Summary of risks
- Selection of controls
- Deployment and training
- Test and audit of control effectiveness
- Accredit systems operations
- Process to enhance plans

Slide 20: Plan of Action and Milestones (POAM)
Goal: Each risk assessment will identify gaps in current security plans that should be remediated by priority.
Milestones (timeline from Nov 07 through Dec 07, Jan 08, Feb 08, Mar 08 to Jul 08):
1. Risk Assessment
2. Draft Security Plan
3. Update Policies
4. Remediate Gaps
5. Document and Train
6. Executive Briefing
7. Update Security Plans
8. Test and Accredit System

Slide 21: Lessons Learned
- New processes take time ... start early
- New security planning processes require training ... even with seasoned IT professionals
- It takes time and resources to deploy and manage controls ... get key executives involved early to start planning the budget impact
- Why does it cost so much to protect systems that don't cost very much?
- Even with a great security plan, you may still get compromised. Have an IR plan.

Slide 22: Open Discussion
- Questions
- Feedback
- Next steps: "What can you do?"
  - Form a security oversight team
  - Launch a program with a risk assessment first
http://www.colorado.gov/cybersecurity/

