© 2003 NYS OCSCIC
Business Manager Cyber Security Training
NYS Office of Cyber Security & Critical Infrastructure Coordination
www.cscic.state.ny.us

Welcome
Training is required for State Agencies by the NYS Information Security Policy (Cyber Security Policy P03-002)
NYS CSCIC offers Cyber Security training and materials to State and local government
Cyber Security Training Offerings:
–Executive Briefing
–Information Security Officer
–Business Manager
–Workforce Awareness

Kim Snyder, Senior Consultant, AMA, a Division of SAIC
Science Applications International Corporation (SAIC) is the nation's largest employee-owned research and engineering company, providing information technology, systems integration and eSolutions to commercial and government customers.
–19 years of experience in IT in both the public and private sector
–Creation, design and delivery of an Information Security Awareness program for a large NYS agency
–MIS Director for the State of Massachusetts Department of Medical Security

Training Objectives
Utilize the NYS Information Security Policy as a tool for Counties
Assist you in managing the risk of security exposure or compromise to County business information, systems, or applications
Assist you in protecting the Confidentiality, Integrity and Availability of information in all County Departments
Assist you in recognizing a security weakness or incident

Agenda, Part One
What is Information Security and why is it so important now?
What is the Information Security Officer's role?
What is the Business Manager's role?
Video
Baseline of Knowledge for Business Managers (People, Access, Technology)

Agenda, Part Two
Risk assessment & checklist
Cyber War
Be a Security Role Model
Summary

Your Packet
Agenda
PowerPoint slide handouts
Information Security Officer's Roles and Responsibilities
Threats 101 Review
Risk Assessment
How to be a “Role Model”
Summary – Main Points of Policy
Information Security Resources for Counties
Evaluation
Information Security

What is Information?
Paper
–Project Plans, Memos, Manuals, Phone Lists, Org Charts
Electronic data
–PCs, Laptops, Mainframes
–Palm Pilots
–Diskettes, CDs, Tape
Conversation
–Discussions should be thoughtful; consider your location, surroundings and the individuals in your midst

What is Information Security?
Protecting information from:
–Unauthorized use
–Modification
–Destruction
–Temporary or permanent loss

Why is Information Security so Important Now?
Our reliance on IT systems and the availability of their information is ever growing
Information is more portable and accessible

Ramifications
If County information is modified, lost or unavailable…
–Will there be a loss of confidence in your department?
–How much revenue may have been lost?
–How much downtime for your customers, staff and yourself can you afford?
–Will your public users be upset?

Information Security: Not Just a Technical Issue!
Business function
–Protects government’s ability to conduct business
Management issue
–Safeguards information assets: department-specific information, personnel-related data, shared data / partners’ data

2003 CSI/FBI Computer Crime & Security Survey
People
–80% insider abuse of network access
–82% independent hackers
Access
–45% unauthorized access by insiders
–22% of those reporting did not know if their website was hacked
–15% of those reporting did not know there was unauthorized use of their computer systems
Technology
–82% virus incidents
–42% denial of service attacks
–36% system penetration

“CIA” Triangle
Confidentiality: only authorized individuals have access to information
Integrity: information must be reliable
Availability: on-demand information for authorized individuals

Information Security Officer
Awareness, Security Policies & Standards, Monitoring, Enforcement, Investigation, Direction, Leadership, Education, Violations, Resource
Business Manager’s Role

Business Manager’s Role
Adhere to policy
Protect the information you have been entrusted with
Understand the risks
Understand the ramifications
Be a Security Role Model
Support your staff

Baseline Knowledge

Baseline Knowledge: People Risks
There must be full cooperation for:
–Policies, Procedures, Programs
–Controls in place, or developed, to ensure a secure environment
Tools are only as effective as the people and processes that use them

Baseline Knowledge: People Risks
Physical:
–Secure work areas
–Lock buildings, offices, file cabinets
Human:
–Lack of awareness
–Intentional / unintentional
–Social Engineering / Dumpster Diving

Baseline Knowledge: Access Risks
Respect access rights
–Understand the importance of granting / authorizing access
–Understand the risks associated with improper or disregarded processes
–Understand the importance of strong passwords – the 1st level of defense

Baseline Knowledge: Access Risks
Information Owner's role
–(Some) Business Managers are responsible for determining who should have access to protected resources within their jurisdiction
–Assigning a classification to information: Confidential, Private, Restricted, Public, County/Department specific

Judy, Judy, Judy
From the NYS Cyber Security Awareness video, 2003, 8 minutes

What Went Wrong?

Baseline Knowledge: Technology
Technology is a tool
Technology affects the way you:
–Staff
–Budget
–Manage
–Perform your day-to-day activities
Local Area Network (LAN)
[Diagram: a LAN switch and server connected to workstations running Time & Attendance, Word, Excel and Email]

Wide Area Network (WAN)
[Diagram: the Albany LAN (switch, server, router) linked to the Utica LAN (switch, server, router) over a dedicated T1 telephone line]

[Diagram: the Albany LAN (switch, server) behind a router, IDS and firewall, with Email and Web servers in a DMZ that has its own router and IDS]

VPN
[Diagram: a remote LAN connected to the Albany network (switch, server, IDS, firewall, DMZ with Email and Web servers, router, IDS) over a secure communications link; your ID is verified to confirm who you are]

Wireless Communication
[Diagram: wireless access into the Albany network (switch, server, IDS, firewall, DMZ with Email and Web servers, router, IDS)]

Never install a modem without IT approval
Never use a rogue wireless device
Never disable anti-virus protection
Never install an unapproved screen saver
Never give away your password
Never open suspicious email

Threats 101 Review
Handout of common threats: Human, Access, Technical
Risk Assessment

Risk Assessment
Risk Assessment is a business process
As managers, you already manage risks
–Budgets
–Projects
There is another risk out there
–Information Security
Consider threats and vulnerabilities to information security
Identify current weaknesses that could open your organization to compromise

Risk Assessment
Assets are:
–Hardware
–Software
–Data
–People
–Processes

Examples of Risks

Risk Assessment Simplified
Each asset has potential security exposures
Each security exposure needs to be found/identified
Its probability of occurrence has to be determined
Then the risks need to be prioritized
Create an action plan (fix, mitigate or accept the risk)

Risk Assessment Summary
Utilize your County Information Security Officer/Function
–Include them in your next kickoff meeting for a new application
–Invite them to your next ongoing project meeting so they may address potential security concerns
Utilize your IT group
Utilize the Information Owner role

Resources to Help You
The County Information Security Officer/Function
The County Information Technology group
NYS Information Security Policy
The County Information Security Policy
Information Security Training offered by OCSCIC
Risk assessment checklist
–6 critical or important things to ask during a risk assessment

Helpful Websites
www.cscic.state.ny.us
–Alerts, advisories
–2004 NYS Cyber Security Conference
www.sans.org
Wake Up Calls

Be a Security Role Model

Be a Security Role Model
Familiarize yourself with information security policies
Manage risks
Understand IT's role
Build in security at the beginning
Support the education of your staff
Encourage your staff to practice good security
Be aware

Lead the Way
Teach your staff about protecting information
Encourage them to participate in Information Security Training
Ask questions
Don’t circumvent procedures
Follow policies
Don’t become a bad statistic

Summary: NYS Information Security Policy
The NYS Information Security Policy requires:
–Agencies to develop their own policies and standards
–Managers to be familiar with Information Security Policies
–Managers to participate in Risk Assessments as necessary
–Agencies to have an information security function (ISO)
–Agencies to identify Information Owners
–Managers and staff to attend Awareness Training and Education

Summary
Utilize the NYS Information Security Policy as a baseline
Create a County Information Security Policy (Agency Policy)
Designate an Information Security Officer Function
Work with your Information Technology staff
Identify the Information Owner role

Summary
Doing it right the first time saves the costs of recovery:
–Workforce
–Dollars
Work together
–People are the greatest asset
–Buy-in is essential
Be a “Security Role Model”

Questions?
Thank You!
www.cscic.state.ny.us