© 2003 NYS OCSCIC Business Manager Cyber Security Training NYS Office of Cyber Security & Critical Infrastructure Coordination www.cscic.state.ny.us.


1 Business Manager Cyber Security Training
NYS Office of Cyber Security & Critical Infrastructure Coordination
www.cscic.state.ny.us
© 2003 NYS OCSCIC

2 Welcome
- Training is required for State Agencies by the NYS Information Security Policy (Cyber Security Policy P03-002)
- NYS CSCIC offers Cyber Security training and materials to State and local government
- Cyber Security Training Offerings:
  - Executive Briefing
  - Information Security Officer
  - Business Manager
  - Workforce Awareness

3 Kim Snyder
- Senior Consultant, AMA, a Division of SAIC
- Science Applications International Corporation (SAIC) is the nation's largest employee-owned research and engineering company, providing information technology, systems integration and eSolutions to commercial and government customers.
- 19 years of IT experience in both the public and private sectors
- Creation, design and delivery of an Information Security Awareness program for a large NYS agency
- MIS Director for the State of Massachusetts Department of Medical Security

4 Training Objectives
- Utilizing the NYS Information Security Policy as a tool for Counties
- Assist you in managing the risk of security exposure or compromise to County business information, systems, or applications
- Assist you in protecting the Confidentiality, Integrity and Availability of information in all County Departments
- Assist you in recognizing a security weakness or incident

5 AGENDA Part One
- What is Information Security and why is it so important now?
- What is the Information Security Officer's role?
- What is the Business Manager's role?
- Video
- Baseline of Knowledge for Business Managers (People, Access, Technology)

6 AGENDA Part Two
- Risk assessment & checklist
- Cyber War
- Be a Security Role Model
- Summary

7 Your Packet
- Agenda
- PowerPoint slide handouts
- Information Security Officer's Roles and Responsibilities
- Threats 101 Review
- Risk Assessment
- How to be a “Role Model”
- Summary: Main Points of Policy
- Information Security Resources for Counties
- Evaluation

8 Information Security

9 What is Information?
- Paper
  - Project Plans, Memos, Manuals, Phone Lists, Org Charts
- Electronic data
  - PCs, Laptops, Mainframes
  - Palm Pilots
  - Diskettes, CDs, Tape
- Conversation
  - Discussions should be thoughtful; consider your location, your surroundings and the individuals in your midst

10 What is Information Security?
Protecting Information from:
- Unauthorized use
- Modification
- Destruction
- Temporary or permanent loss

11 Why is Information Security so Important Now?
- Our reliance on IT systems, and on the availability of the information they hold, is ever growing
- Information is more portable and accessible than ever

12 Ramifications
- If County Information is Modified, Lost or Unavailable…
  - Will there be a loss of confidence in your department?
  - How much revenue may have been lost?
  - How much downtime for your customers, staff and yourself can you afford?
  - Will your public users be upset?

13 Information Security Is Not Just a Technical Issue!
- Business function
  - Protects government’s ability to conduct business
- Management issue
  - Safeguards information assets:
    - Department-specific information
    - Personnel-related data
    - Shared data / partner’s data

14 2003 CSI/FBI Computer Crime & Security Survey
- People
  - 80% insider abuse of network access
  - 82% independent hackers
- Access
  - 45% unauthorized access by insiders
  - 22% of respondents did not know if their website had been hacked
  - 15% of respondents did not know whether there had been unauthorized use of their computer systems
- Technology
  - 82% virus incidents
  - 42% denial of service attacks
  - 36% system penetration

15 “CIA” Triangle
- Confidentiality: only authorized individuals have access to information
- Integrity: information must be reliable
- Availability: on-demand information for authorized individuals

16 Information Security Officer
[Diagram of the Information Security Officer's responsibilities: Awareness, Security Policies & Standards, Monitoring, Enforcement, Investigate, Direction, Leadership, Education, Violations, Resource]

17 Business Manager’s Role

18 Business Manager’s Role
- Adhere to Policy
- Protect the information you have been entrusted with
- Understand the Risks
- Understand the Ramifications
- Be a Security Role Model
- Support your Staff

19 Baseline Knowledge

20 Baseline Knowledge: People Risks
- There must be full cooperation on:
  - Policies, Procedures, Programs
  - Controls in place, or developed, to ensure a secure environment
- Tools are only as effective as the people and processes that use them

21 Baseline Knowledge: People Risks
- Physical:
  - Secure work areas
  - Lock buildings, offices, file cabinets
- Human:
  - Lack of awareness
  - Intentional / Unintentional
  - Social Engineering / Dumpster Diving

22 Baseline Knowledge: Access Risks
- Respect access rights
  - Understand the importance of granting / authorizing access
  - Understand the risks associated with improper or disregarded processes
  - Understand the importance of strong passwords: the 1st level of defense

23 Baseline Knowledge: Access Risks
- Information Owner’s role
  - (Some) Business managers are responsible for determining who should have access to protected resources within their jurisdiction
  - Assigning a classification to information: Confidential, Private, Restricted, Public, County/Department specific

24 Judy, Judy, Judy
From the NYS Cyber Security Awareness video, 2003 (8 minutes)

25 What Went Wrong?

26 Baseline Knowledge: Technology
- Technology is a tool
- Technology affects the way you:
  - Staff
  - Budget
  - Manage
  - Perform your day-to-day activities

27 LOCAL AREA NETWORK (LAN)
[Diagram: a LAN Switch and Server connecting workstations running Time & Attendance, Word, Excel and EMAIL]

28 Wide Area Network (WAN)
[Diagram: the ALBANY LAN (Switch, Server, ROUTER) linked to the UTICA LAN (Switch, Server, ROUTER) over a Dedicated Telephone Line (T1)]

29 [Diagram: the ALBANY LAN (Switch, Server) behind a ROUTER, IDS and FIREWALL; a DMZ holding the Email and Web servers, with its own ROUTER and IDS]

30 VPN
[Diagram: a Remote LAN reaching the ALBANY network over a Secure Communications Link that IDs & verifies who you are; ALBANY Switch, Server, IDS, FIREWALL, DMZ with Email and Web, ROUTER, IDS]

31 Wireless Communication
[Diagram: the ALBANY network (Switch, Server, IDS, FIREWALL, DMZ with Email and Web, ROUTER, IDS) with a Wireless Communication link added]

32 Never…
- Never Install a Modem Without IT Approval
- Never Use a Rogue Wireless Device
- Never Disable Anti-Virus Protection
- Never Install an Unapproved Screen Saver
- Never Give Away Your Password
- Never Open Suspicious Email

33 Threats 101 Review
Handout of Common Threats: Human, Access, Technical

34 Risk Assessment

35 Risk Assessment
- Risk Assessment is a Business Process
- As managers, you already manage risks
  - Budgets
  - Projects
- There is another risk out there: Information Security
  - Consider threats and vulnerabilities to information security
  - Identify current weaknesses that could open your organization to compromise

36 Risk Assessment
- Assets are:
  - Hardware
  - Software
  - Data
  - People
  - Processes

37 Examples of RISKS

38 Risk Assessment Simplified
- Each asset has potential security exposures
- Each security exposure needs to be found/identified
- Its probability of occurrence has to be determined
- And then the risks need to be prioritized
- Create an action plan (fix, mitigate or accept the risk)
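The five steps on this slide can be walked through as a small risk register. The Python below is an added example, not material from the training deck or from NYS OCSCIC: it records exposures per asset, scores each one as likelihood times impact (a conventional simplification; the deck itself prescribes no scale), sorts them into priority order, and maps each score onto the slide's three outcomes of fix, mitigate or accept. The assets, exposures, ratings and the two thresholds are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    """One security exposure found on one asset (step 2 of the slide)."""
    asset: str
    description: str
    likelihood: int  # assumed 1 (rare) .. 5 (almost certain): step 3 of the slide
    impact: int      # assumed 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        # Likelihood x impact is a common, simple risk score; it is an assumption here.
        return self.likelihood * self.impact


def prioritize(exposures):
    """Step 4: highest score first; ties broken by impact so severe items surface."""
    return sorted(exposures, key=lambda e: (e.score, e.impact), reverse=True)


def action_for(exposure, fix_at=15, mitigate_at=8):
    """Step 5: map a score onto the deck's three outcomes. Thresholds are assumed."""
    if exposure.score >= fix_at:
        return "fix"
    if exposure.score >= mitigate_at:
        return "mitigate"
    return "accept"


def build_action_plan(exposures):
    """Return (asset, exposure, score, action) tuples in priority order."""
    return [(e.asset, e.description, e.score, action_for(e)) for e in prioritize(exposures)]


# Constructed sample register (hypothetical County assets; not from the deck).
SAMPLE_REGISTER = [
    Exposure("Payroll server", "Unpatched OS exposed to the WAN", 4, 5),
    Exposure("Payroll server", "Backup tapes stored unlocked in the office", 3, 4),
    Exposure("Staff laptops", "No screen lock; left in cars", 4, 3),
    Exposure("Phone list (paper)", "Left on the printer", 5, 1),
    Exposure("Time & Attendance PCs", "Shared password written on a sticky note", 5, 3),
]


if __name__ == "__main__":
    for asset, desc, score, action in build_action_plan(SAMPLE_REGISTER):
        print(f"{score:>2}  {action:<8} {asset}: {desc}")
```

Run as-is, the plan puts the unpatched payroll server (score 20) and the shared sticky-note password (15) in the "fix" band, the unlocked backup tapes and unlocked laptops (12 each) in "mitigate", and the phone list left on the printer (5) in "accept". The thresholds are the management decision the slide refers to; changing `fix_at` or `mitigate_at` is how a manager expresses appetite for risk without touching the scoring.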

39 Risk Assessment Summary
Utilize your:
- County Information Security Officer/Function
  - Include them in your next kickoff meeting for a new application
  - Invite them to your next ongoing project meeting so they may address potential security concerns
- IT Group
- Information Owner Role

40 Resources to Help You
- The County Information Security Officer/Function
- The County Information Technology group
- NYS Information Security Policy
- The County Information Security Policy
- Information Security Training offered by OCSCIC
- Risk assessment checklist
  - 6 critical or important things to ask during a risk assessment

41 Helpful Websites
- www.cscic.state.ny.us
  - Alerts, advisories
  - 2004 NYS Cyber Security Conference
- www.sans.org

42 Wake Up Calls

43 Be a Security Role Model

44 Be a Security Role Model
- Familiarize yourself with information security policies
- Manage risks
- Understand IT's role
- Build security in at the beginning
- Support the education of your staff
- Encourage your staff to practice good security
- Be aware

45 Lead the Way
- Teach your staff about protecting information
- Encourage them to participate in Information Security Training
- Ask questions
- Don’t circumvent procedures
- Follow policies
- Don’t become a bad statistic

46 Summary: NYS Information Security Policy
- NYS Information Security Policy:
  - Agencies to develop their own policies and standards
  - Managers to be familiar with Information Security Policies
  - Managers to participate in Risk Assessments as necessary
  - Agencies to have an information security function (ISO)
  - Agencies to identify Information Owners
  - Managers and staff to attend Awareness Training and Education

47 Summary
- Utilize the NYS Information Security Policy as a baseline
- Create a County Information Security Policy (Agency Policy)
- Designate an Information Security Officer Function
- Work with your Information Technology Staff
- Identify the Information Owner Role

48 Summary
- Doing it right the first time saves the costs of recovery:
  - Workforce
  - Dollars
- Work together
  - People are the greatest asset
  - Buy-in is essential
- Be a “Security Role Model”

49 Questions? Thank You!
www.cscic.state.ny.us

