1. PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 1 USAID/Peru Risk Assessment In-Briefing February 19, 1999 PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME

2. Principal Resource for Information Management Enterprise-wide USAID PRIME 2 Team Introduction USAID ISSO - Jim Craft Risk Assessment Program Manager - Rod Murphy Consulting Manager, Information Technology - John Zobel Senior Computer Scientist - Mike Reiter UNIX Team Lead - Steve Bui

3. PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 3 Purpose A Risk Assessment allows one to: –Determine which information is critical to the organization –Identify the systems that process, store, or transmit that critical information –Identify potential vulnerabilities –Recommend solutions to mitigate or eliminate those vulnerabilities

4. PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 4 Determine the Scope Identify the boundaries of the system(s) being evaluated –Cisco Routers –Servers –Workstations –Communication Lines Identify the level of detail expected from the Assessment –Compliance with Agency/Mission requirements –Compliance with best practices PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME

5. Principal Resource for Information Management Enterprise-wide USAID PRIME 5 Pre-Assessment Activity Collected and Analyzed Mission Data –Asset Information (Hardware/Software/Financial) –Automated Survey Questionnaires 51 surveys sent out 22 responses received –34 potential vulnerabilities identified –Conducted an Automated Network Scan using HYDRA Identified 8 major and 17 minor vulnerabilities Developed and forwarded an Immediate Needs Report to TCO and Mission staff for action –Conducted a follow-up HYDRA scan to confirm Mission Configuration changes PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME

6. Principal Resource for Information Management Enterprise-wide USAID PRIME 6 On-site Activities PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME Friday: Receive a Mission Threat Briefing Coordinate Assessment Logistics –A room for the Assessment team to work out of –A room scheduled for conducting training (Wed) –A room for in-briefing and out-briefing –Interviews scheduled for Mon and Tue, if necessary –Schedule meeting with Functional Management on Tues. –Schedule all staff training for Wed. (one hour sessions) –Schedule meeting with Security Plan and Contingency Planning staff. (Wed) –List of mission phones number ranges for scan

7. PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 7 On-Site Activities (continued) PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME Conduct a Physical Review of the Mission Facility Meet with System Administrators –Establish System Ids as needed –Conduct UNIX review –Conduct Banyan review –Review NT Security Monday: Conduct staff interviews Additional System (UNIX,Banyan,NT, Cisco) reviews Conduct an after-hours modem scan

8. PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 8 On-Site Activities (continued) PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME Tuesday: Conduct additional interviews as needed Meet with Functional Mission Management to discuss: –Connectivity/Business needs –Mission impact with regards to Agency requirements –Roles and Responsibilities associated with policies Wednesday: Conduct Mission staff training Assist in the development of Mission Security Plan and Contingency Plan

9. PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 9 On-Site Activities (continued) Conduct any activities needed to wrap-up assessment. Analyze information gathered from pre-assessment and on-site assessment activities. Develop “Draft” Assessment Executive Summary Report. Develop Out-Briefing Present Out-Briefing to Mission Management/Staff PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME

10. Principal Resource for Information Management Enterprise-wide USAID PRIME 10 Expected Outcome What the Assessment Team expects to Accomplish: –Identify areas of concern –Provide recommendations that will enable management to make decisions associated with risks –Assist in the development of a Mission Security Plan –Assist in the development of a Mission Contingency Plan –Provide an annual Security refresher Training class to all Mission personnel –Develop a standardized approach to conducting Mission Risk Assessments –Identify Mission Concerns associated with UNIX, Banyan, NT, Cisco configuration checklists –Identify and address specific Mission concerns PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME

11. Principal Resource for Information Management Enterprise-wide USAID PRIME 11 Additional Activities Being Conducted at Each Mission Assist in the development of a Mission System Security Plan Provide a template for developing a Mission Contingency Plan Provide on-site training –General User –System Administrator –System Managers/Executive Officers Address any additional concerns PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME