Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD.

Presentation transcript:

Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration

Cybersecurity: What the Board of Directors Needs to Ask (document copyright © 2014 by The Institute of Internal Auditors Research Foundation, IIARF)
1. Does the organization use a security framework?
2. What are the top five risks the organization has related to cybersecurity?
3. How are employees made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed within the organization?
6. In the event of a serious breach, has management developed a robust response protocol?

RTD’s Cybersecurity Framework
(1) Does the organization use a security framework?
Answer: Yes. RTD’s cybersecurity assessments and strategy are informed by multiple government and private industry standards and frameworks.
Standards used for benchmarking RTD’s cybersecurity posture in 2014:
- NIST Cybersecurity Framework (published 12 Feb 2014), which correlates to: NIST SP, COBIT, ISO, and the SANS Critical Security Controls for Effective Cyber Defense
Standards that additionally inform the growth and development of RTD’s cybersecurity strategy:
- APTA Standards Development Program Recommended Practices
- FTA Threat and Vulnerability Assessment Methodologies
- Department of Homeland Security (DHS) Recommendations and Methodologies, including those put forth by the Center for Internet Security (CIS) and sponsored by the DHS

Top Five Cybersecurity Risks
(2) What are the top five risks the organization has related to cybersecurity?
Answer: The top five things that keep me up at night are:
1) Securing RTD’s credit card Point of Sale systems
2) Maintaining the integrity and availability of RTD’s customer communications systems
3) Reviewing and applying appropriate access control to RTD’s sensitive data, including personnel, payroll, and accounting systems
4) Managing third party and Bring Your Own Device (BYOD) access to RTD systems and networks
5) Controlling visibility and access to control and dispatch systems
Capabilities we are developing as an organization to address these items include:
- Organizational Cybersecurity Risk Awareness and Strategy
- Robust Incident Response Protocol and Follow Through
- Asset, Configuration, and Change Management
- Skilled, Dedicated Security Staff
- System Security Hygiene Across the Enterprise

Employee Cybersecurity Awareness
(3) How are employees made aware of their role related to cybersecurity?
Answer: RTD’s security policy, Management Directive IT-1: Secure Computing Standards, and an accompanying cybersecurity training program and wiki, were published in May 2014, piloted with employees throughout 2014, and became an annual requirement for all salaried employees in January.
- In 2014, 226 employees took the self-guided training from the RTD intranet site
- Training has been introduced to all new employees joining RTD since June 2014
- Training and policy are revised and evaluated annually as the cybersecurity program matures

Cybersecurity Threat Analysis
(4) Are external and internal threats considered when planning cybersecurity program activities?
Answer: Yes. RTD receives information about threats originating from inside and outside the organization from a variety of external sources. RTD follows FTA methodologies to identify our most critical assets and prioritize cybersecurity actions to have the most impact on the greatest areas of risk.
- Government and private sector information sharing groups for transportation, cybersecurity, and critical infrastructure threat intelligence
- Focus on the “unintentional insider” with cybersecurity governance, awareness training, and enforcement
- Supplement policy with detective and preventative technical controls to reduce dependency on end users
- Introduce controls for third parties who provide services to or control RTD data
[Figure: layered control model. Layers, from top to bottom: Technical Controls (Tools or Automation, Points of Presence); Audits, Reviews & Compliance Testing; Processes, Procedures, Checklists, Education; Policies.]

Security Governance
(5) How is security governance managed within the organization?
Answer: Cybersecurity responsibility is delegated to the Information Technology department. Major risks are reviewed with the Senior Manager of IT and IT Management as they are identified; critical risks and incidents are reviewed with the IT Governance Committee (AGMs) and Senior Leadership Team (AGMs and GM).
IIA Three Lines of Defense Concept for Security Governance*
- Majority focus on the first line of defense (reactive)
- Security policies, standards, and technical configurations that align with the business are in development
- Internal / external audit functions will be IT security-control focused in 2015
* From “Cybersecurity: What the Board of Directors Needs to Ask.” IIA / ISACA

Incident Response
(6) In the event of a serious breach, has management developed a robust response protocol?
Answer: Yes. In early 2014, RTD developed a preliminary critical incident handling framework for IT that addresses data breach or loss, security incidents, and major outages. Using industry best practices and lessons learned in 2014, RTD formally defined and published a robust incident management process in December.
Three-phased response process:
1. Declare an incident
2. Execute the response plan
3. Incident review
- Identifies roles and responsibilities and communication flows from identification to closure
- Designed to integrate with Business Continuity and Recovery procedures (Disaster Recovery) when used as part of the response plan

Future Focus – 2015 and Beyond
- Require cybersecurity training for salaried computer users
- Train IT and other organizations in cybersecurity incident response
- Complete the first round of access control reviews
- Complete the first annual review and update of the Secure Computing Standards
- Perform a third-party Electronic Fare Collection Security Assessment (ticketing systems and SMT)
- Continue to develop asset profiles and configuration standards, including where third parties are concerned
- Update and enforce an enterprise-wide patch management program
- Establish basic network monitoring services
- Additional DHS / US-CERT assessments of enterprise and SCADA controls
Related Hot Topics in IT: Cloud Computing; Disaster Recovery; PCI Compliance; Data Security; Smart Media; Control Systems

Key Takeaways
- We are positioned to receive information about cybersecurity threats and respond appropriately to incidents.
- RTD’s cybersecurity program is growing on par with other transit agencies.
- RTD’s program is informed by national standards and federal initiatives.
- RTD has performed analysis to identify the key areas where we must focus our cybersecurity efforts.
- RTD has engaged projects to further enhance our cybersecurity defenses and encourage a risk-aware culture.

Questions & Answers