Fusion Center ITS Security and Privacy Operations, Joe Thomas

Presentation transcript:

Fusion Center ITS Security and Privacy Operations
Joe Thomas
October 2016

Overview
Incident Response
Security Goals
Incident Benefits
University Policies
General Procedures
Reporting to FSUPD, HR, FDLE
Incident Response
Phishing - Accounts Compromised
Compromised File
Ransomware
Stolen Property
Final Comments

What is an Incident?
A computer security incident is any action or activity, accidental or deliberate, that compromises the confidentiality, integrity, or availability of data and information technology resources. Incidents also include the use of technology for criminal activities such as fraud, child pornography, and theft. Policy violations may also be considered security incidents.

Incident Response Goals
Preserving the confidentiality, integrity, and availability of enterprise information assets.
Minimizing the impact to the university.
Providing management with sufficient information to decide on an appropriate course of action.
Providing a structured, logical, repeatable, and successful approach.

Incident Response Goals (cont.)
Increase the efficiency and effectiveness of dealing with an incident.
Reduce the impact to the university from both financial and human resources perspectives.
Provide evidence that may become significant should legal and liability issues arise.

University Policies
The university has policies requiring action from IT administrators to report and respond to security incidents:
4-OP-H-5 Information Technology Security
4-OP-D-2-G Payment Cards
4-OP-H-12 Information Privacy Policy

Team Leadership and Duties
The CISO or Operations Team Lead usually acts as CSIRT Leader and is responsible for the following:
Convene the CSIRT (Computer Security Incident Response Team).
Select additional support members as necessary for the reported incident.
Contact the Chief Information Officer.
Conduct meetings of the CSIRT.
Ensure meetings are documented.
Direct team training on an ongoing basis.
Periodically report the status of incidents to the CIO.
Manage incidents.
Ensure Class 2 and Class 3 incidents are documented.
Coordinate team incident research and response activities.
Conduct a debriefing of lessons learned and report to the CIO.

Team Expertise
Chief Information Officer (CIO)
Chief Auditor's Office
Legal
Human Resources
Information Security (CISO or representative)
Registrar
Public Information Officer
Platform Specialists
Financial Administrators
Law Enforcement

Role of the CSIRT
The role of the CSIRT is to serve as the first responder to computer security incidents within the university and to perform vital functions in identifying, mitigating, reviewing, and reporting findings to management.

Responsibilities of the CSIRT
Classify security incidents.
Convene upon notification of a reported computer security incident.
Conduct a preliminary assessment to determine the root cause, source, nature, and extent of damage.
Recommend a response to a computer security incident.
Select additional support members as necessary for the reported incident.
Maintain confidentiality of information related to incidents.
Assist with recovery efforts and provide reports to the CIO.
Document incidents as appropriate; examples include lessons learned and recommended actions.
Report incidents to the Information Security and Privacy Office.
Maintain awareness of and implement procedures for effective response to computer security incidents.
Stay current on functional and security operations for the technologies within their area of responsibility.

Classification of Security Incidents
The CSIRT will classify each incident as a Class 1, Class 2, or Class 3 incident based upon risk severity. The following criteria are used to determine incident classification:
Expanse of Service Disruption
Data Classification
Legal Issues
Policy Infraction
Public Interest
Threat Potential
Business Impact

Class 1 Incident: Low Severity
A Class 1 incident is any incident that has a low impact on university information technology resources and is contained within the unit. The following criteria define Class 1 incidents:
Data classification: Unauthorized disclosure of confidential information has not occurred.
Legal issues: Lost or stolen hardware that has low monetary value or is not part of a mission-critical system.
Business impact: Incident does not involve mission-critical services.
Expanse of service disruption: Incident is within a single unit.
Threat potential: Threat to other information technology resources is minimal.
Public interest: Low potential for public interest.
Policy infraction: Security policy violations as determined by the university.

Class 2 Incident: Moderate Severity
A Class 2 incident is any incident that has a moderate impact on university information technology resources and is contained within the unit. The following criteria define Class 2 incidents:
Data classification: Unauthorized disclosure of confidential information has not been determined.
Legal issues: Lost or stolen hardware with high monetary value or that is part of a mission-critical system.
Business impact: Incident involves mission-critical services.
Expanse of service disruption: Incident affects multiple units within the university.
Threat potential: Threat to other university information technology resources is possible.
Public interest: There is the potential for public interest.
Policy infraction: Security policy violations as determined by the university.

Class 3 Incident: High Severity
A Class 3 incident is any incident that has impacted or has the potential to impact other external information technology resources and/or events of public interest. The following criteria define Class 3 incidents:
Data classification: Unauthorized disclosure of confidential information has occurred outside the university.
Legal issues: Incident investigation and response is transferred to law enforcement.
Business impact: Threat to other university information technology resources is high.
Expanse of service disruption: Disruption is widespread across the university and/or other entities.
Threat potential: Incident has the potential to become widespread across the university and/or threatens external, third-party information technology resources.
Public interest: There is active public interest in the incident.
Policy infraction: Security policy violations as determined by the university.

Reporting Process
The CSIRT Leader reports and documents all incidents classified or reclassified as Class 2 or Class 3 incidents. The report should include the following:
Executive Summary
Description of the Incident
CSIRT Members Participating
CSIRT Findings
Conclusions
Recommendations

General Procedures
End users need to communicate computer incidents to unit ISMs (information security managers).
Information security managers must immediately notify the FSU IT Security Incident Officer of the incident.
Payment card data breach: the department head notifies the security manager, who then notifies the Director of Information Security and Privacy of the incident.
The information security manager notifies the Police Department for incidents involving threats to human beings, property, child pornography, or a breach of CJIS information.
External law enforcement, if needed, will be referred to FSUPD, which will serve as liaison during security investigations.
General Counsel, the Director of Information Security and Privacy, and FSUPD must be notified when a subpoena is issued.

Reporting of IT Security Incidents
Different departments will become involved in the remediation of an incident.
Criminal activities should be reported to FSUPD.
Employee misconduct, both criminal and otherwise, should be reported to HR.
Incidents of a technical nature from an external source should be reported to the Director of Information Security & Privacy.
All university data should be classified into one of three levels:
Level 1: Protected
Level 2: Private
Level 3: Public

IT Security Incidents Reported to FSUPD
Electronic transmission or storage of child pornography
Electronic transmission of threats to the physical safety of human beings or physical assets
Harassment and other criminal offenses involving user accounts
Loss or theft of a computing device
Using FSU computing resources in the commission of a fraudulent activity against the university, an individual, or an outside entity
Incidents involving a breach of CJIS information

IT Security Incidents Reported to Human Resources
Misuse of FSU IT resources is described in 4-OP-H-5, with some examples below:
Commercial use of IT resources that is not pre-approved
Advertisement for personal gain on FSU.EDU websites
Use of IT resources that interferes with the performance of an employee's job
Use of IT resources that results in an incremental cost to the university

Types of Major Security Incidents Reported to the FSU Director of Information Security and Privacy
Breach of Personally Identifiable Information (PII).
Root or system-level attacks on mission-critical information systems: desktop, laptop, tablet, server, storage device, or network infrastructure.
Compromise of restricted or protected service accounts or software installations, for data classified as "Protected" or "Private".
Denial of Service attacks that impair FSU resources.
Malicious code attacks, including malware infections on devices, that allow an unauthorized user access to data.

Types of Major Security Incidents Reported (cont.)
Open mail relay used to forward spam or other unauthorized communications with the FSU email system.
Compromise of user logon account credentials.
Denial of service on individual user accounts.
Other attacks that may constitute a risk to the confidentiality, integrity, or availability of university data or systems.

Types of Minor Security Incidents
Virus infections on servers and end-points

Departmental Response to IT Security Incidents
Isolation and protection of compromised devices:
Discontinue use of that device immediately.
Do not power off the device.
Disconnect the network cable at the network jack.
Isolate the computer to prevent any further use.
Preserve logs.
Contact FSUPD, HR, and the Director of Information Security and Privacy to assist in the investigation.
If necessary, get a backup of the hard drive.
Identification of personally identifiable data
Calculation of campus unit fiscal cost to remediate

Types of Attacks
Phishing
Ransomware
Denial of Service
Stolen Property
Compromised File

Final Comments
Any Questions?