Cyber Protections: First Step, Risk Assessment

Presentation transcript:

Cyber Protections: First Step, Risk Assessment
Presented to: Mark LaVigne, Deputy Director, NYSAC
November 21, 2017
500 Avery Lane, Rome, NY 13441
315.338.5818
www.nystec.com

In this presentation
- Cyber protection business strategy
- The importance of cyber protection
- Cyber protection strategy
- Products of the NYSTEC risk assessment
- Leveraging NYSTEC cyber protection services

Importance of Cyber Protection
Data breach at an upstate New York hospital (2017):
- Impacted operations at a major trauma center
- Complete shutdown of over 6,000 computers
- Six-week technology outage forcing a return to manual methods not used in 20 years
- Critical systems such as electronic prescribing were unavailable for one month
Hackers gain access to a NYS county's 911 system:
- 911 features, such as mapping, were disrupted
- The county reported that all files and servers required rebuilding

Typical outcomes from a security incident
Financial:
- Revenue loss
- Cost of breach: $154-$158 per record (2016 Ponemon Institute*)
- Credit monitoring: ~$40 per person per year
- HIPAA penalty: up to $1.5M per year
- Cost of litigation and mitigation
Other:
- Productivity loss
- Legal, regulatory, and contract issues
- Patient, community, and worker safety
- Damage to reputation
- Executive job loss
* 2016 Ponemon Institute: https://securityintelligence.com/media/2016-cost-data-breach-study/

Cyber Protection Strategy
- Begins with a comprehensive assessment of risk
- There is no quick-fix technology solution
- Must be baked into your strategic business planning, not bolted on at the end
- Requires full leadership commitment and understanding
- Involves a holistic, multi-faceted application of trained personnel, business-process, and technology safeguards
- Is a continuous process that involves ongoing risk assessment, training, safeguard effectiveness testing, and involvement at all levels of the organization

Value of a Risk Assessment
Helps to identify:
- Threats to systems: bad actors that target your business and systems
- Gaps in defenses: gaps in business processes and technical defenses that could allow someone to steal data or harm your business
- Likelihood of system compromise and business impact: the possibility that an adverse event will occur in your environment and the potential impact to your business processes and systems
Benefits:
- Optimizes your organization's investment in security
- Helps to plan the implementation of safeguards
- Helps to justify investments to County and State sponsors

NYSTEC Risk Assessment
Results of the risk assessment. A completed risk assessment includes a detailed report that provides:
- A detailed explanation of what was reviewed, which threats were considered, and how risks were calculated
- A data-driven "heat map" gauging cyber readiness against the CIS Top-20 Critical Controls and revealing "hot spots" where defenses might be insufficient to address identified risks
- A prioritized risk mitigation plan that includes risk mitigation recommendations for each identified area of concern
Value of the risk mitigation plan:
- Valuable for petitioning County and State leadership for funding; use it to justify funding requests
- Identifies where limited funds should be invested to maximize return on investment

NYSTEC Risk Assessment Product

NYSTEC Compliance Heat Map
The slide scores each control in two columns, Explanation % and Artifacts %. Where the transcript shows only one figure for a control, it does not show which of the two columns that figure belongs to; "-" means the slide shows no figure for that control.

Control | Control Description | Scores (%)
CSC 1 | Inventory of Authorized and Unauthorized Devices | 80, 75
CSC 2 | Inventory of Authorized and Unauthorized Software | 73, 67
CSC 3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | 69, 57
CSC 4 | Continuous Vulnerability Assessment and Remediation | 87, 83
CSC 5 | Controlled Use of Administrative Privileges | 60, 25
CSC 6 | Maintenance, Monitoring, and Analysis of Audit Logs | 63, 55
CSC 7 | Email and Web Browser Protections | -
CSC 8 | Malware Defenses | 40
CSC 9 | Limitation and Control of Network Ports, Protocols, and Services | 20
CSC 10 | Data Recovery Capability | 100
CSC 11 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | 66, 38
CSC 12 | Boundary Defense | 48
CSC 13 | Data Protection | 76
CSC 14 | Controlled Access Based on the Need to Know | -
CSC 15 | Wireless Access Control | 92
CSC 16 | Account Monitoring and Control | 30
CSC 17 | Security Skills Assessment and Appropriate Training to Fill Gaps | -
CSC 18 | Application Software Security | 4
CSC 19 | Incident Response and Management | 31, 14
CSC 20 | Penetration Tests and Red Team Exercises | 43

Interpreting the Heat Map
(The slide repeats the first nine rows of the compliance heat map, CSC 1 through CSC 9.)
The risk assessment will provide:
- A detailed explanation of scoring and business risks
- Recommended mitigation steps
- Recommended priority for implementing changes
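As an added example that is not part of the presentation or of NYSTEC's own tooling, the script below turns heat-map scores of the kind shown above into a mitigation priority order. The control scores are transcribed from the heat-map slide; the rule for combining the two columns (a plain average of whatever figures are present) and the hot/warm/cool thresholds are assumptions, since the presentation does not state how its heat map is cut. Controls with no figure on the slide are listed separately rather than ranked, because a missing score means missing evidence, not a good or bad result.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple

# Constructed data, transcribed from the heat-map slide as
# (control, description, explanation %, artifacts %).
# Where the slide shows a single figure, its column is not recoverable from the
# transcript, so it is kept as the only available score and paired with None.
# Controls with no figure on the slide carry None in both positions.
HEAT_MAP: List[Tuple[str, str, Optional[int], Optional[int]]] = [
    ("CSC 1", "Inventory of Authorized and Unauthorized Devices", 80, 75),
    ("CSC 2", "Inventory of Authorized and Unauthorized Software", 73, 67),
    ("CSC 3", "Secure Configurations for Hardware and Software", 69, 57),
    ("CSC 4", "Continuous Vulnerability Assessment and Remediation", 87, 83),
    ("CSC 5", "Controlled Use of Administrative Privileges", 60, 25),
    ("CSC 6", "Maintenance, Monitoring, and Analysis of Audit Logs", 63, 55),
    ("CSC 7", "Email and Web Browser Protections", None, None),
    ("CSC 8", "Malware Defenses", 40, None),
    ("CSC 9", "Limitation and Control of Network Ports, Protocols, and Services", 20, None),
    ("CSC 10", "Data Recovery Capability", 100, None),
    ("CSC 11", "Secure Configurations for Network Devices", 66, 38),
    ("CSC 12", "Boundary Defense", 48, None),
    ("CSC 13", "Data Protection", 76, None),
    ("CSC 14", "Controlled Access Based on the Need to Know", None, None),
    ("CSC 15", "Wireless Access Control", 92, None),
    ("CSC 16", "Account Monitoring and Control", 30, None),
    ("CSC 17", "Security Skills Assessment and Appropriate Training to Fill Gaps", None, None),
    ("CSC 18", "Application Software Security", 4, None),
    ("CSC 19", "Incident Response and Management", 31, 14),
    ("CSC 20", "Penetration Tests and Red Team Exercises", 43, None),
]

# Assumed banding thresholds; the presentation does not state how its heat-map
# colours are cut. Below HOT_BELOW is a "hot spot", COOL_FROM and above is "cool".
HOT_BELOW = 50
COOL_FROM = 80


@dataclass
class ControlScore:
    control: str
    description: str
    score: Optional[float]  # mean of the available percentages, None if no evidence
    band: str               # "hot", "warm", "cool" or "unscored"


def band_for(score: Optional[float]) -> str:
    """Map a readiness percentage to a heat-map band using the assumed thresholds."""
    if score is None:
        return "unscored"
    if score < HOT_BELOW:
        return "hot"
    if score < COOL_FROM:
        return "warm"
    return "cool"


def score_controls(rows=HEAT_MAP) -> List[ControlScore]:
    """Average whatever scores are available per control; keep None where there are none."""
    scored = []
    for control, description, explanation, artifacts in rows:
        available = [v for v in (explanation, artifacts) if v is not None]
        score = mean(available) if available else None
        scored.append(ControlScore(control, description, score, band_for(score)))
    return scored


def prioritize(rows=HEAT_MAP) -> Tuple[List[ControlScore], List[ControlScore]]:
    """Return (ranked, unscored): ranked is lowest readiness first, i.e. the
    recommended order for mitigation work; unscored controls need evidence
    gathered before they can be placed and are listed separately."""
    scored = score_controls(rows)
    ranked = sorted((c for c in scored if c.score is not None), key=lambda c: c.score)
    unscored = [c for c in scored if c.score is None]
    return ranked, unscored


def render(rows=HEAT_MAP) -> str:
    """Plain-text report: one line per control in mitigation priority order."""
    ranked, unscored = prioritize(rows)
    lines = ["Mitigation priority (lowest readiness first):"]
    for i, c in enumerate(ranked, 1):
        lines.append(f"{i:2d}. {c.control:<7} {c.score:5.1f}%  {c.band:<5} {c.description}")
    if unscored:
        lines.append("No score on the heat map (gather evidence before ranking):")
        lines.extend(f"    {c.control:<7} {c.description}" for c in unscored)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
```

Run as a script it prints the ranked list; with the transcribed figures the lowest-readiness controls are CSC 18 (application software security), CSC 9 (network ports, protocols and services) and CSC 19 (incident response), and three controls (CSC 7, 14, 17) fall into the unscored list. In practice the two columns would be weighted according to how the assessment defines them, which is exactly the "detailed explanation of scoring" the report is meant to supply.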

NYSTEC Cyber Protection Services Menu
- Self-assessment surveys
- CIS Top-20 gap assessment worksheets
- System characterization of critical assets
- In-person and phone interviews
- Review of policies and procedures
- Maturity review of documents and artifacts
- Completion of the NYSTEC risk assessment matrix
- Review of the completed risk assessment matrix
- Networked device vulnerability analysis
- Web application scanning
Service tiers:
- Small: smaller counties that have few critical assets or a small cyber presence
- Medium: medium-sized counties with critical assets and a significant cyber footprint
- Large: larger counties with significant cyber assets and a large footprint

Thank you. Questions?