© 2003 NYS OCSCIC. Business Manager Cyber Security Training. NYS Office of Cyber Security & Critical Infrastructure Coordination, www.cscic.state.ny.us

Welcome
- Training is required for State Agencies by the NYS Information Security Policy (Cyber Security Policy P03-002)
- NYS CSCIC offers Cyber Security training and materials to State and local government
- Cyber Security Training Offerings:
  - Executive Briefing
  - Information Security Officer
  - Business Manager
  - Workforce Awareness

Kim Snyder
- Senior Consultant, AMA, a Division of SAIC
- Science Applications International Corporation (SAIC) is the nation's largest employee-owned research and engineering company, providing information technology, systems integration and eSolutions to commercial and government customers.
- 19 years of experience in IT in both the public and private sectors
- Creation, design and delivery of an Information Security Awareness program for a large NYS agency
- MIS Director for the State of Massachusetts Department of Medical Security

Training Objectives
- Utilizing the NYS Information Security Policy as a tool for Counties
- Assist you in managing the risk of security exposure or compromise to County business information, systems, or applications
- Assist you in protecting the Confidentiality, Integrity and Availability of information in all County Departments
- Assist you in recognizing a security weakness or incident

Agenda, Part One
- What is Information Security and why is it so important now?
- What is the Information Security Officer's role?
- What is the Business Manager's role?
- Video
- Baseline of Knowledge for Business Managers (People, Access, Technology)

Agenda, Part Two
- Risk assessment & checklist
- Cyber War
- Be a Security Role Model
- Summary

Your Packet
- Agenda
- PowerPoint slide handouts
- Information Security Officer's Roles and Responsibilities
- Threats 101 Review
- Risk Assessment
- How to be a "Role Model"
- Summary: Main Points of Policy
- Information Security Resources for Counties
- Evaluation

Information Security

What is Information?
- Paper
  - Project plans, memos, manuals, phone lists, org charts
- Electronic data
  - PCs, laptops, mainframes
  - Palm Pilots
  - Diskettes, CDs, tape
- Conversation
  - Discussions should be thoughtful; consider your location, your surroundings and the individuals in your midst

What is Information Security?
Protecting information from:
- Unauthorized use
- Modification
- Destruction
- Temporary or permanent loss

Why is Information Security so Important Now?
- Our reliance on IT systems and the availability of their information is ever growing
- Information is more portable and accessible

Ramifications
- If County information is modified, lost or unavailable...
  - Will there be a loss of confidence in your department?
  - How much revenue may have been lost?
  - How much downtime for your customers, staff and yourself can you afford?
  - Will your public users be upset?

Information Security: Not Just a Technical Issue!
- Business function
  - Protects government's ability to conduct business
- Management issue
  - Safeguards information assets: department-specific information, personnel-related data, shared data / partners' data

2003 CSI/FBI Computer Crime & Security Survey
- People
  - 80% insider abuse of network access
  - 82% independent hackers
- Access
  - 45% unauthorized access by insiders
  - 22% reporting did not know if their website was hacked
  - 15% reporting did not know there was unauthorized use of their computer systems
- Technology
  - 82% virus incidents
  - 42% denial of service attacks
  - 36% system penetration

"CIA" Triangle
- Confidentiality: only authorized individuals have access to information
- Integrity: information must be reliable
- Availability: on-demand information for authorized individuals

Information Security Officer (diagram of responsibilities; labels only): Awareness; Security Policies & Standards; Monitoring; Enforcement; Investigate; Direction; Leadership; Education; Violations; Resource

Business Manager's Role

Business Manager's Role
- Adhere to policy
- Protect the information you have been entrusted with
- Understand the risks
- Understand the ramifications
- Be a Security Role Model
- Support your staff

Baseline Knowledge

Baseline Knowledge: People Risks
- There must be full cooperation on:
  - Policies, procedures, programs
  - Controls in place, or developed, to ensure a secure environment
- Tools are only as effective as the people and processes that use them

Baseline Knowledge: People Risks
- Physical:
  - Secure work areas
  - Lock buildings, offices, file cabinets
- Human:
  - Lack of awareness
  - Intentional / unintentional
  - Social engineering / dumpster diving

Baseline Knowledge: Access Risks
- Respect access rights
  - Understand the importance of granting / authorizing access
  - Understand the risks associated with improper or disregarded processes
  - Understand the importance of strong passwords: the 1st level of defense

Baseline Knowledge: Access Risks
- Information Owner's role
  - (Some) business managers are responsible for determining who should have access to protected resources within their jurisdiction
  - Assigning a classification to information: Confidential, Private, Restricted, Public, County/Department specific

Judy, Judy, Judy. From the NYS Cyber Security Awareness video minutes

What Went Wrong?

Baseline Knowledge: Technology
- Technology is a tool
- Technology affects the way you:
  - Staff
  - Budget
  - Manage
  - Perform your day-to-day activities

Network diagrams (slide figures; only the labels survive)
- Local Area Network (LAN): switch, server, and workstations running Time & Attendance, Word and Excel
- Wide Area Network (WAN): Albany LAN (switch, server, router) connected to Utica LAN (switch, server, router) over a dedicated T1 telephone line
- Albany network with perimeter defenses: switch, server, router, IDS, firewall, web server, DMZ
- VPN: remote LAN connected to the Albany network over a secure communications link that identifies and verifies who you are
- Wireless communication into the Albany network (switch, server, IDS, firewall, web server, DMZ, router)

Never...
- Never Install a Modem Without IT Approval
- Never Use a Rogue Wireless Device
- Never Disable Anti-Virus Protection
- Never Install an Unapproved Screen Saver
- Never Give Away Your Password
- Never Open Suspicious

Threats 101 Review: handout of common threats (human, access, technical)

Risk Assessment

Risk Assessment
- Risk assessment is a business process
- As managers, you already manage risks:
  - Budgets
  - Projects
- There is another risk out there: information security
  - Consider threats and vulnerabilities to information security
  - Identify current weaknesses that could open your organization to compromise

Risk Assessment
- Assets are:
  - Hardware
  - Software
  - Data
  - People
  - Processes

Examples of Risks

Risk Assessment Simplified
- Each asset has potential security exposures
- Each security exposure needs to be found/identified
- Its probability of occurrence has to be determined
- And then the risks need to be prioritized
- Create an action plan (fix, mitigate or accept the risk)
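A worked illustration of these five steps as a small risk register, added here as example code and not material from the training deck: the assets and exposures are constructed sample findings, and the 1-5 rating scale and the fix/mitigate/accept thresholds are assumptions chosen for the example (the deck prescribes neither).

```python
"""Worked risk assessment register (added illustration, not from the training deck).

Walks the five steps of "Risk Assessment Simplified": list each asset's exposures,
rate how likely each is and how bad it would be, score and prioritize them, and
record an action (fix, mitigate or accept).  Scale, thresholds, asset names and
exposures are constructed for this example.
"""
from dataclasses import dataclass

# Qualitative 1-5 scale (assumption: the deck prescribes no particular scale)
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Exposure:
    asset: str          # asset category from the deck: Hardware, Software, Data, People, Processes
    description: str    # the security exposure found for that asset
    likelihood: str     # probability of occurrence, on SCALE
    impact: str         # effect on confidentiality, integrity or availability, on SCALE

    @property
    def score(self) -> int:
        """Risk score = likelihood x impact (range 1..25)."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def decide_action(score: int) -> str:
    """Map a score to the deck's three outcomes.  Thresholds are an assumption."""
    if score >= 15:
        return "fix"        # remove the exposure before continuing
    if score >= 6:
        return "mitigate"   # reduce likelihood or impact with a control
    return "accept"         # document it and live with it


def prioritize(register: list[Exposure]) -> list[tuple[str, str, int, str]]:
    """Order exposures from highest to lowest score and attach an action.
    sorted() is stable, so exposures with equal scores keep their register order."""
    ranked = sorted(register, key=lambda e: e.score, reverse=True)
    return [(e.asset, e.description, e.score, decide_action(e.score)) for e in ranked]


def action_plan(register: list[Exposure]) -> dict[str, list[str]]:
    """Group exposure descriptions under the action each one gets, highest risk first."""
    plan: dict[str, list[str]] = {"fix": [], "mitigate": [], "accept": []}
    for _asset, description, _score, action in prioritize(register):
        plan[action].append(description)
    return plan


# Constructed sample register for a county department (not real findings)
SAMPLE_REGISTER = [
    Exposure("Hardware", "Laptop holding case files lost or stolen off-site", "medium", "high"),
    Exposure("Software", "Anti-virus disabled on a shared PC", "high", "medium"),
    Exposure("Data", "Payroll records changed by staff with excess access rights", "low", "very high"),
    Exposure("People", "Staff give their password to a caller claiming to be from IT", "high", "high"),
    Exposure("Processes", "Internal phone lists discarded unshredded", "medium", "low"),
    Exposure("Hardware", "PC in a locked office left without a screen saver", "low", "low"),
]


if __name__ == "__main__":
    for asset, description, score, action in prioritize(SAMPLE_REGISTER):
        print(f"{score:>2}  {action:<8} {asset:<9} {description}")
```

Run as a script it prints the register from highest to lowest score with its action; the social-engineering exposure lands first because both its likelihood and its impact are rated high, which is the point the "People Risks" slides make.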

Risk Assessment Summary
Utilize your:
- County Information Security Officer/Function
  - Include them in your next kickoff meeting for a new application
  - Invite them to your next ongoing project meeting so they may address potential security concerns
- IT group
- Information Owner role

Resources to Help You
- The County Information Security Officer/Function
- The County Information Technology group
- NYS Information Security Policy
- The County Information Security Policy
- Information Security Training offered by OCSCIC
- Risk assessment checklist
  - 6 critical or important things to ask during a risk assessment

Helpful Websites
- Alerts, advisories
- 2004 NYS Cyber Security Conference

Wake Up Calls

Be a Security Role Model

Be a Security Role Model
- Familiarize yourself with information security policies
- Manage risks
- Understand IT's role
- Build security in from the beginning
- Support the education of your staff
- Encourage your staff to practice good security
- Be aware

Lead the Way
- Teach your staff about protecting information
- Encourage them to participate in Information Security Training
- Ask questions
- Don't circumvent procedures
- Follow policies
- Don't become a bad statistic

Summary: NYS Information Security Policy
- The NYS Information Security Policy calls for:
  - Agencies to develop their own policies and standards
  - Managers to be familiar with information security policies
  - Managers to participate in risk assessments as necessary
  - Agencies to have an information security function (ISO)
  - Agencies to identify Information Owners
  - Managers and staff to attend awareness training and education

Summary
- Utilize the NYS Information Security Policy as a baseline
- Create a County Information Security Policy (agency policy)
- Designate an Information Security Officer function
- Work with your Information Technology staff
- Identify the Information Owner role

Summary
- Doing it right the first time saves the costs of recovery:
  - Workforce
  - Dollars
- Work together
  - People are the greatest asset
  - Buy-in is essential
- Be a "Security Role Model"

Questions? Thank you!