Cyber Protections: First Step, Risk Assessment


1 Cyber Protections: First Step, Risk Assessment
Presented to: Mark LaVigne, Deputy Director, NYSAC
November 21, 2017
500 Avery Lane, Rome, NY 13441

2 In this presentation Cyber Protection Business Strategy
The importance of cyber protection
Cyber protection strategy
Products of the NYSTEC risk assessment
Leveraging NYSTEC Cyber Protection Services

3 Importance of Cyber Protection
Data breach at an upstate New York hospital (2017):
Impacted operations at a major trauma center
Complete shutdown of over 6,000 computers
Six-week technology outage forcing a return to manual methods not used in 20 years
Critical systems such as electronic prescribing were unavailable for one month

Hackers gain access to a NYS county's 911 system:
911 features, such as mapping, were disrupted
County reported that all files and servers required rebuilding

4 Typical outcomes from a security incident
Financial:
Revenue loss
Cost of breach: $154-$158 per record (2016 Ponemon Institute)
Credit monitoring: ~$40 per person per year
HIPAA penalty: up to $1.5M per year
Cost of litigation and mitigation

Other:
Productivity loss
Legal, regulatory, and contract issues
Patient, community, and worker safety
Damage to reputation
Executive job loss

5 Cyber Protection Strategy
Begins with a comprehensive assessment of risk
There is no quick-fix technology solution
Must be baked into your strategic business planning, not bolted on at the end
Requires full leadership commitment and understanding
Involves a holistic, multi-faceted application of trained personnel, business-process, and technology safeguards
Is a continuous process of ongoing risk assessment, training, safeguard effectiveness testing, and involvement at all levels of the organization

6 Value of a Risk Assessment
Helps to identify:
Threats to systems: the bad actors that target your business and systems
Gaps in defenses: gaps in business processes and technical defenses that could allow someone to steal data or harm your business
Likelihood of system compromise and business impact: the possibility that an adverse event will occur in your environment, and the potential impact to your business processes and systems

Benefits:
Optimize investment in security
Plan the implementation of safeguards
Justify investments to county and State sponsors

7 NYSTEC Risk Assessment
Results of the risk assessment (a completed assessment includes a detailed report that provides):
Detailed explanation of what was reviewed, which threats were considered, and how risks were calculated
Data-driven "heat map" gauging cyber readiness against the CIS Top-20 Critical Controls and revealing "hot spots" where defenses might be insufficient to address identified risks
Prioritized risk mitigation plan with risk mitigation recommendations for each identified area of concern

Value of the risk mitigation plan:
Supports petitioning county and State leadership for funding
Identifies where limited funds should be invested to maximize return on investment

8 NYSTEC Risk Assessment Product

9 NYSTEC Compliance Heat Map
Control | Control Description | Explanation % | Artifacts %
CSC 1 | Inventory of Authorized and Unauthorized Devices | 80 | 75
CSC 2 | Inventory of Authorized and Unauthorized Software | 73 | 67
CSC 3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | 69 | 57
CSC 4 | Continuous Vulnerability Assessment and Remediation | 87 | 83
CSC 5 | Controlled Use of Administrative Privileges | 60 | 25
CSC 6 | Maintenance, Monitoring, and Analysis of Audit Logs | 63 | 55
CSC 7 | Email and Web Browser Protections | - | -
CSC 8 | Malware Defenses | 40 | -
CSC 9 | Limitation and Control of Network Ports, Protocols, and Services | 20 | -
CSC 10 | Data Recovery Capability | 100 | -
CSC 11 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | 66 | 38
CSC 12 | Boundary Defense | 48 | -
CSC 13 | Data Protection | 76 | -
CSC 14 | Controlled Access Based on the Need to Know | - | -
CSC 15 | Wireless Access Control | 92 | -
CSC 16 | Account Monitoring and Control | 30 | -
CSC 17 | Security Skills Assessment and Appropriate Training to Fill Gaps | - | -
CSC 18 | Application Software Security | 4 | -
CSC 19 | Incident Response and Management | 31 | 14
CSC 20 | Penetration Tests and Red Team Exercises | 43 | -

Where the slide shows only one percentage for a control it is listed in the first score column; the transcript does not indicate which of the two columns it came from. A dash means no score appears on the slide for that cell.

10 Interpreting the Heat Map
(Heat-map excerpt covering CSC 1 through CSC 9, as in the table on slide 9.)

The risk assessment will provide:
Detailed explanation of scoring and business risks
Recommended mitigation steps
Recommended priority for implementing changes
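To make "recommended priority" concrete, the following is an added example, not NYSTEC's scoring code and not part of the original slides. It takes the percentages transcribed from the heat map and turns them into a mitigation order, flags controls that cannot be ranked because the slide shows no score for them, and separately flags controls where what staff explain outruns what artifacts prove (a described-but-not-evidenced control is usually not operating consistently). The red/amber/green bands, the 20-point evidence-gap threshold, the choice to read a lone score as an explanation score, and the tie-break rule are all assumptions made for illustration.

```python
"""Rank CIS Top-20 controls from heat-map scores (added example).

Not NYSTEC's method. Scores are transcribed from the heat-map slide; the
two columns are read as "Explanation %" (what staff describe) and
"Artifacts %" (what documents and evidence prove). Where the slide shows a
single number it is recorded as an explanation score (assumption). The RAG
bands, evidence-gap threshold and ranking rule are assumptions.
"""
from statistics import mean

# Constructed from the slide: (control, description, explanation %, artifacts %).
# None marks a cell with no score on the slide.
HEAT_MAP = [
    ("CSC 1",  "Inventory of Authorized and Unauthorized Devices", 80, 75),
    ("CSC 2",  "Inventory of Authorized and Unauthorized Software", 73, 67),
    ("CSC 3",  "Secure Configurations for Hardware and Software", 69, 57),
    ("CSC 4",  "Continuous Vulnerability Assessment and Remediation", 87, 83),
    ("CSC 5",  "Controlled Use of Administrative Privileges", 60, 25),
    ("CSC 6",  "Maintenance, Monitoring, and Analysis of Audit Logs", 63, 55),
    ("CSC 7",  "Email and Web Browser Protections", None, None),
    ("CSC 8",  "Malware Defenses", 40, None),
    ("CSC 9",  "Limitation and Control of Network Ports, Protocols, and Services", 20, None),
    ("CSC 10", "Data Recovery Capability", 100, None),
    ("CSC 11", "Secure Configurations for Network Devices", 66, 38),
    ("CSC 12", "Boundary Defense", 48, None),
    ("CSC 13", "Data Protection", 76, None),
    ("CSC 14", "Controlled Access Based on the Need to Know", None, None),
    ("CSC 15", "Wireless Access Control", 92, None),
    ("CSC 16", "Account Monitoring and Control", 30, None),
    ("CSC 17", "Security Skills Assessment and Appropriate Training", None, None),
    ("CSC 18", "Application Software Security", 4, None),
    ("CSC 19", "Incident Response and Management", 31, 14),
    ("CSC 20", "Penetration Tests and Red Team Exercises", 43, None),
]

RED_BELOW, AMBER_BELOW = 40, 70   # assumed RAG bands, not from the slide
EVIDENCE_GAP = 20                 # assumed: explanation minus artifacts worth a finding


def readiness(expl, arts):
    """One readiness number per control: mean of the scores that exist.
    Returns None when the slide gives no score at all."""
    scores = [s for s in (expl, arts) if s is not None]
    return mean(scores) if scores else None


def rag(score):
    """Map a readiness score onto a heat-map colour band."""
    if score is None:
        return "UNSCORED"
    if score < RED_BELOW:
        return "RED"
    if score < AMBER_BELOW:
        return "AMBER"
    return "GREEN"


def prioritize(rows=HEAT_MAP):
    """Return (ranked, unscored). ranked lists (control, band, readiness)
    worst first; ties break on the weaker evidence score, then on control
    number. unscored controls need evidence gathering before they can be
    ranked at all, so they are reported rather than silently dropped."""
    scored, unscored = [], []
    for ctl, _desc, expl, arts in rows:
        r = readiness(expl, arts)
        if r is None:
            unscored.append(ctl)
            continue
        evidence = arts if arts is not None else expl
        scored.append((r, evidence, int(ctl.split()[1]), ctl, rag(r)))
    scored.sort()
    return [(ctl, band, round(r, 1)) for r, _, _, ctl, band in scored], unscored


def evidence_gaps(rows=HEAT_MAP, threshold=EVIDENCE_GAP):
    """Controls where the explanation score exceeds the artifacts score by
    at least `threshold` points: claimed but not evidenced."""
    return [
        (ctl, expl - arts)
        for ctl, _desc, expl, arts in rows
        if expl is not None and arts is not None and expl - arts >= threshold
    ]


if __name__ == "__main__":
    ranked, unscored = prioritize()
    print("Mitigation order (worst first):")
    for ctl, band, score in ranked:
        print(f"  {ctl:<7} {band:<6} {score:>5}")
    print("Unscored, gather evidence first:", ", ".join(unscored))
    print("Evidence gaps (explanation - artifacts):", evidence_gaps())
```

On the slide's own numbers this puts CSC 18 (application software security), CSC 9 (network ports and services), CSC 19 (incident response) and CSC 16 (account monitoring) at the top of the list, and it calls out CSC 5 (administrative privileges) and CSC 11 (network device configuration) as controls that staff describe far better than the artifacts support, which is the kind of "hot spot" the report's narrative explanation should address before funding is requested.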

11 NYSTEC Cyber Protections Services Menu
Services:
Self-assessment surveys
CIS Top-20 gap assessment worksheets
System characterization of critical assets
In-person and phone interviews
Review of policies and procedures
Maturity review of documents and artifacts
Completion of the NYSTEC risk assessment matrix
Review of the completed risk assessment matrix
Networked device vulnerability analysis
Web application scanning

County tiers:
Small: smaller counties that have few critical assets or a small cyber presence
Medium: medium-sized counties with critical assets and a significant cyber footprint
Large: larger counties with significant cyber assets and a large footprint

12 Thank you Questions?

