College and University Auditors of Virginia Conference, May 2019
SLAIT Consulting: Cyber Security
SLAIT CONSULTING.com

SLAIT Consulting, an ePlus Technology, Inc. Company
Ivan Gil, Sr. Information Security Consultant
Sr. Information Security Consultant assisting clients with their Information Security programs, including:
• Implementing Information Security Programs
• Developing and reviewing Information Security Policies
• Performing compliance assessments, Risk Assessments, Security Audits, and System Security Plans
• Conducting Vulnerability Scans and Penetration Testing
• Conducting Phishing, Vishing, and Social Engineering Campaigns
• 30+ years in Information Technology, the last 10 years in Cyber Security
• SLAIT Consulting, Northrop Grumman (VITA Program), Nemesys Corp.
Definition of Cyber Security:
• Cyber security refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.

Know Thyself
• Business Impact Analysis (BIA): What is important to the business?
• Data & System Classification: What type of data is your organization handling?
• Risk Assessment: What are the risks to your systems and data?
• System Security Plan: Document how you will remediate risk findings and protect your systems and data.
• Policies & Procedures: Develop, document, and disseminate.
• Feedback Loop: Gather feedback from the organization.
Business Impact Analysis (BIA): What is important to the business?
Business Impact Analysis
❖ Primary Business Functions
❖ Mission Essential
❖ Recovery Time Objective (Acceptable Downtime)
❖ Recovery Point Objective (Acceptable Data Loss)
❖ "Business Impacts" (if outage, corruption, breach, etc.)

Data & System Classification: What type of data is your agency handling?
Data/System Classification
❖ Analysis of all system data
❖ Ranked High, Medium, or Low
➢ In terms of:
• Confidentiality (exposure)
• Integrity (edits/corruption)
• Availability (up time)
❖ System classified based on data sensitivity or availability
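As an added illustration of the classification step (this is example code, not part of the original deck or of any SLAIT deliverable): the slide says a system is classified from the sensitivity or availability of the data it handles, but does not say how the per-data-type ratings roll up. The example below assumes the common "high-water mark" rule (the system inherits the highest rating of any data type it processes, on each of Confidentiality, Integrity and Availability), records which data type drove each axis so an auditor can trace the rating back, and orders the resulting systems for the risk assessment. The inventory, system names and data types are constructed for the example.

```python
"""Roll a system's High/Medium/Low classification up from its data inventory.

Added example. Assumption: high-water mark per CIA axis (the slide only says
the system is classified based on data sensitivity or availability).
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
AXES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class DataType:
    """One kind of data a system handles, rated on each CIA axis."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject ratings outside the three-level scale so a typo such as
        # "Hgh" cannot silently rank below "Low".
        for axis in AXES:
            if getattr(self, axis) not in LEVELS:
                raise ValueError(f"{self.name}: {axis} must be one of {list(LEVELS)}")


def classify_system(data_types):
    """Return per-axis ratings, the overall rating, and the data type that set each axis."""
    if not data_types:
        raise ValueError("a system with no data inventory cannot be classified")
    ratings, drivers = {}, {}
    for axis in AXES:
        # max() returns the first data type holding the highest rating on this axis.
        top = max(data_types, key=lambda d: LEVELS[getattr(d, axis)])
        ratings[axis] = getattr(top, axis)
        drivers[axis] = top.name
    ratings["overall"] = max((ratings[a] for a in AXES), key=LEVELS.__getitem__)
    ratings["drivers"] = drivers
    return ratings


def prioritize(inventory):
    """Order system names by overall rating, highest first, for the risk assessment."""
    rated = {name: classify_system(types) for name, types in inventory.items()}
    return sorted(rated, key=lambda n: LEVELS[rated[n]["overall"]], reverse=True)


# Constructed sample inventory (hypothetical systems and data types).
SAMPLE_INVENTORY = {
    "Student Information System": [
        DataType("student education records", "High", "High", "Medium"),
        DataType("public course catalog", "Low", "Medium", "Medium"),
    ],
    "Department web server": [
        DataType("public course catalog", "Low", "Medium", "Medium"),
    ],
    "Payroll": [
        DataType("direct deposit bank details", "High", "High", "Low"),
        DataType("time sheets", "Medium", "High", "Medium"),
    ],
}

if __name__ == "__main__":
    for system in prioritize(SAMPLE_INVENTORY):
        r = classify_system(SAMPLE_INVENTORY[system])
        print(f"{system}: overall {r['overall']} "
              f"(C={r['confidentiality']}, I={r['integrity']}, A={r['availability']}); "
              f"drivers {r['drivers']}")
```

The `drivers` field is the part an auditor will ask for: a "High" on the Student Information System is only defensible if the assessor can point to the data type that earned it. Note that the web server, which holds only the public catalog, still rates Medium on integrity and availability, so a "public data" system is not automatically Low.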
Risk Assessment: What are the risks to your systems and data?
❖ Considerations for the Risk Assessment:
➢ IT Asset Inventory
➢ Platform / Operating Systems
➢ Vulnerability Scans
➢ Change Control
➢ Configuration Management
➢ Access Control / Restrictions
➢ Remote Access
➢ Prior Findings
➢ Wireless Infrastructure
➢ Audit Logs (DB, Application, Server & Network)
➢ Incidents / Outages
➢ Boundary Protection
➢ Application Code
➢ Database Configuration
➢ Backups / Media Protection
➢ Environmental (Fire, Water, Temperature)

Continuity of Operations (COOP)
Continuity of Operations
❖ The business determines its NEEDS for continuing to operate during:
➢ An outage, corruption, breach or disaster (e.g. the "XYZ" application can be down for X hours before there is an impact to normal operations)
➢ The COOP plan may be to use paper and pencil, manual credit card processing, set up operations at an alternate location, etc.
➢ The PLAN to continue and restore operations is based largely on the BIA & Data Classification, in particular the Recovery Time Objectives
➢ Each business unit is responsible for providing input into the COOP

Disaster Recovery (DR)
Disaster Recovery
❖ How will IT support and service the business:
➢ During a corruption, breach or disaster?
➢ How will NGC/VITA be involved?
➢ What hardware, software and vendor needs has IT planned and implemented to provide restoration and recovery services and support?

System Security Plan: Document how you will remediate risk findings and protect your systems and data
❖ System Security Plan
➢ Roles & Ownership
➢ Security Configurations
➢ Security Baselines
➢ Role-Based Training
➢ Permissions
➢ Communications (POC)
➢ Architecture Diagrams
➢ Boundary Diagrams
➢ Data Flow Diagrams
➢ Media Protection

Policies and Procedures
Most control families will start with a requirement for a policy and a procedure!
NIST 800-53r4 and COV SEC501: "Develops, documents, and disseminates to..."
Examples:
• ACCESS CONTROL: Develops, documents, and disseminates to all organization personnel, contractors, and service providers with a responsibility to implement access controls:
• AWARENESS AND TRAINING: Develops, documents, and disseminates to all information system users (including managers, senior executives, and contractors):
• AUDIT AND ACCOUNTABILITY: Develops, documents, and disseminates to the appropriate organization-defined personnel and roles:
• SECURITY ASSESSMENT AND AUTHORIZATION: Develops, documents, and disseminates to authorized organization-defined personnel:
• CONFIGURATION MANAGEMENT: Develops, documents, and disseminates to all individuals providing system support and all system owners:
Without a policy, you do not have anything that you can assess against.
Compliance / Security

Compliance: Which regulations are you required to abide by?
Innovative Solutions for Forward Thinking Companies
Q & A

SLAIT Security Services
Ivan Gil
4405 Cox Rd., Suite #100, Glen Allen, VA 23060
T: (804) 632-8365  M: (804) 334-8074
www.slaitconsulting.com