Business Manager
 Cyber Security Training
NYS Office of Cyber Security & Critical Infrastructure Coordination


Welcome
  • Training is required for State Agencies by NYS Information Security Policy (Cyber Security Policy P03-002)
  • NYS CSCIC offers Cyber Security training and materials to State and local government
  • Cyber Security Training Offerings:
    • Executive Briefing
    • Information Security Officer
    • Business Manager
    • Workforce Awareness

Kim Snyder

  • Senior Consultant, AMA, a Division of SAIC
  • Science Applications International Corporation (SAIC), is the nation's largest employee-owned research and engineering company, providing information technology, systems integration and eSolutions to commercial and government customers.
  • 19 years of IT experience in both the public and private sectors
  • Creation, design and delivery of an Information Security Awareness program for a large NYS agency
  • MIS Director for the State of Massachusetts Department of Medical Security
Training Objectives
  • Utilizing the NYS Information Security Policy as a tool for Counties
  • Assist you in managing the risk of security exposure or compromise to County business information, systems, or applications
  • Assist you in protecting the Confidentiality, Integrity and Availability of information in all County Departments
  • Assist you in recognizing a security weakness or incident
AGENDA
Part One
  • What is Information Security and Why is it so important now?
  • What is the Information Security Officer's role?
  • What is the Business Manager's role?
  • Video
  • Baseline of Knowledge for Business Managers (People, Access, Technology)
AGENDA
Part Two
  • Risk assessment & checklist
  • Cyber War
  • Be a Security Role model
  • Summary
Your Packet
  • Agenda
  • PowerPoint slide Handouts
  • Information Security Officer's Roles and Responsibilities
  • Threats 101 Review
  • Risk Assessment
  • How to be a “Role Model”
  • Summary - Main Points of Policy
  • Information Security Resources for Counties
  • Evaluation

Information Security
What is Information?
What is Information Security?

Protecting Information from:

  • Unauthorized use
  • Modification
  • Destruction
  • Temporary or permanent loss
Why is Information Security so Important Now?
Ramifications
  • If County Information is Modified, Lost or Unavailable…
    • Will there be a loss of confidence in your department?
    • How much revenue may have been lost?
    • How much downtime for your customers, staff and yourself can you afford?
    • Will your public users be upset?
Information Security
Not Just A Technical Issue!
  • Business function
    • Protects government’s ability to conduct business
  • Management issue
    • Safeguards information assets:
      • Department specific information
      • Personnel related data
      • Shared data / partner’s data
2003 CSI/FBI Computer Crime & Security Survey
  • People
    • 80% reported insider abuse of network access
    • 82% reported independent hackers
  • Access
    • 45% reported unauthorized access by insiders
    • 22% of respondents did not know whether their website had been hacked
    • 15% of respondents did not know whether there had been unauthorized use of their computer systems
  • Technology
    • 82% reported virus incidents
    • 42% reported denial of service attacks
    • 36% reported system penetration

“CIA” Triangle

Information Security Officer

  • Coordinate the development and implementation of the information security policy, procedures, and other control processes
  • Consult on various computing platforms
  • Work to ensure the implementation of security measures
  • Evaluate new security threats and countermeasures and recommend risk mitigation to the Chief Information Officer and other management
  • Review and approve all external network connections to the County's network
  • Ensure appropriate awareness and education
  • Participate in the Development Life Cycle of Applications
  • Investigate alleged information security violations and lead the incident response
  • Assist with risk assessments
  • Be aware of laws and regulations that may affect security

Business Manager’s Role

  • Adhere to Policy
  • Protect the information you have been entrusted with
  • Understand the Risks
  • Understand the Ramifications
  • Be a Security Role Model
  • Support your Staff
Baseline Knowledge
People Risks
  • There must be full cooperation with:
    • Policies, Procedures, Programs
    • Controls in place, or developed, to ensure a secure environment
  • Tools are only as effective as the people and processes that use them
Baseline Knowledge
People Risks

Physical:

  • Secure work areas
  • Lock buildings, offices, file cabinets

Human:

  • Lack of awareness
  • Intentional / Unintentional
  • Social Engineering /Dumpster Diving
Baseline Knowledge
Access Risks
  • Respect access rights
    • Understand the importance of granting / authorizing access
    • Understand the risks associated with improper or disregarded processes
    • Understand the importance of strong passwords – 1st level of defense
Baseline Knowledge
Access Risks
  • Information Owners role
    • (Some) Business managers are responsible for determining who should have access to protected resources within their jurisdiction
    • Assigning a classification to information
      • Confidential, Private, Restricted, Public, County/Department specific

Judy, Judy, Judy
From the NYS Cyber Security Awareness video 2003
8 minutes
What went Wrong?
Baseline Knowledge
Technology

  • Technology is a tool
  • Technology affects the way you:
    • Staff
    • Budget
    • Manage
    • Perform your day-to-day activities

Threats 101 Review

Handout of Common Threats

People and processes play a critical role – What you do on your desktop computer can and will affect others.
Be a Security Role Model

  • Support security awareness among your staff
  • Build Information Security into the process initially
  • Be proactive: avoid retrofitting and the added expense it brings
  • Include your Information Security Officer (Function) in any systems development
  • Utilize only legitimate hardware, software and downloads
  • Manage information security business risks
  • Notice an individual picking through the trash
  • Verify and validate a person’s identity and intention
  • Implement a clear screen, clear desk routine
  • Separate duties to improve security
  • NEVER circumvent or undermine controls that are in place

Office of Cyber Security & Critical Infrastructure Coordination (CSCIC): works collaboratively with the public and private sectors to foster communication and coordination.

Agencies/State Entities (SE): Each NYS Agency (State Entity) is responsible for the implementation of information security.

Information Security Officer (Function): Each County should have an Information Security Function led by an Information Security Officer (Function).

Social Engineering: An approach to gaining access to information through misrepresentation and lies; the deliberate manipulation of people to obtain security-critical assets, which then enables further security breaches. May take the form of impersonation by telephone, in person, or through email.

Dumpster Diver: An individual that searches through the trash for valuable information.

Hacker: An individual that takes advantage of known flaws; an opportunist. Hackers scan the Internet for vulnerable systems.

Respect access rights: Understand the importance of granting / authorizing access. If an individual leaves or is hired, there needs to be a policy in place to handle this.

  • Understand the classification of information
  • Understand the risks associated with improper or disregarded processes
  • Plan ahead: when a staffing requirement means an individual will need access rights, build that into the timeline
  • Inquire into backup policy: Critical data needs to be backed up at least every day
  • Understand that individual accountability protects everyone
  • Implement a strong password policy
  • NEVER disclose your password

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity: Understand that information must be reliable. Assure that data has not been altered or destroyed from its intended form or content in an unintentional or an unauthorized manner.

Availability: This is the ‘property’ of being operational, accessible, functional and usable upon demand by an authorized entity, e.g. a system or user.

Information Owners: Business managers may be responsible for determining who should have access to protected resources within their jurisdiction. 

Note: If you are an Information Owner: classify the information, assign a value to it, and determine who gets access and how soon that information must be available if a disaster, etc. occurs.

Strong Password:

  • Eight Characters
  • Include a minimum of 2 numbers
  • Never write them down or divulge your password
  • Change every 30 – 90 days
  • Do not use words
  • Use a phrase

To reduce the risk of contracting malicious code, avoid Internet misuse.  Surfing to non-business related sites leaves you vulnerable.

  • Only utilize business related sites
  • Enable Virus Protection
  • Check with the sender if you are not expecting the attachment
  • Cooperate with IT’s instructions regarding Security Patches
  • NEVER open suspicious attachments or unexpected Email.
  • NEVER install hardware or software without IT approval
  • NEVER download any programs without IT approval

Spam (Unsolicited Commercial E-mail, UCE): Electronic junk mail. Spam robs your organization of productivity and of system resources.

Virus: A program that replicates itself on computer systems by incorporating itself into other programs that are shared among computer systems. Once in the new host, a virus may damage data in the host’s memory, display unwanted messages, crash the host or, in some cases, simply lie dormant until a specified event occurs (e.g., the birth date of a historical figure).

Trojan Horse: Malicious code hidden in a legitimate program that, when executed, performs some unauthorized activity or function.

Worm: A program similar to a virus that can consume large quantities of network bandwidth and spread from one network to another.

Denial of Service Attack (DoS): An attack that takes up so much of the company’s business resource that it results in degradation of performance or loss of access to the company’s business services or resources.

Respect the hardware and software used on your network or infrastructure. Tampering with or installing hardware or software can leave the system vulnerable and, in the case of software, can violate copyright laws.

  • Report any suspicious activity to your INFORMATION SECURITY OFFICER (FUNCTION)
  • Consider a “Power On” password for Laptops/PDAs
  • Enable security on wireless devices
  • Secure equipment with a lock when possible
  • NEVER attach any (rogue) device to your network – security must be implemented at each access point (i.e. laptop, modem)
  • NEVER disable Anti Virus protection
  • NEVER use SW such as instant messaging without INFORMATION SECURITY OFFICER (FUNCTION) approval
  • NEVER circumvent your organization’s procedures when dialing in, or when connecting over cable or DSL, while remotely connected to your organization’s network

LAN: A group of computers and associated devices that share a common communications line or wireless link and typically share resources within a small geographic area (for example, within an office building).

WAN: A geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a local area network.

Wireless Network: Allows portable computers to connect to a network from virtually anywhere within the building.  Wireless networks can be used in combination with cabled LANs.  If not installed properly, unauthorized access to your network and unauthorized reading or modifying of your data can occur.

IDS (Intrusion Detection System): Inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate someone attempting to break into or compromise a system.

Firewall: A security mechanism that creates a barrier between an internal network and an external network.

DMZ (Demilitarized zone): A semi-secured buffer or region between two networks, such as between the public Internet and the trusted private County network.

Remote Access:  Connecting to a network from a remote location via dial up, telephone or cable connection.

Virtual Private Network (VPN): A secure communication link that identifies who you are and authorizes access. It has to be organizationally approved, with the SW/HW installed by IT.

Rogue Device: An unapproved, insecure device added to your Network.

6 Areas to Consider During Risk Assessment - handout

  • Negative effects on credibility
    Will my actions, process, program or procedure result in negatively affecting the County's credibility?
    Ex: Imagine if health information, probation or social services information were posted publicly on the Internet.
  • Health and Safety
    Will my actions, process, program or procedure result in affecting the health, safety and welfare of another?
    Ex: Is someone going to die or be harmed? Corrupted information, altered drug-testing results for school bus drivers, altered bridge height specifications, or a system slowdown that prevents updated vehicle information (e.g. a stolen car) from reaching a sheriff all equal a negative impact.
  • Violation of the right to informational privacy or confidentiality
    Will my actions, process, program or procedure result in the breach of informational privacy or confidentiality?
    Ex: All personal information, SS#, health information, drug testing results, tax information etc. needs to be protected.
  • Violation of laws, regulations or contracts
    Will my actions, process, program or procedure result in the breach of any law, regulation or contract?
    Ex: Mental Hygiene Law in NY states: “if client information is exposed or divulged inappropriately, individuals can be financially accountable – personal financial liability upwards of $5,000…”
  • Operational Impact
    Will my actions, process, program or procedure result in impacting operations in a negative way?
    Ex: If systems are unavailable, 911 dispatch information systems crash, or email is not available, chaos can ensue or, at best, jobs cannot be done.
  • Financial consequences
    Will my actions, process, program or procedure result in loss of revenue, workforce downtime, litigation, or increased resource expenditure?
    Ex: If information is destroyed due to a virus or catastrophe, how could you restore it? What is the cost to reproduce or recreate it?

Ask:

  • What does our Information Security Officer think?  Has he or she been contacted?
  • How is this information classified? Confidential, restricted, public, other County department classification?
  • Who has a need to access this information?
  • What information security threats exist to this design for the project?
  • What happens if the application, program, website is not available to those who need the information?
  • As the information travels, does it need to be protected/encrypted so unauthorized eyes do not read it?
  • Are there any security risks associated with the proposed software?
  • To whom or what other organizations will this information be connected?
  • Will this be connected to the Internet?


Human, Access, Technical
Risk Assessment

  • Risk Assessment is a Business Process
  • As managers, you already manage risks
    • Budgets
    • Projects
  • There is another risk out there
    • Information Security
      • Consider threats, vulnerabilities to information security
      • Identify current weaknesses that could open your organization to compromise

Risk Assessment

  • Assets are:
    • Hardware
    • Software
    • Data
    • People
    • Processes

Examples of RISKS

Risk Assessment Simplified

  • Each asset has potential security exposures
  • Each security exposure needs to be found/identified
  • Its probability of occurrence has to be determined
  • And then the risks need to be prioritized
  • Create an action plan (fix, mitigate or accept the risk)
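The five steps above, worked through in code as an added example (not part of the CSCIC training materials): a small risk register that scores each exposure by probability and worst-case impact across the handout's six areas, ranks them, and assigns fix / mitigate / accept. The asset types, impact areas and three outcomes come from the slides; the 0-5 impact scale, the thresholds and the sample exposures are constructed assumptions.

```python
"""Added example (not from the CSCIC deck): 'Risk Assessment Simplified' in code.
Asset categories, the six impact areas and the fix/mitigate/accept outcomes come
from the slides; scales, thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass, field

ASSET_TYPES = {"hardware", "software", "data", "people", "processes"}
# The six areas from the risk-assessment handout, used as impact dimensions.
IMPACT_AREAS = ("credibility", "health_safety", "privacy", "legal",
                "operational", "financial")


@dataclass
class Exposure:
    asset: str
    asset_type: str
    description: str
    probability: float                           # 0.0 .. 1.0 (assumed scale)
    impact: dict = field(default_factory=dict)   # area -> 0..5 (assumed scale)

    def __post_init__(self):
        # Step 1 and 2: every exposure is tied to a named asset of a known type.
        if self.asset_type not in ASSET_TYPES:
            raise ValueError(f"unknown asset type: {self.asset_type}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        for area, level in self.impact.items():
            if area not in IMPACT_AREAS or not 0 <= level <= 5:
                raise ValueError(f"bad impact entry: {area}={level}")

    def score(self) -> float:
        # Step 3: risk = probability x worst-case impact across the six areas.
        # The maximum (not the sum) keeps one severe area such as
        # health_safety from being diluted by low scores elsewhere.
        return round(self.probability * max(self.impact.values(), default=0), 2)


def plan_action(score: float, fix_at: float = 3.0, accept_below: float = 1.0) -> str:
    """Step 5: map a score to the deck's three outcomes (thresholds are assumed)."""
    if score >= fix_at:
        return "fix"
    if score >= accept_below:
        return "mitigate"
    return "accept"


def prioritize(exposures: list[Exposure]) -> list[tuple[str, float, str]]:
    """Step 4: rank highest risk first, then attach the planned action."""
    ranked = sorted(exposures, key=lambda e: e.score(), reverse=True)
    return [(e.description, e.score(), plan_action(e.score())) for e in ranked]


# Constructed sample register for a fictional county department.
SAMPLE_REGISTER = [
    Exposure("probation case files", "data", "case files e-mailed unencrypted",
             0.6, {"privacy": 5, "legal": 4, "credibility": 4}),
    Exposure("dispatch server", "hardware", "no tested backup of 911 dispatch data",
             0.3, {"health_safety": 5, "operational": 5}),
    Exposure("front-desk staff", "people", "no training on social engineering",
             0.5, {"privacy": 3, "credibility": 2}),
    Exposure("office printer", "hardware", "toner runs out on busy days",
             0.9, {"operational": 1}),
]

if __name__ == "__main__":
    for description, score, action in prioritize(SAMPLE_REGISTER):
        print(f"{score:4.2f}  {action:8}  {description}")
```

Ties keep their register order, so two exposures with the same score are reviewed in the order they were recorded rather than silently reordered.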

Risk Assessment Summary

  • Utilize your:
    • County Information Security Officer/Function
      • Include them in your next kickoff meeting for a new application
      • Invite them to your next on-going project meeting so they may address potential security concerns
    • IT Group
    • Information Owner Role

Resources to Help You

  • The County Information Security Officer/Function
  • The County Information Technology group
  • NYS Information Security Policy
  • The County Information Security Policy
  • Information Security Training offered by OCSCIC
  • Risk assessment checklist
    • 6 critical or important things to ask during a risk assessment

Helpful Websites


Be a Security Role Model handout

Policies

  • Familiarize yourself with Information Security Policies
  • Understand and utilize the minimum requirements and responsibilities set forth by the CSCIC New York State Information Security Policy to establish and maintain a secure environment
  • Understand your County’s Information Security Policy
  • Understand and comply with your Incident Reporting Policy
  • Understand how, when and to whom to report incidents or weaknesses
Awareness
  • Ask questions
  • Recognize common security weaknesses
  • Recognize the signs of a “potential” security incident
  • Know the threats (Human/Technical/Access (Threats 101))
  • Understand the cost of compromise
Understand IT's Role

(They Support Security – They do not Drive it)

  • Don’t circumvent or avoid processes (antivirus installation, wireless access, installing hardware, software)
  • Understand the need for patches, upgrades and system maintenance
  • Respect the need for following procedures (antivirus installation, wireless access, installing hardware, software)
Lead the Way
  • Assist your staff in understanding their roles and responsibilities regarding information security
  • Understand the importance of Risk Assessment
  • Work with your County Information Security Officer (Function)
  • Know your assets (Hardware / Software / Applications / People / Information)


Be a Security Role Model

  • Familiarize yourself with information security policies
  • Manage risks
  • Understand IT's role
  • Build in security in the beginning
  • Support the education of your staff
  • Encourage your staff to practice good security
  • Be aware
Lead the Way
  • Teach your staff about protecting information
  • Encourage them to participate in Information Security Training
  • Ask questions
  • Don’t circumvent procedures
  • Follow policies
  • Don’t become a bad statistic


Utilize the New York State Information Security Policy as a model for your County

The primary objectives of the New York State Information Security Policy are to:

  • Effectively manage the risk of security exposure or compromise within State Entities systems;
    • Be proactive, understand the risks: people, access, technology
  • Communicate the responsibilities for the protection of State Entities information;
    • Be a role model, be proactive and do not circumvent procedures
  • Establish a secure processing base and a stable processing environment;
    • Consult with your agency Information Security Officer.
  • Reduce to the extent reasonably possible the opportunity for errors to be entered into an electronic system supporting State Entities business processes;
    • Ensure that applications are tested before going into production.
  • Preserve management's options in the event of an information asset misuse, loss or unauthorized disclosure;
    • Immediately report suspicious activities and incidents to your agency Information Security Officer;
  • Promote and increase the awareness of information security in all State Entities.
    • Encourage your staff to participate in information security training and to practice good information security.
  • NYS Information Security Policy:
    • Agencies to develop their own policies and standards
    • Managers to be familiar with Information Security Policies
    • Managers to participate in Risk Assessments as necessary
    • Agencies to have an information security function (ISO)
    • Agencies to identify Information Owners
    • Managers and staff to attend Awareness Training and Education
Summary
  • Utilize the NYS Information Security Policy as a baseline
  • Create a County/Agency Information Security Policy
  • Designate an Information Security Officer Function
  • Work with your Information Technology Staff
  • Identify Information Owner Role
Summary
  • Doing it right the first time saves costs of recovery:
    • Workforce
    • Dollars
  • Work together
    • People are the greatest asset
    • Buy-in is essential
  • Be a “Security Role Model”
Questions?