Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update

1
Colorado Cyber Security Program (CCSP)Risk
Based Gap Analysis (RBGA) and Statewide Security
Planning Update

• Rick Dakin, Security Strategist
• September 18, 2007
• V 1.4

2
Agenda

• Risk and Threat Review
• CCSP Program Overview
• Cyber Security Program
• Policies, Plans and Standards
• Risk Based Gap Analysis (RBGA) Program
• Process Inventory and System Characterization
• Risk Assessment and Gap Analysis
• Security Plans
• Remediation and Gap Closure Plans
• Test and Accredit Operations
• Questions and Open Discussion

3
Security Program Drivers
Enterprise Security Program
Critical Drivers
Reduced Tolerance for Service Disruption
Increasing Cyber Threats
More Regulatory Requirements
4
Compliance Trends
A Brief History of Regulatory Time
2000- Present
1970-1980

• COPPA
• USA Patriot Act 2001
• EC Data Privacy Directive
• CLERP 9
• CAN-SPAM Act
• FISMA
• Sarbanes Oxley (SOX)
• CIPA 2002
• Basel II
• NERC 1200 (2003)
• CISP
• Payment Card Industry (PCI)
• State Privacy Laws

1990- 2000

• Privacy Act of 1974
• Foreign Corrupt Practice Actof 1977

• EU Data Protection
• HIPAA
• FDA 21CFR Part 11
• C6-Canada
• GLBA

1980- 1990

• Computer Security Act of 1987

5
CCSP Program Overview
HB 06-1157 was incorporated into Colorado Revised
Statute 24-37.5 part 4 in May 2006. The
legislation established the Colorado Information
Security Act with the following provisions

• Designate Chief Information Security Officer
  (CISO)
• Develop Colorado Cyber Security Program (CCSP)
• Publish Cyber Security Rules and Associated
  Policies
• Submit an Annual Agency Cyber Security Plans
  (ACSP)
• Include a Plan of Action and Milestones (POAM)
  with the ACSP (3 year phase-in period to achieve
  compliance with the CCSP)
• Implement a Statewide Incident Response Program
• Enhance Statewide Security Awareness and Training
• Establish Security Evaluation and Reporting to
  Enforce the Program

RBGA Draft Versions
6
Security Policies Rule Review

• Emergency Rule adopted December 20, 2006
• Hearing conducted on January 5, 2007
• Final Rule becomes effective early March, 2007

19 Policies Organizational Policies Cyber Security Planning Incident Response Information Risk Management Vendor Management Self Assessment Security Training and Awareness Security Metrics and Measurement System Access and Acceptable Use Online Privacy Operational Policies Data Classification and Disposal Mobile Computing Wireless Security Network Operations System and Application Security Access Control Change Control Physical Security Personnel Security Disaster Recovery
7
Risk Based Gap Analysis (RBGA) Program
The RBGA program was intended to coordinate
agency security planning and provide expert
resources to jump start the planning process.
The process included

• Provide orientation to agencies on new CCSP and
  policies
• Identify major systems and rate criticality
• Review current security programs and existing
  policies, procedures and plans
• Facilitate agency Risk Based Gap Analysis (RBGA)
  for major systems
• Facilitate development of DRAFT Agency Cyber
  Security Plans (ACSP) with integrated Plan of
  Action and Milestones (POAM)
• Support development of an executive briefing to
  align new Executive Directors to the risks within
  agency systems and plans to mitigate risks before
  submittal

8
Security Planning Process
Developed by The National Institutes of
Standards and Technology
9

• Risk Management
• Process
• NIST SP 800-30 is an industry Best Practice
  referenced by the FFIEC to guide our risk
  assessment.
• Inventory and Characterize Systems
• Threat Identification
• Vulnerability Assessment
• Likelihood Determination
• Impact Analysis
• Recommend Risk Controls

10
The Ingredients of an Attack
Threat Motive Method Vulnerability ATTACK!
11
Systems Characterization

• What do you do?
• Mission critical processes
• Key stakeholders
• Map processes
• How important are those functions?
• Criticality rating (FIPS 199)
• Priority for risk analysis and deployment of
  controls
• What Systems are used?
• Systems Inventory (applications, host platforms)
• Service Providers
• Diagrams.

12
Threat Identification

• Human Non-Human

• Acts of Nature
• Fire
• Power Failures
• Contamination
• Configuration Errors
• Systems Obsolescence

• Terrorist
• Hacker
• Disgruntled Employee
• Vendors
• Untrained Staff

13
Vulnerability Assessment

• What systems and processes are used to support
  critical operations ?
• Servers
• Software
• Network Connectivity
• User Access
• Standard processes
• What vulnerabilities could be exploited?
• Patch levels
• Unnecessary services
• Security architecture
• Monitoring and reporting
• Access Controls
• User behavior

14
Risk Analysis
HIGH
HIGH RISK
MEDIUM RISK
LOW RISK
LOW
HIGH
15
Sample Risk Assessment
Risks / Hazards Controls Deployed Recommended Remediation
Security oversight may not identify and prioritize risk mitigation IT Steering Committee Dedicate an Information Security Officer (ISO) to oversee development of the security program Formally establish an IT security committee with specific duties
IT security policy gaps fail to guide staff behavior Only limited informal security policies A complete set of policies should be developed according to best practices Policies approved by IT Steering Staff Trained
Business Continuity Disaster Recovery plans are not adequate Some system hardening and limited recovery plans or facilities are in place today A BCP/disaster recovery plan will have to be developed Deploy redundant facilities Train staff Update and test annually
Physical security does not protect critical systems Physical security is limited only to the data rooms Develop and deploy a comprehensive physical Security policy and plan for facility access, data center, access to network wiring infrastructure, media
Unauthorized access to data Weak passwords Shared accounts Limited access granting process Upgrade Access controls Access granting process Unique user ID Strong passwords (complexity)
16
Point Solutions
17
Unified Security Programs
Training
Sec. Doc.
Security Policy
Access Controls
Security Arch. Design
Unified IT Controls
Penetration Testing
Code Review
NIDS/HIDS
Hosting
Firewall
Virus Protection
18
Measure Control Effectiveness
CoBIT Metrics CoBIT Metrics CoBIT Metrics CoBIT Metrics CoBIT Metrics
Control Design Adequacy Control Design Adequacy Control Design Adequacy Control Effectiveness Control Effectiveness
1 2 3 4 5
Controls Designed and Selected Control Deployed With REPEATABLE processes Controls Documented Policies Procedures Inventories Diagrams Oversight Provided Control effectiveness reports IT oversight Evidence or work papers from internal or external reports / meeting minutes Formal accountability assigned Program Adjustment after Justification Steering Committee review and recommendations, etc
NIST Metrics NIST Metrics NIST Metrics NIST Metrics NIST Metrics
Level 1 control objective documented in a security policy Level 2 security controls documented as procedures Level 3 procedures have been implemented Level 4 procedures and security controls are tested and reviewed Level 5 procedures and security controls are fully integrated into a comprehensive program
19
Security Plans

• Leverage NIST SP 800 100 and SP 800-18
• Organization Mission
• Summary of Environment
• Roles and Responsibilities
• Summary of Risks
• Selection of Controls
• Deployment and Training
• Test and Audit of Control Effectiveness
• Accredit Systems Operations
• Process to Enhance Plans

20
Plan of Action and Milestones(POAM)
Goal Each risk assessment will identify gaps in
current security plans that should be remediated
by priority.
Nov 07 Dec 07 Jan 08 Feb 08 Mar 08 Jul 08

• Risk Assessment
• Draft Security Plan
• Update Policies
• Remediate Gaps
• Document and Train
• Executive Briefing
• Update Security Plans
• Test and Accredit System

21
Lessons Learned

• New processes take time Start Early
• New security planning processes require training
  even with seasoned IT professionals
• It takes time and resources to deploy and manage
  controls get key executives involved early to
  start planning budget impact
• Why does it cost so much to protect systems that
  dont cost very much?
• Even with a great security plan, you may still
  get compromised. Have an IR Plan.

22
Open Discussion

• Questions
• Feedback
• Next Steps What can you do?
• Form a security oversight team
• Launch a program with a Risk Assessment First
• http//www.colorado.gov/cybersecurity/