Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update - PowerPoint PPT Presentation


Slides: 23
Provided by: informat1494
Transcript and Presenter's Notes


Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update
  • Rick Dakin, Security Strategist
  • September 18, 2007
  • V 1.4

  • Risk and Threat Review
  • CCSP Program Overview
  • Cyber Security Program
  • Policies, Plans and Standards
  • Risk Based Gap Analysis (RBGA) Program
  • Process Inventory and System Characterization
  • Risk Assessment and Gap Analysis
  • Security Plans
  • Remediation and Gap Closure Plans
  • Test and Accredit Operations
  • Questions and Open Discussion

Security Program Drivers
Enterprise Security Program critical drivers:
  • Reduced Tolerance for Service Disruption
  • Increasing Cyber Threats
  • More Regulatory Requirements

Compliance Trends
A Brief History of Regulatory Time
2000 - Present
  • USA Patriot Act 2001
  • EC Data Privacy Directive
  • CLERP 9
  • CAN-SPAM Act
  • Sarbanes Oxley (SOX)
  • CIPA 2002
  • Basel II
  • NERC 1200 (2003)
  • CISP
  • Payment Card Industry (PCI)
  • State Privacy Laws

1990 - 2000
  • Privacy Act of 1974
  • Foreign Corrupt Practices Act of 1977
  • EU Data Protection
  • FDA 21CFR Part 11
  • C6-Canada
  • GLBA

1980 - 1990
  • Computer Security Act of 1987

CCSP Program Overview
HB 06-1157 was incorporated into Colorado Revised Statute 24-37.5 part 4 in May 2006. The legislation established the Colorado Information Security Act with the following provisions:
  • Designate Chief Information Security Officer
  • Develop Colorado Cyber Security Program (CCSP)
  • Publish Cyber Security Rules and Associated
  • Submit an Annual Agency Cyber Security Plan (ACSP)
  • Include a Plan of Action and Milestones (POAM)
    with the ACSP (3 year phase-in period to achieve
    compliance with the CCSP)
  • Implement a Statewide Incident Response Program
  • Enhance Statewide Security Awareness and Training
  • Establish Security Evaluation and Reporting to
    Enforce the Program

RBGA Draft Versions
Security Policies Rule Review
  • Emergency Rule adopted December 20, 2006
  • Hearing conducted on January 5, 2007
  • Final Rule becomes effective early March, 2007

19 Policies

Organizational Policies
  • Cyber Security Planning
  • Incident Response
  • Information Risk Management
  • Vendor Management
  • Self Assessment
  • Security Training and Awareness
  • Security Metrics and Measurement
  • System Access and Acceptable Use
  • Online Privacy

Operational Policies
  • Data Classification and Disposal
  • Mobile Computing
  • Wireless Security
  • Network Operations
  • System and Application Security
  • Access Control
  • Change Control
  • Physical Security
  • Personnel Security
  • Disaster Recovery

Risk Based Gap Analysis (RBGA) Program
The RBGA program was intended to coordinate agency security planning and provide expert resources to jump-start the planning process. The process included:
  • Provide orientation to agencies on new CCSP and
  • Identify major systems and rate criticality
  • Review current security programs and existing
    policies, procedures and plans
  • Facilitate agency Risk Based Gap Analysis (RBGA)
    for major systems
  • Facilitate development of DRAFT Agency Cyber
    Security Plans (ACSP) with integrated Plan of
    Action and Milestones (POAM)
  • Support development of an executive briefing to
    align new Executive Directors to the risks within
    agency systems and plans to mitigate risks before

Security Planning Process
Developed by the National Institute of Standards and Technology
  • Risk Management Process
  • NIST SP 800-30 is an industry Best Practice
    referenced by the FFIEC to guide our risk
  • Inventory and Characterize Systems
  • Threat Identification
  • Vulnerability Assessment
  • Likelihood Determination
  • Impact Analysis
  • Recommend Risk Controls

The Ingredients of an Attack
Threat + Motive + Method + Vulnerability = ATTACK!

Systems Characterization
  • What do you do?
      • Mission critical processes
      • Key stakeholders
      • Map processes
  • How important are those functions?
      • Criticality rating (FIPS 199)
      • Priority for risk analysis and deployment of
  • What Systems are used?
      • Systems Inventory (applications, host platforms)
      • Service Providers
      • Diagrams

Threat Identification
  • Non-Human
      • Acts of Nature
      • Fire
      • Power Failures
      • Contamination
      • Configuration Errors
      • Systems Obsolescence
  • Human
      • Terrorist
      • Hacker
      • Disgruntled Employee
      • Vendors
      • Untrained Staff

Vulnerability Assessment
  • What systems and processes are used to support
    critical operations?
      • Servers
      • Software
      • Network Connectivity
      • User Access
      • Standard processes
  • What vulnerabilities could be exploited?
      • Patch levels
      • Unnecessary services
      • Security architecture
      • Monitoring and reporting
      • Access Controls
      • User behavior

Risk Analysis
Sample Risk Assessment (columns: Risks / Hazards, Controls Deployed, Recommended Remediation)
  • Risk: Security oversight may not identify and prioritize risk mitigation
    Controls deployed: IT Steering Committee
    Recommended remediation: Dedicate an Information Security Officer (ISO)
    to oversee development of the security program; formally establish an
    IT security committee with specific duties
  • Risk: IT security policy gaps fail to guide staff behavior
    Controls deployed: Only limited informal security policies
    Recommended remediation: A complete set of policies should be developed
    according to best practices; policies approved by IT Steering; staff
    trained
  • Risk: Business Continuity / Disaster Recovery plans are not adequate
    Controls deployed: Some system hardening and limited recovery plans or
    facilities are in place today
    Recommended remediation: A BCP/disaster recovery plan will have to be
    developed; deploy redundant facilities; train staff; update and test
    annually
  • Risk: Physical security does not protect critical systems
    Controls deployed: Physical security is limited only to the data rooms
    Recommended remediation: Develop and deploy a comprehensive physical
    security policy and plan for facility access, data center, access to
    network wiring infrastructure, media
  • Risk: Unauthorized access to data
    Controls deployed: Weak passwords; shared accounts; limited access
    granting process
    Recommended remediation: Upgrade access controls; access granting
    process; unique user ID; strong passwords (complexity)
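The risk management steps listed under Security Planning Process (inventory and characterize systems, identify threats and vulnerabilities, determine likelihood and impact, recommend controls) and the sample risk assessment rows above can be walked through end to end in code. The block below is an added illustration, not material from the presentation or from the CCSP program: it rates each inventoried system with the FIPS 199 high-water mark, scores each threat/vulnerability pair with the illustrative likelihood × impact weights from the 2002 edition of NIST SP 800-30 (likelihood 0.1/0.5/1.0, impact 10/50/100, binned as Low/Moderate/High), and ranks the resulting gaps so they can be entered into a POAM in priority order. The system names, threats, ratings and remediation text are constructed sample data modelled on the rows above.

```python
"""Worked risk-based gap analysis in the style of NIST SP 800-30.

Added example, not material from the presentation. It walks the slide's
steps: characterize systems (FIPS 199 high-water mark), pair threats with
vulnerabilities, rate likelihood and impact, and rank the resulting gaps
by risk for the POAM. Every system, threat and rating is constructed data.
"""
from dataclasses import dataclass

# FIPS 199 impact levels for the three security objectives, lowest first.
IMPACT_ORDER = ("low", "moderate", "high")

# Illustrative likelihood/impact weights from the 2002 edition of SP 800-30:
# risk = likelihood weight x impact weight, binned High (>50), Moderate (>10), Low.
LIKELIHOOD_WEIGHT = {"low": 0.1, "moderate": 0.5, "high": 1.0}
IMPACT_WEIGHT = {"low": 10, "moderate": 50, "high": 100}


@dataclass(frozen=True)
class System:
    """Step 1, system characterization: one rated entry from the inventory."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def criticality(self) -> str:
        """FIPS 199 high-water mark: the overall category is the highest
        impact level among the three security objectives."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=IMPACT_ORDER.index)


@dataclass(frozen=True)
class Gap:
    """Steps 2-5: a threat/vulnerability pair with its likelihood and impact
    ratings, the control in place today and the recommended remediation."""
    system: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls_deployed: str
    remediation: str

    def risk_score(self) -> float:
        return LIKELIHOOD_WEIGHT[self.likelihood] * IMPACT_WEIGHT[self.impact]

    def risk_level(self) -> str:
        score = self.risk_score()
        if score > 50:
            return "high"
        if score > 10:
            return "moderate"
        return "low"


def prioritize(systems: list, gaps: list) -> list:
    """Step 6, recommend controls by priority: highest risk first, ties broken
    by the criticality of the system the gap sits on."""
    crit = {s.name: IMPACT_ORDER.index(s.criticality()) for s in systems}
    return sorted(gaps, key=lambda g: (g.risk_score(), crit[g.system]), reverse=True)


def poam_lines(ranked: list) -> list:
    """Render the ranked gaps as plan-of-action lines, one per gap."""
    return [f"{i}. [{g.risk_level().upper()}] {g.system}: {g.vulnerability} "
            f"(threat: {g.threat}) -> {g.remediation}"
            for i, g in enumerate(ranked, start=1)]


# Constructed sample inventory and findings (hypothetical agency systems).
SYSTEMS = [
    System("Benefits eligibility portal", "high", "moderate", "moderate"),
    System("Facilities work-order tracker", "low", "low", "moderate"),
]

GAPS = [
    Gap("Benefits eligibility portal", "Hacker", "Shared accounts and weak passwords",
        "high", "high", "Limited access granting process",
        "Unique user IDs, password complexity, formal access granting process"),
    Gap("Benefits eligibility portal", "Power failure", "No tested recovery plan",
        "moderate", "high", "Some system hardening",
        "Develop and annually test a disaster recovery plan"),
    Gap("Facilities work-order tracker", "Untrained staff", "No written security policy",
        "moderate", "low", "Informal practices only",
        "Publish policies, have IT Steering approve them, train staff"),
]


if __name__ == "__main__":
    for system in SYSTEMS:
        print(f"{system.name}: FIPS 199 criticality = {system.criticality()}")
    for line in poam_lines(prioritize(SYSTEMS, GAPS)):
        print(line)
```

Running the block prints the two criticality ratings and then the gaps in POAM order: the shared-account finding on the high-criticality portal scores 100 (High), the untested recovery plan scores 50 (Moderate, since the 2002 matrix only calls a score High above 50), and the policy gap on the low-value tracker scores 5 (Low). The tie-breaker on system criticality matters when two findings carry the same score on different systems, which is where a criticality rating from the inventory step earns its keep.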
Point Solutions to Unified Security Programs
Diagram labels on the progression from Point Solutions to Unified Security Programs: Security Policy, Access Controls, Security Arch. Design, Unified IT Controls, Penetration Testing, Code Review, Virus Protection, Sec. Doc., Measure Control Effectiveness

Measure Control Effectiveness: maturity levels with CoBIT and NIST metrics
  • Level 1: Controls Designed and Selected
    CoBIT metric: Control Design Adequacy
    NIST metric: control objective documented in a security policy
  • Level 2: Control Deployed With REPEATABLE processes
    CoBIT metric: Control Design Adequacy
    NIST metric: security controls documented as procedures
  • Level 3: Controls Documented (Policies, Procedures, Inventories, Diagrams)
    CoBIT metric: Control Design Adequacy
    NIST metric: procedures have been implemented
  • Level 4: Oversight Provided (control effectiveness reports, IT oversight,
    evidence or work papers from internal or external reports / meeting
    minutes, formal accountability assigned)
    CoBIT metric: Control Effectiveness
    NIST metric: procedures and security controls are tested and reviewed
  • Level 5: Program Adjustment after Justification (Steering Committee
    review and recommendations, etc.)
    CoBIT metric: Control Effectiveness
    NIST metric: procedures and security controls are fully integrated into
    a comprehensive program

Security Plans
  • Leverage NIST SP 800-100 and SP 800-18
  • Organization Mission
  • Summary of Environment
  • Roles and Responsibilities
  • Summary of Risks
  • Selection of Controls
  • Deployment and Training
  • Test and Audit of Control Effectiveness
  • Accredit Systems Operations
  • Process to Enhance Plans

Plan of Action and Milestones (POAM)
Goal: Each risk assessment will identify gaps in current security plans that should be remediated by priority.
Timeline: Nov 07, Dec 07, Jan 08, Feb 08, Mar 08, Jul 08
  • Risk Assessment
  • Draft Security Plan
  • Update Policies
  • Remediate Gaps
  • Document and Train
  • Executive Briefing
  • Update Security Plans
  • Test and Accredit System

Lessons Learned
  • New processes take time: start early
  • New security planning processes require training
    even with seasoned IT professionals
  • It takes time and resources to deploy and manage
    controls: get key executives involved early to
    start planning budget impact
  • Why does it cost so much to protect systems that
    don't cost very much?
  • Even with a great security plan, you may still
    get compromised. Have an IR Plan.

Open Discussion
  • Questions
  • Feedback
  • Next Steps: What can you do?
  • Form a security oversight team
  • Launch a program with a Risk Assessment First
  • http//