I. Contact Information: Lynn Herrick Director, Technology Integration and Project Management Wayne County Department of Technology

Transcription

1 CySAFE Security Assessment Tool Wayne County, Michigan P a g e 1 I. Contact Information: Lynn Herrick Director, Technology Integration and Project Management Wayne County Department of Technology II. Program Information: Program Title: CySAFE Security Assessment Tool Program Category: Information Technology 1. Abstract: In the complex landscape of Cyber Security, local governments often have difficulty knowing what security measures to prioritize in an ever-changing threat environment. CySAFE (Cyber Security Assessment for Everyone) was created through a collaborative effort of Wayne County, Michigan with four other Michigan counties and the State of Michigan. It is a free Cyber Security assessment tool that helps small and mid-sized government agencies assess, understand, and prioritize their IT security needs. Built upon three leading IT security frameworks: 20 Critical Controls, ISO and NIST, CySAFE combines controls from all three frameworks into a single master list, eliminating redundancy. The tool, which is MS-Excel based automatically calculates a risk profile as it is filled out. 2. The Problem/Need for the Program: The need has never been greater for organizations to institute, maintain, and improve their Cyber Security programs. This may be especially true for small and mid-sized government agencies who, until recently, have not been targeted with the same intensity as private companies and larger government entities and who, correspondingly, have typically not focused on creating robust cyber security programs. The interrelated problems that many local governments face today as they attempt to institute cyber security programs are: where to begin and how to prioritize. The CySAFE assessment tool addresses both of these issues.

2 CySAFE Security Assessment Tool Wayne County, Michigan P a g e 2 3. Description of the Program: The program consists of six steps that governments take using the Excel CySAFE tool: Step 1: Understand the Source Frameworks CySAFE was built upon current industry IT security standards: 20 Critical Controls, ISO and NIST. The tool contains a description of the 36 controls from each framework used with CySAFE. For more detailed background information on the security standards documents, users can refer to the links found in the Appendix worksheet. Step 2: Become Familiar With the Tool CySAFE was built in a Microsoft Excel workbook with eight worksheets. Each worksheet plays a different role in evaluating and understanding IT security readiness. The following worksheets are included: Instructions: Provides a general overview on how to use CySAFE Assessment: The assessment consists of a master list of 36 controls, across three key factors (cost, time and risk) and a rating scale of 0 5 Assessment Results: Provides a color coded list of each security control ordered by highest to lowest priority with the rating and CySAFE score, indicating the government agency's most important IT security initiatives Control Category & Summary: Controls are grouped into five categories and summarized in a chart and graphs to help improve IT security posture and track progress over time 20 CC: Provides a list of 19 selected controls including: control descriptions, examples of controls in place and the basic security level recommended ISO: Provides a list of 11 selected controls including: control descriptions, examples of controls in place and the basic security level recommended NIST: Provides a list of 6 selected controls including: control descriptions, examples of controls in place and the basic security level recommended Appendix: Provides links to the standards documents, reference documents and CySAFE contributors Step 3: Conduct an Assessment To begin the assessment, the user reviews the rating scale below and becomes familiar with the description for each number. The Assessment Rating Scale is adapted from the Carnegie Mellon University's Capability Maturity Model Integration (CMMI), a process

3 CySAFE Security Assessment Tool Wayne County, Michigan P a g e 3 improvement training and appraisal program. Next, the user selects the Assessment worksheet and enters a rating from 0 5 in Column I for each security control. Assessment Rating Scale: 0 Non Existent: Management Processes are not in place. Complete lack of any recognizable processes. The organization has not recognized that there is an issue to be addressed. 1 Initial Processes are ad hoc and disorganized: There is evidence that the organization has recognized that the issues exist and need to be addressed. However, there are no standardized processes. There are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized. 2 Repeatable Processes follow a regular pattern: Processes have developed to a stage where different people undertaking the same task follow similar procedures. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and errors are likely as a result. 3 Defined Processes are documented and communicated: Procedures have been standardized and documented and communicated through formal training. However, compliance with the procedures is left to each individual and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but are the formalization of existing practices. 4 Managed Processes are monitored and measured: It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way. 5 Optimized Best Practices are followed and automated: Processes have been refined to a level of best practice, based on the results of continuous improvement and benchmarking with other organizations and industry best practices. It is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

4 CySAFE Security Assessment Tool Wayne County, Michigan P a g e 4 Step 4: Review Assessment Results Once the assessment is completed, the user selects the Assessment Results worksheet and reviews the results. The worksheet will list 36 controls with the user s rating and the CySAFE Score sorted from highest to lowest priority. The list will be color coded to depict the user s government agency's most important IT security initiatives. Controls highlighted in red indicate the highest priority for IT security initiatives. Controls highlighted in orange indicate the next highest priority for IT security initiative, with those highlighted in yellow being the next highest priority. Step 5: Implement New Controls/Enhance Security Capability The user refers to the 20 Critical Controls, ISO and NIST documentation for information on how to mitigate the risks, enhance or implement the security controls. These documents provide the much needed detail and foundational information for the user s agency to move its security program forward. Step 6: Reevaluate on a Periodic Basis A reassessment with CySAFE should be done quarterly and whenever the government agency implements any new IT products or processes. Quarterly graphing capabilities are available in the Control Category and Summary worksheet to help agencies track their progress. 4. Responding to Economic Downturn: This program was not created in response to an economic downturn. 5. Use of Technology: The CySAFE tool was built using Microsoft Excel, including Excel macros. The program is delivered to government agencies via download available on several websites. Use of an industry-standard format enables the widest possible use of the tool. 6. Cost of the Program: The cost of the program was limited to the opportunity cost of the efforts involved to create and market the tool. No funds were expended in this effort.

5 CySAFE Security Assessment Tool Wayne County, Michigan P a g e 5 7. The Results/Success of the Program: To date, more than 200 government agencies across the U.S. have downloaded the tool for their own use. 8. Worthiness of an Award: As articulated above, this program meets the required award criteria: The program became operational after January 1, 2010, The program has measurable results. County officials and staff, as part of their official duties, played a significant role in developing and implementing the program, with limited assistance from outside technical experts and/or consultants. This program promotes intergovernmental cooperation and coordination in addressing shared problems. This program is innovative and does not rely on the application of techniques or procedures that are common practice in most counties of similar population size. All aspects of this program are consistent with acceptable governmental and financial management practices and promote general governmental accountability.