ACM Retreat - Today s Topics:

Transcription

1 ACM Retreat - Today s Topics: Phase II Cyber Risk Management Services - What s next? Policy Development External Vulnerability Assessment Phishing Assessment Security Awareness Notification Third Party Risk Management Policies & Training Understanding the MEL s Cyber Risk Management Program

2 Cyber Risk Management Services What's Next?

3 What's Next Work with the JIF to develop templates to simplify implementation of relevant Policies and Standards. These will mitigate the most notable and common risks identified by the Loss Focused Risk & Gap Assessments and stay in-line with the MEL s Cyber Risk Management Program. HR Screening Policy Segregation of Duty Policy Password Management Policy Data Encryption Policy Disaster Recovery Policy Incident Response Policy Backup Policy

4 What's Next External Vulnerability Assessment Assess the external security posture of members via monthly network Vulnerability Assessments (VA) to ensure members are not immediately vulnerable to outside technical attack. Provide VA alerting s to each member with details if a high or critical risk is identified that details the vulnerability as well as potential solutions for remediation.

5 What's Next Phishing Assessments Monthly Phishing/Vishing assessments to ensure that members are not vulnerable to social engineering attacks likely to result in cyber claims. If a user is phished, they will be provided details on how they could have determined the was social engineering which ties back to the Ten Tips to Avoid being Hooked handout.

6 Example

7 What's Next Security Awareness Notification Provide the FUNDs members with regular (i.e. monthly) reminders and notifications on cyber security and other relevant timely information regarding recent cyber security threats and how to manage those threats. Provide the FUNDs members with regular (i.e. monthly) reminders regarding the regular updating of antivirus software and, on an as needed basis, provide notification to the members of major network software updates (i.e. Microsoft) when released by the manufacturer.

8 What's Next Third Party Risk Management Policies & Training Develop a TPRM Policy for review and approval by the funds Develop a template that can be used to ascertain vendor risk Develop simple Partner/Vendor Assessment template for High & Medium Risk Classification that includes potential vendor and vendor employee certifications/credentials that are appropriate to the use case/risk Develop sample contract inclusions for High, Medium, and Low Risk Partner/Vendors Provide guidance on the certifications/credentials/experience of IT professionals that can be used by the funds members to support their TPRM efforts Provide training on TPRM at JIF annual Meetings (as desired by JIF Administrators)

9 Understanding the MEL s Cyber Risk Management Program The program establishes a minimum set of technology proficiency standards and provides reimbursement of up to $7,500 of a member s deductible if they are in compliance with the minimum standards at the time of a claim.

10 Understanding the Program Back-Up 1. Daily incremental backups with at least 14 days of versioning on off-network devices for data files 2. Weekly off-network full backups of all devices 3. All backups are spot-checked monthly Patch 1. All operating and application software with latest versions. Defensive Software 1. All desktops and laptops: antivirus, firewall enabled 2. Mail server: anti-spam and anti-virus filters 3. Internet connected network servers: firewall on all active ports, unused ports closed, anti-virus, anti-malware 4. If applicable, Microsoft Office applications open all downloaded files in Protected Mode

11 Understanding the Program Training 1. All network users receive annual training of at least one hour, spread over two years, in: a) malware identification ( and websites) b) password construction c) identifying security incidents & social engineering attacks Incident Response Plan 1. Adopted basic cybersecurity incident response plan Physical Server Access 1. Servers are physically protected from unauthorized access Access Privilege Controls 1. Users with administrator rights are limited 2. Users only have access to those services they need 3. Access is removed when no longer needed or separated from service 4. Access rights are periodically reviewed

12 Understanding the Program Policies 1. Adopted sound and periodically reviewed government internet and use policies Protect Information 1. Files containing PII and PHI are password protected or encrypted Password Strength 1. Employees are required to use strong, unique passwords, changed at least annually Leadership Expertise 1. Leadership has access to expertise that supports technology decision making, such as risk assessment, planning and budgeting a) Officials b) Employees c) Contractors/consultants d) Citizen volunteers

13 Questions?