Records Management: Cyber Security or Cyber Insecurity

Robert Pence, ITIL, CBCP, CCEP, PDS-FEMA
Sr. Manager of Emergency Management, Compliance & Ethics
With: Alaska Communications Systems
Phone: (907) 244-4589
Email: robertpence@outlook.com

Agenda
What we don't know can hurt us
Insecurity comes from knowledge, security comes from action
Best practices: records security and lessons learned
What to know about securing records and what level of security
What we don't know can hurt us

Have you read all the cyber reports and attacks on organizations, and heard about CEOs quitting? We know cyber danger is out there, but what are the chances of getting attacked?

"81% of the applications we tested contained at least one vulnerability relating to the environment."

Key Takeaway: Successful action comes from clear knowledge

Retrieved April 2014, from ArcSight: http://images.info.arcsight.com/web/arcsight/%7b201bc2e0-26c4-435b-a995-c1273c435c12%7d_hp_cyber_security_risk_report_final_client_review_01_31_14.pdf

What we don't know can hurt us

What level of protection/security classification should be identified on records?

Examples of what a policy on records security classifications will provide your organization (make sure the organization knows the policy and how to find the policy):
1. Language: now your whole organization will speak the same language
2. Standard: everyone is on the same page
3. Clarity: no guessing
4. Move: how to move records at different levels, and on what systems
5. Access: who can view
6. Controls: how to ensure levels and access are enforced
7. Provides protection: lessens exposure and risk, and protects competitive edge
8. Saves resources: you don't have to secure everything at the highest level

Example of records classification (your organization will need to identify levels that fit your culture):
Top Secret
Secret
Classified
Unclassified

Key Takeaway: Standardize and clarify security classifications in a policy

Great resource for building your own policy, retrieved April 2014 from University of California, Berkeley: https://security.berkeley.edu/data-class-intro?destination=node/421
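As an added illustration of how the "Move", "Access" and "Controls" items of such a policy can be enforced in code (example code, not from the deck or from Alaska Communications), the following assumes the four levels above are strictly ordered from Unclassified up to Top Secret, that a reader may only view a record at or below their clearance, and that the approved-system table and the declassification-authority flag are constructed for the example:

```python
from dataclasses import dataclass

# The deck's four levels, ordered low to high (the ordering is an assumption).
LEVELS = ["Unclassified", "Classified", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Which systems may hold records of each level: constructed for this example.
APPROVED_SYSTEMS = {
    "Unclassified": {"public-share", "records-vault"},
    "Classified": {"records-vault"},
    "Secret": {"records-vault"},
    "Top Secret": {"secure-vault"},
}
AUDIT = []  # control evidence: every allow/deny decision is recorded for review

@dataclass
class Record:
    record_id: str
    level: str
    system: str

@dataclass
class User:
    name: str
    clearance: str
    declassification_authority: bool = False  # hypothetical role flag

def can_view(user, record):
    """Access (policy item 5): clearance must be at or above the record level."""
    allowed = RANK[user.clearance] >= RANK[record.level]
    AUDIT.append(f"view {record.record_id} by {user.name}: {'ALLOW' if allowed else 'DENY'}")
    return allowed

def move_record(user, record, new_level, new_system):
    """Move (item 4) under controls (item 6): target system must be approved for the
    new level, the mover must be cleared for both levels, and lowering a level
    (declassification) requires the declassification authority."""
    if new_system not in APPROVED_SYSTEMS[new_level]:
        AUDIT.append(f"move {record.record_id}: DENY, {new_system} not approved for {new_level}")
        return False
    if RANK[user.clearance] < RANK[new_level] or not can_view(user, record):
        AUDIT.append(f"move {record.record_id}: DENY, {user.name} not cleared")
        return False
    if RANK[new_level] < RANK[record.level] and not user.declassification_authority:
        AUDIT.append(f"move {record.record_id}: DENY, {user.name} lacks declassification authority")
        return False
    record.level, record.system = new_level, new_system
    AUDIT.append(f"move {record.record_id}: ALLOW -> {new_level} on {new_system}")
    return True
```

The AUDIT list is what the "Controls" item buys you: a reviewer can see every denied read-up and every downgrade, and who performed it.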
What we don't know can hurt us

Government updates
National: FBI InfraGard covers all events, but mostly cyber, and also holds an annual local conference (free)
DHS NCC (National Coordinating Center): coordinating centers are organized by critical infrastructure / industry

Private/public partnerships
APIP (Alaska Partners for Infrastructure Protection): looks at crisis events and the latest issues and dives into partnering to protect Alaska's infrastructure (private and public sector)
RIMS: deals with all types of risk

Vendors / news / journals
Disaster Recovery Journal
CEB Legal: pay for service
Dark Reading: security, IT
GovSec: updates on the latest events
Compliance and Ethics Professional

Key Takeaway: Find the sources that work best for you; it is not possible to read them all.

Insecurity comes from knowledge, security comes from action

Anecdote: a child versus an adult watching the same scary movie

Child: can't distinguish fantasy from reality
Knowledge: mixes up what is real versus fantasy
Action: protection against fantasy; can't sleep, has nightmares, and develops irrational fears
Inaction: real risks, like chasing a ball into a street or a stranger, are lost amongst the irrational fears

Adult: an occasional jump or racing heart may occur, but lingering fear of the fantasy is irrational
Knowledge: understands what is real versus fantasy
Action: protection against real-world risk; spends valuable and limited time and resources on real protection. Knows their appetite for fear and will leave the theater if necessary
Inaction: for fears that are irrational

Key Takeaway: There is no one path to protection
Insecurity comes from knowledge, security comes from action

Compare the anecdote of the scary movie: the adult is the experienced records cyber professional, and the child is the person inexperienced with records management and cyber.

Adult / SME
Knowledge:
1. Risk analysis is performed
2. Understands the organization's risk appetite
3. Knows the laws & regulations for records
Action: action is specific and controlled; the latest fears or trends are reviewed, but acted on only if needed.
Inaction: ROI; knows that some risks to records will get little or no resources because they are of little risk and the ROI is minimal

Child / Inexperienced
Knowledge:
1. Risk analysis is not performed, so there is no basis of knowledge
2. Understands leadership's appetite for risk
3. Does not know the laws and regulations for records
Action: action is random; reacts to the latest fear or trend, but does not know if it is a real concern for the organization
Inaction: inaction is random; does not know their environment, risk, appetite, or even what the organization is good at

Key Takeaway: Every organization is unique; find your own zen.

Best practices: records security and lessons learned

NIST: US Department of Commerce standards
ISO: International Organization of Standards (yes, it is backwards; don't blame me, that is how it is translated)
QuICS: University of Maryland

So following a standard will make our organization safe? Nope, not even close!

Key Takeaway: Am I safe and secure yet? Not yet!
Best practices: records security and lessons learned

Standards can't make your organization 100% safe and secure (or even close).
An incident response plan is critical (separate presentation).
Approach this task responsibly, rationally, and most importantly, calmly!
Records cyber security is not successful because you implemented a standard or because one department got all focused! Involving all of these departments, and more, will be necessary for success:
1. Compliance & Ethics: works with HR, Legal, IT, etc. to define the controls and policies
2. IT, Network, Field Ops: implement an ITIL model for change, incidents, controls, etc.
3. NOC: monitors, facilitates, escalates, and communicates an incident
4. Legal & Regulatory: monitors the regulatory environment, recommends guidelines on records, etc.

Key Takeaway: No one person/department is as smart as all of us.

What to know about securing records and what level of security

Level of security can be simplified into your basic three layers (the diagram is an example from Northrop Grumman and shows lots of detail):
1. Physical: building security against both manmade and natural disasters
2. Virtual: applications, systems, firewalls, monitoring, etc.
3. Policy or Controls: how you manage access, provide guidance and direction, and control the environment against internal corruption

Key Takeaway: Protection comes in many layers

Resource from March 2014 from Industrial ip.org: http://www.northropgrumman.com/aboutus/contracts/managedservices/pages/securityservices.aspx
Contacts, Resources, References, and Any Questions

Any questions?

Robert Pence, ITIL, CBCP, CCEP, PDS-FEMA
Sr. Manager of Emergency Management, Compliance & Ethics
With: Alaska Communications Systems
Phone: (907) 244-4589
Email: robertpence@outlook.com

Retrieved March 2014, from Northrop Grumman: http://www.northropgrumman.com/aboutus/contracts/managedservices/pages/securityservices.aspx
Retrieved April 2014, from University of California, Berkeley: https://security.berkeley.edu/data-class-intro?destination=node/421
Retrieved April 2014, from ArcSight: http://images.info.arcsight.com/web/arcsight/%7b201bc2e0-26c4-435b-a995-c1273c435c12%7d_hp_cyber_security_risk_report_final_client_review_01_31_14.pdf
Retrieved May 2014, from Oracle: http://docs.oracle.com/cd/e23943_01/doc.1111/e10640/c06_classifications.htm

Key Takeaway: Choose your poison, death by standard!