Cyber Protections: First Step, Risk Assessment

Similar documents
ISE North America Leadership Summit and Awards

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Designing and Building a Cybersecurity Program

K12 Cybersecurity Roadmap

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

CyberSecurity: Top 20 Controls

Building Secure Systems

TIPS FOR AUDITING CYBERSECURITY

How to Develop Key Performance Indicators for Security

Automating the Top 20 CIS Critical Security Controls

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

How Breaches Really Happen

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

CISO as Change Agent: Getting to Yes

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

align security instill confidence

Les joies et les peines de la transformation numérique

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

WHO AM I? Been working in IT Security since 1992

NEN The Education Network

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Cybersecurity Today Avoid Becoming a News Headline

How to Conduct a Business Impact Analysis and Risk Assessment

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

Business continuity management and cyber resiliency

Putting the 20 Critical Controls into Action: Real World Use Cases. Lawrence Wilson, UMass, CSO Wolfgang Kandek, Qualys, CTO

What is Penetration Testing?

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

CCISO Blueprint v1. EC-Council

Privacy Implications Guide. for. the CIS Critical Security Controls (Version 6)

Building a Complete Program around Data Loss Prevention

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

2015 HFMA What Healthcare Can Learn from the Banking Industry

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Building Resilience in a Digital Enterprise

Mapping Cyber-Protections to Regulatory Requirements for Fintech

VIVOTEK. Security Hardening Guide

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cybersecurity for Health Care Providers

What It Takes to be a CISO in 2017

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Advanced IT Risk, Security management and Cybercrime Prevention

CompTIA Cybersecurity Analyst+

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

HIPAA Compliance Assessment Module

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Information Security Architecture Gap Assessment and Prioritization

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

RiskSense Attack Surface Validation for IoT Systems

Onapsis: The CISO Imperative Taking Control of SAP

A General Review of Key Security Strategies

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Risk Assessment: Key to a successful risk management program

ClearPass Ecosystem. Tomas Muliuolis HPE Aruba Baltics lead

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Personal Physical Security

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Nebraska CERT Conference

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

4/13/2018. Certified Analyst Program Infosheet

Checklist: Credit Union Information Security and Privacy Policies

PowerSC AIX VUG. Stephen Dominguez June 2018

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

Using Metrics to Gain Management Support for Cyber Security Initiatives

Cybersecurity Session IIA Conference 2018

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

ACM Retreat - Today s Topics:

THE POWER OF TECH-SAVVY BOARDS:

Information Security Policy

To Audit Your IAM Program

CYBERSECURITY MATURITY ASSESSMENT

Unified Communications Phase 2 Presentation to IT Services Users Group

Understanding IT Audit and Risk Management

Changing the Game: An HPR Approach to Cyber CRM007

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

The Future Is SECURITY THAT MAKES A DIFFERENCE. Implementing the 20 Critical Controls

Threat and Vulnerability Assessment Tool

Reinvent Your 2013 Security Management Strategy

Cyber Risk and Third Party Risk Management. Lisa Murphy First Horizon National Corporation

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

Cybersecurity The Evolving Landscape

Total Security Management PCI DSS Compliance Guide

Department of Management Services REQUEST FOR INFORMATION

FDIC InTREx What Documentation Are You Expected to Have?

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Transcription:

Cyber Protections: First Step, Risk Assessment Presentation to: Presented to: Mark LaVigne, Deputy Director NYSAC November 21, 2017 500 Avery Lane Rome, NY 13441 315.338.5818 www.nystec.com

In this presentation Cyber Protection Business Strategy The importance of cyber protection Cyber protection strategy Products of NYSTEC risk assessment Leveraging NYSTEC Cyber Protection Services 2

Importance of Cyber Protection Data breach at an upstate New York hospital Hackers gain access to NYS county s 911 system 3

Typical outcomes from a security incident Financial loss $154-$158 per Record* Regulatory penalties / contract issues Credit monitoring ~$40/person per year Cost of litigation and mitigation Productivity loss Reputation Damage Executive loses job 4 * 2016 Ponemon Institute https://securityintelligence.com/media/2016-costdata-breach-study/

Cyber Protection Strategy Begins with a comprehensive assessment of risk No quick-fix Must be baked in and not bolted on Full leadership commitment Holistic and multi-faceted approach 5 Continuous process

Value of a Risk Assessment Helps to identify: Threats to Systems Gaps in Defenses Likelihood of system compromise Business Impact Benefits: 6 Optimize Investment in Security Plan Implementation of Safeguards Justification for County and State Sponsors

NYSTEC Risk Assessment Results of the Risk Assessment: Detailed explanation of review CIS Top-20 Heat Map Prioritized mitigation plan Business Impact Value of the Risk Mitigation Plan: 7 Use to justify funding requests Identify where limited funds should be invested Maximize return on investment

NYSTEC Risk Assessment Product Adversarial Risks Non-Adversarial Risks 8

NYSTEC Compliance Heat Map Explanation Artifacts Control Control Description % % CSC 1 Inventory of Authorized and Unauthorized Devices 80 75 CSC 2 Inventory of Authorized and Unauthorized Software 73 67 CSC 3 Secure Configurations for Hardware and Software on Mobile 69 57 Devices, Laptops, Workstations, and Servers CSC 4 Continuous Vulnerability Assessment and Remediation 87 83 9 CSC 5 Controlled Use of Administrative Privileges 60 25 CSC 6 Maintenance, Monitoring, and Analysis of Audit Logs 63 55 CSC 7 Email and Web Browser Protections 69 57 CSC 8 Malware Defenses 60 40 CSC 9 Limitation and Control of Network Ports, Protocols, and 20 0 Services CSC 10 Data Recovery Capability 100 60 CSC 11 Secure Configurations for Network Devices such as Firewalls, 66 38 Routers, and Switches CSC 12 Boundary Defense 73 48 CSC 13 Data Protection 76 48 CSC 14 Controlled Access Based on the Need to Know 80 40 CSC 15 Wireless Access Control 92 60 CSC 16 Account Monitoring and Control 57 30 CSC 17 Security Skills Assessment and Appropriate Training to Fill Gaps 20 0 CSC 18 Application Software Security 4 0 CSC 19 Incident Response and Management 31 14 CSC 20 Penetration Tests and Red Team Exercises 63 43

Interpreting the Heat Map Explanation Artifacts Control Control Description % % CSC 1 Inventory of Authorized and Unauthorized Devices 80 75 CSC 2 Inventory of Authorized and Unauthorized Software 73 67 CSC 3 Secure Configurations for Hardware and Software on Mobile Devices, 69 57 Laptops, Workstations, and Servers CSC 4 Continuous Vulnerability Assessment and Remediation 87 83 CSC 5 Controlled Use of Administrative Privileges 60 25 CSC 6 Maintenance, Monitoring, and Analysis of Audit Logs 63 55 CSC 7 Email and Web Browser Protections 69 57 CSC 8 Malware Defenses 60 40 CSC 9 Limitation and Control of Network Ports, Protocols, and Services 20 0 10 Risk Assessment will provide: Detailed explanation of scoring and business risks Recommended mitigation steps Recommended priority for implementing changes

NYSTEC Cyber Protections Services Menu Selfassessment Surveys In-Person and Phone interviews Completion of NYSTEC Risk Assessment Matrix Web Application Scanning CIS Top-20 Gap Assessment Worksheets Small Smaller counties that have few critical assets or a small cyber presence Medium Medium-sized counties with critical assets and a significant cyber footprint Large Larger counties with significant cyber assets and a large footprint Review of Completed Risk Assessment Matrix 11 System Characterization of Critical Assets Maturity Review of Docs and Artifacts Review of Policies and Procedures Networked Device Vulnerability Analysis

Thank you Questions? 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback