Cyber Security SLAIT CONSULTING.com SLAIT Consulting an ePlus - - PowerPoint PPT Presentation



SLIDE 1

SLAITCONSULTING.com

Cyber Security

SLAIT Consulting

College and University Auditors of Virginia Conference May 2019

SLIDE 2


Ivan Gil, Sr. Information Security Consultant, SLAIT Consulting, an ePlus Technology, Inc. Company

  • Sr. Information Security Consultant assisting clients with their Information Security programs, including:
    • Implementing Information Security Programs
    • Developing and reviewing Information Security Policies
    • Performing compliance assessments, Risk Assessments, Security Audits, and System Security Plans
    • Conducting Vulnerability Scans and Penetration Testing
    • Conducting Phishing, Vishing, and Social Engineering Campaigns
  • 30+ years in Information Technology, the last 10 years in Cyber Security
  • SLAIT Consulting, Northrop Grumman (VITA Program), Nemesys Corp.

SLIDE 3


Definition of Cyber Security:

  • Cyber security refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.

SLIDE 4


Know Thyself

  • Business Impact Analysis (BIA): What’s Important to the Business?
  • Data & System Classification: What type of data is your organization handling?
  • Risk Assessment: What are the risks to your systems and data?
  • System Security Plan: Document how you will remediate risk findings & protect your systems & data.
  • Policies & Procedures: Develop, document, and disseminate.
  • Feedback Loop: Gather feedback from the organization.

SLIDE 5


Business Impact Analysis (BIA): What’s Important to the Business

Business Impact Analysis
❖ Primary Business Functions
❖ Mission Essential
❖ Recovery Time Objective (Acceptable Downtime)
❖ Recovery Point Objective (Acceptable Data Loss)
❖ “Business Impacts” (if outage, corruption, breach, etc.)

SLIDE 6


Data & System Classification

What type of data is your agency handling?

Data/System Classification
❖ Analysis of all system data
❖ Ranked High, Medium, or Low
   ➢ In terms of:
      • Confidentiality (exposure)
      • Integrity (edits/corruption)
      • Availability (up time)
❖ System classified based on data sensitivity or availability

SLIDE 7


Risk Assessment

What are the risks to your systems and data?

❖ Considerations for the Risk Assessment:
   ➢ IT Asset Inventory
   ➢ Platform / Operating Systems
   ➢ Vulnerability Scans
   ➢ Change Control
   ➢ Configuration Management
   ➢ Access Control / Restrictions
   ➢ Remote Access
   ➢ Prior Findings
   ➢ Wireless Infrastructure
   ➢ Audit Logs (DB, Application, Server & Network)
   ➢ Incidents / Outages
   ➢ Boundary Protection
   ➢ Application Code
   ➢ Database Configuration
   ➢ Backups / Media Protection
   ➢ Environmental (Fire, Water, Temperature)

SLIDE 8


Continuity of Operations (COOP)

Continuity of Operations
❖ Businesses determine their NEEDS for continuing to operate during:
   ➢ An outage, corruption, breach or disaster (e.g. the “XYZ” application can be down for X hours before there’s an impact to normal operations)
   ➢ The COOP plan may be to use paper and pencil, manual credit cards, set up operations at an alternate location, etc.
   ➢ The PLAN to continue and restore operations is based largely on the BIA & Data Classification (Recovery Time Objectives)
   ➢ Each business unit is responsible for having input into the COOP

SLIDE 9


Disaster Recovery (DR)

Disaster Recovery
❖ How will IT support & service the business:
   ➢ During a corruption, breach or disaster?
   ➢ How will NGC/VITA be involved?
   ➢ What are the hardware, software, and vendor needs planned and implemented by IT to provide restoration & recovery services and support?

SLIDE 10


System Security Plan

Document how you will remediate risk findings & protect your systems & data

❖ System Security Plan
   ➢ Roles & Ownership
   ➢ Security Configurations
   ➢ Security Baselines
   ➢ Role-Based Training
   ➢ Permissions
   ➢ Communications (POC)
   ➢ Architecture Diagrams
   ➢ Boundary Diagrams
   ➢ Data Flow Diagrams
   ➢ Media Protection

SLIDE 11


Policies and Procedures

Most control families start with a requirement for a policy and a procedure! NIST 800-53r4 and COV SEC501: “Develops, documents, and disseminates to…”

Examples:

  • ACCESS CONTROL: Develops, documents, and disseminates to all organization personnel, contractors, and service providers with a responsibility to implement access controls:
  • AWARENESS AND TRAINING: Develops, documents, and disseminates to all information system users (including managers, senior executives, and contractors):
  • AUDIT AND ACCOUNTABILITY: Develops, documents, and disseminates to the appropriate organization-defined personnel and roles:
  • SECURITY ASSESSMENT AND AUTHORIZATION: Develops, documents, and disseminates to authorized organization-defined personnel:
  • CONFIGURATION MANAGEMENT: Develops, documents, and disseminates to all individuals providing system support and all system owners:

Without a policy, you do not have anything that you can assess against.

SLIDE 12


Compliance

Compliance Security

SLIDE 13


Compliance

Which regulations are you required to abide by?

SLIDE 14


Q & A

Innovative Solutions for Forward Thinking Companies

SLIDE 15


SLAIT Security Services

Innovative Solutions for Forward Thinking Companies

Ivan Gil 4405 Cox Rd., Suite #100, Glen Allen, VA 23060 T: (804)632-8365 M: (804) 334-8074 www.slaitconsulting.com
