dir hb 3834 end user cyber security awareness presentation
play

DIR HB 3834 END USER CYBER SECURITY AWARENESS PRESENTATION Andy - PDF document

Nov 22, 2022 •287 likes •729 views

DIR HB 3834 END USER CYBER SECURITY AWARENESS PRESENTATION Andy Bennett Deputy CISO State of Texas 1 HB 3834 Training Disclaimer DISCLAIMER These slides are distributed by the Texas Municipal League (TML) for informational purposes only.

  1. DIR HB 3834 END USER CYBER SECURITY AWARENESS PRESENTATION Andy Bennett Deputy CISO State of Texas 1 HB 3834 Training Disclaimer DISCLAIMER These slides are distributed by the Texas Municipal League (TML) for informational purposes only. Accordingly, possession of these slides does not satisfy the annual training requirement under HB 3834 (86 th Legislative Session). 2 1

  2. Agenda • Presenter Bio • HB 3834 Overview and Requirements • HB 3834 Training Session • The principles of information security • Safeguarding, response, and reporting best practices • Real-world examples • State and Federal Resources 3 Presenter Bio Andy Bennett is a boot wearin’ native Texan who serves the State of Texas as the Deputy Chief Information Security Officer. He has a diverse IT background covering 23 years of experience in roles across the enterprise and in a variety of sectors including government, banking, higher education, applied research, oil and gas, law enforcement, Fortune 500 consulting services, and more. He specializes in incident response, investigations, and change efforts and has a passion for security. He is the primary author of the State of Texas’ incident response redbook template and is involved in strategic planning and rulemaking at the statewide level. His professional philosophy is “Show works better than tell, every time.” 4 2

  3. State CISO and Cybersecurity Coordinator Role TEXAS GOVERNMENT CODE Sec. 2054.511. CYBERSECURITY COORDINATOR. The State Cybersecurity Coordinator shall "oversee cybersecurity matters for th[e] state.“ [LINK] Sec. 2054.512. CYBERSECURITY COUNCIL. “The state cybersecurity coordinator shall establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.” [LINK] Sec. 2054.514. RECOMMENDATIONS. “The state cybersecurity coordinator may implement any portion or all of the recommendations made by the Cybersecurity, Education, and Economic Development Council under Subchapter N.” [LINK] 5 HB 3834 Overview TEXAS GOVERNMENT CODE Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING PROGRAMS [LINK] • DIR, in consultation with the cybersecurity council and industry stakeholders shall “certify at least five cybersecurity training programs for state and local government employees.“ • To be certified, “ a cybersecurity training program must: • Focus on forming information security habits and procedures that protect information resources; and • Teach best practices for detecting, assessing, reporting and addressing information security threats .” 6 3

  4. Meeting HB 3834 Training Requirements Select a state certified cybersecurity training program • If you are currently using a program that was developed in-house, submit it for certification • Select a training program from the list of certified programs (available on the DIR website) Complete training by June 14, 2020 7 Principles of Information Security HB 3834 Topic Mapping Topic 1.1(a). Users should be aware of what ‘information security’ means 8 4

  5. Defining Information Security Definition: Information Security According to NIST, Information Security is “[t]he protection of information and information systems against unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability .” Source: NIST SP 800-171 Rev. 1 Information refers to “[a]ny Information System refers to “[a] communication or representation of discrete set of information resources knowledge such as facts, data, or organized for the collection, processing, opinions in any medium or form, maintenance, use, sharing, including textual, numerical, graphic, dissemination, or disposition of cartographic, narrative, or audiovisual.” information.” Source: NIST SP 800-171 Rev. 1 Protecting Source : NIST SP 800-53 Rev. 4 Security and Controlled Unclassified Information in Privacy Controls for Federal Information Nonfederal Systems and Organizations Systems and Organization 9 Availability Defining Information Security C Prevent unauthorized access and use of information resources I Prevent unauthorized change and ensure reliability of information resources A Ensure timely availability of information resources Users must exercise due care to ensure the confidentiality, integrity, and availability of the information resources under their care. Availability 10 5

  6. Information Security Objective: Confidentiality Information Security Objective: Confidentiality “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” Common Controls/Safeguards: - Cryptography - Access Management - Acceptable Use Policy - Information Security Awareness Policy - Privacy Policy - Social Media Policy 11 Availability Information Security Objective: Integrity Information Security Objective: Integrity “Guarding against improper information modification or destruction, and includes ensuring information non- repudiation and authenticity.” Common Controls/Safeguards: - File Integrity Monitoring - System Integrity Monitoring - Hashing Technology 12 Availability 6

  7. Information Security Objective: Availability Information Security Objective: Availability “Ensuring timely and reliable access to and use of information.” Common Controls/Safeguards: - Incident Response Plan - Business Continuity Plan - Disaster Recovery Plan - Data/Record Retention Plans 13 Availability Information Security Strategy Defense-in-Depth Information assets are protected by many interlocking, redundant, and complimentary controls to detect, deter, and prevent attacks. This Photo by Unknown Author is licensed under CC BY-NC-ND This Photo by Unknown Author is licensed under CC BY-ND 14 7

  8. Information Security Strategy/Defense-in-Depth USER DOMAIN TYPICAL IT INFRASTRUCTURE WAN DOMAIN Public LAN DOMAIN LAN-TO-WAN DOMAIN Internet Vendors Encrypted Tunnel WORKSTATION DOMAIN APPLICATION DOMAIN REMOTE ACCESS DOMAIN Public Internet DMZ EMAIL Encrypted Tunnel WEB 15 Information Security Strategy Defense-in-Depth “Information assets” are protected by several layers of “technical” controls. Information assets are protected by many interlocking, redundant, and complimentary controls to detect, deter, and prevent attacks. Host-Based Controls Multi-Factor Authentication - Username/Pass - Fingerprint - Windows Hello Whole-Disk Encryption Encrypted Folders Anti-Malware Scanner Host-Based Firewall VPN Client Software 16 8

  9. Information Security Strategy Least Privileges & Segregation of Duties Limit user privileges (access/use) to no more than what is necessary to perform their duties. Ex: The judicial branch of government, by law, may decide the constitutionality of a law, but it may not create law. Why? Because this authority belongs to the legislature and CANNOT be delegated to another branch. This Photo by Unknown Author is licensed under CC BY-SA 17 Information Security Controls/Safeguards Controls/Safeguards Categories and Design Controls/safeguards are instruments implemented by an organization to ensure the “CIA” of “information assets”. They are categorized as one or several of the following: 1) Administrative; 2) Physical; or 3) Technical. They are designed for one or several outcomes: 1) Detection; 2) Deterrence; 3) Prevention; and/or 4) Correction. See NIST SP 800-53 Rev.4 for a comprehensive set of “controls”. (Link) 18 9

  10. Information Security Controls/Safeguards Administrative Controls/Safeguards Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls. Examples:  Acceptable Use Policy  Clean Desk Policy  Wireless Communication Policy  Wireless Communication Standard  Data Retention Policy  Information Classification Management Program  Mechanical Hard Drive Destruction Procedure  Vendor Management Program 19 Information Security Controls/Safeguards Administrative Controls/Safeguards • Documents stating an organization’s Your information security program should official position on an information consist of a “policy framework.” Policy security issue. The “policy framework” will balance • Documents defining methods for achieving system or procedural- the organization’s objectives and: Standards specific requirements. - Business requirements; - Legal requirements; and • Documents outlining the - Technical requirements. specific steps of a process. Procedures • Documents outlining voluntary methods Guidelines or procedures. 20 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST

U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST

ISSLOB SSC CYBERSECURITY AWARENESS U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST SP 800-50 A proven, reliable solution that verifies retention of material and concepts A well

344 views • 17 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan

Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan

Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan Cheng, Dang Nguyen, Khalid Bijon, Ram Krishnan, Jaehong Park and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio September

256 views • 12 slides
Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University

Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University

Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University of Cincinnati About This Seminar Designed for everyday cyber citizens Online Webinar 2 hour Presentation 10 Minute break

607 views • 57 slides
Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin

Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin

A A Conceptual Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin Bahi , Olaf Manuel Maennel Centre For Digital Forensics and Cyber Security Tallinn University of Technology Evolvement of Cyber

470 views • 13 slides
Cyber Security Awareness Month! infosec@ucop.edu October is National Cyber Security Awareness

Cyber Security Awareness Month! infosec@ucop.edu October is National Cyber Security Awareness

October is National Cyber Security Awareness Month! infosec@ucop.edu October is National Cyber Security Awareness Month! October is National Cyber Security Awareness Month! 2 National Cyber Security Awareness Month at UCOP: 8 Important

1.04k views • 9 slides
Security Awareness Office of Informa(on Technology Informa5on

Security Awareness Office of Informa(on Technology Informa5on

Security Awareness Office of Informa(on Technology Informa5on Security Department 2011-2012 Top Security Issues BE CYBER SAFE 1 Security Awareness Top

383 views • 13 slides
Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some

Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some

Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some context Daily Mail online, April 2017 52 % the number of small businesses that had a security breach in 2016 UK Government Cyber Security

619 views • 39 slides
Awareness Out of the Box: New Ways to Present Meaningful Security Messages Susan Farrand U.S.

Awareness Out of the Box: New Ways to Present Meaningful Security Messages Susan Farrand U.S.

Awareness Out of the Box: New Ways to Present Meaningful Security Messages Susan Farrand U.S. Department of Energy Office of the Associate CIO for Cyber Security 1 Cyber Security Priorities Number 1 - Enable the mission Number 2 -

270 views • 23 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Securing Court Information October is National Cyber Security Awareness Month! 11 th Annual

Securing Court Information October is National Cyber Security Awareness Month! 11 th Annual

Securing Court Information October is National Cyber Security Awareness Month! 11 th Annual Sponsored by the Department of Homeland Security How it all works Computers 101 Hackers Court Data Justice Building

913 views • 51 slides
NATIONAL CYBE BER SECURITY AWARENESS MONTH: OCTOBE BER IT Security is joining a national effort

NATIONAL CYBE BER SECURITY AWARENESS MONTH: OCTOBE BER IT Security is joining a national effort

NATIONAL CYBE BER SECURITY AWARENESS MONTH: OCTOBE BER IT Security is joining a national effort to make the Internet safer. Keep an eye out for more information on cyber security topics in the UConn Health Lifeline, on displays throughout

438 views • 12 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three points of failure in any secure network: Technology (hardware and software) Technology Support (ITS) End Users (USD students and employees)

359 views • 23 slides
AEB Open meeting HOW TO RAISE CYBER AWARENES ENESS S AT ALL LEVEL ELS IN Y YOUR COMPANY ANY

AEB Open meeting HOW TO RAISE CYBER AWARENES ENESS S AT ALL LEVEL ELS IN Y YOUR COMPANY ANY

AEB Open meeting HOW TO RAISE CYBER AWARENES ENESS S AT ALL LEVEL ELS IN Y YOUR COMPANY ANY Sergey Landyrev, BP Russia Business Security Manager March 2019 AG AGEN ENDA DA BP Russia Overview User Awareness Q&A BP Russia.

317 views • 7 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Toll Free No : 1800 425 6235 Ministry of

460 views • 8 slides
LIKE IT OR NOT EMPLOYEES RIGHTS AND RESPONSIBILITIES ON SOCIAL MEDIA Mari McGowan

LIKE IT OR NOT EMPLOYEES RIGHTS AND RESPONSIBILITIES ON SOCIAL MEDIA Mari McGowan

LIKE IT OR NOT EMPLOYEES RIGHTS AND RESPONSIBILITIES ON SOCIAL MEDIA Mari McGowan Director/Shareholder Abernathy, Roeder, Boyd & Hullett, P.C. McKinney, TX LEGAL DISCLAIMER This presentation should not be construed as legal

682 views • 44 slides
BYOD and The AUP Bring Your Own Device The Acceptable Use Policy Some Information You Need to

BYOD and The AUP Bring Your Own Device The Acceptable Use Policy Some Information You Need to

BYOD and The AUP Bring Your Own Device The Acceptable Use Policy Some Information You Need to Know The Acceptable Use Policy TCDSB Students and Staff must adhere to the Electronic Communications System - Acceptable Use Policy (AUP) All

110 views • 9 slides
Outage Management System Customer Partnership Group November 2017 Customer Partnership Group

Outage Management System Customer Partnership Group November 2017 Customer Partnership Group

Outage Management System Customer Partnership Group November 2017 Customer Partnership Group Scope and Objective Created in response to customers request to have more involvement in the planning, design and usability validation phases

277 views • 14 slides
NJEEDS Data Advisory Council December 13, 2017 Greetings and Introductions The New Jersey Office

NJEEDS Data Advisory Council December 13, 2017 Greetings and Introductions The New Jersey Office

NJEEDS Data Advisory Council December 13, 2017 Greetings and Introductions The New Jersey Office of the Secretary of Higher Education Rochelle Hendricks, Secretary of Higher Education Marie Virella, Director of Finance and NJEEDS Project

528 views • 11 slides
New Providence Middle School Parent iPad Presentation September 9, 2019 WHY 1:1 - Personalized

New Providence Middle School Parent iPad Presentation September 9, 2019 WHY 1:1 - Personalized

New Providence Middle School Parent iPad Presentation September 9, 2019 WHY 1:1 - Personalized Learning with iPads Streamlines assignments Boosts collaboration Fosters communication Apps & G Suite for Education A variety of Apps are

447 views • 12 slides
EPDP Phase 2 Webinar Proposed Recommendations for a Standardized System for

EPDP Phase 2 Webinar Proposed Recommendations for a Standardized System for

EPDP Phase 2 Webinar Proposed Recommendations for a Standardized System for Access/Disclosure (SSAD) 13 February 2020 | 1 Presenters Janis Karklins EPDP Team Chair Rafik Dammak EPDP Team Vice-Chair & GNSO Council Liaison | 2

455 views • 21 slides
Marlboro Central School Districts 1:1 Chromebook Initiative Robin Hecht John Marallo

Marlboro Central School Districts 1:1 Chromebook Initiative Robin Hecht John Marallo

Marlboro Central School Districts 1:1 Chromebook Initiative Robin Hecht John Marallo Director for Curriculum & Instruction Technology Integration Specialist Michael Bakatsias Assistant Superintendent for Technology & Personnel

578 views • 23 slides
Welcome to a 1:1 Learning Environment Operation Y 1:1 5 Dr. Nick Baughman Mr. Ryan Adkins

Welcome to a 1:1 Learning Environment Operation Y 1:1 5 Dr. Nick Baughman Mr. Ryan Adkins

Welcome to a 1:1 Learning Environment Operation Y 1:1 5 Dr. Nick Baughman Mr. Ryan Adkins Chief Academic Officer Director of Technology Mr. Jim Wolf Mr. Nate Campbell TOSA Project Manager TOSA- Tech Integration Mrs. Jennifer Waldvogel

573 views • 38 slides

More recommend