
TRICO Retreat - Today's Topics: What did we learn from the member assessments? - PowerPoint PPT Presentation
  1. TRICO Retreat - Today's Topics:
  • What did we learn from the member assessments?
  • Most common risks and gaps across membership
  • How to read and understand my Security Assessment Report?
  • Now that I have all this information… Where do I start?

  2. Member Assessments: What Did We Learn?

  3. Member Assessment Overview
  37 members participated in the assessment:
  • 78% of system passwords don't adequately protect the IT environment
  • 97% don't have a documented Business Continuity Plan in place
  • 46% of backups are stored on site
  • 95% don't have a documented Incident Response Plan in place
  • 100% don't have a security awareness education program
  • 100% don't have a set of information security policies
  • 92% don't encrypt sensitive information
  • 24% don't track IT assets
  • 19% don't perform background checks, and 27% do only marginal checks

  4. Outsourced Services
  37 members participated in the assessment:
  • Payroll outsourced: 59.5%
    • Casa Payroll Services (15): 40.5%
    • Prime Point (2): 5.4%
    • Paychex (1): 2.7%
    • ADP (1): 2.7%
    • Other (1): 2.7%
  • Payroll in-house (15): 40.5%
  • IT Services outsourced: 89.2%
  • Email Services outsourced: 78.4%
  • Very limited third-party risk management practices are in place

  5. Security Assessment Report: Read & Understand

  6. Risk Assessment
  Initial web-based survey:
  • Objective: to establish a baseline measure of potential risks, in order to determine the important controls required to reduce those risks
  • Risks generally relate to information and its context (laws, processes, locations, systems, etc.)
  • What is a risk score? A numeric value derived from the answers to the Risk Assessment Survey; the lower the number, the lower the potential risk factor
  • Four risk levels were used: Low, Moderate, High and Critical

  7. Sample Risk Assessment Survey: negative answers are automatically highlighted in red for further discussion

  8. Gap Assessment
  Onsite visit to assess the maturity of the security controls in place:
  • The Gap Assessment is intended to indicate how well the security controls are executed against "good practice" for your risks
  • Each control status has a numeric value, which is used to measure the overall maturity level
  • The higher the number, the greater the maturity of the security controls in place
  • Four control statuses are used: Fully Implemented, Partially Implemented, Not Implemented, Not Applicable

  9. Gap Assessment
  14 Domains and 41 Controls were evaluated, aligned with the ISO 27001 framework:
  • Information Security Policies
  • Organization of Information Security
  • Human Resources Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • Systems Acquisition, Development and Maintenance
  • Supplier Relationships
  • Information Security Incident Management
  • Information Security Aspects of Business Continuity and Disaster Recovery
  • Compliance
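As an added worked example (not the assessment's own scoring model, which the slides do not publish), the Python below shows the mechanics described in slides 6 and 8: a survey-based risk score banded into the four levels Low/Moderate/High/Critical, where a lower number means lower risk, and a maturity score per ISO 27001 domain built from the four control statuses, where Not Applicable controls are excluded rather than counted as zero. All question names, weights, bands, control identifiers and the sample member data are assumptions constructed for illustration.

```python
"""Illustrative scoring for a survey-based risk assessment and a
control-status gap assessment. Added example; weights, bands, question
names, control IDs and sample data are all assumptions, not the JIF's
or the assessor's published methodology."""

from collections import defaultdict

# Assumed weight added to the risk score for each negative (False) answer.
# Keys are survey questions phrased so that True is the "good" answer.
RISK_WEIGHTS = {
    "documented_irp": 3,
    "documented_bcp": 3,
    "offsite_backups": 2,
    "sensitive_data_encrypted": 3,
    "asset_inventory": 1,
    "awareness_program": 2,
    "security_policies": 2,
    "adequate_passwords": 3,
}

# Assumed lower bounds for the four risk levels named on slide 6.
RISK_BANDS = [(0, "Low"), (5, "Moderate"), (10, "High"), (15, "Critical")]

# Assumed numeric value per control status (slide 8); N/A carries no value.
STATUS_VALUES = {
    "Fully Implemented": 1.0,
    "Partially Implemented": 0.5,
    "Not Implemented": 0.0,
    "Not Applicable": None,
}


def risk_score(answers):
    """Sum the weights of every negative answer. Unknown questions are an
    error rather than silently ignored, so a typo cannot lower the score."""
    score = 0
    for question, ok in answers.items():
        if question not in RISK_WEIGHTS:
            raise KeyError(f"unknown survey question: {question}")
        if not ok:
            score += RISK_WEIGHTS[question]
    return score


def risk_level(score):
    """Map a score to the highest band whose lower bound it reaches."""
    level = RISK_BANDS[0][1]
    for threshold, name in RISK_BANDS:
        if score >= threshold:
            level = name
    return level


def prioritized_gaps(answers):
    """Negative answers ordered by weight, heaviest first (ties by name),
    i.e. the findings to address first under a risk-based approach."""
    gaps = [(q, RISK_WEIGHTS[q]) for q, ok in answers.items() if not ok]
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


def maturity_by_domain(controls):
    """controls: iterable of (domain, control_id, status).
    Returns {domain: percent maturity}; a domain whose controls are all
    Not Applicable gets None, not 0, so it does not drag the average down."""
    values = defaultdict(list)
    for domain, _control_id, status in controls:
        if status not in STATUS_VALUES:
            raise ValueError(f"unknown control status: {status}")
        values[domain]  # register the domain even if every control is N/A
        if STATUS_VALUES[status] is not None:
            values[domain].append(STATUS_VALUES[status])
    return {
        domain: (round(100 * sum(v) / len(v), 1) if v else None)
        for domain, v in values.items()
    }


def overall_maturity(per_domain):
    """Average of the scored domains only."""
    scored = [p for p in per_domain.values() if p is not None]
    return round(sum(scored) / len(scored), 1) if scored else None


# Constructed sample data for one fictional member (not from the report).
SAMPLE_ANSWERS = {
    "documented_irp": False,
    "documented_bcp": False,
    "offsite_backups": True,
    "sensitive_data_encrypted": False,
    "asset_inventory": True,
    "awareness_program": False,
    "security_policies": False,
    "adequate_passwords": True,
}

SAMPLE_CONTROLS = [
    ("Information Security Policies", "C1", "Not Implemented"),
    ("Information Security Policies", "C2", "Not Implemented"),
    ("Access Control", "C3", "Partially Implemented"),
    ("Access Control", "C4", "Fully Implemented"),
    ("Access Control", "C5", "Not Applicable"),
    ("Cryptography", "C6", "Not Implemented"),
    ("Supplier Relationships", "C7", "Not Applicable"),
]

if __name__ == "__main__":
    score = risk_score(SAMPLE_ANSWERS)
    print("risk score:", score, risk_level(score))
    print("address first:", prioritized_gaps(SAMPLE_ANSWERS))
    domains = maturity_by_domain(SAMPLE_CONTROLS)
    print("maturity by domain:", domains)
    print("overall maturity:", overall_maturity(domains))
```

For the constructed member above the five negative answers add up to a score of 13, which lands in the High band, and the three scored domains average to 25% maturity; Supplier Relationships is reported as unscored because its only control is Not Applicable.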

  10. We Have The Information… Now Where Do We Start?

  11. Risk Based Approach
  We recommend each municipality take a "risk based" approach to its gap remediation efforts. We also recommend that you consider addressing each of the findings listed in section C, "Identified Risks with Highest Priorities". These will likely have the most notable impact on reducing the likelihood of your municipality experiencing a cyber incident and on improving your overall security posture.
  Not to worry: you are not alone! The JIF is currently working on developing a strategy to address common deficiencies and guide you through the process.

  12. Risk Based Approach

  13. Questions?
