TRICO Retreat - Todays Topics: What did we learn from the member - - PowerPoint PPT Presentation



SLIDE 1

TRICO Retreat - Today’s Topics:

  • What did we learn from the member assessments?
  • Most common risks and gaps across membership
  • How to read and understand my Security Assessment Report?
  • Now that I have all this information… Where do I start?
SLIDE 2

Member Assessments What Did We Learn?

SLIDE 3

Member Assessment Overview

37 members participated in the assessment:

  • 78% of system passwords don’t adequately protect the IT environment
  • 97% don’t have a documented Business Continuity Plan in place
  • 46% of backups are stored on site
  • 95% don’t have a documented Incident Response Plan in place
  • 100% don’t have a security awareness education program
  • 100% don’t have a set of information security policies
  • 92% don’t encrypt sensitive information
  • 24% don’t track IT assets
  • 19% don’t perform background checks & 27% do marginal checks
SLIDE 4

Outsourced Services

37 members participated in the assessment:

  • Payroll: 59.5% (outsourced)
    • Casa Payroll Services (15): 40.5%
    • Prime Point (2): 5.4%
    • Paychex (1): 2.74%
    • ADP (1): 2.7%
    • Other (1): 2.7%
    • In-house (15): 40.5%
  • IT Services: 89.2%
  • Email Services: 78.4%

Very limited 3rd party risk management practices in place

SLIDE 5

Security Assessment Report Read & Understand

SLIDE 6

Risk Assessment

Initial web based survey:

  • Objective – To have a baseline measure of potential risks in an effort to determine the important controls required to reduce those risks
  • Risks generally relate to information & context (laws, processes, locations, systems, etc.)
  • What is a risk score – A risk score is a numeric value based on the answers to the Risk Assessment Survey
  • The lower the number, the lower the potential risk factor
  • Four risk levels were used: Low, Moderate, High and Critical
SLIDE 7

Sample Risk Assessment Survey

Negative answers automatically change to red for further discussion.

SLIDE 8
SLIDE 9

Gap Assessment

Onsite visit to assess the maturity of security controls in place:

  • The Gap Assessment is intended to provide an indication of how well the security controls are executed against “good practice” for your risks
  • Each control status in the Gap Assessment has a numeric value, used to measure the overall maturity level
  • The higher the number, the greater the maturity of the security controls in place
  • Four control statuses are used: Fully Implemented, Partially Implemented, Not Implemented and Not Applicable

SLIDE 10

Gap Assessment

14 domains and 41 controls, aligned with the ISO 27001 framework, were evaluated:

  • Information Security Policies
  • Organization of Information Security
  • Human Resources Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • Systems Acquisition, Development and Maintenance
  • Supplier Relationships
  • Information Security Incident Management
  • Information Security Aspects of Business Continuity and Disaster Recovery
  • Compliance
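As an added example (not part of the deck or the JIF's own tooling), the Python below turns the four control statuses from the Gap Assessment into per-domain and overall maturity percentages across ISO 27001 domains, leaving Not Applicable controls out of the denominator so they neither inflate nor deflate a score. The 0/1/2 weights and the sample control results are assumptions, since the deck does not publish the actual numeric values.

```python
from statistics import mean

# The deck says each control status carries a numeric value but does not
# give the values; this 0/1/2 mapping is an assumption for illustration.
STATUS_SCORE = {"Fully Implemented": 2, "Partially Implemented": 1, "Not Implemented": 0}
NOT_APPLICABLE = "Not Applicable"  # excluded from the maturity calculation


def domain_maturity(controls):
    """Maturity of one domain as a percentage of the maximum score.

    `controls` maps control name -> status. Not Applicable controls are
    dropped so they neither raise nor lower the score; a domain with no
    applicable controls returns None rather than 0.
    """
    scored = [STATUS_SCORE[s] for s in controls.values() if s != NOT_APPLICABLE]
    if not scored:
        return None
    return round(100 * sum(scored) / (2 * len(scored)), 1)


def overall_maturity(domains):
    """Mean maturity over domains that have at least one applicable control."""
    scores = [m for m in map(domain_maturity, domains.values()) if m is not None]
    return round(mean(scores), 1) if scores else None


def prioritised_gaps(domains):
    """(maturity, domain, Not Implemented controls) tuples, weakest domain first."""
    rows = []
    for name, controls in domains.items():
        m = domain_maturity(controls)
        if m is not None:
            missing = sorted(c for c, s in controls.items() if s == "Not Implemented")
            rows.append((m, name, missing))
    return sorted(rows)


# Constructed sample results for three of the 14 domains (not member data).
SAMPLE = {
    "Information Security Policies": {"Policy set": "Not Implemented",
                                      "Policy review": "Not Implemented"},
    "Cryptography": {"Encryption of sensitive data": "Partially Implemented",
                     "Key management": "Not Applicable"},
    "Asset Management": {"Asset inventory": "Fully Implemented",
                         "Asset ownership": "Partially Implemented"},
}
```

Running `prioritised_gaps(SAMPLE)` lists the weakest domains first, which is the ordering a risk-based remediation plan would start from.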
SLIDE 11
SLIDE 12

We Have The Information… Now Where Do We Start?

SLIDE 13

Risk Based Approach

We recommend each municipality take a “risk based” approach to its gap remediation efforts. We also recommend that you consider addressing each of the findings listed in section C, “Identified Risk with Highest Priorities”. These will likely have the most notable impact on reducing the likelihood of your municipality experiencing a cyber incident and on increasing its overall security posture.

Not to worry – you are not alone! The JIF is currently working on developing a strategy to address common deficiencies and guide you through the process.

SLIDE 14

Risk Based Approach

SLIDE 15

Questions?