Report on CAP Cybersecurity November 5, 2015

Transcription

1 Agenda Number 7. Report on CAP Cybersecurity November 5, 2015 Phil Cook CISSP, CISM Manager, Information Technologies

2 Risk #1 External Attacks PR 81 Protect and secure CAP's Information Technology assets and information. Protect sensitive business information, vital records and preserve historical information. PR 82 Prepare and plan for potential threats to CAP water operations. 2

3 Risk #2 Loss of Sensitive Data PR 66 Implement web services to securely share information with the outside world including consultants and other utilities. PR 81 Protect and secure CAP's Information Technology assets and information. Protect sensitive business information, vital records and preserve historical information. 3

4 Current State of Information Security In 2014, 42.8 million security incidents were detected, a 48 percent increase over the previous year, according to PricewaterhouseCoopers. Security Incidents (in Millions)

5 Challenges That Can Impact Our Security Risk Profile New technology New projects adding equipment to the network (typically not designed for security) Additional remote access requirements Social Media vulnerabilities Phishing attacks Internet facing attacks can come from anywhere in the world As information security increases system complexity increases 5

6 What Is Appropriate Risk? There is no such thing as "perfect protection" CAP High Risk Low Cost Low Maturity Business Model This is a moving target. As the threats change we have to be nimble and adjust on a quarterly basis to keep the risk at this level. Low Risk High Cost High Maturity

7 Asking The Right Questions Are we secure? Are we compliant? What is the current level of risk? Are our controls sufficient? Is the risk balanced in order to protect our assets (access to information, system availability, and employee resources) 7

8 The Process for Securing Our Assets Prevent attacks (network attacks, phishing, viruses, malware) Mitigate since controls can never protect 100% Respond when a problem is found Restore data after the problem has been resolved Plan for the unexpected and know what you are going to do when it happens. 8

9 Risk Management Approach What are the current, desired and planned states for information security? Understand the risk and at a minimum determine: o o o Which risks should we avoid? Which risks should and or can we accept / tolerate? Which risks should we mitigate? What is our incident management response plan? 9

10 Process Maturity and Planning Threat and Vulnerability Management Incident Response Identity and Access Management Business Disaster Recovery Intrusion Detection Monitoring (Outside Vendor) Current State Desired State

11 We use multiple forms of validation to understand our risks profile External Testing Web/Application Penetration Testing Internal Vulnerability Assessment Wireless Assessment Understanding Social Engineering Risks Secure Information and Event Management Tool 11

12 What We Are Doing to Manage the Risk? Doing the basics (patching, refreshing systems, following the change management process) Filtering for Internet/ to reduce potential risks Updating equipment for better security and monitoring of systems Risk assessment for every new system connecting to the network Training for IT employees (certifications, participation in security associations, forensics training) Internal systems to manage the network Education through the security awareness program Testing and improving our disaster recovery program (quarterly testing) External services to monitor the network 12

13 Alerts and Advisories Information Systems Security Association (ISSA) is a notfor-profit, international organization of information security professionals and practitioners. Information Sharing Analysis Centers (ISACs) are centralized sources of information and is a clearinghouse for information that helps identify risks and secure our infrastructure. WaterISAC analysts collect and review infrastructure protection information from government and private sources to share with members. InfraGard is an information sharing and analysis effort between the Federal Bureau of Investigation and the private sector. 13

14 Cyber Security Committee Involvement Status of the Cybersecurity Information Sharing Act of 2015 Executive Board Member Arizona Cyber Threat Response Alliance (ACTRA) Empower the private/public sectors themselves to provide a risk mitigation driven solution for the timely mutual exchange of victim non-attributable cyber information on a need to share basis between and among participating private sector, government, law enforcement and intelligence organizations. Partnership with FBI, DHS, and other federal agencies Participate in pilot projects of new systems and technologies 14

15 Conclusion Information security will continue to be one of CAP s top priorities. Everyone is responsible for information security. We must evaluate the risk correctly in order to make the appropriate decisions on how best to protect CAP data. Information security is not an IT issue. It's a business issue. 15