Communicating the Threat

Transcription

1 Communicating the Threat A Study to Assess Current Practices in Information Sharing and Gathering on Cyber- Security Threats in Canadian Public Sector, Crown Corporations and Major Private Sector Stakeholders Project Study Leaders Valarie Findlay, President, HumanLed Consulting Kevin Wennekes, Chief Business Officer, Canadian Advanced Technology Alliance January - July 2015

2 Contacts for this study: Valarie Findlay (613) / Kevin Wennekes (613) Study Objectives The detailed study, Communicating the Threat, has a three-fold focus: Cyber-Security in the Counter-Terror Model - Counter-terror models focus on physical threatactivities and encourage cross-departmental collaboration, communication and shared, exchangeable skills and capabilities including the transfer of information and intelligence from the federal to the community level. The discipline of cyber-security will be analyzed and evaluated in the same framework utilized in counter-terror models, conceptualized in legislation and at the operational and practical levels to deter, actively prevent, detect, respond and recover from cyber-threats and potential cyber-terrorist attacks. Cyber-Security Collaboration and Knowledge Sharing Cross-Sector - This area will assess current practices in information gathering and sharing, and its utilization, on cyber-security threats in the Canadian public sector, Crown corporations and major private sector stakeholders. Developing a New Threat/Risk Assessment (TRA) Tool - Examining new Threat/Risk Assessment options and approaches that will provide a dynamic, detailed analysis of threats, risks, vulnerabilities and assets and continuous improvement/shorter iteration cycles to ensure the most relevant and timely data. Study Approach and Results Information will be collected in questionnaire-guided in-person or telephone interviews and will explore these key areas: 1. Describing the current methods for determining risk and threat. 2. Describing the current legislation in relation to the counter-terrror model and whether it adequately meets the needs in supporting the management of cyber-threat. 3. Describing the current overall practices in information sharing and gathering for the subject department or organization. 4. Detailed examination of types of information exchange, scope of information, types of cyber-threats, timeliness, processes for clarification and escalation 5. Limitations or gaps in the above and end user suggested improvements

3 Questionnaire/Participant Type: Executive/C Level Senior Manager/Resource Supervisor Knowledge/Operational/Level I, II or III Professor Organization Type: Government Crown Private Sector Security Industry Service/Professional Services Academia Contact Info: Please note the following: Your participation is confidential, non-compensatory and voluntary. You may refuse to answer any question you feel to be intrusive or contravening to the security of your affiliated work or organization(s). You may choose to withdraw at any point without explanation. All collected data and notes will be treated confidentially and destroyed upon completion of the research report and will be stored securely with access limited to the primary researcher (Valarie Findlay). Your confirmation would considered to be written consent to this interview process. Note the numbering schema is intended for scoring purposes. Participant Interview Questions Insight and Opinion 1. Capabilities: What is your insight or opinion, if any and as applicable, of how cybersecurity is dealt with in general (Code: CAP): 2. Government: 3. Private Sector: 4. Crown:

4 5. Industry/Service Providers 6. Capabilities: What is your insight or opinion, if any and as applicable, of how cybersecurity threats and vulnerabilities are (Code: CAP): 7. Communicated to your organization: 8. Within your organization: 9. How it is shared externally: 10. Capabilities: What do you consider to be the roadblock(s) in instituting adequate cybersecurity? (Code: CAP) 11. Capabilities: Describe current methods for determining risk and threat - tools, methods, policies, etc. (Code: CAP) 12. Capabilities: Describe your understanding of current legislation in relation to the cybersecurity and privacy and whether it adequately meets the needs in supporting the management of cyber-threat (Code: CAP): 13. Capabilities: Describe current overall practices in information sharing and gathering; what type of information is shared, types of cyber-threats, timeliness, processes for clarification and escalation (Code: CAP): Experience and Practices 14. Information Sharing: Is cross-departmental collaboration and communication encouraged? (Code: IS) 15. Information Sharing: Is there a process for monitoring outside threats and vulnerabilities? (Code: IS) 16. Information Sharing: If yes to #15, is there process for monitoring outside threats and vulnerabilities effective and timely? (Code: IS) 17. Skills: Are there shared, exchangeable skills and capabilities including the transfer of information and Intelligence internally and externally? (Code: SK) 18. Credentials: What training or credentials are required for security resources? (Code: CR) 19. Credentials: If yes to #18, are training or credentials verified, audited and updated with training for security resources? (Code: CR) 20. Standards: What security standards and processes do you adhere to? (Code: ST) 21. Analysis: What is the level of analysis of threats, risks, vulnerabilities and assets prior to adopting new equipment, etc.? (Code: AN) 22. Analysis: If yes to #21, is this level of analysis of threats, risks, vulnerabilities and assets adhered to? (Code: AN) 23. Analysis: What is the frequency of analysis of threats, risks, vulnerabilities and assets after adoption? (Code: AN)

5 24. Improvement: Is there a continuous improvement process or framework for cybersecurity? (Code: IM) 25. Improvement: If yes to #24, is the continuous improvement process or framework for cyber-security adhered to? (Code: IM) 26. Incident Reporting: Is there a clear and known incident reporting process for security resources and employees? (Code: IR) 27. Incident Reporting: If yes to #26, is the incident reporting process effective and timely? (Code: IR) Gaps or Limitations 28. Gaps or Limitations: Discuss your perspectives or experience on the GAPS or LIMITATIONS on following (Code: GP): 29. Information Sharing (Code: GP-IS): 30. Skills (Code: GP-SK): 31. Standards (Code: GP-ST): 32. Credentials (Code: GP-CR): 33. Analysis (Code: GP-AN): 34. Improvement (continuous improvement) (Code: GP-IM): 35. Incident Reporting (Code: GP-IR): 36. Discuss your SUGGESTED IMPROVEMENTS following (Code: SI): 37. Information Sharing (Code: SI-IS): 38. Skills (Code: SI -SK): 39. Standards (Code: SI -ST): 40. Credentials (Code: SI -CR): 41. Analysis (Code: SI -AN): 42. Improvement (continuous improvement) (Code: SI -IM): 43. Incident Reporting (Code: SI -IR):