Report on CAP Cybersecurity November 5, 2015


Agenda Number 7
Report on CAP Cybersecurity
November 5, 2015
Phil Cook, CISSP, CISM
Manager, Information Technologies

Risk #1: External Attacks
- PR 81: Protect and secure CAP's Information Technology assets and information. Protect sensitive business information and vital records, and preserve historical information.
- PR 82: Prepare and plan for potential threats to CAP water operations.

Risk #2: Loss of Sensitive Data
- PR 66: Implement web services to securely share information with the outside world, including consultants and other utilities.
- PR 81: Protect and secure CAP's Information Technology assets and information. Protect sensitive business information and vital records, and preserve historical information.

Current State of Information Security
In 2014, 42.8 million security incidents were detected, a 48 percent increase over the previous year, according to PricewaterhouseCoopers.
Chart: Security Incidents (in millions): 2013: 28.9; 2014: 42.8

Challenges That Can Impact Our Security Risk Profile
- New technology
- New projects adding equipment to the network (typically not designed for security)
- Additional remote access requirements
- Social media vulnerabilities
- Phishing attacks
- Internet-facing attacks can come from anywhere in the world
- As information security increases, system complexity increases

What Is Appropriate Risk?
There is no such thing as "perfect protection".
Chart: spectrum running from "High Risk, Low Cost, Low Maturity" to "Low Risk, High Cost, High Maturity", with CAP's business model positioned on it.
This is a moving target. As the threats change we have to be nimble and adjust on a quarterly basis to keep the risk at this level.

Asking the Right Questions
- Are we secure?
- Are we compliant?
- What is the current level of risk?
- Are our controls sufficient?
- Is the risk balanced in order to protect our assets (access to information, system availability, and employee resources)?

The Process for Securing Our Assets
- Prevent attacks (network attacks, phishing, viruses, malware)
- Mitigate, since controls can never protect 100%
- Respond when a problem is found
- Restore data after the problem has been resolved
- Plan for the unexpected and know what you are going to do when it happens

Risk Management Approach
- What are the current, desired and planned states for information security?
- Understand the risk and, at a minimum, determine:
  - Which risks should we avoid?
  - Which risks should and/or can we accept or tolerate?
  - Which risks should we mitigate?
- What is our incident management response plan?

Process Maturity and Planning
Chart: each process area is rated on a 1 to 5 maturity scale, showing current state and desired state:
- Threat and Vulnerability Management
- Incident Response
- Identity and Access Management
- Business Disaster Recovery
- Intrusion Detection Monitoring (outside vendor)

We use multiple forms of validation to understand our risk profile:
- External testing
- Web/application penetration testing
- Internal vulnerability assessment
- Wireless assessment
- Understanding social engineering risks
- Security Information and Event Management tool

What We Are Doing to Manage the Risk
- Doing the basics (patching, refreshing systems, following the change management process)
- Filtering Internet/email to reduce potential risks
- Updating equipment for better security and monitoring of systems
- Risk assessment for every new system connecting to the network
- Training for IT employees (certifications, participation in security associations, forensics training)
- Internal systems to manage the network
- Education through the security awareness program
- Testing and improving our disaster recovery program (quarterly testing)
- External services to monitor the network

Alerts and Advisories
- Information Systems Security Association (ISSA) is a not-for-profit, international organization of information security professionals and practitioners.
- Information Sharing and Analysis Centers (ISACs) are centralized sources of information and serve as clearinghouses for information that helps identify risks and secure our infrastructure.
- WaterISAC analysts collect and review infrastructure protection information from government and private sources to share with members.
- InfraGard is an information sharing and analysis effort between the Federal Bureau of Investigation and the private sector.

Cyber Security Committee Involvement
- Status of the Cybersecurity Information Sharing Act of 2015
- Executive Board Member, Arizona Cyber Threat Response Alliance (ACTRA): empower the private and public sectors themselves to provide a risk-mitigation-driven solution for the timely mutual exchange of victim non-attributable cyber information, on a need-to-share basis, between and among participating private sector, government, law enforcement and intelligence organizations.
- Partnership with FBI, DHS, and other federal agencies
- Participate in pilot projects of new systems and technologies

Conclusion
- Information security will continue to be one of CAP's top priorities.
- Everyone is responsible for information security.
- We must evaluate the risk correctly in order to make the appropriate decisions on how best to protect CAP data.
- Information security is not an IT issue. It's a business issue.