Welcome! Designing and Building a Cybersecurity Program




Note that audio will be through your phone. Please dial 866-740-1260, access code 6260070. The webcast will be 60 minutes in length with time allotted for responding to questions. An archive of the webinar will be available at http://www.mhectech.org or http://www.youtube.com/user/mhec12

Overview
- The Midwestern Higher Education Compact (MHEC)
- MHEC/EiQ Networks Master Price Agreement: Justin Pennock, EiQ
- Special Guest: Larry Wilson, Information Security Lead, President's Office, UMass

Interstate Compacts
MHEC (1991), NEBHE (1955), WICHE (1953), SREB (1948)

What is a Compact?
The compact statute creating MHEC makes MHEC an instrumentality of state government of each of its member states. This statutory language gives MHEC broad contracting authority to help carry out its mission. MHEC then enters into agreements for the benefit of its twelve member states, effectively letting institutions in one state pool their resources and expertise with different institutions in other states to gain advantages in the marketplace they otherwise would not be able to obtain.

Statutory Authority to Purchase from MHEC Contracts
- Illinois - Chapter 45 ILCS 155
- Indiana - Chapter IC 20-12-73
- Iowa - Chapter 261D
- Kansas - Chapter 72-60b01
- Michigan - Section 390.1531
- Minnesota - Section 135A.20
- Missouri - Section 173.700
- Nebraska - Section 85-1301
- North Dakota - Chapter 15-10.2
- Ohio - Chapter 3333.40
- South Dakota - Chapter 13-53C-1
- Wisconsin - Chapter 14.90

Security Event & Information Management
- Competitively sourced in 2011; award to EiQ Networks
- Log analysis, event pattern detection, compliance automation, etc.
- Contract term: July 31, 2014 to August 1, 2015, with three one-year renewals (2018)

Master Price Agreement
- Master Price Agreements
- Product and Services Price List
- Large Order Negotiations
- Terms and Conditions
- EULA
http://www.mhectech.org/sites/mhectech.org/files/20110919eiqnetworks_mstr_0.pdf

Who is eligible to purchase?
- Compacts: MHEC's 12 Midwestern states (ND & SD dual members), SREB's 16 Southeastern states, WICHE's 15 Western states
- Higher Education
- K-12 districts and schools
- Cities, State and Local Governments
http://mhectech.org/eligibility-purchase-partners

Contract Highlights
http://www.mhectech.org/
http://www.mhectech.org/eiq
http://eiqmhec.com/

MHEC Resources
Contract Page: http://mhectech.org/contracts
Contact Information:
- Nathan Sorensen, Strategic Information Technology (IT) Procurement Officer, 612-677-2767, nathans@mhec.org
- Rob Trembath, Vice President and General Counsel, 612-677-2763, robt@mhec.org
- Mary Roberson, Director of Communications & Marketing, 612-677-2765, maryr@mhec.org

Effective Cyber Security Monitoring & Compliance
What is an effective security program?
- Process: a set of processes and best practices developed and implemented, based on industry standards
- Technology: immediate and comprehensive visibility into the threat; remove silos and connect the dots
- People: trained, experienced Information Security professionals; must be operational 24x7

What EiQ's SOCVue Delivers:
- Process: Council on Cyber Security & SANS Critical Security Controls automation; continuously analyze your IT environment against security best practice; identify weak links in your security posture
- Technology: EiQ SecureVue; log management & security monitoring; correlation & forensic analysis; compliance reporting; asset discovery
- People: EiQ SOCVue Service; certified security & product engineers; 24x7 monitoring; alert notification and remediation guidance; on-demand investigation; daily/monthly reporting

Justin Pennock, EiQ MHEC Account Manager, 978 266 3165, jpennock@eiqnetworks.com, www.eiqmhec.com

Designing & Building a Cybersecurity Program: To protect our critical assets. Our Controls Factory
Midwestern Higher Education Compact
Larry Wilson, lwilson@umassp.edu, October 23, 2014

The Challenge: To our Corporate and Government Leaders
- There is a global awakening among non-technologists that we are vulnerable in cyberspace
- We are not organized well to protect ourselves
- We suffer from a "fog of more": more standards, more checklists, more devices, more things
- Where does your business stand on basic cybersecurity hygiene?
Our executives need to ask five basic questions:
1. Do we know what's connected to our systems and networks?
2. Do we know what's running or trying to run on our systems and networks?
3. Are we limiting the number of people with administrative privileges to change, bypass or override the security settings?
4. Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers?
5. Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?
Jane Holl Lute, Council on Cybersecurity; served as Deputy Secretary for Homeland Security from April 2009 to April 2013.
Because having these basic safeguards in place will prevent 80% to 90% of the known attacks.

Our Response: We Need to be Proactive
- Manage our Risks: understand and establish a well-developed risk management model
- Manage our Assets: inventory, prioritize, categorize (by type and value), safeguard; lifecycle management (provision, de-provision, discover, manage changes, reconciliation, monitor & alert). Because every security incident starts with a compromised asset
- Secure our Assets
- Alignment and Transparency: Are we on the same page? Are we learning and improving? Are we testing and measuring? Are we maturing our program over time?

Manage our Risks: The Risk Equation

    Risk = (Threats x Vulnerabilities x Asset Value) / Controls + Residual Risk

How do we calculate risk?
- Risk is based on the likelihood and impact of a cyber security incident or data breach (model)
- Threats involve the potential attack against IT resources and information assets (model)
- Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat (model)
- Asset Value is based on criticality of IT resources and information assets (assess)
- Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities (assess)
- Residual risk includes a combination of unknown threats + unknown vulnerabilities + unmanaged assets (model)

Manage our Assets
Our managed assets ARE protected; our unmanaged assets ARE NOT protected.
Identify and secure our managed assets:
- We need to understand why security breaches occur, and the steps to take to prevent them
- What is our managed asset portfolio? We need to build a portfolio of managed assets
Identify and secure our unmanaged assets:
- There are undetected problems: not seen, not reported
- Our unmanaged assets become easy targets, which ultimately leads to a breach from missing or ineffective controls
- What is our unmanaged asset portfolio? We need to secure our unmanaged assets and add them to our managed asset portfolio

Alignment and Transparency: The Cybersecurity Controls Factory
Input: Unmanaged Assets* (Current State, "As is" Risk Environment). Output: Managed Assets* (Desired State, "To be" Risk Environment).
1.0 Threat Model
    1.1 Threats, Vulnerabilities, Consequences
    1.2 The Cyber Attack Chain
    1.3 Modeling Cyber Attacks
2.0 Controls Design
    2.1 Controls Framework & Standards
    2.2 The C³ Framework Components
    2.3 The Cybersecurity Controls Model
3.0 Controls Implementation
    3.1 Vendor Technologies & Services
    3.2 Security Programs & Projects
    3.3 Security as a Service (SaaS)
4.0 Controls Testing
    4.1 Controls Testing Guidelines
    4.2 Controls Testing Techniques
    4.3 Controls Assessment Procedures

* The Assets
- 00: Master Blueprint - incorporates all programs and projects into a single program blueprint
- 01: Endpoint Devices - laptops, workstations, smart phones, tablets, point of sale terminals, etc.
- 02: Applications & Spreadsheets - developing and implementing secure applications based on BSIMM V
- 03: Network Security - including the perimeter, across the LAN, WAN, wireless networks
- 04: Data Center Systems - securing servers in the data center (Windows, Linux, etc.)
- 05: Databases - database applications or stored functions, database systems, database servers, etc.
- 06: Identity & Access Governance - securing users, accounts, entitlements
- 07: Data Governance - processes, technologies, and methods used by data stewards and data custodians to handle data
- 08: Monitoring & Response Center - real-time monitoring, correlation and expert analysis of security activity

1.0 The Threat Model
- 1.1 The Threats, Vulnerabilities, Consequences
- 1.2 The Cyber Attack Chain
- 1.3 Modelling Cyber Attacks

1.1 Threats, Vulnerabilities, Consequences
[Figure: Threats, Vulnerabilities, Consequences]

1.2 The Cyber Attack Chain
[Figure: The Cyber Attack Chain]

1.3 Modelling Cyber Attacks
Process for Attack Simulation and Threat Analysis (PASTA)

2.0 The Controls Design
- 2.1 Controls Frameworks and Standards
- 2.2 The C³ Framework Components
- 2.3 The Cybersecurity Controls Model

2.1 The Controls Frameworks and Standards
- NIST Cybersecurity Framework Core Functions
- Council on Cybersecurity Critical Security Controls (CSCs)
- ISO 27002:2013 Code of Practice for Information Security Controls

2.2 The C³ Framework Components
The Voluntary Framework is a set of Cybersecurity Activities, Desired Outcomes and Applicable References.
Structure: Function Unique Identifier; Function (basic activities); Category Unique Identifier; Category (cybersecurity outcomes); Subcategories (specific outcomes of technical or management activities); Informative References (specific sections of standards, guidelines, and best practices).

Functions: Identify (ID, 24 activities), Protect (PR, 35 activities), Detect (DE, 18 activities), Respond (RS, 16 activities), Recover (RC, 6 activities).

Categories (number of technical or management activities; informative references):
- ID.AM Asset Management: 6; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- ID.BE Business Environment: 5; aligns to ISO/IEC 27001:13 best practices
- ID.GV Governance: 4; aligns to ISO/IEC 27001:13 best practices
- ID.RA Risk Assessment: 6; aligns to ISO/IEC 27001:13 best practices
- ID.RM Risk Management Strategy: 3; aligns to ISO/IEC 27001:13 best practices
- PR.AC Access Control: 5; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- PR.AT Awareness & Training: 5; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- PR.DS Data Security: 7; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- PR.IP Information Protection Process: 12; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- PR.MA Maintenance: 2; aligns to ISO/IEC 27001:13 best practices
- PR.PT Protective Technology: 4; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- DE.AE Anomalies and Events: 5; aligns to ISO/IEC 27001:13 best practices
- DE.CM Security Continuous Monitoring: 8; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- DE.DP Detection Processes: 5; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- RS.RP Response Planning: 1; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- RS.CO Communications: 5; aligns to ISO/IEC 27001:13 best practices
- RS.AN Analysis: 4; aligns to ISO/IEC 27001:13 best practices
- RS.MI Mitigation: 3; aligns to ISO/IEC 27001:13 best practices
- RS.IM Improvements: 2; aligns to ISO/IEC 27001:13 best practices
- RC.RP Recovery Planning: 1; aligns to ISO/IEC 27001:13 & CCS CSC best practices
- RC.IM Improvements: 2; not aligned with ISO/IEC 27001:2013 or CCS CSC practices
- RC.CO Communications: 3; not aligned with ISO/IEC 27001:2013 or CCS CSC practices

2.3 Modeling Cybersecurity Controls
Asset Governance:
- Provisioning: initial creation of the asset
- Reconciliation: periodic recertification of the asset
- De-provisioning: removal of the asset from the environment
- Monitoring & Management: generate alerts and reports
Managed Asset Model:
- Start with all known assets
- Categorize assets by type and value
- Discover / identify unknown assets
Asset Discovery:
- Scan, monitor, filter for unknown assets
- Update known assets with those discovered
Security Controls:
- Management & Communications Controls [MGT]
- Cyber security Controls [CSC]
- General Computer Controls [GCC]
[Diagram: unmanaged assets pass through scan, monitor and filter under asset governance, then receive General Computer Controls, Cybersecurity Controls and Management & Communications Controls to become managed assets; managed assets are known assets (per asset group) with controls applied]

The Controls Model: Managed Assets
1. Establish system of record: create initial baseline of known users, devices, applications, information assets, information owners
2. Update with known assets: add / remove assets following standard approach
3. Scan network for unknown assets: establish network scanning process to detect unknown devices
4. Monitor network for unknown assets: establish traffic monitoring process to detect unknown devices
5. Filter network access from unknown assets: 802.1x, NAC, client certificates, whitelist, blacklist
6. Update system of record with known but unmanaged assets: discovered through scanning, monitoring and filtering
7. Apply security controls to known assets: General Computer Controls [GCC], Cyber security Controls [CSC], Management & Communications Controls [MGT]
8. Generate real-time alerts and management reports: alert management when suspicious activity is detected
9. Update system of record with managed assets: update with known as well as unknown (discovered) devices
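The nine steps above describe one reconciliation loop: a system of record, discovery feeds that surface devices the record does not know about, controls applied per asset, and a report that separates managed from unmanaged. The following Python is an added example that is not code from the presentation or from any MHEC, EiQ or UMass tooling; the asset records, the scan, traffic-monitor and NAC feeds, the MAC-style identifiers and the owner names are all constructed sample data, and the rule that an asset is "managed" only once all three control families (GCC, CSC, MGT) apply is an assumption drawn from step 7.

```python
"""Managed-asset model from the deck's nine-step controls model.

Added example, not code from the MHEC/EiQ/UMass presentation. Asset records,
discovery feeds and owners are constructed sample data.
"""
from dataclasses import dataclass, field

# Step 7: the three control families named in the deck. Assumption: an asset
# counts as "managed" only when all three have been applied to it.
REQUIRED_CONTROLS = frozenset({"GCC", "CSC", "MGT"})


@dataclass
class Asset:
    identifier: str                        # constructed MAC-style key
    asset_type: str                        # endpoint, server, unclassified, ...
    owner: str                             # information owner of record
    controls: set = field(default_factory=set)

    def is_managed(self) -> bool:
        return REQUIRED_CONTROLS <= self.controls


class SystemOfRecord:
    """Steps 1, 2, 6, 8 and 9: the inventory every other step reads or updates."""

    def __init__(self, baseline):
        # Step 1: initial baseline of known devices and their owners.
        self.assets = {a.identifier: a for a in baseline}
        self.alerts = []

    def add_known(self, asset):
        # Step 2: add assets following the standard (provisioning) approach.
        self.assets[asset.identifier] = asset

    def reconcile(self, scanned, monitored, filtered):
        """Steps 3-6: merge the scan, traffic-monitor and NAC (802.1x) feeds.

        Any identifier seen by a feed but absent from the system of record is
        an unknown asset: it is recorded as known-but-unmanaged (no controls
        yet) and an alert is raised for management (step 8). Returns the
        sorted list of newly discovered identifiers.
        """
        seen = set(scanned) | set(monitored) | set(filtered)
        unknown = sorted(seen - set(self.assets))
        for ident in unknown:
            self.assets[ident] = Asset(ident, "unclassified", owner="unassigned")
            self.alerts.append(f"unknown device {ident} seen on the network")
        return unknown

    def apply_controls(self, ident, controls):
        # Step 7: GCC / CSC / MGT controls are applied per known asset.
        self.assets[ident].controls |= set(controls)

    def report(self):
        """Step 9: the management report splits the portfolio in two."""
        managed = sorted(i for i, a in self.assets.items() if a.is_managed())
        unmanaged = sorted(i for i, a in self.assets.items() if not a.is_managed())
        return {"managed": managed, "unmanaged": unmanaged, "alerts": list(self.alerts)}


def run_cycle():
    """One reconciliation cycle over constructed feeds; returns the report."""
    sor = SystemOfRecord([
        Asset("00:11:22:33:44:01", "endpoint", "alice", {"GCC", "CSC", "MGT"}),
        Asset("00:11:22:33:44:02", "server", "bob", {"GCC", "CSC"}),   # MGT missing
    ])
    # Constructed discovery feeds (what steps 3, 4 and 5 would produce).
    scan_results = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    traffic_seen = ["00:11:22:33:44:03", "00:11:22:33:44:04"]
    nac_rejected = ["00:11:22:33:44:05"]      # blocked by 802.1x, still recorded
    sor.reconcile(scan_results, traffic_seen, nac_rejected)
    # Triage outcome for one discovered device: owner found, full controls applied.
    sor.assets["00:11:22:33:44:03"].owner = "carol"
    sor.apply_controls("00:11:22:33:44:03", REQUIRED_CONTROLS)
    return sor.report()


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(key, value)
```

The point the loop makes is the one the deck makes on the "Manage our Assets" slide: a device that shows up in traffic or is rejected by the NAC but has no record is exactly the unmanaged asset that becomes the easy target, so it enters the system of record immediately as unmanaged and stays on the unmanaged side of the report until every control family has been applied.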

3.0 The Controls Implementation
- 3.1 Vendor Technologies and Services
- 3.2 Cybersecurity Programs and Projects
- 3.3 Security as a Service (SaaS)

3.1 Vendor Technologies & Services
[Figure: vendor logos for technologies TEC 01 through TEC 20 and services SVC 01 through SVC 03; only the Quest Software name survives in the text]

3.2 Security Programs and Projects
- PRG 00: Master Blueprint
- PRG 01: Endpoint Security
- PRG 02: Application Security
- PRG 03: Network Security
- PRG 04: Data Center System Security
- PRG 05: Database Security
- PRG 06: Identity Governance
- PRG 07: Data Governance
- PRG 08: Monitoring & Alerting Center

3.3 Security as a Service (SaaS)
- Option 1: Corporate Security Operations Center (SOC)
- Option 2: Outsourced Managed Cybersecurity Services
- Option 3: Co-Managed Cybersecurity Services
- Option 4: Hybrid Cybersecurity Services

4.0 The Controls Testing
- 4.1 Controls Testing Guidelines
- 4.2 Controls Testing Techniques
- 4.3 Controls Assessment Procedures

4.1 Controls Testing Guidelines
- Open Source Security Testing Methodology Manual (OSSTMM)
- Cybersecurity Assessments
- NIST 800-115: Technical Guide to Information Security Testing and Assessment
- Information Systems Security Assessment Framework (ISSAF)
- Critical Infrastructure Security Analysis (CRISALIS)
- Experimental Cyber Immersion Training & Exercises (EXCITE)

4.2 Controls Testing Techniques
TST 01: Black Box Testing; TST 02: Grey Box Testing; TST 03: White Box Testing
1. Knowledge of internals. Black box: the internal workings of an application are not required to be known. Grey box: some knowledge of the internal workings is known. White box: the tester has full knowledge of the internal workings of the application.
2. Other names. Black box: also known as closed box testing, data-driven testing and functional testing. Grey box: another term for grey box testing is translucent testing, as the tester has limited knowledge of the insides of the application. White box: also known as clear box testing, structural testing or code-based testing.
3. Who performs it. Black box: performed by end users and also by testers and developers. Grey box: performed by end users and also by testers and developers. White box: normally performed by testers and developers.
4. Basis of testing. Black box: testing is based on external expectations; internal behavior of the application is unknown. Grey box: testing is done on the basis of high-level database diagrams and data flow diagrams. White box: internal workings are fully known and the tester can design data accordingly.
5. Effort. Black box: the least time consuming and exhaustive. Grey box: partly time consuming and exhaustive. White box: the most exhaustive and time consuming type of testing.
6. Algorithm testing. Black box: not suited to algorithm testing. Grey box: not suited to algorithm testing. White box: suited to algorithm testing.
7. Data domains. Black box: this can only be done by trial and error method. Grey box: data domains and internal boundaries can be tested, if known. White box: data domains and internal boundaries can be better tested.

4.3 Controls Assessment Procedures
Perform Scoping Analysis:
- Identify significant business applications, modules, line items and accounts
- Map processes and systems to significant accounts
- Determine locations / departments where significant business processes are performed (individually important, significant risk, significant when aggregated)
Document Significant Business Processes & Controls:
- Document process flows and develop control sets for all significant business processes and applications / IT
- Confirm location where significant processes are performed
Evaluate Design of Controls:
- Confirm control sets with business process owners
- Business units perform self-assessments for all documented control activities
- Identify significant changes in processes and systems quarterly
Test Operating Effectiveness of Key Controls:
- Design and develop test plans
- Determine level of testing for each location
- Execute test plans (Internal Audit, External Audit)
Remediate Exceptions:
- Identify control exception and root cause
- Work with business owners to determine remediation plan
- Analyze remediation items (individual and in aggregate)
- Implement remediation plan
- Monitor and track remediation progress
Perform Year End Activities:
- Define scope and approach for Q4 testing
- Perform '4Q / Update' testing (e.g., retesting of remediated items, high risk)
- Analyze remediation items (individual and in aggregate)
- Report on evaluation of internal controls

Cybersecurity Testing Center
[Diagram: the Cybersecurity Controls Test Center at the centre, surrounded by eight test centers: Endpoint Devices Test Center, Enterprise Applications Test Center, Network Security Test Center, Data Center Systems Test Center, Database Security Test Center, Identity Governance Test Center, Data Governance Test Center, Monitoring & Response Center]

Controls Mapping: Cybersecurity Controls Mapping
1. Attack Phase: Phase 1, before an attack; Phase 2, during an attack; Phase 3, after an attack. Attack Chain steps 1 through 7. NIST Controls Framework: Identify, Protect, Detect, Respond, Recover.
2. Controls Standards: General Computer Controls (ISO 27001:2013); Technical Controls (Council on Cyber security CSC); Management Controls (ISO 27001:2013). Technology & Services.
3. Programs & Projects: Endpoint Devices, Application Security, Network Security, Data Center Systems, Database Security, Identity Governance, Data Governance, Security Operations.
4. Testing Approach: Cybersecurity Testing Guides, Techniques, Assessment Procedures. Testing Center: Cybersecurity Controls Testing Center.

Risk Management Approach: FAIR Risk Model
Factor Analysis of Information Risk (FAIR) Terminology:
- Risk: the probable frequency and probable magnitude of future loss
- Loss Event Frequency: the probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset
- Loss Magnitude: the magnitude of loss resulting from a loss event
- Threat Event Frequency: the probable frequency, within a given timeframe, that a threat agent will act against an asset
- Vulnerability: the probability that an asset will be unable to resist the actions of a threat agent
- Primary Loss: consists of asset loss factors and threat loss factors
- Secondary Loss: consists of organizational loss factors and external loss factors
- Contact Frequency: occurs when a threat agent establishes a physical or virtual (e.g., network) connection to an asset
- Probability of Action: an act taken against an asset by a threat agent; requires contact to occur between the asset and threat agent
- Threat Capability: the probable level of force that a threat agent is capable of applying against an asset
- Resistive Controls: the resistive strength of a control as compared to a baseline measure of force
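The FAIR terms above form a tree: Risk is Loss Event Frequency times Loss Magnitude; Loss Event Frequency is Threat Event Frequency times Vulnerability; Threat Event Frequency is Contact Frequency times Probability of Action; Vulnerability comes from comparing Threat Capability with the control's resistive strength; and Loss Magnitude is Primary Loss plus Secondary Loss. The Python below is an added example that is not part of the presentation and not the FAIR standard's own tooling; it carries one constructed scenario through that decomposition with point estimates. Every number in it is an assumption for illustration, and treating threat capability as a uniformly spread (low, high) percentile range, so that vulnerability is the share of the range above the control's resistive strength, is a simplification chosen here, not a rule the deck states.

```python
"""FAIR-style risk estimate using the terminology on the FAIR slide.

Added example, not from the presentation or from FAIR's own tooling. The
factor relationships are the standard FAIR decomposition; the scenario
numbers and the uniform-range treatment of threat capability are
constructed assumptions.
"""


def threat_event_frequency(contact_frequency, probability_of_action):
    """Threat Event Frequency (per year): contact must occur first, then the
    threat agent must choose to act against the asset."""
    return contact_frequency * probability_of_action


def vulnerability(threat_capability, resistive_strength):
    """Vulnerability: probability the asset cannot resist the threat agent.

    Assumption: threat_capability is a (low, high) range of force percentiles
    spread uniformly; resistive_strength is the control's percentile. The
    asset is vulnerable to the share of that range above the control's strength.
    """
    low, high = threat_capability
    if resistive_strength >= high:
        return 0.0                # control outmatches every attacker in range
    if resistive_strength <= low:
        return 1.0                # every attacker in range beats the control
    return (high - resistive_strength) / (high - low)


def loss_event_frequency(tef, vuln):
    """Loss Event Frequency: the threat events that actually inflict harm."""
    return tef * vuln


def loss_magnitude(primary_loss, secondary_loss):
    """Loss Magnitude per event: primary (asset and threat loss factors) plus
    secondary (organizational and external loss factors)."""
    return primary_loss + secondary_loss


def estimate_risk(scenario):
    """Risk: probable frequency x probable magnitude of future loss, annualized."""
    tef = threat_event_frequency(scenario["contact_frequency"],
                                 scenario["probability_of_action"])
    vuln = vulnerability(scenario["threat_capability"], scenario["resistive_strength"])
    lef = loss_event_frequency(tef, vuln)
    lm = loss_magnitude(scenario["primary_loss"], scenario["secondary_loss"])
    return {"tef": tef, "vulnerability": vuln, "lef": lef,
            "loss_magnitude": lm, "risk": lef * lm}


# Constructed scenario (assumption): an internet-facing server probed monthly.
BASELINE = {
    "contact_frequency": 12.0,        # contacts per year
    "probability_of_action": 0.5,     # half of contacts turn into attempts
    "threat_capability": (40, 90),    # percentile range of attacker force
    "resistive_strength": 70,         # control resists the 70th percentile
    "primary_loss": 50_000.0,         # per event, USD
    "secondary_loss": 25_000.0,
}


def control_improvement(scenario, new_resistive_strength):
    """Annualized risk before and after strengthening the control.
    Returns (risk_before, risk_after)."""
    improved = dict(scenario, resistive_strength=new_resistive_strength)
    return estimate_risk(scenario)["risk"], estimate_risk(improved)["risk"]


if __name__ == "__main__":
    before, after = control_improvement(BASELINE, 85)
    print(f"annualized risk: {before:,.0f} -> {after:,.0f} "
          "after raising resistive strength to 85")
```

The comparison function is the practical use of the model: the deck's own risk equation puts controls in the denominator, and here the same idea appears as resistive strength cutting the vulnerability term, so a proposed control can be costed against the drop in annualized loss it buys rather than argued for in the abstract.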
Cybersecurity Program Summary
[Diagram: threats and vulnerabilities act on unmanaged assets (the risk = unmanaged assets); controls turn known assets into managed assets; managed assets feed the Cybersecurity Testing Center]
Where does our business stand on basic cybersecurity hygiene?
1. Do we know what's connected to our systems and networks?
2. Do we know what's running or trying to run on our systems and networks?
3. Are we limiting the number of people with administrative privileges to change, bypass or override the security settings?
4. Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers?
5. Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?

Thank You! Any Questions?