Cybersecurity@RTD Program Overview and 2015 Outlook



Cybersecurity@RTD Program Overview and 2015 Outlook
Finance & Administration Committee Meeting, February 10, 2015
Sheri Le, Manager of Cybersecurity, RTD Information Technology, Department of Finance & Administration

Cybersecurity: What the Board of Directors Needs to Ask
1. Does the organization use a security framework?
2. What are the top five risks the organization has related to cybersecurity?
3. How are employees made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed within the organization?
6. In the event of a serious breach, has management developed a robust response protocol?
Document copyright 2014 by The Institute of Internal Auditors Research Foundation (IIARF).

RTD's Cybersecurity Framework
(1) Does the organization use a security framework?
Answer: Yes. RTD's cybersecurity assessments and strategy are informed by multiple government and private industry standards and frameworks.
Standards used for benchmarking RTD's cybersecurity posture in 2014:
- NIST Cybersecurity Framework (pub. 12 Feb 2014); correlates to:
  - NIST SP 800-53
  - COBIT
  - ISO 27001
  - SANS Critical Security Controls for Effective Cyber Defense
Standards that additionally inform the growth and development of RTD's cybersecurity strategy:
- APTA Standards Development Program Recommended Practices
- FTA Threat and Vulnerability Assessment Methodologies
- Department of Homeland Security (DHS) Recommendations and Methodologies, including those put forth by the Center for Internet Security (CIS) and sponsored by the DHS

Top Five Cybersecurity Risks
(2) What are the top five risks the organization has related to cybersecurity?
Answer: The top five things that keep me up at night are:
1) Securing RTD's credit card Point of Sale systems
2) Maintaining the integrity and availability of RTD's customer communications systems
3) Reviewing and applying appropriate access control to RTD's sensitive data, including personnel, payroll, and accounting systems
4) Managing third party and Bring Your Own Device (BYOD) access to RTD systems and networks
5) Controlling visibility and access to control and dispatch systems
Capabilities we are developing as an organization to address these items include:
- Organizational Cybersecurity Risk Awareness and Strategy
- Robust Incident Response Protocol and Follow Through
- Asset, Configuration, and Change Management
- Skilled, Dedicated Security Staff
- System Security Hygiene Across the Enterprise

Employee Cybersecurity Awareness
(3) How are employees made aware of their role related to cybersecurity?
Answer: RTD's security policy, Management Directive IT-1: Secure Computing Standards, and an accompanying cybersecurity training program and wiki, Cybersecurity@RTD, were published in May 2014, piloted with employees throughout 2014, and became an annual requirement for all salaried employees in January 2015.
- In 2014, 226 employees took the Cybersecurity@RTD self-guided training from the RTD intranet site
- Training was introduced to all new employees joining RTD since June of 2014
- Training and policy are revised and evaluated annually as the cybersecurity program matures

Cybersecurity Threat Analysis
(4) Are external and internal threats considered when planning cybersecurity program activities?
Answer: Yes. RTD receives information about threats originating from inside and outside the organization from a variety of external sources. RTD follows FTA methodologies to identify our most critical assets and prioritize cybersecurity actions to have the most impact on the greatest areas of risk.
[Figure: layered controls, from foundation upward: Policies; Processes, Procedures, Checklists, Education; Audits, Reviews & Compliance Testing; Technical Controls (Tools or Automation, Points of Presence)]
- Government and private sector information sharing groups for transportation, cybersecurity, and critical infrastructure threat intelligence
- Focus on the unintentional insider with cybersecurity governance, awareness training, and enforcement
- Supplement policy with detective and preventative technical controls to reduce dependency on end users
- Introduce controls for third parties who provide services to or control RTD data

Security Governance
(5) How is security governance managed within the organization?
Answer: Cybersecurity responsibility is delegated to the Information Technology department. Major risks are reviewed with the Senior Manager of IT and IT Management as they are identified; critical risks and incidents are reviewed with the IT Governance Committee (AGMs) and Senior Leadership Team (AGMs and GM).
[Figure: IIA Three Lines of Defense Concept for Security Governance*]
- Security policies, standards, and technical configurations that align with the business are in development
- Majority focus on the first line of defense (reactive)
- Internal / external audit functions will be IT security-control focused in 2015
* From Cybersecurity: What the Board of Directors Needs to Ask. IIA / ISACA. 2014.

Incident Response
(6) In the event of a serious breach, has management developed a robust response protocol?
Answer: Yes. In early 2014, RTD developed a preliminary critical incident handling framework for IT that addresses data breach or loss, security incidents, and major outages. Using industry best practices and lessons learned in 2014, RTD formally defined and published a robust incident management process in December 2014.
- Three-phased response process:
  1. Declare an incident
  2. Execute the response plan
  3. Incident review
- Identifies roles and responsibilities and communication flows from identification to closure
- Designed to integrate with Business Continuity and Recovery procedures (Disaster Recovery) when used as part of the response plan

Future Focus: 2015 and Beyond
- Require cybersecurity training for salaried computer users
- Train IT and other organizations in cybersecurity incident response
- Complete the first round of access control reviews
- Complete the first annual review and update of the Secure Computing Standards
- Perform a third-party Electronic Fare Collection Security Assessment (ticketing systems and SMT)
- Continue to develop asset profiles and configuration standards, including where third parties are concerned
- Update and enforce an enterprise-wide patch management program
- Establish basic network monitoring services
- Additional DHS / US-CERT assessments of enterprise and SCADA controls
Related Hot Topics in IT:
- Cloud Computing
- Disaster Recovery
- PCI Compliance
- Data Security
- Smart Media
- Control Systems

Key Takeaways
- RTD's cybersecurity program is growing on par with other transit agencies.
- RTD's program is informed by national standards and federal initiatives.
- RTD has performed analysis to identify the key areas where we must focus our cybersecurity efforts.
- RTD has engaged projects to further enhance our cybersecurity defenses and encourage a risk-aware culture.
- We are positioned to receive information about cybersecurity threats and respond appropriately to incidents.

Questions & Answers