Information Assurance Branch (IAB) Cybersecurity Best Practice for Executive Level Managers




U.S. Department of State, Diplomatic Security, Office of Training & Performance Standards, Security Engineering & Computer Security Training Division (SECD), Information Assurance Branch (IAB)
Cybersecurity Best Practice for Executive Level Managers
Version Number 1.0

Introduction
Welcome. This class is interactive... feel free to ask questions!
Housekeeping:
- Cell phones
- Breaks
- Restrooms
- Class materials
- Share your experiences
- Fire alarm/evacuation plan
- Natural disaster
- Sign-in/point of contact after class

Objective
Information Assurance (IA): the processes and procedures that protect information and information systems; a.k.a. cybersecurity.
At the end of this course the student will be able to:
- Summarize how IA supports the local mission
- Summarize ways you can support your employees in securing the information and information systems

Cybersecurity for Executives (agenda)
- Introduction
- Cybersecurity: Concepts and Challenges
- The IA Leadership Role & The IA Team
- Incident Handling

President's Cybersecurity Priorities
1. Protect the country's critical infrastructure
2. Improve our ability to identify and report cyber incidents
3. Promote internet freedom for an open, interoperable, secure, and reliable cyberspace
4. Secure federal networks
5. Shape a cyber-savvy workforce

Threats: US-CERT Cyber Incidents
The total number of security incidents reported to US-CERT annually more than doubled from fiscal year 2009 to fiscal year 2013.

Threats: Malicious Code
For the month of October 2014, the DOS antivirus scanning tools detected and eradicated 15,669 viruses at the desktop. VIRT members manually analyzed 6,678 email messages received at spam@state.gov.
Source: IRM Systems Integrity

Federal Laws: Historical Overview
- 1970s: Privacy Act of 1974
- 1980s: Computer Fraud and Abuse Act of 1984 (amended 1994, 1996, and 2001); Computer Security Act of 1987
- 1990s: Government Paperwork Reduction Act of 1995; Clinger-Cohen Act of 1996; PDD 63 (1998)
- 2000s: OMB Circular A-130, Appendix III (2000); USA PATRIOT Act of 2001; FISMA (2002); Homeland Security Act of 2002

FISMA
Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014
- Risk-based approach to IT security
- Automated and continuous monitoring; Continuous Diagnostics and Mitigation (CDM)
- Annual report to Congress on agency compliance with security requirements
- Role-based training
- NIST guidance complementary to CNSS
- Privacy

Introduction Summary: Where Are We Now?
- Unfavorable scores & reports
- Cyber threats are more aggressive and increasing
- Incidents that involve misuse of government resources or information continue
- Accessing and sharing of information is still the priority

Cybersecurity for Executives (agenda): Introduction; Cybersecurity: Concepts and Challenges; The IA Leadership Role & The IA Team; Incident Handling

IA: Concepts and Challenges 12

Vulnerability: Mobile Devices
- Why do we use these items?
- Why are they listed as a vulnerability?
- What are your organization's policies for their use?

Vulnerability: Social Networking
- Is your organization using any of these?
- Are there policies for their use?
- What about your employees and the personal use of social media?

The Risk Management Framework (RMF) 15

Risk Decisions
- Accept the risk
- Reduce the risk
- Avoid the risk
- Transfer the risk

What do you have? Is/are there:
- A risk policy
- An Assessment & Authorization (A&A) process
- Continuous diagnostics and mitigation
- Individuals responsible for security
- Tools and role-based training for those individuals

Activity
- What is the most important information created and/or stored in my organization?
- What parts of the organization rely on this information?
- What would be the impact if this information is compromised or lost?
- What is the biggest threat to this information?
- What are we doing currently to protect this information?
- Is there anything else we can do to increase the protection level? If yes, what resourcing decisions will have to be made?

Concepts & Challenges Summary
- Our information is a valued commodity
- Biggest concern: insider threat
- RMF: Review your categorization and the adequacy of the controls

Cybersecurity for Executives (agenda): Introduction; Information Assurance: Concepts and Challenges; The IA Leadership Role & The IA Team; Incident Handling

Your Mission
1. To what extent does meeting your mission depend on the information systems/networks?
2. How are you supporting cybersecurity at your site?
3. If an unauthorized USB media device is used on a computer in your organization and a virus infects the network and takes it out of service, who is ultimately responsible?
4. What if there is a loss of PII?

IA As A Cultural Value
Executive leadership is the key to a culture that values information security. What can you do to create an IA-based culture?
Activity: Discussion Questions

Leadership Responsibilities
- You own the system
- You set the example for your employees
- You provide support for success
- You approve policies and procedures
- You make the resource decisions
- You hold your employees accountable for good security practices

Tools for Cybersecurity Leadership
- Policies
- A&A
- Rules of Behavior
- CDM
- Cybersecurity Office
- Employees (discussed on the next slides)
- Training: role-based and user
- Contingency Planning

IA Executive Team
- Executive secretary, commissioner, CEO, etc.
- Chief Information Officer
- Chief Information Security Officer
- And their staffs (Cybersecurity/IA Office)
How are these people promoting cybersecurity?

The IA/Cybersecurity Team
- System Owner
- Information Owner
- Project Manager
- ISSO
- Developer
- System Manager
- Users

Class Activity: Your IA Team
- What can you do to support your IA team?
- Who are your key employees with IA responsibilities?
- What are some of their security responsibilities?
- What more can you do now to support these employees in fulfilling their responsibilities?

Cybersecurity for Executives (agenda): Introduction; Information Assurance: Concepts and Challenges; The IA Leadership Role & The IA Team; Incident Handling

What do you do?
Personnel issues:
- When do you get involved?
- What do you want communicated?
Loss of PII:
- Who gets contacted?
- What's the process?
What if it happens?
- Are there backups?
- Is there a contingency plan?
- Is there an offsite/alternate location?

Incident Handling
Incident: What do you need to know? What will you do?

Key Points
Information systems are:
- Tools to support the completion of the mission
Information security, a.k.a. cybersecurity, is a:
- Topic that affects everyone everywhere
Leadership:
- Make risk-based decisions, following federal guidance
- Support the professionals that implement cybersecurity
- Set the example, live the example, enforce the example
- Create a culture of protecting information and systems

Action Items Activity
Based on our discussions in this course, what will you do to assess or improve security at your site?
1.
2.
3.

Top Management Errors
7. Pretend the problem will go away if ignored
6. Authorize reactive, short-term fixes so problems re-emerge rapidly
5. Fail to realize how much money, information, and organizational reputations are worth
4. Rely primarily on a firewall
3. Fail to deal with operational aspects of security: make a few fixes and then do not follow through to ensure the problems stay fixed
2. Fail to understand the relationship of information security to the business problem; understand physical security but not the consequences of poor information security
1. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job