Communicating the Threat




Communicating the Threat
A Study to Assess Current Practices in Information Sharing and Gathering on Cyber-Security Threats in Canadian Public Sector, Crown Corporations and Major Private Sector Stakeholders

Project Study Leaders
Valarie Findlay, President, HumanLed Consulting
Kevin Wennekes, Chief Business Officer, Canadian Advanced Technology Alliance

January - July 2015

Contacts for this study:
Valarie Findlay (613) 798-3746 Vaf2@st-andrews.ac.uk / vfindlay@humanled.com
Kevin Wennekes (613) 769-8614 kwennekes@cata.ca

Study Objectives

The detailed study, Communicating the Threat, has a three-fold focus:

Cyber-Security in the Counter-Terror Model - Counter-terror models focus on physical threat activities and encourage cross-departmental collaboration, communication and shared, exchangeable skills and capabilities, including the transfer of information and intelligence from the federal to the community level. The discipline of cyber-security will be analyzed and evaluated in the same framework used in counter-terror models, as conceptualized in legislation and at the operational and practical levels, to deter, actively prevent, detect, respond to and recover from cyber-threats and potential cyber-terrorist attacks.

Cyber-Security Collaboration and Knowledge Sharing Cross-Sector - This area will assess current practices in information gathering and sharing, and its utilization, on cyber-security threats in the Canadian public sector, Crown corporations and major private sector stakeholders.

Developing a New Threat/Risk Assessment (TRA) Tool - Examining new Threat/Risk Assessment options and approaches that will provide a dynamic, detailed analysis of threats, risks, vulnerabilities and assets, with continuous improvement and shorter iteration cycles to ensure the most relevant and timely data.

Study Approach and Results

Information will be collected in questionnaire-guided in-person or telephone interviews and will explore these key areas:
1. Describing the current methods for determining risk and threat.
2. Describing the current legislation in relation to the counter-terror model and whether it adequately meets the needs in supporting the management of cyber-threat.
3. Describing the current overall practices in information sharing and gathering for the subject department or organization.
4. Detailed examination of types of information exchange, scope of information, types of cyber-threats, timeliness, and processes for clarification and escalation.
5. Limitations or gaps in the above and end-user suggested improvements.

Questionnaire

Participant Type: Executive/C Level; Senior Manager/Resource Supervisor; Knowledge/Operational/Level I, II or III; Professor
Organization Type: Government; Crown; Private Sector; Security Industry; Service/Professional Services; Academia
Contact Info:

Please note the following: Your participation is confidential, non-compensatory and voluntary. You may refuse to answer any question you feel to be intrusive or to contravene the security of your affiliated work or organization(s). You may choose to withdraw at any point without explanation. All collected data and notes will be treated confidentially, stored securely with access limited to the primary researcher (Valarie Findlay), and destroyed upon completion of the research report. Your email confirmation will be considered written consent to this interview process. Note that the numbering schema is intended for scoring purposes.

Participant Interview Questions

Insight and Opinion
1. Capabilities: What is your insight or opinion, if any and as applicable, of how cybersecurity is dealt with in general (Code: CAP):
2. Government:
3. Private Sector:
4. Crown:

5. Industry/Service Providers:
6. Capabilities: What is your insight or opinion, if any and as applicable, of how cybersecurity threats and vulnerabilities are (Code: CAP):
7. Communicated to your organization:
8. Within your organization:
9. How it is shared externally:
10. Capabilities: What do you consider to be the roadblock(s) in instituting adequate cybersecurity? (Code: CAP)
11. Capabilities: Describe current methods for determining risk and threat - tools, methods, policies, etc. (Code: CAP)
12. Capabilities: Describe your understanding of current legislation in relation to cybersecurity and privacy and whether it adequately meets the needs in supporting the management of cyber-threat (Code: CAP):
13. Capabilities: Describe current overall practices in information sharing and gathering; what type of information is shared, types of cyber-threats, timeliness, processes for clarification and escalation (Code: CAP):

Experience and Practices
14. Information Sharing: Is cross-departmental collaboration and communication encouraged? (Code: IS)
15. Information Sharing: Is there a process for monitoring outside threats and vulnerabilities? (Code: IS)
16. Information Sharing: If yes to #15, is the process for monitoring outside threats and vulnerabilities effective and timely? (Code: IS)
17. Skills: Are there shared, exchangeable skills and capabilities, including the transfer of information and intelligence internally and externally? (Code: SK)
18. Credentials: What training or credentials are required for security resources? (Code: CR)
19. Credentials: If yes to #18, are training or credentials verified, audited and kept up to date with training for security resources? (Code: CR)
20. Standards: What security standards and processes do you adhere to? (Code: ST)
21. Analysis: What is the level of analysis of threats, risks, vulnerabilities and assets prior to adopting new equipment, etc.? (Code: AN)
22. Analysis: If yes to #21, is this level of analysis of threats, risks, vulnerabilities and assets adhered to? (Code: AN)
23. Analysis: What is the frequency of analysis of threats, risks, vulnerabilities and assets after adoption? (Code: AN)

24. Improvement: Is there a continuous improvement process or framework for cybersecurity? (Code: IM)
25. Improvement: If yes to #24, is the continuous improvement process or framework for cybersecurity adhered to? (Code: IM)
26. Incident Reporting: Is there a clear and known incident reporting process for security resources and employees? (Code: IR)
27. Incident Reporting: If yes to #26, is the incident reporting process effective and timely? (Code: IR)

Gaps or Limitations
28. Gaps or Limitations: Discuss your perspectives or experience on the GAPS or LIMITATIONS in the following (Code: GP):
29. Information Sharing (Code: GP-IS):
30. Skills (Code: GP-SK):
31. Standards (Code: GP-ST):
32. Credentials (Code: GP-CR):
33. Analysis (Code: GP-AN):
34. Improvement (continuous improvement) (Code: GP-IM):
35. Incident Reporting (Code: GP-IR):
36. Discuss your SUGGESTED IMPROVEMENTS for the following (Code: SI):
37. Information Sharing (Code: SI-IS):
38. Skills (Code: SI-SK):
39. Standards (Code: SI-ST):
40. Credentials (Code: SI-CR):
41. Analysis (Code: SI-AN):
42. Improvement (continuous improvement) (Code: SI-IM):
43. Incident Reporting (Code: SI-IR):