commonwealth information security officers advisory group ...approximately 15 years with the us...
TRANSCRIPT
![Page 1: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/1.jpg)
1
Commonwealth Information Security Officers
Advisory Group (ISOAG) Meeting
August 12, 2009
www.vita.virginia.gov 1
![Page 2: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/2.jpg)
2
August
![Page 3: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/3.jpg)
3
ISOAG August 2009 AgendaI. Welcome & Opening Remarks Peggy Ward, VITA
II. Cyber Governance Dr. Kenneth Brancik, NG
III. Virginia.gov DNSSEC Eric Taylor, NG
IV . Partnership Security Update Don Kendrick, VITA
V. 2009 COV Security Policy & Standard John Green, VITA
VI. Commonwealth Information Security Council Peggy Ward, VITA
VII. 2009 Commonwealth Security Data Points Peggy Ward, VITA
VIII. Physical Security: Protecting Your Users and What They Use Bob Baskette, VITA
IX . COVITS 2009 Peggy Ward, VITA
X. Upcoming Events and Other Business Peggy Ward, VITA
![Page 4: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/4.jpg)
Dr. Kenneth C. Brancik,CISM, CISSP, CISA, ITIL
Cyber Governance Managing the Integrated Governance, Risk
Management and Compliance (iGRC) Process to reduce Cyber risks
![Page 5: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/5.jpg)
Introduction - BIO
Northrop Grumman Information Systems (NGIS)
– Advanced Technology Group (ATG)– Principal Security Architect
Director at VerizonBusiness Security Solutions (Trusted Security Advisor)
Former Federal Bank Regulator for approximately 15 years with the US Treasury (OCC) and the NY FED
Worked on Wall Street for several years in Auditing Technology Risk (Merrill Lynch & CITIGROUP)
Manager within PwC’s Assurance and Business Advisory Services Line of Service for the Federal Sector
Published Author (Insider Threat)
5
![Page 6: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/6.jpg)
Key Points
The Role and Importance of the Cyber Governance Process
Security Assessments are an important component of Cyber Governance and should be performed on a continuous basis to reduce operational risk
Effective Identity and Access Management can reduce Cyber risks
INFOSEC Scorecards are an effective way of scoring Cyber hygiene and risk profile
Cyber Threat Modeling should address the entire Threat Landscape to address both internal and external attacks
Migrating from a Network Centric to a data centric security architecture requires a strong understanding of data flows
Regulatory compliance can be achieved in a cost effective manner, through an effective Cyber Governance Process
An understanding of the evolving Cyber threat vectors can aide in the decision-making process for the selection of an appropriate Defense in Depth Security Architecture
Developing security metrics can assist in measuring incremental improvements in Cyber defenses
6
![Page 7: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/7.jpg)
Cyber Governance (Begins with a Security Assessment)
Cyber Governance: Includes an on- going process for Integrated Security Assessment (ISA), Risk Modeling / Mitigation, Solutioning and Performance Management
Key Security Assessment Risks include, but are not limited to the absence of effective controls over the following components:
– System Characterization– Threat Identification– Vulnerability Identification– Control Analysis– Likelihood Determination– Impact Analysis– Risk Determination
A MACRO Taxonomy of Security Assessments
7
![Page 8: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/8.jpg)
A Micro Taxonomy of Security Assessments
Security Assessments
Micro Taxonomy (An Operational View) Taxonomy (1 of 4)
Compliance Business
Continuity Management
Internal Organization
Mgmts Commitment to
INFOSEC
Confidentiality Agreements
Contact with Authorities
External Parties
ID of Risks Related to Ext.
Parties
Compliance with Legal Requirement
Identification of Applicable Legislation
Intellectual Property Rights
Protection of Organizational
Records
Compliance with Security Policy & Stds
Plan of Action & Milestones
Security
Accreditation
InfoSys Audit
Considerations
InfoSys Audit Controls
Protection of InfoSys Audit
Tools
C&A, Security
Assessment P& P
InfoSys
Connections
Security
Certifications
INFOSEC Aspects of Bus. Cont.
Including INFOSEC in
the Bus. Cont. Mgmt Process
Business Continuity & Risk
Assessment
Dev. & Imp. Cont. Plans
Incl. INFOSEC
Bus. Cont. Planning
Framework
Security Assessments Taxonomy (1 of 4)
Organization of Information Security
Data Protection &
Privacy
Prevention of Misuse of Information Processing
Facilities
INFOSEC Coordination
Allocation of INFOSEC
Responsibilities
Authorization process for INFO
Processing Facilities
Contact with SIGS
Independent Review of
Information Security
Audit &
Accountability
Auditable
Events
Addressing Security when dealing with Customers
Addressing Security when
Third Party Agreements
Compliance with Sec. Policies and Standards and Tech Compliance
Technical Compliance Checking
Regulation of Crypto
Controls
Testing, Maintaining and re-assessing Bus.
Cont. Plans
Continuous Monitoring
Content of Audit
Records
Audit Storage
Capacity
Audit Processing
Protection of
Audit Info
Audit Retention
8
![Page 9: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/9.jpg)
A Micro Taxonomy of Security Assessments
Security Assessments Micro Taxonomy (An Operational View)
(2 of 4)
Information Systems Acquisition, Development and Maintenance
Security Req. Analysis &
Specs
Correct Processing in
Apps
Input Data Validation
Cryptographic
Controls
Policy on the Use of
Cryptographic
Key Management
Control of Operational
Software
Access Control to Program
Source Code
Security in Development and Support
Tech Review of Apps after
O/S chgs
Restrictions on Chgs to Software
Packages
Information Leakage
Outsourced Software
Development
Threat & Vulnerability Identification
Security Assessments Taxonomy (2 of 4)
Security of System Files
Protection of System Test
Data
INFOSEC Incident Mgmt
System
Investigation – (Forensics) Taxonomy
Security Req. of InfoSys
Control of Internal
Processing
Message Integrity
Output Data Validation
Build Asset-Based Threat Profiles
ID Infrastructure Vulnerabilities
Develop Security Strategy and Plans
Controls of Technical
Vulnerabilities
Application Protection
Server Protection
Desktop Protection Network
Vulnerability Scans
9
![Page 10: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/10.jpg)
A Micro Taxonomy of Security Assessments
Classification Guidelines
Information Labeling & Handling
Security Assessments Taxonomy (3 of 4)
Inventory of Assets
Asset Mgmt
Information Classification
Responsibilities for Assets
Ownership of Assets
Acceptable Use of Assets
IAM Controls
(Refer to “IAM Control Taxonomy”)
Information
Security Policy
Information Classification
Review of the Information
Security Policy
Information Security Policy
Document
Human Resources Security
Mgmt Responsibilities
INFOSEC Awareness, Education &
Training
Roles & Responsibilities
Prior to Employment
Screening
Terms & Conditions of Employment
During Employment
Termination Responsibilities
ROA
Termination or Change of Employment
Removal of Access Rights
Security Assessments Micro Taxonomy (An Operational View)
(3 of 4)
10
![Page 11: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/11.jpg)
A Micro Taxonomy of Security Assessments
Security Assessments Taxonomy (4 of 4)
Documented Ops Proc.
Communications and Operations Management
Ops Proc &
Responsib.
Change Mgmt
Security Assessments Micro Taxonomy (An Operational View)
(4 of 4)
Svc Delivery
3rd Party Svc Deliv.
Mgt
Monitoring & Review of 3rd
Party Svcs
Capacity Mgmt
Sys Planning & Accept
System Acceptance
Controls against
MalCode
Protection against
Malcode
Controls against
Mobile Code
Information Back-Up
Back-Up
Network Controls
Network Security Mgmt
Security of Network Svcs
Management of Removable
Media
Media Handling
Disposal of Media
Info Exchange
P&P
Exchange of Info
Exchange Agreements
Electronic Commerce
Electronic Commerce
Svcs
On-Line Transactions
Audit Logging
Monitoring
Monitoring System Use
Segregation of Duties
Separation of Dev, Test &
Ops Facilities
Managing Chgs to 3rd Party Svcs
Info Handling Procedures
Security of Systems Doc
Physical Media In Transit
Electronic Messaging
Business Info Systems
Publicly Available
Information
Protection of Log Information
Administrator and Operator
Logs
Fault Logging
Clock Synch
11
![Page 12: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/12.jpg)
A Macro Taxonomy of IAM
Key Identity and Access Management (IAM) Risks include, but are not limited to the absence of effective controls over the following components:
– User Management, Administration, and Maintenance systems– User Provisioning and De-provisioning– User Self Service and Self Registration– Approval Workflows– Web Access Management– Enterprise Single Sign-On– Identity Federation and Partner Access– Role Based Access Control (RBAC) systems– Credentialing Systems– Digital Signing– Encryption Systems– Records Security and Data Privacy– Audit and Reporting
IAM Controls
Network Access Controls
User Responsibilities
User Access Mgmt
Business Requirements
Application & Information Access
Control
Mobile Computing & Teleworking
Authorization
Operations System Access Controls
IAM Control Taxonomy
(A Macro Executive View)
12
![Page 13: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/13.jpg)
A Micro Taxonomy for IAM
IAM Micro Taxonomy (An Operational View)
Business
Requirement. for Access Control
User Access
Management
User
Responsibilities
Network Access
Controls
Operations Sys Access Controls
App. & Info
Access Control
Mobile
Computing & Teleworking
Policy Enforcement
Access Control
Policy Decision Automated
Marking
Policy Management
Services
Principal Data Management
Resource Data Management
Environmental Data Management
Account Provisioning
Access Log Services
Automated Labeling
User Registration
Privilege Management
Password Management
Revision of Access Rights
Password Use
Unattended User
Equipment
Clear Desk and Clear
Screen Policy
(B) Segregation
of Duties
Policy on use of Network
Services
User Auth. For Ext Connect
Equipment Identification in Network
Remote Diag. & Config. Protection
Segregation in Network
Network Connection
Control
Network Routing Control
Secure Log-on Procedures
User Ident. & Auth
Password Management
System
Use of System Utilities
Session Time-Out
Limitation of Connection
Time
Information Access
Restrictions
Sensitive System
Isolation
Info Flow Enforcement
Least
Privilege
Device Ident. & Auth.
Concurrent Session
Control
System Use Notification
Mobile Computing . & Commun.
Teleworking
- Remote Access - Wireless Access
- A/C for Port. & Mobile Systems - Personally Owned Information Systems
Session
Termination
Session Lock
Permit. Actions w/o Ident & Authent..
Authorization
Unsuccessful Log-in Attempts
13
![Page 14: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/14.jpg)
Cyber Governance – (Typical INFOSEC Scorecard)
Security Policies, Standards and
Procedures
• Organizations are faced with the challenge of developing integrated security policies, standards and procedures. Mapping documented guidance to compliance, audit and corporate level guidance is a significant challenge
Systems Development and Security Architecture
. While the software development industry is making efforts to secure the design and implementation of the software development and engineering processes, their still is no defacto standard for industry sound and best practices, however, this area is improving
Information Security Monitoring & Data
Sourcing
• The security event and information monitoring (SEIM) process is starting to mature, however, there is still a significant amount of work which remains in this area in terms of determining root cause analysis for breaches (external and internal) and the creation of actionable items for corrective action
Production Application Systems Security
• The primary emphasis has historically been on pre-implementation reviews vs production applications. Recently, there has been an increased regulatory oversight on assessing the processes and controls governing production applications and systems (i.e. SOX 404, introduction of new code and vulnerabilities to applications due to version changes and patch management)
Network Security • CyberSecurity awareness within many organizations has generally improved over the past few years, however, information security architecture and design needs enhancements are needed to more effectively implement the Defense in Depth Model of layered security protection
User Authentication and Access Controls
•Many organizations are still placing too much reliance on the network controls vs the use of combined network and native application and systems controls for controlling user access
14
![Page 15: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/15.jpg)
Cyber Governance – (Typical INFOSEC Scorecard)
Vendor Management for Security
• Challenges facing organizations in Vendor Management is maintaining transparency and on-going communication of key information between the software vendor and service provider
Incident Response (Including Digital
Forensics)
• CyberSecurity Awareness and Preparedness has improved for many organizations in both the public and private sector, however, testing of the Incident Response Preparedness plan, which covers digital forensics and other areas are not being regulatory performed or performed at all.
15
![Page 16: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/16.jpg)
Cyber Threat Modeling
The Cyber Threat Modeling Needs to Factor many components: The results of the Security Risk Assessment, Vulnerabilities Identification, the Threat Landscape, Regulatory, Legal Compliance considerations and Industry Sound and Best Practices
There is a movement over the past few years for organizations to evolve from a Network to a Data Centric Model or “De-Perimeterization” for Cyber Risk Reduction and strengthening layered defenses for data privacy
De-Perimeterization (Data Centric Model) and “Control Point” identification
De-Perimeterization (Data Centric Model) and the Security Architecture
16
![Page 17: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/17.jpg)
The Nexus between the concept of De-Perimeterization, Regulatory Compliance & Security Architecture, lies within the identification and mapping of key data flows and “Control Points” within the enterprise and beyond
– Perimeter Security
– Data flow
– Regulatory Compliance
– Security Architecture
De-Perimeterization (Data Centric Modeling) (A Nexus to Perimeter Security, Regulatory Compliance & Security Architecture)
17
![Page 18: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/18.jpg)
The Traditional Network Centric Defense in Depth Layered
Security Architecture Perimeter Protection
Diagram Courtesy of Tom Diagram Courtesy of Tom KellermannKellermann, VP Core Technologies, VP Core Technologies
18
![Page 19: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/19.jpg)
Data Flow
Data Flow
Data Flow Data Flow
Data Flow
Data Flow
The Progressive De-Perimeterization (Data Centric Modeling) Security Architecture Approach
(Data Flow Mapping)
Transaction Creation
Transaction Creation
Supporting Technology
Supporting Technology
Transaction Processing
Supporting Technology
Supporting Technology
Transaction Processing
Supporting Technology
Supporting Technology
Transaction Processing
Supporting Technology
Supporting Technology
Transaction Processing
Business Process (Data) “flows horizontally”
Transaction Completion
Transaction Completion
Supporting Technology “flows vertically”
Where Data intersects technology, this is where
operational risk identification becomes truly
integrated
Best Practices: ID Data Flow Critical Path and Identify “Control Points”, where there is IAM, Input, Processing, Output / Data Transmission, storage & MIS Reporting functions
Diagram Courtesy of Jim Diagram Courtesy of Jim NelmsNelms, CISO of the World Bank, CISO of the World Bank
![Page 20: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/20.jpg)
Application Controls
Embedded in the financial and related applications
Application Controls
Embedded in the financial and related applications
De-Perimetization (Data Centric Modeling) &
Domestic Regulatory Compliance
General IT and IS Controls
Present in IT platforms that support financial and related applications
General IT and IS ControlsPresent in IT platforms that support financial and related applications
COSOCOSO
Sarbanes-
Oxley
Sarbanes-
Oxley
ITILITIL CoBITCoBIT CMMiCMMi ISO/ BS
ISO/ BS
ExternalRegulation
ExternalRegulation
CorporateGovernance
CorporateGovernance
ITGovernance
ITGovernance
OperationalRisk
OperationalRisk
HIPAAHIPAA
TechnologyRisk
TechnologyRisk
eDiscoveryeDiscovery
OWASPOWASPGAOGAO
GLBAGLBA Breach
Notification
Breach
Notification
SysTrust/WebT
rust
SysTrust/WebT
rust
Enterprise & Security
Architecture Methodologies
Enterprise & Security
Architecture Methodologies
CobITCobIT
Commonwealth of VirginiaCommonwealth of Virginia NISTNIST
PCIPCI
Diagram Courtesy of Jim Diagram Courtesy of Jim NelmsNelms, CISO of the World Bank, CISO of the World Bank
![Page 21: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/21.jpg)
Cyber Vulnerabilities
Vulnerabilities– Backdoors and holes in the network perimeter– Vulnerabilities in Common Protocols– Attacks on Field Devices– Database Attacks– Man in the Middle Attacks– Poorly Configured Firewalls– Trusted Peer Utility Links
And many more!
21
![Page 22: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/22.jpg)
Cyber Threat Actors
Script Kiddie
Recreational Hacker
Cyber Activist
Organized Crime
Terrorist Organization
Nation-State
Insider Threat
22
![Page 23: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/23.jpg)
Cyber Threats
EXTERNAL Threats: (The external attack vectors are the most commonly documented attacks of the three categories. The conventional attack pattern vectors have been memorialized primarily within MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC) repository and other data sources)
– Bot-network operators – Criminal groups – Foreign intelligence services – Hackers– Phishers– Spammers– Spyware/Malware– Terrorists
INTERNAL Threats: (The Insider Threat component is one of the more elusive and insidious components of the Threat Landscape and represents a National Security concern given its implications on all sectors of the critical infrastructure. There is minimal data available in the public domain that provides credible data on this significant threat component. Consequently, the threat modeling process has long overlooked this significant component of the equation and has left many organizations unnecessarily exposed to this threat)
– Unauthorized System Access– Inappropriate Use of Confidential Corporate Data stored in one computer– Computer Data Manipulation– Ease of Access into a Computer System– Software Code Manipulation– Misuse of System’s Capabilities– Inadequate Network Journaling for Forensic Purposes– Illegal data transactions– Loss of IPR
23
![Page 24: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/24.jpg)
Cyber Threats
APT: The APT is the most elusive of all the threat vectors and involves the combination of conventional network attacks used in combination with many other components (i.e. People, Processes and Technology) to create a complex modus operandi and APT attack scenarios
Common Conventional Network Attacks (Mitre’s CAPEC) that can serve as the tip of the speak for more sophisticated attacks, involving people, processes and technology includes, but not limited to the following attacks:
– Blind SQL Injection - (7)– SQL Injection (66)– Client-side Injection-induced Buffer Overflow (14)– Overflow Binary Resource File (44)– Target Programs with Elevated Privileges (69)– Lifting Sensitive Data from the Client (94) (category not pattern)– Exploitation of Authorization (103) (category not pattern)
24
![Page 25: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/25.jpg)
A Cyber Macro Taxonomy
Of the Threat Landscape
(2) THE INSIDER THREAT
(3) APT
1.a Abuse of
Functionality
1.i Data Leakage
Attacks
1.b Spoofing
1.c Probabilistic Techniques
1.d Exploitation of Authentication
1.e Resource Depletion
1.f Exploitation of
Privilege / Trust
1.j Resource
Manipulation
2.A Data Input
Manipulation
2.b Data
Destruction
2.c Application or sys destruction
2.d Data
Suppression
2.i Hacking
2.j Code
Manipulation
2.k Logic Bomb
2.r Transmission of Unauthorized e-
mails
2.s. Damage to System
Availability
2.t Data
Leakage
2.u Exploitation of
Software Vulnerabilities
2.v Circumvention of Security Controls
2.w Deletion of
Audit Trails
2.1.a DoS
2.1.b Financial “Window-Dressing”
2.1.c Password
Trafficking
2.1.d Collusion
(insider/outsider)
2.1.e Data Privacy
(ID Theft)
2.1.f Data Privacy
(Extortion against Data Owner)
3.a Pre-Attack
ISR
3.b Pre-Attack
Target Selection
3.c Pre-Attack
Trojan / Tool Dev
3.d Pre-Attack C2 Setup
3.e Attack
Spear Phishing
3.j Overflow Binary
Resource File
(1) EXTERNAL THREATS
1.k Time &
State Attacks
2.e Denial of Service
2.f Misuse of Sys Capabilities
2.l MalCode Injection
2.m Trojan Horsse
`2.nInappropriate use
of Confidential Data
3.k Target Programs
with Elevated Privileges
3.l Lifting Sensitive
Data from the Client
3.m Exploitation of Authorization
3.n Maintain Access to
System
3.o Expand Access
3.f Web (SQIA) or
other Server Attack
1.g Injection
2.xInappropriate Data Viewing
2.1.g (Unauthorized
Funds Transfer)
2.g Hardware
destruction or damage
`2.oIllegal Fin’l Transaction
3.pCommand and
Control
3.gIllicit Device
Attack (USB, etc.)
3.hDown-Stream
Trust Exploitation
3.i Gain Initial
Access
1.h Data Structure
Attacks 2.h
Access Control (Level Misuse/Mods/ Access level Privilege
Escalation)
`2.pInappropriate Acq. Of Data
2.yDormant Acct Reactivation
`2.q Employee
Impersonation
2.zProg. Access
to Prog & Prod Data
25
![Page 26: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/26.jpg)
Compliance – (Data Privacy)
The prevention and responding to improper disclosures of personal information is becoming a systemic concern both within both the public sector and throughout each segment of the Critical Infrastructure
In the public sector, the Government Accountability Office (GAO) testified to the Committee on Government Reform, House of Representatives on the issue of data privacy in the federal government. – The GAO’s June 8, 2006 publication on this testimony concluded that federal
agencies can take a number of actions to help guard against the possibility that databases of personally identifiable information are inadvertently compromised.
26
![Page 27: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/27.jpg)
Compliance – (Data Privacy)
The two key steps include:– Develop a privacy impact assessment (PIA) (An analysis of how personal
information is collected, stored, shared, and managed – whenever information technology is used to process personal information)
– Ensure that a robust information security program is in place, as required by the Federal Information Security Management Act of 2002 (FISMA)
27
![Page 28: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/28.jpg)
Compliance – (Data Privacy)
GAO recommends that controls over privacy and security of personal information could be strengthened by:– Limiting the Collection of personal information (limits the opportunity for that
information to be compromised)– Limiting Data Retention (Retaining personal data longer than needed by
regulation adds to the risk that the data will be compromised)– Limit access to personal information and train personnel accordingly (Only
individuals with a need to access databases of personal information should have such access, and controls should be in place to monitor that access)
– Consider using technological controls such as encryption when data needs to be stored on mobile devices (i.e. laptop computers)
International – Cross Border Risks • Safe Harbor – US and EU for data privacy protection• APEC - US and members of the Asia Pacific region for data privacy
protection
28
![Page 29: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/29.jpg)
Compliance – (e-Discovery)
Interest in Data Breach Notification Legislation Has Increased
– Federal laws to date have not required agencies to report security breaches to the public, although breach notification has played an important role in the context of security breaches in the private sector.
– Several bills have been introduced to Congress and the Senate such as the Data Accountability and Trust Act (DATA), which would establish a national requirement for companies that maintain personal information to notify the public of security breaches.
Understanding E-Discovery Interrelationships
Putting all the pieces together– The Parent process that drives E-Discovery is Operational
Risk• The children of the parent process includes not only
E-Discovery but all the other components of this process, such as:
– Information Security– Risk Governance– Integrated Risk Assessment– Legal/Regulatory/Audit– Software Development and Engineering
Processes– SIEM– Incident Response Preparedness– Computer Forensics– Journaling– Archiving
29
![Page 30: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/30.jpg)
Compliance (General)
eDiscovery and operational risks can be reduced through an integrated risk assessment, threat analysis and privacy impact assessments which identify, measure, monitor and control the collection and storage of Electronically Stored Information (ESI)
eDiscovery and operational risks can be reduced through the implementation and testing of information security procedures which outline risk governance processes over Legal, Regulatory and Audit Processes, Software Development and Engineering, Security Information and Event Management (SIEM), Digital Forensics, Journaling and Archiving
_______________
Industry Sound and Best Practices: (ISO 27001 - 27005, NIST, ITIL, COBIT, SABSA, COV Security Requirements, DSS PCI, HIPPA, etc.)
30
![Page 31: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/31.jpg)
Cyber Solutions
Enterprise Risk Assessment (ERA) – (Cyber Vulnerabilities + Threats)
Threat Modeling
Compliance
Residual Risk Identification (Inherent Risk – Mitigating Controls) and Risk Acceptance
Economics (Costs and Performance Based Measurements to Identify incremental Security Improvements)
31
![Page 32: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/32.jpg)
Security Control Selection (Based on the iGRC Processes)
Integrated Risk Assessment (IRA)– Classify and Rank Sensitive Data, Systems, and Applications– Assess Threats and Vulnerabilities– Assign Risk Ratings– Develop an INFOSEC Risk Strategy:
– Enterprise (EA) and Security Architecture (SA) Considerations» Policies and Procedures» Technology Design» Outsourced Security Services
• Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include:
– Appropriate consideration of prevention, detection, and response mechanisms– Implementation of the least permissions and least privileges concepts
– Security Controls Implementation:• Identify Cyber Base Practices for each component of Cyber Security & Integrate
32
![Page 33: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/33.jpg)
Cyber Controls Taxonomy
ERM – (Enterprise Risk Management)
Systems Development & Acquisition
User Authentication & Access Controls
Security Assessments
Unified Threat Management
Management of Encryption Key & Digital Certificates
Event Correlation
System Patch Management
Supply Chain Vulnerabilities
Secure Mobile Computing
Information Security Monitoring
Security Outsourcing
Security Architecture
Network Security & IAM
Production Application Security
Information Classification
IDS & IPS
Incident Response & Preparedness
Digital Forensics
Diagnostic Testing
Information Asset Protection
Characterization of System & Data Flows
33
![Page 34: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/34.jpg)
Performance Measurement (Metrics)
The 2009 CIS Security Metrics
– Incident Management– Vulnerability Management– Patch Management – Application Security– Configuration Management– Financial Metrics– Other
34
![Page 35: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/35.jpg)
Enterprise Security Architecture
The User Requirements and Design of the Enterprise Security Architecture should be a tight integration of the entire Cyber Governance Process
Layered Defenses within the IT infrastructure should be a by-product of an Enterprise- Wide Cyber Governance Process
IMPORTANT: The Cyber Risk Governance Process is on-going and iterative and so baking these processes into daily operational activities is the right RX for maintaining Good Cyber Hygiene!
35
![Page 36: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/36.jpg)
THANK YOU!
QUESTIONS?
Dr. Kenneth C. Brancik, CISM, CISSP, CISA, ITIL
Northrop Grumman Corporation
The Advanced Technology Group (ATG)
7575 Colshire Drive,
McLean, VA
(703) 883-8333 (Office)
36
![Page 37: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/37.jpg)
37
![Page 38: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/38.jpg)
38
Virginia.gov DNSSEC
![Page 39: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/39.jpg)
Agenda and objectives
• Objective • Provide update on DNSSEC effort and specifically the pilot
environment• Request your participation in ensuring success
• Agenda• Review DNSSEC requirements• Explain DNSSEC testing and the SNIP• Outline high level plan and milestones• Discuss actions and next steps
39
![Page 40: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/40.jpg)
DNSSEC
• On August 22, 2008, the Office of Management and Budget (OMB) released a memorandum requiring U.S. Federal Agencies to deploy DNSSEC across .gov sites• The .gov root was signed in January 2009• All subdomains under .gov must be signed by December 2009.
• DNS Security Extensions• Provides Authentication and Integrity
• Authentication of the origin• Helps to prevent spoofing• DNS Data integrity
• Uses public keys and signatures
• The IT Partnership has launched a project to ensure all Commonwealth sub-domains (virginia.gov) are signed by December 2009, and the test environment will soon be available
40
![Page 41: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/41.jpg)
What is the SNIP?
• The Secure Naming Infrastructure Pilot (SNIP) is a joint project involving NIST, SPARTA Inc, and the Dept. of Homeland Security.
• The main goal is to provide a test domain for participants to use and become familiar with the DNS Security Extensions (DNSSEC) and how they will affect current DNS operations.
• DNS operators will use a basic SNIP delegation from the SNIP domain (dnsops.gov) and attempt to mirror their current operational procedures.
41
![Page 42: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/42.jpg)
SNIP Infrastructure
InternetInternet2
dnsops.govdnsops.biz
dnsops.govsecondary
virginia.dnsops.gov
abc.virginia.dnsops.govideas.virginia.dnsops.gov
Delegation from dnsops.gov
Delegation from Virginia.dnsops.gov
42
![Page 43: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/43.jpg)
Viginia.gov SNIP• Virginia.dnsops.gov assigned and signed
• CTNGH03.Virginia.dnsops.gov
Sub-Domain Participation • Pilot (Test environment) is optional but strongly recommended• Production required
• Requirements • BIND 9.3.2 +• Name Server Daemon (NSD) maintained by NLNet Labs• Several Commercial Products and appliances
• Must support - RFC4033, RFC4034, and RFC4035• Full Support for DNSSEC will be introduced in Windows
Server 2008 R2 and Windows 7.• Server 2003 has partial support of DNSSEC
• Registration of sub-domains is being done manually• Contact: [email protected]
43
![Page 44: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/44.jpg)
Moving Forward
• Discovery• Parallel task with SNIP task• Communications will be published requesting information
about the current DNS • Design and Development
• DNSSEC Key Polices - creation, rollover scheme, key expiration
• Design and document operational processes and procedures• SNIP (Testing)
• Provides playground for testing your DNSSEC operations• Implementation
• Execute and monitor implementation process• Monitor and support
44
![Page 45: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/45.jpg)
DNSSEC Timeline
Proposed Timeline
45
![Page 46: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/46.jpg)
• In-scope Agencies• Preferred option is to migrate existing DNS to CESC
Enterprise DNS• Partnership is responsible for completing implementation • Project team will engage SD and Tower leads
• Out-of-Scope Agencies• Encouraged to participate in pilot environment• Required to participate in production environment
46
![Page 47: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/47.jpg)
In Scope Agencies Subdomain Authoritative Name Server Inscope Agency Notes
dpor.virginia.gov fw.dpor.virginia.gov. Yes DPORoig.virginia.gov dns.dmhmrsas.virginia.gov. Yes OIGabc.virginia.gov dns.abc.virginia.gov. Yes ABCabc.virginia.gov dns.abc.state.va.us. Yes ABCabc.virginia.gov dns2.abc.virginia.gov. Yes ABCabc.virginia.gov dns2.abc.state.va.us. Yes ABCdss.virginia.gov bastille.dss.state.va.us. Yes DSSdss.virginia.gov dssgate.dss.state.va.us. Yes DSSworkcomp.virginia.gov dns1.workcomp.virginia.gov. Yes CB Virginia Workers' Compensation Commissionworkcomp.virginia.gov dns2.workcomp.virginia.gov. Yes CB Virginia Workers' Compensation Commissioncicf.virginia.gov dns1.cicf.virginia.gov. Yes CB Criminal Injuries Compensation Fundcicf.virginia.gov dns2.cicf.virginia.gov. Yes CB Criminal Injuries Compensation Fundvsp.virginia.gov ns1.vsp.virginia.gov. Yes VSPvsp.virginia.gov ns2.vsp.virginia.gov. Yes VSPdmhmrsas.virginia.gov dns.dmhmrsas.virginia.gov. Yes DMHMRSASdmhmrsas.virginia.gov dgsfirewall.dgs.virginia.gov. Yes DMHMRSASvdh.virginia.gov dns-ext-1.vdh.virginia.gov. Yes VDHvdh.virginia.gov dns-ext-2.vdh.virginia.gov. Yes VDHvdh.virginia.gov dns-ext-2.vdh.virginia.gov. Yes VDHschev.virginia.gov dnrc1.principle.schev.edu. Yes SCHEVschev.virginia.gov dnrc2.principle.schev.edu. Yes SCHEVdhrm.virginia.gov ns1.dhrm.virginia.gov. Yes DHRMdhrm.virginia.gov ns2.dhrm.virginia.gov. Yes DHRMcvc.virginia.gov ns1.dhrm.virginia.gov. Yes DHRMcvc.virginia.gov ns2.dhrm.virginia.gov. Yes DHRMwww.drpt.virginia.gov ns.cybersharks.net. Yes DRPTwww.drpt.virginia.gov ns2.cybersharks.net. Yes DRPTftp.drpt.virginia.gov ns.cybersharks.net. Yes DRPTftp.drpt.virginia.gov ns2.cybersharks.net. Yes DRPTolga.drpt.virginia.gov ns.cybersharks.net. Yes DRPTolga.drpt.virginia.gov ns2.cybersharks.net. Yes DRPT
47
![Page 48: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/48.jpg)
Unknown POC’s
• Discovery Phase
Subdomain Authoritative Name Server Inscope Agency Notes
agencies.virginia.gov ns1.agencies.virginia.gov. TBD Under Constructionagencies.virginia.gov ns2.agencies.virginia.gov. TBD Under Constructionvcapride.virginia.gov ns1.easy-cgi.com. TBD Valley Commuter Assistance Program (VCAP)
related to NSVRCvcapride.virginia.gov ns2.easy-cgi.com. TBD Valley Commuter Assistance Program (VCAP)
related to NSVRCnsvrc.virginia.gov ns1.easy-cgi.com. TBD Northern Shenandoah Valley Regional Commission
(NSVRC) related to VCAPVirginia Association of Planning District Commissions
nsvrc.virginia.gov ns2.easy-cgi.com. TBD Northern Shenandoah Valley Regional Commission (NSVRC) related to VCAPVirginia Association of Planning District Commissions
espl.virginia.gov ns.intercom.net. TBD Eastern Shore Public Library espl.virginia.gov ns2.intercom.net. TBD Eastern Shore Public Library
48
![Page 49: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/49.jpg)
Out of Scope AgenciesSubdomain Authoritative Name Server Inscope Agency Notes
ideas.virginia.gov dns1.midphase.com. No VEAPideas.virginia.gov dns2.midphase.com. No VEAPcgep.virginia.gov uvaarpa.virginia.edu. No Commonwealth Graduate Engineering Program
cgep.virginia.gov nom.virginia.edu. No Commonwealth Graduate Engineering Program
vi.virginia.gov ns.vipnet.org. No Virginia Interactive
vi.virginia.gov burr.ai.org. No Virginia Interactive
business.virginia.gov ns.vipnet.org. no Virginia Interactive
business.virginia.gov burr.ai.org. no Virginia Interactive
49
![Page 50: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/50.jpg)
Resources
• http://www.dnssec.net/• http://www.dnsops.gov/• http://www-x.antd.nist.gov/dnssec/• NIST SP 800 81 - Secure Domain Name System
(DNS) Deployment Guide
50
![Page 51: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/51.jpg)
Questions
51
![Page 52: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/52.jpg)
52
Agency Encryption Requirements Survey Results
Partnership Security UpdateDon Kendrick
Senior Manager of Security Operations
![Page 53: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/53.jpg)
53
2009 COV Security Policy & Standard Update
John GreenDeputy Chief Information Security Officer
www.vita.virginia.gov 53
![Page 54: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/54.jpg)
54
Policy, Standard & Guidelines Update1. Collect comments & questions from the IS community during the year
2. Create draft of policy, standard or guideline (PSG) addressing comments…
3. Distribute draft to IS Council for review, input & feedback
4. Collect comments from IS Council, usually giving them a week or so to review
5. Review & address Council comments in the PSG
6. Send draft of PSG to ITIES Directorate for review & comment
7. Aggregate comments from ITIES, usually takes a week or so
8. Comments from ITIES are reviewed with CSRM management & addressed as
appropriate
9. Draft of PSG is sent to ITIES for posting to Online Review Comment Application
(ORCA)…
10. Gather comments from IS community (ORCA) for at least 30 days
11. Review & address ORCA comments
12. Create responses to comments from ORCA reviewers & distribute through ITIES
13. Send finalized version of PSG to ITIES who sends it to the CIO for approval.
14. If the CIO approves it goes to the ITIB for consideration & approval. If a standard
or guideline there is a 5 day comment period & if a policy it must be approved at
an ITIB meeting
15. Once approved it is posted to the webPolicy and Standard
Progress:Step by Step
= STATUS LAST MONTH= STATUS THIS MONTH
![Page 55: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/55.jpg)
55
Commonwealth Information Security Council
Peggy WardChief Information Security Officer
www.vita.virginia.gov 55
![Page 56: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/56.jpg)
www.vita.virginia.gov 56
2009 Commonwealth Security Annual Report
Peggy WardChief Information Security Officer
www.vita.virginia.gov 56
![Page 57: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/57.jpg)
www.vita.virginia.gov 57
§ 2.2-2009§ 2.2-2009. (Effective until July 1, 2008) Additional duties of the CIO relating
to security of government information.
C. The CIO shall report to the Governor and General Assembly by December 2008 and annually thereafter, those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch and independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to the (i) Information Technology Investment Board, (ii) affected cabinet secretary, (iii) Governor, and (iv) Auditor of Public Accounts. Upon review of the security audit results in question, the Information Technology Investment Board may take action to suspend the public bodies information technology projects pursuant to subdivision 3 of § 2.2-2458, limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor any other appropriate actions.
![Page 58: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/58.jpg)
www.vita.virginia.gov 58
Acronyms:ISO: Information Security Officer IS: Information Security CAP: Corrective Action PlanCISO: Chief Information Security Officer of the Commonwealth
ISO Designated: The Agency Head hasYes - designated an ISO with the agency within the past two yearsNo - NOT designated an ISO for the agency since 2006Expired –designated an ISO more than 2 years ago or the designated ISO is no longer with the agency
Attended IS Orientation: The number indicates agency personnel that have attended the optional Information Security Orientation
sessions within the last 2 years. Their attendance indicates they are taking additional, voluntary action to improve security at their agency akin to “Extra Credit!”
ExplanationAgency
ISO Designated
Attended IS Orientation
Security Audit Plan Received CAPs Received
Quarterly Updates
Agency XYZ Yes 10 Yes Yes Yes
![Page 59: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/59.jpg)
www.vita.virginia.gov 59
Security Audit Plan Received: The Agency Head hasYes - submitted a Security Audit Plan for the period of fiscal year 2009 - 2011 for systems classified as
sensitive based on confidentiality, integrity or availabilityNo - not submitted a Security Audit Plan since 2006Exception – submitted an exception on file with VITA to allow time for developing the Security Audit
Plan & the CISO has approved Expired –submitted a Security Audit Plan on file that does not contain the current three year period FY
2009 – FY 2011Pending –submitted a Security Audit Plan that is currently under review
Corrective Action Plans Received: The Agency Head or designee hasYes - submitted an adequate Corrective Action Plan or notification of no findings for Security Audits
scheduled to have been completedSome - submitted an adequate Corrective Action Plan or notification of no findings for some, but NOT all
Security Audits scheduled to have been completedNo - NOT submitted any adequate Corrective Action Plans or notification of no findings for Security
Audits scheduled to have been completedNot Due - not had Security Audits scheduled to be completedN/A - not submitted a Security Audit Plan so not applicablePending –submitted a Corrective Action Plan that is currently under review
Explanation – ContinuedAgency
ISO Designated
Attended IS Orientation
Security Audit Plan Received CAPs Received
Quarterly Updates
Agency XYZ Yes 10 Yes Yes Yes
![Page 60: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/60.jpg)
www.vita.virginia.gov 60
Explanation – ContinuedAgency
ISO Designated
Attended IS Orientation
Security Audit Plan Received CAPs Received
Quarterly Updates
Agency XYZ Yes 10 Yes Yes Yes
Quarterly Updates: The Agency Head or designee has Yes - submitted adequate quarterly status updates for all corrective actions resulting from Security
Audits previously conducted by or on behalf of the agencySome - submitted adequate quarterly status updates for some corrective actions resulting from Security
Audits previously conducted by or on behalf of the agencyNo - not submitted ANY quarterly status updates for some corrective actions resulting from Security
Audits previously conducted by or on behalf of the agencyNot Due - no open Security Audit findingsN/A - not submitted a Security Audit Plan or a Corrective Action Plan that was duePending - submitted quarterly status update that is currently under review
![Page 61: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/61.jpg)
www.vita.virginia.gov 61
What should an agency do if they conduct a Security Audit that results in no findings?
In the event that a Security Audit was performed and there were no findings and, therefore, no Corrective Action Plan is due, the Agency Head or Designee should notify Commonwealth Security via email or letter stating what audit was conducted and that there were no findings.
FAQ!
![Page 62: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/62.jpg)
www.vita.virginia.gov 62
Secretariat: Administration
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Human Rights Council Yes 0 No N/A N/A
Dept. of General Services Yes 0 Expired No N/A
Dept. of Human Res. Mgmt Yes 0 Expired No N/A
Dept. Min. Bus. Enterprise Yes 1 Pending Pending N/A
Employee Dispute Resolution Yes 3 Expired Not Due Not Due
Compensation Board Yes 1 Expired No N/A
State Board of Elections Yes 1 Expired No N/A
![Page 63: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/63.jpg)
www.vita.virginia.gov 63
Secretariat: Agriculture & Forestry
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Dept. of Forestry Yes 1 Expired Not Due Not Due
Va. Dept. of Ag. & Cons. Serv. Yes 30 Yes Yes Yes
![Page 64: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/64.jpg)
www.vita.virginia.gov 64
Secretariat: Commerce & Trade
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Dept of Business Assistance Yes 2 Yes Not Due Not Due
Board of Accountancy Yes 0 Yes Yes Not Due
Dept. of Housing & Community Development Yes 1 Pending Some No
Dept. of Mines, Minerals & Energy Yes 1 Yes Yes Yes
Dept. of Labor & Industry Yes 3 No N/A N/A
Dept. of Professional & Occupational Regulation Yes 1 Pending No N/A
Tobacco Indemnification Commission Yes 1 No N/A N/A
Va. Employment Commission Yes 2 Expired Some Yes
Va. Economic Development Partnership Yes 0 No N/A N/A
Va. Housing Development Authority No 1 No N/A N/A
Va. National Defense Industrial Authority Yes 0 No N/A N/A
Va. Resources Authority No 0 No N/A N/A
Va. Racing Commission Yes 1 Yes Pending Pending
![Page 65: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/65.jpg)
www.vita.virginia.gov 65
Secretariat: Education
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Dept. of Education Expired 2 Pending No N/A
Frontier Culture Museum of Va. Yes 0 No N/A N/A
Gunston Hall Yes 0 No N/A N/A
Jamestown - Yorktown Foundation Yes 1 Pending Pending N/A
Library of Va. Yes 1 Expired Not Due Not Due
State Council of Higher Education for Va. Yes 0 No N/A N/A
Science Museum of Va. Yes 1 Pending N/A N/A
Va. Commission for the Arts Yes 0 No N/A N/A
Va. Museum of Fine Arts Yes 2 Pending Yes No
![Page 66: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/66.jpg)
www.vita.virginia.gov 66
Secretariat: Education (Cont’d)
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Christopher Newport University Yes 0 Pending No N/A
George Mason University Yes 1 Yes Some Yes
James Madison University Yes 1 Yes Yes Some
Longwood University Yes 1 Pending Yes Yes
Norfolk State University Yes 2 Yes No N/A
Old Dominion University Yes 0 Pending Yes YES
Radford University Yes 0 Yes Yes Yes
University of Mary Washington Yes 1 Yes Not Due Not Due
Va. Community College System Yes 43 Pending YES YES
Virginia Military Institute Yes 0 Expired No N/A
Virginia State University Yes 3 Yes Not Due Not Due
![Page 67: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/67.jpg)
www.vita.virginia.gov 67
Secretariat: Finance
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Dept. of Accounts Yes 4 Yes No N/A
Dept. of Planning & Budget Yes 1 Yes No N/A
Dept. of Taxation Yes 0 Yes Pending Some
Dept. of Treasury Yes 3 Yes Pending Some
![Page 68: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/68.jpg)
www.vita.virginia.gov 68
Secretariat: Health & Human Resources
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Dept. of Health Professions Yes 2 Yes Not Due Not Due
Dept. of Medical Assistance Services Yes 4 Yes Yes Yes
Department of Behavioral Health and Developmental Services DMHMRSAS Yes 22 Yes No N/A
Dept. of Rehabilitative Services Yes 0 Pending Pending N/A
Dept. of Social Services Yes 1 Expired No N/A
Virginia Foundation for Healthy YouthTSF Yes 1 No N/A N/A
Va. Dept. for the Aging Yes 0 Yes Not Due Not Due
Va. Dept. of Health Yes 3 Yes Yes Yes
![Page 69: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/69.jpg)
www.vita.virginia.gov 69
Secretariat: Natural Resources
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Dept. of Conservation & Recreation Yes 2 YES YES YES
Dept. of Environmental Quality Yes 4 Pending Some Pending
Dept of Game & Inland Fisheries Yes 3 Expired Some Some
Dept. of Historic Resources Yes 2 Expired No No
Marine Resources Commission Yes 3 Yes Yes Yes
Va. Museum of Natural History Yes 1 No N/A N/A
![Page 70: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/70.jpg)
www.vita.virginia.gov 70
Secretariat: Public Safety
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Alcoholic Beverage Control Yes 4 Yes YES YES
Commonwealth’s Attorney’s Services Council Yes 0 No N/A N/A
Dept. of Criminal Justice Services Yes 2 Pending Pending Not Due
Dept. of Fire Programs Yes 2 Yes Not Due Not Due
Dept. of Forensic Science Yes 1 Expired No N/A
Dept. of Juvenile Justice Yes 3 Pending No N/A
Dept. of Military Affairs Expired 1 No N/A N/A
Dept. of Corrections Yes 2 Expired Some No
Dept. of Correctional Education Yes 1 Yes Not Due Not Due
Dept. of Veterans Services Yes 0 No N/A N/A
Va. Dept. of Emergency Management Yes 2 No N/A N/A
Va. State Police Yes 3 Yes Yes Not Due
![Page 71: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/71.jpg)
www.vita.virginia.gov 71
Secretariat: Technology
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
The Ctr for Innovative Tech. Yes 1 Expired No N/A
Va. Info. Technologies Agency Yes 30 Yes Not Due Not Due
![Page 72: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/72.jpg)
www.vita.virginia.gov 72
Secretariat: Transportation
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Dept. of Motor Vehicles Yes 2 Yes Not Due Not Due
Dept. of Aviation Yes 3 No N/A N/A
Dept. of Rail & Public Trans. Yes 0 YES Not Due Not Due
Motor Vehicle Dealers Board Yes 0 Pending N/A N/A
Va. Dept. Of Transportation Yes 5 Yes Pending Pending
![Page 73: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/73.jpg)
www.vita.virginia.gov 73
Independent Branch Agencies
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Indigent Defense Commission Yes 4 Expired Pending N/A
State Lottery Dept. Yes 2 No N/A N/A
State Corporation Commission Yes 3 Yes Not Due Not Due
Va. College Savings Plan Yes 3 Yes No N/A
Va. Office for Protection & Advocacy Yes 1 Exception Exception Not Due
Va. Retirement System Yes 2 Yes No N/A
Va. Workers’ Compensation Commission Yes 3 Exception Exception Not Due
![Page 74: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/74.jpg)
www.vita.virginia.gov 74
Others
Data as of 8/5/2009
AgencyISO
DesignatedAttended IS Orientation
Security Audit Plan Received
CAP’s Received
Quarterly Updates
Office of the Governor Yes 1 Exception Exception Not Due
Office of the Attorney General Yes 0 Yes Not Due Not Due
![Page 75: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/75.jpg)
75
Physical Security: Protecting Your Users and What They Use
Bob Baskette:CISSP-ISSAP CCNP/CCDPCommonwealth Security Incident Management Engineer
www.vita.virginia.gov 75
![Page 76: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/76.jpg)
76
COV ITRM SEC 501-01 Facility RequirementsCommensurate with sensitivity and risk, each agency shall or shall require that its
service provider document facilities security practices. – Safeguard IT systems and data residing in static facilities (such as buildings),
mobile facilities (such as computers mounted in vehicles), and portable facilities (such as mobile command centers).
– Design safeguards to protect against human, natural, and environmental risks.
– Require appropriate environmental controls such as electric power, heating, fire suppression, ventilation, air-conditioning and air purification, as required by the IT systems and data.
– Protect against physical access by unauthorized personnel.
– Control physical access to essential computer hardware, wiring, displays, and networks by the principle of least privilege.
– Provide a system of monitoring and auditing physical access to sensitive IT systems.
– Require that the ISO periodically review the list of persons allowed physical access to sensitive IT systems.
![Page 77: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/77.jpg)
77
Physical Security Tenants• Addresses the physical protection of the
resources of an organization.• Must include the people, data, facilities,
equipment, and Information Systems. • Examines how elements of the physical
environment and supporting infrastructure affect the confidentiality, integrity, and availability of information systems.
• Primary consideration is that nothing should impede Life-Safety goals.
![Page 78: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/78.jpg)
78
Physical Security Goals• Physical Security Program should comprise safety
and security mechanisms.• Safety is the protection life and assets from fire,
natural disasters, and accidents.• Security is the protection against vandalism,
theft, and attacks by people.• President’s Commission on Critical Infrastructure
Protection requires organizations that are part of the national critical infrastructure to have adequate protection mechanisms in place.
![Page 79: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/79.jpg)
79
Physical Security Threat Categories• Man-Made Threats• Natural environmental threats• Supply system threats• Politically motivated threats
![Page 80: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/80.jpg)
80
Man-Made Physical Threats• Sabotage• Vandalism• War• Strike• Unauthorized access• Explosives• Errors or accidents• Fraud• Theft
![Page 81: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/81.jpg)
81
Natural Physical Threats• Floods• Earthquakes• Storms• Fires• Extreme temperatures
![Page 82: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/82.jpg)
82
Environmental Physical Threats• Temperature• Gases• Liquid• Organisms• Projectiles• Earthquakes and other severe vibrations• Lava• Energy Anomalies
![Page 83: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/83.jpg)
83
Supply System Threats• Power distribution outages• Communication interruptions• Water, steam, gas disruptions
![Page 84: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/84.jpg)
84
Politically Motivated Physical Threats• Strikes• Riots• Terrorism
![Page 85: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/85.jpg)
85
Physical Security Program steps• Identify team to build program.
– Carry out Risk analysis.– Set acceptable risk level with management.
• Derive baseline from Acceptable Risk Level.
• Create countermeasure performance metrics.
• Identify and implement countermeasures.• Provide continuous monitoring.
![Page 86: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/86.jpg)
86
Issues When Selecting a Facility• Visibility
– Surrounding terrain– Building markings and signs– Type of neighbors– Population of area
• Surrounding area and external entities– Crime rate, riots, terrorism attacks– Proximity to police, medical, and fire
• Accessibility– Road access– Traffic– Proximity to airports, trains
• Natural disasters
![Page 87: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/87.jpg)
87
Crime Prevention Through Environmental Design
• Discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.
• Deals mainly with the construction of the facility: internal and external design, and exterior components such as lighting and landscaping.
• The physical environment can be manipulated to create behavioral effects that will reduce crime and the fear of crime. – Install benches to encourage people to sit and watch.– Only install sidewalks where people should walk.– Install computer room in middle of building for
protection.
![Page 88: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/88.jpg)
88
CPTED Categories• Natural access controls
– The guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping.
• Natural surveillance– Includes straight lines of sight, low
landscaping, raised entrances used to make criminals feel uncomfortable by providing many ways observers could see them.
![Page 89: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/89.jpg)
89
CPTED Categories Continued• Territorial Reinforcement
– Creates physical designs that emphasize or extend the company’s physical sphere of influence so legitimate users feel a sense of ownership of that space. Done via walls, fencing, landscaping, lighting, flags. Make the users proud of the environment and a sense of belonging.
• Activity Support– Planned activities for the area to be protected.
Provides guidelines for how to use the area and get people to use the area properly
![Page 90: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/90.jpg)
90
Security ZonesInterior space should be divided into zones
with different security levels. – Controlled– Restricted– Public– Sensitive
![Page 91: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/91.jpg)
91
CPTED verses Target Hardening• Target Hardening differs from CPTED due
to the fact that Target Hardening focuses on denying access through physical and artificial barriers.– Locks– Alarms– Fences
• Target Hardening will lead to restrictions on use, enjoyment, or aesthetics of the physical environment.
![Page 92: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/92.jpg)
92
Physical Security Program Control Categories
• Administrative• Deterrence• Delaying• Detection
![Page 93: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/93.jpg)
93
Administrative Controls• Facility Requirements Planning
– Visibility = low visibility is better (be careful of sign/markers)
– Local considerations = any hazards in area– Natural disasters = wind/flood/earthquakes– Transportation = excessive traffic– No Joint tenancy– External services relative proximity to
police/fire/medical
• Secure Facility Management– Audit trails and Access Logs– Emergency Procedures
![Page 94: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/94.jpg)
94
Administrative Controls Continued• Administrative Personnel controls
– Pre-employment screening– Background checks on employment,
references, education– Security clearance– Ongoing employee reviews
![Page 95: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/95.jpg)
95
Deterrent Controls• Fencing• Warning signs• Security guards• Dogs• Man-Traps• Exterior Lighting
![Page 96: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/96.jpg)
96
Fencing Information Fencing Types
– Extremely High Security • 3/8-inch mesh with 11-gauge wire
– Very High Security• 3/8-inch mesh with 9-gauge wire
– High Security• 1-inch mesh with 11-gauge wire
– Greater Security• 2-inch mesh with 9-gauge wire
– Normal Industrial security• 2-inch mesh with 6-gauge wire
![Page 97: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/97.jpg)
97
Fencing Information ContinuedFencing Height requirements
– 3' to 4' = Deters casual trespassers– 6' to 7' = Too hard to climb easily– 8' with 3 strands of barbed wire = will deter
most intruders
• PIDAS Fencing– Perimeter Intrusion Detection and Assessment
System– Fencing that has sensors located in the wire
mesh and at the base to detect events
![Page 98: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/98.jpg)
98
Gate Types• Class I
– Residential use
• Class II– Commercial use where general public has
access
• Class III– Industrial use where limited access is granted
• Class IV– Restricted access
![Page 99: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/99.jpg)
99
Window Protection / Glazing TypesApplied during manufacturing• Standard
– Cheapest and lowest level of protection– Residential use
• Tempered– Glass is heated and cooled rapidly– Increases strength 5-7 times
• Acrylic– Plastic (toxic when burned)– Polycarbonate acrylics are strongest glass
• Wired– Mesh of wire embedded between two sheets of glass– Prevents shattering
![Page 100: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/100.jpg)
100
Window Protection Continued• Laminated
– Plastic layer between two outer layers of glass
• Solar window film– Tinted to provide security
• Security film– Transparent film to increase strength
![Page 101: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/101.jpg)
101
Exterior Lighting NotesExterior Lighting should be at least 8’-high
with 2’ candlepowerExterior Lighting types:
– Floodlights– Streetlights– Fresnel lighting– Glare Protection
• Pointing lights at in-bound persons and away from the guard/security personnel
![Page 102: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/102.jpg)
102
Surveillance Techniques• Organized
– Security guards– Guard Dogs
• Mechanical– CCTY– Card access readers– Responsive Area Illumination
• IDS activated lighting• Used in combination with CCTV to allow fast verification of
IDS event
• Natural Strategies– Straight line of sight– Low landscaping– Raised entrances
![Page 103: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/103.jpg)
103
Guard Drawbacks• Availability
– Cannot exist in some environments
• Reliability– Pre-employment screening not always effective
• Training– Susceptible to social engineering– out-of-date manuals
• Cost
![Page 104: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/104.jpg)
104
Delay Controls• Locks• Defense in depth
– Establishment of Security Zones– Inspection points (Man-Traps)
• Access controls
![Page 105: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/105.jpg)
105
Mechanical Locks / Key-based• Warded locks
• Basic padlock with spring-loaded bolt with a notch cut in it
• Wards are metal projections around the keyhole
• Tumbler locks• Have multiple metal pieces that must be aligned to
allow bolt to move• Pin tumbler (Most common type of lock)• Wafer tumbler (Disk tumbler) (Uses wafers instead of
pins) ( normally found on file cabinets)• Lever tumbler
![Page 106: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/106.jpg)
106
Code-based Locks• Combination locks
– Can be electrical or mechanical– Traditional mechanical combination locks use internal
wheels– Electrical combination locks use a keypad
• Cipher locks– Programmable lock– Uses keypad and optional swipe card for access– The lock code can be changed/reprogrammed and
specific user codes blocked – Can provide:
• Door delay alarm if the door is held open• Key override • Master Keying• Hostage alarm/Panic code
![Page 107: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/107.jpg)
107
Lock Security Categories• Lock strengths
– Grade 1 • Commercial and industrial use
– Grade 2• Heavy-duty residential / light-duty commercial
– Grade 3 • Residential or consumer
![Page 108: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/108.jpg)
108
Lock Security Categories Continued• The delay time provided by a lock should match
the resistance of the door, door frame, and hinges.
• Lock cylinder categories– Low security
• No pick or drill resistance
– Medium security• A degree of pick resistance• Uses more complex notch combinations
– High security• Pick resistance• Only used in Grade 1 and Grade 2 locks
![Page 109: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/109.jpg)
109
Locking Mechanism Types• Fail-safe lock
– Door defaults to unlocked on loss of power
• Fail-secure lock– Door remains locked on loss of power
![Page 110: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/110.jpg)
110
Detection Controls• Intrusion detection systems should be
deployed as both external and internal sensors
• IDS mechanisms operate on:– Sounds and vibrations– Motion– Microwave, Ultrasonic, Electrostatic, and
Magnetic field variances– Electrical circuit– Beams of Light
![Page 111: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/111.jpg)
111
Electromechanical systems• Detects break or change in a circuit• Can be deployed on the exterior or in the
interior of a building• Types:
– Electrical Circuits• Uses contact tape placed across windows/doors or
pressure pads placed in front of doors/windows• Can also install fine wire mess to detect breakage of
walls or windows
– Magnetic Switches• Uses change in magnetic field between opposing
magnets to detect an opening
![Page 112: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/112.jpg)
112
Volumetric Systems• More sensitive than Electromechanical
Systems• Detects changes in subtle environmental
characteristics• Best employed in the interior of a building
![Page 113: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/113.jpg)
113
Volumetric System Types• Acoustic
– Uses microphones installed in floors, walls, and ceilings– Cannot be installed in areas that are exposed to exterior sound
sources or dynamic environments• Seismic/Vibration
– Used to detect forced entry – Normally installed on exterior walls or floors/ceilings of
sensitive rooms• Photoelectric
– Detects change in light beam– Requires consistent illumination– Should only be used in rooms without windows
• Proximity detector / capacitance detector– Most objects emit a measurable magnetic field – Monitors the electrical field around an object
![Page 114: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/114.jpg)
114
Volumetric System Types Continued• Wave-pattern motion detection
– Uses a wave pattern sent over a sensitive area and reflected back to a receiver
– A change in pattern indicates a change in the environment
– Can use Ultrasonic, Microwave, and low frequency patterns
• Passive Infrared Detector – System that reacts to fluctuations of ambient light
energy within its range.– Detect the change in temperature in object or
environment
![Page 115: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/115.jpg)
115
Environmental / Life Safety Controls• Electrical power• Fire Detection and suppression• HVAC
![Page 116: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/116.jpg)
116
Hot Topics• Fire is the rapid oxidation of materials
– Requires oxygen, heat, fuel• Damaging Temperatures
• Computer Systems 175-F• Magnetic Storage 100-F• Paper 350-F
• Store only the absolute minimum essential records, paper stock, inks, unused media in the computer room.
• Light-Frame construction can resist rapid oxidation for up to 30 minutes
• Heavy-Timber Frame construction can resist rapid oxidation for up to 1 hour
![Page 117: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/117.jpg)
117
Fire Suppression• When selecting a fire suppression
system consider:– Estimate rate of occurrence– Amount of damage potential– Types of fires– Portable extinguishers should be located within
50-feet of electrical equipment and near exits
![Page 118: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/118.jpg)
118
Fire Detection• Fire Detection (detect thermal combustion or its
by-products)• Smoke-actuated
– Used in ventilation systems– Photoelectric devices are triggered by variation in light– Ionization devices react to charged particles in smoke
created by the radioactive material in the smoke
• Smoke detectors provide good early-warning– Can be used to alert prior to automated suppression
release– Manually deal with smaller fires
![Page 119: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/119.jpg)
119
Fire Detection Continued• Heat-sensing
– Alerts when the temperature reaches a pre-set value or a rapid increase is detected
– Fixed temperature value detection results in lower false positive
• Flame-actuated – Sees infrared energy of the flame or the pulsation of the
flame– Have a very fast response time – Fairly expensive
• Sensors should be installed on and above ceilings and below raised floors
![Page 120: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/120.jpg)
120
Fire Suppression Equipment• Class A
– Common combustibles such as wood, cloth, paper, rubber, plastics
• Water or soda acid• Class B
– Liquids / Petrol / Coolants• Gas (Halon or CO2) or soda acid
• Class C– Electrical equipment
• Gas (Halon or CO2) or soda acid• Class D
– Metals• Dry powder
• Class K– Commercial kitchens
• Wet chemicals
![Page 121: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/121.jpg)
121
Fire Suppression Notes• Dry chemical composition
– Sodium bicarbonate, potassium bicarbonate, and calcium carbonate will stop chemical combustion
– Monoammonium phosphate will melt at low temperatures and excludes oxygen
• Water suppresses the temperature required to sustain the fire
• Foam floats on top of the surface of the material and excludes oxygen
• Soda Acid suppresses the fuel of the fire• CO2 suppresses/removes the availability of
oxygen (use in unmanned facilities)
![Page 122: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/122.jpg)
122
Halon Information• Halon uses a chemical reaction to suppress the
fire – Mixes well with air – Spreads extremely fast – Does not leave a residue– Above 900-F will become a toxic mixture (hydrogen
Fluoride)– Will also deplete ozone – Deadly in concentrations greater than 10-percent
• Halon 1211 is liquid (portable) • Halon 1301 is gas (facility)
![Page 123: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/123.jpg)
123
Halon Replacements• FM-200• AF-S-111• CEA-410• FE-13• Water• Inergen• Argon• Argonite• Inert gases or Halocarbon agents.
![Page 124: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/124.jpg)
124
Fire Extinguishing Systems• Dry Pipe System• Deluge• Wet Pipe System • Preaction
![Page 125: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/125.jpg)
125
Fire Extinguishing Systems ContinuedDry Pipe System
– No standing water in pipe– All water is held in a reserve tank by clapper
valve– Clapper valve is activated by smoke or fire
sensors and is designed to suspend the water supply for a short period.
– Once activated, the clapper value opens, the air is removed from the pipe and the water is released.
![Page 126: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/126.jpg)
126
Fire Extinguishing Systems ContinuedDeluge
– Variation on the Dry Pipe System – Designed to deliver a large volume of water
quickly– Not considered appropriate for computer
rooms
![Page 127: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/127.jpg)
127
Fire Extinguishing Systems ContinuedWet Pipe System
– Deliver pipes always contains water– Sprinkler releases water as soon as the sensor
detects smoke or fire– Is considered a closed-head system– Most sprinkler head systems use a fusible link
in the nozzle that melts at 165-F– Is considered the most reliable fire suppression
system– The only operational issues is that the system
can leak and the pipes can freeze
![Page 128: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/128.jpg)
128
Fire Extinguishing Systems ContinuedPreaction
– Recommended for computer rooms– Hybrid of Wet/Dry Pipe systems– Will fill pipe with water at first sign of
increased heat– Uses the fusible link to release the water– Enables manual intervention before discharge
of water– Dry-Pipe and Pre-Action systems use
pressurized air in pipe to keep value closed and water in holding tank
![Page 129: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/129.jpg)
129
Fire Related Notes• Fire extinguishers should be located within 50-
feet of electrical equipment and near the exists• Rate-of-rise temperature sensors provide shorter
warning times than fixed temperature sensors, but can generate higher false positives
• Smoke particulate residue will corrode metal contact surfaces and must be to removed with Freon or Freon-alcohol solvents
• Detectors should be located on and above drop ceilings and below raised floors
![Page 130: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/130.jpg)
130
Electrical Power definitions• Ground
– Pathway to earth to enable excessive voltage to dissipate
• Noise– Electromagnetic or frequency interference that
disrupts power flow– Presence of electrical fluctuations in the
system that is unintentional and interferes with the transmission of clean power
• Transient noise– Short duration of power line disruption
![Page 131: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/131.jpg)
131
Electromagnetic Interference• Electromagnetic interference is caused by the
generation of radiation from the charge differences among the three electrical wires
• Common-mode noise– Noise from the radiation generated by the charge
difference between the hot and ground wires
• Traverse-mode noise– Noise from the radiation generated by the charge
difference between the hot and neutral wires
![Page 132: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/132.jpg)
132
EMI Protection • TEMPEST
– Transient EM Pulse Emanation Standard– Developed by US and UK military– DoD standard to prevent EMI eavesdropping via heavy
metal shielding– Can use a Faraday cage (outer metal coating on housing
unit) to prevent EMI leakage – Very expensive to implement– Normally only used in highly secured areas
• Two alternatives to Tempest technology:– Use white noise (uniform spectrum of random electric
signals distributed over the full spectrum)– Use a control zone concept
![Page 133: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/133.jpg)
133
Radio Frequency Interference• Radio Frequency Interference noise is
generated from radio waves or noise generated by the components of an electrical system such as radiating electrical cables, fluorescent lighting, or electrical space heaters.
![Page 134: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/134.jpg)
134
Electrical Noise protection• Power line conditioning• Proper grounding of system to earth• Cable shielding• Limiting exposure to magnets, fluorescent
lights, electric motors, and space heaters
![Page 135: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/135.jpg)
135
Power Regulation Issues• Spike
– Momentary high voltage
• Surge– Prolonged high voltage
• In-Rush current– Initial surge of current required to start a load
• Transient– Short duration of line noise disturbances
![Page 136: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/136.jpg)
136
Power Regulation Issues Continued• Fault
– Momentary power outage
• Blackout– Prolonged or complete loss of power
• Sag/Dip– Momentary low voltage condition that can last
from one cycle to a few seconds
• Brownout– Prolonged power supply that is below normal
voltage
![Page 137: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/137.jpg)
137
Power Regulation Mechanisms• UPS Types
– On-line• Primary power passes through and charges batteries• UPS has power inverters that feed power to the data center
– Standby• Stays inactive until failure• Will switch to battery on failure
• Metal oxide varistor = used in surge protectors to move the excess voltage to ground
• Constant-voltage transformers can be used to regulate fluctuations in power during brown out conditions
![Page 138: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/138.jpg)
138
Static Electricity Precautions:• Use antistatic spray to treat surfaces• Use antistatic tables and floor mats• Data Centers should have antistatic flooring• Data Centers should have properly grounded
power systems• Use HVAC systems to control the level of
humidity in the Data Center• Humidity should be between 40 and 60 percent.
– < 40 % = static electricity / 20,000 volts possible– > 60 % = condensation on parts / corrosion of
connections
![Page 139: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/139.jpg)
139
Data Center Notes• Data Centers should have two doors:
– Controlled access for entry– Locked door with panic bar for emergency exit
• Data Centers must utilize positive air pressure• Data Centers need water detectors under floors and above
ceilings• Data Centers should have a power feed from two separate
substations if possible• Data Centers should have a separate power feed from the
rest of the building• Data Center doors should open out / use 3-pin hinges• Avoid internal partitions in secure areas (can pop ceiling
titles and climb over)
![Page 140: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/140.jpg)
140
Secure Media Storage (Safes)• Safe types
– Wall– Floor– Chest– Depositories– Vaults
• Passive relocking safes have extra bolts that fall into place if tampering occurs
• Thermal relocking safes have extra bolts that fall into place if a certain temperature is reached
![Page 141: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/141.jpg)
141
Collusion can defeat Physical ControlsCollusion controls• Separation of duties• Pre-employment background check• Rotation of duties• Supervision
![Page 142: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/142.jpg)
142
Final Thoughts• Physical Security, like other Security Disciplines,
works best in layers moving from the perimeter to the asset.
• Acceptable Risk Level should be derived from the laws and regulations with which the organization must comply and from the threat profile of the organization overall.
• Please reference COV ITRM SEC 501-01 and COV ITRM SEC 517-00 for more information on COV- specific requirements and guidelines.
![Page 144: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/144.jpg)
144
COVITS 2009
Peggy Ward
Chief Information Security & Internal Audit Officer
www.vita.virginia.gov 144
![Page 145: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/145.jpg)
145
11th Annual COVITS
Transparency, Participation & Collaboration
When: September 20-22, 2009
Where: Marriott – Williamsburg, Va.
Keynote Speakers Aneesh Chopra, Federal Chief Technology Officer
& Jerry Mechling, Harvard School of Government
Register at http://www.covits.org/Govt employees: $99 / SWAM Members: $99 (Must be certified by the
DMBE)
![Page 146: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/146.jpg)
146
11th Annual COVITSHelpful sessions to provide guidance & collaboration on topicspertinent to today’s IT challenges:
Topics include:
• Stimulus/Recovery Review• Legislator Panel: Challenges in Virginia • Cloud Computing • Security: Insider Threats and Outside Attacks • Continuity of Government Operations • Data Standardization and Governance • Economics of Customer Service • Social Networking and Government • Open Source and Free Stuff: Appropriate for Government? • Health IT: The Changes Ahead • Broadband across the Commonwealth
![Page 147: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/147.jpg)
147
Governor’s Technology AwardsWinners will be announced at a special ceremony during COVITS 2009.
This awards program honors outstanding achievements & recognizes innovative technology initiatives in the public sector throughout the Commonwealth of Virginia.
! Winners will receive complimentary admission to COVITS !
Enter at :
http://www.covits.org/governor's_technology_awards/index.cfm
Deadline for submissions is August 19, 2009.
![Page 148: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/148.jpg)
148
COVITS Special Ceremony
Award Categories
Online, Not in Line Cross-Boundary Collaboration IT as Efficiency Driver Innovative Use of Technology in Local GovernmentInnovative Use of Technology in K-12 EducationInnovative Use of Technology in Higher Education Best Private Sector Telework Initiative Best Public Sector Telework Initiative
![Page 149: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/149.jpg)
149www.vita.virginia.gov 149
Upcoming Events
![Page 150: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/150.jpg)
150
UPCOMING EVENTS! 9/9/09 ISOAGWednesday, September 9 From 1:00 – 4:00 pm
NEW LOCATION!!! State Capitol, House Room 3
Tour of the Capitol at 12:00 for the first 50 who register for the tour!
Thank you to Alison Anderson, DPB, for coordinating!
Keynotes:
Critical Infrastructure – Mike McCallister, OCP
Identity Theft Program – Steve Werby, VCU
![Page 151: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/151.jpg)
151
UPCOMING EVENTS! Future 2009 ISOAG’s
From 1:00 – 4:00 pm at CESC(please let us know if you want to host in the Richmond area!)
Tuesday - October 6
Wednesday - November 4
Wednesday - December 9
![Page 152: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/152.jpg)
152
Information Security System Association
ISSA meets on the second Wednesday of every month
• DATE: Wednesday September 16th• LOCATION: Hondo’s, The Shoppes at Innsbrook
4024-C Cox Road, Glen Allen, VA (directions at http://www.hondosprime.com/get_directions.shtml)
• Topic: “Nine Proven Software Security Best Practices – Building Security in maturity Model (BSIMM)”
• TIME: 11:30 - 1:30pm. Presentation starts at 11:45 & Lunch served at 12.
• COST: ISSA members: $10 & Non-Members: $20
![Page 153: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/153.jpg)
153
UPCOMING EVENTS: MS-ISAC WebcastNational Webcast!
Wednesday, August 19, 2009, 2:00 to 3:00 p.m.
Topic: Security of Social Networking Sites/Web 2.0
The National Webcast Initiative is a collaborative effort between government and the private sector to help strengthen our Nation's cyber readiness and resilience. A number of vendors have offered their services at no cost, to help develop and deliver the webcasts.
Register @: http://www.msisac.org/webcast/
![Page 154: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/154.jpg)
154
UPCOMING EVENTS - CIO-CAO Mtg.CIO-CAO Communications Meeting:
Tuesday, August 258:30 am – 9:00 am: Networking9:00 am: Meeting start
Location: Perimeter Center9960 Mayland DriveRichmond, VA
![Page 155: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/155.jpg)
155
FACTA Red Flag Requirements *NEW DATE
Implementation Date: November 1st, 2009
Announcement at: http://www.ftc.gov/opa/2009/07/redflag.shtm
Are you aware of the red flag requirements in the Fair and Accurate Credit Transactions Act (FACTA) of 2003?
Please read carefully as it is not only banks and financial institutions!
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
![Page 156: Commonwealth Information Security Officers Advisory Group ...approximately 15 years with the US Treasury (OCC) and the NY FED. Worked on Wall Street for several years in Auditing Technology](https://reader033.vdocument.in/reader033/viewer/2022060306/5f09ae707e708231d428016a/html5/thumbnails/156.jpg)
156www.vita.virginia.govwww.vita.virginia.gov 156
Any Other Business ??????