Self-Assessment and Formulation of a National Cyber Security/CIIP Strategy: Culture of Security
The Self-Assessment: purpose
• Snapshot of where the nation is
• Educate participants
• Identify strengths and weaknesses
• Identify gaps
• Allocate responsibilities
• Establish priorities
• Provide input to a national cyber security strategy
10/19/10
The Self-Assessment: audience
• All participants – the ultimate target
• But to ensure national action, the self-assessment must be addressed to key decision makers in:
  – Government (executive and legislative)
  – Business and industry
  – Other organizations and institutions
  – Individuals and the general public
Key elements
10/18/10
Key Elements of a National Cybersecurity Strategy:
• Legal Framework
• Culture of Cybersecurity
• Incident Management
• Collaboration and Information Exchange
The Self-Assessment: key elements
D. Culture of Security:
• Develop security awareness programs for and outreach to all participants, for example children, small business, etc.
• Enhance science and technology (S&T) and research and development (R&D)
• Other initiatives
Yael Weinman, Counsel for International Consumer Protection
Office of International Affairs, U.S. Federal Trade Commission
September 2010
A Cultural Shift: Cybersecurity Gets Personal
Federal Trade Commission
General jurisdiction consumer protection agency
Enforcement through federal district court and administrative litigation
Small agency
www.ftc.gov
Federal Trade Commission
Three-prong approach: Individual Culture, Organizational Culture, FTC Enforcement
Components of Cybersecurity: Privacy and Data Security, Spam, Spyware, Identity Theft
How the FTC Can Help: Consumer and Business Education, Research and Consultation, International Cooperation
Personal Culture
Privacy and Data Security
• It is every individual’s responsibility
• You don’t need computer expertise or to be a member of IT to ensure data privacy and security
Organizational Culture
Privacy and Data Security
• Build in privacy and data security from the ground up
• Privacy Impact Assessments
• Routine use of data security hardware and software
Enforcement
Privacy and Data Security
Personal Culture
Spam and Phishing
• Don’t open unknown emails
• Never open attachments unless you know the sender
• Type URLs into the address bar rather than clicking
• Don’t respond with account or personal information
Organizational Culture
Spam and Phishing
• Let customers know how you will use their personal information—and stick to it
• Know the rules on sending unsolicited commercial email (UCE)
• Know how to communicate with your customers
Enforcement
Spam and Phishing
• $2.5 million court-ordered fine for weight loss spam
• $413,000 fine under a settlement with an X-rated website
Personal Culture
Spyware
• Don’t install software from an unknown source on your computer
• Be aware that games and other freeware can contain spyware
• Maintain virus protection software
Organizational Culture
Spyware
• A consumer’s computer belongs to him or her, not to software distributors
• Full disclosures must be clear and conspicuous
• A consumer must be able to uninstall or disable downloaded software
Enforcement
Spyware
• Zango: $3 million disgorgement
• Seismic Entertainment
• ERG Ventures
Identity Theft
Identity Theft Task Force
Strategy – 4 key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime
Consumer and Business Education
Guidance to Business
Consumer Education
Communicating effectively
OnGuardOnline
En Español
Spam
Spyware
Identity Theft
"Protecting PERSONAL INFORMATION: A Guide for Business"
Five Key Principles
1. Take stock.
2. Scale down.
3. Lock it.
4. Pitch it.
5. Plan ahead.
Additional Resources
• National Institute of Standards and Technology (NIST) Computer Security Resource Center. www.csrc.nist.gov
• NIST’s Risk Management Guide for Information Technology Systems. www.csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
• Department of Homeland Security’s National Strategy to Secure Cyberspace. www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf
• SANS (SysAdmin, Audit, Network, Security) Institute’s Twenty Most Critical Internet Security Vulnerabilities. www.sans.org/top20
• United States Computer Emergency Readiness Team (US-CERT). www.us-cert.gov
• Carnegie Mellon Software Engineering Institute’s CERT Coordination Center. http://www.cert.org/certcc.html
• Center for Internet Security (CIS). www.cisecurity.org
• The Open Web Application Security Project. www.owasp.org
• Institute for Security Technology Studies. www.ists.dartmouth.edu
• OnGuard Online. www.OnGuardOnline.gov
Thank you
Yael Weinman, Counsel for International Consumer Protection
Office of International Affairs, U.S. Federal Trade Commission
[email protected]
Questions?
Thank You
Joseph Richardson