Presentation to the CIO
Easy Security Project
PREPARED BY: JOSHUA SMITH, GARY FAULKNER, BRANDON VAN GUILDER, AND ERIC RUSCH
Agenda
- Overview of Security Incident
- Analysis of incident using COBIT control objectives (DS5)
- Recommendations based on analysis
- Conclusion & Questions
Review of Security Incident
- Stolen information was retrieved from VA servers by an authorized worker
- The VA worker utilized the data for testing and had authorization to bring work home
- Information was brought home on an external HD and laptop
- An unencrypted national database of 26.5 million veterans' personal information was stolen
- The theft occurred on May 3rd at the worker's home and was reported by the VA on May 22nd
Analysis criteria
- Analysis was completed using COBIT Control Objectives (DS5)
- All 21 control objectives were assessed
- Not all objectives were applicable
- Objectives not applicable were given a grade of PASS
- Objectives not met were given expanded recommendations
Recommendations
- Create an independent Security Oversight Committee
  - Committee reviews policies, procedures, and security control practices annually and directly after any security incidents.
  - Cost: $10k - $20k annually
- Improve communication and documentation between departments and management
  - Increase security incident response
  - Cost: $5k - $10k
- Expand authority of the CIO
  - Manage all IT staff across departments
  - Enforce policies
  - Cost: $5k - $10k
Recommendations
- Employee Training Program
  - Employees need annual training on security policies and procedures.
  - Cost: $10k - $15k annually
- DLP (Data Loss Prevention) Policy and Procedure
  - Policy and procedure restricting data removal to prevent PII loss
  - Restrict personal devices from being connected to the VA network
  - Cost: Minimal
- Implement NAC on the VA Network
  - Restrict personal or unauthorized devices from connecting to the VA network
  - Cost: $75k - $100k
Recommendations
- Encrypt all VA devices using SEE (Symantec Endpoint Encryption)
  - Utilize full disk encryption to protect data and PII
  - Cost: $35k - $50k
- Implement Identify Finder to prevent data leakage
  - Locate and secure sensitive information and PII
  - Cost: $1.5M - $2M plus $30k - $50k annually
Conclusion
Develop and maintain a security program that will meet our needs now and in the future.
Questions & Discussion