Presentation to the CIO
PREPARED BY: JOSHUA SMITH, GARY FAULKNER, BRANDON VAN GUILDER, AND ERIC RUSCH
Easy Security Project

Upload: lewis-boone

Post on 13-Dec-2015


TRANSCRIPT

Page 1:

Presentation to the CIO

PREPARED BY: JOSHUA SMITH, GARY FAULKNER, BRANDON VAN GUILDER, AND ERIC RUSCH

Easy Security Project

Page 2: Agenda

Overview of Security Incident

Analysis of incident using COBIT control objectives (DS5)

Recommendations based on analysis

Conclusion & Questions

Page 3: Review of Security Incident

The stolen information was retrieved from VA servers by an authorized worker

The VA worker used the data for testing and had authorization to bring work home

The information was taken home on an external hard drive and a laptop

An unencrypted national database of 26.5 million veterans' personal information was stolen

The theft occurred on May 3rd at the worker's home and was reported by the VA on May 22nd

Page 4: Analysis criteria

Analysis was completed using COBIT Control Objectives (DS5)

All 21 control objectives were assessed

Not all objectives were applicable

Objectives not applicable were given a grade of PASS

Objectives not met were given expanded recommendations

Page 5: Recommendations

Create an independent Security Oversight Committee
The committee reviews policies, procedures, and security control practices annually and directly after any security incident
Cost: $10k – $20k annually

Improve communication and documentation between departments and management
Improve security incident response
Cost: $5k – $10k

Expand the authority of the CIO
Manage all IT staff across departments
Enforce policies
Cost: $5k – $10k

Page 6: Recommendations

Employee Training Program
Employees need annual training on security policies and procedures
Cost: $10k – $15k annually

DLP (Data Loss Prevention) Policy and Procedure
Policy and procedure restricting data removal to prevent loss of PII
Restrict personal devices from being connected to the VA network
Cost: Minimal

Implement NAC (Network Access Control) on the VA Network
Restrict personal or unauthorized devices from connecting to the VA network
Cost: $75k – $100k

Page 7: Recommendations

Encrypt all VA devices using SEE (Symantec Endpoint Encryption)
Use full disk encryption to protect data and PII
Cost: $35k – $50k

Implement Identity Finder to prevent data leakage
Locate and secure sensitive information and PII
Cost: $1.5M – $2M plus $30k – $50k annually
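As an added illustration of the "locate sensitive information and PII" step in the recommendation above, the following Python script shows the core of what a data-discovery scan does. It is example code written for this page, not part of the original presentation and not Identity Finder's own logic. It walks a directory, finds Social Security Number candidates, drops candidates that break the SSA's published structural rules (which removes many false positives a bare regex would produce), and reports only masked hits so the report does not become another copy of the PII. The file names and contents are constructed for the example; the numbers in them are illustrative, not real records.

```python
"""Added example (not from the original presentation): a minimal PII
discovery scan of the kind a data-discovery tool performs.

Sample files and their contents are constructed for this example.
"""
import os
import re
import tempfile
from collections import Counter

# Candidate pattern: 3-2-4 digits with optional '-' or ' ' separators,
# bounded so that substrings of longer numbers are not matched.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued;
    group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask(serial: str) -> str:
    """Keep only the last four digits, as DLP reports normally do."""
    return f"***-**-{serial}"


def find_ssns(text: str) -> list[str]:
    """Return masked forms of the plausible SSNs found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(mask(serial))
    return hits


def scan_directory(root: str) -> dict[str, Counter]:
    """Map each file that contains PII to a Counter of masked hits."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable file: a real tool would log this
            if hits:
                report[os.path.relpath(path, root)] = Counter(hits)
    return report


def demo() -> dict[str, Counter]:
    """Write a constructed sample tree to a temp directory and scan it."""
    samples = {
        "test_export.csv": (
            "id,name,ssn\n"
            "1,Sample A,123-45-6789\n"   # plausible: reported
            "2,Sample B,987 65 4321\n"   # area 987 >= 900: ignored
            "3,Sample C,000-12-3456\n"   # area 000: ignored
        ),
        # 555-12-3456 is reported; the 13-digit number is not an SSN
        "notes.txt": "Ticket 555-12-3456 refers to case 5551234567890.\n",
        "readme.txt": "No identifiers here.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, dict(hits))
```

The structural filter is what separates a usable scan from a noisy one: a 3-2-4 digit regex alone flags phone-number fragments and test data, while the issued-range rules reject much of that before a human has to look. A production scan would add other identifier types (credit card numbers with a Luhn check, for example) and would feed hits to a quarantine or encryption step rather than only reporting them.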

Page 8: Conclusion

Develop and maintain a security program that will meet our needs now and in the future.

Questions & Discussion