IT Security Review
Project Overview, Results, Recommendations
Doug Selix, MBA, CISM, PMP (Project Consultant)

Introduction
• Project Purpose and Scope
• Project Structure and Approach
• What We Learned
• Project Value to WSTIP
• Conclusions and Recommendations
• Next Steps

Project Purpose and Scope
• Purpose
  – Implement part of IRM Strategy
  – Evaluate the risk to WSTIP associated with current member IT Security practices
  – Constrained by limited on-site time
• Scope
  – Perform site visits to 14 WSTIP members
  – Perform high-level reviews based on observation and interviews
• Not In Scope
  – Detailed vulnerability assessments of systems using analysis tools and configuration reviews

Members Evaluated
• Large Members
  – Spokane
  – Whatcom
  – Ben Franklin
• Medium Sized Members
  – Link
  – Mason
• Small Members
  – Clallam
  – Columbia
  – Grays Harbor
  – Grant
  – Jefferson
  – Pacific
  – Skagit
  – Twin Valley

Sneak Peek – What We Found
• We found some very high risks
• We found some surprises we did not expect
• We found opportunity for improvement and risk reduction

Project Approach
• WSTIP contracted with Doug Selix and Garrett Polehonka to:
  – Team with Jerry Spears
  – Perform limited on-site reviews
  – Document observations
  – Provide recommendations for improved IT Security
  – Share results with each member
  – Analyze the collected aggregate data and report findings to the WSTIP Board

Reviewer Experience
– Doug Selix, MBA, CISM, PMP
  IT Security and Disaster Recovery Architect, State of Washington Office of Financial Management & Office of the Governor
  DISCLAIMER: Doug is not in any way representing OFM or the Office of the Governor in this engagement.
– Garrett Polehonka
  WSTIP Hardware Support, IT Consultant

Project Game Plan
• Review based on Washington State Information Services Board (ISB) IT Security Standards
• Consultant recommendations for improvement based on industry best practices
• Visit each member's facility; interview person(s) responsible for IT management
• Explore member policies, procedures, system designs, and system configurations (limited review)

ISB IT Security Standards
• Topics covered by the ISB Standard
  – Management of IT Assets
  – Management of IT Security
  – IT Policies and Procedures
  – IT Security Implementation for:
    • Personnel Security
    • Physical Security
    • Data Security
    • Network Security
    • Access Security

What We Found
• Creative Security Solutions
• Multi-Purpose Data Center
• Purpose Built Data Center Areas
• State of the Art Data Backup Disaster Recovery Tape Vault
• State of the Art Wire/Cable Management
• State of the Art Power Management
• Happy Members

What We Learned – Top 10 Risks for Loss
10. Unauthorized disclosure of data due to weak network security practices (2 of 14)
9. Unsecured wireless network access due to misconfiguration or poor network design (2 of 14)
8. Unauthorized access to the Data Center or Server Room due to weak or missing physical security (5 of 14)
7. Loss of the IT Administrator, or IT-knowledgeable person, could cause problems due to no depth of knowledge on staff (8 of 14)
  • IT role not fully staffed
  • Over-reliance on contractor
  • No cross-training
  • No documentation
6. Physical damage to IT equipment and data in the Data Center or Server Room due to inappropriate construction practices and elevated fire risk (8 of 14)
  • NFPA-70/75 standards not met
  • Interior walls constructed of flammable material (OSB)
  • Storing of flammable material in the room
  • Missing or ineffective fire suppression systems
  • Poorly designed or unmanaged electrical systems
  • Missing or ineffective environmental monitoring
  • No fire-block in vertical electrical conduit
5. Unauthorized disclosure of data at the employee computer due to weak technology management policies and practices (8 of 14)
  • Missing/ineffective patch management practices
  • Missing/ineffective anti-virus and anti-malware systems
  • Uncontrolled use of removable media (USB drives, DVD)
  • Data stored on portable devices (e.g. laptop computers, removable media, PDAs) at risk if lost or stolen
  • Data stored on portable devices is not backed up
  • Surplus or discarded equipment not purged of data
4. Loss of data and system availability due to poor power management practices (9 of 14)
  • Very old UPS devices
  • Use of many small UPS devices instead of one for the whole server room
  • Reliance on emergency generator only
  • No emergency generator
  • UPS not integrated with servers to control server shutdown
  • Lack of systems with dual power supplies
  • No emergency shut-off in server rooms
  • Server room power not integrated with fire detection systems
3. Elevated probability of employee errors and omissions that adversely impact data and/or systems due to little or no employee IT Security training (10 of 14)
  • No IT Security awareness training for employees
    – For all new employees
    – Annual review for all employees
  • No clear IT Security policies
  • Lack of skills for IT staff, or no IT staff
  • Over-reliance on contractors
  • Increased risk to employees when using a home computer to do agency work
2. Loss of data due to poor data backup policies and practices. This could lead to an inability to recover in a disaster that destroys key computers or servers (10 of 14)
  • No off-site storage of backup media
  • Ineffective off-site storage of backup media
  • No/insufficient rotation of backup media
  • Backup media not periodically tested
  • Not all critical data backed up
    – Data on workstations or laptop computers
    – Network stored data not included in backup
1. Unauthorized disclosure of data at an employee computer due to weak user management policies and procedures (13 of 14)
  • Missing/ineffective password management
  • Missing/ineffective user account management
  • Accounts not disabled when employees leave
  • Computers left logged on when not in use
  • Missing/ineffective keyboard locking practices

What We Learned – Level of Compliance with ISB IT Security Standards
– Large members are generally more compliant than small members
– Every member has important areas where they can improve
– The standard forms a reasonable basis for review and risk assessment

What We Delivered
• On-site actionable advice
  – Recommendations for immediate actions to reduce risks that could be addressed quickly and at low cost (if the advice was taken)
  – Recommendations for improvements over time
• Assessments of risk to WSTIP
• Recommendations for reducing risk to WSTIP

Was It Worth It?
• WSTIP paid less than $53,000 for consultant time and expenses to complete this project.
  – Loss exposure has been reduced beyond that amount
• Members have been able to benefit immediately by correcting identified risks where they have the capability to do so.
• Member feedback was positive, with many expressing appreciation for a non-threatening, candid outside point of view
• This review got many members to review how they manage IT and IT Security, looking for ways to improve

Conclusions
• WSTIP has potential loss exposure that can be reduced by changing the way IT is managed
• Most members do not have well thought out IT management policies and procedures that consider IT Security and minimize risk of data or system loss
• Senior management may not know the risks they have because most members do not perform any kind of periodic risk assessment
• Some members do not have the skills to properly manage IT and IT risk
• WSTIP was successful in teaming with members to complete this review

Recommendation 1
• Encourage member executive management to get involved with IT risk management
  – Where risks were high we did not find evidence of executive involvement
  – Staff will do what is important to the boss; IT risk management should be important to the boss
  – Provide executive-level briefings on the need for, and nature of, IT risk management

Recommendation 2
• Every member should have a written IT Security plan
  – Documents member IT management policy
  – Documents compliance or exceptions to the ISB IT Security Standards
  – Documents plans to correct unacceptable risks where they exist
  – Becomes the basis for on-going WSTIP IT Security Reviews

Recommendation 3
• Establish an on-going loss prevention review process where IT Security Reviews are performed by WSTIP for every member once every three years
  – WSTIP facilitates reviews for 1/3 of members each year
  – Reviews based on current ISB IT Security Standards
  – Integrate into Integrated Risk Management initiatives
  – Easy way to facilitate executive involvement

10 Ways WSTIP Can Help Members
1. Facilitate annual reviews
2. Report aggregate cyber risk to the board annually
3. Publish a basic IT Security checklist of common risks and corrective actions to aid executives in managing IT Security risks
4. Publish a set of model IT policies and best practices to address common high-risk areas of IT management
5. Develop generic IT Security training for system administrators and member employees
6. Facilitate on-going IT Security consulting to members (grants or assistance)
7. Review contracts with IT service providers to ensure IT Security considerations and operational quality are adequately addressed
8. Where appropriate, host IT vendor demonstrations of technology that could benefit members
9. Look for group-buy opportunities to outsource IT Security operations where appropriate
10. Promote consistency in systems use among small members where there is little or no IT staff

Questions