USAID/Peru Risk Assessment In-Briefing
February 19, 1999
USAID PRIME Principal Resource for Information Management Enterprise-wide 1

Team Introduction
– USAID ISSO - Jim Craft
– Risk Assessment Program Manager - Rod Murphy
– Consulting Manager, Information Technology - John Zobel
– Senior Computer Scientist - Mike Reiter
– UNIX Team Lead - Steve Bui

Purpose
A Risk Assessment allows one to:
– Determine which information is critical to the organization
– Identify the systems that process, store, or transmit that critical information
– Identify potential vulnerabilities
– Recommend solutions to mitigate or eliminate those vulnerabilities

Determine the Scope
Identify the boundaries of the system(s) being evaluated
– Cisco Routers
– Servers
– Workstations
– Communication Lines
Identify the level of detail expected from the Assessment
– Compliance with Agency/Mission requirements
– Compliance with best practices

Pre-Assessment Activity
Collected and Analyzed Mission Data
– Asset Information (Hardware/Software/Financial)
– Automated Survey Questionnaires
  • 51 surveys sent out
  • 22 responses received
– 34 potential vulnerabilities identified
– Conducted an Automated Network Scan using HYDRA
  • Identified 8 major and 17 minor vulnerabilities
  • Developed and forwarded an Immediate Needs Report to TCO and Mission staff for action
– Conducted a follow-up HYDRA scan to confirm Mission Configuration changes

On-site Activities
Friday:
Receive a Mission Threat Briefing
Coordinate Assessment Logistics
– A room for the Assessment team to work out of
– A room scheduled for conducting training (Wed)
– A room for in-briefing and out-briefing
– Interviews scheduled for Mon and Tue, if necessary
– Schedule meeting with Functional Management on Tues.
– Schedule all staff training for Wed. (one-hour sessions)
– Schedule meeting with Security Plan and Contingency Planning staff (Wed)
– List of Mission phone number ranges for scan

On-Site Activities (continued)
Conduct a Physical Review of the Mission Facility
Meet with System Administrators
– Establish System IDs as needed
– Conduct UNIX review
– Conduct Banyan review
– Review NT Security
Monday:
Conduct staff interviews
Additional System (UNIX, Banyan, NT, Cisco) reviews
Conduct an after-hours modem scan

On-Site Activities (continued)
Tuesday:
Conduct additional interviews as needed
Meet with Functional Mission Management to discuss:
– Connectivity/Business needs
– Mission impact with regards to Agency requirements
– Roles and Responsibilities associated with policies
Wednesday:
Conduct Mission staff training
Assist in the development of Mission Security Plan and Contingency Plan

On-Site Activities (continued)
Conduct any activities needed to wrap up the assessment.
Analyze information gathered from pre-assessment and on-site assessment activities.
Develop "Draft" Assessment Executive Summary Report.
Develop Out-Briefing
Present Out-Briefing to Mission Management/Staff

Expected Outcome
What the Assessment Team expects to Accomplish:
– Identify areas of concern
– Provide recommendations that will enable management to make decisions associated with risks
– Assist in the development of a Mission Security Plan
– Assist in the development of a Mission Contingency Plan
– Provide an annual Security refresher Training class to all Mission personnel
– Develop a standardized approach to conducting Mission Risk Assessments
– Identify Mission Concerns associated with UNIX, Banyan, NT, Cisco configuration checklists
– Identify and address specific Mission concerns

Additional Activities Being Conducted at Each Mission
Assist in the development of a Mission System Security Plan
Provide a template for developing a Mission Contingency Plan
Provide on-site training
– General User
– System Administrator
– System Managers/Executive Officers
Address any additional concerns
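The pre-assessment triage that the Purpose and Pre-Assessment Activity slides describe (score survey and scan findings against the criticality of the information a system handles, forward the serious ones ahead of the visit as an Immediate Needs Report, then compare a follow-up scan against the first to confirm the Mission's configuration changes), written out as an added example in Python. This is not code from the assessment team or from HYDRA; the 1-3 scales, the multiplicative score, the major threshold of 6, and every host and finding in it are constructed assumptions.

```python
"""Triage of risk-assessment findings, modelled on the in-briefing's
pre-assessment flow: findings are scored against asset criticality, the
serious ones go into an Immediate Needs Report, and a follow-up scan is
compared with the first to confirm configuration changes.

Added example. The scales, the score model, the threshold and all sample
data are constructed assumptions, not real HYDRA output or the team's method.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed asset inventory: host -> criticality of the information it
# handles (1 = routine, 2 = sensitive, 3 = mission-critical).
ASSETS: Dict[str, int] = {
    "fin-server": 3,
    "unix-gw": 3,
    "nt-fileserver": 2,
    "workstation-07": 1,
}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: int  # 1 = minor .. 3 = serious, as reported by scan or survey
    source: str    # "scan" or "survey"


# Constructed findings standing in for survey answers and scanner output.
FINDINGS: List[Finding] = [
    Finding("fin-server", "Vendor default administrator password still set", 3, "scan"),
    Finding("unix-gw", "Remote administration reachable from all Mission subnets", 2, "scan"),
    Finding("nt-fileserver", "Guest account enabled", 2, "scan"),
    Finding("workstation-07", "No password-protected screen saver", 1, "survey"),
    Finding("printer-02", "Unsupported firmware version", 3, "scan"),  # not in inventory
]


def risk_score(finding: Finding, assets: Dict[str, int]) -> int:
    """Assumed model: risk = asset criticality x finding severity.
    A host missing from the inventory gets criticality 1 so it is still
    ranked; an unregistered system is itself worth noting, not dropping."""
    return assets.get(finding.host, 1) * finding.severity


def classify(score: int, major_threshold: int = 6) -> str:
    """Scores at or above the threshold are 'major' and go into the Immediate
    Needs Report for action before the visit; the rest wait for the full report."""
    return "major" if score >= major_threshold else "minor"


def triage(findings: Iterable[Finding], assets: Dict[str, int],
           major_threshold: int = 6) -> List[Tuple[Finding, int, str]]:
    """Return (finding, score, class) sorted highest risk first, ties by host/title."""
    scored = [(f, risk_score(f, assets)) for f in findings]
    scored.sort(key=lambda pair: (-pair[1], pair[0].host, pair[0].title))
    return [(f, s, classify(s, major_threshold)) for f, s in scored]


def summary_counts(findings: Iterable[Finding], assets: Dict[str, int],
                   major_threshold: int = 6) -> Tuple[int, int]:
    """(major, minor) counts: the two numbers the briefing reports per scan."""
    classes = [c for _, _, c in triage(findings, assets, major_threshold)]
    return classes.count("major"), classes.count("minor")


def immediate_needs_report(findings: Iterable[Finding], assets: Dict[str, int],
                           major_threshold: int = 6) -> str:
    """Plain-text report listing only the major findings, highest risk first."""
    lines = ["IMMEDIATE NEEDS REPORT"]
    for f, score, cls in triage(findings, assets, major_threshold):
        if cls == "major":
            lines.append(f"[{score}] {f.host}: {f.title} (source: {f.source})")
    return "\n".join(lines)


def _key(f: Finding) -> Tuple[str, str]:
    # Match on (host, title) so a changed severity cannot hide an open item.
    return (f.host, f.title)


def confirm_fixes(before: Iterable[Finding],
                  after: Iterable[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Compare the first scan with the follow-up scan: a finding absent from the
    follow-up is treated as resolved, one still present as open."""
    after_keys = {_key(f) for f in after}
    before = list(before)
    resolved = [f for f in before if _key(f) not in after_keys]
    still_open = [f for f in before if _key(f) in after_keys]
    return resolved, still_open


if __name__ == "__main__":
    print(immediate_needs_report(FINDINGS, ASSETS))
    print("major/minor:", summary_counts(FINDINGS, ASSETS))
    # Constructed follow-up scan: both major items fixed, two minor ones remain.
    first_scan = [f for f in FINDINGS if f.source == "scan"]
    follow_up = [f for f in first_scan if f.host in ("nt-fileserver", "printer-02")]
    resolved, still_open = confirm_fixes(first_scan, follow_up)
    print("resolved:", [f.title for f in resolved])
    print("still open:", [f.title for f in still_open])
```

Only scan findings are fed to confirm_fixes; survey answers are not re-collected by a follow-up scan, so comparing them would falsely show them as resolved. The threshold is a single tunable so the same code can be rerun against each Mission's inventory when the standardized approach the deck calls for is applied.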