Building a Government Cyber Security Program (Dakin)

Colorado Cyber Security Program (CCSP)
Risk Based Gap Analysis (RBGA) and
Statewide Security Planning Update
Rick Dakin, Security Strategist
September 18, 2007
V 1.4
Agenda
• Risk and Threat Review
• CCSP Program Overview
  – Cyber Security Program
  – Policies, Plans and Standards
• Risk Based Gap Analysis (RBGA) Program
  – Process Inventory and System Characterization
  – Risk Assessment and Gap Analysis
  – Security Plans
  – Remediation and Gap Closure Plans
  – Test and Accredit Operations
• Questions and Open Discussion
Security Program Drivers
Enterprise Security Program: Critical Drivers
• More Regulatory Requirements
• Increasing Cyber Threats
• Reduced Tolerance for Service Disruption
Compliance Trends
A Brief History of Regulatory Time
1970–1980
• Privacy Act of 1974
• Foreign Corrupt Practices Act of 1977
1980–1990
• Computer Security Act of 1987
1990–2000
• EU Data Protection
• HIPAA
• FDA 21 CFR Part 11
• C6-Canada
• GLBA
2000–Present
• COPPA
• USA Patriot Act 2001
• EC Data Privacy Directive
• CLERP 9
• CAN-SPAM Act
• FISMA
• Sarbanes-Oxley (SOX)
• CIPA 2002
• Basel II
• NERC 1200 (2003)
• CISP
• Payment Card Industry (PCI)
• State Privacy Laws
CCSP Program Overview
HB 06-1157 was incorporated into Colorado Revised Statute 24-37.5 part 4 in May 2006. The legislation established the Colorado Information Security Act with the following provisions:
• Designate a Chief Information Security Officer (CISO)
• Develop the Colorado Cyber Security Program (CCSP)
• Publish Cyber Security Rules and Associated Policies
• Submit Annual Agency Cyber Security Plans (ACSP)
• Include a Plan of Action and Milestones (POAM) with the ACSP (3-year phase-in period to achieve compliance with the CCSP)
• Implement a Statewide Incident Response Program
• Enhance Statewide Security Awareness and Training
• Establish Security Evaluation and Reporting to Enforce the Program
(Diagram: RBGA Draft Versions)
Security Policies & Rule Review
• Emergency Rule adopted December 20, 2006
• Hearing conducted on January 5, 2007
• Final Rule becomes effective early March 2007
19 Policies:
Organizational Policies
• Cyber Security Planning
• Incident Response
• Information Risk Management
• Vendor Management
• Self Assessment
• Security Training and Awareness
• Security Metrics and Measurement
• System Access and Acceptable Use
• Online Privacy
Operational Policies
• Data Classification and Disposal
• Mobile Computing
• Wireless Security
• Network Operations
• System and Application Security
• Access Control
• Change Control
• Physical Security
• Personnel Security
• Disaster Recovery
Risk Based Gap Analysis (RBGA) Program
The RBGA program was intended to coordinate agency security planning and provide “expert” resources to jump-start the planning process. The process included:
• Provide orientation to agencies on the new CCSP and policies
• Identify major systems and rate criticality
• Review current security programs and existing policies, procedures and plans
• Facilitate agency Risk Based Gap Analysis (RBGA) for major systems
• Facilitate development of DRAFT Agency Cyber Security Plans (ACSP) with integrated Plan of Action and Milestones (POAM)
• Support development of an executive briefing to align new Executive Directors to the risks within agency systems and the plans to mitigate those risks before submittal
Security Planning Process
(Diagram developed by the National Institute of Standards and Technology)
Risk Management Process
NIST SP 800-30 is an industry “Best Practice” referenced by the FFIEC to guide our risk assessment.
1. Inventory and Characterize Systems
2. Threat Identification
3. Vulnerability Assessment
4. Likelihood Determination
5. Impact Analysis
6. Recommend Risk Controls
The Ingredients of an Attack
Threat + Motive + Method + Vulnerability = ATTACK!
(Diagram: Non-Malicious Threats, Malicious Threats with their Motives and Goals, and Natural Disasters each apply Methods and Tools against Vulnerabilities to reach ASSETS; Security Controls & Policies stand between the threats and the assets.)
• Poor security policies could let an attack through
• Good security controls can stop certain attacks
• NO security policies or controls could be disastrous
Systems Characterization
• What do you do?
  – Mission critical processes
  – Key stakeholders
  – Map processes
• How important are those functions?
  – Criticality rating (FIPS 199)
  – Priority for risk analysis and deployment of controls
• What systems are used?
  – Systems inventory (applications, host platforms)
  – Service providers
  – Diagrams
Threat Identification
Human
• Terrorist
• Hacker
• Disgruntled Employee
• Vendors
• Untrained Staff
Non-Human
• Acts of Nature
• Fire
• Power Failures
• Contamination
• Configuration Errors
• Systems Obsolescence
Vulnerability Assessment
• What systems and processes are used to support critical operations?
  – Servers
  – Software
  – Network Connectivity
  – User Access
  – Standard processes
• What vulnerabilities could be exploited?
  – Patch levels
  – Unnecessary services
  – Security architecture
  – Monitoring and reporting
  – Access Controls
  – User behavior
Risk Analysis
(Risk matrix: LIKELIHOOD on one axis, from LOW to HIGH, and SEVERITY on the other, from LOW to HIGH)
Sample Risk Assessment
Columns: Risks / Hazards | Controls Deployed | Recommended Remediation

1. Risk / Hazard: Security oversight may not identify and prioritize risk mitigation
   Controls deployed: IT Steering Committee
   Recommended remediation:
   • Dedicate an Information Security Officer (ISO) to oversee development of the security program
   • Formally establish an IT security committee with specific duties

2. Risk / Hazard: IT security policy gaps fail to guide staff behavior
   Controls deployed: Only limited informal security policies
   Recommended remediation:
   • A complete set of policies should be developed according to best practices
   • Policies approved by IT Steering
   • Staff trained

3. Risk / Hazard: Business Continuity & Disaster Recovery plans are not adequate
   Controls deployed: Some system hardening and limited recovery plans or facilities are in place today
   Recommended remediation:
   • A BCP/disaster recovery plan will have to be developed
   • Deploy redundant facilities
   • Train staff
   • Update and test annually

4. Risk / Hazard: Physical security does not protect critical systems
   Controls deployed: Physical security is limited only to the data rooms
   Recommended remediation:
   • Develop and deploy a comprehensive physical security policy and plan for facility access, data center, access to network wiring infrastructure, media

5. Risk / Hazard: Unauthorized access to data
   Controls deployed: Weak passwords; shared accounts; limited access granting process
   Recommended remediation:
   • Upgrade access controls: access granting process, unique user ID, strong passwords (complexity)
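As an added example, not taken from the presentation, the NIST SP 800-30 likelihood-times-impact determination from the Risk Management Process and Risk Analysis slides is applied to the five hazards in this table and the result is ordered for a POAM. The High/Medium/Low ratings given to each hazard are constructed for illustration; only the weights and thresholds follow SP 800-30 (2002 edition, Table 3-6).

```python
# NIST SP 800-30 (2002) risk determination applied to the sample risk register.
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}  # SP 800-30 likelihood weights
IMPACT = {"High": 100, "Medium": 50, "Low": 10}        # SP 800-30 impact magnitudes

@dataclass
class Risk:
    hazard: str
    controls_deployed: str
    remediation: str
    likelihood: str  # rated with the controls already deployed taken into account
    impact: str

def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact magnitude; rejects off-scale ratings."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: likelihood={likelihood!r} impact={impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def poam_priority(risks: list[Risk]) -> list[tuple[str, float, str, str]]:
    """Order the register for the POAM, highest risk first (stable on equal scores)."""
    scored = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        scored.append((risk_level(score), score, r.hazard, r.remediation))
    return sorted(scored, key=lambda t: -t[1])

# The five hazards from the sample assessment; the two ratings per row are constructed.
SAMPLE_REGISTER = [
    Risk("Security oversight may not identify and prioritize risk mitigation",
         "IT Steering Committee", "Dedicate an ISO; formal IT security committee", "Medium", "Medium"),
    Risk("IT security policy gaps fail to guide staff behavior",
         "Limited informal policies", "Complete policy set, approved, staff trained", "High", "Medium"),
    Risk("Business Continuity & Disaster Recovery plans are not adequate",
         "Some hardening, limited recovery", "BCP/DR plan, redundant facilities, annual test", "Low", "High"),
    Risk("Physical security does not protect critical systems",
         "Limited to data rooms", "Comprehensive physical security policy and plan", "Medium", "High"),
    Risk("Unauthorized access to data",
         "Weak passwords, shared accounts", "Unique IDs, strong passwords, access granting process", "High", "High"),
]

if __name__ == "__main__":
    for level, score, hazard, remediation in poam_priority(SAMPLE_REGISTER):
        print(f"{level:6} {score:5.0f}  {hazard} -> {remediation}")
```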
Point Solutions
(Diagram of isolated point solutions: Intrusion Detection, Firewalls, Access Controls, Vulnerability Assessment)
Unified Security Programs
(Diagram: regulatory drivers PCI, SOX, HIPAA, GLBA, ISO-17799 and Privacy Laws are satisfied by one set of Unified IT Controls: Security Policy, Security Architecture Design, Code Review, Penetration Testing, Access Controls, NIDS/HIDS, Firewall, Virus Protection, Hosting, Training and Security Documentation)
Measure Control Effectiveness
CoBIT Metrics (maturity steps, from Control Design Adequacy to Control Effectiveness):
1. Controls Designed and Selected
2. Controls Documented
   • Policies
   • Procedures
   • Inventories
   • Diagrams
3. Control Deployed with REPEATABLE processes
4. Oversight Provided
   • Control effectiveness reports
   • IT oversight
   • Evidence or work papers from internal or external reports / meeting minutes
   • Formal accountability assigned
5. Program Adjustment after Justification
   • Steering Committee review and recommendations, etc.
NIST Metrics (corresponding levels):
Level 1 – control objective documented in a security policy
Level 2 – security controls documented as procedures
Level 3 – procedures have been implemented
Level 4 – procedures and security controls are tested and reviewed
Level 5 – procedures and security controls are fully integrated into a comprehensive program
Security Plans
Leverage NIST SP 800-100 and SP 800-18
• Organization Mission
• Summary of Environment
• Roles and Responsibilities
• Summary of Risks
• Selection of Controls
• Deployment and Training
• Test and Audit of Control Effectiveness
• Accredit Systems Operations
• Process to Enhance Plans
Plan of Action and Milestones (POAM)
Goal: Each risk assessment will identify gaps in current security plans that should be remediated by priority.
Timeline: Nov 07, Dec 07, Jan 08, Feb 08, Mar 08, Jul 08
Milestones, in sequence:
• Risk Assessment
• Draft Security Plan
• Update Policies
• Remediate Gaps
• Document and Train
• Executive Briefing
• Update Security Plans
• Test and Accredit System
Lessons Learned
• New processes take time … start early
• New security planning processes require training … even with seasoned IT professionals
• It takes time and resources to deploy and manage controls … get key executives involved early to start planning budget impact
• Why does it cost so much to protect systems that don’t cost very much?
• Even with a great security plan, you may still get compromised. Have an IR Plan.
Open Discussion
• Questions
• Feedback
• Next Steps – “What can you do?”
  – Form a security oversight team
  – Launch a program with a Risk Assessment first
http://www.colorado.gov/cybersecurity/