2 responds

profilelewcan13
10-1SecurityAwarenessProgramProposalsummaryandpresentation.pptx

Security Awareness Program Proposal

Image from https://sg.norton.com/cybercrime-definition

Presented by John Baker Student SNHU 2017

Multiple Unite Security Assurance

Make introduction and use the abstract to tell what will be covered.

The following proposal will look at Multiple Unite Security Assurance (MUSA) Corporation security awareness and will provide a plan and guidance to fix the corporation’s security issues. The following proposal will have an introduction to highlight current issues. Next will be the proposed fix actions and then the communications process to ensure all involved will understand the process of fixing the current issues.

1

Introduction:

-Current Risk Assessment ---HIGH

Can be Mitigated down ---Medium Low

-Security Concerns ---Needs addressing

-Policy letters ---Updating current polices

Multiple Unite Security Assurance

The following proposal will look at Multiple Unite Security Assurance (MUSA) Corporation security awareness and will provide a plan and guidance to fix the corporation’s security issues. The following proposal will have an introduction to highlight current issues. Next will be the proposed fix actions and then the communications process to ensure all involved will understand the process of fixing the current issues.

Overall current risk is high. We can mitigate this down with implementing new protective devices, updating rules and developing programs to conduct/track training, develop new administrative policies to separate duties and hold employees accountable and review and update plan as needed to a medium low. I don’t feel we can ever get to a low risk due to the fact of changing technology and hacker techniques.

No annual cyber security awareness training, which is causing high phishing and social engineering attacks

No configuration change management policy (to reduce unintentional threats)

No intrusion detection/prevention system

Logs are not being collected or analyzed

No media access control policy

No encryption or hashing to control data flow and unauthorized alteration of data

Vulnerability assessment is conducted every three years; unable to assess the security posture status

High turnover and low morale among the employees (due to lack of employee readiness programs and work planning strategy)

High number of theft reports and security incidents; possible unethical/disgruntled employees

No segregation of duties or mandatory vacation policies (to mitigate intentional threats)

Policy letters:

MUSA PL 1 Maintaining Cyber Security Training

MUSA PL 2 Implementation of Change Management

MUSA PL 3 Implementation of Intrusion/ Prevention systems

MUSA PL 4 Audit Logs

MUSA PL 5 Media Access Control

MUSA PL 6 Data Flow Control

MUSA PL 7 Vulnerability Assessment

MUSA PL 8 Employee Readiness

MUSA PL 9 Thefts and Incidents

MUSA PL10 Office Policies for Cyber Security

2

CONTINOUS MONITORING PLAN ---Needed to determine

--- Mitigate risks before they happen

COMMUNICATIONS PLAN ---Who?

--- All employees from management down

--- Why?

---To understand the need to ensure information/system protection

Multiple Unite Security Assurance

MUSA 300.1 requires MUSA to have a continuous monitoring plan. The use of the continuous monitoring plan will allow the company to determine and mitigate risks before they can become issues.

The plan will be developed around the guidance provided in NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach, February 2010 and other governing policies as listed in this document.

The continuous monitoring plan is part of the six-step risk management process that is outlined in the NIST guidance.

MUSA has a need for an ongoing security program due to the fact we are handling customer information and that needs to be protected according to the rules and regulations that are put out by the federal government.

3

RISK ASSESSMENT:

HIGH

Due to lack of

protections and training

Mitigation: Medium Low

With IDS/IPS

Training and

tying Training to access

Multiple Unite Security Assurance

I have been briefed by chief executive officer that the corporation is having some issues in the security awareness realm.

He stated that he has seen a presentation on the importance of a security awareness program that was presented by one of the information security team.

He has asked me to develop a security awareness program for the MUSA Corporation to fix the current security gaps.

Overall current risk is high. We can mitigate this down with implementing new protective devices, updating rules and developing programs to conduct/track training, develop new administrative policies to separate duties and hold employees accountable and review and update plan as needed to a medium low.

4

CURRENT SECURITY CONCERNS

Lack of awareness training,

high phishing and social engineering attacks

No configuration change management policy

No intrusion detection/prevention system

Multiple Unite Security Assurance

Recommendations

Item 1. Establish cyber security awareness training program.

This will include a tracking program that will allow company to tie currency to system access.

Recommend training be conducted every six months due to changing technology and hacker techniques.

Item 2. Establish change management policy to ensure only those authorized to make changes and changes follow procedures to ensure that no interruptions in service will occur.

- Item 3. Implement use of intrusion detection and prevention systems to ensure network is secured. This will also allow us to see what is going on with system as far as attempt to access system from outside sources.

5

Logs are not being collected or analyzed

No media access control policy

No encryption or hashing for data

Vulnerability assessment

Lack of security posture

Multiple Unite Security Assurance

Item 4. Establish procedures for collection and monitoring logs.

Item 5. Establish media access control policy to ensure that only what is authorized is accessed by network.

Item 6. Implement encryption and hashing program to ensure our data is protected.

- Item 7. Implement program to conduct vulnerability assessment at least every six months for the first two years to ensure we are capturing our current risks.

6

High turnover / low morale among the

High number of theft / security incidents

Possible unethical/disgruntled employees

Outdate office policies

Segregation of duties

Mandatory vacation

Multiple Unite Security Assurance

- Item 8. Conduct survey to see what employees feel are company issues.

Item 9. Collect and review theft reports and incidents and see if these occurring by same individuals.

- Item 10. Review administrative policies on leave policy and segregation of duties.

Ensure that groups do not take vacations at same time.

Ensure that individuals do not have privileges that allow them to control a whole process without some sort of oversight.

7

POLICY LETTERS ---Needed clear guidance

See SOP binder with new letters

CONTINIOUS MONITORING PLAN

Roles and Responsibilities

Work Setting

Work Planning and Controls

Employee readiness

Multiple Unite Security Assurance

The follow policy letters address the ten most significant threats to the company now and in need of correction before the issues become too much risk for the company to handle.

Continuous Monitoring Plan

The use of the continuous monitoring plan will allow the company to determine and mitigate risks before they can become issues.

This plan will also help the company to improve the work environment to improve efficiency and company morale.

The plan will be developed around the guidance provided in NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach, February 2010 and other governing policies as listed in this document. The continuous monitoring plan is part of the six-step risk management process that is outlined in the NIST guidance.

Roles and Responsibilities

Management must be the focal point of this plan.

The management must be willing to give approval and follow/enforce the plan to ensure its success.

Work Setting

Issues: Distractions in the work environment, Insufficient resources, Poor management systems, Inadequate security practices

Proposals: To combat distractions, the work center we need to implement rules that will not allow employees to go to sites on the Internet that pose threats and take up employee time.

We must make sure our IPS devices are working to let us monitor what comes into our systems. This will be used in conjunction with updated antivirus program.

Work Planning and Controls

Issues: Job pressures and time management, Task difficulty, Changes in routine, Poor task planning/management practices, Lack of knowledge, skills and ability

Proposals: All the issues listed above would be fixed by reviewing our current management system and ensuring that we are operating in the most efficient manner.

Our employees need to have a work schedule well in advance that allows them to plan for time off and time to get work done.

Employee Readiness

Issues: Inattention, stress/anxiety and fatigue/boredom, Employee wellness, Values and attitudes

Proposals: Allow employees time away from desk. If employees continued to be tied to the desk they will lose focus and thus lose productivity.

8

COMMUNICATIONS PLAN

To get management buy in

To give employees their part in providing security

Senior Management Approval

Outside Threat

Inside Threat

Recommendations for Future

Multiple Unite Security Assurance

The Outside Threat

The Internet has continued to grow and develop at a steady rate. With these changes the Internet has become an avenue for nefarious actions from hackers. They seek to disrupt companies from daily operations and to steal information for their own profit. In 2016 it was noted from the Symantec Corporation in their Internet Security Threat Report, Vol 22 (Apr 2017) that there were 1,209 total breaches and on the average 927K identities were exposed per breach. You can see more of a breakdown in the following image from the same report.

From the same report you also have the following statics from 2016:

Email:

-Spam Rate - 53%

-Phishing Rate - 1 in 2,596

-Malware Rate - 1 in 131

-New Malware Variants - 357 million

-Number of Bots – 98.6 million

The Inside Threat

According to the responding organizations, insiders were the source (or cause) of the following:

-50% of incidents where private or sensitive information was unintentionally exposed

-40% of incidents where employee records were compromised or stolen

-33% of incidents where customer records were compromised or stolen

-32% of incidents where confidential records (i.e., trade secrets or intellectual property) were compromised or stolen”.

-This points to the need for detection and preventative systems to be in place so that we can mitigate or reduce the impact from incidents like these. Training and having audit programs to track activities on our systems will allow us to prevent such activities and save us money from losses in the future.

Recommendations for the Future

MUSA must continue to be proactive and always strive to protect company assets by:

-Continue to provide training in cyber awareness and the current threats. Use a rewards program to get employees to become more vigilant in cyber awareness.

-Monitor and restrict access to only trusted sites and users with correct privileges. Develop a program to show employees the reasons for limited privileges and how to detect misuse of privileges.

-Use monitoring and audit logs to track changes and behaviors occurring on systems. Tie this back to the rewards program and allow employees to receive rewards when they discover issues before they become problems.

-Ensure all partners are aware of cyber threats and to do business with us they need to protect their systems and any information shared. Post a monthly bulletin of current cyber threats and ways to protect our company and employee computers at work and at home.

9

References:

NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach, February 2010. Retrieved 13 Oct 2017 from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf

Ponemon Institute website (2016). Cost of Cyber Crime Study & the Risk of Business Innovation fig. 1. Retrieved 27 Oct 2017 from https://www.ponemon.org/local/upload/file/2016%20HPE%20CCC%20GLOBAL%20REPORT%20FINAL%203.pdf

Symantec Corporation (2017). Internet Security Threat Report, Vol 22, pg. 10. Retrieved 27 Oct 2017 from https://digitalhubshare.symantec.com/content/dam/Atlantis/campaigns-and-launches/FY17/Threat%20Protection/ISTR22_Main-FINAL-JUN8.pdf?aid=elq_

Multiple Unite Security Assurance