
Prepared by: Joshua Smith, Gary Faulkner, Brandon Van Guilder , and Eric Rusch

Presentation to the CIO: Easy Security Project. Agenda: overview of the security incident; analysis of the incident using COBIT control objectives (DS5); recommendations based on the analysis; conclusion and questions.



Presentation Transcript


  1. Prepared by: Joshua Smith, Gary Faulkner, Brandon Van Guilder, and Eric Rusch. Presentation to the CIO. Easy Security Project

  2. Agenda
  • Overview of Security Incident
  • Analysis of incident using COBIT control objectives (DS5)
  • Recommendations based on analysis
  • Conclusion & Questions

  3. Review of Security Incident
  • The stolen information had been retrieved from VA servers by an authorized worker
  • The VA worker used the data for testing and had authorization to bring work home
  • The information was brought home on an external HD and a laptop
  • An unencrypted national database containing the personal information of 26.5 million veterans was stolen
  • The theft occurred on May 3rd at the worker's home and was reported by the VA on May 22nd

  4. Analysis criteria
  • Analysis was completed using COBIT Control Objectives (DS5)
  • All 21 control objectives were assessed
  • Not all objectives were applicable
  • Objectives that were not applicable were given a grade of PASS
  • Objectives that were not met were given expanded recommendations

  5. Recommendations
  • Create an independent Security Oversight Committee
    • The committee reviews policies, procedures, and security control practices annually and directly after any security incident
    • Cost: $10k – $20k annually
  • Improve communication and documentation between departments and management
    • Improve security incident response
    • Cost: $5k – $10k
  • Expand the authority of the CIO
    • Manage all IT staff across departments
    • Enforce policies
    • Cost: $5k – $10k

  6. Recommendations
  • Employee Training Program
    • Employees need annual training on security policies and procedures
    • Cost: $10k – $15k annually
  • DLP (Data Loss Prevention) Policy and Procedure
    • Policy and procedure restricting data removal to prevent PII leakage
    • Restrict personal devices from being connected to the VA network
    • Cost: Minimal
  • Implement NAC on the VA Network
    • Restrict personal or unauthorized devices from connecting to the VA network
    • Cost: $75k – $100k

  7. Recommendations
  • Encrypt all VA devices using SEE (Symantec Endpoint Encryption)
    • Use full disk encryption to protect data and PII
    • Cost: $35k – $50k
  • Implement Identity Finder to prevent data leakage
    • Locate and secure sensitive information and PII
    • Cost: $1.5M – $2M plus $30k – $50k annually

  8. Conclusion
  Develop and maintain a security program that will meet our needs now and in the future.
  Questions & Discussion
