February 2000 EPA Unplugged


Presentation Transcript


  1. February 2000: EPA Unplugged
     EPA Case Study, Lessons Learned
     December 11, 2002

  2. GAO Audit Timeline
     - October 1999 – GAO audit begins
     - December 1999 – GAO notifies EPA of certain vulnerabilities
     - February 2000 – GAO exit interview citing serious vulnerabilities
     - Due to publicity of the audit, the EPA Administrator decided to disconnect the Agency from the Internet

  3. Audit Findings
     - Ineffective perimeter defenses
     - Inadequate system access controls
     - Weak network and operating system controls
     - Weak security planning and risk assessment practices

  4. EPA Response
     - Established criteria for service restoration
     - Asked Executive Management to identify the highest priority systems and services
     - Worked only on the highest priorities
     - Embraced risk based decision making
     - Improved management processes

  5. Service Restoration Process
     - Reflected the new approach: deny all except where allowed
     - Risk based
     - Senior Management priorities
     - Focused on:
       - Services critical to mission operations
       - Services easiest to restore
       - Services serving the widest community

  6. Service Restoration Process

  7. Services Restored
     - 90% of services restored within 6 months, including:
       - Public access to the web server
       - Financial systems
       - Internet access and email for employees
     - Of the balance, some services were never restored due to unacceptable risks

  8. Lessons Learned
     - Engage Executive Management in decision making
     - Set priorities based on executive management needs
     - Make risk based decisions
     - Reduce unnecessary open connections
     - Assure risks are known
     - Ensure appropriate controls are in place before going live

  9. Lessons Learned (continued)
     - Better understanding of what connections are needed to do business
     - Value of independent expertise
     - Need for documentation
     - Value of explicit decision making
     - Communicate with managers and users

  10. Conclusion
      Security is the management of risks.
      Questions?
      Marian Cody, Associate Director, Technical Information Security Staff, U.S. EPA, 202-566-0302