USAID PRIME: Principal Resource for Information Management Enterprise-wide
USAID/Peru Risk Assessment In-Briefing
February 19, 1999

Team Introduction
• USAID ISSO - Jim Craft
• Risk Assessment Program Manager - Rod Murphy
• Consulting Manager, Information Technology - John Zobel
• Senior Computer Scientist - Mike Reiter
• UNIX Team Lead - Steve Bui

Purpose
• A Risk Assessment allows one to:
  • Determine which information is critical to the organization
  • Identify the systems that process, store, or transmit that critical information
  • Identify potential vulnerabilities
  • Recommend solutions to mitigate or eliminate those vulnerabilities

Determine the Scope
• Identify the boundaries of the system(s) being evaluated
  • Cisco Routers
  • Servers
  • Workstations
  • Communication Lines
• Identify the level of detail expected from the Assessment
  • Compliance with Agency/Mission requirements
  • Compliance with best practices

Pre-Assessment Activity
• Collected and Analyzed Mission Data
  • Asset Information (Hardware/Software/Financial)
  • Automated Survey Questionnaires
    • 51 surveys sent out
    • 22 responses received
    • 34 potential vulnerabilities identified
• Conducted an Automated Network Scan using HYDRA
  • Identified 8 major and 17 minor vulnerabilities
• Developed and forwarded an Immediate Needs Report to TCO and Mission staff for action
• Conducted a follow-up HYDRA scan to confirm Mission Configuration changes

On-site Activities
• Friday:
  • Receive a Mission Threat Briefing
  • Coordinate Assessment Logistics
    • A room for the Assessment team to work out of
    • A room scheduled for conducting training (Wed)
    • A room for in-briefing and out-briefing
    • Interviews scheduled for Mon and Tue, if necessary
    • Schedule meeting with Functional Management on Tues.
    • Schedule all staff training for Wed. (one hour sessions)
    • Schedule meeting with Security Plan and Contingency Planning staff (Wed)
    • List of Mission phone number ranges for scan

On-Site Activities (continued)
• Conduct a Physical Review of the Mission Facility
• Meet with System Administrators
• Establish System IDs as needed
• Conduct UNIX review
• Conduct Banyan review
• Review NT Security
• Monday:
  • Conduct staff interviews
  • Additional System (UNIX, Banyan, NT, Cisco) reviews
  • Conduct an after-hours modem scan

On-Site Activities (continued)
• Tuesday:
  • Conduct additional interviews as needed
  • Meet with Functional Mission Management to discuss:
    • Connectivity/Business needs
    • Mission impact with regards to Agency requirements
    • Roles and Responsibilities associated with policies
• Wednesday:
  • Conduct Mission staff training
  • Assist in the development of Mission Security Plan and Contingency Plan

On-Site Activities (continued)
• Conduct any activities needed to wrap up assessment
• Analyze information gathered from pre-assessment and on-site assessment activities
• Develop "Draft" Assessment Executive Summary Report
• Develop Out-Briefing
• Present Out-Briefing to Mission Management/Staff

Expected Outcome
• What the Assessment Team expects to Accomplish:
  • Identify areas of concern
  • Provide recommendations that will enable management to make decisions associated with risks
  • Assist in the development of a Mission Security Plan
  • Assist in the development of a Mission Contingency Plan
  • Provide an annual Security refresher Training class to all Mission personnel
  • Develop a standardized approach to conducting Mission Risk Assessments
  • Identify Mission Concerns associated with UNIX, Banyan, NT, Cisco configuration checklists
  • Identify and address specific Mission concerns

Additional Activities Being Conducted at Each Mission
• Assist in the development of a Mission System Security Plan
• Provide a template for developing a Mission Contingency Plan
• Provide on-site training
  • General User
  • System Administrator
  • System Managers/Executive Officers
• Address any additional concerns