80 likes | 226 Views
Prepared by: Joshua Smith, Gary Faulkner, Brandon Van Guilder , and Eric Rusch. Presentation to the CIO. Eas y Security Project. Agenda. Overview of Security Incident Analysis of incident using COBIT control objectives (DS5 ) Recommendations based on analysis Conclusion & Questions.
E N D
Preparedby: Joshua Smith, Gary Faulkner, Brandon Van Guilder, and Eric Rusch Presentation to the CIO EasySecurity Project
Agenda • Overview of Security Incident • Analysis of incident using COBIT control objectives (DS5) • Recommendations based on analysis • Conclusion & Questions
Review of Security Incident • Stolen information was retrieved from VA servers by an authorized worker • The VA worker utilized the data for testing and had authorization to bring work home • Information was brought home on external HD and laptop • An unencrypted national database of 26.5 million veteran’s personal information was stolen • The theft occurred on May 3rd at the worker’s home and reported by the VA May 22nd
Analysis criteria • Analysis was completed using COBIT Control Objectives (DS5) • All 21 control objectives were assessed • Not all objectives were applicable • Objectives not applicable were given a grade of PASS • Objectives not met were given expanded recommendations
Recommendations • Create an independent Security Oversight Committee • Committee reviews policies, procedures, and security control practices annually and directly after any security incidents. • Cost: $10k – 20k Annually • Improve Communication and documentation between departments and management • Increase security incident response • Cost: $5k - $10k • Expand Authority of the CIO • Manage all IT staff across departments • Enforce policies • Cost: $5k - $10k
Recommendations • Employee Training Program • Employees need annual training on security policies and procedures. • Cost: $10k – $15k annually • DLP – Data Loss Prevention Policy and Procedure • Policy and procedure restricting data removal to prevent PII • Restrict Personal Devices from be connected to the VA network • Cost: Minimal • Implement NAC on the VA Network • Restrict Personal or unauthorized devices from connecting to the VA Network • Cost: $75k - $100k
Recommendations • Encrypt all VA devices using SEE (Symantec Endpoint Encryption) • Utilize full disk encryption to protect data and PII • Cost: $35k - $50K • Implement Identify Finder to Prevent Data Leakage • Locate and secure sensitive information and PII • Cost: $1.5M - $2M plus $30K - $50K annually
Conclusion Develop and maintain a security program that will meet our needs now and in the future. Questions & Discussion