How an 80’s pop song can help you address 3 critical IT security risks Thursday, November 12th, 2015
About RoundTable and about me
RoundTable Technology is a team of experienced professionals working to strengthen and enrich the nonprofit community by helping organizations make the most effective use of technology. I am the vice president of RoundTable Technology, an expert trainer for Idealware.org, former Director of IT for the Fund for the City of New York and I have been dedicated full-time to helping nonprofits with technology since 1994.
What about you? Two quick polls
Our Learning Objectives today...
A few logistics to help things go smoothly
● If you have a question, please type it in during the webinar. Toward the end we will unmute all for Q&A.
● If you dialed into the audio by phone, you need to enter your audio PIN (the 2-digit number displayed immediately underneath the dial-in number and access code). Otherwise we won’t be able to unmute you for Q&A.
“You and I in a little toy shop
Buy a bag of balloons with the money we've got.
Set them free at the break of dawn
'Til one by one, they were gone.
Back at base, bugs in the software
Flash the message, Something's out there.
Floating in the summer sky.
Ninety nine red balloons go by.”
Yes, there are bugs in the software
So, where to start?
Critical IT Security Risk #1 Not understanding your risk.
Risk Assessment (sounds fancy, but not that complicated)
● What do you have?
● Where is it?
● How much do you care about it?
● What could happen to it?
● How likely is it to happen?
● How bad would it be if it happened?
● How will you know?
● How will you respond?
Why this process? The framework we are learning today is based on: NIST Special Publication 800-30, revision 1 - “Guide for Conducting Risk Assessments.” It’s 95 pages long. This webinar is 60 minutes. Don’t worry.
Back to Nena
Confidentiality, Integrity and Availability
Confidentiality - Information exposed to unauthorized parties
Integrity - Information changed or lost in ways that can’t be tracked or retrieved
Availability - Information unavailable for some period of time.
Impact
Information Identification and Classification
Risk Assessment Report Template
Has your organization ever done a risk assessment? (poll)
WWND (What Would Nena do)?
Critical IT Security Risk #2 Not having a plan.
Some things to keep in mind
Threats against confidentiality can be the most challenging to address
Threats against availability can be the ones that most impact productivity
You can’t eliminate risk
Your goal is to find the right balance for your organization
Risk Assessment ROI A bad thing that doesn’t happen is just as valuable as a good thing that does happen. (twice as much, in fact, if you take into account loss aversion, but that’s another webinar)
Some Safeguards
Table: each safeguard against the property it protects (Confidentiality / Integrity / Availability)
Safeguards listed: Backups, Policies, Response Plan, Access Controls, IT Controls (AV, firewalls, etc.), Security Awareness Training, Risk Assessment
Cloud-based backup solutions
These solutions back up data from your network servers and computers to the cloud.
Policies
Incident Response Plan - The SANS 6
Revision History in the Cloud
Revision History in the Cloud, continued...
IT Controls
• Firewalls - equipped with Universal Threat Management and up-to-date with support and subscriptions
• Malware Protection - Centrally managed and monitored
• Email - configured to reduce SPAM, Spoofing and Phishing (proper SPF records at a minimum)
• Two-factor authentication where appropriate
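The SPF item in the IT Controls list can be checked mechanically. The following is an added example (not from the webinar or from RoundTable) that evaluates an SPF TXT record for the properties a defender wants: a `v=spf1` version tag, a terminating `all` mechanism with a restrictive qualifier, no deprecated `ptr`, and no more than the ten DNS-lookup mechanisms RFC 7208 allows. The two records it is run on are constructed sample values, not real domains.

```python
import re

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records for demonstration (not real domains).
WEAK_RECORD = "v=spf1 include:_spf.example.net ptr +all"
GOOD_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"


def check_spf(record: str) -> dict:
    """Return {'valid', 'findings', 'lookups'} for one SPF TXT record string."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["missing v=spf1 version tag"], "lookups": 0}
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:
            # modifier, e.g. redirect=other.example or exp=explain.example
            name = term.split("=", 1)[0].lower()
        else:
            # mechanism with optional qualifier, e.g. -all, include:x, ip4:203.0.113.0/24, mx/24
            qualifier = term[0] if term[0] in "+-~?" else "+"
            body = term[1:] if term[0] in "+-~?" else term
            name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
            if name == "all":
                all_qualifier = qualifier
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow; remove it")
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result, so spoofing is not rejected")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' permits any sender; use -all (fail) or ~all (softfail)")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the limit of 10; receivers return permerror")
    return {"valid": not findings, "findings": findings, "lookups": lookups}


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("good", GOOD_RECORD)):
        result = check_spf(rec)
        print(label, "valid" if result["valid"] else "findings: " + "; ".join(result["findings"]))
```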
Security Awareness Training
• One of the most effective security interventions
• As little as 10 minutes/month can be very effective.
• DIY or get help from an outside vendor
SANS - Securing the Human
What risks most worry you? (poll)
Our last check-in with Nena
Critical IT Security Risk #3 Worry without action
Mission matters more
Take the time to thoughtfully put appropriate systems and processes in place so you can put your focus where you want it to be - on your mission.
The Three Security Risks
1. Not understanding our risk
2. Not having a plan to deal with risk
3. Unproductive worry
Feedback and Handouts