Appendix II

PERSONNEL SECURITY
  1. Does your staff wear ID badges?
  2. Is a current picture part of the ID badge?
  3. Are authorized access levels and type (employee, contractor, visitor) identified on the badge?
  4. Do you check the credentials of external contractors?
  5. Do you have policies addressing background checks for employees and contractors?
  6. Do you have a process for effectively cutting off access to facilities and information systems when an employee/contractor terminates employment?


PHYSICAL SECURITY
  1. Do you have policies and procedures that address permitting authorized, and limiting unauthorized, physical access to electronic information systems and the facilities in which they are housed?
  2. Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring?
  3. Is access to your computing area controlled (single point, reception or security desk, sign-in/sign-out log, temporary/visitor badges)?
  4. Are visitors escorted into and out of controlled areas?
  5. Are your PCs inaccessible to unauthorized users (e.g., located away from public areas)?
  6. Are your computing area and equipment physically secured?
  7. Are there procedures in place to prevent computers from being left in a logged-on state, however briefly?
  8. Are screens automatically locked after 10 minutes idle?
  9. Are modems set to Auto-Answer OFF (not to accept incoming calls)?
  10. Do you have procedures for protecting data during equipment repairs?
  11. Do you have policies covering laptop security (e.g., cable lock or secure storage)?
  12. Do you have an emergency evacuation plan and is it current?
  13. Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency?
  14. Are key personnel aware of which areas and facilities need to be sealed off and how?


ACCOUNT AND PASSWORD MANAGEMENT

  1. Do you have policies and standards covering electronic authentication, authorization, and access control of personnel and resources to your information systems, applications and data?
  2. Do you ensure that only authorized personnel have access to your computers?
  3. Do you require and enforce appropriate passwords?
  4. Are your passwords secure (not easy to guess, regularly changed, no use of temporary or default passwords)?
  5. Are your computers set up so others cannot view staff entering passwords?


CONFIDENTIALITY OF SENSITIVE DATA
  1. Do you classify your data, identifying sensitive versus non-sensitive data?
  2. Are you exercising responsibilities to protect sensitive data under your control?
  3. Is the most valuable or sensitive data encrypted?
  4. Do you have a policy for identifying the retention of information (both hard and soft copies)?
  5. Do you have procedures in place to deal with credit card information?
  6. Do you have procedures covering the management of personal private information?
  7. Is there a process for creating retrievable backup and archival copies of critical information?
  8. Do you have procedures for disposing of waste material?
  9. Is waste paper binned or shredded?
  10. Is your shred bin locked at all times?
  11. Do your policies for disposing of old computer equipment protect against loss of data (e.g., by reading old disks and hard drives)?
  12. Do your disposal procedures identify appropriate technologies and methods for making hardware and electronic media unusable and inaccessible (such as shredding CDs and DVDs, electronically wiping drives, burning tapes, etc.)?


DISASTER RECOVERY

  1. Do you have a current business continuity plan?
  2. Is there a process for creating retrievable backup and archival copies of critical information?
  3. Do you have an emergency/incident management communications plan?
  4. Do you have a procedure for notifying authorities in the case of a disaster or security incident?
  5. Does your procedure identify who should be contacted, including contact information?
  6. Is the contact information sorted and identified by incident type?
  7. Does your procedure identify who should make the contacts?
  8. Have you identified who will speak to the press/public in the case of an emergency or an incident?
  9. Does your communications plan cover internal communications with your employees and their families?
  10. Can emergency procedures be appropriately implemented, as needed, by those responsible?


SECURITY AWARENESS AND EDUCATION
  1. Are you providing information about computer security to your staff?
  2. Do you provide training on a regular recurring basis?
  3. Are employees taught to be alert to possible security breaches?
  4. Are your employees taught about keeping their passwords secure?
  5. Are your employees able to identify and protect classified data, including paper documents, removable media, and electronic documents?
  6. Does your awareness and education plan teach proper methods for managing credit card data (PCI standards) and personal private information (Social Security numbers, names, addresses, phone numbers, etc.)?


COMPLIANCE AND AUDIT

  1. Do you review and revise your security documents, such as: policies, standards, procedures, and guidelines, on a regular basis?
  2. Do you audit your processes and procedures for compliance with established policies and standards?
  3. Do you test your disaster plans on a regular basis?
  4. Does management regularly review lists of individuals with physical access to sensitive facilities or electronic access to information systems?


Checklist Response Analysis

For each question that is marked “No,” carefully review its applicability to your organization. Implementing or improving controls decreases potential exposure to threats/vulnerabilities that may seriously impact the ability to successfully operate.

Cyber Security Threat/Vulnerability Assessment

For this assessment, numeric rating scales are used to establish impact potential (0–6) and likelihood probability (0–5).

IMPACT SCALE
  1. Impact is negligible
  2. Effect is minor; major agency operations are not affected
  3. Organization operations are unavailable for a certain amount of time, costs are incurred, and public/customer confidence is minimally affected
  4. Significant loss of operations, significant impact on employee/user confidence
  5. Effect is disastrous; systems are down for an extended period of time, systems need to be rebuilt and data replaced
  6. Effect is catastrophic; critical systems are offline for an extended period, data are lost or irreparably corrupted, and employees' safety, and possibly the external public, are affected

LIKELIHOOD SCALE
  0. Unlikely to occur
  1. Likely to occur less than once per year
  2. Likely to occur once per year
  3. Likely to occur once per month
  4. Likely to occur once per week
  5. Likely to occur daily

When determining impact, consider the value of the resources at risk, both in terms of inherent (replacement) value and the importance of the resources (criticality) to the organization’s successful operation.

Factors influencing likelihood include: threat capability, frequency of threat occurrence, and effectiveness of current countermeasures (security controls). Threats caused by humans are capable of significantly impairing the ability for an organization to operate effectively.

Human threat sources include:

SOURCE / SOURCE DESCRIPTION
  Insiders:
    Employees
    General contractors and subcontractors: cleaning crew, developers, technical support personnel, and computer and telephone repair workers
    Former employees: includes those who have quit, were fired, or retired
  Unauthorized personnel: intruders, computer hackers, trespassers, terrorists, and other people with bad intent

SCORE / RISK LEVEL / RISK OCCURRENCE RESULT

  21–30  High Risk: Occurrence may result in significant loss of major tangible assets, information, or information resources. May significantly disrupt the organization’s operations or seriously harm its reputation.

  11–20  Medium Risk: Occurrence may result in some loss of tangible assets, information, or information resources. May disrupt or harm the organization’s operation or reputation. For example, authorized users are not able to access supportive data for several days.

  1–10   Low Risk: Occurrence may result in minimal loss of tangible assets, information, or information resources. May adversely affect the organization’s operation or reputation. For example, authorized users are not granted access to supportive data for an hour.



HUMAN THREATS
For each threat, record Impact (0–6), Probability (0–5), and Score (Impact × Probability).

  1. Human error
     - Accidental destruction, modification, disclosure, or incorrect classification of information
     - Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge
     - Workload: too many or too few system administrators, highly pressured users
     - Users may inadvertently give information on security weaknesses to attackers
     - Incorrect system configuration
     - Security policy not adequate
     - Security policy not enforced
     - Security analysis may have omitted something important or be wrong
  2. Dishonesty: fraud, theft, embezzlement, selling of confidential agency information
  3. Attacks by “social engineering”
     - Attackers may use the telephone to impersonate employees to persuade users/administrators to give user names/passwords/modem numbers, etc.
     - Attackers may persuade users to execute Trojan Horse programs
  4. Abuse of privileges/trust


GENERAL THREATS
For each threat, record Impact (0–6), Probability (0–5), and Score (Impact × Probability).

  1. Unauthorized use of “open” computers/laptops
  2. Mixing of test and production data or environments
  3. Introduction of unauthorized software or hardware
  4. Time bombs: software programmed to damage a system on a certain date
  5. Operating system design errors: certain systems were not designed to be highly secure
  6. Protocol design errors: certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:
     - Source routing, DNS spoofing, TCP sequence guessing, unauthorized access
     - Hijacked sessions and authentication session/transaction replay; data is changed or copied during transmission
     - Denial of service due to ICMP bombing, TCP-SYN flooding, large PING packets, etc.
  7. Logic bombs: software programmed to damage a system under certain conditions
  8. Viruses in programs, documents, and e-mail attachments
  9. Trojan Horses (programs masquerading as other programs)
  10. Intruders seeking to spoof or obtain unauthorized access
  11. Phishing attacks (e-mail appearing to come from authorized sources)
  12. Attacks through SKYPE®, VIBER®, and teleconferencing software
  13. SCADA attacks and control system spoofing
  14. Sabotage
  15. Physical destruction of equipment
  16. Electromagnetic radiation (EMP) attacks
  17. Failure to properly remove and destroy electronic media in abandoned equipment
  18. Deliberate deletion of critical files and backup systems
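As an added example (not part of the appendix), the worksheet scoring and the risk bands above carried out in code: each rated threat gets Impact × Probability, is banded High/Medium/Low using the appendix's 21–30 / 11–20 / 1–10 ranges, and the list is sorted so the high-risk items come first. The sample ratings are constructed, and the "Not rated" label for a score of 0 is this example's own assumption.

```python
"""Score the threat worksheet as the appendix describes: Score = Impact (0-6)
x Probability (0-5), banded 1-10 Low, 11-20 Medium, 21-30 High.  A score of
0 falls outside every band and is labelled "Not rated" here (an assumption,
not something the appendix states).  Sample ratings below are constructed."""
from dataclasses import dataclass

# Inclusive score bands, as listed in the appendix.
RISK_BANDS = ((21, 30, "High Risk"), (11, 20, "Medium Risk"), (1, 10, "Low Risk"))

@dataclass(frozen=True)
class ThreatRating:
    threat: str
    impact: int       # impact scale, 0-6
    probability: int  # likelihood scale, 0-5

def risk_score(impact: int, probability: int) -> int:
    """Impact x Probability; values outside either scale are rejected."""
    if not 0 <= impact <= 6:
        raise ValueError(f"impact {impact} outside 0-6")
    if not 0 <= probability <= 5:
        raise ValueError(f"probability {probability} outside 0-5")
    return impact * probability

def risk_level(score: int) -> str:
    """Map a worksheet score onto the appendix's risk bands."""
    for low, high, label in RISK_BANDS:
        if low <= score <= high:
            return label
    return "Not rated"  # assumption: 0 means the threat does not apply

def rank_threats(ratings: list[ThreatRating]) -> list[tuple[str, int, str]]:
    """(threat, score, level) tuples, highest score first, so remediation
    effort goes to the high-risk items the appendix says to address."""
    scored = [(r.threat, risk_score(r.impact, r.probability)) for r in ratings]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(name, score, risk_level(score)) for name, score in scored]

# Constructed sample ratings; not values from the appendix.
SAMPLE_RATINGS = [
    ThreatRating("Phishing attacks", impact=4, probability=4),
    ThreatRating("Incorrect system configuration", impact=3, probability=3),
    ThreatRating("Electromagnetic radiation (EMP) attacks", impact=6, probability=0),
    ThreatRating("Unauthorized use of open computers/laptops", impact=2, probability=5),
]

if __name__ == "__main__":
    for threat, score, level in rank_threats(SAMPLE_RATINGS):
        print(f"{score:2d}  {level:12s}  {threat}")
```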

Cyber Security Threat/Vulnerability Assessment Scoring

Next steps

After reviewing current security controls and rating potential threats/vulnerabilities, determine a series of actions to reduce risk (threats exploiting vulnerabilities) to an acceptable level. These actions should include putting missing security controls in place and/or increasing the strength of existing controls.

Security controls should ideally reduce or eliminate vulnerabilities while meeting the needs of the business. Cost must be balanced against expected security benefit and risk reduction. Security remediation efforts and actions will be focused on addressing the identified high-risk threats/vulnerabilities.

The recommended security actions to remediate vulnerabilities should be presented in tabular form. A color-coded or shaded table that displays the risks and vulnerabilities and their costs in a semi-quantitative format can accompany the report, permitting rapid identification of the risks. Another approach is to conduct a Bow-Tie Analysis of the various risks and preventive/remedial measures, costing the damages and remedial responses in the table. An example of this type of table is shown below.



Sample of Cyber Risk Vulnerability/Risk and Preventive Actions

Item | Damage Cost, Millions | Probability of Occurrence, No. per year | Remedial Actions Equipment Costs, Millions | Training and Other Associated Costs, Millions
Spoofing SCADA—destroys process plants | 2.0 | 0.01 | 0.5 | 0.0
Intrusion | 0.04 | 1.0 | 0.02 | 0.01
Cyber attack | 0.3 | 12.0 | 0.05 | 0.05
Data breach | 0.3 | 1.0 | 0.01 | 0.05

The table is more effective in color, but even in one color it can be printed with shading from darkest to lightest to highlight the important information. A variety of display options can be used.
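As an added example (not part of the appendix), the cost-versus-benefit balance the text calls for, applied to the sample table: each row's damage cost is multiplied by its occurrences per year to give an expected annual loss, which is then set against the row's remedial equipment and training costs. Reading the two columns as an expected annual loss is this example's interpretation, and the run-together "Cyber attack" row is read as 0.3 million damage and 12.0 occurrences per year.

```python
"""Expected annual loss versus remediation cost for the sample table above.

The appendix says cost must be balanced against expected security benefit;
its sample table gives a damage cost and an occurrence rate per year per
item.  Their product is an expected annual loss (a standard reading of the
columns, not a calculation the appendix performs), compared here with the
one-off remedial costs in the same row.  Figures are the table's; the
run-together "Cyber attack" row is read as 0.3 million and 12.0 per year."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskItem:
    item: str
    damage_cost_m: float         # damage per occurrence, millions
    occurrences_per_year: float  # probability of occurrence, number per year
    equipment_cost_m: float      # remedial actions equipment costs, millions
    training_cost_m: float       # training and other associated costs, millions

    def expected_annual_loss(self) -> float:
        return self.damage_cost_m * self.occurrences_per_year

    def remediation_cost(self) -> float:
        return self.equipment_cost_m + self.training_cost_m

SAMPLE_TABLE = [
    RiskItem("Spoofing SCADA (destroys process plants)", 2.0, 0.01, 0.5, 0.0),
    RiskItem("Intrusion", 0.04, 1.0, 0.02, 0.01),
    RiskItem("Cyber attack", 0.3, 12.0, 0.05, 0.05),
    RiskItem("Data breach", 0.3, 1.0, 0.01, 0.05),
]

def prioritise(items: list[RiskItem]) -> list[tuple[str, float, float, bool]]:
    """Rank items by expected annual loss, highest first, and flag whether
    remediation cost is recovered within one year of avoided loss.  A one-year
    payback is a simplification: low-frequency, high-consequence items such as
    the SCADA row fail it yet are usually remediated for their impact alone."""
    rows = []
    for it in sorted(items, key=RiskItem.expected_annual_loss, reverse=True):
        eal = round(it.expected_annual_loss(), 4)
        cost = round(it.remediation_cost(), 4)
        rows.append((it.item, eal, cost, cost <= eal))
    return rows

if __name__ == "__main__":
    for item, eal, cost, pays_back in prioritise(SAMPLE_TABLE):
        print(f"{item:42s} loss/yr {eal:6.2f}M  remedy {cost:5.2f}M  "
              f"{'pays back in <1 yr' if pays_back else 'impact-driven'}")
```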
