PRIME: Principal Resource for Information Management Enterprise-wide
USAID
USAID/Peru Risk Assessment
In-Briefing
February 19, 1999
Team Introduction
USAID ISSO - Jim Craft
Risk Assessment Program Manager - Rod Murphy
Consulting Manager, Information Technology - John Zobel
Senior Computer Scientist - Mike Reiter
UNIX Team Lead - Steve Bui
Purpose
A Risk Assessment allows one to:
– Determine which information is critical to the organization
– Identify the systems that process, store, or transmit that critical information
– Identify potential vulnerabilities
– Recommend solutions to mitigate or eliminate those vulnerabilities
Determine the Scope
Identify the boundaries of the system(s) being evaluated
– Cisco Routers
– Servers
– Workstations
– Communication Lines
Identify the level of detail expected from the Assessment
– Compliance with Agency/Mission requirements
– Compliance with best practices
Pre-Assessment Activity
Collected and Analyzed Mission Data
– Asset Information (Hardware/Software/Financial)
– Automated Survey Questionnaires
• 51 surveys sent out
• 22 responses received
– 34 potential vulnerabilities identified
– Conducted an Automated Network Scan using HYDRA
• Identified 8 major and 17 minor vulnerabilities
• Developed and forwarded an Immediate Needs Report to TCO and Mission staff for action
– Conducted a follow-up HYDRA scan to confirm Mission Configuration changes
On-site Activities
Friday:
Receive a Mission Threat Briefing
Coordinate Assessment Logistics
– A room for the Assessment team to work out of
– A room scheduled for conducting training (Wed)
– A room for in-briefing and out-briefing
– Interviews scheduled for Mon and Tue, if necessary
– Schedule meeting with Functional Management on Tues.
– Schedule all staff training for Wed. (one hour sessions)
– Schedule meeting with Security Plan and Contingency Planning staff. (Wed)
– List of Mission phone number ranges for scan
On-Site Activities (continued)
Conduct a Physical Review of the Mission Facility
Meet with System Administrators
– Establish System IDs as needed
– Conduct UNIX review
– Conduct Banyan review
– Review NT Security
Monday:
Conduct staff interviews
Additional System (UNIX, Banyan, NT, Cisco) reviews
Conduct an after-hours modem scan
On-Site Activities (continued)
Tuesday:
Conduct additional interviews as needed
Meet with Functional Mission Management to discuss:
– Connectivity/Business needs
– Mission impact with regard to Agency requirements
– Roles and Responsibilities associated with policies
Wednesday:
Conduct Mission staff training
Assist in the development of Mission Security Plan and Contingency Plan
On-Site Activities (continued)
Conduct any activities needed to wrap-up assessment.
Analyze information gathered from pre-assessment and on-site assessment activities.
Develop “Draft” Assessment Executive Summary Report.
Develop Out-Briefing
Present Out-Briefing to Mission Management/Staff
Expected Outcome
What the Assessment Team expects to Accomplish:
– Identify areas of concern
– Provide recommendations that will enable management to make decisions associated with risks
– Assist in the development of a Mission Security Plan
– Assist in the development of a Mission Contingency Plan
– Provide an annual Security refresher Training class to all Mission personnel
– Develop a standardized approach to conducting Mission Risk Assessments
– Identify Mission Concerns associated with UNIX, Banyan, NT, Cisco configuration checklists
– Identify and address specific Mission concerns
Additional Activities Being Conducted at Each Mission
Assist in the development of a Mission System Security Plan
Provide a template for developing a Mission Contingency Plan
Provide on-site training
– General User
– System Administrator
– System Managers/Executive Officers
Address any additional concerns