Developing Emergency Support Function (ESF) no. 18
Dave Sweigert, EMS, CISSP, CISA, PMP
February, 2014

Dave Sweigert, EMS, PMP, CISA, CISSP

2/5/2014
Audience and Objectives
• Objective: Provide non-cyber experts an
awareness of the core concepts and terms
used by cyber security professionals to
facilitate better dialogue in the emergency
planning process.
• Primary audience: Emergency Managers
tasked with developing an ESF 18 Annex

Basic concepts in addressing risk
• Plan risk management
• Identify risks
• Quantitative risk analysis
• Qualitative risk analysis
• Plan risk responses
• Control risk
CPG-201 and THIRA approach:

PMBOK Chapter 11 (RISK):

Risk assessment life cycle:
• Identify what assets you need to protect
• What are the vulnerabilities?
• What types of risks exist, and what is the likelihood of exploit?
• What are the downstream consequences if a
vulnerability is exploited by a threat agent?

Asset inventory and service questions:
• What and where are the data “family
jewels” (sensitive data)?
• Are there service level expectations (24x7
public safety, no interruptions)?
• What is the criticality of life safety systems (hospital
systems used in life support)?

Identification of cyber assets:

Assess core security components:
• Who are the cognizant personnel involved?
• What are the relevant policies, procedures,
standards and guidelines (PSGs)?
• What tools will be used to mitigate a cyber
event?

Use a consistent risk model:

Understand the risks around assets:

Who are the exploiters?
• Disgruntled employees (see disruption of
traffic signals during union negotiations)
• White/Gray/Black hat hackers
• Cyber terrorists (Estonia cyber militias,
Syrian Electronic Army)
• Script kiddies (hacktivists)

How will you deal with an exploit?
• Accept the consequences (TARGET)
• Diminish the consequences with mitigation
strategies
• Transfer the risk to another party (outsource)

CONCLUSION

Conclusion
• Embrace a consistent risk assessment
framework
• Have “all parties” at the table to identify
key assets, threats and vulnerabilities
• Seek guidance from leadership regarding
how you will deal with consequences
• Strive for a multi-discipline team

About the author:
An Air Force veteran, Dave Sweigert acquired significant
security engineering experience with military and defense
contractors before earning two master’s degrees (Project
Management and Information Security).
He holds the following certifications: California Emergency
Management Specialist (EMS), Project Management
Professional (PMP), Certified Information Security Systems
Professional (CISSP), and Certified Information Systems Auditor
(CISA).
Mr. Sweigert has over twenty years’ experience in information
assurance, risk management, governance frameworks and
litigation support.

Cyber Security Risk Assessment Awareness for Emergency Managers