- Number of slides: 11
USAID/Peru Risk Assessment In-Briefing
February 19, 1999
USAID PRIME Principal Resource for Information Management Enterprise-wide

Team Introduction
- USAID ISSO - Jim Craft
- Risk Assessment Program Manager - Rod Murphy
- Consulting Manager, Information Technology - John Zobel
- Senior Computer Scientist - Mike Reiter
- UNIX Team Lead - Steve Bui

Purpose
- A Risk Assessment allows one to:
  – Determine which information is critical to the organization
  – Identify the systems that process, store, or transmit that critical information
  – Identify potential vulnerabilities
  – Recommend solutions to mitigate or eliminate those vulnerabilities

Determine the Scope
- Identify the boundaries of the system(s) being evaluated
  – Cisco Routers
  – Servers
  – Workstations
  – Communication Lines
- Identify the level of detail expected from the Assessment
  – Compliance with Agency/Mission requirements
  – Compliance with best practices

Pre-Assessment Activity
- Collected and Analyzed Mission Data
  – Asset Information (Hardware/Software/Financial)
  – Automated Survey Questionnaires
    • 51 surveys sent out
    • 22 responses received
  – 34 potential vulnerabilities identified
  – Conducted an Automated Network Scan using HYDRA
    • Identified 8 major and 17 minor vulnerabilities
    • Developed and forwarded an Immediate Needs Report to TCO and Mission staff for action
  – Conducted a follow-up HYDRA scan to confirm Mission Configuration changes

On-Site Activities
- Friday:
- Receive a Mission Threat Briefing
- Coordinate Assessment Logistics
  – A room for the Assessment team to work out of
  – A room scheduled for conducting training (Wed)
  – A room for in-briefing and out-briefing
  – Interviews scheduled for Mon and Tue, if necessary
  – Schedule meeting with Functional Management on Tue
  – Schedule all staff training for Wed (one-hour sessions)
  – Schedule meeting with Security Plan and Contingency Planning staff (Wed)
  – List of Mission phone number ranges for scan

On-Site Activities (continued)
- Conduct a Physical Review of the Mission Facility
- Meet with System Administrators
  – Establish System IDs as needed
  – Conduct UNIX review
  – Conduct Banyan review
  – Review NT Security
- Monday:
- Conduct staff interviews
- Additional System (UNIX, Banyan, NT, Cisco) reviews
- Conduct an after-hours modem scan

On-Site Activities (continued)
- Tuesday:
- Conduct additional interviews as needed
- Meet with Functional Mission Management to discuss:
  – Connectivity/Business needs
  – Mission impact with regard to Agency requirements
  – Roles and Responsibilities associated with policies
- Wednesday:
- Conduct Mission staff training
- Assist in the development of Mission Security Plan and Contingency Plan

On-Site Activities (continued)
- Conduct any activities needed to wrap-up assessment.
- Analyze information gathered from pre-assessment and on-site assessment activities.
- Develop “Draft” Assessment Executive Summary Report.
- Develop Out-Briefing
- Present Out-Briefing to Mission Management/Staff

Expected Outcome
- What the Assessment Team expects to Accomplish:
  – Identify areas of concern
  – Provide recommendations that will enable management to make decisions associated with risks
  – Assist in the development of a Mission Security Plan
  – Assist in the development of a Mission Contingency Plan
  – Provide an annual Security refresher Training class to all Mission personnel
  – Develop a standardized approach to conducting Mission Risk Assessments
  – Identify Mission Concerns associated with UNIX, Banyan, NT, Cisco configuration checklists
  – Identify and address specific Mission concerns

Additional Activities Being Conducted at Each Mission
- Assist in the development of a Mission System Security Plan
- Provide a template for developing a Mission Contingency Plan
- Provide on-site training
  – General User
  – System Administrator
  – System Managers/Executive Officers
- Address any additional concerns