
Cybersecurity@RTD
Program Overview and 2015 Outlook
Finance & Administration Committee Meeting
February 10, 2015
Sheri Le, Manager of Cybersecurity
RTD Information Technology
Department of Finance & Administration
Cybersecurity: What the Board of Directors Needs to Ask
1. Does the organization use a security framework?
2. What are the top five risks the organization has related to cybersecurity?
3. How are employees made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed within the organization?
6. In the event of a serious breach, has management developed a robust response protocol?
Document copyright © 2014 by The Institute of Internal Auditors Research Foundation (IIARF).
RTD’s Cybersecurity Framework
(1) Does the organization use a security framework?
Answer: Yes. RTD’s cybersecurity assessments and strategy are informed by multiple government and private industry standards and frameworks.
• Standards used for benchmarking RTD’s cybersecurity posture in 2014:
  • NIST Cybersecurity Framework (pub. 12 Feb 2014); correlates to:
    • NIST SP 800-53
    • COBIT
    • ISO 27001
    • SANS Critical Security Controls for Effective Cyber Defense
• Standards that additionally inform the growth and development of RTD’s cybersecurity strategy:
  • APTA Standards Development Program Recommended Practices
  • FTA Threat and Vulnerability Assessment Methodologies
  • Department of Homeland Security (DHS) Recommendations and Methodologies, including those put forth by the Center for Internet Security (CIS) and sponsored by the DHS
Top Five Cybersecurity Risks
(2) What are the top five risks the organization has related to cybersecurity?
Answer: The top five things that keep me up at night are:
1) Securing RTD’s credit card Point of Sale systems
2) Maintaining the integrity and availability of RTD’s customer communications systems
3) Reviewing and applying appropriate access control to RTD’s sensitive data, including personnel,
payroll, and accounting systems
4) Managing third party and Bring Your Own Device (BYOD) access to RTD systems and networks
5) Controlling visibility and access to control and dispatch systems
Capabilities we are developing as an organization to address these items include:
• Organizational Cybersecurity Risk Awareness and Strategy
• Robust Incident Response Protocol and Follow-Through
• Skilled, Dedicated Security Staff
• Asset, Configuration, and Change Management
• System Security Hygiene Across the Enterprise
Employee Cybersecurity Awareness
(3) How are employees made aware of their role related to cybersecurity?
Answer: RTD’s security policy, Management Directive IT-1: Secure Computing Standards, and an accompanying cybersecurity training program and wiki, Cybersecurity@RTD, were published in May 2014, piloted with employees throughout 2014, and became an annual requirement for all salaried employees in January 2015.
• In 2014, 226 employees took the Cybersecurity@RTD self-guided training from the RTD intranet site
• Training was introduced to all new employees joining RTD since June of 2014
• Training and policy are revised and evaluated annually as the cybersecurity program matures
Cybersecurity Threat Analysis
(4) Are external and internal threats considered when planning cybersecurity program activities?
Answer: Yes. RTD receives information about threats originating from inside and outside the organization from a variety of external sources. RTD follows FTA methodologies to identify our most critical assets and prioritize cybersecurity actions to have the most impact on the greatest areas of risk.
• Government and private sector information sharing groups for transportation, cybersecurity, and critical infrastructure threat intelligence
• Focus on the “unintentional insider” with cybersecurity governance, awareness training, and enforcement
• Supplement policy with detective and preventative technical controls to reduce dependency on end users
• Introduce controls for third parties who provide services to or control RTD data
[Diagram: layers of the cybersecurity program, from top to bottom]
• Technical Controls
• Tools or Automation, Points of Presence
• Audits, Reviews & Compliance Testing
• Processes, Procedures, Checklists, Education
• Policies
Security Governance
(5) How is security governance managed within the organization?
Answer: Cybersecurity responsibility is delegated to the Information Technology
department. Major risks are reviewed with the Senior Manager of IT and IT
Management as they are identified; critical risks and incidents are reviewed with the IT
Governance Committee (AGMs) and Senior Leadership Team (AGMs and GM).
IIA Three Lines of Defense Concept for Security Governance*
[Diagram: IIA three lines of defense, annotated with RTD’s current status]
• Security policies, standards, and technical configurations that align with the business are in development
• Majority focus on the first line of defense (reactive)
• Internal / external audit functions will be IT security-control focused in 2015
* From “Cybersecurity: What the Board of Directors Needs to Ask.” IIA / ISACA. 2014.
Incident Response
(6) In the event of a serious breach, has management developed a robust response protocol?
Answer: Yes. In early 2014, RTD developed a preliminary critical incident handling
framework for IT that addresses data breach or loss, security incidents, and major
outages. Using industry best practices and lessons learned in 2014, RTD formally
defined and published a robust incident management process in December 2014.
• Three-phased response process:
  • Declare an incident
  • Execute the response plan
  • Incident review
• Identifies roles and responsibilities and communication flows from identification to closure
• Designed to integrate with Business Continuity and Recovery procedures (Disaster Recovery) when used as part of the response plan
Future Focus – 2015 and Beyond
• Require cybersecurity training for salaried computer users
• Train IT and other organizations in cybersecurity incident response
• Complete the first round of access control reviews
• Complete the first annual review and update of the Secure Computing Standards
• Perform a third-party Electronic Fare Collection Security Assessment (ticketing systems and SMT)
• Continue to develop asset profiles and configuration standards, including where third parties are concerned
• Update and enforce an enterprise-wide patch management program
• Establish basic network monitoring services
• Additional DHS / US-CERT assessments of enterprise and SCADA controls
Related Hot Topics in IT
• Cloud Computing
• Disaster Recovery
• PCI Compliance
• Data Security
• Smart Media
• Control Systems
Key Takeaways
• RTD’s cybersecurity program is growing on par with other transit agencies.
• RTD’s program is informed by national standards and federal initiatives.
• RTD has performed analysis to identify the key areas where we must focus our cybersecurity efforts.
• RTD has engaged projects to further enhance our cybersecurity defenses and encourage a risk-aware culture.
• We are positioned to receive information about cybersecurity threats and respond appropriately to incidents.
Questions & Answers