Keeping Your Data Secure - American Public Power Association

Keeping Your Data Secure
A small utility looks at the problem.
Presenter:
Chris Mitchell
North Attleborough Electric Department
Information Systems Manager
508-643-6372
[email protected]
Scope
What we considered:
• Us - What are we doing?
• Them - Yes, the Shadow knows.
• Those - Involving Administration.
What are we protecting, and what are my first steps?
We have to continue to assure our customers that:
• The people handling their sensitive information are handling it well and within reasonable means.
We have to assure ourselves that:
• We have taken reasonable steps to assure our regulatory compliance.
Measures taken at NAED:
• Review the relevant regulatory standards for their requirements
• Review the capabilities of in-use systems to encrypt sensitive data
• Throw hands up in confusion and despair
…and then get to work
NAED Information Systems:
• Teamed with process owners to develop staff guidelines for the handling of sensitive data, using Red Flag as the beginning reference point
• Business Manager attained Board of Commissioners approval to implement, ahead of requirement deadline(s)
• Implemented steps to enable encryption of credit card and social security data in the existing CIS; this requires an upgrade to the existing CIS
• CIS vendor providing the upgrade as part of normal support and maintenance
• Determined the existing FMS did not support encrypting sensitive vendor records
Other steps taken:
• Implemented control of portable media via group policy
• Encryption on all departmental laptops
• Increased internal network security, including a honeypot
Honeypot: KFSensor, from Key Focus, http://www.keyfocus.net/kfsensor/
Cost: $599, single-site license
…and more work
Further steps included:
• NAED policy for compliance with MA 220 CMR 17.0, a requirement protecting sensitive customer data
• NAED data usage policies and procedures documented for Board approval
Problem:
• Where do you get time to write coherent policies and procedures?
I used a subscription service, Info-Tech Research Group:
• http://www.infotech.com/
• Samples of templates
• Extensive research on IT topics
• Annual subscription cost: $990
• Paid for itself in time saved just in templates alone
Them: Who is that Shadow, trying to cross into my realm?
NAED worked to minimize its exposure of data to external parties.
Concerns included:
• Social engineering
• Physical access to the network and attached systems
• Securing customer information on the NAED web payment portal
• Unauthorized access to the network via web-based vectors
• Addressing needs of NAED consultants and sub-contractors
• Securing staff remote access
…and oh-so-many more
…so, where to start here?
Risk: In a small utility, the temptation is always to go after answers on your own. You are, after all, the staff expert.
After consulting with divisional managers, I was able to undertake a set of practical steps, including:
• NAED Information Systems Guidelines for NAED Personnel
• Removal of all those personal-space Post-Its with passwords, stuck on monitors, under keyboards, in desk drawers…
• Screen-savers on time out, with password required
• Re-position customer service counter monitors to be unviewable by customers
• Remove the credit card authorization device from the top of the counter, out of customer reach
• Train, practice, and use the guidelines of the departmental Red Flag policy
• Check payment services consolidated, using Check Free, and files encrypted between Check Free and NAED via PGP
• Controlled staff remote access to the NAED LAN via SonicWALL SSL VPN
…and here?
NAED Information Systems - Data Network and Physical Transport
• SonicWALL firewalls, with Intrusion Protection, AV Gateway Content Filtering and ViewPoint reporting.
• Reading log files is a necessary, albeit dull, task
• Set up alerts for relevant events: port scans, IP spoofing and adware, as examples
• Research the alerted events reported (I use DNSStuff and its associated toolsets; professional toolset: $79/year) and take appropriate actions to resolve them
• I use MRTG to watch traffic patterns; this has tipped the presence of viruses in users of the municipal fiber network NAED operates and maintains.
• I have the NAED Eservices web portal in a DMZ
• The online payment service uses PayPal Payflow Link; PayPal has responsibility for securing customer credit card information (yes, that was buck-passing)
• BelManage is used to monitor PC and server configurations, and changes to same.
• Symantec Corporate Edition, desktop and server, and Symantec Mail AV gateway combine with SonicWALL for defense in depth
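Two of the alerts listed above, a port-scan check and an IP-spoofing check, worked through as an added example over constructed firewall log lines (this is not code from the presentation or from NAED). The key=value log format and the 192.0.2.0/24 internal range are assumptions made for the example, not SonicWALL's own format or NAED's addressing.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in a simplified key=value firewall-syslog style
# (an assumption for this example, not SonicWALL's real log format).
SAMPLE_LOG = """\
2009-03-02T10:00:01 DROP iface=wan src=203.0.113.7 dst=192.0.2.10 dport=21
2009-03-02T10:00:02 DROP iface=wan src=203.0.113.7 dst=192.0.2.10 dport=22
2009-03-02T10:00:02 DROP iface=wan src=203.0.113.7 dst=192.0.2.10 dport=23
2009-03-02T10:00:03 DROP iface=wan src=203.0.113.7 dst=192.0.2.10 dport=25
2009-03-02T10:00:05 ALLOW iface=wan src=198.51.100.5 dst=192.0.2.10 dport=443
2009-03-02T10:00:09 DROP iface=wan src=203.0.113.7 dst=192.0.2.10 dport=80
2009-03-02T10:00:12 DROP iface=wan src=192.0.2.50 dst=192.0.2.10 dport=445
2009-03-02T10:03:00 ALLOW iface=lan src=192.0.2.50 dst=198.51.100.5 dport=80
"""
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed LAN range for the example
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) iface=(?P<iface>\w+) "
                     r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["dport"] = int(ev["dport"])
            yield ev

def find_port_scans(text, min_ports=5, window=timedelta(seconds=60)):
    """Source -> sorted ports, for sources whose DROPs hit >= min_ports distinct ports in one window."""
    hits = defaultdict(list)
    for ev in parse(text):
        if ev["action"] == "DROP":
            hits[ev["src"]].append((ev["ts"], ev["dport"]))
    alerts = {}
    for src, events in hits.items():
        events.sort()  # sliding window over time-ordered hits
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts

def find_spoofed_sources(text):
    """Sources claiming an internal address yet arriving on the WAN interface."""
    return sorted({ev["src"] for ev in parse(text)
                   if ev["iface"] == "wan" and ipaddress.ip_address(ev["src"]) in INTERNAL_NET})
```

On the sample, 203.0.113.7 is reported as a scanner (five ports within a minute) and 192.0.2.50 as a spoofed source, while the same address seen on the LAN interface is not flagged.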
Working with legislative mandates and our internal bureaucracy
As a small utility, NAED has limited resources on staff to determine what it is responsible to implement and report.
• NAED attended meetings organized by national and regional organizations (APPA, NEPPA, etc.) to get background and possible solution sets
• Results of those meetings led to the writing and approval of the NAED Red Flag policy, and the policy addressing MA 220 CMR 17.0
• A further result was to move NERC/FERC CIP compliance research to a consultant
• NAED has filed with NERC/FERC as having no critical cyber assets, an annual filing
• Further NERC/FERC compliance is operational in nature, owned by Engineering
• Policy and procedure is reviewed by the NAED General Manager
• Policy and procedure is reviewed by counsel as necessary
• Approval of policies through the Board of Commissioners
Summary:
We’re little and have to do a lot, but we have a lot with which to do it if only we make the effort to use it.
• Understand that this is a team task
• Know, or learn, what you are mandated to protect
• Enlist assistance to assure adequate research
• Utilize external resources to bridge knowledge gaps
• Identify where you are at risk
• Identify steps to address those risks
• Prepare actions and policies framing them
• Ready the policy changes through channels
• Train the changes
• Implement the actions
• Train more
• Keep staff in the loop and involved
• Keep management informed
• Reassess results, question and improve