Bulldawg Wakeboarding IT Risk Assessment UGA GRIP Course Spring 2018

Bulldawg Wakeboarding IT Risk Assessment UGA GRIP Course Spring 2018 Spring 2018

AGENDA 1 2 3 4 Areas of Focus Overall Recommendations User Access Networking & Telecommunications 5 6 7 8 Business Continuity & Disaster Recovery Plans Software Security Risk Analysis & Matrix Roadmap & Benefits Spring 2018

AREAS OF FOCUS Networking and Telecommunications User Access Business Continuity and Disaster Recovery BD WB Software Security Spring 2018

OVERALL RECOMMENDATIONS Segregation of Duties & Employee Training Create BCP & DRP Encrypt Data (ex. PBKDF2/ bcrypt) Implement new IDS/IPS (Ex. Cisco IOS IPS) Spring 2018

USER ACCESS Recommendations Challenges Two-Factor Authorization No “Standard Access” Restriction of Access on Different Roles No process for Identity Management Automate System (ex. Avatier) Small team handling a relatively heavy amount of tickets Spring 2018

NETWORKING & TELECOMMUNICATIONS Recommendations Challenges Implement Encryption Process (ex. Lack of encryption due to likely Cisco IOS IPS system) Streamline daily reports by filtering through the use of specific factors performance hit High flow of traffic IDS is lagging and IPS is not running Put penetration testing in place Spring 2018

BUSINESS CONTINUITY & DISASTER RECOVERY Recommendations Challenges Create Business Continuity Plan and Specific plan in case of an incident not Disaster Recovery Plan Implement company-wide employee training on Disaster Recovery Separation of system functionality (ex. currently in place General system administrator not included in drills or training System downtime Database server and payroll system) for the creation of differential backups Spring 2018

SOFTWARE SECURITY Recommendations Challenges Implement an Agile SDLC Currently use the waterfall approach Emphasize Segregation of Duties by Experienced developers can review defining specific roles their own codes Automate validation checks Developers request validation checks Formally train employees in secure Testing on vulnerabilities is focused on coding and security issues functionality rather than security Spring 2018

RISK ANALYSIS L I Total (L*I) System downtime No separation of System Functions 4 4 16 Confidentiality of Data Not safe as lacking encryption 3 4 12 IDS/IPS Suspicious activity not being detected 4 3 12 4 3 2 3 3 3 4 2 12 9 8 6 Risk Likelihood (L) Scale 1 – Low 2 – Moderately Low 3 – Moderately High 4 – High Impact (I) Scale 1 – Immaterial 2 – Moderate 3 – Severe 4 – Threatening Integrity of Data Lack of SOD Employee Negligence (Untrained) Disgruntled Employee Hacking Inefficiency from HR/ Onboarding Intensity Spring 2018

RISK MATRIX System Downtime Likelihood Scale 1 – Low 2 – Moderately Low 3 – Moderately High 4 – High Lo w Mo dLo w Mo dHig h Hig h Risk Likelihood Confidentiality of Data IDS/IPS Integrity Of Data Impact Scale 1 – Immaterial 2 – Moderate 3 – Severe 4 – Threatening Immaterial Moderate Risk Impact Severe Threatening Spring 2018

RECOMMENDATIONS Encrypt Data (ex. PBKDF2/ bcrypt) 04 03 Create BCP & DRP 02 01 Segregation of Duties & Employee Training Implement new IDS/IPS (Ex. Cisco IOS IPS) Spring 2018

ROADMAP Start Create BCP & DRP Segregation of Duties & Employee Training Encrypt Data (ex. PBKDF2/ bcrypt) Implement new IDS/IPS (Ex. Cisco IOS IPS) Finish Spring 2018

ROADMAP Tasks Create BCP & DRP Phase 1 - Functional Phase 3 - Closeout 3 Weeks Encrypt Data (PBKDF2) 1 Week Implement Cisco IOS IPS SoD & Employee Training Phase 2 - Technical 1 Week 4 Weeks The entire process will take 4 weeks. Spring 2018

BENEFITS X 01 02 Up-to-date with industry best practice & standards and improved cyber security posture Creation of concrete, solid foundation that will help with future growth Spring 2018