Keeping Your Data Secure: A small utility looks at the problem.
Presenter: Chris Mitchell, Information Systems Manager, North Attleborough Electric Department
508-643-6372, cmitchell@naelectric.com
Scope
What we considered:
• Us - What are we doing?
• Them - Yes, the Shadow knows.
• Those - Involving Administration.
What are we protecting, and what are my first steps?
We have to continue to assure our customers that:
• The people handling their sensitive information are handling it well and within reasonable means.
We have to assure ourselves that:
• We have taken reasonable steps to ensure our regulatory compliance.
Measures taken at NAED:
• Review the relevant regulatory standards for their requirements
• Review the capabilities of in-use systems to encrypt sensitive data
• Throw hands up in confusion and despair
…and then get to work
NAED Information Systems:
• Teamed with process owners to develop staff guidelines for the handling of sensitive data, using the Red Flag rule as the starting reference point
• Business Manager obtained Board of Commissioners approval to implement, ahead of the requirement deadline(s)
• Implemented steps to enable encryption of credit card and Social Security data in the existing CIS (customer information system); this requires an upgrade to the existing CIS
• CIS vendor is providing the upgrade as part of normal support and maintenance
• Determined that the existing FMS (financial management system) did not support encrypting sensitive vendor records
Other steps taken:
• Implemented control of portable media via Group Policy
• Encryption on all departmental laptops
• Increased internal network security, including a honeypot
Honeypot: KFSensor, from Key Focus, http://www.keyfocus.net/kfsensor/
Cost: $599, single-site license
…and more work
Further steps included:
• NAED policy for compliance with MA 220 CMR 17.0, a requirement protecting sensitive customer data
• NAED data usage policies and procedures documented for Board approval
Problem:
• Where do you get the time to write coherent policies and procedures?
I used a subscription service, Info-Tech Research Group
• http://www.infotech.com/
• Samples of templates
• Extensive research on IT topics
• Annual subscription cost: $990
• Paid for itself in time saved on templates alone
Them: Who is that Shadow, trying to cross into my realm?
NAED worked to minimize its exposure of data to external parties. Concerns included:
• Social engineering
• Physical access to the network and attached systems
• Securing customer information on the NAED web payment portal
• Unauthorized access to the network via web-based vectors
• Addressing the needs of NAED consultants and sub-contractors
• Securing staff remote access
…and oh-so-many more
…so, where to start here?
Risk: In a small utility, the temptation is always to go after answers on your own. You are, after all, the staff expert.
After consulting with divisional managers, I was able to undertake a set of practical steps, including:
• NAED Information Systems Guidelines for NAED Personnel
• Removal of all those personal-space Post-Its with passwords, stuck on monitors, under keyboards, in desk drawers…
• Screen savers on time-out, with a password required to unlock
• Re-positioned customer service counter monitors so they cannot be viewed by customers
• Removed the credit card authorization device from the top of the counter, out of customer reach
• Train on, practice and use the guidelines of the departmental Red Flag policy
• Check payment services consolidated with CheckFree, with files encrypted via PGP in transit between CheckFree and NAED
• Controlled staff remote access to the NAED LAN via SonicWALL SSL VPN
…and here?
NAED Information Systems - Data Network and Physical Transport
• SonicWALL firewalls, with Intrusion Prevention, Gateway AV, Content Filtering and ViewPoint reporting.
• Reading log files is a necessary, albeit dull, task
• Set up alerts for relevant events: port scans, IP spoofing and adware, as examples
• Research the alerted events reported (I use DNSStuff and its associated toolsets; professional toolset: $79/year) and take appropriate action to resolve them
• I use MRTG to watch traffic patterns; this has tipped me off to the presence of viruses on users' machines on the municipal fiber network that NAED operates and maintains.
• I have the NAED Eservices web portal in a DMZ
• The online payment service uses PayPal Payflow Link; PayPal has responsibility for securing customer credit card information (yes, that was buck-passing)
• BelManage is used to monitor PC and server configurations, and changes to them.
• Symantec Corporate Edition, desktop and server, and the Symantec Mail AV gateway combine with SonicWALL for defense in depth
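The alert events named above (port scans and IP spoofing) are the kind of check that ends up scripted over exported logs when the firewall's own alerting is too noisy or too coarse. What follows is an added example written for this page; it is not code from the NAED presentation, from SonicWALL or from any product named here. It runs two detections over a handful of constructed firewall log lines: a sliding-window port-scan check (one source touching many distinct destination ports on one host within a short window) and a spoofed-source check (a packet arriving on the WAN interface with an RFC 1918, loopback or link-local source address, which cannot legitimately come from the Internet). The log line layout, the interface names (wan, lan) and the thresholds are assumptions made for the example; real SonicWALL syslog uses its own key=value format, so parse_line() is the part to adapt.

```python
"""Firewall-log triage: sliding-window port-scan and spoofed-source checks.

Added example for illustration. The log format below is CONSTRUCTED and is
not SonicWALL's syslog layout; adapt parse_line() for a real export.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. Assumed field layout for this example:
# <epoch seconds> <interface> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
SAMPLE_LOG = """\
1000 wan 203.0.113.9:40001 -> 192.0.2.10:22 tcp drop
1001 wan 203.0.113.9:40002 -> 192.0.2.10:23 tcp drop
1002 wan 203.0.113.9:40003 -> 192.0.2.10:25 tcp drop
1003 wan 203.0.113.9:40004 -> 192.0.2.10:80 tcp allow
1004 wan 203.0.113.9:40005 -> 192.0.2.10:110 tcp drop
1005 wan 203.0.113.9:40006 -> 192.0.2.10:135 tcp drop
1006 wan 203.0.113.9:40007 -> 192.0.2.10:139 tcp drop
1007 wan 203.0.113.9:40008 -> 192.0.2.10:443 tcp allow
1008 wan 203.0.113.9:40009 -> 192.0.2.10:445 tcp drop
1009 wan 203.0.113.9:40010 -> 192.0.2.10:3389 tcp drop
1010 wan 198.51.100.7:51000 -> 192.0.2.10:443 tcp allow
1011 wan 10.0.0.5:51001 -> 192.0.2.10:443 tcp allow
1012 lan 10.0.0.42:33000 -> 198.51.100.7:443 tcp allow
1200 wan 203.0.113.9:40011 -> 192.0.2.10:8080 tcp drop
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<iface>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

# Source ranges that must never arrive on the Internet-facing interface.
# An explicit list is used instead of ipaddress's is_private because that
# property also matches the TEST-NET documentation ranges used in the sample.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": int(d["ts"]), "iface": d["iface"], "src": d["src"],
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"], "action": d["action"],
    }


def parse_log(text):
    """Parse a whole log, skipping malformed lines."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def spoofed_sources(events, wan_iface="wan"):
    """Return (ts, src, dst) for packets seen on the WAN interface whose
    source address lies in a range that cannot be routed from the Internet."""
    hits = []
    for e in events:
        if e["iface"] != wan_iface:
            continue
        ip = ipaddress.ip_address(e["src"])
        if any(ip in net for net in BOGON_SOURCES):
            hits.append((e["ts"], e["src"], e["dst"]))
    return hits


def port_scans(events, window=60, min_ports=8):
    """Return {(src, dst): distinct_ports} for every source that touched at
    least min_ports distinct destination ports on one host within any
    window-second span (sliding window over the time-sorted events)."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits within `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            if distinct >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), distinct)
    return alerts


def triage(text):
    """Run both checks over a log export and return one report dict."""
    events = parse_log(text)
    return {"port_scans": port_scans(events), "spoofed": spoofed_sources(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (src, dst), n in report["port_scans"].items():
        print(f"PORT SCAN  {src} -> {dst}: {n} distinct ports")
    for ts, src, dst in report["spoofed"]:
        print(f"SPOOFED    t={ts} {src} -> {dst} arrived on WAN with a bogon source")
```

On the sample, the sweep from 203.0.113.9 trips the port-scan rule (10 distinct ports within the 60-second window; the lone probe at t=1200 falls outside it), and the packet from 10.0.0.5 on the WAN side is reported as spoofed while the same kind of address on the LAN side is not. The window and port thresholds are the tuning knobs: a legitimate client reconnecting to a few services stays well under min_ports, whereas a sweep of well-known ports does not.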
Working with legislative mandates and our internal bureaucracy
As a small utility, NAED has limited staff resources to determine what it is responsible for implementing and reporting.
• NAED attended meetings organized by national and regional organizations (e.g., APPA, NEPPA) to get background and possible solution sets
• Results of those meetings led to the writing and approval of the NAED Red Flag policy, and the policy addressing MA 220 CMR 17.0
• A further result was to move NERC/FERC CIP compliance research to a consultant
• NAED has filed with NERC/FERC as having no critical cyber assets; this is an annual filing
• Further NERC/FERC compliance is operational in nature and owned by Engineering
• Policy and procedure are reviewed by the NAED General Manager
• Policy and procedure are reviewed by counsel as necessary
• Policies are approved by the Board of Commissioners
Understand that this is a team task
• Know, or learn, what you are mandated to protect
• Enlist assistance to assure adequate research
• Utilize external resources to bridge knowledge gaps
• Identify where you are at risk
• Identify steps to address those risks
• Prepare actions and policies framing them
• Ready the policy changes through channels
• Train staff on the changes
• Implement the actions
• Train more
• Keep staff in the loop and involved
• Keep management informed
• Reassess results, question and improve
Summary: We're little and have to do a lot, but we have a lot with which to do it if only we make the effort to use it.