CMSDataGuardianProgram
NISTFISSEAConference
March14,2017
KarenMandelbaum,Director,DivisionofSecurity,PrivacyPolicy&Governance
MicahBatchelder,FederalLead,IncidentManagementTeam
February2017 ForOfficialUseOnly(FOUO) 2
Introduction
February2017 ForOfficialUseOnly(FOUO) 3
DataGuardianasPrivacySteward
DataGuardianareresponsiblefordisseminatingthemessagethatfortifiesthecultureandencouragesstafftostop,think,andask beforetakingariskthatcouldpotentiallycompromisetheITsystemsordataoftheorganization.
https://www.dreamstime.com
4
StakeholderDependencies
DataGuardians
PrivacySubjectMatterExperts/
CyberRiskAdvisors
BusinessOwners
InformationSecurity&
PrivacyGroup
PrivacyandSecuritystewards
ProvidesTraining
CyberAwarenessBriefs
Policy/Procedure
PrivacyandRiskspecialistsAssistin
developingPIA,SORNS,Data
SharingAgreements,etc.
Havein-depthknowledgeoftheirdataandsystems
February2017 ForOfficialUseOnly(FOUO) 5
BuildingtheDataGuardianProgram
• TomeetthespecificneedsofeachOffice/Center• Framework– definesrolesinprocesses• SpecializedTraining– e.g.PrivacybyDesign• Expandefforts– buildssynergyCommunicationTailor
• CommunicationPlan• Training• Repository
SetFoundationalConceptsandSupporting
Infrastructure
• Charter,SWOT,ProgramPlanDefineStrategy
6
DataGuardianMeetingAgenda
What’shappeninginternally/externallyin
thecyberworld&
whatDataGuardiansneedtoknowandacton
• DefinePhishing• IdentifyPhishingScams• DevelopScenariosandRun
Exercises• ReviewStatistics• CommunicateResults• DevelopMitigationTactics• CompileLessonsLearnedfrom
Phishingresults
PhishingProgramOverview
7
February2017 ForOfficialUseOnly(FOUO) 8
PhishingExerciseExampleValentinesDay
February2017 ForOfficialUseOnly(FOUO) 9
ProvideaPhishingExercisewithFollow-onTraining
ForwardtheemailtoHHSSpam([email protected])mailbox.
“SPAMButton”– tomakeiteasytoreport&actupon
Mitigation
10
Specializedtrainingforrepeatclickers
DevelopedandImplemented
Policies
Procedures
Processes
Acquired&ImplementedToolset
February2017 ForOfficialUseOnly(FOUO)11
PhishingExercisesProgramOutcomes
41phishingexercisesto
date
Results:• Improvedabilitybystafftoidentifyaphishingscam• ImprovedresponsebySecurityOperationsTeam• Abilitytofocusmitigationandtraining
Decreaseinnumberofindividualsthatclicked
onphishingemails
February2017 ForOfficialUseOnly(FOUO) 12
LessonsLearned
RunExercise
AnalyzeResults
ReporttoDG
ProvideTraining
• Createa“true”baseline
• Focusonproblems– Identification- ‘phishingclues’
– Reporting
• Varietykeepstheattention
• Communicateresultsoftheexercises
• Followeverycampaignwithtraining
IncidentResponsePreparedness
– Identify&Practiceprocedures
– Giveinputtoenhanceprivacy/securityincidentresponsecapabilities
– Identifypreventativecorrectiveactionsthatcouldbeimplemented
ConductTabletopExercisesto:
Downloadedfrom:http://www.eci.com
NewOMBguidancerecentlyissuedemphasizesIncidentResponse
14
DevelopScenariosthatEnsureCoverageofallTypesofIncidents
Notallsecurityincidents areprivacyincidents,andconversely,notallprivacyincidents aresecurityincident.
Infected PDF encrypts entire server with ransomware.Incorrectly Sharing a
file with PHI
Unauthorized access,
disclosure or modification of
PII
PrivacyIncident
SecurityIncident
February2017 ForOfficialUseOnly(FOUO) 15
Process
Monitorinternal&externalcybernews/incidents
DetermineRelevancetoCMSbusiness
Getspecificrequestsfrombusinessowners
SetupTabletopExercise
Runtheexerciseasareal-lifesimulation
Reflect,Assess,Developproceduralcorrection
TabletopExercisesLessonsLearned
• Solicitparticipantfeedbackonhowthetabletopexercisewascraftedandrun– itprovidesvaluableinsight
• Theresultsoftheexerciseshouldbeanalyzedonateam-by-teambasis;thisprovidesinformationonwheregapsexist
• Usepositivityandfocusoninsightgathered
• Buildrelationshipsandteamworkmindset
FOCUS ON THE
POSITIVE
DataGuardianProgramSummary
• NeedstobeBusinessDrivenfocused– Leadership
• DataGuardianProgramforcommunicationandcoordinationoftechnology,compliance&business
• PhishingProgramtoanticipatethreats• TabletopExercisestominimizeharmandfacilitaterecovery
February2017 18
Questions?
