TribalNet Magazine - Spring 2016

< PreviousFeatured Columns - Risk ManagementAndy Jabbour, President, Gate 15Today’s threat environment is complex, highly integrated, and fast moving. With the abundance of information available through traditional and online means, being able to sift through the noise to identify relevant threats and risks can be challenging. Leaders – whether security personnel, risk managers, preparedness professionals, or others – cannot afford not to understand threats, assess the risks, and apply those to preparedness and operational activities. It Starts with Information. Information can be deﬁned as knowledge about someone or something, or the facts and details about a subject. When it comes to the security environment, that means collecting information on the various existing threats. Threat information is not analysis, or even context, but more broadly and simply, knowledge about what threats exist. Some would like to limit the scope of threat infor-mation to a speciﬁc discipline – information (or cyber) security, physical security, crime, terrorism, health, etc. In today’s interdependent environment, that simply won’t do. Leaders need to ensure they have a reasonable level of awareness on potential threats across the all-hazards environment in order to make informed assessments of their organizational risks.You’ve Got Info, Now Get Some Intel. Information is a critical starting point in understanding the facts and data about the threat environment, but information on its own may lack the additional context needed to make it useful and actionable. In terms of the intelligence cycle, the next step in the process of understanding the environment is taking the raw data, which may be buried under the biases and limitations of the source, and processing it, analyzing it, and developing the context and information that will allow you to understand the potential risks that may affect your organization and operations. That analyzed information is intelligence. With it, you now have threat-informed context.Assess the Risk. Once you have the needed threat intelligence, you are able to start assessing organizational risk. It is important here to differenti-ate between “threat” and “risk” as the terms often get misused. The Department of Homeland Security (DHS) deﬁnes threat as “natural or man-made occur-rence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property,” and risk as the “po-tential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.” Simply put, a risk is assessed by determining the severity of such a threat being realized and the probability of that occurring. Every organization, based on mission, location, and a number of other variables, will assess those threats differently. Once completed, a proper risk assessment, informed by a sound understand-ing of the threat environment, provides leaders and organizations a threat-informed, risk-based perspec-tive through which appropriate preparedness and operational actions can be determined.Critical Moment! With a well-informed perspective, leaders can now make smart choices as to how to allocate limited resources to most effectively mitigate the greatest concerns. In an ideal world, with unlimited time and money, organizations would be able to write every plan, train on every concern, exercise all procedures, purchase all needed equipment and services, and hire all the desired staff, as well as establish and maintain robust operations centers, response staff, and security personnel. Most of us don’t live in that world. As such, leaders need to prioritize risks and focus limited time and resources accordingly.Threat-Informed, Risk-Based Preparedness & Operations. Having an informed understanding of the threat environment and using that to develop a solid risk assessment, leaders can start assessing how to best decrease organizational risk. Some of that may be accomplished through stopping certain activities or by purchasing appropriate types of insurance. In many cases, organizations will need to look at Threat-Informed, Risk-Based Preparedness & OperationsAndy JabbourPresidentGate 1510TribalNet“Having an informed understanding of the threat environment and using that to develop a solid risk assessment, leaders can start assessing how to best decrease organizational risk.” Featured Columns - Risk Managementpreparedness activities than can prepare the orga-nization to best mitigate the impacts of the greatest risks. An organization along a major fault line may determine that an earthquake is a highly rated risk. Another organization may assess serious concerns related to information security and the potential damage associated with a data breach. Whatever the areas of concern are, leaders can now prioritize limited time and resources to mitigate those greatest risks. Taking the time to develop appropriate plans; organize and equip the organization in order to build capabilities and address requirements; train staff on expected roles, responsibilities and actions; and then exercise those plans and personnel in discussion-based forums and build up to operational drills and complex exercises, leaders can prepare their organi-zations for the most concerning risks. Operationally, understanding the risks, purchasing, and resourcing decisions can effectively be made to get the most “bang for the buck.” Security services, barriers, alter-nate facilities, and other operational considerations can be considered through a threat-informed, risk-based lens. That perspective, applied to preparedness and operations, maximizes an organization’s limited time and resources and focuses on addressing the greatest areas of concern.Where Do I Start? Everything noted above can be done within an organization, or a service provider can support some or all of it. If conducting such activities internally, it is important that staff be given clear guidance, roles, responsibilities, time, and training to do what is needed. There are many free resources available to the TribalNet community. TribalNet has previously made available our team’s free all-hazards informational product as a link from the TribalNet website. The Federal Emergency Management Agency (FEMA) has a wealth of resources available for preparedness, the DHS offers numerous free training courses around the country, and TribalNet members can join the Multi-State Information Sharing and Analysis Center (MS-ISAC) - among other resources, tools, and communities that could be useful.In today’s threat environment, organizations need to ensure they are applying a sound approach to identifying threats, assessing risks, and properly mitigating at least the greatest concerns. Applying a threat-informed and risk-based approach can help to maximize the limited time and resources leaders have available.Spring 2016Andy Jabbour is the founder of Gate 15 and serves as Director for Threat & Risk Analysis and leads a variety of preparedness, analysis, and operational activities. Andy has previously served in a variety of roles including leading analysis for the Real Estate Information Sharing & Analysis Center (ISAC), supporting the Financial Services ISAC and DHS exercises and incident response, as well as worldwide assignment in the US Army.www.FireEye.com© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names may be trademarks or service marks of their respective owners.ONE UNIFIED DEFENSEAGAINST CYBER ATTACKERSDETECTSignature-less and multi-ﬂow virtual machine based approach that leverages superior threat intelligencePREVENTMulti-vector inline known and unknown threat preventionANALYZEContainment, forensics investigation and kill chain reconstructionRESPONDRemediation support and threat intelligence to recover and improve risk postureToday’s cyber attacks are targeted, sophisticated and focused on acquiring your most sensitive information. They also go undetected by traditional security technology. Government agencies and organizations need to reimagine security and adopt a Continuous Threat Protection model. This means having the ability to detect threats in real-time and reduce time to respond, thereby preventing or minimizing business impact. The FireEye Platform provides a multi-faceted approach to security – detect, prevent, analyze, respond. Scan the code to learn more.Product Spotlight12TribalNetArctic IT “Tribal Platforms” is built on the Microsoft Dynamics CRM Platform. The software suite consists of the following unique applications; Tribal Enrollment Management, Tribal Education Management, and Tribal Social Services Case Management. At the heart of all services provided by a tribal government to its members, is the Tribal Member Master Record. That record is the basis for determining eligibility, family relationships, households, and many other vital statistics for reporting to the government on the efﬁcacy of the programs delivered. The Arctic IT “Tribal Platforms” solution is engineered to provide 360 degree, secure access to the member’s information on a central database. This foundational capability revolutionizes the way a tribe administers its member services. Each department has unique security roles to limit the visibility they require. The system leverages a main “contact” record in which the “member proﬁle”, “student proﬁle”, and “client proﬁle” are built from. Contact records are used for non-tribal member records required for the household and family tree, while the other proﬁles are used for the case work and program participation activities being tracked.The entire application is fully integrated with the Microsoft Ofﬁce Suite and works on all mobile devices and tablets for clinical and home based scenarios like home inspections for child welfare cases or on location at a tribal school entering information regarding a student’s performance.The tribe can print their unique Tribal ID Cards out of the system, manage Tribal Elections, and perform U.S. Census Reporting whenever it is required. The application is easily conﬁgured to meet the unique needs of each tribe.Value to Native American market:Although most assume that all Native American Tribes are very similar, the fact is, they are all quite unique. Geography, Socio-Economic climate, number of members, and politics drastically shape each tribe into a standalone Sovereign Nation and Government, responsible for ensur-ing the health and well-being of its membership. However, at a certain point in our tenure, we realized that there was enough similarity that we could assemble enough of a software foundation to help each tribe uniquely impart a set of best practices and common functionality. We built the Arctic IT “Tribal Platforms” Suite of applications in their latest iteration on Microsoft Dynamics CRM 2016 over the latest versions of Microsoft SQL Server and Microsoft Ofﬁce. This new “Commercial-Off-The-Shelf” (COTS) software application allows our new tribal customers to start with a solid foundation for Tribal Enrollment, Education, and Social Services, and then leverage the out-of-the-box conﬁguration utilities with our assistance to customize the application to the unique needs of their tribe.Who We Are: Arctic IT is a 100% Tribally-Owned information technol-ogy Enterprise that focuses on implementing Microsoft Business Applications for Native American Tribes throughout the U.S. Our extensive experience working with Tribal Governments and Tribal Enterprise allows us to provide value and expert consulting services to our clients. We grew our roots working for tribal organizations and we deeply understand the need to leverage technology to ensure secure futures for the tribe and its members. Our parent organization, Doyon, Limited (www.doyon.com) has also enabled us to grow our business into Federal Government Contracting where we have been thriving. We work for the same government organizations that help fund the member services and programs within our client base. Enrollment, Education, Social Services Case Management, Per Capita and Loan Management are all components of our Tribal Platforms Software Suite. These software applications designed speciﬁcally for use by tribes, are fully integrated in our Microsoft Dynamics Accounting and CRM applications, providing an efﬁcient and audit trail compliant suite of software that any size tribe can leverage, cost effectively.References of Where Installed: • Seminole Tribe of Florida• Poarch Creek Tribe of Alabama• Choctaw Nation of OklahomaCompanyArctic Information Technology, Inc./Tribal PlatformsSales ContactsDave Bailey, CTO & Vice President Lessa Peter, Marketing Managerdbailey@arcticit.com lpeter@arcticit.comwww.arcticit.com www.arcticit.comArctic IT “TRIBAL PLATFORMS” on Microsoft Dynamics CRM byPLATFORMSTRIBAL A DOYON GOVERNMENT GROUP COMPANYAgency Updates - USETUnited South and Eastern Tribes, Inc. (USET) United South and Eastern Tribes, Inc. (USET) works daily to uphold, promote, and protect tribal sovereignty and nation rebuilding through capacity building, organization/government development, technical assistance, advocacy, partnership, and resource development so that the quality of life and overall wellbeing of Indian people improves and thrives. Through the USET team’s hard work and the addition of a policy and legislative director, economic development director, and additional staff and support, USET has become a nationally recognized intertribal organization. USET recently initiated a new 501c4 enterprise as a counterpart to the non-proﬁt organization USET began 48 years ago. This new addition will allow USET to build a leading advocacy organization with a strong foundation that gives voice to, and advances, a comprehensive policy and legislative affairs agenda reﬂecting the interests of USET tribal nations, their citizens, and Indian Country. With this addition, USET has become a leading provider of comments and testimony in the governmental realm of Indian issues. As the year passes, USET Tribal Nation members gather for meetings to consider and discuss pressing issues that threaten tribal nation sovereignty and conclude how to appropriately manage and dispense effective resolution and guidance. In addition to working directly with tribal nation members, USET has a new app, which provides USET events, news, and information regarding member Tribal Nations and Indian Country issues at the touch of a button. USET’s Facebook page and Twitter account keep up with USET business and activities sticking with the progress of social media and information sharing. Please visit www.usetinc.org for more information and to keep up with USET business.Brandon StephensDevelopment DirectorBstephens@usetinc.orghttp://www.usetinc.orgTribalNet 2016BE THERE…it’s that simple.McLean & Company: Human Resource ManagementPractical research, tools and advice covering the entire spectrum of HR challenges to ensure you achieve measurable, positive results. Includes HR Strategy, Employee Engagement, Talent Management, Talent Acquisition, Performance Management, Learning & Development, Total Compensation, and HR Operations & Infrastructure. Info-Tech Research GroupInfo-Tech’s mission is to help our members conquer their challenges by improving their core IT processes and actively assisting in delivering on their key projects. Includes all core research including Applications, Infrastructure, Strategy & Leadership, and IT Management & Governance Best Practice Process Framework.Your NATRC Membership Includes:Access to Tribal speciﬁc research available nowhere else in the industry Complimentary 3 month Info-Tech Research Group & McLean & Company Core Membership for 3 of your IT and 3 of your HR executives Complimentary annual TribalNet all-access membershipComplimentary TribalNet conference pass On average our clients receive over $30,000 in value each time they engage with our analyst teamSpecial savings when combining the Native American Technology Research Center (NATRC) and the Gaming & Hospitality Research Center (GHRC) memberships •••••• IT’S IN YOUR HANDSThe NATRC is putting the choice for the right tools in your hands so you can put the opportunity in your tribe’s hands.I’ve been an Info-Tech customer for several years. With their valuable research easily available, they save me time and money by not having to research it myself. It’s hard to believe they provide so much information on every topic I can think of. They understand Native American Tribes and issues with sovereignty which makes their research more meaningful and speciﬁcally focused.Jon JamesCIO, Cherokee Nation““JOINNATRCOF THEIN REALIZING THE POWERTHE GROWING NUMBER OF TRIBESBefore the NATRC there was NO research available speciﬁc to technology and innovation within tribal organizations. Look at how far we’ve come now:TECHNOLOGY TO PROTECT YOUR PASTAND PREPARE YOU FOR THE FUTUREAnd we have exciting upcoming 2016 NATRC Additions:Tribal Financial Management SolutionsTribal Enrollment and Membership Management SystemsTribal Court & Docket Management SystemsTribal Asset & Work Order ManagementHow to Select, Implement, or Change a Resource Patient Management System (RPMS)• • • • • Tribal Emergency Response Management SystemsTrain Tribal Managers to Develop Employees to Increase Engagement and ProductivityHow to Prepare for a HIPAA Compliance Audit• • • DISCOVER THE POWER OF THE NATRC JOIN TODAY!Erin FontManaging Director, NATRC1-888-670-8889 x 27721-519-777-3731efont@infotech.comLarry FretzPractice Lead, NATRC1-702-574-4575lfretz@infotech.comFeatured Columns - Security AwarenessWinnie Callahan Ed.D, Director, University of San Diego, Center for Cyber Security Engineering and TechnologyAs a nation, we have a love/hate relationship with the Digital Age. We like the conveniences it provides such as online banking; the ability to pay at the pump and ﬁll the gas tank; the mobile devices that ensure connectivity; the GPS system to ensure we reach the desired destination with minimum stress; and the global reach available in near real time to information, businesses, and people. Amazing accomplishments provided through technological advances and scientiﬁc discovery directly tied to the Digital Age.With this explosion of technology comes a tremendous onslaught of vulnerabilities. By simply being connected to the Internet, many “strangers” suddenly can have access to you, your home, your children, and your most closely held information. This is frightening enough, but what is really terrifying is you have just entered a world where you have no one to really call for help. The “buck,” so to speak, “stops with you!” In an instant, you have just applied for what some might consider a coveted job, that of Chief Information Security Ofﬁcer, not with an organization but of “your” world. Are you prepared? Do you have a degree in Information Assurance or Cybersecurity? Most people don’t. But you are required to accept this responsibility whether you want it or not. You must commit to learn about cybersecurity; the threats that are cited daily in the news; the cyber criminals that lurk not only outside your door, but may actually now reside within your home, your ofﬁce, and perhaps your mobile device. You want to know why they’re there, what they hope to gain from you, and more, to mitigate these threats now and in the future.Many organizations exist that offer security software to protect your computer from attack, but how good is it, and how often should it be updated, and how will you know if your machine has been breached? Again, you must assume responsibility to learn about ways in which you can protect yourself and your family. Almost overnight passwords take on new relevance and vendors who profess to know “exactly what you need” become suspect. If you’re feeling lonely, that’s because you are alone. You simply cannot outsource this responsibility without a great deal of study and without checking references and knowing the reliability factor of those who say “they have all the answers.”Some suggestions for you as you start or rather continue your journey to become the CISO of Self, ﬁnd reputable people with whom you can trust and engage them in discussions of lessons learned. Know that you need to have security software in place and that regular updates are required. Don’t overlook or delay the upgrades. Don’t put any more personal information online than is absolutely necessary. Once it’s in cyberspace, it’s there to stay. Avoid mixing work with personal activities. They are very different and should be kept separate and on different systems. Avoid using public hotspots, as most are not secure. Passwords should have at least 14 characters using upper case, lower case, numbers, and special symbols such as “!” or “@.” Change about every 60 days and avoid family names, addresses, etc. Don’t send photos with geospatial data on the prints. Be very wary of links, ﬁles, and add-ons, as often these are the carriers of botnets, Trojan horses, and/or viruses. Keep in mind social media is a huge vulnerability. Control “friend” accesses.BECOMING the CISO of SELFWinnie Callahan Ed.DDirectorUniversity of San Diego Center for Cyber Security Engineer-ing and Technology“What is best in dealing with cybersecurity issues is to realize you don’t know what you don’t know.” 18TribalNetFeatured Columns - Security AwarenessYou may say to yourself that I can let my guard down at work … after all, most businesses have an IT group and they are responsible for the business security, right? Generally speaking, this is accurate, but you as an employee still must assume responsibility to protect the organization. You must be alert to information that comes to your workstation. For example, you may get an email that doesn’t look right. You may not recognize the name of the sender or the email address… a good rule of thumb is don’t open it. You may be the target of a phishing attack where the message you receive is bait to get into the company or even your home machine by appearing to be from a reputable/trusted source. Look carefully at such messages and if there is an error in the message such as misspelling, or it’s from an institution you don’t have an account with, but is titled “important changes to your account,” it is likely a concerted attempt to gain entrance into your machine and perhaps infect your computer. DON’T TAKE THE BAIT. Get out and communicate the type of attack and other attempts you recognize to IT and your co-workers. This is very important as one of your colleagues may step into the trick and create anything from a breach of personal information to a denial of service attack on the company.What is best in dealing with cybersecurity issues is to realize you don’t know what you don’t know. Think of this brave new world as an opportunity to solve a puzzle. Learn all you can, create an insatiable appetite for becoming the best CISO in your organization … the CISO of self, both at home and work. If you assume this responsibility in an aggressive way, you greatly reduce the chances that you’ll become the victim of the attack. If you make it hard for the attackers, they’ll move to the “lower hanging fruit.” Quite simply, don’t abdicate your responsibilities in the cyber domain, as the buck does indeed stop with YOU!Winnie Callahan joined the University of San Diego in June of 2015 as the founding director of the University of San Diego Center for Cyber Security Engineering and Technology. In this role, Callahan works with both the Shiley-Marcos School of Engineering and the School of Professional and Continuing Education to build a world-class Cyber Security program through academic degree opportunities, certiﬁcate programs, service, and associated research. Callahan holds a Bachelors Degree from Winthrop University in South Carolina, and a Masters and Doctorate from the University of Nebraska in Educational Administration. Through the years, Callahan has presented frequently at the national level, has several publications to her credit, served as a consultant to Disney, and has many recognitions to include installation in the Aksarben Court of Honor. She was named the YWCA’s Woman of Distinction in 1994, and made an Admiral in the Great Navy of Nebraska by then Governor Ben Nelson. In 2007, Callahan was named the West Point Society’s Citizen of the Year, recogniz-ing her leadership, community participation, and patriotism.19Spring 2016Next >