IT Security in the Commonwealth: A high-level review
Sam A. Nixon Jr., Chief Information Officer of the Commonwealth
Governor’s Secure Commonwealth Panel, HHR Sub-Panel, December 16, 2013
www.vita.virginia.gov
VITA’s Mission: Mandate for Change
• Executive & Legislative Branch leaders called for
  o Business-like approach to managing IT services across the enterprise of state government
• Concept of “Shared Services” (cloud computing)
  o Statewide IT infrastructure for government entities
• Major Statutory Responsibilities:
  – Provisioning of IT Infrastructure Services (in-scope agencies)
  – Central oversight of IT procurement, projects, security, standards, policy and procedures, Wireless E-911, and contingent labor
• Modernization is a journey
  – Step 1: Creation of VITA & statutory framework
  – Step 2: Transformation of infrastructure
  – Step 3: Enterprise Applications & Services
Information Security in the Commonwealth
VITA is tasked with security governance over all three branches of state government.
VITA oversees delivery of infrastructure services to executive branch agencies. Agencies remain responsible for business applications and data. Shared responsibility.
CoVA IT Infrastructure
• Locations: 2,247
• Computers: 59,374 PCs, 3,356 servers
• Printers: 5,311 network, 22,000 desktop
• Communications: 55,000 desk phones, 6,100 handhelds (PDAs), 11,000 cell phones
• Networks: 2,039 circuits
• Data Centers (2): CESC, SWESC
• Mainframes (2): IBM, Unisys
• Mailboxes: 58,948 accounts
• Data storage: 1.5 petabytes
Exec Branch Business Applications
• Core Applications: 2,100
• Sensitive Systems: 697
• Why does Security matter? Examples:
  – Health Care – PHI, Birth Records, Prescription Monitoring
  – Public Safety – Forensics Lab Data, Fingerprint System, Emergency Planning data
  – Transportation – Traffic Mgmt Systems, Road, Rail and Air
  – Taxation – Citizen and Business Financial Info, FTI (SSN)
  – VITA – Infrastructure & Security Architecture, Network, Employee Authorization
Security Strategy
[Figure: layered security strategy diagram with three layers labelled PEOPLE, OPERATIONS & SERVICES and TECHNOLOGY. Elements shown, in the order they appear:]
• Enterprise Logging; Network Defense; Content Security; End-Point Defense; Data Security
• Architecture Design & Development; Security Lifecycle Management; IT Service Management
• Audit & Assets; Event Monitoring; Incident Detection, Analysis, & Response; Forensics; Vuln Mgmt; Compliance Mgmt; Threat Assessment; Contract
• Policies & Procedures; Training & Awareness; Security Admin; Physical Security; Personnel Security
• Firewalls; Web App Firewalls; IDS/IPS; Anti-Spam; Web Filtering; Anti-Virus; HIPS/HIDS; Desktop Firewall; Anti-Virus; VPNs; Hard Disk Encryption
Government Data Breaches & Attacks
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, Aug 2013
Virginia Agencies
• *95,513,983 attack attempts (>300K / day)
• *708,027,671 spam messages blocked
*Jan – Dec 13, 2013, transformed agencies only
[Chart: Security breaches of over 1 Million records, share by sector] Financial 30%; Government 25%; Retail 18%; Health 13%; Other 12%; Non-Profit 3%
Increase in Security Incidents (2010-2013)
[Chart: security incidents per quarter for 2010 4Q, 2011 2Q, 2011 4Q, 2012 2Q, 2012 Q4, 2013 Q2 and 2013 Q4; y-axis 0 to 350; per-quarter counts not reproduced in text]
Cyber Attack Map – July 2013
[Figure: cyber attack map, not reproduced in text]
VITA Has Broad Statutory Security Role
• Set security architecture & standards
• Oversee Northrop Grumman
• Perform overall incident response
• Share intelligence & information (FBI, DHS, State Police, VDEM)
• Conduct risk management
• Oversee & assist agencies
  – CIO has limited authority to ensure compliance
NG Responsible for Infrastructure Security
• Physical & logical security
  – Data center protection
  – Firewalls, intrusion monitors, encryption, compartmentalization, antivirus & spam filters
• Detection, containment & removal of security incidents affecting the infrastructure
• However, primary attack vector is against applications & not the infrastructure
  – NG assists with attacks against applications, but agencies remain responsible for applications & data
State Agency IT Security Efforts Are Mixed
Source: 2012 Commonwealth of Virginia Information Security Annual Report
Agency Responsibility: Agencies in Compliance
• Develop & maintain IT security audit plan: 71
• Appoint Information Security Officer: 97%
• Conduct IT security audits every 3 years (minimum): 63
• Develop & maintain corrective action plans: 56
• Develop & maintain policies and procedures to control unauthorized uses and intrusions: 42
Priority – Cyber Security
• Improve Analysis & Risk Assessment
  – Full packet analysis to address data exfiltration
  – Risk management tool (being pursued) to identify potential impact of breach or outage
• Enhance Access Security
  – More secure remote network access (SSL VPN)
  – Password resets (from 90 to 45 days)
  – Two-factor authentication
• Address Security Compliance
  – Increasing CoVA capabilities
VITA & Agencies Lack Security Staff
• VITA needs a cyber intelligence program to analyze threats and attacks
  – Need for risk-based decisions based on likelihood of attack attempts
  – Need analysis of malicious third parties that directly target the Commonwealth
• State agency staffing constraints impede security gap correction & limit auditing
  – Agencies must test their applications against new patches & evolving federal requirements
Future Governance of IT Security
• Future Governance Considerations
  – Federal regulations & third-party mandates require new security efforts for agencies
  – Agency constraints impede security gap correction & limit auditing to find unknown gaps
    • EX: Annual security reviews, JAVA, Win 7
  – Implementing a Commonwealth wide IT risk management program
  – Continued agility to rapidly respond to threats
• IT Security demands a “First Defender” approach