Erik Avakian, CISSP, CISA, CISM
Chief Information Security Officer, Commonwealth of Pennsylvania
The Core Security Services Taxonomy
Commonwealth of Pennsylvania
But first… some background information before we dive in. Just how did we get here?
2010 Deloitte/NASCIO Study
• Deloitte-NASCIO Joint Cybersecurity Study kicked off in 2010
• Consisted of a survey targeting U.S. state enterprise-level CISOs, with additional input from agency CISOs and security staff
• High participation: 49 of the 50 states responding
2010 Deloitte/NASCIO Study
Five Main Joint Study Areas of Focus:
• IT Security Governance
• Security Strategy
• Budget (Investments and use of Security technologies)
• Internal, External Threats
• Security of Third Party Providers
Key Findings
2010 Study - Key Findings
IT Security Governance
• Cyber Security Governance in the public space is lacking
Security Strategy
• States had the strategic plans. However, the survey data revealed significant challenges in the execution
2010 Study - Key Findings
Budget
• State IT Security functions were significantly underfunded
• Not only that - Security budgets were in a dangerous downward trend, aggravated by economic conditions and competing state priorities
2010 Study - Key Findings
Third-Party Providers
• States must enforce better third-party security
Internal and External Threats
• States store enormous amounts of citizens’ PII
• These “pots of gold” must be protected while potential threats to that data increase
2010 Study - Key Findings
Internal and External Threats on the Rise
• States needed to do more to secure citizen data and maintain public trust
• State and local governments needed to implement tougher security safeguards, thwart these threats, and be ready to respond when an attack occurs
2010 Study - Key Findings
Overall Theme
• States lacked the appropriate funding for security programs and strategies (and asking for new funding just wasn’t working)
• Significant diversity in security postures existed between the states
• Service Offerings were lacking to combat threats
Let’s examine some of the real-world cyber-related events that have transpired since the 2010 survey.
Emerging Threat Landscape
In 2011 alone…
• 25 million new strains of malware (including new threats and variants)
• Number of malicious websites more than doubled from the previous year
• More than 11 million records nationwide were involved in data breaches – and numbers continued to grow
Hacktivism - Defacement
Hacktivism – Data Theft/DDoS
Malware and Botnets
Social Engineering Attacks
Phishing: How Severe is the Threat?
• 73 million U.S. adults received more than 50 phishing e-mails a year in 2011 alone – trend increasing!
• Financial losses by the end of 2012 expected to reach upwards of 5 billion.
Advanced Persistent Threats
Fast Forward to Present Day
Present Day Attacks
Present Day Attacks
What The Bad Guys (Still) Want
• Organizational, proprietary, financial, and sensitive private information for identity theft or to sell it for big $$$$.
• Competitive advantage from disruption of operations (DDoS)
• National pride or political message
Challenges states and other orgs face
Asymmetric Cyber Battle
Attack:
• Low barrier of entry
• Low cost
• From anywhere
• High probability of success
• Low probability of getting caught
Defend:
• Huge effort
• High cost
• Identified targets
• High probability of being compromised
• Little or no recourse
2010 Study Findings
Action Items
• The 2010 Joint Study results led to several key action items for states to help identify and mitigate present day and future cyber security risk
• Among those were key items prompting development of the Core Security Services Taxonomy
2010 Study Findings
…“Though there is no mandated state compliance platform to drive consistent security programs, adopting an understood, comprehensive, and repeatable framework state-wide will enable improved alignment between state agencies and business, technology, and security leaders.”*
A Call to Action
A Call to Action
Joint Study Follow-up:
• Feb ’11: NASCIO asks state CIOs to respond to the growing threats, fiscal constraints, and security requirements for protecting critical state data and operational capacity.
• November ’11: the NASCIO Security & Privacy Committee completes the core security services taxonomy to enhance State CIOs’ and CISOs’ ability to assess risks and better understand resource requirements
Overview: Core Security Services Taxonomy
Core Security Services
What are the core security services?
• A common vocabulary for describing security services that must be provided to meet the requirements of security standards frameworks defined by various standards bodies
• A common set of security services that ALL states should have, provide, or acquire to ensure appropriate levels of protection for state data assets and operational capabilities
Core Security Services
Divides security services into two main categories:
1. Governance, Risk, Compliance Services (GRC)
2. Operational Security Services
Under the 2 primary categories are 12 sub-categories
Core Service Categories
Core Security Services
Identifying Criteria
• List is inclusive, so that every IT security-related function performed by a state IT security program is included or nests under one of the sub-category headings
• Items are representative of all functions that need to be performed by an IT organization to ensure adequate information security and risk assessment is in place
Core Security Services
Identifying Criteria
• Services focus on what needs to be done – not on who needs to do it
• Services could be outsourced, internal, or a hybrid of the two
• Not all functions have to report to the CISO. (This helps ensure separation of duties between compliance and operations)
Common Questions
• How can I convince management this year that we really need funding for this new security tool?
• Why doesn’t management understand cyber security funding?
Common Questions
• Is my state’s security spend in line with industry best practices?
• How do my investments compare with other states?
• Is the right mix of services in my security portfolio?
Taxonomy Goals
• Help CIOs and other government leaders understand what needs to be done by identifying Key Services, Key Outcomes, and Tools
• Provide a common framework for financial comparisons down the road
Taxonomy Goals
Promoting Understandability
• Target audience: CIOs and other executives
• Consistent format to describe each security service
• Use simple terms without jargon
Methodology
Let’s take a Closer Look
• We’ll examine a key service, the key outcomes, and tools used
• We’ll focus on one example service category – but the same approach can be applied to any
Service Categories - Example
Service Categories - Example
Secure System Engineering
Service Description: Designing appropriate security controls in new systems or systems that are undergoing substantial redesign, including both in-house and outsourced solutions
Key Outcomes from Activities
Secure System Engineering
• Integrate security design requirements in the SDLC
• Participate as a security consultant on significant technology projects
• Assist with the creation of system security plans, outlining key controls to address risks
• Assist with creation of residual risk documentation for management acceptance
Key Outcomes from Activities
Secure System Engineering
• Integrate security requirements into contracts for outsourced services
• Assist with the creation of information security policies, standards, procedures, and guidelines
• Assist with the creation of secure configuration standards for hardware, software, and network devices
Tools to Implement
Secure System Engineering
• Standardized system security planning templates
• Governance, risk, and compliance software
• Various operational and application security tools
• Best practice frameworks for the management of IT, such as ITIL
Commonwealth of Pennsylvania - Cyber Security Taxonomy Implementation
PA’s Taxonomy Implementation
Initial Maturity Assessment: The 2012 Deloitte/NASCIO Cybersecurity Study
2012 Deloitte/NASCIO Cyber Study
Methodology in accordance with ISACA COBIT 4.1
Benefits
Agreeing upon, using & describing a set of essential core services creates significant opportunities and benefits for state IT leaders
Benefits
• Identifies the services that are ideally performed centrally versus those which are distributed
• Creates a common vocabulary in decentralized environments across lines of agency authority and allows better assessment of the total costs being expended to fulfill the service requirement
• Creates a real method for CISOs to assess their programs against those of other states
Benefits
• Can be used as states move to use of cloud computing services to ensure that security requirements are well articulated and understood
• Assists state leaders in making informed decisions related to cyber security threats, risks, programs, and strategies
• Finally – It provides a way to demonstrate real funding needs based on maturity levels
Benefits
Uses of the Taxonomy
• From an auditing standpoint, if states are making strides in maturing the taxonomy service areas, this closes compliance gaps, reduces real risk, and identifies residual real risk
• Much easier for the organization to demonstrate compliance by ensuring these service areas are covered properly
Mid-Year Wrap Up
Q & A from the NASCIO Midyear
1) Are there any specific areas in the taxonomy that you feel that the states are in most need of help? If so, what are they?
2) Are there certain service area items within the taxonomy that absolutely must report to the CISO?
Mid-Year Wrap Up
Q & A from the NASCIO Midyear
3) Where does Application Security fit into the model?
4) Resources are limited. States are being asked to do more with less. What if a state organization simply doesn't have enough human resources to allocate to all the parts of the taxonomy?
What’s Next?
Next Steps:
• Results from the 2012 Deloitte/NASCIO Cyber Security review to be released during the 2012 NASCIO Annual conference in mid October
• Results will be an important step to identifying initial maturity baselines for states - where they are and in what areas they need to improve to stay ahead of the cyber threat landscape
Resources and References
The 2010 Deloitte-NASCIO Cyber Security Study*
• http://www.nascio.org/publications/documents/Deloitte-NASCIOCybersecurityStudy2010.PDF
The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs*
• http://www.nascio.org/publications/documents/NASCIO_CoreSecuritySevices.pdf
Thank You!
Questions? Erik Avakian, CISSP, CISA, CISM
Chief Information Security Officer Commonwealth of Pennsylvania