TRANSCRIPT
Inception Securities
History
• Began in 2002 providing database performance tuning and security for database applications
• By 2006, routinely provided complete security services (assessments, penetration tests, policy creation, and regulatory compliance assistance)
Clients in the Past
Our clients include organizations of different sizes. Most are state and federal government agencies that must demonstrate compliance with specific security-related regulations.
Current
• New “In-State” Headquarters
• 22 full-time employees, including 4 who will focus on providing services and products for this new opportunity, should we be awarded the contract
Resources
• All five hold Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), GIAC Security Essentials Certification (GSEC) and other Global Information Assurance Certification (GIAC) certifications
The Cast
• Project Manager – Dale White
• Network Administrator – Julie Newton
• Database Security – Stephen Davis
• Risk Management – Will Lopez
• Procurement/Compliance – Tara Ramchi
Accomplishments
• Won four major contracts in the last four years for vulnerability assessments and penetration tests.
User Domain
• Bi-monthly training on security (what to look out for, what is allowed, password security, etc.)
• Employees will be working with trainers certified through Inception Securities
• Background checks for employees
• Access badges assigned to each employee
Workstation Domain
• Nightly virus scans performed by Symantec
• Nightly malware scans performed by Malwarebytes
• Monthly checks for updates and patches
• All laptops will be encrypted by Symantec
• Physical security by disabling USB ports
LAN Domain
• Proxy settings to filter content based on departmental needs
• Account-based access
• Once a day port scanning performed by Nessus to identify unauthorized open ports
• Departments sub-netted to separate them for easier security control
LAN-WAN Domain
• Constant monitoring of the packet flow by OmniPeek to maintain optimal network functionality
• Once a day port scanning performed by Nmap to identify unauthorized open ports
• Access control list (ACL) limiting the access per department
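The two daily port-scan bullets above (Nessus inside the LAN, Nmap at the LAN-WAN boundary) only detect "unauthorized" open ports if the scan result is compared against what each host is approved to expose. The following Python script is an added example, not part of the Inception Securities proposal: it parses Nmap's grepable (-oG) output and diffs each host's open TCP ports against an approved baseline, reporting ports that should not be open, approved ports that have gone dark, and hosts that answer but have no baseline at all. The hosts, service names, ports and baseline table are constructed for illustration and do not describe any real network.

```python
"""Daily port-scan baseline check.

Added example, not part of the Inception Securities proposal. Parses Nmap
grepable (-oG) output and compares each host's open TCP ports against an
approved baseline, so "unauthorized open port" is a reproducible finding.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `nmap -oG - -p- 10.10.20.10-13` output. Hosts, names,
# ports and services are invented for illustration; none refer to a real network.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 02:00:00 2024 as: nmap -oG - -p- 10.10.20.10-13
Host: 10.10.20.10 (fileserver)\tStatus: Up
Host: 10.10.20.10 (fileserver)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 10.10.20.11 (dbserver)\tStatus: Up
Host: 10.10.20.11 (dbserver)\tPorts: 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///, 4444/open/tcp//krb524///\tIgnored State: filtered (65532)
Host: 10.10.20.12 (webproxy)\tStatus: Up
Host: 10.10.20.12 (webproxy)\tPorts: 3128/open/tcp//squid-http///, 22/closed/tcp//ssh///\tIgnored State: filtered (65533)
Host: 10.10.20.13 ()\tStatus: Up
Host: 10.10.20.13 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (65534)
# Nmap done at Mon Jan  1 02:04:12 2024 -- 4 IP addresses (4 hosts up) scanned in 252.31 seconds
"""

# Approved baseline (constructed): the only TCP ports each host may listen on.
# A host that is up but absent from this table is itself a finding (unknown asset).
BASELINE: Dict[str, Set[int]] = {
    "10.10.20.10": {135, 445},      # file server: RPC and SMB only
    "10.10.20.11": {1433, 3389},    # DB server: SQL Server plus RDP for admins
    "10.10.20.12": {3128, 3389},    # proxy: Squid plus RDP for admins
}

# One entry in the "Ports:" field looks like 3389/open/tcp//ms-wbt-server///
_PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)//([^/]*)/")

Finding = Tuple[str, str, Optional[int]]


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {ip: set of open TCP ports} for every host reported up."""
    open_ports: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                       # comment lines such as "# Nmap done ..."
        ip = line.split()[1]
        open_ports.setdefault(ip, set())   # an up host with nothing open is still recorded
        if "\tPorts: " not in line:
            continue                       # the "Status: Up" line carries no ports
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for port, state, proto, _service in _PORT_RE.findall(ports_field):
            if proto == "tcp" and state == "open":
                open_ports[ip].add(int(port))
    return open_ports


def compare(observed: Dict[str, Set[int]], baseline: Dict[str, Set[int]]) -> List[Finding]:
    """Diff observed open ports against the baseline.

    Returns (host, kind, port) tuples, kind being:
      "unauthorized" - open TCP port not approved for this host
      "missing"      - approved port not open (service down, or a firewall now blocks the scanner)
      "unknown_host" - host answered but has no baseline entry (port is None)
    """
    findings: List[Finding] = []
    for host, ports in sorted(observed.items()):
        approved = baseline.get(host)
        if approved is None:
            findings.append((host, "unknown_host", None))
            continue
        findings.extend((host, "unauthorized", p) for p in sorted(ports - approved))
        findings.extend((host, "missing", p) for p in sorted(approved - ports))
    return findings


def daily_check(grepable: str = SAMPLE_GREPABLE,
                baseline: Dict[str, Set[int]] = BASELINE) -> List[Finding]:
    """Full daily run: parse the scan and return findings (empty list means clean)."""
    return compare(parse_grepable(grepable), baseline)


if __name__ == "__main__":
    for host, kind, port in daily_check():
        print(f"{host:<14} {kind:<13} {port if port is not None else '-'}")
```

In production the `grepable` argument would be the saved output of the nightly `nmap -oG` run, and the baseline would live under change control next to the per-department ACLs, so that an approved firewall or service change updates the baseline in the same ticket. The "missing" kind is deliberate: an approved port that stops answering is as worth a look as a new one, since it can mean a service outage or a scanner that has been moved behind a filter, and scanning from the same vantage point every day keeps closed-versus-filtered noise out of the diff.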
WAN Domain
• Blacklist and whitelist for the DMZ. The blacklist details sites that are blocked and the whitelist details the sites that are approved
• ACL detailing what individual people are allowed to access based on job code
Remote Domain
• Organizational units in Active Directory providing access to only those who need to use it
• Virtual Private Network (VPN) client to ensure data security
• Password requirements will be implemented
Application Domain
• Updates to be applied by the Application team as they are approved and released
• Patches to be applied by the System Administrator as they are approved and released
• Physical security to the server room. Security code and badge
Physical Security
• Data Integrity is the single most important part of the network.
• All data will be under physical security (i.e., lock and key) with only specific personnel having access.
• Notices on the Network closets will have disclaimers about unauthorized access.
Active Directory
• All employees will have a unique username and password (90-day expiration on passwords)
• Passwords must be at least seven characters, include one uppercase letter and one number, and cannot match any of the previous seven passwords
• Employees will have access to only job specific tasks.
• Access to shared folders will need to be approved by the employee's manager.
• Provide generic accounts with tight Group Policy
Workstations
• All workstations will be part of a domain and will need to be added manually with administrative privileges.
• All downloads will be conducted by the Help Desk.
• All patches will be conducted by the Desktop System Administrator.
• All administrative rights to local machines will need permission from the CIO.
• Laptops will have full-disk encryption and will need someone to register the user for first-time use.
Servers
• All servers will be virtualized and have a RAID 5 setup for redundancy
• Data Center will be in a central location of the building in a fire rated room.
• Security cameras will be installed to monitor movement
Software
• All software will be tested in a controlled environment and approved before being put into the live environment.
• All software installations will be performed from a network share and not from the internet.
User Training
• All new employees will need to review the user agreement policy and sign before actually starting work.
• Mandatory annual IT security training (social networking, phishing emails, etc.)
• Proper user training could strengthen data integrity.
Identify Threats
• What is considered a threat?
1. External hacking threats
2. Personnel
3. Outdated policies
How often is this threat occurring
• How often the threat occurs determines the action to be taken.
• Determine how the security control was bypassed and what new process can stop the threat from recurring.
• Review the past year's information to determine the trend and which action can be taken next.
What to do with your assets
Cold site – Will be used to handle network disruptions that are unforeseen but planned for:
1. Network updates
2. Hardware failure
Warm Sites – For sections of the company that might go down.
Hot Sites- For events far beyond human control.
What are your assets
• Departmental heads from each department are considered important to business continuity
• Managers that help assist with the incident
• Core documents and materials to maintain business continuity
What is procurement?
• “Procurement” is the overarching function that describes the activities and processes to acquire goods and services.
• Procurement covers establishing fundamental requirements, sourcing activities such as market research and vendor evaluation, and negotiation of contracts.
• Procurement differs from purchasing. The term “Purchasing” refers to the process of ordering and receiving goods and services. It is a subset of the wider procurement process.
Procurement Process
• Involves 5 steps
1. Define Business Need – Capture business requirements. Obtain full stakeholder buy-in to any resulting plans and timelines.
2. Develop Procurement Strategy – Agree the procurement approach and timescale. Evaluate the current environment and decide on the procurement process.
3. Supplier Evaluation & Selection – Select the right suppliers and value proposition to be taken forward to final negotiation.
Procurement Process (Cont.)
4. Negotiation and Award of Contract – Complete negotiations and select the best supplier. Award the contract.
5. Induction & Integration – Ensure that the supplier is fully prepared to deliver all aspects of the contract. Ensure that all parties are familiar with the agreed P2P (procure-to-pay) policies and procedures. Initiate the relevant performance measures and reporting.
Compliancy
• Legislation and regulations are always changing. Keeping on top of new developments can be a challenge.
• Our project team:
– Conducts mock regulatory inspections.
– Performs compliance reviews.
– Runs risk mapping projects.
– Updates policies and procedures.
– Advises on the compliance issues surrounding new products and new businesses.
– Conducts training sessions on important compliance topics.
– Researches and reports on a variety of regulatory issues across many jurisdictions.
Compliancy (Cont.)
– Accelerates licensing and compliance.
– Results in significant savings for your organization.
– Enables your organization to focus on business-critical tasks.
– Smoothes out volatility in resource demands.
– Protects your organization from penalties/fines associated with compliance mistakes.
– We have an in-depth understanding of the security industry and thorough knowledge of the regulations that impact your business.
– Our services are aligned with state and local regulations to ensure complete compliance for your organization.
Importance of Compliancy
• What is compliancy?
– Compliance refers to the company obeying all of the laws and regulations that govern how it manages the business, its staff, and its treatment of consumers. The concept of compliance is to make sure that corporations act responsibly.
• Benefits
– Avoidance of criminal charges and penalties
– Building a positive reputation
– Higher productivity in the company
Compliance Policy
• All State of Florida agencies must be compliant with this security policy document
• Compliance with Legal Requirements (11.1)
– All State of Florida agencies must be compliant with any State or Federal regulatory requirements which supersede this policy document.
• Applicable Legislation (11.1.1)
– All State of Florida agencies must be compliant with any legislation enacted by the State of Florida in regards to the management of information resources on behalf of the State.
Compliance Policy (Cont.)
• Data Protection and Privacy (11.1.2)
– All State of Florida agency data custodians must ensure that all “Personal Information” data assets, as defined by applicable State and/or Federal law and regulations, are protected from unauthorized use, modification or disclosure.
• Data Breach and Disclosure (11.1.3)
– Any State of Florida agency that discovers a breach of the information security controls set forth in this document which results in disclosure of unencrypted “personal information” about persons to unauthorized third parties shall provide notice of the disclosure in accordance with TCA 47-18-2107(3)(A).
Equipment cost
• $357,794.52 – Includes
• Desktops by Lenovo
• ThinkPads
• Routers and switches
• Color laser printers
• Anti-virus
• Servers
Cost
• Project Manager $200,000
• Risk Management $150,000
• Database Security $200,000
• Network Administrator $120,000
• Procurement/Compliance $160,000
Total personnel: $730,000
$4,000,000 - $730,000 = $3,270,000
Closing
• It would be advantageous to the State Government and the Department of Finance and Administration to make sure that the information in its databases is safe and above other State Governments’ level of security. By applying the analysis of the NIST framework and of COBIT, all layers of security shall be thoroughly examined to ensure the client’s satisfaction with the services provided by Inception Securities.
Closing (cont.)
• Proven specialists in penetration testing, vulnerability assessments, risk management/mitigation analysis, network systems and software hardening, and compliance/regulation analysis
• We will ensure that the State Government and the Department of Finance and Administration do not suffer any unforeseen penalty due to noncompliance.