statewide security plan and standards forum (ppt)
TRANSCRIPT
1
Enterprise Security Plan and Standards Forum
Theresa A. Masse, State Chief Information Security Officer
John Ritchie, Senior Security Analyst
2
Agenda
Background
Statewide Information Security Plan
Statewide Information Security Standards
Agency Next Steps
Panel
Wrap Up
3
Background
The combination of the Statewide Plan, Standards, and Policies, in the framework of ISO 27001 and 27002, forms the Enterprise Security Architecture.

Enterprise Security Architecture (diagram, flattened):
Enterprise Security Plan
Enterprise Security Standards & Processes (ISO Domains 5.0 Asset Management, 7.0 Access Control, 9.0 Communications & Operations Management, 11.0 System Development and Maintenance)
Enterprise Security Policies
Agency Information Security Plans
ISO 27001: Information Security Management System
ISO 27002: Technical Standards

ESO Strategic Initiatives and the ISO domains they address:
Statewide Incident Response Program: 8.0 Incident Management
Information Security Consulting Services: 3.0 Compliance; 6.0 Physical & Environmental; 10.0 Business Continuity Plan
Identify & Evaluate Security Opportunities: 1.0 Security Organization; 2.0 Security Policy
Policy Development: 2.0 Security Policy
Vulnerability Assessment: 3.0 Compliance
Information Security Communication Plan: 1.0 Security Organization
User Awareness Program: 4.0 Human Resources
Information Security Risk Assessment: 5.0 Asset Management
4
Background
Based on ISO 27001/27002 Incorporating Best Practices from:
National Institute of Standards and Technology (NIST) recommended standards
SANS Institute recommended standards and best practices
Burton Group recommended methodologies and best practices
Vetted by agencies
5
Background
ISO 27001 Information Security Management System (ISMS)
Foundation: Security Risk Assessment
Aligns with the agency's strategic risk management policy and direction
6
Background
ISO 27002 Information Security Domains
Controls minimize identified risk
Risk Assessment identifies areas of security control focus
7
ISO 27002
27002 consists of 11 domains
Includes an outline for each domain and its corresponding controls
The 11 domains:
Security Policy
Security Organization
Compliance
Asset Management
Access Control
Human Resources
Physical and Environmental Security
System Development and Maintenance
Communications & Operations Management
Business Continuity Management
Incident Management
Groupings shown on the slide: Security Governance & Compliance; Security Infrastructure & Environment; Tactical Security Operations; Risk Assessment
8
Background
Policies and standards assist agencies in achieving compliance with state laws
ESO cannot establish plans, policies or standards that are less restrictive than state laws
Specifically: ORS 182.122 (Information Systems Security) and ORS 646A.600 (the Oregon Identity Theft Protection Act)
Agencies can implement more restrictive controls as required for compliance with other regulations (IRS, HIPAA, etc.)
9
Security Plan
Security Management Framework: ISO 27001
Agency Annual Risk Assessment
Agency Information Systems Security Risk Assessments
Agency Information Security Management System
10
Security Plan
Security Governance and Compliance: ISO 27002
Agency Security Policies & Governance Processes
Information Security Audits within Agency
11
Security Plan
Security Infrastructure and Environment: ISO 27002
Agency Employee Security Policies
Process for Access Control to Information Assets within Agency
Agency Information Security Awareness Training
Agency compliance with the Information Asset Classification Policy #107-004-050
Agency compliance with the Transporting Information Assets Policy #107-005-100
DAS Building Security Access Controls Policy #125-6-215
Evaluation of Agency facilities for security
12
Security Plan
Tactical Security Operations: ISO 27002
Agency compliance with the Enterprise Information Security Standards
Agency compliance with Employee Security policy #107-004-053
Agency compliance with the Information Security Incident Response policy #107-004-120
Agency BCP per policy #107-001-010
Agency BCP testing
Agency DR testing
Agency compliance with Sustainable Acquisition and Disposal of Electronic Equipment (E-waste/Recovery Policy)
13
Security Plan
Implementation of Plan
Implementation Metrics
Submit agency plan to ESO: due July 2009
14
Security Standards
Incorporating Best Practices from:
International Organization for Standardization (ISO) 27001 & 27002
National Institute of Standards and Technology (NIST) recommended standards
SANS Institute recommended standards and best practices
Burton Group recommended methodologies and best practices
15
Security Standards
Technical Controls: Four Domains From ISO 27002
Access Control
Information Asset Management
Communications & Operations Management
Information Systems Acquisition, Development and Management
16
Security Standards
Access Control
Authentication Standards
Authorization Standards
Audit of Access Control Standards
17
Security Standards
Information Asset Management
Protection of Information Assets Standards
Handling of Information Assets Standards
18
Security Standards
Communications & Operations Management
Antivirus and Anti-malware Standards
Workstation Management & Desktop Security Standards
Mobile Device Management Standards
Server Management Standards
Log Management Standards
Information Backup Standards
19
Security Standards
Communications & Operations Management
Security Zone and Network Security Management (Local Area Network & Wide Area Network) Standards
Intrusion Detection Standards
E-mail Standards
Remote Access Standards
Wireless Access Standards
20
Security Standards
Information Systems Acquisition, Development and Management
Business Case Standard
Encryption Standards
Patch Management Standards
Information System Development Lifecycle Standards
21
Security Standards
One Size Fits All?
Small Agencies: Most Standards Apply
Large Agencies: All Standards Apply
State Data Center: Most Standards Apply; Will Assist Agencies
22
Security Standards
Agencies Responsible for Data Classification Protection
Agencies and Third Party Providers
Contractors
State Data Center
23
Security Standards
Standards: Minimum Requirements, “Meet or Exceed”
Recommended Best Practices: Not Mandatory
24
Security Standards
Standards Are Specific, Are Interdependent, Must Be Implemented In Entirety, but…
Risk Assessment Drives Implementation
Compensating Controls
Exceptions
25
Agency Next Steps
Survey
Are you compliant?
If not, do you have a plan?
Do you have the resources to implement the plan?
Gap Analysis Workshop
26
Panel
Robert Hulshof-Schmidt - State Library, Program Manager, Government Research Services
David Wilson - Department of Corrections, Information Security Officer
Al Grapoli - Network, Security and Voice Services Manager, DAS, State Data Center
27
Information Security Plan and Guidelines – Development and Implementation
Robert Hulshof-Schmidt, Program Manager, Government Research Services, State Library
Oregon State Library
28
State Library Overview
44 employees, 20+ regular volunteers
4 Teams:
Administrative Services
Government Research Services
Library Development Services
Talking Book & Braille Services
29
OSL Information Assets
Mostly Levels 1 & 2
No Level 4
Level 3 almost exclusively in Administrative Services
Consolidated donor info
Patron info streamlined and protected by statute
30
OSL Info Environment
Most staff are professional information workers
Three full-time IT staff
Agency-wide values on research, openness, information exchange
Generally tech-savvy, gadget-owning staff
At start of security planning:
Lack of concern due to limited level 3 info
Unclear connection to everyday work
31
Information Security Plan
Used ESO template – covered most of our needs
Started good conversation on physical security, not just electronic
Dovetailed with IT initiative to create stronger domain environment
Valuable, but felt to most staff like a “Business Office/IT” activity only
32
Making the Connection
Management team conversation about information security
Everything connected to the enterprise carries risk
Even “local-only” connections put our business at risk
All staff have a role and a responsibility
Statewide policies provide a good framework
We need local guidelines
33
Creating Guidelines
Information Asset Use, Implementation, and Security Guidelines
Started with suite of seven statewide policies related to topic
Added reference to statewide policies related to staff behavior (telework, professional workplace, etc.)
Added reference to OSL policies and documents as relevant
34
Creating Guidelines
Created plain-language definitions of key terms
Did not repeat content of policies
Focused on areas that required agency-specific clarification or interpretation
Pulled common themes from various policies into cohesive sections
Allowed for streamlining
35
Creating Guidelines
1. Reference to relevant policies/authorization
2. Definitions
3. Appropriate usage times for state assets and systems
4. Use of personal information systems
5. Use of networks (state and personal)
6. Use of Internet resources
7. Use of electronic communication tools
8. Passwords
9. Monitoring behavior
10. Responding to incidents (tied to plan)
11. Decision-making, approvals, and access
36
Guidelines Rollout
Iterative development
Management review
Business office review
IT review
Key staff review
Agency-wide announcement
All staff training
Three sessions
One presenter
IT and HR at all three sessions
37
Next Steps
IT review of guidelines
Performance gaps
30-day action plan
Long-term action plan
SDC consultation
Prepare for standards review and implementation
Set priorities based on risk and resources
39
David Wilson, Information Security Officer
Department of Corrections
40
DOC Mission Statement
The mission of the Oregon Department of Corrections
is to promote public safety by holding offenders accountable for their actions and reducing the risk of future
criminal behavior.
41
Oregon Accountability Model
Criminal Risk Factor Assessment and Case Planning
Staff-Inmate Interactions
Work and Programs
Children and Families
Re-entry
Community Supervision and Programs
42
Quick Facts
14 Institutions
4 Administration Sites
2 County Parole & Probation Offices
43
Quick Facts
4,426 Employees
1,970 Active Volunteers
Offenders: Inmates 13,841; Parole and Probation 2,794; Local Control 890
Total Current Offenders 17,525
44
Quick Facts
Others Accessing ODOC Information
Contracted Service Providers
Community Partners
Courts and Legal Professionals
Other Governmental Agencies
The Public
45
ODOC Information Security History
Information Security Officer: collateral duty prior to October, 2009
Projects through Office of Project Management:
Information Security Administration
Department-wide Records Management
46
Project Methodology
Initiated in April, 2008
ODOC missed early compliance dates
Combined project resources
Chose to focus resources on:
ID of agency Information Assets (IA's)
Organizing IA's into a Special Retention Schedule
Use structure to identify “ownership”
47
Methodology Mistake
Information Owners
Not defined or identified at the beginning of the projects.
48
Informed Information Owners Needed
Realized need for:
Definition of Information Owner role and responsibilities
Decision makers to decide Classification
Identified need to:
Educate decision makers
Define Data Handling Standards
Define Classification expectations
49
“Snap Shot” Standards Needed
Methodology and standards: OVERWHELMING!
Found something simple: PERS Data Handling Standards
http://www.oregon.gov/DAS/EISPD/ESO/IAC.shtml
Simple Matrix = Enterprise Standards
Reflects PROCESS expectations
50
Curriculum Identified
Protecting IA's at the Right Level
Balancing the Risk with the Cost: Confidentiality, Integrity and Accessibility
Public Records Requests - Simple Division
Level 1 & 2: Releasable = Low Risk & Priority
Level 3 & 4: Not releasable = High Risk & Priority
Able to categorize by this division based on known mandates and project team input
Level 3 vs. Level 4: Mandates vs. Business Decision
Risk of Level 3: Mitigated by agency culture
Cost of Level 4: Resources and Accessibility
51
Information Owner Decision
Information Owners were asked to look at a draft list of their Level 3 and 4 IA's
They were then asked to identify:
Risk they were willing to accept
Cost, in resources and accessibility, they were willing to pay to mitigate that risk
“If you want to call it a Level 4, are you willing to pay the cost of protection?”
52
Did not understand it then. . . .
Gap Analysis of Enterprise Standards:
Process: How the agency works with the information
Technology: Technical capabilities, limitations and safeguards
53
Realized in retrospect. . . .
Educating Information Owners
Provided a business opportunity:
To review existing processes, identify limitations and determine current resources
That resulted in:
Gap Analysis of Process
54
Enterprise Standards Published
11/2009 - Enterprise Standards Published
ODOC Classification process had already narrowed the focus
Gap Analysis of Processes completed
All that was left: compare current Information Technology practices and resources against Enterprise Standards
55
Gap Analysis: Technology
FYI: Computer experts live and breathe Tech Specs!!!
Standards = Foreign Language
Computer experts:
Speak it fluently
Know their systems in detail
Can translate in terms of existing ability
56
Do we meet the standard?
“Yes” No further action required
“No, but our method is as good as or better than. . . ”
Document Variance
57
Do we meet the standard?
“No, and that might be a problem”
Red Flag or “Gap”
Plan Needed - Will getting there take:
Time (within existing resources)?
Money (to buy solutions)?
Staff (additional personnel)?
Plans will be assessed and prioritized based on:
Risk and Available Resources
58
Gap Analysis = Risk Mitigation
Risk Mitigation for ODOC
Gap Analysis provides data for risk-based prioritization of resources necessary for operations within current fiscal climate
Final plan will be taken to ODOC Leadership for approval
60
Oregon State Data Center
Security Architecture Standards
Information Security Plan and Standards Forum
December 10, 2009
61
Security Architecture Principles
Security Architecture must be:
Cost Effective and Business Driven
Supportable
Standards Based
62
Cost Effective and Business Driven
Flexible architecture provides for granularity of controls
Ability to accommodate agency business requirements
Consolidation of security controls to reduce administrative overhead
63
Supportable
Standard processes and procedures in support of security controls
Centralized management of security controls
Increased logging and monitoring
Integration permits greater security enforcement and intelligence
Standard equipment allows for easier implementation and for replacement in the event of a failure
64
Standards Based
Use standards-based technologies to provide security (e.g. AES, 802.1X, etc.)
Increases the likelihood that security technologies are interoperable
Ensures that implemented technologies have been subjected to the process review necessary to achieve the status of “standard”
65
Where we are…
Secure Server Builds
Site-to-site encryption
Network Access Control Firewalls
VLANs/MPLS
Anti-Virus, Patching standardized
Network Intrusion Detection
Email Firewalls
Log Aggregation
Standardization
66
Where we are going…
Network Admission Control
Host Intrusion Prevention
Consolidated Remote Access VPN
Firewall Consolidation
Increased Use of Log Aggregation
Configuration Management
67
Security Policies
State Security Policies http://oregon.gov/DAS/EISPD/ESO/Policies.shtml
Recent Implementation:
State Security Standards
State Security Plan
Privileged Access Policy
69
Thank You!
Security is an architecture, not an appliance
Network Magazine
70
Recap and Next Steps
Plan and Standards Published
Survey
Are you compliant?
If not, do you have a plan?
Do you have the resources to implement the plan?
Gap Analysis Workshop
71
Questions?
72
Thank You!
Theresa Masse, State Chief Information Security Officer
DAS EISPD / Enterprise Security Office
(503) [email protected]
http://oregon.gov/DAS/EISPD/ESO