1. The Core Security Services Taxonomy
Commonwealth of Pennsylvania
The Core Security Services Taxonomy
Erik Avakian, CISSP, CISA, CISM
Chief Information Security Officer
Commonwealth of Pennsylvania

2. Some background information before we dive in
But first….
Some background information before we dive in
Just how did we get here? 2

3. 2010 Deloitte/NASCIO Study
Deloitte-NASCIO Joint Cybersecurity Study kicked off in 2010
Consisted of a survey targeting U.S. state enterprise- level CISOs, with additional input from agency CISOs and security staff
High participation: 49 of the 50 states responding 3

4. 2010 Deloitte/NASCIO Study
Five Main Joint Study Areas of Focus:
IT Security Governance
Security Strategy
Budget (Investments and use of Security technologies)
Internal, External Threats
Security of Third Party Providers 4

5. Key Findings 5

6. 2010 Study - Key Findings IT Security Governance Security Strategy
Cyber Security Governance in the public space is lacking
Security Strategy
States had the strategic plans. However the survey data revealed significant challenges in the execution 6

7. 2010 Study - Key Findings Budget
State IT Security functions were significantly underfunded
Not only that - Security budgets were in a dangerous downward trend, aggravated by economic conditions and competing state priorities 7

8. 2010 Study - Key Findings Third-Party Providers
States must enforce better third-party security
Internal and External Threats
States store enormous amounts of citizens PII
These “pots of gold” must be protected while potential threats to that data increase 8

9. 2010 Study - Key Findings Internal and External Threats on the Rise
States needed to do more to secure citizen data and maintain public trust
State and local governments needed to implement tougher security safeguards, thwart these threats, and be ready to respond when an attack occurs 9

10. 2010 Study - Key Findings Overall Theme
States lacked the appropriate funding for security programs and strategies (and asking for new funding just wasn’t working)
Significant diversity in security postures existed between the states
Service Offerings were lacking to combat threats 10

11. Lets examine some of the real world cyber related events that have transpired since the 2010 survey11

12. In 2011 alone… Emerging Threat Landscape
25 million new strains of malware (including new threats and variants)
Number of malicious websites more than doubled from the previous year
More than 11 million records nationwide were involved in data breaches – and numbers continued to grow 12

13. Emerging Threat Landscape

14. Emerging Threat Landscape14

15. Emerging Threat Landscape15

16. Emerging Threat Landscape16

17. Emerging Threat Landscape17

18. Emerging Threat Landscape18

19. Emerging Threat Landscape19

20. Hactivism - Defacement20

21. Hactivism - Defacement21

22. Hactivism – Data Theft/DDOS25 22

23. Malware and Botnets 23

24. Phishing: How Severe is the Threat?
Social Engineering Attacks
THREAT
Phishing: How Severe is the Threat?
73 million U.S. adults received more than 50 phishing s a year in 2011 alone – trend increasing!
Financial losses by the end of 2012 expected to reach upwards of 5 billion. 24 24

25. Advanced Persistent Threats25

26. Fast Forward to Present Day26

27. Present Day Attacks 27

28. Present Day Attacks 28

29. What The Bad Guys (Still) Want
Present Day Attacks
What The Bad Guys (Still) Want
Organizational, proprietary, financial, and sensitive private information for identity theft or to sell it for big $$$$.
Competitive advantage from disruption of operations (DDOS)
National pride or political message 29

30. Asymmetric Cyber Battle
Challenges states and other orgs face
Attack
Low barrier of entry
Low cost
From anywhere
High probability of success
Low probability of getting caught
Defend
Huge effort
High cost
Identified targets
High probability of being compromised
Little or no recourse 30

31. 2010 Study Findings Action Items
The 2010 Joint Study results led to several key action items for states to help identify and mitigate present day and future cyber security risk
Among those were key items prompting development of the Core Security Services Taxonomy 31

32. 2010 Study Findings
…”Though there is no mandated state compliance platform to drive consistent security programs, adopting an understood, comprehensive, and repeatable framework state-wide will enable improved alignment between state agencies and business, technology, and security leaders.”* 32

33. A Call to Action 33

34. A Call to Action Joint Study Follow up:
Feb ’11: NASCIO asks state CIOs to respond to the growing threats, fiscal constraints, and security requirements for protecting critical state data and operational capacity.
November ’11: the NASCIO Security & Privacy Committee completes core security services taxonomy to enhance the State CIOs and CISOs ability to assess risks and better understand resource requirements 34

35. Core Security Services Taxonomy
Overview:
Core Security Services Taxonomy 35

36. Core Security Services
What are the core security services?
A common vocabulary for describing security services that must be provided to meet the requirements of security standards frameworks defined by various standards bodies
A common set of security services that ALL state’s should have, provide, or acquire to ensure appropriate levels of protection for state data assets and operational capabilities 36

37. Core Security Services
Divides security services into two main categories:
Governance, Risk, Compliance Services (GRC)
Operational Security Services
Under the 2 primary categories are 12 sub-categories 37

38. Core Service Categories38 38

39. Core Service Categories39

40. Core Security Services
Identifying Criterea
List is inclusive, so that every IT security-related function performed by a state IT security program is included or nests under one of the sub-category headings
Items representative of all functions that need to be performed by an IT organization to ensure adequate information security and risk assessment is in place 40

41. Core Security Services41

42. Core Security Services
Identifying Criterea
Services focus on what needs to be done – not on who needs to do it
Services could be outsourced, could be internal or a hybrid of the two
Not all functions have to report to the CISO. (This helps ensure separation of duties between compliance and operations) 42

43. Core Security Services43

44. Common Questions
How can I convince management this year that we really need funding for this new security tool?
Why doesn’t management understand cyber security funding? 44 44

45. Common Questions
Is my state’s security spend in line with industry best practices?
How do my investments compare with other states?
Is the right mix of services in my security portfolio? 45 45

46. Taxonomy Goals Key Services Key Outcomes Tools
Help CIOs and other government leaders understand what needs to be done by identifying
Key Services
Key Outcomes
Tools
Provide a common framework for financial comparisons down the road 46 46

47. Promoting Understandability
Taxonomy Goals
Promoting Understandability
Target audience: CIOs and other executives
Consistent format to describe each security service
Use simple terms without jargon 47

48. Methodology Lets take a Closer Look
We’ll examine a key service, the key outcomes, and tools used
We’ll focus on one example service category – but can be applied to any 48

49. Service Categories - Example49

50. Secure System Engineering
Service Categories - Example
Secure System Engineering
Service Description: Designing appropriate security controls in new systems or systems that are undergoing substantial redesign, including both in-house and outsourced solutions 50

51. Secure System Engineering
Key Outcomes from Activities
Secure System Engineering
Integrate security design requirements in the SDLC
Participate as a security consultant on significant technology projects
Assist with the creation of system security plans, outlining key controls to address risks
Assist with creation of residual risk documentation for management acceptance 51

52. Secure System Engineering
Key Outcomes from Activities
Secure System Engineering
Integrate security requirements into contracts for outsourced services
Assist with the creation of information security policies, standards, procedures, and guidelines
Assist with the creation of secure configuration standards for hardware, software, and network devices 52

53. Secure System Engineering
Tools to Implement
Secure System Engineering
Standardized system security planning templates
Governance, risk, and compliance software
Various operational and application security tools
Best practice frameworks for the management of IT, such as ITIL 53 53

54. PA’s Taxonomy Implementation
Commonwealth Of Pennsylvania
- Cyber Security Taxonomy Implementation - 54 54

55. Initial Maturity Assessment:
The 2012 Deloitte/NASCIO Cybersecurity Study 55

56. 2012 Deloitte/NASCIO Cyber Study56 56

57. 2012 Deloitte/NASCIO Cyber Study
Methodology in accordance with ISACA COBIT 4.1 57 57

58. 2012 Deloitte/NASCIO Cyber Study58 58

59. 2012 Deloitte/NASCIO Cyber Study59 59

60. 2012 Deloitte/NASCIO Cyber Study60 60

61. 2012 Deloitte/NASCIO Cyber Study61 61

62. 2012 Deloitte/NASCIO Cyber Study62 62

63. Benefits
Agreeing upon, using & describing a set of essential core services creates significant opportunities and benefits for state IT leaders 63

64. Benefits
Identifies the services that are ideally performed centrally versus those which are distributed
Creates a common vocabulary in decentralized environments across lines of agency authority and allow better assessment of the total costs being expended to fulfill the service requirement
Creates a real method for CISOs to assess their programs against those of other states 64 64

65. Benefits
Can be used as states move to use of cloud computing services to ensure that security requirements are well articulated and understood
Assists state leaders in making informed decisions related to cyber security threats, risks, programs, and strategies
Finally – It provides a way to demonstrate real funding needs based on maturity levels 65 65

66. Benefits Uses of the Taxonomy
From an auditing standpoint, if states are making strides in maturing the taxonomy service areas, this closes compliance gaps, reduces real risk, and identified residual real risk
Much easier for the organization to demonstrate compliance by ensuring these service areas are covered properly 66 66

67. Mid-Year Wrap Up Q & A from the NASCIO Midyear
1) Are there any specific areas in the taxonomy that you feel that the states are in most need of help? If so what are they?
2) Are there certain service area items within the taxonomy that absolutely must report to the CISO? 67 67

68. Mid-Year Wrap Up Q & A from the NASCIO Midyear
3) Where does Application Security fit into the model? 
4) Resources are limited. States are being asked to do more with less. What if the a state organization simply doesn't have enough human resources to allocate to all the parts of the taxonomy? 68 68

69. What’s Next? Next Steps:
Results from the 2012 Deloitte/NASCIO Cyber Security review to be released during the 2012 NASCIO Annual conference in mid October
Results will be an important step to identifying initial maturity baselines for states - where they are and in what areas they need to improve to stay ahead of the cyber threat landscape 69 69

70. Resources and References
The 2010 Deloitte-NASCIO Cyber Security Study*
The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs* E

71. Thank You! Questions? Erik Avakian, CISSP, CISA, CISM Chief Information Security Officer Commonwealth of Pennsylvania