Erik Avakian, CISSP, CISA, CISM, Chief Information Security Officer, Commonwealth of Pennsylvania: The Core Security Services Taxonomy

Presentation transcript:

1 The Core Security Services Taxonomy. Erik Avakian, CISSP, CISA, CISM, Chief Information Security Officer, Commonwealth of Pennsylvania.

2 But first... Some background information before we dive in. Just how did we get here?

3 2010 Deloitte/NASCIO Study. The Deloitte-NASCIO Joint Cybersecurity Study kicked off in 2010. It consisted of a survey targeting U.S. state enterprise-level CISOs, with additional input from agency CISOs and security staff. High participation: 49 of the 50 states responded.

4 2010 Deloitte/NASCIO Study. Five main joint study areas of focus: IT security governance; security strategy; budget (investments and use of security technologies); internal and external threats; security of third-party providers.

5 Key Findings

6 2010 Study - Key Findings. IT Security Governance: cyber security governance in the public space is lacking. Security Strategy: states had the strategic plans; however, the survey data revealed significant challenges in execution.

7 2010 Study - Key Findings. Budget: state IT security functions were significantly underfunded. Not only that, security budgets were in a dangerous downward trend, aggravated by economic conditions and competing state priorities.

8 2010 Study - Key Findings. Third-Party Providers: states must enforce better third-party security. Internal and External Threats: states store enormous amounts of citizens' PII. These pots of gold must be protected while potential threats to that data increase.

9 2010 Study - Key Findings. Internal and External Threats on the Rise: states needed to do more to secure citizen data and maintain public trust. State and local governments needed to implement tougher security safeguards, thwart these threats, and be ready to respond when an attack occurs.

10 2010 Study - Key Findings. Overall Theme: states lacked the appropriate funding for security programs and strategies (and asking for new funding just wasn't working). Significant diversity in security postures existed between the states. Service offerings were lacking to combat threats.

11 Let's examine some of the real-world cyber-related events that have transpired since the 2010 survey.

12 Emerging Threat Landscape. In 2011 alone: 25 million new strains of malware (including new threats and variants); the number of malicious websites more than doubled from the previous year; more than 11 million records nationwide were involved in data breaches, and the numbers continued to grow.

13-19 Emerging Threat Landscape (image-only slides)

20-21 Hacktivism - Defacement (image-only slides)

22 Hacktivism - Data Theft/DDoS (image-only slide)

23 Malware and Botnets (image-only slide)

24 Social Engineering Attacks. Phishing: how severe is the threat? 73 million U.S. adults received more than 50 phishing e-mails a year in 2011 alone, and the trend is increasing. Financial losses by the end of 2012 were expected to reach upwards of 5 billion.

25 Advanced Persistent Threats (image-only slide)

26 Fast Forward to Present Day

27-28 Present Day Attacks (image-only slides)

29 Present Day Attacks. What the bad guys (still) want: organizational, proprietary, financial, and sensitive private information, for identity theft or to sell for big $$$$; competitive advantage from disruption of operations (DDoS); national pride or a political message.

30 Challenges states and other organizations face: the asymmetric cyber battle. Attack: low barrier to entry; low cost; from anywhere; high probability of success; low probability of getting caught. Defend: huge effort; high cost; identified targets; high probability of being compromised; little or no recourse.

31 2010 Study Findings: Action Items. The 2010 Joint Study results led to several key action items for states to help identify and mitigate present-day and future cyber security risk. Among those were key items prompting development of the Core Security Services Taxonomy.

32 2010 Study Findings. "...Though there is no mandated state compliance platform to drive consistent security programs, adopting an understood, comprehensive, and repeatable framework state-wide will enable improved alignment between state agencies and business, technology, and security leaders."*

33 A Call to Action

34 A Call to Action. Joint Study follow-up: February 2011: NASCIO asks state CIOs to respond to the growing threats, fiscal constraints, and security requirements for protecting critical state data and operational capacity. November 2011: the NASCIO Security & Privacy Committee completes the core security services taxonomy to enhance state CIOs' and CISOs' ability to assess risks and better understand resource requirements.

35 Overview: Core Security Services Taxonomy

36 Core Security Services. What are the core security services? A common vocabulary for describing the security services that must be provided to meet the requirements of security standards frameworks defined by various standards bodies. A common set of security services that ALL states should have, provide, or acquire to ensure appropriate levels of protection for state data assets and operational capabilities.

37 Core Security Services. Divides security services into two main categories: 1. Governance, Risk, and Compliance (GRC) Services; 2. Operational Security Services. Under the two primary categories are 12 sub-categories.

38-39 Core Service Categories (image-only slides)

40 Core Security Services. Identifying criteria: the list is inclusive, so that every IT security-related function performed by a state IT security program is included or nests under one of the sub-category headings. The items are representative of all functions that need to be performed by an IT organization to ensure adequate information security and risk assessment is in place.

41 Core Security Services (image-only slide)

42 Core Security Services. Identifying criteria: services focus on what needs to be done, not on who needs to do it. Services could be outsourced, internal, or a hybrid of the two. Not all functions have to report to the CISO (this helps ensure separation of duties between compliance and operations).

43 Core Security Services (image-only slide)

44 Common Questions. How can I convince management this year that we really need funding for this new security tool? Why doesn't management understand cyber security funding?

45 Common Questions. Is my state's security spend in line with industry best practices? How do my investments compare with other states? Is the right mix of services in my security portfolio?

46 Taxonomy Goals. Help CIOs and other government leaders understand what needs to be done by identifying key services, key outcomes, and tools. Provide a common framework for financial comparisons down the road.

47 Taxonomy Goals: Promoting Understandability. Target audience: CIOs and other executives. Consistent format to describe each security service. Use simple terms without jargon.

48 Methodology: Let's take a closer look. We'll examine a key service, the key outcomes, and the tools used. We'll focus on one example service category, but the approach can be applied to any.

49 Service Categories - Example (image-only slide)

50 Service Categories - Example: Secure System Engineering. Service description: designing appropriate security controls into new systems, or systems that are undergoing substantial redesign, including both in-house and outsourced solutions.

51 Secure System Engineering - Key Outcomes from Activities: integrate security design requirements into the SDLC; participate as a security consultant on significant technology projects; assist with the creation of system security plans outlining key controls to address risks; assist with the creation of residual-risk documentation for management acceptance.

52 Secure System Engineering - Key Outcomes from Activities: integrate security requirements into contracts for outsourced services; assist with the creation of information security policies, standards, procedures, and guidelines; assist with the creation of secure configuration standards for hardware, software, and network devices.

53 Secure System Engineering - Tools to Implement: standardized system security planning templates; governance, risk, and compliance software; various operational and application security tools; best-practice frameworks for the management of IT, such as ITIL.

54 PA's Taxonomy Implementation: Commonwealth of Pennsylvania - Cyber Security Taxonomy Implementation

55 Initial Maturity Assessment: The 2012 Deloitte/NASCIO Cybersecurity Study

56 2012 Deloitte/NASCIO Cyber Study (image-only slide)

57 2012 Deloitte/NASCIO Cyber Study: methodology in accordance with ISACA COBIT

58-62 2012 Deloitte/NASCIO Cyber Study (image-only slides)

63 Benefits. Agreeing upon, using, and describing a set of essential core services creates significant opportunities and benefits for state IT leaders.

64 Benefits. Identifies the services that are ideally performed centrally versus those that are distributed. Creates a common vocabulary in decentralized environments across lines of agency authority, and allows better assessment of the total costs being expended to fulfill the service requirement. Creates a real method for CISOs to assess their programs against those of other states.

65 Benefits. Can be used as states move to cloud computing services, to ensure that security requirements are well articulated and understood. Assists state leaders in making informed decisions related to cyber security threats, risks, programs, and strategies. Finally, it provides a way to demonstrate real funding needs based on maturity levels.

66 Benefits: Uses of the Taxonomy. From an auditing standpoint, if states are making strides in maturing the taxonomy service areas, this closes compliance gaps, reduces real risk, and identifies the residual real risk. It is much easier for the organization to demonstrate compliance by ensuring these service areas are covered properly.

67 Mid-Year Wrap Up: Q&A from the NASCIO Midyear. 1) Are there any specific areas in the taxonomy where you feel the states are most in need of help? If so, what are they? 2) Are there certain service area items within the taxonomy that absolutely must report to the CISO?

68 Mid-Year Wrap Up: Q&A from the NASCIO Midyear. 3) Where does application security fit into the model? 4) Resources are limited. States are being asked to do more with less. What if a state organization simply doesn't have enough human resources to allocate to all parts of the taxonomy?

69 What's Next? Next steps: results from the 2012 Deloitte/NASCIO Cyber Security review are to be released during the 2012 NASCIO Annual Conference in mid-October. The results will be an important step toward identifying initial maturity baselines for states: where they are, and in what areas they need to improve to stay ahead of the cyber threat landscape.

70 Resources and References. * The 2010 Deloitte-NASCIO Cyber Security Study: NASCIOCybersecurityStudy2010.PDF. * The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs: uritySevices.pdf

71 Thank You! Questions? Erik Avakian, CISSP, CISA, CISM, Chief Information Security Officer, Commonwealth of Pennsylvania.
