The Core Security Services Taxonomy

Presentation on theme: "The Core Security Services Taxonomy"— Presentation transcript:

1 The Core Security Services Taxonomy
Erik Avakian, CISSP, CISA, CISM, Chief Information Security Officer, Commonwealth of Pennsylvania

2 Some background information before we dive in
But first, some background information before we dive in. Just how did we get here?

3 2010 Deloitte/NASCIO Study
The Deloitte-NASCIO Joint Cybersecurity Study kicked off in 2010. It consisted of a survey targeting U.S. state enterprise-level CISOs, with additional input from agency CISOs and security staff. Participation was high: 49 of the 50 states responded.

4 2010 Deloitte/NASCIO Study
Five main joint study areas of focus:
- IT Security Governance
- Security Strategy
- Budget (investments and use of security technologies)
- Internal and External Threats
- Security of Third-Party Providers

5 Key Findings

6 2010 Study - Key Findings: IT Security Governance, Security Strategy
IT Security Governance: cyber security governance in the public space is lacking.
Security Strategy: states had the strategic plans; however, the survey data revealed significant challenges in their execution.

7 2010 Study - Key Findings: Budget
State IT security functions were significantly underfunded. Not only that, security budgets were in a dangerous downward trend, aggravated by economic conditions and competing state priorities.

8 2010 Study - Key Findings: Third-Party Providers, Internal and External Threats
Third-Party Providers: states must enforce better third-party security.
Internal and External Threats: states store enormous amounts of citizens’ PII. These “pots of gold” must be protected while potential threats to that data increase.

9 2010 Study - Key Findings: Internal and External Threats on the Rise
States needed to do more to secure citizen data and maintain public trust. State and local governments needed to implement tougher security safeguards, thwart these threats, and be ready to respond when an attack occurs.

10 2010 Study - Key Findings: Overall Theme
- States lacked the appropriate funding for security programs and strategies (and asking for new funding just wasn’t working)
- Significant diversity in security postures existed between the states
- Service offerings were lacking to combat threats

11 Let’s examine some of the real-world cyber-related events that have transpired since the 2010 survey

12 Emerging Threat Landscape: In 2011 alone…
- 25 million new strains of malware (including new threats and variants)
- The number of malicious websites more than doubled from the previous year
- More than 11 million records nationwide were involved in data breaches, and the numbers continued to grow

13-19 Emerging Threat Landscape (image-only slides)

20-21 Hacktivism - Defacement (image-only slides)

22 Hacktivism – Data Theft/DDOS (image-only slide)

23 Malware and Botnets

24 Social Engineering Attacks - Phishing: How Severe is the Threat?
73 million U.S. adults received more than 50 phishing e-mails a year in 2011 alone, and the trend is increasing! Financial losses by the end of 2012 were expected to reach upwards of 5 billion.

25 Advanced Persistent Threats

26 Fast Forward to Present Day

27-28 Present Day Attacks (image-only slides)

29 Present Day Attacks: What The Bad Guys (Still) Want
- Organizational, proprietary, financial, and sensitive private information, for identity theft or to sell it for big $$$$
- Competitive advantage from disruption of operations (DDOS)
- National pride or political message

30 Asymmetric Cyber Battle
Challenges states and other orgs face:
Attack:
- Low barrier of entry
- Low cost
- From anywhere
- High probability of success
- Low probability of getting caught
Defend:
- Huge effort
- High cost
- Identified targets
- High probability of being compromised
- Little or no recourse

31 2010 Study Findings: Action Items
The 2010 Joint Study results led to several key action items for states to help identify and mitigate present-day and future cyber security risk. Among those were key items prompting development of the Core Security Services Taxonomy.

32 2010 Study Findings: …“Though there is no mandated state compliance platform to drive consistent security programs, adopting an understood, comprehensive, and repeatable framework state-wide will enable improved alignment between state agencies and business, technology, and security leaders.”*

33 A Call to Action

34 A Call to Action: Joint Study Follow-up
Feb ’11: NASCIO asks state CIOs to respond to the growing threats, fiscal constraints, and security requirements for protecting critical state data and operational capacity.
November ’11: the NASCIO Security & Privacy Committee completes the core security services taxonomy to enhance state CIOs’ and CISOs’ ability to assess risks and better understand resource requirements.

35 Core Security Services Taxonomy
Overview: Core Security Services Taxonomy

36 Core Security Services
What are the core security services?
- A common vocabulary for describing security services that must be provided to meet the requirements of security standards frameworks defined by various standards bodies
- A common set of security services that ALL states should have, provide, or acquire to ensure appropriate levels of protection for state data assets and operational capabilities

37 Core Security Services
Divides security services into two main categories:
- Governance, Risk, and Compliance Services (GRC)
- Operational Security Services
Under the 2 primary categories are 12 sub-categories.

38-39 Core Service Categories (image-only slides)

40 Core Security Services: Identifying Criteria
- The list is inclusive, so that every IT security-related function performed by a state IT security program is included or nests under one of the sub-category headings
- Items are representative of all functions that need to be performed by an IT organization to ensure adequate information security and risk assessment is in place

41 Core Security Services (image-only slide)

42 Core Security Services: Identifying Criteria
- Services focus on what needs to be done, not on who needs to do it
- Services could be outsourced, internal, or a hybrid of the two
- Not all functions have to report to the CISO (this helps ensure separation of duties between compliance and operations)

43 Core Security Services (image-only slide)

44 Common Questions
- How can I convince management this year that we really need funding for this new security tool?
- Why doesn’t management understand cyber security funding?

45 Common Questions
- Is my state’s security spend in line with industry best practices?
- How do my investments compare with other states?
- Is the right mix of services in my security portfolio?

46 Taxonomy Goals
Help CIOs and other government leaders understand what needs to be done by identifying:
- Key Services
- Key Outcomes
- Tools
Provide a common framework for financial comparisons down the road.

47 Taxonomy Goals: Promoting Understandability
- Target audience: CIOs and other executives
- Consistent format to describe each security service
- Use simple terms without jargon

48 Methodology: Let’s take a closer look
We’ll examine a key service, the key outcomes, and the tools used. We’ll focus on one example service category, but the approach can be applied to any.

49 Service Categories - Example (image-only slide)

50 Service Categories - Example: Secure System Engineering
Service Description: designing appropriate security controls into new systems or systems that are undergoing substantial redesign, including both in-house and outsourced solutions.

51 Secure System Engineering: Key Outcomes from Activities
- Integrate security design requirements in the SDLC
- Participate as a security consultant on significant technology projects
- Assist with the creation of system security plans, outlining key controls to address risks
- Assist with the creation of residual risk documentation for management acceptance

52 Secure System Engineering: Key Outcomes from Activities (continued)
- Integrate security requirements into contracts for outsourced services
- Assist with the creation of information security policies, standards, procedures, and guidelines
- Assist with the creation of secure configuration standards for hardware, software, and network devices

53 Secure System Engineering: Tools to Implement
- Standardized system security planning templates
- Governance, risk, and compliance software
- Various operational and application security tools
- Best practice frameworks for the management of IT, such as ITIL

54 PA’s Taxonomy Implementation
Commonwealth of Pennsylvania - Cyber Security Taxonomy Implementation

55 Initial Maturity Assessment: The 2012 Deloitte/NASCIO Cybersecurity Study

56 2012 Deloitte/NASCIO Cyber Study (image-only slide)

57 2012 Deloitte/NASCIO Cyber Study
Methodology in accordance with ISACA COBIT 4.1

58-62 2012 Deloitte/NASCIO Cyber Study (image-only slides)

63 Benefits
Agreeing upon, using, and describing a set of essential core services creates significant opportunities and benefits for state IT leaders.

64 Benefits
- Identifies the services that are ideally performed centrally versus those which are distributed
- Creates a common vocabulary in decentralized environments across lines of agency authority and allows better assessment of the total costs being expended to fulfill the service requirement
- Creates a real method for CISOs to assess their programs against those of other states

65 Benefits
- Can be used as states move to the use of cloud computing services to ensure that security requirements are well articulated and understood
- Assists state leaders in making informed decisions related to cyber security threats, risks, programs, and strategies
- Finally, it provides a way to demonstrate real funding needs based on maturity levels

66 Benefits: Uses of the Taxonomy
- From an auditing standpoint, if states are making strides in maturing the taxonomy service areas, this closes compliance gaps, reduces real risk, and identifies residual real risk
- It is much easier for the organization to demonstrate compliance by ensuring these service areas are covered properly

67 Mid-Year Wrap Up: Q & A from the NASCIO Midyear
1) Are there any specific areas in the taxonomy in which you feel the states are most in need of help? If so, what are they?
2) Are there certain service area items within the taxonomy that absolutely must report to the CISO?

68 Mid-Year Wrap Up: Q & A from the NASCIO Midyear
3) Where does Application Security fit into the model?
4) Resources are limited. States are being asked to do more with less. What if a state organization simply doesn’t have enough human resources to allocate to all the parts of the taxonomy?

69 What’s Next? Next Steps:
Results from the 2012 Deloitte/NASCIO Cyber Security review are to be released during the 2012 NASCIO Annual Conference in mid October. The results will be an important step in identifying initial maturity baselines for states: where they are and in what areas they need to improve to stay ahead of the cyber threat landscape.

70 Resources and References
- The 2010 Deloitte-NASCIO Cyber Security Study*
- The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs*

71 Thank You! Questions?
Erik Avakian, CISSP, CISA, CISM, Chief Information Security Officer, Commonwealth of Pennsylvania
