Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybersecurity in Ohio David A. Brown Chief Information Security Officer State of Ohio.

Similar presentations


Presentation on theme: "Cybersecurity in Ohio David A. Brown Chief Information Security Officer State of Ohio."— Presentation transcript:

1 Cybersecurity in Ohio David A. Brown Chief Information Security Officer State of Ohio

2 Denial of Service Spear Phishing SQL Injection Web Defacements Malware (Keyloggers, Trojans,etc.) Theft of Devices Hacktivist Activity Threats Against Government

3 Examples of the Threat February 2012 – Missouri’s Official Web Site Defacement April 2012 – Utah Department of Health –Medicaid System Hack October South Carolina Department of Revenue Data Breach October 2012 – City of Burlington, Washington System Attack December 2012 – South Carolina Department of Employment & Workforce Web Defacement January 2013 – Florida Dept. of Juvenile Justice Device Theft

4 State of Ohio Security Program  Approximately 100 agencies, boards, and commissions under program  Decentralized environment  Chief Information Security Officer responsibilities under ORC :  Coordinate the implementation of security policies and procedures in state agencies  Assist each agency with the development of a security strategic plan

5 State of Ohio Security Program  April 2011 – State sets IT Standard ITS-SEC-02  Establishes NIST as state security framework  Creates enterprise security controls that align with Consensus Audit Guidelines (SANS Top 20 Critical Controls)  Agencies to be compliant with CAG by October 2012  Fall 2012 – Agencies required to submit strategic security plan to Office of Information Security & Privacy  Leveraged CAG self-assessment in US Homeland Security CSET tool

6 State of Ohio Security Program SANS Top 20 Critical Controls (Consensus Audit Guidelines) Hardware Inventory Software Inventory Secure Configuration of Systems Secure Configuration of Network Devices Boundary Defense Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access/Need to Know Vulnerability Management Account Monitoring & Control Malware Defense Limiting Ports, Protocols, Services Wireless Device Control Data Loss Prevention Secure Network Engineering Penetration Testing Incident Response Capability Data Recovery Capability Security Training

7 State of Ohio Security Program Ohio is one of a few states who have adopted the SANS Top 20 Critical Controls The Consortium for Cybersecurity Action was established in 2012 Ensures that updated versions of the controls reflected the most relevant threat information Shares lessons learned from organizations that have implemented them. Ohio participates in this consortium. CISOs for Ohio and Colorado co-chair a state/local government workgroup for the Consortium. US State Department saw a 94% reduction in measured security risk by implementing these controls

8 State of Ohio Security Program Security Services Provided by OISP Today: Risk Assessments Security Assessments Security Architecture Security Consulting IT Security Policies/Standards Incident Response Vulnerability Assessments Penetration Testing (limited) Enterprise SIEM Security Awareness & Training Cyber Intelligence and Threat Management

9 State of Ohio Security Program Industrial Control Systems Assessments Began these assessments in February 2012 Partnered with US Homeland Security to conduct two pilot assessments Each assessment was completed within one day No cost to the State of Ohio

10 State of Ohio Security Program Securing the Human Began offering this training in 2011 Online training produced by SANS Institute 36 different modules of training Updated twice a year based on current threats Approximately 50,000 state employees will be trained this year Excellent reviews by our users

11 State of Ohio Security Program Enterprise SIEM Began offering this service in 2012 Collect security logs from systems 5 agencies participating today Extending to all cabinet agencies Over 100 Million event logs analyzed per day Both agencies and OISP monitor system

12 Challenges Facing Government 1.Funding for security 2.Cybersecurity authority and governance 3.Attractive targets for cybercriminals and hacktivists 4.Lack of skilled staff 5.Sophistication of attacks

13 What Can You Do? 1.Assess and communicate security risks 2.Consider shared security services 3.Encourage user education in security awareness 4.Explore alternative funding for cybersecurity 5.Use the no-cost assessments provided by DHS 6.Encourage IT personnel to use the DHS CSET Tool to do assessments and develop plan of action. 7.Become a member of the MS-ISAC 8.Leverage free cybersecurity training provided by various sources 9.Develop an incident response plan 10.Develop a disaster recovery plan

14 Cybersecurity Council  The Cybersecurity, Education, and Economic Development Council was created under ORC in  Consists of 12 members appointed by Governor, Speaker of the House, and President of the Senate.  Council is to conduct a study and make recommendations regarding:  Improving the infrastructure of the state’s cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education.  Specific actions that would accelerate growth of the cybersecurity industry in the state.

15 Questions?

16 Contact Information David A. Brown State Chief Information Security Officer Ohio Department of Administrative Services 30 E. Broad Street FL 40 Columbus, OH Office: (614)


Download ppt "Cybersecurity in Ohio David A. Brown Chief Information Security Officer State of Ohio."

Similar presentations


Ads by Google