
Enterprise Security Plan and Standards Forum. Theresa A. Masse, State Chief Information Security Officer; John Ritchie, Senior Security Analyst.

Presentation transcript:

Slide 1: Enterprise Security Plan and Standards Forum
Theresa A. Masse, State Chief Information Security Officer
John Ritchie, Senior Security Analyst

Slide 2: Agenda
- Background
- Statewide Information Security Plan
- Statewide Information Security Standards
- Agency Next Steps
- Panel
- Wrap Up

Slide 3: Background
The combination of the Statewide Plan, Standards, and Policies in the framework of ISO 27001 & 27002 forms the Enterprise Security Architecture.

Slide 4: Background
- Based on ISO 27001/27002
- Incorporating Best Practices from:
  - National Institute of Standards and Technology (NIST) recommended standards
  - SANS Institute recommended standards and best practices
  - Burton Group recommended methodologies and best practices
- Vetted by agencies

Slide 5: Background
- ISO 27001: Information Security Management System (ISMS)
- Foundation: Security Risk Assessment
- Aligns with Agency's Strategic Risk Management Policy and Direction

Slide 6: Background
- ISO 27002: Information Security Domains
- Controls minimize identified risk
- Risk Assessment identifies areas of Security Control focus

Slide 7: ISO 27002
- 27002 consists of 11 domains
- Includes an outline for each Domain and corresponding Controls
- Domains: Security Policy; Security Organization; Compliance; Asset Management; Access Control; Human Resources; Physical and Environmental Security; System Development and Maintenance; Communications & Operations Management; Business Continuity Management; Incident Management
- Figure labels: Security Governance & Compliance; Security Infrastructure & Environment; Tactical Security Operations; Risk Assessment

Slide 8: Background
- Policies and standards assist agencies in achieving compliance with state laws
- ESO cannot establish plans, policies or standards that are less restrictive than state laws
- Specifically: ORS 182.122 Information Systems Security & ORS 646A.600, the Oregon Identity Theft Protection Act
- Agencies can implement more restrictive controls as required for compliance with other regulations (IRS, HIPAA, etc.)

Slide 9: Security Plan – Security Management Framework (ISO 27001)
- Agency Annual Risk Assessment
- Agency Information Systems Security Risk Assessments
- Agency Information Security Management System

Slide 10: Security Plan – Security Governance and Compliance (ISO 27002)
- Agency Security Policies & Governance Processes
- Information Security Audits within Agency

Slide 11: Security Plan – Security Infrastructure and Environment (ISO 27002)
- Agency Employee Security Policies
- Process for Access Control to Information Assets within Agency
- Agency Information Security Awareness Training
- Agency compliance with Information Asset Classification Policy #107-004-050
- Agency compliance with the Transporting Information Assets Policy #107-005-100
- DAS Building Security Access Controls Policy #125-6-215
- Evaluation of Agency facilities for security

Slide 12: Security Plan – Tactical Security Operations (ISO 27002)
- Agency compliance with the Enterprise Information Security Standards
- Agency compliance with Employee Security policy #107-004-053
- Agency compliance with the Information Security Incident Response policy #107-004-120
- Agency BCP per policy #107-001-010
- Agency BCP testing
- Agency DR testing
- Agency compliance with Sustainable Acquisition and Disposal of Electronic Equipment (E-waste/Recovery Policy)

Slide 13: Security Plan – Implementation of Plan
- Implementation Metrics
- Submit agency plan to ESO: due July 2009

Slide 14: Security Standards
Incorporating Best Practices from:
- International Organization for Standardization (ISO) 27001 & 27002
- National Institute of Standards and Technology (NIST) recommended standards
- SANS Institute recommended standards and best practices
- Burton Group recommended methodologies and best practices

Slide 15: Security Standards – Technical Controls
Four Domains From ISO 27002:
- Access Control
- Information Asset Management
- Communications & Operations Management
- Information Systems Acquisition, Development and Management

Slide 16: Security Standards – Access Control
- Authentication Standards
- Authorization Standards
- Audit of Access Control Standards

Slide 17: Security Standards – Information Asset Management
- Protection of Information Assets Standards
- Handling of Information Assets Standards

Slide 18: Security Standards – Communications & Operations Management
- Antivirus and Anti-malware Standards
- Workstation Management & Desktop Security Standards
- Mobile Device Management Standards
- Server Management Standards
- Log Management Standards
- Information Backup Standards

Slide 19: Security Standards – Communications & Operations Management
- Security Zone and Network Security Management (Local Area Network & Wide Area Network) Standards
- Intrusion Detection Standards
- E-mail Standards
- Remote Access Standards
- Wireless Access Standards

Slide 20: Security Standards – Information Systems Acquisition, Development and Management
- Business Case Standard
- Encryption Standards
- Patch Management Standards
- Information System Development Lifecycle Standards

Slide 21: Security Standards – One Size Fits All?
- Small Agencies: Most Standards Apply
- Large Agencies: All Standards Apply
- State Data Center: Most Standards Apply; Will Assist Agencies

Slide 22: Security Standards – Agencies Responsible for Data Classification Protection
- Agencies and Third Party Providers
- Contractors
- State Data Center

Slide 23: Security Standards – Standards
- Minimum Requirements: "Meet or Exceed"
- Recommended Best Practices: Not Mandatory

Slide 24: Security Standards – Standards
- Are Specific
- Are Interdependent
- Must Be Implemented In Entirety, but...
  - Risk Assessment Drives Implementation
  - Compensating Controls
  - Exceptions

Slide 25: Agency Next Steps
- Survey
  - Are you compliant?
  - If not, do you have a plan?
  - Do you have the resources to implement the plan?
- Gap Analysis Workshop

Slide 26: Panel
- Robert Hulshof-Schmidt - State Library, Program Manager, Government Research Services
- David Wilson - Department of Corrections, Information Security Officer
- Al Grapoli - Network, Security and Voice Services Manager, DAS, State Data Center

Slide 27: Information Security Plan and Guidelines – Development and Implementation
Robert Hulshof-Schmidt, Program Manager, Government Research Services, Oregon State Library

Slide 28: State Library Overview
- 44 employees, 20+ regular volunteers
- 4 Teams:
  - Administrative Services
  - Government Research Services
  - Library Development Services
  - Talking Book & Braille Services

Slide 29: OSL Information Assets
- Mostly Levels 1 & 2
- No Level 4
- Level 3 almost exclusively in Administrative Services
  - Consolidated donor info
  - Patron info streamlined and protected by statute

Slide 30: OSL Info Environment
- Most staff are professional information workers
- Three full-time IT staff
- Agency-wide values on research, openness, information exchange
- Generally tech-savvy, gadget-owning staff
- At start of security planning:
  - Lack of concern due to limited Level 3 info
  - Unclear connection to everyday work

Slide 31: Information Security Plan
- Used ESO template – covered most of our needs
- Started good conversation on physical security, not just electronic
- Dovetailed with IT initiative to create stronger domain environment
- Valuable, but felt to most staff like a "Business Office/IT" activity only

Slide 32: Making the Connection
- Management team conversation about information security
- Everything connected to the enterprise carries risk
- Even "local-only" connections put our business at risk
- All staff have a role and a responsibility
- Statewide policies provide a good framework
- We need local guidelines

Slide 33: Creating Guidelines
- Information Asset Use, Implementation, and Security Guidelines
- Started with suite of seven statewide policies related to topic
- Added reference to statewide policies related to staff behavior (telework, professional workplace, etc.)
- Added reference to OSL policies and documents as relevant

Slide 34: Creating Guidelines
- Created plain-language definitions of key terms
- Did not repeat content of policies
- Focused on areas that required agency-specific clarification or interpretation
- Pulled common themes from various policies into cohesive sections
- Allowed for streamlining

Slide 35: Creating Guidelines
1. Reference to relevant policies/authorization
2. Definitions
3. Appropriate usage times for state assets and systems
4. Use of personal information systems
5. Use of networks (state and personal)
6. Use of Internet resources
7. Use of electronic communication tools
8. Passwords
9. Monitoring behavior
10. Responding to incidents (tied to plan)
11. Decision-making, approvals, and access

Slide 36: Guidelines Rollout
- Iterative development
  - Management review
  - Business office review
  - IT review
  - Key staff review
- Agency-wide announcement
- All staff training
  - Three sessions
  - One presenter
  - IT and HR at all three sessions

Slide 37: Next Steps
- IT review of guidelines
- Performance gaps
  - 30-day action plan
  - Long-term action plan
- SDC consultation
- Prepare for standards review and implementation
- Set priorities based on risk and resources

Slide 38: Questions?
Guidelines available to share
Robert Hulshof-Schmidt, 503.378.5030, robert.hulshof-schmidt@state.or.us

Slide 39: David Wilson, Information Security Officer, Department of Corrections

Slide 40: DOC Mission Statement
The mission of the Oregon Department of Corrections is to promote public safety by holding offenders accountable for their actions and reducing the risk of future criminal behavior.

Slide 41: Oregon Accountability Model
- Criminal Risk Factor Assessment and Case Planning
- Staff-Inmate Interactions
- Work and Programs
- Children and Families
- Re-entry
- Community Supervision and Programs

Slide 42: Quick Facts
- 14 Institutions
- 4 Administration Sites
- 2 County Parole & Probation Offices

Slide 43: Quick Facts
- 4,426 Employees
- 1,970 Active Volunteers
- Offenders:
  - Inmates: 13,841
  - Parole and Probation: 2,794
  - Local Control: 890
  - Total Current Offenders: 17,525

Slide 44: Quick Facts
Others Accessing ODOC Information:
- Contracted Service Providers
- Community Partners
- Courts and Legal Professionals
- Other Governmental Agencies
- The Public

Slide 45: ODOC Information Security History
- Information Security Officer: Collateral duty prior to October 2009
- Projects through Office of Project Management:
  - Information Security Administration
  - Department-wide Records Management

Slide 46: Project Methodology
- Initiated in April 2008
- ODOC missed early compliance dates
- Combined project resources
- Chose to focus resources on:
  - ID of agency Information Assets (IAs)
  - Organizing IAs into a Special Retention Schedule
  - Use structure to identify "ownership"

Slide 47: Methodology Mistake
Information Owners: not defined or identified at the beginning of the projects.

Slide 48: Informed Information Owners Needed
- Realized need for:
  - Definition of Information Owner role and responsibilities
  - Decision makers to decide Classification
- Identified need to:
  - Educate decision makers
  - Define Data Handling Standards
  - Define Classification expectations

Slide 49: "Snap Shot" Standards Needed
- Methodology and standards: OVERWHELMING!
- Found something simple: PERS Data Handling Standards, http://www.oregon.gov/DAS/EISPD/ESO/IAC.shtml
- Simple Matrix = Enterprise Standards
- Reflects PROCESS expectations

Slide 50: Curriculum Identified
- Protecting IAs at the Right Level
- Balancing the Risk with the Cost: Confidentiality, Integrity and Accessibility
- Public Records Requests - Simple Division
  - Level 1 & 2: Releasable = Low Risk & Priority
  - Level 3 & 4: Not releasable = High Risk & Priority
  - Able to categorize by this division based on known mandates and project team input
- Level 3 vs. Level 4: Mandates vs. Business Decision
  - Risk of Level 3: Mitigated by agency culture
  - Cost of Level 4: Resources and Accessibility

Slide 51: Information Owner Decision
- Information Owners were asked to look at a draft list of their Level 3 and 4 IAs
- They were then asked to identify:
  - Risk they were willing to accept
  - Cost, in resources and accessibility, they were willing to pay to mitigate that risk
- "If you want to call it a Level 4, are you willing to pay the cost of protection?"

Slide 52: Did not understand it then....
Gap Analysis of Enterprise Standards:
- Process: How the agency works with the information
- Technology: Technical capabilities, limitations and safeguards

Slide 53: Realized in retrospect....
- Educating Information Owners provided a business opportunity: to review existing processes, identify limitations and determine current resources
- That resulted in: Gap Analysis of Process

Slide 54: Enterprise Standards Published
- 11/2009 - Enterprise Standards Published
- ODOC Classification process had already narrowed the focus
- Gap Analysis of Processes completed
- All that was left: Compare current Information Technology practices and resources against Enterprise Standards

Slide 55: Gap Analysis: Technology
- FYI: Computer experts live and breathe Tech Specs!!!
- Standards = Foreign Language
- Computer experts:
  - Speak it fluently
  - Know their systems in detail
  - Can translate in terms of existing ability

Slide 56: Do we meet the standard?
- "Yes": No further action required
- "No, but our method is as good as or better than...": Document Variance

Slide 57: Do we meet the standard?
- "No, and that might be a problem": Red Flag or "Gap"
- Plan Needed - Will getting there take:
  - Time (within existing resources)?
  - Money (to buy solutions)?
  - Staff (additional personnel)?
- Plans will be assessed and prioritized based on: Risk and Available Resources

Slide 58: Gap Analysis = Risk Mitigation
- Risk Mitigation for ODOC
- Gap Analysis provides data for Risk Based prioritization of resources necessary for operations within current fiscal climate
- Final plan will be taken to ODOC Leadership for approval

Slide 59: Questions?
david.s.wilson@state.or.us

Slide 60: Oregon State Data Center Security Architecture Standards
Information Security Plan and Standards Forum, December 10, 2009

Slide 61: Security Architecture Principles
Security Architecture must be:
- Cost Effective and Business Driven
- Supportable
- Standards Based

Slide 62: Cost Effective and Business Driven
- Flexible architecture provides for granularity of controls
- Ability to accommodate agency business requirements
- Consolidation of security controls to reduce administrative overhead

Slide 63: Supportable
- Standard processes and procedures in support of security controls
- Centralized management of security controls
- Increased logging and monitoring
- Integration permits greater security enforcement and intelligence
- Standard equipment allows for easier implementation and for replacement in the event of a failure

Slide 64: Standards Based
- Use standards-based technologies to provide security (e.g. AES, 802.1x, etc.)
- Increases the likelihood that security technologies are interoperable
- Ensures that implemented technologies have been subjected to the process review necessary to achieve the status of "standard"

Slide 65: Where we are...
- Secure Server Builds
- Site-to-site encryption
- Network Access Control
- Firewalls
- VLANs/MPLS
- Anti-Virus, Patching standardized
- Network Intrusion Detection
- Email Firewalls
- Log Aggregation
- Standardization

Slide 66: Where we are going...
- Network Admission Control
- Host Intrusion Prevention
- Consolidated Remote Access VPN
- Firewall Consolidation
- Increased Use of Log Aggregation
- Configuration Management

Slide 67: Security Policies
- State Security Policies: http://oregon.gov/DAS/EISPD/ESO/Policies.shtml
- Recent Implementation:
  - State Security Standards
  - State Security Plan
  - Privileged Access Policy

Slide 68: Questions?
al.grapoli@state.or.us

Slide 69: Thank You!
"Security is an architecture, not an appliance" - Network Magazine

Slide 70: Recap and Next Steps
- Plan and Standards Published
- Survey
  - Are you compliant?
  - If not, do you have a plan?
  - Do you have the resources to implement the plan?
- Gap Analysis Workshop

Slide 71: Questions?

Slide 72: Thank You!
Theresa Masse, State Chief Information Security Officer
DAS EISPD / Enterprise Security Office
(503) 378-4896
theresa.a.masse@state.or.us
http://oregon.gov/DAS/EISPD/ESO

