Cybersecurity in Ohio
David A. Brown, Chief Information Security Officer, State of Ohio
Presentation transcript:

Cybersecurity in Ohio
David A. Brown, Chief Information Security Officer, State of Ohio

Threats Against Government
- Denial of service
- Spear phishing
- SQL injection
- Web defacements
- Malware (keyloggers, Trojans, etc.)
- Theft of devices
- Hacktivist activity

Examples of the Threat
- February 2012: Missouri's official web site defacement; no data loss
- April 2012: Utah Department of Health Medicaid system hack; 780,000 records stolen
- October 2012: South Carolina Department of Revenue data breach; 6.4 million records stolen by a foreign hacker, initial access via spear phishing
- October 2012: City of Burlington, Washington system attack; $400,000 diverted to other accounts across the country
- December 2012: South Carolina Department of Employment & Workforce web defacement; no data loss
- January 2013: Florida Dept. of Juvenile Justice device theft; a mobile device holding 100,000 youth and employee records was stolen from an office, with no encryption or password protection
Several incidents have occurred in Ohio as well. All of the threats noted earlier have occurred here in state and/or local agencies.

State of Ohio Security Program
- Approximately 100 agencies, boards, and commissions under the program
- Decentralized environment
- Chief Information Security Officer responsibilities under ORC 125.18:
  - Coordinate the implementation of security policies and procedures in state agencies
  - Assist each agency with the development of a security strategic plan

State of Ohio Security Program
- April 2011: State sets IT standard ITS-SEC-02
  - Establishes NIST SP 800-53 as the state security framework
  - Creates enterprise security controls that align with the Consensus Audit Guidelines (SANS Top 20 Critical Controls)
  - Agencies to be compliant with the CAG by October 2012
- Fall 2012: Agencies required to submit a strategic security plan to the Office of Information Security & Privacy
  - Leveraged the CAG self-assessment in the US Homeland Security CSET tool
- Speaker note: explain the value of the CSET tool for local municipalities and county governments

State of Ohio Security Program
SANS Top 20 Critical Controls (Consensus Audit Guidelines), in the order listed on the slide:
1. Hardware inventory
2. Software inventory
3. Secure configuration of systems
4. Secure configuration of network devices
5. Boundary defense
6. Security audit logs
7. Application software security
8. Controlled use of administrative privileges
9. Controlled access / need to know
10. Vulnerability management
11. Account monitoring and control
12. Malware defense
13. Limiting ports, protocols, and services
14. Wireless device control
15. Data loss prevention
16. Secure network engineering
17. Penetration testing
18. Incident response capability
19. Data recovery capability
20. Security training

State of Ohio Security Program
- Ohio is one of a few states that have adopted the SANS Top 20 Critical Controls
- The Consortium for Cybersecurity Action was established in 2012
  - Ensures that updated versions of the controls reflect the most relevant threat information
  - Shares lessons learned from organizations that have implemented them
- Ohio participates in this consortium; the CISOs for Ohio and Colorado co-chair a state/local government workgroup for the Consortium
- The US State Department reported a 94% reduction in measured security risk after implementing these controls

State of Ohio Security Program
Security services provided by OISP today:
- Risk assessments
- Security assessments
- Security architecture
- Security consulting
- IT security policies and standards
- Incident response
- Vulnerability assessments
- Penetration testing (limited)
- Enterprise SIEM
- Security awareness and training
- Cyber intelligence and threat management
Agencies may provide other services as well.

State of Ohio Security Program
Industrial control systems assessments:
- Began these assessments in February 2012
- Partnered with US Homeland Security to conduct two pilot assessments
- Each assessment was completed within one day
- No cost to the State of Ohio

State of Ohio Security Program
Securing the Human:
- Began offering this training in 2011
- Online training produced by the SANS Institute
- 36 different training modules
- Updated twice a year based on current threats
- Approximately 50,000 state employees will be trained this year
- Excellent reviews from our users

State of Ohio Security Program
Enterprise SIEM:
- Began offering this service in 2012
- Collects security logs from systems
- 5 agencies participating today
- Extending to all cabinet agencies
- Over 100 million event logs analyzed per day
- Both the agencies and OISP monitor the system
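An added illustration, not code from the Ohio enterprise SIEM or OISP, of the kind of account-monitoring rule a SIEM applies to the security logs it collects, tying this slide to the "Security audit logs" and "Account monitoring and control" controls listed earlier. The log format, host names, user names, source addresses, rule names and thresholds are all constructed assumptions for the example; the scenario (a burst of failed logins followed by a success, then privilege use from a second source) mirrors the credential-theft path behind the spear-phishing incident described earlier.

```python
"""Added example: two account-monitoring rules over constructed auth log lines.

Not the Ohio SIEM's rules or data. The syslog-like key=value format, the
5-failures-in-5-minutes threshold and the event names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real agency data).
SAMPLE_LOGS = """\
2013-03-01T08:00:01 host=web01 event=login_failed user=jsmith src=203.0.113.5
2013-03-01T08:00:03 host=web01 event=login_failed user=jsmith src=203.0.113.5
2013-03-01T08:00:05 host=web01 event=login_failed user=jsmith src=203.0.113.5
2013-03-01T08:00:07 host=web01 event=login_failed user=jsmith src=203.0.113.5
2013-03-01T08:00:09 host=web01 event=login_failed user=jsmith src=203.0.113.5
2013-03-01T08:00:12 host=web01 event=login_ok user=jsmith src=203.0.113.5
2013-03-01T08:05:00 host=web02 event=login_ok user=adoe src=198.51.100.7
2013-03-01T08:30:00 host=web02 event=login_failed user=adoe src=198.51.100.7
2013-03-01T08:31:00 host=web02 event=login_ok user=adoe src=198.51.100.7
this line is malformed and must be skipped, not crash the pipeline
2013-03-01T09:00:00 host=db01 event=login_ok user=jsmith src=192.0.2.44
2013-03-01T09:01:00 host=db01 event=priv_escalation user=jsmith src=192.0.2.44
"""

# Assumed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Yield one dict per well-formed line; malformed lines are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def detect(text, window=timedelta(minutes=5), threshold=5):
    """Return (rule, user, src) alerts, in log order.

    brute_force_then_success: at least `threshold` failed logins for one user
        inside a sliding `window`, followed by a successful login (password
        guessing, or a phished password being tried until it works).
    priv_escalation_new_source: privilege escalation by a user who has logged
        in from more than one source address in this batch.
    """
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    sources = defaultdict(set)     # user -> source addresses seen on success
    for ev in parse(text):
        user = ev["user"]
        if ev["event"] == "login_failed":
            failures[user].append(ev["ts"])
            # keep only failures still inside the sliding window
            failures[user] = [t for t in failures[user] if ev["ts"] - t <= window]
        elif ev["event"] == "login_ok":
            if len(failures[user]) >= threshold:
                alerts.append(("brute_force_then_success", user, ev["src"]))
                failures[user].clear()
            sources[user].add(ev["src"])
        elif ev["event"] == "priv_escalation":
            if len(sources[user]) > 1:
                alerts.append(("priv_escalation_new_source", user, ev["src"]))
    return alerts


if __name__ == "__main__":
    for rule, user, src in detect(SAMPLE_LOGS):
        print(f"ALERT {rule}: user={user} src={src}")
```

The two rules are deliberately stateful rather than per-line string matches: the first needs a time window across several lines, and the second needs history of where a user normally authenticates from. At the volumes cited on the slide (over 100 million events per day) that state has to live in the SIEM rather than in a script, but the logic is the same.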

Challenges Facing Government
- Funding for security
- Cybersecurity authority and governance
- Attractive targets for cybercriminals and hacktivists
- Lack of skilled staff
- Sophistication of attacks
According to the 2012 Deloitte-NASCIO Cybersecurity Study, many governments fund security at 1-2% of the overall IT budget, and some don't fund it at all. While this study pertained to state governments, local governments have the same issue; in fact, many have little budget for IT as a whole, do not have dedicated IT staff, and rely on vendors. 78% of the states saw their security budgets remain about the same or become reduced during 2010 and 2011. The study also pointed out that many CISOs operate in a highly distributed model with little direct authority over agency strategies, activities, and resources, and that government agencies host systems containing a lot of personal information, making them attractive targets for cybercriminals and hacktivists.

What Can You Do?
- Assess and communicate security risks
- Consider shared security services
- Encourage user education in security awareness
- Explore alternative funding for cybersecurity
- Use the no-cost assessments provided by DHS
- Encourage IT personnel to use the DHS CSET tool to do assessments and develop a plan of action
- Become a member of the MS-ISAC
- Leverage free cybersecurity training provided by various sources
- Develop an incident response plan
- Develop a disaster recovery plan

Cybersecurity Council
- The Cybersecurity, Education, and Economic Development Council was created under ORC 121.92 in 2012
- Consists of 12 members appointed by the Governor, the Speaker of the House, and the President of the Senate
- The Council is to conduct a study and make recommendations regarding:
  - Improving the infrastructure of the state's cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education
  - Specific actions that would accelerate growth of the cybersecurity industry in the state

Questions?

Contact Information
David A. Brown, State Chief Information Security Officer
Ohio Department of Administrative Services
30 E. Broad Street, FL 40
Columbus, OH 43215
Office: (614) 644-9391