Enterprise Security Plan and Standards Forum. Theresa A. Masse, State Chief Information Security Officer; John Ritchie, Senior Security Analyst.

Presentation transcript:

1 Enterprise Security Plan and Standards Forum
- Theresa A. Masse, State Chief Information Security Officer
- John Ritchie, Senior Security Analyst

2 Agenda
- Background
- Statewide Information Security Plan
- Statewide Information Security Standards
- Agency Next Steps
- Panel
- Wrap Up

3 Background
- The combination of the Statewide Plan, Standards, and Policies in the framework of & form the Enterprise Security Architecture

4 Background
- Based on ISO 27001/27002
- Incorporating Best Practices from:
  - National Institute of Standards and Technology (NIST) recommended standards
  - SANS Institute recommended standards and best practices
  - Burton Group recommended methodologies and best practices
- Vetted by agencies

5 Background
- ISO Information Security Management System (ISMS)
- Foundation: Security Risk Assessment
- Aligns with Agency's Strategic Risk Management Policy and Direction

6 Background
- ISO Information Security Domains
- Controls minimize identified risk
- Risk Assessment identifies areas of Security Control focus

7 ISO consists of 11 domains
- Includes an outline for each Domain and corresponding Controls
- The 11 domains:
  - Security Policy
  - Security Organization
  - Compliance
  - Asset Management
  - Access Control
  - Human Resources
  - Physical and Environmental Security
  - System Development and Maintenance
  - Communications & Operations Management
  - Business Continuity Management
  - Incident Management
- Grouped in the Statewide Plan under:
  - Security Governance & Compliance
  - Security Infrastructure & Environment
  - Tactical Security Operations
  - Risk Assessment

8 Background
- Policies and standards assist agencies in achieving compliance with state laws
- ESO cannot establish plans, policies or standards that are less restrictive than state laws
- Specifically: ORS Information Systems Security & ORS 646A.600, the Oregon Identity Theft Protection Act
- Agencies can implement more restrictive controls as required for compliance with other regulations (IRS, HIPAA, etc.)

9 Security Plan: Security Management Framework (ISO)
- Agency Annual Risk Assessment
- Agency Information Systems Security Risk Assessments
- Agency Information Security Management System

10 Security Plan: Security Governance and Compliance (ISO)
- Agency Security Policies & Governance Processes
- Information Security Audits within Agency

11 Security Plan: Security Infrastructure and Environment (ISO)
- Agency Employee Security Policies
- Process for Access Control to Information Assets within Agency
- Agency Information Security Awareness Training
- Agency compliance with Information Asset Classification Policy #
- Agency compliance with the Transporting Information Assets Policy #
- DAS Building Security Access Controls Policy #
- Evaluation of Agency facilities for security

12 Security Plan: Tactical Security Operations (ISO)
- Agency compliance with the Enterprise Information Security Standards
- Agency compliance with Employee Security policy #
- Agency compliance with the Information Security Incident Response policy #
- Agency BCP per policy #
- Agency BCP testing
- Agency DR testing
- Agency compliance with Sustainable Acquisition and Disposal of Electronic Equipment (E-waste/Recovery Policy)

13 Security Plan: Implementation of Plan
- Implementation Metrics
- Submit agency plan to ESO – due July 2009

14 Security Standards
- Incorporating Best Practices from:
  - International Organization for Standardization (ISO) & National Institute of Standards and Technology (NIST) recommended standards
  - SANS Institute recommended standards and best practices
  - Burton Group recommended methodologies and best practices

15 Security Standards: Technical Controls
- Four Domains From ISO:
  - Access Control
  - Information Asset Management
  - Communications & Operations Management
  - Information Systems Acquisition, Development and Management

16 Security Standards: Access Control
- Authentication Standards
- Authorization Standards
- Audit of Access Control Standards

17 Security Standards: Information Asset Management
- Protection of Information Assets Standards
- Handling of Information Assets Standards

18 Security Standards: Communications & Operations Management
- Antivirus and Anti-malware Standards
- Workstation Management & Desktop Security Standards
- Mobile Device Management Standards
- Server Management Standards
- Log Management Standards
- Information Backup Standards

19 Security Standards: Communications & Operations Management (continued)
- Security Zone and Network Security Management (Local Area Network & Wide Area Network) Standards
- Intrusion Detection Standards
- Remote Access Standards
- Wireless Access Standards

20 Security Standards: Information Systems Acquisition, Development and Management
- Business Case Standard
- Encryption Standards
- Patch Management Standards
- Information System Development Lifecycle Standards

21 Security Standards: One Size Fits All?
- Small Agencies: Most Standards Apply
- Large Agencies: All Standards Apply
- State Data Center: Most Standards Apply; Will Assist Agencies

22 Security Standards
- Agencies Responsible for Data Classification
- Protection: Agencies and Third Party Providers
  - Contractors
  - State Data Center

23 Security Standards
- Standards: Minimum Requirements, "Meet or Exceed"
- Recommended Best Practices: Not Mandatory

24 Security Standards
- Standards Are Specific
- Standards Are Interdependent
- Standards Must Be Implemented In Entirety, but…
  - Risk Assessment Drives Implementation
  - Compensating Controls
  - Exceptions

25 Agency Next Steps
- Survey
  - Are you compliant?
  - If not, do you have a plan?
  - Do you have the resources to implement the plan?
- Gap Analysis Workshop

26 Panel
- Robert Hulshof-Schmidt – State Library, Program Manager, Government Research Services
- David Wilson – Department of Corrections, Information Security Officer
- Al Grapoli – Network, Security and Voice Services Manager, DAS, State Data Center

27 Information Security Plan and Guidelines – Development and Implementation
- Robert Hulshof-Schmidt, Program Manager, Government Research Services
- Oregon State Library

28 State Library Overview
- 44 employees, 20+ regular volunteers
- 4 Teams:
  - Administrative Services
  - Government Research Services
  - Library Development Services
  - Talking Book & Braille Services

29 OSL Information Assets
- Mostly Levels 1 & 2
- No Level 4
- Level 3 almost exclusively in Administrative Services
  - Consolidated donor info
  - Patron info streamlined and protected by statute

30 OSL Info Environment
- Most staff are professional information workers
- Three full-time IT staff
- Agency-wide values on research, openness, information exchange
- Generally tech-savvy, gadget-owning staff
- At start of security planning:
  - Lack of concern due to limited Level 3 info
  - Unclear connection to everyday work

31 Information Security Plan
- Used ESO template – covered most of our needs
- Started good conversation on physical security, not just electronic
- Dovetailed with IT initiative to create stronger domain environment
- Valuable, but felt to most staff like a "Business Office/IT" activity only

32 Making the Connection
- Management team conversation about information security
- Everything connected to the enterprise carries risk
- Even "local-only" connections put our business at risk
- All staff have a role and a responsibility
- Statewide policies provide a good framework
- We need local guidelines

33 Creating Guidelines
- Information Asset Use, Implementation, and Security Guidelines
- Started with suite of seven statewide policies related to topic
- Added reference to statewide policies related to staff behavior (telework, professional workplace, etc.)
- Added reference to OSL policies and documents as relevant

34 Creating Guidelines
- Created plain-language definitions of key terms
- Did not repeat content of policies
- Focused on areas that required agency-specific clarification or interpretation
- Pulled common themes from various policies into cohesive sections
- Allowed for streamlining

35 Creating Guidelines
1. Reference to relevant policies/authorization
2. Definitions
3. Appropriate usage times for state assets and systems
4. Use of personal information systems
5. Use of networks (state and personal)
6. Use of Internet resources
7. Use of electronic communication tools
8. Passwords
9. Monitoring behavior
10. Responding to incidents (tied to plan)
11. Decision-making, approvals, and access

36 Guidelines Rollout
- Iterative development
  - Management review
  - Business office review
  - IT review
  - Key staff review
- Agency-wide announcement
- All staff training
  - Three sessions
  - One presenter
  - IT and HR at all three sessions

37 Next Steps
- IT review of guidelines
- Performance gaps
  - 30-day action plan
  - Long-term action plan
- SDC consultation
- Prepare for standards review and implementation
- Set priorities based on risk and resources

38 Questions?
- Guidelines available to share
- Robert Hulshof-Schmidt

39 David Wilson, Information Security Officer, Department of Corrections

40 DOC Mission Statement The mission of the Oregon Department of Corrections is to promote public safety by holding offenders accountable for their actions and reducing the risk of future criminal behavior.

41 Oregon Accountability Model
- Criminal Risk Factor Assessment and Case Planning
- Staff-Inmate Interactions
- Work and Programs
- Children and Families
- Re-entry
- Community Supervision and Programs

42 Quick Facts
- 14 Institutions
- 4 Administration Sites
- 2 County Parole & Probation Offices

43 Quick Facts
- 4,426 Employees
- 1,970 Active Volunteers
- Offenders:
  - Inmates: 13,841
  - Parole and Probation: 2,794
  - Local Control: 890
  - Total Current Offenders: 17,525

44 Quick Facts: Others Accessing ODOC Information
- Contracted Service Providers
- Community Partners
- Courts and Legal Professionals
- Other Governmental Agencies
- The Public

45 ODOC Information Security History
- Information Security Officer: collateral duty prior to October 2009
- Projects through Office of Project Management:
  - Information Security Administration
  - Department-wide Records Management

46 Project Methodology
- Initiated in April 2008
- ODOC missed early compliance dates
- Combined project resources
- Chose to focus resources on:
  - ID of agency Information Assets (IAs)
  - Organizing IAs into a Special Retention Schedule
  - Use structure to identify "ownership"

47 Methodology Mistake
- Information Owners not defined or identified at the beginning of the projects

48 Informed Information Owners Needed
- Realized need for:
  - Definition of Information Owner role and responsibilities
  - Decision makers to decide Classification
- Identified need to:
  - Educate decision makers
  - Define Data Handling Standards
  - Define Classification expectations

49 "Snap Shot" Standards Needed
- Methodology and standards: OVERWHELMING!
- Found something simple: PERS Data Handling Standards
  - Simple Matrix = Enterprise Standards
  - Reflects PROCESS expectations

50 Curriculum Identified
- Protecting IAs at the Right Level
- Balancing the Risk with the Cost: Confidentiality, Integrity and Accessibility
- Public Records Requests – Simple Division:
  - Level 1 & 2: Releasable = Low Risk & Priority
  - Level 3 & 4: Not releasable = High Risk & Priority
  - Able to categorize by this division based on known mandates and project team input
- Level 3 vs. Level 4: Mandates vs. Business Decision
  - Risk of Level 3: Mitigated by agency culture
  - Cost of Level 4: Resources and Accessibility

51 Information Owner Decision
- Information Owners were asked to look at a draft list of their Level 3 and 4 IAs
- They were then asked to identify:
  - Risk they were willing to accept
  - Cost, in resources and accessibility, they were willing to pay to mitigate that risk
- "If you want to call it a Level 4, are you willing to pay the cost of protection?"

52 Did not understand it then....
- Gap Analysis of Enterprise Standards:
  - Process: How the agency works with the information
  - Technology: Technical capabilities, limitations and safeguards

53 Realized in retrospect....
- Educating Information Owners provided a business opportunity:
  - To review existing processes, identify limitations and determine current resources
- That resulted in: Gap Analysis of Process

54 Enterprise Standards Published 11/
- ODOC Classification process had already narrowed the focus
- Gap Analysis of Processes completed
- All that was left: Compare current Information Technology practices and resources against Enterprise Standards

55 Gap Analysis: Technology
- FYI: Computer experts live and breathe Tech Specs!!!
- Standards = Foreign Language
- Computer experts:
  - Speak it fluently
  - Know their systems in detail
  - Can translate in terms of existing ability

56 Do we meet the standard?
- "Yes": No further action required
- "No, but our method is as good as or better than...": Document Variance

57 Do we meet the standard?
- "No, and that might be a problem": Red Flag or "Gap"
- Plan Needed – Will getting there take:
  - Time (within existing resources)?
  - Money (to buy solutions)?
  - Staff (additional personnel)?
- Plans will be assessed and prioritized based on: Risk and Available Resources

58 Gap Analysis = Risk Mitigation
- Risk Mitigation for ODOC
- Gap Analysis provides data for Risk Based prioritization of resources necessary for operations within current fiscal climate
- Final plan will be taken to ODOC Leadership for approval
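The three-way decision on slides 56 and 57 (meet / document variance / gap) and the risk-and-resources prioritization on slides 57 and 58, worked through as an added example; this is not code from the presentation or from ODOC. The 1-to-5 risk scale, the time < money < staff cost weights and the sample inventory are assumptions.

```python
"""Gap-analysis triage for enterprise security standards.

Added example (not the presentation's or ODOC's own tooling).  Assumed:
a 1 (low) .. 5 (high) risk score per standard, and remedy cost weights
where time within existing resources is cheapest, new money next, and
additional staff hardest to obtain.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed cost weights for the three resource questions on slide 57.
RESOURCE_COST = {"time": 1, "money": 2, "staff": 3}


@dataclass
class StandardStatus:
    standard: str                 # e.g. "Log Management Standards"
    met: bool                     # "Yes" -> no further action
    equivalent_method: Optional[str] = None  # "as good as or better than..."
    risk: int = 0                 # assumed 1..5 scale from the risk assessment
    needs: List[str] = field(default_factory=list)  # subset of time/money/staff


def triage(item: StandardStatus):
    """Apply the slide 56/57 decision to one standard.

    Returns (verdict, note) with verdict one of 'met', 'variance', 'gap'."""
    if item.met:
        return ("met", "No further action required")
    if item.equivalent_method:
        return ("variance", f"Document variance: {item.equivalent_method}")
    unknown = set(item.needs) - set(RESOURCE_COST)
    if unknown:
        raise ValueError(f"unknown resource need(s): {sorted(unknown)}")
    return ("gap", "Red flag: plan needed")


def gap_plan(inventory):
    """Classify every standard and rank the gaps for leadership review.

    Gaps are ordered highest risk first; among equal risk the cheapest
    remedy (sum of resource weights) comes first, then by name."""
    variances, gaps = [], []
    for item in inventory:
        verdict, note = triage(item)
        if verdict == "variance":
            variances.append((item.standard, note))
        elif verdict == "gap":
            cost = sum(RESOURCE_COST[n] for n in set(item.needs))
            gaps.append((item.standard, item.risk, cost, sorted(set(item.needs))))
    gaps.sort(key=lambda g: (-g[1], g[2], g[0]))
    return {"variances": variances, "gaps": gaps}


# Constructed sample inventory (not ODOC data); standard names are from slides 18-20.
SAMPLE = [
    StandardStatus("Antivirus and Anti-malware Standards", met=True),
    StandardStatus("Log Management Standards", met=False, risk=4, needs=["money", "staff"]),
    StandardStatus("Patch Management Standards", met=False, risk=4, needs=["time"]),
    StandardStatus("Encryption Standards", met=False,
                   equivalent_method="existing site-to-site AES tunnels meet the intent"),
    StandardStatus("Wireless Access Standards", met=False, risk=2, needs=["money"]),
]

if __name__ == "__main__":
    plan = gap_plan(SAMPLE)
    for std, note in plan["variances"]:
        print(f"VARIANCE  {std}: {note}")
    for std, risk, cost, needs in plan["gaps"]:
        print(f"GAP       risk={risk} cost={cost} {std} needs={needs}")
```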

59 Questions?

60 Oregon State Data Center Security Architecture Standards
- Information Security Plan and Standards Forum
- December 10, 2009

61 Security Architecture Principles
- Security Architecture must be:
  - Cost Effective and Business Driven
  - Supportable
  - Standards Based

62 Cost Effective and Business Driven
- Flexible architecture provides for granularity of controls
- Ability to accommodate agency business requirements
- Consolidation of security controls to reduce administrative overhead

63 Supportable
- Standard processes and procedures in support of security controls
- Centralized management of security controls
- Increased logging and monitoring
- Integration permits greater security enforcement and intelligence
- Standard equipment allows for easier implementation and for replacement in the event of a failure

64 Standards Based
- Use standards-based technologies to provide security (e.g. AES, 802.1X, etc.)
- Increases the likelihood that security technologies are interoperable
- Ensures that implemented technologies have been subjected to the process review necessary to achieve the status of "standard"

65 Where we are…
- Secure Server Builds
- Site-to-site encryption
- Network Access Control
- Firewalls
- VLANs/MPLS
- Anti-Virus, Patching standardized
- Network Intrusion Detection
- Firewall Log Aggregation Standardization

66 Where we are going…
- Network Admission Control
- Host Intrusion Prevention
- Consolidated Remote Access VPN
- Firewall Consolidation
- Increased Use of Log Aggregation
- Configuration Management

67 Security Policies
- State Security Policies
- Recent Implementation:
  - State Security Standards
  - State Security Plan
  - Privileged Access Policy

68 Questions?

69 Thank You!
- "Security is an architecture, not an appliance" – Network Magazine

70 Recap and Next Steps
- Plan and Standards Published
- Survey
  - Are you compliant?
  - If not, do you have a plan?
  - Do you have the resources to implement the plan?
- Gap Analysis Workshop

71 Questions?

72 Thank You!
- Theresa Masse, State Chief Information Security Officer
- DAS EISPD / Enterprise Security Office
- (503)