Enterprise Cybersecurity Strategy
LaVerne H. Council, Assistant Secretary for Information and Technology

Topics
- Creating an IT Organization that Supports Tomorrow’s VA
- Facing Our Challenges with TrAITs
- Closer Look: VA’s Enterprise Cybersecurity Strategy
OI&T’s Leadership is Moving VA into the Future
Facing Our Challenges with TrAITs
“It’s our mission that the Veteran will be the vocal initiator driving every project, every decision for OI&T”

Why TrAITs
TrAITs remind us to ask:
- How will the Veteran benefit from this piece of technology or this new decision?
- What benefit will this bring to a Veteran or their family?
Facing Our Challenges with TrAITs
- Transparency
- Innovation
- Teamwork
Closer Look: VA’s Cybersecurity Strategy
“VA continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program.”
- Office of Inspector General, Federal Information Security Management Act Audits
Cyber Strategy Summary
- Today’s IT security organizations operate under tremendous threat
- Recent OPM attacks demonstrate significant risk to VA
- OI&T is leading the way with aggressive strategic planning and emphasis on Veteran-focused initiatives
Enterprise Cybersecurity Strategy Team
“Nothing in IT is more important than protecting VA data and the information entrusted to us by Veterans.”
- LaVerne Council, Assistant Secretary for Information and Technology and Chief Information Officer
Governance, Program Management, and Risk Management
- Key supporting disciplines for decision-making across VA within context of cybersecurity and privacy
- Balances needs of VA’s mission with protecting high value assets
- Includes continuous scanning of cybersecurity landscape to proactively position VA to address emerging threats
- Addresses risks, deficiencies, breaches, and lessons learned
Operations, Telecommunication, and Network Security
- Key supporting disciplines for securing VA information, data, and computing assets
- Includes people, products, and procedures to ensure data confidentiality, integrity, availability, assured delivery, and auditability of VA systems
- Addresses network, platform, and data security
Application and Software Development
- Disciplines needed to ensure applications used during provision of services to Veterans utilize the most secure practices for data storage, access, manipulation, and transmission
- Encompasses entire software lifecycle
- Software assurance, that is, the level of confidence VA software is free of vulnerabilities or defects that could lead to vulnerabilities, is a critical concern
Access Control (AC), Identification and Authentication (IA)
- Disciplines for reducing likelihood and impact of security incidents
- AC combines authentication and authorization processes that allow access to VA networks, hardware computing devices, and applications
- IA verifies a user, process, or device through specific credentials such as passwords, tokens, and biometrics as a prerequisite for granting access to system resources
Medical Cyber
- Focuses on devices not traditionally considered IT that can be networked or accessed electronically
- Must be protected from exploitation and from becoming operable vectors for cyberattacks as they collect and transmit PII and PHI
- Includes medical devices and “cyber physical” systems with similar electronic characteristics, such as HVAC and elevator systems
Security Architecture
- Key supporting disciplines for developing an enterprise information security architecture
- Supports business optimization
- Includes design and engineering skills needed to fully integrate security into VA’s overall business, applications, and IT systems architecture
Privacy
- Policy and legislatively driven requirements for PII and PHI
- Focused on implementing the “Best Practices: Elements of a Federal Privacy Program,” published by the Federal CIO Privacy Committee
Cybersecurity Training and Human Capital
- Hiring practices and skills maturation needed to create a workforce steeped in a culture of cybersecurity to proactively protect all data and information of the Veterans we serve
Enterprise Cybersecurity Strategy Team
ECST will construct an accountable, actionable, near-, mid-, and long-range cybersecurity strategic plan that continuously considers and adapts to the newest technologies to secure VA’s IT enterprise.
Identifying and addressing:
- Strengths
- Weaknesses
- Resources
- Constraints
- Capabilities
- Drivers
- Known and unknown threats
Questions?