© 2006 Verizon. All Rights Reserved.
Overview of State Governance Security Landscape
Leslie Carter, State Subject Matter Expert, January 18, 2007
Agenda
• Security Challenges in State Agencies
• Where State Agencies Need to Be
• Approaches to Meeting the Challenges
Security Is An Enterprise-Wide Challenge
Diagram: the Security Program sits among Security Governance, Security Oversight and Security Operations; each stakeholder group faces its own pressures:
• Senior Execs & CIO: budgets, report cards, laws & mandates
• CISO: no budget, unable to get buy-in, limited visibility, no control
• IT Operations: reporting, burden, scarce resources
The Security Challenges in Gov/Ed
Governance
• Many states and municipalities are just beginning to put in place the necessary governance framework to enable effective information security
• Lack of attention has led to underfunding
• Quickening pace of security laws, regulations, and mandates
Complexity (Tech, Organization/Accountability, Budget, Other)
• The competing challenges of service to the citizen and protection of citizen privacy are most intense at the state and local government levels
• Siloed federal approach to information exchange has resulted in crazy quilt of redundant, incompatible security approaches and infrastructures
• The result: Security breaches continue to dominate the headlines
Regulatory Challenges
• New (2007) California Statutes
– Voter Privacy SB 506
– Credit Card Receipts SB 1699
– Domestic Violence Victims SB 1491
– Identity Theft Legislation AB 424, AB 618, AB 2043, AB 2886, AB 1390
– Motor Vehicle Dealer Access AB 2291
– Wireless Network Security for Citizens AB 2415
– Online Privacy Reproductive Health AB 2251
– Online Privacy Public Officials AB 2006
• Federal Laws
– The Children’s Online Privacy Protection Act of 1998
– The Computer Fraud and Abuse Act of 1984
– The Computer Matching & Privacy Protection Act of 1988 & Amendments of 1990
– The Driver’s Privacy Protection Act of 1994
– The Electronic Communications Privacy Act of 1986
– The Fair Credit Reporting Act of 1970
– The Family Educational Rights and Privacy Act of 1974
– The Gramm-Leach-Bliley Financial Services Modernization Act of 1999
– The Health Insurance Portability and Accountability Act of 1996
– The Privacy Act of 1974
– REAL ID Act of 2005
– Sarbanes-Oxley
– Homeland Security Initiatives
– Federal Information Security Management Act
– Federal Audit Requirements for agencies carrying out federal programs – Circular A-87 and A-133
FISMA Highlights: §3544(b) - Agency Security Program
• Federal Information Security Management Act (FISMA)
– Title III of E-Government Act of 2002
– Applies to all federal agencies and 3rd parties (states and localities) dealing with federal data and carrying out federal programs
• FISMA Security Program Requirements
– Periodic risk assessments
– Policies and procedures
– Subordinate plans for networks, systems
– Security awareness training
– Periodic testing and evaluation of policies, procedures and practices
– Remediation program for security weaknesses
– Procedures for incident detection, reporting & response
– Plans and procedures for continuity of operations
Complexity Leads to Vulnerability
Diagram: data exchanges and gateways between Federal Depts. (Health/Human Serv., Education, Homeland Sec., Commerce, Transportation, Treasury/IRS, Interior, Energy), State HHS Agencies, State Agencies, State & Local Public Safety & Educ, State and Local Law Enforcement, and Local, K-12 and Higher Ed entities (Town, City, High School, College).
• Who is securing all of these exchanges and gateways?
A State Government’s Myriad Interfaces
Number of interfaces by segment and counterpart (a "-" marks a cell that is blank in the original):

Segment               Federal  Other States  Intra State  Local  K-12  Business  Citizen  Total
Transportation             13            49           22    128     -        22       24    258
HHS                        43            49           28    128     -        79       67    394
Fin & Admin                32             -           30    128     -        27       15    232
Education                  17             -            9      -   207         6       10    249
Courts & Pub Safety        49            49           70    128     -        52       60    408
Natural Resources          26             6           20      -     -        39       25    116
Public Works                9             -            5      -     -        12       13     39
Other/Econ Develop         17             -            9      -     -        15        9     50
Total                     206           153          193    512   207       252      223  1,746
Program Interface Example
Child Support Enforcement Interfaces
Diagram: a child support enforcement program exchanges data with the following record holders:
• Financial Institutions
• Employer Records
• Personal Property Tax Records
• State, Local & Fed Tax Records
• Passports
• Insurance Companies
• Business Tax Records
• DMV & Vehicle Records
• Hunting & Fishing Licenses
• Professional Licenses & Business Licenses
• Cell Phone & Cable Provider Records
• Unemployment Records
• Court Records
• Military Records
• Financial Aid Records
Security Life Cycle Approach
Diagram: a cycle driven by Changing Business Drivers and Regulatory/Governance Drivers, moving through Business Priority, Policy/Procedures/Process and Operational/Architectural Controls, with these activity groups:
• Compliance Account Reporting, Key Business Indicators, Business Continuity
• Reviews, Programs, Assessments
• Prevention, Remediation, Asset Management, Infrastructure Mgmt./Monitoring
Across-All-Borders Security Program
Diagram: three scopes (Intra-agency, Inter-agency/gov’t, Beyond CA Gov’t Borders) laid over three tiers (Enterprise Core, Cross Enterprise, Carrier Network Cloud), with the following capability groups:
• Event data collection, event data normalization, event consolidation, behavioral models
• Global activity monitoring, early warning system, fraud correlation, Internet outage correlation, dark space analysis
• Threat correlation, source correlation, dynamic prioritization
Current State & Agency Trends & Approaches
• Statewide and Agency CISO Appointments
• Enterprise Security Architecture & Policies
• Assessments and Compliance
– External Resources (Centralized & Federated Models)
– State Auditors
• Business Case based on program/agency risk
– The most successful link the security issues with business impact at the agency or program level
» Demonstrate business risks
» Demonstrate quantifiable consequences
» Demonstrate other losses (citizen trust, damage to reputation, etc.)
» Highlight benefits of IT security and where risk will be reduced
Develop an Ongoing Security Program
– Quick assessment or scorecard that identifies the most pressing risks and vulnerabilities first
» Gives CIO & CISO a starting point, can start to show progress quickly
» Prioritize, plan and budget the ongoing program
» High level way to articulate the risks to business and program execs.
– Bring together key stakeholders to develop policies and define roles & responsibilities
» Agency business owners, auditors, IT managers, etc.
» Agencies need to help assess program risk and support programs to reduce risks
» Large agency CISOs and CIOs should help drive and lead the process
– Build and fund the business case for an ongoing program
» Ongoing periodic assessments and compliance based on risk and business need
» Policy review and updates as technology and the business changes
» Ongoing funding streams