Enterprise Cybersecurity Strategy
LaVerne H. Council, Assistant Secretary for Information and Technology
Topics
• Creating an IT Organization that Supports Tomorrow’s VA
• Facing Our Challenges with TrAITs
• Closer Look: VA’s Enterprise Cybersecurity Strategy
OI&T’s Leadership is Moving VA into the Future
Facing Our Challenges with TrAITs
“It’s our mission that the Veteran will be the vocal initiator driving every project, every decision for OI&T”
Why TrAITs
• TrAITs remind us to ask:
– How will the Veteran benefit from this piece of technology or this new decision?
– What benefit will this bring to a Veteran or their family?
Facing Our Challenges with TrAITs
Transparency
Facing Our Challenges with TrAITs
Innovation
Teamwork
“VA continues to face significant challenges in complying with the requirements of FISMA due to the
nature and maturity of its information security program.”
- Office of Inspector General, Federal Information Security Management Act Audits
Closer Look: VA’s Cybersecurity Strategy
Cyber Strategy Summary
• Today’s IT security organizations operate under tremendous threat
• Recent OPM attacks demonstrate significant risk to VA
• OI&T is leading the way with aggressive strategic planning and emphasis on Veteran-focused initiatives
Enterprise Cybersecurity Strategy Team
“Nothing in IT is more important than protecting VA data and the information entrusted to us by Veterans.”
– LaVerne Council, Assistant Secretary for Information and Technology and Chief Information Officer
Enterprise Cybersecurity Strategy Team
Governance, Program Management, and Risk Management
• Key supporting disciplines for decision-making across VA within context of cybersecurity and privacy
• Balances needs of VA’s mission with protecting high value assets
• Includes continuous scanning of cybersecurity landscape to proactively position VA to address emerging threats
• Addresses risks, deficiencies, breaches, and lessons learned
Operations, Telecommunication, and Network Security
• Key supporting disciplines for securing VA information, data, and computing assets
• Includes people, products, and procedures to ensure data confidentiality, integrity, availability, assured delivery, and auditability of VA systems
• Addresses network, platform, and data security
Application and Software Development
• Disciplines needed to ensure applications used during provision of services to Veterans utilize the most secure practices for data storage, access, manipulation, and transmission
• Encompasses entire software lifecycle
• Software assurance, that is, the level of confidence VA software is free of vulnerabilities or defects that could lead to vulnerabilities, is a critical concern
Access Control (AC), Identification and Authentication (IA)
• Disciplines for reducing likelihood and impact of security incidents
• AC combines authentication and authorization processes that allow access to VA networks, hardware computing devices, and applications
• IA verifies a user, process, or device through specific credentials such as passwords, tokens, and biometrics as a prerequisite for granting access to system resources
Medical Cyber
• Focuses on devices not traditionally considered IT that can be networked or accessed electronically
• Must be protected from exploitation and from becoming operable vectors for cyberattacks as they collect and transmit PII and PHI
• Includes medical devices and “cyber physical” systems with similar electronic characteristics, such as HVAC and elevator systems
Security Architecture
• Key supporting disciplines for developing an enterprise information security architecture
• Supports business optimization
• Includes design and engineering skills needed to fully integrate security into VA’s overall business, applications, and IT systems architecture
Privacy
• Policy and legislatively driven requirements for PII and PHI
• Focused on implementing the “Best Practices: Elements of a Federal Privacy Program,” published by the Federal CIO Privacy Committee
Cybersecurity Training and Human Capital
• Hiring practices and skills maturation needed to create a workforce steeped in a culture of cybersecurity to proactively protect all data and information of the Veterans we serve
Enterprise Cybersecurity Strategy Team
• ECST will construct an accountable, actionable, near-, mid-, and long-range cybersecurity strategic plan that continuously considers and adapts to the newest technologies to secure VA’s IT enterprise.
o Identifying and addressing:
– Strengths
– Weaknesses
– Resources
– Constraints
– Capabilities
– Drivers
– Known and unknown threats
Questions?