Transcript
Page 1: Enterprise Cybersecurity Strategy LaVerne H. Council Assistant Secretary for Information and Technology

Enterprise Cybersecurity Strategy

LaVerne H. Council

Assistant Secretary for Information and Technology

Topics

• Creating an IT Organization that Supports Tomorrow’s VA

• Facing Our Challenges with TrAITs

• Closer Look: VA’s Enterprise Cybersecurity Strategy

OI&T’s Leadership is Moving VA into the Future

Facing Our Challenges with TrAITs

“It’s our mission that the Veteran will be the vocal initiator driving every project, every decision for OI&T”

Why TrAITs

• TrAITs remind us to ask:

– How will the Veteran benefit from this piece of technology or this new decision?

– What benefit will this bring to a Veteran or their family?

Facing Our Challenges with TrAITs

Transparency

Facing Our Challenges with TrAITs

Innovation

Teamwork

Closer Look: VA’s Cybersecurity Strategy

“VA continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program.”

- Office of Inspector General, Federal Information Security Management Act Audits

Cyber Strategy Summary

• Today’s IT security organizations operate under tremendous threat

• Recent OPM attacks demonstrate significant risk to VA

• OI&T is leading the way with aggressive strategic planning and emphasis on Veteran-focused initiatives

Enterprise Cybersecurity Strategy Team

“Nothing in IT is more important than protecting VA data and the information entrusted to us by Veterans.”

– LaVerne Council, Assistant Secretary for Information and Technology and Chief Information Officer

Enterprise Cybersecurity Strategy Team

Governance, Program Management, and Risk Management

• Key supporting disciplines for decision-making across VA within context of cybersecurity and privacy

• Balances needs of VA’s mission with protecting high value assets

• Includes continuous scanning of cybersecurity landscape to proactively position VA to address emerging threats

• Addresses risks, deficiencies, breaches, and lessons learned

Operations, Telecommunication, and Network Security

• Key supporting disciplines for securing VA information, data, and computing assets

• Includes people, products, and procedures to ensure data confidentiality, integrity, availability, assured delivery, and auditability of VA systems

• Addresses network, platform, and data security

Application and Software Development

• Disciplines needed to ensure applications used during provision of services to Veterans utilize the most secure practices for data storage, access, manipulation, and transmission

• Encompasses entire software lifecycle

• Software assurance, that is, the level of confidence VA software is free of vulnerabilities or defects that could lead to vulnerabilities, is a critical concern

Access Control (AC), Identification and Authentication (IA)

• Disciplines for reducing likelihood and impact of security incidents

• AC combines authentication and authorization processes that allow access to VA networks, hardware computing devices, and applications

• IA verifies a user, process, or device through specific credentials such as passwords, tokens, and biometrics as a prerequisite for granting access to system resources

Medical Cyber

• Focuses on devices not traditionally considered IT that can be networked or accessed electronically

• Must be protected from exploitation and from becoming operable vectors for cyberattacks as they collect and transmit PII and PHI

• Includes medical devices and “cyber physical” systems with similar electronic characteristics, such as HVAC and elevator systems

Security Architecture

• Key supporting disciplines for developing an enterprise information security architecture

• Supports business optimization

• Includes design and engineering skills needed to fully integrate security into VA’s overall business, applications, and IT systems architecture

Privacy

• Policy and legislatively driven requirements for PII and PHI

• Focused on implementing the “Best Practices: Elements of a Federal Privacy Program,” published by the Federal CIO Privacy Committee

Cybersecurity Training and Human Capital

• Hiring practices and skills maturation needed to create a workforce steeped in a culture of cybersecurity to proactively protect all data and information of the Veterans we serve

Enterprise Cybersecurity Strategy Team

• ECST will construct an accountable, actionable, near-, mid-, and long-range cybersecurity strategic plan that continuously considers and adapts to the newest technologies to secure VA’s IT enterprise.

– Identifying and addressing:

  • Strengths

  • Weaknesses

  • Resources

  • Constraints

  • Capabilities

  • Drivers

  • Known and unknown threats

Questions?

