INFORMATION SECURITY GOVERNANCE
Texas Comptroller of Public Accounts
Dave Gray, CyberSecurity Program Manager
DIR Information Security Forum - May 2015
AN AGENCY’S EVOLUTION TOWARDS SECURITY MATURITY
Who is Dave Gray ?
Certifications: CISSP, PMP, CAP, Security+, ITIL, CEH, EnCE, MCSE, MCSA
1999-2006 – Texas Army National Guard: Unit Commander, National Guard CERT Team Pilot Program (1 of 5); Information Assurance Manager
2006-2008 – US Army Computer Emergency Response Team (CERT): National Guard Detachment Commander, Fort Belvoir, Washington, DC
2008-2011 – Texas Army National Guard: Information Technology Operations Manager; Senior Information Assurance Officer (SIAO / CISO)
2011-2014 – Texas Comptroller of Public Accounts: Senior Information Security Risk Analyst (Consultant)
2014-Present – Texas Comptroller of Public Accounts: CyberSecurity Program Manager
The Information Security Challenge
Information security
The biggest challenge for an information society
Organizations
Are unique in their security requirements
Are unique in their level of information security maturity
Have different starting points for securing data and information
The InfoSec Journey
Progress over Perfection
Where to start?
Executive Leadership
Adopt Governance Frameworks
Policies and Standards
Subject Matter Experts
Self-Assessment
Strategy
Information Security Roles
Security roles described in the Texas Administrative Code (TAC)
Agency Head (Executive Leadership)
Designated Information Security Officer (ISO or CISO)
Information Owner (i.e. Business Owner)
Information Custodian (i.e. “IT”)
User
CEO Perspective of InfoSec
“The InfoSec tugboat is plenty big enough to push the agency to better information security”
Agency Barge
CISO Perspective of InfoSec
“The InfoSec tugboat is barely big enough to guide the agency to better information security”
Agency Battleship
Staff Perspective of InfoSec
“We’re going to need a bigger boat”
Agency Iceberg
Information Security Governance
Agenda:
What is Information Security Governance?
Sample Governance Milestones
Organizing Security Processes
Create a Foundation
Know Your Data
Strategize & Prioritize
Apply Frameworks
Certify & Authorize
Measure
What is Information Security Governance?
Enterprise risk management policies, standards and procedures
Continuous monitoring for proper implementation
Ensures accountability, fairness, and transparency
Serves as a system of checks-and-balances
[Layered diagram] Information Security Governance rests on:
Policies, Standards & Procedures
Compliance Requirements (TAC, IRS, FISMA, HIPAA, etc.)
Texas CyberSecurity Framework
National Institute of Standards & Technology Framework
Governance Foundation
Sample Governance Milestones
SGC – Security Governance Council
ISSP – Information Security Strategic Plan
IPPS – Information Protection Policies & Standards
SIP – Security Initiatives Program
GSS – General Support Systems
MA – Major Applications
C&A – Certification & Authorization
SAP – Security Authorization Package
POAM – Plan of Actions & Milestones
ASP – Agency Security Plan (Performance Scorecard)
One Agency’s Approach
Pre-2012: Independent Assessment; CISO Office; CPO Office
2012: Security Initiatives; Security Council; Data Loss Prevention; Separation of Duties; NIST Adopted; Pen Test
2013: Certification & Authorization; System Delivery Lifecycle; Risk Mgmt Framework; SIEM / SETA; Enhanced Firewall; IT Operations Security Division; Plan of Action & Milestones; NIST Policy Alignment; Pen Test
2014: General Support Systems; Managed Security; Agency Security Plan; Office 365; Email Encryption; Independent Assessment
2015: Security Policy Published; Security Strategy Published; Procedure Verification; Identity Access Mgmt Assessment; Data Classification; Inventory Asset Mgmt; Configuration Mgmt
Organizing Security Processes
[Org chart]
Chief Information Security Officer (CISO)
Deputy CISO & Privacy Officer
EA
CyberSecurity Program Manager
Security functions: Continuity of Operations; Enterprise Risk Management; Incident Response; Data Loss Prevention; Regulatory Compliance; Certification & Authorization; Security Education Awareness; Privacy
Know Your Data
[Diagram: where the agency's data lives and how it moves]
Locations and external parties: NSOC, IRS, Agency 1, Agency 2, Agency 3, San Angelo, PCI B2B, DR Site, Field Offices, Leased Facilities
Systems and data: SQL Server, Accounting, City Data, County Data, Mainframe, Financial Transactions, PII, ACH
Endpoints and channels: USB, PDA, Cell Phones, Tablets, Laptops, BYOD, VPN, FTP, Email
Strategize & Prioritize
[SAMPLE prioritization matrix: initiatives plotted by Importance against Urgency; status legend: complete, in flight, planned]
Initiatives plotted:
Policy and Standards
InfoSec Strategy
Disaster Recovery
Information Security Continuous Monitoring
Role Based Access Controls
Data Loss Prevention
Web Application Firewall
Network Zoning
Managed Security Services
Configuration Management
Identity Access Management
Business Continuity
Security Education
Data Classification
Apply Security Frameworks
Select: e.g. National Institute of Standards and Technology (NIST)
Tailor: select Classes, Families, Controls
Document: policy and standards for each control
Communicate: policies & standards
Align: procedures to policy & standards
Policy & Standards
SMART: Specific, Measurable, Attainable, Relevant, Time Framed
Procedures
Procedure Essential Elements:
Table of Contents
Purpose
Author
Audience
Summary
Limitations
Documented (i.e. logging)
Compliance measurement
Approval
Related policies, standards and procedures
Header/footer with version # and effective date
Maturity level
Risk Management Framework aligned to System Development Life Cycle (SDLC)
[Cycle diagram: RMF step → SDLC phase]
CATEGORIZE Information System → Initiation & Acquisition
SELECT Security Controls → Development
IMPLEMENT Security Controls → Implementation
ASSESS Security Controls → Implementation
AUTHORIZE Information System → Operation
MONITOR Security Controls → Maintenance
SDLC Disposal closes the cycle
[Diagram: Governance, Framework Aligned]
Governance: Direction
Policy: Guidance & Oversight
Standards: Acceptable Criteria, Measures
Procedures: Measurable Steps
Performance
Certification & Authorization
General Support Systems (GSS) Active Directory, Data Center, Network etc.
Major Applications (MA) ERP, HR, etc.
Security Authorization Package (SAP):
Executive Overview
System Security Plan (SSP)
Plan of Actions & Milestones (POAM)
Authorization to Operate (ATO)
[Maturity model diagram; tiers labelled Staff, Management, Exec Mgmt]
5 Optimized: Focusing on ways to improve, efficient, cost-effective
4 Managed: Established risk management framework, integrates improvements
3 Defined: Documented, detailed, compliant procedures exist
2 Repeatable: Consistent, repeatable, mostly undocumented, reactive practices
1 Initial: Ad hoc, reactive, inconsistent
0 Non-Existent: Procedures do not exist
Measure
Maturity Metrics
Identify
1. Privacy & Confidentiality
2. Data Classification
3. Critical Information Asset Inventory
4. Enterprise Security Policy, Standards and Guidelines
5. Control Oversight and Safeguard Assurance
6. Information Security Risk Management
7. Security Oversight and Governance
8. Security Compliance and Regulatory Requirements Mgmt
9. Cloud Usage and Security
10. Security Assessment and Authorization
11. External Vendors and Third Party Providers
Protect
12. Enterprise Architecture, Roadmap & Emerging Technology
13. Secure System Services, Acquisition and Development
14. Security Awareness and Training
15. Privacy Awareness and Training
16. Cryptography
17. Secure Configuration Management
18. Change Management
19. Contingency Planning
20. Media
21. Physical and Environmental Protection
22. Personnel Security
23. Third-Party Personnel Security
24. System Configuration & Patch Management
25. Access Control
26. Account Management
27. Security Systems Management
28. Network Access and Perimeter Controls
29. Internet Content Filtering
30. Data Loss Prevention
31. Identification & Authentication
32. Spam Filtering
33. Portable & Remote Computing
34. System Communications Protection
Detect
35. Vulnerability Assessment
36. Malware Protection
37. Security Monitoring and Event Analysis
Respond
38. Cyber-Security Incident Response
39. Privacy Incident Response
Recover
40. Disaster Recovery Procedures
Security Maturity Scorecard
Submitted with Biennial Agency Security Plan (ASP)
Grades CPA on process (i.e. procedure) maturity:
0 – Non-Existent (procedures do not exist)
1 – Initial (ad hoc, inconsistent practices)
2 – Repeatable (mostly undocumented, reactive practices)
3 – Defined (documented procedures exist)
4 – Managed (procedures reflect the Risk Management Framework)
5 – Optimized (procedures continually evaluated for improvement)
Communicate Scores to Exec
[Bar chart: maturity score (0.00 to 5.00) for each of the 40 security areas listed above]
Security Success
Security Governance Established
Governance Milestones Achieved
Security Processes in Place
Building Upon a Solid Foundation
Data Identified and Inventoried
Strategy in Place
Frameworks Applied
Systems Certified & Authorized
Information Security Continuous Monitoring Established
Contact Information
Dave Gray, CyberSecurity Program Manager
512-475-0911 / 512-913-0613
[email protected]
www.linkedin.com/in/davidleegray
CPA Information Security
512-936-5671
[email protected]