
www.vita.virginia.gov

IT Risk Management in Government

Jonathan Smith, Sr. Risk Manager

Commonwealth Security and Risk Management

October 1, 2013


Agenda

• Introduction
• Background
  – Virginia Information Technologies Agency
  – Commonwealth Security and Risk Management
  – Information Security and Reporting
• Measuring Commonwealth Risk
• Governance, Risk Management, and Compliance


Virginia Information Technologies Agency

• Statewide IT infrastructure for in-scope government entities

• Prior to VITA there were 90+ independent autonomous IT shops

• IT infrastructure partnership (Commonwealth of Virginia & Northrop Grumman)

• Approx. 58,000 PCs, 3,500 servers, 60,000 accounts, over 2,000 circuits and 2 data centers

• Centralized oversight of IT projects, security, procurement, standards, policy and procedures


Commonwealth Security and Risk Management

Security Operations
• Operations and architectural design

Security Governance
• Policies, standards and procedures
• IT security audit program
• VITA ISO duties

Risk Management
• Commonwealth Risk Management program
• Business impact analysis
• Risk assessments
• IT security incident response


§ 2.2-2009. Additional duties of the CIO relating to security of government information.

C. The CIO shall annually report to the Governor, the Secretary, and General Assembly those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch or independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to (i) the Secretary, (ii) any other affected cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts. Upon review of the security audit results in question, the CIO may take action to suspend the public body's information technology projects pursuant to § 2.2-2015, limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor and Secretary any other appropriate actions.

The CIO shall also include in this report (a) results of security audits, including those state agencies, independent agencies, and institutions of higher education that have not implemented acceptable regulations, standards, policies, and guidelines to control unauthorized uses, intrusions, or other security threats and (b) the extent to which security standards and guidelines have been adopted by state agencies.


Annual Report on Information Security

Assessment of the Commonwealth information security program:
• Legislative requirement beginning in 2008
• CIO annually reports to the Governor, Cabinet Secretaries, and General Assembly on:
  – Agency Information Security Programs
  – Agency Risk Management Programs
  – Agency IT Security Audit Programs
  – Commonwealth Operational Security
  – IT Security Incidents


Understanding Commonwealth Risk

• Business Impact Analysis:
  – Identify primary and critical organizational business processes
  – Identify the IT systems those business processes rely on
  – Identify Recovery Time Objectives (RTO)
  – Identify Recovery Point Objectives (RPO)
  – Rate the business process for availability
• Impact on life, safety, legal requirements, regulations, customer service and sensitive data if the business process or the IT systems supporting it are unavailable.


Understanding Commonwealth Risk

• Risk Assessments:
  – Identify the sensitivity of the IT system (confidentiality, integrity, and/or availability)
  – Assess the implementation of controls
  – Identify threats and potential risks
  – Rate the risks
  – Determine the probability of threat occurrence
  – Determine the potential impact if the threat occurs
  – Identify mitigating controls
  – Determine and implement mitigating controls
  – Determine residual risk: create findings and corrective actions when residual risk is too high


Understanding Commonwealth Risk

• IT Security Audits (Internal Audit, APA audit, external contractor):
  – Identify security audit findings
  – Create corrective action/remediation plans for findings
  – Track the remediation of the findings until closed
  – Validate remediation
• Vulnerability Scanning
• Operational findings


What have we learned from the Annual Report?


• IT security and audit resources are not adequate across the Commonwealth as a whole
• Agencies are not properly planning for information security requirements
• Unless agency executives understand the impact of the risk they carry, the decisions they make could result in adverse consequences


Next steps for CSRM

• Moving to a risk-based information security program

• Currently implementing a Governance, Risk Management and Compliance (GRC) tool

• Make risk recommendations for where to invest resources across the Commonwealth

• Adhere to a set level of risk tolerance across the Commonwealth


How Does CSRM Measure Agency Risk?

• Risk levels are primarily based on findings
  – Findings can come from any source: security audit, risk assessment, operational data, etc.
• Finding criticality level is based on several factors, for example:
  – Business process criticality level
  – Confidentiality of the data
  – Criticality of the application affected
  – Likelihood of occurrence
  – Magnitude of impact
  – Length of time the finding has been open
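The two procedures above, the risk-assessment steps (rate likelihood and impact, account for implemented controls, open a finding when residual risk is too high) and the finding-criticality factors on this slide, as an added Python example. This is illustrative code written for this page, not CSRM's or VITA's methodology and not the GRC tool's scoring. The 1-3 rating scales, the residual-risk tolerance, the age multiplier, the criticality bands, the agency tolerance and the sample findings are all assumptions constructed for the example.

```python
"""Added example (not CSRM's or VITA's own methodology): score individual
findings on the factors the slides list, roll them up per agency, and flag
agencies over an assumed risk tolerance. All scales, weights and thresholds
here are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed ordinal scale for every rating: 1 = low, 2 = moderate, 3 = high.


@dataclass(frozen=True)
class Finding:
    finding_id: str
    agency: str
    source: str               # "audit", "risk_assessment", "scan", "operational", ...
    process_criticality: int  # criticality of the business process (from the BIA)
    data_sensitivity: int     # confidentiality rating of the data involved
    app_criticality: int      # criticality of the affected application
    likelihood: int           # probability of the threat occurring
    impact: int               # magnitude of impact if it occurs
    opened: date
    closed: Optional[date] = None


def inherent_risk(likelihood: int, impact: int) -> int:
    """Likelihood x impact on the 1-3 scales gives 1 (low) .. 9 (high)."""
    return likelihood * impact


def residual_risk(likelihood: int, impact: int, control_effectiveness: float) -> float:
    """Risk left after mitigating controls. control_effectiveness is the assumed
    fraction (0.0-1.0) of inherent risk that the implemented controls remove."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent_risk(likelihood, impact) * (1.0 - control_effectiveness)


RESIDUAL_TOLERANCE = 3.0  # assumed: residual risk above this must become a finding


def needs_finding(likelihood: int, impact: int, control_effectiveness: float) -> bool:
    """Risk-assessment outcome: open a finding when residual risk is too high."""
    return residual_risk(likelihood, impact, control_effectiveness) > RESIDUAL_TOLERANCE


def exposure_weight(f: Finding) -> float:
    """Context multiplier in (0, 1]: the three criticality/sensitivity ratings
    summed over their maximum, so a finding on a critical process handling
    sensitive data counts fully and a low-value one is discounted."""
    return (f.process_criticality + f.data_sensitivity + f.app_criticality) / 9.0


def age_multiplier(f: Finding, today: date) -> float:
    """Findings left open grow in weight: +1% per day, capped at 2x after 100 days."""
    end = f.closed if f.closed is not None else today
    days_open = max((end - f.opened).days, 0)
    return 1.0 + min(days_open, 100) / 100.0


def finding_score(f: Finding, today: date) -> float:
    return inherent_risk(f.likelihood, f.impact) * exposure_weight(f) * age_multiplier(f, today)


def criticality_level(score: float) -> str:
    """Assumed bands on the 0-18 score range."""
    if score >= 9.0:
        return "critical"
    if score >= 5.0:
        return "high"
    if score >= 2.0:
        return "moderate"
    return "low"


def agency_risk(findings: List[Finding], today: date) -> Dict[str, float]:
    """Sum the scores of findings still open on `today`, per agency."""
    totals: Dict[str, float] = {}
    for f in findings:
        if f.closed is not None and f.closed <= today:
            continue  # remediation validated and closed: no longer carried
        totals[f.agency] = totals.get(f.agency, 0.0) + finding_score(f, today)
    return totals


def agencies_over_tolerance(findings: List[Finding], today: date, tolerance: float) -> List[str]:
    return sorted(a for a, total in agency_risk(findings, today).items() if total > tolerance)


# Constructed sample data, not real Commonwealth findings.
AS_OF = date(2013, 10, 1)
SAMPLE_FINDINGS = [
    Finding("F-001", "Agency A", "audit", 3, 3, 3, 3, 3, date(2013, 1, 15)),
    Finding("F-002", "Agency A", "scan", 1, 1, 2, 2, 1, date(2013, 9, 20)),
    Finding("F-003", "Agency B", "risk_assessment", 2, 2, 2, 2, 2, date(2013, 6, 1), date(2013, 8, 1)),
    Finding("F-004", "Agency B", "operational", 2, 3, 2, 1, 2, date(2013, 9, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        s = finding_score(f, AS_OF)
        print(f"{f.finding_id} {f.agency:9} {s:6.2f} {criticality_level(s)}")
    print(agency_risk(SAMPLE_FINDINGS, AS_OF))
    print("over tolerance (10.0):", agencies_over_tolerance(SAMPLE_FINDINGS, AS_OF, 10.0))
```

Two design points matter more than the particular numbers: a closed finding drops out of the agency total only once its closure date has passed, which is what lets the roll-up show remediation progress over time, and the age multiplier means an unremediated finding on a critical system keeps raising an agency's total until it crosses the tolerance line, which is the trigger for the investment-restriction recommendation the later slides describe.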


Governance, Risk Management and Compliance (GRC) Tool

Why GRC?
• Integrate the existing IT security programs and processes into a single centralized tool
• Provide a better understanding of the risks that Commonwealth agencies carry
• Give agency and Commonwealth executives an understanding of where resources should be allocated to manage risk


Governance, Risk Management and Compliance (GRC) Tool

What is captured in the GRC tool?
• Business Processes
• Applications
• IT Security Audit Program Information
• Risk Assessments
• Findings
• Remediation Plans
• IT Security Incidents
• Security Exceptions


Additional Benefits of a GRC tool

• Advanced Reporting
• Dashboards
• IT Asset Inventory
• Control & Policy Library
• Questionnaires/Assessments


What will CSRM do with the tool?

• Enhance reporting capabilities
  – Identify agencies carrying too much risk
  – Monitor remediation of risk at agencies
  – Show progress of agencies remediating risk
  – Identify operational issues increasing agency risk
• Make recommendations based on risk
  – Recommendations to the AITR, ISO, agency head, secretary, and/or Commonwealth CIO
  – Can include a recommendation to restrict IT investments until acceptable remediation is in place, underway, planned, or complete


What Challenges Has CSRM Faced?

• Normalizing data
  – Data comes from multiple sources:
    • Agency ISO
    • Agency Internal Audit
    • Agency Information Technology Department
    • Infrastructure partnership
    • Other VITA data sets
• Agency “buy-in”
• User training


Questions?


Jonathan Smith
Senior Risk Manager
Commonwealth Security and Risk Management
Virginia Information Technologies Agency (VITA)
Jonathan.M.Smith@Vita.Virginia.Gov
CommonwealthSecurity@Vita.Virginia.Gov
