Prepared: October, 2005 1
Ann Garrett, State Chief Information Security Officer
Statewide Security Update
October 25, 2005
Information Technology Advisory Board
Agenda
2004 - Security Assessment Results
Consequences of Assessment
Statewide Security Initiatives Program
1. Improve Network Security Defenses
2. Improve Wireless Network Security
3. Improve Risk and Business Continuity Management
4. Complete Statewide Security Standards Framework
5. Improve Security Awareness & Training
6. Statewide Approach to Security Tools: Anti-Virus and Anti-Spyware
Questions
2004 Security Assessment Scoring Distribution
Score level                            | Poor | Minimal/Fair | Solid | Superior
Planned Security Practices (Quality)   | 16%  | 60%          | 20%   | 4%
Actual Security Practices (Execution)  | 12%  | 52%          | 36%   | 0%
2004 Security Assessment Scoring Summary
Note: The circle indicates the State average for the agencies assessed in the study
[Scatter chart: x-axis "Planned Security Practices (Quality)", y-axis "Actual Security Practices (Execution)"; both axes run from 1 to 4 (ticks at 1, 2.5 and 4) across the bands Poor, Minimal, Fair, Solid and Superior; the plot is annotated "Weaker Posture" and "Stronger Posture"]
2004 Security Assessment Statewide Average Scores by Category
[Bar chart: Average Quality, Average Execution and Optimal Score for each of the following categories]
Security Policies, Standards and Procedures
Organizational Security
Asset Classification and Control
Personnel Security
Physical Security
Communications and Operations Management
Access Administration
Access Technology
Applications Development and Maintenance
Business Impact/Continuity Management
Compliance
Opportunities for Improvement
Insufficient Funding (~100%)
Insufficient Staffing (84%)
Lack of Security Training & Experience (76%)
Outdated Desktop Operating Systems (72%)
Outdated and Missing Business Continuity Plans (69%)
Gaps in Agency Network Security Defense (64%)
Deficient Policies, Standards, and Procedures (60%)
Consequences: Statewide Significance
Assessment provided a baseline for metrics and a roadmap for planning improvements
Increased awareness at all levels of government of the importance of information security
Flexible assessment tool that can be used in years to come
Cost savings
Legislative Response
LAW PASSED IN JULY 2004 (SB991)
Shifted responsibilities from the IRMC to the State CIO and the ITAB
Gave State CIO clearer authority in project approval and management, procurement and establishment of security standards
Established a statewide IT Fund and appropriated $4.8 million for 2004-2005; $3 million appropriated for security assessment and remediation
Statewide Security Responsibilities
SCIO Security Responsibilities:
Set statewide security standards
Monitor and assess agency compliance
Oversee information security incidents
Information security considered in project management cycle
Select and deploy enterprise security technology
Oversee security procurements
Provide security education and training
Statewide Security Initiatives
1. Improve network security defenses
2. Improve wireless network security
3. Improve risk management and business continuity planning
4. Complete statewide security framework (policies, procedures, standards and architecture)
5. Improve enterprise security awareness and training
6. Statewide approach to Anti-Virus/Anti-Spyware
Statewide Security Initiatives
#1 Improve Network Security Defenses – (Next Generation Network (NGN), Firewalls, Intrusion Prevention System (IPS), NCID)
Implementing NGN with agency pilots
MPLS – Multi-protocol label switching
ESAP – Enterprise Service Access Point(s)
Approved Intrusion Protection System (IPS) project, RFP in process
State Network
2,500 remote sites
Public Network
Internet Pipes = Multiple Gigabit Ethernet Connections
Perimeter Defenses (Firewalls, IDS/IPS and ITS Hosted Zones IPS/IDS)
Centralized Security Incident Management, NC Information Sharing Analysis Center
Next Generation Network (NCIN3) Goals
Enhance Network Availability (99.99)
• Reliable, Manageable, Scalable
Enhance Security
• Establish Layers of Security Controls
Enable Quality of Service features
• Differentiated Service Offerings
Enterprise Services Access Point (ESAP) Model
[Diagram: Multi-Agency ESAP Model. Elements shown: agencies DOC, DOT, DHHS and ESC; DOC ESAP and DOC Security; DOC inter-agency connection and DOC Internet connection; Public Access, Public and Private zones; DOC Division 1 vrf and DOC Division 2 vrf; WWW servers, DB servers and private servers]
Statewide Security Initiatives
#2. Improve Agency Border/Perimeter Defense – Wireless
Conducted Agency Wireless Survey 01/05
Formed Agency Wireless Focus Group
Updated ‘Wireless Security IEEE 802.11 Communications Policy’ issued 2/15/05
Project underway to build a prototype to deploy a secure wireless environment using 802.1X and WPA2 at ITS
Statewide Security Initiatives
#3. Improve Risk Management and Business Continuity Planning
Developed Risk Assessment Tool
Purchased Strohl Business Impact Analysis and Business Continuity Planning software for all executive branch agencies (available to locals thru ITS at reduced price)
Trained agencies in Fall ‘04
Agencies complete Business Impact Analysis (BIA’s) in March ‘05
Consistent statewide approach for business continuity management
Statewide Security Initiatives
#4. Complete Statewide Security Standards Framework
Purchased ISO 17799 Policy Tool Kit 07/04 and updates in 07/05
Formed Agency Standards/Policy Focus Groups
Awarded RFP to Ciber to complete standards framework with training materials 11/04.
Chapters in review cycle, rollout is in progress
All Statewide Security Standards/Policies are on http://www.scio.state.nc.us
Statewide Security Initiatives
July 2004 to June 2005 Enterprise Training Plan
Course                                    | Course Dates  | Number of Attendees | Hours of Training per Person | Cost (K$)
Strohl Business Impact Analysis Training  | October 2004  | 95                  | 16                           | $11.5
Strohl BIA Workshop                       | January 2005  | 22                  | 1                            | -
How to be an Effective Security Liaison   | January 2005  | 73                  | 16                           | $52.9
Strohl BIA Workshop                       | February 2005 | 37                  | 1                            | -
Creating Information Security Awareness   | February 2005 | 67                  | 16                           | $53.0
Strohl BIA Workshop                       | March 2005    | 28                  | 1                            | -
CISSP Prep Class                          | March 2005    | 47                  | 40                           | $62.9
Defense in Depth Conference               | May 2005      | 181                 | 8                            | $115.9
Total                                     |               | 535                 | -                            | $296.20
Statewide Security Initiatives
#5. Improve Enterprise Security Training & Awareness
July 2005 to June 2006 Enterprise Training Plan
Course                                                  | Course Dates          | Number of Attendees | Hours of Training per Person | Cost (K$)
Patch Management – Software Vulnerability Mitigation    | Oct. 11 – 12, 2005    | 51                  | 16                           | $43.7
A Structured Approach to Incident Response              | Jan 17 – 19, 2006     |                     |                              |
Identity Management                                     | March 21 – 23, 2006   |                     |                              |
Information Security Essentials Conference              | April 26, 2006        |                     |                              |
Other Security Training                                 | TBD                   |                     |                              |
Total                                                   |                       | 51                  | -                            | $43.7
Statewide Security Initiatives
#6 Statewide Approach to Anti-Virus and Anti-Spyware
Use statewide consolidated purchasing power and authority to:
Lower overall statewide AV/AS costs and derive more value from these solutions while providing greater AV/AS protection to state agencies
Offer similar AV/AS pricing to all executive branch agencies as well as local government units, community colleges, and public schools (based on support option)
Simplify AV/AS administration through an integrated solution
Enterprise Security Infrastructure…
Is a key element of consolidation: Integrating IT infrastructure services (network, hosting, access etc.) through an enterprise-wide risk management approach improves security and enables cost efficiencies
Why: Consistent approach to
Threats
Technology
Business Drivers
Users
Vendors
Education