Prepared: October, 2005 1

Ann Garrett, State Chief Information Security Officer

Statewide Security Update

October 25, 2005

Information Technology Advisory Board

Agenda

2004 Security Assessment Results
Consequences of Assessment
Statewide Security Initiatives Program
1. Improve Network Security Defenses
2. Improve Wireless Network Security
3. Improve Risk and Business Continuity Management
4. Complete Statewide Security Standards Framework
5. Improve Security Awareness & Training
6. Statewide Approach to Security Tools: Anti-Virus and Anti-Spyware

Questions

2004 Security Assessment Scoring Distribution

                                         Poor   Minimal/Fair   Solid   Superior
Planned Security Practices (Quality)     16%    60%            20%     4%
Actual Security Practices (Execution)    12%    52%            36%     0%

2004 Security Assessment: Scoring Summary

Note: The circle indicates the State average for the agencies assessed in the study

[Chart: agency scores plotted by Planned Security Practices (Quality) against Actual Security Practices (Execution), each on a 1 to 4 scale (Poor, Minimal, Fair, Solid, Superior) running from Weaker Posture to Stronger Posture.]

2004 Security Assessment: Statewide Average Scores by Category

[Chart: Average Quality and Average Execution scores compared with the Optimal Score for each of the following categories.]

Security Policies, Standards and Procedures
Organizational Security
Asset Classification and Control
Personnel Security
Physical Security
Communications and Operations Management
Access Administration
Access Technology
Applications Development and Maintenance
Business Impact/Continuity Management
Compliance

Opportunities for Improvement

Insufficient Funding (~100%)
Insufficient Staffing (84%)
Lack of Security Training & Experience (76%)
Outdated Desktop Operating Systems (72%)
Outdated and Missing Business Continuity Plans (69%)
Gaps in Agency Network Security Defense (64%)
Deficient Policies, Standards, and Procedures (60%)

Consequences: Statewide Significance

Assessment provided a baseline for metrics and a roadmap for planning improvements

Increased awareness at all levels of government of the importance of information security

Flexible assessment tool that can be used in years to come

Cost savings

Legislative Response

LAW PASSED IN JULY 2004 (SB991)

Shifted responsibilities from the IRMC to the State CIO and the ITAB

Gave State CIO clearer authority in project approval and management, procurement and establishment of security standards

Established a statewide IT Fund and appropriated $4.8 million for 2004-2005. $3 million appropriated for security assessment and remediation

Statewide Security Responsibilities

SCIO Security Responsibilities:
Set statewide security standards
Monitor and assess agency compliance
Oversee information security incidents
Information security considered in project management cycle
Select and deploy enterprise security technology
Oversee security procurements
Provide security education and training

Statewide Security Initiatives

1. Improve network security defenses

2. Improve wireless network security

3. Improve risk management and business continuity planning

4. Complete statewide security framework (policies, procedures, standards and architecture)

5. Improve enterprise security awareness and training

6. Statewide approach to Anti-Virus/Anti-Spyware

Statewide Security Initiatives

#1 Improve Network Security Defenses (Next Generation Network (NGN), Firewalls, Intrusion Prevention System (IPS), NCID)

Implementing NGN with agency pilots
MPLS – Multi-protocol label switching
ESAP – Enterprise Service Access Point(s)

Approved Intrusion Protection System (IPS) project, RFP in process

State Network

[Diagram: State Network]
2,500 remote sites
Public Network
Internet Pipes = Multiple Gigabit Ethernet Connections
Perimeter Defenses (Firewalls, IDS/IPS and ITS Hosted Zones IPS/IDS)
Centralized Security Incident Management, NC Information Sharing Analysis Center

Next Generation Network (NCIN3) Goals

Enhance Network Availability (99.99)
• Reliable, Manageable, Scalable

Enhance Security
• Establish Layers of Security Controls

Enable Quality of Service features
• Differentiated Service Offerings

Enterprise Services Access Point (ESAP) Model

[Diagram: Multi-Agency ESAP Model. Labels on the slide: DOC Inter-Agency connection; DOC Internet connection; WWW Servers; DB Servers; Private Servers; DOC Division 1 vrf; DOC Division 2 vrf; DOC Security; DOC ESAP; agencies DOC, DOT, DHHS and ESC; zones Public Access, Public and Private.]

Statewide Security Initiatives

#2. Improve Agency Border/Perimeter Defense – Wireless

Conducted Agency Wireless Survey 01/05

Formed Agency Wireless Focus Group

Updated ‘Wireless Security IEEE 802.11 Communications Policy’ issued 2/15/05

Project underway to build a prototype to deploy a secure wireless environment using 802.1X and WPA2 at ITS

Statewide Security Initiatives

#3. Improve Risk Management and Business Continuity Planning

Developed Risk Assessment Tool

Purchased Strohl Business Impact Analysis and Business Continuity Planning software for all executive branch agencies (available to locals through ITS at reduced price)

Trained agencies in Fall ’04

Agencies complete Business Impact Analysis (BIAs) in March ’05

Consistent statewide approach for business continuity management

Statewide Security Initiatives

#4. Complete Statewide Security Standards Framework

Purchased ISO 17799 Policy Tool Kit 07/04 and updates in 07/05

Formed Agency Standards/Policy Focus Groups

Awarded RFP to Ciber to complete standards framework with training materials 11/04.

Chapters in review cycle, rollout is in progress

All Statewide Security Standards/Policies are on http://www.scio.state.nc.us

Statewide Security Initiatives

July 2004 to June 2005 Enterprise Training Plan

Course                                      Course Dates    Number of Attendees   Hours of Training per Person   Cost (K$)
Strohl Business Impact Analysis Training    October 2004    95                    16                             $11.5
Strohl BIA Workshop                         January 2005    22                    1                              -
How to be an Effective Security Liaison     January 2005    73                    16                             $52.9
Strohl BIA Workshop                         February 2005   37                    1                              -
Creating Information Security Awareness     February 2005   67                    16                             $53.0
Strohl BIA Workshop                         March 2005      28                    1                              -
CISSP Prep Class                            March 2005      47                    40                             $62.9
Defense in Depth Conference                 May 2005        181                   8                              $115.9
Total                                                       535                   -                              $296.20

Statewide Security Initiatives

#5. Improve Enterprise Security Training & Awareness

July 2005 to June 2006 Enterprise Training Plan

Course                                                  Course Dates           Number of Attendees   Hours of Training per Person   Cost (K$)
Patch Management – Software Vulnerability Mitigation    Oct. 11 – 12, 2005     51                    16                             $43.7
A Structured Approach to Incident Response              Jan 17 – 19, 2006
Identity Management                                     March 21 – 23, 2006
Information Security Essentials Conference              April 26, 2006
Other Security Training                                 TBD
Total                                                                          51                    -                              $43.7

Statewide Security Initiatives

#6 Statewide Approach to Anti-Virus and Anti-Spyware

Use statewide consolidated purchasing power and authority to:

Lower overall statewide AV/AS costs and derive more value from these solutions while providing greater AV/AS protection to state agencies.

Offer similar AV/AS pricing to all executive branch agencies as well as local government units, community colleges, and public schools (based on support option)

Simplify AV/AS administration through an integrated solution

Enterprise Security Infrastructure…

Is a key element of consolidation: integrating IT infrastructure services (network, hosting, access etc.) through an enterprise-wide risk management approach improves security and enables cost efficiencies

Why: Consistent approach to
Threats
Technology
Business Drivers
Users
Vendors
Education

NC - Statewide Security Initiatives Program – 2005 WINNER!!!

Questions? http://www.scio.state.nc.us