
Enterprise Security Plan

and Standards Forum

Theresa A. Masse
State Chief Information Security Officer
John Ritchie
Senior Security Analyst

1
Agenda
 Background
 Statewide Information Security Plan
 Statewide Information Security
Standards
 Agency Next Steps
 Panel
 Wrap Up

2
Background
 The combination of the Statewide Plan, Standards, and Policies in the
framework of ISO 27001 & 27002 forms the Enterprise Security Architecture

[Diagram: Enterprise Security Architecture]
Enterprise Security Plan
ISO 27001 – Information Security Management System
ISO 27002 – Technical Standards

ISO Domains:
1.0 Security Organization
2.0 Security Policy
3.0 Compliance
4.0 Human Resources
5.0 Asset Management
6.0 Physical & Environmental
7.0 Access Control
8.0 Incident Management
9.0 Communications & Operations Management
10.0 Business Continuity Plan
11.0 System Development and Maintenance

ESO Strategic Initiatives:
Information Security Communication Plan
Agency Information Security Plans
Policy Development
Identify & Evaluate Security Vulnerability Assessment Opportunities
User Awareness Program
Information Security Risk Assessment Program
Statewide Incident Response
Information Security Consulting Services

Enterprise Security Standards & Processes


3
Enterprise Security Policies
Background
 Based on ISO 27001/27002
 Incorporating Best Practices from:
 National Institute of Standards and Technology
(NIST) recommended standards
 SANS Institute recommended standards and best
practices
 Burton Group recommended methodologies and
best practices
 Vetted by agencies

4
Background
ISO 27001
 Information Security Management
System (ISMS)
 Foundation - Security Risk
Assessment
 Aligns with Agency’s Strategic Risk
Management Policy and Direction

5
Background
ISO 27002
 Information Security Domains
 Controls minimize identified risk
 Risk Assessment identifies areas of
Security Control focus

6
ISO 27002

 27002 consists of 11 domains
 Includes an outline for each Domain and
corresponding Controls

[Diagram: ISO 27002 domains grouped by plan area]
Risk Assessment
Security Governance & Compliance: Security Organization, Security Policy,
Security Compliance
Security Infrastructure & Environment: Human Resources Security, Asset
Management, Physical and Environmental Security
Tactical Security Operations: Access Control, Incident Management,
Communications & Operations Management, Business Continuity Management,
System Development and Maintenance

7
Background
 Policies and standards assist agencies in
achieving compliance with state laws
 ESO cannot establish plans, policies or
standards that are less restrictive than state
laws
 Specifically – ORS 182.122 Information
Systems Security & ORS 646A.600 the
Oregon Identity Theft Protection Act
 Agencies can implement more restrictive
controls as required for compliance with other
regulations - IRS, HIPAA, etc.
8
Security Plan
 Security Management Framework ISO
27001
 Agency Annual Risk Assessment
 Agency Information Systems Security Risk
Assessments
 Agency Information Security Management
System

9
Security Plan
 Security Governance and Compliance
ISO 27002
 Agency Security Policies & Governance
Processes
 Information Security Audits within Agency

10
Security Plan
 Security Infrastructure and Environment ISO
27002
 Agency Employee Security Policies
 Process for Access Control to Information Assets
within Agency
 Agency Information Security Awareness Training
 Agency compliance with Information Asset
Classification Policy # 107-004-050
 Agency compliance with the Transporting Information
Assets Policy #107-005-100
 DAS Building Security Access Controls Policy #
125-6-215
 Evaluation of Agency facilities for security
11
Security Plan
 Tactical Security Operations ISO 27002
 Agency compliance with the Enterprise Information
Security Standards
 Agency compliance with Employee Security policy
#107-004-053
 Agency compliance with the Information Security
Incident Response policy #107-004-120
 Agency BCP per policy # 107-001-010
 Agency BCP testing
 Agency DR testing
 Agency compliance with Sustainable Acquisition and
Disposal of Electronic Equipment (E-waste/Recovery
Policy)

12
Security Plan
 Implementation of Plan
 Implementation Metrics
 Submit agency plan to ESO – due July 2009

13
Security Standards
 Incorporating Best Practices from:
 International Organization for Standardization
(ISO) 27001 & 27002
 National Institute of Standards and Technology
(NIST) recommended standards
 SANS Institute recommended standards and best
practices
 Burton Group recommended methodologies and
best practices

14
Security Standards
 Technical Controls
 Four Domains From ISO 27002
 Access Control
 Information Asset Management
 Communications & Operations Management
 Information Systems Acquisition,
Development and Management

15
Security Standards
 Access Control
 Authentication Standards
 Authorization Standards
 Audit of Access Control Standards

16
Security Standards
 Information Asset Management
 Protection of Information Assets Standards
 Handling of Information Assets Standards

17
Security Standards
 Communications & Operations
Management
 Antivirus and Anti-malware Standards
 Workstation Management & Desktop
Security Standards
 Mobile Device Management Standards
 Server Management Standards
 Log Management Standards
 Information Backup Standards

18
Security Standards
 Communications & Operations
Management
 Security Zone and Network Security
Management (Local Area Network & Wide
Area Network) Standards
 Intrusion Detection Standards
 E-mail Standards
 Remote Access Standards
 Wireless Access Standards

19
Security Standards
 Information Systems Acquisition,
Development and Management
 Business Case Standard
 Encryption Standards
 Patch Management Standards
 Information System Development Lifecycle
Standards

20
Security Standards
 One Size Fits All?
 Small Agencies
 Most Standards Apply
 Large Agencies
 All Standards Apply
 State Data Center
 Most Standards Apply
 Will Assist Agencies

21
Security Standards
 Agencies Responsible for Data
 Classification
 Protection
 Agencies and Third Party Providers
 Contractors
 State Data Center

22
Security Standards
 Standards
 Minimum Requirements
 “Meet or Exceed”
 Recommended Best Practices
 Not Mandatory

23
Security Standards
 Standards
 Are Specific
 Are Interdependent
 Must Be Implemented In Entirety, but…
 Risk Assessment Drives
Implementation
 Compensating Controls
 Exceptions

24
Agency Next Steps
 Survey
 Are you compliant?
 If not, do you have a plan?
 Do you have the resources to implement
plan?
 Gap Analysis
 Workshop

25
Panel
 Robert Hulshof-Schmidt - State Library, Program Manager,
Government Research Services
 David Wilson - Department of Corrections, Information
Security Officer
 Al Grapoli - Network, Security and Voice Services Manager,
DAS, State Data Center

26
Oregon State Library
Information Security Plan and Guidelines
– Development and Implementation

Robert Hulshof-Schmidt,
Program Manager,
Government Research Services
State Library

27
State Library Overview
 44 employees, 20+ regular volunteers

 4 Teams
 Administrative Services
 Government Research Services
 Library Development Services
 Talking Book & Braille Services

28
OSL Information Assets
 Mostly Levels 1 & 2
 No Level 4
 Level 3 almost exclusively in
Administrative Services
 Consolidated donor info
 Patron info streamlined and protected by
statute

29
OSL Info Environment
 Most staff are professional information
workers
 Three full-time IT staff
 Agency-wide values on research, openness,
information exchange
 Generally tech-savvy, gadget-owning staff
 At start of security planning:
 Lack of concern due to limited level 3 info
 Unclear connection to everyday work

30
Information Security Plan
 Used ESO template – covered most of
our needs
 Started good conversation on physical
security, not just electronic
 Dovetailed with IT initiative to create
stronger domain environment
 Valuable, but felt to most staff like a
“Business Office/IT” activity only

31
Making the Connection
 Management team conversation about
information security
 Everything connected to the enterprise carries
risk
 Even “local-only” connections put our
business at risk
 All staff have a role and a responsibility
 Statewide policies provide a good framework
 We need local guidelines

32
Creating Guidelines
Information Asset Use, Implementation,
and Security Guidelines
 Started with suite of seven statewide policies
related to topic
 Added reference to statewide policies related
to staff behavior (telework, professional
workplace, etc.)
 Added reference to OSL policies and
documents as relevant

33
Creating Guidelines
 Created plain-language definitions of
key terms
 Did not repeat content of policies
 Focused on areas that required agency-
specific clarification or interpretation
 Pulled common themes from various
policies into cohesive sections
 Allowed for streamlining

34
Creating Guidelines
1. Reference to relevant policies/authorization
2. Definitions
3. Appropriate usage times for state assets and
systems
4. Use of personal information systems
5. Use of networks (state and personal)
6. Use of Internet resources
7. Use of electronic communication tools
8. Passwords
9. Monitoring behavior
10. Responding to incidents (tied to plan)
11. Decision-making, approvals, and access

35
Guidelines Rollout
 Iterative development
 Management review
 Business office review
 IT review
 Key staff review
 Agency-wide announcement
 All staff training
 Three sessions
 One presenter
 IT and HR at all three sessions

36
Next Steps
 IT review of guidelines
 Performance gaps
 30-day action plan
 Long-term action plan
 SDC consultation
 Prepare for standards review and
implementation
 Set priorities based on risk and
resources

37
Questions?

 Guidelines available to share

 Robert Hulshof-Schmidt
 503.378.5030
 robert.hulshof-schmidt@state.or.us

38
Department of
Corrections
David Wilson,
Information Security Officer

39
DOC Mission Statement

The mission of the Oregon Department of Corrections
is to promote public safety by
holding offenders accountable for their
actions and reducing the risk of future
criminal behavior.

40
Oregon Accountability
Model
 Criminal Risk Factor Assessment and
Case Planning
 Staff-Inmate Interactions
 Work and Programs
 Children and Families
 Re-entry
 Community Supervision and Programs

41
Quick Facts
 14 Institutions

 4 Administration Sites

 2 County Parole & Probation Offices

42
Quick Facts

 4,426 Employees
 1,970 Active Volunteers
 Offenders:
 Inmates 13,841
 Parole and Probation 2,794
 Local Control 890

Total Current Offenders 17,525

43
Quick Facts
Others Accessing ODOC Information
 Contracted Service Providers
 Community Partners
 Courts and Legal Professionals
 Other Governmental Agencies
 The Public

44
ODOC Information Security
History
 Information Security Officer
 Collateral duty prior to October, 2009
 Projects through Office of Project Management
 Information Security Administration
 Department-wide Records Management

45
Project Methodology
 Initiated in April, 2008
 ODOC missed early compliance dates
 Combined project resources
 Chose to focus resources on:
 ID of agency Information Assets (IA’s)
 Organizing IA’s into a Special Retention
Schedule
 Use structure to identify “ownership”

46
Methodology Mistake

Information Owners were not defined or identified
at the beginning of the projects.

47
Informed Information
Owners Needed
 Realized need for:
 Definition of Information Owner role and
responsibilities
 Decision makers to decide Classification

 Identified need to:
 Educate decision makers
 Define Data Handling Standards
 Define Classification expectations

48
“Snap Shot” Standards Needed

Methodology and standards: OVERWHELMING!

Found something simple: PERS Data Handling Standards
http://www.oregon.gov/DAS/EISPD/ESO/IAC.shtml

Simple Matrix = Enterprise Standards
Reflects PROCESS expectations
49
Curriculum Identified

 Protecting IA’s at the Right Level
 Balancing the Risk with the Cost: Confidentiality,
Integrity and Accessibility
 Public Records Requests - Simple Division
 Level 1 & 2: Releasable = Low Risk & Priority
 Level 3 & 4: Not releasable = High Risk & Priority
 Able to categorize by this division based on known
mandates and project team input
 Level 3 vs. Level 4
 Mandates vs. Business Decision
 Risk of Level 3: Mitigated by agency culture
 Cost of Level 4: Resources and Accessibility

50
Information Owner
Decision
Information Owners were asked to look at
a draft list of their Level 3 and 4 IA’s
They were then asked to identify:
 Risk they were willing to accept
 Cost, in resources and accessibility, they were
willing to pay to mitigate that risk

“If you want to call it a Level 4, are you
willing to pay the cost of protection?”
51
Did not understand it
then. . . .
Gap Analysis of Enterprise Standards:
 Process: How the agency works with the
information
 Technology: Technical capabilities, limitations
and safeguards

52
Realized in retrospect. . . .
Educating Information Owners

Provided a business opportunity:
To review existing processes, identify limitations
and determine current resources

That resulted in:
Gap Analysis of Process
53
Enterprise Standards
Published
11/2009 - Enterprise Standards Published
 ODOC Classification process had already
narrowed the focus
 Gap Analysis of Processes completed

All that was left:
Compare current Information Technology
practices and resources against
Enterprise Standards

54
Gap Analysis:
Technology
FYI:
Computer experts live and breathe
Tech Specs!!!

Standards = Foreign Language

Computer experts:
 Speak it fluently
 Know their systems in detail
 Can translate in terms of existing ability
55
Do we meet the standard?
“Yes”
No further action required

“No, but our method is as good as or
better than. . . ”
Document Variance

56
Do we meet the standard?
 “No, and that might be a problem”
 Red Flag or “Gap”
 Plan Needed - Will getting there take:
 Time (within existing resources)?
 Money (to buy solutions)?
 Staff (additional personnel)?

Plans will be assessed and prioritized based on:
Risk and Available Resources
57
Gap Analysis = Risk
Mitigation
Risk Mitigation for ODOC
Gap Analysis provides data for
Risk Based
prioritization of resources necessary for
operations within current fiscal climate

Final plan will be taken to ODOC
Leadership for approval

58
Questions?

david.s.wilson@state.or.us

59
Oregon State Data Center
Security Architecture Standards
Information Security Plan and Standards Forum
December 10, 2009

60
Security Architecture
Principles
Security Architecture must be:
 Cost Effective and Business Driven
 Supportable
 Standards Based

61
Cost Effective and Business
Driven
 Flexible architecture provides for
granularity of controls
 Ability to accommodate agency business
requirements
 Consolidation of security controls to
reduce administrative overhead

62
Supportable
 Standard processes and procedures in
support of security controls
 Centralized management of security controls
 Increased logging and monitoring
 Integration permits greater security
enforcement and intelligence
 Standard equipment allows for easier
implementation and for replacement in the
event of a failure

63
Standards Based
 Use standards-based technologies to
provide security (e.g. AES, 802.1X,
etc.)
 Increases the likelihood that security
technologies are interoperable
 Ensures that implemented technologies have
been subjected to the process review
necessary to achieve the status of “standard”

64
Where we are…
 Secure Server Builds
 Site-to-site encryption
 Standardization
 Network Access Control
 Firewalls
 VLANs/MPLS
 Anti-Virus, Patching standardized
 Network Intrusion Detection
 Email Firewalls
 Log Aggregation
65
Where we are going…
 Network Admission Control
 Host Intrusion Prevention
 Consolidated Remote Access VPN
 Firewall Consolidation
 Increased Use of Log Aggregation
 Configuration Management

66
Security Policies
 State Security Policies
 http://oregon.gov/DAS/EISPD/ESO/Policies.shtml

 Recent Implementation
 State Security Standards
 State Security Plan
 Privileged Access Policy

67
Questions?

al.grapoli@state.or.us

68
Thank You!

“Security is an architecture, not an appliance”

Network Magazine

69
Recap and Next Steps
 Plan and Standards Published
 Survey
 Are you compliant?
 If not, do you have a plan?
 Do you have the resources to implement
plan?
 Gap Analysis
 Workshop

70
Questions?

71
Thank You!

Theresa Masse
State Chief Information Security Officer
DAS EISPD / Enterprise Security Office
(503) 378-4896
theresa.a.masse@state.or.us
http://oregon.gov/DAS/EISPD/ESO

72
