Theresa A. Masse
State Chief Information Security Officer
John Ritchie
Senior Security Analyst
1
Agenda
Background
Statewide Information Security Plan
Statewide Information Security
Standards
Agency Next Steps
Panel
Wrap Up
2
Background
The combination of the Statewide Plan, Standards, and Policies in the
framework of 27001 & 27002 form the Enterprise Security Architecture
Diagram: Enterprise Security Architecture. ISO 27001 Information Security Management System at the top; the ISO domains (1.0 Security Organization, 2.0 Security Policy, 3.0 Compliance, 4.0 Human Resources, 5.0 Asset Management, 6.0 Physical & Environmental, 7.0 Access Control, 8.0 Incident Management, 9.0 Communications & Operations Management, 10.0 Business Continuity Plan, 11.0 System Development and Maintenance) mapped to ESO Strategic Initiatives (Information Security Communication Plan; Agency Information Security Policy Development; Identify & Evaluate Security Vulnerability Assessment Opportunities; Information Security Risk Assessment Program; Statewide Incident Response; User Awareness Program; Information Security Consulting Services).
4
Background
ISO 27001
Information Security Management
System (ISMS)
Foundation - Security Risk
Assessment
Aligns with Agency’s Strategic Risk
Management Policy and Direction
5
Background
ISO 27002
Information Security Domains
Controls minimize identified risk
Risk Assessment identifies areas of
Security Control focus
6
ISO 27002
Diagram: the 11 ISO 27002 domains and corresponding controls, grouped as Assessment; Security Governance & Compliance (Security Organization, Human Resources); Security Infrastructure & Environment (Asset Management, Physical and Environmental); and Tactical Security Operations (Access Control, Incident Management, Communications & Operations Management, Business Continuity Management, System Development and Maintenance).
7
Background
Policies and standards assist agencies in
achieving compliance with state laws
ESO cannot establish plans, policies or
standards that are less restrictive than state
laws
Specifically – ORS 182.122 Information
Systems Security & ORS 646A.600 the
Oregon Identity Theft Protection Act
Agencies can implement more restrictive
controls as required for compliance with other
regulations - IRS, HIPAA, etc.
8
Security Plan
Security Management Framework ISO
27001
Agency Annual Risk Assessment
Agency Information Systems Security Risk
Assessments
Agency Information Security Management
System
9
Security Plan
Security Governance and Compliance
ISO 27002
Agency Security Policies & Governance
Processes
Information Security Audits within Agency
10
Security Plan
Security Infrastructure and Environment ISO
27002
Agency Employee Security Policies
Process for Access Control to Information Assets
within Agency
Agency Information Security Awareness Training
Agency compliance with Information Asset
Classification Policy # 107-004-050
Agency compliance with the Transporting Information
Assets Policy #107-005-100
DAS Building Security Access Controls Policy #
125-6-215
Evaluation of Agency facilities for security
11
Security Plan
Tactical Security Operations ISO 27002
Agency compliance with the Enterprise Information
Security Standards
Agency compliance with Employee Security policy
#107-004-053
Agency compliance with the Information Security
Incident Response policy #107-004-120
Agency BCP per policy # 107-001-010
Agency BCP testing
Agency DR testing
12
Security Plan
Implementation of Plan
Implementation Metrics
13
Security Standards
Incorporating Best Practices from:
International Organization for Standardization
(ISO) 27001 & 27002
National Institute of Standards and Technology
(NIST) recommended standards
SANS Institute recommended standards and best
practices
Burton Group recommended methodologies and
best practices
14
Security Standards
Technical Controls
Four Domains From ISO 27002
Access Control
Information Asset Management
Communications & Operations Management
Information Systems Acquisition,
Development and Management
15
Security Standards
Access Control
Authentication Standards
Authorization Standards
Audit of Access Control Standards
16
Security Standards
Information Asset Management
Protection of Information Assets Standards
Handling of Information Assets Standards
17
Security Standards
Communications & Operations
Management
Antivirus and Anti-malware Standards
Workstation Management & Desktop
Security Standards
Mobile Device Management Standards
Server Management Standards
Log Management Standards
Information Backup Standards
18
Security Standards
Communications & Operations
Management
Security Zone and Network Security
Management (Local Area Network & Wide
Area Network) Standards
Intrusion Detection Standards
E-mail Standards
Remote Access Standards
Wireless Access Standards
19
Security Standards
Information Systems Acquisition,
Development and Management
Business Case Standard
Encryption Standards
Patch Management Standards
Information System Development Lifecycle
Standards
20
Security Standards
One Size Fits All?
Small Agencies
Most Standards Apply
Large Agencies
All Standards Apply
State Data Center
Most Standards Apply
Will Assist Agencies
21
Security Standards
Agencies Responsible for Data
Classification
Protection
Agencies and Third Party Providers
Contractors
State Data Center
22
Security Standards
Standards
Minimum Requirements
“Meet or Exceed”
Recommended Best Practices
Not Mandatory
23
Security Standards
Standards
Are Specific
Are Interdependent
Must Be Implemented In Entirety, but…
Risk Assessment Drives
Implementation
Compensating Controls
Exceptions
24
Agency Next Steps
Survey
Are you compliant?
If not, do you have a plan?
Do you have the resources to implement
plan?
Gap Analysis
Workshop
25
Panel
Robert Hulshof-Schmidt - State Library, Program Manager, Government Research Services
David Wilson - Department of Corrections, Information Security Officer
Al Grapoli - Network, Security and Voice Services Manager, DAS, State Data Center
26
Oregon State Library
Information Security Plan and Guidelines
– Development and Implementation
Robert Hulshof-Schmidt,
Program Manager,
Government Research Services
State Library
27
State Library Overview
44 employees, 20+ regular volunteers
4 Teams
Administrative Services
Government Research Services
Library Development Services
Talking Book & Braille Services
28
OSL Information Assets
Mostly Levels 1 & 2
No Level 4
Level 3 almost exclusively in
Administrative Services
Consolidated donor info
Patron info streamlined and protected by
statute
29
OSL Info Environment
Most staff are professional information
workers
Three full-time IT staff
Agency-wide values on research, openness,
information exchange
Generally tech-savvy, gadget-owning staff
At start of security planning:
Lack of concern due to limited level 3 info
Unclear connection to everyday work
30
Information Security Plan
Used ESO template – covered most of
our needs
Started good conversation on physical
security, not just electronic
Dovetailed with IT initiative to create
stronger domain environment
Valuable, but felt to most staff like a
“Business Office/IT” activity only
31
Making the Connection
Management team conversation about
information security
Everything connected to the enterprise carries
risk
Even “local-only” connections put our
business at risk
All staff have a role and a responsibility
Statewide policies provide a good framework
We need local guidelines
32
Creating Guidelines
Information Asset Use, Implementation,
and Security Guidelines
Started with suite of seven statewide policies
related to topic
Added reference to statewide policies related
to staff behavior (telework, professional
workplace, etc.)
Added reference to OSL policies and
documents as relevant
33
Creating Guidelines
Created plain-language definitions of
key terms
Did not repeat content of policies
Focused on areas that required agency-
specific clarification or interpretation
Pulled common themes from various
policies into cohesive sections
Allowed for streamlining
34
Creating Guidelines
1. Reference to relevant policies/authorization
2. Definitions
3. Appropriate usage times for state assets and
systems
4. Use of personal information systems
5. Use of networks (state and personal)
6. Use of Internet resources
7. Use of electronic communication tools
8. Passwords
9. Monitoring behavior
10. Responding to incidents (tied to plan)
11. Decision-making, approvals, and access
35
Guidelines Rollout
Iterative development
Management review
Business office review
IT review
Key staff review
Agency-wide announcement
All staff training
Three sessions
One presenter
IT and HR at all three sessions
36
Next Steps
IT review of guidelines
Performance gaps
30-day action plan
Long-term action plan
SDC consultation
Prepare for standards review and
implementation
Set priorities based on risk and
resources
37
Questions?
Robert Hulshof-Schmidt
503.378.5030
robert.hulshof-schmidt@state.or.us
38
Department of
Corrections
David Wilson,
Information Security Officer
39
DOC Mission Statement
40
Oregon Accountability
Model
Criminal Risk Factor Assessment and
Case Planning
Staff-Inmate Interactions
Work and Programs
Children and Families
Re-entry
Community Supervision and Programs
41
Quick Facts
14 Institutions
4 Administration Sites
42
Quick Facts
4,426 Employees
1,970 Active Volunteers
Offenders:
Inmates 13,841
Parole and Probation 2,794
Local Control 890
43
Quick Facts
Others Accessing ODOC Information
Contracted Service Providers
Community Partners
Courts and Legal Professionals
Other Governmental Agencies
The Public
44
ODOC Information Security
History
Information Security Officer
Collateral duty prior to October, 2009
45
Project Methodology
Initiated in April, 2008
ODOC missed early compliance dates
Combined project resources
Chose to focus resources on:
ID of agency Information Assets (IA’s)
Organizing IA’s into a Special Retention
Schedule
Use structure to identify “ownership”
46
Methodology Mistake
Information Owners
Not defined or identified at the
beginning of the projects.
47
Informed Information
Owners Needed
Realized need for:
Definition of Information Owner role and
responsibilities
Decision makers to decide Classification
48
“Snap Shot” Standards
Needed
Methodology and standards:
OVERWHELMING!
50
Information Owner
Decision
Information Owners were asked to look at
a draft list of their Level 3 and 4 IA’s
They were then asked to identify:
Risk they were willing to accept
Cost, in resources and accessibility, they were
willing to pay to mitigate that risk
52
Realized in retrospect...
Educating Information Owners
54
Gap Analysis:
Technology
FYI:
Computer experts live and breathe
Tech Specs!!!
56
Do we meet the standard?
“No, and that might be a problem”
Red Flag or “Gap”
Plan Needed - Will getting there take:
Time (within existing resources)?
Money (to buy solutions)?
Staff (additional personnel)?
58
Questions?
david.s.wilson@state.or.us
59
Oregon State Data Center
Security Architecture Standards
Information Security Plan and Standards Forum
December 10, 2009
60
Security Architecture
Principles
Security Architecture must be:
61
Cost Effective and Business
Driven
Flexible architecture provides for
granularity of controls
Ability to accommodate agency business
requirements
Consolidation of security controls to
reduce administrative overhead
62
Supportable
Standard processes and procedures in
support of security controls
Centralized management of security controls
Increased logging and monitoring
Integration permits greater security
enforcement and intelligence
Standard equipment allows for easier
implementation and for replacement in the
event of a failure
63
Standards Based
Use standards-based technologies to
provide security (e.g. AES, 802.1X,
etc.)
Increases the likelihood that security
technologies are interoperable
Ensures that implemented technologies have
been subjected to the process review
necessary to achieve the status of “standard”
64
Where we are…
Secure Server Builds
Site-to-site encryption
Standardization
Network Access Control
Firewalls
VLANs/MPLS
Anti-Virus, Patching standardized
Network Intrusion Detection
Email Firewalls
Log Aggregation
65
Where we are going…
Network Admission Control
Host Intrusion Prevention
Consolidated Remote Access VPN
Firewall Consolidation
Increased Use of Log Aggregation
Configuration Management
66
Security Policies
State Security Policies
http://oregon.gov/DAS/EISPD/ESO/Policies.shtml
Recent Implementation
State Security Standards
State Security Plan
Privileged Access Policy
67
Questions?
al.grapoli@state.or.us
68
Thank You!
69
Recap and Next Steps
Plan and Standards Published
Survey
Are you compliant?
If not, do you have a plan?
Do you have the resources to implement
plan?
Gap Analysis
Workshop
70
Questions?
71
Thank You!
Theresa Masse
State Chief Information Security Officer
DAS EISPD / Enterprise Security Office
(503) 378-4896
theresa.a.masse@state.or.us
http://oregon.gov/DAS/EISPD/ESO
72