Compliance Based Security Fabric. Information Systems Security Association Northwest Regional Security Conference Olympia, WA April 23, 2008. [email protected] Chief Information Officer Oregon Department of Transportation.


Compliance Based Security Fabric

Information Systems Security Association Northwest Regional Security Conference

Olympia, WA

April 23, 2008

[email protected]

Chief Information Officer

Oregon Department of Transportation

Transformation of ODOT Business via Enterprise Security Bills, Policies, & IT Initiatives


Security Fabric Strategy Road Map

Transformation of ODOT Business via Enterprise Security Bills, Policies, & IT Initiatives


Overview of Bills, Policies & Initiatives

  • DAS 107-004-050 Information Asset Classification Policy
  • DAS 107-004-051 Controlling Portable and Removable Storage Devices
  • DAS 107-004-052 Information Security
  • DAS 107-004-053 Employee Security
  • DAS 107-004-100 Transporting Confidential Information
  • DAS Statewide Policy 1.3, Acceptable Use of Information Related Technology
  • Senate Bill 583, 2007 Legislative Session (ID Theft)
  • Various ODOT Security related policies
    • ODOT ADM 05-08-01 Acceptable Use Policy
    • ODOT ADM 04-20 Information Security
    • ODOT Information Security Guidelines
  • Administrative Criminal Background Checks Rules
  • Business Continuity Planning
  • Enterprise Content Management
  • Identity and Access Management (TIM/TAM)
  • Payment Card Industry (PCI) Compliance
Resource Work Collaboration Team

Enterprise Security Policies Initiative: Resource Work Collaboration

  • Matt Garrett, Agency Director
  • Delegated Authority
  • Ben Berry, Agency CIO
  • Project Manager: Lisa Martinez (Business), Peter van den Berg (Information Systems)
  • Other Lines of Business: DMV, Highway, Motor Carrier, IS
  • Division Point Person: Keith Nardi, Deb Frazier, Ric Listella
  • Information Security Unit (Karina Stewart)
  • Technology Management (Virginia Alster)
  • FileNet Program (Ron Winterrowd/Lisa Martinez)
  • Communications Plan (Team)

Why a “Security Fabric”?

COMPREHENSIVE. Building a security fabric to cover all of our Point-to-Point information services is much more difficult to maintain.

INVISIBLE BUSINESS PROCESSES. Many business processes are invisible because staff carry out procedures that are not necessarily written down.

LEVERAGE ACROSS AGENCY & ENTERPRISE. A security fabric is meant to leverage secure practices across multiple organizational functions and business units.

Legacy of Point-to-Point Services

What is a Security Fabric?

A Security Fabric is a services-driven design approach that integrates business and security strategies to provide a Common Holistic Approach to Security Compliance and that leverages existing and new security policy functionality across agency business lines.

  • The strategy of a Security Fabric includes:
      • Integration with elements of each of the security policies, where applicable.
      • Providing security through the sharing & reuse of security services and processes across the agency and/or enterprise.
      • Streamlining secure practices across existing business processes for greater efficiency and productivity.
  • The approach for a Security Fabric:
      • Leverage existing business practices, IT investments and standard operating processes.
      • Adopt Community of Practice templates for the Information Asset Classification Policy to ensure compliance with classifying data: Data Classification Levels 1, 2, 3 & 4 for Labeling, Handling, Storage, Retention and Disposal/Destruction.
  • Standards allow security processes to be designed for reuse:
      • Components that can be used over and over again among different lines of business. Example: Active Directory Group Policies or other physical standard security practices.
      • Use of standardized procedures, interfaces and standard data classification adherence.
Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business, not a Silo Approach

[Slide diagram: a matrix of enterprise security domains (rows) against line-of-business service functions (columns), showing each policy cutting across every function rather than sitting in a silo.]

Rows (enterprise security domains): Information Asset Classification; Controlling Portable and Removable Storage Devices; Information Security; Employee Security; Transporting Confidential Information; Acceptable Use of Information Related Tech.; Senate Bill 583.

Columns (line-of-business functions): Submission Processing; Customer Service; Manage Taxpayer Accounts; Reporting Compliance; Filing & Payment Compliance; Criminal Investigation; Internal Management; Other Functional Domains.

Enterprise Security Domains: Define the statewide security policies, bills and initiatives that are within the scope of the change.

Agency Policies & Practices: Define the ODOT internal policies and practices impacted by the Security Fabric effort.

  • Payment Card Industry - PCI
  • Identity & Access Management
  • Enterprise Content Management
  • Admin Criminal Background
  • ODOT Info. Security Guideline
  • ODOT Acceptable Use Pol.
  • ODOT Information Security Pol.

Agency Service Domains: Define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains).

  • Highway Transportation
  • Motor Carrier
  • DMV
  • Rail and Others

Approach to Meeting Security Fabric Goals

Security Fabric Project Manager

  1. Project Assessment
  2. Gap Analysis
  3. Develop Action Plan
  4. Establish Deliverables & Project Plan

A DCP (Decision Check Point) sits between each consecutive pair of steps; Risk Management, Communication Management & Change Management span the whole approach.

Security Fabric Strategy Map

Agency Lines of Business

Process: Determine the security gaps that will need to be filled.

Policy / Procedure / Practice / Initiative:

  • DAS 107-004-050 Information Asset Classification
  • DAS 107-004-051 Controlling Portable and Removable Storage Devices
  • DAS 107-004-052 Information Security
  • DAS 107-004-053 Employee Security
  • DAS 107-004-100 Transporting Information Assets
  • SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act

Strategy map elements:

  • DAS Policy Current State
  • Agency Policy Current State
  • Future State Requirements
  • GAP Analysis
  • Senate Bill 583 Gap Analysis

DAS = Department of Administrative Services


Gather Requirements & Identify Gaps

Subject Matter Experts from Lines of Business

  • Project Team:
    • Review Results
    • Rank Gaps Based on Risks and Priorities
    • Develop Blueprint of Implementation Plan

Gaps are plotted on a grid of High/Low Opportunity against High/Low Risk.


Identify Key Business: Challenges and Opportunities

Challenges:

  • Reliant on Business Line Subject Matter Experts
  • Competes with Other Priorities
  • Undefined Roles and Responsibilities
  • Requires Routine Review and Assessment to Manage Risk

Opportunities:

  • Reduce Agency Risk
  • Potential to Improve Business Processes
  • Recognize and Develop Partnerships
  • Develop and Share Best Practices
  • Successful Implementation Results in Improved Agency Compliance

Identify Business Contacts for Each Division, Region, and Branch

Common Security Policy Services

Inputs

  • BUSINESS PERSPECTIVE. Promotes a business perspective around potential secured shared services.
  • EFFICIENT. Drives efficiencies and reuse across the Agency.
  • BEST PRACTICES. The Common Security Practice Framework will be refined based on lessons learned from initial security service deployments.

Common Security Policy Framework life cycle: Plan; Define, Design, Build, Deploy; Maintain

Business Services (Outputs):

  • Generate Secure Customer Service
  • Generate Secure Cross Agency Response

Security Fabric Based on Key Areas: Holistic Security Practices; Platform, Templates and Toolsets; and Security Governance

Holistic Security Practices (business unit practices drawn from broad-based Practices and Procedures):

  • Agency Business Functional Services
  • Agency Application Services: application integration / shared services (FileNet, others)
  • Security Services

Information Security Governance:

  • Agency-wide utility functions and solutions (Active Directory, TIM/TAM, Encryption)
  • Agency Infrastructure Services: enabling security technology (middleware, physical tools and devices)

Platforms, Templates & Toolset

Current Activities

  • There are different types of line of business services that need protection, both Agency and Enterprise focused.
  • All require agency governance for an initial and ongoing sustainable Security Fabric presence.
  • ODOT is engaged in a multi-variant approach to focus on those areas that provide the highest level of security from easy to hard to implement. Given each policy’s target timeline, high value security responses will be addressed first!
As Security Fabric Strategy Matures, We Transition from Opportunistic and Project Level to Enterprise Level Security Policy Practice.

[Slide chart: items plotted by Scope (Low to High) against Time/Maturity (Low to High), moving from Opportunistic toward Enterprise.]

Plotted items: ISBRA; Security TIM/TAM; Identity Management; Digital Signatures; Info Asset L1; Info Asset L2; SB 583; Active Directory Group Policies; Controlling Removable Storage Devices; Employee Security Policy; Integration; Info Asset Classification Level 4; Info Asset Classification Level 3; Transporting Info Assets; Acceptable Use Policy; Information Security Policy.


Action Items & Implementation Dates

Effective dates in chronological order (Today = April 23, 2008, the presentation date):

  • June 27, 2007: DAS 107-004-100 effective
  • October 1, 2007: SB 583 (except Section 12) effective
  • January 1, 2008: SB 583 Section 12 effective
  • January 31, 2008: DAS 107-004-053 effective
  • July 1, 2008: DAS 107-004-050, Level 4, Critical, effective
  • July 30, 2008: DAS 107-004-051 effective
  • January 1, 2009: DAS 107-004-050, Level 3, Restricted, effective
  • July 1, 2009: DAS 107-004-050, Level 2, Limited, effective
  • July 30, 2009: DAS 107-004-052 effective

Legend:

  • DAS 107-004-050 Information Asset Classification
  • DAS 107-004-051 Controlling Portable and Removable Storage Devices
  • DAS 107-004-052 Information Security
  • DAS 107-004-053 Employee Security
  • DAS 107-004-100 Transporting Information Assets
  • SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act
Sustainable Security Practice Identification & Deployment

Requires a Broad Based Security Policy and Governance Process

Starts with DAS Security Policies & SB 583 Business Process Requirements

  • Impacts to people, process & technology
  • Security services are delivered through Agency initiatives or projects
  • Security life cycle processes are supported by both Business and Information services
  • Development of security policy response is guided by multi-unit team (Resource Work Collaboration Team)
  • Communication & training are required for people supporting each of the sustainable Security Fabric life cycle processes

Iterative Sustainable Security Fabric Services Life Cycle (under GOVERNANCE):

  • Security Service Policy Requirements
  • Design Security Service response
  • Construct Security Service
  • Test Security Service
  • Process Architectural Review
  • Deploy Security Service
  • Operate / Monitor
  • Measure Effectiveness
  • Use/Reuse Policy Driven Service
  • Service Repository

  • Governance Organization – manage & monitor ongoing security agreements

ISSA Northwest Regional Security Conference

Compliance-Based Security Fabric
