Compliance based security fabric
Compliance Based Security Fabric. Information Systems Security Association Northwest Regional Security Conference Olympia, WA April 23, 2008. [email protected] Chief Information Officer Oregon Department of Transportation.

Presentation Transcript
Compliance Based Security Fabric

Information Systems Security Association Northwest Regional Security Conference

Olympia, WA

April 23, 2008

[email protected]

Chief Information Officer

Oregon Department of Transportation

Transformation of ODOT Business via Enterprise Security Bills, Policies, & IT Initiatives



Security Fabric Strategy Road Map

Transformation of ODOT Business via Enterprise Security Bills, Policies, & IT Initiatives



Overview of Bills, Policies & Initiatives

  • DAS 107-004-050 Information Asset Classification Policy

  • DAS 107-004-051 Controlling Portable and Removable Storage Devices

  • DAS 107-004-052 Information Security

  • DAS 107-004-053 Employee Security

  • DAS 107-004-100 Transporting Confidential Information

  • DAS Statewide Policy 1.3, Acceptable Use of Information Related Technology

  • Senate Bill 583, 2007 Legislative Session (ID Theft)

  • Various ODOT Security related policies

    • ODOT ADM 05-08-01 Acceptable Use Policy

    • ODOT ADM 04-20 Information Security

    • ODOT Information Security Guidelines

  • Administrative Criminal Background Checks Rules

  • Business Continuity Planning

  • Enterprise Content Management

  • Identity and Access Management (TIM/TAM, the Tivoli Identity Manager and Tivoli Access Manager products)

  • Payment Card Industry (PCI) Compliance


Resource Work Collaboration Team

Enterprise Security Policies Initiative: Resource Work Collaboration

(Organization chart)

  • Matt Garrett, Agency Director (Delegated Authority)

  • Ben Berry, Agency CIO

  • Project Managers: Lisa Martinez (Business), Peter van den Berg (Information Systems)

  • Other Lines of Business: DMV, Highway, Motor Carrier, IS

  • Division Point Persons: Keith Nardi, Deb Frazier, Ric Listella

  • Information Security Unit (Karina Stewart)

  • Technology Management (Virginia Alster)

  • FileNet Program (Ron Winterrowd/Lisa Martinez)

  • Communications Plan (Team)


Why a “Security Fabric”?

COMPREHENSIVE. Our legacy of point-to-point information services is much more difficult to secure and maintain; a security fabric covers all of them with one set of practices instead of securing each connection separately.

INVISIBLE BUSINESS PROCESSES. Many business processes are invisible because staff carry them out without their ever being written down.

LEVERAGE ACROSS AGENCY & ENTERPRISE. A security fabric is meant to leverage secure practices across multiple organizational functions and business units.

(Diagram: Legacy of Point-to-Point Services)


What is a Security Fabric?

A Security Fabric is a services-driven design approach that integrates business and security strategies into a common, holistic approach to security compliance, and that leverages existing and new security policy functionality across agency business lines.

  • The strategy of a Security Fabric includes:

    • Integration with elements of each of the security policies, where applicable.

    • Providing security through the sharing & reuse of security services and processes across the agency and/or enterprise.

    • Streamlining secure practices across existing business processes for greater efficiency and productivity.

  • The approach for a Security Fabric:

    • Leverage existing business practices, IT investments and standard operating processes.

    • Adopt Community of Practice templates for the Information Asset Classification Policy to ensure compliance with classifying data: Data Classification Levels 1, 2, 3 & 4, each with its own requirements for labeling, handling, storage, retention and disposal/destruction.

  • Standards allow security processes to be designed for reuse:

    • Components that can be used over and over again among different lines of business, for example Active Directory Group Policies or other standard physical security practices.

    • Use of standardized procedures, interfaces and standard data classification adherence.


Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business, Not a Silo Approach

(Diagram: a grid of line-of-business functions crossed with the enterprise security domains that apply to each of them.)

Line-of-business functions (repeated for each line of business):

  • Submission Processing

  • Customer Service

  • Manage Taxpayer Accounts

  • Reporting Compliance

  • Filing & Payment Compliance

  • Criminal Investigation

  • Internal Management

  • Other Functional Domains

Enterprise Security Domains

Define the statewide security policies, bills and initiatives that are within the scope of the change.

  • Information Asset Classification

  • Controlling Portable and Removable Storage Devices

  • Information Security

  • Employee Security

  • Transporting Confidential Information

  • Acceptable Use of Information Related Tech.

  • Senate Bill 583

Agency Policies & Practices

Define the ODOT internal policies and practices impacted by the Security Fabric effort.

  • Payment Card Industry - PCI

  • Identity & Access Management

  • Enterprise Content Management

  • Admin Criminal Background

  • ODOT Info. Security Guideline

  • ODOT Acceptable Use Pol.

  • ODOT Information Security Pol.

Agency Service Domains

Define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains).

  • Highway Transportation

  • Motor Carrier

  • DMV

  • Rail and Others


Approach to Meeting Security Fabric Goals

Led by the Security Fabric Project Manager, the work proceeds through four steps, with a Decision Check Point (DCP) between each step:

  1. Project Assessment

  2. Gap Analysis

  3. Develop Action Plan

  4. Establish Deliverables & Project Plan

Risk Management, Communication Management & Change Management run alongside all four steps.


Security Fabric Strategy Map

Process: Determine the security gaps that will need to be filled, for each Agency Line of Business, against each Policy / Procedure / Practice / Initiative:

  • DAS 107-004-050 Information Asset Classification

  • DAS 107-004-051 Controlling Portable and Removable Storage Devices

  • DAS 107-004-052 Information Security

  • DAS 107-004-053 Employee Security

  • DAS 107-004-100 Transporting Information Assets

  • SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Identity Theft Protection Act

For each policy, the GAP Analysis compares the DAS Policy current state and the Agency Policy current state against the Future State Requirements; a separate Senate Bill 583 Gap Analysis follows the same pattern.

DAS = Department of Administrative Services



Gather Requirements & Identify Gaps

Requirements come from Subject Matter Experts from the Lines of Business.

  • Project Team:

    • Review Results

    • Rank Gaps Based on Risks and Priorities

    • Develop Blueprint of Implementation Plan

Gaps are ranked on a two-by-two matrix of Opportunity (Low to High) against Risk (Low to High).


Identify Key Business Challenges and Opportunities

Challenges

  • Reliant on Business Line Subject Matter Experts

  • Competes with Other Priorities

  • Undefined Roles and Responsibilities

  • Requires Routine Review and Assessment to Manage Risk

Opportunities

  • Reduce Agency Risk

  • Potential to Improve Business Processes

  • Recognize and Develop Partnerships

  • Develop and Share Best Practices

  • Successful Implementation Results in Improved Agency Compliance

Next step: Identify Business Contacts for Each Division, Region, and Branch


Common Security Policy Services

Inputs

  • BUSINESS PERSPECTIVE. Promotes a business perspective around potential secured shared services.

  • EFFICIENT. Drives efficiencies and reuse across the Agency.

  • BEST PRACTICES. The Common Security Practice Framework will be refined based on lessons learned from initial security service deployments.

Common Security Policy Framework (applied to Business Services)

  • Plan

  • Define, Design, Build, Deploy

  • Maintain

Outputs

  • Generate Secure Customer Service

  • Generate Secure Cross Agency Response


Security Fabric Based on Key Areas: Holistic Security Practices; Platform, Templates and Toolsets; and Security Governance

Holistic Security Practices

  • Agency Business Functional Services: business units draw on broad-based practices and procedures

  • Agency Application Services: application integration / shared services (FileNet, others)

Platforms, Templates & Toolset

  • Agency Infrastructure Services: agency-wide utility functions and solutions (Active Directory, TIM/TAM, Encryption)

  • Enabling Security Technology (middleware, physical tools and devices)

Security Governance

  • Security Services

  • Information Security Governance

Current Activities

  • There are different types of line of business services that need protection, both Agency and Enterprise focused.

  • All require agency governance for an initial and ongoing sustainable Security Fabric presence.

  • ODOT is taking a multi-track approach, ordering the areas by how much security they provide and by how easy or hard they are to implement. Given each policy's target timeline, high-value security responses will be addressed first.


As the Security Fabric Strategy Matures, We Transition from Opportunistic and Project Level to Enterprise Level Security Policy Practice

(Chart: Scope, Low to High, plotted against Time/Maturity, Low to High, through three stages. Items are listed in approximate order along the maturity axis.)

Opportunistic (low scope, early maturity)

  • Acceptable Use Policy

  • Information Security Policy

  • Transporting Info Assets

  • Info Asset Classification Level 4

  • Info Asset Classification Level 3

  • Employee Security Policy

  • Controlling Removable Storage Devices

  • Active Directory Group Policies

Integration

  • SB 583

  • Info Asset L2

  • Info Asset L1

  • Digital Signatures

Enterprise (high scope, full maturity)

  • Identity Management

  • Security TIM/TAM

  • ISBRA


Action Items & Implementation Dates

(Timeline; "Today" is the presentation date, April 23, 2008.)

  • June 27, 2007: DAS 107-004-100 effective

  • October 1, 2007: SB 583 (except Section 12) effective

  • January 1, 2008: SB 583 Section 12 effective

  • January 31, 2008: DAS 107-004-053 effective

  • Today

  • July 1, 2008: DAS 107-004-050 Level 4, Critical, effective

  • July 30, 2008: DAS 107-004-051 effective

  • January 1, 2009: DAS 107-004-050 Level 3, Restricted, effective

  • July 1, 2009: DAS 107-004-050 Level 2, Limited, effective

  • July 30, 2009: DAS 107-004-052 effective

  • Legend:

    • DAS 107-004-050 Information Asset Classification

    • DAS 107-004-051 Controlling Portable and Removable Storage Devices

    • DAS 107-004-052 Information Security

    • DAS 107-004-053 Employee Security

    • DAS 107-004-100 Transporting Information Assets

    • SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Identity Theft Protection Act


Sustainable Security Practice Identification & Deployment

Requires a Broad Based Security Policy and Governance Process

Starts with DAS Security Policies & SB 583 Business Process Requirements

  • Impacts to people, process & technology

  • Security services are delivered through Agency initiatives or projects

  • Security life cycle processes are supported by both Business and Information services

  • Development of security policy response is guided by a multi-unit team (Resource Work Collaboration Team)

  • Communication & training are required for people supporting each of the sustainable Security Fabric life cycle processes

Iterative Sustainable Security Fabric Services Life Cycle (under GOVERNANCE, with a Process Architectural Review and a Service Repository):

  • Policy Requirements

  • Design Security Service response

  • Construct Security Service

  • Test Security Service

  • Deploy Security Service

  • Operate / Monitor Security Service

  • Measure Effectiveness

  • Use/Reuse Policy Driven Service

  • Governance Organization: manage & monitor ongoing security agreements

