
Cybersecurity Issues Impacting Public Sector Financial Management
OASIS e-Gov Washington Workshop, April 17 2009
John Sabo, Director Global Government Relations, CA, Inc.
Member, OASIS IDtrust Member Section Steering Committee
www.oasis-open.org



Abstract

  • Public financial management systems, e-procurement, and other services vital to government operations and citizen trust increasingly make use of information technology, networked infrastructures and Internet services. 

  • Cybersecurity risks continue to multiply as the threat landscape broadens. As governmental services migrate to Internet and Internet Protocol-based infrastructures, managing cybersecurity risk takes on greater importance, since government agencies are cutting ties to old business processes and fully embracing Internet-based services.

  • This presentation will provide an overview of cybersecurity risk issues, a number of public-private sector partnership efforts to assess and mitigate cyber risks, and examples of work underway by Technical Committees in the OASIS IDtrust Member Section to develop standards to help address these challenges.



Cybersecurity – Government and Business Risk Management Issues

  • 2007 Business Roundtable Report – growing Internet dependence

  • Control System vulnerabilities

  • Critical Infrastructure interdependencies

    • e.g., network availability for e-Gov applications

  • Convergence of communications with Internet Protocol-based networks/devices/security

  • Major global and federal government cybersecurity initiatives

  • Major initiatives such as Health IT, Smart Grid



Obama Administration

  • E-Government – using cutting-edge technologies to create a new level of transparency, accountability, and participation for America's citizens, to reform government and to improve the exchange of information between the federal government and its citizens and partners.

  • Cybersecurity – deploying a new generation of secure hardware and software for our critical cyber infrastructure and protecting sensitive corporate and government information and industrial applications from unauthorized access, theft, and misuse, while ensuring the resilience of our information networks, systems and applications.

  • Data Privacy – managing data privacy and securing personal information by partnering with industry to develop and implement standards and solutions needed to protect the rights of individuals in the information age.



Foundation in Place for Cybersecurity Risk Management

  • Huge resource and intellectual investments

  • R&D – technology development in response to market needs – innovation

  • Technologies, standards – e.g., identity and access management, authorization, encryption

  • Evolving standards and standards development to address new risk management requirements

  • Operational capabilities via organizations such as Information Sharing and Analysis Centers

  • Trusted industry and industry - government working relationships

  • Increased focus on cyber risk management, e.g., IT Sector Coordinating Council risk assessment



IT Sector Critical Functions and Cybersecurity

  • IT Products and Services

  • Incident Management Capabilities

  • Domain Name Resolution

  • Identity Management and Trust Support Services

  • Internet-based Content, Information and Communications Services

  • Internet Routing, Access and Connection Services



Complexities of the IT Sector

  • Domain Name System (DNS) root and generic top-level domain (gTLD) operators

  • Internet Service Providers (ISPs)

  • Internet backbone providers

  • Internet portal and e-mail providers

  • Networking hardware companies (e.g., fiber-optics makers and line acceleration hardware manufacturers) and other hardware manufacturers (e.g., PC, server and information-storage manufacturers)

  • Software companies

  • Security services vendors

  • Communications companies that characterize themselves as having an IT role

  • Edge and core service providers

  • IT system integrators

  • Global, Federal, State, and local governments…end users, businesses



IT “Sector Specific Plan”

  • Prevention and protection through risk management

    • Understand and prioritize risks and implement protective measures

  • Situational awareness

    • Share threat and vulnerability information among the IT Sector, other sectors and government, including developing indications and warnings

    • Expand public-private analytical capabilities to proactively identify potential future incidents

  • Response, recovery and reconstitution

    • Communications, incident response and coordination, recovery, reconstitution, and law enforcement linkages


Federal Comprehensive National Cybersecurity Initiative (CNCI)

  • Trusted Internet Connections

  • Intrusion detection

  • Intrusion prevention

  • Research and development

  • Situational awareness

  • Cyber counterintelligence

  • Classified network security

  • Cyber education and training

  • Implementation of information security technologies

  • Deterrence strategies

  • Global supply chain security

  • Public/private collaboration


A Few Current Issues

  • Administration’s 60-day Cybersecurity Review

    • What is the federal government’s role in protecting critical infrastructure and information networks against a nation-state attack?

    • Role of the private sector in protecting government networks: people, process, technology, regulation, and incentives

    • What thresholds do we recommend for defining and reporting cyber incidents, and to whom are they reported?

  • New Federal Leadership, Organizational Alignment

  • Legislation and Oversight

  • … all in the context of incredible technological innovation


IDtrust Member Section

  • Evolution

    • PKI Forum (1999)

    • PKI Member Section (Nov 2002)

    • IDtrust Member Section (2007)

  • Steering Committee

    • June Leung, FundSERV

    • Abbie Barbir, Nortel

    • John Bradley

    • John Sabo, CA

    • Anil Saldhana, Red Hat

  • OASIS Staff – Dee Schur

  • 31 Sponsors/Contributing Member Organizations


Strategic Focus Areas

  • Identity and Trust Infrastructure Components

    • Standards, protocols, cost/benefits, risks

  • Identity and Trust Policies and Enforcement

    • Policy issues, policy mapping, assurance

  • Barriers and Emerging Issues

    • Data privacy, interoperability, extensible trust

  • Education and Outreach

    • White papers, research, conferences, Wiki

    • idtrust.xml.org


Technical Committees

  • Digital Signature Services eXtended (DSS-X) - Advancing new profiles for the DSS OASIS Standard

  • Identity Metasystem Interoperability (IMI) - Advancing an interoperability standard for Information Cards

  • Open Reputation Management Systems (ORMS) - Advancing the ability to use common data formats for representing reputation data

  • Extensible Resource Identifier (XRI) - Defining a resolution protocol for abstract structured identifiers used to identify and share resources across domains and applications

  • XRI Data Interchange (XDI) - Creating a standard for sharing, linking, and synchronizing data over the Internet and other networks using XML documents and Extensible Resource Identifiers (XRIs)

  • Enterprise Key Management Infrastructure (EKMI) - Defining symmetric key management protocols

  • Key Management Interoperability Protocol (KMIP) - Advancing an interoperability standard for enterprise encryption key management


What is KMIP

The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new encryption applications, covering symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.

KMIP defines the protocol for communication between encryption clients and key-management servers. Supported key-lifecycle operations include generation, submission, retrieval, and deletion of cryptographic keys. Vendors will deliver KMIP-enabled encryption applications that communicate with compatible KMIP key-management servers.
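The client/server exchange described above, as an added example that is not part of the original presentation or of any OASIS deliverable: a minimal encoder/decoder for KMIP's TTLV wire format, a client that issues Create, Get and Destroy requests, and a toy in-memory server that answers them. The tag and enumeration values are those published in the KMIP 1.0 specification; everything else is assumption, in particular the server itself, its UUID-style Unique Identifiers, and its hypothetical key policy (AES only, 128/192/256-bit). The point a practitioner should take from it: key material is generated on the server and only crosses the wire when a client explicitly issues Get, a Get after Destroy fails with Result Reason Item Not Found rather than silently returning stale material, and a Create that asks for a disallowed algorithm or length is refused with Invalid Field.

```python
# Added example, not OASIS or CA code: KMIP 1.0 TTLV Create/Get/Destroy exchange against a toy in-memory server; tag/enum values per the KMIP 1.0 spec.
import os, struct, time, uuid

STRUCT, INT, ENUM, TEXT, BYTES, DATETIME = 1, 2, 5, 7, 8, 9     # TTLV item types
PACK = {INT: ">i", ENUM: ">I", DATETIME: ">q"}                 # fixed-width big-endian value encodings
T = dict(REQ_MSG=0x420078, REQ_HDR=0x420077, PROTO=0x420069, MAJOR=0x42006A, MINOR=0x42006B,
         BATCH_COUNT=0x42000D, BATCH_ITEM=0x42000F, OPERATION=0x42005C, REQ_PAYLOAD=0x420079,
         OBJ_TYPE=0x420057, TEMPLATE_ATTR=0x420091, ATTR=0x420008, ATTR_NAME=0x42000A,
         ATTR_VALUE=0x42000B, UID=0x420094, RESP_MSG=0x42007B, RESP_HDR=0x42007A, TIMESTAMP=0x420092,
         RESULT_STATUS=0x42007F, RESULT_REASON=0x42007E, RESP_PAYLOAD=0x42007C, SYM_KEY=0x42008F,
         KEY_BLOCK=0x420040, KEY_FMT=0x420042, KEY_VALUE=0x420045, KEY_MATERIAL=0x420043,
         CRYPTO_ALG=0x420028, CRYPTO_LEN=0x42002A)
OP_CREATE, OP_GET, OP_DESTROY = 0x01, 0x0A, 0x14                # Operation enumeration
OBJ_SYMMETRIC_KEY, ALG_AES, FMT_RAW = 2, 3, 1                    # Object Type, Cryptographic Algorithm, Key Format Type
STATUS_SUCCESS, STATUS_FAILED, REASON_NOT_FOUND, REASON_NOT_SUPPORTED, REASON_INVALID_FIELD = 0, 1, 1, 5, 7  # Result Status; Result Reason

def encode(tag, typ, value):
    """Encode one (tag, type, value) item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if typ == STRUCT:
        body = b"".join(encode(*child) for child in value)     # a structure's value is its list of child items
    elif typ in PACK:
        body = struct.pack(PACK[typ], value)
    else:
        body = value.encode() if typ == TEXT else value        # TextString or ByteString
    return struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", len(body)) + body + b"\0" * ((-len(body)) % 8)

def decode(buf, pos=0):
    """Inverse of encode: the item at pos -> (tag, type, value, next_pos)."""
    tag, typ, length = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
    raw, end = buf[pos + 8:pos + 8 + length], pos + 8 + length + ((-length) % 8)
    if typ == STRUCT:
        value, p = [], 0
        while p < len(raw):
            *child, p = decode(raw, p)
            value.append(tuple(child))
    else:
        value = struct.unpack(PACK[typ], raw)[0] if typ in PACK else raw.decode() if typ == TEXT else raw
    return tag, typ, value, end

def find(items, tag):                                            # value of the first child carrying tag, else None
    return next((v for t, _, v in items if t == tag), None)

def message(msg_tag, hdr_tag, item):                             # one batch item under a protocol-1.0 header
    header = [(T["PROTO"], STRUCT, [(T["MAJOR"], INT, 1), (T["MINOR"], INT, 0)]),
              (T["TIMESTAMP"], DATETIME, int(time.time())), (T["BATCH_COUNT"], INT, 1)]
    return encode(msg_tag, STRUCT, [(hdr_tag, STRUCT, header), (T["BATCH_ITEM"], STRUCT, item)])

def request(op, payload):                                        # client side
    return message(T["REQ_MSG"], T["REQ_HDR"], [(T["OPERATION"], ENUM, op), (T["REQ_PAYLOAD"], STRUCT, payload)])

def response(op, status, payload=(), reason=None):               # server side: a failure carries a reason, not a payload
    item = [(T["OPERATION"], ENUM, op), (T["RESULT_STATUS"], ENUM, status),
            (T["RESULT_REASON"], ENUM, reason) if reason is not None else (T["RESP_PAYLOAD"], STRUCT, list(payload))]
    return message(T["RESP_MSG"], T["RESP_HDR"], item)

def create_request(alg=ALG_AES, bits=256):                       # client asks for a server-generated key; material stays there
    attrs = [(T["ATTR"], STRUCT, [(T["ATTR_NAME"], TEXT, "Cryptographic Algorithm"), (T["ATTR_VALUE"], ENUM, alg)]),
             (T["ATTR"], STRUCT, [(T["ATTR_NAME"], TEXT, "Cryptographic Length"), (T["ATTR_VALUE"], INT, bits)])]
    return request(OP_CREATE, [(T["OBJ_TYPE"], ENUM, OBJ_SYMMETRIC_KEY), (T["TEMPLATE_ATTR"], STRUCT, attrs)])

def result(raw):                                                 # client: (Result Status, Result Reason, payload children)
    batch = find(decode(raw)[2], T["BATCH_ITEM"])
    return find(batch, T["RESULT_STATUS"]), find(batch, T["RESULT_REASON"]), find(batch, T["RESP_PAYLOAD"])

class ToyKmipServer:                                             # in-memory stand-in constructed for this example
    def __init__(self):
        self.keys = {}                                           # Unique Identifier -> raw key material

    def handle(self, raw):
        batch = find(decode(raw)[2], T["BATCH_ITEM"])
        op, payload = find(batch, T["OPERATION"]), find(batch, T["REQ_PAYLOAD"])
        if op == OP_CREATE:
            attrs = {find(a, T["ATTR_NAME"]): find(a, T["ATTR_VALUE"]) for _, _, a in find(payload, T["TEMPLATE_ATTR"])}
            if attrs.get("Cryptographic Algorithm") != ALG_AES or (bits := attrs.get("Cryptographic Length")) not in (128, 192, 256):
                return response(op, STATUS_FAILED, reason=REASON_INVALID_FIELD)   # hypothetical key policy, enforced server-side
            uid = str(uuid.uuid4())                              # opaque identifier; assumption, not mandated by the spec
            self.keys[uid] = os.urandom(bits // 8)
            return response(op, STATUS_SUCCESS, [(T["OBJ_TYPE"], ENUM, OBJ_SYMMETRIC_KEY), (T["UID"], TEXT, uid)])
        if op not in (OP_GET, OP_DESTROY):
            return response(op, STATUS_FAILED, reason=REASON_NOT_SUPPORTED)
        uid = find(payload, T["UID"])
        if uid not in self.keys:
            return response(op, STATUS_FAILED, reason=REASON_NOT_FOUND)         # e.g. any Get after Destroy
        key = self.keys.pop(uid) if op == OP_DESTROY else self.keys[uid]
        if op == OP_DESTROY:
            return response(op, STATUS_SUCCESS, [(T["UID"], TEXT, uid)])
        block = [(T["KEY_FMT"], ENUM, FMT_RAW), (T["KEY_VALUE"], STRUCT, [(T["KEY_MATERIAL"], BYTES, key)]),
                 (T["CRYPTO_ALG"], ENUM, ALG_AES), (T["CRYPTO_LEN"], INT, len(key) * 8)]
        return response(op, STATUS_SUCCESS, [(T["OBJ_TYPE"], ENUM, OBJ_SYMMETRIC_KEY), (T["UID"], TEXT, uid),
                                             (T["SYM_KEY"], STRUCT, [(T["KEY_BLOCK"], STRUCT, block)])])

def key_lifecycle(server, bits=256):
    """Create -> Get -> Destroy -> Get again, returning what the client observed at each step."""
    created, _, payload = result(server.handle(create_request(bits=bits)))
    uid = find(payload, T["UID"])
    by_uid = lambda op: result(server.handle(request(op, [(T["UID"], TEXT, uid)])))
    block = find(find(by_uid(OP_GET)[2], T["SYM_KEY"]), T["KEY_BLOCK"])
    material = find(find(block, T["KEY_VALUE"]), T["KEY_MATERIAL"])
    return dict(create=created, uid=uid, key_bytes=len(material), alg=find(block, T["CRYPTO_ALG"]),
                destroy=by_uid(OP_DESTROY)[0], get_after_destroy=by_uid(OP_GET)[:2])
```

Calling `key_lifecycle(ToyKmipServer())` drives the four requests through the server and returns what the client saw at each step. The transport is deliberately absent: the KMIP specification leaves client authentication to the channel, and the published profiles put the exchange over TLS with client certificates, so a real deployment decides who may call Get or Destroy at that layer, not inside the message format.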


Enterprise Cryptographic Environments

[Diagram: Enterprise Key Management connected through the Key Management Interoperability Protocol to the enterprise's cryptographic endpoints: production database, eCommerce applications, disk arrays, LAN/WAN/VPN, backup tape, enterprise applications, CRM, business analytics, replica backup system, file server, email, staging, portals, dev/test obfuscation, backup disk, and collaboration and content management systems.]

KMIP: Single Protocol Supporting Enterprise Cryptographic Environments


John Sabo

[email protected]

