
Statewide Security Update October 25, 2005

Information Technology Advisory Board. Statewide Security Update October 25, 2005. Ann Garrett, State Chief Information Security Officer. Agenda. 2004 - Security Assessment Results Consequences of Assessment Statewide Security Initiatives Program Improve Network Security Defenses



Presentation Transcript


  1. Information Technology Advisory Board
     Statewide Security Update, October 25, 2005
     Ann Garrett, State Chief Information Security Officer

  2. Agenda
     • 2004 - Security Assessment Results
     • Consequences of Assessment
     • Statewide Security Initiatives Program
     • Improve Network Security Defenses
     • Improve Wireless Network Security
     • Improve Risk and Business Continuity Management
     • Complete Statewide Security Standards Framework
     • Improve Security Awareness & Training
     • Statewide Approach to Security Tools: Anti-Virus and Anti-Spyware
     • Questions

  3. 2004 Security Assessment: Scoring Distribution (chart: Planned Security Practices (Quality) vs. Actual Security Practices (Execution))

  4. 2004 Security Assessment: Scoring Summary
     Note: The circle indicates the State average for the agencies assessed in the study.

  5. 2004 Security Assessment: Statewide Average Scores by Category

  6. Opportunities for Improvement
     • Insufficient Funding (~100%)
     • Insufficient Staffing (84%)
     • Lack of Security Training & Experience (76%)
     • Outdated Desktop Operating Systems (72%)
     • Outdated and Missing Business Continuity Plans (69%)
     • Gaps in Agency Network Security Defense (64%)
     • Deficient Policies, Standards, and Procedures (60%)

  7. Consequences: Statewide Significance
     • Assessment provided a baseline for metrics and a roadmap for planning improvements
     • Increased awareness at all levels of government of the importance of information security
     • Flexible assessment tool that can be used in years to come
     • Cost savings

  8. Legislative Response: Law passed in July 2004 (SB991)
     • Shifted responsibilities from the IRMC to the State CIO and the ITAB
     • Gave State CIO clearer authority in project approval and management, procurement and establishment of security standards
     • Established a statewide IT Fund and appropriated $4.8 million for 2004-2005; $3 million appropriated for security assessment and remediation

  9. Statewide Security Responsibilities
     SCIO Security Responsibilities:
     • Set statewide security standards
     • Monitor and assess agency compliance
     • Oversee information security incidents
     • Information security considered in project management cycle
     • Select and deploy enterprise security technology
     • Oversee security procurements
     • Provide security education and training

  10. Statewide Security Initiatives
      • Improve network security defenses
      • Improve wireless network security
      • Improve risk management and business continuity planning
      • Complete statewide security framework (policies, procedures, standards and architecture)
      • Improve enterprise security awareness and training
      • Statewide approach to Anti-Virus/Anti-Spyware

  11. Statewide Security Initiatives #1: Improve Network Security Defenses (Next Generation Network (NGN), Firewalls, Intrusion Prevention System (IPS), NCID)
      • Implementing NGN with agency pilots
      • MPLS: Multi-protocol label switching
      • ESAP: Enterprise Service Access Point(s)
      • Approved Intrusion Protection System (IPS) project, RFP in process

  12. State Network
      • 2,500 remote sites
      • Public Network
      • Internet Pipes = Multiple Gigabit Ethernet Connections
      • Perimeter Defenses (Firewalls, IDS/IPS and ITS Hosted Zones IPS/IDS)
      • Centralized Security Incident Management, NC Information Sharing Analysis Center

  13. Next Generation Network (NCIN3) Goals
      • Enhance Network Availability (99.99)
      • Reliable, Manageable, Scalable
      • Enhance Security
      • Establish Layers of Security Controls
      • Enable Quality of Service features
      • Differentiated Service Offerings

  14. Enterprise Services Access Point (ESAP) Model

  15. Statewide Security Initiatives #2: Improve Agency Border/Perimeter Defense (Wireless)
      • Conducted Agency Wireless Survey 01/05
      • Formed Agency Wireless Focus Group
      • Updated ‘Wireless Security IEEE 802.11 Communications Policy’ issued 2/15/05
      • Project underway to build a prototype to deploy a secure wireless environment using 802.1X and WPA2 at ITS

  16. Statewide Security Initiatives #3: Improve Risk Management and Business Continuity Planning
      • Developed Risk Assessment Tool
      • Purchased Strohl Business Impact Analysis and Business Continuity Planning software for all executive branch agencies (available to locals through ITS at reduced price)
      • Trained agencies in Fall ‘04
      • Agencies complete Business Impact Analyses (BIAs) in March ‘05
      • Consistent statewide approach for business continuity management

  17. Statewide Security Initiatives #4: Complete Statewide Security Standards Framework
      • Purchased ISO 17799 Policy Tool Kit 07/04 and updates in 07/05
      • Formed Agency Standards/Policy Focus Groups
      • Awarded RFP to Ciber to complete standards framework with training materials 11/04
      • Chapters in review cycle, rollout is in progress
      • All Statewide Security Standards/Policies are on http://www.scio.state.nc.us

  18. Statewide Security Initiatives: July 2004 to June 2005 Enterprise Training Plan

  19. Statewide Security Initiatives #5: Improve Enterprise Security Training & Awareness, July 2005 to June 2006 Enterprise Training Plan

  20. Statewide Security Initiatives #6: Statewide Approach to Anti-Virus and Anti-Spyware
      • Use statewide consolidated purchasing power and authority to:
        • Lower overall statewide AV/AS costs and derive more value from these solutions while providing greater AV/AS protection to state agencies
        • Offer similar AV/AS pricing to all executive branch agencies as well as local government units, community colleges, and public schools (based on support option)
        • Simplify AV/AS administration through an integrated solution

  21. Enterprise Security Infrastructure is a key element of consolidation:
      • Integrating IT infrastructure services (network, hosting, access, etc.) through an enterprise-wide risk management approach improves security and enables cost efficiencies
      Why: a consistent approach to
        • Threats
        • Technology
        • Business Drivers
        • Users
        • Vendors
        • Education

  22. NC Statewide Security Initiatives Program: 2005 WINNER!!!

  23. Questions? http://www.scio.state.nc.us