August 2014 | Austin, Texas - PowerPoint PPT Presentation

Presentation Transcript

  1. The Texas Cybersecurity Framework and Information Security Plans | August 2014 | Austin, Texas

  2. The Texas Framework and Agency Security Plans: Agenda • Texas Cybersecurity Framework • Agency Security Plans • Examples • Questions

  3. The Texas Framework and Agency Security Plans: Agenda • Texas Cybersecurity Framework • Agency Security Plans • Examples • Questions

  4. SISAC Policy Sub-committee Membership

  5. Statewide Security Program Overview • Plan & Strategy and Operations, organized by the functions Identify, Protect, Detect, Respond, Recover • Texas Cybersecurity Framework: TAC 202, Control Catalog, Vendor Services Alignment, Agency Security Plan Template, Risk Mgmt • Security Services: Direct Elected Services, Cooperative Contract Procurement Offerings, Managed Services • Education & Awareness: Security Officer Training, Agency Personnel Awareness, Public Awareness

  6. Overview of the Texas Cybersecurity Framework (TAC 202, Control Catalog, Vendor Services Alignment, Agency Security Plan Template, Risk Mgmt) • Agency Security Plan Template: delivered in January 2014 • Vendor Product / Service Template: delivered in March 2014 • Updated Texas Administrative Code Ch. 202: expected February 2015 • Security Control Standards Catalog: expected February 2015 • Guidelines and Whitepapers: ongoing effort • Governance, Risk and Compliance solution: expected to integrate all of these in Fall 2015

  7. • 40 security objectives defined • Aligned to “Framework for Improving Critical Infrastructure Cybersecurity” released by NIST in February 2014 • Responsive to SB 1134 (Ellis) and SB 1597 (Zaffirini)

  8. The Journey of 1000 miles… To map your path you need to know where you are and where you are going

  9. Why didn’t DIR adopt the National Cybersecurity Framework? • A question of timing and goals • The framework “shell game” • The long-term solution lends itself to adaptation to any framework or compliance regime

  10. Why didn’t DIR adopt the National Cybersecurity Framework? Timing and goals • Jul 2013: RFO published • Sep 1 2013: SB 1597 effective • Oct 2013: Security plan template due from Vendor • Oct 2013: Draft security plan template to SISAC Policy Subcommittee • Jan 2014: Security plan template available to agencies • Feb 28 2014: IS Working Group Meeting • Feb-Oct 2014: Agencies develop/adjust security plans • Mar 26-27 2014: DIR Information Security Forum • Oct 15 2014: Security plans to DIR from agencies

  11. The Texas Framework and Agency Security Plans: Agenda • Texas Cybersecurity Framework • Agency Security Plans • Examples • Questions

  12. Security Plan Template • Available on the DIR website in the Texas Cybersecurity Framework section

  13. Agency Security Plans • Objective-based • Provides a uniform understanding of agency security program maturity

  14. Basic Information • The demographic information provides us the ability to make sense of the data

  15. Control activities • Agencies are asked to provide the controls they have in place for each security objective

  16. Pattern Controls • The template includes “pattern controls” expected at each maturity level • Details the processes at that level • Not focused on Technology

  17. Effectiveness • Level 4 relates to effectiveness in meeting the objective • Agencies at level 4 are asked to detail how they measure effectiveness

  18. Efficiency • Similarly, at level 5, agencies are asked to detail how they measure efficiency of controls

  19. The Plan • Finally, agencies are asked to indicate their information security plans for the next 12 months. • Challenges section is a pull-down menu

  20. The Texas Framework and Agency Security Plans: Agenda • Texas Cybersecurity Framework • Agency Security Plans • Examples • Questions

  21. Example 1: Security Awareness and Training: Control Objective • Define, prepare, deliver, and facilitate an ongoing awareness campaign utilizing a wide variety of mediums and delivery mechanisms to effectively and constantly educate the organization on security related information, threats, and technology risks. • Assume agency is at a maturity level 2 for this example • Pattern Controls • The program identifies and focuses on the security topics that support the organization's mission. The program includes continual refresher activities throughout the year.

  22. Example 1: Security Awareness and Training: Control Activity Security awareness training consists of PowerPoint presentations with testing, that are taken on an annual basis by all staff.

  23. Example 1: Security Awareness and Training: Control Activity (revised) Security awareness training consists of agency-developed PowerPoint presentations delivered across our agency intranet. Each staff member must also pass an accompanying test for each module, with at least 80% correct. Modules are taken on an annual basis by all staff. The agency has a goal of 100% of staff trained within the first 6 months of employment. (Original: Security awareness training consists of PowerPoint presentations with testing, that are taken on an annual basis by all staff.)

  24. Example 1: Security Awareness and Training: Roadmap The agency has allocated funds for improving training programs.

  25. Example 1: Security Awareness and Training: Roadmap (revised) The agency has met its goal of 100% of staff trained within the first 6 months of employment, but tracking has been a manual process. The agency has allocated funds to build a training management system, which will programmatically track compliance with training program requirements. (Original: The agency has allocated funds for improving training programs.)

  26. Example 2: Access Control: Control Objective • Processes used to ensure access to applications, servers, databases, and network devices in the environment is limited to authorized personnel. Access is to be limited to authorized users, processes acting on behalf of authorized users, or authorized devices. Authorized users are further limited to the types of transactions and functions that they are permitted to exercise. Session limits, lockout features for failed login attempts, account expirations and disabling unused accounts are controls that provide access control. • Assume agency is at a level 4 and 5 for this example • Pattern Controls • Role-based access controls are implemented and the principle of "least privilege" is employed. Roles are defined for system access. Individual users are assigned permissions based on roles; no individual permissions are granted. Two factor authentication mechanisms are employed for systems identified as high risk by a documented risk management process. • Onboarding: Access to systems is granted based on role-based controls in a documented and auditable manner. Offboarding: A defined and auditable process is in place to revoke all access permissions within 2 hours of a separation activity.

  27. Example 2: Access Control: Control Activity The organization is in the process of implementing an IAM system to ensure that access levels are role-based and that no shared accounts exist. Two factor authentication is in the process of being deployed for high risk systems.

  28. Example 2: Access Control: Control Activity (revised) The organization is in the process of implementing an IAM system to ensure that access levels are role-based and that no shared accounts exist. The system is expected to be fully deployed by Q4 of FY14. Two factor authentication is in the process of being deployed for high risk systems which contain PII, customer data or are critical to delivering the agency mission. (Original: The organization is in the process of implementing an IAM system to ensure that access levels are role-based and that no shared accounts exist. Two factor authentication is in the process of being deployed for high risk systems.)

  29. Example 2: Access Control: Effectiveness Annual audits

  30. Example 2: Access Control: Effectiveness (revised) The agency’s internal audit team reviews access control exception reports for compliance with agency policy annually. The agency has a goal of disabling non-current accounts within 12 hours. The agency has established a 99% effectiveness rate as a goal for all access control measures. (Original: Annual audits)
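Slide 30 asks a level 4 agency to say how it measures effectiveness, and the revised text commits to concrete numbers: access revoked within 2 hours of separation (the level 4 pattern control on slide 26), non-current accounts disabled within 12 hours, and a 99% effectiveness goal. The script below is an added example, not part of the DIR presentation or its template, showing how those three numbers can be turned into an exceptions report of the kind the internal audit team would review. The thresholds come from the slides; the record layout, the function names and the sample separation and account data are constructed for illustration.

```python
"""Access-control effectiveness metrics for the Example 2 plan entries.

Added example, not part of the DIR presentation. The thresholds come from the
slides (revoke access within 2 hours of separation, disable non-current
accounts within 12 hours, 99% effectiveness goal); the record layout and the
sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds stated on the slides
REVOKE_SLA = timedelta(hours=2)     # offboarding pattern control (slide 26)
DISABLE_SLA = timedelta(hours=12)   # agency goal for non-current accounts (slide 30)
EFFECTIVENESS_GOAL = 0.99           # goal for all access control measures (slide 30)

# (identifier, time the clock started, time the action completed or None if still open)
Record = Tuple[str, datetime, Optional[datetime]]


@dataclass
class Metric:
    name: str
    total: int             # records that could be evaluated against the SLA
    met: int               # completed within the SLA
    pending: int           # still open, but the SLA has not elapsed yet
    exceptions: List[str]  # identifiers that missed the SLA (the exceptions report)

    @property
    def rate(self) -> float:
        # No evaluable records means nothing has failed yet; report 100%
        return 1.0 if self.total == 0 else self.met / self.total

    @property
    def meets_goal(self) -> bool:
        return self.rate >= EFFECTIVENESS_GOAL


def measure(name: str, records: List[Record], sla: timedelta, now: datetime) -> Metric:
    """Score each record against an SLA as of `now`.

    An open record past the SLA is a miss (access has stayed active too long);
    an open record still inside the SLA is pending and left out of the rate.
    """
    met, pending, exceptions = 0, 0, []
    for ident, started, completed in records:
        if completed is None:
            if now - started <= sla:
                pending += 1
                continue
            exceptions.append(ident)
        elif completed - started <= sla:
            met += 1
        else:
            exceptions.append(ident)
    return Metric(name, len(records) - pending, met, pending, exceptions)


def access_control_report(separations: List[Record], stale_accounts: List[Record],
                          now: datetime) -> dict:
    """Produce the two metrics the plan text commits to, keyed by name."""
    return {
        "offboarding_revocation_2h": measure("offboarding_revocation_2h", separations, REVOKE_SLA, now),
        "non_current_disable_12h": measure("non_current_disable_12h", stale_accounts, DISABLE_SLA, now),
    }


def exceptions_report(report: dict) -> List[str]:
    """Flat list of lines an internal audit reviewer would read."""
    lines = []
    for m in report.values():
        status = "MEETS GOAL" if m.meets_goal else "BELOW GOAL"
        lines.append(f"{m.name}: {m.met}/{m.total} within SLA ({m.rate:.1%}), "
                     f"{m.pending} pending, {status}")
        lines.extend(f"  exception: {ident}" for ident in m.exceptions)
    return lines


# Constructed sample data: a report run at T0 over the previous few days
T0 = datetime(2014, 8, 4, 9, 0)
h, d = timedelta(hours=1), timedelta(days=1)
SEPARATIONS: List[Record] = [
    ("jdoe",   T0 - 3 * d,   T0 - 3 * d + 0.75 * h),  # revoked in 45 min: met
    ("asmith", T0 - 2 * d,   T0 - 2 * d + 5 * h),     # revoked after 5 h: exception
    ("bjones", T0 - 1 * d,   T0 - 1 * d + 1 * h),     # met
    ("clee",   T0 - 0.5 * h, None),                   # separated 30 min ago: pending
    ("dkim",   T0 - 6 * h,   None),                   # still active after 6 h: exception
]
STALE_ACCOUNTS: List[Record] = [
    ("svc-report",  T0 - 5 * d, T0 - 5 * d + 3 * h),   # met
    ("tmp-intern7", T0 - 4 * d, T0 - 4 * d + 20 * h),  # exception
    ("ctr-vendor2", T0 - 2 * d, T0 - 2 * d + 11 * h),  # met
]

if __name__ == "__main__":
    for line in exceptions_report(access_control_report(SEPARATIONS, STALE_ACCOUNTS, T0)):
        print(line)
```

Two design points matter when an agency reports a rate like this: an account that is still active past the SLA counts as a miss even though no "completion" event exists, so the report cannot look clean simply because nobody closed the ticket; and items still inside the SLA window are reported as pending rather than silently counted as successes.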

  31. Example 2: Access Control: Efficiency Annual audits

  32. Example 2: Access Control: Efficiency (revised) The agency’s business owners review metrics to ensure that access to business critical functions is not delayed for new employees. The provisioning team uses these metrics and feedback to ensure the team maintains adequate staff to meet the business owners’ needs. (Original: Annual audits)

  33. Example 2: Access Control: Roadmap Continue implementing IAM as resources are available.

  34. Example 2: Access Control: Roadmap (revised) The agency will continue implementing IAM as resources are available. Once the IAM system is fully implemented (expected by Q4 of FY14), the agency will investigate using this system as a single sign-on tool for additional agency web-based applications. (Original: Continue implementing IAM as resources are available.)

  35. Example 3: Data Classification: Control Objective • Data classification provides a framework for managing data assets and information resources based on utility to the organization, intrinsic financial value and impact of loss and other associated risks. To apply the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations, data, whether electronic or printed, must be classified. The data owner should consult with the Information Security organization and legal counsel on the classification of data as Restricted, Confidential, Agency-Internal, or Public. Consistent use of data classification reinforces with users the expected level of protection of data assets in accordance with required security policies. • Assume part of agency is at a level 2 and part at 4 for this example • Pattern Controls • Level 2: Data classification policies and processes are defined and repeatable. Across the organization, there is a common understanding of what the organization's most important and sensitive information is. Data owners have been identified for most information. • Level 4: Data is managed by technology that requires classification as new data is created. Automated policies ensure data is consistently classified across the organization. Data classification monitoring is continuous, proactive and preventative involving appropriate metrics. Resources are prioritized based on the classification / criticality / business value of hardware, devices, data, and software. Critical data has been de-duplicated, to minimize the copies that must be inventoried.

  36. Example 3: Data Classification: Roadmap Improve compliance with the data classification plan.

  37. Example 3: Data Classification: Roadmap (revised) The agency has spent time and resources ensuring that PII and customer data is properly classified for business critical systems. Over the next 12 months, the agency will expand the scope of its data classification project to ensure that all program areas comply with the data classification plan. (Original: Improve compliance with the data classification plan.)

  38. The Texas Framework and Agency Security Plans: Agenda • Texas Cybersecurity Framework • Agency Security Plans • Examples • Questions

  39. What is DIR going to do with the data? • SB 1134 tells DIR to develop a framework • SB 1597 does not indicate what DIR is expected to do with the agency security plans it receives • We will analyze the data for outliers • What can we do to help agencies with lower maturity? • What can we learn from agencies with higher maturity?

  40. What can agencies do with the data? • The Objectives establish a common and complete basis for a security program • Identifies areas for improvement that may require appropriations • Enables improved prioritization of resources • Provides a platform for describing the risks of the agency for non-technical audiences • Affords continuity during security staff transitions

  41. How should large organizations structure their response? • Framework is flexible enough for multiple scenarios • Single ISO for entity • Entity with multiple divisions • Large entities with multiple IT groups and funding sources

  42. How long does the template take? • Some larger agencies have spent multiple person weeks completing the template • Familiar technology / IT objectives are quicker to respond to • Objectives around security projects may take longer

  43. How do I submit the template to DIR? • Preferred submission method is through the TX-ISAC portal • DIR has instructions available for those unfamiliar with using the TX-ISAC portal • Contact Ted James (ted.james@dir.texas.gov)

  44. Agency Security Plan Timeline • Jul 2013: RFO published • Sep 1 2013: SB 1597 effective • Oct 2013: Security plan template due from Vendor • Oct 2013: Draft security plan template to SISAC Policy Subcommittee • Jan 2014: Security plan template available to agencies • Feb 28 2014: IS Working Group Meeting • Feb-Oct 2014: Agencies develop/adjust security plans • Mar 26-27 2014: DIR Information Security Forum • Oct 15 2014: Security plans to DIR from agencies • Template and Whitepaper available at: http://www.dir.texas.gov/security/policy/Pages/framework.aspx

  45. Thank you dirsecurity@dir.texas.gov