
IT Security in the Commonwealth: A high-level review

Sam A. Nixon Jr., Chief Information Officer of the Commonwealth. Presented to the Governor’s Secure Commonwealth Panel, HHR Sub-Panel, December 16, 2013. www.vita.virginia.gov


Presentation Transcript


  1. IT Security in the Commonwealth: A high-level review
  Sam A. Nixon Jr., Chief Information Officer of the Commonwealth
  Governor’s Secure Commonwealth Panel, HHR Sub-Panel
  December 16, 2013
  www.vita.virginia.gov

  2. VITA’s Mission: Mandate for Change
  • Executive & Legislative Branch leaders called for:
    • A business-like approach to managing IT services across the enterprise of state government
    • The concept of “Shared Services” (cloud computing)
    • A statewide IT infrastructure for government entities
  • Major Statutory Responsibilities:
    • Provisioning of IT Infrastructure Services (in-scope agencies)
    • Central oversight of IT procurement, projects, security, standards, policy and procedures, Wireless E-911, and contingent labor
  • Modernization is a journey:
    • Step 1: Creation of VITA & statutory framework
    • Step 2: Transformation of infrastructure
    • Step 3: Enterprise Applications & Services

  3. Information Security in the Commonwealth
  VITA is tasked with security governance over all three branches of state government. VITA oversees delivery of infrastructure services to executive branch agencies. Agencies remain responsible for their business applications and data. Security is therefore a shared responsibility.

  4. CoVA IT Infrastructure
  • Computers: 59,374 PCs; 3,356 servers
  • Mailboxes: 58,948 accounts
  • Data storage: 1.5 petabytes
  • Mainframes (2): IBM, Unisys
  • Communications: 55,000 desk phones; 6,100 handhelds (PDAs); 11,000 cell phones
  • Networks: 2,039 circuits
  • Data Centers (2): CESC, SWESC
  • Printers: 5,311 network; 22,000 desktop
  • Locations: 2,247

  5. Exec Branch Business Applications
  • Core Applications: 2,100
  • Sensitive Systems: 697
  • Why does Security matter? Examples:
    • Health Care – PHI, Birth Records, Prescription Monitoring
    • Public Safety – Forensics Lab Data, Fingerprint System, Emergency Planning data
    • Transportation – Traffic Mgmt Systems, Road, Rail and Air
    • Taxation – Citizen and Business Financial Info, FTI (SSN)
    • VITA – Infrastructure & Security Architecture, Network, Employee Authorization

  6. Security Strategy

  7. Government Data Breaches & Attacks
  • Virginia Agencies:
    • 95,513,983 attack attempts* (>300K / day)
    • 708,027,671 spam messages blocked*
    • *Jan – Dec 13, 2013, transformed agencies only
  [Chart: Security breaches of over 1 Million records. Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, Aug 2013]

  8. Increase in Security Incidents (2010-2013)

  9. Cyber Attack Map – July 2013

  10. VITA Has Broad Statutory Security Role
  • Set security architecture & standards
  • Oversee Northrop Grumman
  • Perform overall incident response
  • Share intelligence & information (FBI, DHS, State Police, VDEM)
  • Conduct risk management
  • Oversee & assist agencies
  • CIO has limited authority to ensure compliance

  11. NG Responsible for Infrastructure Security
  • Physical & logical security
  • Data center protection
  • Firewalls, intrusion monitors, encryption, compartmentalization, antivirus & spam filters
  • Detection, containment & removal of security incidents affecting the infrastructure
  • However, the primary attack vector is against applications & not the infrastructure
  • NG assists with attacks against applications, but agencies remain responsible for applications & data

  12. Agency Responsibility: State Agency IT Security Efforts Are Mixed
  Agencies in compliance (%):
  • Appoint Information Security Officer: 97
  • Develop & maintain IT security audit plan: 71
  • Conduct IT security audits every 3 years (minimum): 63
  • Develop & maintain corrective action plans: 56
  • Develop & maintain policies and procedures to control unauthorized uses and intrusions: 42
  Source: 2012 Commonwealth of Virginia Information Security Annual Report

  13. Priority – Cyber Security
  • Improve Analysis & Risk Assessment
    • Full packet analysis to address data exfiltration
    • Risk management tool (being pursued) to identify potential impact of breach or outage
  • Enhance Access Security
    • More secure remote network access (SSL VPN)
    • Password resets (from 90 to 45 days)
    • Two-factor authentication
  • Address Security Compliance
    • Increasing CoVA capabilities

  14. VITA & Agencies Lack Security Staff
  • VITA needs a cyber intelligence program to analyze threats and attacks
    • Need for risk-based decisions based on likelihood of attack attempts
    • Need analysis of malicious third parties that directly target the Commonwealth
  • State agency staffing constraints impede security gap correction & limit auditing
    • Agencies must test their applications against new patches & evolving federal requirements

  15. Future Governance of IT Security
  • Future Governance Considerations
    • Federal regulations & third-party mandates require new security efforts for agencies
    • Agency constraints impede security gap correction & limit auditing to find unknown gaps
      • EX: Annual security reviews, JAVA, Win 7
    • Implementing a Commonwealth-wide IT risk management program
    • Continued agility to rapidly respond to threats
  • IT Security demands a “First Defender” approach

  16. Questions? Samuel A. Nixon Jr. sam.nixon@vita.virginia.gov (804) 416-6004
