Compliance Based Security Fabric. Information Systems Security Association Northwest Regional Security Conference Olympia, WA April 23, 2008. Ben.Berry@ODOT.state.or.us Chief Information Officer Oregon Department of Transportation.
Security Fabric Strategy Road Map: Transformation of ODOT Business via Enterprise Security Bills, Policies, & IT Initiatives
Overview of Bills, Policies & Initiatives
• DAS 107-004-050 Information Asset Classification Policy
• DAS 107-004-051 Controlling Portable and Removable Storage Devices
• DAS 107-004-052 Information Security
• DAS 107-004-053 Employee Security
• DAS 107-004-100 Transporting Confidential Information
• DAS Statewide Policy 1.3, Acceptable Use of Information Related Technology
• Senate Bill 583, 2007 Legislative Session (ID Theft)
• Various ODOT Security related policies
• ODOT ADM 05-08-01 Acceptable Use Policy
• ODOT ADM 04-20 Information Security
• ODOT Information Security Guidelines
• Administrative Criminal Background Checks Rules
• Business Continuity Planning
• Enterprise Content Management
• Identity and Access Management (TIM/TAM)
• Payment Card Industry (PCI) Compliance
Resource Work Collaboration Team (Enterprise Security Policies Initiative)
• Matt Garrett, Agency Director (Delegated Authority)
• Ben Berry, Agency CIO
• Project Managers: Lisa Martinez (Business), Peter van den Berg (Information Systems)
• Division Point Persons for other lines of business (DMV, Highway, Motor Carrier, IS): Keith Nardi, Deb Frazier, Ric Listella
• Information Security Unit: Karina Stewart
• Technology Management: Virginia Alster
• FileNet Program: Ron Winterrowd / Lisa Martinez
• Communications Plan: Team
Why a "Security Fabric"?
• COMPREHENSIVE. Building a security fabric to cover all of our Point-to-Point information services is much more difficult to maintain.
• INVISIBLE BUSINESS PROCESSES. Lots of business processes are invisible because staff do processes that are not necessarily written down.
• LEVERAGE ACROSS AGENCY & ENTERPRISE. A security fabric is meant to leverage secure practices across multiple organizational functions and business units.
(Figure: Legacy of Point-to-Point Services)
What is a Security Fabric?
A Security Fabric is a services-driven design approach that integrates business and security strategies to provide a Common Holistic Approach to Security Compliance and that leverages existing and new security policy functionality across agency business lines.
• The strategy of a Security Fabric includes:
• Integration with elements of each of the security policies, where applicable.
• Providing security through the sharing & reuse of security services and processes across the agency and/or enterprise.
• Streamlining secure practices across existing business processes for greater efficiency and productivity.
• The approach for a Security Fabric:
• Leverage existing business practices, IT investments and standard operating processes.
• Adopt Community of Practice templates for the Information Asset Classification Policy to ensure compliance with classifying data: Data Classification Levels 1, 2, 3 & 4 for Labeling, Handling, Storage, Retention and Disposal/Destruction.
• Standards allow security processes to be designed for reuse:
• Components that can be used over and over again among different lines of business. Example: Active Directory Group Policies or other physical standard security practices.
• Use of standardized procedures, interfaces and standard data classification adherence.
Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business, Not a Silo Approach
(Figure: matrix of Lines of Business (Submission Processing, Customer Service, Manage Taxpayer Accounts, Reporting Compliance, Filing & Payment Compliance, Criminal Investigation, Internal Management, Other Functional Domains) against Enterprise Security Domains (Information Asset Classification; Controlling Portable and Removable Storage Devices; Information Security; Employee Security; Transporting Confidential Information; Acceptable Use of Information Related Tech.; Senate Bill 583).)
• Enterprise Security Domains: define the statewide security policies, bills and initiatives that are within the scope of the change.
• Agency Policies & Practices: define the ODOT internal policies and practices impacted by the Security Fabric effort (Payment Card Industry - PCI; Identity & Access Management; Enterprise Content Management; Admin Criminal Background; ODOT Info. Security Guideline; ODOT Acceptable Use Pol.; ODOT Information Security Pol.).
• Agency Service Domains: define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains): Highway, Transportation, Motor Carrier, DMV, Rail and Others.
Approach to Meeting Security Fabric Goals (Security Fabric Project Manager)
1. Project Assessment
2. Gap Analysis
3. Develop Action Plan
4. Establish Deliverables & Project Plan
DCP (Decision Check Points) are shown between the steps; Risk Management, Communication Management & Change Management run alongside all four.
Security Fabric Strategy Map
Agency Lines of Business Process: determine the security Gaps that will need to be filled.
Policy / Procedure / Practice / Initiative:
• DAS 107-004-050 Information Asset Classification
• DAS 107-004-051 Controlling Portable and Removable Storage Devices
• DAS 107-004-052 Information Security
• DAS 107-004-053 Employee Security
• DAS 107-004-100 Transporting Information Assets
• SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act
• …
• …
GAP Analysis: DAS Policy Current State and Agency Policy Current State are compared against Future State Requirements; a separate Senate Bill 583 Gap Analysis is included.
DAS = Department of Administrative Services
Gather Requirements & Identify Gaps
Subject Matter Experts from Lines of Business
• Project Team:
• Review Results
• Rank Gaps Based on Risks and Priorities
• Develop Blueprint of Implementation Plan
(Figure: gaps ranked on a grid of High/Low Opportunity against High/Low Risk.)
Identify Key Business Challenges and Opportunities
• Reliant on Business Line Subject Matter Experts
• Competes with Other Priorities
• Undefined Roles and Responsibilities
• Requires Routine Review and Assessment to Manage Risk
• Reduce Agency Risk
• Potential to Improve Business Processes
• Recognize and Develop Partnerships
• Develop and Share Best Practices
• Successful Implementation Results in Improved Agency Compliance
• Identify Business Contacts for Each Division, Region, and Branch
Common Security Policy Services
• BUSINESS PERSPECTIVE. Promotes a business perspective around potential secured shared services.
• EFFICIENT. Drives efficiencies and reuse across the Agency.
• BEST PRACTICES. The Common Security Practice Framework will be refined based on lessons learned from initial security service deployments.
(Figure: Common Security Policy Framework. Inputs: Business Services. Process: Plan; Define, Design, Build, Deploy; Maintain. Outputs: Generate Secure Customer Service; Generate Secure Cross Agency Response.)
Security Fabric Based on Key Areas: Holistic Security Practices; Platform, Templates and Toolsets; and Security Governance
(Figure: layered model, top to bottom)
• Holistic Security Practices: business unit from broad based Practices and Procedures
• Agency Business Functional Services
• Agency Application Services: application integration / shared services (FileNet, others)
• Security Services / Information Security Governance: agency-wide utility functions and solutions (Active Directory, TIM/TAM, Encryption)
• Agency Infrastructure Services: enabling Security Technology (Middleware, physical tools and devices)
• Platforms, Templates & Toolset
Current Activities
• There are different types of line of business services that need protection, both Agency and Enterprise focused.
• All require agency governance for an initial and ongoing sustainable Security Fabric presence.
• ODOT is engaged in a multi-variant approach to focus on those areas that provide the highest level of security from easy to hard to implement. Given each policy's target timeline, high value security responses will be addressed first!
As Security Fabric Strategy Matures, We transition from Opportunistic and Project Level to Enterprise Level Security Policy Practice.
(Figure: items plotted from Low to High along a Time/Maturity axis running from Opportunistic to Enterprise. Reading from the Enterprise/High end down to the Opportunistic/Low end: ISBRA Security; TIM/TAM Identity Management; Digital Signatures; Info Asset L1; Info Asset L2; SB 583 Scope; Active Directory Group Policies; Controlling Removable Storage Devices; Employee Security Policy Integration; Info Asset Classification Level 4; Info Asset Classification Level 3; Transporting Info Assets; Acceptable Use Policy; Information Security Policy.)
Action Items & Implementation Dates (timeline, with "Today" marked)
• June 27, 2007: DAS 107-004-100 Effective
• October 1, 2007: SB 583 (except Section 12) Effective
• January 1, 2008: SB 583 Section 12 Effective
• January 31, 2008: DAS 107-004-053 Effective
• July 1, 2008: DAS 107-004-050 Level 4, Critical Effective
• July 30, 2008: DAS 107-004-051 Effective
• January 1, 2009: DAS 107-004-050 Level 3, Restricted Effective
• July 1, 2009: DAS 107-004-050 Level 2, Limited Effective
• July 30, 2009: DAS 107-004-052 Effective
• Legend:
• DAS 107-004-050 Information Asset Classification
• DAS 107-004-051 Controlling Portable and Removable Storage Devices
• DAS 107-004-052 Information Security
• DAS 107-004-053 Employee Security
• DAS 107-004-100 Transporting Information Assets
• SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act
Sustainable Security Practice Identification & Deployment Requires a Broad Based Security Policy and Governance Process
Starts with DAS Security Policies & SB 583 Business Process Requirements
• Impacts to people, process & technology
• Security services are delivered through Agency initiatives or projects
• Security life cycle processes are supported by both Business and Information services
• Development of security policy response is guided by multi-unit team (Resource Work Collaboration Team)
• Communication & training are required for people supporting each of the sustainable Security Fabric life cycle processes
(Figure: Iterative Sustainable Security Fabric Services Life Cycle, driven by Security Service Policy Requirements under GOVERNANCE: Design Security Service response; Architectural Review; Construct Security Service; Test Security Service; Deploy Security Service Process; Operate / Monitor; Measure Effectiveness; Use/Reuse Policy Driven Service; Service Repository.)
• Governance Organization: manage & monitor ongoing security agreements