Agency Name Security Program FY 2009
John Q. Public, Agency Director/CIO/ISO
Security Program
• (Agency Name) mission is to provide a constituent internet interface for the sale of state logo widgets
• This security program has been developed to support the business processes and communications that serve the agency's business goals
Security Program: Governance
• Complies with Federal, Industry and State statutes and requirements such as HIPAA, PCI and the Georgia Enterprise Policies, Standards and Guidelines
Security Program: Governance
• Key Components of Governance
  • Planning
    • Strategic Security Plan
  • Governance structures
    • State CIO Council
    • Information Security Officer Council
    • Agency Risk Management Board
    • Agency IT Leadership
Security Program: Governance
• Key Components of Governance
  • Policy
    • Georgia Enterprise Policy
    • (Agency Policy)
    • Industry Practices
    • Federal Policies
  • Monitoring
    • Self-assessments
    • Third Party assessments
    • Georgia Dept of Audits
Security Program: Governance
• Challenges and Keys to Success
  • Challenges
    • Resources
    • New Threats
  • Keys to Success
    • Resources to achieve goals
    • Remediation of shortfalls
    • Certification of assurance
    • Education
      • Executive
      • Employee
Security Program: System Development Life Cycle
• Four-year refresh cycle as prescribed by OPB for IT equipment
• In the third year of the current planning cycle
• 25% IT equipment refresh budgeted
• Security device refresh scheduled
Security Program: Awareness and Training
• Awareness and Training program based on the federal model
• User Awareness training completed
  • 120/125 employee participation
  • 96% 'pass' for Annual Awareness Training
  • Remedial training identified and scheduled
• Training program underway for technical staff
  • Act-Online.net
  • Strategic Training Alliance
• Executive training underway
  • Act-Online.net
Security Program: Capital Planning
• Security Priorities and Funding
  • Top Five Security Priorities
    • Third Party assessment of (1) High system
    • Refresh firewall pair (7 years old)
    • Refresh Intrusion system (5 years old)
    • SIEM acquisition
    • Training (ISO skills - administrative training)
  • Total FY 2009 Funding request: $125K
  • Allowed FY 2009 Funding: $77K
    • Third Party assessment
    • Refresh firewall pair
Security Program: Interconnecting Systems
• PeopleSoft – State Accounting Office
• Enterprise Active Directory/Exchange – GTA
• GBA Physical Access Control System
• PCI vendor – XYZ Corporation
Security Program: Performance Measures
• Annual Agency Information Security Report
  • Due 30 June
  • Reporting to GTA
  • Reporting items as prescribed by the Enterprise Standard
Security Program: Security Planning
• Security planning is performed by examining each system individually
• The Security Program is built by aggregating the resulting plans, assessments and audits
• Current plans are attached to the Security Program document
Security Program: Contingency Planning
• No formal agency Business Continuity Plan has been developed
• IT has rudimentary planning underway
  • Several meetings with system owners
  • IT staff has begun requirements collection
Security Program: Risk Management
• Agency has a Risk Management Board that meets monthly
• Structure and scope align with NIST 800-30 Risk Management
• Security is heavily involved
Security Program: Security Assessments
• Self-assessment with current IT staff
  • Performed quarterly
• Third party assessments once a year
• Georgia Dept of Audits every third year
Security Program: Security Products and Acquisition
• Conduct research and consult with the GTA Office of Information Security
• Current focus
  • Application firewall
  • Intrusion systems
  • Content filtering
Security Program: Incident Response
• Escalation procedures include security hand-off decision points
• Procedures are periodically tested
• Security personnel have been trained:
  • Cyber First Responder
  • Forensic Investigations (National White Collar Crime Center)
Security Program: Configuration Management
• Configuration management is given high importance to maintain the integrity of the network and IT assets
• Agency has a Configuration Management Board (CMB) that meets weekly
• The CMB coordinates with GTA's CMB on changes that may impact enterprise operations
Security Program: Questions