1 / 19

Agency Name Security Program FY 2009

Agency Name Security Program FY 2009. John Q. Public Agency Director/CIO/ISO. Security Program. (Agency Name) mission is to provide constituent internet interface for the sale of state logo widgets

forrest-lloyd
Download Presentation

Agency Name Security Program FY 2009

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Agency NameSecurity ProgramFY 2009 John Q. Public Agency Director/CIO/ISO

  2. Security Program (Agency Name) mission is to provide constituent internet interface for the sale of state logo widgets This security program has been developed to support business processes and communications to support business goals

  3. Security ProgramGovernance • Complies with Federal, Industry and State statutes and requirements such as HIPAA, PCI and the Georgia Enterprise Policies, Standards and Guidelines

  4. Security ProgramGovernance • Key Components of Governance • Planning • Strategic Security Plan • Governance structures • State CIO Council • Information Security Officer Council • Agency Risk Management Board • Agency IT Leadership

  5. Security ProgramGovernance • Key Components of Governance • Policy • Georgia Enterprise Policy • (Agency Policy) • Industry Practices • Federal Policies • Monitoring • Self-assessments • Third Party assessments • Georgia Dept of Audits

  6. Security ProgramGovernance • Challenges and Keys to Success • Challenges • Resources • New Threats • Keys to Success • Resources to achieve goals • Meditation of shortfalls • Certification of assurance • Education • Executive • Employee

  7. Security ProgramSystem Development Life Cycle • Four cycle as prescribed by OPB for IT equipment • In the third year of the current planning cycle • 25% IT equipment refresh budgeted • Security device refresh scheduled

  8. Security ProgramAwareness and Training • Awareness and Training program based on federal model • User Awareness training completed • 120/125 employee participation • 96% ‘pass’ for Annual Awareness Training • Remedial training identified and scheduled • Training program underway for technical staff • Act-Online.net • Strategic Training Alliance • Executive training underway • Act-Online.net

  9. Security ProgramCapital Planning • Security Priorities and Funding • Top Five Security Priorities • Third Party assessment to (1) High system • Refresh firewall pair (7 years old) • Refresh Intrusion system (5 years old) • SIEM acquisition • Training (ISO skills - administrative training) • Total FY 2009 Funding request $125K • Allowed FY 2009 Funding:$77K • Third Party assessment • Refresh firewall pair

  10. Security ProgramInterconnecting Systems • PeopleSoft – State Accounting Office • Enterprise Active Directory/Exchange - GTA • GBA Physical Access Control System • PCI vendor – XYZ Corporation

  11. Security ProgramPerformance Measures • Annual Agency Information Security Report • Due 30 June • Reporting to GTA • Reporting items as prescribed by Enterprise Standard

  12. Security ProgramSecurity Planning • Approach for security planning is performed by examining each system • Security Program is based upon aggregating plans, assessments and audits • Current plans are attached to the Security Program document

  13. Security ProgramContingency Planning • No formal agency Business Continuity Plan has been developed • IT has rudimentary planning underway • Several meetings with system owners • IT staff has begun requirements collection

  14. Security ProgramRisk Management • Agency has a Risk Management Board that meets monthly • Structure and scope aligns with NIST 800-30 Risk Management • Security heavily involved

  15. Security ProgramSecurity Assessments • Self-Assess with current IT staff • Performed quarterly • Third party assessments once a year • Georgia Dept of Audit every third year

  16. Security ProgramSecurity Products and Accquisition • Conduct research and consult with GTA Office of Information Security • Current focus • Application firewall • Intrusion systems • Content filtering

  17. Security ProgramIncident Response • Escalation procedures include security hand-off decision points • Procedures are periodically tested • Security personnel have been trained: • Cyber First Responder • Forensic Investigations (National White Collar Crime Center)

  18. Security ProgramConfiguration Management • Configuration management is given high importance to maintain the integrity of the network and IT assets. • Agency has a Configuration Management Board (CMB) that meets weekly • The CMB coordinates with GTA’s CMB as it may impact enterprise operations

  19. Security Program Questions

More Related