1 / 56

How Safe is Your State’s Data?

How Safe is Your State’s Data?. Virginia’s Common-Sense approach to Assessing Security. Virginia’s Common-Sense Approach to Assessing Security. Why did we choose to assess the Commonwealth of Virginia’s systems and data security? What was the timeframe from inception to completion?

step
Download Presentation

How Safe is Your State’s Data?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. How Safe is Your State’s Data? Virginia’s Common-Sense approach to Assessing Security

  2. Virginia’s Common-Sense Approach to Assessing Security • Why did we choose to assess the Commonwealth of Virginia’s systems and data security? • What was the timeframe from inception to completion? • What approach did we use to gather the data? • How did we evaluate the data? Auditor of Public Accounts

  3. Virginia’s Common-Sense Approach to Assessing Security • How did we report the results? • What were the lessons learned and what would we have done differently? • What was the response to the report we issued? Auditor of Public Accounts

  4. Virginia’s IT Governance • Virginia has had information technology security standards since 1990 • Creation of Virginia Information Technologies Agency (VITA) in 2003 • Commonwealth’s Chief Information Officer is responsible for information technology security

  5. Virginia’s IT Governance • VITA is responsible for information technology security audits, however they had not been doing them! • Funding issues • Efforts focused on Northrop Grumman public private partnership for IT infrastructure

  6. Why did we choose to assess the Commonwealth of Virginia’s systems and data security? • Security Breaches • Virginia Organization • Jan. 10, 2005 – George Mason University (Fairfax, VA) Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university’s main ID server. • Public Organization • On May 22, 2006, the U.S. Department of Veterans Affairs issued a statement that one of their analyst’s laptops was stolen containing 26.5 million names, social security numbers, dates of birth, and health records of active and retired veterans and spouses. • Private Organization • Financial services company ING had a laptop stolen from the Washington home of one of its employees on June 12, 2006 containing sensitive data, such as social security numbers, of 13,000 District of Columbia employees and retirees. Auditor of Public Accounts

  7. Why did we choose to assess the Commonwealth of Virginia’s systems and data security? • Virginia General Assembly passed Senate Joint Resolution 51 (SJR51) • Which basically said “APA you will assess the health of the security of the Commonwealth’s data.” Auditor of Public Accounts

  8. APA Audits • We had been covering IT security related to our financial and performance audits for some time • We had been issuing findings related to IT security in individual audit reports • Interpretation of SJR 51 was that we would review security of all data (not just financial or data that resides in a database)

  9. What was the timeframe from inception to completion? • Senate Joint Resolution 51 passed by House on March 9, 2006 • Checklist developed July 18, 2006 • Pilot study completed August 10, 2006 • Final agency report received October 23, 2006 • Report issued December 1, 2006 Auditor of Public Accounts

  10. What approach did we use to gather the data? • We developed a Checklist/Questionnaire based on current Commonwealth of Virginia Security Standards and Industry Best Practices (ISO17799, FISCAM, CobiT, and NIST) Auditor of Public Accounts

  11. Industry Best PracticesISO 17799 This International Standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. Auditor of Public Accounts

  12. Industry Best PracticesFederal Information System Controls Audit Manual (FISCAM) This manual describes the computer-related controls that auditors should consider when assessing the integrity, confidentiality, and availability of computerized data. It is a guide applied by GAO primarily in support of financial statement audits. Auditor of Public Accounts

  13. Industry Best PracticesControl Objectives for Information and related Technology (CobiT) • “Owned” by the IT Governance Institute whose goal is to advance international thinking and standards in directing and controlling an enterprise’s information technology • Provides good practices across a domain and process framework and presents activities in a manageable and logical structure • CobiT’s good practices represent the consensus of experts Auditor of Public Accounts

  14. Industry Best PracticesNational Institute of Standards and Technology(NIST) • The Information Technology Laboratory (ITL) at NIST provides US measures and standards framework for technology • Responsibilities include the development of management, administrative, technical, and physical standards and guidelines for federal information systems • ITL reports its research, guidelines and outreach efforts in the Special Publication 800 series Auditor of Public Accounts

  15. Industry Best PracticesNational Institute of Standards and TechnologyAn example from NIST Special Publication 800-26 Specific Control Objectives and Techniques Risk Management OMB Circular A-130, III 1.1 Critical Element: Is risk periodically assessed? 1.1.1 Is the current system configuration documented, including links to other systems? NIST SP 800-18 1.1.2 Are risk assessments performed and documented on a regular basis or whenever the system, facilities, or other conditions change? FISCAM SP-1 1.1.3 Has data sensitivity and integrity of the data been considered? FISCAM SP-1 From Appendix page A-3 Auditor of Public Accounts

  16. Industry Best PracticesAPA’s adaptation of the same questionAn example from APA Auditor Core Checklist • Has the agency completed and documented a Risk Assessment (RA) relating to its IT infrastructure? • Is the RA reviewed at least annually to check compliance with the Commonwealth of Virginia security standard? • Is the RA updated at least every three years? • Does the agency require all components of its IT infrastructure to be rated in the RA? Auditor of Public Accounts

  17. What approach did we use to gather the data? • Checklist/Questionnaire addressed four major areas: • Security Management Structure • Data protection, integrity, availability and confidentiality • IT System Configuration and change management • Monitoring and Logging Auditor of Public Accounts

  18. What approach did we use to gather the data? • Checklist/Questionnaire was distributed to a select (pilot) group of nine state agencies and institutions: • Based on diversity in terms of number of staff and size of budget (included both large and small agencies and higher education institutions) Auditor of Public Accounts

  19. What approach did we use to gather the data? • A core group of Audit Directors and Senior Audit staff members were identified and trained on the checklist and how to interpret/evaluate results • This included staff from non-IT related teams within the office Auditor of Public Accounts

  20. What approach did we use to gather the data? • Approach was to test for the existence of IT policies and procedures • IT related teams developed the checklist (identifying best practices) • Do not need to be an IT expert to evaluate the existence of policies and procedures identified in the checklist

  21. What approach did we use to gather the data? • After the pilot group responded to the checklist: • Checklist/Questionnaire was revised to ensure clarity • An APA audit staff member was assigned to each agency • Mass distribution to all agencies/institutions (104 agencies including judicial and legislative branch) Auditor of Public Accounts

  22. What approach did we use to gather the data? • Agencies were given five business days to complete the checklist/questionnaire and supply supporting documentation • Once the documentation was received by APA, two reviews were done • one by the assigned auditor • second by an a member of the Information Systems Security Team

  23. What approach did we use to gather the data? • Once the initial review was completed • Agency was given two additional days to respond to those questions where the APA determined the documentation to be inadequate • Mandatory participation was assured by Executive Order Auditor of Public Accounts

  24. What approach did we use to gather the data? • Security was achieved by either hand delivery of the checklist to/from the agency • Or, the APA provided a secure FTP site which could be used by the agencies to upload/download the checklist and supporting documentation Auditor of Public Accounts

  25. How did APA evaluate the data? • Each question was reviewed for appropriate policies and/or procedures • There were 146 questions on each checklist • Data was entered into an Access Database for analysis Auditor of Public Accounts

  26. How did APA evaluate the data? • Eleven of the 146 questions were identified as key evaluation criteria • Four of the eleven questions were titled the Big Four and included: • Business Impact Analysis • Risk Assessment • Business Continuity Plan • Disaster Recovery Plan Auditor of Public Accounts

  27. How did APA evaluate the data? The Questions that APA considered as Key Performance Indicators (KPIs) • Does the organizational structure include the assignment of an Information Security Officer (ISO)? • Does the agency have a Security Awareness Training program? • Has the agency completed and documented a Risk Assessment relating to its IT infrastructure? • Does the agency have a documented Business Impact Analysis? Auditor of Public Accounts

  28. How did APA evaluate the data? The Questions that APA considered as Key Performance Indicators (KPIs) • Does the organizational structure include the assignment of an Information Security Officer (ISO)? • Does the agency have a Security Awareness Training program? • Has the agency completed and documented a Risk Assessment relating to its IT infrastructure? • Does the agency have a documented Business Impact Analysis? Auditor of Public Accounts

  29. How did APA evaluate the data? The Questions that APA considered as Key Performance Indicators (KPIs) • Does the organizational structure include the assignment of an Information Security Officer (ISO)? • Does the agency have a Security Awareness Training program? • Has the agency completed and documented a Risk Assessment relating to its IT infrastructure? • Does the agency have a documented Business Impact Analysis? Auditor of Public Accounts

  30. How did APA evaluate the data? The Questions that APA considered as Key Performance Indicators (KPIs) • Does the organizational structure include the assignment of an Information Security Officer (ISO)? • Does the agency have a Security Awareness Training program? • Has the agency completed and documented a Risk Assessment relating to its IT infrastructure? • Does the agency have a documented Business Impact Analysis? Auditor of Public Accounts

  31. How did APA evaluate the data? • The Questions that APA considered as KPIs 5. Does the agency have a documented Business Continuity Plan? • Does the agency have a documented Disaster Recovery Plan? • Does the agency have policies and procedures for approving logical access? • Are users required to be authenticated for access to all systems and are exceptions approved by management and have risks of those exceptions been evaluated and accepted? Auditor of Public Accounts

  32. How did APA evaluate the data? • The Questions that APA considered as KPIs 5. Does the agency have a documented Business Continuity Plan? • Does the agency have a documented Disaster Recovery Plan? • Does the agency have policies and procedures for approving logical access? • Are users required to be authenticated for access to all systems and are exceptions approved by management and have risks of those exceptions been evaluated and accepted? Auditor of Public Accounts

  33. How did APA evaluate the data? • The Questions that APA considered as KPIs 5. Does the agency have a documented Business Continuity Plan? • Does the agency have a documented Disaster Recovery Plan? • Does the agency have policies and procedures for approving logical access? • Are users required to be authenticated for access to all systems and are exceptions approved by management and have risks of those exceptions been evaluated and accepted? Auditor of Public Accounts

  34. How did APA evaluate the data? • The Questions that APA considered as KPIs 5. Does the agency have a documented Business Continuity Plan? • Does the agency have a documented Disaster Recovery Plan? • Does the agency have policies and procedures for approving logical access? • Are users required to be authenticated for access to all systems and are exceptions approved by management and have risks of those exceptions been evaluated and accepted? Auditor of Public Accounts

  35. How did APA evaluate the data? • The Questions that APA considered as KPIs 9. Are there policies and procedures regarding password controls? 10. Does all the critical and sensitive assets have the appropriate physical safe guards in place to protect against unauthorized access and is it documented who approves these controls? 11. Does the Agency monitor their systems, applications and databases? Auditor of Public Accounts

  36. How did APA evaluate the data? • The Questions that APA considered as KPIs 9. Are there policies and procedures regarding password controls? 10. Does all the critical and sensitive assets have the appropriate physical safe guards in place to protect against unauthorized access and is it documented who approves these controls? 11. Does the Agency monitor their systems, applications and databases? Auditor of Public Accounts

  37. How did APA evaluate the data? • The Questions that APA considered as KPIs 9. Are there policies and procedures regarding password controls? 10. Does all the critical and sensitive assets have the appropriate physical safe guards in place to protect against unauthorized access and is it documented who approves these controls? 11. Does the Agency monitor their systems, applications and databases? Auditor of Public Accounts

  38. How did APA evaluate the data? • Final evaluation categories were: • Non-Existent (did not have any of the Big Four checked as yes) • Inadequate (had at least one of the Big Four but did not have all eleven checked as yes) • Adequate (had all eleven checked yes) Auditor of Public Accounts

  39. How did APA report the results? • Formal report to the General Assembly and to the Governor • Posted to the Auditor of Public Accounts website http://www.apa.virginia.gov/ • We structured the report to reflect history, current practices, best practices and recommendations Auditor of Public Accounts

  40. How did APA report the results? • Some parts of the report were written during the time the checklists were being completed and evaluated • History • Current practices • Best practices

  41. How did APA report the results? • The history included a brief description of the Virginia information technology structure • An introduction, as well as, a citizens perspective were included Auditor of Public Accounts

  42. How did APA report the results? • The current practices included executive branch agencies and higher educational institutions only • The current practice also included the security standards, policies and procedures in place at the time of the survey Auditor of Public Accounts

  43. How did APA report the results? • APA made four recommendations: • VITA should develop a plan to communicate infrastructure information and standards to agencies that it supports • Provide assistance and expertise to agencies • Assume responsibility for ensuring IT infrastructure meets agencies’ needs and is secure Auditor of Public Accounts

  44. How did APA report the results? • APA made four recommendations: 2) The General Assembly may wish to consider granting the Commonwealth’s Chief Information Officer authority over the judicial and legislative information security programs Auditor of Public Accounts

  45. How did APA report the results? • APA made four recommendations: 3) The CIO and Information Technology Investment Board should consider supplementing the Commonwealth’s security standard with the additional processes (industry best practices) identified in this report Auditor of Public Accounts

  46. How did APA report the results? • APA made four recommendations: 4) The Commonwealth needs to adopt a strategy to provide sufficient resources to develop a proper information security plan • Need to utilize a central resource such as VITA to assist small to medium sized agencies that do not have sufficient internal resources to develop a plan Auditor of Public Accounts

  47. How did APA report the results? • Then of course we added in all of the graphics which showed how many were adequate (21), inadequate (66), and non-existent (17) • We added the checklist in its entirety • We added the Best Practice comparisons Auditor of Public Accounts

  48. What were the lessons learned and what would we have done differently? • Checklist questions should all be phrased so that a positive answer is always “YES” • We focused on the existence of policies and procedures, to follow up we would expand this to include implementation • We learned that our approach “to not identify the critical questions in advance” was a crucial decision and the right one Auditor of Public Accounts

  49. How have we used the report? • Using results as a baseline in audit planning • Where adequate, we can incorporate tests to ensure policies and procedures have been implemented • Where inadequate, we can follow up on agencies efforts to address issues

  50. What was the response to the report we issued? • New Legislation • New Executive Orders • Improved Commonwealth Standards, Policies and Procedures • Increased awareness Auditor of Public Accounts

More Related