1 / 22

Christopher P. Buse Assistant Commissioner and CISO State of Minnesota

Christopher P. Buse Assistant Commissioner and CISO State of Minnesota. The IT Audit Report That I Should Have Wrote…..But Didn’t. Reflecting On What I Would Have Done Differently, Given What I Know Today. What’s In It For You. A chance to hear where I think I missed the mark

trent
Download Presentation

Christopher P. Buse Assistant Commissioner and CISO State of Minnesota

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Christopher P. Buse Assistant Commissioner and CISO State of Minnesota The IT Audit Report That I Should Have Wrote…..But Didn’t

  2. Reflecting On What I Would Have Done Differently, Given What I Know Today

  3. What’s In It For You A chance to hear where I think I missed the mark An opportunity to participate in a no holds barred conversation about complex IT management and security issues

  4. About Me • Helped develop the IT audit function • Appointed to serve as the first CISO • Now serve as Assistant Commissioner and CISO, overseeing “leadership” services • Enterprise Security • Enterprise Architecture • Product and Procurement Standards • Project and Portfolio Management Standards and Oversight • Geospatial Information Systems

  5. Reflecting On My Audit Career Immense pride in the team that we developed and work done Many IT audits that pointed out significant deficiencies in government systems Brought data interrogation to a new level throughout our audit organization Lots of media attention Numerous opportunities to testify before legislative bodies

  6. What Policymakers Needed to Hear… • Ineffective enterprise-wide IT governance • Virtually no architectural standards • Immature service delivery processes • Simply not enough money to throw at the IT model to ever make it secure • When it came to IT, our state was doing everything, everywhere, without appropriate planning, leadership, or governance

  7. Findings Did a good job documenting the condition and potential impact “Agency X did not remediate a serious vulnerability timely…” Little time spent ferreting out the underlying cause As a result, we often crafted recommendations to address symptoms, not the true problems “In the future, Agency X should remediate serious vulnerabilities more timely.. • Looking back, I now realize that I could have been more effective by • Focusing on root cause analysis • Crafting recommendations at true problems

  8. Audit Targets Since IT existed in agency silos, we generally audited silo by silo, often alongside financial auditors Though valuable, these audits did not • Provide a comprehensive view of key process controls • Pinpoint variations in the control posture • Offer an opportunity to craft global recommendations I now realize more than ever the value proposition of enterprise-wide process audits – I should have done more

  9. I If I Get To Lead a Government IT Audit Function Again Someday…..

  10. Enterprise IT Governance • Are there clear IT decision-making processes with decision rights clarity? Does the governance framework include critical components? • Strategic and tactical planning • Enterprise architecture • Project and portfolio management • IT security and risk management • Are the governance processes understood and followed by all government entities?

  11. State CIO IT Governance Framework Structure Vision, Planning, Operations Planning Technology Operations Alignment Technology Advisory Committee CIAO Executive & agency-based CIO Executive & agency-based CIO State Architect & agency CIO CISO & agency-based CIO Portfolio Mgr. & agency CIO Executive & Deputy GIS Officer & agency-based CIO Technology Accessibility Coordination and Communication: Information Standards and Risk Management Service strategy Planning Project & Portfolio Standards Information Security Risk Mgmt. State IT Planning Enterprise Architecture Geospatial Technology IT Project & Portfolio Mgmt. Business Input Business Input Business Input Business Input Business Input Business Input Business Input Business Input Customer Representation

  12. Enterprise Information Security Does our state perform all generally accepted core security services? Are these services performed consistently, in accordance with policies and standards? Do government leaders review metrics to gauge the effectiveness of enterprise-wide controls?

  13. NASCIO Core Security Services Taxonomy Help CIOs and other government leaders understand what needs to be done • Services • Key Outcomes • Tools Provide common framework for financial comparisons down the road

  14. Service Categories

  15. GRC Services • Information Security Program Management • Secure System Engineering • Information Security Training and Awareness • Business Continuity • Information Security Compliance Operational Services Information Security Monitoring Information Security Incident Response and Forensics Vulnerability and Threat Management Boundary Defense Endpoint Defense Identity and Access Management Physical Security

  16. Promoting Understandability Target audience: CIOs and other executives Consistent format to describe each security service Simple terms without jargon

  17. Secure System Engineering Responsible for designing appropriate security controls in new systems or systems that are undergoing substantial redesign, including both in-house and outsourced solutions

  18. Secure System Engineering Integrate information security design requirements in the system development life cycle Participate as a security consultant on significant technology projects Assist with the creation of system security plans, outlining key controls to address risks Assist with the creation of residual risk documentation for management acceptance Integrate security requirements into contracts for outsourced services Assist with the creation of information security policies, standards, procedures, and guidelines Assist with the creation of secure configuration standards for hardware, software, and network devices

  19. Secure System Engineering Standardized system security planning template(s) Governance, risk, and compliance software Various operational security tools Best practice frameworks for the management of IT, such as ITIL

  20. GRC Services • Information Security Program Management • Secure System Engineering • Information Security Training and Awareness • Business Continuity • Information Security Compliance Commissioner (State CIO) Legislative Relations & Legal Agency CIOs Deputy Commissioner (State CTO) Planning & Communications Innovation Agency Support Tu Tong Customer Support & Service Development Tarek Tomes Projects & Initiatives TBD IT Standards and Risk Management Chris Buse Service Delivery TBD Project Management Office Architecture Operations Financial Mgmt. Client Relations Operational Security Services • Information Security Monitoring • Information Security Incident Response and Forensics • Vulnerability and Threat Management • Identity and Access Management EUCC Security Service Desk Human Resources & Training Service Portfolio Mgmt. E-licensing Project Portfolio Mgmt. Application Mgmt. Information Technology (Internal) Operational Security Services • Boundary Defense • Endpoint Defense • Physical Security Data Center Relocation Process Controls & Improvement Standards GIS

  21. Final Thoughts Enterprise-wide IT audits can provide extremely important information to government leaders and policymakers • Risks • Cost savings I encourage you to use your vested authority to tell the big picture stories that too often go untold chris.buse@state.mn.us @BuseTweet

More Related