
© 2006 Verizon. All Rights Reserved.

Overview of State Governance Security Landscape

Leslie Carter, State Subject Matter Expert
January 18, 2007

Agenda

• Security Challenges in State Agencies

• Where State Agencies Need to Be

• Approaches to Meeting the Challenges

Security Is An Enterprise-Wide Challenge

Layers of the enterprise security model (from the diagram): Security Operations, Security Program, Security Oversight, Security Governance

Stakeholders and their pressures:

• Senior Execs & CIO: Budgets; Report Cards; Laws & Mandates

• CISO: No Budget; Unable to Get Buy In; Limited Visibility; No Control

• IT Operations: Reporting; Burden; Scarce Resources

The Security Challenges in Gov/Ed

Governance

• Many states and municipalities are just beginning to put in place the necessary governance framework to enable effective information security

• Lack of attention has led to underfunding

• Quickening pace of security laws, regulations, and mandates

Complexity (Tech, Organization/Accountability, Budget, Other)

• The competing challenges of service to the citizen and protection of citizen privacy are most intense at the state and local government levels

• Siloed federal approach to information exchange has resulted in crazy quilt of redundant, incompatible security approaches and infrastructures

• The result: Security breaches continue to dominate the headlines

Regulatory Challenges

• New (2007) California Statutes
  – Voter Privacy SB 506
  – Credit Card Receipts SB 1699
  – Domestic Violence Victims SB 1491
  – Identity Theft Legislation AB 424, AB 618, AB 2043, AB 2886, AB 1390
  – Motor Vehicle Dealer Access AB 2291
  – Wireless Network Security for Citizens AB 2415
  – Online Privacy Reproductive Health AB 2251
  – Online Privacy Public Officials AB 2006

• Federal Laws
  – The Children’s Online Privacy Protection Act of 1998
  – The Computer Fraud and Abuse Act of 1984
  – The Computer Matching & Privacy Protection Act of 1988 & Amendments of 1990
  – The Driver’s Privacy Protection Act of 1994
  – The Electronic Communications Privacy Act of 1986
  – The Fair Credit Reporting Act of 1970
  – The Family Educational Rights and Privacy Act of 1974
  – The Gramm-Leach-Bliley Financial Services Modernization Act of 1999
  – The Health Insurance Portability and Accountability Act of 1996
  – The Privacy Act of 1974
  – REAL ID Act of 2005
  – Sarbanes-Oxley
  – Homeland Security Initiatives
  – Federal Information Security Management Act
  – Federal Audit Requirements for agencies carrying out federal programs – Circular A-87 and A-133

FISMA Highlights §3544(b) - Agency Security Program

• Federal Information Security Management Act (FISMA)
  – Title III of E-Government Act of 2002
  – Applies to all federal agencies and 3rd parties (states and localities) dealing with federal data and carrying out federal programs

FISMA Security Program Requirements

  – Periodic risk assessments
  – Policies and procedures
  – Subordinate plans for networks, systems
  – Security awareness training
  – Periodic testing and evaluation of policies, procedures and practices
  – Remediation program for security weaknesses
  – Procedures for incident detection, reporting & response
  – Plans and procedures for continuity of operations

Complexity Leads to Vulnerability

Federal Depts.: Health/Human Serv., Education, Homeland Sec., Commerce, Transportation, Treasury/IRS, Interior, Energy

State: State HHS Agencies; State Agencies; State & Local Public Safety & Educ; State and Local Law Enforcement

Local, K-12, Higher Ed: Town, City, High School, College

• Who is securing all of these exchanges and gateways?

A State Government’s Myriad Interfaces

Number of interfaces per segment, by counterparty (blank cells in the original slide are shown as "-"; placement of the figures in each row follows the column totals):

Segment               Federal  Other States  Intra State  Local  K-12  Business  Citizen  Total
Transportation             13            49           22    128     -        22       24    258
HHS                        43            49           28    128     -        79       67    394
Fin & Admin                32             -           30    128     -        27       15    232
Education                  17             -            9      -   207         6       10    249
Courts & Pub Safety        49            49           70    128     -        52       60    408
Natural Resources          26             6           20      -     -        39       25    116
Public Works                9             -            5      -     -        12       13     39
Other/Econ Develop         17             -            9      -     -        15        9     50
Total                     206           153          193    512   207       252      223  1,746

Program Interface Example: Child Support Enforcement Interfaces

Data sources a child support enforcement program exchanges data with:

• Financial Institutions
• Employer Records
• Personal Property Tax Records
• State, Local & Fed Tax Records
• Passports
• Insurance Companies
• Business Tax Records
• DMV & Vehicle Records
• Hunting & Fishing Licenses
• Professional Licenses & Business Licenses
• Cell Phone & Cable Provider Records
• Unemployment Records
• Court Records
• Military Records
• Financial Aid Records

Where Do Agencies Need to Be?

Security Life Cycle Approach

Drivers: Changing Business Drivers; Regulatory/Governance Drivers

Business Priority

Policy/Procedures/Process

Operational / Architectural Controls
• Prevention
• Remediation
• Asset Management
• Infrastructure Mgmt./Monitoring

Reviews, Programs, Assessments

Outputs
• Compliance Account Reporting
• Key Business Indicators
• Business Continuity

Across-All-Borders Security Program

Enterprise Core (Intra-agency)
• Event data collection
• Event data normalization
• Event consolidation
• Behavioral models

Cross Enterprise (Inter-agency/gov’t)
• Threat correlation
• Source correlation
• Dynamic prioritization

Carrier Network Cloud (Beyond CA Gov’t Borders)
• Global activity monitoring
• Early warning system
• Fraud correlation
• Internet outage correlation
• Dark space analysis
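The slide names the stages of a tiered monitoring pipeline but does not show what they do to an event. The following is an added illustration, not code from the deck or from Verizon: it runs constructed log lines from two agency feeds through collection, normalization, consolidation, cross-source correlation and a simple dynamic prioritization. The feed formats, agency names (dmv, hhs, courts), IP addresses and the scoring weights are all assumptions made for the demo; the "agency" field stands in for the intra-agency / inter-agency tiers on the slide.

```python
"""
Added example (not from the Verizon deck): a minimal event pipeline that
exercises the stages the slide lists. All log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds: a syslog-style firewall feed and a JSON-like app feed.
FIREWALL_LINES = [
    "2007-01-18T09:00:01 agency=dmv fw: DENY src=203.0.113.7 dst=10.1.0.5 dport=22",
    "2007-01-18T09:00:03 agency=dmv fw: DENY src=203.0.113.7 dst=10.1.0.5 dport=22",
    "2007-01-18T09:00:04 agency=dmv fw: DENY src=203.0.113.7 dst=10.1.0.5 dport=22",
    "2007-01-18T09:05:00 agency=dmv fw: ALLOW src=198.51.100.4 dst=10.1.0.9 dport=443",
    "this line is malformed and must be dropped, not guessed",
]
APP_EVENTS = [
    {"ts": "2007-01-18T09:01:10", "agency": "hhs", "type": "auth_failure",
     "client": "203.0.113.7", "user": "caseworker1"},
    {"ts": "2007-01-18T09:01:12", "agency": "courts", "type": "auth_failure",
     "client": "203.0.113.7", "user": "clerk7"},
    {"ts": "2007-01-18T09:02:00", "agency": "hhs", "type": "auth_success",
     "client": "198.51.100.4", "user": "caseworker2"},
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) agency=(?P<agency>\w+) fw: (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Assumed severity weights per normalized category (demo values).
SEVERITY = {"fw_deny": 1, "auth_failure": 2, "auth_success": 0, "fw_allow": 0}


def normalize_firewall(line):
    """Normalization: map a firewall line onto the common event schema."""
    m = FW_RE.match(line)
    if not m:
        return None  # unparseable input is dropped, never guessed at
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "agency": d["agency"],
            "src": d["src"],
            "category": "fw_deny" if d["action"] == "DENY" else "fw_allow",
            "detail": f"{d['dst']}:{d['dport']}"}


def normalize_app(ev):
    """Normalization: map an application event onto the same schema."""
    return {"ts": datetime.fromisoformat(ev["ts"]), "agency": ev["agency"],
            "src": ev["client"], "category": ev["type"], "detail": ev["user"]}


def collect():
    """Collection: gather both feeds into one time-ordered stream."""
    events = [normalize_firewall(line) for line in FIREWALL_LINES]
    events += [normalize_app(ev) for ev in APP_EVENTS]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def consolidate(events, window=timedelta(minutes=1)):
    """Consolidation: collapse repeats of one (src, agency, category, detail)
    seen within the window into a single record carrying a count."""
    out, last = [], {}
    for e in events:
        key = (e["src"], e["agency"], e["category"], e["detail"])
        prev = last.get(key)
        if prev and e["ts"] - prev["ts"] <= window:
            prev["count"] += 1
            prev["last_ts"] = e["ts"]
            continue
        rec = dict(e, count=1, last_ts=e["ts"])
        out.append(rec)
        last[key] = rec
    return out


def correlate(consolidated):
    """Source correlation plus dynamic prioritization: group by source and
    multiply the severity total by the number of agency borders crossed."""
    by_src = defaultdict(list)
    for e in consolidated:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        agencies = sorted({e["agency"] for e in evs})
        base = sum(SEVERITY[e["category"]] * e["count"] for e in evs)
        findings.append({"src": src, "agencies": agencies,
                         "score": base * len(agencies), "events": len(evs)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in correlate(consolidate(collect())):
        print(f"{f['src']:<14} score={f['score']:<3} agencies={','.join(f['agencies'])}")
```

The point of the multiplier is the slide's cross-enterprise tier: a source that fails authentication at several agencies after being denied at one firewall only stands out once the separate agency feeds are correlated on the same source.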

How Do Agencies Get There?

Current State & Agency Trends & Approaches

• Statewide and Agency CISO Appointments
• Enterprise Security Architecture & Policies
• Assessments and Compliance
  – External Resources (Centralized & Federated Models)
  – State Auditors

• Business Case based on program/agency risk
  – The most successful link the security issues with business impact at the agency or program level
    » Demonstrate business risks
    » Demonstrate quantifiable consequences
    » Demonstrate other losses (citizen trust, damage to reputation, etc.)
    » Highlight benefits of IT security and where risk will be reduced

Develop an Ongoing Security Program

  – Quick assessment or scorecard that identifies the most pressing risks and vulnerabilities first
    » Gives CIO & CISO a starting point, can start to show progress quickly
    » Prioritize, plan and budget the ongoing program
    » High level way to articulate the risks to business and program execs.

  – Bring together key stakeholders to develop policies and define roles & responsibilities
    » Agency business owners, auditors, IT managers, etc.
    » Agencies need to help assess program risk and support programs to reduce risks
    » Large agency CISOs and CIOs should help drive and lead the process

  – Build and fund the business case for an ongoing program
    » Ongoing periodic assessments and compliance based on risk and business need
    » Policy review and updates as technology and the business changes
    » Ongoing funding streams

Questions?

Get Involved With Other States

• National Association of State CIO’s https://www.nascio.org/
  – Real ID Committee
  – Security and Privacy Committee
  – Health IT