
Slide 1 - VITA: Home

Date post: 14-Aug-2015
Slide 1

Commonwealth Information Security Officers Advisory Group (ISOAG) Meeting

JUNE 14, 2007

www.vita.virginia

Slide 2

WELCOME

Peggy Ward, VITA

Slide 3

Happy Flag Day!

Slide 4

ISOAG June 2007 Agenda

I. Welcome – Peggy Ward, VITA

II. InfraGard – Melissa McRae & Melissa Schuler, F.B.I.

III. Encryption Service Offering – John Kissel, VITA

IV. Commonwealth Information Security Council Update
    Encryption Committee – Steve Werby
    Making Security an Executive Management Priority – John Karabaic
    Small Agency Outreach – John Jenkins
    Identity and Access Management – Patricia Paquette

V. RPB Data Center Move – Larry Ellison, NG

VI. VITA IT Security Standard Technical Documentation – Craig Luka, NG

VII. COV IT Security Standard Compliance Update – Ed Miller, VITA

VIII. COV IT Security Policies, Standards and Guidelines Update – Cathie Brown, VITA

IX. Information Risk Executive Council (IREC) – Cathie Brown, VITA

X. Upcoming Events – Peggy Ward, VITA

XI. Other Business – Peggy Ward, VITA

Slide 5

InfraGard Program

Public and Private Sector Alliance

Protecting our Critical Infrastructure

Slide 6

A Brief History…

In 1996, FBI Cleveland Field Office cyber-focused industry outreach initiative.

In 1998, the FBI adopted the InfraGard program for NIPC private sector outreach.

In 2003, the FBI Cyber Division was established and DHS was formed, taking over the NIPC mission.

Today, InfraGard is the FBI’s lead private and public sector information sharing tool.

18,645 Members

Slide 7

“Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. These systems are so vital, that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.”

– William J. Clinton, 1998

Critical infrastructure sectors: Agriculture, Banking/Finance, Chemical, Computer Security, Defense, Emergency Service, Energy, Food, Postal/Shipping, Public Health, Transportation, Telecommunication, Water Supply

Slide 8

Slide 9

Cyber Attack Cost & Means

(Chart: cost of capability versus availability of capability, 1945 to today, with markers at 1955, 1960, 1970, 1975 and 1985 for invasion, strategic nuclear weapons, missiles (ICBM & SLBM), cruise missiles, precision-guided munitions and computers.)

Slide 10

The Cyber World Today

Cyber Attacks:

Immediately follow or occur in conjunction with physical world events

Becoming more coordinated and politically motivated

Don’t care about being detected or traced

Slide 11

Potential Sources of Attacks

Terrorist Groups

Targeted Nation-States

Terrorist Sympathizers and Anti-U.S. Hackers

Thrill Seekers

U.S. Hackers who need resources

Slide 12

Cyber Threats

Unstructured Threats: Insiders, Recreational Hackers

Structured Threats: Organized Crime, Industrial Espionage

National Security Threats: Intelligence Agencies, Information Warfare, Terrorists

Slide 13

InfraGard Benefits – FBI Program vs Private Sector

Benefits to the FBI Program:

• Industry sector Subject Matter Experts
• Initiation of new investigations
• Early indication of sector specific attacks
• Avenue to obtain feedback on intelligence
• Ability to identify significant crime problems

Benefits to the Private Sector:

• Trusted membership and Network of professionals
• Timely/Non-public Intelligence Products
• Secure forum to share information & discuss issues
• Avenue to provide positive intelligence
• Ongoing relationship with the FBI

Also, it is “FREE!”

Slide 14

InfraGard VPN – Home Page

Graphic Unavailable for On-line Participants.

Slide 15

InfraGard VPN – Alerts & Advisories

Graphic Unavailable for On-line Participants.

Slide 16

InfraGard VPN – Specific Critical Infrastructure Articles

Graphic Unavailable for On-line Participants.

Slide 17

InfraGard VPN – IT & Telecommunication Sector

Graphic Unavailable for On-line Participants.

Slide 18

InfraGard VPN – IT & Telecommunication Sector: Computer Security Articles

Graphic Unavailable for On-line Participants.

Slide 19

InfraGard VPN – IT & Telecommunication Sector: Cyber Threat Media Highlights

Graphic Unavailable for On-line Participants.

Slide 20

InfraGard VPN – Message Board

Graphic Unavailable for On-line Participants.

Slide 21

InfraGard VPN – Message Board, Topic: Computer Security

Graphic Unavailable for On-line Participants.

Slide 22

InfraGard VPN – Resource Page (DHS Open Source Reports, Presentations, etc…)

Graphic Unavailable for On-line Participants.

Slide 23

InfraGard VPN – DHS Daily Reports Page

Graphic Unavailable for On-line Participants.

Slide 24

Other Features

Special Interest Groups, e.g. Research and Technology

Partnerships, e.g. NIST & SBA

Quarterly Meetings with valuable speakers

Ability to Participate in FBI Citizen’s Academy

Slide 25

InfraGard VPN – Special Interest Groups

• Research and Technology InfraGard
• Food/Agriculture InfraGard
• Chemical InfraGard

Graphic Unavailable for On-line Participants.

Slide 26

InfraGard VPN – Research and Technology InfraGard

Graphic Unavailable for On-line Participants.

Slide 27

SBA/NIST/FBI

Partnership between:

FBI

Small Business Administration (SBA) – assist small businesses

National Institute of Standards and Technology (NIST) – World leader in Information Security Guidelines

Goal: Provide Security Workshops poised to deliver information security training to the small business community like no other.

Slide 28

How you can help as IT Security Professionals

Develop and implement security policies and procedures. Know what you want to protect, and who will do it.

Build some walls… Create a perimeter and guard it (routers, firewalls, IDS). Then, check the guards (audit policy).

Educate your users. The importance of security (personal & corporate data), strong passwords, encryption, etc.

Slide 29

How you can help (Cont’d)

Banners – Put people on notice. You ARE watching!

Employee Agreements

Then: LOG, LOG, LOG! MONITOR, MONITOR, MONITOR! TEST, TEST, TEST!

Slide 30

OK… The Policies are in Place, the Perimeter is Built, and the Network is Secure!

But… What If They Sneak Through?

Slide 31

If They Sneak Through…

Respond quickly and without fail.

Have key response personnel predetermined.

Consider content monitoring of the attack.

Backups: Create backups of altered/damaged files and LOGS. Secure backups of the original state.

Determine the cost of the attack: repairs, replacement, personnel, consultants, lost “business”.

Consider contacting the FBI
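The backup point on this slide (keep copies of altered files and logs, and a secured copy of the original state) is the part of the response that later has to stand up in front of an investigator, so the copies need to be provably unchanged. The Python script below is an added example and is not part of the ISOAG deck or any VITA/NG tool: it copies evidence files into a case directory, records the SHA-256 of each copy in a manifest, and can later re-check the copies to show whether any were altered after collection. The case directory layout, file names and the sample log lines are constructed for the example.

```python
# Added example (not from the ISOAG slides): preserve incident evidence with a
# hashed manifest so that later alteration of a preserved copy is detectable.
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(sources, case_dir):
    """Copy each source file into case_dir/evidence and write manifest.json.

    The manifest records the original path, the copy's path, size, mtime and
    SHA-256 of every item.  Each copy is re-hashed right after copying so a bad
    copy is caught at collection time rather than months later.
    """
    case_dir = Path(case_dir)
    evidence_dir = case_dir / "evidence"
    evidence_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in map(Path, sources):
        expected = sha256_file(src)
        # Keep the original's name; two same-named sources get a numeric
        # suffix instead of one silently overwriting the other.
        dst = evidence_dir / src.name
        n = 1
        while dst.exists():
            dst = evidence_dir / f"{src.name}.{n}"
            n += 1
        shutil.copy2(src, dst)  # copy2 keeps the original's timestamps
        if sha256_file(dst) != expected:
            raise RuntimeError(f"copy of {src} does not match its source hash")
        os.chmod(dst, 0o444)  # read-only copy: accidental edits fail loudly
        st = src.stat()
        items.append({
            "source": str(src),
            "copy": str(dst),
            "size": st.st_size,
            "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
            "sha256": expected,
        })
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": items,
    }
    (case_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(case_dir):
    """Re-hash every copy against manifest.json; return the copies that no longer match."""
    manifest = json.loads((Path(case_dir) / "manifest.json").read_text())
    return [i["copy"] for i in manifest["items"]
            if not Path(i["copy"]).exists() or sha256_file(i["copy"]) != i["sha256"]]


def run_demo():
    """Constructed scenario: an auth log and a defaced page are preserved, then one copy is edited."""
    work = Path(tempfile.mkdtemp(prefix="isoag-demo-"))
    auth_log = work / "auth.log"  # constructed sample log lines, not real data
    auth_log.write_text(
        "Jun 14 02:11:07 web01 sshd[4411]: Failed password for root from 192.0.2.10 port 51022 ssh2\n"
        "Jun 14 02:11:09 web01 sshd[4411]: Accepted password for root from 192.0.2.10 port 51022 ssh2\n"
    )
    index = work / "index.html"  # constructed "altered" file
    index.write_text("<html><body>defaced</body></html>\n")

    case = work / "case-0001"
    manifest = preserve([auth_log, index], case)
    clean = verify(case)  # [] : every copy matches the manifest

    # Simulate someone editing the preserved log copy after collection.
    copy = Path(manifest["items"][0]["copy"])
    os.chmod(copy, 0o644)
    with open(copy, "a") as fh:
        fh.write("Jun 14 02:12:00 web01 sshd[4411]: session closed\n")
    tampered = verify(case)  # [<path of the edited auth.log copy>]
    return {"items": len(manifest["items"]), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is written next to the copies only for simplicity; in practice it belongs somewhere the responders, not the compromised host, control, and the sources should be collected from a read-only view of the affected system where one is available.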

Slide 32

Intrusion cases are already won or lost long before law enforcement arrives

Slide 33

Making the Right Investment

(Figure: Protection Costs versus Potential Loss.)

Slide 34

What the FBI can Do

Combine technical skills and investigative experience

Provide national and global coverage

Provide long-term commitment of resources

Apply more traditional investigative techniques

Perform pattern analysis

Integrate law enforcement and national security concerns

Establish a deterrent effect…even if the hacker/intruder is not prosecuted

CYBER CRIME IS THE FBI’S #3 PRIORITY

Slide 35

www.InfraGard.net

Slide 36

Federal Bureau of Investigation

Richmond, Virginia

(804) 261-1044

www.InfraGard.net

Slide 37

Disk Encryption Overview

PC Hard Drive Encryption – Rated Service Price Offering

John Kissel, VITA, June 14, 2007

Slide 38

Disk Encryption Overview

Agenda

• Review

• Service Offering Rate

• Product Feature Summary

• Preliminary Configuration settings

• Status

Slide 39

Disk Encryption Overview

Rated Service Offering

• Monthly rate

– Approx $17.00 per encrypted PC Windows desktop/laptop/tablet

• Added to the current per unit rate

– Includes deployment and recurring support

• Deployment

– Applies to devices being refreshed during the scheduled refresh initiative as well as those devices not requiring refresh during the scheduled refresh initiative.

– Does not apply to legacy devices requiring encryption prior to the scheduled refresh initiative.

• Recurring support

– Applies to ALL devices that NG encrypts

Slide 40

Disk Encryption Overview

Hard Drive Encryption - Service Offering

Columns: During Desktop Refresh | After Desktop Refresh | Prior to Desktop Refresh (■ as marked on the slide; T&M = time and materials)

Category: Non-Recurring

  Software Product license                  ■ ■ ■
  Product Client Access License(s)          ■ ■ ■
  Technical Services Testing
    Functionality testing                   ■ ■ T&M
    Image development                       ■ ■ T&M
    Package creation                        ■ ■ T&M
    Package creation 2                      ■ ■ T&M
    Hardware compatibility testing          ■ ■ T&M
    Use scenarios                           ■ ■ T&M
    Deployment testing                      ■ ■ T&M
  Training
    Site Support                            ■ ■ T&M
    Helpdesk                                ■ ■ T&M
    End user                                ■ ■ T&M
    Communications                          ■ ■ T&M
  Deployment
    Deployment planning                     ■ ■ T&M
    Deployment preparation                  ■ ■ T&M
    Deployment execution                    ■ ■ T&M

Category: Recurring

  Software Product License maintenance      ■ ■ ■ ■
  Client Access License Maintenance         ■ ■ ■ ■
  Technical Support
    Helpdesk (first call resolution)        ■ ■ ■ ■
    Tier 2 support                          ■ ■ ■ ■
  Maintenance                               ■ ■ ■ ■

Slide 41

Disk Encryption Overview

General Assumptions

• Degraded Desktop/Laptop performance during system startup may be realized.

• Increase in Helpdesk support calls is anticipated.

• Increase in support/administration effort.

– Extended system recovery times

• Implementation

– Desktop/Laptop preparation tasks must be performed

– All support calls will be routed to the VCCC

– Encryption will be performed as part of the desktop refresh schedule

Slide 42

Disk Encryption Overview

Procedures for Ordering

• If you choose not to wait for Transformation, an RFS needs to be completed to request this service.

• If you choose to wait for transformation it will be discussed at your kickoff meeting.

Slide 43

Commonwealth Information Security Council

Peggy Ward, VITA

Slide 44

Encryption Committee

Jesse Crim (VCU)
John Palese (DSS)
Michael McDaniel (VRS)
Tripp Simms (VITA/NG)
Steve Werby (DOC)

Slide 45

Encryption Committee - Goals

Survey agencies – IT and business perspective

Questionnaire to aid agencies in determining encryption needs and solutions

Develop plan for educating users

Develop best practices

Recommend solutions, preferably enterprise

Develop end user training plan

Slide 46

Making Security an Executive Management Priority

Committee Members

John Karabaic, DMAS
Joe Hubbell, Va. Lottery
Shirley Payne, U.Va.

Slide 47

Ideas To Date

• Make recommendations for executive security awareness events, either standalone or as riders on other planned executive-level events such as a previous 2-day workshop on COOP.

• Solicit effective executive security awareness practices from agencies and present these as models other agencies might follow.

Slide 48

Ideas To Date - continued

• Collect and make available canned security awareness presentations tailored for executives.

• Form a speakers bureau of ISO/boss teams willing to give presentations to agency executives within their secretariat.

Slide 49

Interested in volunteering?

Contact Shirley [email protected]

Slide 50

Small Agency Outreach

Current Members

Robert Jenkins (DJJ)
Aaron Mathes (OAG)
Goran Gustavsson (APA)
Ross McDonald (DSS)
Bob Auton (DJJ)
Doug Mack (DJJ)

Slide 51

Small Agency Outreach

Contact & survey small agencies and benchmark where they are in the process

Develop pool of available talent to work in a shared service capacity to provide Audit functions to Small Agencies

Measure Small Agencies with Audit capabilities versus those without this function

Develop “Canned Solutions”, i.e. quick fixes using best practices from those with success in areas such as policy, practice or procurement

Develop tool for communications such as a message board that has shared access

Create network of Subject Matter Experts (SME) to offer advice and guidance

ARMICS and implementation options

Resources to talk with Agency Management who may be reluctant or unfamiliar with required actions needed for compliance matters

VITA IT Security Policies and Standards (Business Impact Analysis, Risk Assessment, Breaches/Detections, etc.)

Other IT Services, such as possible tests/reviews/audits

Slide 52

Small Agency Outreach

Volunteers are welcome! If interested, contact Robert Jenkins 804-786-1608 [email protected]

Slide 53

Identity and Access Management and Account Management

Committee Members

Patricia Paquette – DHP, [email protected]
Garner – Tax, [email protected]
Greenberg – DMV, [email protected]
Rappe – ABC, [email protected]
Batista, DMV, [email protected]
McPherson, DSS, [email protected]

Slide 54

Identity and Access Management and Account Management

“An identity management solution should not be made up of isolated silos of security technologies, but rather, consist of well integrated technologies that address the spectrum of scenarios in each stage of the identity life cycle.”

– Frederick Chong, Microsoft Corp.

Slide 55

Identity and Access Management and Account Management

Goal – establish a secure and effective methodology focused on identification and authentication across the Commonwealth. Standard process which includes:

Registering or identifying users

Establishing roles and accounts

Issuing credentials

Using the credential, and

Record keeping and auditing.
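As an added illustration of the five stages listed above, and not code from the committee or from any Commonwealth standard, the following Python model walks one user through registration, role assignment, credential issuance, credential use and audit record keeping, writing one audit record per action so the trail can be reviewed per user. The user, role and approver names and the `hr_record_verified` identity proof are assumed values for the example.

```python
# Added example (not from the ISOAG slides): a minimal identity life cycle with
# an audit record for every stage.  User, role and approver names are assumed.
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000  # work factor for the stored credential hash


class IdentityService:
    def __init__(self):
        self.users = {}   # user_id -> {"name", "roles", "status"}
        self.creds = {}   # user_id -> {"salt", "hash", "expires"}
        self.audit = []   # append-only audit trail, one record per action

    def _log(self, event, user_id, **detail):
        self.audit.append({"ts": time.time(), "event": event, "user": user_id, **detail})

    # Stage 1: registering or identifying users
    def register(self, user_id, name, identity_proof):
        if not identity_proof:
            raise ValueError("refusing to register an unverified identity")
        self.users[user_id] = {"name": name, "roles": set(), "status": "active"}
        self._log("register", user_id, proof=identity_proof)

    # Stage 2: establishing roles and accounts (every grant names its approver)
    def grant_role(self, user_id, role, approver):
        if user_id not in self.users:
            raise KeyError(user_id)
        self.users[user_id]["roles"].add(role)
        self._log("grant_role", user_id, role=role, approver=approver)

    # Stage 3: issuing credentials (only a salted PBKDF2 hash is stored)
    def issue_credential(self, user_id, ttl_seconds=90 * 86400):
        secret = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self.creds[user_id] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS),
            "expires": time.time() + ttl_seconds,
        }
        self._log("issue_credential", user_id)
        return secret  # delivered to the user once; never kept in clear

    # Stage 4: using the credential (account must be active and credential unexpired)
    def authenticate(self, user_id, secret):
        user, cred = self.users.get(user_id), self.creds.get(user_id)
        ok = False
        if user and cred and user["status"] == "active" and time.time() < cred["expires"]:
            candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), cred["salt"], PBKDF2_ROUNDS)
            ok = hmac.compare_digest(candidate, cred["hash"])  # constant-time compare
        self._log("authenticate", user_id, success=ok)
        return ok

    def authorize(self, user_id, required_role):
        user = self.users.get(user_id)
        allowed = bool(user) and user["status"] == "active" and required_role in user["roles"]
        self._log("authorize", user_id, role=required_role, success=allowed)
        return allowed

    def deactivate(self, user_id, reason):
        self.users[user_id]["status"] = "disabled"
        self.creds.pop(user_id, None)  # revoke the credential together with the account
        self._log("deactivate", user_id, reason=reason)

    # Stage 5: record keeping and auditing
    def audit_trail(self, user_id):
        return [e for e in self.audit if e["user"] == user_id]


def run_demo():
    """Walk one assumed user through the full life cycle and return what each step decided."""
    svc = IdentityService()
    svc.register("jdoe", "Jane Doe", identity_proof="hr_record_verified")  # assumed proof
    svc.grant_role("jdoe", "claims_reviewer", approver="supervisor1")
    secret = svc.issue_credential("jdoe")
    results = {
        "login_ok": svc.authenticate("jdoe", secret),            # True
        "login_bad": svc.authenticate("jdoe", "not-the-secret"), # False
        "can_review": svc.authorize("jdoe", "claims_reviewer"),   # True
        "can_admin": svc.authorize("jdoe", "admin"),              # False
    }
    svc.deactivate("jdoe", reason="separation")
    results["login_after_deactivate"] = svc.authenticate("jdoe", secret)  # False
    results["audit_events"] = [e["event"] for e in svc.audit_trail("jdoe")]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real deployment: deactivation revokes the credential with the account rather than leaving it to expire, and failed authentication and authorization attempts are logged alongside successes, since the audit stage is only useful if the trail shows what was refused as well as what was allowed.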

Slide 56

IT Infrastructure Transformation – RPB Mainframe and Server Move

Richmond Plaza Building Data Center Move

Larry Ellison, NG

Slide 57

IT Infrastructure Transformation – RPB Mainframe and Server Move

Mainframe and Server Move Overview

• Mainframe Environment Profile

– More system to system interaction

– Larger foot-print with multiple partitions per physical system

– Diverse user group

• Mainframe Environment Move and Test Approach

– Duplication of hardware at CESC (buy new)

– Isolated Test environment at CESC to provide extended test window

• Server Environment Profile

– More system isolation (Agency specific apps)

– Smaller foot-print (Isolated UNIX/Windows systems)

– Agency specific user group

• Server Environment Move and Test Approach

– VLAN Extension approach (RPB to CESC)

– Disconnect/move/reconnect of hardware from RPB to CESC (physical or virtual)

– Unit testing of systems and applications prior to disconnect/move/reconnect

Slide 58

IT Infrastructure Transformation – RPB Mainframe and Server Move

Mainframe Move and Test Strategy for CESC (Isolated Test Environment)

• Replicate RPB Internal Network (LAN) at CESC (~ 280 devices)

• Replicate all IBM, UNISYS, Prime-Power, and related hardware required for full application testing

• Replicate key Windows and UNIX servers required to support the Mainframe Test environment

• Provide isolated external connectivity to the CESC Test Environment from key agency locations (VPN or other dedicated connections)

• Test environment available for 60-90 days to facilitate full Operational Readiness and Application Regression testing of the environment, from isolated locations

• Maintain the same IP Addresses across the entire Mainframe environment

• Requires key Agencies to provide a dedicated/isolated test lab with dedicated link from Agency location to CESC, for testing

• Supports Connectivity Testing from remote locations during planned weekend maintenance windows

• Multiple Mock Cutover Tests prior to final Go-Live

Slide 59

IT Infrastructure Transformation – RPB Mainframe and Server Move

CESC Isolated Mainframe Test Environment – Operations and Application Testing (7/15 – 10/28)

(Diagram: CESC Data Center and RPB Data Center, each with IBM Mainframe, Unisys Mainframe, Shared DASD, IBM Tape, EMC Centera, DMX2000 and Servers; data replication between the two as needed; Production Agency Locations with Production App Servers; Isolated Key Agency Locations with App Servers for Testing.)

Slide 60

IT Infrastructure Transformation – RPB Mainframe and Server Move

CESC Isolated Mainframe Test Environment – Connectivity and Cutover Testing (Selected Weekends from 7/15 – 10/28)

(Diagram: the same CESC Data Center and RPB Data Center components as the previous slide, with the RPB Data Center offline during testing; data replication between the two; Production Agency Locations with Production App Servers; Isolated Key Agency Locations with App Servers for Testing.)

Slide 61

IT Infrastructure Transformation – RPB Mainframe and Server Move

Mainframe Test Objectives for CESC (Isolated Test Environment)

• Operations Testing

– All systems will IPL/Boot and communicate with peripherals

– Administrative functions (Monitoring and Management) operate as expected

– Data replication between CESC and RPB functions properly

– Internal CESC Network (LAN) and Firewalls function properly

– Print Infrastructure Functions Properly

– Tape Backup Infrastructure functions properly

– Control-M Infrastructure functions properly for support of Batch operations

– Point-to-point connections function properly

• Application Testing

– Applications will initiate and connect with database(s)

– Applications will update data and print reports as expected

– Regression test of all applications components on the Mainframe systems

• Network Connectivity Testing

– Controlled testing of external connectivity to CESC from remote sites

– Scheduled during pre-defined weekend Maintenance Periods from August – October

Slide 62

IT Infrastructure Transformation – RPB Mainframe and Server Move

Tentative Testing and Cutover Timeline

ID | Task Name                   | Start      | Finish
1  | Design test environment     | 5/15/2007  | 7/15/2007
2  | Build test environment      | 6/1/2007   | 8/5/2007
3  | Build Test Plans            | 6/8/2007   | 7/20/2007
4  | Operations Testing          | 7/2/2007   | 10/28/2007
5  | Application testing         | 7/16/2007  | 10/28/2007
6  | Network Connectivity Test 1 | 8/5/2007   | 8/5/2007
7  | Network Connectivity Test 2 | 8/19/2007  | 8/19/2007
8  | Mock cutover 1              | 9/1/2007   | 9/3/2007
9  | Network Connectivity Test 3 | 9/16/2007  | 9/16/2007
10 | Mock Cutover 2              | 10/9/2007  | 10/11/2007
11 | Mock Cutover 3              | 10/26/2007 | 10/28/2007
12 | Review and Signoff          | 10/29/2007 | 11/2/2007
13 | Final Cutover Prep          | 11/5/2007  | 11/9/2007
14 | Go Live                     | 11/12/2007 | 11/12/2007

(Gantt bars for the weeks of 5/20/2007 through 11/4/2007 are not reproduced.)

Slide 63

IT Infrastructure Transformation – RPB Mainframe and Server Move

Mainframe Move Risk Mitigation

• Standup of an Isolated Test Environment

– Replicate mainframe hardware and software infrastructure

– Replicate servers running tier 2 applications that interface with mainframes

– Replicate DASD and Tape storage infrastructure and data via high speed data links

– Create network that will support simultaneous dual access for large agencies (RPB and CESC)

– Replicate security environment including current complex firewall controls

• Detailed Analysis of entire infrastructure at RPB

– Application components

– Network components

– Server and Mainframe components

• Extended Test Period

– Provide agencies with at least 60 days to complete application testing

– Extended timeframe provides the opportunity for multiple test phases

– Mock move weekends have been scheduled and are designed to accommodate thorough integration testing of complex, interdependent applications

– Risk will be significantly mitigated through agencies having continuous access to a dedicated test environment rather than only a series of mock move tests over weekends

Slide 64

IT Infrastructure Transformation – RPB Mainframe and Server Move

Mainframe Move Risk Mitigation (continued)

• Command Center

– Provides a rapid response team to quickly address problems that surface during testing

– Staffed with operations, network, systems, and sub-system support specialists

– Support will be available 24 hours a day and weekends

• Test Coordination Support

– NG/VITA testing coordination teams will be assigned to each key mainframe using agency

– Test coordinators will work directly with Agency staff to jointly develop test plans for each mainframe application

– Weekly reporting of testing progress by agency and associated applications will be generated and shared with agency managers

• Fallback Contingency

– RPB processing infrastructure will remain intact for at least 2-3 weeks following the move to provide fall-back capability

– Dual network access environment will remain intact for at least 2-3 weeks following the move to provide fall-back capability

• Freeze/limit Hardware/software changes during test/move window

Slide 65

IT Infrastructure Transformation – RPB Mainframe and Server Move

Communication Plan Overview

• Comprehensive CH/COMM Plan to include email communications and supporting documentation

• Overview, Kick-Off and monthly meetings with each affected Agency – Start June 7

• Detailed Planning Meetings with Agency Application Teams to develop test scenarios – (6/15 – 8/15)

• Checkpoints and signoffs in plan for agreement to start test planning, agreement that test plans are complete, application testing is complete and approval is given to move

• Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire test window – (7/15 – 10/28)

• Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and the Agency

• 24x7 Command Center setup before, during, and post move/cutover

– Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)

– Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as needed)

– Representation by Network, Security, Mainframe, Server, Applications, etc

Slide 66

IT Infrastructure Transformation – RPB Mainframe and Server Move

Application Testing Coordination

(Diagram: VITA Test Coordinators for Mainframe, Server, Network and Security; a Test Coordinator, Application Spec and Network Spec for each agency; the Agencies involved in the Isolated Test Environment.)

Slide 67

IT Infrastructure Transformation – RPB Mainframe and Server Move

Agency Application Test Responsibilities

• Assign dedicated resources and participate in detailed planning process - (starting June 15)

– Assign dedicated resources to participate in the test activities

– Identify applications that need to be tested in isolated test environment

– Identify servers in RPB that would need to be included in isolated test environment in CESC to enable application testing

– Provide acceptable dates for tests and cutover

• Responsible for Application Freeze (7/15 – 11/12) – Commitment to Break-Fix only during the test window

– Joint approval (Agency, Current Ops, Transformation, VITA) for any additional changes that are required

– Participation in special CCB process for review of any proposed changes during test window

• Provide isolated test environment at Agency that will connect directly to isolated test infrastructure at CESC – (available by 7/15)

– Dedicated PC’s in a training room or test lab recommended

– Alternate methods for access to test environment directly from users workstations is being investigated

• Conduct all application tests – (from 7/15 – 10/28)

• Participate in cutover tests and verify network connectivity

Slide 68

IT Infrastructure Transformation – RPB Mainframe and Server Move

Test and Move Coordination Roles

Agency  | Test Coordinators | Field Operations        | Agency Application
SBE     | Kevin Kelley      | Mike Elliott            | Beth Nelson
DHRM    | Kevin Kelley      | TBD                     | Steven Hastey
DSS     | Kevin Kelley      | Wayne Kniceley          | Harry Sutton
VRS     | Kevin Kelley      | Donald Garrett (Agency) | Donald Garrett
VADOC   | Karen Lusk        | Karen Hardwick          | Geoff Lamberta
DMV     | Karen Lusk        | Bob Tingle              | Will Burke
VEC     | Karen Lusk        | Dave Thompson           | Victoria Caplan
VDH     | Karen Lusk        | Kenny White             | TBD
DOA/TRS | Danny Wilmoth     | Wendy Hudson            | James Moore
DPB     | Danny Wilmoth     | David Allen             | Jowjou Hamilton
TAX     | Danny Wilmoth     | Cathy Franklin          | TBD
SCB     | Danny Wilmoth     | Richard Walls           | Anne Wilmoth
SCC     | Thomas Williams   | Blair Kirtley (Agency)  | Blair Kirtley
VDOT    | Thomas Williams   | Scot Jones              | Ray Haynes
VDACS   | Thomas Williams   | Kathy Ange              | Jerry Allgeier

Slide 69

IT Infrastructure Transformation – RPB Mainframe and Server Move

Server Transformation and Move – Agenda

• Server Transformation Introduction

• Server Move Approach and Test Strategy

• Server Test Objectives

• High level Move and Cutover schedule

• Managing Risk

• Communication Plans

• Agency Responsibilities

• Questions

Slide 70

IT Infrastructure Transformation – RPB Mainframe and Server Move

Server Move and Test Strategy for CESC

• Virtualize as many servers at RPB as possible to facilitate the move process and reduce risk

• Consolidate multiple SAN/Disk system at RPB onto a single SAN/Disk Platform

• Replicate the data on this consolidated SAN/Disk system from RPB to CESC

• Replicate RPB Internal Network (LAN) at CESC (~ 280 devices)

• Extend VLAN’s from current RPB Network Infrastructure to CESC

• Replicate EBARS Backup Environment at CESC

• Servers will be placed in either PODS or Standard Racks at CESC based on specific hardware, power, and cooling requirements

• We will maintain the same IP Addresses across the entire Server environment

• A two phased cutover approach will be utilized

– Phase-1 is the movement of the servers onto an extended VLAN at CESC (located at CESC, but still part of the RPB LAN)

– Phase-2 requires servers be switched from the extended VLAN to the local VLAN at CESC

• Servers will be moved in logical groups, based primarily on agency usage (VDOT, DEQ, GOV, etc,)

• Whenever possible Operation and Application Testing will be performed using the virtual server infrastructure to replicate systems from RPB to CESC

• In some instances duplicate server hardware will be purchased for CESC to facilitate Operation and Application Testing at CESC

Slide 71

IT Infrastructure Transformation – RPB Mainframe and Server Move

RPB to CESC Server Move – Phase-1: Relocation

(Diagram: RPB Data Center, Current Production Network (PIX FW, Juniper FW, Check Point FW, 6506 Outside Switches, 6506/6509 Inside Switches, 4507 Campus Switch, Server Farm, several old SAN/Disk arrays consolidated onto a Shared SAN/Disk; core network PRODUCTION) and CESC Data Center, New Production Network (New FWs, 6506 New Outside Switches, 6506 New Inside Switches, New Campus Switch, Server Farm, Shared SAN/Disk; core network TEST ONLY). Steps shown: Consolidate Disk at RPB, Replicate Data to CESC, Extend Server VLANs, Virtual and Physical Server Moves.)

Servers are moved in groups to CESC but are still using the network infrastructure at RPB.


RPB to CESC Server Move, Phase-2: Network Swap

[Diagram: RPB Data Center, now Offline (Current Production Network, Core Network OFFLINE: PIX FW, Juniper FW, 6506 outside switches, 6506/6509 inside switches, 4507 campus switch, Check Point FW, shared SAN/Disk) beside CESC Data Center (New Production Network, Core Network PRODUCTION: new FWs, 6506 new outside switches, 6506 new inside switches, new campus switch, server farm, shared SAN/Disk).]

Data replication direction is switched to go from CESC back to RPB in preparation for DR at SWESC.

VLAN extensions are dropped.

Servers are running at CESC and are now using the full network infrastructure at CESC.

Old SAN/Disk arrays are no longer needed.


Server Test Objectives for CESC

• Operations Testing

– All systems will boot and communicate with peripherals

– Administrative functions (Monitoring and Management) operate as expected

– Data replication between CESC and RPB functions properly

– VLAN Extension from RPB to CESC Network (LAN) and Firewalls function properly

– Print Infrastructure functions properly

– Tape Backup Infrastructure functions properly

– Control-M Infrastructure functions properly for support of Batch operations

– Point-to-point connections function properly

• Application Testing

– Applications will initiate and connect with database(s)

– Applications will update data and print reports as expected

– Regression test of all application components on the Mainframe systems

• Network Connectivity Testing

– External access to Agency locations functions properly

– Access from RPB to CESC over extended VLAN functions properly


Testing and Cutover Timeline (Notional)

ID | Task Name | Start | Finish
1 | Finalize Rack and Power Requirements | 5/15/2007 | 5/23/2007
2 | Obtain additional network hardware for CESC | 5/23/2007 | 7/28/2007
3 | Review Plan with Current Operations | 5/23/2007 | 5/31/2007
4 | Communication and Review with Agency | 6/3/2007 | 6/28/2007
5 | Agency staff on board for review and testing | 6/15/2007 | 8/15/2007
6 | VLAN Extension to CESC | 6/3/2007 | 8/3/2007
7 | EBARS standup at CESC | 6/3/2007 | 8/3/2007
8 | SAN Standup at CESC | 6/3/2007 | 8/3/2007
9 | Additional discovery with App Team and CO | 6/10/2007 | 9/17/2007
10 | Server Group 1 | 6/10/2007 | 8/12/2007
11 | Server Group 2 | 6/10/2007 | 8/25/2007
12 | Server Group 3 | 6/17/2007 | 9/3/2007
13 | Server Group 4 | 6/17/2007 | 9/17/2007
14 | Server Group 5 | 6/24/2007 | 10/1/2007
15 | Server Group 6 | 6/24/2007 | 10/15/2007
16 | Server Group 7 | 6/24/2007 | 10/29/2007
17 | Final Network Cutover | 11/9/2007 | 11/12/2007


Server Move Group Summary

• Server Group-1 : DFP, DCG, SBE, 25 servers

• Server Group-2 : DEQ, VDH, DPB, DCJS, 83 servers

• Server Group-3 : DGS, 124 servers

• Server Group-4 : GOV, DOF, VDACS, VGIN, 76 servers

• Server Group-5 : TAX, DSS, VEC, 112 servers

• Server Group-6 : VITA Group-1, 132 Servers

• Server Group-7 : VITA Group-2, 132 Servers


Server Move Group Detail

Agency | Isolated | Relo Start | Relo Complete | Pod Candidate | Wintel | Wintel Blade | Non-Wintel | RPB Location - Racks | VLAN Information
DFP | X | 11-Aug | 12-Aug | Y | 2 | 0 | 0 | 166 | 58
DCG | X | 11-Aug | 12-Aug | Y | 4 | 0 | 0 | 160 | 303
SBE | | 11-Aug | 12-Aug | Y | 19 | 0 | 0 | 130, 131 | 59, 61
DEQ | X | 25-Aug | 26-Aug | N | 7 | 40 | 1 | 68, 70, 72 | 16
VDH | | 25-Aug | 26-Aug | Y | 13 | 0 | 0 | 146 | 14
DPB | | 25-Aug | 26-Aug | N | 13 | 0 | 0 | 148, 149, 150 | 3, 66
DCJS | | 25-Aug | 26-Aug | N | 9 | 0 | 0 | 157, 158, 159 | 10
DGS | X | 1-Sep | 3-Sep | Y | 124 | 0 | 0 | 141, 142, 143, 144, 151, 152, 153, 154, 155, 176, 178, 179 | 3, 5, 9, 48
GOV | X | 15-Sep | 16-Sep | N | 32 | 0 | 0 | 137, 139, 180 | 52
DOF | | 15-Sep | 16-Sep | Y | 3 | 0 | 0 | 172 | 242
VGIN | | 15-Sep | 16-Sep | Y | 18 | 0 | 0 | 130, 172 | 242
VDACS | X | 15-Sep | 16-Sep | N | 16 | 0 | 7 | 162, 163, 164, 165 | 106
TAX | | 6-Oct | 8-Oct | N | 51 | 0 | 16 | 97, 98, 99, 107, 108, 111, 112, 115, 116, 118, 123, 169, 177 | 15, 30, 40
DSS | | 6-Oct | 8-Oct | Y | 16 | 0 | 0 | 170, 171 | 155
VEC | | 6-Oct | 8-Oct | Y | 28 | 1 | 0 | 103, 104, 105, 106, 181 | 31, 33, 40
VITA | | 13-Oct / 27-Oct | 14-Oct / 28-Oct | Both | 142 | 98 | 24 | 19, 21, 23, 94, 95, 109, 110, 113, 114, 124, 125, 126, 127, 128, 132, 133, 134, 135, 136, 167, 168, 185 | 3, 8, 14, 15, 30, 31, 33, 34, 38, 50, 51, 52, 56, 57, 59, 61, 63, 90, 97, 101, 103, 109, 115, 120, 121, 153, 155, 156, 157, 158, 159, 160, 161, 162, 163, 230, 234, 242, 247, 990, 993, 994, 995, 998
Total | | | | | 497 | 139 | 48 | |


Server Move Risk Mitigation

• VLAN Extensions

– Minimizes level of network and security changes required for the move to CESC

– Allows NG and the Agency to stage and pre-test selected Dev and/or Test servers PRIOR to moving production systems

• Migration of Current Systems

– Minimizes level of system changes required for the move to CESC

– Minimizes complexity of having to re-rack systems

– All required cables (Network, SAN, etc.) can be pre-installed and tested prior to moving the systems to CESC

• System Virtualization

– Provides enhanced pre-move testing capabilities

– Minimizes system/application downtime during the move to CESC

– Provides quick, easy fall-back


Server Move Risk Mitigation (continued)

• Stand-by Hardware

– Mission Critical application hardware can be made available if hardware problems arise due to move related issues

• Tax-related HP-UX hardware is an example of some of the systems that are being considered for stand-by hardware

– Any x86 server can have a stand-by virtual server in-place at both data center locations

• Move Specialists

– All system packaging and pre- and post-move verifications will be performed by hardware vendor Customer Engineers

• Customer Engineers (CEs) are the vendor employees who are dispatched to diagnose and resolve hardware-related issues as part of warranty and maintenance support services

– Representatives for each vendor will be either on-site or on-standby

• Move VITA last so that server move process is refined with smaller move groups


Communication Plan Overview

• Comprehensive CH/COMM Plan to include email communications and supporting documentation

• Overview, Kick-Off and monthly meetings with each affected Agency – Start June 7

• Detailed Planning Meetings with Agency Application Teams to develop test scenarios – (6/15 – 8/15)

• Checkpoints and signoffs in plan for agreement to start test planning, agreement that test plans are complete, application testing is complete and approval is given to move

• Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire test window – (7/15 – 10/28)

• Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and the Agency

• 24x7 Command Center set up before, during, and post-move/cutover

– Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)

– Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as needed)

– Representation by Network, Security, Mainframe, Server, Applications, etc.


Agency Application Test Responsibilities

• Participate in Planning Process

– Identify applications that need to be tested on each server

– Provide acceptable dates for tests and cutover and confirm downtime windows

• Provide Agency resources to participate in application testing pre-move as well as during the actual cutover

• Prepare test scripts and desired test results for application tests

• Conduct application tests for validation of the move

• Participate in cutover tests and verify network connectivity

• Agency acceptance sign off


Test and Move Coordination Roles

Agency | Tentative Relocation Weekend | Transformation | Current Operations | Agency Application Team | Primary HP Assignee | Secondary HP Assignee
SBE | 11-Aug | Bob Reviea | Mike Elliott | TBD | Tao Tao | Terry Miller
VDFP | 11-Aug | Brian Welliver | TBD | TBD | Terry Miller | Tom Springer
DCG | 11-Aug | Don Morgon | TBD | TBD | Tom Springer | Tao Tao
DEQ | 25-Aug | Brian Welliver | Dan Gayk | TBD | Terry Miller | Tom Springer
VDH | 25-Aug | Don Morgon | Kenny White | TBD | Tom Springer | Terry Miller
DCJS | 25-Aug | Bob Reviea | TBD | TBD | Tao Tao | Tom Springer
DPB | 25-Aug | Bob Reviea | TBD | TBD | Tao Tao | Terry Miller
DGS | 1-Sep | Don Morgon | Barbara Garnett | TBD | Tom Springer | Tao Tao
GOV | 17-Sep | Bob Reviea | Barbara Garnett | TBD | Tao Tao | Terry Miller
DOF | 17-Sep | Brian Welliver | TBD | TBD | Terry Miller | Tom Springer
VDACS | 17-Sep | Don Morgon | Brenda Richart | TBD | Tom Springer | Tao Tao
VEC | 17-Sep | Brian Welliver | Brenda Richart | TBD | Terry Miller | Tom Springer
TAX | 6-Oct | Bob Reviea | Cathie Franklin | TBD | Tao Tao | Tom Springer
VGIN | 6-Oct | Don Morgon | TBD | TBD | Tom Springer | Terry Miller
DSS | 6-Oct | Brian Welliver | Mike Elliott | TBD | Terry Miller | Tao Tao
VITA | 13-Oct / 27-Oct | TBD | Dave Matthews | TBD | John Sewell | Jeff Flanigan


VITA IT Security Technical Documentation

Craig Luka, Security Analyst

Northrop Grumman, VITA IT Security

June 14th, 2007


Overview

• What documentation has been developed?

– Enterprise Infrastructure Security Practices

– Security Practices Self Assessment

• Why?

– Define baseline security practices for customer-based staff

– COV ITRM Standard SEC501-01 compliance

– Document current Agency security practices and develop SEC501-01 Gap Analyses

– Reduce risk of unfavorable audit findings


Documentation Architecture

• Documentation Framework

– The security practices document has been developed from industry best practices (SANS, NIST, Center for Internet Security)

– All SEC501-01 requirements from the technical requirements matrix are accounted for in the security practices document

– The Self Assessment maps each SEC501-01 requirement to a set of security practices

• Serves as a cross-reference between SEC501-01 and the newly developed Enterprise Security Practices


Workflow and Routing

• Document Distribution

– EISP and self assessment are delivered to Regional Service Directors (RSDs)

– RSDs deliver documents to Agency-based Service Level Directors (SLDs)

– Customer-based technical staff and SLDs complete the self assessment

– Completed self assessments are returned to EISP team for quality assurance review

– Final documentation is delivered to Agency ISOs and reports are delivered to the CISO


Timeframe

• June 1st: Documents delivered to RSDs

• June 4th: RSDs deliver to SLDs and work begins on the self assessments

• June 4th – June 29th: Self assessment submitters complete the assessment and work with the EISP team as needed for clarification

• June 29th: All assessments completed, reviewed and delivered to the respective Agency ISOs


What to Expect

• The EISP team will work with customer-based staff and SLDs as needed to assist in assessment completion

• Any clarifications or enhancements discovered while assessments are being completed will be added to the EISP and self assessment documents

• Agency ISOs will receive a copy of the EISP document and their Agency’s completed self assessment on June 29th


Questions?


COV IT Security Standard Compliance – ISO Appointments & IT Security Audits

Ed Miller


Appointment of an Information Security Officer

The IT Security Policy (ITRM SEC500-02) requirement to appoint an Information Security Officer (ISO).


ISO Designation Requirement

ITRM SEC500-02 requires each Agency Head to “designate via e-mail…an ISO (Information Security Officer) for the Agency and provide the person’s name, title and contact information to VITA no less than biennially. The Agency Head is strongly encouraged to designate at least one backup for the ISO, as well.”

Send via Email to: [email protected]

The email must either be from the Agency Head or have the Agency Head copied (cc:).


List of Confirmed ISOs

Accountancy, Board of
Aging, Department for the
Agriculture and Consumer Services, Department of
Business Assistance, Virginia Department of
Center for Behavioral Rehab
Center for Innovative Technology
Christopher Newport University
Conservation and Recreation, Department of
Correctional Education, Department of
Corrections, Department of
Department of Charitable Gaming
Department of Forensic Sciences
Economic Development Partnership, Virginia
Elections, State Board of
Employment Dispute Resolution, Department of
Environmental Quality, Department of
Fire Programs, Department of
Forestry, Department of
Frontier Culture Museum of Virginia
Game and Inland Fisheries, Department of
Governor, Office of the
Health Professions, Department of
Human Resource Management, Department of
James Madison University
Juvenile Justice, Department of
Library of Virginia, The
Longwood University
Mary Washington University
Medical Assistance Services, Department of
Mental Health, Mental Retardation & Substance Abuse Svcs, Department of
Mines, Minerals and Energy, Department of
Minority Business Enterprise, Department of
Motor Vehicle Dealer Board
Motor Vehicles, Department of
Museum of Fine Arts, Virginia
Museum of Natural History, Virginia
Old Dominion University
Professional & Occupational Regulation, Department of
Racing Commission, Virginia
Rail and Public Transportation, Department of
Science Museum of Virginia
Social Services, Department of
State Police, Department of
Tourism Commission, Virginia
Transportation, Department of
Virginia Commonwealth University
Virginia Information Technologies Agency


IT Security Audit Plan

The IT Security Audit Standard (ITRM SEC502-00) requirement to submit an annual IT security “audit plan” to the CISO beginning February 1, 2007.


IT Security Audit Plan

• The IT Security Audit Plan should identify all sensitive system(s), the planned date of the audit(s) and the planned auditor for the audit(s).

• Each sensitive system must be audited at a frequency relative to its risk, or at least once every 3 years.

• There is a template that can be used by the agency to record this information on the VITA web at:

http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityAuditPlanTemplate.doc


Exception Request

• If your agency cannot submit its IT Security Audit Plan, the Agency must submit an Exception Request for an extension of time in order to comply. The Exception Request must be approved by the Agency Head and sent to the CISO for review and approval.

• The IT Security Policy and Standard Exception Request form is on the VITA web at

http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc


No Sensitive Systems?

• In addition, there may be some agencies that do not classify any of their databases or systems as “sensitive”. Under the requirements of SEC502-00, they do not have to submit an audit plan. However, to ensure that we are not missing any sensitive systems, we would like any Agency making that assertion to please notify us by email to vitasecurityservices.com that they will not be submitting an audit plan for that reason.


Agencies w/Audit Plans or Extensions

Board of Accountancy
Center for the Innovative Technology
Christopher Newport University
Department of Employment Dispute Resolution
Department for the Aging
Department of Agriculture and Consumer Services
Department of Alcoholic Beverage Control
Department of Conservation and Recreation
Department of Corrections
Department of Education
Department of Environmental Quality
Department of Fine Arts
Department of Forensic Sciences
Department of General Services
Department of Health
Department of Health Professions
Department of Housing and Community Development
Department of Human Resource Management
Department of Juvenile Justice
Department of Medical Assistance Services
Department of Mental Health, Mental Retardation & Substance Abuse
Department of Mines, Mineral, and Energy
Department of Motor Vehicles
Department of Planning and Budget
Department of Professional & Occupational Regulation
Department of Rail and Public Transportation
Department of Rehabilitative Services
Department of Social Services
Department of State Police
Department of Taxation
Department of the Treasury
Department of Transportation
George Mason University
James Madison University
Jamestown-Yorktown Foundation
Longwood University
Mary Washington University
Office of the Governor
Old Dominion University
Radford University
Richard Bland College
State Compensation Board
State Board of Elections
State Council of Higher Education for Virginia
University of Virginia Commonwealth
Virginia Board for People with Rehabilitative Services
Virginia Department for the Blind and Vision Impaired
Virginia Department for the Deaf and Hard of Hearing
Virginia Employment Commission
Virginia Information Technologies Agency
Virginia Racing Commission
Virginia State University


Where to find Policies/Templates/Forms

• Go to the VITA Website: www.vita.virginia.gov

• Click Security and then Policies and Procedures: http://www.vita.virginia.gov/docs/psg.cfm#securityPSGs


COV Information Technology Security Policy, Standards and Guidelines

Cathie Brown, CISM, CISSP


Compliance: IT Security Policy & Standard

July 1, 2007 Compliance Date

• Key Steps to Compliance include:

– Designate an ISO

– Inventory all systems

– Perform Risk Assessment on sensitive systems

– Perform Security Audits on sensitive systems

– Document and exercise Contingency & DR Plans

– Implement IT systems security standards

– Document formal account management practices

– Define appropriate data protection practices

– Establish Security Awareness & Acceptable Use policies

– Safeguard physical facilities

– Report & Respond to IT Security Incidents

– Implement IT Asset Controls


Exception Request

• If your agency cannot comply by July 2007, the Agency must submit an Exception Request for an extension of time. The Exception Request must be approved by the Agency Head and sent to the CISO for review and approval.

• The IT Security Policy and Standard Exception Request form is on the VITA web at

http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc


Status Update

• Revised IT Security Policy & Standard

– End date for ORCA Comments – 6/13

• IT Standard Use of Non-Commonwealth Computing Devices to Telework, ITRM SEC511-00

– New COV Standard

– End date for ORCA Comments – 6/13

• IT Threat Management Guideline

– Comments have been addressed

– Publish by June 29, 2007


New! Data Breach Notification

Included in Revised IT Security Policy and Standard:

• Data Breach Notification Requirements:

– Each agency will identify systems that contain PII (Personally Identifiable Information)

– Include provisions in any third-party contracts requiring that the third party and third-party subcontractors provide immediate notification of suspected breaches

– Provide appropriate notice to affected individuals upon the unauthorized release of any unencrypted PII by any mechanism (laptop, desktop, tablet, CD, DVD, etc.)


Revisions - IT Security Policy & Std

• Highlights

– Expanded scope to include Legislative, Judicial, Independent and Higher Education

– System Security Plans for sensitive systems

– Additional considerations for account management

– Additional considerations for protection of data on mobile storage media, including encryption

– Additional requirements for specialized IT security training

– Data Breach Notification

• Compliance date – 1/01/2008


New! IT Std Using Non-COV Devices to Telework

• Purpose

– Establish a standard to protect COV data while teleworking with Non-COV Devices

• Acceptable Solutions

– Standalone Computer

– Internet Access to Web-Based Applications

– Internet Access to Remote Desktop Applications

• Requirements

– Storing COV data on a non-COV device is prohibited

– Network traffic containing sensitive data must be encrypted

– Provide training on remote access policies

• Security Incident Response

– Non-COV device may be required during forensics or investigation of a Security Incident

– Acknowledgement form signed


IT Threat Management Guideline

• Highlights

– IT Security Threat Detection

– IT Security Incident Management

– IT Security Monitoring and Logging

– Example: Recording and Reporting Procedure

– Example: Internal Incident Handling Procedure


QUESTIONS


Information Risk Executive Council

Cathie Brown, CISM, CISSP


Reminder – IREC Resource Available

• Information Risk Executive Council

– Unlimited access to the following services

• Strategic Research and Tools

• Benchmarking and Diagnostic Tools

• Teleconferences

• To register – https://www.irec.executiveboard.com/Public/Register.aspx

• For questions or problems, please contact:

– Jennifer Smith, Account Manager, CIO Executive Board, Corporate Executive Board, 2000 Pennsylvania Avenue, NW, Washington, DC 20006

– 202-587-3601, [email protected]


QUESTIONS


Upcoming Events

Peggy Ward


UPCOMING EVENTS!

ISOAG MEETING DATES

Wednesday, July 11, 2007, 1:00 - 4:00

Tentative Agenda Items:

• E-Discovery – OAG

• VITA transformed IT Infrastructure Architecture - Linda Smith, NG

• IS Policy, Standards & Guidelines Update - Cathie Brown, VITA

• IS Council Committee Updates - Committee Chairs


UPCOMING EVENTS!

VITA OFFICES MOVE

Friday, July 27, 2007

CAMS will move to 411 E. Franklin


Any Other Business ?


ADJOURN

THANK YOU FOR YOUR TIME AND THOUGHTS!!!