INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT. Doomed by Design: Unearthing the Problems with Government Security Programs

Transcription

1 INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT Doomed by Design: Unearthing the Problems with Government Security Programs Christopher Buse Assistant Commissioner & State CISO June 12, 2014 AGENDA State of the States Minnesota Plan Q&A

2 The State of the States Security significantly underfunded Diverse security posture between states Underlying data soft and sometimes unavailable Fragmented governance

3 14% CISOs believe that they have executive support 24% CISOs are confident in protecting state assets 86% CISOs cite funding as their key barrier 680% Increase in significant threats over past 5 years Most States Only Spend Between 1-2% of the IT Budget on Security 0 Government Spending Private Sector Spending

4 46% CISOs have a documented strategy 30% CISOs plan to develop a written strategy 82% CISOs are responsible for measurement and reporting 8% CISOs attempting to measure program effectiveness Good news: The enterprise CISO position is now firmly entrenched in most states Bad news: The enterprise CISO position is often one of coordinating cross-agency resources Limited ability to drive actions across organizational boundaries Security spend outside the control of the CISO

5 Executive Support Freedom To Act Resources Comprehensive Plan Is Your State Security Program Doomed by Design? It s Not Just Retail One of over 2,000 negative headlines on the recent South Carolina breach Hackers gain access to 780,000 individual health records 10

6 The Minnesota IT Consolidation Plan What About Us? Minnesota: a microcosm of the national scene Strong executive support Strategic and tactical plans Security spend is insufficient 2010 legislative study: State of Minnesota spend is 2% of state budget vs. industry standard investment of 5% Overall reduction in security spend in FY13 Silos of agency-based IT Restricted our ability to leverage economies of scale Hampered our ability to implement enterprise security strategies

7 IT Security Consolidation Plan Published in April 2014 Describes the desired end state, yet recognizes Reaching that end state will take a long-term commitment We need to use our existing resources better Outlines a shift in the service delivery model Establishes centrally delivered services Creates line of business security teams Details the breakdown of work between central and line of business teams Focuses on a subset of services to address first The Basic Concept: Consolidated Services Information Security program management Enterprise Services Delivered to All We will reorganize security resources into a single management structure that creates consistency and aligns resources Those services deemed to be enterprise services will be delivered by a centralized security team

8 The Basic Concept: Close-to-Business Services Even if we consolidate the common security services, we still don t have the resources for each agency-based office to manage close-to-the-business security services Close-to-Business Security Cluster 1 Cluster 2 Cluster 3 Cluster 4 Cluster 5 Cluster 6 Our plan is to cluster security teams into lines of business to provide closeto-the-business services to groups of agencies with similar business/security requirements sharing resources, but keeping the specialization where it needs to be The Basic Concept: Effective allocation of resources Staff will be assigned to a cluster or to the enterprise services based on their current work and expertise. Cluster 1 Cluster 2 Cluster 3 Cluster 4 Cluster 5 Cluster 6 Close-to-thebusiness services Close-to-thebusiness services Close-to-thebusiness services Close-to-thebusiness services Close-to-thebusiness services Close-to-thebusiness services Information Security program management Enterprise Services Delivered to All

9 Identity and Access Management Information Security Risk and Compliance Business Continuity and Disaster Recovery Information Security Training and Awareness Secure System Engineering Realigning Work Close-to-the-business services focus on implementation at the business and application level Information Security Incident Response and Forensics Information Security Program Management Information Security Monitoring Continuous Vulnerability Management Boundary Defense Endpoint Defense Physical Security Single management conserves resources and drives consistency Enterprise delivers common functions and tools to all Health Safety Environment General Government Economy Education Health BDs (17) Corrections Agriculture Administration Commerce Education Health Public Safety Animal Health BD Campaign Finance Commerce BDs (3) Arts BD Human Services Transportation Natural Resources Capital Area Architect BD AURI Center for Arts Education Ombudsman MH/DD POST BD Conservation Corps Investment BD Amateur Sports CM High Ed Facilities Authority Veterans Affairs Private Detectives BD Pollution Control MN.IT Combative Sports CM MN State Academies MNsure Sentencing Guidelines BWSR MMB Explore MN Office of Higher Education Ombudsman Families Racing CM MN Zoo Mediation Services DEED Targeted Councils (5) Uniform Laws CM Administrative Hearings Labor & Industry Workers Comp Court Governor Public Utilities CM Gambling Control Human Rights Revenue

10 A Look Ahead: Industry Trends Does Your Organization Have a Central Security Team? Does Your Organization Have Local Security Groups? Creating Central Group, 3% No Central Security, 4% Central Security Team, 94% Only Central Security 56% Use Local Security Groups 44% Conclusion: MN.IT s Proposed Model Aligns Well With National Trends Assistant Commissioner & CISO Information Standards and Risk Management Assistant Commissioner Service Delivery Enterprise Architect Information Security Oversight Director Client Computing & Customer Support Director Infrastructure as a Service Director Secure Systems Engineering Governance, Risk, & Compliance Endpoint Defense Border Defense Business Continuity Vulnerability Management Identity and Access Management Physical Security Information Security Incident Response Team Health LOB Service Delivery Team Safety LOB Service Delivery Team Environment LOB Service Delivery Team General Govt LOB Service Delivery Team Economic LOB Service Delivery Team 20 Education LOB Service Delivery Team

11 Detailed Service Deliverable Future Level of Effort Central Team Future Level of Effort LOB Team Service Delivery Method Information Security Program Management Minimal Information Security Monitoring Minimal Information Security Incident Response and Forensics Minimal Continuous Vulnerability Management Minimal Boundary Defense Minimal Endpoint Defense Minimal Moderate Secure Systems Engineering Information Security Training and Awareness Business Continuity Moderate Information Security Risk and Compliance Identity and Access Management Moderate Physical Security Primarily Centralized Primarily Centralized Primarily Centralized Primarily Centralized Primarily Centralized Primarily Centralized Central Direction / Hybrid Delivery Central Direction / Hybrid Delivery Central Direction / Hybrid Delivery Central Direction / Hybrid Delivery Central Direction / Hybrid Delivery Central Direction / Hybrid Delivery 21 Selected through planning team consensus Represent highest payback from a risk perspective Plan focuses on rollout of priority services first Plan does not include all service delivery details Priority Services Secure Systems Engineering Continuous Vulnerability Management Information Security Program Management Boundary Defense Information Security Monitoring

12 IT Security Consolidation: Value Proposition MN.IT can provide a full suite of security services to all customers Cost to the customer far less than ramping up alone Better service, as expertise is shared More agile service: getting the experts when and where they need to be More job opportunities and specialization skills for employees Will it be perfect? Priorities will still have to be set, but they will be done at an enterprise level No agency can opt out of security Customers Existing resources used as efficiently and effectively as possible Consistent security practices Metrics to understand security posture MN.IT Services More specialization and deeper bench strength Clear priorities for the enterprise Reduction in single points of failure More career opportunities for staff Better understanding of our risk posture Beneficiaries

13 Final Thoughts Auditing applications is easy and safe Policymakers may be better served by an assessment your state security program foundation Executive support Freedom to act Funding Comprehensive plans Thank