Enterprise Continuous Monitoring Bridging Shared Services, Clouds, and In-House Solutions

Transcription

1 Enterprise Continuous Monitoring Bridging Shared Services, Clouds, and In-House Solutions Benjamin Bergersen Certified in the Governance of Enterprise IT - CGEIT Certified Information Systems Security Architecture Professional CISSP-ISSAP CISA CISM CISSP ISSMP ITIL PMP Cloud Security Program Manager MAX.gov Shared Services Department of Education BERGERSEN 1

2 1. Need for Enterprise Continuous Monitoring 2. Regulations and Guidance 3. Case Studies and Tips BERGERSEN 2

3 1. Need for Enterprise Continuous Monitoring BERGERSEN 3

4 1. Need for Enterprise CM Enterprise continuous monitoring provides the visibility and controls needed to manage services in an ever changing IT environment. Companies and Federal agencies are implementing a hybrid IT service model including in-house, shared services, and cloud hosted solutions. This makes for potentially fragmented service management and delivery. BERGERSEN 4

5 1. Need (continued) To assure services and manage risk, a holistic view is needed across all services. This is in line with the new CIO being a service, value, and strategic leader; and not just an in-house developer or infrastructure provider. NIST SP defines continuous monitoring as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. BERGERSEN 5

6 1. Need (continued) Public and private sector organizations, visitors, and partners are utilizing cloud computing, e- collaboration, social networking, smart phones, removable media, and unified communications with different levels of visibility and control. Does your organization find out about service outages when your customer calls in? Is that too late? What about predictive metrics? BERGERSEN 6

7 Setting the Stage Public and private sector organizations, visitors, and partners are utilizing cloud computing, e- collaboration, social networking, smart phones, removable media, and unified communications with different levels of visibility and control. Does your organization find out about service outages when your customer calls in? Is that too late? What about predictive metrics? 7 BERGERSEN 7

8 1. Need (continued) Organizations can have their business unit IT service delivery adversely affected in the following scenarios: Incorrect assumptions Reduced situational awareness Delayed visibility Long decision making process Slow responsiveness to rapidly changing situations Reputation and budget Impacts Mission degradation and failure 8 BERGERSEN 8

9 1. Need (continued) We will explore how-to manage and excel at service delivery through enterprise continuous monitoring using methodologies and case studies across multiple management and delivery models. BERGERSEN 9

10 2. Regulations and Guidance BERGERSEN 10

11 2. Regulations and Guidance History: Clinger Cohen Act 1996 FISMA 2002 Current: Executive Order EO OMB Memorandum M OMB Memorandum M FISMA Modernization Act 2014 FITARA HR BERGERSEN 11

12 12

13 2. EO (2011) Promoting Efficient Spending "To promote further efficiencies in IT, agencies should consider the implementation of appropriate agency-wide IT solutions that consolidate activities such as desktop services, , and collaboration tools. How do you monitor all of these? BERGERSEN 13

14 2. OMB M (2011) CIO AUTHORITIES 2. Commodity IT. Agency CIOs must focus on eliminating duplication and rationalize their agency's IT investments BERGERSEN 14

15 2. OMB M (2011) CIOs FOCUS ON ELIMINATING DUPLICATION IN Collaboration tools Identity and access management Security Web infrastructure Finance Systems Human Resource Systems ** Think about integrated ECM for these BERGERSEN 15

16 2. OMB M (2011) CIOs must show a preference for using shared services as a provider or consumer instead of standing up separate independent services. (Remember to monitor these at the needed granularity based on risk and mission criticality info categorization, FIPS- 199) BERGERSEN 16

17 2. OMB M (2012) Implementing PortFolioSTAT Plan to Consolidate Commodity IT. By August 31, 2012, submit to OMB plan to consolidate IT portfolio, including the adoption of intra and inter agency shared IT services. These comprehensive plans will be informed by the PortfolioStat Process. BERGERSEN 17

18 2. FISMA Modernization Act (2014) Provide security protections commensurate with the risk and magnitude of the harm prevent destruction of (i) information collected or maintained by or on behalf of the agency BERGERSEN 18

19 2. FISMA Modernization Act (2014) includes (ii) information collected or maintained by or on behalf of the agency; and *** Remember to Monitor: Shared Services, Cloud, and in-house BERGERSEN 19

20 2. FISMA Modernization Act (2014) (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; (This includes cloud implementations) BERGERSEN 20

21 2. Federal Information Technology Acquisition Reform Act (2014) Requires CIOs to: Certify that IT investments adequately implement incremental development Ensure that all requested IT positions meet ongoing requirements BERGERSEN 21

22 2. Federal Information Technology Acquisition Reform Act (2014) (Sec. 102) Sets forth requirements concerning OMB's risk management program for major IT investments. Requires the OMB Director to make publicly available the cost, schedule, and performance data for each major IT investment. BERGERSEN 22

23 2. Federal Information Technology Acquisition Reform Act (2014) RISK EXECUTIVE FUNCTION have a DASHBOARD Quarterly CIOs rate risk of IT investments egov to review projects that are HIGH for 4 consecutive quarters. BERGERSEN 23

24 2. Federal Information Technology Acquisition Reform Act (2014) RISK EXECUTIVE FUNCTION OMB Director, after 1 year, to deny additional funding CIO certifies that: (1) the root causes have been addressed, and (2) there is sufficient capability to deliver the remaining planned increments within the planned cost and schedule. BERGERSEN 24

25 3. Case Studies BERGERSEN 25

26 3. Case 1: Traditional ECM BERGERSEN 26

27 3. Case 2: CSP TIC Overlay + Agency SOC BERGERSEN 27

28 3. Case 3: CSP TIC Overlay + SOC BERGERSEN 28

29 3. Case 4: CSP TIC Overlay and MSS BERGERSEN 29

30 3. Case: ECM Dashboard with fictional metrics 30 BERGERSEN 30

31 3. Cases 5-7 A cloud bulk file transmission system is used to obtain audit provided by client (PBC) documents HR is outsourced. is migrated to the cloud with username/password. BERGERSEN 31

32 3. Cases 8-10 Intellectual Property (IP) is maintained via in house systems. Business Intelligence and analytics Software As a Service (SaaS) is utilized. You move to another data center during the consolidation initiatives. BERGERSEN 32

33 3. Tips (1-2 of 10) Map mission, to business functions, to IT services, to IT functions. Have different ECM views: customer, executive, manager, and staff. BERGERSEN 33

34 3. Tips (3 of 10) Calculate Costs / Benefits / Risks of : Your own Security Operations Center (SOC) Services behind a Trusted Internet Connection (TIC) Cloud Service Provider with a TIC Overlay Managed Security Services (MSS) for aggregating monitoring BERGERSEN 34

35 3. Tips (4-5 of 10) Utilize existing tools, open source, and commercial software based on time constraints, budget, and maturity requirements year over year. Check inherited risk register, POAMs, 3PAO report, vulnerabilities, and change control from different providers. BERGERSEN 35

36 3. Tips (6-8 of 10) Create workflows and mission dashboards. Require PIV/CAC card authentication. Require timely access for management reviews, audits, and incident response. BERGERSEN 36

37 3. Tips (9-10 of 10) Use FedRAMP and DoD Cloud Enhanced security controls. Create, monitor, and modify contracts and MOUs with: SLAs, incentives, penalties, and back-out clauses. BERGERSEN 37

38 Thank-you Benjamin Bergersen Certified in the Governance of Enterprise IT - CGEIT Certified Information Systems Security Architecture Professional CISSP-ISSAP CISA CISM CISSP ISSMP ITIL PMP Cloud Security Program Manager MAX.gov Shared Services Department of Education Ben.Bergersen@ed.gov BERGERSEN 38