IT Trends and the Cyber Security Agenda

Transcription

1 State of the States: IT Trends and the Cyber Security Agenda Executive Policy Forum on Cyber and Electronic Crime NGA Center for Best Practices September 9, 2008 Doug Robinson Executive Director NASCIO

2 About NASCIO NASCIO represents state chief information officers and information technology executives from the states, territories and D.C. NASCIO's mission is to foster government excellence through h quality business practices, information management, and technology policy.

3 Mission NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy. Goals NASCIO is the premier network and resource for state CIOs Advance state CIOs as key members of the leadership team NASCIO is a effective advocate for information technology policy at all levels of government

4 State IT Landscape Today Continued consolidation infrastructure, services and people Cyber security: Government At Risk! Critical infrastructure protection uneven investments Ramifications of data breach and citizen trust Insider threats and employee training State IT workforce: retirement wave, IT skills gap, challenge of recruiting Data management: quality and sharing Impact from federal laws, changing programs and unfunded mandates: REAL ID, Medicaid, Homeland Security

5 Multifaceted Role of the State CIO Manage, Deploy, and Develop State IT Resources Cross Boundary Collaboration Customer Service Frontline in Securing State IT Assets Legislation, Policy and Directives State CIO Enterprise Architecture Strategic Planning Provision of State IT Infrastructure State IT Governance Procurement

6 Challenges of State CIOs Bringing the focus to the enterprise Collaborating across and beyond government State IT workforce skills and demands Facilitating efficient, safe exchange of data Managing risks cyber security Building relationships in the face of change Managing and cultivating funding

7 State CIO Priorities: Consolidation: centralizing, consolidating services, operations, resources, infrastructure 2. Security: Tightening security safeguards, enterprise policies, 3. Disaster Recovery: Improving disaster recovery, business continuity planning and readiness 4. Electronic Records Management/Digital Preservation/Ediscovery: strategies, policies, services 5. Health Information Technology: Assessment, partnering 6. Shared Services: Sharing resources, services, infrastructure 7. Connectivity: Strengthening statewide connectivity, broadband 8. Governance: Improving IT governance 9. Interoperability: infrastructure and data 10. Human Capital/IT Workforce: attracting, developing and retaining IT personnel, retire wave planning NASCIO State CIO Survey Nov 2007

8 State CIO: IT and Solution Priorities 1. Virtualization computing and storage 2. Security enhancement tools 3. GIS and spatial analysis 4. Legacy modernization and upgrades 5. Identity Access and Management (IAM) 6. Networking, voice and data communications 7. Document/Content management 8. Wireless: Mobile, remote and fixed wireless 9. Service Oriented Architecture (SOA) and web services NASCIO State CIO Survey Nov 2007

9 States Adopting More Business Disciplines i in IT to Manage Risk Enterprise architecture: blueprint for better government Organizational Transformation / Change Management Enterprise Governance - Series Project and Portfolio Management Service Oriented Enterprise Service level management ITIL

10 Disaster Recovery & Business Continuity Government at Risk: critical infrastructure protection Aging state data centers Critical business recovery No state ready for pandemic IT resiliency and the continuity of government CIO challenge: making the business case for the investment

11 Facing the IT Workforce Challenge Over 27% of state IT workforce will be eligible to retire in 5 years Who will actually retire and when? How best to address the skills gap? Best practices for recruiting and retaining IT workforce

12 Cyber Security and the States Critical infrastructure protection Spam, hacking, spyware, malware, phishing and probes up! More aggressive threats organized criminal activity Insider threat is REAL! Growing role of state CISO Investments by state CIOs

13 The Insider Threat is REAL! IT security incidents: 61% caused by insiders Employee awareness and education is critical Asset management and data protection

14 Why Worry? Data breach at Progressive highlights insider threat (April 06, 2006) An employee at Progressive Casualty Insurance Co. wrongfully accessed information on foreclosure properties she was interested in buying. Progressive officials today confirmed that the company sent out letters in January to 13 people informing them that confidential information, including names, Social Security numbers, birth dates and property addresses had been wrongfully accessed by an employee who has since been fired.

15 Why you should worry Gap security breach exposes data on 800,000 (September 28, 2007) A laptop containing the personal information of job applicants was stolen from third-party vendor that manages job applicant data for Gap. Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc. s brands between July 2006 and June 2007 was contained on the stolen laptop.

16 Consequences are real Company Says Worker Stole, Sold Data (July 3, 2007) Fidelity National Information Services reported a worker at one of its subsidiaries i stole 2.3 million consumer records containing credit card, bank account and other personal information. The database administrator sold the information to an unidentified data broker, who sold some of it to direct marketing companies.

17 Loss of property Angry Employee Deletes All of Company's Data (January 24, 2008) When Marie Lupe Cooley, 41, of Jacksonville, Fla., saw a help-wanted ad in the newspaper for a position that looked suspiciously like her current job she assumed she was about to be fired. So, police say, she went to the architectural office where she works late Sunday night and erased 7 years' worth of drawings and blueprints, estimated to be worth $2.5 million

18 Loss of trust Sensitive data loss soars (July 11, 2007) The number of Ohio taxpayers whose personal information was on a stolen state t data device has more than tripled, climbing to 800,000, Gov. Ted Strickland announced. The names and Social Security numbers of 561,126 taxpayers were recently discovered as officials continue to review a copy of the data cartridge stolen from a state intern's car on June 10.

19 Loss of sensitive data Personal information of 30, patients available online for month (August 11, 2007) Patient records were available by web search during a four-week period after Sky Lakes Medical Center (Oregon) shut down its online bill-payment system, and a third-party, Verus, Inc., transferred the data from one server to another to perform maintenance. The hospital terminated its contract with Verus and shut down the system.

20 Corporate liability AG Announces Data Breach At New York Bank (May 21, 2008) Attorney General Richard Blumenthal today announced that a storage company for a New York bank lost an unencrypted backup tape containing Social Security numbers and bank account information belonging to as many as hundreds of thousands of Connecticut consumers and personal information of millions more nationwide.

21 Government sabotage San Francisco officials locked out of computer network (July 15, 2008) A disgruntled city computer engineer has virtually commandeered S.F's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said. One official said he had been disciplined on the job in recent months for poor performance and that his supervisors had tried to fire him.

22 Don t be a news story [Insert your state government here ]

23 The IT Threat Landscape INTERNAL THREATS EXTERNAL THREATS Theft Fraud Negligent employees Sabotage Lack of compliance Business Partners Contractors Ex-employees Hackers Competitors Criminals Terrorists

24 Why Insider Threat is Worse Insiders have characteristics that outsiders don t: knowledge, access and trust Insider threats are the easiest to perpetrate, p most difficult to prevent, possibly hardest to detect Not just about technology! Effective solution must involve people, process and technology

25

26 CERT Insider Threat Analysis Studied 250 insider threat cases between percent were IT sabotage cases Most were premeditated attacks identifiable by red-flag behavior 30 percent of the attackers had been arrested previously Source: Carnegie Mellon Software Engineering Institute's Computer Emergency Response g g g p g y p Team, 2008.

27 Top Five Insider Threats PEOPLE 1. Malicious employees: sabotage, theft, fraud 2. Inattentive, complacent or untrained employees 3. Contractors, partners and outsourced services PROCESS 4. Inadequate IT security compliance, oversight, authority and training TECHNOLOGY 5. Pervasive computing technology is everywhere and data is on the move

28 Reduce Your Risk: Prevention #1 Security Awareness and Training! Periodic risk assessment Align process with ih policy Employee behavior stress? Disgruntled, demoted or fired employees Enforce compliance Trust, but Verify Social engineering No Tech Hacking

29 Practical Steps to Reduce Risk Strict password & account management Secure your data on the move laptops, PDAs, USB drives Create a data retention plan Enforce separation of duties Wall off data least access Monitor event logs early evidence Criminal background and credit checks

30 Cyber Security and State CIOs: A View Forward Complexity of data protection the need for classification policies The real cost of data breaches Stiff competition for state funding Growing world without wires Millennials as citizens and in the workforce

31 Doug Robinson Executive Director org