Cybersecurity in the States 2012: Priorities, Issues and Trends
Commission on Maryland Cyber Security and Innovation
June 8, 2012
Pam Walker, Director of Government Affairs, National Association of State Chief Information Officers
About NASCIO
National association representing state chief information officers and information technology executives from the states, territories and D.C.
NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy.
Founded in 1969: we're a legacy system.
NASCIO 2012 Federal Advocacy Priorities
- More Administrative Flexibility Needed for States
- Secure and Protect Citizen Data and State Digital Assets
- Support the Adoption and Expansion of the National Information Exchange Model (NIEM)
- Support State Role in Identity Management and Verification Solutions
State IT Landscape Today
- Fiscal recovery uneven, slow revenue growth, budgets are better; federal deficit reduction impact?
- CIOs seeking IT operational cost savings and alternative IT sourcing strategies
- Opportunities for change and innovation
- Living with the past: modernizing the legacy
- IT security and risk! The game has changed
- IT workforce: retirement wave, skills, recruiting
- State CIO positions: major churn
CIO Priorities, Trends and Perspectives
State CIO Priorities (Source: NASCIO State CIO Survey, October 2011)
1. Consolidation / Optimization: consolidating infrastructure and services, centralizing
2. Budget and Cost Control: managing budget reduction, strategies for savings
3. Governance: improving IT governance, authority, data governance, partnering, collaboration
4. Health Care: Affordable Care Act, health information and insurance exchanges, architecture, partnering, implementation, technology solutions, Medicaid systems
5. Cloud Computing: governance, service management, service catalogs, platform, infrastructure, security, privacy, data ownership, legal issues, vendor management
6. Security: risk assessment, governance, budget and resource requirements; security frameworks, data protection, training and awareness, insider threats, third party security
7. Broadband and Connectivity: strengthening statewide connectivity, public safety wireless network/interoperability, implementing BTOP grant
8. Shared Services: business models, sharing resources, services, infrastructure, independent of organizational structure, service portfolio management
9. Portal: maturing state portal, e-government, single view of the customer/citizen, emphasis on citizen interactive self-service, mobile apps, accessibility
10. Mobile Services/Mobility: devices, applications, workforce, security, policy issues, support, ownership, communications, wireless infrastructure
Cybersecurity in the States
- Critical infrastructure protection
- More aggressive threats: organized crime, unorganized crime, hacktivism
- Spam, phishing, hacking, and network probes up
- Data breaches: trust impact
- Insider threats, third party
- Executive support
- Inadequate funding
- Need more training, awareness
State governments at risk: A call to secure citizen data and inspire public trust
Survey Results
Deloitte and NASCIO issued the 2010 report of a national survey of state government cybersecurity focused on these key areas: information security governance, investments, use of security technologies, quality of operations, privacy, and identity and access management. 49 states responded to the survey.
Governance
The Enterprise CISO position is firmly established in the majority of states. To be successful, CISOs must continue to evolve this position to garner enterprise visibility, authority, executive support and business involvement.
1. To whom does your State's CISO, or equivalent responsible for information security, report?
- Secretary/Department head: 8%
- General Counsel/Legal: 0%
- Chief Information Officer (CIO) or State IT Director: 76%
- Chief Financial Officer (CFO): 0%
- Chief Security Officer (CSO): 4%
- Homeland Security Director/Adviser: 0%
- Internal Audit: 0%
- Other: 16%
- Not applicable/do not know: 4%
76 percent of the respondents indicated that their State CISOs report directly to the Board of Directors or C-suite, with the largest number reporting to the Chief Information Officer (CIO).
2. Which functions are within the scope of the CISO or equivalent official?
- Information Security (IS) strategy and planning
- IS budgeting
- IS program measurement and reporting
- IS governance (architecture, policies, standards)
- IS compliance and monitoring
- IS risk assessment and management
- Incident management
- Network security and perimeter defense
- Technical infrastructure security
- User administration
- Identity and access management
- Vulnerability management
- IS monitoring
- IS communications, awareness and training
- Outsourced security functions
- Background checks
- Investigations and forensics
- Fraud management
- Disaster recovery planning
- Business continuity management
- Physical security
- Other
- Not applicable/do not know
The top five functions of the CISO include: Information Security (IS) Strategy and Planning (96 percent), Incident Management (94 percent), IS Governance (92 percent), IS Communication (88 percent) and IS Risk Assessment (82 percent).
1. Does your State (or agency) have a documented and approved governance for information security (i.e. defined responsibilities, policies and procedures)?
- Documented and approved: 65%
- Documented but not approved: 6%
- Intend to have one documented and approved within the next 12 months / No: 10%, 12%
- Not applicable/do not know (please describe below): 6%
65 percent of the respondents indicated that they have a documented and approved governance for information security.
6. Does your State (or agency) actively engage both business stakeholders and technology decision makers in identifying requirements for the State's information security strategy?
- Lines of business decision makers only: 2%
- Technology decision makers only: 21%
- Both lines of business and technology decision makers: 71%
- Neither lines of business nor technology decision makers: 4%
- Not applicable/do not know (please describe below): 2%
71 percent of the respondents indicated that they engage both lines of business and technology decision makers to identify the State's information security strategy.
3. Which of the following best describes the state of senior executive support (Governor's Office or CIO) for security projects to effectively address regulatory or legal requirements?
- Commitment and adequate funding: 14%
- Commitment but inadequate funding: 55%
- No commitment but provide funds: 4%
- No commitment or funds / Not applicable/do not know: 12%, 14%
55 percent of the respondents indicated that they receive commitment from the senior executives but lack adequate funding for security projects to effectively address regulatory or legal requirements.
2. Which statement best represents how you measure and demonstrate the value and effectiveness of your information security organization's activities?
- We have established metrics that have been aligned to business value and report on a scheduled basis: 13%
- We are working on establishing metrics and aligning them to business value: 25%
- We have established metrics that are technical but not well understood by functions outside of information security: 31%
- Little, if any, measurement is undertaken: 23%
- We do not measure: 4%
- Not applicable/do not know: 4%
31 percent of the respondents indicated that they measure and demonstrate the value of their information security enterprise activities using technical metrics that are not well understood by non-information-security functions.
3. How effective are applicable Federal and State regulatory security requirements at improving information security posture and at reducing data breach risks in your State (or agency)?
- Very effective: 4%
- Somewhat effective: 81%
- Not effective: 13%
- Not applicable/do not know: 2%
81 percent of the respondents indicated that the Federal and State regulatory security requirements are somewhat effective in improving the state's information security posture.
1. What are your State's top five (5) security initiatives for 2010?
- Information security strategy / Information security governance (e.g., roles, reporting): 27%, 29%
- Aligning information security initiatives with those of the business: 21%
- Information security risk assessments: 58%
- Data protection: 60%
- Operationalizing information security: 15%
- Information security measurement and reporting: 42%
- Information security talent management: 4%
- Information security training and awareness: 54%
- Information security regulatory and legislative requirements: 21%
- Security infrastructure improvement: 33%
- Application security: 42%
- Identity and access management / Security related to technology advancements: 19%, 19%
- Information security compliance (e.g., internal / external audits): 29%
- Managing insider threats: 4%
- Managing or outsourcing of security services / Disaster recovery / Business continuity / Other (please specify below): 10%, 8%, 6%, 4%
- Not applicable/do not know (please describe below): 0%
The respondents indicated that their 2010 top five security initiatives include data protection (60 percent), information security risk assessments (58 percent), information security training and awareness (54 percent), application security (42 percent) and information security measurement and reporting (42 percent).
What are your State's top five IT security initiatives?
1. Data Protection
2. Information Security Risk Assessments
3. Information Security Training and Awareness
4. Application Security
5. Information Security Measurement and Reporting
2. What major barriers does your State face in addressing information security?
- Lack of management support: 10%
- Lack of executive support: 25%
- Lack of support from business stakeholders: 38%
- Lack of clarity on mandate, roles and responsibilities: 25%
- Conflicting federal rules and requirements: 6%
- Lack of sufficient funding: 88%
- Lack of procurement oversight and control: 19%
- Lack of visibility and influence within the enterprise: 38%
- Lack of an information security strategy (i.e., shifting priorities)
- Inadequate availability of security professionals
- Inadequate competency of security professionals
- Lack of State sector focused laws and regulations
- Lack of documented processes
- Lack of legislative support
- Increasing sophistication of threats
- Emerging technologies
- Inadequate functionality and/or interoperability of security products
- Other: 15%
- Not applicable/do not know: 0%
5. What percentage of your department's overall IT budget is allocated to information security?
- 0%: 11%
- 1-3%: 50%
- 4-6%: 15%
- Greater than 11%: 7%
- Not applicable/do not know: 17%
50 percent of the respondents indicated that 1-3 percent of their department's overall IT budget is allocated to information security.
2. Does your enterprise provide training to employees (at least annually) to identify and report suspicious activities?
- Yes: 56%
- Yes, but only where mandated by laws/regulations: 11%
- No: 22%
- Not applicable/do not know (please describe below): 11%
56 percent of the respondents indicated that they provide training (at least annually) for employees to identify and report suspicious activities.
4. Which of the following are the top three privacy concerns to your State?
- Unauthorized access to personal information: 89%
- Managing third-party (contractors, service providers, business partners) privacy: 38%
- Intra-governmental sharing of information: 20%
- Managing individual agency privacy requirements / Web-enabled systems and services: 29%, 27%
- Aligning operational practices with policies: 33%
- Cross-border flows of personal information: 13%
- Internal privacy awareness and training: 22%
- None of the above: 2%
- Not applicable/do not know: 7%
The top three privacy concerns are unauthorized access to personal information (89 percent), followed by managing third parties (38 percent) and aligning operational practices with policies (33 percent).
1. Which statement best describes the level at which your State handles third party (contractors, service providers, business partners) security capabilities, controls & agency dependencies?
- Third-party security capabilities and controls are unknown: 23%
- Knowledge of third-party security capabilities, controls and agency dependencies are identified: 36%
- Knowledge of third-party security capabilities, controls and agency dependencies are identified and assessed: 18%
- Knowledge of third-party security capabilities, controls and agency dependencies are regularly reviewed and tested: 7%
- Not applicable/do not know: 16%
36 percent of the respondents indicated that they have identified third-party security capabilities, controls, and agency dependencies; 23 percent indicated that the third-party security capabilities and controls are unknown.
2. How confident are you in the information security practices of your third parties (contractors, service providers, business partners)?
- Not very confident: 20%
- Somewhat confident: 69%
- Very confident: 7%
- Extremely confident: 2%
- Not applicable/do not know: 2%
69 percent of the respondents indicated they are somewhat confident in the information security practices of their third parties, whereas only seven percent indicated that they are very confident in the third party information security practices.
Growing IT Security Risks in the States
- Protecting legacy systems
- Expansion of wireless networks
- Online transactions
- Use of social media platforms
- Mobile devices and services
- Use of personally-owned devices (BYOD) for state business
- Adoption of cloud services; rogue cloud users
- Consumer digital devices in the workplace
- Third-party contractors and managed services
- Business objectives
- Governance
- Acquisition strategy
- Jurisdictional issues
- Security and privacy concerns
- Policy and legal issues
- Exit strategy
- Apply existing security framework and policies
- Consumer cloud vs. industrial strength
- Test drive: start with private cloud
- 3rd party contracts protect state interests
- Enable legitimate business use
- Monitor & control unauthorized use
- Leverage FedRAMP
Today's State IT Workforce: Under Pressure
- State CIOs say % of state IT employees eligible for retirement within the next five years
- Fiscal stress: hiring freezes and elimination of vacant positions
- Nearly two-thirds say they anticipate having to reduce IT staff
- IT Security positions are difficult to recruit and retain
Source: NASCIO State IT Workforce: Under Pressure, January 2011
Challenges Recruiting IT Security Professionals
Skills and disciplines that present a challenge to fill (comparison of total percentage of responses):
- Security: 52.4%
- Project Management / App & Mobile App: 47.6%, 50.0%
- Architecture: 47.6%
- Analysis and Design: 42.9%
Source: NASCIO State IT Workforce: Under Pressure, January 2011
DHS National Cyber Security Review (NCSR): 2011 Baseline Assessment of the States
- Comprehensive risk-based survey of states and large urban areas
- Focus on 12 control areas using a maturity model approach
- Key findings: identification of capabilities and gaps
- Potential areas to focus security programs for improvements
- Tool that can be used for additional cybersecurity reviews
- Metrics for cybersecurity investment justifications
- Reports to each respondent providing best practices and recommendations to improve cybersecurity posture
What did we learn? States have major gaps in key areas.
Looking Ahead: Action Items for States
- More education and awareness of the risks
- More IT consolidation, shared services
- Consider NASCIO's Core Services Taxonomy for IT Security programs
- Outsourcing: more steering, less rowing
- IT implications of healthcare reform
- More intra-state, inter-state and federal collaboration
- Demand for performance, results
- State Centers of Excellence for cyber education & research
- Extending the enterprise: locals?
- Massive collaboration: Web 2.0
- Funded research, scholarships, internships
- Sharing best practices, recognition
NASCIO Cybersecurity Call to Action: Key Questions for State Leaders
- Have you created a culture of information security in your state government?
- Have you adopted a cybersecurity framework, based on national standards & guidelines?
- Have you acquired continuous vulnerability management capabilities?
- Have you documented the effectiveness of your cybersecurity with metrics and testing?
- Have you developed security awareness training for workers and contractors?