Cybersecurity in the States 2012: Priorities, Issues and Trends


1 Cybersecurity in the States 2012: Priorities, Issues and Trends
Commission on Maryland Cyber Security and Innovation, June 8, 2012
Pam Walker, Director of Government Affairs, National Association of State Chief Information Officers

2 About NASCIO
- National association representing state chief information officers and information technology executives from the states, territories and D.C.
- NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy.
- Founded in 1969: we're a legacy system

3 NASCIO 2012 Federal Advocacy Priorities
- More Administrative Flexibility Needed for States
- Secure and Protect Citizen Data and State Digital Assets
- Support the Adoption and Expansion of the National Information Exchange Model (NIEM)
- Support State Role in Identity Management and Verification Solutions

4 State IT Landscape Today
- Fiscal recovery uneven, slow revenue growth, budgets are better, federal deficit reduction impact?
- CIOs seeking IT operational cost savings and alternative IT sourcing strategies
- Opportunities for change and innovation
- Living with the past: modernizing the legacy
- IT security and risk! Game has changed
- IT workforce: retirement wave, skills, recruiting
- State CIO positions: major churn

5 CIO Priorities, Trends and Perspectives

6 State CIO Priorities
1. Consolidation / Optimization: consolidating infrastructure and services, centralizing
2. Budget and Cost Control: managing budget reduction, strategies for savings
3. Governance: improving IT governance, authority, data governance, partnering, collaboration
4. Health Care: Affordable Care Act, health information and insurance exchanges, architecture, partnering, implementation, technology solutions, Medicaid systems
5. Cloud Computing: governance, service management, service catalogs, platform, infrastructure, security, privacy, data ownership, legal issues, vendor management
6. Security: risk assessment, governance, budget and resource requirements; security frameworks, data protection, training and awareness, insider threats, third party security
7. Broadband and Connectivity: strengthening statewide connectivity, public safety wireless network/interoperability, implementing BTOP grant
8. Shared Services: business models, sharing resources, services, infrastructure, independent of organizational structure, service portfolio management
9. Portal: maturing state portal, e-government, single view of the customer/citizen, emphasis on citizen interactive self-service, mobile apps, accessibility
10. Mobile Services/Mobility: devices, applications, workforce, security, policy issues, support, ownership, communications, wireless infrastructure
Source: NASCIO State CIO Survey, October 2011

7 Cybersecurity in the States
- Critical infrastructure protection
- More aggressive threats: organized crime, unorganized crime, hacktivism
- Spam, phishing, hacking, and network probes up
- Data breaches: trust impact
- Insider threats, third party
- Executive support
- Inadequate funding
- Need more training, awareness

8 State governments at risk: A call to secure citizen data and inspire public trust

9 Survey Results
Deloitte and NASCIO issued the 2010 report of a national survey of state government cybersecurity, focused on these key areas: information security governance, investments, use of security technologies, quality of operations, privacy, and identity and access management. 49 states responded to the survey.

10 Governance The Enterprise CISO position is firmly established in the majority of states. To be successful, CISOs must continue to evolve this position to garner enterprise visibility, authority, executive support and business involvement.

11 1. To whom does your State's CISO, or equivalent responsible for information security, report?
- Secretary/Department head: 8%
- General Counsel/Legal: 0%
- Chief Information Officer (CIO), State IT Director or equivalent: 76%
- Chief Financial Officer (CFO): 0%
- Chief Security Officer (CSO): 4%
- Homeland Security Director/Adviser: 0%
- Internal Audit: 0%
- Other: 16%
- Not applicable/do not know: 4%
76 percent of the respondents indicated that their State CISO reports to the Chief Information Officer (CIO) or State IT Director.

12 2. Which functions are within the scope of the CISO or equivalent official?
- Information Security (IS) strategy and planning (96%)
- IS budgeting
- IS program measurement and reporting
- IS governance (architecture, policies, standards) (92%)
- IS compliance and monitoring
- IS risk assessment and management (82%)
- Incident management (94%)
- Network security and perimeter defense
- Technical infrastructure security
- User administration
- Identity and access management
- Vulnerability management
- IS monitoring
- IS communications, awareness and training (88%)
- Outsourced security functions
- Background checks
- Investigations and forensics
- Fraud management
- Disaster recovery planning
- Business continuity management
- Physical security
- Other
- Not applicable/do not know
The top five functions of the CISO are: Information Security (IS) Strategy and Planning (96 percent), Incident Management (94 percent), IS Governance (92 percent), IS Communication (88 percent) and IS Risk Assessment (82 percent).

13 1. Does your State (or agency) have a documented and approved governance for information security (i.e. defined responsibilities, policies and procedures)?
- Documented and approved: 65%
- Documented but not approved: 6%
- Intend to have one documented and approved within the next 12 months; No: 10%, 12%
- Not applicable/do not know (please describe below): 6%
65 percent of the respondents indicated that they have a documented and approved governance for information security.

14 6. Does your State (or agency) actively engage both business stakeholders and technology decision makers in identifying requirements for the State's information security strategy?
- Lines of business decision makers only: 2%
- Technology decision makers only: 21%
- Both lines of business and technology decision makers: 71%
- Neither lines of business nor technology decision makers: 4%
- Not applicable/do not know (please describe below): 2%
71 percent of the respondents indicated that they engage both lines of business and technology decision makers to identify the State's information security strategy.

15 3. Which of the following best describes the state of senior executive support (Governor's Office or CIO) for security projects to effectively address regulatory or legal requirements?
- Commitment and adequate funding: 14%
- Commitment but inadequate funding: 55%
- No commitment but provide funds: 4%
- No commitment or funds; Not applicable/do not know: 12%, 14%
55 percent of the respondents indicated that they receive commitment from the senior executives but lack adequate funding for security projects to effectively address regulatory or legal requirements.

16 2. Which statement best represents how you measure and demonstrate the value and effectiveness of your information security organization's activities?
- We have established metrics that have been aligned to business value and report on a scheduled basis: 13%
- We are working on establishing metrics and aligning them to business value: 25%
- We have established metrics that are technical but not well understood by functions outside of information security: 31%
- Little, if any, measurement is undertaken: 23%
- We do not measure: 4%
- Not applicable/do not know: 4%
31 percent of the respondents indicated that they measure and demonstrate the value of their enterprise information security activities using technical metrics that are not well understood by functions outside of information security.

17 3. How effective are applicable Federal and State regulatory security requirements at improving information security posture and at reducing data breach risks in your State (or agency)?
- Very effective: 4%
- Somewhat effective: 81%
- Not effective: 13%
- Not applicable/do not know: 2%
81 percent of the respondents indicated that the Federal and State regulatory security requirements are somewhat effective in improving the state's information security posture.

18 1. What are your State's top five (5) security initiatives for 2010?
- Information security strategy; Information security governance (e.g., roles, reporting): 27%, 29%
- Aligning information security initiatives with those of the business: 21%
- Information security risk assessments: 58%
- Data protection: 60%
- Operationalizing information security: 15%
- Information security measurement and reporting: 42%
- Information security talent management: 4%
- Information security training and awareness: 54%
- Information security regulatory and legislative compliance: 21%
- Security infrastructure improvement: 33%
- Application security: 42%
- Identity and access management: 19%
- Security related to technology advancements: 19%
- Information security compliance (e.g., internal / external audit): 29%
- Managing insider threats: 4%
- Managing or outsourcing of security services; Disaster recovery; Business continuity; Other (please specify below): 10%, 8%, 6%, 4%
- Not applicable/do not know (please describe below): 0%
The respondents indicated that their top five security initiatives for 2010 are data protection (60 percent), information security risk assessments (58 percent), information security training and awareness (54 percent), application security (42 percent) and information security measurement and reporting (42 percent).

19 What are your State's top five IT security initiatives?
1. Data Protection
2. Information Security Risk Assessments
3. Information Security Training and Awareness
4. Application Security
5. Information Security Measurement and Reporting

20 2. What major barriers does your State face in addressing information security?
- Lack of management support: 10%
- Lack of executive support: 25%
- Lack of support from business stakeholders: 38%
- Lack of clarity on mandate, roles and responsibilities: 25%
- Conflicting federal rules and requirements: 6%
- Lack of sufficient funding: 88%
- Lack of procurement oversight and control: 19%
- Lack of visibility and influence within the enterprise: 38%
- Lack of an information security strategy (i.e., shifting priorities)
- Inadequate availability of security professionals
- Inadequate competency of security professionals
- Lack of State sector focused laws and regulations
- Lack of documented processes
- Lack of legislative support
- Increasing sophistication of threats
- Emerging technologies
- Inadequate functionality and/or interoperability of security tools
(Values for the nine items above, as extracted from the chart: 15%, 13%, 10%, 17%, 23%, 21%, 23%, 40%, 56%)
- Other: 15%
- Not applicable/do not know: 0%

21 5. What percentage of your department's overall IT budget is allocated to information security?
- 0%: 11%
- 1-3%: 50%
- 4-6%: 15%
- Greater than 11%: 7%
- Not applicable/do not know: 17%
50 percent of the respondents indicated that 1-3 percent of their department's overall IT budget is allocated to information security.

22 2. Does your enterprise provide training to employees (at least annually) to identify and report suspicious activities?
- Yes: 56%
- Yes, but only where mandated by laws/regulations: 11%
- No: 22%
- Not applicable/do not know (please describe below): 11%
56 percent of the respondents indicated that they provide training (at least annually) for employees to identify and report suspicious activities.

23 4. Which of the following are the top three privacy concerns to your State?
- Unauthorized access to personal information: 89%
- Managing third-party (contractors, service providers, business partners) privacy: 38%
- Intra-governmental sharing of information: 20%
- Managing individual agency privacy requirements; Web-enabled systems and services: 29%, 27%
- Aligning operational practices with policies: 33%
- Cross-border flows of personal information: 13%
- Internal privacy awareness and training: 22%
- None of the above: 2%
- Not applicable/do not know: 7%
The top three privacy concerns are unauthorized access to personal information (89 percent), followed by managing third parties (38 percent) and aligning operational practices with policies (33 percent).

24 1. Which statement best describes the level at which your State handles third party (contractors, service providers, business partners) security capabilities, controls and agency dependencies?
- Third-party security capabilities and controls are unknown: 23%
- Third-party security capabilities, controls and agency dependencies are identified: 36%
- Third-party security capabilities, controls and agency dependencies are identified and assessed: 18%
- Third-party security capabilities, controls and agency dependencies are regularly reviewed and tested: 7%
- Not applicable/do not know: 16%
36 percent of the respondents indicated that they have identified third-party security capabilities, controls and agency dependencies; 23 percent indicated that third-party security capabilities and controls are unknown.

25 2. How confident are you in the information security practices of your third parties (contractors, service providers, business partners)?
- Not very confident: 20%
- Somewhat confident: 69%
- Very confident: 7%
- Extremely confident: 2%
- Not applicable/do not know: 2%
69 percent of the respondents indicated they are somewhat confident in the information security practices of their third parties, whereas only seven percent indicated that they are very confident in those practices.

26 Growing IT Security Risks in the States
- Protecting legacy systems
- Expansion of wireless networks
- Online transactions
- Use of social media platforms
- Mobile devices and services
- Use of personally-owned devices (BYOD) for state business
- Adoption of cloud services; rogue cloud users
- Consumer digital devices in the workplace
- Third-party contractors and managed services

27
- Business objectives
- Governance
- Acquisition strategy
- Jurisdictional issues
- Security and privacy concerns
- Policy and legal issues
- Exit strategy

28
- Apply existing security framework and policies
- Consumer cloud vs. industrial strength
- Test drive: start with private cloud
- 3rd party contracts protect state interests
- Enable legitimate business use
- Monitor & control unauthorized use
- Leverage FedRAMP

29 Today's State IT Workforce: Under Pressure
- State CIOs say % of state IT employees eligible for retirement within the next five years
- Fiscal stress: hiring freezes and elimination of vacant positions
- Nearly two-thirds say they anticipate having to reduce IT staff
- IT Security positions are difficult to recruit and retain
Source: NASCIO State IT Workforce: Under Pressure, January 2011

30 Challenges Recruiting IT Security Professionals
Skills and disciplines that present a challenge to fill (comparison of total percentage of responses):
- Security: 52.4%
- Project Management; App & Mobile App: 47.6%, 50.0%
- Architecture: 47.6%
- Analysis and Design: 42.9%
Source: NASCIO State IT Workforce: Under Pressure, January 2011

31 DHS Nationwide Cyber Security Review (NCSR): 2011 Baseline Assessment of the States
- Comprehensive risk-based survey of states and large urban areas
- Focus on 12 control areas using a maturity model approach
- Key findings: identification of capabilities and gaps
- Potential areas to focus security programs for improvements
- Tool that can be used for additional cybersecurity reviews
- Metrics for cybersecurity investment justifications
- Reports to each respondent providing best practices and recommendations to improve cybersecurity posture
What did we learn? States have major gaps in key areas

32 Looking Ahead: Action Items for States
- More education and awareness of the risks
- More IT consolidation, shared services
- Consider NASCIO's Core Services Taxonomy for IT Security programs
- Outsourcing: more steering, less rowing
- IT implications of healthcare reform
- More intra-state, inter-state and federal collaboration
- Demand for performance, results
- State Centers of Excellence for cyber education & research
- Extending the enterprise: locals?
- Massive collaboration: Web 2.0
- Funded research, scholarships, internships
- Sharing best practices, recognition

33 NASCIO Cybersecurity Call to Action: Key Questions for State Leaders
- Have you created a culture of information security in your state government?
- Have you adopted a cybersecurity framework, based on national standards & guidelines?
- Have you acquired continuous vulnerability management capabilities?
- Have you documented the effectiveness of your cybersecurity with metrics and testing?
- Have you developed security awareness training for workers and contractors?

34 Connect with... nascio.org facebook.com linkedin.com youtube.com/nasciomedia twitter.com/nascio


Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012 Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives Initiation date: January 2012 Completion date: June 2012 Nomination submitted by: Samuel A. Nixon

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Chairman Johnson, Ranking Member Carper, and Members of the committee:

Chairman Johnson, Ranking Member Carper, and Members of the committee: UNITED STATES OFFICE OF PERSONNEL MANAGEMENT STATEMENT OF THE HONORABLE KATHERINE ARCHULETA DIRECTOR U.S. OFFICE OF PERSONNEL MANAGEMENT before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

Agency for State Technology

Agency for State Technology Agency for State Technology 2015-2018 Statewide Information Technology Security Plan The Way Forward Rick Scott, Governor Jason M. Allison, State CIO Table of Contents From the Desk of the State Chief

More information

Cyber and Data Risk What Keeps You Up at Night?

Cyber and Data Risk What Keeps You Up at Night? Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014 Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

National Initiative for Cyber Security Education

National Initiative for Cyber Security Education 2014/PPWE/SEM2/007 Agenda Item: 5 National Initiative for Cyber Security Education Submitted by: United States Women Business and Smart Technology Seminar Beijing, China 23 May 2014 NICE OVERVIEW Women

More information

BOARD OF GOVERNORS MEETING JUNE 25, 2014

BOARD OF GOVERNORS MEETING JUNE 25, 2014 CYBER RISK UPDATE BOARD OF GOVERNORS MEETING JUNE 25, 2014 EXECUTIVE SUMMARY Cyber risk has become a major threat to organizations around the world, as highlighted in several well-publicized data breaches

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

Office of the Chief Information Officer

Office of the Chief Information Officer Office of the Chief Information Officer Business Plan: 2012 2015 Department / Ministère: Executive Council Date: November 15, 2012 1 P a g e This Page Left Intentionally Blank 2 P a g e Contents The Business

More information

NASCIO 2014 State IT Recognition Awards

NASCIO 2014 State IT Recognition Awards NASCIO 2014 State IT Recognition Awards Project: California Cybersecurity Task Force Category: Cybersecurity Initiatives Project Initiation Date: September, 2012 Project Completion Date: May 2013 Carlos

More information

Governmental Oversight and Accountability Committee

Governmental Oversight and Accountability Committee The Florida Senate BILL ANALYSIS AND FISCAL IMPACT STATEMENT (This document is based on the provisions contained in the legislation as of the latest date listed below.) Prepared By: The Professional Staff

More information

A Pulse on Virtualization & Cloud Computing

A Pulse on Virtualization & Cloud Computing A Pulse on Virtualization & Cloud Computing Prepared for Quest Software by Norwich University, School of Graduate and Continuing Studies April 2011 2010 Quest Software, Inc. ALL RIGHTS RESERVED Table of

More information

2014 Deloitte-NASCIO Cybersecurity Study State governments at risk: Time to move forward

2014 Deloitte-NASCIO Cybersecurity Study State governments at risk: Time to move forward 2014 Deloitte-NASCIO Cybersecurity Study State governments at risk: Time to move forward A publication of Deloitte and the National Association of State Chief Information Officers (NASCIO) Contents Message

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

CYBER SECURITY GUIDANCE

CYBER SECURITY GUIDANCE CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires

More information

All Eyes: A Security Breach Exercise. Disaster Recovery/Security and Business Continuity Readiness

All Eyes: A Security Breach Exercise. Disaster Recovery/Security and Business Continuity Readiness All Eyes: A Security Breach Exercise Disaster Recovery/Security and Business Continuity Readiness Commonwealth of Pennsylvania Molly Dougherty, Director Continuity of Government and Records Information

More information

Leveraging MITA to Implement Service Oriented Architecture and Enterprise Data Management. Category: Cross Boundary Collaboration

Leveraging MITA to Implement Service Oriented Architecture and Enterprise Data Management. Category: Cross Boundary Collaboration Leveraging MITA to Implement Service Oriented Architecture and Enterprise Data Management Category: Cross Boundary Collaboration Initiation date: August 2011 Completion date: October 2013 Nomination submitted

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

Address C-level Cybersecurity issues to enable and secure Digital transformation

Address C-level Cybersecurity issues to enable and secure Digital transformation Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,

More information

OFFICE OF ENTERPRISE TECHNOLOGY SERVICES QUARTERLY REPORT ON

OFFICE OF ENTERPRISE TECHNOLOGY SERVICES QUARTERLY REPORT ON OFFICE OF ENTERPRISE TECHNOLOGY SERVICES QUARTERLY REPORT ON PERIODIC INFORMATION SECURITY AND PENETRATION AUDITS OF THE EXECUTIVE BRANCH INFORMATION TECHNOLOGY SYSTEMS APRIL 1, 2016 SUBMITTED TO THE TWENTY-EIGHTH

More information

GAO ELECTRONIC GOVERNMENT ACT. Agencies Have Implemented Most Provisions, but Key Areas of Attention Remain

GAO ELECTRONIC GOVERNMENT ACT. Agencies Have Implemented Most Provisions, but Key Areas of Attention Remain GAO United States Government Accountability Office Report to the Committee on Homeland Security and Governmental Affairs, U.S. Senate September 2012 ELECTRONIC GOVERNMENT ACT Agencies Have Implemented

More information

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Before the U.S. House Oversight and Government Reform Committee Hearing on Agency Compliance with the Federal Information

More information

GOVERNMENT USE OF MOBILE TECHNOLOGY

GOVERNMENT USE OF MOBILE TECHNOLOGY GOVERNMENT USE OF MOBILE TECHNOLOGY Barriers, Opportunities, and Gap Analysis DECEMBER 2012 Product of the Digital Services Advisory Group and Federal Chief Information Officers Council Contents Introduction...

More information

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Certified Identity and Access Manager (CIAM) Overview & Curriculum Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management

More information

STATEMENT OF CHARLES EDWARDS DEPUTY INSPECTOR GENERAL U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

STATEMENT OF CHARLES EDWARDS DEPUTY INSPECTOR GENERAL U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE STATEMENT OF CHARLES EDWARDS DEPUTY INSPECTOR GENERAL U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON HOMELAND SECURITY SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY U.S. HOUSE OF REPRESENTATIVES

More information

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security. Deputy Chief Financial Officer Peggy Sherry And Chief Information Security Officer Robert West U.S. Department of Homeland Security Testimony Before the Subcommittee on Government Organization, Efficiency

More information

Priority III: A National Cyberspace Security Awareness and Training Program

Priority III: A National Cyberspace Security Awareness and Training Program Priority III: A National Cyberspace Security Awareness and Training Program Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.

More information

Defending against modern cyber threats

Defending against modern cyber threats Defending against modern cyber threats Protecting Critical Assets October 2011 Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Agenda 1. The seriousness of today s situation

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

CIO-SP3 Service areas NIH Chief Information Officers-Solutions & Partners

CIO-SP3 Service areas NIH Chief Information Officers-Solutions & Partners CIO-SP3 Service areas NIH Chief Information Officers-Solutions & Partners PwC Contents Page 1 IT Services for Biomedical Research and Healthcare 2 Chief Information Officer (CIO) Support 3 5 3 Imaging

More information

Information Security Program CHARTER

Information Security Program CHARTER State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information

More information

The Heart of the Matter:

The Heart of the Matter: The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs NASCIO Staff Contact: Charles Robb Senior Policy Analyst NASCIO NASCIO represents state chief information officers and information

More information

Seamus Reilly Director EY Information Security sreilly@uk.ey.com 0207 951 3179 Cyber Security

Seamus Reilly Director EY Information Security sreilly@uk.ey.com 0207 951 3179 Cyber Security Seamus Reilly Director EY Information Security sreilly@uk.ey.com 0207 951 3179 Cyber Security An Internal Audit perspective on the threats and responses within the Retail Sector 15 th May 2014 Agenda Introductions

More information

CYBER SECURITY, A GROWING CIO PRIORITY

CYBER SECURITY, A GROWING CIO PRIORITY www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------

More information

State of Information Security

State of Information Security State of Information Security Second Annual Assessment Study 2013 Table of Contents: Synopsis and Methodology _ page 2 A Snapshot of Participants _ page 2 Survey Findings _ page 5 Final Thoughts _ page

More information

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015 Breaking Down the Silos: A 21st Century Approach to Information Governance May 2015 Introduction With the spotlight on data breaches and privacy, organizations are increasing their focus on information

More information

Internal audit value optimization for insurance organizations

Internal audit value optimization for insurance organizations Internal audit value optimization for insurance organizations Webinar May 13, 2015 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

More information

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security

More information

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014 NARA s Information Security Program OIG Audit Report No. 15-01 October 27, 2014 Table of Contents Executive Summary... 3 Background... 4 Objectives, Scope, Methodology... 7 Audit Results... 8 Appendix

More information

Access Health CT: Connecticut s Health Insurance Marketplace

Access Health CT: Connecticut s Health Insurance Marketplace Access Health CT: Connecticut s Health Insurance Marketplace NASCIO 2014 State IT Recognition Awards Category: Digital Government: Government to Citizen Contact: Mark Raymond State of Connecticut Chief

More information

Security Metrics to Manage Change: Which Matter, Which Can Be Measured?

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:

More information

2012 Deloitte-NASCIO Cybersecurity Study State governments at risk: a call for collaboration and compliance

2012 Deloitte-NASCIO Cybersecurity Study State governments at risk: a call for collaboration and compliance 2012 Deloitte-NASCIO Cybersecurity Study State governments at risk: a call for collaboration and compliance A publication of Deloitte and the National Association of State Chief Information Officers Contents

More information

Some thoughts about cloud computing risks. Andris Soroka 28 th of January, 2015 Riga, Latvia

Some thoughts about cloud computing risks. Andris Soroka 28 th of January, 2015 Riga, Latvia Some thoughts about cloud computing risks Andris Soroka 28 th of January, 2015 Riga, Latvia Role of DSS in Cyber-security Development in Baltics Cyber-Security Awareness Raising Technology and knowledge

More information

Department of Human Resources

Department of Human Resources Workforce Services Workforce Policy and Planning Department Management/ Human Resource Information Systems Employee Relations Employment Compensation and Workforce Analysis Employee Benefits Organizational

More information

Don t Get Left in the Dust: How to Evolve from CISO to CIRO

Don t Get Left in the Dust: How to Evolve from CISO to CIRO SESSION ID: CXO-W04 Don t Get Left in the Dust: How to Evolve from CISO to CIRO JC-JC James Christiansen VP Information Risk Management Accuvant jchristiansen@accuvant.com Bradley J. Schaufenbuel, CISSP

More information

How To Use Cloud Computing For Federal Agencies

How To Use Cloud Computing For Federal Agencies Cloud Computing Briefing Scott Renda Office of Management and Budget www.whitehouse.gov/omb/egov Cloud Computing Basics Style of computing Cloud Computing: What Does it Mean? Close public/private sector

More information

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy 2015 Michigan NASCIO Award Nomination Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy Sponsor: David Behen, DTMB Director and Chief Information Officer Program Manager: Rod Davenport,

More information

2008 NASCIO Award Submission. Utilizing PCI Compliance to Improve Enterprise Risk Management

2008 NASCIO Award Submission. Utilizing PCI Compliance to Improve Enterprise Risk Management Section A Cover Page 2008 NASCIO Award Submission Utilizing PCI Compliance to Improve Enterprise Risk Management Information Security and Privacy Michigan Section B - Executive Summary Michigan has implemented

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

RETHINKING CYBER SECURITY Changing the Business Conversation

RETHINKING CYBER SECURITY Changing the Business Conversation RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1 1. Historical Review Agenda 2.

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information