Hawaii s Phased Plan for Alignment and Implementa7on of NGA s A Call to Ac-on for Cybersecurity

Transcription

1 Hawaii s Phased Plan for Alignment and Implementa7on of NGA s A Call to Ac-on for Cybersecurity Sanjeev Sonny Bhagowalia Governor s Chief Advisor on Technology and Cybersecurity State of Hawaii 11

2 Defini7on: The Expanding Remit of Security Focus of CIO Effort Remit = Responsibility Information Security IT Security OT Security Physical Security IoT Security Offensive AND Defensive Cybersecurity Source: Top Security Trends and Takeaways for 2014, C. Byrnes, Gartner 2

3 Context: Government IT Security is Approximately 10% of Government IT Spend, Which is less than 1% of Government Spend, Which is 38.9% of US GDP Federal IT Spend = $ 80 B State/Local IT Spend = $ 40 B IT Security Forecast (Spending $ B) (Federal Only) IT Security Forecast (Spending $ B) Source: h]p:// (source: World Bank) Source: h]p:// Source: h]ps:// INPUT The Federal Government will spend $ 11.7 Billion in securing its computers against hackers and other Cybersecurity threats (about 10% of overall budget). With the number and complexity of cybera]acks on the rise, government analyst Input (now Deltek) predicted that government Cybersecurity spending will increase to $ 11.7 B in 2014, a compound annual growth rate of 8.1% Do We Spend Enough in IT and IT Security in the Nacon? Are You Spending Enough in the Informacon Age? 3

4 State Governments at Risk A Call to Ac7on % Topic Area % Topic Area 92 State officials feel that Cybersecurity is very important to the State 50 CISOs manage a team of 1-5 Cybersecurity professionals only 14 CISO s feel they receive appropriate execucve commitment and adequate funding for cybersecurity 24 CISO s feel very confident in proteccng state assets against external threats 32 CISO s feel that staff have the required Cybersecurity competency 86 CISOs indicate lack of sufficient funding is key barrier to address cybersecurity 70 CISOs have reported a breach 82 CISOs feel phishing: and pharming as their top Cybersecurity threat Cybersecurity Challenges concnue in 2012 amidst escalacng threats An urgent call to execute on a robust cybersecurity strategy, with strong governance and compliance monitoring measures Comparing State Government and Global Financial Services Industry (GFSI) responses Security budget has increased 14% >60% Year- over- Year trending (reporcng an increase of 1-5%) 4% 39% Dedicated security professionals 50% have 1-5 FTEs 47% have > 100 FTEs Source: h]p:// NASCIOCybersecurityStudy2012.pdf 4

5 The State of Hawaiʻi [Government] Crossroads of the Pacific An Emerging Asia- Pacific Region in the 21st Century Budget $ 70 B GDP [$11 B State (~30% Federal)] People 1.4 M residents [41K State Gov t employees] Organiza7on Execucve Branch = 18 Departments, 108 A]ached Agencies, and 162 Boards/Commissions Four Main County Governments Business 35 Lines of Business [includes Public Safety] 220 Business Services; 100 s of Manual, Silo, Paper Processes Technology Legacy IT was up to 30+ years old and Fragmented No interoperability, No Disaster Recovery etc. Business and IT/IRM Transforma7on Plan Underway Fed 100 Award- Winner; Numerous Other Awards 5

6 Hawaii s IA/IT Security and CyberSecurity Approach (No7onal) EO 13636** ü GROWING A ü ü SUSTAINABLE ECONOMY INVESTING IN PEOPLE TRANSFORMING GOVERNMENT ***NIST CyberFramework ü REENGINEER BUSINESS ü MODERNIZE TECHNOLOGY ü INFRASTRUCTURE IMPROVE TRANSPARENCY/ ACCOUNTABILITY Completed Underway ü STATEWIDE CYBER PLAN ü SECURITY OPERATIONS CENTER ü MAPPING TO NATIONAL ü CYBERSECURITY FRAMEWORK AND NGA CALL TO ACTION LINKAGE TO FEDERAL AND STATE CYBER EFFORTS 6

7 #1 Establish a Governance and Authority Structure for Cybersecurity Current State (Execu7ve Branch Only) Overall State Transforma7on Plan Completed Baseline Assessment (As- Is) Business and IT/IRM Transformacon Plan (To- Be; T&S Plan) 2012 State IA assessed & Benchmarked against state peer and due diligence standard Centralized Authority with Federated Governance Ini7ated State CIO responsible for Informacon Assurance (IA)/IT Security [State Law] State CIO Chairs CIO Council (comprised of 18 CIOs of Cabinet Departments) and Informacon Privacy and Security Council (IPSC) for all Security Ma]ers Each Agency assigns a DP Coordinator and adheres to enterprise policies Legislature, Judiciary and County CIOs invited to parccipate in CIO Council and IPSC IA Enterprise Policies/Procedures are in Forma7ve Phase IT polices and processes being developed in Working Groups Alignment with NIST Framework and NGA Call to Ac7on Begun Assessing alignment with NIST Cybersecurity Framework/NGA Call to Accon Opportunity: Improve Integracon of Resources and with Cybersecurity Program 7

8 Roles, Responsibility and Authority of Key Cybersecurity Stakeholders (No7onal) Category Stakeholders Key State Leaders Federal Government State Government Defense, Intelligence Community, Law Enforcement/ Juscce, Civilian Agencies Execu7ve, Judiciary, Legislacve Local Government Four Major Counces I/F Tribal Government Office of Hawaiian Affairs (OHA) I/F Industry All Academia University I/F Public Ciczens, Residents, Visitors CATC CIO TAG AG I/F E E E Cybersecurity Noconal Goal: A Neighborhood Watch Program - A Unity of Purpose and Aloha with Urgency A (Cyber)A]ack on one is a (Cyber)A]ack on us all Think Global/Act Local 8

9 #2 Risk Assessments and Allocate Resources Accordingly Current State (Execu7ve Branch Only) Overall State Transforma7on Plan Completed Baseline Assessment (As- Is) Business and IT/IRM Transformacon Plan (To- Be; T&S Plan) 2012 State IA assessed against 17 categories with Benchmarking against state peer and due diligence standard [60 Projects Iden-fied] Pilot Projects Five Pilot Projects Completed (e.g., Security Operacons Center) Leveraging US Department of Homeland Security Programs Cyber hygiene Assessment; Cyber Resilience Assessment Services MS- ISAC Alignment with NIST Framework and NGA Call to Ac7on Begun Assessing alignment with NIST Cybersecurity Framework/NGA Call to Accon with Threat Assessments Discussing How to Leverage HI Assets Naconal Guard Cyber Warriors University Cyber Range Contract Resources [e.g., On- Island expercse; Read- only Vendor SOCs] Opportunity: Improve Use/Allocacon of Resources, Programs across Departments 9

10 State of Hawaii Cybersecurity Plan (Phased Approach) The State of Hawaii (Governor s Chief Advisor and CIO) has inicated an Assessment of the Execucve Branch Cyber security readiness and develop a roadmap to allocate resources accordingly in order to align with the Call to Ac*on for Governors for Cybersecurity. The Planned complecon for this phase is Four (4) months. The assessment objeccves include: Alignment of the State Cyber security approach with the Naconal Cybersecurity Framework Idencficacon of known and prioriczed Security and Privacy Threats Preliminary assessment of Hawaii's Preparedness against Threats Development of a Roadmap to address security gaps idencfied in the assessment Establish the Framework Conduct Gap Analysis Prepare Roadmap Iden7fy Future Audit Requirements Map all current security projects against the NIST Cyber Security Framework Idencfy gaps in the security projects vs. the NIST Cyber Security Framework Prioricze the gaps per the threat landscape Lay out a plan for new required security projects to close the gaps in the states compliance to the NIST Cyber Security Framework Lay out a plan for subsequent/future audits for other already- deployed controls and for scll- to- be- deployed controls 10

11 #3 Implement Continuous Vulnerability Assessments and Threat Mitigation Practices Current State (Execu7ve Branch Only) Founda7onal Security Opera7ons Center (SOC) Established ü Thousands of Security events daily are analyzed and correlated for alercng and/or accon spanning thousands of desktops and servers ü Incident response team monitors and responds to threats and a]acks on our network and agency applicacons 8X5 ü Data Loss Prevencon (DLP) protects against data leakage along with a Suite of Tools Leveraging Federal Government Exper7se ü Adopcon of some free Managed Security Services from CIS/MS- ISAC ü Informing LE/IC of incidents, anomalies or threats Sharing Informa7on with State Government or through Vendor Exper7se ü Adaptacon of threat counter- measures and configuracons learnt from other States Opportuni7es: Improve use of Fragmented Resources across Departments Improve Training/Educacon/Knowledge Base Improve Applicacon- Level scanning Improve Digital Forensics capability Improve Lifecycle IRM/SDLC Processes 11

12 #4 Ensuring Compliance with Current Security Methodologies & Business Disciplines Current State (Execu7ve Branch Only) Security methodologies Enterprise Security Architecture (High- Level) with Suite of Tools (e.g., DLP) for all users in the Enterprise. Enterprise Open Gov, Mobile, Portal and Public- Facing Websites Outsourced Enterprise Data Center Study Complete RFP to be released Enterprise Networking Stabilized (99.9%) with 10 G/1G Backbone Enterprise Compucng Established with 1000X Increase (Private Cloud) Business disciplines ERP RFP Award Forthcoming (Security Built- in Requirements as- a- service) Tax RFP Released Security Built- in Requirements as- a- service) Health IT (Architecture established; Medicaid and Connector FISMA-, Privacy Act- and FTI- Compliant) BPR/Legacy Apps are relacve secure (due to major age of technology) Opportuni7es: Improve Monitoring of Staff for compliance Improve Security Awareness Training Improve IT Policies, Processes and Acquisicon/Supply Chain Security Improve Trusted Idencty in Cyberspace 12

13 5. #5 Creating a Culture of Risk Awareness Current State (Execu7ve Branch Only) Raising Security Awareness CIO Role as Operaconal Security Authority in Execucve Branch (State Law); TAG Role as Operaconal CyberSecurity Authority for Hawaii Criccal Infrastructure (Federal) Demonstracon/Briefings for Execucve Branch Leadership and Legislature in the SOC Regular Security Bullecns to all DP Coordinators through SOC Annual Parccipacon in Cyber Security Awareness Month (Governors Proclamacon) Informacon Exchange and Partnerships with External Encces ü US Government (MS- ISAC, US- CERT, FBI, DHS, State Fusion Centers; IC/DOD) ü State Government (Legislature, Judiciary) ü Local Government (Counces) ü Tribal Government (Nacve Hawaiian OHA) ü Industry (Read- only Monitoring with Vendors) Cabinet Meecngs, Nocficacons from Department Heads to End Users (e.g., BYOD) CIO Council, IPSC, IT Steering Commi]ees (Run by CIO) Opportuni7es: Improve Awareness Training for Employees, End Users and Technical Staff (e.g. Developers) Improve Amount of Access to Sensicve Federal Informacon for Cleared Employees Improve Parccipacon in Federal/State/Local/Tribal Cyber Exercises Improve Transparency and Accountability in a Security Se ng (e.g., Risk Dashboards) 13

14 Mission: Connec7ng Hawaii to the World with People and Technology USA Mainland A L O H A Emerging Asia- Pacific Region Goal: CyberSecurity Hub/Center Of Excellence M A H A L O 14