State of Oregon


Table of Contents
1. Introduction
2. Information Asset Management
3. Communication Operations
   3.3 Workstation Management
   3.9 Log Management
4. Information Systems Acquisition, Development and Maintenance
   4.4 Encryption
   4.8 Information Systems Development Life Cycle

1. Introduction
The Department of Administrative Services (DAS) has established Statewide Information Security Standards for information systems security. To facilitate agency compliance with the information security standards, DAS hosted a security workshop for agency participation in the development of technical roadmaps.

Scope
The security workshop roadmap discussions were on selected information security standards. The information security standards which were discussed, and for which roadmaps were developed with active agency participation, include:
- Standard 1.5 Audit of Access Control
- Standard 2.1 Protection of Information Assets
- Standard 3.3 Workstation Management and Desktop Security
- Standard 3.9 Log Management
- Standard 4.4 Encryption
- Standard 4.6 Patch Management
- Standard 4.8 Information System Life Cycle

Considering the dependencies among the different standards:
- Standard 1.5 Audit of Access Control and Standard 3.9 Log Management tracks have been combined into one roadmap.
- Standard 4.6 Patch Management and Standard 3.3 Workstation Management and Desktop Security have been combined into one roadmap.

The following roadmaps have been developed based on discussions with the agency participants, interdependencies, and the work steps required for compliance with the individual standards.

Recommendations:
- As agencies experience reduced funding and resources, it may be appropriate to evaluate using some enterprise DAS services (workstation management, log management, encryption, patch management, etc.).
- DAS facilitates agency discussions on sharing compliance strategies.
- DAS facilitates agency discussions on enterprise master contracts for security tools (encryption, log management, etc.).

2. Information Asset Management

2.1 Management Roadmap
(Timeline shown on the diagram: 7 weeks; 10 weeks; dependent upon agency; ongoing.)
- Develop project plan for implementation of Information Security Standard 2.1
- Develop design/architecture documentation
- Rollout plan for implementation
- Phased rollout
- Audit and assessment

2.2 Prerequisites
Information Asset Classification: agencies need to be compliant with the Statewide Information Asset Classification (IAC) policy (effective 7/30/2007), whose purpose is to ensure State of Oregon information assets are identified, properly classified, and protected throughout their lifecycles.
- A plan for identifying, classifying and protecting information assets needs to be in place.
- All information should have been identified, classified, and ownership defined.
A log management process and solution needs to be in place to achieve compliance with the Standard 2.1 Protection of Information Assets deployment.
An established Encryption Management capability, including key management, needs to be in place.
Assumes project management structures are in place.

2.3 Technical Roadmap: Information Asset Management, 2.1 Protection of Information Assets
(Roadmap diagram, transcribed as activity lists by phase. Durations shown on the diagram: 2 weeks, 3 weeks and 2 weeks in Planning; 7 weeks and 3 weeks across Design and Deploy; 2 weeks in Ongoing. Throughout this document, […] marks a standard or policy number that was not captured in the transcription.)

Planning:
- Review current policies for compliance with IAC
- Conduct a risk assessment to identify and assess risk to all information systems
- Develop a prioritization based on system risk

Design:
- Perform a gap analysis of current access provisioning, access management and logging systems on information systems based on ISO […], and develop architectural designs
- Develop a rollout plan, phased based on the risk profile of information systems

Deploy:
- Implement or configure access control on all systems
- Achieve compliance with […] and […]
- Develop a process for disposal of information systems in compliance with Policy# […]

Ongoing:
- Develop audit and assessment plan
- Achieve compliance with […] and […]
- Develop continuous monitoring and alerting capability (dependent on agency compliance with Standards 4.4 Encryption and 3.9 Log Management)

2.4 Technical Roadmap Major Work Streams
The following table articulates the major activities per work stream. Furthermore, it provides an estimate of the overall time to complete each task and the phase (illustrated in the roadmap) in which the activities should be performed.

Phase: Planning (duration: 3 weeks)
Key activities:
- Develop the project charter for the Protection of Information Assets, which defines the mission, vision and scope, and obtain approval.
- Review current agency policies for compliance with the Information Asset Classification statewide policy (effective 7/30/2007).
- Conduct a risk assessment to identify and assess risk to all information systems.
  - Assessment of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization.

Phase: Design (duration: 7 weeks)
Key activities:
- Develop a prioritization based on the system risk identified.
  - Prioritize the list of information assets as critical, essential and normal. Prioritization criteria should include characteristics like criticality, impact, cost of a failure, publicity, legal and ethical issues, etc. It will be important to establish a common understanding of the criteria.
  - Priority should be based on the information systems and the information assets contained in them. Priority should first be given to level 3 and level 4 information assets.
  - Consult with DAS for assistance on the logging and monitoring controls required.
- Perform a gap analysis of current access provisioning, access management and logging systems on information systems based on ISO […], and develop architectural designs.
  - Gap analysis is a process in which the current state and the desired state of a process or system are set out. The differences between the current state and the desired state are called gaps. These gaps then become the basis for prioritization, planning and action to move to the desired state.
- Develop a rollout plan, phased based on the risk profile of information systems and the gap analysis.
  - The rollout plan is all about tactical execution, including names, dates, milestones, control gates, etc.
  - A detailed work breakdown structure with dates and GANTT charts showing dependencies and progress is of tremendous value.

Phase: Deploy (duration: 3 weeks)
Key activities:
- Implement or configure access control on all systems.
  - Depending on the information asset stored/processed and its classification, access controls need to be in place to prevent unauthorized changes and unauthorized viewing.

- Achieve compliance with […] and […].
  - With the implementation of access controls for preventing unauthorized access and unauthorized changes on all information systems storing and processing information of levels 1-4, the agency will be able to achieve compliance with […] and […]:
    […]: Access control shall be in place to prevent unauthorized changes. Access logging shall be in place to identify what was changed and who changed it, in accordance with the Access Control standards in section […].
    […]: Access control shall be in place to prevent unauthorized viewing. Access logging shall be in place to identify unauthorized attempts.
  - Work towards compliance with Standard 1.5 Audit of Access Controls.
- Develop processes for disposal of information systems in compliance with the Statewide Sustainable Acquisition and Disposal of Electronic Equipment Policy# […].

Phase: Ongoing
Critical path: continuation of the work stream is dependent on agency compliance with Standards 4.4 Encryption and 3.9 Log Management. Access logging should be enabled.
Key activities:
- Achieve compliance with […] and […].
  - Information should be encrypted at rest and in transit in accordance with the Encryption Standards in section […].
  - A log review process in compliance with Standard 3.9 Log Management needs to be in place.
  - Logs should be regularly reviewed and analyzed for indications of unauthorized or unusual activity. Suspicious activity shall be investigated, findings reported to appropriate management, and necessary follow-up actions taken.
- Develop an audit and assessment plan.
  - Define security requirements; audit, monitor and report; and ensure that information security contributes to more effective compliance with current and emerging organizational and regulatory obligations.
- Monitor the effectiveness of investments and reassess.
  - Develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization.

Table 2.4 Information Asset Management Major Work Streams

2.5 Technical Roadmap Resource Considerations
The following table articulates estimated resource considerations for this function.

Phase    | Type of Resource            | Hour Estimates
Planning | Agency Management           | 4 hours for meetings
Planning | ISO                         | 40 hours a week for 7 weeks
Planning | (resource label not captured) | 40 hours a week for 7 weeks
Design   | IT Analyst                  | 40 hours a week for 10 weeks
Design   | System Engineer             | 40 hours a week for 10 weeks
Design   | (resource label not captured) | 40 hours a week for 10 weeks
Deploy   | IT Analyst, System Engineer | (estimate not captured)
Ongoing  | IT Auditor                  | 40 hours for development of the audit plan; periodic audits 40 hours a week for the first 8 weeks of this phase; ongoing monitoring is based on the agency environment

Table 2.5 Information Asset Management Resource Considerations

3. Communication Operations

3.3 Workstation Management (combined with Standard 4.6 Patch Management)

Management Roadmap
(Timeline shown on the diagram: 8 weeks; 3 (unit not captured); ongoing.)
- Define requirements to meet standards
- Develop implementation project plans
- Define policies
- Define mitigation controls
- Define solutions and processes to meet standards
- Training and awareness
- Phased deployment
- On-going monitoring and vulnerability assessment
- Review implementation strategy, including mitigating controls

Prerequisites
The following standards and processes need to be in place in order to comply with Standard 3.3 Workstation Management and Desktop Security and Standard 4.6 Patch Management:
- Change/Release Management processes
- Standard 4.4 Encryption
- Standard […] Anti-Virus and Anti-Malware
- Project management structure to manage technical project planning, decision making, and execution
- Inventory of hardware and software systems to identify in-scope systems for compliance (and approved exceptions)
- IT Risk and Vulnerability Assessment processes and infrastructure to identify and prioritize risks to workstations, desktops, and servers

3.3.3 Technical Roadmap: Communications & Operations Management, 3.3 Workstation Management & Desktop Security Standards and 4.6 Patch Management Standards
(Roadmap diagram, transcribed as activity lists by phase. Durations shown on the diagram: 2, 4, 2 and 6 weeks in Planning; 2, 8, 4, 8 and 4 weeks across Design and Deploy.)

Planning:
- Identify systems which require security and patch management
- Identify legacy systems that have security and patch update exceptions
- Identify the OS and applications of the relevant and exception systems

Design:
- Define workstation/desktop and patch management policies: criticality level, acceptable time for deployment, exceptions (identification and handling)
- Define mitigation plans for systems with exceptions
- Identify technology requirements: manual vs. automated patching; logging and monitoring; resource requirements
- Integrate with change and incident management
- Pilot implementation
- Update processes based on lessons learned
- Training and awareness

Deploy:
- Phased deployment: test workstation/desktop images and patches; notify users of the outage window; post-deployment review

Ongoing:
- Develop audit and assessment plan
- Update mitigation controls for legacy systems
- On-going monitoring of systems to be managed and patched
- Create exception reports
- Monitor key sites and public information sources for new threats

3.3.4 Major Work Streams
The following table articulates the major activities per work stream. Furthermore, it provides an estimate of the overall time to complete each task and the phase (illustrated in the roadmap) in which the activities should be performed.

Phase: Planning (duration: 6 weeks)
Key activities:
- Understand the compliance requirements associated with Workstation Management/Desktop Security and Patch Management, and identify in-scope systems.
- Develop the project charter, which defines the mission, vision and scope, and obtain approval. Consider using DAS (TSC) for desktop support.
- Identify legacy systems which have security and patch update exceptions.
  - Legacy systems need to be reviewed to identify those for which security and patch updates will not be possible because of technology limitations.
  - Legacy systems need to be reviewed, prioritized, and approved based on risk (identify compensating controls).
- Identify the OS and applications of the relevant exception systems.
  - This catalog of relevant exception systems and applicable layers will be used to devise policies and mitigation plans.

Phase: Design (duration: 8 weeks)
Key activities:
- Define workstation/desktop and patch management policies.
  - Policies should define criticality levels, acceptable deployment timeframes, and the process for identifying and addressing exception items.
- Define mitigation plans for systems with approved exceptions.
- Identify technology requirements.
  - Assessment of potential tools for consideration so that decisions can be made regarding automated vs. manual patching, logging and monitoring, and internal vs. external resourcing requirements.
- Integrate with change and incident management processes.
  - Workstation/desktop and patch management needs to be integrated with change and incident management so that appropriate actions can be taken based on automated/manual analysis.
  - Integrate with existing tools for tracking, analysis, review, and approval of activities associated with identified exceptions.
- Pilot implementation.
  - Develop a pilot rollout plan for limited systems to assess the design and implementation of policies, processes, and tools.
  - A detailed work breakdown structure with dates and GANTT charts showing dependencies and progress is of tremendous value.
- Update processes based on lessons learned from the pilot.
  - Upon completion of the pilot implementation, have agency management perform a lessons-learned exercise and incorporate feedback from responsible parties.
- Training for policy, tools, and awareness.
  - Develop and roll out training for requirements, policy, and tools.

Duration of time: Planning 6 weeks; Design 8 weeks; Deploy 8 weeks.

Phase: Deploy (duration: 8 weeks)
Key activities:
- Phased deployment implementation.
  - Develop a rollout plan, phased based on the risk profile of systems.
  - The rollout plan is all about tactical execution, including names, dates, milestones, control gates, etc.
  - A detailed work breakdown structure with dates and GANTT charts showing dependencies and progress is of tremendous value.
  - Perform a post-deployment review to update processes based on lessons learned.

Phase: Ongoing
Key activities:
- Develop audit and assessment plan.
  - Define requirements; audit, monitor and report; and ensure that information security contributes to more effective compliance with current and emerging organizational and regulatory obligations.
- Update mitigating controls for legacy systems.
  - Perform regular checkpoints to review and update mitigating controls for legacy systems with approved exceptions to the standard.
- Continuous monitoring and review of standards.
  - Develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the policies, procedures, and practices of the organization.
  - Monitor key sites and public information sources for new threats.

Table 1.a Protection of Information Assets - Major Work Streams

Resource Considerations
The following table articulates estimated resource considerations for this function.

Phase    | Type of Resource         | Hour Estimates
Planning | Agency Senior Management | 4 hours for meetings
Planning | System Engineer, ISO     | 40 hours a week for 8 weeks; 20 hours a week for 8 weeks; 10 hours a week for 8 weeks (three estimates captured against two labelled resources)
Design   | IT Analyst               | 10 hours a week for 3 (unit not captured)
Design   | System Engineer          | 20 hours a week for 3 (unit not captured)
Design   | (resource label not captured) | 20 hours a week for 3 (unit not captured)
Deploy   | IT Analyst, System Engineer | (estimate not captured)
Ongoing  | IT Auditor               | (estimate not captured)

Table: Resource Considerations

3.9 Log Management (combined with Standard 1.5 Audit of Access Control)

Management Roadmap
(Timeline shown on the diagram: 10 weeks; 2 (unit not captured); dependent on agency evaluation; ongoing.)
- Define requirements to meet standards
- Identify logging priority areas and events
- Define policies
- Tools assessment
- Define solutions and processes to meet standards, and pilot implementation
- Training and awareness
- Phased deployment
- On-going monitoring
- Review overall strategy

Prerequisites
The following standards and processes need to be in place in order to comply with Standard 3.9 Log Management:
- Standard 4.8 Information Systems Development Life Cycle
- Change/Release Management processes
- Incident Management Standards
- Standard […] Information Backup
- Standard […] Security Zone and Network Security Management
- Standard 3.15 Intrusion Detection
- Project management structure to manage technical project planning, decision making, and execution
- Inventory of hardware and software systems to identify in-scope systems for logging
- IT Risk and Vulnerability Assessment processes and infrastructure to prioritize areas for logging and retention

Technical Roadmap: Communications & Operations Management, 3.9 Log Management & 1.5 Audit of Access Control
(Roadmap diagram, transcribed as activity lists by phase. Durations shown on the diagram: 2, 4 and 4 weeks in Planning; 2, 4, 4, 4, 2, 4 and 4 weeks across Design and Deploy.)

Planning:
- Understand compliance requirements
- Conduct a risk assessment to identify and assess priority areas for logging, and prioritize based on risk
- Review agency success stories: processes and tools
- Develop a process for review of access logs and review of user accounts for dormant user accounts

Design:
- Define log management policy, including security events, layers of interest, retention, log review, etc.
- Tools assessment: manual vs. automated, internal vs. external resources, ROI, in-house, OTS, etc.
- Develop architectural design based on requirements and the tools assessment

Deploy:
- Integrate with change and incident management
- Pilot implementation
- Update processes based on lessons learned
- Training: process, tools, IT
- Phased deployment based on risk profiles
- Achieve compliance with Standard […]: all information systems shall support logging of access, including logins to the information system and granted and denied access to resources

Ongoing:
- Review user accounts every 90 days
- Develop audit and assessment plan
- Continuous monitoring and review of standards (changes in business requirements, technology, deprecation, resources, etc.)

3.9.4 Technical Roadmap Major Work Streams
The following table articulates the major activities per work stream. Furthermore, it provides an estimate of the overall time to complete each task and the phase (illustrated in the roadmap) in which the activities should be performed.

Phase: Planning
Key activities:
- Understand the compliance requirements associated with Log Management (Statewide Information Security Standards, Log Management).
- Develop the project charter for Log Management, which defines the mission, vision and scope, and obtain approval.
- Conduct a risk assessment to identify and assess priority areas for logging, and develop a prioritization based on risk.
  - Assessment of risk, including the magnitude of harm that could result from identified events and/or anomalies.
  - Prioritize the list of information assets as critical, essential and normal. Prioritization criteria should include characteristics like criticality, impact, cost of a failure, publicity, legal and ethical issues, etc. It will be important to establish a common understanding of the criteria.
- Develop a process for review of access logs and dormant accounts every 90 days (in compliance with Standard 1.5.3).
  - The process should take into account the compliance requirements of the 1.5 Audit of Access Control Standards and the agency's risk assessment and prioritization exercise.
  - Where possible, and not dependent on the log management systems being in place, enable access logging on information systems containing level 4 data. Logging should cover all view, add, modify and delete operations on information and all failed login attempts to these actions. Access logs should be reviewed daily for violations.
- Review agency success stories.
  - Examples of lessons learned and successful implementation of tools to comply with Log Management requirements by other agencies.

Phase: Design
Key activities:
- Define log management policy.
  - Policy should be based on the requirements of the Log Management Standard and apply to the areas identified and prioritized by the risk assessment and prioritization.
  - Policy should identify security events of note, layers of interest (network, server, database, etc.), retention, and mechanisms to restrict access to logs.
- Tools assessment.
  - Document product requirements and selection criteria.
  - Assessment of potential tools for consideration so that decisions can be made regarding automated vs. manual options and internal vs. external resourcing requirements.
  - Identify candidate vendors and request proposals.
  - Evaluate responses to determine whether to move forward with product selection and proof of concept.
  - Initiate negotiations with the selected vendor and establish the scope for the proof of concept.
- Develop architectural design.
  - The architectural design should be based on requirements and the decisions made during the tools assessment.

Phase: Deploy
Key activities:
- Integrate with change and incident management processes.
  - Log management needs to be integrated with change and incident management so that appropriate actions can be taken based on log management analysis.
  - Integrate with existing tools for tracking, analysis, review, and approval of activities associated with identified events.
- Pilot implementation.
  - Develop a pilot rollout plan for limited areas to assess the design and implementation of policies, processes, and tools.
  - A detailed work breakdown structure with dates and GANTT charts showing dependencies and progress is of tremendous value.
- Update processes based on lessons learned from the pilot.
  - Upon completion of the pilot implementation, have agency management perform a lessons-learned exercise and incorporate feedback from responsible parties.
- Training for policy and tools.
  - Develop and roll out training for log management requirements, policy, and tools.
- Phased deployment implementation.
  - Develop a rollout plan, phased based on the risk profile of information systems.
  - The rollout plan is all about tactical execution, including names, dates, milestones, control gates, etc.
  - A detailed work breakdown structure with dates and GANTT charts showing dependencies and progress is of tremendous value.
- Update processes based on lessons learned from the phased deployment.
  - Upon completion of the pilot implementation, have agency management perform a lessons-learned exercise and incorporate feedback from responsible parties.
- Review user accounts every 90 days.
  - Based on the process developed, and applicable to the types of accounts identified.

Phase: Ongoing
Key activities:
- Develop audit and assessment plan.
  - Define requirements; audit, monitor and report; and ensure that information security contributes to more effective compliance with current and emerging organizational and regulatory obligations.
- Continuous monitoring and review of standards.
  - Develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization.
  - Perform regular checkpoints regarding requirements, technology options and deprecation, and resources.

Duration of time, as captured in the table: 3 months, Ongoing, Ongoing, 2 months, Ongoing (the mapping of these values to individual activities is not legible in the transcription).

Table 1.a Protection of Information Assets - Major Work Streams
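Two of the controls in the Log Management work streams above are concrete enough to automate: the daily review of level 4 access logs for failed login attempts and denied view/add/modify/delete operations, and the 90-day review for dormant user accounts. The following script is an added example (not part of the State of Oregon roadmap or any agency tooling) that runs both checks over constructed sample log lines; the pipe-separated log format, field names, system names and account list are assumptions made for the example.

```python
"""Two review checks from the Log Management roadmap, over constructed sample data:
 - daily review of access logs on level 4 systems for denied login attempts and
   denied view/add/modify/delete operations
 - the 90-day review for dormant user accounts
The pipe-separated log format, field names and account list are assumptions
made for this example, not a State of Oregon format."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # review window from the roadmap
LOGGED_ACTIONS = {"login", "view", "add", "modify", "delete"}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    system: str
    level: int      # information asset classification level (1-4)
    action: str     # one of LOGGED_ACTIONS
    outcome: str    # "success" or "denied"


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line: timestamp|user|system|level|action|outcome."""
    ts, user, system, level, action, outcome = (f.strip() for f in line.split("|"))
    if action not in LOGGED_ACTIONS:
        raise ValueError(f"unexpected action {action!r}")
    return AccessEvent(datetime.fromisoformat(ts), user, system, int(level), action, outcome)


def parse_log(text: str) -> list[AccessEvent]:
    """Parse a whole log, skipping blank lines."""
    return [parse_line(ln) for ln in text.strip().splitlines() if ln.strip()]


def daily_violations(events: list[AccessEvent], day: date) -> list[AccessEvent]:
    """Events the daily reviewer must examine: every denied login and every denied
    view/add/modify/delete on a level 4 system during `day`, in log order."""
    return [e for e in events
            if e.ts.date() == day and e.level == 4 and e.outcome == "denied"]


def dormant_accounts(accounts: list[str], events: list[AccessEvent],
                     as_of: datetime) -> list[str]:
    """Accounts with no successful login in the 90 days before `as_of`.
    Accounts that never logged in at all are reported as dormant too."""
    last_login = {}
    for e in events:
        if e.action == "login" and e.outcome == "success":
            last_login[e.user] = max(last_login.get(e.user, e.ts), e.ts)
    cutoff = as_of - DORMANT_AFTER
    return sorted(a for a in accounts if last_login.get(a, datetime.min) < cutoff)


# Constructed sample data: HR-PAY is a level 4 system, WEB-PUB a level 1 system.
SAMPLE_LOG = """
2008-02-01 07:30:00|bold|HR-PAY|4|login|success
2008-03-15 09:02:11|jdoe|HR-PAY|4|login|success
2008-05-20 11:11:11|asmith|WEB-PUB|1|login|success
2008-06-29 13:00:00|asmith|WEB-PUB|1|modify|denied
2008-06-30 08:15:02|jdoe|HR-PAY|4|login|success
2008-06-30 08:16:40|jdoe|HR-PAY|4|view|success
2008-06-30 08:20:05|jdoe|HR-PAY|4|delete|denied
2008-06-30 10:00:00|asmith|WEB-PUB|1|view|denied
2008-06-30 22:41:17|guest7|HR-PAY|4|login|denied
"""
ACCOUNTS = ["jdoe", "asmith", "bold", "cnever"]   # constructed account list
AS_OF = datetime(2008, 6, 30, 23, 59, 59)          # review date for the example


def review(log_text: str = SAMPLE_LOG, accounts: list[str] = ACCOUNTS,
           as_of: datetime = AS_OF) -> tuple[list[AccessEvent], list[str]]:
    """Run both checks and return (daily violations, dormant accounts)."""
    events = parse_log(log_text)
    return daily_violations(events, as_of.date()), dormant_accounts(accounts, events, as_of)


if __name__ == "__main__":
    violations, dormant = review()
    print(f"Level 4 violations on {AS_OF.date()}:")
    for e in violations:
        print(f"  {e.ts}  {e.user:<8} {e.system:<8} {e.action:<7} {e.outcome}")
    print("Dormant accounts (no login in 90 days):", ", ".join(dormant))
```

On the sample data the daily review surfaces the denied delete by jdoe and the denied login by guest7 on HR-PAY, while the level 1 denials on WEB-PUB are out of scope for the level 4 rule; the 90-day review reports bold (last login in February) and cnever (never logged in).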

3.9.5 Technical Roadmap Resource Considerations
The following table articulates estimated resource considerations for this function.

Phase    | Type of Resource         | Hour Estimates
Planning | Agency Senior Management | 4 one-hour meetings
Planning | ISO                      | 10 hours for 10 weeks
Planning | (resource label not captured) | 20 hours for 10 weeks
Design   | IT Analyst               | 40 hours each month for 2 (unit not captured)
Design   | System Engineer          | 40 hours each month for 2 (unit not captured)
Design   | (resource label not captured) | 40 hours each month for 2 (unit not captured)
Deploy   | IT Analyst, System Engineer | (estimate not captured)
Ongoing  | IT Auditor               | (estimate not captured)

Table: Resource Considerations

4. Information Systems Acquisition, Development and Maintenance

4.4 Encryption

Management Roadmap
(Timeline shown on the diagram: 13 weeks; 28 weeks; dependent upon agency; ongoing.)
- Define requirements to meet Encryption Standards
- Develop Encryption Management implementation project plan
- Define Encryption Management policy
- Define solutions and processes to meet Encryption Management Standards
- Training and awareness
- Phased deployment
- On-going monitoring and vulnerability assessment
- Review encryption strategy, including mitigation controls

Prerequisites
Information Asset Classification: agencies need to be compliant with the Statewide Information Asset Classification (IAC) policy (effective 7/30/2007), whose purpose is to ensure State of Oregon information assets are identified, properly classified, and protected throughout their lifecycles.
- A plan for identifying, classifying and protecting information assets needs to be in place.
- All information should have been identified, classified, and ownership defined.
Data maps identifying data at rest and data flows exist for Level 3 and Level 4 data types.
Agency risk assessment processes, based on the applicable threats to the confidentiality, integrity and availability of data, need to be in place.
The agency has access to a Key Management Infrastructure.

Technical Roadmap: Information Systems Acquisition, Development and Management, 4.4 Encryption
(Roadmap diagram, transcribed as activity lists by phase, with sub-standard references as shown. Durations shown on the diagram: 2, 3, 2 and 4 weeks in Planning; 2, 2, 3, 8, 2, 2, 3, 6 and 2 weeks across Design and Deploy.)

Planning:
- Identify the regulatory and compliance requirements for data protection

Design:
- Perform discovery of all information system assets
- Perform a discovery of sensitive data within agency information assets
- Perform risk assessment for data usage scenarios
- Develop an implementation project plan for encryption
- Develop encryption policy at agency level
- 4.4.6: Define key management requirements
- 4.4.7: Document key management procedures
- 4.4.1, 4.4.2, 4.4.3, 4.4.5, 4.4.5: Define technology requirements: tools, technology vendors and SPs
- Define pilot requirements
- Implement and test the pilot

Deploy:
- Define monitoring requirements
- Develop a training plan and encryption rollout plan
- Provide training to administrators and end users
- Perform a phased implementation of the encryption tool

Ongoing:
- Perform tests to validate the implementation at each phase
- Post-implementation review and lessons learned
- Perform periodic risk assessment for existing and emerging threats
- Monitor legislative and regulatory requirements
- Perform periodic data discovery, usage and flow analysis
- Monitor violations of encryption and integrate with incident management
- Metrics reporting: data loss incidents; intentional vs. accidental; classification level of data breach

4.4.4 Technical Roadmap Major Work Streams
The following table articulates the major activities per work stream. Furthermore, it provides an estimate of the overall time to complete each task and the phase (illustrated in the roadmap) in which the activities should be performed.

Phase: Planning (duration: 3 weeks)
Key activities:
- Identify the regulatory and compliance requirements for data protection.
- Identify the data types and patterns which are subject to the data protection requirements.

Phase: Design (durations shown: 3 weeks and 8 weeks)
Key activities:
- Perform a discovery of all information system assets:
  - Identify all information systems within the agency operating environments, such as development, quality assurance and production.
  - Map each system to the respective information technology services and applications it supports.
  - Identify system owners and support groups.
- Perform a discovery of sensitive data within the agency information assets:
  - Data-at-rest discovery of all key systems which can potentially host confidential data.
  - Data-in-motion discovery of the network environment to map out the data flows containing confidential data.
- Perform a risk assessment of data usage scenarios:
  - Identify the data usage scenarios most likely to occur within the agency.
  - Identify the likelihood of data loss and the potential impact based on the information type.
- Develop an implementation project plan for encryption.
- Define encryption policy at agency level.
- Define key management requirements.
- Define the processes required for encryption management:
  - Key management or escrow processes when using a key-based data encryption system.
  - Replacement process for a compromised key.
- Define technology requirements, considering:
  - Encryption protocol and strength
  - Supported level of deployment of encryption
  - Support for external storage media
  - Wireless standards support
- Define pilot requirements based on:
  - Agency encryption requirements
  - Vendor solution
- Implement and test the pilot:
  - Implement the pilot based on requirements.
  - Validate that the pilot meets requirements.
  - Perform a post-pilot assessment.
  - Document lessons learned.

Phase: Deploy (durations shown: 3 weeks and 6 weeks)
Key activities:
- Define monitoring requirements:
  - Monitoring process and frequency
  - Monitoring tools
  - Monitoring parameters relating to encryption management
  - Alerting and reporting requirements
- Develop training plan and encryption rollout plan:
  - Develop or acquire training and material targeted at the different management, operations, support and employee roles, to be used to enhance general awareness in the use of encryption.
  - Develop an encryption rollout plan.
- Provide training to administrators and end users.
- Perform a phased implementation of the encryption tool.

Phase: Ongoing
Key activities:
- Perform tests to validate the implementation at each phase.
- Post-implementation review and lessons learned.
  - Update implementation procedures based on lessons learned.
- Perform a periodic risk assessment for existing and emerging threats.
  - Monitor legislative and regulatory requirements for inclusion in the risk assessment.
- Perform periodic data discovery, usage and flow analysis.
- On-going metrics reporting for the following metrics, revising the metrics as needed:
  - Data loss incidents
  - Intentional vs. accidental
  - Classification level of data breach
- Monitor encryption violations and integrate with incident management.

Table: Encryption Major Work Streams

4.4.5 Resource Considerations
The following table articulates estimated resource considerations for this function.

Phase    | Type of Resource         | Hour Estimates
Planning | Agency Senior Management | 4 one-hour meetings
Planning | ISO                      | 10 hours for 13 weeks
Planning | (resource label not captured) | 20 hours for 13 weeks
Design   | IT Analyst               | 20 hours for 28 weeks
Design   | Systems Engineer         | 20 hours for 28 weeks
Design   | (resource label not captured) | 40 hours for 28 weeks
Deploy   | Systems Engineer         | (estimate not captured)
Ongoing  | IT Analyst               | (estimate not captured)

Table: Encryption Resource Considerations

4.8 Information Systems Development Life Cycle

Management Roadmap
(Timeline shown on the diagram: 8 weeks; 32 weeks; dependent upon agency; ongoing.)
- Define requirements to meet standard
- Develop project plan
- Define solutions and processes to meet SDLC standard
- Training and awareness
- Phased deployment
- Post-implementation lessons learned
- Periodic review

Prerequisites
- An inventory of hardware and software systems needs to be in place.
- A user access list based on roles and responsibilities needs to be in place, including:
  - Process for granting user access (regular and privileged accounts)
  - Process for determining the appropriate level of access based on job function, which also includes segregation of duties
  - Process for tracking segregation of duties exceptions
- A Change Management process needs to be in place, including:
  - Change procedures
  - Change Advisory Board
- Documentation requirements for support purposes need to be in place.
- An SDLC process and project management structure need to be in place.

4.8.3 Technical Roadmap: Information Systems Acquisition, Development and Management, 4.8 Information Systems Development Life Cycle Standards
(Roadmap diagram, transcribed as activity lists by phase, with sub-standard references as shown. Durations shown on the diagram: 2, 4, 2 and 3 weeks in Planning; 2, 2, 2, 2 and 6 weeks in Design; 4 weeks in Deploy.)

Planning:
- Identify all systems in Dev, QA and Prod
- Assess existing access based on roles and responsibilities against the security standard
- Assess existing change management procedures against the security standard
- Assess existing documentation processes against the security standard

Design:
- Define or update access control processes for granting, modification and termination of access based on job requirements
- Define or update existing change management processes to meet the standard's requirements
- Define or update procurement and development processes to include encryption requirements to meet the standard
- Define or update documentation requirements to meet security standards
- Develop training content

Deploy:
- Provide training and awareness on: access control; change management; documentation standards; encryption requirements
- Develop a rollout plan
- 4.8.1: Implement access control
- 4.8.2: Implement change management control
- 4.8.3: Implement documentation standards
- 4.8.4: Implement review of encryption requirements
- Post-implementation review and lessons learned

Ongoing:
- Develop a periodic assessment plan to review the foundational elements of the SDLC program
- Define periodic audit activities to monitor the on-going effectiveness of the SDLC program

Technical Roadmap Major Work Streams
The following table articulates the major activities per work stream. Furthermore, it provides an estimate of the overall time to complete each task and the phase (illustrated in the roadmap) in which the activities should be performed.

Phase: Planning
Key activities:
- Define the information systems development life cycle planning and operational requirements needed to implement the standard.
- Develop an implementation project plan to implement the information systems development life cycle processes and controls.
- Perform a discovery of all information system assets:
  - Identify all information systems within the agency operating environments, such as development, quality assurance and production.
  - Map each system to the respective information technology services and applications it supports.
  - Identify system owners and support groups.
Duration of time: not captured in the transcription.

Design
- Perform an assessment of the following areas and identify gaps based on the system development lifecycle standard. The gaps will form the basis of the activities which need to be performed in order to implement the standard:
  - Assess the access privileges of users, developers and administrators on each in-scope system based on industry best practices for their job roles and responsibilities, such that access is granted commensurate with job requirements, access is reviewed and modified periodically, and any segregation of duties conflicts are reviewed, approved and monitored
  - Assess change management procedures based on the SDLC standard's requirements and industry best practices so that changes are tested and approved prior to being implemented
  - Assess that the documentation required to initiate and manage projects, and the documents needed to operate and support systems, meet the requirements of the SDLC standard
- Define or update the following processes in order to meet the SDLC standard:
  - Access control processes for granting, modification and termination of access based on job requirements
  - Change management processes for initiation, development and implementation of change
  - Systems development and procurement requirements to meet encryption requirements
  - Documentation needed to meet project initiation, project management, operations and support requirements
- Develop Training Content
  - Develop or acquire training material targeted towards the different management, operations, support and employee roles, to be used to enhance general awareness of access control, change management, systems procurement and documentation.

Deploy
- Develop a roll out plan
- Provide training and awareness to management, operations, support and users as needed in the following areas:
  - Access Control
  - Change Management
  - Documentation Standards
  - Systems Development/Procurement based on encryption needs
- Achieve compliance (documentation standards): With the implementation of documentation standards, new or updated information systems shall include adequate system documentation for the agency to achieve compliance.
  - Embed documentation requirements into the work processes
  - Require each work process to be reviewed and signed off after ensuring that documentation requirements have been met
- Achieve compliance (access controls): With the implementation of access controls, access to operating systems, source code, and operational or production software/program directories, locations, and configuration files shall be managed to enable the agency to achieve compliance.
  - Identify all system and application owners
  - Send the user/administrator access list to the system and application owners for review and verification
  - Obtain the reviewed access list from the system/application owners and modify the access privileges of users accordingly
  - Perform the above activities periodically
Durations shown for the two compliance activities above, in order: 8 weeks, 6 weeks.

- Achieve compliance (change control): With the implementation of a change control management process, developing and modifying information systems will require authorization to initiate or make changes and to test and accept changes to production, which will enable the agency to achieve compliance.
  - Require the initiation of new development or change requests to be tracked and approved by management
  - Document the requirements and have them approved by the requestor within the agency
  - Require the requestor to test the new development or change request and sign off prior to management approval
  - Require management approval before moving new development or changes into the production environment
  - Document the workflow and formalize the process
- Achieve compliance (procurement requirements): With the implementation of procurement requirements which require encryption capability for Level 3 and Level 4 systems, the agency will be able to achieve compliance.
  - Define a new procurement process which requires system classification and associated requirements, such as encryption, to be documented and approved as part of procurement initiation
  - Define a pilot process where the system/application to be procured is tested against the encryption requirements and approved for procurement if all requirements are met
  - Define a post implementation review process for the system, in which all the requirements are reviewed again to make sure that the system is configured correctly and meets the objectives.
- Post Implementation Review and Lessons Learned

Ongoing
- Develop a periodic assessment plan to review the foundational elements of the SDLC program
  - Periodically assess the appropriateness of SDLC organization roles, i.e. that roles are assigned to people who are experienced and have the right level of authority.
  - Perform a periodic assessment to review that SDLC processes and documentation requirements address risk and compliance needs.
  - SDLC processes and documentation may be updated based on the recommendations from the assessment.
- Define periodic audit activities to monitor the on-going effectiveness of the SDLC program
  - Perform a periodic audit of access control for systems in scope for SDLC. Review the process for granting, modifying and terminating access. Also review segregation of duties and the process for filing exceptions
  - Perform a periodic audit of the change management processes around the initiation, testing, implementation and post implementation review of change
  - Periodically audit the SDLC project management, operational and support documentation against the required standards
Duration shown for the Ongoing activities: Ongoing.

Table: SDLC Major Work Streams

4.8.5 Resource Considerations

The following table articulates estimated resource considerations for this function. Cells are listed per phase in the order shown in the source table.

Phases | Type of Resource | Hour Estimates
- Planning: Agency Senior Management, 4 1-hour meetings; ISO, 10 hours a week for 11 weeks; 20 hours a week for 11 weeks
- Design: IT Analyst, 40 hours a week for 18 weeks; 20 hours a week for 18 weeks
- Deploy: IT Analyst
- Ongoing: IT Auditor

Table: SDLC Resource Considerations


More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) Whitepaper North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) NERC-CIP Overview The North American Electric Reliability Corporation (NERC) is a

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

June 25, 2013. Ministry of Health Security enhancement roadmap

June 25, 2013. Ministry of Health Security enhancement roadmap June 25, 2013 Ministry of Health Security enhancement roadmap Table of contents Enhancement roadmap overview... 1 Introduction... 1 Objectives and scope... 1 Approach... 2 Summary of recommended enhancement

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training DRAFT For Discussion Purposes Only State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Information Systems (IS) Acquisitions, Development, and Maintenance Policy April/May

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Information Technology Policy

Information Technology Policy ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE R1 Provide Risk Based Assessment Methodology (RBAM) R1.1 Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are riskbased R1.2 Provide evidence

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. - 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must

More information

USM IT Security Council Guide for Security Event Logging. Version 1.1

USM IT Security Council Guide for Security Event Logging. Version 1.1 USM IT Security Council Guide for Security Event Logging Version 1.1 23 November 2010 1. General As outlined in the USM Security Guidelines, sections IV.3 and IV.4: IV.3. Institutions must maintain appropriate

More information