INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT

Doomed by Design: Unearthing the Problems with Government Security Programs
Christopher Buse, Assistant Commissioner & State CISO
June 12, 2014

Agenda
- State of the States
- Minnesota Plan
- Q&A
The State of the States
- Security significantly underfunded
- Diverse security posture between states
- Underlying data soft and sometimes unavailable
- Fragmented governance
- 14% of CISOs believe that they have executive support
- 24% of CISOs are confident in protecting state assets
- 86% of CISOs cite funding as their key barrier
- 680% increase in significant threats over the past 5 years

(Chart: "Most States Only Spend Between 1-2% of the IT Budget on Security", comparing Government Spending with Private Sector Spending.)
- 46% of CISOs have a documented strategy
- 30% of CISOs plan to develop a written strategy
- 82% of CISOs are responsible for measurement and reporting
- 8% of CISOs are attempting to measure program effectiveness

Good news: the enterprise CISO position is now firmly entrenched in most states.
Bad news: the enterprise CISO position is often one of coordinating cross-agency resources:
- Limited ability to drive actions across organizational boundaries
- Security spend outside the control of the CISO
Is Your State Security Program Doomed by Design?
- Executive Support
- Freedom To Act
- Resources
- Comprehensive Plan

It's Not Just Retail
One of over 2,000 negative headlines on the recent South Carolina breach: "Hackers gain access to 780,000 individual health records"
The Minnesota IT Consolidation Plan

What About Us?
Minnesota: a microcosm of the national scene
- Strong executive support
- Strategic and tactical plans
- Security spend is insufficient
  - 2010 legislative study: State of Minnesota spend is 2% of state budget vs. industry standard investment of 5%
  - Overall reduction in security spend in FY13
- Silos of agency-based IT
  - Restricted our ability to leverage economies of scale
  - Hampered our ability to implement enterprise security strategies
IT Security Consolidation Plan
- Published in April 2014
- Describes the desired end state, yet recognizes that
  - Reaching that end state will take a long-term commitment
  - We need to use our existing resources better
- Outlines a shift in the service delivery model
  - Establishes centrally delivered services
  - Creates line of business security teams
- Details the breakdown of work between central and line of business teams
- Focuses on a subset of services to address first

The Basic Concept: Consolidated Services
(Figure: Information Security program management; Enterprise Services Delivered to All)
- We will reorganize security resources into a single management structure that creates consistency and aligns resources
- Those services deemed to be enterprise services will be delivered by a centralized security team
The Basic Concept: Close-to-Business Services
- Even if we consolidate the common security services, we still don't have the resources for each agency-based office to manage close-to-the-business security services
(Figure: Close-to-Business Security, Cluster 1 through Cluster 6)
- Our plan is to cluster security teams into lines of business to provide close-to-the-business services to groups of agencies with similar business/security requirements: sharing resources, but keeping the specialization where it needs to be

The Basic Concept: Effective Allocation of Resources
- Staff will be assigned to a cluster or to the enterprise services based on their current work and expertise.
(Figure: Cluster 1 through Cluster 6, each delivering close-to-the-business services, on top of Information Security program management and Enterprise Services Delivered to All)
Realigning Work

Close-to-the-business services focus on implementation at the business and application level:
- Identity and Access Management
- Information Security Risk and Compliance
- Business Continuity and Disaster Recovery
- Information Security Training and Awareness
- Secure System Engineering

Enterprise services (single management conserves resources and drives consistency; enterprise delivers common functions and tools to all):
- Information Security Incident Response and Forensics
- Information Security Program Management
- Information Security Monitoring
- Continuous Vulnerability Management
- Boundary Defense
- Endpoint Defense
- Physical Security

(Figure: six line-of-business clusters, Health, Safety, Environment, General Government, Economy and Education, with the agencies and boards assigned to each. The extracted text does not preserve which agency belongs to which cluster; the agencies and boards shown are: Health BDs (17), Corrections, Agriculture, Administration, Commerce, Education, Health, Public Safety, Animal Health BD, Campaign Finance, Commerce BDs (3), Arts BD, Human Services, Transportation, Natural Resources, Capital Area Architect BD, AURI, Center for Arts Education, Ombudsman MH/DD, POST BD, Conservation Corps, Investment BD, Amateur Sports CM, High Ed Facilities Authority, Veterans Affairs, Private Detectives BD, Pollution Control, MN.IT, Combative Sports CM, MN State Academies, MNsure, Sentencing Guidelines, BWSR, MMB, Explore MN, Office of Higher Education, Ombudsman Families, Racing CM, MN Zoo, Mediation Services, DEED, Targeted Councils (5), Uniform Laws CM, Administrative Hearings, Labor & Industry, Workers Comp Court, Governor, Public Utilities CM, Gambling Control, Human Rights, Revenue.)
A Look Ahead: Industry Trends

Does Your Organization Have a Central Security Team?
- Central Security Team: 94%
- Creating Central Group: 3%
- No Central Security: 4%

Does Your Organization Have Local Security Groups?
- Only Central Security: 56%
- Use Local Security Groups: 44%

Conclusion: MN.IT's Proposed Model Aligns Well With National Trends

(Org chart figure. Positions shown: Assistant Commissioner & CISO, Information Standards and Risk Management; Assistant Commissioner, Service Delivery; Enterprise Architect; Information Security Oversight Director; Client Computing & Customer Support Director; Infrastructure as a Service Director. Central security functions shown: Secure Systems Engineering; Governance, Risk, & Compliance; Endpoint Defense; Border Defense; Business Continuity; Vulnerability Management; Identity and Access Management; Physical Security; Information Security Incident Response Team. Line-of-business teams shown: Health LOB Service Delivery Team; Safety LOB Service Delivery Team; Environment LOB Service Delivery Team; General Govt LOB Service Delivery Team; Economic LOB Service Delivery Team; Education LOB Service Delivery Team.)
Detailed Service Deliverables

Service                                            LOB team future effort   Service delivery method
Information Security Program Management            Minimal                  Primarily Centralized
Information Security Monitoring                    Minimal                  Primarily Centralized
Information Security Incident Response and Forensics   Minimal              Primarily Centralized
Continuous Vulnerability Management                Minimal                  Primarily Centralized
Boundary Defense                                   Minimal                  Primarily Centralized
Endpoint Defense                                   Minimal                  Primarily Centralized
Secure Systems Engineering                         (see note)               Central Direction / Hybrid Delivery
Information Security Training and Awareness        (see note)               Central Direction / Hybrid Delivery
Business Continuity                                (see note)               Central Direction / Hybrid Delivery
Information Security Risk and Compliance           (see note)               Central Direction / Hybrid Delivery
Identity and Access Management                     (see note)               Central Direction / Hybrid Delivery
Physical Security                                  (see note)               Central Direction / Hybrid Delivery

Note: the slide also shows a "Future Level of Effort, Central Team" column, and for the six hybrid-delivery services the LOB effort values "Minimal" and "Moderate"; the extracted text does not preserve which value belongs to which row.

Priority Services
- Selected through planning team consensus
- Represent highest payback from a risk perspective
- Plan focuses on rollout of priority services first
- Plan does not include all service delivery details

The priority services:
- Secure Systems Engineering
- Continuous Vulnerability Management
- Information Security Program Management
- Boundary Defense
- Information Security Monitoring
IT Security Consolidation: Value Proposition
MN.IT can provide a full suite of security services to all customers:
- Cost to the customer far less than ramping up alone
- Better service, as expertise is shared
- More agile service: getting the experts when and where they need to be
- More job opportunities and specialization skills for employees

Will it be perfect?
- Priorities will still have to be set, but they will be done at an enterprise level
- No agency can opt out of security

Beneficiaries
Customers:
- Existing resources used as efficiently and effectively as possible
- Consistent security practices
- Metrics to understand security posture
MN.IT Services:
- More specialization and deeper bench strength
- Clear priorities for the enterprise
- Reduction in single points of failure
- More career opportunities for staff
- Better understanding of our risk posture
Final Thoughts
- Auditing applications is easy and safe
- Policymakers may be better served by an assessment of your state security program foundation:
  - Executive support
  - Freedom to act
  - Funding
  - Comprehensive plans

Thank you!
Chris.Buse@State.MN.US
@BuseTweet