Wisconsin
National Governor's Association: Call To Action
David Cagigal, Chief Information Officer, State of Wisconsin
101 E. Wilson St, 8th Floor, Madison, WI 53703
608.261.8406
May 14, 2014
Cybersecurity Governance & Authority

Authority: the Department of Administration shall:
  16.971 (2) (k): Ensure that all state data processing facilities develop proper privacy and security procedures and safeguards.
  16.973 (5): Utilize all feasible technical means to ensure the security of all information submitted to the department for processing by agencies, local governmental units and entities in the private sector.

Governance:
  IT Executive Steering Committee
    Established by Executive Order No. 99 on April 26, 2013
    Consensus approach to IT
  Homeland Security Council
    Re-established by Executive Order No. 101 on May 3, 2013
    CIO is one of 16 members and advises on cyber preparedness
    CIO chairs the Wisconsin Cyber Working Group
Informed Policy

Diagram: Homeland Security Cyber Governance. The Wisconsin Homeland Security Council (meets the 3rd Wednesday) and the Wisconsin Cyber Working Group (meets the 1st Thursday) exchange the following: Information & Recommendation; Due Outs (tasking); Incident Analysis; Threats; Preparedness; Status Reports; Relevant Questions; Requests & Taskings; Cyber Strategy; Annual Reports; Cyber Annex; Summit due outs; CyberSec Month.
Risk Assessment & Resource Allocation

Risk Assessments:
  External evaluations of the State of Wisconsin:
    U.S. Department of Homeland Security
    Deloitte / NASCIO Survey
    Gartner Assessment
  Homeland Security: statewide CIKR focus
    Interagency members of the HSC collaborate on risk assessments
    Quadrennial strategy with cyber objectives
    Annual strategy reports to the Governor

Resource Allocation:
  Currently developing training for Business Impact Analysis
  Cyber Security Road Map
  Risk = Threat x Vulnerability x Cost
State of Wisconsin Risk Matrix (vertical axis: Event Probability, low to high; horizontal axis: Event Impact, low to high)

  Avoid the Risk (high probability, high impact): Life, Health, Safety; zero RPO / RTO; Cat. 1: Data Replication (EC12 (Mainframe), EXAs (STAR))
  Mitigate or Reduce Risk (high probability, low impact): Driver's Licensing; zero RPO / RTO < 4 hrs; Cat. 2: Hot Site
  Share or Transfer Risk (low probability, high impact): Procurement Systems, Facilities Services; 8 hour RPO / RTO < 1 wk.; Cat. 3: Cloud Provision on Demand
  Accept Risk (low probability, low impact): Recreational Permits; no specific RPO / RTO; Cat. 4: Wait
Vulnerability Assessment & Mitigation

Vulnerability Assessment:
  Intrusion detection / prevention via SNORT
  MS-ISAC Albert
  Implementing Managed Security Services Contract
  Ongoing dialogue with:
    University of Wisconsin
    State of Michigan

Mitigation:
  Appliances (e.g. IronPort)
  Rapidly detecting and blocking malicious actors
  Developing Alternate Site Fail Over Strategy (four categories)
State Compliance with Security Standards & Frameworks

Standards: the State must comply with numerous standards.
  DOA implemented the Information Technology Infrastructure Library (ITIL) for IT operations and complies with:
    HIPAA (Health Insurance Portability and Accountability Act)
    PCI (Payment Card Industry)
    CJIS (Criminal Justice Information Services)
    FERPA (Family Educational Rights and Privacy Act)
    FTI (Federal Tax Information)
    SSA (audit authority)
    IRS (audit authority)

Homeland Security:
  ISACs play a critical role
  The NIST Framework represents a rational overarching approach
  Wisconsin law requires safeguarding Personally Identifiable Information
Creating a Culture of Risk Awareness

2013 Security Awareness Training:
  19 State Agencies
    58% have training in place
    32% are planning to introduce training in 2014
    10% have been unresponsive or non-committal
  7 Boards, Offices & Commissions
    12% have training in place
    6% are planning to introduce training in 2014
    82% have been unresponsive or non-committal

2014 Security Awareness Training:
  Cyber Security Awareness Training, 11 modules
  Moving to an enterprise approach with Single Sign-On Learning Management Software
Governor's Cybersecurity Dashboard: April 2014

CYBERSECURITY PROGRAM

State Cybersecurity Initiatives (Description; Status; Progress; Cost; Completion Date; Next Milestone):
  1. Managed Security Services RFP; On Track; Vendor Reference Checks Complete; $35,880 (staff) plus TBD (vendor); 5/31/14; Award Letter
  2. Security Awareness Training; On Track; 1st Single Sign On Test 4/10/2014; approx. $123,760; 12/31/14; Single Sign On test for non-DOA domains
  3. Femrite Alternate Site RFP; On Track; Bid Released 4/1/14; approx. $4.42 million; 9/1/14; Proposer Meeting
  4. Enterprise Identity Management; On Track; Initiation; TBD; TBD; Charter Approval
  5. DET Disaster Response Plan (Playbook); On Track; Started Key Staff Interviews; TBD; 12/31/14; Publish Play Cards

Call-to-Action on State Cybersecurity (Action; Status; Progress):
  1. Governor / State role in Cyber Crime (DOJ); With HSA; March 14
  2. Governor / State role in Emergency Mgmt. (WEM); With HSA; 4/10/14
  3. Governor / State role as a regulator (PSC); With HSA; 4/18/14
  4. Governor / State role as a corporate entity (DOA); With HSA; 4/10/14
  5. Governor / State role on public awareness (DET); With HSA; 4/10/14

CYBERSECURITY MONTHLY REPORT CARD

Top 5 Risks & Significant Threats:
  1. Phishing / SPAM / scam e-mails
  2. Malware and Bots (botnet attacking or participating)
  3. Web Attacks (brute force and SQL injection)
  4. Port Scans
  5. Distributed Denial of Service Attacks
Threat level scale: Reasonable / Considerable / Substantial