Building a More Secure and Prosperous Texas through Expanded Cybersecurity
Bob Butler, Chairman, Texas Cybersecurity, Education and Economic Development Council
April 2013
About the Texas Cybersecurity Council
The Texas Cybersecurity, Education and Economic Development Council (TCEEDC) was established in 2011 by the Texas Legislature and Governor through Senate Bill 988. The legislation directed that the council have nine members from across government, academia, and industry.
The Council was chartered to provide recommendations regarding ways to:
- Improve the infrastructure of the state's cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education
- Examine specific actions to accelerate the growth of cybersecurity as an industry in the state
Advancing a Cyber Secure Infrastructure for Texas
- Establish a state-level coordinator for cybersecurity.
- Establish the Business Executives for Texas Security (BETS) partnership.
- Establish a Cyber Star program to foster improvement of cyber resiliency in both private and public infrastructure in the state, as well as to increase public trust.
- Adopt the Community Cyber Security Maturity Model (CCSMM) as a statewide guide for developing the processes that lead to a viable and sustainable cybersecurity program, and to help develop a culture of cybersecurity throughout the State.
- Update the duties and powers of the Texas Department of Information Resources.
Proposed State Cyber Coordinator Role
Proposed Cyber Star Program
- Process-driven model that encourages continuous innovation with risk mitigation
- Private and public sector mutually incented, and protected physically and legally
- Enables application of a resilience framework across all objectives: protect/deter, detect/monitor, constrain/isolate, maintain/recover, and adapt
Developing the Cybersecurity Industry in the State
- Develop a comprehensive strategy and roadmap for a vibrant and robust cybersecurity industry and economy in the State.
- Increase the number of cybersecurity practitioners.
- Continue investment in cybersecurity programs throughout the education pipeline.
- Promote collaboration, innovation, and entrepreneurship in cybersecurity.
Proposed Texas Cybersecurity Education Pipeline
Questions?
Back-up
Proposed Cyber Star Build Plan
- Under the Business Executives for Texas Security (BETS) partnership, establish a Cyber Star Council (60 days)
  - Members appointed by governor
  - Two professional staff members hired to administer program
- Solicit concepts and white papers
  - Council releases public solicitation seeking industry and academic best practices
  - Council develops single program set of best practices from public input
  - Council develops program participation criteria
National Best Practices (from SANS)
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware/Software on Laptops, Workstations, and Servers
- Continuous Vulnerability Assessment and Remediation
- Malware Defenses
- Application Software Security
- Wireless Device Control
- Data Recovery Capability (validated manually)
- Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Limitation/Control of Network Ports, Protocols, and Services
- Controlled Use of Administrative Privileges
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Security Audit Logs
- Controlled Access Based on the Need to Know
- Account Monitoring and Control
- Data Loss Prevention
- Incident Response Capability
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
Participation Framework
Public and private institutions in the state of Texas must work to develop a baseline set of measurable responsibilities, capacities, and policies regarding their preparation for and capability to respond to cyber events that compromise the confidentiality, integrity, and availability of their information systems. These systems are critical to the economic and social well-being of the state's government, commercial, and educational entities.
Texas entities that meet the participation criteria and have implemented best practices may voluntarily self-certify annually to receive an approval certificate from the Council, and approval to publicly cite Cyber Star program certification.
Voluntary Self-Certification
How it would work:
- Texas company decides to voluntarily implement the Cyber Star best practices
- Company prepares a brief summary of the steps taken to implement the best practices
- Company CEO sends a letter to the Cyber Star Council certifying that the firm has implemented the best practices
- Council sends the company an annual Cyber Star certificate and a digital logo it can display
Texas entities that meet participation criteria may also elect to contract with an approved, third-party Cyber Star certifier for an official certification each year. Entities receiving exceptional scores shall be eligible for annual program awards.
Third-Party Certification Option
How it would work:
- Texas company decides to voluntarily implement the Cyber Star best practices.
- Company decides to invest in a third-party evaluation and contracts with a Cyber Star Council-approved certifier (very similar to FISMA compliance today).
- The certifier evaluates the company's cybersecurity and certifies that it has successfully implemented the Cyber Star best practices, giving it a score of 95%.
- Cyber Star Council recognizes the company as an exceptional Cyber Star performer due to its outstanding certification score.