Building a More Secure and Prosperous Texas through Expanded Cybersecurity




Building a More Secure and Prosperous Texas through Expanded Cybersecurity
Bob Butler, Chairman, Texas Cybersecurity, Education and Economic Development Council
April 2013

About the Texas Cybersecurity Council
- The Texas Cybersecurity, Education and Economic Development Council (TCEEDC) was established in 2011 by the Texas Legislature and Governor by Senate Bill 988
- The legislation directed that the council have nine members from across government, academia, and industry
- The Council was chartered to provide recommendations regarding ways to:
  - Improve the infrastructure of the state's cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education
  - Examine specific actions to accelerate the growth of cybersecurity as an industry in the state

Advancing a Cyber Secure Infrastructure for Texas
- Establish a state level coordinator for cybersecurity.
- Establish the Business Executives for Texas Security (BETS) partnership.
- Establish a Cyber Star program to foster improvement of cyber resiliency in both private and public infrastructure in the state as well as increasing public trust.
- Adopt the Community Cyber Security Maturity Model (CCSMM) as a statewide guide for development of the processes leading to a viable and sustainable cybersecurity program and to help develop a culture of cybersecurity throughout the State.
- Update the duties and powers of the Texas Department of Information Resources.

Proposed State Cyber Coordinator Role
(slide contains a diagram only)

Proposed CyberStar Program
- Process-driven model that encourages continuous innovation with risk mitigation
- Private and public sector mutually incented, and protected physically and legally
- Enables application of resilience framework across all objectives: protect/deter, detect/monitor, constrain/isolate, maintain/recover, and adapt

Developing the Cybersecurity Industry in the State
- Develop a comprehensive strategy and roadmap for a vibrant and robust cybersecurity industry and economy in the State.
- Increase the number of cybersecurity practitioners.
- Continue investment in cybersecurity programs throughout the education pipeline.
- Promote collaboration, innovation, and entrepreneurship in cybersecurity.

Proposed Texas Cybersecurity Education Pipeline
(slide contains a diagram only)

Questions?

Back-up

Proposed Cyber Star Build Plan
- Under the Business Executives for Texas Security (BETS) partnership, establish a Cyber Star Council (60 days)
  - Members appointed by governor
  - Two professional staff members hired to administer program
- Solicit concepts and white papers
  - Council releases public solicitation seeking industry and academic best practices
  - Council develops single program set of best practices from public input
  - Council develops program participation criteria

National Best Practices (from SANS)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware/Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation/Control of Network Ports, Protocols, Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

Participation Framework
- Public and private institutions in the state of Texas must work to develop a baseline set of measurable responsibilities, capacities and policies regarding their preparation for and capability to respond to cyber events that compromise the confidentiality, integrity, and availability of their information systems. These systems are critical to the economic and social well-being of the state's government, commercial, and educational entities.
- Texas entities that meet the participation criteria and have implemented best practices may voluntarily self-certify annually to receive an approval certificate by the Council, and approval to publicly cite Cyber Star program certification.

Voluntary Self-Certification
How it would work:
- Texas company decides to voluntarily implement the Cyber Star best practices
- Company prepares brief summary of the steps taken to implement the best practices
- Company CEO sends a letter to the Cyber Star Council certifying that firm has implemented the best practices
- Council sends company an annual Cyber Star certificate and digital logo it can display
Texas entities that meet participation criteria may also elect to contract with an approved, third-party Cyber Star certifier for an official certification each year. Entities receiving exceptional scores shall be eligible for annual program awards.

Third-Party Certification Option
How it would work:
- Texas company decides to voluntarily implement the Cyber Star best practices.
- Company decides to invest in a third party evaluation and contracts with a Cyber Star Council approved certifier (very similar to FISMA Compliance today).
- The Certifier evaluates the company's cybersecurity and certifies they have successfully implemented Cyber Star best practices, giving them a score of 95%.
- Cyber Star Council recognizes company as an exceptional Cyber Star performer due to their outstanding certification score.