Security Fabric Strategy Road Map
Presentation Transcript

  • Security Fabric Strategy Road Map: Transformation of ODOT Business via Enterprise Security Bills, Policies, & IT Initiatives
    Presented to CIO Management Council on September 14, 2007
    Ben Berry, Chief Information Officer, ISB
    Lisa Martinez, Business Services Manager, SSB
    Peter van den Berg, Deputy Chief Information Officer, ISB
  • Overview of Bills, Policies and Initiatives
    • DAS 107-004-050 Information Asset Classification Policy
    • DAS 107-004-051 Controlling Portable and Removable Storage Devices
    • DAS 107-004-052 Information Security
    • DAS 107-004-053 Employee Security
    • DAS 107-004-100 Transporting Confidential Information
    • DAS Statewide Policy 1.3, Acceptable Use of Information Related Technology
    • Senate Bill 583, 2007 Legislative Session (ID Theft)
    • Various ODOT security-related policies
      • ODOT ADM 05-08-01 Acceptable Use Policy
      • ODOT ADM 04-20 Information Security
      • ODOT Information Security Guidelines
    • Administrative Criminal Background Checks Rules
    • Business Continuity Planning
    • Enterprise Content Management
    • Identity and Access Management (TIM/TAM)
    • Payment Card Industry (PCI) Compliance
  • Resource Work Collaboration Team (organization chart)
    • Matt Garrett, Agency Director
    • Ben Berry, Agency CIO
    • Lines of business: DMV, IS, Highway, Motor Carrier, Other Lines of Business
    • Enterprise Security Policies Initiative: Resource Work Collaboration, Delegated Authority
    • Information Security Unit (Karina Stewart)
    • Technology Management (Virginia Alster)
    • FileNet Program (Ron Winterrowd/Lisa Martinez)
    • Communications Plan (Team)
    • Keith Nardi, Deb Frazier, Ric Listella
    • Lisa Martinez (Business), Peter van den Berg (Information Systems)
  • Why a “Security Fabric”? Legacy of Point-to-Point Services
    • COMPREHENSIVE. Securing each of our legacy point-to-point information services individually is much more difficult to maintain; a security fabric covers all of them with one set of practices.
    • INVISIBLE BUSINESS PROCESSES. Many business processes are invisible because staff carry out processes that are not necessarily written down.
    • LEVERAGE ACROSS AGENCY AND ENTERPRISE. A security fabric is meant to leverage secure practices across multiple organizational functions and business units.
  • What is a Security Fabric?
    • A Security Fabric is a services-driven design approach that integrates business and security strategies to provide a common, holistic approach to security compliance and that leverages existing and new security policy functionality across agency business lines.
    • The strategy of a Security Fabric includes:
        • Integration with elements of each of the security policies, where applicable.
        • Providing security through the sharing and reuse of security services and processes across the agency and/or enterprise.
        • Streamlining secure practices across existing business processes for greater efficiency and productivity.
    • The approach for a Security Fabric:
        • Leverage existing business practices, IT investments and standard operating processes.
        • Adopt Community of Practice templates for the Information Asset Classification Policy to ensure compliance in classifying data: Data Classification Levels 1, 2, 3 & 4, each with rules for labeling, handling, storage, retention and disposal/destruction.
    • Standards allow security processes to be designed for reuse:
        • Components that can be used over and over again among different lines of business, for example Active Directory Group Policies or other standard physical security practices.
        • Use of standardized procedures and interfaces, and adherence to the standard data classification.
  • Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business, Not a Silo Approach
    • Enterprise Security Domains: define the statewide security policies, bills and initiatives that are within the scope of the change. Listed: Information Asset Classification; Controlling Portable and Removable Storage Devices; Information Security; Employee Security; Transporting Confidential Information; Acceptable Use of Information Related Tech.; Senate Bill 583; Other Functional Domains.
    • Agency Service Domains: define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains). Listed: DMV; Motor Carrier; Highway; Transportation; Rail and Others.
    • Agency Policies & Practices: define the ODOT internal policies and practices impacted by the Security Fabric effort. Listed: ODOT Acceptable Use Pol.; ODOT Information Security Pol.; ODOT Info. Security Guideline; Admin Criminal Background; Enterprise Content Management; Identity & Access Management; Payment Card Industry - PCI.
    • Functional domain labels repeated across the diagram: Submission Processing; Customer Service; Manage Taxpayer Accounts; Reporting Compliance; Filing & Payment Compliance; Criminal Investigation; Internal Management; Other Functional Domains.
  • Key Business Drivers & Challenges Impact
    Enable Transformation
    • Enable the Agency transformational business plans and the IT Strategic Plan by leveraging multiple-use or dual-use strategies for complying with the security policies.
    • Proactively blur the boundary between legacy and new information business requirements through early adoption of the enterprise security policies (early adoption reduces time to market).
    Agility
    • Create secure business and technology processes and an architecture that can support changing regulatory, business and customer needs.
    • Unlock the power of secure data transfer for transformation of the business, including mobile data where applicable.
    • Create a flexible security architecture that is aligned with the State’s Enterprise Security Office and the State Data Center.
    Service Reuse
    • Leverage common processes, applications and infrastructure services to achieve operational security, efficiencies and cost savings.
    • Enable an ongoing low-cost approach to maintaining a secure presence for the Agency’s complex business processes, freeing capital for other value-added capabilities.
    • Enable information-based services to use an IT security fabric built on existing middleware applications such as Active Directory and Tivoli’s Identity Management and Access Management (TIM/TAM) security applications.
    Simplification
    • Improve the security of existing secure processes and systems by adopting a holistic, integrated approach to common secure practices.
    • Reduce the number of one-off custom approaches to securing information assets.
    • Establish common security services across multiple agency and enterprise policies.
    • Reduce the complexity of security solutions.
    (Diagram: ODOT Security Fabric Context, Agency Business Requirements)
  • Security Fabric Strategy Map: In the Future Implementation State, Gaps Exist That Will Need to be Filled
    Gap analysis matrix. Columns: Policy / Procedure / Practice / Initiative; DAS Policy Current State; Agency Policy Current State; Future State Requirements; Gap Analysis. Rows:
    • DAS 107-004-050 Information Asset Classification
    • DAS 107-004-051 Controlling Portable and Removable Storage Devices
    • DAS 107-004-052 Information Security
    • DAS 107-004-053 Employee Security
    • DAS 107-004-100 Transporting Information Assets
    • SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Identity Theft Protection Act
    • Agency Lines of Business
    Rows are marked with an X against the applicable columns.
  • Common Security Policy Services
    Service life cycle: Plan (CoP), Define, Design, Build, Deploy, Maintain. Outputs: Generate Secure Customer Service; Generate Secure Cross-Agency Response.
    • BUSINESS PERSPECTIVE. Promotes a business perspective around potential secured shared services.
    • EFFICIENT. Drives efficiencies and reuse across the Agency.
    • BEST PRACTICES. The Common Security Practice Framework will be refined based on lessons learned from initial security service deployments.
    (Diagram: Common Security Policy Framework, with Business Services, Inputs and Outputs)
  • Security Fabric Framework Based Upon 3 Core Areas: Holistic Security Practices; Platforms, Templates and Toolsets; and Security Governance
    Layers of the framework: Agency Business Functional Services (business unit and broad-based practices and procedures); Agency Application Services (application integration / shared services such as FileNet and others); Agency Infrastructure Services (agency-wide utility functions and solutions such as Active Directory, TIM/TAM and encryption); Enabling Security Technology (middleware, physical tools and devices); Information; Current Activities. Security Governance and Platforms, Templates & Toolsets are shown alongside the layers as the Security Services that deliver the Holistic Security Practices.
    • There are different types of line-of-business services that need protection, both Agency and Enterprise focused.
    • All require agency governance for an initial and ongoing, sustainable security fabric presence.
    • ODOT is engaged in a multi-variant approach that focuses first on the areas that provide the highest level of security, ordered from easy to hard to implement. Given each policy’s target timeline, high-value security responses will be addressed first.
  • As Our Security Fabric Strategy Matures We Will Transition From Opportunistic and Project-Level to Enterprise-Level Security Policy Practice
    (Chart: scope, low to high, against time/maturity, from Opportunistic to Enterprise.) Items plotted: Info Asset Classification Level 4; Info Asset Classification Level 3; Info Asset L2; SB 583; Digital Signatures; Info Asset L1; Integration; Active Directory Group Policies; Employee Security Policy; ISBRA Security; TIM/TAM Identity Management; Transporting Info Assets; Information Security Policy; Controlling Removable Storage Devices; Acceptable Use Policy; ID Theft Training.
  • Action Items and Implementation Dates
    • June 27, 2007: DAS 107-004-100 Effective
    • Today (September 14, 2007)
    • October 1, 2007: SB 583 (except Section 12) Effective
    • January 1, 2008: SB 583 Section 12 Effective
    • January 31, 2008: DAS 107-004-053 Effective
    • July 1, 2008: DAS 107-004-050 Level 4, Critical Effective
    • July 30, 2008: DAS 107-004-051 Effective
    • January 1, 2009: DAS 107-004-050 Level 3, Restricted Effective
    • July 1, 2009: DAS 107-004-050 Level 2, Limited Effective
    • July 30, 2009: DAS 107-004-052 Effective
    • Legend:
      • DAS 107-004-050 Information Asset Classification
      • DAS 107-004-051 Controlling Portable and Removable Storage Devices
      • DAS 107-004-052 Information Security
      • DAS 107-004-053 Employee Security
      • DAS 107-004-100 Transporting Information Assets
      • SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Identity Theft Protection Act
  • Sustainable Security Practice Identification & Deployment: Requires a Broad-Based Security Policy Governance Process
    • Impacts to People, Process & Technology
    • Security Services are delivered through Agency initiatives or projects
    • Security life cycle processes are supported by both Business and Information Services
    • Development of the Security Policy Response is guided by a multi-unit team (Resource Work Collaboration Team)
    • Communication & Training are required for people supporting each of the Sustainable Security Fabric life cycle processes
    Iterative Sustainable Security Fabric Services Life Cycle (under GOVERNANCE): starts with DAS Security Policies & SB 583 business process requirements (Policy Requirements); Design security service response; Construct security service; Process / architectural review; Test security service; Deploy security service; Operate / monitor security service; Measure effectiveness; Service Repository for use/reuse of policy-driven services.
  • Next Steps
    • Governance Organization: manage & monitor ongoing security agreements
    • Apply a multi-phased approach to implement and maintain the proposed Security Fabric
      • Phase 1:
        • Conduct Management Awareness training by line of business
        • Achieve resource commitment and sponsorship
      • Phase 2:
        • Establish Security Task Force
        • Hire Project Manager
        • Establish deliverables
        • Develop necessary policies, guidelines, procedures
        • Develop Security Fabric Implementation Strategy
        • Develop agency-wide communication/training plan
      • Phase 3:
        • Implement Security Fabric
        • Conduct agency-wide awareness and compliance training
      • Phase 4:
        • Maintain Security Fabric
  • CIO Management Council Briefing: Security Fabric Strategy Road Map