Real World Application of US Technical Advisory Group IT ...Presentation Transcript
An Oregon State Government Case Study: Real World Application of IT Standards
Presented by Ben Berry, CIO, Oregon Department of Transportation
March 10, 2009
The United States JTC1-SC7 Technical Advisory Group (US-TAG) and MSI Systems Integrators, sponsors of the Spring 2009 Meeting
Two World Trade Center, "Mezzanine 5" room, Portland, Oregon
http://www.oregon.gov/ODOT/CS/ISB/cio_report.shtml
Technology Standard: Information Technology Infrastructure Library (ITIL)
US TAG members are co-authors (contributing authors) of ITIL v2 (a framework reference).
Shared Vision: State Data Center
State Data Center Infrastructure Utility diagram (labels recovered from the slide):
Agency-specific: Program & Customer Relationship Management; Development & Testing Environment; E-Gov and Line-of-Business Applications
Shared CNIC roles & responsibilities: WAN switches; LAN switches; routers; internetworking; software management; software distribution; SLA management; change management; process reporting; security; charge back; performance management; data gathering; surveillance; capacity planning; data cable infrastructure; end user help desk
ITIL Foundation: IT Infrastructure Library Overview (Business and Technology views)
ITIL – Planning to Implement Service Management; The Business Perspective; Application Management; ICT Infrastructure Management; Service Management (Service Delivery, Service Support); Security Management
The State is currently focused on implementing an ITIL v2 service management framework, which is closely linked with the ISO/IEC 20000 IT Service Management standard, in whose development the US TAG has taken a leadership role.
ISO/IEC 20000 is now the fifth most referenced IT standard in ISO's catalog.
ITIL Foundation Process Chart (reference for users)
IT Service and Process Maturity Model
The model illustrated below describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process for improving service for all the State Data Center focus areas.
Maturity model chart (labels recovered from the slide; position markers shown: 2006, 2007, 2008, 2009, 2010-11 and 2011-12 positions):
Level 0 – Chaotic: Ad hoc; Undocumented; Unpredictable; Multiple help desks; Minimal IT operations; User call notification
Level 1 – Reactive: Best effort; Fight fires; Inventory; Initiate problem mgt process; Alert and event mgt; Monitor availability
Level 2 – Proactive: Analyze trends; Set thresholds; Predict problems; Automate; Mature problem, configuration, change, asset and performance mgt processes
Level 3 – Service: Define services, classes, pricing; Understand costs; Set quality goals; Guarantee SLAs; Monitor and report on services; Capacity planning
Level 4 – Value: IT and business metric linkage; IT/business collaboration improves business process; Real-time infrastructure; Business planning
Chart rows: Tool Leverage; Service and Account Management; Business Management; Service Delivery Process Engineering; Operational Process Engineering; ROI Mgmt.
The higher the rated maturity of an organization (i.e., its CMMI level), the more likely the organization is to seek guidance from existing standards, such as ISO/IEC 20000 IT Service Management or ISO/IEC 38500 IT Governance.
Well-defined processes and assessment mechanisms (as outlined in these standards) are hallmarks of CMMI Levels 3 and 4.
Oregon congratulates the US TAG on developing these standards. The State of Oregon has elected to apply these very relevant industry standards to improving capability and maturity in support of its State Data Center.
Capability Maturity Model Integration (CMMI).
Utility Computing Maturity Model
The model illustrated below describes an evolutionary improvement path from a dedicated, non-standard, inefficient technical environment to a mature, efficient, on-demand utility computing service.
The ISO/IEC 27000 family of security standards originates within the US TAG for JTC1-SC27 (IT Security); this group, JTC1-SC7, covers IT Systems Engineering and Lifecycle.
As such, ODOT and Oregon's State Data Center are customers of these industry standards and of the standards bodies that created them.
ODOT is working against ISO/IEC 27000, which has been very valuable as a standard and to the industry standards development process as a whole.
Here are the asset accomplishments to date.
ISO/IEC 27000 Security Standards
Balanced Score Card of State Data Center Accomplishments (quadrants: Standardization; Consolidation; Increasing Capacity; Operations, where Operations = IT Standards Implications):
10 pSeries Utility Servers
5,391 FY07 Agency Requests
9,706 FY08 Agency Requests
Virtual & Blade Center Technology Installed
High speed Redundant NW (area specific)
233 Server Consolidations
Enterprise Event Monitoring
2 Mainframe Upgrades
50% of NW & Security Equipment Standardized
3 to 1 MF Consolidation
On-Net Phone Systems Upgrades
iSeries Standard OS
iSeries Upgrades
40% Storage Capacity Increases
Virtual Tape System
Automated Tape Library
Rate Methodology and Rates
Power & Consumption Management
Service Catalog
New Disaster Recovery Requirements
NW Intrusion Detection
Security, Tools, & Adm. Standardization
2 p590 Unix Servers
NW Bandwidth
Email hub Upgrades
73 Servers
172 FY07 Contracts & Maintenance Renewals
340 FY08 Contracts & Maintenance Renewals
435 TB of Tiered Storage
Security Encryption
Technology Standard: ISO-based Information Security (ISO 27001:2005 and 27002:2005)
Shared Vision: ODOT's Security Fabric
As ODOT's Security Fabric Strategy matures, we will transition from opportunistic and project-level to enterprise-level security policy practices.
Roadmap chart (axes: Scope, Low to High; Time/Maturity, Opportunistic to Enterprise; legend: In Work, Cancelled, Not Planned; one item is marked Cancelled Q1 2009). Initiatives shown:
Info Asset Classification Pilot 1 - OIT
Info Asset Classification Pilot 2 - SSB
Info Asset Classification Pilot 3 – Region 2
Info Asset Classification Levels 4, 3, 2, and 1
Identity Theft SB 583
Digital Signatures Integration
Active Directory Group Policies
Employee Security Policy (Q1 2009)
ISBRA Security
TIM/TAM Identity Management
Transporting Info Assets
Information Security Policy
Controlling Removable Storage Devices (Nov 2008)
Acceptable Use Policy
ID Theft Training
Encrypt DMV Field Office Network
Encrypt Laptops
Incident Management Plan
Information Security Business Risk Assessment
Enable the Agency's transformational business plans and IT Strategic Plan by leveraging multiple-use or dual-use strategies for complying with the Security Policies.
Proactively blur the legacy and new information business requirements boundaries through an early adoption of the enterprise security policies. (Reduce time to market by early adoption.)
Create secure business and technology processes and an architecture that can support changing regulatory, business and customer needs.
Unlock the power of secure data transfer for transformation of the business, including mobile data where applicable.
Create a flexible security architecture that is aligned with the State’s Enterprise Security Office and the State Data Center.
Leverage common processes, applications and infrastructure services to achieve operational security, efficiencies, and cost savings.
Enable an ongoing low cost approach to maintain a secure presence for the Agency’s complex business processes to free capital for other value added capabilities.
Enable information-based services to use an IT security fabric built on existing middleware applications such as Active Directory and Identity and Access Management security applications.
Improve the security of existing secure processes and systems by adopting a holistic, integrated approach to common secure practices.
Reduce the number of one-off custom approaches to securing information assets.
Establish Common Security Services across multiple agency and enterprise policies
Reduce Complexity of Security Solutions
Simplification
ODOT Security Fabric Context: Agency Business Requirements
Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business. The Goal: Not a Silo Approach.
Enterprise Security Domains: Define the statewide security policies, bills and initiatives that are within the scope of the change.
Agency Service Domains: Define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains).
Agency Policies & Practices: Define the ODOT internal policies and practices impacted by the Security Fabric effort.
Other labels on the diagram: ODOT Acceptable Use Policy; ODOT Information Security Policy; ODOT Information Security Guideline; Admin; Criminal Background; Rail and Others; Enterprise Content Management; Identity & Access Management; DMV; Motor Carrier; Highway; Transportation; Payment Card Industry (PCI); Information Asset Classification; Controlling Portable and Removable Storage Devices; Information Security; Employee Security; Transporting Confidential Information; Acceptable Use of Information Related Technology; Senate Bill 583; Other Functional Domains.
Template rows repeated on the slide: Submission Processing; Customer Service; Manage Taxpayer Accounts; Reporting Compliance; Filing & Payment Compliance; Criminal Investigation; Internal Management; Other Functional Domains.
Security Fabric Strategy Map: In the future implementation state, gaps exist that will need to be filled.
Table columns: Gap Analysis; Future State Requirements; Agency Policy Current State; DAS Policy Current State; Policy / Procedure / Practice / Initiative.
Table rows:
DAS 107-004-050 Information Asset Classification
DAS 107-004-051 Controlling Portable and Removable Storage Devices
Agency Lines of Business
Senate Bill 583 Gap Analysis (Identity Theft)
Security Fabric
(Cells are marked with X where a gap or requirement applies; the individual cell values are not recoverable from the slide.)
Security Fabric Framework based upon 3 core areas: Holistic Security Practices; Platforms, Templates and Toolsets; and Security Governance.
Framework diagram labels: Agency Business Functional Services; Agency Application Services; Agency Infrastructure Services; Application integration / shared services (FileNet, others); Business unit from broad-based Practices and Procedures; Agency-wide utility functions and solutions (Active Directory, Identity & Access Mgt., Encryption); Security Governance; Platforms, Templates & Toolset.
Both Agency and Enterprise line-of-business services need protection and focus.
All require agency governance for an initial and ongoing sustainable security presence.
ODOT is taking a multi-pronged approach, focusing on the areas that provide the highest level of security and ordering them from easy to hard to implement.
Given each policy’s target timeline, high value security responses are addressed first!
Current Activities diagram labels: Enabling Security Technology (middleware, physical tools and devices); Information; Holistic Security Practices; Security Services.
Sustainable Security Practice of Identification & Deployment:
Impacts to People, Process & Technology
Security Services are Delivered Through Agency Initiatives or Projects
Security Life Cycle Processes are supported by both Business and Information Services
Development of Security Policy Response is Guided by multi-unit team (Resource Work Collaboration Team)
Communication & Training are required for people supporting each of the Sustainable Security Fabric lifecycle processes
Starts with Dept. of Administrative Services Security Policies & Senate Bill 583 (Identity Theft) for Personally Identifiable Information requirements.
Iterative Sustainable Security Fabric Services Life Cycle (under GOVERNANCE). Stages shown on the cycle diagram: Define Policy Requirements; Design Security Service Response; Construct Security Service; Test Security Service; Deploy Security Service; Operate / Monitor Security Service; Measure Effectiveness; Conduct Process Architectural Review; Use/Reuse Policy Driven Service; Service Repository.