Alberta's Approach To An ITM Control Framework
Presentation Transcript

  • ALBERTA’S APPROACH TO AN INFORMATION AND TECHNOLOGY POLICY AND CONTROL FRAMEWORK
  • AGENDA
    • OAG, Privacy Commissioner and Quality
    • Alberta’s Approach to ITM Policies, Controls and Frameworks
    • The Web 2.0 Impact
    • What We Have Learned
  • OAG, PRIVACY COMMISSIONER RECENT MEDIA
  • OAG and Media
    • Alberta Gov't records at risk of hacking: A-G
    • EDMONTON - The auditor general's office found electronic "footprints" showing that confidential government records had been accessed by outside sources, Fred Dunn said this morning as he outlined his annual report.
    • Alexandra Zabjek and Archie McLean, edmontonjournal.com
    • Published: Thursday, October 02
    • Trust betrayed by multiple lapses in Gov't computer security. Actual breaches minor, but why were databases left unprotected? Invaders from Eastern Europe and Asia could have already infiltrated Alberta - and the government's most top-secret information -- says Alberta's auditor general.
    • Paula Simons, The Edmonton Journal
    • Published: Friday, October 03
    • We are lucky indeed to have an active auditor general's office with the mandate and chutzpah to keep tabs on those who spend our money.
    • Edmonton Journal
    • Published: Saturday, October 04
  • Privacy Commissioner
    • Information and Privacy Commissioner in support of Auditor General Recommendations: Information and Privacy Commissioner Frank Work fully supports recommendations made by the Auditor General with respect to security and protection of information assets of the Government of Alberta. The Auditor General, among other things, is recommending establishment of a central security office to oversee all aspects of information security across all Government of Alberta ministries and departments.
  • Not just AB, Canada but all Governments GovernmentExec.COM
    • If Alberta is like almost every other government in the world, skilled hackers got in and out with little notice. … And they're probably still hiding in a closet ready to pounce.
    • In all fairness, Alberta is not alone. Attacks on Web applications are now considered one of the most worrisome for government information security folks.
    • Targeted attacks on computers and vulnerabilities in Web applications topped the list of threats to government and industry information systems in 2007, according to a new report from the SANS Institute. While proper security measures can help lock down agency systems, employees are easily duped by the increasingly sophisticated methods of hackers.
    • "This is an arms race; each time we set up a defense, the people who are attacking raise the sophistication of the attack," said Alan Paller, Director of Research at the SANS Institute. "For a lot of years, the sophistication was in how well they could find vulnerabilities in the system. What's different is that as they have been blocked in most simple vulnerabilities, they've come up with two completely new ones that most federal agencies aren't even thinking about."
    • One emerging threat lies with Web applications, which accounted for half the total vulnerabilities reported in 2007, according to TippingPoint, an intrusion prevention systems vendor in Austin, Texas. And that figure doesn't include custom-developed Web applications, which are particularly prevalent in government.
  • ALBERTA OAG
    • WE NEED THE AUDITOR TO SAVE OURSELVES FROM SELF DESTRUCTION, SELF MUTILATION AND
    • WE NEED TO PROTECT OUR INVESTMENTS, OUR INFORMATION BUT ALSO CONTINUE TO DELIVER SERVICE WHICH MEANS UNDERSTANDING AND BALANCING RISK
  • ALBERTA’S APPROACH TO AN ITM CONTROL FRAMEWORK
  • Alberta’s Challenges
    • ITM policies were developed in reaction to ‘new technology’ and OAG
      • could not keep up with continuous change
      • did not withstand the test of time
      • increased management burden
      • no alignment
    • Increased complexity of reorganizations and restructuring
    • Gaps and overlaps caused exposure to unnecessary business, project execution and operational risks (134 ‘policies’ – 4 Ministries)
    • Limited flexibility as policies were prescriptive
  • ALBERTA ITM Control Framework (layers, top to bottom)
    • Overall Strategic Direction & Vision
    • Strategic & Tactical Policies
    • Supporting Controls (Processes, Standards, Guidelines)
  • Forrester Research IT Compliance Life Cycle [diagram: Phase I, Phase II, Phase III - Ongoing Management]
  • Drivers
    • Enterprise governance: Legislation (Basel II, Sarbanes-Oxley Act etc.), business goals, performance and conformance, COSO
    • IT governance: COBIT, ITIL, balanced scorecard
    • Best practices, controls and frameworks: Security (ISO/IEC 2700x), Quality Management (ISO/IEC 9001:2000), IT Service Management
    • CoBIT, Legislation & Other Frameworks
  • CoBIT Maturity Model - understand where IT and business are for each control (Maturity Level: Status / Establishment)
    • 0 – Non-existent: No recognition of need to control / No intent to assess the need for control
    • 1 – Initial / ad hoc: Some ad hoc recognition of need to control / No awareness of need to assess what controls are needed
    • 2 – Repeatable but intuitive: Controls in place but not documented / Assessment of control need occurs only when necessary
    • 3 – Defined: Controls are in place and adequately documented / Critical controls and processes are identified based on value and risk drivers
    • 4 – Managed and Measurable: Effective control and risk management environment / Control criticality regularly defined with full support of business owners
    • 5 – Optimized: Enterprise-wide risk and control programme provides continuous and effective control and risk resolution / Business changes consider the criticality of controls and cover any need to reassess control capability
  • Layers of ITM Control Framework
  • Layers in ITM Alignment Map ITM Control Framework Overview
  • Decide Who Owns (leads) What Control
    • Security/Privacy Incident Reporting
  • UNDERSTAND WHOSE CONTROLS Trigger OTHERS’ CONTROLS ITM Control Framework Overview
  • WEB 2.0 What do we need to know about and consider while we are developing policies, frameworks, standards and controls?
  • Web 2.0 at Advanced Education and Technology [architecture diagram]
    • Stakeholders: Internal, P.S.I. Institutes, Other Stakeholders
    • Services: Identity Management, A & A, Real-Time Communications, Dashboard, Presence (People, Place, Time), Collaboration Integration
    • Business Apps (SFS, ATOMS, PAPRS, SHR); Desktop Apps (Calendar, Word, PowerPoint)
    • Strategies: Information Strategy (Information & Knowledge), Web Strategy (Content, Information, Applications)
    • Collaboration Tools: Unified Msg, Web Conference, Video Conference, Instant Msg, IP Enabling Contact Centers, Room to Room Video over IP
    • Networks: Public | Wireless Network | LAN/GOA Domain; Supernet; Centrix | PSTN; VPNs
  • WEB 2.0 Impact (Mid 1990-2000s vs. WEB 2.0 Value Proposition)
    • Knowledge/Info: Centralization vs. Decentralization
    • Training: Waterfall/RUP meant training was at the end vs. Training is at the beginning, through self training and each other
    • Cultural Change: Business performed and information in silos vs. Collaboration, openness, joint problem solving
    • Business Work Style: Feature and information overload vs. Simple, easy to use; business has become technology savvy through self training
  • WEB 2.0 Impact, continued (Mid 1990-2000s vs. WEB 2.0 Value Proposition)
    • Home / Work Tools: Work, more tools vs. Home/work tools the same
    • Labour Shortages (attract Gen X, Y and Millennials): Governments cutting vs. Everyone recruiting
    • Generation X Expectations: Grassroots vs. Managers understand how technology can help productivity
    • IT Organization's Gate Keepers: Privacy/security force IT to protect castles vs. Business will go around any blocking we put in because they CAN and they WANT IT
  • Centralized Control Versus Decentralized Information Sharing (Balancing Opportunities/Risks) (Mid 1990-2000s vs. WEB 2.0 Value Proposition)
    • Privacy/Security: IT and SMEs guardians vs. End user behaviors guided by principles
    • Managing Information and Records: IT and SMEs guardians, overwhelmed by increased volume vs. End users accountable for information, supported by tools provided by IT and SMEs
    • Information Silos: Caused by not working together and sharing vs. Caused by collaborating and working together but outside of centralized, controlled tools
    • Policy, Authorized, Authoritative Sources: Policy and authority decentralized - IT just starting to centralize vs. Policies and accountability principle-based on understanding and trust
  • Centralized Control Versus Decentralized Information Sharing, continued (Mid 1990-2000s vs. WEB 2.0 Value Proposition)
    • Technology Delivery and Expectations: IT plans aligned after business plans vs. IT-specific visions, plans and strategies plus business alignment
    • Service Responsiveness: IT and SMEs required to implement policies and controls vs. Policies and controls need to demonstrate value
    • Enterprise Tool Investments: Created to share investment and reduce information silos vs. Still required, but only for information sources where information needs to be protected
  • ALBERTA’S PLANS, VISIONS AND STRATEGIES WHAT WE LEARNED ABOUT HOW WE NEED TO PLAN BECAUSE OF CONTROLS, EXPECTATIONS, AND WEB 2.0
  • Vision: All Plans – Relationships [diagram]
    • Inputs: Web 2.0; Advanced Education & Technology Business Plan & Policy; Cross-Government Initiatives; GoA Information & Services Strategy; GoA Enterprise Architecture; GoA Business Plan
    • Stakeholder input: Post Secondary Institutions, Learners/Parents/Public/other Stakeholders, Research Institutes; PSI Plans & Architecture
    • Planning horizon: 7 Year ITM Vision; 5 Year ITM Strategies; 3 Year ITM Plan (Maintenance, Operations, Initiatives, Standards); 1 Year Operational Plan
    • ITM Policy Framework and Operational Controls
  • Advanced Education and Technology in 2014 [diagram]
    • Vision: the “Right Info” and “Right Services” at the “Right Time” at the “Right Place” to answer the “Right Question” for the “Right Person”
    • Path: Test & Demo, Pilots, Testing & Training
    • Supporting strategies: Identity Management Strategy; Information Management Strategy; Web Strategy; GOA Information & Services Strategy; Unified Communications Strategy