ISM in the ILM (Information Lifecycle Security Management)
Barry Caplin, Chief Information Security Officer, Minnesota Department of Human Services, [email_address]
Secure360, May 18, 2006, 10:00-11:00 a.m.
Agenda
DHS Overview
Enterprise Security Strategy
Build Security In?
Information Lifecycle Security Management
MN DHS
Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential
Consumers include:
seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
families with children in a financial crisis
parents who need child support enforcement or child care money
people with physical or developmental disabilities who need assistance to live as independently as possible
MN DHS
Direct service through:
DHHS – Deaf and Hard of Hearing Services
SOS – State Operated Services includes
RTCs – Regional Treatment Centers, including St. Peter, Moose Lake
Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)
State-run group homes
New community-based treatment centers
State-run nursing home – Ah-Gwah-Ching
MN DHS
Administrations (Divisions):
CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility
Chemical and Mental Health Services – including SOS
Health Care Administration and Operations
Continuing Care
FMO – Finance and Management Operations – including Information Security, IT
MN DHS
Programs are state-administered, county-delivered
Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services
One of the largest state agencies
2,500 central office (CO) staff, 5,000 distributed SOS staff
State and Federal funding
Enterprise Security Strategy
Security Strategy - The 10,000-Foot View
Information Security Governance Framework (COBIT Security Baseline)
People
Organization
Awareness
Technology
Operations
Architecture
Enterprise High-Level Functions
Information Risk Management
Information Policy
Information Lifecycle Management
Process
[Figure: Security Strategy. The governance layer (organization, operations, architecture, awareness, people, technology) sits over the enterprise high-level functions (IRM, Policy, ILM) and their Processes.]
[Figure: Security Strategy, 4 C's (Confidence, Credibility, Communication, Compliance) overlaid on the same governance layer, functions (IRM, Policy, ILM) and Processes.]
Build Security In?
Build Security In
What do we mean by this?
Everyone says it… but how?
https://buildsecurityin.us-cert.gov/portal/
Why Build Security In?
Cost – “measure twice, cut once”
Efficiency – build it “right” the first time
Time – fixing problems found late will likely delay production use
[Figure: Information Lifecycle Security Management overlaid on the lifecycle phases Concept, Analysis, Design, Develop, Deploy, Operate, Major Release and Dispose, spanning the Software Development Lifecycle (SDLC) and the Maintenance Lifecycle.]
[Figure: the same lifecycle annotated with the security artifacts produced along it: Business Requirements, Preliminary Risk Analysis, Business Impact Analysis, Privacy and Security Requirements, Security Sign-Off, Privacy and Security Mitigation Plans, BCP/COOP, Incident Response Plans, Security Test Plans, BCP/COOP Testing & Maintenance, IT Audit, and a second Security Sign-Off.]
Business Requirements
A statement of the business problem or challenge the business area needs to solve
Should not include recommended technical solutions
Constraints/Assumptions
Phase: Concept
Preliminary Risk Analysis
Security Questionnaire
Preliminary Privacy Analysis
Preliminary Security Risk Analysis
Risk Briefing
Risk of not doing
Phase: Concept
Privacy and Security Requirements
Preliminary Privacy Assessment
Preliminary Security Risk Assessment
Privacy Requirements
Security Requirements
Preliminary Design Requirements
Words To Live By: “Minimum Necessary”
Phase: Analysis
Business Impact Analysis
Business/System Impact Analysis
Phase: Analysis
Security Sign-Off
Keys:
Business Requirements received
Requirements understood (by the business area)
Risks acknowledged (by the business area)
Phase: Analysis
Privacy and Security Requirements
Vendor Security Questionnaire
Security Architecture Assessment
Information Policy Analysis
Risk Assessment (OCTAVE)
HIPAA Assessment
Detailed Design Requirements
Project Security Roadmap & Required Document List
Phase: Design
Detailed Security Architecture Design
Design Review
Security Risk Mitigation Plans
Action plan for compliance with the design
Phase: Design
Business Continuity/Disaster Recovery
Business Continuity Planning
Disaster Recovery Planning
Preliminary COOP (Continuity Of Operations Plan) Document