Transcript of "Security Lifecycle Management"

  1. ISM in the ILM (Information Lifecycle Security Management)
     Barry Caplin, Chief Information Security Officer, Minnesota Department of Human Services, [email_address]
     May 18, 2006, 10:00-11:00 a.m., Secure360

  2. Agenda
     - DHS Overview
     - Enterprise Security Strategy
     - Build Security In?
     - Information Lifecycle Security Management

  3. MN DHS
     - Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential
     - Consumers include:
       - seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
       - families with children in a financial crisis
       - parents who need child support enforcement or child care money
       - people with physical or developmental disabilities who need assistance to live as independently as possible

  4. MN DHS
     - Direct service through:
     - DHHS – Deaf and Hard of Hearing Services
     - SOS – State Operated Services, which includes:
       - RTCs – Regional Treatment Centers, including St. Peter, Moose Lake
       - Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)
       - State-run group homes
       - New community-based treatment centers
       - State-run nursing home – Ah-Gwah-Ching

  5. MN DHS
     - Administrations (Divisions):
     - CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility
     - Chemical and Mental Health Services – including SOS
     - Health Care Administration and Operations
     - Continuing Care
     - FMO – Finance and Management Operations – including Information Security, IT

  6. MN DHS
     - Programs are state-administered, county-delivered
       - Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services
     - One of the largest state agencies
     - 2500 CO, 5000 SOS distributed staff
     - State and Federal funding

  7. Enterprise Security Strategy

  8. Security Strategy - The 10000 Foot View
     - Information Security Governance Framework (COBIT Security Baseline)
       - People
         - Organization
         - Awareness
       - Technology
         - Operations
         - Architecture
       - Enterprise High-Level Functions
         - Information Risk Management
         - Information Policy
         - Information Lifecycle Management
         - Process

  9. Security Strategy
     [Diagram: governance model with People (organization, awareness), Technology (operations, architecture), and the enterprise functions IRM, Policy, ILM and Processes]

  10. Security Strategy - 4 C's
      - Confidence
      - Credibility
      - Communication
      - Compliance
      [Diagram: the same governance model as the previous slide: People (organization, awareness), Technology (operations, architecture), IRM, Policy, ILM, Processes]

  11. Build Security In?

  12. Build Security In
      - What do we mean by this?
      - Everyone says it… but how?
      - https://buildsecurityin.us-cert.gov/portal/

  13. Why Build Security In?

  14. Why Build Security In?

  15. Why Build Security In?
      - Cost – “measure twice, cut once”
      - Efficiency – build it “right” the first time
      - Time – fixing problems later will likely delay production use

  16. SDLC
      - SEI-CMMI (formerly CMM) ( http://www.sei.cmu.edu/cmmi/ )
      - IEEE and ISO 12207 standards ( http://www.acm.org/tsc/lifecycle.html )
      - Extreme Programming ( http://www.xprogramming.com/ , http://www.extremeprogramming.org/ )
      - On Wikipedia ( http://en.wikipedia.org/wiki/Software_development_life_cycle )

  17. Information Lifecycle Security Management

  18. Information Lifecycle Security Management

  19. Information Lifecycle Security Management
      [Diagram: lifecycle phases Concept, Analysis, Design, Develop, Deploy, Operate, Major Release and Dispose; the Software Development Lifecycle (SDLC) covers the early phases, the Maintenance Lifecycle the later ones]

  20. Information Lifecycle Security Management
      [Diagram: the lifecycle phases Concept, Analysis, Design, Develop, Deploy, Operate and Major Release with their security activities: Business Requirements, Preliminary Risk Analysis, Business Impact Analysis, Privacy and Security Requirements, Security Sign off, BCP/COOP, Privacy and Security Mitigation Plans, Incident Response Plans, Security Test Plans, Security Sign off, BCP/COOP Testing & Maintenance, IT Audit]

  21. Business Requirements (Concept phase)
      - A statement of the business problem or challenge the business area needs to solve
      - Should not include recommended technical solutions
      - Constraints/Assumptions

  22. Preliminary Risk Analysis (Concept phase)
      - Security Questionnaire
      - Preliminary Privacy Analysis
      - Preliminary Security Risk Analysis
      - Risk Briefing
      Callout: Risk of not doing

  23. Privacy and Security Requirements (Analysis phase)
      - Preliminary Privacy Assessment
      - Preliminary Security Risk Assessment
      - Privacy Requirements
      - Security Requirements
      - Preliminary Design Requirements
      Words To Live By: “Minimum Necessary”

  24. Business Impact Analysis (Analysis phase)
      - Business/System Impact Analysis

  25. Security Sign-Off
      - Keys:
        - Business Requirements received
        - Requirements understood (by business area)
        - Risks acknowledged

  26. Privacy and Security Requirements (Design phase)
      - Vendor Security Questionnaire
      - Security Architecture Assessment
      - Information Policy Analysis
      - Risk Assessment (OCTAVE)
      - HIPAA Assessment
      - Detailed Design Requirements
      - Project Security Roadmap & Required Doc List

  27. Privacy and Security Mitigation Plans (Design phase)
      - Detailed Security Architecture Design
      - Design Review
      - Security Risk Mitigation Plans
      - Action Plan for compliance design

  28. Business Continuity/Disaster Recovery (Design phase, BCP/COOP)
      - Business Continuity Planning
      - Disaster Recovery Planning
      - Preliminary COOP (Continuity Of Operations Plan) Document

  29. Security Test Plans (Develop phase)
      - Test Data Plans
      - Security Testing Plan
      - Security Testing
        - Use/Abuse Cases
        - Code Review Tools
      - Vulnerability Assessment

  30. Incident Response Plans (Develop phase)
      - Incident Response Plans
      - Final COOP

  31. Security Sign-Off
      - Keys:
        - Identified issues mitigated
        - Assessments completed
        - Security Requirements met
        - Documentation completed
        - BCP/COOP completed

  32. Deploy (Deploy phase)
      - Change Management
      - Monitoring

  33. IT Audit (Operate phase)
      - Security Policy Compliance Review (COBIT Audit Guideline)

  34. BCP/COOP Testing & Maintenance (Operate phase)
      - Plan Testing
      - Plan Updates & Review
      - BIA Updates

  35. Major Release
      - What is a Major Release?
        - Significant new functionality
        - Code rewrites
        - Significant architecture or design changes
      - Site Dependent
      - May require any/all ILSM steps

  36. Information Disposal (Dispose phase)
      - Measures based on:
        - Business type
        - Data classification
      - Regulatory issues:
        - PHI
        - FTI
        - Others…

  37. Information Lifecycle Security Management
      [Diagram: repeat of slide 20, the lifecycle phases with their security activities and the two Security Sign off gates]

  38. Final Thoughts
      - SMT buy-in is critical
      - Be consistent
      - Advertise, advertise, advertise

  39. Discussion?