Security Lifecycle Management
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Security Lifecycle Management

on

  • 3,520 views



Statistics

Views

Total Views
3,520
Views on SlideShare
3,517
Embed Views
3

Actions

Likes
0
Downloads
24
Comments
0

1 Embed 3

http://www.slideshare.net 3

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Security Lifecycle Management Presentation Transcript

  • 1. ISM in the ILM (Information Lifecycle Security Management) Barry Caplin Chief Information Security Officer Minnesota Department of Human Services [email_address] May 18, 2006 10:00-11:00 a.m. Secure360
  • 2.  
  • 3. Agenda
    • DHS Overview
    • Enterprise Security Strategy
    • Build Security In?
    • Information Lifecycle Security Management
  • 4. MN DHS
    • Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential
    • Consumers include:
      • seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
      • families with children in a financial crisis
      • parents who need child support enforcement or child care money
      • people with physical or developmental disabilities who need assistance to live as independently as possible
  • 5. MN DHS
    • Direct service through:
    • DHHS – Deaf and Hard of Hearing Services
    • SOS – State Operated Services includes
      • RTC’s – Regional Treatment Centers, including St. Peter, Moose Lake
      • Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)
      • State-run group homes
      • New community-based treatment centers
      • State-run nursing home – Ah-Gwah-Ching
  • 6. MN DHS
    • Administrations (Divisions):
    • CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility
    • Chemical and Mental Health Services– including SOS
    • Health Care Administration and Operations
    • Continuing Care
    • FMO – Finance and Management Operations – including Information Security, IT
  • 7. MN DHS
    • Programs are state-administered, county-delivered
      • Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services
    • One of the largest state agencies
    • 2500 CO, 5000 SOS distributed staff
    • State and Federal funding
  • 8. Enterprise Security Strategy
  • 9. Security Strategy - The 10000 Foot View
    • Information Security Governance Framework (COBIT Security Baseline)
      • People
        • Organization
        • Awareness
      • Technology
        • Operations
        • Architecture
      • Enterprise High-Level Functions
        • Information Risk Management
        • Information Policy
        • Information Lifecycle Management
        • Process
  • 10. Security Strategy Governance organization operations architecture awareness people technology IRM Policy ILM Processes
  • 11. Security Strategy 4 C’s Confidence Credibility Communication Compliance Governance organization operations architecture awareness people technology IRM Policy ILM Processes
  • 12. Build Security In?
  • 13. Build Security In
    • What do we mean by this?
    • Everyone says it… but how?
    • https://buildsecurityin.us-cert.gov/portal/
  • 14. Why Build Security In?
  • 15. Why Build Security In?
  • 16.
    • Cost – “measure twice, cut once”
    • Efficiency – build it “right” the first time
    • Time – fixing problems later will likely delay production use
    Why Build Security In?
  • 17. SDLC
    • SEI-CMMI (formerly CMM) ( http:// www.sei.cmu.edu/cmmi / )
    • IEEE and ISO 12207 standards ( http://www.acm.org/tsc/lifecycle.html ).
    • Extreme Programming ( http://www.xprogramming.com/ , http://www.extremeprogramming.org/ )
    • On Wikipedia
    • ( http:// en.wikipedia.org/wiki/Software_development_life_cycle )
  • 18. Information Lifecycle Security Management
  • 19. Information Lifecycle Security Management
  • 20. Operate Major Release Software Development Lifecycle (SDLC) Maintenance Lifecycle Dispose Information Lifecycle Security Management Deploy Develop Design Analysis Concept
  • 21. Operate Major Release Deploy Develop Design Analysis Concept Information Lifecycle Security Management Preliminary Risk Analysis Business Impact Analysis Privacy and Security Requirements BCP/ COOP Privacy and Security Mitigation Plans Incident Response Plans Security Test Plans BCP/COOP Testing & Maintenance IT Audit Business Requirements Security Sign off Security Sign off
  • 22. Business Requirements
    • A statement of the business problem or challenge the business area needs to solve
    • Should not include recommended technical solutions
    • Constraints/Assumptions
    Concept Business Requirements
  • 23. Preliminary Risk Analysis
    • Security Questionnaire
    • Preliminary Privacy Analysis
    • Preliminary Security Risk Analysis
    • Risk Briefing
    Concept
    • Risk of not doing
    Preliminary Risk Analysis
  • 24. Privacy and Security Requirements
    • Preliminary Privacy Assessment
    • Preliminary Security Risk Assessment
    • Privacy Requirements
    • Security Requirements
    • Preliminary Design Requirements
    Analysis Words To Live By: “ Minimum Necessary” Privacy and Security Requirements
  • 25. Business Impact Analysis
    • Business/System Impact Analysis
    Analysis Business Impact Analysis
  • 26. Security Sign-Off
    • Keys:
      • Business Requirements received
      • Requirements understood (by business area)
      • Risks acknowledged
    Security Sign off
  • 27. Privacy and Security Requirements
    • Vendor Security Questionnaire
    • Security Architecture Assessment
    • Information Policy Analysis
    • Risk Assessment (OCTAVE)
    • HIPAA Assessment
    • Detailed Design Requirements
    • Project Security Roadmap & Required Doc List
    Design Privacy and Security Requirements
  • 28.
    • Detailed Security Architecture Design
    • Design Review
    • Security Risk Mitigation Plans
    • Action Plan for compliance design
    Design Privacy and Security Mitigation Plans Privacy and Security Mitigation Plans
  • 29. Business Continuity/Disaster Recovery
    • Business Continuity Planning
    • Disaster Recovery Planning
    • Preliminary COOP (Continuity Of Operations Plan) Document
    Design BCP/ COOP
  • 30. Security Test Plans
    • Test Data Plans
    • Security Testing Plan
    • Security Testing
      • Use/Abuse Cases
      • Code Review Tools
    • Vulnerability Assessment
    Develop Security Test Plans
  • 31. Incident Response Plans
    • Incident Response Plans
    • Final COOP
    Develop Incident Response Plans
  • 32. Security Sign-Off
    • Keys:
      • Identified issues mitigated
      • Assessments completed
      • Security Requirements met
      • Documentation completed
      • BCP/COOP completed
    Security Sign off
  • 33. Deploy
    • Change Management
    • Monitoring
    Deploy
  • 34. IT Audit
    • Security Policy Compliance Review (COBIT Audit Guideline)
    Operate IT Audit
  • 35. BCP/COOP Testing & Maintenance
    • Plan Testing
    • Plan Updates & Review
    • BIA Updates
    Operate BCP/COOP Testing & Maintenance
  • 36. Major Release
    • What is a Major Release?
      • Significant new functionality
      • Code rewrites
      • Significant architecture or design changes
    • Site Dependent
    • May require any/all ILSM steps
    Major Release
  • 37. Information Disposal
    • Measures based on:
      • Business type
      • Data classification
    • Regulatory issues:
      • PHI
      • FTI
      • Others…
    Dispose
  • 38. Operate Major Release Deploy Develop Design Analysis Concept Information Lifecycle Security Management Preliminary Risk Analysis Business Impact Analysis Privacy and Security Requirements BCP/ COOP Privacy and Security Mitigation Plans Incident Response Plans Security Test Plans BCP/COOP Testing & Maintenance IT Audit Business Requirements Security Sign off Security Sign off
  • 39. Final Thoughts
    • SMT buy in is critical
    • Be consistent
    • Advertise, advertise, advertise
  • 40. Discussion?