Statewide Security Plan and Standards Forum (ppt)
Published in: Technology

1. Enterprise Security Plan and Standards Forum
   Theresa A. Masse, State Chief Information Security Officer
   John Ritchie, Senior Security Analyst

2. Agenda
   - Background
   - Statewide Information Security Plan
   - Statewide Information Security Standards
   - Agency Next Steps
   - Panel
   - Wrap Up

3. Background
   - The combination of the Statewide Plan, Standards, and Policies in the framework of ISO 27001 & 27002 forms the Enterprise Security Architecture

4. Background
   - Based on ISO 27001/27002
   - Incorporating best practices from:
     - National Institute of Standards and Technology (NIST) recommended standards
     - SANS Institute recommended standards and best practices
     - Burton Group recommended methodologies and best practices
   - Vetted by agencies

5. Background
   - ISO 27001
   - Information Security Management System (ISMS)
   - Foundation: Security Risk Assessment
   - Aligns with the agency's Strategic Risk Management Policy and Direction

6. Background
   - ISO 27002
   - Information Security Domains
   - Controls minimize identified risk
   - Risk Assessment identifies areas of security control focus

7. ISO 27002
   - 27002 consists of 11 domains
   - Includes an outline for each domain and its corresponding controls
   - Diagram (text recovered from the slide): the 11 domains, Security Policy, Security Organization, Compliance, Asset Management, Access Control, Human Resources, Physical and Environmental Security, System Development and Maintenance, Communications & Operations Management, Business Continuity Management, and Incident Management, grouped under the plan areas Security Governance & Compliance, Security Infrastructure & Environment, Tactical Security Operations, and Risk Assessment

8. Background
   - Policies and standards assist agencies in achieving compliance with state laws
   - ESO cannot establish plans, policies or standards that are less restrictive than state laws
   - Specifically: ORS 182.122 Information Systems Security and ORS 646A.600, the Oregon Identity Theft Protection Act
   - Agencies can implement more restrictive controls as required for compliance with other regulations (IRS, HIPAA, etc.)

9. Security Plan
   - Security Management Framework (ISO 27001)
     - Agency Annual Risk Assessment
     - Agency Information Systems Security Risk Assessments
     - Agency Information Security Management System

10. Security Plan
   - Security Governance and Compliance (ISO 27002)
     - Agency Security Policies & Governance Processes
     - Information Security Audits within Agency

11. Security Plan
   - Security Infrastructure and Environment (ISO 27002)
     - Agency Employee Security Policies
     - Process for Access Control to Information Assets within Agency
     - Agency Information Security Awareness Training
     - Agency compliance with Information Asset Classification Policy #107-004-050
     - Agency compliance with the Transporting Information Assets Policy #107-005-100
     - DAS Building Security Access Controls Policy #125-6-215
     - Evaluation of Agency facilities for security

12. Security Plan
   - Tactical Security Operations (ISO 27002)
     - Agency compliance with the Enterprise Information Security Standards
     - Agency compliance with Employee Security Policy #107-004-053
     - Agency compliance with the Information Security Incident Response Policy #107-004-120
     - Agency BCP per Policy #107-001-010
       - Agency BCP testing
       - Agency DR testing
     - Agency compliance with Sustainable Acquisition and Disposal of Electronic Equipment (E-waste/Recovery Policy)

13. Security Plan
   - Implementation of Plan
     - Implementation Metrics
   - Submit agency plan to ESO: due July 2009

14. Security Standards
   - Incorporating best practices from:
     - International Organization for Standardization (ISO) 27001 & 27002
     - National Institute of Standards and Technology (NIST) recommended standards
     - SANS Institute recommended standards and best practices
     - Burton Group recommended methodologies and best practices

15. Security Standards
   - Technical Controls
   - Four domains from ISO 27002
     - Access Control
     - Information Asset Management
     - Communications & Operations Management
     - Information Systems Acquisition, Development and Management

16. Security Standards
   - Access Control
     - Authentication Standards
     - Authorization Standards
     - Audit of Access Control Standards

17. Security Standards
   - Information Asset Management
     - Protection of Information Assets Standards
     - Handling of Information Assets Standards

18. Security Standards
   - Communications & Operations Management
     - Antivirus and Anti-malware Standards
     - Workstation Management & Desktop Security Standards
     - Mobile Device Management Standards
     - Server Management Standards
     - Log Management Standards
     - Information Backup Standards

19. Security Standards
   - Communications & Operations Management (continued)
     - Security Zone and Network Security Management (Local Area Network & Wide Area Network) Standards
     - Intrusion Detection Standards
     - E-mail Standards
     - Remote Access Standards
     - Wireless Access Standards

20. Security Standards
   - Information Systems Acquisition, Development and Management
     - Business Case Standard
     - Encryption Standards
     - Patch Management Standards
     - Information System Development Lifecycle Standards

21. Security Standards
   - One size fits all?
     - Small agencies: most standards apply
     - Large agencies: all standards apply
     - State Data Center: most standards apply; will assist agencies

22. Security Standards
   - Agencies responsible for data
     - Classification
     - Protection
   - Agencies and third-party providers
     - Contractors
     - State Data Center

23. Security Standards
   - Standards
     - Minimum requirements
     - "Meet or exceed"
   - Recommended best practices
     - Not mandatory

24. Security Standards
   - Standards
     - Are specific
     - Are interdependent
     - Must be implemented in their entirety, but...
   - Risk Assessment drives implementation
     - Compensating controls
     - Exceptions

25. Agency Next Steps
   - Survey
     - Are you compliant?
     - If not, do you have a plan?
     - Do you have the resources to implement the plan?
   - Gap Analysis
   - Workshop

26. Panel
   - Robert Hulshof-Schmidt, State Library, Program Manager, Government Research Services
   - David Wilson, Department of Corrections, Information Security Officer
   - Al Grapoli, Network, Security and Voice Services Manager, DAS, State Data Center
27. Information Security Plan and Guidelines: Development and Implementation
   Robert Hulshof-Schmidt, Program Manager, Government Research Services, Oregon State Library

28. State Library Overview
   - 44 employees, 20+ regular volunteers
   - 4 teams
     - Administrative Services
     - Government Research Services
     - Library Development Services
     - Talking Book & Braille Services

29. OSL Information Assets
   - Mostly Levels 1 & 2
   - No Level 4
   - Level 3 almost exclusively in Administrative Services
     - Consolidated donor info
     - Patron info streamlined and protected by statute

30. OSL Info Environment
   - Most staff are professional information workers
   - Three full-time IT staff
   - Agency-wide values on research, openness, information exchange
   - Generally tech-savvy, gadget-owning staff
   - At start of security planning:
     - Lack of concern due to limited Level 3 info
     - Unclear connection to everyday work

31. Information Security Plan
   - Used ESO template; covered most of our needs
   - Started good conversation on physical security, not just electronic
   - Dovetailed with IT initiative to create stronger domain environment
   - Valuable, but felt to most staff like a "Business Office/IT" activity only

32. Making the Connection
   - Management team conversation about information security
     - Everything connected to the enterprise carries risk
     - Even "local-only" connections put our business at risk
     - All staff have a role and a responsibility
     - Statewide policies provide a good framework
     - We need local guidelines

33. Creating Guidelines
   - Information Asset Use, Implementation, and Security Guidelines
   - Started with suite of seven statewide policies related to the topic
   - Added reference to statewide policies related to staff behavior (telework, professional workplace, etc.)
   - Added reference to OSL policies and documents as relevant

34. Creating Guidelines
   - Created plain-language definitions of key terms
   - Did not repeat content of policies
   - Focused on areas that required agency-specific clarification or interpretation
   - Pulled common themes from various policies into cohesive sections
     - Allowed for streamlining

35. Creating Guidelines
   - Reference to relevant policies/authorization
   - Definitions
   - Appropriate usage times for state assets and systems
   - Use of personal information systems
   - Use of networks (state and personal)
   - Use of Internet resources
   - Use of electronic communication tools
   - Passwords
   - Monitoring behavior
   - Responding to incidents (tied to plan)
   - Decision-making, approvals, and access

36. Guidelines Rollout
   - Iterative development
     - Management review
     - Business office review
     - IT review
     - Key staff review
   - Agency-wide announcement
   - All-staff training
     - Three sessions
     - One presenter
     - IT and HR at all three sessions

37. Next Steps
   - IT review of guidelines
     - Performance gaps
     - 30-day action plan
     - Long-term action plan
     - SDC consultation
   - Prepare for standards review and implementation
   - Set priorities based on risk and resources

38. Questions?
   - Guidelines available to share
   - Robert Hulshof-Schmidt
     - 503.378.5030
     - [email_address]
39. David Wilson, Information Security Officer, Department of Corrections

40. DOC Mission Statement
   - The mission of the Oregon Department of Corrections is to promote public safety by holding offenders accountable for their actions and reducing the risk of future criminal behavior.

41. Oregon Accountability Model
   - Criminal Risk Factor Assessment and Case Planning
   - Staff-Inmate Interactions
   - Work and Programs
   - Children and Families
   - Re-entry
   - Community Supervision and Programs

42. Quick Facts
   - 14 institutions
   - 4 administration sites
   - 2 county parole & probation offices

43. Quick Facts
   - 4,426 employees
   - 1,970 active volunteers
   - Offenders:
     - Inmates: 13,841
     - Parole and Probation: 2,794
     - Local Control: 890
   - Total current offenders: 17,525

44. Quick Facts
   - Others accessing ODOC information
     - Contracted service providers
     - Community partners
     - Courts and legal professionals
     - Other governmental agencies
     - The public

45. ODOC Information Security History
   - Information Security Officer
     - Collateral duty prior to October 2009
   - Projects through Office of Project Management
     - Information Security Administration
     - Department-wide Records Management

46. Project Methodology
   - Initiated in April 2008
   - ODOC missed early compliance dates
   - Combined project resources
   - Chose to focus resources on:
     - Identification of agency Information Assets (IAs)
     - Organizing IAs into a Special Retention Schedule
     - Using that structure to identify "ownership"

47. Methodology Mistake
   - Information Owners were not defined or identified at the beginning of the projects.

48. Informed Information Owners Needed
   - Realized need for:
     - Definition of Information Owner role and responsibilities
     - Decision makers to decide classification
   - Identified need to:
     - Educate decision makers
     - Define data handling standards
     - Define classification expectations

49. "Snapshot" Standards Needed
   - Methodology and standards: OVERWHELMING!
   - Found something simple: PERS Data Handling Standards
     - http://
   - Simple matrix = Enterprise Standards
   - Reflects PROCESS expectations

50. Curriculum Identified
   - Protecting IAs at the right level
     - Balancing the risk with the cost: Confidentiality, Integrity and Accessibility
   - Public records requests: simple division
     - Level 1 & 2: releasable = low risk & priority
     - Level 3 & 4: not releasable = high risk & priority
     - Able to categorize by this division based on known mandates and project team input
   - Level 3 vs. Level 4
     - Mandates vs. business decision
     - Risk of Level 3: mitigated by agency culture
     - Cost of Level 4: resources and accessibility

51. Information Owner Decision
   - Information Owners were asked to look at a draft list of their Level 3 and 4 IAs
   - They were then asked to identify:
     - Risk they were willing to accept
     - Cost, in resources and accessibility, they were willing to pay to mitigate that risk
   - "If you want to call it a Level 4, are you willing to pay the cost of protection?"

52. Did not understand it then...
   - Gap Analysis of Enterprise Standards:
     - Process: how the agency works with the information
     - Technology: technical capabilities, limitations and safeguards

53. Realized in retrospect...
   - Educating Information Owners provided a business opportunity: to review existing processes, identify limitations and determine current resources
   - That resulted in a Gap Analysis of Process

54. Enterprise Standards Published
   - 11/2009: Enterprise Standards published
     - ODOC classification process had already narrowed the focus
     - Gap Analysis of Processes completed
   - All that was left: compare current information technology practices and resources against the Enterprise Standards

55. Gap Analysis: Technology
   - FYI: computer experts live and breathe tech specs!
   - Standards = foreign language
   - Computer experts:
     - Speak it fluently
     - Know their systems in detail
     - Can translate in terms of existing ability

56. Do we meet the standard?
   - "Yes": no further action required
   - "No, but our method is as good as or better than...": document variance

57. Do we meet the standard?
   - "No, and that might be a problem"
     - Red flag or "gap"
     - Plan needed. Will getting there take:
       - Time (within existing resources)?
       - Money (to buy solutions)?
       - Staff (additional personnel)?
   - Plans will be assessed and prioritized based on risk and available resources

58. Gap Analysis = Risk Mitigation
   - Risk mitigation for ODOC
   - Gap Analysis provides data for risk-based prioritization of the resources necessary for operations within the current fiscal climate
   - Final plan will be taken to ODOC Leadership for approval
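As an added illustration (this is not code from the forum, from ODOC, or from the ESO), the following Python register models the three answers on the two "Do we meet the standard?" slides (meets, documented variance, gap) and the risk-based prioritization of slide 58, using the information-owner classification levels of slides 50 and 51 to rank open gaps: non-releasable Level 3 and 4 assets first, then the gaps closable within existing resources before those needing money or staff. The standard identifiers, asset names, classification decisions, resource needs and the variance justification are all constructed for the example.

```python
"""Gap-analysis register for an enterprise-standards review (added example)."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    MEETS = "meets"        # "Yes": no further action required
    VARIANCE = "variance"  # "No, but our method is as good as or better": document it
    GAP = "gap"            # "No, and that might be a problem": a plan is needed


@dataclass
class Assessment:
    standard: str               # hypothetical standard identifier, e.g. "LOG-01"
    status: Status
    assets: tuple               # information assets the standard protects
    justification: str = ""     # for a variance: why the method is as good or better
    needs_time: bool = False    # closable within existing resources
    needs_money: bool = False   # requires buying a solution
    needs_staff: bool = False   # requires additional personnel


# Constructed classification decisions made by information owners (Levels 1-4).
# Levels 1-2 are releasable under public records requests; Levels 3-4 are not.
ASSET_LEVEL = {
    "public-web-content": 1,
    "internal-procedures": 2,
    "offender-medical-records": 3,
    "staff-hr-records": 3,
    "security-threat-assessments": 4,
}
RELEASABLE_MAX_LEVEL = 2


def highest_level(assets):
    """A control gap is as risky as the most sensitive asset it leaves exposed.
    An asset with no owner decision is itself an ownership gap, so fail loudly."""
    missing = [a for a in assets if a not in ASSET_LEVEL]
    if missing:
        raise KeyError(f"no information owner classification for: {missing}")
    return max(ASSET_LEVEL[a] for a in assets)


def releasable(asset):
    return ASSET_LEVEL[asset] <= RELEASABLE_MAX_LEVEL


def resource_burden(a):
    """0 = within existing resources; up to 3 = needs time, money and staff."""
    return int(a.needs_time) + int(a.needs_money) + int(a.needs_staff)


def check(a):
    """Consistency problems in how an answer was recorded, or [] if none."""
    problems = []
    if a.status is Status.VARIANCE and not a.justification.strip():
        problems.append("variance must document why the method is as good or better")
    if a.status is Status.GAP and resource_burden(a) == 0:
        problems.append("gap recorded without a plan (time, money or staff)")
    if a.status is Status.MEETS and (a.justification or resource_burden(a)):
        problems.append("'meets' should carry no variance text or resource needs")
    return problems


def prioritize(assessments):
    """Open gaps in the order leadership should fund them: highest asset level
    first, then cheapest to close, so that a within-existing-resources fix on
    non-releasable data is not queued behind a purchase for releasable data."""
    gaps = [a for a in assessments if a.status is Status.GAP]
    return sorted(gaps, key=lambda a: (-highest_level(a.assets),
                                       resource_burden(a), a.standard))


def variance_register(assessments):
    """Documented variances: standard -> justification."""
    return {a.standard: a.justification
            for a in assessments if a.status is Status.VARIANCE}


# Constructed review of five hypothetical standards.
REVIEW = [
    Assessment("AV-01", Status.MEETS, ("public-web-content", "internal-procedures")),
    Assessment("LOG-01", Status.GAP, ("offender-medical-records",), needs_time=True),
    Assessment("ENC-02", Status.GAP, ("security-threat-assessments",),
               needs_money=True, needs_staff=True),
    Assessment("BKP-01", Status.GAP, ("internal-procedures",), needs_money=True),
    Assessment("RA-03", Status.VARIANCE, ("staff-hr-records",),
               justification="Remote access is brokered by the State Data Center, "
                             "which applies an equivalent control (constructed)"),
]

if __name__ == "__main__":
    for a in REVIEW:
        for problem in check(a):
            print(f"{a.standard}: {problem}")
    for a in prioritize(REVIEW):
        print(a.standard, "level", highest_level(a.assets), "burden", resource_burden(a))
    print(variance_register(REVIEW))
```

Run as a script it lists any inconsistently recorded answers, then prints the gaps in funding order (ENC-02, LOG-01, BKP-01) and the variance register. The sort key is the design point: risk, as decided by the information owner, outranks cost, and a gap with no time/money/staff plan is rejected rather than silently treated as closed.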
59. [email_address] Questions?

60. Oregon State Data Center: Security Architecture Standards
   Information Security Plan and Standards Forum, December 10, 2009

61. Security Architecture Principles
   - Security architecture must be:
     - Cost effective and business driven
     - Supportable
     - Standards based

62. Cost Effective and Business Driven
   - Flexible architecture provides for granularity of controls
   - Ability to accommodate agency business requirements
   - Consolidation of security controls to reduce administrative overhead

63. Supportable
   - Standard processes and procedures in support of security controls
   - Centralized management of security controls
   - Increased logging and monitoring
   - Integration permits greater security enforcement and intelligence
   - Standard equipment allows for easier implementation and for replacement in the event of a failure

64. Standards Based
   - Use standards-based technologies to provide security (e.g. AES, 802.1X)
     - Increases the likelihood that security technologies are interoperable
     - Ensures that implemented technologies have been subjected to the process review necessary to achieve the status of "standard"

65. Where we are... (Standardization)
   - Secure server builds
   - Site-to-site encryption
   - Network access control
     - Firewalls
     - VLANs/MPLS
   - Anti-virus and patching standardized
   - Network intrusion detection
   - Email firewalls
   - Log aggregation

66. Where we are going...
   - Network Admission Control
   - Host intrusion prevention
   - Consolidated remote access VPN
   - Firewall consolidation
   - Increased use of log aggregation
   - Configuration management

67. Security Policies
   - State Security Policies
     - http://
   - Recent implementation
     - State Security Standards
     - State Security Plan
     - Privileged Access Policy

68. [email_address] Questions?

69. Thank You!
   - "Security is an architecture, not an appliance" (Network Magazine)

70. Recap and Next Steps
   - Plan and Standards published
   - Survey
     - Are you compliant?
     - If not, do you have a plan?
     - Do you have the resources to implement the plan?
   - Gap Analysis
   - Workshop

71. Questions?

72. Thank You!
   Theresa Masse
   State Chief Information Security Officer
   DAS EISPD / Enterprise Security Office
   (503) 378-4896
   [email_address]