Commonwealth
Information Security Officers
Advisory Group (ISOAG) Meeting
JUNE 14, 2007
www.vita.virginia 1
WELCOME
Peggy Ward, VITA
Happy Flag Day!
ISOAG June 2007 Agenda
I. Welcome Peggy Ward, VITA
II. InfraGard Melissa McRae & Melissa Schuler, F.B.I.
III. Encryption Service Offering John Kissel, VITA
IV. Commonwealth Information Security Council Update!
Encryption Committee Steve Werby
Making Security an Executive Management Priority John Karabaic
Small Agency Outreach John Jenkins
Identity and Access Management Patricia Paquette
V. RPB Data Center Move Larry Ellison, NG
VI. VITA IT Security Standard Technical Documentation Craig Luka, NG
VII. COV IT Security Standard Compliance Update Ed Miller, VITA
VIII. COV IT Security Policies, Standards and Guidelines Update Cathie Brown, VITA
IX. Information Risk Executive Council (IREC) Cathie Brown, VITA
X. Upcoming Events Peggy Ward, VITA
XI. Other Business Peggy Ward, VITA
InfraGard Program
Public and Private Sector Alliance
Protecting our Critical Infrastructure
A Brief History…
In 1996, the FBI Cleveland Field Office launched a cyber-focused industry outreach initiative.
In 1998, the FBI adopted the InfraGard program for NIPC private sector outreach.
In 2003, the FBI Cyber Division was established and DHS was formed, taking over the NIPC mission.
Today, InfraGard is the FBI’s lead private and public sector information sharing tool, with 18,645 members.
“Critical infrastructures are those physical and cyber-based systems essential
to the minimum operations of the economy and government. These systems
are so vital, that their incapacity or destruction would have a debilitating
impact on the defense or economic security of the United States.”
– William J. Clinton, 1998
Agriculture Banking/Finance Chemical Computer Security Defense
Emergency Service Energy Food Postal/Shipping
Public Health Transportation Telecommunication Water Supply
[Chart: Cyber Attack Cost & Means, 1945 to today. Over time the Cost of Capability falls while the Availability of Capability rises. Capabilities plotted along the timeline (with year marks 1955, 1960, 1970, 1975, 1985): Invasion, Strategic Nuclear Weapons, Missiles (ICBM & SLBM), Cruise Missile, Precision Guided Munitions, Computer, Cyber Attack.]
The CyberWorld Today
Cyber Attacks:
• Immediately follow or occur in conjunction with physical world events
• Are becoming more coordinated and politically motivated
• Don’t care about being detected or traced
Potential Sources of Attacks
• Terrorist Groups
• Targeted Nation-States
• Terrorist Sympathizers and Anti-U.S. Hackers
• Thrill Seekers
• U.S. Hackers who need resources
Cyber Threats
Unstructured Threats
 Insiders
 Recreational Hackers
Structured Threats
 Organized Crime
 Industrial Espionage
National Security Threats
 Intelligence Agencies
 Information Warfare
InfraGard Benefits
FBI Program vs Private Sector
Benefits
• Industry sector Subject Matter Experts
• Initiation of new investigations
• Early indication of sector specific attacks
• Avenue to obtain feedback on intelligence
• Ability to identify significant crime problems
• Trusted membership and Network of professionals
• Timely/Non-public Intelligence Products
• Secure forum to share information & discuss issues.
• Avenue to provide positive intelligence
• Ongoing relationship with the FBI
Also, It is “FREE!”
InfraGard VPN
Graphic Unavailable for On-line Participants.
Screenshots of the following InfraGard VPN pages:
• Home Page
• Alerts & Advisories
• Specific Critical Infrastructure Articles
• IT & Telecommunication Sector
• IT & Telecommunication Sector – Computer Security Articles
• IT & Telecommunication Sector – Cyber Threat Media Highlights
• Message Board
• Message Board – Topic: Computer Security
• Resource Page (DHS Open Source Reports, Presentations, etc…)
• DHS Daily Reports Page
Other Features
• Special Interest Groups, e.g. Research and Technology
• Partnerships, e.g. NIST & SBA
• Quarterly Meetings with valuable speakers
• Ability to Participate in FBI Citizen’s Academy
InfraGard VPN – Special Interest Groups
• Research and Technology InfraGard
• Food/Agriculture InfraGard
• Chemical InfraGard
InfraGard VPN – Research and Technology InfraGard
SBA/NIST/FBI
Partnership between:
 FBI
 Small Business Administration (SBA) – assists small businesses
 National Institute of Standards and Technology (NIST) – world leader in information security guidelines
Goal
 Provide security workshops poised to deliver information security training to the small business community like no other.
How you can help as
IT Security Professionals
Develop and implement security policies and
procedures.
 Know what you want to protect, and who will do it.
Build some walls…
 Create a perimeter and guard it (routers, firewalls, IDS). Then, check
the guards (audit policy).
Educate your users.
 The importance of security (personal & corporate data), strong
passwords, encryption, etc.
How you can help (Cont’d)
Banners
 Put people on notice. You ARE watching!
Employee Agreements
Then:
 LOG, LOG, LOG!
 MONITOR, MONITOR, MONITOR!
 TEST, TEST, TEST!
OK…The Policies are in Place, the Perimeter is Built, and the Network is Secure!
But… What If They Sneak Through?
If They Sneak Through…
Respond quickly and without fail.
Have key response personnel predetermined.
Consider content monitoring of the attack.
Backups:
 Create backups of altered/damaged files and LOGS.
 Secure backups of the original state.
Determine the cost of the attack.
 Repairs, replacement, personnel, consultants, lost “business”.
Consider contacting the FBI.
Intrusion cases are already won or lost long before law enforcement arrives.
Making the Right Investment
Protection Costs versus Potential Loss
What the FBI can Do
Combine technical skills and investigative
experience
Provide national and global coverage
Provide long-term commitment of
resources.
Apply more traditional investigative
techniques
Perform pattern analysis
Integrate law enforcement and national
security concerns.
CYBER CRIME IS THE FBI’S #3 PRIORITY
www.InfraGard.net
Federal Bureau of Investigation
Richmond, Virginia
(804) 261-1044
Disk Encryption Overview
PC Hard drive Encryption
Rated Service Price Offering
John Kissel, VITA
June 14, 2007
Agenda
• Review
• Service Offering Rate
• Product Feature Summary
• Preliminary Configuration settings
• Status
Rated Service Offering
• Monthly rate
– Approx $17.00 per encrypted PC Windows desktop/laptop/tablet
• Added to the current per unit rate
– Includes deployment and recurring support
• Deployment
– Applies to devices being refreshed during the scheduled refresh
initiative as well as those devices not requiring refresh during the
scheduled refresh initiative.
– Does not apply to legacy devices requiring encryption prior to the
scheduled refresh initiative.
• Recurring support
– Applies to ALL devices that NG encrypts
Hard Drive Encryption - Service Offering
(■ = included in the rated service; T&M = time and materials)

Category | Item | Prior to Desktop Refresh | During Desktop Refresh | After Desktop Refresh
Non-Recurring | Software Product license | ■ | ■ | ■
Non-Recurring | Product Client Access License(s) | ■ | ■ | ■
Non-Recurring | Technical Services Testing: Functionality testing | T&M | ■ | ■
Non-Recurring | Technical Services Testing: Image development | T&M | ■ | ■
Non-Recurring | Technical Services Testing: Package creation | T&M | ■ | ■
Non-Recurring | Technical Services Testing: Package creation 2 | T&M | ■ | ■
Non-Recurring | Technical Services Testing: Hardware compatibility testing | T&M | ■ | ■
Non-Recurring | Technical Services Testing: Use scenarios | T&M | ■ | ■
Non-Recurring | Technical Services Testing: Deployment testing | T&M | ■ | ■
Non-Recurring | Training: Site Support | T&M | ■ | ■
Non-Recurring | Training: Helpdesk | T&M | ■ | ■
Non-Recurring | Training: End user | T&M | ■ | ■
Non-Recurring | Training: Communications | T&M | ■ | ■
Non-Recurring | Deployment: Deployment planning | T&M | ■ | ■
Non-Recurring | Deployment: Deployment preparation | T&M | ■ | ■
Non-Recurring | Deployment: Deployment execution | T&M | ■ | ■
Recurring | Software Product License maintenance | ■ | ■ | ■
Recurring | Client Access License Maintenance | ■ | ■ | ■
Recurring | Technical Support Helpdesk (first call resolution) | ■ | ■ | ■
Recurring | Tier 2 support | ■ | ■ | ■
Recurring | Maintenance | ■ | ■ | ■
General Assumptions
• Degraded Desktop/Laptop performance during system startup may
be realized.
• Increase in Helpdesk support calls is anticipated.
• Increase in support/administration effort.
– Extended system recovery times
• Implementation
– Desktop/Laptop preparation tasks must be performed
– All support calls will be routed to the VCCC
– Encryption will be performed as part of the desktop refresh
schedule
Procedures for Ordering
• If you choose not to wait for Transformation, an RFS needs to be
completed to request this service.
• If you choose to wait for transformation it will be discussed at your
kickoff meeting.
Commonwealth
Information Security Council
Peggy Ward, VITA
Encryption Committee
Jesse Crim (VCU)
John Palese (DSS)
Michael McDaniel (VRS)
Tripp Simms (VITA/NG)
Steve Werby (DOC)
Encryption Committee - Goals
 Survey agencies – IT and business perspective
 Questionnaire to aid agencies in determining
encryption needs and solutions
 Develop plan for educating users
 Develop best practices
 Recommend solutions, preferably enterprise
 Develop end user training plan
Making Security an Executive
Management Priority
Committee Members
John Karabaic, DMAS
Joe Hubbell, Va. Lottery
Shirley Payne, U.Va.
Ideas To Date
• Make recommendations for executive
security awareness events, either
standalone or as riders on other
planned executive-level events such as
a previous 2-day workshop on COOP.
• Solicit effective executive security
awareness practices from agencies and
present these as models other agencies
might follow.
Ideas To Date - continued
• Collect and make available canned
security awareness presentations
tailored for executives.
• Form a speakers bureau of ISO/boss
teams willing to give presentations to
agency executives within their
secretariat.
Interested in volunteering?
Contact Shirley
payne@virginia.edu
Small Agency Outreach
 Current Members
 Robert Jenkins (DJJ)
 Aaron Mathes (OAG)
 Goran Gustavsson (APA)
 Ross McDonald (DSS)
 Bob Auton (DJJ)
 Doug Mack (DJJ)
Small Agency Outreach
 Contact & survey small agencies and benchmark where they are in the process
 Develop a pool of talent available to work in a shared service capacity to
provide Audit functions to Small Agencies
 Measure Small Agencies with Audit capabilities versus those without this
function
 Develop “Canned Solutions” i.e. quick fixes using best practices from those with
success in the areas such as policy, practice or procurement.
 Develop tool for communications such as a message board that has shared access.
 Create network of Subject Matter Experts (SME) to offer advice and guidance.
 ARMICS and implementation options
 Resources to talk with Agency Management who may be reluctant or
unfamiliar with required actions needed for compliance matters
 VITA IT Security Policies and Standards (Business Impact Analysis, Risk
Assessment, Breaches/Detections, etc.)
 Other IT Services, such as possible tests/reviews/audits
Small Agency Outreach
Volunteers are welcome!
 If interested, contact Robert Jenkins
 804-786-1608
 robert.jenkins@djj.virginia.gov
Identity and Access
Management and
Account Management
Committee Members
Patricia Paquette – DHP,
pat.paquette@dhp.virginia.gov
Mike Garner – Tax, mike.garner@tax.virginia.gov
Marie Greenberg – DMV,
marie.greenberg@dmv.virginia.gov
Jim Rappe – ABC, james.rappe@abc.virginia.gov
Maria Batista, DMV, maria.batista@dmv.virginia.gov
Joel McPherson, DSS,
joel.mcpherson@dss.virginia.gov
Identity and Access Management
and
Account Management
“An identity management solution
should not be made up of isolated
silos of security technologies, but
rather, consist of well integrated
technologies that address the
spectrum of scenarios in each stage
of the identity life cycle.”
Frederick Chong
Microsoft Corp.
Identity and Access Management
and
Account Management
Goal - establish a secure and effective
methodology focused on identification and
authentication across the Commonwealth
Standard process which includes:
 Registering or identifying users
 Establishing roles and accounts
 Issuing credentials
 Using the credential, and
 Record keeping and auditing.
IT Infrastructure Transformation – RPB Mainframe and Server Move
Richmond Plaza Building Data Center Move
Larry Ellison, NG
Mainframe and Server
Move Overview
• Mainframe Environment Profile
– More system to system interaction
– Larger foot-print with multiple partitions per physical system
– Diverse user group
• Mainframe Environment Move and Test Approach
– Duplication of hardware at CESC (buy new)
– Isolated Test environment at CESC to provide extended test window
• Server Environment Profile
– More system isolation (Agency specific apps)
– Smaller foot-print (Isolated UNIX/Windows systems)
– Agency specific user group
• Server Environment Move and Test Approach
– VLAN Extension approach (RPB to CESC)
– Disconnect/move/reconnect of hardware from RPB to CESC (physical or virtual)
– Unit testing of systems and applications prior to disconnect/move/reconnect
Mainframe Move and Test Strategy for CESC
(Isolated Test Environment)
• Replicate RPB Internal Network (LAN) at CESC (~ 280 devices)
• Replicate all IBM, UNISYS, Prime-Power, and related hardware required for full
application testing
• Replicate key Windows and UNIX servers required to support the Mainframe Test
environment
• Provide isolated external connectivity to the CESC Test Environment from key
agency locations (VPN or other dedicated connections)
• Test environment available for 60-90 days to facilitate full Operational Readiness
and Application Regression testing of the environment, from isolated locations
• Maintain the same IP Addresses across the entire Mainframe environment
• Requires key Agencies to provide a dedicated/isolated test lab with dedicated link
from Agency location to CESC, for testing
• Supports Connectivity Testing from remote locations during planned weekend
maintenance windows
• Multiple Mock Cutover Tests prior to final Go-Live
CESC Isolated Mainframe Test Environment
Operations and Application Testing
(7/15 – 10/28)
[Diagram: CESC Data Center and RPB Data Center side by side. Each site holds an IBM Mainframe, a Unisys Mainframe, Shared DASD, Servers, EMC Centera, a DMX2000 array (DMX2000 2 at CESC, DMX2000 1 at RPB) and IBM Tape (Tape 2 at CESC, Tape 1 at RPB). Data replication between the sites runs as needed. Production Agency Locations connect to the Production App Servers; Isolated Key Agency Locations connect to the App Servers for Testing.]
CESC Isolated Mainframe Test Environment
Connectivity and Cutover Testing
(Selected Weekends from 7/15 – 10/28)
[Diagram: the same two-site layout (IBM and Unisys Mainframes, Shared DASD, Servers, EMC Centera, DMX2000 and IBM Tape at each site), with the RPB Data Center offline during testing. Data replication links remain between the sites; Production Agency Locations and Isolated Key Agency Locations connect to the Production App Servers and the App Servers for Testing.]
Mainframe Test Objectives for CESC
(Isolated Test Environment)
• Operations Testing
– All systems will IPL/Boot and communicate with peripherals
– Administrative functions (Monitoring and Management) operate as expected
– Data replication between CESC and RPB functions properly
– Internal CESC Network (LAN) and Firewalls function properly
– Print Infrastructure Functions Properly
– Tape Backup Infrastructure functions properly
– Control-M Infrastructure functions properly for support of Batch operations
– Point-to-point connections function properly
• Application Testing
– Applications will initiate and connect with database(s)
– Applications will update data and print reports as expected
– Regression test of all applications components on the Mainframe systems
• Network Connectivity Testing
– Controlled testing of external connectivity to CESC from remote sites
– Scheduled during pre-defined weekend Maintenance Periods from August – October
Tentative Testing and Cutover Timeline
(Gantt bars for the weeks 5/20 – 11/4 not reproduced)
ID  Task Name                    Start       Finish
1   Design test environment      5/15/2007   7/15/2007
2   Build test environment       6/1/2007    8/5/2007
3   Build Test Plans             6/8/2007    7/20/2007
4   Operations Testing           7/2/2007    10/28/2007
5   Application testing          7/16/2007   10/28/2007
6   Network Connectivity Test 1  8/5/2007    8/5/2007
7   Network Connectivity Test 2  8/19/2007   8/19/2007
8   Mock cutover 1               9/1/2007    9/3/2007
9   Network Connectivity Test 3  9/16/2007   9/16/2007
10  Mock Cutover 2               10/9/2007   10/11/2007
11  Mock Cutover 3               10/26/2007  10/28/2007
12  Review and Signoff           10/29/2007  11/2/2007
13  Final Cutover Prep           11/5/2007   11/9/2007
14  Go Live                      11/12/2007  11/12/2007
Mainframe Move Risk Mitigation
• Standup of an Isolated Test Environment
– Replicate mainframe hardware and software infrastructure
– Replicate servers running tier 2 applications that interface with mainframes
– Replicate DASD and Tape storage infrastructure and data via high speed data links
– Create network that will support simultaneous dual access for large agencies (RPB and
CESC)
– Replicate security environment including current complex firewall controls
• Detailed Analysis of entire infrastructure at RPB
– Application components
– Network components
– Server and Mainframe components
• Extended Test Period
– Provide agencies with at least 60 days to complete application testing
– Extended timeframe provides the opportunity for multiple test phases
– Mock move weekends have been scheduled and are designed to accommodate thorough
integration testing of complex, interdependent applications
– Risk will be significantly mitigated through agencies having continuous access to a
dedicated test environment rather than only a series of mock move tests over weekends
Mainframe Move Risk Mitigation
(continued)
• Command Center
– Provides a rapid response team to quickly address problems that surface during testing
– Staffed with operations, network, systems, and sub-system support specialists
– Support will be available 24 hours a day and weekends
• Test Coordination Support
– NG/VITA testing coordination teams will be assigned to each key mainframe using agency
– Test coordinators will work directly with Agency staff to jointly develop test plans for
each mainframe application
– Weekly reporting of testing progress by agency and associated applications will be
generated and shared with agency managers
• Fallback Contingency
– RPB processing infrastructure will remain intact for at least 2-3 weeks following the move
to provide fall-back capability
– Dual network access environment will remain intact for at least 2-3 weeks following the
move to provide fall-back capability
• Freeze/limit Hardware/software changes during test/move window
Communication Plan
Overview
• Comprehensive CH/COMM Plan to include email communications and supporting
documentation
• Overview, Kick-Off and monthly meetings with each affected Agency – Start June 7
• Detailed Planning Meetings with Agency Application Teams to develop test scenarios –
(6/15 – 8/15)
• Checkpoints and signoffs in plan for agreement to start test planning, agreement that
test plans are complete, application testing is complete and approval is given to move
• Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire
test window – (7/15 – 10/28)
• Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and
the Agency
• 24x7 Command Center setup before, during, and post move/cutover
– Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)
– Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as
needed)
– Representation by Network, Security, Mainframe, Server, Applications, etc
Application Testing Coordination
[Diagram: VITA Test Coordinators (Mainframe, Server, Network, Security) provide a Test Coordinator, an Application Spec and a Network Spec for each agency; these work with each of the Agencies Involved in the Isolated Test Environment.]
Agency Application Test Responsibilities
• Assign dedicated resources and participate in detailed planning process - (starting
June 15)
– Assign dedicated resources to participate in the test activities
– Identify applications that need to be tested in isolated test environment
– Identify servers in RPB that would need to be included in isolated test environment in CESC to
enable application testing
– Provide acceptable dates for tests and cutover
• Responsible for Application Freeze (7/15 – 11/12)
– Commitment to Break-Fix only during the test window
– Joint approval (Agency, Current Ops, Transformation, VITA) for any additional changes that are
required
– Participation in special CCB process for review of any proposed changes during test window
• Provide isolated test environment at Agency that will connect directly to isolated test
infrastructure at CESC – (available by 7/15)
– Dedicated PCs in a training room or test lab recommended
– Alternate methods for access to the test environment directly from users’ workstations are being
investigated
• Conduct all application tests – (from 7/15 – 10/28)
• Participate in cutover tests and verify network connectivity
Test and Move Coordination Roles
Agency Test Coordinators Field Operations Agency Application
SBE Kevin Kelley Mike Elliott Beth Nelson
DHRM Kevin Kelley TBD Steven Hastey
DSS Kevin Kelley Wayne Kniceley Harry Sutton
VRS Kevin Kelley Donald Garrett (Agency) Donald Garrett
VADOC Karen Lusk Karen Hardwick Geoff Lamberta
DMV Karen Lusk Bob Tingle Will Burke
VEC Karen Lusk Dave Thompson Victoria Caplan
VDH Karen Lusk Kenny White TBD
DOA/TRS Danny Wilmoth Wendy Hudson James Moore
DPB Danny Wilmoth David Allen Jowjou Hamilton
TAX Danny Wilmoth Cathy Franklin TBD
SCB Danny Wilmoth Richard Walls Anne Wilmoth
SCC Thomas Williams Blair Kirtley (Agency) Blair Kirtley
VDOT Thomas Williams Scot Jones Ray Haynes
VDACS Thomas Williams Kathy Ange Jerry Allgeier
Server Transformation and Move
Agenda
• Server Transformation Introduction
• Server Move Approach and Test Strategy
• Server Test Objectives
• High level Move and Cutover schedule
• Managing Risk
• Communication Plans
• Agency Responsibilities
• Questions
Server Move and Test Strategy for CESC
• Virtualize as many servers at RPB to facilitate the move process and reduce risk
• Consolidate multiple SAN/Disk system at RPB onto a single SAN/Disk Platform
• Replicate the data on this consolidated SAN/Disk system from RPB to CESC
• Replicate RPB Internal Network (LAN) at CESC (~ 280 devices)
• Extend VLAN’s from current RPB Network Infrastructure to CESC
• Replicate EBARS Backup Environment at CESC
• Servers will be placed in either PODS or Standard Racks at CESC based on specific
hardware, power, and cooling requirements
• We will maintain the same IP Addresses across the entire Server environment
• A two phased cutover approach will be utilized
– Phase-1 is the movement of the servers onto an extended VLAN at CESC (located at CESC, but
still part of the RPB LAN)
– Phase-2 requires servers to be switched from the extended VLAN to the local VLAN at CESC
• Servers will be moved in logical groups, based primarily on agency usage (VDOT, DEQ,
GOV, etc.)
• Whenever possible Operation and Application Testing will be performed using the virtual
server infrastructure to replicate systems from RPB to CESC
• In some instances duplicate server hardware will be purchased for CESC to facilitate
Operation and Application Testing at CESC
RPB to CESC Server Move
Phase-1 : Relocation
[Diagram: RPB Data Center (Current Production Network; Core Network PRODUCTION) with PIX FW, Juniper FW, Chk Point FW, 6506/6509 Outside and Inside Switches, 4507 Campus Switch, Server Farm, and several Old SAN/Disk arrays consolidated onto a Shared SAN/DISK. CESC Data Center (New Production Network; Core Network TEST ONLY) with New FWs, New 6506 Outside and Inside Switches, New Campus Switch, Server Farm and Shared SAN/DISK. Steps shown: Consolidate Disk at RPB, Replicate Data to CESC, Extend Server VLANs, Virtual and Physical Server Moves. Servers are moved in groups to CESC but are still using the network infrastructure at RPB.]
RPB to CESC Server Move
Phase-2 : Network Swap
[Diagram: the same two-site layout, with the RPB Data Center offline (Core Network OFFLINE) and the CESC Core Network now PRODUCTION. VLAN Extensions are dropped; servers are running at CESC and are now using the full network infrastructure at CESC. Data replication direction is switched to go from CESC back to RPB in preparation for DR at SWESC. Old SAN/Disk arrays are no longer needed.]
Server Test Objectives for CESC
• Operations Testing
– All systems will Boot and communicate with peripherals
– Administrative functions (Monitoring and Management) operate as expected
– Data replication between CESC and RPB functions properly
– VLAN Extension from RPB to CESC Network (LAN) and Firewalls function properly
– Print Infrastructure Functions Properly
– Tape Backup Infrastructure functions properly
– Control-M Infrastructure functions properly for support of Batch operations
– Point-to-point connections function properly
• Application Testing
– Applications will initiate and connect with database(s)
– Applications will update data and print reports as expected
– Regression test of all applications components on the Mainframe systems
• Network Connectivity Testing
– External access to Agency locations functions properly
– Access from RPB to CESC over extended VLAN functions properly
Testing and Cutover Timeline
(Notional)
(Gantt bars for the weeks 5/20 – 11/4 not reproduced)
ID  Task Name                                     Start       Finish
1   Finalize Rack and Power Requirements          5/15/2007   5/23/2007
2   Obtain additional network hardware for CESC   5/23/2007   7/28/2007
3   Review Plan with Current Operations           5/23/2007   5/31/2007
4   Communication and Review with Agency          6/3/2007    6/28/2007
5   Agency staff on board for review and testing  6/15/2007   8/15/2007
6   VLAN Extension to CESC                        6/3/2007    8/3/2007
7   EBARS standup at CESC                         6/3/2007    8/3/2007
8   SAN Standup at CESC                           6/3/2007    8/3/2007
9   Additional discovery with App Team and CO     6/10/2007   9/17/2007
10  Server Group 1                                6/10/2007   8/12/2007
11  Server Group 2                                6/10/2007   8/25/2007
12  Server Group 3                                6/17/2007   9/3/2007
13  Server Group 4                                6/17/2007   9/17/2007
14  Server Group 5                                6/24/2007   10/1/2007
15  Server Group 6                                6/24/2007   10/15/2007
16  Server Group 7                                6/24/2007   10/29/2007
17  Final Network Cutover                         11/9/2007   11/12/2007
Server Move Group Summary
• Server Group-1 : DFP, DCG, SBE , 25 servers
• Server Group-2 : DEQ, VDH, DPB, DCJS, 83 servers
• Server Group-3 : DGS, 124 servers
• Server Group-4 : GOV, DOF, VDACS, VGIN, 76 servers
• Server Group-5 : TAX, DSS, VEC, 112 servers
• Server Group-6 : VITA Group-1, 132 Servers
• Server Group-7 : VITA Group-2, 132 Servers
Server Move Group Detail

Agency | Isolated | Relo Start | Relo Complete | Pod Candidate | Wintel | Wintel Blade | Non-Wintel | RPB Location - Racks | VLAN Information
DFP | X | 11-Aug | 12-Aug | Y | 2 | 0 | 0 | 166 | 58
DCG | X | 11-Aug | 12-Aug | Y | 4 | 0 | 0 | 160 | 303
SBE | | 11-Aug | 12-Aug | Y | 19 | 0 | 0 | 130, 131 | 59, 61
DEQ | X | 25-Aug | 26-Aug | N | 7 | 40 | 1 | 68, 70, 72 | 16
VDH | | 25-Aug | 26-Aug | Y | 13 | 0 | 0 | 146 | 14
DPB | | 25-Aug | 26-Aug | N | 13 | 0 | 0 | 148, 149, 150 | 3, 66
DCJS | | 25-Aug | 26-Aug | N | 9 | 0 | 0 | 157, 158, 159 | 10
DGS | X | 1-Sep | 3-Sep | Y | 124 | 0 | 0 | 141, 142, 143, 144, 151, 152, 153, 154, 155, 176, 178, 179 | 3, 5, 9, 48
GOV | X | 15-Sep | 16-Sep | N | 32 | 0 | 0 | 137, 139, 180 | 52
DOF | | 15-Sep | 16-Sep | Y | 3 | 0 | 0 | 172 | 242
VGIN | | 15-Sep | 16-Sep | Y | 18 | 0 | 0 | 130, 172 | 242
VDACS | X | 15-Sep | 16-Sep | N | 16 | 0 | 7 | 162, 163, 164, 165 | 106
TAX | | 6-Oct | 8-Oct | N | 51 | 0 | 16 | 97, 98, 99, 107, 108, 111, 112, 115, 116, 118, 123, 169, 177 | 15, 30, 40
DSS | | 6-Oct | 8-Oct | Y | 16 | 0 | 0 | 170, 171 | 155
VEC | | 6-Oct | 8-Oct | Y | 28 | 1 | 0 | 103, 104, 105, 106, 181 | 31, 33, 40
VITA | | 13-Oct, 27-Oct | 14-Oct, 28-Oct | Both | 142 | 98 | 24 | 19, 21, 23, 94, 95, 109, 110, 113, 114, 124, 125, 126, 127, 128, 132, 133, 134, 135, 136, 167, 168, 185 | 3, 8, 14, 15, 30, 31, 33, 34, 38, 50, 51, 52, 56, 57, 59, 61, 63, 90, 97, 101, 103, 109, 115, 120, 121, 153, 155, 156, 157, 158, 159, 160, 161, 162, 163, 230, 234, 242, 247, 990, 993, 994, 995, 998
Total | | | | | 497 | 139 | 48 | |
Server Move Risk Mitigation
• VLAN Extensions
– Minimizes level of network and security changes required for the move to CESC
– Allows NG and the Agency to stage and pre-test selected Dev and/or Test servers PRIOR to
moving production systems
• Migration of Current Systems
– Minimizes level of system changes required for the move to CESC
– Minimizes complexity of having to re-rack systems
– All required cables (Network, SAN, etc) can be pre-installed and tested prior to moving the
systems to CESC
• System Virtualization
– Provides enhanced pre-move testing capabilities
– Minimizes system/application downtime during the move to CESC
– Provides quick, easy fall-back
Server Move Risk Mitigation
(continued)
• Stand-by Hardware
– Mission Critical application hardware can be made available if hardware problems arise due
to move related issues
• Tax related HP-UX hardware is an example of some of the systems that are being
considered for stand-by hardware
– Any x86 server can have a stand-by virtual server in-place at both data center locations
• Move Specialists
– All system packaging, pre and post move verifications will be performed by hardware vendor
Customer Engineers
• Customer Engineers (CE’s) are the vendor employees who are dispatched to diagnose
and resolve hardware related issues as part of warranty and maintenance support
services
– Representatives for each vendor will be either on-site or on-standby
• Move VITA last so that server move process is refined with smaller move groups
79
Communication Plan
Overview
• Comprehensive CH/COMM Plan to include email communications and supporting
documentation
• Overview, Kick-Off and monthly meetings with each affected Agency – Start June 7
• Detailed Planning Meetings with Agency Application Teams to develop test scenarios –
(6/15 – 8/15)
• Checkpoints and signoffs in plan for agreement to start test planning, agreement that
test plans are complete, application testing is complete and approval is given to move
• Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire
test window – (7/15 – 10/28)
• Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and
the Agency
• 24x7 Command Center setup before, during, and post move/cutover
– Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)
– Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as
needed)
– Representation by Network, Security, Mainframe, Server, Applications, etc
80
Agency Application Test Responsibilities
• Participate in Planning Process
– Identify applications that need to be tested on each server
– Provide acceptable dates for tests and cutover and confirm downtime windows
• Provide Agency resources to participate in application testing pre-move as well as
during the actual cutover
• Prepare test scripts and desired test results for application tests
• Conduct application tests for validation of the move
• Participate in cutover tests and verify network connectivity
• Agency acceptance sign off
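The cutover test above comes down to one question: does the server behave at CESC exactly as it did at RPB, with nothing lost and nothing newly exposed? The following is an added example of how such a pre/post-move check can be scripted; it is not code from VITA, Northrop Grumman or this presentation. It assumes a hypothetical snapshot record (hostname, address, VLAN, listening sockets, services, SAN path count, gateway reachability) captured by whatever tooling the move team already runs, and a constructed sample host "app01". Any port that is listening after the move but was not before is treated as a blocker, because on a VLAN-extended host that usually means a host firewall rule was lost or a service was started by hand during recovery.

```python
"""Pre/post-move verification for a relocated server.

A baseline snapshot is taken on the host before it leaves the old data
center and a second one after it is powered up at the new site; the two
are diffed and the result drives the cutover sign-off decision.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Port = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 443)


@dataclass(frozen=True)
class HostSnapshot:
    hostname: str
    ip: str                      # unchanged if the VLAN was extended
    vlan: int
    listening: FrozenSet[Port]   # sockets in LISTEN state
    services: FrozenSet[str]     # services expected to be running
    san_paths: int               # active multipath paths to SAN storage
    gateway_reachable: bool      # default gateway answers from the new site


@dataclass(frozen=True)
class Finding:
    severity: str   # "block" stops sign-off, "warn" is recorded only
    message: str


def compare_snapshots(before: HostSnapshot, after: HostSnapshot) -> List[Finding]:
    """Return every difference that matters for cutover, blockers first."""
    findings: List[Finding] = []
    if before.hostname != after.hostname:
        findings.append(Finding("block", f"hostname changed {before.hostname} -> {after.hostname}"))
    if before.ip != after.ip or before.vlan != after.vlan:
        findings.append(Finding("block", f"addressing changed {before.ip}/vlan{before.vlan} "
                                         f"-> {after.ip}/vlan{after.vlan}"))
    if not after.gateway_reachable:
        findings.append(Finding("block", "default gateway unreachable from new location"))
    # A listener that was absent before the move is new exposure, not a
    # harmless difference: a host firewall rule was lost or something was started.
    for proto, port in sorted(after.listening - before.listening):
        findings.append(Finding("block", f"new listener {proto}/{port} after move"))
    for proto, port in sorted(before.listening - after.listening):
        findings.append(Finding("block", f"listener {proto}/{port} missing after move"))
    for svc in sorted(before.services - after.services):
        findings.append(Finding("block", f"service {svc} not running after move"))
    for svc in sorted(after.services - before.services):
        findings.append(Finding("warn", f"unexpected service {svc} running after move"))
    if after.san_paths < before.san_paths:
        severity = "block" if after.san_paths == 0 else "warn"
        findings.append(Finding(severity, f"SAN paths dropped {before.san_paths} -> {after.san_paths}"))
    findings.sort(key=lambda f: f.severity != "block")  # stable: blockers first
    return findings


def ready_for_signoff(findings: List[Finding]) -> bool:
    """Agency acceptance is only possible when no blocking finding remains."""
    return not any(f.severity == "block" for f in findings)


# Constructed sample: hypothetical application server "app01", before the move...
BEFORE = HostSnapshot("app01", "10.1.20.15", 120,
                      frozenset({("tcp", 22), ("tcp", 443), ("tcp", 1521)}),
                      frozenset({"sshd", "httpd", "oracle"}),
                      san_paths=4, gateway_reachable=True)
# ...and after it: addressing intact, but a VNC listener appeared and one SAN path is down.
AFTER = HostSnapshot("app01", "10.1.20.15", 120,
                     frozenset({("tcp", 22), ("tcp", 443), ("tcp", 1521), ("tcp", 5900)}),
                     frozenset({"sshd", "httpd", "oracle", "vncserver"}),
                     san_paths=3, gateway_reachable=True)

if __name__ == "__main__":
    results = compare_snapshots(BEFORE, AFTER)
    for f in results:
        print(f"[{f.severity.upper()}] {f.message}")
    print("sign-off:", "OK" if ready_for_signoff(results) else "HOLD")
```

The snapshot fields are the minimum that distinguishes "the move worked" from "the move worked and quietly changed the attack surface"; a real run would populate them from the vendor CE's post-move checks and the agency's connectivity test rather than from constants.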
81
Test and Move Coordination Roles
Agency | Tentative Relocation Weekend | Transformation | Current Operations | Agency Application Team | Primary HP Assignee | Secondary HP Assignee
SBE | 11-Aug | Bob Reviea | Mike Elliott | TBD | Tao Tao | Terry Miller
VDFP | 11-Aug | Brian Welliver | TBD | TBD | Terry Miller | Tom Springer
DCG | 11-Aug | Don Morgon | TBD | TBD | Tom Springer | Tao Tao
DEQ | 25-Aug | Brian Welliver | Dan Gayk | TBD | Terry Miller | Tom Springer
VDH | 25-Aug | Don Morgon | Kenny White | TBD | Tom Springer | Terry Miller
DCJS | 25-Aug | Bob Reviea | TBD | TBD | Tao Tao | Tom Springer
DPB | 25-Aug | Bob Reviea | TBD | TBD | Tao Tao | Terry Miller
DGS | 1-Sep | Don Morgon | Barbara Garnett | TBD | Tom Springer | Tao Tao
GOV | 17-Sep | Bob Reviea | Barbara Garnett | TBD | Tao Tao | Terry Miller
DOF | 17-Sep | Brian Welliver | TBD | TBD | Terry Miller | Tom Springer
VDACS | 17-Sep | Don Morgon | Brenda Richart | TBD | Tom Springer | Tao Tao
VEC | 17-Sep | Brian Welliver | Brenda Richart | TBD | Terry Miller | Tom Springer
TAX | 6-Oct | Bob Reviea | Cathie Franklin | TBD | Tao Tao | Tom Springer
VGIN | 6-Oct | Don Morgon | TBD | TBD | Tom Springer | Terry Miller
DSS | 6-Oct | Brian Welliver | Mike Elliott | TBD | Terry Miller | Tao Tao
VITA | 13-Oct / 27-Oct | TBD | Dave Matthews | TBD | John Sewell | Jeff Flanigan
82
VITA IT Security Technical Documentation
Craig Luka
Security Analyst
Northrop Grumman, VITA IT Security
June 14th, 2007
83
Overview
• What documentation has been developed?
– Enterprise Infrastructure Security Practices
– Security Practices Self Assessment
• Why?
– Define baseline security practices for
customer-based staff
– COV ITRM Standard SEC501-01 compliance
– Document current Agency security practices
and develop SEC501-01 Gap Analyses.
– Reduce risk of unfavorable audit findings
84
Documentation Architecture
• Documentation Framework
– Security practices document has been
developed on industry best practices (SANS,
NIST, Center For Internet Security)
– All SEC501-01 requirements from the technical
requirements matrix are accounted for in the
security practices document
– Self Assessment maps each SEC501-01
requirement to a set of security practices
• Serves as a cross reference between SEC501-01 and
newly developed Enterprise Security Practices.
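The cross reference described here does two jobs at once: it proves the Enterprise Security Practices cover every SEC501-01 requirement, and, once an agency's self assessment is filled in, it rolls the state of each practice up into a per-requirement gap analysis. The following is an added example of that roll-up, not code from VITA or the EISP team, and the requirement and practice identifiers in it are hypothetical placeholders (the real SEC501-01 numbering and EISP practice IDs are not on this page). It deliberately includes two kinds of defect a reviewer should catch before trusting the numbers: a requirement nothing maps to, and a mapping that points at a practice the EISP does not define.

```python
"""Roll a Security Practices Self Assessment up into a SEC501-01 gap analysis.

The cross reference maps each standard requirement to the set of practices
that satisfy it; the completed assessment records the state of each practice.
All identifiers below are hypothetical placeholders.
"""
from typing import Dict, List, Mapping, Sequence, Set

# Requirement -> practices that together satisfy it.
CROSS_REFERENCE: Dict[str, List[str]] = {
    "REQ-AC-1": ["EISP-AC-01", "EISP-AC-02"],
    "REQ-AC-2": ["EISP-AC-03"],
    "REQ-LOG-1": ["EISP-LOG-01", "EISP-LOG-02"],
    "REQ-BK-1": [],                    # defect: no practice maps to it
    "REQ-NET-1": ["EISP-NET-99"],      # defect: practice not in the EISP
}

# Practices actually defined in the EISP document.
PRACTICE_CATALOG: Set[str] = {"EISP-AC-01", "EISP-AC-02", "EISP-AC-03",
                              "EISP-LOG-01", "EISP-LOG-02"}

# Constructed self-assessment answers from one agency.
ASSESSMENT: Dict[str, str] = {
    "EISP-AC-01": "implemented",
    "EISP-AC-02": "partial",
    "EISP-AC-03": "implemented",
    "EISP-LOG-01": "not_implemented",
    "EISP-LOG-02": "not_implemented",
}


def validate_cross_reference(xref: Mapping[str, Sequence[str]],
                             catalog: Set[str]) -> List[str]:
    """Defects in the mapping itself: documentation bugs, not agency gaps."""
    problems = []
    for req, practices in xref.items():
        if not practices:
            problems.append(f"{req}: no practice mapped")
        for p in practices:
            if p not in catalog:
                problems.append(f"{req}: references unknown practice {p}")
    return problems


def requirement_status(practices: Sequence[str], assessment: Mapping[str, str]) -> str:
    """met / partial / gap / unassessed / unmapped for one requirement."""
    if not practices:
        return "unmapped"
    states = [assessment.get(p) for p in practices]
    if any(s is None for s in states):
        return "unassessed"          # submitter skipped a mapped practice
    if all(s == "implemented" for s in states):
        return "met"
    if all(s == "not_implemented" for s in states):
        return "gap"
    return "partial"                 # a mix of implemented, partial and missing


def gap_analysis(xref: Mapping[str, Sequence[str]],
                 assessment: Mapping[str, str]) -> Dict[str, str]:
    return {req: requirement_status(practices, assessment)
            for req, practices in xref.items()}


def open_findings(report: Mapping[str, str]) -> List[str]:
    """Requirements an auditor would write up: anything not fully met."""
    return sorted(req for req, status in report.items() if status != "met")


if __name__ == "__main__":
    for problem in validate_cross_reference(CROSS_REFERENCE, PRACTICE_CATALOG):
        print("cross-reference defect:", problem)
    report = gap_analysis(CROSS_REFERENCE, ASSESSMENT)
    for req in open_findings(report):
        print(f"{req}: {report[req]}")
```

A requirement counts as met only when every practice mapped to it is implemented; "partial" on a single practice is enough to keep the requirement open, which is the conservative reading an auditor will apply.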
85
Workflow and Routing
• Document Distribution
– EISP and self assessment are delivered to
Regional Service Directors (RSDs)
– RSDs deliver documents to Agency-based
Service Level Directors (SLDs)
– Customer-based technical staff and SLDs
complete the self assessment
– Completed self assessments are returned to
EISP team for quality assurance review
– Final documentation is delivered to Agency
ISOs and reports are delivered to the CISO
86
Timeframe
• June 1st: Documents delivered to RSDs
• June 4th: RSDs deliver to SLDs and
work begins on the self assessments
• June 4th – June 29th: Self assessment
submitters complete assessment and work
with EISP team as needed for clarification
• June 29th: All assessments completed,
reviewed and delivered to respective
Agency ISOs.
87
What to Expect
• The EISP team will work with customer-
based staff and SLDs as needed to assist
in assessment completion
• Any clarifications or enhancements
discovered while assessments are being
completed will be added to the EISP and
self assessment documents
• Agency ISOs will receive a copy of the
EISP document and their Agency’s
completed self assessment on June 29th
88
Questions?
89
COV IT Security Standard Compliance – ISO Appointments & IT Security Audits
Ed Miller
90
Appointment of an Information Security Officer
The IT Security Policy (ITRM SEC500-02) requirement to appoint an Information Security Officer (ISO)
91
ISO Designation Requirement
ITRM SEC500-02 requires each Agency Head to "designate via e-mail…an ISO (Information Security Officer) for the Agency and provide the person's name, title and contact information to VITA no less than biennially. The Agency Head is strongly encouraged to designate at least one backup for the ISO, as well."
Send via e-mail to: VITASecurityServices@Vita.Virginia.Gov
The designation e-mail must either be from the Agency Head or have the Agency Head copied (cc:).
92
List of Confirmed ISOs
Accountancy, Board of
Aging, Department for the
Agriculture and Consumer Services, Department of
Business Assistance, Virginia Department of
Center for Behavioral Rehab
Center for Innovative Technology
Christopher Newport University
Conservation and Recreation, Department of
Correctional Education, Department of
Corrections, Department of
Department of Charitable Gaming
Department of Forensic Sciences
Economic Development Partnership, Virginia
Elections, State Board of
Employment Dispute Resolution, Department of
Environmental Quality, Department of
Fire Programs, Department of
Forestry, Department of
Frontier Culture Museum of Virginia
Game and Inland Fisheries, Department of
Governor, Office of the
Health Professions, Department of
Human Resource Management, Department of
James Madison University
Juvenile Justice, Department of
Library of Virginia, The
Longwood University
Mary Washington University
Medical Assistance Services, Department of
Mental Health, Mental Retardation & Substance Abuse Svcs, Department of
Mines, Minerals and Energy, Department of
Minority Business Enterprise, Department of
Motor Vehicle Dealer Board
Motor Vehicles, Department of
Museum of Fine Arts, Virginia
Museum of Natural History, Virginia
Old Dominion University
Professional & Occupational Regulation, Department of
Racing Commission, Virginia
Rail and Public Transportation, Department of
Science Museum of Virginia
Social Services, Department of
State Police, Department of
Tourism Commission, Virginia
Transportation, Department of
Virginia Commonwealth University
Virginia Information Technologies Agency
93
IT Security Audit Plan
The IT Security Audit Standard (ITRM SEC502-00) requirement to submit an annual IT security "audit plan" to the CISO, beginning February 1, 2007.
94
IT Security Audit Plan
• The IT Security Audit Plan should identify all sensitive system(s), the planned date of the audit(s) and the planned auditor for the audit(s).
• Each sensitive system must be audited at a frequency relative to its risk, and in any case at least once every 3 years.
• A template the agency can use to record this information is on the VITA web at:
http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityAuditPlanTemplate.doc
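Before the plan goes to the CISO it is worth checking it mechanically against the rule just stated: every sensitive system has a planned date and auditor, the planned date falls before the system's next audit is due, and the due date itself is derived from the risk-based interval capped at three years. The following is an added example of that check, not code from VITA or the SEC502-00 standard. The risk tiers and their intervals are an assumption (the standard leaves the exact frequency to the agency's risk assessment), the system names are constructed, and the "low" tier is deliberately set above three years to show the ceiling clamping it.

```python
"""Check an IT Security Audit Plan against the SEC502-00 frequency rule:
every sensitive system is audited at a frequency matching its risk and in
no case less often than once every 3 years.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_YEARS_BETWEEN_AUDITS = 3
# Hypothetical risk-based intervals; "low" exceeds the ceiling on purpose.
RISK_INTERVAL_YEARS: Dict[str, int] = {"high": 1, "medium": 2, "low": 5}


@dataclass
class SensitiveSystem:
    name: str
    risk: str
    last_audit: Optional[date]      # None if never audited
    planned_audit: Optional[date]   # date in the submitted plan
    planned_auditor: Optional[str]


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic that survives a 29 February start date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def audit_due(system: SensitiveSystem, today: date) -> date:
    """Latest date the next audit may happen; never audited means due now."""
    interval = min(RISK_INTERVAL_YEARS[system.risk], MAX_YEARS_BETWEEN_AUDITS)
    if system.last_audit is None:
        return today
    return add_years(system.last_audit, interval)


def evaluate(system: SensitiveSystem, today: date) -> str:
    """One status per system, most serious condition first."""
    if system.risk not in RISK_INTERVAL_YEARS:
        return "bad_risk"            # no frequency can be derived; fix the inventory
    due = audit_due(system, today)
    if due < today:
        return "overdue"             # already past the latest allowed date
    if system.planned_audit is None:
        return "unplanned"
    if system.planned_audit > due:
        return "plan_late"           # planned, but after the latest allowed date
    if not system.planned_auditor:
        return "no_auditor"
    return "ok"


def plan_report(systems: List[SensitiveSystem], today: date) -> Dict[str, str]:
    return {s.name: evaluate(s, today) for s in systems}


# Constructed sample plan, reviewed as of the meeting date.
AS_OF = date(2007, 6, 14)
SAMPLE_PLAN = [
    SensitiveSystem("payroll", "high", date(2006, 9, 1), date(2007, 8, 15), "Internal Audit"),
    SensitiveSystem("licensing", "low", date(2004, 5, 1), date(2007, 9, 1), "APA"),
    SensitiveSystem("gis-portal", "medium", None, None, None),
    SensitiveSystem("archive", "low", date(2006, 2, 28), date(2009, 6, 1), "APA"),
    SensitiveSystem("case-mgmt", "high", date(2007, 1, 10), date(2007, 12, 1), None),
    SensitiveSystem("legacy-db", "critical", date(2006, 1, 1), date(2007, 7, 1), "APA"),
]

if __name__ == "__main__":
    for name, status in plan_report(SAMPLE_PLAN, AS_OF).items():
        print(f"{name:12} {status}")
```

Note that "licensing" is overdue even though it is low risk: its last audit was more than three years ago, so the ceiling, not the tier, decides. An "overdue" system needs an exception request or an immediate audit; "plan_late" needs the planned date moved forward before the plan is submitted.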
95
Exception Request
• If your agency cannot submit its IT Security Audit Plan, the Agency must submit an Exception Request for an extension of time in order to comply. The Exception Request must be approved by the Agency Head and sent to the CISO for review and approval.
• The IT Security Policy and Standard Exception Request form is on the VITA web at
http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc
96
No Sensitive Systems?
• Some agencies may not classify any of their databases or systems as "sensitive". Under the requirements of SEC502-00, they do not have to submit an audit plan. However, to ensure that no sensitive systems are being missed, any Agency making that assertion is asked to notify VITA by e-mail to VITASecurityServices@Vita.Virginia.Gov that it will not be submitting an audit plan for that reason.
97
Agencies w/Audit Plans or Extensions
Board of Accountancy
Center for Innovative Technology
Christopher Newport University
Department of Employment Dispute Resolution
Department for the Aging
Department of Agriculture and Consumer Services
Department of Alcoholic Beverage Control
Department of Conservation and Recreation
Department of Corrections
Department of Education
Department of Environmental Quality
Department of Fine Arts
Department of Forensic Sciences
Department of General Services
Department of Health
Department of Health Professions
Department of Housing and Community Development
Department of Human Resource Management
Department of Juvenile Justice
Department of Medical Assistance Services
Department of Mental Health, Mental Retardation & Substance Abuse Services
Department of Mines, Mineral, and Energy
Department of Motor Vehicles
Department of Planning and Budget
Department of Professional & Occupational Regulation
Department of Rail and Public Transportation
Department of Rehabilitative Services
Department of Social Services
Department of State Police
Department of Taxation
Department of the Treasury
Department of Transportation
George Mason University
James Madison University
Jamestown-Yorktown Foundation
Longwood University
Mary Washington University
Office of the Governor
Old Dominion University
Radford University
Richard Bland College
State Compensation Board
State Board of Elections
State Council of Higher Education for Virginia
Virginia Commonwealth University
Virginia Board for People with Rehabilitative Services
Virginia Department for the Blind and Vision Impaired
Virginia Department for the Deaf and Hard of hearing
Virginia Employment Commission
Virginia Information Technologies Agency
Virginia Racing Commission
Virginia State University
98
Where to find Policies/Templates/Forms
• Go to the VITA Website:
www.vita.virginia.gov
Click Security and then Policies and Procedures
http://www.vita.virginia.gov/docs/psg.cfm#securityPSGs
99
COV Information Technology Security
Policy, Standards and Guidelines
Cathie Brown, CISM, CISSP
100
Compliance: IT Security Policy & Standard
July 1, 2007 Compliance Date
• Key Steps to Compliance include:
– Designate an ISO
– Inventory all systems
– Perform Risk Assessment on sensitive systems
– Perform Security Audits on sensitive systems
– Document and exercise Contingency & DR Plans
– Implement IT systems security standards
– Document formal account management practices
– Define appropriate data protection practices
– Establish Security Awareness & Acceptable Use policies
– Safeguard physical facilities
– Report & Respond to IT Security Incidents
– Implement IT Asset Controls
101
Exception Request
• If your agency cannot comply by July 1, 2007, the Agency must submit an Exception Request for an extension of time. The Exception Request must be approved by the Agency Head and sent to the CISO for review and approval.
• The IT Security Policy and Standard Exception Request form is on the VITA web at
http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc
102
Status Update
• Revised IT Security Policy & Standard
End date for ORCA Comments – 6/13
• IT Standard Use of Non-Commonwealth Computing
Devices to Telework ITRM SEC511-00
New COV Standard
End date for ORCA Comments – 6/13
• IT Threat Management Guideline
Comments have been addressed
Publish by June 29, 2007
103
New! Data Breach Notification
Included in Revised IT Security Policy and Standard:
• Data Breach Notification Requirements:
– Each agency will identify systems that contain PII (Personally
Identifiable Information)
– Include provisions in any third party contracts requiring that
the third party & third party subcontractors provide immediate
notification of suspected breaches
– Provide appropriate notice to affected individuals upon the
unauthorized release of any unencrypted PII by any
mechanism (laptop, desktop, tablet, CD, DVD, etc.)
104
Revisions - IT Security Policy & Std
• Highlights
– Expanded scope to include Legislative, Judicial,
Independent and Higher Education
– System Security Plans for sensitive systems
– Additional considerations for account management
– Additional considerations for protection of data on
mobile storage media including encryption
– Additional requirements for specialized IT security
training
– Data Breach Notification
• Compliance date – 1/01/2008
105
New! IT Std Using Non-COV Devices to Telework
• Purpose
– Establish a standard to protect COV data while teleworking
with Non-COV Devices
• Acceptable Solutions
– Standalone Computer
– Internet Access to Web-Based Applications
– Internet Access to Remote Desktop Applications
• Requirements
– Storing COV data on a non-COV device is prohibited
– Network traffic containing sensitive data must be encrypted
– Provide training on remote access policies
• Security Incident Response
– Non-COV device may be required during forensics or
investigation of a Security Incident
– Acknowledgement form signed
106
IT Threat Management Guideline
• Highlights
– IT Security Threat Detection
– IT Security Incident Management
– IT Security Monitoring and Logging
– Example: Recording and Reporting Procedure
– Example: Internal Incident Handling Procedure
107
QUESTIONS
108
Information Risk Executive Council
Cathie Brown, CISM, CISSP
109
Reminder – IREC Resource Available
• Information Risk Executive Council
– Unlimited access to the following services
• Strategic Research and Tools
• Benchmarking and Diagnostic Tools
• Teleconferences
• To register
– https://www.irec.executiveboard.com/Public/Register.aspx
• For questions or problems, please contact:
– Jennifer Smith
Account Manager, CIO Executive Board
Corporate Executive Board
2000 Pennsylvania Avenue, NW
Washington, DC 20006
– 202-587-3601 jsmith@executiveboard.com
110
QUESTIONS
111
Upcoming Events
Peggy Ward
112
UPCOMING EVENTS!
ISOAG MEETING DATES
Wednesday, July 11, 2007
1:00 - 4:00
Tentative Agenda Items:
E-Discovery – OAG
VITA transformed IT Infrastructure Architecture - Linda Smith
NG IS Policy, Standards & Guidelines Update - Cathie Brown
VITA IS Council Committee Updates - Committee Chairs
113
UPCOMING EVENTS!
VITA OFFICES MOVE
Friday July 27, 2007
CAMS will move to 411 E. Franklin
114
Any Other Business?
115
ADJOURN
THANK YOU FOR YOUR TIME AND THOUGHTS!!!

More Related Content

Similar to 070614F-ISOAPresentation.ppt

UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
 
IT Security Essentials
IT Security EssentialsIT Security Essentials
IT Security EssentialsSkoda Minotti
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber securityAurobindo Nayak
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014KBIZEAU
 
Preparing a Next Generation IT Strategy
Preparing a Next Generation IT StrategyPreparing a Next Generation IT Strategy
Preparing a Next Generation IT StrategyBishop Fox
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...Financial Poise
 
Singapore Cybersecurity Strategy and Legislation (2018)
Singapore Cybersecurity Strategy and Legislation (2018)Singapore Cybersecurity Strategy and Legislation (2018)
Singapore Cybersecurity Strategy and Legislation (2018)Benjamin Ang
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Great Wide Open
 
Moving to the Cloud: A Security and Hosting Introduction
Moving to the Cloud: A Security and Hosting IntroductionMoving to the Cloud: A Security and Hosting Introduction
Moving to the Cloud: A Security and Hosting IntroductionBlackbaud
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
 
7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations7 Habits of Highly Secure Organizations
7 Habits of Highly Secure OrganizationsHelpSystems
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021lior mazor
 
How to Comply with NIST 800-171
How to Comply with NIST 800-171How to Comply with NIST 800-171
How to Comply with NIST 800-171Corserva
 
Protecting health and life science organizations from breaches and ransomware
Protecting health and life science organizations from breaches and ransomwareProtecting health and life science organizations from breaches and ransomware
Protecting health and life science organizations from breaches and ransomwareCloudera, Inc.
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Trust in a Digital World
Trust in a Digital WorldTrust in a Digital World
Trust in a Digital Worlditnewsafrica
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityIT Governance Ltd
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
 
Science of Security: Cyber Ecosystem Attack Analysis Methodology
Science of Security: Cyber Ecosystem Attack Analysis MethodologyScience of Security: Cyber Ecosystem Attack Analysis Methodology
Science of Security: Cyber Ecosystem Attack Analysis MethodologyShawn Riley
 

Similar to 070614F-ISOAPresentation.ppt (20)

UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
 
IT Security Essentials
IT Security EssentialsIT Security Essentials
IT Security Essentials
 
Tyler Technology Expo
Tyler Technology ExpoTyler Technology Expo
Tyler Technology Expo
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber security
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 
Preparing a Next Generation IT Strategy
Preparing a Next Generation IT StrategyPreparing a Next Generation IT Strategy
Preparing a Next Generation IT Strategy
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
 
Singapore Cybersecurity Strategy and Legislation (2018)
Singapore Cybersecurity Strategy and Legislation (2018)Singapore Cybersecurity Strategy and Legislation (2018)
Singapore Cybersecurity Strategy and Legislation (2018)
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
 
Moving to the Cloud: A Security and Hosting Introduction
Moving to the Cloud: A Security and Hosting IntroductionMoving to the Cloud: A Security and Hosting Introduction
Moving to the Cloud: A Security and Hosting Introduction
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
How to Comply with NIST 800-171
How to Comply with NIST 800-171How to Comply with NIST 800-171
How to Comply with NIST 800-171
 
Protecting health and life science organizations from breaches and ransomware
Protecting health and life science organizations from breaches and ransomwareProtecting health and life science organizations from breaches and ransomware
Protecting health and life science organizations from breaches and ransomware
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Trust in a Digital World
Trust in a Digital WorldTrust in a Digital World
Trust in a Digital World
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT Security
 
Science of Security: Cyber Ecosystem Attack Analysis Methodology
Science of Security: Cyber Ecosystem Attack Analysis MethodologyScience of Security: Cyber Ecosystem Attack Analysis Methodology
Science of Security: Cyber Ecosystem Attack Analysis Methodology
 

Recently uploaded

“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerunnathinaik
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,Virag Sontakke
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 

Recently uploaded (20)

“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17

070614F-ISOAPresentation.ppt

  • 9. [Chart: Cost of Capability vs. Availability of Capability, 1945 to today (tick marks at 1955, 1960, 1970, 1975, 1985); capabilities plotted: Invasion, Strategic Nuclear Weapons, Missiles (ICBM & SLBM), Cruise Missile, Precision Guided Munitions, Computer, Cyber Attack (Cost & Means).]
  • 10. The CyberWorld Today
    Cyber Attacks:
    – Immediately follow, or occur in conjunction with, physical world events
    – Becoming more coordinated and politically motivated
    – Don't care about being detected or traced
  • 11. Potential Sources of Attacks
    – Terrorist Groups
    – Targeted Nation-States
    – Terrorist Sympathizers and Anti-U.S. Hackers
    – Thrill Seekers
    – U.S. Hackers who need resources
  • 12. Cyber Threats
    Unstructured Threats
    – Insiders
    – Recreational Hackers
    Structured Threats
    – Organized Crime
    – Industrial Espionage
    National Security Threats
    – Intelligence Agencies
    – Information Warfare
  • 13. InfraGard Benefits (FBI Program vs. Private Sector Benefits)
    – Industry sector Subject Matter Experts
    – Initiation of new investigations
    – Early indication of sector specific attacks
    – Avenue to obtain feedback on intelligence
    – Ability to identify significant crime problems
    – Trusted membership and Network of professionals
    – Timely/Non-public Intelligence Products
    – Secure forum to share information & discuss issues
    – Avenue to provide positive intelligence
    – Ongoing relationship with the FBI
    Also, it is "FREE!"
  • 14. 14 InfraGard VPN Home Page Graphic Unavailable for On-line Participants.
  • 15. 15 InfraGard VPN Alerts & Advisories Graphic Unavailable for On-line Participants.
  • 16. 16 InfraGard VPN Specific Critical Infrastructure Articles Graphic Unavailable for On-line Participants.
  • 17. 17 InfraGard VPN IT & Telecommunication Sector Graphic Unavailable for On-line Participants.
  • 18. 18 InfraGard VPN IT & Telecommunication Sector Computer Security Articles Graphic Unavailable for On-line Participants.
  • 19. 19 InfraGard VPN IT & Telecommunication Sector Cyber Threat Media Highlights Graphic Unavailable for On-line Participants.
  • 20. 20 InfraGard VPN Message Board Graphic Unavailable for On-line Participants.
  • 21. 21 InfraGard VPN Message Board Topic: Computer Security Graphic Unavailable for On-line Participants.
  • 22. 22 InfraGard VPN Resource Page (DHS Open Source Reports, Presentations, etc…) Graphic Unavailable for On-line Participants.
  • 23. 23 InfraGard VPN DHS Daily Reports Page Graphic Unavailable for On-line Participants.
  • 24. Other Features
    – Special Interest Groups, e.g. Research and Technology
    – Partnerships, e.g. NIST & SBA
    – Quarterly Meetings with valuable speakers
    – Ability to Participate in FBI Citizen's Academy
  • 25. 25 InfraGard VPN Special Interest Groups • Research and Technology InfraGard • Food/Agriculture InfraGard • Chemical InfraGard Graphic Unavailable for On-line Participants.
  • 26. 26 InfraGard VPN Research and Technology InfraGard Graphic Unavailable for On-line Participants.
  • 27. SBA/NIST/FBI
    Partnership between:
    – FBI
    – Small Business Administration (SBA) – assist small businesses
    – National Institute of Standards and Technology (NIST) – World leader in Information Security Guidelines
    Goal
    – Provide Security Workshops poised to deliver information security training to the small business community like no other.
  • 28. How you can help as IT Security Professionals
    Develop and implement security policies and procedures.
    – Know what you want to protect, and who will do it.
    Build some walls…
    – Create a perimeter and guard it (routers, firewalls, IDS). Then, check the guards (audit policy).
    Educate your users.
    – The importance of security (personal & corporate data), strong passwords, encryption, etc.
  • 29. How you can help (Cont'd)
    Banners
    – Put people on notice. You ARE watching!
    Employee Agreements
    Then:
    – LOG, LOG, LOG!
    – MONITOR, MONITOR, MONITOR!
    – TEST, TEST, TEST!
  • 30. But… OK… the Policies are in Place, the Perimeter is Built, and the Network is Secure! What If They Sneak Through?
  • 31. If They Sneak Through…
    – Respond quickly and without fail.
    – Have key response personnel predetermined.
    – Consider content monitoring of the attack.
    – Backups: create backups of altered/damaged files and LOGS; secure backups of the original state.
    – Determine the cost of the attack: repairs, replacement, personnel, consultants, lost "business".
    – Consider contacting the FBI.
  • 32. Intrusion cases are already won or lost long before law enforcement arrives
  • 34. What the FBI can Do
    – Combine technical skills and investigative experience
    – Provide national and global coverage
    – Provide long-term commitment of resources
    – Apply more traditional investigative techniques
    – Perform pattern analysis
    – Integrate law enforcement and national security concerns
    CYBER CRIME IS THE FBI'S #3 PRIORITY
  • 36. Federal Bureau of Investigation Richmond, Virginia (804) 261-1044 www.InfraGard.net
  • 37. Disk Encryption Overview PC Hard drive Encryption Rated Service Price Offering John Kissel, VITA June 14, 2007
  • 38. Disk Encryption Overview 38 Agenda • Review • Service Offering Rate • Product Feature Summary • Preliminary Configuration settings • Status
  • 39. Disk Encryption Overview 39 Rated Service Offering • Monthly rate – Approx $17.00 per encrypted PC Windows desktop/laptop/tablet • Added to the current per unit rate – Includes deployment and recurring support • Deployment – Applies to devices being refreshed during the scheduled refresh initiative as well as those devices not requiring refresh during the scheduled refresh initiative. – Does not apply to legacy devices requiring encryption prior to the scheduled refresh initiative. • Recurring support – Applies to ALL devices that NG encrypts
  • 40. Disk Encryption Overview – Hard Drive Encryption Service Offering
    Column headings (as extracted): Category, Item, Prior to Desktop Refresh, During Desktop Refresh, After Desktop Refresh, Non-Recurring, Recurring. Cell marks are kept as extracted (■ or T&M).
    Software
    – Product license: ■ ■ ■
    – Product Client Access License(s): ■ ■ ■
    Technical Services – Testing
    – Functionality testing: ■ ■ T&M
    – Image development: ■ ■ T&M
    – Package creation: ■ ■ T&M
    – Package creation 2: ■ ■ T&M
    – Hardware compatibility testing: ■ ■ T&M
    – Use scenarios: ■ ■ T&M
    – Deployment testing: ■ ■ T&M
    Technical Services – Training
    – Site Support: ■ ■ T&M
    – Helpdesk: ■ ■ T&M
    – End user: ■ ■ T&M
    – Communications: ■ ■ T&M
    Technical Services – Deployment
    – Deployment planning: ■ ■ T&M
    – Deployment preparation: ■ ■ T&M
    – Deployment execution: ■ ■ T&M
    Software
    – Product License maintenance: ■ ■ ■ ■
    – Client Access License Maintenance: ■ ■ ■ ■
    Technical Support
    – Helpdesk (first call resolution): ■ ■ ■ ■
    – Tier 2 support: ■ ■ ■ ■
    – Maintenance: ■ ■ ■ ■
  • 41. Disk Encryption Overview – General Assumptions
    • Degraded Desktop/Laptop performance during system startup may be realized.
    • Increase in Helpdesk support calls is anticipated.
    • Increase in support/administration effort.
      – Extended system recovery times
    • Implementation
      – Desktop/Laptop preparation tasks must be performed
      – All support calls will be routed to the VCCC
      – Encryption will be performed as part of the desktop refresh schedule
  • 42. Disk Encryption Overview – Procedures for Ordering
    • If you choose not to wait for Transformation, an RFS needs to be completed to request this service.
    • If you choose to wait for Transformation, it will be discussed at your kickoff meeting.
  • 44. Encryption Committee Jesse Crim (VCU) John Palese (DSS) Michael McDaniel (VRS) Tripp Simms (VITA/NG) Steve Werby (DOC)
  • 45. Encryption Committee - Goals
    – Survey agencies – IT and business perspective
    – Questionnaire to aid agencies in determining encryption needs and solutions
    – Develop plan for educating users
    – Develop best practices
    – Recommend solutions, preferably enterprise
    – Develop end user training plan
  • 46. Making Security an Executive Management Priority Committee Members John Karabaic, DMAS Joe Hubbell, Va. Lottery Shirley Payne, U.Va.
  • 47. 47 Ideas To Date • Make recommendations for executive security awareness events, either standalone or as riders on other planned executive-level events such as a previous 2-day workshop on COOP. • Solicit effective executive security awareness practices from agencies and present these as models other agencies might follow.
  • 48. 48 Ideas To Date - continued • Collect and make available canned security awareness presentations tailored for executives. • Form a speakers bureau of ISO/boss teams willing to give presentations to agency executives within their secretariat.
  • 49. Interested in volunteering? Contact Shirley Payne, payne@virginia.edu
  • 50. Small Agency Outreach – Current Members
    – Robert Jenkins (DJJ)
    – Aaron Mathes (OAG)
    – Goran Gustavsson (APA)
    – Ross McDonald (DSS)
    – Bob Auton (DJJ)
    – Doug Mack (DJJ)
  • 51. Small Agency Outreach
    – Contact & survey small agencies and benchmark where they are in the process
    – Develop a pool of available talent to work in a shared service capacity to provide Audit functions to Small Agencies
    – Measure Small Agencies with Audit capabilities versus those without this function
    – Develop "Canned Solutions", i.e. quick fixes using best practices from those with success in areas such as policy, practice or procurement
    – Develop a tool for communications, such as a message board with shared access
    – Create a network of Subject Matter Experts (SMEs) to offer advice and guidance
    – ARMICS and implementation options
    – Resources to talk with Agency Management who may be reluctant or unfamiliar with the actions required for compliance matters
    – VITA IT Security Policies and Standards (Business Impact Analysis, Risk Assessment, Breaches/Detections, etc.)
    – Other IT Services, such as possible tests/reviews/audits
  • 52. Small Agency Outreach – Volunteers are welcome!
    If interested, contact Robert Jenkins: 804-786-1608, robert.jenkins@djj.virginia.gov
  • 53. Identity and Access Management and Account Management Committee Members Patricia Paquette – DHP, pat.paquette@dhp.virginia.gov Mike Garner – Tax, mike.garner@tax.virginia.gov Marie Greenberg – DMV, marie.greenberg@dmv.virginia.gov Jim Rappe – ABC, james.rappe@abc.virginia.gov Maria Batista, DMV, maria.batista@dmv.virginia.gov Joel McPherson, DSS, joel.mcpherson@dss.virginia.gov
  • 54. 54 Identity and Access Management and Account Management “An identity management solution should not be made up of isolated silos of security technologies, but rather, consist of well integrated technologies that address the spectrum of scenarios in each stage of the identity life cycle.” Frederick Chong Microsoft Corp.
  • 55. Identity and Access Management and Account Management
    Goal – establish a secure and effective methodology focused on identification and authentication across the Commonwealth
    Standard process which includes:
    – Registering or identifying users
    – Establishing roles and accounts
    – Issuing credentials
    – Using the credential, and
    – Record keeping and auditing.
  • 56. IT Infrastructure Transformation – RPB Mainframe and Server Move 56 Richmond Plaza Building Data Center Move Larry Ellison, NG
  • 57. IT Infrastructure Transformation – RPB Mainframe and Server Move 57 Mainframe and Server Move Overview • Mainframe Environment Profile – More system to system interaction – Larger foot-print with multiple partitions per physical system – Diverse user group • Mainframe Environment Move and Test Approach – Duplication of hardware at CESC (buy new) – Isolated Test environment at CESC to provide extended test window • Server Environment Profile – More system isolation (Agency specific apps) – Smaller foot-print (Isolated UNIX/Windows systems) – Agency specific user group • Server Environment Move and Test Approach – VLAN Extension approach (RPB to CESC) – Disconnect/move/reconnect of hardware from RPB to CESC (physical or virtual) – Unit testing of systems and applications prior to disconnect/move/reconnect
  • 58. IT Infrastructure Transformation – RPB Mainframe and Server Move 58 Mainframe Move and Test Strategy for CESC (Isolated Test Environment) • Replicate RPB Internal Network (LAN) at CESC (~ 280 devices) • Replicate all IBM, UNISYS, Prime-Power, and related hardware required for full application testing • Replicate key Windows and UNIX servers required to support the Mainframe Test environment • Provide isolated external connectivity to the CESC Test Environment from key agency locations (VPN or other dedicated connections) • Test environment available for 60-90 days to facilitate full Operational Readiness and Application Regression testing of the environment, from isolated locations • Maintain the same IP Addresses across the entire Mainframe environment • Requires key Agencies to provide a dedicated/isolated test lab with dedicated link from Agency location to CESC, for testing • Supports Connectivity Testing from remote locations during planned weekend maintenance windows • Multiple Mock Cutover Tests prior to final Go-Live
  • 59. IT Infrastructure Transformation – RPB Mainframe and Server Move: CESC Isolated Mainframe Test Environment – Operations and Application Testing (7/15 – 10/28)
    [Diagram: RPB Data Center (production: IBM Mainframe, Unisys Mainframe, Shared DASD, Servers, IBM Tape 1, EMC Centera Tape 1, DMX2000 1, Production App Servers) with data replication "as needed" to the CESC Data Center (IBM Mainframe, Unisys Mainframe, Shared DASD, Servers, IBM Tape 2, EMC Centera Tape 2, DMX2000 2, App Servers for Testing). Production Agency Locations are connected to RPB; Isolated Key Agency Locations are connected to the CESC test environment.]
  • 60. IT Infrastructure Transformation – RPB Mainframe and Server Move: CESC Isolated Mainframe Test Environment – Connectivity and Cutover Testing (Selected Weekends from 7/15 – 10/28)
    [Diagram: same components as slide 59 (IBM and Unisys Mainframes, Shared DASD, Servers, IBM Tape, EMC Centera, DMX2000 at each site, Production App Servers at RPB, App Servers for Testing at CESC), with the RPB Data Center marked "Offline during testing" and data replication between the sites; Production Agency Locations and Isolated Key Agency Locations connect to CESC during the test window.]
  • 61. IT Infrastructure Transformation – RPB Mainframe and Server Move 61 Mainframe Test Objectives for CESC (Isolated Test Environment) • Operations Testing – All systems will IPL/Boot and communicate with peripherals – Administrative functions (Monitoring and Management) operate as expected – Data replication between CESC and RPB functions properly – Internal CESC Network (LAN) and Firewalls function properly – Print Infrastructure Functions Properly – Tape Backup Infrastructure functions properly – Control-M Infrastructure functions properly for support of Batch operations – Point-to-point connections function properly • Application Testing – Applications will initiate and connect with database(s) – Applications will update data and print reports as expected – Regression test of all applications components on the Mainframe systems • Network Connectivity Testing – Controlled testing of external connectivity to CESC from remote sites – Scheduled during pre-defined weekend Maintenance Periods from August – October
  • 62. IT Infrastructure Transformation – RPB Mainframe and Server Move: Tentative Testing and Cutover Timeline (May – November 2007)
    ID  Task                          Start       Finish
    1   Design test environment       5/15/2007   7/15/2007
    2   Build test environment        6/1/2007    8/5/2007
    3   Build Test Plans              6/8/2007    7/20/2007
    4   Operations Testing            7/2/2007    10/28/2007
    5   Application testing           7/16/2007   10/28/2007
    6   Network Connectivity Test 1   8/5/2007    8/5/2007
    7   Network Connectivity Test 2   8/19/2007   8/19/2007
    8   Mock cutover 1                9/1/2007    9/3/2007
    9   Network Connectivity Test 3   9/16/2007   9/16/2007
    10  Mock Cutover 2                10/9/2007   10/11/2007
    11  Mock Cutover 3                10/26/2007  10/28/2007
    12  Review and Signoff            10/29/2007  11/2/2007
    13  Final Cutover Prep            11/5/2007   11/9/2007
    14  Go Live                       11/12/2007  11/12/2007
  • 63. IT Infrastructure Transformation – RPB Mainframe and Server Move 63 Mainframe Move Risk Mitigation • Standup of an Isolated Test Environment – Replicate mainframe hardware and software infrastructure – Replicate servers running tier 2 applications that interface with mainframes – Replicate DASD and Tape storage infrastructure and data via high speed data links – Create network that will support simultaneous dual access for large agencies (RPB and CESC) – Replicate security environment including current complex firewall controls • Detailed Analysis of entire infrastructure at RPB – Application components – Network components – Server and Mainframe components • Extended Test Period – Provide agencies with at least 60 days to complete application testing – Extended timeframe provides the opportunity for multiple test phases – Mock move weekends have been scheduled and are designed to accommodate thorough integration testing of complex, interdependent applications – Risk will be significantly mitigated through agencies having continuous access to a dedicated test environment rather than only a series of mock move tests over weekends
  • 64. IT Infrastructure Transformation – RPB Mainframe and Server Move: Mainframe Move Risk Mitigation (continued)
    • Command Center
      – Provides a rapid response team to quickly address problems that surface during testing
      – Staffed with operations, network, systems, and sub-system support specialists
      – Support will be available 24 hours a day and on weekends
    • Test Coordination Support
      – NG/VITA testing coordination teams will be assigned to each key mainframe-using agency
      – Test coordinators will work directly with Agency staff to jointly develop test plans for each mainframe application
      – Weekly reporting of testing progress by agency and associated applications will be generated and shared with agency managers
    • Fallback Contingency
      – RPB processing infrastructure will remain intact for at least 2-3 weeks following the move to provide fall-back capability
      – Dual network access environment will remain intact for at least 2-3 weeks following the move to provide fall-back capability
    • Freeze/limit hardware/software changes during the test/move window
  • 65. IT Infrastructure Transformation – RPB Mainframe and Server Move: Communication Plan Overview
    • Comprehensive CH/COMM Plan to include email communications and supporting documentation
    • Overview, Kick-Off and monthly meetings with each affected Agency – start June 7
    • Detailed Planning Meetings with Agency Application Teams to develop test scenarios (6/15 – 8/15)
    • Checkpoints and signoffs in the plan for agreement to start test planning, agreement that test plans are complete, confirmation that application testing is complete, and approval to move
    • Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire test window (7/15 – 10/28)
    • Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and the Agency
    • 24x7 Command Center set up before, during, and after the move/cutover
      – Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)
      – Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as needed)
      – Representation by Network, Security, Mainframe, Server, Applications, etc.
  • 66. IT Infrastructure Transformation – RPB Mainframe and Server Move: Application Testing Coordination
    [Org chart: VITA Test Coordinators (a Test Coordinator, an Application Spec and a Network Spec for each agency) link the Mainframe, Server, Network and Security teams with the Agencies Involved in the Isolated Test Environment.]
  • 67. IT Infrastructure Transformation – RPB Mainframe and Server Move: Agency Application Test Responsibilities
    • Assign dedicated resources and participate in the detailed planning process (starting June 15)
      – Assign dedicated resources to participate in the test activities
      – Identify applications that need to be tested in the isolated test environment
      – Identify servers in RPB that would need to be included in the isolated test environment at CESC to enable application testing
      – Provide acceptable dates for tests and cutover
    • Responsible for Application Freeze (7/15 – 11/12)
      – Commitment to Break-Fix only during the test window
      – Joint approval (Agency, Current Ops, Transformation, VITA) for any additional changes that are required
      – Participation in the special CCB process for review of any proposed changes during the test window
    • Provide an isolated test environment at the Agency that will connect directly to the isolated test infrastructure at CESC (available by 7/15)
      – Dedicated PCs in a training room or test lab recommended
      – Alternate methods for accessing the test environment directly from users' workstations are being investigated
    • Conduct all application tests (from 7/15 – 10/28)
    • Participate in cutover tests and verify network connectivity
  • 68. IT Infrastructure Transformation – RPB Mainframe and Server Move: Test and Move Coordination Roles
    Agency   | Test Coordinator | Field Operations         | Agency Application
    SBE      | Kevin Kelley     | Mike Elliott             | Beth Nelson
    DHRM     | Kevin Kelley     | TBD                      | Steven Hastey
    DSS      | Kevin Kelley     | Wayne Kniceley           | Harry Sutton
    VRS      | Kevin Kelley     | Donald Garrett (Agency)  | Donald Garrett
    VADOC    | Karen Lusk       | Karen Hardwick           | Geoff Lamberta
    DMV      | Karen Lusk       | Bob Tingle               | Will Burke
    VEC      | Karen Lusk       | Dave Thompson            | Victoria Caplan
    VDH      | Karen Lusk       | Kenny White              | TBD
    DOA/TRS  | Danny Wilmoth    | Wendy Hudson             | James Moore
    DPB      | Danny Wilmoth    | David Allen              | Jowjou Hamilton
    TAX      | Danny Wilmoth    | Cathy Franklin           | TBD
    SCB      | Danny Wilmoth    | Richard Walls            | Anne Wilmoth
    SCC      | Thomas Williams  | Blair Kirtley (Agency)   | Blair Kirtley
    VDOT     | Thomas Williams  | Scot Jones               | Ray Haynes
    VDACS    | Thomas Williams  | Kathy Ange               | Jerry Allgeier
  • 69. IT Infrastructure Transformation – RPB Mainframe and Server Move 69 Server Transformation and Move Agenda • Server Transformation Introduction • Server Move Approach and Test Strategy • Server Test Objectives • High level Move and Cutover schedule • Managing Risk • Communication Plans • Agency Responsibilities • Questions
  • 70. IT Infrastructure Transformation – RPB Mainframe and Server Move: Server Move and Test Strategy for CESC
    • Virtualize as many servers at RPB as possible to facilitate the move process and reduce risk
    • Consolidate multiple SAN/Disk systems at RPB onto a single SAN/Disk platform
    • Replicate the data on this consolidated SAN/Disk system from RPB to CESC
    • Replicate the RPB Internal Network (LAN) at CESC (~280 devices)
    • Extend VLANs from the current RPB Network Infrastructure to CESC
    • Replicate the EBARS Backup Environment at CESC
    • Servers will be placed in either PODS or Standard Racks at CESC based on specific hardware, power, and cooling requirements
    • The same IP addresses will be maintained across the entire Server environment
    • A two-phased cutover approach will be utilized
      – Phase-1 is the movement of the servers onto an extended VLAN at CESC (located at CESC, but still part of the RPB LAN)
      – Phase-2 requires servers to be switched from the extended VLAN to the local VLAN at CESC
    • Servers will be moved in logical groups, based primarily on agency usage (VDOT, DEQ, GOV, etc.)
    • Whenever possible, Operation and Application Testing will be performed using the virtual server infrastructure to replicate systems from RPB to CESC
    • In some instances duplicate server hardware will be purchased for CESC to facilitate Operation and Application Testing at CESC
  • 71. IT Infrastructure Transformation – RPB Mainframe and Server Move: RPB to CESC Server Move Phase-1 – Relocation
    [Diagram: RPB Data Center, Current Production Network, core network marked PRODUCTION: PIX FW, Juniper FW, Check Point FW, 6506 Outside Switches, 6506/6509 Inside Switches, 4507 Campus Switch, Server Farm, several Old SAN/Disk arrays being consolidated onto a Shared SAN/DISK. CESC Data Center, New Production Network, core network marked TEST ONLY: New FWs, new 6506 Outside Switches, new 6506 Inside Switches, New Campus Switch, Server Farm, Shared SAN/DISK. Steps shown: Consolidate Disk at RPB, Replicate Data to CESC, Extend Server VLANs, Virtual and Physical Server Moves. Servers are moved in groups to CESC but are still using the network infrastructure at RPB.]
  • 72. IT Infrastructure Transformation – RPB Mainframe and Server Move: RPB to CESC Server Move Phase-2 – Network Swap
    [Diagram: RPB Data Center, Current Production Network, core network now marked OFFLINE (PIX FW, Juniper FW, Check Point FW, 6506 Outside Switches, 6506/6509 Inside Switches, 4507 Campus Switch, Shared SAN/DISK). CESC Data Center, New Production Network, core network now marked PRODUCTION (New FWs, new 6506 Outside/Inside Switches, New Campus Switch, Server Farm, Shared SAN/DISK). VLAN extensions are dropped; servers are running at CESC and are now using the full network infrastructure at CESC; old SAN/Disk arrays are no longer needed; data replication direction is switched to go from CESC back to RPB in preparation for DR at SWESC.]
  • 73. IT Infrastructure Transformation – RPB Mainframe and Server Move 73 Server Test Objectives for CESC • Operations Testing – All systems will Boot and communicate with peripherals – Administrative functions (Monitoring and Management) operate as expected – Data replication between CESC and RPB functions properly – VLAN Extension from RPB to CESC Network (LAN) and Firewalls function properly – Print Infrastructure Functions Properly – Tape Backup Infrastructure functions properly – Control-M Infrastructure functions properly for support of Batch operations – Point-to-point connections function properly • Application Testing – Applications will initiate and connect with database(s) – Applications will update data and print reports as expected – Regression test of all applications components on the Mainframe systems • Network Connectivity Testing – External access to Agency locations functions properly – Access from RPB to CESC over extended VLAN functions properly
  • 74. IT Infrastructure Transformation – RPB Mainframe and Server Move: Testing and Cutover Timeline (Notional; May – November 2007)
    ID  Task                                          Start       Finish
    1   Finalize Rack and Power Requirements          5/15/2007   5/23/2007
    2   Obtain additional network hardware for CESC   5/23/2007   7/28/2007
    3   Review Plan with Current Operations           5/23/2007   5/31/2007
    4   Communication and Review with Agency          6/3/2007    6/28/2007
    5   Agency staff on board for review and testing  6/15/2007   8/15/2007
    6   VLAN Extension to CESC                        6/3/2007    8/3/2007
    7   EBARS standup at CESC                         6/3/2007    8/3/2007
    8   SAN Standup at CESC                           6/3/2007    8/3/2007
    9   Additional discovery with App Team and CO     6/10/2007   9/17/2007
    10  Server Group 1                                6/10/2007   8/12/2007
    11  Server Group 2                                6/10/2007   8/25/2007
    12  Server Group 3                                6/17/2007   9/3/2007
    13  Server Group 4                                6/17/2007   9/17/2007
    14  Server Group 5                                6/24/2007   10/1/2007
    15  Server Group 6                                6/24/2007   10/15/2007
    16  Server Group 7                                6/24/2007   10/29/2007
    17  Final Network Cutover                         11/9/2007   11/12/2007
  • 75. IT Infrastructure Transformation – RPB Mainframe and Server Move: Server Move Group Summary
    • Server Group-1: DFP, DCG, SBE, 25 servers
    • Server Group-2: DEQ, VDH, DPB, DCJS, 83 servers
    • Server Group-3: DGS, 124 servers
    • Server Group-4: GOV, DOF, VDACS, VGIN, 76 servers
    • Server Group-5: TAX, DSS, VEC, 112 servers
    • Server Group-6: VITA Group-1, 132 servers
    • Server Group-7: VITA Group-2, 132 servers
  • 76. IT Infrastructure Transformation – RPB Mainframe and Server Move: Server Move Group Detail
    Columns: Agency | Isolated | Relo Start | Relo Complete | Pod Candidate | Wintel | Wintel Blade | Non-Wintel | RPB Location – Racks | VLAN Information
    DFP   | X | 11-Aug | 12-Aug | Y | 2 | 0 | 0 | 166 | 58
    DCG   | X | 11-Aug | 12-Aug | Y | 4 | 0 | 0 | 160 | 303
    SBE   |   | 11-Aug | 12-Aug | Y | 19 | 0 | 0 | 130, 131 | 59, 61
    DEQ   | X | 25-Aug | 26-Aug | N | 7 | 40 | 1 | 68, 70, 72 | 16
    VDH   |   | 25-Aug | 26-Aug | Y | 13 | 0 | 0 | 146 | 14
    DPB   |   | 25-Aug | 26-Aug | N | 13 | 0 | 0 | 148, 149, 150 | 3, 66
    DCJS  |   | 25-Aug | 26-Aug | N | 9 | 0 | 0 | 157, 158, 159 | 10
    DGS   | X | 1-Sep | 3-Sep | Y | 124 | 0 | 0 | 141, 142, 143, 144, 151, 152, 153, 154, 155, 176, 178, 179 | 3, 5, 9, 48
    GOV   | X | 15-Sep | 16-Sep | N | 32 | 0 | 0 | 137, 139, 180 | 52
    DOF   |   | 15-Sep | 16-Sep | Y | 3 | 0 | 0 | 172 | 242
    VGIN  |   | 15-Sep | 16-Sep | Y | 18 | 0 | 0 | 130, 172 | 242
    VDACS | X | 15-Sep | 16-Sep | N | 16 | 0 | 7 | 162, 163, 164, 165 | 106
    TAX   |   | 6-Oct | 8-Oct | N | 51 | 0 | 16 | 97, 98, 99, 107, 108, 111, 112, 115, 116, 118, 123, 169, 177 | 15, 30, 40
    DSS   |   | 6-Oct | 8-Oct | Y | 16 | 0 | 0 | 170, 171 | 155
    VEC   |   | 6-Oct | 8-Oct | Y | 28 | 1 | 0 | 103, 104, 105, 106, 181 | 31, 33, 40
    VITA  |   | 13-Oct, 27-Oct | 14-Oct, 28-Oct | Both | 142 | 98 | 24 | 19, 21, 23, 94, 95, 109, 110, 113, 114, 124, 125, 126, 127, 128, 132, 133, 134, 135, 136, 167, 168, 185 | 3, 8, 14, 15, 30, 31, 33, 34, 38, 50, 51, 52, 56, 57, 59, 61, 63, 90, 97, 101, 103, 109, 115, 120, 121, 153, 155, 156, 157, 158, 159, 160, 161, 162, 163, 230, 234, 242, 247, 990, 993, 994, 995, 998
    Total |   |   |   |   | 497 | 139 | 48 |   |
  • 77. IT Infrastructure Transformation – RPB Mainframe and Server Move 77 Server Move Risk Mitigation • VLAN Extensions – Minimizes level of network and security changes required for the move to CESC – Allows NG and the Agency to stage and pre-test selected Dev and/or Test servers PRIOR to moving production systems • Migration of Current Systems – Minimizes level of system changes required for the move to CESC – Minimizes complexity of having to re-rack systems – All required cables (Network, SAN, etc) can be pre-installed and tested prior to moving the systems to CESC • System Virtualization – Provides enhanced pre-move testing capabilities – Minimizes system/application downtime during the move to CESC – Provides quick, easy fall-back
  • 78. IT Infrastructure Transformation – RPB Mainframe and Server Move: Server Move Risk Mitigation (continued)
    • Stand-by Hardware
      – Mission Critical application hardware can be made available if hardware problems arise due to move related issues
        • Tax related HP-UX hardware is an example of some of the systems that are being considered for stand-by hardware
      – Any x86 server can have a stand-by virtual server in place at both data center locations
    • Move Specialists
      – All system packaging, pre and post move verifications will be performed by hardware vendor Customer Engineers
        • Customer Engineers (CEs) are the vendor employees who are dispatched to diagnose and resolve hardware related issues as part of warranty and maintenance support services
      – Representatives for each vendor will be either on-site or on-standby
    • Move VITA last so that the server move process is refined with smaller move groups
  • 79. IT Infrastructure Transformation – RPB Mainframe and Server Move: Communication Plan Overview
    • Comprehensive CH/COMM Plan to include email communications and supporting documentation
    • Overview, Kick-Off and monthly meetings with each affected Agency – Start June 7
    • Detailed Planning Meetings with Agency Application Teams to develop test scenarios – (6/15 – 8/15)
    • Checkpoints and signoffs in plan for agreement to start test planning, agreement that test plans are complete, application testing is complete and approval is given to move
    • Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire test window – (7/15 – 10/28)
    • Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and the Agency
    • 24x7 Command Center setup before, during, and post move/cutover
      – Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)
      – Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as needed)
      – Representation by Network, Security, Mainframe, Server, Applications, etc.
  • 80. IT Infrastructure Transformation – RPB Mainframe and Server Move: Agency Application Test Responsibilities
    • Participate in Planning Process
      – Identify applications that need to be tested on each server
      – Provide acceptable dates for tests and cutover and confirm downtime windows
    • Provide Agency resources to participate in application testing pre-move as well as during the actual cutover
    • Prepare test scripts and desired test results for application tests
    • Conduct application tests for validation of the move
    • Participate in cutover tests and verify network connectivity
    • Agency acceptance sign off
  • 81. IT Infrastructure Transformation – RPB Mainframe and Server Move: Test and Move Coordination Roles
    Agency | Tentative Relocation Weekend | Transformation | Current Operations | Agency Application Team | Primary HP Assignee | Secondary HP Assignee
    SBE | 11-Aug | Bob Reviea | Mike Elliott | TBD | Tao Tao | Terry Miller
    VDFP | 11-Aug | Brian Welliver | TBD | TBD | Terry Miller | Tom Springer
    DCG | 11-Aug | Don Morgon | TBD | TBD | Tom Springer | Tao Tao
    DEQ | 25-Aug | Brian Welliver | Dan Gayk | TBD | Terry Miller | Tom Springer
    VDH | 25-Aug | Don Morgon | Kenny White | TBD | Tom Springer | Terry Miller
    DCJS | 25-Aug | Bob Reviea | TBD | TBD | Tao Tao | Tom Springer
    DPB | 25-Aug | Bob Reviea | TBD | TBD | Tao Tao | Terry Miller
    DGS | 1-Sep | Don Morgon | Barbara Garnett | TBD | Tom Springer | Tao Tao
    GOV | 17-Sep | Bob Reviea | Barbara Garnett | TBD | Tao Tao | Terry Miller
    DOF | 17-Sep | Brian Welliver | TBD | TBD | Terry Miller | Tom Springer
    VDACS | 17-Sep | Don Morgon | Brenda Richart | TBD | Tom Springer | Tao Tao
    VEC | 17-Sep | Brian Welliver | Brenda Richart | TBD | Terry Miller | Tom Springer
    TAX | 6-Oct | Bob Reviea | Cathie Franklin | TBD | Tao Tao | Tom Springer
    VGIN | 6-Oct | Don Morgon | TBD | TBD | Tom Springer | Terry Miller
    DSS | 6-Oct | Brian Welliver | Mike Elliott | TBD | Terry Miller | Tao Tao
    VITA | 13-Oct / 27-Oct | TBD | Dave Matthews | TBD | John Sewell | Jeff Flanigan
  • 82. VITA IT Security Technical Documentation – Craig Luka, Security Analyst, Northrop Grumman, VITA IT Security – June 14th, 2007
  • 83. Overview
    • What documentation has been developed?
      – Enterprise Infrastructure Security Practices
      – Security Practices Self Assessment
    • Why?
      – Define baseline security practices for customer-based staff
      – COV ITRM Standard SEC501-01 compliance
      – Document current Agency security practices and develop SEC501-01 Gap Analyses
      – Reduce risk of unfavorable audit findings
  • 84. Documentation Architecture
    • Documentation Framework
      – Security practices document has been developed on industry best practices (SANS, NIST, Center for Internet Security)
      – All SEC501-01 requirements from the technical requirements matrix are accounted for in the security practices document
      – Self Assessment maps each SEC501-01 requirement to a set of security practices
        • Serves as a cross reference between SEC501-01 and the newly developed Enterprise Security Practices
  • 85. Workflow and Routing
    • Document Distribution
      – EISP and self assessment are delivered to Regional Service Directors (RSDs)
      – RSDs deliver documents to Agency-based Service Level Directors (SLDs)
      – Customer-based technical staff and SLDs complete the self assessment
      – Completed self assessments are returned to the EISP team for quality assurance review
      – Final documentation is delivered to Agency ISOs and reports are delivered to the CISO
  • 86. Timeframe
    • June 1st: Documents delivered to RSDs
    • June 4th: RSDs deliver to SLDs and work begins on the self assessments
    • June 4th – June 29th: Self assessment submitters complete assessment and work with the EISP team as needed for clarification
    • June 29th: All assessments completed, reviewed and delivered to respective Agency ISOs
  • 87. What to Expect
    • The EISP team will work with customer-based staff and SLDs as needed to assist in assessment completion
    • Any clarifications or enhancements discovered while assessments are being completed will be added to the EISP and self assessment documents
    • Agency ISOs will receive a copy of the EISP document and their Agency's completed self assessment on June 29th
  • 89. COV IT Security Standard Compliance – ISO Appointments & IT Security Audits – Ed Miller
  • 90. Appointment of an Information Security Officer: the IT Security Policy (ITRM SEC500-02) requirement to appoint an Information Security Officer (ISO)
  • 91. ISO Designation Requirement
    • ITRM SEC500-02 requires each Agency Head to “designate via e-mail…an ISO (Information Security Officer) for the Agency and provide the person’s name, title and contact information to VITA no less than biennially. The Agency Head is strongly encouraged to designate at least one backup for the ISO, as well”
    • Send via Email to: VITASecurityServices@Vita.Virginia.Gov
    • Must either be from the Agency Head or have the Agency Head copied (cc:)
  • 92. List of Confirmed ISOs
    Accountancy, Board of
    Aging, Department for the
    Agriculture and Consumer Services, Department of
    Business Assistance, Virginia Department of
    Center for Behavioral Rehab
    Center for Innovative Technology
    Christopher Newport University
    Conservation and Recreation, Department of
    Correctional Education, Department of
    Corrections, Department of
    Department of Charitable Gaming
    Department of Forensic Sciences
    Economic Development Partnership, Virginia
    Elections, State Board of
    Employment Dispute Resolution, Department of
    Environmental Quality, Department of
    Fire Programs, Department of
    Forestry, Department of
    Frontier Culture Museum of Virginia
    Game and Inland Fisheries, Department of
    Governor, Office of the
    Health Professions, Department of
    Human Resource Management, Department of
    James Madison University
    Juvenile Justice, Department of
    Library of Virginia, The
    Longwood University
    Mary Washington University
    Medical Assistance Services, Department of
    Mental Health, Mental Retardation & Substance Abuse Svcs, Department of
    Mines, Minerals and Energy, Department of
    Minority Business Enterprise, Department of
    Motor Vehicle Dealer Board
    Motor Vehicles, Department of
    Museum of Fine Arts, Virginia
    Museum of Natural History, Virginia
    Old Dominion University
    Professional & Occupational Regulation, Department of
    Racing Commission, Virginia
    Rail and Public Transportation, Department of
    Science Museum of Virginia
    Social Services, Department of
    State Police, Department of
    Tourism Commission, Virginia
    Transportation, Department of
    Virginia Commonwealth University
    Virginia Information Technologies Agency
  • 93. IT Security Audit Plan: the IT Security Audit Standard (ITRM SEC502-00) requirement to submit an annual IT security “audit plan” to the CISO beginning February 1, 2007
  • 94. IT Security Audit Plan
    • The IT Security Audit Plan should identify all sensitive system(s), the planned date of the audit(s) and the planned auditor for the audit(s).
    • Each sensitive system must be audited at a frequency relative to its risk, or at least once every 3 years.
    • There is a template that can be used by the agency to record this information on the VITA web at: http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityAuditPlanTemplate.doc
  • 95. Exception Request
    • If your agency cannot submit its IT Security Audit Plan, the Agency must submit an Exception Request for an extension of time in order to comply. The Exception Request must be approved by the Agency Head and sent to the CISO for review and approval.
    • The IT Security Policy and Standard Exception Request form is on the VITA web at http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc
  • 96. No Sensitive Systems?
    • In addition, there may be some agencies that do not classify any of their databases or systems as “sensitive”. Under the requirements of SEC502-00, they do not have to submit an audit plan. However, to ensure that we are not missing any sensitive systems, we would like any Agency making that assertion to please notify us by email to vitasecurityservices.com that they will not be submitting an audit plan for that reason.
  • 97. Agencies w/Audit Plans or Extensions
    Board of Accountancy
    Center for the Innovative Technology
    Christopher Newport University
    Department of Employment Dispute Resolution
    Department for the Aging
    Department of Agriculture and Consumer Services
    Department of Alcoholic Beverage Control
    Department of Conservation and Recreation
    Department of Corrections
    Department of Education
    Department of Environmental Quality
    Department of Fine Arts
    Department of Forensic Sciences
    Department of General Services
    Department of Health
    Department of Health Professions
    Department of Housing and Community Development
    Department of Human Resource Management
    Department of Juvenile Justice
    Department of Medical Assistance Services
    Department of Mental Health, Mental Retardation & Substance Abuse
    Department of Mines, Mineral, and Energy
    Department of Motor Vehicles
    Department of Planning and Budget
    Department of Professional & Occupational Regulation
    Department of Rail and Public Transportation
    Department of Rehabilitative Services
    Department of Social Services
    Department of State Police
    Department of Taxation
    Department of the Treasury
    Department of Transportation
    George Mason University
    James Madison University
    Jamestown-Yorktown Foundation
    Longwood University
    Mary Washington University
    Office of the Governor
    Old Dominion University
    Radford University
    Richard Bland College
    State Compensation Board
    State Board of Elections
    State Council of Higher Education for Virginia
    University of Virginia Commonwealth Virginia Board for People with Rehabilitative Services
    Virginia Department for the Blind and Vision Impaired
    Virginia Department for the Deaf and Hard of Hearing
    Virginia Employment Commission
    Virginia Information Technologies Agency
    Virginia Racing Commission
    Virginia State University
  • 98. Where to find Policies/Templates/Forms
    • Go to the VITA Website: www.vita.virginia.gov
    • Click Security and then Policies and Procedures: http://www.vita.virginia.gov/docs/psg.cfm#securityPSGs
  • 99. COV Information Technology Security Policy, Standards and Guidelines – Cathie Brown, CISM, CISSP
  • 100. Compliance: IT Security Policy & Standard – July 1, 2007 Compliance Date
    • Key Steps to Compliance include:
      – Designate an ISO
      – Inventory all systems
      – Perform Risk Assessment on sensitive systems
      – Perform Security Audits on sensitive systems
      – Document and exercise Contingency & DR Plans
      – Implement IT systems security standards
      – Document formal account management practices
      – Define appropriate data protection practices
      – Establish Security Awareness & Acceptable Use policies
      – Safeguard physical facilities
      – Report & Respond to IT Security Incidents
      – Implement IT Asset Controls
  • 101. Exception Request
    • If your agency cannot comply by July 2007, the Agency must submit an Exception Request for an extension of time. The Exception Request must be approved by the Agency Head and sent to the CISO for review and approval.
    • The IT Security Policy and Standard Exception Request form is on the VITA web at http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc
  • 102. Status Update
    • Revised IT Security Policy & Standard – End date for ORCA Comments: 6/13
    • IT Standard Use of Non-Commonwealth Computing Devices to Telework (ITRM SEC511-00) – New COV Standard – End date for ORCA Comments: 6/13
    • IT Threat Management Guideline – Comments have been addressed – Publish by June 29, 2007
  • 103. New! Data Breach Notification – Included in Revised IT Security Policy and Standard
    • Data Breach Notification Requirements:
      – Each agency will identify systems that contain PII (Personally Identifiable Information)
      – Include provisions in any third party contracts requiring that the third party & third party subcontractors provide immediate notification of suspected breaches
      – Provide appropriate notice to affected individuals upon the unauthorized release of any unencrypted PII by any mechanism (laptop, desktop, tablet, CD, DVD, etc.)
  • 104. Revisions – IT Security Policy & Std
    • Highlights
      – Expanded scope to include Legislative, Judicial, Independent and Higher Education
      – System Security Plans for sensitive systems
      – Additional considerations for account management
      – Additional considerations for protection of data on mobile storage media including encryption
      – Additional requirements for specialized IT security training
      – Data Breach Notification
    • Compliance date – 1/01/2008
  • 105. New! IT Std Using Non-COV Devices to Telework
    • Purpose
      – Establish a standard to protect COV data while teleworking with Non-COV Devices
    • Acceptable Solutions
      – Standalone Computer
      – Internet Access to Web-Based Applications
      – Internet Access to Remote Desktop Applications
    • Requirements
      – Storing COV data on a non-COV device is prohibited
      – Network traffic containing sensitive data must be encrypted
      – Provide training on remote access policies
    • Security Incident Response
      – Non-COV device may be required during forensics or investigation of a Security Incident
      – Acknowledgement form signed
  • 106. IT Threat Management Guideline
    • Highlights
      – IT Security Threat Detection
      – IT Security Incident Management
      – IT Security Monitoring and Logging
      – Example: Recording and Reporting Procedure
      – Example: Internal Incident Handling Procedure
  • 108. Information Risk Executive Council – Cathie Brown, CISM, CISSP
  • 109. Reminder – IREC Resource Available
    • Information Risk Executive Council
      – Unlimited access to the following services
        • Strategic Research and Tools
        • Benchmarking and Diagnostic Tools
        • Teleconferences
    • To register
      – https://www.irec.executiveboard.com/Public/Register.aspx
    • For questions or problems, please contact:
      – Jennifer Smith, Account Manager, CIO Executive Board, Corporate Executive Board, 2000 Pennsylvania Avenue, NW, Washington, DC 20006
      – 202-587-3601, jsmith@executiveboard.com
  • 112. UPCOMING EVENTS! ISOAG MEETING DATES
    • Wednesday, July 11, 2007, 1:00 - 4:00
    • Tentative Agenda Items:
      – E-Discovery – OAG
      – VITA transformed IT Infrastructure Architecture – Linda Smith, NG
      – IS Policy, Standards & Guidelines Update – Cathie Brown, VITA
      – IS Council Committee Updates – Committee Chairs
  • 113. UPCOMING EVENTS! VITA OFFICES MOVE
    • Friday July 27, 2007
    • CAMS will move to 411 E. Franklin
  • 115. ADJOURN – THANK YOU FOR YOUR TIME AND THOUGHTS!!!