Office of Information and Technology (OI&T) Field Security Operations Field Security Service - On behalf of Office of Information and Technology (OI&T)

Presentation transcript:

Office of Information and Technology (OI&T) Field Security Operations Field Security Service - On behalf of Office of Information and Technology (OI&T) Field Security Operations, it is great to be here this morning! - I want to share with you some of our support for VA achieving the “Gold Standard” in data security.

Overview: Field Security Operations; Information Protection; Questions and Answers. - Field Security Operations supports the field through support and leadership for YOUR facility Information Security Officer (ISO). - Secondly, Information Protection is charged with managing the initiatives that move the VA toward methodologies which allow us to securely transmit and store sensitive information. Examples are hard drive encryption, PKI, etc. - Finally, I want to emphasize the importance of YOU in the role of Information Protection, but I will discuss that more toward the end of the presentation.

Office of Information and Technology Field Security Operations - We should start with a short discussion of Field Security Operations and how the ISOs align within our organizational structure.

OI&T Field Security Operations (organization chart): Director of IT Field Security Operations; Enterprise Security Solutions Service (SCMS & TIS); Critical Infrastructure Protection Service; IT Field Security Service; Security Project Management Office; Data Center ISO Support Division; Technical Security Officers (TSO) Division; Information Security Officers Division; Continuity of Operation Planning (COOP) Division. - Field Security Operations has three divisions. - Critical Infrastructure Protection Service, which includes the Network Security Operations Centers (NSOCs), the Managed Security Services Division, and the Operations and Maintenance Division. - Field Security Service, which includes the Technical Security Officers (TSOs), Information Security Officers (ISOs), the new Data Center ISO Support, and IT COOP. - Enterprise Security Solutions Service examines emerging technologies and provides security configuration guidelines, requirements integration, and security solutions. Chart labels: Region 1, Region 2, Region 3, Region 4, Region 5; Network 18, 19, 20, 21 & 22 POs; Network 12, 15, 16, 17 & 23 POs; SOC; Network 6, 7, 8, 9, 10 & 11 POs; Network 1, 2, 3, 4 & 5 POs; VBA; NCA; VACO; AAC.

Office of Information and Technology Field Security Service - Let's further discuss Field Security Service.

Field Security Service Mission: The mission of the OI&T Field Security Service (FSS) is to ensure the privacy, confidentiality, integrity, and availability of VA information assets associated with the services offered by the Department of Veterans Affairs. In addition, FSS provides assurance that cost-effective security controls are in place to protect automated systems from financial fraud, waste, and abuse.

Field Security Service IT Field Security Service Enterprise Technical Security Officer (TSO) Data Center Support Division Information Security Officers Division Continuity of Operation Planning (COOP) Division Region 1 Region 2 Region 3 Region 4 Region 5 Region TSO Region TSO Region TSO Region TSO Region TSO Network 18, 19, 20, 21 & 22 POs Network 6, 7, 8, 9, 10 & 11 POs Network 1, 2, 3, 4 & 5 POs Network 12, 15, 16, 17 & 23 POs SOC VBA NCA VACO AAC

IT Boundaries - Field Security Service followed the IT boundaries - Wanted to provide a visual

Field Security Service Leadership Team IT FSS Director (Supervisor) Randy Ledsome Region 1 ISO (Supervisor) John White Region 2 ISO (Supervisor) Alan Mattson Region 3 ISO (Supervisor) Barbara Smith Region 4 ISO (Supervisor) Alan Papier Region 5 ISO (Supervisor) Dennis Smith IT COOP (Team Lead) Don Sheehan Network 18 ISO (Team Lead) Steve Kerby Network 19 ISO (Team Lead) Armando Diaz De Leon Network 20 ISO (Team Lead) Michael Sutherland Network 21 ISO (Team Lead) Mary Ebner Network 22 ISO (Team Lead) Doug Foster Network 12 ISO (Team Lead) Steve Deyoe Network 15 ISO (Team Lead) VACANT Terry Taylor (Acting) Network 16 ISO (Team Lead) Dan Cleaver Network 17 ISO (Team Lead) Diane Dixon Network 23 ISO (Team Lead) Craig Heitz Network 6 ISO (Team Lead) VACANT Steve Blackwell (Acting) Network 7 ISO (Team Lead) Greg Walker Network 8 ISO (Team Lead) Dale Bogle Network 9 ISO (Team Lead) Chris Varacalli Network 10 ISO (Team Lead) Kristin Steel Network 11 ISO (Team Lead) Mark Latendresse (Acting) Network 1 ISO (Team Lead) Tim ODonnell Network 2 ISO (Team Lead) Chafica Angeli Network 3 ISO (Team Lead) Alan Papier (Acting) Network 4 ISO (Team Lead) Starr Washington Network 5 ISO (Team Lead) Michael Barnes Network VBA – St Petersburg ISO (Team Lead) Jessica Lewis Network VBA – St Paul ISO (Team Lead) Connie Hamm Network VBA – San Diego ISO (Team Lead) Patrice Volante Network VACO ISO (Team Lead) Louise Lovett-Robinson NCA ISO Judi Huffman - All the ISOs are aligned to a Region and within that region a Network. Supervision and guidance is provided through this structure. - The goal of this leadership structure is to enable standardization and greater customer service. Note: This presentation only includes staff in Team Lead and Supervisor positions.

ISO Standardization: Position Descriptions (including series and grades); Performance Standards; Roles and Responsibilities; Guidance and Procedure; Training and Education. Let's start by saying that all ISOs were owned by the local medical centers, as were their grades, series, and roles and responsibilities. Example: some ISOs had additional duties of photographer, locksmith, etc. Standard position descriptions (PDs) for the various levels of ISOs (Regional, Network and Facility) that complement each other. Standard performance standards (PS) for the various levels of ISOs. Standard roles and responsibilities (R&R). Training and education, such as the OCIS TEAP CSP training; we recommend that all take and pass the CSP-100 training.

Office of Information and Technology Information Protection - Let's now discuss Information Protection, and please note that while these two entities are spoken about separately, they really operate as one. Earlier, when I discussed the goal of standardizing, it is the Information Protection side which identifies how our security tools and applications can be standardized (as much as possible).

Information Protection: Management Controls (Policy, Directives, Memoranda); Operational Controls (Training, Human Resources, Standard Operating Procedures); Technical Controls (Remote Access Security, Network Transmission Security, Removable Media and Storage Security, Email and Document Security, Laptop Encryption, Smart Phone/Blackberry Encryption). - Information Protection follows the structure of National Institute of Standards and Technology (NIST) Special Publication 800-53, which Congress has mandated through FISMA (say it) for all Executive Agencies. - As this slide illustrates, it covers the Management, Operational and Technical controls. If you recall when I discussed Technical Security Officers and Information Security Officers, the difference can be seen more clearly here: TSOs generally operate within the area of Technical Controls, while ISOs generally ensure that Management and Operational Controls are met.

Information Protection Technology Summary
Security Issue | Technical Solution
Removable Media and Storage | Only authorized users and devices; use only Government Furnished devices; encrypted; password protected
Smart Phones/Blackberry Devices | No clear text; encrypted data
Network Transmissions | Encrypted transmissions
Remote Access | Reduce VPN access; scan all equipment connecting to the VA network (RESCUE)
- Here is a summary of Information Protection technology.
(FIRST ARROW) Removable Media and Storage: VA Directive 6601, Removable Storage Media, mandates the use of FIPS 140-2 thumb drives. VA sensitive information must be in a VA protected environment at all times, or it must be encrypted. Technology to encrypt removable storage media such as external hard drives, CDs and DVDs can be obtained through your local IT Field Operations Services (IRM or Desktop Support). Port Security and Device Control restricts removal of information based on assigned user roles and permissions, and allows only approved devices to use USB ports, i.e., only FIPS certified thumb drives.
(SECOND ARROW) Smart Phones/Blackberry Devices: Standardize the models and versions of Blackberrys and Smart Phones supported by VA. Apply standard security policies to the devices, such as encryption/content protection, strong passwords, patches, and antivirus software.
(THIRD ARROW) Secure Network Transmissions: Benefits: prevents user IDs, passwords and data from being transmitted over the network in the clear; brings VA into compliance with HIPAA and FISMA; supports the PKI infrastructure and smartcard devices for HSPD-12; enterprise standardization of terminal emulator technology such as ETA/IFCAP, Vista Mail, CPRS.
(FOURTH ARROW) Remote Access: Government Furnished Equipment (GFE): the GFE Remote Access solution ensures that remote devices such as laptops are encrypted and security policies are updated by performing a host check and an integrity check, remediating if necessary. Non-VA Owned Other Equipment (OE): access is restricted to a virtual desktop. No information can be saved locally; if information needs to be saved, it is saved to an internal VA server.
(FIFTH ARROW) Email and Documents: RMS provides a secure mechanism for email and document collaboration among small groups until the group decides to reclassify the information for public use; it prevents emails from being forwarded, printed or copied, and prevents documents from being viewed, printed or copied by unauthorized users. Public Key Infrastructure (PKI) encrypts email and can be used internally and externally; it integrates with RMS, and RMS will reduce the use of PKI for internal correspondence. Internet Gateway Email Scans: scanning is conducted on email that passes through the VA Internet Gateways. Emails can be scanned for medical, privacy, customer, HIPAA, and other terms that are classified as sensitive. Currently the gateway is scanning for messages with social security numbers; the sender receives an email notification that their message contained sensitive information. Together, PKI, Internet Gateway Scans and RMS give full document control over email and documents: a layered approach that provides comprehensive protection of VA sensitive data and controls data storage and transmission.
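As an added illustration of the gateway scan described above (example code written for this transcript, not VA's gateway software), the following scans a constructed outbound message for Social Security number patterns and builds the notification returned to the sender; the SSA structural rules used to reduce false positives are an assumed tuning choice, not something the slides state.

```python
import re
from email import message_from_string
from typing import Optional

# SSN shape: area-group-serial, with dashes, spaces, or no separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Constructed outbound message (not real data) used for the demonstration.
SAMPLE_EMAIL = """\
From: clerk@example.va.gov
To: vendor@example.com
Subject: Records request

Please pull the file for claimant 123-45-6789 (also listed as 219099999).
Our office phone is 555-123-4567; the invoice number 000-12-3456
and the test account 987-65-4321 are not Social Security numbers.
"""

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Assumed filter tuning based on SSA issuance rules, to cut false positives:
    area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def find_ssns(text: str) -> list:
    """Return every match in text that passes the structural check."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def scan_outbound(raw_message: str) -> Optional[dict]:
    """Emulate the gateway check: inspect the subject and every text/plain part.
    Return None if the message is clean, else the notification sent back to the sender."""
    msg = message_from_string(raw_message)
    findings = find_ssns(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        findings += find_ssns(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    if not findings:
        return None
    # Report only the last four digits so the alert itself does not leak the value.
    masked = sorted({"***-**-" + f[-4:] for f in findings})
    return {
        "to": msg.get("From", ""),
        "subject": "Outbound message contained VA sensitive information",
        "body": (f"Your message '{msg.get('Subject', '')}' contained {len(findings)} "
                 f"possible Social Security number(s): {', '.join(masked)}."),
    }

if __name__ == "__main__":
    print(scan_outbound(SAMPLE_EMAIL))
```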

Field Security Operations and Field Security Service Summary: Field Security Operations and Field Security Service; Information Protection; Information Protection is EVERYONE’s Responsibility! - In summary, I believe Field Security Operations and these Information Protection activities will support the VA in achieving the “Gold Standard” in data security. - At our annual InfoSec Conference 2 weeks ago, one of the guest speakers was a 23-year-old Veteran who had served in Iraq. He spoke to us of his challenges after coming home after a major injury. He told us a story. While in Iraq, one of his duties was to go to the desert with his fellow marines, where they would form a line and walk up and down the desert in the hot sun looking for unexploded bombs. He recalls that at the time he saw no value in what he was doing, but yet every day he was detailed to do this mundane task. After his injury, reflecting back while in the hospital, he came to realize that “his” small piece of the puzzle, picking up unexploded bombs, saved countless civilian and military lives. GO to next slide to explain…

General Questions? Randy Ledsome Director of Field Security Service 570-830-7025 Randy.Ledsome2@va.gov