1 IT Security in the Commonwealth A high-level review Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Governors Secure Commonwealth Panel.

Presentation transcript:

1 IT Security in the Commonwealth A high-level review Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Governors Secure Commonwealth Panel HHR Sub-Panel December 16,

2 VITA's Mission: Mandate for Change
Executive & Legislative Branch leaders called for:
o Business-like approach to managing IT services across the enterprise of state government; concept of Shared Services (cloud computing)
o Statewide IT infrastructure for government entities
Major Statutory Responsibilities:
–Provisioning of IT Infrastructure Services (in-scope agencies)
–Central oversight of IT procurement, projects, security, standards, policy and procedures, Wireless E-911, and contingent labor
Modernization is a journey:
–Step 1: Creation of VITA & statutory framework
–Step 2: Transformation of infrastructure
–Step 3: Enterprise Applications & Services

3 Information Security in the Commonwealth VITA is tasked with security governance over all three branches of state government. VITA oversees delivery of infrastructure services to executive branch agencies. Agencies remain responsible for business applications and data. Shared responsibility.

4 CoVA IT Infrastructure
Locations: 2,247
Computers: 59,374 PCs; 3,356 servers
Mainframes (2): IBM, Unisys
Data Centers (2): CESC, SWESC
Data storage: 1.5 petabytes
Mailboxes: 58,948 accounts
Printers: 5,311 network; 22,000 desktop
Networks: 2,039 circuits
Communications: 55,000 desk phones; 6,100 handhelds (PDAs); 11,000 cell phones

5 Exec Branch Business Applications
Core Applications: 2,100
Sensitive Systems: 697
Why does Security matter? Examples:
–Health Care – PHI, Birth Records, Prescription Monitoring
–Public Safety – Forensics Lab Data, Fingerprint System, Emergency Planning data
–Transportation – Traffic Mgmt Systems, Road, Rail and Air
–Taxation – Citizen and Business Financial Info, FTI (SSN)
–VITA – Infrastructure & Security Architecture, Network, Employee Authorization

6 Security Strategy

7 Government Data Breaches & Attacks
Security breaches of over 1 Million records
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, Aug 2013
Virginia Agencies:
*95,513,983 attack attempts (>300K / day)
*708,027,671 spam messages blocked
*Jan – Dec 13, 2013, transformed agencies only

8 Increase in Security Incidents ( )

9 Cyber Attack Map – July 2013

10 VITA Has Broad Statutory Security Role
Set security architecture & standards
Oversee Northrop Grumman
Perform overall incident response
Share intelligence & information (FBI, DHS, State Police, VDEM)
Conduct risk management
Oversee & assist agencies
–CIO has limited authority to ensure compliance

11 NG Responsible for Infrastructure Security
Physical & logical security:
–Data center protection
–Firewalls, intrusion monitors, encryption, compartmentalization, antivirus & spam filters
Detection, containment & removal of security incidents affecting the infrastructure
However, the primary attack vector is against applications & not the infrastructure:
–NG assists with attacks against applications, but agencies remain responsible for applications & data

12 State Agency IT Security Efforts Are Mixed
Source: 2012 Commonwealth of Virginia Information Security Annual Report
Agencies in Compliance   Agency Responsibility
71                       Develop & maintain IT security audit plan
97%                      Appoint Information Security Officer
63                       Conduct IT security audits every 3 years (minimum)
56                       Develop & maintain corrective action plans
42                       Develop & maintain policies and procedures to control unauthorized uses and intrusions

13 Priority – Cyber Security
Improve Analysis & Risk Assessment:
–Full packet analysis to address data exfiltration
–Risk management tool (being pursued) to identify potential impact of breach or outage
Enhance Access Security:
–More secure remote network access (SSL VPN)
–Password resets (from 90 to 45 days)
–Two-factor authentication
Address Security Compliance:
–Increasing CoVA capabilities
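The slide names a concrete control, shortening the password reset interval from 90 to 45 days, without saying how an agency would verify it on its systems. As an added example (not part of the presentation and not VITA's own tooling), the script below audits per-account maximum password age against a policy ceiling. It reads records in the standard shadow(5) field layout; the account names, hashes and dates in the sample are constructed, and the audit date is fixed so the results are reproducible.

```python
"""Audit per-account maximum password age against a policy ceiling.

Added example for the slide's "password resets (from 90 to 45 days)" item.
It is not VITA's tooling. It reads /etc/shadow-style records in the standard
shadow(5) layout; the sample records below are constructed, not real.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterator, List, Optional, Tuple

POLICY_MAX_DAYS_OLD = 90   # previous ceiling named on the slide
POLICY_MAX_DAYS_NEW = 45   # new ceiling named on the slide

# Fixed audit date so the constructed sample gives reproducible results.
AUDIT_DATE = date(2024, 1, 15)  # day 19737 counted from the 1970-01-01 epoch

# Constructed sample records (made-up names, hashes and dates).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and max are in days; lastchg counts from 1970-01-01.
SAMPLE_SHADOW = """\
alice:$6$saltA$hashA:19700:1:90:7:::
bob:$6$saltB$hashB:19720:1:45:7:::
carol:$6$saltC$hashC:19600:1:180:7:::
svc_backup:*:19000:0:99999:7:::
daemon:!:19000:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)


@dataclass
class AccountCheck:
    name: str
    max_days: Optional[int]  # configured maximum age; None = field blank (no limit)
    age_days: int            # days since the password was last changed
    over_policy: bool        # configured maximum exceeds the policy ceiling
    overdue: bool            # password is already older than the ceiling


def parse_shadow(text: str) -> Iterator[Tuple[str, Optional[int], Optional[int]]]:
    """Yield (name, lastchg_days, max_days) for accounts that have a usable hash.

    Locked or password-less accounts ('*', '!', '!!', empty hash) are skipped,
    since a rotation policy cannot apply to them.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed shadow record: {line!r}")
        name, hashed, lastchg, _min_days, max_days = fields[:5]
        if hashed in ("*", "") or hashed.startswith("!"):
            continue
        yield (name,
               int(lastchg) if lastchg else None,
               int(max_days) if max_days else None)


def audit(text: str, policy_max_days: int, today: date = AUDIT_DATE) -> List[AccountCheck]:
    """Check every password-bearing account against policy_max_days."""
    results = []
    for name, lastchg, max_days in parse_shadow(text):
        # A blank or zero lastchg means the password must change at next login;
        # treating it as the epoch makes such accounts show up as overdue.
        last_changed = EPOCH + timedelta(days=lastchg or 0)
        age = (today - last_changed).days
        over_policy = max_days is None or max_days > policy_max_days
        results.append(AccountCheck(name, max_days, age, over_policy, age > policy_max_days))
    return results


def summarize(checks: List[AccountCheck]) -> Tuple[int, int]:
    """Return (accounts whose max age exceeds policy, accounts already overdue)."""
    return (sum(c.over_policy for c in checks), sum(c.overdue for c in checks))


if __name__ == "__main__":
    for ceiling in (POLICY_MAX_DAYS_OLD, POLICY_MAX_DAYS_NEW):
        checks = audit(SAMPLE_SHADOW, ceiling)
        over, due = summarize(checks)
        print(f"ceiling {ceiling} days: {over} account(s) configured above it, {due} overdue")
        for c in checks:
            flag = "OVER-POLICY" if c.over_policy else "ok"
            print(f"  {c.name:<12} max={c.max_days!s:>5} age={c.age_days:>4}d {flag}"
                  + ("  OVERDUE" if c.overdue else ""))
```

Running it with both ceilings shows why the change is more than a number in a policy document: an account whose configured maximum is 90 days is compliant under the old ceiling and out of policy under the new one, while an account with no effective limit (99999) is out of policy under either. The same two checks, the configured maximum versus the ceiling and the actual password age versus the ceiling, are what an agency audit plan would need to report.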

14 VITA & Agencies Lack Security Staff
VITA needs a cyber intelligence program to analyze threats and attacks:
–Need for risk-based decisions based on likelihood of attack attempts
–Need analysis of malicious third parties that directly target the Commonwealth
State agency staffing constraints impede security gap correction & limit auditing:
–Agencies must test their applications against new patches & evolving federal requirements

15 Future Governance of IT Security
Future Governance Considerations:
–Federal regulations & third-party mandates require new security efforts for agencies
–Agency constraints impede security gap correction & limit auditing to find unknown gaps (EX: Annual security reviews, JAVA, Win 7)
–Implementing a Commonwealth-wide IT risk management program
–Continued agility to rapidly respond to threats
IT Security demands a First Defender approach

16 Questions? Samuel A. Nixon Jr. (804)