Cybersecurity Update December 5, 2012. Agenda Cybersecurity – A growing problem Cybersecurity in other states (NASCIO/Deloitte Study) Structure Challenges.

Slides:



Advertisements
Similar presentations
Symantec 2004 Pulse of IT Security in Canada Volume II Survey shows Increases in Concern and Spending for IT Security Andrew Bisson Director, Planning.
Advertisements

1 IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1,
EMS Checklist (ISO model)
The Core Security Services Taxonomy
January 10, 2008www.infosecurity.ca.gov/1 Role, Responsibility and Authority of New Office Presented by Colleen Pedroza, State Chief Information Security.
Developing a Successful Integrated Audit Approach September 14, 2010.
Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
© Prentice Hall CHAPTER 15 Managing the IS Function.
Doug Couto Information Systems and Technology Committee (ABJ50) Washington, DC January 25, 2011.
Chapter 14 Fraud Risk Assessment.
 National association Pamela Walker, Director of Government Affairs National Association of State Chief Information Officers NLC Congressional City Conference:
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.
Security and Personnel
David A. Brown Chief Information Security Officer State of Ohio
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.
1 Telstra in Confidence Managing Security for our Mobile Technology.
Security Controls – What Works
Adopt & Adapt Tips on Enterprise Data Management Annette Pence September 10, 2009 MITRE.
WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.
(ISC) Global Information Security Workforce Study (GISWS) Results U.S. Federal Government.
Prepared: October, Ann Garrett, State Chief Information Security Officer Statewide Security Update October 25, 2005 Information Technology Advisory.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
1 July 08, 2010 Information Security Officer Meeting.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Corporate Ethics Compliance *
Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,
Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:
Lessons Learned in Smart Grid Cyber Security
BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
Joseph Ferracin Director IT Security Solutions Managing Security.
Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013.
Fraud and Prevention: Lessons from the Fire Service August 24,
Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
© 2006 Verizon. All Rights Reserved. Overview of State Governance Security Landscape Leslie Carter, State Subject Matter Expert January 18, 2007 Leslie.
1 August 18, 2010 Disaster Recovery Coordinators’ Meeting.
Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.
The Direction of Information Security and Privacy in State Government Presented by Colleen Pedroza Chief Information Security Officer California State.
Enterprise Cybersecurity Strategy
New A.M. Best Cyber Questionnaire
October 10, Better Together – The Road to Responsible Information Management Presented by Colleen Pedroza, State Information Security Officer.
Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.
Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.
Current risk and compliance priorities for law firms PETER SCOTT CONSULTING.
Information Security tools for records managers Frank Rankin.
WHEN, NOT IF THE CYBER SECURITY CHALLENGES AMONG LOCAL GOVERNMENT UMBC Public Policy Forum Baltimore Maryland April 15, 2016 Gayle B. Guilford CISO Baltimore.
Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD.
Moving to BYOD Gary Audin 1.
Advanced Planning Brief to Industry Jerry L. Davis DAS, Office of Information Security June 9, 2011.
Cyber Security Phillip Davies Head of Content, Cyber and Investigations.
Information Security Officer Meeting
Society for Maintenance and Reliability Professionals (SMRP)
Law Firm Data Security: What In-house Counsel Need to Know
Increasing Information and Data Security in Today’s Cybersecurity World 2017 Conference Review 6/6/2017.
BruinTech Vendor Meet & Greet December 3, 2015
Thomas A. Baden Jr. | Commissioner and State Chief Information Officer
Information Security Program
An Update on FERPA and Student Privacy
Cybersecurity - What’s Next? June 2017
Team 1 – Incident Response
Enterprise Cybersecurity Upgrade Initiation Department of Information Technology Maria Sanchez, Acting State CIO November 13, 2018.
The State of Cybersecurity in State Government NAST March 26, 2019
Enterprise Cybersecurity Initiative Department of Information Technology Vince Martinez, State CIO, Executive Sponsor Lorenzo Ornelas, Managing Director.
Presentation transcript:

Cybersecurity Update December 5, 2012

Agenda Cybersecurity – A growing problem Cybersecurity in other states (NASCIO/Deloitte Study) Structure Challenges Chief Information Security Officer Recommendations

Cybersecurity: A Growing Problem

94 million records containing personally identifiable information (PII) exposed since 2009 The Department of Homeland Security: – >650% increase in cyber incidents at federal agencies – From 5,503 in FY 2006, to 41,776 in FY 2010

A Growing Problem DATA BREACH COSTS Avg. Cost Per Breached Record: $194 Avg. Cost of Data Breach for an Organization: $5.5 million

A Growing Problem New threats are emerging – Decrease in: Traditional attacks such as physical attacks (stealing a laptop) or attacking web sites – Increase in: Foreign state sponsored attacks - 6% to 12% External financial fraud - 4% to 12%

A Growing Problem Hackers are more sophisticated and aggressive: – Financially motivated - Steal data to make money – Politically motivated Hacktivists are motivated by a political or social cause and desire to make political statements. – Use new, rapidly changing technologies

A Growing Problem

Defense Secretary Leon Panetta warned that Americas enemies are taking aim at the systems that run everything, from the electrical grid to transportation systems to the nations financial infrastructure. The U.S. military is trying to get ready for a worst- case scenario, the rest of the government and the private sector must get moving now.

Cybersecurity In Other States

Cybersecurity in Other States Most states have a more centralized model of IT and Cybersecurity Management 96% of states have a Chief Information Security Officer (CISO) now in place with some authority to set statewide policy, procedure and a security framework for agencies – 56% have authority over the executive branch agencies – 14% have statewide authority over legislative, executive and judicial government agencies – 12% their own agency only – 18% other

Cybersecurity in Other States: Chief Information Security Officer Most state CISOs operate in a federated environment where IT and security resources are spread across various state agencies and departments California – 2010 law required each state agency to hire an Information Security Officer (ISO). The ISO reports to the state CISO and establishes a structure for the governance and management of security.

STATE CISOs ARE RESPONSIBLE FOR: Cybersecurity planning and strategyProgram measurement and reporting Information sharingCybersecurity monitoring Incident managementRisk assessment and management Awareness and TrainingCompliance and monitoring Cybersecurity governance (policies, procedures, architecture) Vulnerability management Cybersecurity in Other States: Chief Information Security Officer

Cybersecurity in Other States: Challenges Challenges are the same as ours Top 5 barriers to address Cybersecurity: – Funding – 86% – Increase sophistication of threats – 52% – Inadequate availability of cybersecurity professionals – 46% – Lack of visibility/influence within the enterprise (state) – 42% – Emerging technologies – 36%

Budget/Funding – Cybersecurity budgets average 1-2 % of overall IT budget – 17% of states dont know – big problem Cybersecurity in Other States: Challenges

Staffing 50% report a staff of fewer than 5 employees 38% report 6 to 15 Outsourcing and Staff Augmentation On The Rise Outsourcing has grown from 9% to 12% between 2010 and 2012 Staff Augmentation has grown from 22% to 28% State of Delaware Required to designate one to three ISOs Provides the training and tools employees need Created a 2 year ISO certification program

KEY COMPARISON: STATES VS. FINANCIAL INDUSTRY Security Budget Increases States: 14% Increase Financial: >60% Increase Year-Over-Year Trending States: 4% report an increase of 1-5% Financial: 39% report an increase of 1-5% Dedicated Sec. Professionals States: 50% have 1-5 FTEs Financial: 47% have >100 FTEs Cybersecurity in Other States: Challenges

SURVEY RESULTS OF STATE CISOs Only 14% feel they have appropriate executive commitment/adequate funding 70% have reported a breach Only 24% feel confident in ability to protect state assets Only 32% staff have the required cybersecurity competency 86% indicate lack of sufficient funding is the key barrier to address security 82% feel that phishing is the top cybersecurity threat

Other state priorities are similar to ours Top five initiatives for CISOs – Risk Assessments52% – Training and awareness46% – Data protection44% – Cybersecurity strategy44% – Governance42% Cybersecurity in Other States: Challenges

Recommendations: What the State Security Experts Say Manage Security at the Statewide Level Create policies, processes and a security framework for all agencies to use. Work Together Security professionals are in high demand Skilled employees in one agency can be shared across the state Share Technologies and Competencies Agencies can specialize in a certain discipline, such as identity management, and share their knowledge with other agencies

Dont forget third party providers. – Vendors help deliver products/services or manage critical functions – Some have access to state personal and sensitive state data New technologies are an opportunity – Review and improve security measures and practices when deploying new technology. – Cloud solutions and mobile solutions are examples Recommendations: What the State Security Experts Say

ID and report agency compliance requirements – Compliance requirements and audit findings should be reported to state business leaders – This is an opportunity to communicate security needs Privacy Officer – Name a statewide Privacy Officers Privacy officer decides what needs to be protected CISO determines how to protect data determine what data needs to be protected Recommendations: What the State Security Experts Say

Questions? Jimmy Earley, Division Director Division of State Information Technology Phone: (803)