Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.


Agenda
Describe the approach we are taking to build a world class security function
Reminisce about what I would have done differently as an auditor
Q & A

In the Beginning
Accepted role as first CISO of our state in June 2006
Attractive aspects of the job
  – Freedom to build a program from scratch
  – Powerful enabling legislation
  – $1.9M start up appropriation

Legislation
Develop security policies and standards
Install and administer data security systems
Responsible for state networks connected to the internet
Agencies must comply

Inherent Challenges
Lots of decentralized technology silos
No history of collaboration
No governance structure to make decisions
Few staff
$1.9M start up appropriation
Unknown risk profile

Starting With a Blank Sheet of Paper

State of the State
Many critical duties are simply not done
Important functions may not be available in the event of a crisis
(Diagram: maturity scale Non-existent, Initial, Repeatable, Defined, Managed, Optimized, with markers for the current state and the desired state)

Security Program Foundation
Clarified authority and responsibility to make decisions
Resources
  – Gained approval for legislative initiative
  – Embarked on a journey to sell merits to policymakers
(Diagram: Legislature, Governor, CIO)

Governance
Information Security Council formed in July 2006
Mission: Identify what needs to be done to secure the government
(Diagram: Legislature, Governor, CIO, CISO, Information Security Council)

Future Program Attributes
Increased focus on security planning activities
  – Proactive vs. reactive
  – Highly adaptable to changing conditions

Future Program Attributes
Comprehensive, clearly outlining the baseline requirements that all agencies must follow
  – Policies & Procedures
  – Standards
  – Guidelines
(Diagram annotation: = Not Negotiable)

Future Program Attributes
Important security decisions in the hands of people best suited to make those decisions
  – Most security decisions made locally by people who understand agency activities
  – Central leader with overall responsibility
  – Centralized support teams to help agency security professionals

Future Program Attributes
Broad-based support from people who will be expected to implement the provisions
  – State agency executive management
  – Security leaders in state agencies
  – Information technology professionals

Future Program Attributes
Championed by government leaders at the highest levels
  – Governor
  – State Chief Information Officer and Chief Information Security Officer
  – Commissioners
  – Legislative leaders

Future Program Attributes
Supported by appropriate resources, including technical tools, training, and people
  – What should we be doing?
  – Are there personnel needs that must be addressed?
  – What tools and training will be necessary to deliver results?
(Diagram: Desired Outcomes, Personnel, Tools)

Future Program Attributes
Takes advantage of the size of government to leverage financial and human resources
  – Central experts to service all agencies
  – Enterprise tools
  – Reuse of individual agency efforts

Future Program Attributes
Includes methods to ensure compliance
  – Central team of technical audit professionals
  – Provide immediate feedback to remedy problems before they appear in audit reports

Vision
Government entities must unite
  – Common set of formalized policies and standards
  – World class security tools
Federated architecture
  – Local risk-based decisions
  – Central management of enterprise security tools

Security Solutions
Working to identify long-term outcomes
Five year planning horizon
Priority areas will become part of a two year tactical plan
(Diagram: Legislature, Governor, CIO, CISO, Information Security Council; Desired Outcomes, Personnel, Tools)

High-Level Strategic Outcome
“Manage a sustainable information security program that helps government entities make risk-based decisions that are reasonable and appropriate”

Sustainable?
Supported by the government leaders at the highest level, including future leaders
Adds value to government entities and helps them achieve their mission
Includes broad and active participation of stakeholders
Built on repeatable and documented processes

Reasonable and Appropriate?
Aligned with industry best practices
Ensures compliance
Reduces risk to a level that management is willing to accept
Assessed regularly for applicability and cost effectiveness

Other Accomplishments
Portable computing devices security
OET internal security
Participation in development projects
Direct assistance to agencies
Sponsoring and hosting training
Human resource development

Legislative Initiative
Did not get what we wanted
Increased enterprise security base funding
  – $5.9 million per year this biennium
  – $4.4 million per year thereafter
It’s all of our money

Looking Back…
Did many great audits
Spent too much time on F/S stuff
Did not tell the Legislature many critical things that they needed to know
  – No leadership, vision, or comprehensive plan
  – Current approach has no chance of success and demonstrates poor stewardship of public funds

Today…
Trying to fix the problems that I never communicated to policymakers
Good at my job because of my audit and financial background
Working closely with our auditors

Tomorrow
Unsure where fate will eventually lead me
If it is audit, I think that my new experiences will make me better next time around