Cybersecurity Issues Impacting Public Sector Financial Management OASIS e-Gov Washington Workshop, April 17 2009 John Sabo Director Global Government Relations.

Presentation transcript:

Cybersecurity Issues Impacting Public Sector Financial Management
OASIS e-Gov Washington Workshop, April 17, 2009
John Sabo, Director, Global Government Relations, CA, Inc.; Member, OASIS IDtrust Member Section Steering Committee

Abstract
- Public financial management systems, e-procurement, and other services vital to government operations and citizen trust increasingly make use of information technology, networked infrastructures and Internet services.
- Cybersecurity risks continue to multiply as the threat landscape broadens. As governmental services migrate to Internet and Internet Protocol-based infrastructures, managing cybersecurity risk takes on greater importance as government agencies cut ties to old business processes and fully embrace Internet-based services.
- This presentation will provide an overview of cybersecurity risk issues, a number of public-private sector partnership efforts to assess and mitigate cyber risks, and examples of work underway by Technical Committees in the OASIS IDtrust Member Section to develop standards to help address these challenges.

Cybersecurity – Government and Business Risk Management Issues
- 2007 Business Roundtable Report – growing Internet dependence
- Control system vulnerabilities
- Critical infrastructure interdependencies
  - e.g., network availability for e-Gov applications
- Convergence of communications with Internet Protocol-based networks/devices/security
- Major global and federal government cybersecurity initiatives
- Major initiatives such as Health IT, Smart Grid

Obama Administration
- E-Government – using cutting-edge technologies to create a new level of transparency, accountability, and participation for America's citizens, to reform government and to improve the exchange of information between the federal government and its citizens and partners.
- Cybersecurity – deploying a new generation of secure hardware and software for our critical cyber infrastructure and protecting sensitive corporate and government information and industrial applications from unauthorized access, theft, and misuse, while ensuring the resilience of our information networks, systems and applications.
- Data Privacy – managing data privacy and securing personal information by partnering with industry to develop and implement standards and solutions needed to protect the rights of individuals in the information age.

Foundation in Place for Cybersecurity Risk Management
- Huge resource and intellectual investments
- R&D – technology development in response to market needs – innovation
- Technologies, standards – e.g., identity and access management, authorization, encryption
- Evolving standards and standards development to address new risk management requirements
- Operational capabilities via organizations such as Information Sharing and Analysis Centers
- Trusted industry and industry-government working relationships
- Increased focus on cyber risk management, e.g., IT Sector Coordinating Council risk assessment

IT Sector Critical Functions and Cybersecurity
- IT Products and Services
- Incident Management Capabilities
- Domain Name Resolution
- Identity Management and Trust Support Services
- Internet-based Content, Information and Communications Services
- Internet Routing, Access and Connection Services

Complexities of the IT Sector
- Domain Name System (DNS) root and Generic Top Level Domain (GTLD) operators
- Internet Service Providers (ISPs)
- Internet backbone providers
- Internet portal and providers
- Networking hardware companies (e.g., fiber-optics makers and line acceleration hardware manufacturers) and other hardware manufacturers (e.g., PC and server manufacturers and information storage)
- Software companies
- Security services vendors
- Communications companies that characterize themselves as having an IT role
- Edge and core service providers
- IT system integrators
- Global, Federal, State, and local governments… end users, businesses

IT "Sector Specific Plan"
- Prevention and protection through risk management
  - Understand and prioritize risks and implement protective measures
- Situational awareness
  - Share threat and vulnerability information among IT Sector, other sectors and government, including developing indications and warnings
  - Expand public-private analytical capabilities to proactively identify potential future incidents
- Response, recovery and reconstitution
  - Communications, incident response and coordination, recovery, reconstitution, and law enforcement linkages

Federal Comprehensive National Cybersecurity Initiative (CNCI)
1. Trusted Internet Connections
2. Intrusion detection
3. Intrusion prevention
4. Research and development
5. Situational awareness
6. Cyber counterintelligence
7. Classified network security
8. Cyber education and training
9. Implementation of information security technologies
10. Deterrence strategies
11. Global supply chain security
12. Public/private collaboration

A Few Current Issues
- Administration's 60-day Cybersecurity Review
  - What is the federal government's role in protecting critical infrastructure and information networks against a nation-state attack?
  - Role of the private sector in protecting government networks – people, process, technology, regulation, and incentives
  - What thresholds do we recommend for defining and reporting cyber incidents, and to whom does it get reported?
- New Federal Leadership, Organizational Alignment
- Legislation and Oversight
- … all in the context of incredible technological innovation

IDtrust Member Section

- Evolution
  - PKI Forum (1999)
  - PKI Member Section (Nov 2002)
  - IDtrust Member Section (2007)
- Steering Committee
  - June Leung, FundSERV
  - Abbie Barbir, Nortel
  - John Bradley
  - John Sabo, CA
  - Anil Saldhana, Red Hat
- OASIS Staff – Dee Schur
- 31 Sponsors/Contributing Member Organizations

Strategic Focus Areas
- Identity and Trust Infrastructure Components
  - Standards, protocols, cost/benefits, risks
- Identity and Trust Policies and Enforcement
  - Policy issues, policy mapping, assurance
- Barriers and Emerging Issues
  - Data privacy, interoperability, extensible trust
- Education and Outreach
  - White papers, research, conferences, Wiki
  - idtrust.xml.org

Technical Committees
- Digital Signature Services eXtended (DSS-X) – advancing new profiles for the DSS OASIS Standard
- Identity Metasystem Interoperability (IMI) – advancing an interoperability standard for Information Cards
- Open Reputation Management Systems (ORMS) – advancing the ability to use common data formats for representing reputation data
- Extensible Resource Identifier (XRI) – defining a resolution protocol for abstract structured identifiers used to identify and share resources across domains and applications
- XRI Data Interchange (XDI) – creating a standard for sharing, linking, and synchronizing data over the Internet and other networks using XML documents and Extensible Resource Identifiers (XRIs)
- Enterprise Key Management Infrastructure (EKMI) – defining symmetric key management protocols
- Key Management Interoperability Protocol (KMIP) – advancing an interoperability standard for enterprise encryption key management

What is KMIP
The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new encryption applications, covering symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications. KMIP defines the protocol for communication between encryption clients and key-management servers. Supported key-lifecycle operations include generation, submission, retrieval, and deletion of cryptographic keys. Vendors will deliver KMIP-enabled encryption applications that communicate with compatible KMIP key-management servers.

Enterprise Cryptographic Environments (diagram): an enterprise key management server connected over the Key Management Interoperability Protocol to disk arrays; backup disk, tape and system; collaboration and content management systems; file servers; portals; production, replica and staging databases; enterprise applications; eCommerce applications; business analytics; dev/test obfuscation; WAN, LAN and VPN; and CRM. KMIP: a single protocol supporting enterprise cryptographic environments.

John Sabo