© 2006 Verizon. All Rights Reserved. Overview of State Governance Security Landscape. Leslie Carter, State Subject Matter Expert. January 18, 2007.

Presentation transcript:

1 Overview of State Governance Security Landscape
Leslie Carter, State Subject Matter Expert
January 18, 2007

2 Agenda
–Security Challenges in State Agencies
–Where State Agencies Need to Be
–Approaches to Meeting the Challenges

3 Security Is An Enterprise-Wide Challenge
[Diagram: Security Program at the center, surrounded by Security Governance, Security Oversight and Security Operations]
–Senior Execs & CIO: Budgets, Report Cards, Laws & Mandates
–CISO: No Budget, Unable to Get Buy-In, Limited Visibility, No Control
–IT Operations: Reporting Burden, Scarce Resources

4 The Security Challenges in Gov/Ed
–Governance: many states and municipalities are just beginning to put in place the governance framework needed for effective information security
–Lack of attention has led to underfunding
–Quickening pace of security laws, regulations, and mandates
–Complexity (technology, organization/accountability, budget, other)
–The competing demands of service to the citizen and protection of citizen privacy are most intense at the state and local government levels
–The siloed federal approach to information exchange has produced a crazy quilt of redundant, incompatible security approaches and infrastructures
–The result: security breaches continue to dominate the headlines

5 Regulatory Challenges
New (2007) California Statutes
–Voter Privacy: SB 506
–Credit Card Receipts: SB 1699
–Domestic Violence Victims: SB 1491
–Identity Theft Legislation: AB 424, AB 618, AB 2043, AB 2886, AB 1390
–Motor Vehicle Dealer Access: AB 2291
–Wireless Network Security for Citizens: AB 2415
–Online Privacy, Reproductive Health: AB 2251
–Online Privacy, Public Officials: AB 2006
Federal Laws
–The Children’s Online Privacy Protection Act of 1998
–The Computer Fraud and Abuse Act of 1984
–The Computer Matching & Privacy Protection Act of 1988 & Amendments of 1990
–The Driver’s Privacy Protection Act of 1994
–The Electronic Communications Privacy Act of 1986
–The Fair Credit Reporting Act of 1970
–The Family Educational Rights and Privacy Act of 1974
–The Gramm-Leach-Bliley Financial Services Modernization Act of 1999
–The Health Insurance Portability and Accountability Act of 1996
–The Privacy Act of 1974
–REAL ID Act of 2005
–Sarbanes-Oxley
–Homeland Security Initiatives
–Federal Information Security Management Act
–Federal Audit Requirements for agencies carrying out federal programs: Circular A-87 and A-133

FISMA Highlights
§3544(b) - Agency Security Program
Federal Information Security Management Act (FISMA)
–Title III of the E-Government Act of 2002
–Applies to all federal agencies and 3rd parties (states and localities) dealing with federal data and carrying out federal programs
FISMA Security Program Requirements
–Periodic risk assessments
–Policies and procedures
–Subordinate plans for networks and systems
–Security awareness training
–Periodic testing and evaluation of policies, procedures and practices
–Remediation program for security weaknesses
–Procedures for incident detection, reporting and response
–Plans and procedures for continuity of operations

7 Complexity Leads to Vulnerability
[Diagram: data exchanges among Federal Depts., State HHS Agencies, Local, K-12 and Higher Ed]
–Federal Depts.: Health/Human Serv., Education, Homeland Sec., Commerce, Transportation, Treasury/IRS, Interior, Energy
–State: State HHS Agencies, State Agencies, State & Local Public Safety & Educ, State and Local Law Enforcement
–Local and Education: Town, City, College, High School
Who is securing all of these exchanges and gateways?

8 A State Government’s Myriad Interfaces
[Table of interface counts by segment; columns: Federal, Other States, Intra State, Local, K-12, Business, Citizen, Total. The cell values are not present in the transcript.]
Segments: Transportation; HHS; Fin & Admin; Education; Courts & Pub Safety; Natural Resources; Public Works; Other/Econ Develop
Total ,746

9 Program Interface Example: Child Support Enforcement Interfaces
[Diagram: Child Support Enforcement at the center, linked to the following record sources]
–Financial Institutions
–Employer Records
–Personal Property Tax Records
–State, Local & Fed Tax Records
–Passports
–Insurance Companies
–Business Tax Records
–DMV & Vehicle Records
–Hunting & Fishing Licenses
–Professional Licenses & Business Licenses
–Cell Phone & Cable Provider Records
–Unemployment Records
–Court Records
–Military Records
–Financial Aid Records

Where Do Agencies Need to Be?

11 Security Life Cycle Approach
[Diagram: security life cycle driven by Business Priority, Changing Business Drivers and Regulatory/Governance Drivers]
Labels: Compliance; Account Reporting; Key Business Indicators; Business Continuity Reviews; Programs; Assessments; Prevention; Remediation; Asset Management; Infrastructure Mgmt./Monitoring; Operational / Architectural Controls; Policy/Procedures/Process

12 Across-All-Borders Security Program
[Diagram: layers from Enterprise Core, through Cross Enterprise, to Carrier Network Cloud; scopes Intra-agency, Inter-agency/gov’t and Beyond CA Gov’t Borders]
Capabilities:
–Event data collection
–Event data normalization
–Event consolidation
–Behavioral models
–Global activity monitoring
–Early warning system
–Fraud correlation
–Internet outage correlation
–Dark space analysis
–Threat correlation
–Source correlation
–Dynamic prioritization

How Do Agencies Get There?

14 Current State & Agency Trends & Approaches
–Statewide and Agency CISO Appointments
–Enterprise Security Architecture & Policies
–Assessments and Compliance
»External Resources (Centralized & Federated Models)
»State Auditors
–Business Case based on program/agency risk
»The most successful link the security issues with business impact at the agency or program level
»Demonstrate business risks
»Demonstrate quantifiable consequences
»Demonstrate other losses (citizen trust, damage to reputation, etc.)
»Highlight benefits of IT security and where risk will be reduced

15 Develop an Ongoing Security Program
–Quick assessment or scorecard that identifies the most pressing risks and vulnerabilities first
»Gives CIO & CISO a starting point; can start to show progress quickly
»Prioritize, plan and budget the ongoing program
»High-level way to articulate the risks to business and program execs
–Bring together key stakeholders to develop policies and define roles & responsibilities
»Agency business owners, auditors, IT managers, etc.
»Agencies need to help assess program risk and support programs to reduce risks
»Large agency CISOs and CIOs should help drive and lead the process
–Build and fund the business case for an ongoing program
»Ongoing periodic assessments and compliance based on risk and business need
»Policy review and updates as technology and the business change
»Ongoing funding streams

Questions?

17 Get Involved With Other States
National Association of State CIOs
–Real ID Committee
–Security and Privacy Committee
–Health IT