Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tune IT Up Campaign Overview Mark Kaletka Computing Division 9/29/2009 Mark Kaletka Computing Division 9/29/2009.

Published byClaude Poole Modified over 8 years ago

Similar presentations

Presentation on theme: "Tune IT Up Campaign Overview Mark Kaletka Computing Division 9/29/2009 Mark Kaletka Computing Division 9/29/2009."— Presentation transcript:

1 Tune IT Up Campaign Overview Mark Kaletka Computing Division 9/29/2009 Mark Kaletka Computing Division 9/29/2009

2 A “Few” of the Lab’s IT Directives & Regulations One of the items specified in that contract is the list of regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office; One of the items specified in that contract is the list of regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office; – Applicable Standards and Guidance – Legislation – Office of Management and Budget (OMB) Memorandum 03-33 Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 September 26, 2003. – Office of Management and Budget (OMB) Memorandum 99-05 Instructions For Complying With The President's Memorandum Of May 14, 1998, "Privacy and Personal Information in Federal Records, January 7, 1999. – Public Law 107-347 (44 U.S.C. Ch 36) E-Government Act of 2002, Title III— Information Security, also known as the Federal Information Security Management Act (FISMA) of 2002. – Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8, 1996. – Public Law, Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) – NIST Guidance – Federal Information Processing Standards (FIPS) – FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, July 2005. – FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. – Special Publications – SP 800-70, The NIST Security Configuration Checklists Program,May 2005. – SP 800-65, Integrating Security into the Capital Planning and Investment Control Process, January 2005. – SP 800-64, Security Considerations in the Information System Development Life Cycle, October 2003 (publication original release date) (revision 1 released June 2004). – SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004. – SP 800-53, Recommended Security Controls for Federal Information Systems, February 2005. – SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, November 2002. – SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004. – SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002. – SP 800-30, Risk Management Guide for Information Technology Systems, July 2002. – SP 800-26, Rev. 1 NIST DRAFT Special Publication 800-26, Revision 1: Guide for Information Security Program Assessments and System Reporting Form. – SP 800-18, Rev. 1 Guide for Developing Security Plans for Federal Information Systems February 2006. – DOE Policy and Guidance – Revitalization of the Department of Energy Cyber Security Program (1/2006) – Department of Energy Cyber Security Management Program Order 205.1, (Draft) – Department of Energy Cyber Security Management Program, (3/21/2003) – Notice 205.1-1 Incident Prevention Warning and Response Manual – Notice 205.2 Foreign National Access to DOE Cyber Systems (extended to 9/30/06) – Notice 205.3 Password Generation, Protection and Use, (extended to 9/30/06) – Notice 205.4 Handling Cyber Alerts and Advisories, and Reporting Cyber Security Incidents (extended to 07/06/05) – Notice 205.8 Cyber Security Requirements for Wireless Devices and Information Systems, (3/18/06) – Notice 205.9 Certification and Accreditation Process for Information Systems, including National Security Systems, (3/18/06) – Notice 205.10 Cyber Security Requirements for Risk Management, (3/18/06) – Notice 205.11 Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems (3/1/8/06) – Notice 205.12 Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware (2/19/2004) – Notice 205.13 Extension of DOE Directive on Cyber Security, (7/6/2004)

3 Audit not Quite “Fail” Safeguards and Security Audit of Computer Security Program in May 2009 resulted in 6 findings; Safeguards and Security Audit of Computer Security Program in May 2009 resulted in 6 findings; – For us this is like going from A+ to C-.

4

5

6 Audit Findings = Consequences… Findings have serious consequences for the Lab; Findings have serious consequences for the Lab; There is a contract between FRA and DOE to manage Fermilab; There is a contract between FRA and DOE to manage Fermilab; Consequences of failing to meet terms of contract can be both tangible (financial, resources, rebid our contract) and intangible (credibility of lab to conduct scientific program); Consequences of failing to meet terms of contract can be both tangible (financial, resources, rebid our contract) and intangible (credibility of lab to conduct scientific program); – Just like safety, quality assurance; Auditors will keep coming back, we need to work together Lab-wide to improve; Auditors will keep coming back, we need to work together Lab-wide to improve; We want to fix the underlying causes that led to audit findings; We want to fix the underlying causes that led to audit findings; – Not just address isolated consequences;

7

8 Launch!Launch! Lab Director (Pier) instructed CIO (Vicky White) to lead a lab wide response; Lab Director (Pier) instructed CIO (Vicky White) to lead a lab wide response; CIO placed me (Mark Kaletka) in charge of leading the lab wide response; CIO placed me (Mark Kaletka) in charge of leading the lab wide response; Progress is being monitored by DOE Site office; Progress is being monitored by DOE Site office; The response is the Tune IT Up Campaign; The response is the Tune IT Up Campaign;Tune IT Up CampaignTune IT Up Campaign

9 Message from the Director I have directed Vicky White, Fermilab’s chief information officer, to take whatever steps are necessary to address the findings in this audit and to bring Fermilab cybersecurity up to the same standard of excellence we require for every other area of laboratory operations. With my full support, she will lead a campaign, “Tune IT Up,” that will involve every Fermilab employee and user in making changes to the way we manage computers. We will need to move quickly. Just like safety, cybersecurity is the responsibility of every person at the laboratory. Line managers are responsible for understanding and enforcing policies on computer security. System administrators must follow the requirements for configuration of the machines under their control. Each user is responsible for understanding and following the Fermilab Policy on Computing. Employees with higher levels of responsibility, for example those handling privacy information, must exercise a higher level of care handling the information under their control. I have directed Vicky White, Fermilab’s chief information officer, to take whatever steps are necessary to address the findings in this audit and to bring Fermilab cybersecurity up to the same standard of excellence we require for every other area of laboratory operations. With my full support, she will lead a campaign, “Tune IT Up,” that will involve every Fermilab employee and user in making changes to the way we manage computers. We will need to move quickly. Just like safety, cybersecurity is the responsibility of every person at the laboratory. Line managers are responsible for understanding and enforcing policies on computer security. System administrators must follow the requirements for configuration of the machines under their control. Each user is responsible for understanding and following the Fermilab Policy on Computing. Employees with higher levels of responsibility, for example those handling privacy information, must exercise a higher level of care handling the information under their control.Fermilab Policy on ComputingFermilab Policy on Computing

10 Message from the CIO It’s time for a tune-up! Today we launch a campaign to tune up our Information Technology (IT) to fully comply with our published security baselines and policies. We do this not only to comply with the audit requirements but to strengthen computing at Fermilab to support our physics mission. In the coming months every desktop and laptop owned by Fermilab will receive either a physical or virtual visit from a trained system administrator who will check it for full compliance with required baseline configurations. Those who do not need administrative privileges to carry out their job functions will no longer have such privileges. Those who do will maintain administrative privileges and will be retrained in how to ensure that their systems meet requirements. We will incorporate every machine into the automated inventory and patching systems provided for Windows, Linux and Mac systems. We will remove from the network desktops and laptops that are not running an approved OS with a published security baseline. We will take out of service desktops and laptops that are too old to be updated or are running systems that cannot be brought up to standards; or we will fully document the need to run them and put in place compensatory controls (such as isolating them in their own network segment). It’s time for a tune-up! Today we launch a campaign to tune up our Information Technology (IT) to fully comply with our published security baselines and policies. We do this not only to comply with the audit requirements but to strengthen computing at Fermilab to support our physics mission. In the coming months every desktop and laptop owned by Fermilab will receive either a physical or virtual visit from a trained system administrator who will check it for full compliance with required baseline configurations. Those who do not need administrative privileges to carry out their job functions will no longer have such privileges. Those who do will maintain administrative privileges and will be retrained in how to ensure that their systems meet requirements. We will incorporate every machine into the automated inventory and patching systems provided for Windows, Linux and Mac systems. We will remove from the network desktops and laptops that are not running an approved OS with a published security baseline. We will take out of service desktops and laptops that are too old to be updated or are running systems that cannot be brought up to standards; or we will fully document the need to run them and put in place compensatory controls (such as isolating them in their own network segment).

11

12 Campaign Goals Review and update all security baselines and policies (including password and authentication policies). Review and update all security baselines and policies (including password and authentication policies). Ensure that all computers at Fermilab conform to security baselines and security plans and that all applications are patched. Ensure that all computers at Fermilab conform to security baselines and security plans and that all applications are patched. Improve efficiency and consistency of management of desktop and laptops and move towards standards and central management of all systems with least user privilege granted. Improve efficiency and consistency of management of desktop and laptops and move towards standards and central management of all systems with least user privilege granted. Ensure all systems deviating from baselines are assessed and approved (or have corrective action plans) – or are detected and responded to. Ensure all systems deviating from baselines are assessed and approved (or have corrective action plans) – or are detected and responded to.

13 Campaign Goals Ensure that all sensitive data and PII are in systems protected with moderate level controls detailed in “major application” security plans, that those people who have access to such data are approved, and that all lab contracts related to such data are reviewed. Ensure that all sensitive data and PII are in systems protected with moderate level controls detailed in “major application” security plans, that those people who have access to such data are approved, and that all lab contracts related to such data are reviewed. Tune up and increase training and education on cyber secure behaviors and how to recognize and protect sensitive data and PII. Tune up and increase training and education on cyber secure behaviors and how to recognize and protect sensitive data and PII. Tune up and make more rigorous our internal assessments and ST&E of our cyber security program. Tune up and make more rigorous our internal assessments and ST&E of our cyber security program.

14 Strategies to Achieve the Goals Consolidate the management of IT under a CIO in order to procure, operate, dispose of and protect IT assets in a more standard, cost effective and secure manner. Consolidate the management of IT under a CIO in order to procure, operate, dispose of and protect IT assets in a more standard, cost effective and secure manner. Enhance the computer security program (which provides the guidelines for operating IT in a secure manner, based on program requirements and assessment/acceptance of a certain level of risk) to increase audit, oversight and training capabilities. Enhance the computer security program (which provides the guidelines for operating IT in a secure manner, based on program requirements and assessment/acceptance of a certain level of risk) to increase audit, oversight and training capabilities. Create additional IT policies and begin to lay out an enterprise architecture – in order to set requirements and guidance for selecting, procuring and operating IT assets (including software assets) Create additional IT policies and begin to lay out an enterprise architecture – in order to set requirements and guidance for selecting, procuring and operating IT assets (including software assets)

15 TimelineTimeline The campaign is expected to last approximately six months with an intense period of activity in the period mid July to mid October, 2009 followed by an ongoing program of work for the remainder of 2009 to ensure that the goals of the campaign are met and that the IT management practices put into place are sustainable. The campaign is expected to last approximately six months with an intense period of activity in the period mid July to mid October, 2009 followed by an ongoing program of work for the remainder of 2009 to ensure that the goals of the campaign are met and that the IT management practices put into place are sustainable. At that time attention will turn to beginning execution of Information Systems projects that are not part of this campaign but are part of the corrective action plan for the audit findings. At that time attention will turn to beginning execution of Information Systems projects that are not part of this campaign but are part of the corrective action plan for the audit findings.

16 DeliverablesDeliverables Services Management Services Management Password Policy Password Policy Baseline Security Baseline Security Information Security Information Security Antivirus Alerts Antivirus Alerts

17 Color Key Completed Completed In Progress In Progress Yet to Start Yet to Start

18 Services Management Form a policy committee to write and maintain configuration requirements for Mac and Linux desktops. Form a policy committee to write and maintain configuration requirements for Mac and Linux desktops. Enforce configuration requirements for all desktop machines. Enforce configuration requirements for all desktop machines. Require supervisors to approve employee requests to run non-standard services, such as Web services. Require supervisors to approve employee requests to run non-standard services, such as Web services.

19 Password Policy Enforce DOE password complexity requirements in the Windows domain. Enforce DOE password complexity requirements in the Windows domain. Stop adding new IMAP accounts and begin setting up all new accounts on the Exchange e-mail server. Stop adding new IMAP accounts and begin setting up all new accounts on the Exchange e-mail server. Enforce a 10-character minimum for passwords on the IMAP e-mail server. Enforce a 10-character minimum for passwords on the IMAP e-mail server. Enforce password complexity guidelines for local Windows accounts. Enforce password complexity guidelines for local Windows accounts. Migrate laboratory employees’ e-mail accounts from IMAP to Exchange e-mail server. Migrate laboratory employees’ e-mail accounts from IMAP to Exchange e-mail server.

20 Baseline Security Disable remote access to local accounts with administrative privileges. Disable remote access to local accounts with administrative privileges. Require supervisors to approve employee requests for local administrative privileges. Require supervisors to approve employee requests for local administrative privileges.

21 Information Security Review roles and responsibilities associated with system identified in review as needing improvement. Review roles and responsibilities associated with system identified in review as needing improvement. Review architecture and configuration of system identified in review as needing improvement. Review architecture and configuration of system identified in review as needing improvement. Implement architectural review recommendations. Implement architectural review recommendations. Reduce usage of personally identifiable information. Reduce usage of personally identifiable information. Hold basic and advanced trainings for handling personally identifiable information. Hold basic and advanced trainings for handling personally identifiable information.

22 Antivirus Alerts Automate response procedure for antivirus alerts. Automate response procedure for antivirus alerts. Create new policy for response procedure for antivirus alerts. Create new policy for response procedure for antivirus alerts. Centralize management of system administrators. Centralize management of system administrators.

23 Baseline Assessment As part of the lab-wide Tune IT Up campaign, every employee and visitor at the lab who uses a laptop, desktop or smart phone to connect to the Fermilab network for daily work must fill out an assessment form. As part of the lab-wide Tune IT Up campaign, every employee and visitor at the lab who uses a laptop, desktop or smart phone to connect to the Fermilab network for daily work must fill out an assessment form. The laboratory is taking this inventory to gather up-to-date information about the laptops, desktops and smart phones used to connect to the Fermilab network. Using this information will allow the laboratory to better support and protect computers and to ensure that systems are appropriately configured. The vulnerability of even one computer can cause a disruption across the entire laboratory. The laboratory is taking this inventory to gather up-to-date information about the laptops, desktops and smart phones used to connect to the Fermilab network. Using this information will allow the laboratory to better support and protect computers and to ensure that systems are appropriately configured. The vulnerability of even one computer can cause a disruption across the entire laboratory. To date, 1276 users (58% of the Lab’s employees) have completed surveys for 2043 computers; To date, 1276 users (58% of the Lab’s employees) have completed surveys for 2043 computers;

24

25

26

27

28

29

30

Download ppt "Tune IT Up Campaign Overview Mark Kaletka Computing Division 9/29/2009 Mark Kaletka Computing Division 9/29/2009."

Similar presentations

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
U.S. General Services Administration Presentation to: ACT-IAC Cybersecurity SIG Improving Cybersecurity through Acquisition Emile Monette Senior Advisor.

U.S. General Services Administration Presentation to: ACT-IAC Cybersecurity SIG Improving Cybersecurity through Acquisition Emile Monette Senior Advisor.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Policy Formulation, the Real Scoop Computer Security Awareness Day Mark Leininger September 11, 2007.

Policy Formulation, the Real Scoop Computer Security Awareness Day Mark Leininger September 11, 2007.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Information Security Policies and Standards

Information Security Policies and Standards
Tune IT Up Campaign Overview Mark Kaletka Computing Division 9/29/2009 Mark Kaletka Computing Division 9/29/2009.

Tune IT Up Campaign Overview Mark Kaletka Computing Division 9/29/2009 Mark Kaletka Computing Division 9/29/2009.
IT PLANNING Enterprise Architecture (EA) & Updates to the Plan.

IT PLANNING Enterprise Architecture (EA) & Updates to the Plan.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google