Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 IT Security in the Commonwealth A high-level review Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Governors Secure Commonwealth Panel.

Published byEduardo Crafford Modified over 10 years ago

Similar presentations

Presentation on theme: "1 IT Security in the Commonwealth A high-level review Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Governors Secure Commonwealth Panel."— Presentation transcript:

1 1 IT Security in the Commonwealth A high-level review Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Governors Secure Commonwealth Panel HHR Sub-Panel December 16, 2013 www.vita.virginia.gov 1

2 2 VITAs Mission: Mandate for Change Executive & Legislative Branch leaders called for o Business-like approach to managing IT services across the enterprise of state government Concept of Shared Services (cloud computing) o Statewide IT infrastructure for government entities Major Statutory Responsibilities: –Provisioning of IT Infrastructure Services (in-scope agencies) –Central oversight of IT procurement, projects, security, standards, policy and procedures, Wireless E-911, and contingent labor Modernization is a journey –Step 1: Creation of VITA & statutory framework –Step 2: Transformation of infrastructure –Step 3: Enterprise Applications & Services

3 3 Information Security in the Commonwealth www.vita.virginia.gov VITA is tasked with security governance over all three branches of state government. VITA oversees delivery of infrastructure services to executive branch agencies. Agencies remain responsible for business applications and data. Shared responsibility.

4 4 www.vita.virginia.gov Printers 5,311 network 22,000 desktop CoVA IT Infrastructure 2,247 Locations Communications 55,000 desk phones 6,100 handhelds (PDAs) 11,000 cell phones Networks 2,039 circuits Data Centers (2) CESC SWESC Computers 59,374 PCs 3,356 servers Mailboxes 58,948 accounts Data storage 1.5 petabytes Mainframes (2) IBM Unisys

5 5 www.vita.virginia.gov Exec Branch Business Applications Core Applications: –2,100 Sensitive Systems: –697 Why does Security matter? Examples: –Health Care – PHI, Birth Records, Prescription Monitoring –Public Safety - Forensics Lab Data, Fingerprint System, Emergency Planning data –Transportation – Traffic Mgmt Systems, Road, Rail and Air –Taxation – Citizen and Business Financial Info, FTI (SSN) –VITA – Infrastructure & Security Architecture, Network, Employee Authorization

6 6 Security Strategy

7 7 www.vita.virginia.gov Government Data Breaches & Attacks Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, Aug 2013 Virginia Agencies *95,513,983 attack attempts >300K / day *708,027,671 spam messages blocked *Jan – Dec 13, 2013, transformed agencies only Security breaches of over 1 Million records

8 8 Increase in Security Incidents (2010-2013)

9 9 Cyber Attack Map – July 2013

10 10 VITA Has Broad Statutory Security Role Set security architecture & standards Oversee Northrop Grumman Perform overall incident response Share intelligence & information (FBI, DHS, State Police, VDEM) Conduct risk management Oversee & assist agencies –CIO has limited authority to ensure compliance www.vita.virginia.gov

11 11 NG Responsible for Infrastructure Security Physical & logical security –Data center protection –Firewalls, intrusion monitors, encryption, compartmentalization, antivirus & spam filters Detection, containment & removal of security incidents affecting the infrastructure However, primary attack vector is against applications & not the infrastructure –NG assists with attacks against applications, but agencies remain responsible for applications & data www.vita.virginia.gov

12 12 State Agency IT Security Efforts Are Mixed www.vita.virginia.gov Source: 2012 Commonwealth of Virginia Information Security Annual Report Agencies in ComplianceAgency Responsibility 71Develop & maintain IT security audit plan 97% Appoint Information Security Officer 63Conduct IT security audits every 3 years (minimum) 56Develop & maintain corrective action plans 42Develop & maintain policies and procedures to control unauthorized uses and intrusions

13 13 Priority – Cyber Security Improve Analysis & Risk Assessment –Full packet analysis to address data exfiltration –Risk management tool (being pursued) to identify potential impact of breach or outage Enhance Access Security –More secure remote network access (SSL VPN) –Password resets (from 90 to 45 days) –Two-factor authentication Address Security Compliance –Increasing CoVA capabilities www.vita.virginia.gov

14 14 VITA & Agencies Lack Security Staff VITA needs a cyber intelligence program to analyze threats and attacks –Need for risk-based decisions based on likelihood of attack attempts –Need analysis of malicious third parties that directly target the Commonwealth State agency staffing constraints impede security gap correction & limit auditing –Agencies must test their applications against new patches & evolving federal requirements www.vita.virginia.gov

15 15 Future Governance of IT Security Future Governance Considerations –Federal regulations & third-party mandates require new security efforts for agencies –Agency constraints impede security gap correction & limit auditing to find unknown gaps EX: Annual security reviews, JAVA, Win 7 –Implementing a Commonwealth wide IT risk management program –Continued agility to rapidly respond to threats IT Security demands a First Defender approach www.vita.virginia.gov

16 16 Questions? Samuel A. Nixon Jr. sam.nixon@vita.virginia.gov (804) 416-6004 www.vita.virginia.gov

Download ppt "1 IT Security in the Commonwealth A high-level review Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Governors Secure Commonwealth Panel."

Similar presentations

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov.

1 IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1,
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
© 2012 Gigamon. All rights reserved. The Dynamic World of Threat Detection, Containment & Response 1.

© 2012 Gigamon. All rights reserved. The Dynamic World of Threat Detection, Containment & Response 1.
Gaining Senior Leadership Support for Continuity of Operations

Gaining Senior Leadership Support for Continuity of Operations
Cybersecurity Update December 5, 2012. Agenda Cybersecurity – A growing problem Cybersecurity in other states (NASCIO/Deloitte Study) Structure Challenges.

Cybersecurity Update December 5, Agenda Cybersecurity – A growing problem Cybersecurity in other states (NASCIO/Deloitte Study) Structure Challenges.
EMS Checklist (ISO model)

EMS Checklist (ISO model)
1 www.vita.virginia.gov IT Infrastructure program contract modifications Debbie Secor Customer Service and Project Management Office Director Communications.

1 IT Infrastructure program contract modifications Debbie Secor Customer Service and Project Management Office Director Communications.
Abstract To provide efficient and effective access to enterprise information that meets stakeholder needs and supports mission success, NASA is implementing.

Abstract To provide efficient and effective access to enterprise information that meets stakeholder needs and supports mission success, NASA is implementing.
Khammar Mrabit Director Office of Nuclear Security

Khammar Mrabit Director Office of Nuclear Security
Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]

Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]
1 Vince Galotti Chief/ATMICAO 27 March 2007 REGULATING THROUGH SAFETY PERFORMANCE TARGETS.

1 Vince Galotti Chief/ATMICAO 27 March 2007 REGULATING THROUGH SAFETY PERFORMANCE TARGETS.
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Doug Couto Information Systems and Technology Committee (ABJ50) Washington, DC January 25, 2011.

Doug Couto Information Systems and Technology Committee (ABJ50) Washington, DC January 25, 2011.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
1 www.vita.virginia.gov Evolving the Cyber Security Program Michael Watson Chief Information Security Officer ISACA 3/12/2015 www.vita.virginia.gov 1.

1 Evolving the Cyber Security Program Michael Watson Chief Information Security Officer ISACA 3/12/
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.

© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.

Similar presentations

Ads by Google