1. Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota

2. Agenda Describe the approach we are taking to build a world class security function Reminisce about what I would have done differently as an auditor Q & A

3. In the Beginning Accepted role as first CISO of our state in June 2006 Attractive aspects of the job –Freedom to build a program from scratch – Powerful enabling legislation –$1.9M start up appropriation

4. Legislation Develop security policies and standards Install and administer data security systems Responsible for state networks connected to the internet Agencies must comply

5. Inherent Challenges Lots of decentralized technology silos No history of collaboration No governance structure to make decisions Few staff $1.9M start up appropriation Unknown risk profile

6. Starting With a Blank Sheet of Paper

7. State of the State Many critical duties are simply not done Important functions may not be available in the event of a crisis 012345 Non-existentInitialRepeatableDefinedManagedOptimized = Desired State= Current State

8. Security Program Foundation Clarified authority and responsibility to make decisions Resources –Gained approval for legislative initiative –Embarked on a journey to sell merits to policymakers LegislatureGovernorCIO

9. Governance Information Security Council formed in July 2006 Mission: Identify what needs to be done to secure the government LegislatureGovernorCIO CISO Information Security Council

10. Future Program Attributes Increased focus on security planning activities –Proactive vs. reactive –Highly adaptable to changing conditions

11. Future Program Attributes Comprehensive, clearly outlining the baseline requirements that all agencies must follow –Policies & Procedures –Standards –Guidelines = Not Negotiable

12. Future Program Attributes Important security decisions in the hands of people best suited to make those decisions –Most security decisions made locally by people who understand agency activities –Central leader with overall responsibility –Centralized support teams to help agency security professionals

13. Future Program Attributes Broad-based support from people who will be expected to implement the provisions –State agency executive management –Security leaders in state agencies –Information technology professionals

14. Future Program Attributes Championed by government leaders at the highest levels –Governor –State Chief Information Officer and Chief Information Security Officer –Commissioners –Legislative leaders

15. Future Program Attributes Supported by appropriate resources, including technical tools, training, and people –What should we being doing? –Are there personnel needs that must be addressed? –What tools and training will be necessary to deliver results? Desired Outcomes Personnel Tools

16. Future Program Attributes Takes advantage of the size of government to leverage financial and human resources –Central experts to service all agencies –Enterprise tools –Reuse of individual agency efforts

17. Future Program Attributes Includes methods to ensure compliance –Central team of technical audit professionals –Provide immediate feedback to remedy problems before they appear in audit reports

18. Vision Government entities must unite –Common set of formalized policies and standards –World class security tools Federated architecture –Local risk-based decisions –Central management of enterprise security tools

19. Security Solutions Working to identify long-term outcomes Five year planning horizon Priority areas will become part of a two year tactical plan LegislatureGovernorCIO CISO Information Security Council Desired Outcomes Personnel Tools

20. High-Level Strategic Outcome “ Manage a sustainable information security program that helps government entities make risk-based decisions that are reasonable and appropriate”

21. Sustainable? Supported by the government leaders at the highest level, including future leaders Adds value to government entities and helps them achieve their mission Includes broad and active participation of stakeholders Built on repeatable and documented processes

22. Reasonable and Appropriate? Aligned with industry best practices Ensures compliance Reduces risk to a level that management is willing to accept Assessed regularly for applicability and cost effectiveness

24. Other Accomplishments Portable computing devices Email security OET internal security Participation in development projects Direct assistance to agencies Sponsoring and hosting training Human resource development

25. Legislative Initiative Did not get what we wanted Increased enterprise security base funding –$5.9 million per year this biennium –$4.4 million per year thereafter It’s all of our money

26. Looking Back… Did many great audits Spent too much time on F/S stuff Did not tell the Legislature many critical things that they needed to know –No leadership, vision, or comprehensive plan –Current approach has no chance of success and demonstrates poor stewardship of pubic funds

27. Today…. Trying to fix the problems that I never communicated to policymakers Good at my job because of my audit and financial background Working closely with our auditors

28. Tomorrow Unsure where fate will eventually lead me If it is audit, I think that my new experiences will make me better next time around