Enterprise Cybersecurity Strategy LaVerne H. Council Assistant Secretary for Information and Technology

Enterprise Cybersecurity Strategy

LaVerne H. Council, Assistant Secretary for Information and Technology

Topics

• Creating an IT Organization that Supports Tomorrow’s VA

• Facing Our Challenges with TrAITs

• Closer Look: VA’s Enterprise Cybersecurity Strategy

OI&T’s Leadership is Moving VA into the Future

Facing Our Challenges with TrAITs

“It’s our mission that the Veteran will be the vocal initiator driving every project, every decision for OI&T”

Why TrAITs

• TrAITs remind us to ask:

– How will the Veteran benefit from this piece of technology or this new decision?

– What benefit will this bring to a Veteran or their family?

Facing Our Challenges with TrAITs

Transparency

Facing Our Challenges with TrAITs

Innovation

Teamwork

Closer Look: VA’s Cybersecurity Strategy

“VA continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program.”

- Office of Inspector General, Federal Information Security Management Act Audits

Cyber Strategy Summary

• Today’s IT security organizations operate under tremendous threat

• Recent OPM attacks demonstrate significant risk to VA

• OI&T is leading the way with aggressive strategic planning and emphasis on Veteran-focused initiatives

Enterprise Cybersecurity Strategy Team

“Nothing in IT is more important than protecting VA data and the information entrusted to us by Veterans.”

– LaVerne Council, Assistant Secretary for Information and Technology and Chief Information Officer

Enterprise Cybersecurity Strategy Team

Governance, Program Management, and Risk Management

• Key supporting disciplines for decision-making across VA within context of cybersecurity and privacy

• Balances needs of VA’s mission with protecting high value assets

• Includes continuous scanning of cybersecurity landscape to proactively position VA to address emerging threats

• Addresses risks, deficiencies, breaches, and lessons learned

Operations, Telecommunication, and Network Security

• Key supporting disciplines for securing VA information, data, and computing assets

• Includes people, products, and procedures to ensure data confidentiality, integrity, availability, assured delivery, and auditability of VA systems

• Addresses network, platform, and data security

Application and Software Development

• Disciplines needed to ensure applications used during provision of services to Veterans utilize the most secure practices for data storage, access, manipulation, and transmission

• Encompasses entire software lifecycle

• Software assurance, that is, the level of confidence VA software is free of vulnerabilities or defects that could lead to vulnerabilities, is a critical concern

Access Control (AC), Identification and Authentication (IA)

• Disciplines for reducing likelihood and impact of security incidents

• AC combines authentication and authorization processes that allow access to VA networks, hardware computing devices, and applications

• IA verifies a user, process, or device through specific credentials such as passwords, tokens, and biometrics as a prerequisite for granting access to system resources

Medical Cyber

• Focuses on devices not traditionally considered IT that can be networked or accessed electronically

• Must be protected from exploitation and from becoming operable vectors for cyberattacks as they collect and transmit PII and PHI

• Includes medical devices and “cyber physical” systems with similar electronic characteristics, such as HVAC and elevator systems

Security Architecture

• Key supporting disciplines for developing an enterprise information security architecture

• Supports business optimization

• Includes design and engineering skills needed to fully integrate security into VA’s overall business, applications, and IT systems architecture

Privacy

• Policy and legislatively driven requirements for PII and PHI

• Focused on implementing the “Best Practices: Elements of a Federal Privacy Program,” published by the Federal CIO Privacy Committee

Cybersecurity Training and Human Capital

• Hiring practices and skills maturation needed to create a workforce steeped in a culture of cybersecurity to proactively protect all data and information of the Veterans we serve

Enterprise Cybersecurity Strategy Team

• ECST will construct an accountable, actionable, near-, mid-, and long-range cybersecurity strategic plan that continuously considers and adapts to the newest technologies to secure VA’s IT enterprise.

– Identifying and addressing:

  • Strengths
  • Weaknesses
  • Resources
  • Constraints
  • Capabilities
  • Drivers
  • Known and unknown threats

Questions?