Government Technology Conference – Southwest
51 slides

Transcript of Government Technology Conference – Southwest

Page 1: Government Technology Conference – Southwest (media.govtech.net/GOVTECH_WEBSITE/EVENTS/PRESENTATION...)

Government Technology Conference – Southwest, June 13, 2011

Implementing an Information Security Program

William Tompkins, Information Security Officer
Chris Cutler, Director, Network Infrastructure & Support Section

Teacher Retirement System of Texas

Page 2: William Tompkins

William Tompkins is the Information Security Officer at Teacher Retirement System of Texas. He has more than 27 years of technical, managerial and consulting experience in information technology and more than 17 years in information security. Over the past 25 years he has developed and implemented information security programs in multiple state agencies and within the Univ. of Texas HSC at San Antonio. He is internationally recognized as a leader in information technology security.

William was elected to the ISSA Hall of Fame in 2006 by the ISSA International Board of Directors (Information Systems Security Association). He is a Certified Information Systems Security Professional and a Certified Business Continuity Professional.

Mr. Tompkins holds two Bachelor of Science degrees, Psychology and Computer Information Science, from Troy State University in Alabama and Certification in Risk Management from University of Texas at Austin Division of Continuing Education.

Implementing an Information Security Program, 6/13/2011

Page 3: Chris Cutler

Chris has over 22 years of experience in State Government, including 19 years in Information Technology Management. He has worked for the Teacher Retirement System of Texas (TRS) since January 1994 and currently holds the position of Director of Network Infrastructure & Support. In this position, he manages teams that are responsible for all phases of network and systems management including LAN/WAN systems, server/desktop computing, enterprise client/server applications, IT service desk, site support and telecommunications.

Chris holds an M.B.A. in Management Information Systems from St. Edward's University and a B.B.A. in Computer Information Systems and Business Management from McMurry University. Technical certifications include Novell Master CNE, Microsoft MCSE and ITIL v3 Foundations.

Page 4: Agenda

Governance
Risk Program
Data Classification
Controls
Education
Availability
Physical
Incident Response

Architecture & Infrastructure
Network Security Architecture
Remote Access
IT Systems Management (ITIL)
Change management
Logging, monitoring, metrics
Penetration testing

Emerging Trends
Virtualization
Web Application IDS
Personal / Remote Devices
Social Media

Page 5: Excerpt from Federal Sentencing Guidelines

“An effective compliance program means a program that has been reasonably designed, implemented and enforced so that it generally will be effective in preventing and detecting criminal conduct. Failure to prevent or detect the instant offense, by itself, does not mean that the program was not effective. The hallmark of an effective program is that the organization exercises due diligence in seeking to prevent and detect criminal conduct by its employees and other agents.”

Page 6: Governance

Mission
Goals
Policy
Guidelines
Standards
Procedures

Page 7: Governance – Core Team

• Composition
  – Organization-wide representation (as much as possible)
• Tasks
  – Data classification [ Owners ! ]
  – Documentation (Security Policy/Manual)
  – Education

Page 8: Risk Management Program

• Establish Information Risk Management Policy
  – Document roles & responsibilities
• Identify and measure risks
  – Project sizing (scope, constraints)
  – Threat analysis
  – Asset identification and valuation
  – Vulnerability analysis (identification of all vulnerabilities that could increase frequency or impact of threat)
  – Risk evaluation

Page 9: Risk Program (continued)

• Establish Risk Acceptance criteria.
• Mitigate risk.
  – Safeguard selection and mitigation analysis:
    • Evaluate safeguards and the degree to which they mitigate the risk
  – Cost benefit analysis
• Monitor information risk management performance.
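The two risk slides above describe a measure, accept-or-mitigate, select-by-cost-benefit loop. The following is an added worked example of that loop in Python, not code from the TRS presentation: it values risk as annualized loss expectancy (asset value × exposure factor × annual rate of occurrence), applies an assumed dollar acceptance threshold, and picks the safeguard with the best net benefit. The register entries, safeguards, costs and the $30,000 threshold are constructed illustrations.

```python
"""Quantitative risk evaluation with safeguard cost-benefit analysis.

Added example; it is not code from the TRS presentation. The asset values,
threat frequencies and safeguard costs are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float       # dollars, from asset identification and valuation
    exposure_factor: float   # fraction of the asset lost per occurrence (0..1)
    aro: float               # annualized rate of occurrence, from threat analysis

    @property
    def sle(self) -> float:
        """Single loss expectancy: dollars lost in one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # dollars per year to run the control
    aro_reduction: float = 0.0  # fraction by which it lowers occurrence rate
    ef_reduction: float = 0.0   # fraction by which it lowers loss per occurrence

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains with this safeguard in place."""
        return Risk(risk.asset, risk.threat, risk.asset_value,
                    risk.exposure_factor * (1.0 - self.ef_reduction),
                    risk.aro * (1.0 - self.aro_reduction))

    def net_benefit(self, risk: Risk) -> float:
        """Cost-benefit analysis: ALE avoided minus what the safeguard costs."""
        return risk.ale - self.residual(risk).ale - self.annual_cost


def evaluate(risk: Risk, candidates: list[Safeguard], acceptance_ale: float) -> dict:
    """Apply the risk acceptance criterion (ALE at or below a dollar threshold)
    and, if the risk is above it, select the safeguard with the best net benefit."""
    if risk.ale <= acceptance_ale:
        return {"decision": "accept", "safeguard": None, "residual_ale": risk.ale}
    best = max(candidates, key=lambda s: s.net_benefit(risk), default=None)
    if best is None or best.net_benefit(risk) <= 0:
        # No safeguard pays for itself: escalate for formal acceptance or transfer
        return {"decision": "escalate", "safeguard": None, "residual_ale": risk.ale}
    residual_ale = best.residual(risk).ale
    decision = "mitigate" if residual_ale <= acceptance_ale else "mitigate_and_escalate"
    return {"decision": decision, "safeguard": best.name, "residual_ale": residual_ale}


# Constructed risk register entries (not real TRS figures).
REGISTER = [
    Risk("member database", "ransomware", asset_value=2_000_000, exposure_factor=0.3, aro=0.2),
    Risk("lobby kiosk", "theft", asset_value=1_500, exposure_factor=1.0, aro=0.1),
]
CANDIDATES = [
    Safeguard("offline backups", annual_cost=40_000, ef_reduction=0.8),
    Safeguard("mail attachment filtering", annual_cost=15_000, aro_reduction=0.5),
]
ACCEPTANCE_ALE = 30_000   # assumed policy threshold: accept risks costing <= $30k/year


def run_register(register=REGISTER, candidates=CANDIDATES, threshold=ACCEPTANCE_ALE) -> list[dict]:
    """Evaluate every register entry; this is the monitoring report."""
    return [{"asset": r.asset, "threat": r.threat, "ale": r.ale, **evaluate(r, candidates, threshold)}
            for r in register]


if __name__ == "__main__":
    for row in run_register():
        print(f"{row['asset']:16} {row['threat']:10} ALE=${row['ale']:>10,.0f} "
              f"-> {row['decision']} ({row['safeguard']}) residual=${row['residual_ale']:,.0f}")
```

The point the numbers make: mail filtering halves the occurrence rate but offline backups cut the loss per occurrence by more, so backups win on net benefit even though they cost more, and only because their residual ALE falls under the threshold is the decision "mitigate" rather than "mitigate and escalate".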

Page 10: Data Classification

Page 11: What Does Classification Enable?

• Organization's processes to:
  – Secure information as needed
    • Confidential, PII, PHI
  – Retain and manage needed data
  – Dispose of data with authority and without risk
  – Identify and preserve data in crises
  – Access for operations and produce data for legal and auditing

Page 12: Classification Criteria

• Value - Classify information that is valuable to an organization or its competitors.
• Age - Classification is lowered if information's value decreases on a specific date. Ex: press release.
• Useful Life - Classification is lowered if information becomes obsolete due to new information or changes that evolve over time, usually years. Ex: product specs
• Personal Association - Information may be associated with specific individuals or addressed by privacy law.
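The four criteria on this slide, together with the handling requirements slide 11 says classification enables, can be written as an explicit rule set. The Python below is an added example, not code from the presentation: it applies value, age, useful life and personal association in the order a data owner would, and maps the resulting level to the controls that follow from it. The three-level scheme (PUBLIC, INTERNAL, CONFIDENTIAL), the control mapping and the sample records are constructed assumptions.

```python
"""Rule-based data classification from the four criteria on the slide
(value, age, useful life, personal association) and the handling each level
requires. Added example; not part of the presentation. The three-level
scheme, the control mapping and the sample records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL"]   # assumed scheme, lowest to highest

# What classification enables: the controls each level demands (assumed mapping)
HANDLING = {
    "CONFIDENTIAL": ["encrypt in transit and at rest", "owner-approved access list",
                     "audit log access", "retain per schedule, then wipe/shred"],
    "INTERNAL": ["authenticated access only", "retain per schedule, then delete"],
    "PUBLIC": ["no access restriction", "delete when superseded"],
}


@dataclass
class Record:
    name: str
    business_value: str                   # owner's rating: "high", "medium" or "low"
    contains_pii: bool = False            # personal association / privacy law
    contains_phi: bool = False
    release_date: date | None = None      # age: value drops on this date (e.g. press release)
    created: date | None = None
    useful_life_years: int | None = None  # useful life: obsolete after this long


def classify(rec: Record, today: date) -> tuple[str, list[str]]:
    """Return (level, reasons). Privacy obligations are never lowered by age
    or useful life, which is why personal association is checked first."""
    reasons: list[str] = []
    if rec.contains_pii or rec.contains_phi:
        reasons.append("personal association: PII/PHI covered by privacy law")
        return "CONFIDENTIAL", reasons

    level = {"high": "CONFIDENTIAL", "medium": "INTERNAL", "low": "PUBLIC"}[rec.business_value]
    reasons.append(f"value: {rec.business_value}")

    if rec.release_date is not None and today >= rec.release_date:
        reasons.append(f"age: released on {rec.release_date}, now public")
        return "PUBLIC", reasons

    if rec.created is not None and rec.useful_life_years is not None:
        # 365-day years are close enough for a multi-year useful life
        expiry = rec.created + timedelta(days=365 * rec.useful_life_years)
        if today >= expiry and level != "PUBLIC":
            level = LEVELS[LEVELS.index(level) - 1]
            reasons.append(f"useful life: obsolete since {expiry}, lowered one level")
    return level, reasons


def required_controls(level: str) -> list[str]:
    """The handling that the classification level obliges."""
    return HANDLING[level]


# Constructed sample records
SAMPLES = [
    Record("member benefit records", "medium", contains_pii=True),
    Record("quarterly press release", "high", release_date=date(2011, 6, 1)),
    Record("2005 product specs", "medium", created=date(2005, 1, 1), useful_life_years=5),
]

if __name__ == "__main__":
    today = date(2011, 6, 13)
    for rec in SAMPLES:
        level, why = classify(rec, today)
        print(f"{rec.name:28} {level:13} {'; '.join(why)}")
        print(f"{'':28} controls: {', '.join(required_controls(level))}")
```

Re-running the same records with a different `today` is the check worth keeping: the press release is CONFIDENTIAL before its release date and PUBLIC after it, while the member records stay CONFIDENTIAL no matter how old they get.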

Page 13: Controls

Page 14: Controls

• Technical
  – O/S and application controls
  – Firewall, router, mail filters
  – Audit logs
• Administrative
  – Document unit processes
  – Walkthroughs
  – Enforcement

Page 15: Malware

• Malware is malicious software that is installed without the user's knowledge. It includes:
  – viruses
  – worms
  – trojans
• disrupts operation
• steals information
• self-propagates
• in some cases it destroys data

Page 16: Countermeasures to Malware

• Keep your PC updated.
  – Visit Microsoft Update or turn on Automatic Updates.
• Use an Internet firewall (IPS & IDS)
• Subscribe to industry standard antivirus software and keep it current.
• User education !
  – Never open an e-mail attachment from someone you don't know.
  – Avoid opening an e-mail attachment from someone you know, unless you know exactly what the attachment is. The sender may be unaware that it contains a virus.

Source: http://www.microsoft.com/athome/security/viruses/default.mspx
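User education is the last line of defense on this slide; the mail filter listed among the technical controls on slide 14 is the one in front of it. The Python below is an added example of the attachment-screening logic such a filter applies, not code from the presentation or any product. It blocks directly executable types (which also catches double extensions such as invoice.pdf.exe), refuses filenames carrying a right-to-left override character that disguises the real extension, and quarantines macro-enabled documents and archives from outside senders. The extension lists, the internal mail domain trs.example and the sample messages are constructed assumptions.

```python
"""Attachment screening for the mail filter layer: the technical control that
backs the "never open an unexpected attachment" advice. Added example, not
from the presentation. The extension policy, the internal domain and the
sample messages are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

INTERNAL_DOMAIN = "trs.example"   # assumed; replace with the real mail domain

# Assumed policy lists
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js",
                  "jse", "wsf", "wsh", "hta", "cpl", "msi", "jar", "lnk", "ps1"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xlam"}
ARCHIVE_EXT = {"zip", "rar", "7z", "cab", "iso"}
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}
BIDI_OVERRIDE = "\u202e"   # right-to-left override: "x\u202efdp.exe" displays as "xexe.pdf"


@dataclass
class Message:
    sender: str
    attachments: list[str]

    @property
    def external(self) -> bool:
        return not self.sender.lower().endswith("@" + INTERNAL_DOMAIN)


def screen_attachment(filename: str, external: bool) -> tuple[str, str]:
    """Return (verdict, reason) for one attachment name."""
    if BIDI_OVERRIDE in filename:
        return "block", "bidirectional override character hides the real extension"
    parts = filename.lower().strip().split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    ext = parts[-1].strip()
    if ext in EXECUTABLE_EXT:
        # Also catches double extensions such as invoice.pdf.exe
        return "block", f"executable type .{ext}"
    if ext in MACRO_EXT:
        origin = "external" if external else "internal"
        return ("quarantine" if external else "allow",
                f"macro-enabled document .{ext} from {origin} sender")
    if ext in ARCHIVE_EXT:
        return "quarantine", f"archive .{ext} held for content scanning"
    return "allow", f".{ext} permitted"


def screen_message(msg: Message) -> tuple[str, list[tuple[str, str, str]]]:
    """Screen every attachment; the message verdict is the most severe one."""
    results = [(name, *screen_attachment(name, msg.external)) for name in msg.attachments]
    verdict = max((r[1] for r in results), key=SEVERITY.get, default="allow")
    return verdict, results


# Constructed sample messages
SAMPLE_MESSAGES = [
    Message("vendor@mail.example.net", ["invoice.pdf.exe"]),
    Message("hr@trs.example", ["benefits_summary.pdf", "open_enrollment.xlsm"]),
    Message("unknown@free-mail.example", ["report\u202efdp.exe"]),
    Message("auditor@audit.example.com", ["workpapers.zip", "findings.docx"]),
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, results = screen_message(msg)
        print(f"{verdict:10} from {msg.sender}")
        for name, v, reason in results:
            print(f"    {v:10} {name!r}: {reason}")
```

Note that the verdict depends on sender origin only for macro documents; an executable is blocked regardless of who sent it, because the slide's own caveat applies: the sender may not know the attachment is malicious.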

Page 17: Email, Internet & Social Media

• Email for official correspondence
  – Standardized “Subject:” line?
  – Standardized content?
  – Delivery confirmation?
  – Read confirmation?
• Email for personal correspondence
• Prohibited use?

Page 18: Email, Internet & Social Media

• Internet for official business
  – Access to other businesses (insurance, investments)
  – Access to other state (government) agencies
• Prohibited use?

Page 19: Education

Page 20: Documentation / Education

• Policy
• Security Manual
• Procedures

Page 21: Security Manual

• Reflects organization's applicable laws and regulations
• Guidelines
• Standards
• Few procedures
• Define responsibilities

Page 22: Recurring education

Security related education:
• New employees
• Current employees
• Transfers and Temps (e.g., help during “busy season”)

Page 23: Recurring education – New Employees

• Human Resources
• Manager/Team Leader
• Information Security Officer
• BC / DR Coordinator

Page 24: Availability

Page 25: Goals (Availability)

• Business Continuity Planning - minimize loss resulting from inadequate or failed internal processes, people, and systems
• Disaster Recovery Planning - minimize effects of a disaster on organization technical operations and to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner

Page 26: Phases (Availability)

• Scope and Plan Initiation
• Business Impact Assessment
  – The purpose of the Business Impact Analysis project is to provide the Senior Management Team with the information to make a sound business decision in the development of pragmatic disaster recovery strategies
• Plan Development
• Plan Approval and Implementation

Page 27: Physical Security

Page 28: Physical Security

• Is often the ‘face’ of your organization to visitors
• A foundation for any information protection program
• Access controls should match those of the information security program
  – Identification
  – Authentication
  – Access Control

Page 29: Physical Security

• Offices
• Laptops
• Blackberrys
• USB (‘flash’ drives, thumb drives)

Page 30: Incident Response / Management

• Forming team
• Documenting
  – Procedures
  – Responsibilities
• Call List . . .

Page 31: Architecture & Infrastructure

Page 32: Network Security Architecture

Page 33: Seven Layers of Defense

Layer 1: Outside Router
Layer 2: Firewall & Web IDS
Layer 3: SPAM & Content Filtering
Layer 4: Email Malware Scanning
Layer 5: Server Malware Protection
Layer 6: PC Malware Protection
Layer 7: Security Awareness

Page 34: Virtual Private Networks (VPN)

• Provide a secure path to a system not attached to your network.
• Need to extend appropriate controls to those systems.
• Requires good authentication system.
• Use approved (FIPS 140) devices and software to encrypt your data.
• Can provide secure road-warrior or remote site connectivity.

Page 35: Remote Access

Page 36: Secure File Transfers

• Inventory all file transfers inside and outside the organization
• Ensure end-to-end encryption of sensitive / confidential information
• Standardize and centralize processes
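Once the inventory on this slide exists, the second and third bullets become mechanical checks over it. The Python below is an added example of that audit, not code from the presentation: each inventory row records the protocol, the data classification, whether the transfer crosses the organization boundary, whether the file itself is encrypted before it is sent, and whether it runs on the centralized transfer process. The protocol lists (which treat SMTP as hop-by-hop rather than end-to-end), the severity scale and the inventory rows are constructed assumptions.

```python
"""Audit a file-transfer inventory for end-to-end encryption gaps and ad-hoc
(non-centralized) jobs. Added example, not from the presentation; the
protocol lists, severities and inventory rows are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumed: transport protocols that encrypt the whole hop between the two endpoints
ENCRYPTED_TRANSPORT = {"sftp", "scp", "ftps", "https", "as2"}
# Assumed: cleartext, or encrypted only hop-by-hop (SMTP TLS is opportunistic and ends at each relay)
CLEARTEXT_TRANSPORT = {"ftp", "http", "tftp", "smb", "nfs", "smtp"}


@dataclass
class Transfer:
    name: str
    source: str
    destination: str
    protocol: str
    classification: str               # PUBLIC, INTERNAL or CONFIDENTIAL
    external: bool                    # crosses the organization boundary
    payload_encrypted: bool = False   # file itself encrypted (e.g. PGP) before transfer
    centralized: bool = True          # runs on the managed transfer platform, not an ad-hoc script


def audit_transfer(t: Transfer) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means the transfer passes."""
    findings: list[tuple[str, str]] = []
    proto = t.protocol.lower()
    confidential = t.classification.upper() == "CONFIDENTIAL"
    if proto not in ENCRYPTED_TRANSPORT | CLEARTEXT_TRANSPORT:
        findings.append(("medium", f"unrecognised protocol {proto!r}: verify encryption manually"))
    elif proto in CLEARTEXT_TRANSPORT and confidential and not t.payload_encrypted:
        # Worse when the unprotected hop leaves the organization's own network
        findings.append(("high" if t.external else "medium",
                         f"confidential data over cleartext or hop-by-hop {proto} with no payload encryption"))
    if not t.centralized:
        findings.append(("low", "ad-hoc transfer outside the centralized process"))
    return findings


def audit_inventory(inventory: list[Transfer]) -> dict[str, list[tuple[str, str]]]:
    """Map transfer name -> findings, only for transfers that have any."""
    return {t.name: f for t in inventory if (f := audit_transfer(t))}


def summarize(results: dict[str, list[tuple[str, str]]]) -> dict[str, int]:
    """Finding counts by severity, the number that goes on the metrics report."""
    return dict(Counter(sev for findings in results.values() for sev, _ in findings))


# Constructed inventory rows
INVENTORY = [
    Transfer("payroll to bank", "hr-app", "bank.example.com", "ftp", "CONFIDENTIAL", external=True),
    Transfer("actuarial extract", "db01", "actuary.example.net", "sftp", "CONFIDENTIAL",
             external=True, payload_encrypted=True),
    Transfer("public forms", "web02", "cdn.example.com", "http", "PUBLIC", external=True),
    Transfer("benefit statements", "print-srv", "mailroom-pc", "smb", "CONFIDENTIAL",
             external=False, centralized=False),
    Transfer("legacy feed", "mainframe", "fs01", "custom-tcp", "INTERNAL", external=False),
]

if __name__ == "__main__":
    results = audit_inventory(INVENTORY)
    for name, findings in results.items():
        for severity, text in findings:
            print(f"{severity:6} {name}: {text}")
    print(summarize(results))
```

The "unrecognised protocol" finding is deliberate: an inventory entry the audit cannot classify is a gap in the inventory, not a pass.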

Page 37: ITIL – IT Systems Management

Page 38: ITIL – IT Systems Management

Page 39: Change Management

Formal Authorization of any Changes
• Evaluate business drivers of proposed change
• Verification of technical correctness
• Validate changes and test impact
• Documents all changes
• Prevents self-sabotage of security infrastructure
• Links to COOP and business continuity plans to keep them up to date
• Enables an organization to survive a compromised system or security administrator

Page 40: Logging, Monitoring, Metrics

• [logging] Consistently gathered, preferably in an automated way
• [monitoring] Consistently measured, without subjective criteria

Metrics
• Expressed as a cardinal number or percentage, not with qualitative labels like “high”, “medium” or “low”
• Expressed using at least one unit of measure, such as “defects”, “hours” or “dollars”
• Ideally: Contextually specific, relevant enough to decision-makers so that they can take action
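The three metric properties on this slide (a number, a unit, and context someone can act on) are easiest to see in code that produces them from raw logs. The Python below is an added example, not code from the presentation: it derives a failed-login metric from a constructed sshd log excerpt and an antivirus signature-currency metric (the layer 5 and 6 controls from the Seven Layers slide) from a constructed per-host table. The log lines, host names, signature dates and the two-day staleness threshold are all constructed assumptions; the addresses are from documentation ranges.

```python
"""Two security metrics computed from constructed inputs, each reported as a
number with a unit and the context a decision-maker needs. Added example;
not from the presentation. The log lines and the antivirus status table
are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import date

# Constructed sshd log excerpt (syslog format); addresses are documentation ranges
AUTH_LOG = """\
Jun 13 08:01:12 fs01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 13 08:01:15 fs01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jun 13 08:02:40 fs01 sshd[2240]: Accepted publickey for jdoe from 10.0.5.21 port 40111 ssh2
Jun 13 09:14:03 web02 sshd[771]: Failed password for root from 198.51.100.9 port 33321 ssh2
Jun 13 09:15:44 web02 sshd[780]: Failed password for root from 198.51.100.9 port 33329 ssh2
Jun 13 09:16:02 web02 sshd[782]: Failed password for root from 198.51.100.9 port 33330 ssh2
Jun 13 10:30:00 db01 sshd[1502]: Accepted password for dba from 10.0.5.40 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Constructed antivirus signature dates per host (what the AV console would report)
AV_SIGNATURE_DATE = {
    "fs01": date(2011, 6, 12),
    "web02": date(2011, 6, 13),
    "db01": date(2011, 6, 1),
    "pc-114": date(2011, 6, 11),
}


def metric(name: str, value: float, unit: str, **context) -> dict:
    """A metric is a number plus a unit plus enough context to act on it."""
    return {"name": name, "value": value, "unit": unit, **context}


def failed_logins(log: str) -> list[dict]:
    """Parse only the failed-password lines; everything else is ignored."""
    return [m.groupdict() for m in map(FAILED_RE.match, log.splitlines()) if m]


def failed_login_metric(log: str, window_hours: float) -> dict:
    events = failed_logins(log)
    by_host = Counter(e["host"] for e in events)
    by_src = Counter(e["src"] for e in events)
    top_src, top_count = by_src.most_common(1)[0] if by_src else (None, 0)
    return metric("failed SSH logins", len(events), "failed logins",
                  window_hours=window_hours,
                  rate_per_hour=round(len(events) / window_hours, 2),
                  by_host=dict(by_host), top_source=top_src, top_source_count=top_count)


def signature_currency_metric(sig_dates: dict[str, date], today: date, max_age_days: int = 2) -> dict:
    """Percentage of hosts whose signatures are no older than max_age_days,
    plus the list of hosts that drag the number down."""
    stale = sorted(h for h, d in sig_dates.items() if (today - d).days > max_age_days)
    current_pct = 100.0 * (len(sig_dates) - len(stale)) / len(sig_dates)
    return metric("antivirus signature currency", current_pct, "percent of hosts",
                  threshold_days=max_age_days, stale_hosts=stale, host_count=len(sig_dates))


if __name__ == "__main__":
    for m in (failed_login_metric(AUTH_LOG, window_hours=24),
              signature_currency_metric(AV_SIGNATURE_DATE, date(2011, 6, 13))):
        print(f"{m['name']}: {m['value']} {m['unit']}")
        for k, v in m.items():
            if k not in ("name", "value", "unit"):
                print(f"    {k}: {v}")
```

The context fields are what make these actionable in the slide's sense: "75 percent of hosts current" tells a manager the state, while `stale_hosts=['db01']` tells the administrator what to fix.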

Page 41: Security Penetration Testing

• Test every 1-2 years
• Change security vendors often
• Put special focus areas in each test
• Don't forget about testing internally
• Test web applications

Page 42: Trends: Personal \ Remote Devices

Page 43: Trends: Virtualization

Page 44: Trends: Virtualization

• Apply all your standard security policies to your virtual server environment
• Compensate for immature virtual configuration and monitoring tools
• Track and destroy your VMs like you do your server images
• Keep hypervisor patched and updated

Source: Forrester

Page 45: Trends: Web Application Security

• Consider adding a Web Application Firewall (WAF)
• Vulnerable Web Applications are the No. 1 attack vector today (Forrester)
• Compliance mandates (e.g. PCI DSS)
• Protects all web applications without additional coding
• Can help with Web performance and optimization

Page 46: Trends: Social Media

Page 47: Use of Social Networking sites

• Do not click on banner ads.
• Be vigilant for other attacks, such as bogus update notices.
• Strong and regularly changed passwords are a must.
• Social media passwords should be different from those used to access internal organization's networks and services.

Page 48: Productivity & Internet Abuse

• 64% of employees say they use the Internet for personal interest during working hours
• 37% of workers say they surf the Web constantly at work

Data sources include: U.S. Department of Commerce, Economics and Statistics Administration, National Telecommunications and Information Administration; Greenfield and Rivet, Employee computer abuse statistics

Page 49: Contact

william.tompkins@trs.state.tx.us
chris.cutler@trs.state.tx.us
