INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT Christopher Buse Assistant Commissioner & State CISO...
INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT
Christopher Buse, Assistant Commissioner & State CISO
June 12, 2014
Doomed by Design: Unearthing the Problems with Government Security Programs
AGENDA
• State of the States
• Minnesota Plan
• Q&A
The State of the States
Security significantly underfunded
Diverse security posture between states
Underlying data soft and sometimes unavailable
Fragmented governance
A National Lens
14% CISOs believe that they have executive support
24% CISOs are confident in protecting state assets
86% CISOs cite funding as their key barrier
680% increase in significant threats over past 5 years
By The Numbers
[Chart: State of IT Security: % of budget spent. Bars compare Government Spending with Private Sector Spending on a scale from 0 to 6.]
Most States Only Spend Between 1-2% of the IT Budget on Security
46% CISOs have a documented strategy
30% CISOs plan to develop a written strategy
82% CISOs are responsible for measurement and reporting
8% CISOs attempting to measure program effectiveness
Program Strategy
Authority
Good news: The enterprise CISO position is now firmly entrenched in most states
Bad news: The enterprise CISO position is often one of coordinating cross-agency resources
Limited ability to drive actions across organizational boundaries
Security spend outside the control of the CISO
Pillars of Success
Executive Support
Freedom To Act
Resources
Comprehensive Plan
Is Your State Security Program Doomed by Design?
It’s Not Just Retail …
One of over 2,000 negative headlines on the recent South Carolina breach
“Hackers gain access to 780,000 individual health records”
The Minnesota IT Consolidation Plan
Minnesota: a microcosm of the national scene
Strong executive support
Strategic and tactical plans
Security spend is insufficient
2010 legislative study: State of Minnesota spend is 2% of state budget vs. industry standard investment of 5%
Overall reduction in security spend in FY13
Silos of agency-based IT
Restricted our ability to leverage economies of scale
Hampered our ability to implement enterprise security strategies
What About Us?
Published in April 2014
Describes the desired end state, yet recognizes:
Reaching that end state will take a long-term commitment
We need to use our existing resources better
Outlines a shift in the service delivery model
Establishes centrally delivered services
Creates line of business security teams
Details the breakdown of work between central and line of business teams
Focuses on a subset of services to address first
IT Security Consolidation Plan
The Basic Concept: Consolidated Services
Those services deemed to be enterprise services will be delivered by a centralized security team
We will reorganize security resources into a single management structure that creates consistency and aligns resources
Enterprise Services Delivered to All
Information Security program management
Close-to-Business Security
Even if we consolidate the common security services, we still don’t have the resources for each agency-based office to manage close-to-the-business security services
[Diagram: six line-of-business security clusters, Cluster 1 through Cluster 6]
Our plan is to cluster security teams into “lines of business” to provide close-to-the-business services to groups of agencies with similar business/security requirements … sharing resources, but keeping the specialization where it needs to be
The Basic Concept: Close-to-Business Services
The Basic Concept: Effective allocation of resources
[Diagram: Enterprise Services Delivered to All (Information Security program management) at the top; beneath it, Cluster 1 through Cluster 6, each delivering its own close-to-the-business services]
Staff will be assigned to a cluster or to the enterprise services based on their current work and expertise.
Realigning Work
Physical Security
Endpoint Defense
Boundary Defense
Continuous Vulnerability Management
Information Security Monitoring
Information Security Incident Response and Forensics
Secure System Engineering
Information Security Training and Awareness
Information Security Program Management
Identity and Access Management
Information Security Risk and Compliance
Business Continuity and Disaster Recovery
Close-to-the-business services focus on implementation at the business and application level
Enterprise delivers common functions and tools to all
Single management conserves resources and drives consistency
Lines of Business (agency count in parentheses)
Health (23): Health BDs (17), Health, Human Services, Ombudsman MH/DD, Veterans Affairs, MNsure, Ombudsman Families
Safety (10): Corrections, Public Safety, Transportation, POST BD, Private Detectives BD, Sentencing Guidelines, Racing CM, Uniform Laws CM, Workers Comp Court, Gambling Control
Environment (7): Agriculture, Animal Health BD, Natural Resources, Conservation Corps, Pollution Control, BWSR, MN Zoo
General Government (10): Administration, Campaign Finance, Capital Area Architect BD, Investment BD, MN.IT, MMB, Mediation Services, Administrative Hearings, Governor, Human Rights
Economy (12): Commerce, Commerce BDs (3), AURI, Amateur Sports CM, Combative Sports CM, Explore MN, DEED, Labor & Industry, Public Utilities CM, Revenue
Education (11): Education, Arts BD, Center for Arts Education, High Ed Facilities Authority, MN State Academies, Office of Higher Education, Targeted Councils (5)
A Look Ahead: Industry Trends
[Chart: Does Your Organization Have a Central Security Team? Central Security Team 94%, No Central Security 4%, Creating Central Group 3%]
[Chart: Does Your Organization Have Local Security Groups? Only Central Security 56%, Use Local Security Groups 44%]
Conclusion: MN.IT’s Proposed Model Aligns Well With National Trends
Functional Organization Chart
[Org chart showing the following roles and teams]
Assistant Commissioner & CISO, Information Standards and Risk Management
Assistant Commissioner, Service Delivery
Enterprise Architect
Information Security Oversight Director
Client Computing & Customer Support Director
Infrastructure as a Service Director
Secure Systems Engineering
Governance, Risk, & Compliance
Endpoint Defense
Border Defense
Business Continuity
Vulnerability Management
Identity and Access Management
Physical Security
Information Security Incident Response Team
Health LOB Service Delivery Team
Safety LOB Service Delivery Team
Environment LOB Service Delivery Team
General Govt LOB Service Delivery Team
Economic LOB Service Delivery Team
Education LOB Service Delivery Team
Service Delivery Methodology
Detailed Service Deliverable | Future Level of Effort, Central Team | Future Level of Effort, LOB Team | Service Delivery Method
Information Security Program Management | Significant | Minimal | Primarily Centralized
Information Security Monitoring | Significant | Minimal | Primarily Centralized
Information Security Incident Response and Forensics | Significant | Minimal | Primarily Centralized
Continuous Vulnerability Management | Significant | Minimal | Primarily Centralized
Boundary Defense | Significant | Minimal | Primarily Centralized
Endpoint Defense | Significant | Minimal | Primarily Centralized
Secure Systems Engineering | Significant | Moderate | Central Direction / Hybrid Delivery
Information Security Training and Awareness | Significant | Significant | Central Direction / Hybrid Delivery
Business Continuity | Significant | Significant | Central Direction / Hybrid Delivery
Information Security Risk and Compliance | Significant | Moderate | Central Direction / Hybrid Delivery
Identity and Access Management | Significant | Significant | Central Direction / Hybrid Delivery
Physical Security | Significant | Moderate | Central Direction / Hybrid Delivery
Selected through planning team consensus
Represent highest payback from a risk perspective
Plan focuses on rollout of priority services first
Plan does not include all service delivery details
Priority Services
• Secure Systems Engineering
• Continuous Vulnerability Management
• Information Security Program Management
• Boundary Defense
• Information Security Monitoring
MN.IT can provide a full suite of security services to all customers
Cost to the customer far less than ramping up alone
Better service, as expertise is shared
More agile service: getting the experts when and where they need to be
More job opportunities and specialization skills for employees
Will it be perfect? Priorities will still have to be set, but they will be done at an enterprise level
No agency can “opt out” of security
IT Security Consolidation: Value Proposition
Customers
Existing resources used as efficiently and effectively as possible
Consistent security practices
Metrics to understand security posture
MN.IT Services
More specialization and deeper bench strength
Clear priorities for the enterprise
Reduction in single points of failure
More career opportunities for staff
Better understanding of our risk posture
Beneficiaries
Auditing applications is easy and safe
Policymakers may be better served by an assessment of your state security program foundation:
Executive support
Freedom to act
Funding
Comprehensive plans
Final Thoughts