Security Fabric Strategy Road Map - PowerPoint PPT Presentation

Provided by: benberry

Transcript and Presenter's Notes

1
Security Fabric Strategy Road Map
  • Transformation of ODOT Business via Enterprise
    Security Bills, Policies, IT Initiatives
  • Presented to CIO Management Council on September
    14, 2007

Ben Berry, Chief Information Officer, ISB
Lisa Martinez, Business Services Manager, SSB
Peter van den Berg, Deputy Chief Information Officer, ISB
2
Overview of Bills, Policies and Initiatives
  • DAS 107-004-050 Information Asset Classification
    Policy
  • DAS 107-004-051 Controlling Portable and
    Removable Storage Devices
  • DAS 107-004-052 Information Security
  • DAS 107-004-053 Employee Security
  • DAS 107-004-100 Transporting Confidential
    Information
  • DAS Statewide Policy 1.3, Acceptable Use of
    Information Related Technology
  • Senate Bill 583, 2007 Legislative Session (ID
    Theft)
  • Various ODOT Security related policies
  • ODOT ADM 05-08-01 Acceptable Use Policy
  • ODOT ADM 04-20 Information Security
  • ODOT Information Security Guidelines
  • Administrative Criminal Background Checks Rules
  • Business Continuity Planning
  • Enterprise Content Management
  • Identity and Access Management (TIM/TAM)
  • Payment Card Industry (PCI) Compliance

3
Resource Work Collaboration Team
Enterprise Security Policies Initiative Resource
Work Collaboration (organization chart)
  • Matt Garrett, Agency Director
    (Delegated Authority)
  • Ben Berry, Agency CIO
  • Lisa Martinez (Business)
  • Peter van den Berg (Information Systems)
  • Ryan DSouza, Project Manager
  • Other Lines of Business: DMV, IS, Highway,
    Motor Carrier
  • Keith Nardi, Deb Frazier, Ric Listella
  • Information Security Unit (Karina Stewart)
  • Technology Management (Virginia Alster)
  • FileNet Program (Ron Winterrowd/Lisa Martinez)
  • Communications Plan (Team)
4
Why a Security Fabric?
Legacy of Point to Point Services
  • COMPREHENSIVE. Securing each of our Point-to-Point
    information services individually is much more
    difficult to maintain; a security fabric covers
    them all.
  • INVISIBLE BUSINESS PROCESSES. Lots of business
    processes are invisible because staff do
    processes that are not necessarily written down.
  • LEVERAGE ACROSS AGENCY and ENTERPRISE. A
    security fabric is meant to leverage secure
    practices across multiple organizational
    functions and business units.

5
What is a Security Fabric?
  • A Security Fabric is a services-driven design
    approach that integrates business and security
    strategies to provide a Common Holistic Approach
    to Security Compliance and that leverages
    existing and new security policy functionality
    across agency business lines.
  • The strategy of a Security Fabric includes:
    - Integration with elements of each of the
      security policies, where applicable.
    - Providing security through the sharing and reuse
      of security services and processes across the
      agency and/or enterprise.
    - Streamlining secure practices across existing
      business processes for greater efficiency and
      productivity.
  • The approach for a Security Fabric:
    - Leverage existing business practices, IT
      investments and standard operating processes.
    - Adopt Community of Practice templates for the
      Information Asset Classification Policy to
      ensure compliance with classifying data -- Data
      Classification Levels 1, 2, 3 and 4 for Labeling,
      Handling, Storage, Retention and
      Disposal/Destruction.
    - Standards allow security processes to be
      designed for reuse.
    - Components that can be used over and over again
      among different lines of business. Example:
      Active Directory Group Policies or other
      physical standard security practices.
    - Use of standardized procedures, interfaces and
      standard data classification adherence.

6
Security Vision and Strategy
Holistic and Comprehensive Approach organized around
Lines of Business, Not a Silo Approach
  • Enterprise Security Domains: Define the statewide
    security policies, bills and initiatives that are
    within the scope of the change.
  • Agency Policies and Practices: Define the ODOT
    internal policies and practices impacted by the
    Security Fabric effort.
    - Payment Card Industry - PCI
    - Identity and Access Management
    - Enterprise Content Management
    - Admin Criminal Background
    - ODOT Info. Security Guideline
    - ODOT Acceptable Use Pol.
    - ODOT Information Security Pol.
  • Agency Service Domains: Define the ODOT Lines of
    Business services necessary to support execution
    of the Security Fabric (cuts across multiple
    domains).
    - Highway Transportation
    - Motor Carrier
    - DMV
    - Rail and Others
7
Key Business Drivers, Challenges and Impact
8
Security Fabric Strategy Map
Agency Lines of Business
In Future Implementation State, Gaps Exist That
Will Need to be Filled
Policy / Procedure / Practice / Initiative
  • DAS 107-004-050 Information Asset Classification 
  • DAS 107-004-051 Controlling Portable and
    Removable Storage Devices 
  • DAS 107-004-052 Information Security 
  • DAS 107-004-053 Employee Security
  • DAS 107-004-100 Transporting Information Assets
  • SB 583 Enrolled, 2007 Legislative Session, Oregon
    Consumer Theft Protection Act

Strategy map columns: Agency Policy Current State |
DAS Policy Current State | Future State Requirements |
GAP Analysis | Senate Bill 583 Gap Analysis
9
Common Security Policy Services
Inputs -> Plan (CoP)
  • BUSINESS PERSPECTIVE. Promotes a business
    perspective around potential secured shared
    services.
  • EFFICIENT. Drives efficiencies and reuse across
    the Agency.
  • BEST PRACTICES. The Common Security Practice
    Framework will be refined based on lessons
    learned from initial security service deployments.

Define, Design, Build, Deploy -> Maintain
Common Security Policy Framework
Business Services
Outputs:
  • Generate Secure Customer Service
  • Generate Secure Cross Agency Response
10
Security Fabric Framework Based Upon 3 Core Areas:
Holistic Security Practices; Platforms, Templates and
Toolsets; and Security Governance
  • Holistic Security Practices: Business unit from
    broad based Practices and Procedures
    - Agency Business Functional Services
    - Agency Application Services: Application
      integration / shared services (FileNet, others)
    - Security Services
    - Information
  • Security Governance
  • Platforms, Templates and Toolset
    - Agency-wide utility functions and solutions
      (Active Directory, TIM/TAM, Encryption)
    - Agency Infrastructure Services: Enabling
      Security Technology (Middleware, physical tools
      and devices)
Current Activities
  • There are different types of line of business
    services that need protection, both Agency and
    Enterprise focused.
  • All require agency governance for an initial and
    ongoing sustainable Security Fabric presence.
  • ODOT is engaged in a multi-variant approach to
    focus on those areas that provide the highest
    level of security, from easy to hard to implement.
    Given each policy's target timeline, high value
    security responses will be addressed first!

11
As Our Security Fabric Strategy Matures We Will
Transition From Opportunistic and Project Level
to Enterprise Level Security Policy and Practice
Chart axes: Scope / Integration (Low to High) against
Time / Maturity (Low to High), from Opportunistic to
Enterprise.
Items plotted, in order from the Enterprise / High end
toward the Opportunistic / Low end:
  • ISBRA
  • Security TIM/TAM Identity Management
  • Digital Signatures
  • Info Asset L1
  • Info Asset L2
  • SB 583
  • Active Directory Group Policies
  • Employee Security Policy
  • Controlling Removable Storage Devices
  • Info Asset Classification Level 4
  • Info Asset Classification Level 3
  • Transporting Info Assets
  • Acceptable Use Policy
  • Information Security Policy
12
Action Items and Implementation Dates
Timeline (relative to Today):
  • June 27, 2007: DAS 107-004-100 Effective
  • October 1, 2007: SB 583 (except Section 12)
    Effective
  • January 1, 2008: SB 583 Section 12 Effective
  • January 31, 2008: DAS 107-004-053 Effective
  • July 1, 2008: DAS 107-004-050 Level 4, Critical
    Effective
  • July 30, 2008: DAS 107-004-051 Effective
  • January 1, 2009: DAS 107-004-050 Level 3,
    Restricted Effective
  • July 1, 2009: DAS 107-004-050 Level 2, Limited
    Effective
  • July 30, 2009: DAS 107-004-052 Effective
  • Legend
  • DAS 107-004-050 Information Asset Classification 
  • DAS 107-004-051 Controlling Portable and
    Removable Storage Devices 
  • DAS 107-004-052 Information Security 
  • DAS 107-004-053 Employee Security
  • DAS 107-004-100 Transporting Information Assets
  • SB 583 Enrolled, 2007 Legislative Session, Oregon
    Consumer Theft Protection Act

13
Sustainable Security Practice Identification and
Deployment Requires a Broad Based Security Policy
Governance Process
Starts with DAS Security Policies and SB 583
Business Process Requirements
  • Impacts to people, process and technology
  • Security services are delivered through Agency
    initiatives or projects
  • Security life cycle processes are supported by
    both Business and Information services
  • Development of security policy response is guided
    by a multi-unit team (Resource Work Collaboration
    Team)
  • Communication and training are required for people
    supporting each of the sustainable Security
    Fabric life cycle processes

Iterative Sustainable Security Fabric Services
Life Cycle (figure stages):
  • Policy Requirements
  • Process Architectural Review
  • Design Security Service response
  • Construct Security Service
  • Test Security Service
  • Deploy Security Service
  • Service Repository
  • Operate / Monitor Security Service
  • Use/Reuse Policy Driven Service
  • Measure Effectiveness
  • GOVERNANCE
  • Governance Organization manages and monitors
    ongoing security agreements

14
CIO Management Council Briefing
Security Fabric Strategy Road Map