CSE IT Security - PowerPoint PPT Presentation

About This Presentation
Title:

CSE IT Security

Description:

Intercept private communications for purposes of protecting systems and networks ... TBS/CSE are co-operating in the development of priorities (ongoing) ... – PowerPoint PPT presentation

Slides: 23
Provided by: meau9

Transcript and Presenter's Notes


1
CSE - IT Security: The Way Ahead
Communications Security Establishment IT Security
Dorene Hartling, CSE Associate Deputy Chief, IT Security
Communications Security Establishment
2
Outline
  • CSE IT Security Mandate
  • Global / GoC Context
  • Background
  • Status
  • Policy Compliance
  • Challenges
  • CSE IT Security The Way Ahead
  • Cyber Protection Supply Arrangement
  • Enhancing the GoC Security Posture

3
IT Security Mandate
  • CSE has legislated authority to:
    • Provide advice, guidance and services to help
      ensure protection of electronic information and
      information infrastructures of importance to the
      Government of Canada
    • Intercept private communications for purposes
      of protecting systems and networks of the
      Government of Canada, with ministerial
      authorization
    • Provide technical and operational assistance to
      law enforcement and security agencies
  (National Defence Act, C-36, December 2001)

4
Global Security Context
  • Proliferation of and dependence on electronic
    systems by Western society
  • Every hour 35 million messages are sent
  • Every day 50,000 new wireless users
  • There are currently 677 million Internet Users
  • Every minute 17.7 million emails sent
  • Predicted 1.2 billion Spam messages 2004

5
Background
  • April 2004 approved National Security Policy
  • Expenditure Review Committee conceptual
    recommendations from the PWGSC Review of
    Procurement Concept Paper (Sept 2004)
  • Office of the Auditor General (OAG) tabled a
    report on February 15th, 2005 as a follow-up to
    the GoC IT Security 2002 report
  • The OAG findings: Unsatisfactory progress since
    2002 audit in the following areas of IT Security:
    • Compliance with the GSP and MITS
    • IT Security standards
    • Effectiveness of the Government Security Policy
    • Business Continuity Planning
    • Risk Management

6
Background
  • Challenges:
    • Lack of business awareness of IT security risks
    • Departments and agencies need to adequately
      assess threats and risks to their business
    • Departmental capacity of skilled IT security
      resources and financial resources
    • Lack of compliance with the Policy and associated
      standards
    • Number of IT Security standards still need to be
      developed

7
CSE - IT Security: The Way Ahead
Supporting the GoC Security Agenda
8
Cyber Protection Supply Arrangement (CPSA)
Information Technology Infrastructure Security and Protection Services (ITISPS) Supply Arrangement (SA) Renewal
9
CPSA Objectives
  • Enhance the GoC overall security posture
  • Offer direct support to departments including
    implementation and response to OAG findings
  • Comprehensive IT Security Risk Management
    Services
  • Connect business threat and risk assessments with
    IT security issues

10
CPSA Governance
  • TBS Deputy CIO is the sponsor for the CPSA
  • CSE IT Security is the technical authority
  • Presented our CPSA strategy to the CIOC and
    received full support in January of 2005
  • Established a Consultation Exec Committee which
    met in January 2005 (15 departments)
  • Established Technical Working Group to assist in
    formalizing the Statement of Work and compiling
    departmental survey results

11
Expected Benefits to GoC
  • Progress towards GoC-wide IT Security Framework
  • Horizontal approach to addressing the needs of
    GoC clients
  • Compliance with Government Security Policy
  • Alignment with MITS Standard requirements
  • Consistency and quality assurance
  • Economy of scale, re-use and a GoC wide approach
    to IT Security

12
CPSA: What it means for you?
  • Access to:
  • New strategic consulting streams of services
  • Increased categories of IT Security technical
    skills
  • Broadened scope of qualified suppliers
  • A multi-faceted security approach
  • A flexible security service based on each
    department's requirements

13
CPSA Proposed Services Streams
14
Stream 1: IT Security Management Consulting Services
  • Qualified Contractors have capacity to:
    • Represent leading-edge thinking
    • Provide analysis from world-wide best practices
    • Provide strategic planning, advice and guidance
    • Experience to transform challenges into options
    • Provide client relations management strategies
      and solutions

15
Stream 2: Comprehensive IT Security Risk Management Services
  • Qualified Contractor must be able to:
    • Use standards-based methodologies
    • Provide extended continuous learning of
      methodologies and IT Security environment
    • Translate the GoC Policy Framework related to IT
      Security into operational requirements and
      solutions

16
Stream 3: IT Security Skill Groups
  • Add cyber related skills to existing groups in
    three categories: Junior, Intermediate, Senior
  • New IT Security Generalist/Specialist
  • New Computer Forensics Specialist
  • Interdepartmental Consultation Survey will query
    and confirm demand for additional new skill groups

17
Stream 4: TEMPEST
  • Engineering Support Services
  • Testing Services
  • Installation Services

18
Enhancing the IT Security Posture
19
CSE Awareness and Training Priorities
  • Implement a follow-on program to the CSE IT
    Security Cyber Protection Forum based on
    evaluation results
  • Enhance the CSE IT Security Web services
    offerings: advice, tools, product distribution and
    access
  • TBS/CSE are co-operating in the development of
    priorities (ongoing):
    • For the development of standards
    • To assist departments in strengthening their IT
      security practices

20
CSE Awareness and Training Priorities
  • Develop an expanded CSE IT Security awareness
    program
  • Modernize IT Learning Center course material,
    develop new training products

21
Leveraging the work
  • Implement a re-use, sharing capability for CPSA
    products and results
  • Consider Intellectual Property
  • Facilitate re-use
  • Share the results
  • Connect to Expenditure Review Committee

22
  • Questions?