Ann Garrett, State Chief Information Security Officer

1
Statewide Security Update, October 25, 2005
Information Technology Advisory Board
  • Ann Garrett, State Chief Information Security Officer

2
Agenda
  • 2004 Security Assessment Results
  • Consequences of Assessment
  • Statewide Security Initiatives Program
    • Improve Network Security Defenses
    • Improve Wireless Network Security
    • Improve Risk and Business Continuity Management
    • Complete Statewide Security Standards Framework
    • Improve Security Awareness Training
    • Statewide Approach to Security Tools: Anti-Virus and Anti-Spyware
  • Questions

3
2004 Security Assessment Scoring Distribution
(Chart: Planned Security Practices (Quality) vs. Actual Security Practices (Execution))

4
2004 Security Assessment Scoring Summary
Note: The circle indicates the State average for the agencies assessed in the study.

5
2004 Security Assessment Statewide Average Scores by Category
(Chart)
6
Opportunities for Improvement
  • Insufficient Funding (100)
  • Insufficient Staffing (84)
  • Lack of Security Training Experience (76)
  • Outdated Desktop Operating Systems (72)
  • Outdated and Missing Business Continuity Plans
    (69)
  • Gaps in Agency Network Security Defense (64)
  • Deficient Policies, Standards, and Procedures
    (60)

7
Consequences: Statewide Significance
  • Assessment provided a baseline for metrics and a
    roadmap for planning improvements
  • Increased awareness at all levels of government
    of the importance of information security
  • Flexible assessment tool that can be used in
    years to come
  • Cost savings

8
Legislative Response
  • Law passed in July 2004 (SB991)
  • Shifted responsibilities from the IRMC to the State CIO and the ITAB
  • Gave State CIO clearer authority in project approval and management,
    procurement, and establishment of security standards
  • Established a statewide IT Fund and appropriated 4.8 million for
    2004-2005; 3 million appropriated for security assessment and remediation

9
Statewide Security Responsibilities
  • SCIO Security Responsibilities
    • Set statewide security standards
    • Monitor and assess agency compliance
    • Oversee information security incidents
    • Ensure information security is considered in the project management cycle
    • Select and deploy enterprise security technology
    • Oversee security procurements
    • Provide security education and training

10
Statewide Security Initiatives
  • Improve network security defenses
  • Improve wireless network security
  • Improve risk management and business continuity
    planning
  • Complete statewide security framework (policies,
    procedures, standards and architecture)
  • Improve enterprise security awareness and
    training
  • Statewide approach to Anti-Virus/Anti-Spyware

11
Statewide Security Initiatives
  • 1. Improve Network Security Defenses (Next Generation Network (NGN),
    Firewalls, Intrusion Prevention System (IPS), NCID)
    • Implementing NGN with agency pilots
    • MPLS (Multi-protocol label switching)
    • ESAP (Enterprise Service Access Point(s))
    • Approved Intrusion Protection System (IPS) project, RFP in process

12
State Network
  • 2,500 remote sites
  • Public Network
  • Internet Pipes: Multiple Gigabit Ethernet Connections
  • Perimeter Defenses (Firewalls, IDS/IPS and ITS Hosted Zones IPS/IDS)
  • Centralized Security Incident Management, NC Information Sharing Analysis Center

13
Next Generation Network (NCIN3) Goals
  • Enhance Network Availability (99.99)
  • Reliable, Manageable, Scalable
  • Enhance Security
  • Establish Layers of Security Controls
  • Enable Quality of Service features
  • Differentiated Service Offerings

14
Enterprise Services Access Point (ESAP) Model
15
Statewide Security Initiatives
  • 2. Improve Agency Border/Perimeter Defense: Wireless
    • Conducted Agency Wireless Survey 01/05
    • Formed Agency Wireless Focus Group
    • Updated Wireless Security IEEE 802.11 Communications Policy issued 2/15/05
    • Project underway to build a prototype to deploy a secure wireless
      environment using 802.1X and WPA2 at ITS

16
Statewide Security Initiatives
  • 3. Improve Risk Management and Business Continuity Planning
    • Developed Risk Assessment Tool
    • Purchased Strohl Business Impact Analysis and Business Continuity
      Planning software for all executive branch agencies (available to
      locals through ITS at reduced price)
    • Trained agencies in Fall 04
    • Agencies complete Business Impact Analyses (BIAs) in March 05
    • Consistent statewide approach for business continuity management

17
Statewide Security Initiatives
  • 4. Complete Statewide Security Standards Framework
    • Purchased ISO 17799 Policy Tool Kit 07/04 and updates in 07/05
    • Formed Agency Standards/Policy Focus Groups
    • Awarded RFP to Ciber to complete standards framework with training
      materials 11/04
    • Chapters in review cycle, rollout is in progress
    • All Statewide Security Standards/Policies are on
      http://www.scio.state.nc.us

18
Statewide Security Initiatives
  • July 2004 to June 2005 Enterprise Training Plan

19
Statewide Security Initiatives
  • 5. Improve Enterprise Security Training Awareness
    • July 2005 to June 2006 Enterprise Training Plan

20
Statewide Security Initiatives
  • 6. Statewide Approach to Anti-Virus and Anti-Spyware
    • Use statewide consolidated purchasing power and authority to:
      • Lower overall statewide AV/AS costs and derive more value from these
        solutions while providing greater AV/AS protection to state agencies
      • Offer similar AV/AS pricing to all executive branch agencies as well
        as local government units, community colleges, and public schools
        (based on support option)
      • Simplify AV/AS administration through an integrated solution

21
Enterprise Security Infrastructure
  • Is a key element of consolidation
  • Integrating IT infrastructure services (network, hosting, access, etc.)
    through an enterprise-wide risk management approach improves security
    and enables cost efficiencies
  • Why? Consistent approach to:
    • Threats
    • Technology
    • Business Drivers
    • Users
    • Vendors
    • Education

22
NC - Statewide Security Initiatives Program
2005 WINNER!!!
23
Questions? http://www.scio.state.nc.us