ISM in the ILM (Information Lifecycle Security Management) - PowerPoint PPT Presentation
1
ISM in the ILM (Information Lifecycle Security Management)
Secure360
  • Barry Caplin
  • Chief Information Security Officer
  • Minnesota Department of Human Services
  • barry.caplin_at_state.mn.us
  • May 18, 2006
  • 9:45-10:45 a.m.

2
(No Transcript)
3
Agenda
  • DHS Overview
  • Enterprise Security Strategy
  • Build Security In?
  • Information Lifecycle Security Management

4
MN DHS
  • Mission: helps people meet their basic needs so they can live in dignity and achieve their highest potential
  • Consumers include:
    • seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
    • families with children in a financial crisis
    • parents who need child support enforcement or child care money
    • people with physical or developmental disabilities who need assistance to live as independently as possible

5
MN DHS
  • Direct service through:
    • DHHS: Deaf and Hard of Hearing Services
    • SOS: State Operated Services, which includes:
      • RTCs: Regional Treatment Centers, including St. Peter, Moose Lake
      • Forensics: St. Peter, Moose Lake, METO (MN Extended Treatment Options)
      • State-run group homes
      • New community-based treatment centers
      • State-run nursing home: Ah-Gwah-Ching

6
MN DHS
  • Administrations (Divisions):
    • CFS: Children and Family Services (Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility)
    • Chemical and Mental Health Services, including SOS
    • Health Care Administration and Operations
    • Continuing Care
    • FMO: Finance and Management Operations, including Information Security, IT

7
MN DHS
  • Programs are state-administered, county-delivered
  • Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services
  • One of the largest state agencies
  • 2500 CO, 5000 SOS distributed staff
  • State and Federal funding

8
Enterprise Security Strategy
9
Security Strategy - The 10,000 Foot View
  • Information Security Governance Framework (COBIT Security Baseline):
    • People
    • Organization
    • Awareness
    • Technology
    • Operations
    • Architecture
  • Enterprise High-Level Functions:
    • Information Risk Management
    • Information Policy
    • Information Lifecycle Management
    • Process

10
Security Strategy
The 4 Cs
  • Confidence
  • Credibility
  • Communication
  • Compliance

11
Build Security In?
12
Build Security In
  • What do we mean by this?
  • Everyone says it, but how?
  • https://buildsecurityin.us-cert.gov/portal/

13
Why Build Security In?
14
Why Build Security In?
15
Why Build Security In?
  • Cost: measure twice, cut once
  • Efficiency: build it right the first time
  • Time: fixing problems later will likely delay production use

16
SDLC
  • SEI-CMMI (formerly CMM) (http://www.sei.cmu.edu/cmmi/)
  • IEEE and ISO 12207 standards (http://www.acm.org/tsc/lifecycle.html)
  • Extreme Programming (http://www.xprogramming.com/, http://www.extremeprogramming.org/)
  • On Wikipedia (http://en.wikipedia.org/wiki/Software_development_life_cycle)

17
Information Lifecycle Security Management
18
Information Lifecycle Security Management
19
Information Lifecycle Security Management
[Diagram: Software Development Lifecycle (SDLC) feeding a Maintenance Lifecycle, with Operate, Dispose and Major Release stages]

20
Information Lifecycle Security Management
[Lifecycle diagram: Concept → Analysis → Design → Develop → Deploy → Operate → Major Release]

21
Business Requirements
Concept
  • A statement of the business problem or challenge the business area needs to solve
  • Should not include recommended technical solutions
  • Constraints/Assumptions

22
Preliminary Risk Analysis
Concept
  • Security Questionnaire
  • Preliminary Privacy Analysis
  • Preliminary Security Risk Analysis
  • Risk Briefing
  • Risk of not doing

23
Privacy and Security Requirements
Analysis
  • Preliminary Privacy Assessment
  • Preliminary Security Risk Assessment
  • Privacy Requirements
  • Security Requirements
  • Preliminary Design Requirements

Words To Live By: Minimum Necessary
24
Business Impact Analysis
Analysis
  • Business/System Impact Analysis

25
Security Sign-Off
  • Keys:
    • Business Requirements received
    • Requirements understood (by business area)
    • Risks acknowledged

26
Privacy and Security Requirements
Design
  • Vendor Security Questionnaire
  • Security Architecture Assessment
  • Information Policy Analysis
  • Risk Assessment (OCTAVE)
  • HIPAA Assessment
  • Detailed Design Requirements
  • Project Security Roadmap: Required Doc List

27
Privacy and Security Mitigation Plans
Design
  • Detailed Security Architecture Design
  • Design Review
  • Security Risk Mitigation Plans
  • Action Plan for compliance design

28
Business Continuity/Disaster Recovery
Design
  • Business Continuity Planning
  • Disaster Recovery Planning
  • Preliminary COOP (Continuity Of Operations Plan) Document

29
Security Test Plans
Develop
  • Test Data Plans
  • Security Testing Plan
  • Security Testing
  • Use/Abuse Cases
  • Code Review Tools
  • Vulnerability Assessment

30
Incident Response Plans
Develop
  • Incident Response Plans
  • Final COOP

31
Security Sign-Off
  • Keys:
    • Identified issues mitigated
    • Assessments completed
    • Security Requirements met
    • Documentation completed
    • BCP/COOP completed

32
Deploy
Deploy
  • Change Management
  • Monitoring

33
IT Audit
Operate
  • Security Policy Compliance Review (COBIT Audit Guideline)

34
BCP/COOP Testing and Maintenance
Operate
  • Plan Testing
  • Plan Updates Review
  • BIA Updates

35
Major Release
Major Release
  • What is a Major Release?
    • Significant new functionality
    • Code rewrites
    • Significant architecture or design changes
    • Site Dependent
  • May require any/all ILSM steps

36
Information Disposal
Dispose
  • Measures based on:
    • Business type
    • Data classification
    • Regulatory issues:
      • PHI
      • FTI
      • Others

37
Information Lifecycle Security Management
[Lifecycle diagram: Concept → Analysis → Design → Develop → Deploy → Operate → Major Release]

38
Final Thoughts
  • SMT buy in is critical
  • Be consistent
  • Advertise, advertise, advertise

39
Discussion?