Security Program Executive Presentation Template.ppt

Agency Name
Security Program
FY 2009
John Q. Public
Agency Director/CIO/ISO
Security Program
(Agency Name)'s mission is to provide a
constituent internet interface for the sale of
state logo widgets
This security program has been developed
to support the business processes and
communications that serve those business goals
Security Program
Governance
• Complies with Federal, Industry and State
statutes and requirements such as HIPAA,
PCI and the Georgia Enterprise Policies,
Standards and Guidelines
Security Program
Governance
• Key Components of Governance
– Planning
• Strategic Security Plan
– Governance structures
• State CIO Council
• Information Security Officer Council
• Agency Risk Management Board
• Agency IT Leadership
Security Program
Governance
• Key Components of Governance
– Policy
• Georgia Enterprise Policy
• (Agency Policy)
• Industry Practices
• Federal Policies
– Monitoring
• Self-assessments
• Third Party assessments
• Georgia Dept of Audits
Security Program
Governance
• Challenges and Keys to Success
– Challenges
• Resources
• New Threats
– Keys to Success
• Resources to achieve goals
– Remediation of shortfalls
– Certification of assurance
• Education
– Executive
– Employee
Security Program
System Development Life Cycle
• Four-year cycle as prescribed by OPB for IT
equipment
• In the third year of the current planning
cycle
– 25% IT equipment refresh budgeted
– Security device refresh scheduled
Security Program
Awareness and Training
• Awareness and Training program based on
federal model
• User Awareness training completed
– 120 of 125 employees participated
– 96% ‘pass’ for Annual Awareness Training
– Remedial training identified and scheduled
• Training program underway for technical staff
– Act-Online.net
– Strategic Training Alliance
• Executive training underway
– Act-Online.net
Security Program
Capital Planning
• Security Priorities and Funding
– Top Five Security Priorities
• Third Party assessment of (1) High system
• Refresh firewall pair (7 years old)
• Refresh Intrusion system (5 years old)
• SIEM acquisition
• Training (ISO skills - administrative training)
– Total FY 2009 Funding request: $125K
– Allowed FY 2009 Funding: $77K
• Third Party assessment
• Refresh firewall pair
Security Program
Interconnecting Systems
• PeopleSoft – State Accounting Office
• Enterprise Active Directory/Exchange - GTA
• GBA Physical Access Control System
• PCI vendor – XYZ Corporation
Security Program
Performance Measures
• Annual Agency Information Security Report
– Due 30 June
– Reporting to GTA
– Reporting items as prescribed by Enterprise Standard
Security Program
Security Planning
• Security planning is performed by
examining each system
• Security Program is based upon
aggregating plans, assessments and
audits
– Current plans are attached to the Security
Program document
Security Program
Contingency Planning
• No formal agency Business Continuity
Plan has been developed
• IT has rudimentary planning underway
– Several meetings with system owners
– IT staff has begun requirements collection
Security Program
Risk Management
• Agency has a Risk Management Board
that meets monthly
• Structure and scope align with NIST SP 800-30 Risk Management guidance
• Security heavily involved
Security Program
Security Assessments
• Self-Assess with current IT staff
– Performed quarterly
• Third party assessments once a year
• Georgia Dept of Audit every third year
Security Program
Security Products and Acquisition
• Conduct research and consult with GTA
Office of Information Security
• Current focus
– Application firewall
– Intrusion systems
– Content filtering
Security Program
Incident Response
• Escalation procedures include security
hand-off decision points
• Procedures are periodically tested
• Security personnel have been trained:
– Cyber First Responder
– Forensic Investigations (National White Collar
Crime Center)
Security Program
Configuration Management
• Configuration management is given high
importance to maintain the integrity of the
network and IT assets.
• Agency has a Configuration Management
Board (CMB) that meets weekly
• The CMB coordinates with GTA’s CMB on changes
that may impact enterprise operations
Security Program
Questions