expect the best
www.vita.virginia.gov
Jeff Deason
Chief Information Security Officer
Virginia Information Technologies Agency

Joint Commission on Technology and Science
Advisory Committee on Privacy
June 23, 2005

State Agency Database Security in the Commonwealth

Today’s Topics
• Security Services Mission
• VITA’s Security Transition to Governance
• Mature Enterprise Security Program
• Where are we today?
• What are we doing?
• State Database Audits
• Senate Bill 1252
• Questions

Mission
Provide comprehensive information security services that allow state agencies to accomplish their respective missions in a safe and secure technology environment.

Transition from Operations to Governance
FY04: Operations
FY05: Operations/Governance
FY06: Governance
[Diagram labels: VITA; Enterprise; VITA / Enterprise]

Mature Enterprise Security Program
Security Awareness
• Information Security Training and Awareness
Program Compliance
• Security Policies, Standards and Procedures
• Risk Management
Protection
• Incident Management
• Secure Infrastructure
• VITA Critical Infrastructure and Business Continuity

Where are we today?
• As noted by the APA, current Commonwealth information security and protection is inadequate.
• Inconsistent security tools and programs.
• The enterprise information security program which we are now implementing will address these inadequacies.

What are we doing?
• Constructing a new internal service fund:
  – $1.53 million for incident management.
  – $1.74 million for database risk assessments.
• Pursuing state homeland security grants:
  – $950,000 for incident management.
• Developing database audit standards.
• Will leverage this large, necessary investment through public-private partnerships.

State Database Audits
• Current Code language provides needed flexibility for database audits based on:
  – Sensitivity and Criticality of information.
  – Exposure to risk.
• There are approximately 1685 applications in VITA customer agencies.
  – These applications access an unknown number of databases.
  – Determining the number of databases is a major challenge.

Senate Bill 1252
• As introduced:
  – Would have required semi-annual database audits.
    • It is difficult to justify the cost of auditing every database twice each year.
• As amended:
  – Would have required annual database audits and increased reporting.
    • Annual audits are more easily cost-justified than semi-annual audits.
    • Reporting requirements are a positive step as they increase the visibility of the audits.
    • Including incident reports in annual audit reports provides a fuller view of actual risks.