Real World Application of US Technical Advisory Group IT ...


Page 1: Real World Application of US Technical Advisory Group IT ...

An Oregon State Government Case Study

Real World Application of IT Standards

Presented by Ben Berry, CIO, Oregon Department of Transportation

March 10, 2009

The United States JTC1-SC7 Technical Advisory Group (US-TAG) and MSI Systems Integrators, Sponsor of the Spring 2009 Meeting

Two World Trade Center, “Mezzanine 5” room, Portland, Oregon

http://www.oregon.gov/ODOT/CS/ISB/cio_report.shtml

Page 2

Oregon State Data Center, July 2008

Page 3

IT Environment, 2009 to 2011: Oregon’s Trend Expectations

Page 4

Shared Vision: State Data Center

Technology Standard: Information Technology Infrastructure Library (ITIL). US TAG members are co-authors (contributing authors) of ITIL v2 (a framework reference).

Page 5

CNIC Key Concepts: Single Infrastructure Managed

Vertical axis of the diagram: Agency Business Value, from Highest Customer Visibility (applications) to Lowest Customer Visibility (hardware and maintenance services).

Network Services: Network Consulting; Network Design; Installation Mgt.; SW Support; Performance Analysis/Rpts.; Capacity Planning; Problem Management; NOC (Network Operations Center) support 24x7

System Integration: Interface Engine; Data Integration

Strategic Planning / Applications (Highest Customer Visibility): Internet or E-Government; Line of Business Systems; Process Control Systems; Web-based Employee Services; Supply Chain Mgt Linkages; Customer Care applications; HR & Finance Applications

Hardware & Maintenance Services (Lowest Customer Visibility): User Devices; Servers; Disaster Recovery; Cabling Services

Data Center: Consolidation; Server Mgt.; Database Mgt.; Email/messaging; Imaging/Archiving

Help Desk: Call Mgt.; Trouble Tickets; 1st Tier Resolution

IT Monitoring: Tools Admin.; Alerts Mgt.; Critical Call Mgt.

Security: Internet Mgt.; Intrusion Detect.; Content Inspection (Email, Internet, FTP)

Utility Value Proposition

• Allocation of resources to areas of greatest business value for the enterprise

• Technology guarantee; optimizing network backbone performance

• Service Level Agreements

• Constant, predictable infrastructure budgeting Statewide: capital/operating

• State Data Center single-point responsibility for Infrastructure Mgt. & Risk

• Flexibility to leverage the State with single infrastructure contracts

Page 6

CNIC Roles & Responsibilities

Agency-Specific: Program & Customer Relationship Management; Development & Testing Environment; E-Gov and Line-of-Business Applications

Shared (State Data Center Infrastructure Utility): WAN Switches; LAN Switches; Routers; Internetworking; Software Management; Software Distribution; SLA Mgt.; Change Mgmt. Process; Reporting; Security; Charge Back; Performance Management; Data Gathering; Surveillance; Capacity Planning; Data Cable Infrastructure; End User Help Desk

Page 7

ITIL Foundation: IT Infrastructure Library Overview

ITIL publications, spanning Business and Technology:

ITIL – Planning to Implement Service Management

The Business Perspective

Application Management

ICT Infrastructure Management

Service Management (Service Delivery; Service Support)

Security Management

• The State is currently focused on implementing an ITIL v2 service management framework that is very closely linked with the ISO/IEC 20000 IT Service Management standard, for which the US TAG has taken a leadership role in development.

• ISO/IEC 20000 is now the fifth most referenced IT standard in ISO's catalog.

Page 8

ITIL Foundation Process Chart Reference

Page 9

IT Service and Process Maturity Model

The model illustrated below describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process for improving service for all the State Data Center focus areas.

Level 0, Chaotic: Ad hoc; Undocumented; Unpredictable; Multiple help desks; Minimal IT operations; User call notification

Level 1, Reactive: Best effort; Fight fires; Inventory; Initiate problem mgt process; Alert and event mgt; Monitor availability

Level 2, Proactive: Analyze trends; Set thresholds; Predict problems; Automate; Mature problem, configuration, change, asset and performance mgt processes

Level 3, Service: Define services, classes, pricing; Understand costs; Set quality goals; Guarantee SLAs; Monitor and report on services; Capacity planning

Level 4, Value: IT and business metric linkage; IT/business collaboration improves business process; Real-time infrastructure; Business planning

Positions plotted along the path: 2006 Position; 2007 Position; 2008 Position; 2009 Position; 2010-11 Position; 2011-12 Position

Additional chart labels: Tool Leverage; Service and Account Management; Business Management; Service Delivery Process Engineering; Operational Process Engineering; ROI Mgmt.

Page 10

• The higher the rated maturity of an organization (i.e. CMMI Levels), the more likely the organization will seek guidance against existing standards, such as ISO/IEC 20000 IT Service Management or ISO/IEC 38500 IT Governance.

• Well-defined processes and assessment mechanisms (as outlined in these standards) are hallmarks of CMMI Levels 3 and 4. 

• Oregon congratulates the US TAG on developing these standards. The State of Oregon has elected to apply these very relevant industry standards to improving capability and maturity in support of its State Data Center. 

Capability Maturity Model Integration (CMMI).

Page 11

Utility Computing Maturity Model

The model illustrated below describes an evolutionary improvement path from a dedicated, non-standard, inefficient technical environment to a mature, efficient, on-demand utility computing service.

Stages, with target dates: Dedicated Systems (12/2006); Shared Infrastructure (12/2007); Assisted Management (12/2008); Service Management (12/2010); Utility Computing (12/2012)

Characteristics at each stage, listed in the same order:

Business Interface: No SLA’s; Arbitrary SLA’s; Basic Class Of Service; Business Level Reporting; End-End Service Mgmt / Utility Services

IT Organization: Distributed Functions, Distributed Competence; Centers Of Excellence; Simple Service Mgmt Discipline; Comprehensive Svc Mgmt Discipline; IT Value Center

IT Processes: Squeaky Wheel; Basic Mgmt Workflows; Routine Task Automation; Comprehensive Automation; Fully Automated IT

Software Capability: Non-Standardized, No Hardware Abstraction; Basic Storage Abstraction, Centralized Mgmt Tools; Std Software Tools, Basic Auto Provisioning; Service Lifecycle Mgmt, Actionable Infrastructure; End-End Utility Mgmt

Hardware Capability: Distributed, Proprietary; Shared Storage; Shared Server Pools; Hierarchical Modular Architecture; Commodity Hardware

Page 12

ISO/IEC 27000 Security Standards

• The ISO/IEC 27000 family of security standards originates within the US TAG for JTC1-SC27 (IT Security), whereas this group’s remit is IT Systems Engineering and Lifecycle.

• As such, ODOT and Oregon’s State Data Center are customers of these industry standards and of the standards bodies that created them.

• ODOT is working against ISO/IEC 27000, which has been very valuable both as a standard and to the industry standards development process as a whole.

• Here are the asset accomplishments to date.

Page 13

Balanced Score Card of State Data Center Accomplishments

Score card areas: Standardization; Consolidation; Increasing Capacity; Operations; Security Encryption

Accomplishments:

10 pSeries Utility Servers

5,391 FY07 Agency Requests

Virtual & Blade Center Technology Installed

High speed Redundant NW (area specific)

233 Server Consolidations

Enterprise Event Monitoring

2 Mainframe Upgrades

9,706 FY08 Agency Requests

50% of NW & Security Equipment Standardized

3 to 1 MF Consolidation

On-Net Phone Systems Upgrades

iSeries Standard OS

40% Storage Capacity Increases

Virtual Tape System

Automated Tape Library

Rate Methodology and Rates

Power & Consumption Management

Service Catalog

New Disaster Recovery Requirements

NW Intrusion Detection

Security, Tools, & Adm. Standardization

iSeries Upgrades

2 p590 Unix Servers

NW Bandwidth

Email hub Upgrades

73 Servers

172 FY07 Contracts & Maintenance Renewals

340 FY08 Contracts & Maintenance Renewals

435 TB of Tiered Storage

Legend: marked items = IT Standards Implications

Page 14

Shared Vision: ODOT’s Security Fabric

Technology Standard: ISO-based Information Security, ISO 27001:2005 and 27002:2005

ODOT Information Assets: Employee Mgmt.; Document and Records Mgmt.; Facilities Mgmt.; Data Gathering; Application Development; Business Process Mgmt.; plus two areas shown only as “?”

Page 15

As ODOT’s Security Fabric Strategy matures, we will transition from Opportunistic and Project Level to Enterprise Level Security Policy Practices

Chart axes: Scope (Low to High) against Time/Maturity (Low to High); initiatives move from Opportunistic to Enterprise.

Legend: In Work; Cancelled; Not Planned

Initiatives plotted:

Info Asset Classification Pilot 1 - OIT

Info Asset Classification Pilot 2 - SSB

Info Asset Classification Pilot 3 – Region 2

Info Asset Classification Levels 4, 3, 2, and 1

Identity Theft SB 583

ID Theft Training

Digital Signatures

Integration

Active Directory Group Policies

Employee Security Policy (Q1 2009)

ISBRA Security TIM/TAM Identity Management

Transporting Info Assets

Information Security Policy

Controlling Removable Storage Devices (Nov 2008)

Acceptable Use Policy

Encrypt DMV Field Office Network

Encrypt Laptops

Incident Management Plan

Information Security Business Risk Assessment

One item on the chart is annotated “Cancelled Q1 2009”.

Page 16

ODOT Security Fabric Context: Agency Business Requirements

Simplification

• Improve the security of existing secure processes and systems by adopting a holistic, integrated approach to common secure practices

• Reduce the number of one-off custom approaches to securing information assets

• Establish Common Security Services across multiple agency and enterprise policies

• Reduce complexity of security solutions

Service Reuse

• Leverage common processes, applications and infrastructure services to achieve operational security, efficiencies, and cost savings

• Enable an ongoing low-cost approach to maintaining a secure presence for the Agency’s complex business processes, freeing capital for other value-added capabilities

• Enable information-based services to use the IT security fabric built on existing middleware applications such as Active Directory and Identity and Access Management security applications

Agility

• Create secure business and technology processes and an architecture that can support changing regulatory, business and customer needs

• Unlock the power of secure data transfer for transformation of the business, including mobile data where applicable

• Create a flexible security architecture that is aligned with the State’s Enterprise Security Office and the State Data Center

Enable Transformation

• Enable the Agency’s transformational business plans and IT Strategic Plan by leveraging multiple-use or dual-use strategies for complying with the Security Policies

• Proactively blur the boundaries between legacy and new information business requirements through early adoption of the enterprise security policies (reduce time to market by early adoption)

Page 17

Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business

The Goal: Not a Silo Approach

Lines of Business functional domains (repeated for each row of the matrix): Submission Processing; Customer Service; Manage Taxpayer Accounts; Reporting Compliance; Filing & Payment Compliance; Criminal Investigation; Internal Management; Other Functional Domains

Enterprise Security Domains: Define the statewide security policies, bills and initiatives that are within the scope of the change. Listed: Information Asset Classification; Controlling Portable and Removable Storage Devices; Information Security; Employee Security; Transporting Confidential Information; Acceptable Use of Information Related Tech.; Senate Bill 583; Other Functional Domains

Agency Policies & Practices: Define the ODOT internal policies and practices impacted by the Security Fabric effort. Listed: ODOT Acceptable Use Pol.; ODOT Information Security Pol.; ODOT Info. Security Guideline; Admin Criminal Background; Enterprise Content Management; Identity & Access Management; Payment Card Industry - PCI

Agency Service Domains: Define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains). Listed: Rail and Others; DMV; Motor Carrier; Highway Transportation

Page 18

Security Fabric Strategy Map: In the Future Implementation State, gaps exist that will need to be filled

Matrix columns: Policy / Procedure / Practice / Initiative; DAS Policy Current State; Agency Policy Current State; Future State Requirements; GAP Analysis; Agency Lines of Business (applicable cells are marked with an X on the slide)

Rows:

DAS 107-004-050 Information Asset Classification

DAS 107-004-051 Controlling Portable and Removable Storage Devices

DAS 107-004-052 Information Security

DAS 107-004-053 Employee Security

DAS 107-004-100 Transporting Information Assets

SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act

… … .

Embedded document: Senate Bill 583 Gap Analysis (Identity Theft)

Security Fabric

Page 19

Security Fabric Framework Based Upon 3 Core Areas: Holistic Security Practices; Platform, Templates and Toolsets; and Security Governance

Agency Business Functional Services: Business unit from broad based Practices and Procedures

Agency Application Services: Application integration / shared services (FileNet, others)

Agency Infrastructure Services: Agency-wide utility functions and solutions (Active Directory, Identity & Access Mgt., Encryption)

Cross-cutting areas of the framework: Security Governance; Information Security Services; Platforms, Templates & Toolset; Enabling Security Technology (Middleware, physical tools and devices); Holistic Security Practices; Current Activities

• Both Agency and Enterprise line of business services need protection and focus.

• All require agency governance for an initial & ongoing sustainable security presence.

• ODOT is engaged in a multi-variant approach to focus on those areas that provide the highest level of security, from easy to hard to implement.

• Given each policy’s target timeline, high value security responses are addressed first!

Page 20

Sustainable Security Practice of Identification & Deployment:

• Impacts to People, Process & Technology

• Security Services are Delivered Through Agency Initiatives or Projects

• Security Life Cycle Processes are supported by both Business and Information Services

• Development of Security Policy Response is Guided by a multi-unit team (Resource Work Collaboration Team)

• Communication & Training are required for people supporting each of the Sustainable Security Fabric lifecycle processes

Iterative Sustainable Security Fabric Services Life Cycle: Define Policy Requirements; Design Security Service Response; Construct Security Service; Test Security Service; Deploy Security Service; Operate / Monitor Security Service; Measure Effectiveness; Conduct Process Architectural Review; Use/Reuse Policy Driven Service; Service Repository

Starts with Dept of Administrative Services Security Policies & Senate Bill 583 (Identity Theft) for Personal Identifiable Information requirements

Requires a Broad Based Security Policy Governance Process

• Governance Organization – Manage & monitor ongoing security agreements

• Chart speaks to several aspects of US TAG standards development (e.g. systems engineering and lifecycle, IT governance, et al). Again, ISO/IEC 38500 falls under the aegis of the US TAG!

Page 21

State of Oregon

“Real World Application of IT Standards”

Information Systems, Oregon Department of Transportation