Security Fabric Strategy Road Map
Posted: 21-Oct-2014
Category: Technology
Description: Transcript of Security Fabric Strategy Road Map
IRS Enterprise Architecture 1
Security Fabric Strategy Road Map
Transformation of ODOT Business via Enterprise Security Bills, Policies, & IT Initiatives
Presented to CIO Management Council on September 14, 2007
Ben Berry, Chief Information Officer, ISB
Lisa Martinez, Business Services Manager, SSB
Peter van den Berg, Deputy Chief Information Officer, ISB
Elements of the Initiatives
Identify, Classify, Protect, Manage
ODOT Controlled Initiatives; DAS/Legislative Initiatives
Overview of Bills, Policies and Initiatives
1. DAS 107-004-050 Information Asset Classification Policy
2. DAS 107-004-051 Controlling Portable and Removable Storage Devices
3. DAS 107-004-052 Information Security
4. DAS 107-004-053 Employee Security
5. DAS 107-004-100 Transporting Confidential Information
6. DAS Statewide Policy 1.3, Acceptable Use of Information Related Technology
7. Senate Bill 583, 2007 Legislative Session (ID Theft)
8. Various ODOT Security related policies
   • ODOT ADM 05-08-01 Acceptable Use Policy
   • ODOT ADM 04-20 Information Security
   • ODOT Information Security Guidelines
9. Administrative Criminal Background Checks Rules
10. Business Continuity Planning
11. Enterprise Content Management
12. Identity and Access Management (TIM/TAM)
13. Payment Card Industry (PCI) Compliance
Resource Work Collaboration Team (organization chart)
Enterprise Security Policies Initiative: Resource Work Collaboration
Matt Garrett, Agency Director
Ben Berry, Agency CIO
Lisa Martinez (Business); Peter van den Berg (Information Systems)
Lines of business represented: DMV, IS, Highway, Motor Carrier, Other Lines of Business
Team members: Keith Nardi, Deb Frazier, Ric Listella
Delegated Authority:
• Information Security Unit (Karina Stewart)
• Technology Management (Virginia Alster)
• FileNet Program (Ron Winterrowd/Lisa Martinez)
• Communications Plan (Team)
Why a “Security Fabric”?
• COMPREHENSIVE. Securing each of our Point-to-Point information services individually is much more difficult to maintain than a single security fabric that covers them all.
• INVISIBLE BUSINESS PROCESSES. Many business processes are invisible because staff carry out processes that are not necessarily written down.
• LEVERAGE ACROSS AGENCY and ENTERPRISE. A security fabric is meant to leverage secure practices across multiple organizational functions and business units.
[Diagram: Legacy of Point to Point Services. Business Unit A, Business Unit B and Business Unit C each run their own Applications, connected pairwise by Extract Programs and Load Programs that exchange Download Files, Transaction Files and Message Queues.]
What is a Security Fabric?
A Security Fabric is a services-driven design approach that integrates business and security strategies to provide a Common Holistic Approach to Security Compliance and that leverages existing and new security policy functionality across agency business lines.
The strategy of a Security Fabric includes:
• Integration with elements of each of the security policies, where applicable.
• Providing security through the sharing & reuse of security services and processes across the agency and/or enterprise.
• Streamlining secure practices across existing business processes for greater efficiency and productivity.
The approach for a Security Fabric:
• Leverage existing business practices, IT investments and standard operating processes.
• Adopt Community of Practice templates for the Information Asset Classification Policy to ensure compliance with classifying data: Data Classification Levels 1, 2, 3 & 4 for labeling, handling, storage, retention and disposal/destruction.
• Standards allow security processes to be designed for reuse: components that can be used over and over again among different lines of business. Examples are Active Directory Group Policies or other physical standard security practices.
• Use of standardized procedures, interfaces and standard data classification adherence.
Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business, Not a Silo Approach

[Diagram: a layered grid. The columns are the functional domains of the slide template (Submission Processing; Customer Service; Manage Taxpayer Accounts; Reporting Compliance; Filing & Payment Compliance; Criminal Investigation; Internal Management; Other Functional Domains). The layers and their contents are:]

Enterprise Security Domains: Define the statewide security policies, bills and initiatives that are within the scope of the change.
• Information Asset Classification
• Controlling Portable and Removable Storage Devices
• Information Security
• Employee Security
• Transporting Confidential Information
• Acceptable Use of Information Related Tech.
• Senate Bill 583
• Other Functional Domains

Agency Policies & Practices: Define the ODOT internal policies and practices impacted by the Security Fabric effort.
• ODOT Acceptable Use Pol.
• ODOT Information Security Pol.
• ODOT Info. Security Guideline
• Admin Criminal Background
• Enterprise Content Management
• Identity & Access Management
• Payment Card Industry - PCI

Agency Service Domains: Define the ODOT Lines of Business services necessary to support execution of the Security Fabric. (Cuts across multiple domains)
• DMV
• Motor Carrier
• Highway Transportation
• Rail and Others
Key Business Drivers & Challenges: Impact on Agency Business Requirements in the ODOT Security Fabric Context

Simplification
• Improve the security of existing secure processes and systems by adopting a holistic, integrated approach to common secure practices.
• Reduce the number of one-off custom approaches to securing information assets.
• Establish Common Security Services across multiple agency and enterprise policies.
• Reduce the complexity of security solutions.

Service Reuse
• Leverage common processes, applications and infrastructure services to achieve operational security, efficiencies, and cost savings.
• Enable an ongoing low-cost approach to maintaining a secure presence for the Agency's complex business processes, freeing capital for other value-added capabilities.
• Enable information-based services to use an IT security fabric built on existing middleware applications such as Active Directory and Tivoli's Identity Management and Access Management security applications.

Agility
• Create secure business and technology processes and an architecture that can support changing regulatory, business and customer needs.
• Unlock the power of secure data transfer for transformation of the business, including mobile data where applicable.
• Create a flexible security architecture that is aligned with the State's Enterprise Security Office and the State Data Center.

Enable Transformation
• Enable the Agency's transformational business plans and IT Strategic Plan by leveraging multiple-use or dual-use strategies for complying with the Security Policies.
• Proactively blur the boundary between legacy and new information business requirements through early adoption of the enterprise security policies. (Reduce time to market by early adoption.)
Security Fabric Strategy Map
In Future Implementation State, Gaps Exist That Will Need to be Filled

[Table: each row is a Policy / Procedure / Practice / Initiative; the columns are DAS Policy Current State, Agency Policy Current State, Future State Requirements, GAP Analysis and Agency Lines of Business. The X marks showing which columns apply to each row did not survive extraction.]
Policy / Procedure / Practice / Initiative:
• DAS 107-004-050 Information Asset Classification
• DAS 107-004-051 Controlling Portable and Removable Storage Devices
• DAS 107-004-052 Information Security
• DAS 107-004-053 Employee Security
• DAS 107-004-100 Transporting Information Assets
• SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act
• …
Attached: Senate Bill 583 Gap Analysis (Microsoft Word document)
Common Security Policy Services

[Diagram: Common Security Policy Framework life cycle: Define, Design, Build, Deploy; Plan (CoP); Maintain. Inputs: Business Services. Outputs: Generate Secure Customer Service; Generate Secure Cross Agency Response.]
• BUSINESS PERSPECTIVE. Promotes a business perspective around potential secured shared services.
• EFFICIENT. Drives efficiencies and reuse across the Agency.
• BEST PRACTICES. The Common Security Practice Framework will be refined based on lessons learned from initial security service deployments.
Security Fabric Framework Based Upon 3 Core Areas: Holistic Security Practices; Platform, Templates and Toolsets; and Security Governance

[Diagram: layered framework with Security Governance spanning every layer.]
Holistic Security Practices (Current Activities):
• Agency Business Functional Services: business unit from broad based practices and procedures
• Agency Application Services: application integration / shared services (FileNet, others)
• Agency Infrastructure Services: agency-wide utility functions and solutions (Active Directory, TIM/TAM, Encryption)
Platforms, Templates & Toolset: Enabling Security Technology (middleware, physical tools and devices); Information Security Services
• There are different types of line of business services that need protection, both Agency and Enterprise focused.
• All require agency governance for an initial and ongoing sustainable security fabric presence.
• ODOT is engaged in a multi-variant approach to focus on those areas that provide the highest level of security, from easy to hard to implement. Given each policy's target timeline, high value security responses will be addressed first!
As Our Security Fabric Strategy Matures We Will Transition From Opportunistic and Project Level to Enterprise Level Security Policy Practice

[Chart: Scope (Low to High) plotted against Time/Maturity (Low to High), moving from Opportunistic to Enterprise. Items plotted on the chart:]
• Info Asset Classification Level 4
• Info Asset Classification Level 3
• Info Asset L2; SB 583
• Digital Signatures; Info Asset L1
• Integration
• Active Directory Group Policies
• Employee Security Policy
• ISBRA Security; TIM/TAM Identity Management
• Transporting Info Assets; Information Security Policy
• Controlling Removable Storage Devices
• Acceptable Use Policy; ID Theft Training
Action Items and Implementation Dates

[Timeline, in date order; "Today" marks the presentation date on the chart.]
• June 27, 2007: DAS 107-004-100 effective
• October 1, 2007: SB 583 (except Section 12) effective
• January 1, 2008: SB 583 Section 12 effective
• January 31, 2008: DAS 107-004-053 effective
• July 1, 2008: DAS 107-004-050 Level 4, Critical, effective
• July 30, 2008: DAS 107-004-051 effective
• January 1, 2009: DAS 107-004-050 Level 3, Restricted, effective
• July 1, 2009: DAS 107-004-050 Level 2, Limited, effective
• July 30, 2009: DAS 107-004-052 effective

Legend:
• DAS 107-004-050 Information Asset Classification
• DAS 107-004-051 Controlling Portable and Removable Storage Devices
• DAS 107-004-052 Information Security
• DAS 107-004-053 Employee Security
• DAS 107-004-100 Transporting Information Assets
• SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act
Sustainable Security Practice Identification & Deployment: Requires a Broad Based Security Policy Governance Process
• Impacts to People, Process & Technology
• Security Services are Delivered Through Agency Initiatives or Projects
• Security Life Cycle Processes are supported by both Business and Information Services
• Development of Security Policy Response is Guided by a multi-unit team (Resource Work Collaboration Team)
• Communication & Training are required for people supporting each of the Sustainable Security Fabric lifecycle processes
• Governance Organization: Manage & monitor ongoing security agreements

[Diagram: Iterative Sustainable Security Fabric Services Life Cycle. Policy Requirements: starts with DAS Security Policies & SB 583 business process requirements. Stages shown in the cycle: Design security service response; Process architectural review; Construct security service; Test security service; Deploy security service; Operate / monitor security service; Measure effectiveness; Use/reuse policy-driven service; Service Repository.]
Next Steps: Apply a multi-phased approach to implement and maintain the Proposed Security Fabric
Phase 1:
• Conduct Management Awareness training by line of business
• Achieve resource commitment and sponsorship
Phase 2:
• Establish Security Task Force
• Hire Project Manager
• Establish deliverables
• Develop necessary policies, guidelines, procedures
• Develop Security Fabric Implementation Strategy
• Develop agency wide communication/training plan
Phase 3:
• Implement Security Fabric
• Conduct agency wide awareness and compliance training
Phase 4:
• Maintain Security Fabric
CIO Management Council Briefing
Security Fabric Strategy Road Map