IT Security in the Commonwealth
A high-level review

Sam A. Nixon Jr.
Chief Information Officer of the Commonwealth

Governor’s Secure Commonwealth Panel
HHR Sub-Panel
December 16, 2013

www.vita.virginia.gov

Mar 28, 2015


Page 2

VITA’s Mission: Mandate for Change

• Executive & Legislative Branch leaders called for
  o Business-like approach to managing IT services across the enterprise of state government
• Concept of “Shared Services” (cloud computing)
  o Statewide IT infrastructure for government entities
• Major Statutory Responsibilities:
  – Provisioning of IT Infrastructure Services (in-scope agencies)
  – Central oversight of IT procurement, projects, security, standards, policy and procedures, Wireless E-911, and contingent labor
• Modernization is a journey
  – Step 1: Creation of VITA & statutory framework
  – Step 2: Transformation of infrastructure
  – Step 3: Enterprise Applications & Services

Page 3

Information Security in the Commonwealth


VITA is tasked with security governance over all three branches of state government.

VITA oversees delivery of infrastructure services to executive branch agencies. Agencies remain responsible for business applications and data. Shared responsibility.

Page 4

CoVA IT Infrastructure

• 2,247 locations
• Computers: 59,374 PCs, 3,356 servers
• Printers: 5,311 network, 22,000 desktop
• Communications: 55,000 desk phones, 6,100 handhelds (PDAs), 11,000 cell phones
• Networks: 2,039 circuits
• Data centers (2): CESC, SWESC
• Mainframes (2): IBM, Unisys
• Mailboxes: 58,948 accounts
• Data storage: 1.5 petabytes

Page 5

Exec Branch Business Applications

• Core Applications: 2,100
• Sensitive Systems: 697
• Why does Security matter? Examples:
  – Health Care – PHI, Birth Records, Prescription Monitoring
  – Public Safety – Forensics Lab Data, Fingerprint System, Emergency Planning data
  – Transportation – Traffic Mgmt Systems, Road, Rail and Air
  – Taxation – Citizen and Business Financial Info, FTI (SSN)
  – VITA – Infrastructure & Security Architecture, Network, Employee Authorization

Page 6

Security Strategy

[Diagram: security strategy organized along three dimensions – Technology, Operations & Services, and People; grouping below reconstructed from the slide labels]

Technology
• Enterprise Logging
• Network Defense: Firewalls, Web App Firewalls, IDS/IPS
• Content Security: Anti-Spam, Web Filtering, Anti-Virus
• End-Point Defense: HIPS/HIDS, Desktop Firewall, Anti-Virus
• Data Security: VPNs, Hard Disk Encryption

Operations & Services
• Architecture Design & Development
• Security Lifecycle Management
• IT Service Management
• Audit & Assets
• Event Monitoring
• Incident Detection, Analysis, & Response
• Forensics
• Vuln Mgmt
• Compliance Mgmt
• Threat Assessment
• Contract

People
• Policies & Procedures
• Training & Awareness
• Security Admin
• Physical Security
• Personnel Security

Page 7

Government Data Breaches & Attacks

Virginia Agencies
• 95,513,983 attack attempts* (>300K / day)
• 708,027,671 spam messages blocked*
* Jan – Dec 13, 2013, transformed agencies only

Security breaches of over 1 Million records, by sector
(Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, Aug 2013)
• Financial: 30%
• Government: 25%
• Retail: 18%
• Health: 13%
• Other: 12%
• Non-Profit: 3%

Page 8

Increase in Security Incidents (2010-2013)

[Chart: quarterly security incident counts at 2010 4Q, 2011 2Q, 2011 4Q, 2012 2Q, 2012 Q4, 2013 Q2 and 2013 Q4; y-axis 0 to 350 incidents]

Page 9

Cyber Attack Map – July 2013

[Image: cyber attack map, July 2013]

Page 10

VITA Has Broad Statutory Security Role

• Set security architecture & standards
• Oversee Northrop Grumman
• Perform overall incident response
• Share intelligence & information (FBI, DHS, State Police, VDEM)
• Conduct risk management
• Oversee & assist agencies
  – CIO has limited authority to ensure compliance


Page 11

NG Responsible for Infrastructure Security

• Physical & logical security
  – Data center protection
  – Firewalls, intrusion monitors, encryption, compartmentalization, antivirus & spam filters
• Detection, containment & removal of security incidents affecting the infrastructure
• However, primary attack vector is against applications & not the infrastructure
  – NG assists with attacks against applications, but agencies remain responsible for applications & data


Page 12

State Agency IT Security Efforts Are Mixed


Source: 2012 Commonwealth of Virginia Information Security Annual Report

Agencies in Compliance (%) | Agency Responsibility
71 | Develop & maintain IT security audit plan
97 | Appoint Information Security Officer
63 | Conduct IT security audits every 3 years (minimum)
56 | Develop & maintain corrective action plans
42 | Develop & maintain policies and procedures to control unauthorized uses and intrusions

Page 13

Priority – Cyber Security

• Improve Analysis & Risk Assessment
  – Full packet analysis to address data exfiltration
  – Risk management tool (being pursued) to identify potential impact of breach or outage
• Enhance Access Security
  – More secure remote network access (SSL VPN)
  – Password resets (from 90 to 45 days)
  – Two-factor authentication
• Address Security Compliance
  – Increasing CoVA capabilities


Page 14

VITA & Agencies Lack Security Staff

• VITA needs a cyber intelligence program to analyze threats and attacks
  – Need for risk-based decisions based on likelihood of attack attempts
  – Need analysis of malicious third parties that directly target the Commonwealth
• State agency staffing constraints impede security gap correction & limit auditing
  – Agencies must test their applications against new patches & evolving federal requirements


Page 15

Future Governance of IT Security

• Future Governance Considerations
  – Federal regulations & third-party mandates require new security efforts for agencies
  – Agency constraints impede security gap correction & limit auditing to find unknown gaps
    • EX: Annual security reviews, JAVA, Win 7
  – Implementing a Commonwealth-wide IT risk management program
  – Continued agility to rapidly respond to threats
• IT Security demands a “First Defender” approach


Page 16

Questions?

Samuel A. Nixon
[email protected]
(804) 416-6004
