Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota

Dec 16, 2015

Transcript
Page 1

Enterprise Security: A Framework For Tomorrow

Christopher P. Buse, CPA, CISA, CISSP

Chief Information Security Officer

State of Minnesota

Page 2

Agenda

• Describe the approach we are taking to build a world class security function

• Reminisce about what I would have done differently as an auditor

• Q & A

Page 3

In the Beginning

• Accepted role as first CISO of our state in June 2006

• Attractive aspects of the job
  – Freedom to build a program from scratch
  – Powerful enabling legislation
  – $1.9M start up appropriation

Page 4

Legislation

• Develop security policies and standards

• Install and administer data security systems

• Responsible for state networks connected to the internet

• Agencies must comply

Page 5

Inherent Challenges

• Lots of decentralized technology silos

• No history of collaboration

• No governance structure to make decisions

• Few staff

• $1.9M start up appropriation

• Unknown risk profile

Page 6

Starting With a Blank Sheet of Paper

Page 7

State of the State

• Many critical duties are simply not done

• Important functions may not be available in the event of a crisis

[Figure: maturity scale 0 Non-existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized; markers indicate Desired State and Current State]

Page 8

Security Program Foundation

• Clarified authority and responsibility to make decisions

• Resources
  – Gained approval for legislative initiative
  – Embarked on a journey to sell merits to policymakers

[Diagram: Legislature, Governor, CIO]

Page 9

Governance

• Information Security Council formed in July 2006

• Mission: Identify what needs to be done to secure the government

[Diagram: Legislature, Governor, CIO; CISO and Information Security Council]

Page 10

Future Program Attributes

• Increased focus on security planning activities
  – Proactive vs. reactive
  – Highly adaptable to changing conditions

Page 11

Future Program Attributes

• Comprehensive, clearly outlining the baseline requirements that all agencies must follow
  – Policies & Procedures
  – Standards
  – Guidelines

[Figure legend: = Not Negotiable]

Page 12

Future Program Attributes

• Important security decisions in the hands of people best suited to make those decisions
  – Most security decisions made locally by people who understand agency activities
  – Central leader with overall responsibility
  – Centralized support teams to help agency security professionals

Page 13

Future Program Attributes

• Broad-based support from people who will be expected to implement the provisions
  – State agency executive management
  – Security leaders in state agencies
  – Information technology professionals

Page 14

Future Program Attributes

• Championed by government leaders at the highest levels
  – Governor
  – State Chief Information Officer and Chief Information Security Officer
  – Commissioners
  – Legislative leaders

Page 15

Future Program Attributes

• Supported by appropriate resources, including technical tools, training, and people
  – What should we be doing?
  – Are there personnel needs that must be addressed?
  – What tools and training will be necessary to deliver results?

[Diagram: Desired Outcomes, Personnel, Tools]

Page 16

Future Program Attributes

• Takes advantage of the size of government to leverage financial and human resources
  – Central experts to service all agencies
  – Enterprise tools
  – Reuse of individual agency efforts

Page 17

Future Program Attributes

• Includes methods to ensure compliance
  – Central team of technical audit professionals
  – Provide immediate feedback to remedy problems before they appear in audit reports

Page 18

Vision

• Government entities must unite
  – Common set of formalized policies and standards
  – World class security tools

• Federated architecture
  – Local risk-based decisions
  – Central management of enterprise security tools

Page 19

Security Solutions

• Working to identify long-term outcomes

• Five year planning horizon

• Priority areas will become part of a two year tactical plan

[Diagram: Legislature, Governor, CIO; CISO and Information Security Council; Desired Outcomes, Personnel, Tools]

Page 20

High-Level Strategic Outcome

“Manage a sustainable information security program that helps government entities make risk-based decisions that are reasonable and appropriate”

Page 21

Sustainable?

• Supported by the government leaders at the highest level, including future leaders

• Adds value to government entities and helps them achieve their mission

• Includes broad and active participation of stakeholders

• Built on repeatable and documented processes

Page 22

Reasonable and Appropriate?

• Aligned with industry best practices

• Ensures compliance

• Reduces risk to a level that management is willing to accept

• Assessed regularly for applicability and cost effectiveness

Page 23

Page 24

Other Accomplishments

• Portable computing devices

• Email security

• OET internal security

• Participation in development projects

• Direct assistance to agencies

• Sponsoring and hosting training

• Human resource development

Page 25

Legislative Initiative

• Did not get what we wanted

• Increased enterprise security base funding
  – $5.9 million per year this biennium
  – $4.4 million per year thereafter

• It’s all of our money

Page 26

Looking Back…

• Did many great audits

• Spent too much time on F/S stuff

• Did not tell the Legislature many critical things that they needed to know
  – No leadership, vision, or comprehensive plan
  – Current approach has no chance of success and demonstrates poor stewardship of public funds

Page 27

Today…

• Trying to fix the problems that I never communicated to policymakers

• Good at my job because of my audit and financial background

• Working closely with our auditors

Page 28

Tomorrow

• Unsure where fate will eventually lead me

• If it is audit, I think that my new experiences will make me better next time around