An Oregon State Government Case Study
Real World Application of IT Standards
Presented by Ben Berry, CIO, Oregon Department of Transportation
March 10, 2009
The United States JTC1-SC7 Technical Advisory Group (US-TAG) and MSI Systems Integrators, Sponsor to the Spring 2009 Meeting
Two World Trade Center, “Mezzanine 5” room, Portland, Oregon
http://www.oregon.gov/ODOT/CS/ISB/cio_report.shtml
Slide 2 (Oregon State Data Center, July 2008)
IT Environment, 2009 to 2011: Oregon’s Trend Expectations (chart)
Slide 4
Shared Vision: State Data Center
Technology Standard: Information Technology Infrastructure Library (ITIL). US TAG members are co-authors (contributing authors) to ITIL v2 (a framework reference).
Slide 5
CNIC Key Concepts: Single Infrastructure Managed for Agency Business Value
The chart stacks the following service areas between the highest customer visibility (Applications) and the lowest (Hardware & Maintenance Services):

Strategic Planning

Applications (highest customer visibility)
• Internet or E-Government
• Line of Business Systems
• Process Control Systems
• Web-based Employee Services
• Supply Chain Mgt Linkages
• Customer Care applications
• HR & Finance Applications

System Integration
• Interface Engine
• Data Integration

Network Services
• Network Consulting
• Network Design
• Installation Mgt.
• SW Support
• Performance Analysis/Rpts.
• Capacity Planning
• Problem Management
• NOC support 24x7 (Network Operations Center)

Data Center
• Consolidation
• Server Mgt.
• Database Mgt.
• Email / messaging
• Imaging / Archiving

Help Desk
• Call Mgt.
• Trouble Tickets
• 1st Tier Resolution

IT Monitoring
• Tools Admin.
• Alerts Mgt.
• Critical Call Mgt.

Security
• Internet Mgt.
• Intrusion Detect.
• Content Inspection (Email, Internet, FTP)

Hardware & Maintenance Services (lowest customer visibility)
• User Devices
• Servers
• Disaster Recovery
• Cabling Services

Infrastructure and management services shown across the layers: WAN Switches; LAN Switches; Routers; Internetworking; Software Management; Software Distribution; SLA Mgt.; Change Mgmt. Process; Reporting; Security; Charge Back; Performance Management; Data Gathering; Surveillance; Capacity Planning; Data Cable Infrastructure; End User Help Desk.

Utility Value Proposition
• Allocation of resources to areas of greatest business value for the enterprise
Slide 7
ITIL Foundation: IT Infrastructure Library Overview
The ITIL framework spans Business and Technology and is made up of these volumes:
• ITIL – Planning to Implement Service Management
• The Business Perspective
• Application Management
• ICT Infrastructure Management
• Service Management: Service Delivery and Service Support
• Security Management

• The State is currently focused on implementing an ITIL v2 service management framework that is very closely linked with the standard ISO/IEC 20000 IT Service Management, for which the US TAG has taken a leadership role in development.
• ISO/IEC 20000 is now the fifth most referenced IT standard in ISO's catalog.
Slide 8
ITIL Foundation Process Chart Reference (process diagram; only the label "User" survives in the transcript)
Slide 9
IT Service and Process Maturity Model
The model illustrated below describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process for improving service for all the State Data Center focus areas.

Level 0 (Chaotic): Ad hoc; Undocumented; Unpredictable; Multiple help desks; Minimal IT operations; User call notification
Level 1 (Reactive): Best effort; Fight fires; Inventory; Initiate problem mgt process; Alert and event mgt; Monitor availability
Level 2 (Proactive): Analyze trends; Set thresholds; Predict problems; Automate; Mature problem, configuration, change, asset and performance mgt processes
Level 3 (Service): Define services, classes, pricing; Understand costs; Set quality goals; Guarantee SLAs; Monitor and report on services; Capacity planning
Level 4 (Value): IT and business metric linkage; IT/business collaboration improves business process; Real-time infrastructure; Business planning

Management disciplines plotted along the path: Tool Leverage; Operational Process Engineering; Service Delivery Process Engineering; Service and Account Management; Business Management; ROI Mgmt.

The State Data Center's position on the model is plotted by year: 2006 Position, 2007 Position, 2008 Position, 2009 Position, 2010-11 Position, 2011-12 Position.
Slide 10
Capability Maturity Model Integration (CMMI)
• The higher the rated maturity of an organization (i.e. CMMI Levels), the more likely the organization will seek guidance against existing standards, such as ISO/IEC 20000 IT Service Management or ISO/IEC 38500 IT Governance.
• Well-defined processes and assessment mechanisms (as outlined in these standards) are hallmarks of CMMI Levels 3 and 4.
• Oregon congratulates the US TAG on developing these standards. The State of Oregon has elected to apply these very relevant industry standards to improving capability and maturity in support of its State Data Center.
Slide 11
Utility Computing Maturity Model
The model illustrated below describes an evolutionary improvement path from a dedicated, non-standard, inefficient technical environment to a mature, efficient, on-demand utility computing service.

Stages and target dates: Dedicated Systems (12/2006); Shared Infrastructure (12/2007); Assisted Management (12/2008); Service Management (12/2010); Utility Computing (12/2012)

Dimensions tracked across the stages:
• Business Interface: No SLA’s; Arbitrary SLA’s; Basic Class Of Service; Business Level Reporting; End-End Service Mgmt; Utility Services
• IT Organization: Distributed Functions; Distributed Competence; Centers Of Excellence; Simple Service Mgmt Discipline
• Hardware Capability: Distributed, Proprietary; Shared Storage; Shared Server Pools; Hierarchical Modular Architecture; Commodity Hardware
Slide 12
ISO/IEC 27000 Security Standards
• The ISO/IEC 27000 family of security standards originates within the US TAG for JTC1-SC27 (IT Security), whereas this group (SC7) covers IT Systems Engineering and Lifecycle.
• As such, ODOT and Oregon’s State Data Center are customers of these industry standards and of the standards bodies that created them.
• ODOT is working against ISO/IEC 27000, which has been very valuable as a standard and as a contribution to the industry standards development process as a whole.
• The asset accomplishments to date follow.
Slide 13
Balanced Score Card of State Data Center Accomplishments
Quadrants: Standardization; Consolidation; Increasing Capacity; Operations

Accomplishments listed on the card:
• 10 pSeries Utility Servers
• 5,391 FY07 Agency Requests
• Virtual & Blade Center Technology Installed
• High speed Redundant NW (area specific)
• 233 Server Consolidations
• Enterprise Event Monitoring
• 2 Mainframe Upgrades
• 9,706 FY08 Agency Requests
• 50% of NW & Security Equipment Standardized
• 3 to 1 MF Consolidation
• On-Net Phone Systems Upgrades
• iSeries Standard OS
• 40% Storage Capacity Increases
• Virtual Tape System
• Automated Tape Library
• Rate Methodology and Rates
• Power & Consumption Management
• Service Catalog
• New Disaster Recovery Requirements
• NW Intrusion Detection
• Security, Tools, & Adm. Standardization
• iSeries Upgrades
• 2 p590 Unix Servers
• NW Bandwidth
• Email hub Upgrades
• 73 Servers
• 172 FY07 Contracts & Maintenance Renewals
• 340 FY08 Contracts & Maintenance Renewals
• 435 TB of Tiered Storage
• Security Encryption

Legend: marked items = IT Standards Implications
Slide 14
Shared Vision: ODOT’s Security Fabric
Technology Standard: ISO-based Information Security, ISO 27001:2005 and 27002:2005
ODOT Information Assets covered by the fabric (diagram): Employee Mgmt.; Document and Records Mgmt.; Facilities Mgmt.; Data Gathering; Application Development; Business Process Mgmt.; further asset areas marked "?" in the diagram
Slide 15
As ODOT’s Security Fabric Strategy matures we will transition from Opportunistic and Project Level to Enterprise Level Security Policy Practices.

Chart axes: Scope (Low to High) against Time/Maturity, moving from Opportunistic to Enterprise. Legend: In Work; Cancelled; Not Planned.

Initiatives plotted:
• Info Asset Classification Pilot 1 - OIT
• Info Asset Classification Pilot 2 - SSB
• Info Asset Classification Pilot 3 – Region 2
• Info Asset Classification Levels 4, 3, 2, and 1
• Identity Theft SB 583
• ID Theft Training
• Digital Signatures Integration
• Active Directory Group Policies
• Employee Security Policy (Q1 2009)
• ISBRA Security
• TIM/TAM Identity Management
• Transporting Info Assets
• Information Security Policy
• Controlling Removable Storage Devices (Nov 2008)
• Acceptable Use Policy
• Encrypt DMV Field Office Network
• Encrypt Laptops
• Incident Management Plan
• Information Security Business Risk Assessment
• One item on the chart is annotated "Cancelled Q1 2009"
Slide 16
ODOT Security Fabric Context: Agency Business Requirements

Simplification
• Improve the security of existing secure processes and systems by adopting a holistic, integrated approach to common secure practices.
• Reduce the number of one-off custom approaches to securing information assets.
• Establish Common Security Services across multiple agency and enterprise policies.
• Reduce the complexity of security solutions.

Service Reuse
• Leverage common processes, applications and infrastructure services to achieve operational security, efficiencies, and cost savings.
• Enable an ongoing low-cost approach to maintaining a secure presence for the Agency’s complex business processes, freeing capital for other value-added capabilities.
• Enable information-based services to use the IT security fabric built on existing middleware applications such as Active Directory and Identity and Access Management security applications.

Agility
• Create secure business and technology processes and an architecture that can support changing regulatory, business and customer needs.
• Unlock the power of secure data transfer for transformation of the business, including mobile data where applicable.
• Create a flexible security architecture that is aligned with the State’s Enterprise Security Office and the State Data Center.

Enable Transformation
• Enable the Agency’s transformational business plans and IT Strategic Plan by leveraging multiple-use or dual-use strategies for complying with the Security Policies.
• Proactively blur the boundaries between legacy and new information business requirements through early adoption of the enterprise security policies (reduce time to market by early adoption).
Slide 17
Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business
The Goal: Not a Silo Approach

The slide is a matrix diagram; its labels are recovered below.

Functional domains (columns, repeated for each row of the matrix): Submission Processing; Customer Service; Manage Taxpayer Accounts; Reporting Compliance; Filing & Payment Compliance; Criminal Investigation; Internal Management; Other Functional Domains

Enterprise Security Domains: Define the statewide security policies, bills and initiatives that are within the scope of the change.
• Information Asset Classification
• Controlling Portable and Removable Storage Devices
• Information Security
• Employee Security
• Transporting Confidential Information
• Acceptable Use of Information Related Tech.
• Senate Bill 583
• Other Functional Domains

Agency Service Domains: Define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains).
• Rail and Others
• DMV
• Motor Carrier
• Highway Transportation

Cross-cutting services also shown on the matrix: Enterprise Content Management; Identity & Access Management

Agency Policies & Practices: Define the ODOT internal policies and practices impacted by the Security Fabric effort.
• ODOT Acceptable Use Pol.
• ODOT Information Security Pol.
• ODOT Info. Security Guideline
• Admin Criminal Background
• Payment Card Industry - PCI
Slide 18
Security Fabric Strategy Map
In the Future Implementation State, gaps exist that will need to be filled.

Matrix columns: Policy / Procedure / Practice / Initiative; DAS Policy Current State; Agency Policy Current State; Future State Requirements; GAP Analysis (cells are marked with X in the original chart)
Rows:
• DAS 107-004-050 Information Asset Classification
• DAS 107-004-051 Controlling Portable and Removable Storage Devices
Requires a Broad Based Security Policy Governance Process.

• The chart speaks to several aspects of US TAG standards development (e.g. systems engineering and lifecycle, IT governance, et al.). Again, ISO/IEC 38500 falls under the aegis of the US TAG!
Slide 21
State of Oregon
“Real World Application of IT Standards”
Information Systems, Oregon Department of Transportation