
Security Fabric Strategy Road Map

Oct 21, 2014

Page 1: Security Fabric Strategy Road Map

IRS Enterprise Architecture 1

Security Fabric Strategy Road Map

Transformation of ODOT Business via Enterprise Security Bills, Policies, & IT Initiatives

Presented to CIO Management Council on September 14, 2007

Ben Berry, Chief Information Officer, ISB
Lisa Martinez, Business Services Manager, SSB
Peter van den Berg, Deputy Chief Information Officer, ISB

Elements of the Initiatives

Identify · Classify · Protect · Manage

ODOT Controlled Initiatives
DAS/Legislative Initiatives

Page 2: Security Fabric Strategy Road Map


Overview of Bills, Policies and Initiatives

1. DAS 107-004-050 Information Asset Classification Policy
2. DAS 107-004-051 Controlling Portable and Removable Storage Devices
3. DAS 107-004-052 Information Security
4. DAS 107-004-053 Employee Security
5. DAS 107-004-100 Transporting Confidential Information
6. DAS Statewide Policy 1.3, Acceptable Use of Information Related Technology
7. Senate Bill 583, 2007 Legislative Session (ID Theft)
8. Various ODOT Security related policies
   • ODOT ADM 05-08-01 Acceptable Use Policy
   • ODOT ADM 04-20 Information Security
   • ODOT Information Security Guidelines
9. Administrative Criminal Background Checks Rules
10. Business Continuity Planning
11. Enterprise Content Management
12. Identity and Access Management (TIM/TAM)
13. Payment Card Industry (PCI) Compliance

Page 3: Security Fabric Strategy Road Map


Resource Work Collaboration Team

[Figure: organization chart for the Enterprise Security Policies Initiative Resource Work Collaboration.]

Matt Garrett, Agency Director
Ben Berry, Agency CIO

Lines of Business: DMV, IS, Highway, Motor Carrier, Other Lines of Business
Also named in the chart: Keith Nardi, Deb Frazier, Ric Listella

Delegated Authority:
• Information Security Unit (Karina Stewart)
• Technology Management (Virginia Alster)
• FileNet Program (Ron Winterrowd/Lisa Martinez)
• Communications Plan (Team)

Lisa Martinez (Business)
Peter van den Berg (Information Systems)

Page 4: Security Fabric Strategy Road Map


Why a “Security Fabric”?

• COMPREHENSIVE. Our point-to-point information services are much more difficult to maintain; a security fabric is built to cover all of them.

• INVISIBLE BUSINESS PROCESSES. Many business processes are invisible because staff carry out processes that are not necessarily written down.

• LEVERAGE ACROSS AGENCY and ENTERPRISE. A security fabric is meant to leverage secure practices across multiple organizational functions and business units.

[Figure: Legacy of Point to Point Services. Applications in Business Unit A, Business Unit B and Business Unit C are connected pairwise by Extract Programs and Load Programs exchanging Download Files, Transaction Files and Message Queues.]

Page 5: Security Fabric Strategy Road Map


What is a Security Fabric?

A Security Fabric is a services-driven design approach that integrates business and security strategies to provide a Common Holistic Approach to Security Compliance and that leverages existing and new security policy functionality across agency business lines.

• The strategy of a Security Fabric includes:
  • Integration with elements of each of the security policies, where applicable.
  • Providing security through the sharing & reuse of security services and processes across the agency and/or enterprise.
  • Streamlining secure practices across existing business processes for greater efficiency and productivity.

• The approach for a Security Fabric:
  • Leverage existing business practices, IT investments and standard operating processes.
  • Adopt Community of Practice templates for the Information Asset Classification Policy to ensure compliance with classifying data: Data Classification Levels 1, 2, 3 & 4 for Labeling, Handling, Storage, Retention and Disposal/Destruction.

• Standards allow security processes to be designed for reuse:
  • Components that can be used over and over again among different lines of business. Examples are Active Directory Group Policies or other physical standard security practices.
  • Use of standardized procedures, interfaces and standard data classification adherence.

Page 6: Security Fabric Strategy Road Map


Security Vision and Strategy: Holistic and Comprehensive Approach Organized around Lines of Business – Not a Silo Approach

[Figure: matrix relating Enterprise Security Domains, Agency Service Domains and Agency Policies & Practices. The figure also carries repeated template line-of-business labels: Submission Processing, Customer Service, Manage Taxpayer Accounts, Reporting Compliance, Filing & Payment Compliance, Criminal Investigation, Internal Management, Other Functional Domains.]

Enterprise Security Domains: Define the statewide security policies, bills and initiatives that are within the scope of the change.
• Information Asset Classification
• Controlling Portable and Removable Storage Devices
• Information Security
• Employee Security
• Transporting Confidential Information
• Acceptable Use of Information Related Tech.
• Senate Bill 583
• Other Functional Domains

Agency Service Domains: Define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains).
• DMV
• Motor Carrier
• Highway Transportation
• Rail and Others

Agency Policies & Practices: Define the ODOT internal policies and practices impacted by the Security Fabric effort.
• ODOT Acceptable Use Pol.
• ODOT Information Security Pol.
• ODOT Info. Security Guideline
• Admin Criminal Background
• Enterprise Content Management
• Identity & Access Management
• Payment Card Industry - PCI

Page 7: Security Fabric Strategy Road Map


Key Business Drivers & Challenges Impact Agency Business Requirements

Requirements and their ODOT Security Fabric Context:

Simplification
• Improve the security of existing secure processes and systems by adopting a holistic, integrated approach to common secure practices.
• Reduce the number of one-off custom approaches to securing information assets.
• Establish Common Security Services across multiple agency and enterprise policies.
• Reduce the complexity of security solutions.

Service Reuse
• Leverage common processes, applications and infrastructure services to achieve operational security, efficiencies, and cost savings.
• Enable an ongoing low-cost approach to maintaining a secure presence for the Agency’s complex business processes, freeing capital for other value-added capabilities.
• Enable information-based services to use the IT security fabric based on existing middleware applications such as Active Directory and Tivoli’s Identity Management and Access Management security applications.

Agility
• Create secure business and technology processes and an architecture that can support changing regulatory, business and customer needs.
• Unlock the power of secure data transfer for transformation of the business, including mobile data where applicable.
• Create a flexible security architecture that is aligned with the State’s Enterprise Security Office and the State Data Center.

Enable Transformation
• Enable the Agency’s transformational business plans and IT Strategic Plan by leveraging multiple-use or dual-use strategies for complying with the Security Policies.
• Proactively blur the boundaries between legacy and new information business requirements through early adoption of the enterprise security policies (reduce time to market by early adoption).

Page 8: Security Fabric Strategy Road Map


Security Fabric Strategy Map

In the Future Implementation State, Gaps Exist That Will Need to be Filled

[Figure: gap analysis matrix with X marks per row. Columns: DAS Policy Current State; Agency Policy Current State; Future State Requirements; GAP Analysis. Rows are the policies, procedures, practices and initiatives listed below, against the Agency Lines of Business.]

Policy / Procedure / Practice / Initiative:
• DAS 107-004-050 Information Asset Classification
• DAS 107-004-051 Controlling Portable and Removable Storage Devices
• DAS 107-004-052 Information Security
• DAS 107-004-053 Employee Security
• DAS 107-004-100 Transporting Information Assets
• SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act
• …

Embedded object: Senate Bill 583 Gap Analysis (Microsoft Word Document)

Page 9: Security Fabric Strategy Road Map


Common Security Policy Services

[Figure: Common Security Policy Framework. Labels in the figure: Business Services; Inputs; Outputs; life cycle stages Define, Design, Build, Deploy, Plan (CoP), Maintain; Generate Secure Customer Service; Generate Secure Cross Agency Response.]

• BUSINESS PERSPECTIVE. Promotes a business perspective around potential secured shared services.

• EFFICIENT. Drives efficiencies and reuse across the Agency.

• BEST PRACTICES. The Common Security Practice Framework will be refined based on lessons learned from initial security service deployments.

Page 10: Security Fabric Strategy Road Map


Security Fabric Framework Based Upon 3 Core Areas: Holistic Security Practices; Platforms, Templates and Toolsets; and Security Governance

[Figure: layered framework diagram.]
• Agency Business Functional Services: business unit from broad-based Practices and Procedures
• Agency Application Services: application integration / shared services (FileNet, others)
• Agency Infrastructure Services: agency-wide utility functions and solutions (Active Directory, TIM/TAM, Encryption)
• Enabling Security Technology (Middleware, physical tools and devices)
Cross-cutting labels: Security Governance; Platforms, Templates & Toolset; Holistic Security Practices; Security Services; Information; Current Activities.

• There are different types of line of business services that need protection, both Agency and Enterprise focused.

• All require agency governance for an initial and ongoing sustainable security fabric presence.

• ODOT is engaged in a multi-variant approach to focus on those areas that provide the highest level of security, from easy to hard to implement. Given each policy’s target timeline, high-value security responses will be addressed first!

Page 11: Security Fabric Strategy Road Map


As Our Security Fabric Strategy Matures We Will Transition From Opportunistic and Project Level to Enterprise Level Security Policy Practice

[Figure: chart with Scope (Low to High) on the vertical axis and Time/Maturity (Low to High) on the horizontal axis, moving from Opportunistic to Enterprise. Items plotted:]
• Info Asset Classification Level 4
• Info Asset Classification Level 3
• Info Asset L2
• SB 583
• Digital Signatures
• Info Asset L1
• Integration
• Active Directory Group Policies
• Employee Security Policy
• ISBRA Security
• TIM/TAM Identity Management
• Transporting Info Assets
• Information Security Policy
• Controlling Removable Storage Devices
• Acceptable Use Policy
• ID Theft Training

Page 12: Security Fabric Strategy Road Map


Action Items and Implementation Dates

[Figure: timeline with a "Today" marker.]
• June 27, 2007: DAS 107-004-100 effective
• October 1, 2007: SB 583 (except Section 12) effective
• January 1, 2008: SB 583 Section 12 effective
• January 31, 2008: DAS 107-004-053 effective
• July 1, 2008: DAS 107-004-050 Level 4, Critical effective
• July 30, 2008: DAS 107-004-051 effective
• January 1, 2009: DAS 107-004-050 Level 3, Restricted effective
• July 1, 2009: DAS 107-004-050 Level 2, Limited effective
• July 30, 2009: DAS 107-004-052 effective

Legend:
• DAS 107-004-050 Information Asset Classification
• DAS 107-004-051 Controlling Portable and Removable Storage Devices
• DAS 107-004-052 Information Security
• DAS 107-004-053 Employee Security
• DAS 107-004-100 Transporting Information Assets
• SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act

Page 13: Security Fabric Strategy Road Map


Sustainable Security Practice Identification & Deployment: Requires a Broad Based Security Policy Governance Process

• Impacts to People, Process & Technology

• Security Services are Delivered Through Agency Initiatives or Projects

• Security Life Cycle Processes are supported by both Business and Information Services

• Development of Security Policy Response is Guided by a multi-unit team (Resource Work Collaboration Team)

• Communication & Training are required for people supporting each of the Sustainable Security Fabric lifecycle processes

• Governance Organization – Manage & monitor ongoing security agreements

[Figure: Iterative Sustainable Security Fabric Services Life Cycle. Policy Requirements: starts with DAS Security Policies & SB 583 business process requirements. Stages labelled in the figure: Design security service response; Construct security service; Test security service; Deploy security service; Operate / Monitor security service; Use/Reuse policy-driven service; Measure effectiveness; Process architectural review. A Service Repository supports the cycle.]

Page 14: Security Fabric Strategy Road Map


Next Steps

Apply a multi-phased approach to implement and maintain the Proposed Security Fabric

Phase 1:
• Conduct Management Awareness training by line of business
• Achieve resource commitment and sponsorship

Phase 2:
• Establish Security Task Force
• Hire Project Manager
• Establish deliverables
• Develop necessary policies, guidelines, procedures
• Develop Security Fabric Implementation Strategy
• Develop agency-wide communication/training plan

Phase 3:
• Implement Security Fabric
• Conduct agency-wide awareness and compliance training

Phase 4:
• Maintain Security Fabric

Page 15: Security Fabric Strategy Road Map


CIO Management Council Briefing

Security Fabric Strategy Road Map