AUSTIN, TEXAS
Agenda
3.27.2014
Attendees (Name / Organization / Represents)

Ken Palmquist        DIR
Ed Tjarks
Khatija Syeda
Fred Lawson
Darrell Bateman                     Article 3 (Education)
Jeff McCabe          Texas A&M      Article 3 (Education)
John Skaarup                        Article 3 (Education)
Richard Morse                       Article 4 (Judiciary)
Alan Ferretti
Miguel Scott
Angela Gower
Joshua Kuntz
Chad Lersch
Lon Bernquist        DIR            Policy
Christian Byrnes     Gartner        Private Sector
Mike Wyatt           Deloitte       Private Sector
Clarence Campbell                   Article 8 (Regulatory)
General Council
Program overview (diagram labels)

Functional areas: Protect, Detect, Respond, Recover

- Control Catalog
- Vendor Services Alignment
- Agency Security Plan Template
- Risk Mgmt Plan & Strategy
- Security Services
- Direct Elected Services
- Cooperative Contract Procurement Offerings
- Managed Services
- Agency Personnel Awareness
- Public Awareness
Functional areas and security objectives

- Identify
- Protect
- Detect: Malware Protection; Vulnerability Assessment; Security Monitoring and Event Analysis
- Respond
- Recover
Timeline

- Jul 2013: RFO published
- Oct 2013: Draft security plan template to SISAC Policy Subcommittee
- Jan 2014: Security plan template available to agencies
- Feb 28 2014: IS Working Group Meeting
- Oct 15 2014: Security plans to DIR from agencies
Framework comparison (table; columns: Texas Framework, National Framework, NIST 800-53, SANS Top 20 Controls; rows: Functional Areas / Control Family, Controls / Objectives, Sub Category; cell values as extracted, column assignment not recoverable: 18, 20, 40, 22, 243, 184, 98)
Maturity levels (DIR description and keywords)

Level 0 - None, Nonexistent
Level 1 - Ad-hoc, Initial: The organization has an ad hoc, inconsistent, or reactive approach to meeting the objective.
Level 2 - Managed, Consistent, Repeatable: The organization has a consistent overall approach to meeting the objective, but it is still mostly reactive and undocumented. The organization does not routinely measure or enforce policy compliance.
Level 3 - Compliant, Defined: The organization has a documented, detailed approach to meeting the objective, and regularly measures its compliance.
Level 4 - Risk-Based, Managed: The organization uses an established risk management framework to measure and evaluate risk and integrate improvements beyond the requirements of applicable regulations.
Level 5 - Efficient, Optimized, Economized: The organization has refined its standards and practices focusing on ways to improve its capabilities in the most efficient and cost-effective manner.
Basic Information

1. General Information
1 AGENCY NAME:
1.4 DEDICATED SECURITY STAFF:
1.5 DEDICATED SECURITY BUDGET:
Control activities

Agencies are asked to provide the controls they have in place for each security objective.

Template columns: FUNCTIONAL AREA | SECURITY OBJECTIVE | NIST FRAMEWORK MAPPING | RELEVANT CONTROL ACTIVITIES IN PLACE
Example row: Protect | Security Awareness and Training | PR.AT-1 | (blank)
Pattern Controls

DIR has provided pattern controls expected at each maturity level. They detail the processes at that level and are not focused on technology.

Level 2: Functions follow standards and can be consistently repeated.
PATTERN CONTROLS / PERCENT OF AGENCY AT LEVEL 2: 15%

Level 3: Functions follow standards that have been well defined in alignment with security requirements.
PATTERN CONTROLS / PERCENT OF AGENCY AT LEVEL 3: 85%
Effectiveness

Agencies at level 4 are asked to detail how they measure effectiveness.

Level 4: Functions are monitored and measured with oversight and assurance.
PATTERN CONTROLS / PERCENT OF AGENCY AT LEVEL 4: 20%
Efficiency

Similarly, at level 5, agencies are asked to detail how they measure efficiency of controls.

Level 5: Functions have a high level of efficiency and integration with IT or business processes.
PATTERN CONTROLS / PERCENT OF AGENCY AT LEVEL 5: 10%
Roadmap

Finally, agencies are asked to indicate their roadmap for the next 12 months. The Challenges section is a pull-down menu.

ROADMAP (What Steps Will The Agency Take In The Next 12 Months To Improve Its Maturity)
CHALLENGES TO IMPLEMENTATION
Control Objective

Control Activity
Security awareness training consists of PowerPoint presentations with testing, taken on an annual basis by all staff.

Roadmap
Control Objective
Processes used to ensure access to applications, servers, databases, and
network devices in the environment is limited to authorized personnel. Access is
to be limited to authorized users, processes acting on behalf of authorized users,
or authorized devices. Authorized users are further limited to the types of
transactions and functions that they are permitted to exercise. Session limits,
lockout features for failed login attempts, account expirations and disabling
unused accounts are controls that provide access control.
Control Activity
The organization is in the process of implementing an IAM system to ensure that access levels are role-based and that no shared accounts exist. Two-factor authentication is in the process of being deployed for high-risk systems.
Effectiveness
Annual audits

The agency's internal audit team reviews access control exception reports for compliance with agency policy annually.
The agency has a goal of disabling non-current accounts within 12 hours.
The agency has established a 99% effectiveness rate as a goal for all access control measures.
Efficiency
Annual audits
Roadmap
Continue implementing IAM as resources are available.

The agency will continue implementing IAM as resources are available. Once the IAM system is fully implemented (expected by Q4 of FY14), the agency will investigate using this system as a single sign-on tool for additional agency web-based applications.
Control Objective
Data classification provides a framework for managing data assets and information resources based on utility to the organization, intrinsic financial value, impact of loss and other associated risks. To apply the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations, data, whether electronic or printed, must be classified. The data owner should consult with the Information Security organization and legal counsel on the classification of data as Restricted, Confidential, Agency-Internal, or Public. Consistent use of data classification reinforces with users the expected level of protection of data assets in accordance with required security policies.

Data classification policies and processes are defined and repeatable. Across the organization, there is a common understanding of what the organization's most important and sensitive information is. Data owners have been identified for most information.

4. Data is managed by technology that requires classification as new data is created. Automated policies ensure data is consistently classified across the organization. Data classification monitoring is continuous, proactive and preventative, involving appropriate metrics. Resources are prioritized based on the classification / criticality / business value of hardware, devices, data, and software. Critical data has been de-duplicated to minimize the copies that must be inventoried.
Roadmap
Improve compliance with the data classification plan.

The agency has spent time and resources ensuring that PII and customer data is properly classified for business-critical systems. Over the next 12 months, the agency will expand the scope of its data classification project to ensure that all program areas comply with the data classification plan.
Appropriations
Focus resources
Build a common lexicon
Provide visibility during transitions