security lifecycle management

Post on 15-Jan-2015

Category:

Technology


ISM in the ILM (Information Lifecycle Security Management)

Barry Caplin
Chief Information Security Officer
Minnesota Department of Human Services

barry.caplin@state.mn.us

May 18, 2006 10:00-11:00 a.m.

Secure360

Agenda

• DHS Overview

• Enterprise Security Strategy

• Build Security In?

• Information Lifecycle Security Management

MN DHS

• Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential

• Consumers include:
  – seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
  – families with children in a financial crisis
  – parents who need child support enforcement or child care money
  – people with physical or developmental disabilities who need assistance to live as independently as possible

MN DHS

Direct service through:

• DHHS – Deaf and Hard of Hearing Services
• SOS – State Operated Services includes
  – RTCs – Regional Treatment Centers, including St. Peter, Moose Lake
  – Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)
  – State-run group homes
  – New community-based treatment centers
  – State-run nursing home – Ah-Gwah-Ching

MN DHS

Administrations (Divisions):

• CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility
• Chemical and Mental Health Services
  – including SOS
• Health Care Administration and Operations
• Continuing Care
• FMO – Finance and Management Operations – including Information Security, IT

MN DHS

• Programs are state-administered, county-delivered

– Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services

• One of the largest state agencies
• 2500 CO, 5000 SOS distributed staff
• State and Federal funding

Enterprise Security Strategy

Security Strategy - The 10000 Foot View

Information Security Governance Framework (COBIT Security Baseline)

– People
  • Organization
  • Awareness
– Technology
  • Operations
  • Architecture
– Enterprise High-Level Functions
  • Information Risk Management
  • Information Policy
  • Information Lifecycle Management
  • Process

[Diagram: Security Strategy. Governance framework showing People (organization, awareness), Technology (operations, architecture), IRM, Policy, ILM and Processes.]

Security Strategy: the 4 C’s

• Confidence
• Credibility
• Communication
• Compliance

Build Security In?

Build Security In

• What do we mean by this?

• Everyone says it… but how?

• https://buildsecurityin.us-cert.gov/portal/

Why Build Security In?

• Cost – “measure twice, cut once”

• Efficiency – build it “right” the first time

• Time – fixing problems later will likely delay production use

SDLC

• SEI-CMMI (formerly CMM) (http://www.sei.cmu.edu/cmmi/)

• IEEE and ISO 12207 standards (http://www.acm.org/tsc/lifecycle.html).

• Extreme Programming (http://www.xprogramming.com/, http://www.extremeprogramming.org/)

• On Wikipedia (http://en.wikipedia.org/wiki/Software_development_life_cycle)

Information Lifecycle Security Management

[Diagram: lifecycle phases Concept, Analysis, Design, Develop, Deploy, Operate, Major Release and Dispose, grouped into the Software Development Lifecycle (SDLC) and the Maintenance Lifecycle.]

Information Lifecycle Security Management

[Diagram: security deliverables mapped onto the phases Concept, Analysis, Design, Develop, Deploy, Operate and Major Release: Business Requirements, Preliminary Risk Analysis, Business Impact Analysis, Privacy and Security Requirements, Security Signoff, Privacy and Security Mitigation Plans, BCP/COOP, Security Test Plans, Incident Response Plans, Security Signoff, IT Audit, BCP/COOP Testing & Maintenance.]

Business Requirements (phase: Concept)

• A statement of the business problem or challenge the business area needs to solve
• Should not include recommended technical solutions
• Constraints/Assumptions

Preliminary Risk Analysis (phase: Concept)

• Security Questionnaire
• Preliminary Privacy Analysis
• Preliminary Security Risk Analysis
• Risk Briefing
• Risk of not doing

Privacy and Security Requirements (phase: Analysis)

• Preliminary Privacy Assessment
• Preliminary Security Risk Assessment
• Privacy Requirements
• Security Requirements
• Preliminary Design Requirements

Words To Live By: “Minimum Necessary”

Business Impact Analysis (phase: Analysis)

• Business/System Impact Analysis

Security Sign-Off

• Keys:
  – Business Requirements received
  – Requirements understood (by business area)
  – Risks acknowledged

Privacy and Security Requirements (phase: Design)

• Vendor Security Questionnaire
• Security Architecture Assessment
• Information Policy Analysis
• Risk Assessment (OCTAVE)
• HIPAA Assessment
• Detailed Design Requirements
• Project Security Roadmap & Required Doc List

Privacy and Security Mitigation Plans (phase: Design)

• Detailed Security Architecture Design
• Design Review
• Security Risk Mitigation Plans
• Action Plan for compliance design

Business Continuity/Disaster Recovery (phase: Design)

• Business Continuity Planning
• Disaster Recovery Planning
• Preliminary COOP (Continuity Of Operations Plan) Document

Security Test Plans (phase: Develop)

• Test Data Plans
• Security Testing Plan
• Security Testing
  – Use/Abuse Cases
  – Code Review Tools
• Vulnerability Assessment

Incident Response Plans (phase: Develop)

• Incident Response Plans
• Final COOP

Security Sign-Off

• Keys:
  – Identified issues mitigated
  – Assessments completed
  – Security Requirements met
  – Documentation completed
  – BCP/COOP completed

Deploy

• Change Management
• Monitoring

IT Audit (phase: Operate)

• Security Policy Compliance Review (COBIT Audit Guideline)

BCP/COOP Testing & Maintenance (phase: Operate)

• Plan Testing
• Plan Updates & Review
• BIA Updates

Major Release

• What is a Major Release?
  – Significant new functionality
  – Code rewrites
  – Significant architecture or design changes
• Site Dependent
• May require any/all ILSM steps

Information Disposal (phase: Dispose)

• Measures based on:
  – Business type
  – Data classification
• Regulatory issues:
  – PHI
  – FTI
  – Others…

Final Thoughts

• SMT buy-in is critical
• Be consistent
• Advertise, advertise, advertise

Discussion?
