TRANSCRIPT
Security Design Review Process
November 30, 2016
Washington State Office of Cyber Security
Agenda
• The Value of IT Security
• Why We do Security Design Reviews
• Streamlining the Process
• What’s New
The Value of IT Security
• Reduce Business Risk
• Protect Reputation
• Reduce Cost
• Enable the Mission of the Agency
IT Security is a Business Issue, not an IT Issue
IT Security is an enabler
The Value of IT Security
“Agencies that operate some or all of their
information systems outside of this (SGN)
environment will still adhere to the IT security
standards” OCIO Standard No. 141.10
Why We do Security Design Reviews
Risk doesn’t go away – it follows the data
Manage acceptable risk to state government
data and IT assets
Why we do them
• How we share data
• How we protect data
• How we scope and assess risk
Why we do them
Provide a consistent approach to implementing
security best practices
Why we do them
Increasingly, security is a
shared responsibility
Why we do them
“Security at AWS is a shared
responsibility between AWS
and customers”
“We are asked this question a lot:
'What keeps you up at night?'
What keeps us up at night in AWS
security is the customer not
configuring their applications
correctly to keep themselves
secure”
Why we do them
Liability is not shared
Q. “Does having a BAA with Microsoft ensure my organization’s compliance with HIPAA and the HITECH Act?”
A. No. By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it.
“Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
From Microsoft HIPAA FAQ
What is Needed for a Design Review?
• Data Classification
• Data Flows
• Users
• How security controls will be implemented
Streamlining the Process
• Pre-approved cloud connectivity use cases
• Relying on standardized audits and certifications
• Focusing on high-consequence risks early
• Fast-tracking
Pre-approved Cloud Use Cases
Speeds approval by using pre-approved cloud connectivity use cases
• Internet Only
• Agency Network extension
• Internet with Agency Network Extension
[Diagram: Internet use case; labels: Internet, Account or Enrollment, CGW or Gateway, VPC or VNET]
Pre-approved Use Cases
[Diagram: Internet with Agency Network Extension; labels: DMZ VRF, Agency-CloudVRF, PE, Proper Segmentation]
Agency Responsibilities:
• Logging and Log Analysis
• MFA for Administration Management
• Provide UTM Functionality (FW and IPS/IDS)
• Compliant End-User Authentication
• VPN
Audit and Certifications
Agencies can complete the entire checklist themselves, or they can rely on audits that have already been conducted:
• SOC 2 Type II
• ISO 27001
• FedRAMP (500 pages)
How Well is it Managed?
“For all its benefits, FedRAMP only goes so far. The program certifies that
CSPs have the capability to securely store data, but
does not tackle the security of the data itself.”
Certifications Alone are not Enough
Identify Major Risks Early
Fast-tracking
Data category 1 and 2 projects can be
fast-tracked, depending on risk
[Diagram: fast-tracking risk factors; labels: Data Classification, System of Record, Integrity, Importance of the Information]
When They are Required
OCIO Standard 141.10, “Securing Information
Technology Assets”, Section 1.2.1
How much do they cost?
Security Design Reviews are included as part of agencies’ security infrastructure allocation
What’s New
• Office Hours at OCS
  • 9:00 – Noon every Tuesday
• Monthly Training
  • Alternating Technical and Policy Workshops every 1st Thursday of the month
• Security Design Review SharePoint Customer Site
  • http://designreview.ocs.wa.gov
Questions?