Page 1

Security Design Review Process

November 30, 2016

Washington State Office of Cyber Security

Page 2

Agenda

• The Value of IT Security

• Why We do Security Design Reviews

• Streamlining the Process

• What’s New

Page 3

The Value of IT Security

• Reduce Business Risk

• Protect Reputation

• Reduce Cost

• Enable the Mission of the Agency

IT Security is a Business Issue, not an IT Issue

Page 4

IT Security is an enabler

The Value of IT Security

Page 5

“Agencies that operate some or all of their information systems outside of this (SGN) environment will still adhere to the IT security standards” (OCIO Standard No. 141.10)

Why We do Security Design Reviews

Risk doesn’t go away – it follows the data

Page 6

Manage acceptable risk to state government data and IT assets

Why we do them

Page 7

• How we share data

• How we protect data

• How we scope and assess risk

Why we do them

Provide a consistent approach to implementing security best practices

Page 8

Why we do them

Increasingly, security is a shared responsibility

Page 9

Why we do them

“Security at AWS is a shared responsibility between AWS and customers”

“We are asked this question a lot: 'What keeps you up at night?' What keeps us up at night in AWS security is the customer not configuring their applications correctly to keep themselves secure”

Page 10

Why we do them

Liability is not shared

Q. “Does having a BAA with Microsoft ensure my organization’s compliance with HIPAA and the HITECH Act?”

A. No. By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

From Microsoft HIPAA FAQ

Page 11

• Data Classification

• Data Flows

• Users

• How security controls will be implemented

What is Needed for a Design Review?

Page 12

Streamlining the Process

• Pre-approved cloud connectivity use cases

• Relying on standardized audits and certifications

• Focusing on high-consequence risks early

• Fast-tracking

Page 13

Pre-approved Cloud Use Cases

Speeds approval by using pre-approved cloud connectivity use cases

• Internet Only

• Agency Network extension

• Internet with Agency Network Extension

Page 14

Pre-approved Use Cases

Diagram: Internet with Agency Network Extension. Components shown: Internet, Account or Enrollment, CGW or Gateway, VPC or VNET, VPN, DMZ VRF, Agency-Cloud VRF, PE.

Agency Responsibilities:

• Logging and Log Analysis

• MFA for Administration Management

• Provide UTM Functionality (FW and IPS/IDS)

• Compliant End-User Authentication

• Proper Segmentation

Page 15

Audit and Certifications

Agencies can complete the entire checklist themselves, or they can rely on audits that have already been conducted:

• SOC 2 Type II

• ISO 27001

• FedRAMP (500 pages)

How Well is it Managed?

Page 16

“For all its benefits, FedRAMP only goes so far. The program certifies that CSPs have the capability to securely store data, but does not tackle the security of the data itself.”

Certifications Alone are not Enough

Page 17

Identify Major Risks Early

Page 18

Fast-tracking

Data category 1 and 2 projects can be fast-tracked, depending on risk

Diagram: risk factors considered are Data Classification, Integrity, System of Record, and Importance of the Information.

Page 19

When They are Required

OCIO Standard 141.10, “Securing Information Technology Assets”, Section 1.2.1

Page 20

How much do they cost?

Security Design Reviews are included as part of agencies’ security infrastructure allocation

Page 21

What’s New

• Office Hours at OCS: 9:00 – Noon every Tuesday

• Monthly Training: alternating Technical and Policy Workshops every 1st Thursday of the month

• Security Design Review SharePoint Customer Site: http://designreview.ocs.wa.gov

Page 22

Questions?