security lifecycle management
ISM in the ILM (Information Lifecycle Security Management)
Barry Caplin
Chief Information Security Officer
Minnesota Department of Human Services
May 18, 2006 10:00-11:00 a.m.
Secure360
Agenda
• DHS Overview
• Enterprise Security Strategy
• Build Security In?
• Information Lifecycle Security Management
MN DHS
• Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential
• Consumers include:
– seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
– families with children in a financial crisis
– parents who need child support enforcement or child care money
– people with physical or developmental disabilities who need assistance to live as independently as possible
MN DHS
Direct service through:
• DHHS – Deaf and Hard of Hearing Services
• SOS – State Operated Services includes
– RTC’s – Regional Treatment Centers, including St. Peter, Moose Lake
– Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)
– State-run group homes
– New community-based treatment centers
– State-run nursing home – Ah-Gwah-Ching
MN DHS
Administrations (Divisions):
• CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility
• Chemical and Mental Health Services
– including SOS
• Health Care Administration and Operations
• Continuing Care
• FMO – Finance and Management Operations – including Information Security, IT
MN DHS
• Programs are state-administered, county-delivered
– Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services
• One of the largest state agencies
• 2500 CO, 5000 SOS distributed staff
• State and Federal funding
Enterprise Security Strategy
Security Strategy - The 10000 Foot View
Information Security Governance Framework (COBIT Security Baseline)
– People
• Organization
• Awareness
– Technology
• Operations
• Architecture
– Enterprise High-Level Functions
• Information Risk Management
• Information Policy
• Information Lifecycle Management
• Process
Security Strategy
[Diagram: Governance; people (organization, awareness); technology (operations, architecture); IRM; Policy; ILM; Processes]
Security Strategy
[Diagram repeated: Governance, people, technology, IRM, Policy, ILM, Processes]
4 C’s
Confidence
Credibility
Communication
Compliance
Build Security In?
Build Security In
• What do we mean by this?
• Everyone says it… but how?
• https://buildsecurityin.us-cert.gov/portal/
Why Build Security In?
• Cost – “measure twice, cut once”
• Efficiency – build it “right” the first time
• Time – fixing problems later will likely delay production use
SDLC
• SEI-CMMI (formerly CMM) (http://www.sei.cmu.edu/cmmi/)
• IEEE and ISO 12207 standards (http://www.acm.org/tsc/lifecycle.html).
• Extreme Programming (http://www.xprogramming.com/, http://www.extremeprogramming.org/)
• On Wikipedia (http://en.wikipedia.org/wiki/Software_development_life_cycle)
Information Lifecycle Security Management
[Diagram: lifecycle phases Concept, Analysis, Design, Develop, Deploy, Operate, Major Release, Dispose, spanning the Software Development Lifecycle (SDLC) and the Maintenance Lifecycle]
[Diagram: security activities mapped onto the lifecycle phases: Business Requirements, Preliminary Risk Analysis, Business Impact Analysis, Privacy and Security Requirements, Security Signoff, BCP/COOP, Privacy and Security Mitigation Plans, Security Test Plans, Incident Response Plans, Security Signoff, IT Audit, BCP/COOP Testing & Maintenance]
Business Requirements
• A statement of the business problem or challenge the business area needs to solve
• Should not include recommended technical solutions
• Constraints/Assumptions
[Lifecycle phase: Concept]
Preliminary Risk Analysis
• Security Questionnaire
• Preliminary Privacy Analysis
• Preliminary Security Risk Analysis
• Risk Briefing
• Risk of not doing
[Lifecycle phase: Concept]
Privacy and Security Requirements
• Preliminary Privacy Assessment
• Preliminary Security Risk Assessment
• Privacy Requirements
• Security Requirements
• Preliminary Design Requirements
[Lifecycle phase: Analysis]
Words To Live By: “Minimum Necessary”
Business Impact Analysis
• Business/System Impact Analysis
[Lifecycle phase: Analysis]
Security Sign-Off
• Keys:
– Business Requirements received
– Requirements understood (by business area)
– Risks acknowledged
Privacy and Security Requirements
• Vendor Security Questionnaire
• Security Architecture Assessment
• Information Policy Analysis
• Risk Assessment (OCTAVE)
• HIPAA Assessment
• Detailed Design Requirements
• Project Security Roadmap & Required Doc List
[Lifecycle phase: Design]
Privacy and Security Mitigation Plans
• Detailed Security Architecture Design
• Design Review
• Security Risk Mitigation Plans
• Action Plan for compliance design
[Lifecycle phase: Design]
Business Continuity/Disaster Recovery
• Business Continuity Planning
• Disaster Recovery Planning
• Preliminary COOP (Continuity Of Operations Plan) Document
[Lifecycle phase: Design]
Security Test Plans
• Test Data Plans
• Security Testing Plan
• Security Testing
– Use/Abuse Cases
– Code Review Tools
• Vulnerability Assessment
[Lifecycle phase: Develop]
Incident Response Plans
• Incident Response Plans
• Final COOP
[Lifecycle phase: Develop]
Security Sign-Off
• Keys:
– Identified issues mitigated
– Assessments completed
– Security Requirements met
– Documentation completed
– BCP/COOP completed
Deploy
• Change Management
• Monitoring
IT Audit
• Security Policy Compliance Review (COBIT Audit Guideline)
[Lifecycle phase: Operate]
BCP/COOP Testing & Maintenance
• Plan Testing
• Plan Updates & Review
• BIA Updates
[Lifecycle phase: Operate]
Major Release
• What is a Major Release?
– Significant new functionality
– Code rewrites
– Significant architecture or design changes
• Site Dependent
• May require any/all ILSM steps
Information Disposal
• Measures based on:
– Business type
– Data classification
• Regulatory issues:
– PHI
– FTI
– Others…
[Lifecycle phase: Dispose]
Final Thoughts
• SMT buy in is critical
• Be consistent
• Advertise, advertise, advertise
Discussion?