slide 1 - vita: home
TRANSCRIPT
1
Commonwealth Information Security Officers Advisory Group (ISOAG) Meeting
JUNE 14, 2007
www.vita.virginia 1
2
WELCOME
Peggy Ward, VITA
www.vita.virginia 2
3
Happy Flag Day!
4
ISOAG June 2007 Agenda I. Welcome Peggy Ward, VITA
II. InfraGard Melissa McRae & Melissa Schuler, F.B.I.
III. Encryption Service Offering John Kissel, VITA
IV. Commonwealth Information Security Council Update!Encryption Committee Steve WerbyMaking Security an Executive Management PriorityJohn KarabaicSmall Agency Outreach John JenkinsIdentity and Access Management Patricia Paquette
V. RPB Data Center Move Larry Ellison, NG
VI. VITA IT Security Standard Technical Documentation Craig Luka, NG
VII. COV IT Security Standard Compliance Update Ed Miller, VITA
VIII. COV IT Security Policies, Standards and Guidelines Update Cathie Brown, VITA
IX. Information Risk Executive Council (IREC) Cathie Brown, VITA
X. Upcoming Events Peggy Ward, VITA
XI. Other Business Peggy Ward, VITA
InfraGard ProgramInfraGard ProgramPublic and Private Sector AlliancePublic and Private Sector Alliance
Protecting our Critical InfrastructureProtecting our Critical Infrastructure
66
A Brief History…A Brief History…
In 1996, FBI Cleveland Field Office cyber In 1996, FBI Cleveland Field Office cyber focused industry outreach initiative.focused industry outreach initiative.
In 1998, the FBI adopted the InfraGard In 1998, the FBI adopted the InfraGard program for NIPC private sector outreachprogram for NIPC private sector outreach
In 2003, the FBI Cyber Division was In 2003, the FBI Cyber Division was established and DHS formed taking NIPC established and DHS formed taking NIPC mission.mission.
Today, InfraGard is the FBI’s lead private Today, InfraGard is the FBI’s lead private and public sector information sharing tooland public sector information sharing tool
18,645 Members
77
“Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. These systems are so vital, that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.”
– William J. Clinton, 1998
Agriculture Banking/Finance Chemical Computer Security Defense
Emergency Service Energy Food Postal/Shipping
Public Health Transportation Telecommunication Water Supply
88
99
Cost of Capability
Availability of Capability
1955 1960 1970 1975 1985
Invasion
PrecisionGuided
MunitionsComputerStrategic
NuclearWeapons
Cruise Missile
Cyber Attack Cost & Means
1945 Today
MissilesICBM & SLBM
1010
The CyberWorld TodayThe CyberWorld Today
Immediately follow or Immediately follow or in conjunction with in conjunction with physical world eventsphysical world events
Becoming more Becoming more coordinated and coordinated and politically motivatedpolitically motivated
Don’t care about Don’t care about being detected or being detected or tracedtraced
Cyber Attacks:Cyber Attacks:
1111
Potential Sources of AttacksPotential Sources of Attacks
Terrorist GroupsTerrorist Groups
Targeted Nation-StatesTargeted Nation-States
Terrorist Sympathizers and Anti-U.S. Terrorist Sympathizers and Anti-U.S. HackersHackers
Thrill SeekersThrill Seekers
U.S. Hackers who need resourcesU.S. Hackers who need resources
1212
Cyber ThreatsCyber Threats
Unstructured ThreatsUnstructured Threats InsidersInsiders Recreational HackersRecreational Hackers
Structured ThreatsStructured Threats Organized CrimeOrganized Crime Industrial EspionageIndustrial Espionage
National Security National Security ThreatsThreats Intelligence AgenciesIntelligence Agencies Information WarfareInformation Warfare TerroristsTerrorists
1313
InfraGard Benefits InfraGard Benefits FBI Program vs Private SectorFBI Program vs Private Sector
Benefits
• Industry sector Subject Matter Experts• Initiation of new investigations• Early indication of sector specific attacks• Avenue to obtain feedback on intelligence• Ability to identify significant crime problems
• Trusted membership and Network of professionals• Timely/Non-public Intelligence Products• Secure forum to share information & discuss issues.• Avenue to provide positive intelligence• Ongoing relationship with the FBI
Also, It is “FREE!”
1414
InfraGard VPNHome Page
Graphic Unavailable for On-line Participants.
1515
InfraGard VPNAlerts & Advisories
Graphic Unavailable for On-line Participants.
1616
InfraGard VPNSpecific Critical Infrastructure Articles
Graphic Unavailable for On-line Participants.
1717
InfraGard VPNIT & Telecommunication Sector
Graphic Unavailable for On-line Participants.
1818
InfraGard VPNIT & Telecommunication Sector
Computer Security Articles
Graphic Unavailable for On-line Participants.
1919
InfraGard VPNIT & Telecommunication SectorCyber Threat Media Highlights
Graphic Unavailable for On-line Participants.
2020
InfraGard VPNMessage Board
Graphic Unavailable for On-line Participants.
2121
InfraGard VPNMessage Board
Topic: Computer Security
Graphic Unavailable for On-line Participants.
2222
InfraGard VPNResource Page
(DHS Open Source Reports, Presentations, etc…)
Graphic Unavailable for On-line Participants.
2323
InfraGard VPNDHS Daily Reports Page
Graphic Unavailable for On-line Participants.
2424
Special Interest Groups, e.g. Special Interest Groups, e.g. Research and TechnologyResearch and Technology
Partnerships, e.g. NIST & SBAPartnerships, e.g. NIST & SBA
Quarterly Meetings with valuable Quarterly Meetings with valuable speakersspeakers
Ability to Participate in FBI Citizen’s Ability to Participate in FBI Citizen’s AcademyAcademy
Other FeaturesOther FeaturesOther FeaturesOther Features
2525
InfraGard VPNSpecial Interest Groups
• Research and Technology InfraGard • Food/Agriculture InfraGard • Chemical InfraGard
Graphic Unavailable for On-line Participants.
2626
InfraGard VPNResearch and Technology InfraGard
Graphic Unavailable for On-line Participants.
2727
Partnership between: Partnership between: FBIFBI Small Business Administration (SBA) – assist small Small Business Administration (SBA) – assist small
businessesbusinesses National Institute of Standards and Technology National Institute of Standards and Technology
(NIST) – World leader in Information Security (NIST) – World leader in Information Security GuidelinesGuidelines
GoalGoal Provide Security Workshops poised to deliver Provide Security Workshops poised to deliver
information security training to the small business information security training to the small business community like no other. community like no other.
SBA/NIST/FBISBA/NIST/FBISBA/NIST/FBISBA/NIST/FBI
2828
How you can help as How you can help as IT Security ProfessionalsIT Security Professionals
Develop and implement security policies and Develop and implement security policies and procedures.procedures.
Know what you want to protect, and who will do it.Know what you want to protect, and who will do it.
Build some walls…Build some walls… Create a perimeter and guard it (routers, firewalls, IDS). Then, check Create a perimeter and guard it (routers, firewalls, IDS). Then, check
the guards (audit policy).the guards (audit policy).
Educate your users.Educate your users. The importance of security (personal & corporate data), strong The importance of security (personal & corporate data), strong
passwords, encryption, etc.passwords, encryption, etc.
2929
How you can help (Cont’d)How you can help (Cont’d)
BannersBanners Put people on notice. You ARE watching!Put people on notice. You ARE watching!
Employee AgreementsEmployee Agreements
Then:Then: LOG, LOG, LOG!LOG, LOG, LOG! MONITOR, MONITOR, MONITOR!MONITOR, MONITOR, MONITOR! TEST, TEST, TEST!TEST, TEST, TEST!
OK…OK…The Policies The Policies are in Place, the are in Place, the
Perimeter is Built, Perimeter is Built, and the Network is and the Network is
Secure!Secure!
What If They Sneak Through?What If They Sneak Through?
But…
3131
Respond quickly and without fail.Respond quickly and without fail.
Have key response personnel predetermined.Have key response personnel predetermined.
Consider content monitoring of the attack.Consider content monitoring of the attack.
Backups:Backups: Create backups of altered/damaged files, Create backups of altered/damaged files, LOGSLOGS.. Secure backups of original stateSecure backups of original state
Determine the cost of the attack.Determine the cost of the attack. Repairs, replacement, personnel, consultants, lost Repairs, replacement, personnel, consultants, lost
“business”.“business”.
Consider contacting the FBIConsider contacting the FBI
If They Sneak Through…If They Sneak Through…
Intrusion cases are already Intrusion cases are already won or lost long before law won or lost long before law
enforcement arrivesenforcement arrives
3333
versus
PotentialLoss
ProtectionCosts
Making the Right InvestmentMaking the Right Investment
3434
What the FBI can DoWhat the FBI can Do
Combine technical skills and investigative Combine technical skills and investigative experienceexperienceProvide national and global coverageProvide national and global coverageProvide long-term commitment of resources.Provide long-term commitment of resources.Apply more traditional investigative techniquesApply more traditional investigative techniquesPerform pattern analysisPerform pattern analysisIntegrate law enforcement and national security Integrate law enforcement and national security concerns.concerns.Establish a deterrent effect…even if the Establish a deterrent effect…even if the hacker/intruder is not prosecutedhacker/intruder is not prosecuted
CYBER CRIME IS THE FBI’S #3 PRIORITY
3535www.InfraGard.net
Federal Bureau of InvestigationFederal Bureau of Investigation
Richmond, VirginiaRichmond, Virginia
(804) 261-1044(804) 261-1044
www.InfraGard.netwww.InfraGard.net
Disk Encryption Overview
PC Hard drive EncryptionRated Service Price Offering
John Kissel, VITA June 14, 2007
38
Disk Encryption Overview
Agenda
• Review
• Service Offering Rate
• Product Feature Summary
• Preliminary Configuration settings
• Status
39
Disk Encryption Overview
Rated Service Offering• Monthly rate
– Approx $17.00 per encrypted PC Windows desktop/laptop/tablet
• Added to the current per unit rate
– Includes deployment and recurring support
• Deployment
– Applies to devices being refreshed during the scheduled refresh initiative as well as those devices not requiring refresh during the scheduled refresh initiative.
– Does not apply to legacy devices requiring encryption prior to the scheduled refresh initiative.
• Recurring support
– Applies to ALL devices that NG encrypts
40
Disk Encryption Overview
Hard Drive Encryption - Service Offering
ItemDuring
Desktop Refresh
After Desktop Refresh
Software Product license ■ ■ ■
Product Client Access License(s) ■ ■ ■Technical Services Testing
Functionality testing ■ ■ T&MImage development ■ ■ T&M
package creation ■ ■ T&Mpackage creation 2 ■ ■ T&M
hardware compatability testing ■ ■ T&Muse scenerios ■ ■ T&M
Deployment testing ■ ■ T&MTraining
Site Support ■ ■ T&M Helpdesk ■ ■ T&M End user ■ ■ T&M
Comunications ■ ■ T&MDeployment
Deployment planning ■ ■ T&MDeployment preparation ■ ■ T&M
Deployment execution ■ ■ T&M
Software Product License maintenance ■ ■ ■ ■Client Access License Maintenance ■ ■ ■ ■
Technical Support Helpdesk (first call resolution) ■ ■ ■ ■Tier 2 support ■ ■ ■ ■
Maintenance ■ ■ ■ ■
Prior to Desktop Refresh
No
n-R
ecu
rrin
gR
ecu
rrin
g
Category
41
Disk Encryption Overview
General Assumptions
• Degraded Desktop/Laptop performance during system startup may be realized.
• Increase in Helpdesk support calls is anticipated.
• Increase in support/administration effort.
– Extended system recovery times
• Implementation
– Desktop/Laptop preparation tasks must be performed
– All support calls will routed to the VCCC
– Encryption will be performed as part of the desktop refresh schedule
42
Disk Encryption Overview
Procedures for Ordering
• If you choose not to wait for Transformation a RFS needs to be completed to request this service
• If you choose to wait for transformation it will be discussed at your kickoff meeting.
43
Commonwealth Information Security Council
Peggy Ward, VITA
Encryption CommitteeEncryption CommitteeJesse Crim (VCU)Jesse Crim (VCU)John Palese (DSS)John Palese (DSS)
Michael McDaniel (VRS)Michael McDaniel (VRS)Tripp Simms (VITA/NG)Tripp Simms (VITA/NG)
Steve Werby (DOC)Steve Werby (DOC)
4545
Encryption Committee - GoalsEncryption Committee - Goals
Survey agencies – IT and business perspectiveSurvey agencies – IT and business perspective Questionnaire to aid agencies in determining Questionnaire to aid agencies in determining
encryption needs and solutionsencryption needs and solutions Develop plan for educating usersDevelop plan for educating users Develop best practicesDevelop best practices Recommend solutions, preferably enterpriseRecommend solutions, preferably enterprise Develop end user training planDevelop end user training plan
Making Security an Executive Management Priority
Committee Members
John Karabaic, DMASJoe Hubbell, Va. LotteryShirley Payne, U.Va.
47
Ideas To Date
• Make recommendations for executive security awareness events, either standalone or as riders on other planned executive-level events such as a previous 2-day workshop on COOP.
• Solicit effective executive security awareness practices from agencies and present these as models other agencies might follow.
48
Ideas To Date - continued
• Collect and make available canned security awareness presentations tailored for executives.
• Form a speakers bureau of ISO/boss teams willing to give presentations to agency executives within their secretariat.
Interested in volunteering?
Contact Shirley [email protected]
50
Small Agency Outreach
Current Members Robert Jenkins (DJJ) Aaron Mathes (OAG) Goran Gustavsson (APA) Ross McDonald (DSS) Bob Auton (DJJ) Doug Mack (DJJ)
51
Small Agency Outreach
Contact & survey small agencies and benchmark were they are in the process Develop pool of available talent available to work in a shared service capacity to
provide Audit functions to Small Agencies Measure Small Agencies with Audit capabilities versus those without this
function Develop “Canned Solutions” i.e. quick fixes using best practices from those with
success in the areas such as policy, practice or procurement. Develop tool for communications such as a message board that has shared access. Create network of Subject Matter Experts (SME) to offer advice and guidance.
ARMICS and implementation options Resources to talk with Agency Management who may be reluctant or
unfamiliar with required actions needed for compliance matters VITA IT Security Policies and Standards (Business Impact Analysis, Risk
Assessment, Breaches/Detections, etc.) Other IT Services, such as possible tests/reviews/audits
52
Small Agency Outreach
Volunteers are welcome! If interested, contact Robert Jenkins 804-786-1608 [email protected]
Identity and Access Management and
Account Management
Committee Members
Patricia Paquette – DHP, [email protected] Garner – Tax, [email protected] Greenberg – DMV, [email protected] Rappe – ABC, [email protected] Batista, DMV, [email protected] McPherson, DSS, [email protected]
54
Identity and Access Management and
Account Management
“An identity management solution should not be made up of isolated silos of security technologies, but rather, consist of well integrated technologies that address the spectrum of scenarios in each stage of the identity life cycle.”
Frederick ChongMicrosoft Corp.
55
Identity and Access Managementand
Account Management
Goal - establish a secure and effective methodology focused on identification and authentication across the Commonwealth Standard process which includes:
Registering or identifying users Establishing roles and accounts Issuing credentials Using the credential, and Record keeping and auditing.
56
IT Infrastructure Transformation – RPB Mainframe and Server Move
Richmond Plaza Building Data Center Move
Larry Ellison, NG
57
IT Infrastructure Transformation – RPB Mainframe and Server Move
Mainframe and Server Move Overview
• Mainframe Environment Profile– More system to system interaction
– Larger foot-print with multiple partitions per physical system
– Diverse user group
• Mainframe Environment Move and Test Approach– Duplication of hardware at CESC (buy new)
– Isolated Test environment at CESC to provide extended test window
• Server Environment Profile– More system isolation (Agency specific apps)
– Smaller foot-print (Isolated UNIX/Windows systems)
– Agency specific user group
• Server Environment Move and Test Approach– VLAN Extension approach (RPB to CESC)
– Disconnect/move/reconnect of hardware from RPB to CESC (physical or virtual)
– Unit testing of systems and applications prior to disconnect/move/reconnect
58
IT Infrastructure Transformation – RPB Mainframe and Server Move
Mainframe Move and Test Strategy for CESC(Isolated Test Environment)
• Replicate RPB Internal Network (LAN) at CESC (~ 280 devices)
• Replicate all IBM, UNISYS, Prime-Power, and related hardware required for full application testing
• Replicate key Windows and UNIX servers required to support the Mainframe Test environment
• Provide isolated external connectivity to the CESC Test Environment from key agency locations (VPN or other dedicated connections)
• Test environment available for 60-90 days to facilitate full Operational Readiness and Application Regression testing of the environment, from isolated locations
• Maintain the same IP Addresses across the entire Mainframe environment
• Requires key Agencies to provide a dedicated/isolated test lab with dedicated link from Agency location to CESC, for testing
• Supports Connectivity Testing from remote locations during planned weekend maintenance windows
• Multiple Mock Cutover Tests prior to final Go-Live
59
IT Infrastructure Transformation – RPB Mainframe and Server Move
CESC Isolated Mainframe Test EnvironmentOperations and Application Testing
(7/15 – 10/28)
CESC Data CenterRPB Data Center
Data ReplicationAs needed
Data ReplicationAs needed
Production Agency Locations
IBMTape 2
EMCCenteraTape 2
DMX20002
IBMMainframe
UnisysMainframe
SharedDASD
Servers
EMCCenteraTape 1
DMX20001
IBMMainframe
UnisysMainframe
IBMTape 1
SharedDASD
ServersData Replication
As needed
Isolated Key Agency Locations
App ServersFor Testing
ProductionApp Servers
Isolated Key Agency Locations
60
IT Infrastructure Transformation – RPB Mainframe and Server Move
CESC Isolated Mainframe Test EnvironmentConnectivity and Cutover Testing
(Selected Weekends from 7/15 – 10/28)
CESC Data CenterRPB Data Center – Offline during testing
Data Replication
Data Replication
Production AgencyLocations
IBMTape 2
EMCCenteraTape 2
DMX20002
IBMMainframe
UnisysMainframe
SharedDASD
Servers
EMCCenteraTape 1
DMX20001
IBMMainframe
UnisysMainframe
IBMTape 1
SharedDASD
ServersData Replication
App ServersFor Testing
ProductionApp Servers
Isolated Key Agency Locations
Isolated Key Agency Locations
61
IT Infrastructure Transformation – RPB Mainframe and Server Move
Mainframe Test Objectives for CESC(Isolated Test Environment)
• Operations Testing
– All systems will IPL/Boot and communicate with peripherals
– Administrative functions (Monitoring and Management) operate as expected
– Data replication between CESC and RPB functions properly
– Internal CESC Network (LAN) and Firewalls function properly
– Print Infrastructure Functions Properly
– Tape Backup Infrastructure functions properly
– Control-M Infrastructure functions properly for support of Batch operations
– Point-to-point connections function properly
• Application Testing
– Applications will initiate and connect with database(s)
– Applications will update data and print reports as expected
– Regression test of all applications components on the Mainframe systems
• Network Connectivity Testing
– Controlled testing of external connectivity to CESC from remote sites
– Scheduled during pre-defined weekend Maintenance Periods from August – October
62
IT Infrastructure Transformation – RPB Mainframe and Server Move
Tentative Testing and Cutover Timeline
ID Task Name Start FinishMay 2007 Jun 2007 Jul 2007 Aug 2007 Sep 2007 Oct 2007 Nov 2007
5/20 5/27 6/3 6/10 6/17 6/24 7/1 7/8 7/15 7/22 7/29 8/5 8/12 8/19 8/26 9/2 9/9 9/16 9/23 9/30 10/7 10/14 10/21 10/28 11/4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
7/15/20075/15/2007Design test environment
8/5/20076/1/2007Build test environment
7/20/20076/8/2007Build Test Plans
10/28/20077/2/2007Operations Testing
10/28/20077/16/2007Application testing
8/5/20078/5/2007Network Connectivity Test 1
8/19/20078/19/2007Network Connectivity Test 2
9/3/20079/1/2007Mock cutover 1
9/16/20079/16/2007Network Connectivity Test 3
10/11/200710/9/2007Mock Cutover 2
10/28/200710/26/2007Mock Cutover 3
11/2/200710/29/2007Review and Signoff
11/9/200711/5/2007Final Cutover Prep
11/12/200711/12/2007Go Live
63
IT Infrastructure Transformation – RPB Mainframe and Server Move
Mainframe Move Risk Mitigation
• Standup of an Isolated Test Environment – Replicate mainframe hardware and software infrastructure
– Replicate servers running tier 2 applications that interface with mainframes
– Replicate DASD and Tape storage infrastructure and data via high speed data links
– Create network that will support simultaneous dual access for large agencies (RPB and CESC)
– Replicate security environment including current complex firewall controls
• Detailed Analysis of entire infrastructure at RPB
– Application components
– Network components
– Server and Mainframe components
• Extended Test Period
– Provide agencies with at least 60 days to complete application testing
– Extended timeframe provides the opportunity for multiple test phases
– Mock move weekends have been scheduled and are designed to accommodate thorough integration testing of complex, interdependent applications
– Risk will be significantly mitigated through agencies having continuous access to a dedicated test environment rather than only a series of mock move tests over weekends
64
IT Infrastructure Transformation – RPB Mainframe and Server Move
Mainframe Move Risk Mitigation (continued)
• Command Center – Provides a rapid response team to quickly address problems that surface during testing
– Staffed with operations, network, systems, and sub-system support specialists
– Support will be available 24 hours a day and weekends
• Test Coordination Support
– NG/VITA testing coordination teams will be assigned to each key mainframe using agency
– Test coordinators will work directly with Agency staff to jointly development test plans for each mainframe application
– Weekly reporting of testing progress by agency and associated applications will be generated and shared with agency managers
• Fallback Contingency – RPB processing infrastructure will remain intact for at least 2-3 weeks following the move
to provide fall-back capability
– Dual network access environment will remain intact for at least 2-3 weeks following the move to provide fall-back capability
• Freeze/limit Hardware/software changes during test/move window
65
IT Infrastructure Transformation – RPB Mainframe and Server Move
Communication Plan Overview
• Comprehensive CH/COMM Plan to include email communications and supporting documentation
• Overview, Kick-Off and monthly meetings with each affected Agencies – Start June 7
• Detailed Planning Meetings with Agency Application Teams to develop test scenarios – (6/15 – 8/15)
• Checkpoints and signoffs in plan for agreement to start test planning, agreement that test plans are complete, application testing is complete and approval is given to move
• Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire test window – (7/15 – 10/28)
• Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and the Agency
• 24x7 Command Center setup before, during, and post move/cutover
– Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)
– Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as needed)
– Representation by Network, Security, Mainframe, Server, Applications, etc
66
IT Infrastructure Transformation – RPB Mainframe and Server Move
Application Testing Coordination
AgenciesInvolved inIsolated
TestEnvironment
Mainframe
Server
Network
Security
VITA TestCoordinators
Test CoordinatorApplication SpecNetwork Spec for
each agency
AgenciesInvolved inIsolated
TestEnvironment
AgenciesInvolved inIsolated
TestEnvironment
AgenciesInvolved inIsolated
TestEnvironment
67
IT Infrastructure Transformation – RPB Mainframe and Server Move
Agency Application Test Responsibilities• Assign dedicated resources and participate in detailed planning process - (starting June
15)– Assign dedicated resources to participate in the test activities
– Identify applications that need to be tested in isolated test environment
– Identify servers in RPB that would need to be included in isolated test environment in CESC to enable application testing
– Provide acceptable dates for tests and cutover
• Responsible for Application Freeze (7/15 – 11/12) – Commitment to Break-Fix only during the test window
– Joint approval (Agency, Current Ops, Transformation, VITA) for any additional changes that are required
– Participation in special CCB process for review of any proposed changes during test window
• Provide isolated test environment at Agency that will connect directly to isolated test infrastructure at CESC – (available by 7/15)
– Dedicated PC’s in a training room or test lab recommended
– Alternate methods for access to test environment directly from users workstations is being investigated
• Conduct all application tests – (from 7/15 – 10/28)
• Participate in cutover tests and verify network connectivity
68
IT Infrastructure Transformation – RPB Mainframe and Server Move
Test and Move Coordination Roles
Agency Test Coordinators Field Operations Agency Application
SBE Kevin Kelley Mike Elliott Beth Nelson
DHRM Kevin Kelley TBD Steven Hastey
DSS Kevin Kelley Wayne Kniceley Harry Sutton
VRS Kevin Kelley Donald Garrett (Agency) Donald Garrett
VADOC Karen Lusk Karen Hardwick Geoff Lamberta
DMV Karen Lusk Bob Tingle Will Burke
VEC Karen Lusk Dave Thompson Victoria Caplan
VDH Karen Lusk Kenny White TBD
DOA/TRS Danny Wilmoth Wendy Hudson James Moore
DPB Danny Wilmoth David Allen Jowjou Hamilton
TAX Danny Wilmoth Cathy Franklin TBD
SCB Danny Wilmoth Richard Walls Anne Wilmoth
SCC Thomas Williams Blair Kirtley (Agency) Blair Kirtley
VDOT Thomas Williams Scot Jones Ray Haynes
VDACS Thomas Williams Kathy Ange Jerry Allgeier
69
IT Infrastructure Transformation – RPB Mainframe and Server Move
Server Transformation and MoveAgenda
• Server Transformation Introduction
• Server Move Approach and Test Strategy
• Server Test Objectives
• High level Move and Cutover schedule
• Managing Risk
• Communication Plans
• Agency Responsibilities
• Questions
70
IT Infrastructure Transformation – RPB Mainframe and Server Move
Server Move and Test Strategy for CESC• Virtualize as many servers at RPB to facilitate the move process and reduce risk
• Consolidate multiple SAN/Disk system at RPB onto a single SAN/Disk Platform
• Replicate the data on this consolidated SAN/Disk system from RPB to CESC
• Replicate RPB Internal Network (LAN) at CESC (~ 280 devices)
• Extend VLAN’s from current RPB Network Infrastructure to CESC
• Replicate EBARS Backup Environment at CESC
• Servers will be placed in either PODS or Standard Racks at CESC based on specific hardware, power, and cooling requirements
• We will maintain the same IP Addresses across the entire Server environment
• A two phased cutover approach will be utilized– Phase-1 is the movement of the servers onto an extended VLAN at CESC (located at CESC, but still part of the RPB LAN)
– Phase-2 requires servers be switched from the extended VLAN to a the local VLAN at CESC
• Servers will be moved in logical groups, based primarily on agency usage (VDOT, DEQ, GOV, etc,)
• Whenever possible Operation and Application Testing will be performed using the virtual server infrastructure to replicate systems from RPB to CESC
• In some instances duplicate server hardware will be purchased for CESC to facilitate Operation and Application Testing at CESC
71
IT Infrastructure Transformation – RPB Mainframe and Server Move
RPB to CESC Server MovePhase-1 : Relocation
CESC Data CenterRPB Data Center
Current ProductionNetwork
SharedSAN/DISK
PIXFW
JuniperFW
6506
New Production Network
6506OutsideSwitches
65066509Inside
Switches
ServerFarm
4507CampusSwitch
Chk PointFW
OldSAN/DiskOld
SAN/DiskOldSAN/DiskOld
SAN/DiskOldSAN/DiskOld
SAN/DiskOldSAN/Disk
SharedSAN/DISK
NewFW
NewFW
6506NewOutsideSwitches
6506NewInside
Switches
ServerFarm
NewCampusSwitch
NewFW
Replicate DataTo CESC
Extend ServerVLANs
ConsolidateDisk at RPB
Virtual andPhysical
Server Moves
Core Network
PRODUCTION
Core Network
TEST ONLY
Servers are moved inGroups to CESC but are still using the network infrastructure at RPB
72
IT Infrastructure Transformation – RPB Mainframe and Server Move
RPB to CESC Server MovePhase-2 : Network Swap
CESC Data CenterRPB Data Center - Offline
Current ProductionNetwork
SharedSAN/DISK
PIXFW
JuniperFW
6506
New Production Network
6506OutsideSwitches
65066509Inside
Switches
4507CampusSwitch
Chk PointFW
SharedSAN/DISK
NewFW
NewFW
6506NewOutsideSwitches
6506NewInside
Switches
ServerFarm
NewCampusSwitch
NewFW
Data Replicationdirection is switchedto go from CESC backto RPB in preparationfor DR at SWESC
Core Network
OFFLINE
Core Network
PRODUCTION
VLAN ExtensionsAre dropped
Servers are running atCESC and are now usingthe full network infrastructureat CESC
Old SAN/Disk arraysare no longer needed
73
IT Infrastructure Transformation – RPB Mainframe and Server Move
Server Test Objectives for CESC
• Operations Testing– All systems will Boot and communicate with peripherals
– Administrative functions (Monitoring and Management) operate as expected
– Data replication between CESC and RPB functions properly
– VLAN Extension from RPB to CESC Network (LAN) and Firewalls function properly
– Print Infrastructure Functions Properly
– Tape Backup Infrastructure functions properly
– Control-M Infrastructure functions properly for support of Batch operations
– Point-to-point connections function properly
• Application Testing– Applications will initiate and connect with database(s)
– Applications will update data and print reports as expected
– Regression test of all applications components on the Mainframe systems
• Network Connectivity Testing– External access to Agency locations functions properly
– Access from RPB to CESC over extended VLAN functions properly
74
IT Infrastructure Transformation – RPB Mainframe and Server Move
Testing and Cutover Timeline (Notional)
ID Task Name Start FinishMay 2007 Sep 2007Aug 2007Jun 2007 Oct 2007Jul 2007
8/19 9/9 9/167/8 9/30 10/79/26/10 7/15 8/127/1 8/56/35/20 8/266/17 9/236/24 10/145/27 7/297/22
1 5/23/20075/15/2007Finalize Rack and Power Requirements
2 7/28/20075/23/2007Obtain additional network hardware for CESC
5 8/15/20076/15/2007Agency staff on board for review and testing
6 8/3/20076/3/2007VLAN Extension to CESC
12 9/3/20076/17/2007Server Group 3
7 8/3/20076/3/2007EBARS standup at CESC
4 6/28/20076/3/2007Communication and Review with Agency
3 5/31/20075/23/2007Review Plan with Current Operations
8 8/3/20076/3/2007SAN Standup at CESC
9 9/17/20076/10/2007Additional discovery with App Team and CO
10 8/12/20076/10/2007Server Group 1
11 8/25/20076/10/2007Server Group 2
17
13 9/17/20076/17/2007Server Group 4
11/12/200711/9/2007Final Network Cutover
Nov 2007
10/21 10/28 11/4
16
14 10/1/20076/24/2007Server Group 5
15 10/15/20076/24/2007Server Group 6
10/29/20076/24/2007Server Group 7
75
IT Infrastructure Transformation – RPB Mainframe and Server Move
Server Move Group Summary
• Server Group-1 : DFP, DCG, SBE , 25 servers
• Server Group-2 : DEQ, VDH, DPB, DCJS, 83 servers
• Server Group-3 : DGS, 124 servers
• Server Group-4 : GOV, DOF, VDACS, VGIN, 76 servers
• Server Group-5 : TAX, DSS, VEC, 112 servers
• Server Group-6 : VITA Group-1, 132 Servers
• Server Group-7 : VITA Group-2, 132 Servers
76
IT Infrastructure Transformation – RPB Mainframe and Server Move
Server Move Group Detail
Agency IsolatedRelo Start
Relo Complet
e
Pod Candidat
eWintel
Wintel Blade
Non-Wintel
RPB Location - Racks VLAN Information
DFP X 11-Aug 12-Aug Y 2 0 0 166 58DCG X 11-Aug 12-Aug Y 4 0 0 160 303SBE 11-Aug 12-Aug Y 19 0 0 130, 131 59, 61
DEQ X 25-Aug 26-Aug N 7 40 1 68, 70, 72 16VDH 25-Aug 26-Aug Y 13 0 0 146 14DPB 25-Aug 26-Aug N 13 0 0 148, 149, 150 3, 66DCJS 25-Aug 26-Aug N 9 0 0 157, 158, 159 10
DGS X 1-Sep 3-Sep Y 124 0 0
141, 142, 143, 144, 151, 152, 153, 154, 155, 176, 178, 179 3, 5, 9. 48
GOV X 15-Sep 16-Sep N 32 0 0 137, 139, 180 52DOF 15-Sep 16-Sep Y 3 0 0 172 242VGIN 15-Sep 16-Sep Y 18 0 0 130, 172 242
VDACS X 15-Sep 16-Sep N 16 0 7 162, 163, 164, 165 106
TAX 6-Oct 8-Oct N 51 0 16
97, 98, 99, 107, 108, 111, 112, 115, 116, 118, 123, 169,177 15, 30, 40
DSS 6-Oct 8-Oct Y 16 0 0 170, 171 155
VEC 6-Oct 8-Oct Y 28 1 0 103, 104, 105 106, 181 31, 33, 40
VITA13-Oct27-Oct
14-Oct28-Oct Both 142 98 24
19, 21, 23, 94, 95, 109, 110, 113, 114, 124, 125, 126, 127, 128, 132, 133, 134, 135, 136, 167, 168, 185
3, 8, 14, 15, 30, 31, 33, 34, 38, 50, 51, 52, 56, 57, 59, 61, 63, 90, 97, 101, 103, 109, 115, 120, 121, 153, 155, 156, 157, 158, 159, 160, 161, 162, 163, 230, 234, 242, 247, 990, 993, 994, 995, 998
Total 497 139 48
77
IT Infrastructure Transformation – RPB Mainframe and Server Move
Server Move Risk Mitigation
• VLAN Extensions
– Minimizes level of network and security changes required for the move to CESC
– Allows NG and the Agency to stage and pre-test selected Dev and/or Test servers PRIOR to moving production systems
• Migration of Current Systems
– Minimizes level of system changes required for the move to CESC
– Minimizes complexity of having to re-rack systems
– All required cables (Network, SAN, etc) can be pre-installed and tested prior to moving the systems to CESC
• System Virtualization
– Provides enhanced pre-move testing capabilities
– Minimizes system/application downtime during the move to CESC
– Provides quick, easy fall-back
78
IT Infrastructure Transformation – RPB Mainframe and Server Move
Server Move Risk Mitigation (continued)
• Stand-by Hardware
– Mission Critical application hardware can be made available if hardware problems arise due to move related issues
• Tax related HP-UX hardware is an example of some of the systems that are being considered for stand-by hardware
– Any x86 server can have a stand-by virtual server in-place at both data center locations
• Move Specialists
– All system packaging, pre and post move verifications will be performed by hardware vendor Customer Engineers
• Customer Engineers (CE’s) are the vendor employees who are dispatched to diagnose and resolve hardware related issues as part of warranty and maintenance support services
– Representatives for each vendor will be either on-site or on-standby
• Move VITA last so that server move process is refined with smaller move groups
79
IT Infrastructure Transformation – RPB Mainframe and Server Move
Communication Plan Overview
• Comprehensive CH/COMM Plan to include email communications and supporting documentation
• Overview, Kick-Off and monthly meetings with each affected Agency – Start June 7
• Detailed Planning Meetings with Agency Application Teams to develop test scenarios – (6/15 – 8/15)
• Checkpoints and signoffs in plan for agreement to start test planning, agreement that test plans are complete, application testing is complete and approval is given to move
• Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire test window – (7/15 – 10/28)
• Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and the Agency
• 24x7 Command Center setup before, during, and post move/cutover
– Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)
– Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as needed)
– Representation by Network, Security, Mainframe, Server, Applications, etc
80
IT Infrastructure Transformation – RPB Mainframe and Server Move
Agency Application Test Responsibilities
• Participate in Planning Process
– Identify applications that need to be tested on each server
– Provide acceptable dates for tests and cutover and confirm downtime windows
• Provide Agency resources to participate in application testing pre-move as well as during the actual cutover
• Prepare test scripts and desired test results for application tests
• Conduct application tests for validation of the move
• Participate in cutover tests and verify network connectivity
• Agency acceptance sign off
81
IT Infrastructure Transformation – RPB Mainframe and Server Move
Test and Move Coordination Roles
AgencyTentative Relocation Weekend
TransformationCurrent Operations
Agency Application
Team
Primary HP Assignee
Secondary HP Assignee
SBE 11-Aug Bob Reviea Mike Elliott TBD Tao Tao Terry Miller
VDFP 11-Aug Brian Welliver TBD TBD Terry Miller Tom Springer
DCG 11-Aug Don Morgon TBD TBD Tom Springer Tao Tao
DEQ 25-Aug Brian Welliver Dan Gayk TBD Terry Miller Tom Springer
VDH 25-Aug Don Morgon Kenny White TBD Tom Springer Terry Miller
DCJS 25-Aug Bob Reviea TBD TBD Tao Tao Tom Springer
DPB 25-Aug Bob Reviea TBD TBD Tao Tao Terry Miller
DGS 1-Sep Don Morgon Barbara Garnett TBD Tom Springer Tao Tao
GOV 17-Sep Bob Reviea Barbara Garnett TBD Tao Tao Terry Miller
DOF 17-Sep Brian Welliver TBD TBD Terry Miller Tom Springer
VDACS 17-Sep Don Morgon Brenda Richart TBD Tom Springer Tao Tao
VEC 17-Sep Brian Welliver Brenda Richart TBD Terry Miller Tom Springer
TAX 6-Oct Bob Reviea Cathie Franklin TBD Tao Tao Tom Springer
VGIN 6-Oct Don Morgon TBD TBD Tom Springer Terry Miller
DSS 6-Oct Brian Welliver Mike Elliott TBD Terry Miller Tao Tao
VITA13-Oct
27-Oct TBD Dave Matthews TBD John Sewell Jeff Flanigan
82www.vita.virginia.gov expect the best
VITA IT Security Technical Documentation
Craig LukaSecurity Analyst
Northrop Grumman, VITA IT SecurityJune 14th, 2007
www.vita.virginia.gov 82
83www.vita.virginia.gov
Overview• What documentation has been developed?
– Enterprise Infrastructure Security Practices– Security Practices Self Assessment
• Why?– Define baseline security practices for
customer-based staff– COV ITRM Standard SEC501-01 compliance– Document current Agency security practices
and develop SEC501-01 Gap Analyses.– Reduce risk of unfavorable audit findings
84www.vita.virginia.gov
Documentation Architecture• Documentation Framework
– Security practices document has been developed on industry best practices (SANS, NIST, Center For Internet Security)
– All SEC501-01 requirements from the technical requirements matrix are accounted for in the security practices document
– Self Assessment maps each SEC501-01 requirement to a set of security practices
• Serves as a cross reference between SEC501-01 and newly developed Enterprise Security Practices.
85www.vita.virginia.gov
Workflow and Routing• Document Distribution
– EISP and self assessment are delivered to Regional Service Directors (RSDs)
– RSDs deliver documents to Agency-based Service Level Directors (SLDs)
– Customer-based technical staff and SLDs complete the self assessment
– Completed self assessments are returned to EISP team for quality assurance review
– Final documentation is delivered to Agency ISOs and reports are delivered to the CISO
86www.vita.virginia.gov
Timeframe• June 1st: Documents delivered to RSDs• June 4th: RSDs deliver to SLDs and work
begins on the self assessments• June 4th – June 29th: Self assessment
submitters complete assessment and work with EISP team as needed for clarification
• June 29th: All assessments completed, reviewed and delivered to respective Agency ISOs.
87www.vita.virginia.gov
What to Expect• The EISP team will work with customer-
based staff and SLDs as needed to assist in assessment completion
• Any clarifications or enhancements discovered while assessments are being completed will be added to the EISP and self assessment documents
• Agency ISOs will receive a copy of the EISP document and their Agency’s completed self assessment on June 29th
88www.vita.virginia.gov
Questions ?
?
89
COV IT Security Standard Compliance – ISO Appointments & IT Security Audits
Ed Miller
www.vita.virginia.gov 89
90
Appointment of an Information Security Officer
The IT Security Policy (ITRM SEC500-02) requirement to
appoint an Information Security Officer (ISO)
91
ISO Designation RequirementITRM SEC500-02 requires each Agency Head to
“designate via e-mail…an ISO (Information Security Officer) for the Agency and provide the person’s name, title and contact information to VITA no less than biennially. The Agency Head is strongly encouraged to designate at least one backup for the ISO, as well” Send via Email to: [email protected] either be from the Agency Head or have the Agency head copied (cc:)
92
List of Confirmed ISO’sAccountancy, Board ofAging, Department for theAgriculture and Consumer Services, Department ofBusiness Assistance, Virginia Department ofCenter for Behavioral RehabCenter for Innovative TechnologyChristopher Newport UniversityConservation and Recreation, Department ofCorrectional Education, Department ofCorrections, Department ofDepartment of Charitable GamingDepartment of Forensic SciencesEconomic Development Partnership, VirginiaElections, State Board ofEmployment Dispute Resolution, Department ofEnvironmental Quality, Department ofFire Programs, Department ofForestry, Department ofFrontier Culture Museum of VirginiaGame and Inland Fisheries, Department ofGovernor, Office of theHealth Professions, Department ofHuman Resource Management, Department ofJames Madison University
Juvenile Justice, Department ofLibrary of Virginia, TheLongwood UniversityMary Washington UniversityMedical Assistance Services, Department ofMental Health, Mental Retardation & Substance Abuse Svcs, Department ofMines, Minerals and Energy, Department ofMinority Business Enterprise, Department ofMotor Vehicle Dealer BoardMotor Vehicles, Department ofMuseum of Fine Arts, VirginiaMuseum of Natural History, VirginiaOld Dominion UniversityProfessional & Occupational Regulation, Department ofRacing Commission, VirginiaRail and Public Transportation, Department ofScience Museum of VirginiaSocial Services, Department ofState Police, Department ofTourism Commission, VirginiaTransportation, Department ofVirginia Commonwealth UniversityVirginia Information Technologies Agency
93
IT Security Audit Plan
The IT Security Audit Standard (ITRM SEC502-00) requirement to submit an annual IT security “audit plan” to the
CISO beginning February 1, 2007.
94
IT Security Audit Plan• The IT Security Audit Plan should identify all sensitive
system(s), the planned date of the audit(s) and the planned auditor for the audit(s).
• Each sensitive system must be audited at a frequency relative to its risk, or at least, once every 3 years.
• There is a template that can be used by the agency to
record this information on the VITA web at:
http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityAuditPlanTemplate.doc
95
Exception Request• If your agency cannot submit their IT Security
Audit plan the Agency must submit an Exception Request for an extension of time in order to comply. The Exception Request must be approved by the Agency Head and sent to the CISO for review and approval.
• The IT Security Policy and Standard Exception request form is on the VITA web at
http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc
96
No Sensitive Systems?• In addition, there may be some agencies that do
not classify any of their databases or systems as “sensitive”. Under the requirements of SEC502-00, they do not have to submit an audit plan. However, to ensure that we are not missing any sensitive systems, we would like any Agency making that assertion to please notify us by email to vitasecurityservices.com that they will not be submitting an audit plan for that reason.
97
Agencies w/Audit Plans or ExtensionsBoard of Accountancy Center for the Innovative TechnologyChristopher Newport UniversityDepartment of Employment Dispute ResolutionDepartment for the AgingDepartment of Agriculture and Consumer ServicesDepartment of Alcoholic Beverage ControlDepartment of Conservation and RecreationDepartment of CorrectionsDepartment of EducationDepartment of Environmental QualityDepartment of Fine ArtsDepartment of Forensic SciencesDepartment of General ServicesDepartment of HealthDepartment of Health ProfessionsDepartment of Housing and Community DevelopmentDepartment of Human Resource ManagementDepartment of Juvenile JusticeDepartment of Medical Assistance ServicesDepartment of Mental Health, Mental Retardation & Substance AbuseDepartment of Mines, Mineral, and EnergyDepartment of Motor VehiclesDepartment of Planning and BudgetDepartment of Professional & Occupational RegulationDepartment of Rail and Public Transportation
Department of Rehabilitative ServicesDepartment of Social ServicesDepartment of State PoliceDepartment of TaxationDepartment of the TreasuryDepartment of TransportationGeorge Mason UniversityJames Madison UniversityJamestown-Yorktown FoundationLongwood UniversityMary Washington UniversityOffice of the Governor Old Dominion UniversityRadford UniversityRichard Bland CollegeState Compensation Board State Board of ElectionsState Council of Higher Education for VirginiaUniversity of Virginia CommonwealthVirginia Board for People with Rehabilitative ServicesVirginia Department for the Blind and Vision ImpairedVirginia Department for the Deaf and Hard of hearingVirginia Employment CommissionVirginia Information Technologies AgencyVirginia Racing CommissionVirginia State University
98
Where to find Policies/Templates/Forms
• Go to the VITA Website:www.vita.virginia.gov
Click Security and then Policies and Procedureshttp://www.vita.virginia.gov/docs/psg.cfm#securityPSGs
99
COV Information Technology Security Policy, Standards and Guidelines
Cathie Brown, CISM, CISSP
www.vita.virginia.gov 99
100
Compliance: IT Security Policy & Standard
July 1, 2007 Compliance Date• Key Steps to Compliance include:
– Designate an ISO– Inventory all systems– Perform Risk Assessment on sensitive systems – Perform Security Audits on sensitive systems– Document and exercise Contingency & DR Plans– Implement IT systems security standards – Document formal account management practices– Define appropriate data protection practices– Establish Security Awareness & Acceptable Use policies– Safeguard physical facilities– Report & Respond to IT Security Incidents– Implement IT Asset Controls
101
Exception Request• If your agency cannot comply July, 2007 the
Agency must submit an Exception Request for an extension of time. The Exception Requests must be approved by the Agency Head and sent to the CISO for review and approval.
• The IT Security Policy and Standard Exception request form is on the VITA web at
http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc
102
Status Update• Revised IT Security Policy & Standard
End date for ORCA Comments – 6/13
• IT Standard Use of Non-Commonwealth Computing Devices to Telework ITRM SEC511-00New COV StandardEnd date for ORCA Comments – 6/13
• IT Threat Management GuidelineComments have been addressedPublish by June 29, 2007
103
New! Data Breach NotificationIncluded in Revised IT Security Policy and Standard:• Data Breach Notification Requirements:
– Each agency will identify systems that contain PII (Personally Identifiable Information)
– Include provisions in any third party contracts requiring that the third party & third party subcontractors provide immediate notification of suspected breaches
– Provide appropriate notice to affected individuals upon the unauthorized release of any unencrypted PII by any mechanism (laptop, desktop, tablet, CD, DVD, etc.)
104
Revisions - IT Security Policy & Std• Highlights
– Expanded scope to include Legislative, Judicial, Independent and Higher Education
– System Security Plans for sensitive systems– Additional considerations for account management– Additional considerations for protection of data on
mobile storage media including encryption– Additional requirements for specialized IT security
training – Data Breach Notification
• Compliance date – 1/01/2008
105
New! IT Std Using Non-COV Devices to Telework• Purpose
– Establish a standard to protect COV data while teleworking with Non-COV Devices
• Acceptable Solutions– Standalone Computer– Internet Access to Web-Based Applications– Internet Access to Remote Desktop Applications
• Requirements– Storing COV data on a non-COV device is prohibited– Network traffic containing sensitive data must be encrypted– Provide training on remote access policies
• Security Incident Response– Non-COV device may be required during forensics or
investigation of a Security Incident– Acknowledgement form signed
106
IT Threat Management Guideline• Highlights
– IT Security Threat Detection– IT Security Incident Management– IT Security Monitoring and Logging– Example: Recording and Reporting Procedure– Example: Internal Incident Handling Procedure
107
QUESTIONS
108
Information Risk Executive Council
Cathie Brown, CISM, CISSP
www.vita.virginia.gov 108
109
Reminder – IREC Resource Available• Information Risk Executive Council
– Unlimited access to the following services• Strategic Research and Tools• Benchmarking and Diagnostic Tools• Teleconferences
• To register – https://www.irec.executiveboard.com/Public/Register.aspx
• For questions or problems, please contact:– Jennifer Smith
Account Manager, CIO Executive BoardCorporate Executive Board2000 Pennsylvania Avenue, NWWashington, DC 20006
– 202-587-3601 [email protected]
110
QUESTIONS
111
Upcoming Events
Peggy Ward
www.vita.virginia.gov 111
112
UPCOMING EVENTS!
ISOAG MEETING DATESWednesday, July 11, 2007
1:00 - 4:00 Tentative Agenda Items:
E-Discovery – OAGVITA transformed IT Infrastructure Architecture - Linda SmithNG IS Policy, Standards & Guidelines Update - Cathie BrownVITA IS Council Committee Updates - Committee Chairs
113
UPCOMING EVENTS!
VITA OFFICES MOVEFriday July 27, 2007
CAMS will move to 411 E. Franklin
www.vita.virginia.gov
114
Any Other Business ?
115
ADJOURN
THANK YOU FOR YOUR TIME AND
THOUGHTS!!!