TEXAS DEPARTMENT OF INFORMATION RESOURCES State Enterprise Security Plan Securing Texas Information Resources Fiscal Years 2007–2012 MAY 31, 2007

Texas Department of Information Resources

State Enterprise Security Plan

Securing Texas Information Resources

Fiscal Years 2007–2012

May 31, 2007


Letter from the State’s Chief Technology Officer

May 31, 2007

Too often, information technology (IT) security has been relegated to the same category as training—a discretionary spending priority that is last to be funded and first to be cut during annual budget cycles. The business case for a new approach to IT security is compelling. The security and integrity of Texas’s information and communications infrastructure underpin the activities and safety of every state agency and of every Texas citizen.

Information resources are among the most valuable assets of any organization or individual. The information resources of Texas are under attack virtually every minute of every hour of every day through theft, tampering, and destruction. The safety and security of state information resources are a fundamental management responsibility that cannot be delegated and is not optional. The security of these resources must be factored into every aspect of state agency operations.

It is the responsibility and commitment of the Department of Information Resources (DIR) to foster partnerships with each state agency to:

• Ensure that systems and applications operate effectively with appropriate confidentiality, integrity, and availability

• Protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification

• Regularly assess operations for IT vulnerabilities and risk mitigation opportunities

This State Enterprise Security Plan provides goals, objectives, and a plan of action to secure state information resources. It is consistent with the vision articulated in the Governor’s Texas Homeland Security Strategic Plan: 2005–2010 and in Shared Success, DIR’s 2005 State Strategic Plan for Information Resources Management. It also builds on the findings of the 2005 State IT Security Assessment to enhance and sustain cost-effective IT security for the state.

Brian S. Rawson
Executive Director
Texas Department of Information Resources


Contents

Executive Summary....................................................................... 1

Section 1. Threats and Vulnerabilities............................................. 7

Section 2. Roles and Responsibilities............................................ 11

Section 3. Goals and Objectives ................................................. 17

Section 4. Strategies ................................................................... 35

Section 5. Moving Forward ......................................................... 41

Appendix A. Tactical Checklists ................................................... 43

Appendix B. State and Federal Homeland Security Strategies ........ 55

Appendix C. Authorities and References ....................................... 57

Appendix D. Cybersecurity Resources........................................... 59

Glossary.................................................................................... 61

Endnotes ................................................................................... 69

About this Report

This State Enterprise Security Plan is an implementing component of DIR’s Shared Success, the State Strategic Plan for Information Resources Management (SSP)1 and the Governor’s Texas Homeland Security Strategic Plan (TxHSSP).2 It complements and is aligned with the National Strategy to Secure Cyberspace (NSSC),3 the implementing component of the National Strategy for Homeland Security (NSHS).4 This plan also integrates recommendations from the 2005 State IT Security Assessment (SITSA).5

This report is available for public use through the Texas State Publications Depository Program at the Texas State Library and other state depository libraries. It is available electronically through the DIR Web site at www.dir.state.tx.us.

Note: For the purposes of this report, the term “state agency” is used to indicate a state agency or a state institution of higher education.

iv Texas Department of Information Resources | May 31, 2007


Executive Summary

Threats and Vulnerabilities

On an average day, there are reports of almost 250 successful attacks against the state’s information resources.6 A major computer security incident that has significant financial and operational impact is an annual event for most Texas organizations.7 Cyber-terrorists, spies, hackers, and thieves are not just targeting our computers; they are targeting the information that our networks store and transmit.

Whether the source of an attack is an insider, a hacker, or a terrorist, the consequences are often the same—loss of revenue, loss of sensitive information, erosion of consumer and constituent confidence, interruption or denial of business operations, and even loss of life. These threats to state security also are increasing in number and sophistication. To cope with the continuous reality of these threats, state agencies must constantly assess vulnerabilities and manage risk to keep our vital networks open and operational, but secure.

Cybersecurity in Texas is evolving from a discretionary afterthought to a fundamental enabler of the state’s safety and economic well-being. Like any important aspect of a successful business plan, security must have the active support of executive leadership, management authority that matches responsibility, and a budget.

Effective state security budgets are not arbitrary—they reflect a rational IT security business case that builds upon tailored risk assessments and resulting gap analysis and prioritization. The Department of Information Resources (DIR) is working in partnership with state agencies and other eligible entities to facilitate these assessments, provide low-cost network and security operations services, and track the effectiveness of statewide IT security investments.

Of primary interest to DIR are the critical infrastructures and key resources (CI/KR) belonging to state entities, including hardware and software infrastructures and personnel that are vital to the operations and safety of all government sectors. All state agencies rely upon these assets to fulfill their distinct mission requirements. The diversity of resources demands a state enterprise security strategy and implementation plan that allows individual agencies to execute their respective core missions within the context of a secure state infrastructure.

Roles and Responsibilities

While DIR took the lead in preparing this plan, success depends on the engagement and active participation of each state entity. Security and cybersecurity strategic planning is a process, not a destination. It is a difficult challenge that requires continuous, coordinated, and focused effort. Consequently, this plan is a prioritized action plan that specifies implementation responsibilities and outcomes that will help to better protect statewide assets.


DIR’s Role in Securing Cyberspace

Concerns about information security have risen dramatically in recent years. Accordingly, DIR—the chief technology office for the state—established the Information Technology (IT) Security Division in 2004 and designated its director as the state’s first Chief Information Security Officer. DIR’s IT Security Division now also reflects the convergence of network security as integral to telecommunications services.

DIR provides information security services specifically targeted for Texas state agencies, local governments, and public educational entities. In addition to providing general policy templates, maintaining an emergency alert system, and providing guidance on information security issues, DIR is poised to significantly expand enterprise security services that will prevent, reduce, respond to, and recover from IT-related threats and vulnerabilities. DIR helps to ensure that all Texas state entities are implementing security controls in ways that are consistent with the overall strategy for the state.

Role of State Agencies and Institutions of Higher Education

The protection of government and personal information and the associated infrastructure is a fundamental management responsibility. State agencies and institutions of higher education must take positive actions to protect data and critical infrastructures through equal measures of qualified personnel, cost-effective investment strategies, sophisticated hardware and software, meaningful training, and enlightened security policies and management. The Office of the Attorney General and the Department of Public Safety also have specific cyber law enforcement capabilities and responsibilities.

Shared Responsibilities

The figure opposite shows the division of responsibilities for security of the state’s information and communications technology. DIR manages the shared state network, hosting consolidated data centers and associated operating systems and providing external security services through the Network and Security Operations Center (NSOC). Agencies and DIR collaboratively participate in information sharing partnerships, training, analysis, and policy development. Agencies continue to retain ownership of, and responsibility for, their data, applications, desktops, user access and identification (ID), and internal security policies. Individual users also have a personal responsibility to follow state and agency policies and participate as the first line of defense at every layer of the enterprise.

Other DIR Partners

A number of federal agencies and the private sector have specific responsibilities with potential impact on the cybersecurity posture of the state:

• The Department of Homeland Security (DHS) has specific federal responsibilities regarding the coordination of the efforts of state security partners, including the coordination of cybersecurity protective programs and contingency plans.8


• Department of Justice, FBI, intelligence community, and other federal agencies provide the state with information sharing, investigative coordination, and analytic support.

• Private sector partners include the commercial owner/operators of the state’s critical infrastructure as well as the citizens who are the ultimate stakeholders for state government.

[Figure: Shared Responsibilities for State Information and Communications Technology]


Goals and Objectives

State enterprise security goals are consistent with the SSP, the TxHSSP, and the National Strategy for Homeland Security. They are general rather than specific and serve to focus our long-term statewide IT security efforts.

State enterprise security objectives describe a specific result, event, or outcome for a particular goal. Strategic objectives are near term, specific, and help to focus efforts toward achieving the goals. Objectives will be attained and sustained within the five-year time frame of the TxHSSP (fiscal 2005–2010).

The following table presents the state enterprise security goals and objectives mapped to their associated strategies.

STATE ENTERPRISE SECURITY STRATEGIES

Goals, objectives, and the strategies (numbered 1 through 8) mapped to each objective:

Goal: PREVENT CYBER ATTACKS and incidents against critical infrastructure

1. Establish a statewide analysis, monitoring, and reporting capability to address all cybersecurity incident-related matters on a 24/7 basis (strategies 1, 2, 3, 4, 5, 6)

2. Integrate training, education, and certification across all jurisdictions and disciplines (strategies 1, 3, 4, 6, 7, 8)

3. Support improved budget tracking processes and group purchase agreements to ensure that state information and communications systems have strong IT security, authentication, and identification features (strategies 1, 4, 5, 6)

Goal: REDUCE VULNERABILITY to cyber attacks and other disruptions

4. Identify risks and vulnerabilities for critical infrastructure and key resources (strategies 1, 2, 3, 4, 5, 6, 7)

5. Increase awareness and information sharing about cybersecurity attacks, threats, and vulnerabilities (strategies 1, 2, 3, 4, 5, 6, 7, 8)

6. Identify and facilitate implementation of cybersecurity best practices (strategies 1, 2, 3, 4, 5, 6, 7, 8)

Goal: RESPOND AND RECOVER to minimize the impact of successful cyber attacks and disruptions

7. Establish a capability for responding to state-level cybersecurity incidents (strategies 1, 3, 4, 5, 6, 7, 8)

8. Promote cybersecurity exercises and integrate cybersecurity elements into homeland security exercises (strategies 1, 3, 4, 5, 7, 8)

9. Integrate cybersecurity into continuity of operations and continuity of government plans (strategies 1, 2, 3, 4, 5, 7, 8)


Strategies

The State Enterprise Security Plan not only presents guiding goals and objectives—it describes priority actions (strategies) to achieve them. The plan defines eight strategies to safeguard the integrity of state information and communications assets and it assigns specific implementation responsibilities. While the strategies apply specifically to DIR, the statewide security posture depends upon the collective actions of individual state agencies and institutions.

Each strategy is consistent with state and federal guidance, is directly linked to the state enterprise security goals and objectives, and is part of a comprehensive security program that includes all stakeholders.

1. Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives

2. Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities

3. Establish a state Computer Security Incident Response Team (CSIRT) to rapidly identify, contain, and recover from any attack or attempt to disrupt the state’s critical IT infrastructure

4. Identify, develop, and maintain best practice rules, performance standards, templates, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management

5. Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center

6. Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state

7. Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities

8. Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyber attacks


Moving Forward

The best way to prevent security incidents and sustain operations is to regularly test and affirm network security effectiveness before an incident occurs. In a major collaborative initiative, DIR is dramatically expanding its affordable and actionable test and assessment services to include all eligible state entities. Through the NSOC, DIR will sustain these and other security services on a cost-recovery basis that reflects the convergence of security as an integral expectation of telecommunications services.

Despite the best precautions, networks are susceptible to attack and compromise. To improve the state’s ability to respond to and recover from damage to its information resources, DIR is launching another major statewide collaborative initiative to improve statewide ability to report and analyze relevant data. This initiative will improve our ability to prevent, protect against, respond to, and recover from significant security incidents. In addition to improvements in its analysis, reporting, and monitoring capabilities, DIR is developing a comprehensive program that will initiate, sustain, and expand a statewide Computer Security Incident Response Team.

DIR is committed to creating a security environment that evolves beyond compliance and enforcement to one of collaboration and partnership. Implementation of the preliminary steps outlined in this plan will improve the security posture of the state enterprise and ensure that Texas will be positioned to protect its vital information and communications assets.


Section 1. Threats and Vulnerabilities

The state has a huge repository of personal identity information or privacy data—e.g., law enforcement and medical data, or Social Security, driver’s license, and credit card numbers—that has drawn the attention of criminals and terrorists. Each state entity must implement policy and technical standards within its information resource architecture to protect this category of sensitive information.

What’s at Stake

Critical Infrastructures

The protection of the state’s critical infrastructure is vital to the safety, security, and economic well-being of all Texans. Critical IT infrastructures include physical or cyber assets that are so vital that their incapacity or destruction would have a debilitating impact on security, state economic security, or state public health or safety.

All state agencies rely upon critical information and communications infrastructure, a large portion of which is privately owned and operated or controlled by other government agencies. This diversity demands strategies and implementation plans that are focused on partnerships and shared responsibility to maximize the state’s technology infrastructure and allow individual agencies to focus efforts on their respective core businesses.

Key cyber resources within DIR’s purview include TexasOnline.com—the state’s business portal and official state Web site that enables other state agencies and participating local governments to interact with their constituencies electronically. DIR also manages the state’s communications network, TEX-AN, the Capitol Complex Telephone System, and select, shared IT services for state entities. Shared service offerings include federated identity management, network security services, messaging and collaboration, and the state data center system. DIR is expanding the use of the state data center to bring together the state’s largest data center environments, enabling agencies to share resources and increase their security and disaster recovery capability.

Key Resources

Key resources are publicly or privately controlled assets that are essential to the basic operations of the economy and government. Key resources include personnel and the hardware and software infrastructure.

Human Resources

The success of an agency’s IT security program is largely determined by the quality of its personnel. The organization with the most stable, competent IT security staff and management will usually outperform other, less-qualified organizations with higher budgets and more modern equipment.

Good security practices begin with senior management awareness and priorities. The security of agency information resources is a core leadership responsibility of every agency director. Management plays the primary role in setting security priorities for staffing, funding, awareness, and the integration of IT security and operations. To maximize the utility of their information resources while managing security risks, the state’s leaders must establish and adhere to rational management processes and policies. Agency leaders must also be able to recruit and retain qualified individuals and keep them refreshed on current technologies and practices.

Hardware and Software Infrastructure

In a large, decentralized state government environment, effective coordination of limited IT security hardware and software resources among agencies is vital for a successful, sustained response to security challenges. While each agency must manage and acquire the unique tools necessary to conduct operations, many of the IT security hardware and software functions and best-value applications are similar. Information security is a very horizontal discipline—technology and practices from one agency can usually be applied to another.

A statewide enterprise approach helps the state to strategically deploy security assets, manage access and secure state information assets, deliver services, and manage costs. Agencies need the ability to choose the security systems best suited for their security environment, use enterprise hardware solutions where possible, and obtain the best value for their investment.

The Case for Action

Sound strategies begin with a clear understanding of the risk environment—a combination of threat, vulnerability, the likelihood of occurrence, and consequences. A recent survey reveals that cybercrime is more costly to U.S. businesses than physical crime. Lost revenue, wasted staff time, system down time, and damage to customer goodwill have become more serious problems than conventional crime to many businesses.9

Types of threats and/or attacks include:

• Viruses

• Identity Theft

• Credit Card Fraud

• Data Mining

• Extortion

• Financial Institution Fraud

• Worms

• Denial of Service

Cyber terrorists, spies, hackers, and thieves are continually probing Texas systems to steal and profit from our information resources or to simply render them useless. To cope with the continuous reality of these threats, state agencies must constantly assess vulnerabilities and manage risk to keep networks open and operational, but secure. A successful response must include equal measures of qualified personnel, cost-effective investment strategies, sophisticated hardware and software, meaningful training, and enlightened security policies and management.


Cyber Threats

Cyber attacks can result in serious consequences that interrupt or deny business operations, cause loss of revenue and intellectual property or even loss of life. These attacks are not theoretical or just another potential risk. Whether an attack originates from a terrorist, hacker, natural disaster, or insider, the resulting damage to our critical infrastructure is the same.

Insider Threats

The greatest threat to our cyber networks stems from insiders—individuals who have authorized physical or electronic access to an organization’s information resources. The insider’s access authorization may only be technical (e.g., a former employee who retains a valid user ID and password), or it may exceed the intended security policy. The analysis and prevention of insider threats focuses on capabilities, and sometimes, the insider’s intent to steal, abuse, or otherwise harm an organization’s information resources.

An outside hacker must first penetrate an organization’s perimeter defenses—where most IT security resources are focused. However, insiders with authorized access within that perimeter may use their privileges to facilitate or gain unfettered access to other enterprise systems, files, or services that exceed their need-to-know. Insiders have, for example, introduced viruses into network resources by placing contaminated disks into the systems and by downloading contaminated Internet attachments. These unintentional insider-facilitated attacks provide malicious outsiders an open door to the network through the Internet that they can use to exfiltrate sensitive information or launch additional attacks. Anticipating termination, some users may prepare backdoor access to the computer system, insert alternative passwords, or simply stockpile proprietary data for later use.

External Threats

External network connections are critical to the operations of most organizations, but they also provide a pathway into state information resources. This access offers hackers an opportunity to disrupt, destroy, or steal state information resources. Until recently, the technical prowess required to carry out cyber attacks was very high. Today, new hacker-friendly technologies have become more accessible to moderately skilled attackers, including terrorists. These sophisticated tools, in conjunction with increasing numbers of malicious hackers, have increased the threat to information and communication systems exponentially. The growth of e-commerce and data mining has given rise to well-organized criminal elements who seek to profit from stolen personal information, such as Social Security and bank account numbers.

These external threats to state IT security will continue to increase in number and sophistication. The following chart tracks Carnegie Mellon’s Computer Emergency Response Team/Coordination Center (CERT/CC) reports showing that cyber incidents and attacks are increasing at an alarming rate, as are the numbers of vulnerabilities that an attacker can exploit. CERT/CC stopped tracking these incidents in 2003 because they had become too numerous to count.


[Chart: Number of Security Incidents, 1995–2003 (CERT/CC); vertical axis 0 to 150,000 incidents, horizontal axis 1995 through 2003]

Cyber Terrorism

Cyber terrorists enjoy the advantage of being able to conduct all the necessary precursors and launch the actual attack from the safety of their home. These terrorists include “hacktivists” who use the Internet to aggressively advocate their cause and cyber junkies who enjoy creating havoc or gaining notoriety, as well as those who want to create panic as a means to destroy our way of life. These attackers often enter and exit a network without the user ever realizing that the system has been compromised. A stealthy, coordinated attack on our infrastructure using hidden logic bombs or denial of service attacks could amplify the effects of a traditional terrorist attack.10

Agency coordination is very important in combating hacking, identity theft, and other types of cybercrime because the groups involved operate in a worldwide environment that does not respect international borders.11 According to the 2005 FBI Computer Crime Survey—conducted in four states (New York, Texas, Iowa, and Nebraska)—almost 75% of the attempted computer intrusions reported by the respondents originated from outside of the U.S. The FBI report is particularly relevant to Texas since 65% of the responses in that report (out of 2,066 total) came from government and private industry organizations within the state.12 The Defense Intelligence Agency believes that adversarial information operations, or the use of information warfare tools and techniques, are the greatest threat to our national information and communications infrastructure.13

Physical Attacks

Information systems are also impacted by physical attacks, such as theft or natural disasters, as experienced during the hurricane season of 2005. IT security is a major factor in business continuity, whether the source of the attack is a terrorist, hacker, thief, or natural disaster.


Section 2. Roles and Responsibilities

Cybersecurity in Texas state government is not the responsibility of a single agency. It is a shared responsibility of all agencies, working collaboratively, to build a secure enterprise infrastructure that supports the individual, mission-critical business processes of each state entity. A secure enterprise infrastructure depends on more than compliance and enforcement—to thrive, it requires collaboration among federal, state, and local government, institutions of higher education, and private sector partners.

The SSP describes the Texas Model of the Enterprise for sharing and managing the state’s technology investment. It reflects the latest legislative guidance and provides a vision of greater cost efficiencies, improved services, and a shared technology infrastructure that is flexible, innovative, and supports agencies in meeting their missions. The base of the Texas Model—the statewide infrastructure layer— delivers shared IT security functions that, similar to utility services, all agencies must have but are not unique or specific to an individual agency.

[Figure: Texas Model of the Enterprise]

Building on the statewide infrastructure layer is the collaboration layer. This layer supports the shared development of rules, guidelines, standards, and practices that contribute to effective enterprise management of information resources and practices. One practice includes guiding the development of integrated IT security architectures that advance information sharing among agencies. Another practice employed in this layer is a collaborative approach for standardizing agency IT security processes where common needs exist.

Leveraging each preceding layer, the most important is the agency layer, which supports the unique functionality that an agency must deliver to successfully support its mission. Together, the layers of the Texas Model of the Enterprise comprise the vision for effective technology planning and security service delivery in the state.

State Agencies

Texas Department of Information Resources

DIR’s mission is to ensure the effective and efficient use of public funds through the successful application of statewide services and technologies that are beneficial, secure, and accessible and utilize a standard infrastructure. DIR provides security services specifically targeted to Texas state agencies, local governments, and educational entities to help them identify, assess, respond to, and prevent IT-related security incidents. In coordination with federal and state counterparts, DIR provides security policy templates, maintains an emergency alert program, provides external vulnerability assessments, and develops best practice rules, policies, and guidelines on information security issues. The director of DIR’s IT Security Division serves as the state’s Chief Information Security Officer (CISO).

In compliance with Chapter 2059 of the Texas Government Code (TGC § 2059), DIR provides sustainable NSOC services for participating state agencies and may also provide these external services to local governments, the Legislature, special districts, and institutions of higher education. DIR will fulfill the network security requirements of all state entities to the extent practicable, providing a cost-effective, first priority source of external network security services.

On a strategic level, DIR’s security duties are as follows:
• Develop and approve updates to IT security requirements
• Provide statewide IT security policy, standards, guidelines, and procedures
• Ensure that the state’s IT security program is established and implemented in compliance with state laws and regulations and federal laws where applicable
• Report to the Governor and the Legislature on the status of the state’s IT security program
• Provide policy expertise for issues involving the storage, transmission, sharing, or disposal of personal information
• Enforce state security policy, including establishing the appropriate measures and remedial actions for agencies for non-compliance
• Act as the State CISO

On a tactical level, DIR’s security duties are as follows:
• Identify vulnerabilities in state systems and recommend corrective action
• Develop, manage, and maintain a statewide security program that includes policy, standards, guidelines, procedures, best security practices, IT disaster recovery planning guidelines, IT security certification and accreditation guidelines, security awareness training, sensitive data protection standards, and an incident response reporting capability
• Coordinate with state agency information security officers (ISOs), federal and local government, and private industry to improve security for state systems
• Support Texas Office of Homeland Security initiatives through participation in the Texas Homeland Security Council and development of departmental implementation plans that support the TxHSSP

Texas Department of Public Safety

DIR is not the only state agency with specific computer security responsibilities that extend to other state entities. The Texas Department of Public Safety's (DPS) Criminal Law Enforcement Division has a number of service organizations that pursue computer crime investigations:
• The Criminal Intelligence Service manages the Computer Information Technology & Electronic Crime (CITEC) program. CITEC pursues investigations where computer systems and/or the Internet are used to facilitate a crime or to store evidence of a crime. Personnel assigned to CITEC are trained in the investigation of high-tech offenses and in the recovery of digital evidence from computer systems. Investigations include network intrusions, denial-of-service attacks, Web site defacements, child pornography, gambling, terrorist (e-mail) threats, tampering with a government record, and identity theft or fraud.
• The Special Crimes Service investigates certain computer crimes that are related to organized crime, pari-mutuel betting at horse and dog racetracks in Texas, parole violators, and high-risk sex offenders.
• The Narcotics Service has a Technical Unit that conducts certain types of computer crime investigations.
• The Crime Laboratory Service provides expert forensic laboratory services to Texas law enforcement agencies, including computer data recovery and analysis.

Texas Office of Attorney General

The Texas Office of the Attorney General’s (OAG’s) Criminal Enforcement Division provides prosecutorial assistance to Texas law enforcement entities, county attorneys, and district attorneys. The Cyber Crimes Unit brings together the OAG’s law enforcement investigations and prosecutors to ensure a safe electronic environment for the communication of information and ideas and for the transaction of commerce. Members of this unit have expertise in investigating and prosecuting Internet- and computer-related crimes, including predators (Internet pedophiles), online child pornography, and children’s online privacy. Another key function of the Cyber Crimes Unit is the investigation and prosecution of computer security breaches involving suspected malicious or damaging computer intrusions that violate the Texas Breach of Computer Security Statute, Texas Penal Code, Section 33.02.

All State Agencies and Institutions of Higher Education

Each agency is responsible for developing an IT security program to protect the agency’s communications systems, computer systems, networks, and data, in accordance with state IT security policy. The Texas Administrative Code (TAC 202)[14] specifies the major components that must be included in every IT security program. At a minimum, each program must contain the following elements: Security Policy, Risk Assessment and Management, Systems Development Life Cycle Methodology, Security Certification and Accreditation, Disaster Recovery Planning, Security Awareness Training, Incident Response Process, and External Connections Review.

Each state agency head must designate an individual (or individuals) independent of the information security program to review, at least annually, the agency’s information security program for compliance with state standards, based on business risk management decisions. Each state agency must affirm compliance with state standards in its biennial Information Resources Strategic Plan.

Additionally, each agency’s IT security responsibilities are as follows:
• Plan and budget for network security system service costs[15] and ensure that security investment is addressed for each “major information resources project”[16]
• Ensure the confidentiality, integrity, availability, and accountability of all agency IT assets, including information while it is being processed, stored, and/or transmitted electronically
• Ensure that the agency’s IT security program is established and implemented in compliance with state security policies and standards and state and federal laws and regulations, as applicable
• Incorporate and implement periodic information vulnerability assessments into agency security policy
• Participate in current and ongoing statewide assessment activities
• Participate in collaborative opportunities, such as the statewide computer security incident response and recovery program
• Demonstrate compliance with security requirements
• Ensure separation of duties and adhere to a configuration/change management process to maintain the security of the information resources
• Ensure that user access within the agency infrastructure is established on the principle of least privilege and that adequate policies and processes exist for user provisioning, privilege management, and review of user access rights
• Establish a means to track and provide information regarding requested and allocated technology security budgets
• Leverage DIR’s information sharing, analysis, and response capabilities
• Work with DIR to plan, execute, and evaluate new technologies and programs
• Fund and participate in cybersecurity awareness, training, and technical certifications
• Participate in IT security forums, seminars, and conferences
• Demonstrate due diligence by periodically testing and exercising cybersecurity and disaster recovery plans
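As an added illustration of the separation-of-duties, least-privilege, and provisioning/deprovisioning responsibilities listed above (example code written for this page, not part of the DIR plan or any agency system), the following periodic access review compares each account against its role baseline and the HR roster. The role baseline, the conflicting-duty pairs, the 90-day staleness threshold, and the sample accounts are all constructed assumptions for the example.

```python
"""Periodic access review: least privilege, separation of duties, deprovisioning.

Added example; not from the DIR plan or any agency system. The role baseline,
the conflicting-duty pairs, the 90-day staleness threshold and the sample
accounts are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Entitlements each job role is expected to hold (constructed baseline).
ROLE_BASELINE = {
    "ap_clerk":   {"erp.vendor.create", "erp.invoice.enter"},
    "ap_manager": {"erp.invoice.enter", "erp.payment.approve"},
    "sysadmin":   {"ad.domain_admin", "erp.admin"},
    "analyst":    {"erp.report.read"},
}

# Entitlement pairs that one person must never hold together (constructed).
SOD_CONFLICTS = [
    ("erp.vendor.create", "erp.payment.approve"),
    ("erp.invoice.enter", "erp.payment.approve"),
]


@dataclass
class Account:
    user: str
    role: str
    active: bool                 # account enabled in the directory
    separated_on: date | None    # HR separation date, None while employed
    entitlements: set[str]       # what the account can actually do
    last_login: date


def review_access(accounts: list[Account], as_of: date, stale_days: int = 90):
    """Return (user, finding, detail) triples; an empty list means a clean review."""
    findings = []
    for a in accounts:
        # Deprovisioning gap: HR says the person left but the account is still enabled.
        if a.active and a.separated_on is not None:
            findings.append((a.user, "ORPHANED",
                             f"still active {(as_of - a.separated_on).days} days after separation"))
        # Privilege creep: anything beyond what the role's baseline grants.
        extra = a.entitlements - ROLE_BASELINE.get(a.role, set())
        if extra:
            findings.append((a.user, "EXCESS_PRIVILEGE", ", ".join(sorted(extra))))
        # Separation of duties: toxic combinations, however they were granted.
        for left, right in SOD_CONFLICTS:
            if left in a.entitlements and right in a.entitlements:
                findings.append((a.user, "SOD_CONFLICT", f"{left} + {right}"))
        # Unused access is unnecessary access.
        idle = (as_of - a.last_login).days
        if a.active and idle > stale_days:
            findings.append((a.user, "STALE", f"no login for {idle} days"))
    return findings


AS_OF = date(2007, 5, 31)

# Constructed sample: two clean accounts, one with privilege creep and a
# separation-of-duties conflict, one left enabled after the employee departed.
SAMPLE_ACCOUNTS = [
    Account("alice", "ap_clerk", True, None,
            {"erp.vendor.create", "erp.invoice.enter"}, date(2007, 5, 30)),
    Account("bob", "ap_clerk", True, None,
            {"erp.vendor.create", "erp.invoice.enter", "erp.payment.approve"}, date(2007, 5, 29)),
    Account("carol", "analyst", True, date(2007, 2, 1),
            {"erp.report.read"}, date(2007, 1, 30)),
    Account("dave", "sysadmin", True, None,
            {"ad.domain_admin", "erp.admin"}, date(2007, 5, 31)),
]

if __name__ == "__main__":
    for user, kind, detail in review_access(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{user:6} {kind:17} {detail}")
```

Run against the sample, the review reports bob for the extra approval right and for both conflicting-duty pairs, and carol as an orphaned, stale account; alice and dave are clean. In a real agency the baseline would come from the role definitions the ISO maintains and the roster from HR, and the review output would feed the annual compliance check the plan requires.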

State Employees, Contractors, and Users of State Information Resources

The IT security responsibilities of all state employees and contract personnel are as follows:
• Be aware of their personal responsibility to protect state IT assets
• Follow IT security program guidelines, best practices, and standard operating procedures
• Be accountable for their actions relating to the use of all information systems
• Use IT resources only for intended purposes as defined by state and federal laws, policies, and regulations
• Provide the first line of defense for potential computer security incidents
• Participate in two-way exchange of IT security information
• Participate in IT security training and exercises

Local Governments

DIR encourages local governments to adopt the following security practices:
• Follow DIR’s IT security guidelines and standards to the fullest extent possible
• Take advantage of DIR-sponsored IT security training, exercises, and assessments
• Manage computer systems security while maintaining awareness of threats, vulnerabilities, and consequences to ensure that they do not enable attacks against CI/KR
• Participate in significant national, regional, and local awareness programs to encourage local governments and citizens to manage computer systems appropriately
• Establish cybersecurity programs, including awareness of current threats and training for audits and standards compliance

Federal Departments and Agencies

All federal departments and agencies must manage the security of their computer systems while maintaining awareness of vulnerabilities and consequences to ensure that computer systems are not used to enable attacks against the nation’s critical infrastructure or key resources. State and local entities often have the opportunity to coordinate cybersecurity issues with regional federal representatives who have jurisdictions that encompass Texas. A number of federal agencies have specific additional responsibilities outlined in the National Strategy to Secure Cyberspace.

Department of Homeland Security

DHS is a principal federal focal point for the security of cyberspace.[17] DHS has specific responsibilities affecting the confidentiality, integrity, and availability of state information resources. These duties include coordinating efforts to prevent damage, unauthorized use, or exploitation, and enabling the restoration of information and communications systems.

Other IT security responsibilities are as follows:
• Develop a comprehensive national plan for securing national CI/KR
• Develop and publish best practices that are applicable to state and local governments
• Coordinate protective programs and contingency plans with state and local governments
• Provide technical assistance to other government entities and the private sector with respect to emergency recovery plans for failures of critical information systems
• Facilitate cross-sector cyber analysis and assist in understanding and mitigating cyber risk and in developing effective and appropriate protective measures

Within the IT security risk management framework, DHS is also tasked to:
• Provide cyber-specific warnings and expert advice to reduce vulnerabilities and minimize the severity of attacks on the cyber elements of CI/KR
• Promote a comprehensive national awareness program
• Work with security partners to mitigate risk
• Lead the development of a national threat assessment

Department of Justice and Other Federal Agencies

• Improve information sharing and investigative coordination with state and local law enforcement communities, other agencies, and the private sector
• Develop and implement efforts to reduce attacks and threats by developing more robust data to characterize cyber crime and intrusions
• Provide sufficient investigative and forensic resources and training to facilitate expeditious investigation and resolution of CI/KR incidents
• Provide counterintelligence to prevent and detect cyber-based intelligence collection against government and other U.S. commercial and educational organizations
• Attribute the source of cyber attacks or actions to enable timely and effective response

Private Sector

The private sector includes commercial owner/operators of the vast majority of the state’s critical infrastructure as well as the citizens, who are the ultimate stakeholders for state government. There are also a number of helpful professional private sector associations and organizations that are committed to education and protection of the state’s and the nation’s IT infrastructure, e.g., the SANS Institute and Information Sharing and Analysis Centers (ISACs).

The private sector is encouraged to implement the following recommendations consistent with the National Strategy to Secure Cyberspace:
• Manage computer system security to minimize CI/KR vulnerabilities and consequences
• Exercise continuity plans and consider service provider diversity to reduce risk
• Consider active involvement in sector-wide (ISAC) programs to share information
• Evaluate the security of networks that affect the nation’s CI/KR, including:
  – Conduct audits to ensure the effectiveness and use of best practices
  – Develop continuity plans that consider off-site staff and equipment
  – Participate in industry-wide information sharing and best practices dissemination
• Set near-term research and development priorities for highly secure and trustworthy operating systems
• Promote more secure “out of the box” software industry products, increased user awareness, ease of use, and adherence to industry guidelines and best practices

SECTION 3 Goals and Objectives

The State Enterprise Security Plan is designed to complement and support the TxHSSP and the SSP. It is consistent with the National Strategy to Secure Cyberspace. This plan also leverages the findings of the 2005 State IT Security Assessment (SITSA) to address specific gaps in the state’s ability to detect, deter, and respond to IT security threats and helps prioritize statewide IT security efforts and investments.

As described in Section 1, the cybersecurity threat in Texas is real, constant, and, at the same time, continuously changing and adapting to our cyber defenses. This plan outlines the state’s IT security goals and objectives to address these threats and then describes each in detail. Section 4 addresses the specific strategies that will meet these goals and objectives and improve the statewide IT security posture.


State Enterprise Security Goals and Objectives

State enterprise security goals are the desired ends that the state will continually work toward to improve capabilities to prevent, protect, respond, and recover from cyber incidents. Goals are general rather than specific and serve to focus our long-term statewide IT security efforts.

Strategic objectives—presented in detail beginning on the next page—describe a specific result, event, or outcome for a particular goal. Strategic objectives are specific and help focus efforts toward achieving the goals. They are also near term. Objectives will be attained and sustained within the five-year time frame of the TxHSSP.

The following table presents the state enterprise security goals and objectives mapped to their associated strategies, which are detailed in Section 4.

STATE ENTERPRISE SECURITY STRATEGIES (each objective is mapped to the numbered strategies 1–8 detailed in Section 4)

Goal: PREVENT CYBER ATTACKS and incidents against critical infrastructure
  Objective 1. Establish a statewide analysis, monitoring, and reporting capability to address all cybersecurity incident-related matters on a 24/7 basis (p. 19)
    Strategies: 1, 2, 3, 4, 5, 6
  Objective 2. Integrate training, education, and certification across all jurisdictions and disciplines (p. 20)
    Strategies: 1, 3, 4, 6, 7, 8
  Objective 3. Support improved budget tracking processes and group purchase agreements to ensure that state information and communications systems have strong IT security, authentication, and identification features (p. 21)
    Strategies: 1, 4, 5, 6

Goal: REDUCE VULNERABILITY to cyber attacks and other disruptions
  Objective 4. Identify risks and vulnerabilities for critical infrastructure and key resources (p. 23)
    Strategies: 1, 2, 3, 4, 5, 6, 7
  Objective 5. Increase awareness and information sharing about cybersecurity attacks, threats, and vulnerabilities (p. 26)
    Strategies: 1, 2, 3, 4, 5, 6, 7, 8
  Objective 6. Identify and facilitate implementation of cybersecurity best practices (p. 28)
    Strategies: 1, 2, 3, 4, 5, 6, 7, 8

Goal: RESPOND AND RECOVER to minimize the impact of successful cyber attacks and disruptions
  Objective 7. Establish a capability for responding to state-level cybersecurity incidents (p. 29)
    Strategies: 1, 3, 4, 5, 6, 7, 8
  Objective 8. Promote cybersecurity exercises and integrate cybersecurity elements into homeland security exercises (p. 32)
    Strategies: 1, 3, 4, 5, 7, 8
  Objective 9. Integrate cybersecurity into continuity of operations and continuity of government plans (p. 33)
    Strategies: 1, 2, 3, 4, 5, 7, 8

See Appendix B for a matrix mapping the state enterprise security goals and objectives to state and federal homeland security strategies.


PREVENT CYBER ATTACKS Objective 1 Establish a statewide analysis, monitoring, and reporting capability to address all cybersecurity incident-related matters on a 24/7 basis

Rapid advances in science and technology have accelerated the convergence of computer and communications networks. These advances have also accelerated the increasing variety, uncertainty, and scale of the associated cybersecurity challenges. As Texas develops a statewide network infrastructure, it must also establish corresponding statewide IT security capabilities in concert with increased functionality and efficiency. The state must ensure that government communications and computer networks are secured as part of its overall information and communications technology security strategy. The state also needs to strengthen the protection of critical infrastructure through additional collaborative information sharing and planning opportunities among agencies.

DIR will use the findings from its 2005 SITSA, a confidential assessment requested by the Legislature,[18] as a guide for advancing a program to protect the state’s technology assets and infrastructure.

Expected cybersecurity benefits include:
• Expanded and enhanced availability of security services to agencies
• Faster response time to recognize a terrorism event (or external/internal threat), activate a computer incident response team, and warn affected network users
• Broadened scope and availability of security training
• Improved security planning and collaboration opportunities
• Reduced internal dependencies through resource sharing within Texas, among other states, and nationally
• Expanded statewide online analysis and interagency information sharing
• Reduced impact of ongoing and future attacks or incidents (downtime, number of systems affected, number and severity of attacks, cost)
• Alignment with the statewide network operations center infrastructure as directed in statute[19][20] and as outlined in the SSP
• Rapid notification of local leadership of security issues as specified in the TxHSSP[21]
• Improved event and trend analyses, guidelines, best practices, and recommendations
• Improved cyber emergency operational plan integration with the National Incident Management System

PREVENT CYBER ATTACKS Objective 2 Integrate training, education, and certification across all jurisdictions and disciplines

Human error is an important and, potentially, the most damaging factor in the majority of IT security incidents. For agency leadership, IT security professionals, and all other network users, security awareness training is an essential tool. While not every user can be a security expert, individuals can reduce their organization’s risk by following guidelines, such as selecting good passwords, not opening certain e-mail attachments, and locking screens or logging off when not at their desk. For individuals to understand and follow basic best practices, they must first be made aware of the threats that exist and what they can do as individuals on a daily basis to defend against those threats. Employees are often the first to receive malicious code, making effective agency-wide training a critical element in preventing the execution of attachments or Web files that could escalate into a major security incident.

To keep pace with emerging threats, defend sophisticated IT systems, and take advantage of new technologies and capabilities, security professionals need continuous and frequent access to quality training. A recent national survey by the Computing Technology Industry Association[22] attributed fully 80% of recent major IT security breaches to human error and lack of awareness through poor training (either wholly or in part). Most organizations experience approximately 20% fewer security incidents when at least 25% of their staff have received IT security training. Security training, education, and relevant certifications are key steps to improving security.

IT security experts also emphasize the importance of recognizing continuing professional education (CPE) as a critical component of successful technology management. Education, awareness, and training may be an organization’s most important security measure. Only by understanding emerging threats and vulnerabilities to its information and communication technology systems can an agency begin to cope effectively with other control measures.

DIR advanced training initiatives will include a more comprehensive approach to technology security training for state and other government agencies. Expected benefits to agencies include:
• Improved IT security as documented by third-party assessments, reduced incidents, and lower remediation costs
• Agency leadership, security staff, and users have CPE and qualification standards
• Minimum state IT security education, certification, and CPE standards for ISOs and IRMs
• Selected agency personnel are well trained as CSIRT participants and trainers
• Increased emergency response effectiveness through better understanding of the National Incident Management System (NIMS)
• IT security training and registration is accessible via a cybersecurity Web portal
• Cybersecurity exercises maintain and verify personal and agency skills and readiness
• Reduced time and expense to respond and recover from computer incidents compared to agencies using untrained/non-certified personnel
• Improved agency understanding of critical data sharing linkages and dependencies between agencies

PREVENT CYBER ATTACKS Objective 3 Support improved budget tracking processes and group purchase agreements to ensure that state information and communications systems have strong IT security, authentication, and identification features

Compared to industry and government norms, most Texas agencies are under-investing in IT security. However, there is no firm guidance or set formula for “how much is enough” to spend on IT or security-related issues. Security spending is best determined through due diligence and risk analysis efforts. Risk analysis methods can help to determine the value of the information the agency processes and stores, its critical information systems and processes, the threats to its information and IT systems, and appropriate countermeasures. Each agency must ultimately determine “how much is enough” to counter the threats that it faces, protect the information it processes and stores, and provide adequate continuity and recovery capabilities.

When information security investments have to compete for resources, security analysts need to help the financial decision makers understand the value of security. These decision makers may readily accept the need to purchase a new information or communication system, but they often do not account for the cost of keeping it operational in the face of a barrage of cyber attacks.[23] To better assess the effectiveness of IT security expenditures to deter and prevent attacks, Texas agencies also need a better process to help them identify and quantify those investments as dedicated line items.

Group buying power is one of the most effective tools that an organization can employ to overcome this problem and save money. With an entity the size of the state of Texas, there is tremendous leverage with vendor pricing. Texas is able to negotiate much better pricing on items and services than agencies can on their own, and all state agencies should be able to benefit from the best available rates.

In addition to cost savings, group purchase agreements for IT security tools help foster a statewide marketplace for more secure technologies through large procurements of advanced information assurance technologies. An important aspect of the threat reduction goal is the deployment of computing systems that are designed to be highly secure, trustworthy, and resilient. The state must seek to ensure that future components of the cyber infrastructure are designed and built to be inherently secure and dependable for their users. The state government will also advance the introduction of the best, proven technology through collaboration with federal and local governments through cybersecurity awareness, training, and information exchange.

Expected IT security benefits for participating agencies include:
• Dedicated budgets to help focus attention and measure effectiveness of security spending
• Accurate tracking of agency risk assessments and associated security investments
• Improved return on investment decisions resulting in deployment of highly secure and reliable systems with a reduced number of security incidents
• DIR Planned Procurement Schedule to address group purchasing priorities
• Compliance with IT commodity reporting requirements of TGC § 2054.1015
• Availability of high priority and best of breed software and hardware
• Higher performance at a lower price through best-value group purchase agreements
• Standardized methodology to track and report investments in critical information planning, prioritizing, and budgeting components
• Improved prevention and cost avoidance through security design reviews for all major state information and communication system acquisitions

REDUCE VULNERABILITY Objective 4 Identify risks and vulnerabilities for critical infrastructure and key resources

The best approach to reduce CI/KR risks and vulnerabilities is to follow best business practices that recommend annual security activities, such as risk assessments and internal and external vulnerability scans, followed by business continuity and disaster recovery testing. These types of security efforts form the backbone of a mature, capable security program and establish baselines that each agency can use to document, address, and mitigate current threats and plan for incremental improvements.

Security is a process, not just a patch or a single application. One vital step in the process is testing the environment. To ensure that networks are properly secured, agencies must conduct routine checks for holes in the security infrastructure. The industry best practice for testing an environment is to replicate the methods of attackers and insiders by scanning the network for open ports and vulnerabilities. A successful IT security program requires periodic IT risk and vulnerability assessments and business continuity tests to identify specific focus areas for improvement. These types of activities provide agency leadership and privacy stakeholders with better visibility into the effectiveness of their external and internal IT security posture and will help them to set priorities for planning and budgeting IT security resources. Texas agencies need a risk assessment process that helps identify and quantify cybersecurity investments and assess their effectiveness.

Recent DIR vulnerability assessments of agency external network connections have helped reveal and quickly remediate serious holes in agency security postures. A network-based attack is not possible if the attacker cannot reach the target or get data back out; the ideas of perimeter-based security and a firewall defense stem from this concept. This defense provides some protection against outside attacks, but most serious cyber incidents involve insider access. Compartmental control of internal traffic (segmenting the network so that one compromised host cannot reach everything) is an important security element that helps prevent unauthorized access to restricted information within a network. Firewalls, intrusion detection, penetration testing, and monitoring devices, together with an adequately staffed and well-trained security team, work in combination to greatly reduce these vulnerabilities.

Many organizations deploy dozens of network applications across multiple hosts or domains within their environment or include applications dealing with users outside the organization. To add to this complex environment, organizations also want to use the same security infrastructure for network applications as they do to address their wireless, legacy, database, and other application security requirements. Successful organizations will recognize that their security infrastructures must address not only access control at the physical and network layer, but also will manage access to specific applications and systems. Applications adhering to the principles of least privilege and need-to-know will greatly reduce the risk of unauthorized access into the environment.

Wireless connectivity can allow attackers beyond agency physical boundaries to access confidential internal networks. The proliferation of mobile devices, such as laptops and personal digital assistants (PDAs), has increased support for remote access to traditional IT resources. Allowing remote users to access the same resources that local users find on their desktop PCs carries obvious security risks. Technologies that create a private connection to the internal network, such as a virtual private network (VPN) over the Internet or telephone dial-up remote access services, can mitigate these risks. For these systems, security becomes an issue when access to the private link and the internal network is not sufficiently guarded, allowing an attacker unrestricted entry as though they were a legitimate user. Unfortunately, many organizations do not actively map and monitor access to their rapidly expanding wireless networks, leaving them highly vulnerable to attack.

Emergency operations planners, IRMs, and IT security professionals often overlook the physical security aspects of cyber assets. Information and communication resources have physical characteristics and dependencies that can be seriously impacted by natural disasters or physical attacks. To ensure the reliable performance and delivery of cyber-based products and services, IT security managers must account and plan for virtual assets and pathways that share the same physical vulnerabilities and single points of failure. For example, if an organization uses a primary and secondary Internet service provider (ISP), it should ensure that the ISPs do not share the same communication infrastructure in the event there is a communication outage due to physical causes, e.g., a fiber-optic cable is cut.

Expected IT security benefits for meeting this objective include:

• Reduced number and cost of significant computer security events

• All agencies can regularly assess, test, and investigate any IT vulnerability, business continuity, or disaster recovery issues per TxHSSP24,25 and the SSP (which complies with the Information Resources Management Act26)

• Agency resources can target the most important security issues by completing standardized Baseline Risk Assessments on Physical Security, Vulnerability Assessments, Information Security Standards Compliance, and Benchmarking of Performance Measures, as specified in TxHSSP27,28 and SSP

• Agencies conduct regular internal vulnerability assessments, scanning, and testing that reduce internal vulnerabilities and deter malicious actors

• Regular scans of agency systems reduce the vulnerability of unauthorized or non-secure access to the agency network via remote connections

• A unified enterprise approach to logical, physical, network, and application level access controls across agencies and infrastructures while maintaining the unique mission capabilities for individual agencies

• Accurate agency mapping of networks that have external connectivity will reduce vulnerability to outside cyber attacks and permit consistent pathway visualization and positive control and monitoring of internal and external network traffic flow

• Filtered access to agency networks via outside linkages will limit vulnerability to direct attacks

• Strict auditing of access control lists, firewall rule sets, and intrusion detection system (IDS) logs will improve network protection

• Federated user access provisioning and deprovisioning improves security while reducing costs and time spent on system administration

• Documentation of training, technology, management, and investment trends and requirements will improve performance tracking and trends analysis

• Facilitate compliance with TGC § 2059.101 and SSP29 to collect information on agency IT security resources

• Reduced vulnerabilities through standardized policies and procedures by leveraging statewide technology security architecture, assets, and training

• Improved security coordination with privacy stakeholders on the collection, storage, usage, dissemination, and disposal of personal information
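The benefits above call for filtered access from outside linkages and strict auditing of access control lists and firewall rule sets, but the plan does not say what such an audit looks for. The following script is an added illustration, not DIR or agency code: it reads a constructed rule set in a simplified five-field format of my own (name, action, source CIDR, destination CIDR, port, hit count) and applies the checks an auditor typically makes first, flagging a permit that exposes an internal range to any outside source, a rule shadowed by an earlier broader rule so it can never match, and a permit that has never been hit. The RFC 1918 ranges standing in for "internal" and the list of risky services are assumptions for the example.

```python
"""Static audit of a firewall rule set / ACL for common defects.

Constructed example (not DIR or agency code). Rule format is my own:
    name action src-cidr dst-cidr port|any hit-count
Rules are evaluated top to bottom, first match wins.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

# RFC 1918 ranges stand in for "the agency's internal network" (assumption).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
# Services that should never be reachable from arbitrary outside sources (assumption).
RISKY_PORTS = {23: "telnet", 445: "smb", 1433: "mssql", 3389: "rdp", 5900: "vnc"}

# Constructed sample rule set.
SAMPLE_RULESET = """
allow-vpn-to-intranet permit 10.200.0.0/16   10.10.0.0/16    any  5000
allow-any-rdp         permit 0.0.0.0/0       10.10.5.0/24    3389 12
allow-web             permit 0.0.0.0/0       203.0.113.10/32 443  99999
allow-finance-share   permit 10.200.1.0/24   10.10.0.0/16    445  0
legacy-telnet         permit 192.168.50.0/24 10.10.9.0/24    23   0
deny-all              deny   0.0.0.0/0       0.0.0.0/0       any  3000
"""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]    # None means any destination port
    hits: int              # match counter exported by the device


def parse_ruleset(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        name, action, src, dst, port, hits = line.split()
        rules.append(Rule(name, action, ip_network(src), ip_network(dst),
                          None if port == "any" else int(port), int(hits)))
    return rules


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if `broad` matches every packet that `narrow` would match."""
    return (narrow.src.subnet_of(broad.src) and narrow.dst.subnet_of(broad.dst)
            and (broad.port is None or broad.port == narrow.port))


def audit_rules(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, finding code, explanation) for each problem found."""
    findings = []
    for i, r in enumerate(rules):
        any_src = r.src.prefixlen == 0
        if r.action == "permit":
            if any_src and r.dst.prefixlen == 0 and r.port is None:
                findings.append((r.name, "ANY_ANY",
                                 "permits all traffic from anywhere to anywhere"))
            elif (any_src and any(r.dst.overlaps(n) for n in INTERNAL)
                  and (r.port is None or r.port in RISKY_PORTS)):
                svc = "all ports" if r.port is None else RISKY_PORTS[r.port]
                findings.append((r.name, "UNFILTERED_INTERNAL",
                                 f"exposes {svc} on {r.dst} to any outside source; "
                                 "restrict to the VPN or another vetted remote-access path"))
        # A rule preceded by a broader one can never match: dead, misleading config.
        shadow = next((p for p in rules[:i] if covers(p, r)), None)
        if shadow is not None:
            findings.append((r.name, "SHADOWED",
                             f"never matches: {shadow.name} matches first"))
        elif r.action == "permit" and r.hits == 0:
            findings.append((r.name, "UNUSED", "permit with zero hits; remove or justify"))
    return findings


if __name__ == "__main__":
    for name, code, why in audit_rules(parse_ruleset(SAMPLE_RULESET)):
        print(f"{code:20} {name:22} {why}")
```

On the sample set the audit reports three findings: the RDP permit from any source into an internal subnet, the finance share rule shadowed by the broader VPN rule ahead of it, and the zero-hit legacy telnet permit. The VPN, web and final deny rules pass. A real audit would read the vendor's exported configuration and hit counters instead of the constructed text, but the three checks are the same.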


REDUCE VULNERABILITY
Objective 5: Increase awareness and information sharing about cybersecurity attacks, threats, and vulnerabilities

The successful development of analytic capabilities for threat identification, prevention, reduction, and response requires a broad-based information sharing effort. Sharing information about cyber incidents or attacks is vital to cybersecurity and is an important part of any coherent cyber CI/KR protection program. It ensures implementation of effective, coordinated, and integrated CI/KR protection efforts for information resources and enables partners to make informed decisions with regard to short- and long-term cybersecurity postures, risk mitigation, and operational continuity. Information sharing and awareness involves sharing programs with agency and other security partners and special sharing arrangements for emergency situations.

Cyber threat reduction and prevention can be improved and expanded through a statewide collaboration capability that is linked with a sector, regional, and national network. DIR will take a leadership role in coordinating and encouraging state and nongovernmental participation with appropriate cyber information sharing initiatives. All users and organizations play important roles in detecting and reporting cyber attacks, exploits, or vulnerabilities.

DIR has a role in developing specific information sharing initiatives as well as promoting these linkages and partnerships to raise awareness among the general public, and state, local, and federal agencies. DIR will support improved information sharing and investigative coordination with state, federal, and local cybersecurity programs and organizations to help reduce cyber attacks and threats to the state and the respective participants. See Appendix D for a list of sites, programs, and organizations that support cybersecurity information sharing.

A key part of information sharing is confidentiality of sensitive information and communications infrastructure and key resource data and assessments. DIR will raise awareness to remove impediments to information sharing about cybersecurity and infrastructure vulnerabilities and keep sensitive information out of the hands of those who would do us harm. The state and federal governments have established procedures to receive and store critical infrastructure information submitted to the government while protecting the confidentiality of the submitting entity. For example, the private sector can use the protections afforded by the Protected Critical Infrastructure Information Act to electronically submit proprietary data to the U.S. Computer Emergency Response Team (US-CERT).

IT security benefits of meeting the information sharing and awareness objective include:

• Reduced attacks and threats through improved information sharing and coordination, expeditious investigation and resolution of critical incidents, and better understanding and tracking of intrusions and trends

• Improved statewide cyber terrorism and threat awareness and management as directed in TxHSSP30

• Improved statewide security program as directed in TxHSSP31 that includes increased public, regional and local cyber terrorism education, awareness and reporting of suspicious IT security activities

• Timely information and advice about current cybersecurity issues, vulnerabilities, and exploits are available via cybersecurity alerts, bulletins, and tips

• Online reference tool is available for Texas citizens (e.g., SecureTexas) with cyber terrorism awareness and reporting content

• Distribution of information and materials via a Web portal to other state agencies for broader media distribution as well as multiple communities of interest, such as neighborhoods, schools, places of worship, private sector businesses, and nongovernmental organizations as well as through electronic capabilities

• Streamlined plans, policies, and procedures for cyber terrorism and IT security event detection and response are in place

• A Texas CI/KR information database that can be easily accessed by local, state and federal law enforcement agencies as outlined in TxHSSP32 is in place

• A robust set of collaboration links are in place, e.g., national (US-CERT, GFIRST), state (Multi-State ISAC, State Information Security Advisory Workgroup, Homeland Security Council), local (Texas Conference of Urban Counties, Texas Association of Counties), and private sector, e.g., Infragard, ISSA, ASIS, ACP

• IT security staff members can become leaders and participants in state and national resource sharing opportunities and partnerships, e.g., Multi-State ISAC, National Association of State Chief Information Officers (NASCIO), the Government Forum for Incident Response Teams (GFIRST), and US-CERT


RESPOND AND RECOVER
Objective 6: Identify and facilitate implementation of cybersecurity best practices

The delivery of critical public services depends on the availability, reliability, and integrity of the state's information and communication systems. Each agency must adopt appropriate methods to protect its information and communication systems. While some agencies will need to adopt stronger standards and methods, the statewide program must address minimum requirements and a consistent approach. Statewide rules, standards, and guidelines will help eliminate structural vulnerabilities from the state’s IT architecture and encourage the implementation of more uniform, robust security within all agencies.

The strength of an agency’s security posture is heavily influenced by the degree to which the agency makes its information security program an integral component of all business operations. The success of any security program is directly related to executive management’s clear and unequivocal support and its independence from operations.

Executive management must maintain awareness of the agency’s IT security posture, and provide a healthy role model for the rest of the agency. Management can create an atmosphere that acknowledges information security as not just another policy requirement but a mission critical practice for everyone in the organization. When the security program is embedded in IT operations and/or the ISO is too far removed from senior management in an agency’s chain of command, the security program often lacks independence, exercises minimal authority, receives little management attention, and lacks adequate resources.

Texas Administrative Code (TAC § 202) provides information security standards for state agencies. For example, it requires each state agency head to have a designated ISO who administers the agency’s information security program and reports directly to executive level management.33 TGC § 2054.307 also requires the agency employee in charge of information security (i.e., the agency ISO) to approve all major information resources projects and ensure the allocation of adequate resources. These rules are intended to ensure that agency ISOs have direct access and input to agency leadership and avoid any internal conflict of interest issues.34

Some state entities may be exempt from certain portions of TAC § 202 due to their business model, function, structure, or other reasons that need to be confirmed and documented. However, the 2005 SITSA revealed other operational, organizational, equipment, and training aspects of cybersecurity where rules, standards and guidelines are lacking or need improved definition. DIR will address those shortfalls and provide tailored best practices for state entities to help ease the workload of individual ISOs and improve the overall level of the state’s security posture.

A common security approach also supports compatible solutions that can be shared among agencies and yield a better return on technology investment. Agencies may want to implement more stringent or specific requirements using industry standards (e.g., National Institute of Standards and Technology or ISO 17799). Specific security rules, standards, and guidelines will evolve but the primary benefits will remain constant:

• A secure information and communications environment

• Reduced information security risk

• Well understood responsibilities for information protection

Other specific IT security benefits of achieving this objective are expected to be:

• Consistent management policies, staffing, certification, training, awareness, budgeting, equipment, and standard operating procedures that reflect industry best practices

• Improved statewide ability to meet or exceed rules, policies and standards of performance as outlined in TAC 202, the SSP35 and related guidelines

• Separately designated and independent ISOs within each agency per industry best practices and state administrative code

• Economies of scale for investing and training on similar systems and equipment, security software, and encryption implementation

• Reduced risk through a management process that protects the organization’s ability to perform its mission through a statewide standard for conducting periodic vulnerability and penetration scans, tests, and assessments at least annually36

• More timely and standardized data collection, reporting, and monitoring

• Dedicated agency budgets to identify and track investment effectiveness

• Meet NIMS incident command structure requirements to perform core functions

• State agencies have online access to a risk assessment tool that guides investment decisions and resource allocations

• Improved technical and policy standards for protecting the storage, transmission, sharing, or disposal of sensitive (personal) information

IT SECURITY BEST PRACTICES – PRIVACY MANAGEMENT

One of the major factors unique to government is the inherent openness that is expected of government at all levels. This has created the challenge of balancing that expectation of openness and transparency with the need to protect the privacy of personal or sensitive citizen information.

Privacy policy and security policy are separate concepts, but closely linked. Privacy policy dictates what information is considered personal and how states will collect, store, use, disseminate, and dispose of citizens’ personal information. Security policy dictates how states will protect personal information from misuse. One cannot have privacy without security.

As states develop privacy management policies, state CIOs and CISOs play an important role in addressing issues related to the effective management and implementations of privacy protections involving technology and the handling of electronic data.

— “Keeping Citizen Trust: What Can a State CIO do to Protect Privacy,” Research Brief, NASCIO, Lexington, KY, October 2006.


RESPOND AND RECOVER
Objective 7: Establish a capability for responding to state-level cybersecurity incidents

Incident response and business continuity capabilities are vital to the survival of any organization but are particularly critical to those organizations that have a strong reliance on information and communications technology. Many organizations with large IT infrastructures have dedicated groups that develop, plan, and test incident response and business continuity plans and procedures. These larger organizations usually pool or share their training, expertise, and resources with security professionals across the enterprise.

While it is an industry best practice to have only a few dedicated incident response resources, organizations must ensure that they have excellent incident response procedures and processes. Most incident response teams are activated on an as-needed basis, but they are most effective when guided by established, tested procedures and each team member is trained and regularly exercised using those procedures.

Texas requires a response system to detect potentially damaging activity in cyberspace, to analyze exploits and warn potential victims, coordinate incident responses, and restore essential services that have been damaged. To mitigate the impact of cyber attacks, information about them must be disseminated widely and quickly. The new state NSOC will coordinate analytical and incident response capabilities that exist in numerous agencies and determine how to best defend against an attack, mitigate effects, and restore service.

The NSOC will serve as the state’s principal interagency mechanism for operational information sharing and coordination of state government response and recovery efforts during a cyber crisis or other disaster with significant cyber effects. During such incidents, the state CSIRT members will coordinate their capabilities to assess the statewide scope and severity of an incident. The member agencies will use their situational awareness of a cyber incident to govern response and remediation efforts and to guide senior policymakers. The member agencies will also develop, coordinate, and recommend courses of action and incident response strategies for the state. Moreover, the NSOC and its CSIRT members will leverage their established relationships with the private sector and other state, local, and federal entities to help manage a cyber crisis, develop courses of action, and devise response and recovery strategies.

Cyberspace Emergency Readiness: DHS established the US-CERT as a 24/7 single point of contact for cyberspace analysis, warning, information sharing, and incident response and recovery for a broad range of users, including government, enterprises, small businesses, and home users. The Multi-State ISAC is linked to the US-CERT and is also a 24/7 vehicle for monitoring and sharing information about state government cyber attack trends, vulnerabilities, and best practices.

The Texas CSIRT will serve as the point of contact and interface with the US-CERT and Multi-State ISAC as appropriate to:

• Analyze and reduce cyber threats and vulnerabilities

• Disseminate statewide cyber threat warning information

• Coordinate cyber incident response activities

Establishing a state CSIRT will provide the following IT security benefits, which will improve our ability to prevent, detect, respond to, and reconstitute rapidly after an incident or disaster that has significant cyber impact:

• Better protection of Texas’s infrastructure through more timely and effective response to computer security incidents

• Improved statewide and agency situational awareness through enhanced information dissemination and analysis of threats and responses

• Increased collaboration, coordination, and information sharing among state, local, and federal governments and the private sector

• Improved statewide readiness, protection, and incident response capabilities through state, regional, local, federal, and interagency exercises and workshops that promote effective collaborative responses to attacks

• Improved capacity to prevent, detect, analyze, respond, and recover from an incident37

• Statewide CSIRT will meet DHS grant funding guidelines38 for additional funding

• Computer incident or emergency responders are equipped and trained to nationally recognized standards

• Agencies have well-trained CSIRT members onsite or immediately available to assist in recovery operations

• Close coordination with other governments’ 24/7 functions, analysis, warning, information sharing, major incident response, and national-level recovery effort, e.g., US-CERT, Multi-State ISAC, and GFIRST


RESPOND AND RECOVER
Objective 8: Promote cybersecurity exercises and integrate cybersecurity elements into homeland security exercises

Exercises help identify, test, and improve coordinated cyber incident response and help managers understand the role of IT within a context of emergency or disaster. The main objectives of cyber exercises are to practice effective collaborative response to a variety of attack scenarios that have cyber elements, including crisis decision making. Exercises provide an environment for evaluation of interagency and inter-sector business processes that rely on the IT infrastructure; measure the progress of ongoing cyber incident response efforts; and foster improved information sharing among state agencies, local and federal government, and private industry. Cyber exercises can sensitize a diverse constituency of private and public sector decision makers to a variety of potential cyber threats; familiarize this constituency with the national cyber response system and the importance of their role in it; and practice the roles and responsibilities of government agencies and industry in cyber incident response.

DIR will coordinate all IT security exercises in Texas that are funded by federal dollars with the Governor’s Division of Emergency Management (GDEM) to ensure a cohesive statewide effort and a consistent standard of excellence. Statewide exercises will test cybersecurity plans and operations using lessons learned, plan modifications, and scenarios based on, or resulting from, natural disasters, terrorist attacks, and other criminal or illicit activity.

DIR is responsible for demonstrating due diligence and periodically testing and exercising cybersecurity plans using state39,40 and federal homeland security guidelines. DIR also provides crisis management support in response to threats to, or attacks on, critical information systems within the consolidated NSOC. DIR will also support other state agencies, local governments and private sector infrastructures when requested and as resources permit.

Benefits from a successful cybersecurity exercise program are expected to be:

• CSIRT participants are well-trained through an annual exercise program

• Improved interoperability and readiness of participants through tailored exercises

• Cybersecurity is integrated into all major statewide homeland security exercises

• DIR partnerships with nationally recognized exercise subject matter experts within Texas, e.g., University of Texas San Antonio (UTSA) Center for Infrastructure Assurance and Security (CIAS), Texas Engineering Extension Service (TEEX), Texas A&M National Emergency Response and Rescue Training Center (NERRTC)

• Development of an exercise training template that helps other communities prevent, deter, and respond to cybersecurity incidents

• Agencies demonstrate due diligence to periodically test and exercise cybersecurity plans using relevant homeland security guidelines41

• Local communities can schedule and conduct exercises at low cost

• Cybersecurity exercises include NIMS concepts to ensure rapid response and interoperability are built into exercises and training

• Information and communication systems are included in cybersecurity continuity plans and exercises


RESPOND AND RECOVER
Objective 9: Integrate cybersecurity into continuity of operations (COOP) and continuity of government (COG) plans

Identifying and prioritizing critical applications is an essential step in any risk assessment and disaster recovery planning. Business critical applications are crucial applications that the organization needs for its core business functions. Documentation of these applications is an important element of risk assessment and disaster recovery planning. Risk assessments should be a reliable source of information on agency critical application data and should help ensure that the network is robust enough to operate during partial outages and avoid single-point failures that disable the network.

In consonance with society’s growing reliance on technology, state organizations depend on each other to provide data or services to perform their core business functions. Some organizations provide data or services, while others rely on receiving data or services from others as part of their daily operations. Most organizations do both. As part of their risk assessment and disaster recovery planning, agencies should know whom they provide data to and whom they receive their critical data input from. A detailed understanding of these government and commercial relationships and communication paths can be critical if one agency experiences a disaster or attack resulting in an outage that initiates a cascading effect into organizations and infrastructures not directly impacted by the original event.
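Two of the plan's points, the earlier one about primary and secondary ISPs that turn out to share a conduit, and the paragraph above about an outage cascading into organizations not directly hit, both come down to the same bookkeeping: a map of who depends on whom and of which physical segments each link rides. The script below is an added illustration, not DIR or agency code. The service names, providers and segment labels are constructed, and the dependency map is a toy; it shows how a COOP planner can compute the transitive blast radius of losing one provider, detect "redundant" circuits that share a single physical segment, and combine the two to see what one cable cut would take out end to end.

```python
"""Dependency and shared-infrastructure analysis for COOP/COG planning.

Constructed example (not DIR or agency code). All names below are made up.
Two checks:
  1. cascade: which services fail transitively when a provider goes down
  2. shared segments: whether a site's circuits ride the same physical
     segment, and what a cut of that segment would take out end to end
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed: consumer -> providers it needs for its core business functions.
DEPENDS_ON: Dict[str, Set[str]] = {
    "tax-portal":         {"identity-svc", "payments-svc"},
    "dmv-renewals":       {"identity-svc", "dmv-db"},
    "parks-reservations": {"payments-svc"},
    "payments-svc":       {"state-datacenter"},
    "identity-svc":       {"state-datacenter"},
    "dmv-db":             set(),
    "state-datacenter":   set(),
    "public-website":     set(),
}

# Constructed: site -> (role, provider, physical segments the circuit rides).
CIRCUITS: Dict[str, List[Tuple[str, str, List[str]]]] = {
    "state-datacenter": [
        ("primary",   "ISP-A", ["conduit-hwy71", "pop-austin-1"]),
        ("secondary", "ISP-B", ["conduit-hwy71", "pop-austin-2"]),  # same conduit
    ],
    "dmv-db": [
        ("primary",   "ISP-A", ["conduit-north", "pop-austin-1"]),
        ("secondary", "ISP-C", ["conduit-east", "pop-sanantonio"]),
    ],
}


def consumers_of(depends_on: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the dependency map: provider -> its direct consumers."""
    rev: Dict[str, Set[str]] = {}
    for consumer, providers in depends_on.items():
        for p in providers:
            rev.setdefault(p, set()).add(consumer)
    return rev


def cascade(depends_on: Dict[str, Set[str]], failed: str) -> Set[str]:
    """Every service that loses a provider, transitively, when `failed` is down."""
    rev = consumers_of(depends_on)
    affected: Set[str] = set()
    queue = deque([failed])
    while queue:
        for c in rev.get(queue.popleft(), ()):
            if c not in affected:
                affected.add(c)
                queue.append(c)
    return affected


def shared_segments(circuits, site: str) -> Set[str]:
    """Segments common to all of a site's circuits; each one is a single point of failure."""
    paths = [set(p) for _, _, p in circuits.get(site, [])]
    return set.intersection(*paths) if paths else set()


def segment_cut_impact(depends_on, circuits, segment: str) -> Set[str]:
    """Sites that lose every circuit if `segment` is cut, plus all downstream consumers."""
    down = {site for site in circuits if segment in shared_segments(circuits, site)}
    impact = set(down)
    for site in down:
        impact |= cascade(depends_on, site)
    return impact


if __name__ == "__main__":
    for site in CIRCUITS:
        shared = sorted(shared_segments(CIRCUITS, site))
        print(f"{site}: shared physical segments = {shared or 'none'}")
    for seg in ("conduit-hwy71", "pop-austin-1"):
        hit = sorted(segment_cut_impact(DEPENDS_ON, CIRCUITS, seg))
        print(f"cut {seg}: {hit or 'no loss of service'}")
```

In the constructed data the datacenter's two ISPs look redundant on paper but both ride conduit-hwy71, so a single cut there takes the datacenter down and, through the identity and payments services, five more services that never touch that conduit. Losing pop-austin-1 costs nothing, because every site that uses it has a second circuit on different infrastructure. That is the distinction the plan asks agencies to document.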

While most emergency situations are handled locally, major incidents require assistance from other jurisdictions, including the state or federal government. The National Incident Management System (NIMS) helps responders from different jurisdictions and disciplines work together and better respond to natural disasters and emergencies, including acts of terrorism. Personnel involved in the cybersecurity aspects of emergency response must be well-versed in NIMS to achieve the objective of an integrated approach to COOP and COG planning.

Integrating cybersecurity into COOP and COG plans should produce the following benefits:

• Strong, mutual understanding of agency interdependencies for collaborative information and communication security efforts

• Every agency’s COOP/COG plan clearly documents from whom and how it receives its data or IT services and to whom it provides data or IT services

• Agencies have clearly documented response plans associated with any internal outages or external data interruptions from critical sources

• Information security personnel have met qualifications and certifications for NIMS

• NIMS-certified cybersecurity specialists are available to commence operations with an Emergency Operations Center or State Operations Center

• Statewide IT security COOP/COG, administrative rules, best practices, guidelines, and standard operating procedures are aligned with NIMS standards

• All agencies have integrated cybersecurity into COOP/COG plans

• DIR can resume operations and critical business functions after any disruption

• Agency risk assessments and COOP/COG plans are regularly aligned and tested


SECTION 4
Strategies

The cyber threat in Texas is real, constant, and increasing in quantity and sophistication. The strategies presented in this section address those threats by identifying specific initiatives to accomplish the state enterprise security goals and objectives described in the previous section.

State enterprise security strategies are an essential part of the comprehensive security program to safeguard the integrity of state information and communications assets. While the strategies apply specifically to DIR, the statewide security posture depends upon the collective actions of individual state agencies and institutions. Responsibilities are listed with each strategy.

STATE ENTERPRISE SECURITY STRATEGIES AND THE GOALS AND OBJECTIVES THEY SUPPORT

Goals: PREVENT, REDUCE, RESPOND. Objectives: 1 through 9 (see Section 3). Each strategy is listed with the objectives it supports.

1. Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives
   Supports Objectives 1, 2, 3, 4, 5, 6, 7, 8, 9

2. Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities
   Supports Objectives 1, 4, 5, 6, 9

3. Establish a state Computer Security Incident Response Team to rapidly identify, contain, and recover from any attack or attempt to disrupt the state’s critical IT infrastructure
   Supports Objectives 1, 2, 4, 5, 6, 7, 8, 9

4. Identify, develop, and maintain best practice rules, performance standards, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management
   Supports Objectives 1, 2, 3, 4, 5, 6, 7, 8, 9

5. Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center
   Supports Objectives 1, 4, 5, 6, 7, 8, 9

6. Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state
   Supports Objectives 1, 2, 3, 4, 5, 6, 7

7. Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities
   Supports Objectives 2, 4, 5, 6, 7, 8, 9

8. Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyberattacks
   Supports Objectives 2, 5, 6, 7, 8, 9

See Appendix B for a matrix showing how each of the strategies maps to federal and state homeland security strategies.


Strategy 1 Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives.

This first strategy is an overarching management activity that maps the goals and objectives from Section 3 to each course of action that follows. The implementation of these actions will result in sustainable efforts that consistently satisfy those goals and objectives. This State Enterprise Security Plan is a first step toward implementing this initiative. It is designed to link DIR, state, and federal IRM and cybersecurity strategies with concrete implementation plans that include commitment timelines, budgets and accountability performance measures.

DIR RESPONSIBILITIES

1.1 Ensure that all DIR cybersecurity initiatives and operations are consistent with this strategy

AGENCY RESPONSIBILITIES

1.2 Support core agency mission areas by maintaining a safe and secure environment for all assigned information and communication resources

1.3 Manage the agency’s respective IT security program and initiate measures to assure and demonstrate compliance with applicable state security policies, standards, and laws as well as applicable federal requirements

See page 43 for a tactical checklist associated with this strategy.

Strategy 2 Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities.

These assessments also identify agency requirements that provide specific direction to the initiatives contained in this State Enterprise Security Plan. DIR records reveal a direct correlation between those state agencies with excellent cybersecurity postures and those that regularly conduct third-party (i.e., DIR) controlled vulnerability tests and assessments. This plan outlines responsibilities for introducing and sustaining a regular program of IT security evaluations and risk assessments.

DIR RESPONSIBILITIES

2.1 Provide external cyber vulnerability and controlled penetration testing (CPT) and assessment services to state agencies and other entities (universities, local government, school districts, hospital districts, water districts or authorities) to the extent possible42

2.2 Assess the existing user access management controls and submit recommendations to the Legislature for improvement regarding interoperability, scalability, cost savings, feasibility, and security benefits43

2.3 Sponsor a statewide cyber risk assessment and vulnerability reduction program to protect sensitive information resources and facilitate planning for agency baseline risk analysis and reduction, as specified in the TxHSSP44,45 and the SSP

2.4 Collect information on agency assets and evaluate commonalities in statewide technology security architecture, assets, training, and policies and procedures as required46 and as outlined in the SSP47

AGENCY RESPONSIBILITIES

2.5 Sponsor or conduct regular (at least annual) external network vulnerability and penetration testing and assessments as required48

2.6 Continue to participate in current and ongoing statewide assessment activities

See page 44 for a tactical checklist associated with this strategy.

Strategy 3 Establish a state Computer Security Incident Response Team to rapidly identify, contain, and recover from any attack or attempt to disrupt the state’s critical IT infrastructure

DIR RESPONSIBILITIES

3.1 Create a statewide response and recovery CSIRT capability that has interagency participation, a training and continuing education program, an annual cybersecurity exercise program, and Web-based incident reporting tools

AGENCY RESPONSIBILITIES

3.2 Participate in statewide collaborative opportunities such as the computer security incident response and recovery capability program by making IT security personnel available for specialized training and certification49

See page 46 for a tactical checklist associated with this strategy.

Strategy 4 Identify, develop, and maintain best practice rules, performance standards, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management.

DIR is committed to documenting IT security best practices and transforming them into rational rules, standards, and guidelines in partnership with affected agencies. This is an ongoing, sustaining initiative that will optimize each of the goals, objectives, and activities of this plan. DIR-sponsored rules and standards are not intended as a set of detailed instructions, but as a minimum set of best practices, checklists, and guidelines that provide a common understanding of expectations, reduce agency workloads, and promote positive results.

DIR RESPONSIBILITIES

4.1 Work with agencies to develop, maintain, and distribute IT security program guidelines, best practices, and standard operating procedures that offer a consistent framework while accounting for diverse missions and organization size


AGENCY RESPONSIBILITIES

4.2 Develop and follow cybersecurity guidelines, best practices, and standard operating procedures to meet standards, save time, and better secure agency assets

4.3 Help develop and adhere to IT security training and certification guidelines for all personnel

4.4 Develop and sustain methodologies to budget for and track the effectiveness of IT security investments

4.5 Use appropriate best-value group purchase agreements and take full advantage of DIR-negotiated rates for security, certification, CPE, and user training

4.6 Require the agency employee in charge of information security for the agency (e.g., the ISO) to review and approve all major information resources projects50

See page 47 for a tactical checklist associated with this strategy.

Strategy 5 Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center (NOC).

This collaborative initiative will also serve as a statewide operational hub for monitoring, coordinating, and sharing information on statewide cybersecurity events. By consolidating the functions of a NOC into a state NSOC, the state will strengthen its ability to protect critical information resource infrastructures and provide more collaborative opportunities for agencies to share information and effectively plan against cybersecurity threats.

DIR RESPONSIBILITIES

5.1 Develop a shared statewide NSOC to initially deliver services to state agencies that are part of the statewide network infrastructure per legislative51 52 and DIR requirements

AGENCY RESPONSIBILITIES

5.2 Leverage NSOC information sharing, analysis, and response processes

See page 49 for a tactical checklist associated with this strategy.

Strategy 6 Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state.

DIR RESPONSIBILITIES

6.1 Build a statewide NSOC facility with sufficient resources to deliver network security services to state agencies per legislative53 54 and DIR requirements

6.2 Engage state entities in proof-of-concept pilots for promising cybersecurity technologies and tools


6.3 Develop an “information sharing methodology with external partners (including local government)” per DHS guidelines55

AGENCY RESPONSIBILITIES

6.4 Work with DIR to plan, execute, and evaluate proof-of-concept pilots and topical workshops

6.5 Provide two-way exchange of information and feedback and use collaborative tools

6.6 Participate in the DIR-sponsored online security risk assessment program to help identify requirements and reduce vulnerability through gap analysis and risk reduction planning (e.g., ISAC)

See page 50 for a tactical checklist associated with this strategy.

Strategy 7 Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities, as directed in the TxHSSP.56

DIR RESPONSIBILITIES

7.1 Establish and promote statewide cybersecurity training and awareness at multiple levels consistent with Texas Emergency Operation Plans per DHS guidelines57

7.2 Develop a program to initiate, sustain, and expand a CSIRT and provide cyber forensics capabilities to serve both civilian and criminal matters for the state as recommended in DHS guidelines58 and in partnership with state agencies

7.3 Participate in and sponsor joint public-private sector partnerships with groups that have cybersecurity interests and the ability to plan, conduct, and evaluate IT security forums, seminars, and conferences

AGENCY RESPONSIBILITIES

7.4 Fund and participate in technical cybersecurity training and awareness on an annual basis at multiple levels to ensure the greatest penetration possible59

7.5 Participate in IT security forums, seminars, and conferences

See page 51 for a tactical checklist associated with this strategy.

Strategy 8 Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyber attacks.

Recognizing the relationship of information and communications with other critical infrastructure is important. Exercises provide managers the opportunity to visualize the cascading effects of any physical or virtual disruption of their critical information resources and develop plans and processes to prevent, reduce the impact, and recover more quickly.


DIR RESPONSIBILITIES

8.1 Demonstrate due diligence by conducting statewide exercises to evaluate cybersecurity capabilities and periodically test and exercise cybersecurity plans60

8.2 Develop integrated community cybersecurity exercises in partnership with Texas Division of Emergency Management, TEEX/NERRTC, UTSA CIAS, and the Governor’s Office of Homeland Security per the TxHSSP61 62 and SSP

AGENCY RESPONSIBILITIES

8.3 Demonstrate due diligence, and periodically test and exercise cybersecurity plans

8.4 Include cybersecurity as part of participation in emergency response exercises as outlined in the TxHSSP63 64 and SSP

See page 53 for a tactical checklist associated with this strategy.


SECTION 5 Moving Forward

IT security breaches occur when information and communication resources are inadequately prepared to respond to the security threat and when there are insufficient policies and infrastructure to protect individual environments. Although much work remains to be done, implementation of this State Enterprise Security Plan will improve the security posture of the state. The essential element for the success of this plan is collaboration and partnership among state agencies and institutions of higher education.

DIR is committed to creating a security environment that evolves beyond compliance and enforcement to one of collaboration and partnership. Cybersecurity in Texas is no longer a discretionary afterthought; it is fundamental to the safety and economic well-being of the state and the nation. Accordingly, this plan provides a road map that includes both strategic direction and tactical stakeholder actions that will improve the security of our state.

As Texas moves forward, agency understanding of the increasing security risks and how to manage and mitigate them must be emphasized and accelerated at all levels, from agency leadership to staff employees. The state must also establish and maintain adaptable security policies, processes, and infrastructure that all state entities can use to coordinate their response to IT security threats. The preliminary steps outlined in this plan will ensure that Texas fulfills its commitment to protect the vital information and communications technology assets of its citizens.


APPENDIX A Tactical Checklists

TACTICAL CHECKLIST

STRATEGY 1

Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives

DIR RESPONSIBILITIES

1.1 Ensure that all DIR cybersecurity initiatives and operations are consistent with this strategy

Submit and annually update a Homeland Security Implementation Plan that is aligned with relevant SSP, TxHSSP, and NSSC plans

Assist in strategic and operational recovery planning and policy development in partnership with state agencies

AGENCY RESPONSIBILITIES

1.2 Support core agency mission areas by maintaining a safe and secure environment for all assigned information and communication resources

Assure the confidentiality, integrity, availability, and accountability of all agency information while it is being processed, stored, and/or transmitted electronically, and the security of processing-associated resources

Use available statewide network-layer cybersecurity services as available and consistent with agency core mission functions

Maintain current physical and logical inventories and network maps of hardware, software applications and operating systems as a first step in network defense

Update deployment profiles, mitigation priorities and policies whenever a critical database application is added to a host

1.3 Manage the agency’s respective IT security program and initiate measures to assure and demonstrate compliance with applicable state security policies, standards, and laws as well as applicable federal requirements

Report significant cybersecurity incidents and IT security program status to DIR

Ensure separation of duties and assignment of appropriate system permissions and responsibilities for agency system users

Assume the lead role in resolving internal agency security incidents

Ensure that a configuration/patch management process is in place that maintains IT system security

Identify and protect sensitive information, e.g., privacy data


TACTICAL CHECKLIST

STRATEGY 2

Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities.

DIR RESPONSIBILITIES

2.1 Provide external cyber vulnerability and controlled penetration testing (CPT) and assessment services to state agencies and other entities (universities, local government, school districts, hospital districts, water districts or authorities) to the extent possible

Assist agencies in implementing requirements to increase the number of CPT engagements

Identify external network access vulnerabilities, including authentication and authorization issues

Maintain internal user access requirements for systems, applications, and data

Use annual CPTs to assess an agency’s network security posture (simulate outside/unauthorized network access without attacking or disrupting operations)

Provide analysis of identified vulnerabilities and provide recommendations for remediation of identified vulnerabilities

Review user roles and appropriate access requirements regularly

Provide a written report and oral briefing to each agency/organization and, upon request, the State Auditor’s Office that contains analysis of exploitable vulnerabilities found, remediation recommendations, and network security posture assessment

Track test results to help assess annual training and awareness requirements to reduce the number of vulnerabilities, improve the efficiency of future testing, and make the organization’s networks safer from outside attacks

Use the results of the engagements to provide accurate trend analysis and assessment as part of the IT security biennial report65

Obtain federal homeland security or other grant funding to help subsidize any start up costs to the fullest extent possible66

Transition to a charge back, cost recovery system for vulnerability and CPT services as part of DIR’s converged telecommunication services offerings

2.2 Assess the existing user access management controls and submit recommendations to the Legislature for improvement regarding interoperability, scalability, cost savings, feasibility, and security benefits

Identify commonalities in statewide technology security architecture, assets, training, and policies and procedures to reduce vulnerabilities as required67 68 and as outlined in the SSP

Address logical and physical security as part of statewide user access recommendations

Assess the status of user access management by reviewing data from affected agencies within the State of Texas

Outline and recommend applicable best practices

2.3 Sponsor a statewide cyber risk assessment and vulnerability reduction program to protect sensitive information resources and facilitate planning for agency baseline risk analysis and reduction, as specified in the TxHSSP and the SSP

Deploy a prototype risk assessment tool (i.e., Texas A&M’s Information Security Awareness, Assessment, and Compliance, ISAAC) to facilitate Web-based agency planning and tracking of baseline risk analysis and reduction

Use risk assessment tools and assessments to help weigh the risks involved and make informed decisions on how to spend resources using established cybersecurity metrics


2.4 Collect information on agency assets and evaluate commonalities in statewide technology security architecture, assets, training, and policies and procedures as required and as outlined in the SSP

Maintain a current inventory of cyber assets, including personnel, as part of a statewide policy mechanism

Maintain a core inventory of statewide hardware, software applications, and operating systems and help to determine the optimum security applications to defend the network infrastructures

Develop standardized methods and tools to monitor, manage, assess, and track IT security status and resources in partnership with auditors and agencies to reduce the number and frequency of redundant surveys and data calls69

AGENCY RESPONSIBILITIES

2.5 Sponsor or conduct regular (at least annual) external network vulnerability and penetration testing and assessments as required

Use DIR resources when available or DIR-recommended best value solutions to conduct external network vulnerability and penetration tests and assessments70

As part of an external CPT, complete a confidential security remediation assessment for DIR and internal use

Design a formal program for periodic internal vulnerability assessment, third-party vulnerability assessments, and prioritized remedial actions at least annually as recommended in Texas statutes71

Conduct regular (at least annual) network risk assessments, and specify the level of security required to protect all agency IT assets72

2.6 Continue to participate in current and ongoing statewide assessment activities

Identify appropriate access requirements for different levels of agency users

Participate (affected agencies) in determining the feasibility and benefits of user access management controls

Develop policies and practices in line with the statewide user access strategy, and ensure that appropriate security implementation controls are in place

Conduct regular risk assessments to identify resources, sensitive data (including privacy data), vulnerabilities, threats, and impact analysis


TACTICAL CHECKLIST

STRATEGY 3

Establish a state Computer Security Incident Response Team to rapidly identify, contain, and recover from any attack or attempt to disrupt the state’s critical IT infrastructure.

DIR RESPONSIBILITIES

3.1 Create a statewide response and recovery CSIRT capability that has interagency participation, a training and continuing education program, an annual cybersecurity exercise program, and Web-based incident reporting tools

Coordinate the establishment of a CSIRT as a 24/7 single point of contact for cyberspace analysis, warning, information sharing, incident response, and recovery for a broad range of users including government, enterprises, small businesses, and home users

Develop computer incident categories and reporting content and time frame criteria to clearly communicate incidents and events

As part of the establishment of the NSOC, develop partnerships and agreements among state agencies to create a statewide CSIRT program that improves the state’s capacity to prevent, detect, analyze, respond, and recover from an incident as specified in the SSP73 and to address shortfalls identified in the SITSA

Coordinate with GFIRST

AGENCY RESPONSIBILITIES

3.2 Participate in statewide collaborative opportunities such as the computer security incident response and recovery capability program by making IT security personnel available for specialized training and certification

Participate in the CSIRT emergency response capability by sponsoring team members who are certified available for consultation on significant internal and statewide incidents (two year minimum)

Help sustain the statewide CSIRT capability by allowing members to complete train-the-trainer certification

Administer a virus prevention and incident reporting program that coordinates with Texas’s CSIRT

Develop, implement and test an IT disaster recovery plan for critical agency IT systems


TACTICAL CHECKLIST

STRATEGY 4

Identify, develop, and maintain best practice rules, performance standards, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management.

DIR RESPONSIBILITIES

4.1 Work with agencies to develop, maintain, and distribute IT security program guidelines, best practices, and standard operating procedures that offer a consistent framework while accounting for diverse missions and organization size

Develop a certification and accreditation framework for the life cycle of each agency critical IT system to include a network security design review for all new network acquisitions74

Track statewide performance in meeting rules, standards, and guidelines

Promote improvements to statewide security practices and state agency policies including availability and cost effectiveness of peer-to-peer file sharing policies and technologies

Develop a wireless security plan with procedural and technical standards for laptop and mobile computing network security in partnership with affected state agencies, to include software encryption and system certification and accreditation prior to implementation per industry best practices75

Develop data and system classification guidelines for protecting varying levels of sensitive information (e.g., critical infrastructure or personal data)

Act as the State CISO under the State CTO

Develop and sustain methodologies to track and measure the effectiveness of IT security investments

Establish separate IT security budget line item categories (e.g., network and client-based firewall and VPN; intrusion prevention system (IPS) or intrusion detection system (IDS); server-based access management; encryption; system security design reviews; vulnerability scanning, assessment, and testing; malware blocking tools; automated patch management and security policy compliance tools; physical security for IT assets; forensics, risk, or security assessment tools; network mapping technologies; cybersecurity certification; cybersecurity incident remediation costs; cybersecurity training or exercises)

Develop and sustain best-value group purchase agreements for IT security-related products

Negotiate the lowest possible rates for certification, CPE, and user training in partnership with other states, federal, and local government officials

Develop a system of billings and charges for network security system services76

AGENCY RESPONSIBILITIES

4.2 Develop and follow cybersecurity guidelines, best practices, and standard operating procedures to meet standards, save time, and better secure agency assets

Review agency policies for compliance with and enforcement of state network security policies, guidelines, and standard operating procedures including peer-to-peer file-sharing policies.

Document and justify any desired exemptions from portions of TAC 202 or recommended changes to IT security standards due to specific business model, function, structure, or other reasons

Implement a certification/accreditation process for the life cycle of each agency critical information resource

Ensure that ISOs have direct access and input to agency leadership and avoid any administrative conflicts or appearance of conflict of interest within the agency information resources departments77

Adopt more stringent procedures or standards as required

Document the classification of information in accordance with information sensitivity and classification standards

Generate information security deviation/risk acceptance requests


4.3 Help develop and adhere to IT security training and certification guidelines for all personnel

Track NIMS certifications for personnel in key cyber incident response positions

Designate an ISO that administers the agency’s information security program and reports directly to executive level management per TAC 20278

Follow industry best practices and state administrative code by having a separately designated ISO who does not directly report to the IRM

4.4 Develop and sustain methodologies to budget for and track the effectiveness of IT security investments79

Budget for network security system service costs and affirm adequate security investments for “each major information resources project”80

Track and report IT security investment in critical information security infrastructure to include software, hardware, application, and infrastructure planning, performance measures, and business continuity/disaster recovery planning categories: network and client-based firewall and VPN deployments; server-based access controls (e.g., ID management/authentication, authorization/provisioning and deprovisioning; biometrics, smart cards/other one-time password tokens; IPS/IDS; encryption (for data in transit, files, Public Key Infrastructure); system security design reviews; vulnerability scanning, assessment, and testing; malware blocking tools (e.g., application-level attack blocking, virus, spyware, adware, and spam management); automated patch management and security policy compliance tools; physical security for IT assets; forensics, risk, or security assessment tools; security certification; incident remediation costs; training and exercises

4.5 Use appropriate best-value group purchase agreements and take full advantage of DIR-negotiated rates for security, certification, CPE, and user training

4.6 Require the agency employee in charge of information security for the agency (e.g., the ISO) to review and approve all major information resources projects


TACTICAL CHECKLIST

STRATEGY 5

Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center (NOC).

DIR RESPONSIBILITIES

5.1 Develop a shared statewide NSOC to initially deliver services to state agencies that are part of the statewide network infrastructure per legislative and DIR requirements

Conduct real-time monitoring of external network security status

Research, correlate, and disseminate early warnings of external cyber system threats to help prevent attacks or cascading effects

Provide immediate incident response capability and share information between sectors

Provide trending and other analyses for security planning

Distribute current proven security practices and recommendations

Adopt and provide network security guidelines and standard operating procedures

Provide inputs and expertise to assist the Texas Fusion Center in developing cybersecurity assessments and analysis for public and state agency use

Produce a report on the state and NSOC accomplishments toward meeting service and IT security objectives and other performance measures in the DIR Biennial Performance Report

AGENCY RESPONSIBILITIES

5.2 Leverage NSOC information sharing, analysis, and response processes

Determine benefits and capabilities of the shared statewide NSOC in reviewing and assessing opportunities to leverage and participate in the statewide network infrastructure

Use DIR-provided or recommended best value services as a first option to enhance security against external threats81


TACTICAL CHECKLIST

STRATEGY 6

Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state.

DIR RESPONSIBILITIES

6.1 Build a statewide NSOC facility with sufficient resources to deliver network security services to state agencies per legislative and DIR requirements

Obtain systems for real-time monitoring of external network intrusion

Maintain systems and licenses to conduct vulnerability scans and assessments

6.2 Engage state entities in proof-of-concept pilots for promising cybersecurity technologies and tools

Deploy pilot program to “secure information sharing (statewide secure portal)” and “a Web presence that provides cybersecurity guidance” and cyber threat analysis as specified in the SSP82

Coordinate with state ISOs to develop, update, and disseminate emergency alert notifications, assessments, guidelines, training opportunities, and incident information using real-time reporting and collaboration tools

Establish and administer a statewide secure Web portal for state ISOs as specified in the SSP83 and in compliance with the Information Resources Management Act84

Sponsor a Web-based, risk assessment and collaboration tool (i.e., ISAC) to help state entities reduce vulnerability through risk analysis, physical security, compliance with information security standards, and benchmarking

6.3 Develop an “information sharing methodology with external partners (including local government)” per DHS guidelines

Actively participate and lead state and national resource sharing opportunities and partnerships (e.g., Multi-State ISAC, and GFIRST)

Sponsor topical workshops on emerging security issues

Collaborate with the public and private sectors and participate in activities to raise statewide cybersecurity awareness (“National Cybersecurity Awareness Month” in Texas, newsletters, Web site, and public service announcements)

AGENCY RESPONSIBILITIES

6.4 Work with DIR to plan, execute, and evaluate proof-of-concept pilots and topical workshops

Develop emergency alert notifications, assessments, guidelines, training opportunities, and incident information using real-time incident reporting and collaboration tools

6.5 Provide two-way exchange of information and feedback and use collaborative tools

Assess current network security resources to identify requirements for information sharing

6.6 Participate in the DIR-sponsored online security risk assessment program to help identify requirements and reduce vulnerability through gap analysis and risk reduction planning (e.g., ISAC)

Establish thresholds and acceptable risk levels that are aligned with the overarching state policy


TACTICAL CHECKLIST

STRATEGY 7

Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities, as directed in the TxHSSP.

DIR RESPONSIBILITIES

7.1 Establish and promote statewide cybersecurity training and awareness at multiple levels consistent with Texas Emergency Operation Plans per DHS guidelines

Address identified shortfalls for all levels of state agencies: users, leadership, IT security officers, and CSIRT members as specified in the SSP85

Facilitate and promote training opportunities as developed in the statewide security training guidelines and standards for state/local government users, leaders, and ISOs

Develop training, certification, and skill level guidelines for state ISOs and other personnel with IT security responsibilities

Meet NIMS standards to follow incident command structure within the State Operations Center (SOC) for the core functions of coordination, communications, resource dispatch and tracking, and information collection, analysis, and dissemination86

Facilitate and track NIMS certifications for personnel in key cyber incident response positions87:

– Emergency management operations responsibilities: Incident Command System (ICS)-100, and IS-700

– First line supervisors, middle management, or senior staff with emergency management operations responsibilities: ICS-200

– Emergency management as a primary responsibility: IS-800 National Response Plan training

7.2 Develop a program to initiate, sustain, and expand a CSIRT and provide cyber forensics capabilities to serve both civilian and criminal matters for the state as recommended in DHS guidelines and in partnership with state agencies

Develop a program to select, train, and certify a CSIRT that improves the state’s capacity to prevent, detect, analyze, respond to, and recover from an incident as specified in the SSP88 and address identified shortfalls

Sponsor and deploy a “train-the-trainer” program that sustains and expands the CSIRT

7.3 Participate in and sponsor joint public-private sector partnerships with groups that have cybersecurity interests and the ability to plan, conduct, and evaluate IT security forums, seminars, and conferences

Develop information sharing relationships with relevant organizations (e.g., SANS Institute, Multi-State ISAC, Government Forum for Incident Response and Security Teams, and National Security Agency-certified Centers of Academic Excellence in Information Assurance Education)

S T A T E E N T E R P R I S E S E C U R I T Y P L A N | A P P E N D I X A | T A C T I C A L C H E C K L I S T S 51


AGENCY RESPONSIBILITIES

7.4 Fund and participate in technical cybersecurity training and awareness on an annual basis at multiple levels to ensure the greatest penetration possible

Plan training for all levels of agency personnel: users, leadership, IT security officers, and CSIRTs

Follow statewide guidelines and standards for state/local government users, leaders, and ISOs (e.g., training and certification for data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, infrastructure, wireless security, and ethical and legal considerations)

Include NIMS certifications for personnel in key incident response positions

Participate in the CSIRT to obtain training and certifications to improve the agency’s capacity to prevent, detect, analyze, and respond to cyber incidents

Establish a means to assess, track, and provide information regarding technology security training investments and needs to DIR

Develop training and certification guidelines in partnership with agencies for initial staffing levels, CPE, and responsibility levels

7.6 Participate in IT security forums, seminars, and conferences

Develop information sharing relationships with state IT security organizations

52 T E X A S D E P A R T M E N T O F I N F O R M A T I O N R E S O U R C E S | M A Y 3 1 , 2 0 0 7


TACTICAL CHECKLIST

STRATEGY 8

Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyber attacks.

DIR RESPONSIBILITIES

8.1 Demonstrate due diligence by conducting statewide exercises to evaluate cybersecurity capabilities and periodically test and exercise cybersecurity plans

Coordinate and conduct a state-level cybersecurity exercise based on a community exercise model, e.g., simultaneous exercises in three Texas cities

Develop an exercise training template for other communities

Support Texas exercise centers of excellence, e.g., TEEX/NERRTC and the UTSA/CIAS

Leverage federal funding for state and community cybersecurity exercises [89]

Conduct exercises to reinforce and assess training for CSIRT participants

Include NIMS concepts in cyber exercises and training

Take immediate action to assist agencies in correcting any significant weaknesses or vulnerabilities discovered during tests and exercises

Report exercise findings and corrective action plans in the DIR Biennial Performance Report

8.2 Develop integrated community cybersecurity exercises in partnership with Texas Division of Emergency Management, TEEX/NERRTC, UTSA/CIAS, and the Governor’s Office of Homeland Security per the TxHSSP and SSP

Address the training shortfalls specified in DIR security assessments

Participate in Governor’s Office of Homeland Security sponsored statewide hurricane exercise

Participate in national cyber exercises that impact state readiness, economic, and security equities, e.g., the DHS-sponsored “Cyber Storm”

AGENCY RESPONSIBILITIES

8.3 Demonstrate due diligence, and periodically test and exercise cybersecurity plans

Participate in appropriate DIR and/or GDEM-sponsored exercises to help prevent, deter, and respond to computer incidents

Use DIR-sponsored exercise templates as applicable

Leverage federal funding sources for cybersecurity exercises [90]

Participate in exercises to reinforce and assess training for CSIRT members

Include NIMS concepts in cyber exercises and training

Take immediate action to remediate or correct any significant weakness or vulnerability discovered during tests and exercises

8.4 Include cybersecurity as part of participation in emergency response exercises as outlined in the TxHSSP and SSP [91]

Periodically test an IT disaster recovery plan for critical agency IT systems as part of the agency COOP, COG, or business continuity plan


APPENDIX B State and Federal Homeland Security Strategies

State and federal homeland security strategies are presented under the following categories: planning, organizing, equipping, training, and exercising. Each category is explained in further detail on the following page. The table below maps the strategies, goals, and objectives from the State Enterprise Security Plan to state and federal homeland security strategies.

STATE ENTERPRISE SECURITY GOALS AND OBJECTIVES: PREVENT, REDUCE, RESPOND

The table maps each State Enterprise Security Strategy, grouped by category, to the state/federal homeland security strategies (numbered 1 through 9 and grouped under the goals Prevent, Reduce, and Respond) that it supports.

PLANNING

1. Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives – state/federal strategies 1, 2, 3, 4, 5, 6, 7, 8, 9

2. Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities – state/federal strategies 1, 4, 5, 6, 9

ORGANIZING

3. Establish a state Computer Security Incident Response Team to rapidly identify, contain, and recover from any attack or attempt to disrupt the state’s critical IT infrastructure – state/federal strategies 1, 2, 4, 5, 6, 7, 8, 9

4. Identify, develop, and maintain best practice rules, performance standards, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management – state/federal strategies 1, 2, 3, 4, 5, 6, 7, 8, 9

5. Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center – state/federal strategies 1, 4, 5, 6, 7, 8, 9

EQUIPPING

6. Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state – state/federal strategies 1, 2, 3, 4, 5, 6, 7

TRAINING

7. Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities – state/federal strategies 2, 4, 5, 6, 7, 8, 9

EXERCISING

8. Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyberattacks – state/federal strategies 2, 5, 6, 7, 8, 9


STATE AND FEDERAL HOMELAND SECURITY STRATEGIES

PLANNING – Plan and assess preparedness for physical and cyber events that affect information and communication resources

Planning includes the collection and analysis of intelligence and information and development of policies, written plans, procedures, mutual aid agreements, strategies, and outcomes that comply with relevant laws, regulations, and guidance necessary to perform assigned missions and tasks.

The Governor’s Office of Homeland Security, the Texas Legislature, and the federal DHS have all recognized the increasing threat to state networks from cyber-terrorists, criminal elements, and natural disasters. All of these authorities have included networks among the critical infrastructure needing protection to ensure that vital government services continue after an attack. The key outcome of all planning strategies is the reduction of the vulnerability of critical state infrastructures to cyber terrorism and other malicious attacks.

ORGANIZING – Organize cybersecurity prevention, protection, response, and recovery assets

Organizing activities involve individuals, teams, an overall structure, and leadership that perform assigned missions and tasks within the context of relevant laws, regulations, and guidance.

EQUIPPING – Equip information resources owners with appropriate security tools, systems, and technologies

These activities include major items of equipment, supplies, facilities, and systems that comply with relevant standards necessary to perform assigned security missions and tasks. The state must ensure that government communications and computer networks are secure as part of its overall information and communications technology strategy.

TRAINING – Train state leadership, users, and IT security professionals on cybersecurity

This plan includes actions that address statewide IT security training initiatives that follow the guidelines and standards created as part of Strategy 4.

EXERCISING – Exercise the ability to prevent, protect, respond, and recover from cyber events

This element includes planned exercises, evaluations, and corrective actions as well as actual major events. Exercises (and actual events) provide opportunities to demonstrate, evaluate, and improve the combined capability and interoperability to perform assigned missions and tasks within defined standards of success.


APPENDIX C Authorities and References

1. The Texas Homeland Security Strategic Plan, 2005-2010 (TxHSSP), November 1, 2005, defines critical infrastructures as “physical or cyber assets so vital that their incapacity or destruction would have a debilitating impact on security, national economic security, or national public health or safety.” It also requires a statewide cybersecurity plan to “ensure cyber protection, detection, and response capabilities” and “test and protect local and state IT systems from penetration and attack.”

2. Texas Administrative Code, Title 1, Part 10, Section 202 defines agency IT security policy requirements. TAC 202 also requires each state agency head to have a designated ISO that administers the agency’s information security program and reports directly to executive level management. [92] Agencies may be exempt from certain portions of TAC § 202, due to their business model, function, structure, or other reasons that need to be confirmed and documented.

3. Texas Government Code, Chapter 2059, Texas Computer Network Security System, September 1, 2005, requires DIR to establish a network security center that provides services to agencies against external threats to a network. It also directs DIR to adopt guidelines and standard operating procedures to ensure efficient operations and prepare a report on integration and user-specific access features that will enhance network and information security (December 31, 2006). DIR may also provide network security to local governments, the Legislature, special districts, and, if approved by the Information Technology Council for Higher Education, institutions of higher education. Additionally, TGC § 2059 requires DIR to prepare a biennial report on the accomplishments and status of the state’s consolidated network security system.

4. House Bill 1516: Implementation of DIR Biennial Performance Report Recommendations, effective September 1, 2005, amends TGC Sections 2054, 2157, and 2170 to implement DIR’s technology recommendations from its 2004 Biennial Performance Report, Making Technology Deliver. The statutes require DIR to establish a statewide technology center for data or disaster recovery services and authorize DIR to establish and operate additional centers when consolidating operations or services will promote efficiency and effectiveness and provide the best value for the state. DIR is required to negotiate a favorable price for commodities, including hardware, software, services, and seat management. HB 1516 also directed DIR to conduct an assessment of technology security resources and practices of state agencies and report the results to state leadership.

5. Information Resources Management Act (TGC § 2054) requires DIR to prepare a state strategic plan that establishes strategies to meet the changing technology needs of state government to effectively serve Texans for the next five years.


6. Shared Success, the 2005 State Strategic Plan for Information Resources Management (SSP), December 14, 2005, is a DIR state strategic plan required by The Information Resources Management Act (TGC § 2054). It establishes strategies to meet the changing technology needs of state government to effectively serve Texans for the next five years.

7. 2005 State IT Security Assessment (SITSA), December 23, 2005, is the DIR response to the HB 1516 requirement for a confidential IT security assessment of state agency information and communications technology resources and practices.

8. 2007 Homeland Security Grant Program (HSGP), Program Guidance and Application Kit, January 2007, integrates the State Homeland Security Program (SHSP), the Urban Areas Security Initiative, the Law Enforcement Terrorism Prevention Program, the Metropolitan Medical Response System, and the Citizen Corps Program. The HSGP streamlines state efforts in obtaining resources that are critical to building and sustaining capabilities to achieve the Interim National Preparedness Goal and implement State and Urban Area Homeland Security Strategies; Appendix I provides Cybersecurity Guidance.

9. The National Strategy to Secure Cyberspace, February 2003, is an implementing component of the National Strategy for Homeland Security and is complemented by the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. It identifies the responsibilities of the various security partners with a role in securing cyber space and encourages state and local governments to establish IT security programs and participate in information sharing and analysis centers with similar governments. It also articulates five national priorities:

• Improved response to cyber incidents and reduced potential damage from such events

• Cyber threat and vulnerability reduction

• Cybersecurity awareness and training

• Secure government cyberspace

• Cyber attack prevention

10. ISO/IEC 17799 (or ISO/IEC 27002) is an information security standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Entitled Information Technology – Security Techniques – Code of Practice for Information Security Management (2005), ISO 17799 is one of the most widely adopted information security management frameworks. It addresses risk assessment, incident management guidance, ISO standard integration, and security in business partner relationships and provides best practice recommendations for initiating, implementing, and maintaining information security management systems.

11. CSI/FBI Computer Crime and Security Survey, 2005 and 2006, are annual reports of computer security incidents and trends. A portion of one survey focuses on Texas organizations as well as national trends.


APPENDIX D Cybersecurity Resources

Cybercop Portal is a DHS-facilitated secure Internet-based information-sharing mechanism for more than 5,300 law enforcement members involved in electronic crimes investigations.

FBI’s InfraGard program is a public-private partnership coordinated out of the 56 FBI field offices (in Texas: El Paso, Dallas, Houston, and San Antonio). The program is an information sharing and networking forum for law enforcement, academia, and private sector entities.

FBI’s Inter-Agency Coordination Cell is a multi-agency group focused on sharing law enforcement information on cyber-related investigations.

Government Forum for Incident Response Teams (GFIRST) is a community of government response teams responsible for facilitating interagency information sharing and cooperation for cyber threat reduction and securing government information technology systems.

Multi-State Information Sharing and Analysis Center (MS-ISAC, http://www.msisac.org/) is a voluntary and collaborative organization with participation from all 50 states and the District of Columbia. The mission of the MS-ISAC is to provide a common mechanism for raising the level of cybersecurity readiness and response in each state and with local governments. The MS-ISAC provides a central resource for information on cyber threats for the states, providing two-way information sharing between and among the states and with local government. The U.S. Department of Homeland Security has recognized the MS-ISAC as the national center for the states to coordinate cyber readiness and response. The MS-ISAC Web site links to other sector-specific ISACs including Emergency Management and Response and IT.

National Association of State Chief Information Officers (NASCIO) represents state CIOs and information resource executives and managers from all 50 states. It monitors new threats created by emerging technologies and helps state CIOs formulate high-level security and data protection policies and technical controls to secure the states’ information systems and protect the privacy of sensitive information within them.

SecureTexas (http://www.dir.state.tx.us/securetexas/index.htm) provides up-to-date technology security information as well as tips to help strengthen Texas’s technology infrastructure. DIR’s IT Security Division designed this site to cater to the needs of Texas citizens.

U.S. Computer Emergency Readiness Team (US-CERT) is a public and private partnership with DHS designed to defend against and respond to cyber attacks. US-CERT interacts with state and local governments and others to analyze and reduce cyber threats and vulnerabilities, disseminate cybersecurity information, and coordinate incident response.

U.S. Secret Service’s Electronic Crime Task Forces provide interagency coordination on cyber-based attacks and intrusions.


Glossary

Acronyms and Abbreviations

ACP Association of Contingency Planners

ASIS American Society for Industrial Security

CERT/CC Computer Emergency Response Team/Coordination Center

CIAS Center for Infrastructure Assurance and Security

CI/KR Critical infrastructures and key resources

CIO Chief Information Officer

CISO Chief Information Security Officer

COG Continuity of government

COOP Continuity of operations

CPE Continuing professional education

CPT Controlled penetration testing

CSI Computer Security Institute

CSIRT Computer Security Incident Response Team

CTO Chief Technology Officer

DHS Department of Homeland Security

ERP Enterprise Resource Plan

FERPA Family Educational Rights and Privacy Act

FIM Federated identity management

FIPS Federal Information Processing Standard

GDEM Governor’s Division of Emergency Management

GFIRST Government Forum for Incident Response Teams

HIPAA Health Insurance Portability and Accountability Act

HSGP Homeland Security Grant Program

ICS Incident Command System

ID Identification

IDS Intrusion detection system

IM Instant messaging

IPS Intrusion prevention system

IRM Information Resource Manager


ISAAC Information Security Awareness, Assessment, and Compliance (Texas A&M)

ISAC Information Sharing and Analysis Center

ISACA Information Systems Audit and Control Association

ISO Information Security Officer

ISSA Information Systems Security Association

ISP Internet service provider

IT Information technology

MS-ISAC Multi-State Information Sharing and Analysis Center

NASCIO National Association of State Chief Information Officers

NERRTC National Emergency Response and Rescue Training Center (Texas A&M)

NIMS National Incident Management System

NIST National Institute of Standards and Technology

NOC Network Operations Center

NSOC Network and Security Operations Center

NSSC National Strategy to Secure Cyberspace

PDA Personal digital assistant

RAS Remote access services

SCADA Supervisory Control and Data Acquisition

SOC State Operations Center

SITSA State IT Security Assessment (2005)

SSP State Strategic Plan for Information Resources Management

TAC Texas Administrative Code

TEEX Texas Engineering Extension Service

TGC Texas Government Code

TxHSSP Texas Homeland Security Strategic Plan

US-CERT United States Computer Emergency Readiness Team

UTSA University of Texas at San Antonio

VPN Virtual private network


Definitions

Access control – Authentication and authorization process that manages the rules and deployment mechanisms governing an individual’s ability to use information resources for owner-specified purposes.

Association of Contingency Planners (ACP) – Non-profit trade association dedicated to fostering continued professional growth and development in effective Contingency & Business Resumption Planning.

ASIS International (formerly the American Society for Industrial Security) – Organization for security professionals that develops educational materials and administers certification programs: Certified Protection Professional (CPP) security management designation, and two technical certifications: Physical Security Professional (PSP) and Professional Certified Investigator (PCI).

Authentication – Process that establishes the validity of a user’s claimed identity by requesting some kind of information, such as a password, that is unique to, or known only by, the user.

Authorization – Process of granting or denying access rights and privileges to a protected resource, such as a network, system, application, function, or file.

Bots (short for “robots”) – Covertly installed programs (e.g., Web-crawler or spider) that allow an unauthorized user to control a computer remotely using instant messenger (IM), Internet Relay Chat (IRC) or other communication channels. Also described as remote attack tools, these Web interfaces allow the attacker to control a large number of bot-compromised computers which can then be used to launch coordinated attacks. Most bots are installed for malicious purposes without the knowledge of the computer’s owner. Software agents that interface with Web pages are robots that recursively gather Web-page information. They also can dynamically interact with a site by exploiting or locating opportunities for financial gain.

Botnet (short for robot network) – Collection of software robots that runs autonomously under a remote, common command and control infrastructure. Some bots can automatically scan their environment and propagate themselves using network vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to the botnet controller.

Botnet Controller (or herder) – The originator of a botnet who controls the group remotely, e.g., via Internet relay chat, usually for nefarious purposes. The perpetrator usually introduces a botnet by exploiting network vulnerabilities (e.g., buffer overflows).

Chief Information Officer (CIO) – The head of the information technology group within an organization.

Chief Technology Officer, State (State CTO) – In Texas, the executive director of the Department of Information Resources serves as CTO for state government.

Computer Security Incident Response Team (CSIRT) – A service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity.


Continuity of Operations Plan (COOP) – A plan that documents the activities of individual departments and agencies to ensure that they can perform essential functions at all times.

Continuity of Government Plan (COG Plan) – A plan that defines procedures that allow a government to continue its essential operations in case of a catastrophic event.

Critical Infrastructure/Key Resources (CI/KR) – Critical infrastructures are physical or cyber assets so vital that their incapacity or destruction would have a debilitating impact on security, national economic security, or national public health or safety. Key resources are publicly or privately controlled resources that are essential to the minimal operations of the economy and government.

Cyber infrastructure – Includes electronic information and communications systems and the information contained in those systems. Information and communications systems are composed of all hardware and software that process (i.e., create, access, modify, and destroy), store (e.g., all media types: paper, magnetic, and electronic), and communicate (i.e., share and distribute) information, or any combination of all of these elements. For example, computer systems, control systems (e.g., Supervisory Control and Data Acquisition (SCADA) systems), and networks, such as the Internet, are part of cyber infrastructure:

• Producers of cyber infrastructure are the IT industrial base, which comprise the IT Sector. The producers of cyber infrastructure play a key role in developing secure and reliable products.

• Consumers of cyber infrastructure must maintain its security in a changing threat environment.

• Individuals, whether private citizens or employees with cyber systems administration responsibility, play a significant role in managing the security of computer systems to ensure that they are not used to enable attacks against CI/KR.

Cybersecurity – The protection of the confidentiality, integrity, and availability of data and the associated information resources that transmit or store that data.

Department of Homeland Security (DHS) – Federal agency with primary responsibility for the security of cyber space.

Deprovision(ing) – The action required to delete (deprovision) or deactivate a user’s system access.

Distributed network – Structure in which the network resources, such as switching equipment and processors, are distributed geographically or virtually.

Driver’s Privacy Protection Act – Requires that data be protected and remain confidential in storage and in transmission.

Encryption – Cryptographic transformation of data to provide confidentiality and integrity by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm.


External vulnerability assessments include all security tests and evaluations of information resources that originate from outside the organization’s network, i.e., using the logical or physical access that is available to outside hackers or other unauthorized network users.

Fair Credit Reporting Act requires data to be protected and remain confidential in storage and in transmission.

Federal Information Processing Standard 140-2 (FIPS 140-2) ensures integrity and privacy of messages in storage and in transmission.

Federated ID management/federated identity management (FIM) – Arrangement among multiple enterprises that allows subscribers to use the same identification data to obtain access to the networks of all enterprises in the group.

Governor’s Division of Emergency Management (GDEM) carries out the state’s all-hazard emergency management program, manages and staffs the State Operations Center, and assists cities, counties, and state agencies in planning and implementing their emergency management programs. GDEM also supports the Governor’s Homeland Security Strategy and its implementing programs and is the State Administrative Agency for DHS grant programs.

Gramm-Leach-Bliley Financial Services Modernization Act requires that data be protected and remain confidential in storage and in transmission.

Information Resource Managers (IRMs) of Texas state agencies are responsible for the management of all information resources within the respective state agency or university.

Identity (ID) management – Process of distinguishing a particular person’s unique attributes as an authorized information resource user. The backbone of identity management is a system of directories and directory-enabled applications.

Information security – Protection of all data and information against unauthorized access or usage.

Information Security Awareness, Assessment, and Compliance (ISAAC) – An application adapted by Texas A&M University to facilitate baseline risk analysis, cyber vulnerability reduction, planning, and tracking of agency IT assets.

Information Security Officers (ISOs) of Texas state entities are responsible for administering the information security functions within an agency or university.

Information Sharing and Analysis Centers (ISAC) – DHS-sponsored, voluntary organizations that represent individual critical infrastructure sectors (e.g., state government, IT, energy, water, food, and financial services) to share information, minimize vulnerabilities, and work together to help protect the economy.

Information Systems Audit and Control Association (ISACA) sponsors international conferences, publishes the Information Systems Control Journal, develops international information systems auditing and control standards, and administers the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM) designations.


Information Systems Security Association (ISSA) – A not-for-profit, international organization of information security professionals that provides educational forums, publications, and peer interaction opportunities.

Information technology (IT) security – See cybersecurity.

Internal vulnerability assessments include all security tests and evaluations of information resources that originate from inside the organization’s network, i.e., using the logical or physical access that is available to insiders or other authorized network users.

Least privilege – A basic principle for securing computer resources and data. It means that users are granted only those access rights and permissions that they need to perform their official duties.

Logic Bomb – Malicious code that has been surreptitiously uploaded but remains hidden or dormant until it executes at a set time or when conditions are met, e.g., a user performs a certain action.

Multifactor authentication – Protocol that requires multiple methods of establishing identity, such as ‘something you know’ and ‘something you have’ or ‘something you are’; e.g., a combination of password/PIN, certificates, tokens, smart cards, and/or biometrics.

National Incident Management System (NIMS) – A nationwide template that enables all government, private-sector, and nongovernmental organizations to work together during domestic incidents.

National Institute of Standards and Technology (NIST) Computer Security Division – A non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration. The NIST Computer Security Division shares information security tools and practices, provides standards and guidelines, and identifies and links security Web resources.

Need-to-know – Fundamental security principle that authorizes user access only to the information that the individual requires to meet their work responsibilities. This authorization usually applies to sensitive information.

Orphaned account – Active user account whose assigned individual is no longer authorized to use it, e.g., the account of an employee who has left the agency or moved to a role that no longer requires it.
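The following access review script is an added example, not part of the DIR plan, that applies the two entries above together: it flags orphaned accounts (enabled accounts whose owner is terminated or unknown to HR) and least-privilege violations (permissions beyond what the owner's role requires). The HR roster, role baseline, and account inventory are constructed for the example; a real review would pull them from the HR system and the directory.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed HR roster: employee id -> (employment status, job role).
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "E100": ("active", "accounts_payable"),
    "E101": ("terminated", "accounts_payable"),
    "E102": ("active", "dba"),
}

# Constructed least-privilege baseline: the permissions each role needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts_payable": {"ap_read", "ap_write"},
    "dba": {"db_admin", "ap_read"},
}

# Constructed account inventory: (account, owner id, enabled, permissions).
ACCOUNTS = [
    ("jsmith",     "E100", True,  {"ap_read", "ap_write"}),
    ("rjones",     "E101", True,  {"ap_read", "ap_write"}),            # owner terminated
    ("svc_backup", "E999", True,  {"db_admin"}),                       # owner unknown to HR
    ("kwong",      "E102", True,  {"db_admin", "ap_read", "ap_write"}),# ap_write exceeds role
    ("old_intern", "E101", False, set()),                              # already disabled
]


@dataclass
class Finding:
    account: str
    issue: str      # "orphaned" or "excess_privilege"
    detail: str


def review_access(accounts, roster, baseline) -> List[Finding]:
    """Return orphaned accounts and least-privilege violations among enabled accounts."""
    findings: List[Finding] = []
    for name, owner, enabled, perms in accounts:
        if not enabled:
            continue                      # disabled accounts pose no access risk here
        status, role = roster.get(owner, ("unknown", None))
        if status != "active":
            # No authorized owner: the account should be disabled, not reviewed further.
            findings.append(Finding(name, "orphaned", f"owner {owner} is {status}"))
            continue
        excess = perms - baseline.get(role, set())
        if excess:
            findings.append(Finding(name, "excess_privilege", ", ".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for f in review_access(ACCOUNTS, HR_ROSTER, ROLE_BASELINE):
        print(f"{f.account}: {f.issue} ({f.detail})")
```

An orphaned account is reported before its permissions are compared, because the correct response is to disable it regardless of what it holds; only accounts with an active, known owner are measured against the role baseline.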

Privacy data – A category of sensitive data that includes personal information or personal identifying information. Privacy is a personal construct that accrues to individuals, not to the information. Privacy data is usually protected by privacy laws, regulations, and/or policies, and is subject to heightened protection.

Root access – The most privileged access possible on a UNIX or UNIX-like system. Anyone with ‘root’ access (usually a trusted system administrator, but potentially an attacker who has escalated privileges) can create, modify, and delete anything on the system, including its logs and security controls.

Sarbanes-Oxley Act requires that data be protected and remain confidential in storage and in transmission.


Sensitive information is any information defined by state or federal law that must be protected and released only to persons with an authorized need to know. Information classified as “sensitive” or “confidential” includes personal or personal identity information (privacy data), health/medical and law enforcement data, and certain security assessments that might jeopardize citizen safety if released to the public.

Stateful firewall tracks the state of the network connections that pass through it (e.g., a TCP connection being opened, established, or closed) and allows only packets that match a known, permitted connection state; unsolicited packets that belong to no tracked connection are dropped.
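To make the definition concrete, here is an added example (not code from the DIR plan) of the connection tracking a stateful firewall performs for TCP: an outbound SYN from the protected network creates a table entry, the server's SYN-ACK is admitted only because that entry exists, established traffic flows in both directions, and an inbound SYN or a stray ACK with no matching entry is dropped. The internal address range, packets, and flag encoding are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_PREFIX = "10.0.0."   # constructed: the network the firewall protects


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST (e.g. "SA")


class StatefulFilter:
    """Connection tracking for TCP sessions opened from the internal network."""

    def __init__(self) -> None:
        # (client_ip, client_port, server_ip, server_port) -> state
        self.connections: Dict[Tuple[str, int, str, int], str] = {}

    @staticmethod
    def _key(pkt: Packet, outbound: bool):
        # Normalize so both directions of one connection map to the same entry.
        if outbound:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        outbound = pkt.src.startswith(INTERNAL_PREFIX)
        key = self._key(pkt, outbound)
        state = self.connections.get(key)

        if state is None:
            # Only an internal host may open a connection, and only with a bare SYN.
            if outbound and pkt.flags == "S":
                self.connections[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"       # unsolicited inbound SYN, stray ACK, etc.

        if state == "SYN_SENT":
            if not outbound and pkt.flags == "SA":
                self.connections[key] = "ESTABLISHED"
                return "ALLOW"  # the reply the internal host is waiting for
            if outbound and pkt.flags == "S":
                return "ALLOW"  # retransmitted SYN
            return "DROP"       # anything else is out of sequence

        # ESTABLISHED: traffic in either direction is legitimate until teardown.
        if "R" in pkt.flags or "F" in pkt.flags:
            del self.connections[key]   # simplified one-sided close
        return "ALLOW"


def run_demo() -> List[str]:
    """Constructed packet sequence: one legitimate session plus two unsolicited probes."""
    fw = StatefulFilter()
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    sequence = [
        Packet(client, 40000, server, 443, "S"),     # internal host opens session
        Packet(server, 443, client, 40000, "SA"),    # server replies, matches SYN_SENT
        Packet(client, 40000, server, 443, "A"),     # handshake completes
        Packet(server, 443, client, 40000, "A"),     # established data from server
        Packet(attacker, 5555, client, 22, "S"),     # unsolicited inbound SYN
        Packet(attacker, 443, client, 40001, "A"),   # ACK with no tracked connection
        Packet(server, 443, client, 40000, "FA"),    # server closes the session
        Packet(server, 443, client, 40000, "A"),     # packet after teardown
    ]
    return [fw.process(p) for p in sequence]


if __name__ == "__main__":
    print(run_demo())
```

Packets five, six, and eight are all well-formed TCP; a stateless packet filter that simply permitted "established" traffic by flag would pass the stray ACK and the post-teardown packet. They are dropped here only because the table has no entry in the right state for them, which is the property the definition describes.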

Strategy – A plan of action, or prioritized initiative, intended to accomplish a specific goal or objective.

Supervisory Control and Data Acquisition (SCADA) Systems – Computer-based automated control systems that monitor and control remote industrial processes (e.g., transport of gas through pipelines, steel making, and power generation and transmission).

Texas Government Code Chapter 2054 addresses statewide information resource vulnerability reports.

Texas Government Code Chapter 2059 addresses computer network security services for state agencies, institutions of higher education, and entities other than state agencies. Network security services include rules, facilities, or equipment; release of confidential information; cybersecurity threat assessment and notification; biennial reports; establishment of, and transition to, a network security center to provide services to state agencies; guidelines and standard operating procedures; and payment for the network security system, which allocates the cost to each state agency based on proportionate usage.

Texas Senate Bill 327: Computer Spyware (September 1, 2005) adds Chapter 48 to the Texas Business and Commerce Code. It prohibits a person who is not the owner or operator of a computer from collecting or modifying information by deceptive means.

Trojan horse – Malicious code disguised as, or bundled with, a legitimate program so that an unsuspecting user installs it; once run, it damages or disrupts the normal operation of the computer.

User – Any person who can read, enter, or update information on a network.

User access control – See access control.

User ID – User identification; the unique identifier by which a system recognizes a user account.

Virus – Self-replicating program that spreads by inserting copies of itself into other executable code or documents, similar to a biological virus.

Vulnerability – A weakness in an information resource (e.g., in system security procedures, hardware design, software implementation, or internal controls) that an insider or an outside attacker can exploit.

War dialing – Technique, usually automated by a program, of dialing blocks of telephone numbers to find answering modems. Attackers use it to locate unauthorized or poorly secured dial-in access; penetration testers use it to inventory such modems and identify the systems and operating systems behind them.


Worm – Self-propagating malware that spreads across networks on its own rather than by infecting other programs as a virus does; its payload may alter, install, or destroy files and programs, and its propagation alone can exhaust network and host capacity.

Zombie – Compromised, Internet-connected computer under an attacker’s remote control that performs malicious tasks against other computers, usually without the owner’s awareness.


Endnotes

1 State of Texas, Shared Success: Building a Better Texas through Shared Responsibilities, Department of Information Resources, Austin, Texas, Dec. 14, 2005, (SSP). Retrieved 20-Dec-2006 from <http://www.dir.state.tx.us/pubs/ssp2005/>.

2 State of Texas, Texas Homeland Security Strategic Plan: 2005–2010, Office of the Governor, Austin, Texas, Nov. 1, 2005 (TxHSSP).

3 U.S. Department of Homeland Security, National Strategy to Secure Cyberspace, Washington, D.C., February 2003 (NSSC).

4 U.S. Department of Homeland Security, National Strategy for Homeland Security, Washington, D.C., July 2002 (NSHS).

5 State of Texas, State IT Security Assessment, Department of Information Resources, 2005 (SITSA). A confidential report to the Legislature required by House Bill 1516, Section 3.02, 79th Texas Legislature, R.S., 2005. Text of HB 1516 retrieved 21-Feb-2007 from <http://www.capitol.state.tx.us/tlodocs/79R/billtext/html/HB01516F.htm>.

6 Daily average of 246 successful attacks reported to DIR in FY 2005–2006 (e.g., intrusions, data/info theft, denial of service, Web site defacement).

7 U.S. Department of Justice, Federal Bureau of Investigation, 2005 FBI Computer Crime Survey, pages 1 and 9.

8 Homeland Security Presidential Directive/HSPD-7 (paragraph 16), Dec. 17, 2003. Retrieved 21-Feb-2007 from The White House Web site at <http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html>.

9 Leyden, John, “Cybercrime costs biz more than physical crime,” The Register, Mar. 16, 2006. Retrieved 21-Mar-2006 from <http://www.theregister.co.uk/2006/03/16/ibm_cybercrime_survey/>.

10 TxHSSP (page 11).

11 McKenna, Corey, “Cybercrime and Effective Security Policies,” Government Technology, May 13, 2005. Retrieved 20-Dec-06 from <http://www.govtech.net/news/news.php?id=93992>.

12 U.S. Department of Justice, 2005 FBI Computer Crime Survey (pages 1, 3, 9), Federal Bureau of Investigation, Washington, D.C., 2006.

13 Lt. Gen. Michael D. Maples, Director, Defense Intelligence Agency, Statement for the Record, Senate Armed Services Committee, Feb. 28, 2006. Retrieved 21-Feb-07 from <http://www.dia.mil/publicaffairs/Testimonies/statement24.html>.

14 Texas Administrative Code, Title 1, Chapter 202, Texas Department of Information Resources (2006). Retrieved 20-Feb-2007 from <http://info.sos.state.tx.us/pls/pub/readtac$ext.viewtac>.

15 TGC § 2059.059(c), § 2059.102(d), and § 2059.151.

16 TGC § 2054.307.

17 HSPD-7, see endnote 8.

18 79th Texas Legislature, Regular Session (2005), House Bill 1516, Section 3.02. Retrieved 21-Feb-2007 from <http://www.capitol.state.tx.us/tlodocs/79R/billtext/html/HB01516F.htm>.

19 TGC § 2059.101.


20 SSP (pages 38–40).

21 TxHSSP (pages 17, 27).

22 “Committing to Security—Fourth Annual Benchmark Study: A CompTIA Analysis of IT Security and the Workforce,” White Paper, March 2006.

23 Conrad, James R., Analyzing the Risks of Information Security Investments with Monte-Carlo Simulations, paper presented at the Fourth Workshop on the Economics of Information Security, Kennedy School of Government, Harvard University, June 2, 2005, page 1.

24 TxHSSP (page 29).

25 SSP (pages 37–38).

26 TGC § 2054.

27 TxHSSP (page 28).

28 SSP (page 37).

29 SSP (page 38).

30 TxHSSP (page 29).

31 TxHSSP (page 27).

32 TxHSSP (page 27, priority action 2.1.2).

33 1 TAC § 202.21 and § 202.71.

34 TGC § 2102.007(b).

35 SSP (pages 37–38).

36 Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, Gaithersburg, MD, July 2002.

37 SSP (pages 10–11, 38–40).

38 U.S. Department of Homeland Security, FY 2007 DHS Homeland Security Grant Program (HSGP) – Program Guidance and Application Kit, Office of Grants and Training, Washington, D.C., January 2007.

39 TxHSSP (page 44).

40 HSGP (see endnote 38).

41 DHS/HSGP (see endnote 38).

42 TGC § 2059.56 and § 2059.104.

43 State of Texas, User Access Study, Department of Information Resources. Retrieved 13-Mar-2007 from <http://www.dir.state.tx.us/pubs/UserAccess/index.htm>.

44 TxHSSP (page 28).

45 SSP (page 37).

46 TGC § 2059.101.


47 SSP (page 38).

48 TGC § 2059.059 and § 2059.104 (a) (1).

49 1 TAC § 202.25 and § 202.75.

50 TGC § 2054.307.

51 TGC § 2059.101.

52 SSP (pages 38–40).

53 TGC § 2059.101.

54 SSP (pages 38–40).

55 DHS/HSGP (see endnote 38).

56 TxHSSP (page 27, paragraph a).

57 DHS/HSGP (see endnote 38).

58 DHS/HSGP (see endnote 38).

59 1 TAC § 202.25 and § 202.75.

60 DHS/HSGP (see endnote 38).

61 TxHSSP (page 44).

62 SSP (page 11).

63 TxHSSP (page 44).

64 SSP (page 11).

65 TGC § 2059.057.

66 TGC § 2059.153.

67 TGC § 2059.101.

68 SSP (page 38).

69 SSP (pages 23, 57).

70 TGC § 2059.10(c) and (d).

71 TGC § 2059.56.

72 1 TAC § 202.21–22, § 202.24–25, § 202.71–72, and § 202.74–75.

73 SSP (pages 10–11, 38–40).

74 TGC § 2059.104 (b).

75 Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, Gaithersburg, MD, July 2002.


76 TGC § 2059.151.

77 TGC § 2102.007(b)(2).

78 1 TAC § 202.21 and § 202.71.

79 TGC § 2059.059(c), § 2059.102 (d), and § 2059.151.

80 TGC § 2054.307.

81 TGC § 2059.102 (c), (d).

82 SSP (pages 10, 39–40).

83 SSP (pages 10, 39–40).

84 TGC § 2054.059.

85 SSP (pages 10–11, 38–40).

86 U.S. Department of Homeland Security, Federal Emergency Management Agency, State NIMS Integration, Version 1.0, Washington, D.C.

87 U.S. Department of Homeland Security, Federal Emergency Management Agency, NIMS Training Guidelines for FY 2006, Washington, D.C., December 2005.

88 SSP (pages 10–11, 38–40).

89 DHS/HSGP, Appendix I (see endnote 38).

90 DHS/HSGP (see endnote 38).

91 TxHSSP (page 44).

92 1 TAC § 202.21 and § 202.71.


Department of Information Resources P.O. Box 13564 Austin, TX 78711-3564 www.dir.state.tx.us/

Visit www.TexasOnline.com, the Official Web Site of the State of Texas