Source: web1a.esd.dof.ca.gov/Documents/bcp/1718/FY1718_ORG0950_BCP879.pdf (Jan 10, 2017)

STATE OF CALIFORNIA Budget Change Proposal - Cover Sheet DF-46 (REV 08/16)

Fiscal Year: 2017/18   Business Unit: 0950   Department: State Treasurer's Office   Priority No.: 3

Budget Request Name: 0950-003-BCP-2017-GB   Program: 0740 - State Treasurer's Office   Subprogram: 0740035 - Administration

Budget Request Description: State Treasurer's Office Information Security Program Augmentation

Budget Request Summary

The State Treasurer's Office (STO) requests expenditure authority in the amount of $303,000, to maintain the department's Information Security tools and administration, to sustain adequate support of STO's continuous cyber risk management program and security defense systems by funding additional threat monitoring tools and one permanent, full-time position in the Information Technology Division (ITD), as follows:

1. Acquisition of vulnerability assessment, continuous network monitoring, and log management security products to complement and complete STO's current cyber security protection program.

2. Position authority and funding for a Systems Software Specialist II

Requires Legislation: [ ] Yes  [X] No

Code Section(s) to be Added/Amended/Repealed

Does this BCP contain information technology (IT) components? [X] Yes  [ ] No

If yes, departmental Chief Information Officer must sign.

Department CIO Date

For IT requests, specify the project number, the most recent project approval document (FSR, SPR, S1BA, S2AA, S3SD, S4PRA), and the approval date.

Project No. Project Approval Document: Approval Date:

If proposal affects another department, does other department concur with proposal? [ ] Yes  [ ] No  Attach comments of affected department, signed and dated by the department director or designee.

Prepared By Date Reviewed By Date

Department Director Date Agency Secretary Date

Department of Finance Use Only

Additional Review: [ ] Capital Outlay  [ ] ITCU  [ ] FSCU  [ ] OSAE  [ ] CALSTARS  [ ] Dept. of Technology

BCP Type: [ ] Policy  [ ] Workload Budget per Government Code 13308.05

PPBA ORIGINAL SIGNED BY: GREG BRUSS 1/10/2017

DF-46 (REV 03/13) Fiscal Summary

(Dollars in thousands)

BCP No. 3

Proposal Title Program 0740035 - Administration

Personal Services                       Positions (CY / BY / BY+1)    Dollars (CY / BY / BY+1)
Total Salaries and Wages (1)            --    1.0   1.0                --    $81   $81
Total Staff Benefits (2)                                               --     42    42
Total Personal Services                 0.0   1.0   1.0                $0   $123  $123

Operating Expenses and Equipment                              CY     BY   BY+1
General Expense                                               --      4      4
Printing                                                      --      1      1
Communications                                                --      3      3
Postage                                                       --      1      1
Travel - In State                                             --      1      1
Travel - Out of State                                         --     --     --
Training                                                      --      1      1
Facilities Operations                                         --      4      4
Utilities                                                     --      1      1
Consulting & Professional Services: Interdepartmental (3)     --     --     --
Consulting & Professional Services: External (3)              --     --     --
Data Center Services                                          --      1      1
Information Technology                                        --    153    141
Equipment (3)                                                 --     10     --
Other/Special Items of Expense (4)                            --     --     --
Total Operating Expenses and Equipment                        $0   $180   $158

Total State Operations Expenditures                           $0   $303   $281

Fund Source - State Operations     Item Number (Org / Ref / Fund)    CY     BY   BY+1
General Fund                       0950 / 001 / 0001                 --   $303   $281
Special Funds (5)                                                    --     --     --
Federal Funds                                                        --     --     --
Other Funds (Specify)                                                --     --     --
Reimbursements                                                       --     --     --

Total Local Assistance Expenditures                                  $0     $0     $0

Fund Source - Local Assistance     Item Number (Org / Ref / Fund)    CY     BY   BY+1
General Fund                                                         --     --     --
Special Funds (5)                                                    --     --     --
Federal Funds                                                        --     --     --
Other Funds (Specify)                                                --     --     --
Reimbursements                                                       --     --     --

Grand Total, State Operations and Local Assistance                   $0   $303   $281

(1) Itemize positions by classification on the Personal Services Detail worksheet.

(2) Provide benefit detail on the Personal Services Detail worksheet.

(3) Provide list on the Supplemental Information worksheet.

(4) Other/Special Items of Expense must be listed individually. Refer to the Uniform Codes Manual for a list of standard titles.

(5) Attach a Fund Condition Statement that reflects special fund or bond fund expenditures (or revenue) as proposed.


Personal Services Detail (Whole dollars)

BCP No. 3   Proposal Title: Information Security Program Augmentation

Salaries and Wages Detail

Classification (1)(2)             Positions (CY / BY / BY+1)   Salary Range   Dollars (CY / BY / BY+1)
Systems Software Specialist II    --    1.0   1.0              5814-7642      --    $80,736   $80,736
Total Salaries and Wages (3)      0.0   1.0   1.0                             $0    $80,736   $80,736

Staff Benefits Detail                  CY     BY        BY+1
OASDI                                  --     $5,000    $5,000
Health/Dental/Vision Insurance         --     13,000    13,000
Retirement                             --     22,000    22,000
  Miscellaneous / Safety / Industrial / Other:   (none listed)
Workers' Compensation                  --      1,000     1,000
Industrial Disability Leave            --         --        --
Non-Industrial Disability Leave        --         --        --
Unemployment Insurance                 --         --        --
Other: Medicare                        --      1,000     1,000
Total Staff Benefits (3)               $0    $42,000   $42,000

Grand Total, Personal Services         $0   $122,736  $122,736

(1) Use standard abbreviations per the Salaries and Wages Supplement. Show any effective date or limited-term expiration date in parentheses if the position is not proposed for a full year or is not permanent, e.g. (exp 6-30-13) or (eff 1-1-13). Note: Information provided should appear in the same format as it would on the Changes in Authorized Positions.

(2) If multiple programs require positions, please include a subheading under the classification section to identify positions by program/element.

(3) Totals must be rounded to the nearest thousand dollars before posting to the Fiscal Summary.


Supplemental Information (Dollars in thousands)

BCP No. Proposal Title 3 Information Security Program Augmentation

Equipment                          CY     BY   BY+1
Personal Computer and Software     --      3     --
Office Furniture                   --      7     --
Cyber Security Tools               --    153    141
Total                              $0   $163   $141

Consulting & Professional Services

Total $0 $0 $0

Facility/Capital Costs

Total $0 $0 $0

One-Time/Limited-Term Costs   Yes / No

Description        BY (Positions / Dollars)   BY+1 (Positions / Dollars)   BY+2 (Positions / Dollars)
Total              0.0 / $0                   0.0 / $0                     0.0 / $0

Full-Year Cost Adjustment   Yes / No

Provide the incremental change in dollars and positions by fiscal year.

Item Number        BY (Positions / Dollars)   BY+1 (Positions / Dollars)   BY+2 (Positions / Dollars)
Total              0.0 / $0                   0.0 / $0                     0.0 / $0

Future Savings   Yes / No

Specify fiscal year and estimated savings, including any decrease in positions.

Item Number        BY (Positions / Dollars)   BY+1 (Positions / Dollars)   BY+2 (Positions / Dollars)
Total              0.0 / $0                   0.0 / $0                     0.0 / $0


BCP Fiscal Detail Sheet BCP Title: Information Security Program Augmentation BR Name: 0950-003-BCP-2017-GB

Budget Request Summary FY17 CY BY BY+1 BY+2 BY+3 BY+4

Personal Services Positions - Permanent 0.0 1.0 1.0 1.0 1.0 1.0

Total Positions 0.0 1.0 1.0 1.0 1.0 1.0

Salaries and Wages Earnings - Permanent 0 81 81 81 81 81

Total Salaries and Wages $0 $81 $81 $81 $81 $81

Total Staff Benefits 0 42 42 42 42 42

Total Personal Services $0 $123 $123 $123 $123 $123

Operating Expenses and Equipment                      CY     BY   BY+1   BY+2   BY+3   BY+4
5301 - General Expense                                 0      4      4      4      4      4
5302 - Printing                                        0      1      1      1      1      1
5304 - Communications                                  0      3      3      3      3      3
5306 - Postage                                         0      1      1      1      1      1
5320 - Travel: In-State                                0      1      1      1      1      1
5322 - Training                                        0      1      1      1      1      1
5324 - Facilities Operation                            0      4      4      4      4      4
5326 - Utilities                                       0      1      1      1      1      1
5344 - Consolidated Data Centers                       0      1      1      1      1      1
5346 - Information Technology                          0    153    141    141    141    141
5368 - Non-Capital Asset Purchases - Equipment         0     10      0      0      0      0

Total Operating Expenses and Equipment $0 $180 $158 $158 $158 $158

Total Budget Request $0 $303 $281 $281 $281 $281

Fund Summary

Fund Source - State Operations          CY     BY   BY+1   BY+2   BY+3   BY+4
0001 - General Fund                      0    303    281    281    281    281
Total State Operations Expenditures     $0   $303   $281   $281   $281   $281

Total All Funds                         $0   $303   $281   $281   $281   $281

Program Summary

Program Funding                         CY     BY   BY+1   BY+2   BY+3   BY+4
0740035 - Administration                 0    303    281    281    281    281
Total All Programs                      $0   $303   $281   $281   $281   $281


BCP Title: Information Security Program Augmentation   BR Name: 0950-003-BCP-2017-GB

Personal Services Details

Positions                                              CY     BY   BY+1   BY+2   BY+3   BY+4
Sys Software Spec II (Tech) (Eff. 07-01-2017)         0.0    1.0    1.0    1.0    1.0    1.0
Total Positions                                       0.0    1.0    1.0    1.0    1.0    1.0

Salaries and Wages                                     CY     BY   BY+1   BY+2   BY+3   BY+4
Sys Software Spec II (Tech) (Eff. 07-01-2017)           0     81     81     81     81     81
Total Salaries and Wages                               $0    $81    $81    $81    $81    $81

Staff Benefits                                         CY     BY   BY+1   BY+2   BY+3   BY+4
5150350 - Health Insurance                              0     13     13     13     13     13
5150500 - OASDI                                         0      5      5      5      5      5
5150600 - Retirement - General                          0     22     22     22     22     22
5150800 - Workers' Compensation                         0      1      1      1      1      1
5150900 - Staff Benefits - Other                        0      1      1      1      1      1
Total Staff Benefits                                   $0    $42    $42    $42    $42    $42

Total Personal Services                                $0   $123   $123   $123   $123   $123

Salary Information: Min / Mid / Max


Analysis of Problem

A. Budget Request Summary

STO requests a General Fund funding increase in the amount of $303,000 for the continuation of STO's Information Security program, commensurate with STO's risk management plan and the Governor's Executive Order B-34-15. This funding request consists of $22,000 one-time costs, and $281,000 current year and ongoing annual costs to complement STO's Information Security (IS) program. The current year and ongoing costs are comprised of the following:

1. Software-as-a-Service = $131,000: annual software licensing subscription and professional data analytics service for the vulnerability assessment and continuous network monitoring security tools that provide essential cyber security protection (products defined on page 8 of this BCP).

2. Personal Services = $150,000: position authority and funding of a Systems Software Specialist II (SSS II) as the primary resource administering STO's cyber security tools.

B. Background/History

The STO's security program is based predominantly on the federal government's security standards published by the National Institute of Standards and Technology (NIST); the STO uses automation to support the STO and its Boards, Commissions, and Authorities (1) (hereinafter collectively referred to as STO) in complying with State and STO security policies. STO's IS program sets the policies, which are administered by ITD's Technical Support Section through a suite of cyber security products that enforce multiple layers of security protection, threat detection and network traffic monitoring. Additionally, STO's IS program collaborates with other governmental entities, including the California Office of Emergency Services, the California Information Security Office, and the Multi-State Information Sharing and Analysis Center, in managing STO's cyber security and risk mitigation strategies at the broadest level.

However, as the internet threat landscape continuously evolves and expands, STO must similarly evolve its cyber security arsenal commensurate with the STO's risk management objectives. STO has classified its data, identifying what is public, sensitive, protected, and/or subject to some other level of regulatory compliance. This data classification is a fundamental component of STO's risk management objectives, as presented in the Business Continuity Plan. It is also the basis for validating the arsenal of cyber tools STO needs to achieve the desired level of security and risk tolerance for its data, applications, and network infrastructure.

In combination, these tools provide the means by which STO currently protects its data assets. However, identifying and remediating the increasingly sophisticated cyber-attacks that pose a real and persistent threat to the integrity of the STO's banking and financial systems (2) is of the utmost importance not only to the STO, but to the thousands of municipal governments and the depository banks with which STO conducts daily business transactions.

STO's cyber security and risk management objectives include the protection of STO's financial banking systems, including the current STO applications that provide access and information to the public. This is not a new workload; it dates back to when the STO launched its first public-facing applications more than a decade ago. ITD supports more than one hundred applications on the STO enterprise network in support of STO's core operating mission. STO's online applications provide customers (upwards of 4,600 state and local government entities) with access to banking and financial systems that require continuous monitoring, vulnerability assessments, and advanced logging protection. No new STO applications are identified for future development with this BCP.

STO's cyber security objective remains unchanged, and this BCP neither alters nor changes that objective. However, because cyber security risks are increasingly complex and pervasive, they are much more difficult to identify and eliminate, raising the likelihood that STO will incur incidents that are catastrophic and/or material well beyond the boundaries of the STO.

(1) See Appendix A for the list of the Boards, Commissions and Authorities (BCAs) under the Treasurer's purview and for whom STO provides all IT support.

(2) The State Treasurer is the state's lead asset manager, banker and financier and also serves as chairperson or a member of numerous state authorities, boards and commissions; http://www.treasurer.ca.gov/inside/functions.asp


For the past two decades, within ITD, the Information Security Office (ISO) and the Network Support Section have doggedly supported STO's primary cyber security objective using tools that were once considered sufficient but are now known to be far more effective when complemented by other threat-vector mitigation features, such as applying automated analytics (business intelligence) to the massive amounts of data collected in STO's current network monitoring logs. The cyber security industry reports that 89% of data breaches have a financial or espionage motive, which aligns with STO's unique exposure. Attack methods range from undetected malware, network packet hijacking and data leakage to ransomware (malware that encrypts or locks servers inside the network and demands payment for their release). In combination, STO's proposed suite of cyber security tools enforces an improved security posture for the prevention, detection and obstruction of threats.

As described in Executive Order B-34-15 (3), information technology networks and critical infrastructure around the world are threatened by increasingly sophisticated cyber-attacks aimed at breaching and damaging computer networks and infrastructure in California and elsewhere. As the State's banker and financier, the STO is a prime target. Without strengthening STO's current prevention and response capabilities, the STO is at high risk of a major security breach, increasing the state's susceptibility to economic disruption, critical infrastructure damage, and privacy violations.

The first component of this BCP is a request for funding to acquire the cyber protection tools and analytical services that complement STO's current cyber security enforcement mechanisms. To minimize security risks to STO's banking and financial infrastructure, the proposed tools would provide proactive identification of potential or emerging exploits and vulnerabilities in STO's networks, operating systems, and applications. Today ITD manually reviews the logs generated by the devices listed in the table above. This is an inefficient use of staff time, minimally effective, and purely reactive.

Additionally, ITD is informed of potential threats through email advisories from vendors and email notifications from federal and state cyber information sharing centers. This labor-intensive, manual method requires staff intervention to correct problems after they have already been exploited, which is at best a reactive response that is both time consuming and introduces additional risk because of the latency of external communications. If the STO network were exploited, it is likely that unchecked or unannounced vulnerabilities could compromise the confidentiality, integrity, and availability of STO's banking and financial systems and data. In turn, this would be highly disruptive to the State's core financial operations, affecting all California State entities, California's local governments and municipalities, and the multitude of service providers and recipients of the State's financial services.

Exploits are rampant on the internet and are an ever-present threat to the integrity of STO's cyber assets. Unfortunately, many cyber exploits are not formally announced by the governmental and private sector entities created for the world's cyber protection. In the financial services sector, Microsoft and Oracle products account for over half of the reported vulnerabilities and exploit targets, and the STO has made, and continues to make, significant technology investments in and deployments of Microsoft and Oracle products.

The second component of this BCP is to establish a new position at the SSS II level. Currently, STO's cyber security tools are administered as a secondary responsibility by multiple engineers in ITD's Technical Support Section, who have other primary technical responsibilities. The skeletal staffing structure of the Technical Support Section has left no staff depth: current staff have no backup resource that is cross-trained in their core responsibilities. Without that critical depth, none of the current staff have the capacity to support additional security tools without compromising their core responsibilities in other technical areas such as the development, deployment and administration of firewalls, routers, databases, application servers, and storage area network (SAN) devices. The proposed SSS II will serve as the hands-on lead administrator of STO's suite of tools in the enforcement of STO's security standards, while the current engineers will be able to maintain their core responsibilities and also act as backup resources in their areas of security specialization.

In the STO's State Leadership Accountability Act report that was submitted in December 2015, and in the STO's subsequent Corrective Action plans, STO ranked the department's disaster preparedness, business continuity and technology recovery as its highest risk. Strengthening STO's cyber security posture is a critical component of the corrective measures to mitigate this risk.

(3) Executive Order B-34-15, Governor Brown

C. State Level Considerations

California's Dependency on STO's IT Services

On behalf of California, and as a Constitutional Office, the Treasurer has broad authority and responsibility for approximately $100 billion in State debt (bonds, notes, and commercial paper). One of the Treasurer's mandated responsibilities is to borrow from capital markets at the lowest cost to the State of California. State bonds fund critical infrastructure needs such as schools, transportation, clean water, and clean air. The ability to manage the bonds that fund California's critical infrastructure resides in part with STO's initiatives such as the Security Management Accounting, Reporting, and Transaction (SMART) system, the Debt Management System II and the interface with the FI$Cal system, which are but three examples, from among more than 100 in-house applications.

An IT staff augmentation is crucial to maintaining STO's cyber integrity. Ensuring the level of protection warranted for STO's IT services requires dedicated administration of comprehensive vulnerability mitigation tools that provide real-time information on a wide range of vulnerabilities existing across the enterprise, including the enterprise infrastructure, servers, applications, and databases.

Alignment with the Treasurer's Strategic Plan

The following are excerpts from STO's Strategic Plan:

"As an independently elected California Constitutional Officer, the Treasurer represents all Californians and functions as the State's lead asset manager, banker and financier, and also serves as chairperson or a member of numerous State authorities, boards and commissions. The Treasurer has broad constitutional and statutory responsibilities and authority in the areas of state government's investment and finance."

"Objectives:

• Leverage today's information technology resources to more effectively and efficiently meet the needs of the State Treasurer's Office and its Boards, Commissions, and Authorities.

• Utilize innovative outreach strategies to increase public awareness of the State Treasurer's Office and its Boards, Commissions, and Authorities and the various programs, services, and benefits available, and the contributions of our employees.

• Continue its historic partnership with the State Controller's Office, Department of Finance, and Department of General Services to ensure success in the development and implementation of the Financial Information System for California (FI$Cal).

• Continue to negotiate with our banking and business partners to simplify work processes, take advantage of technological advances, to gain efficiencies, save money, and provide better performance."

The mission of the ITD is to support the efforts of the State Treasurer's Office to achieve its program objectives through the efficient, effective, and timely delivery of quality information technology products and services.

Alignment with State Leadership Accountability Act (SLAA)

This proposal complies with the SLAA mandates, which require STO to identify risks to its mission, ensure there are sufficient internal controls to minimize the risks, and monitor internal control on an ongoing basis to certify it is working as intended. STO recently submitted the annual SLAA report to the Department of Finance; the highest priority on the SLAA is STO's business continuity plan and the inherent responsibility to mitigate the risk of cyber-attacks. This BCP strategically contributes to mitigating those risks.

External Alignment

This proposal aligns with the information security requirements published in the State Administrative Manual (SAM), Section 5300, Information Security Policies, which states in part:

Risk Assessment 5305.7 (Revised 6/14)

Policy: Each state entity shall conduct an assessment of risk, including the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system/asset and the information it processes, stores, or transmits. Each state entity shall conduct a comprehensive risk assessment once every two years which assesses the state entity's risk management strategy for all three levels and documents the risk assessment results in a risk assessment report.

The risk assessment process must include the following:

1. Assignment of responsibilities for risk assessment, including appropriate participation of executive, technical, and program management.

2. Identification of the state entity information assets that are at risk, with particular emphasis on the applications of information technology that are critical to state entity program operations. Identification of the threats to which the information assets could be exposed.

3. Assessment of the vulnerabilities, e.g., the points where information assets lack sufficient protection from identified threats.

4. Determination of the probable loss or consequences, based upon quantitative and qualitative evaluation, of a realized threat for each vulnerability and estimation of the likelihood of such occurrence.

5. Identification and estimation of the cost of protective measures which would eliminate or reduce the vulnerabilities to an acceptable level.

6. Selection of cost-effective security management measures to be implemented.

7. Preparation of a report, to be submitted to the state entity head and to be kept on file within the state entity, documenting the risk assessment, the proposed security management measures, the resources necessary for security management, and the amount of residual risk to be accepted by the state entity.

System Developer Security Testing 5315.4 (Revised 6/14)

Policy: Each state entity shall require that system developers create and implement a security test and evaluation plan as part of the system design and build. When a contract is required, it shall specify the acceptance criteria for security test and evaluation plans and vulnerability remediation processes.

Security Assessments 5330.1 (Revised 6/14)

Policy: Each state entity shall perform security assessments to determine whether the security controls selected by the state entity are implemented correctly and working as intended to mitigate risk. Security assessments conducted by the state entity shall include, but are not limited to, the following:

1. Legal, policy, standards, and procedure compliance review;

2. Vulnerability scanning; and

3. Penetration testing.

Vulnerability and Threat Management 5345 (Revised 6/14)

Introduction: Threats and vulnerabilities provide the primary inputs to the state entity's risk assessment process.

Policy: Each state entity shall continuously identify and remediate vulnerabilities before they can be exploited. Vulnerability and threat management includes, but is not limited to, the following:

1. Strategic placement of scanning tools to continuously assess all information technology assets;

2. Implementation of appropriate scan schedules, based on asset criticality;

3. Communication of vulnerability information to system owners or other individuals responsible for remediation;

4. Dissemination of timely threat advisories to system owners or other individuals responsible for remediation; and

5. Consultation with system owners on mitigation strategies.

6. Implementation of mitigation measures.

Governor Brown's Executive Order B-34-15

Additionally, this proposal aligns with Governor Brown's Executive Order B-34-15. The Governor's Office of Emergency Services, tasked with establishing the California Cybersecurity Integration Center (Cal-CSIC), has identified the STO as a partner representing the State's Financial Services sector. Cyber threat indications and warnings generated by the security assessment tools would be shared with Cal-CSIC and its partners for unified intelligence gathering and coordinated incident response.

Executive Order B-34-15 states in part:

WHEREAS information technology networks and critical infrastructure around the world are threatened by increasingly sophisticated cyber-attacks; and

WHEREAS cyber-attacks aimed at breaching and damaging computer networks and infrastructure in California represent a major security risk and increase the state's vulnerability to economic disruption, critical infrastructure damage, privacy violations, and identity theft; and

WHEREAS state government agencies protect the state's computer networks and investigate criminal attacks on state computer networks and critical infrastructure systems under current state law; and

WHEREAS the National Cybersecurity and Communications Integration Center was established through the National Cybersecurity Protection Act of 2014 to oversee federal government cybersecurity and critical infrastructure protection; and

WHEREAS the increasing number and complexity of cyber-attacks demands heightened levels of coordination, information sharing, and emergency response between state government and federal agencies, local governments, tribal governments, private companies, academic institutions, and other entities in order to protect computer networks and critical infrastructure systems from damage or unauthorized access; and

WHEREAS the California Emergency Services Act authorizes the Governor to take actions to prepare for, respond to, and prevent natural or human-caused emergencies that endanger life, property, and the state's resources, and further authorizes the Governor's Office of Emergency Services and its Director to take actions to coordinate emergency planning, preparedness, and response activities.

D. Justification

Cyber security threats continue to increase in frequency and complexity, and proper, robust defenses are needed to detect and protect against them. The cyber security tools, analytics and staff augmentation requested here are needed to further protect critical State banking and financial systems and to satisfy the Information Security requirements in SAM 5300 for network assessments and monitoring. Additionally, this augmentation supports Governor Brown's Executive Order B-34-15, which recognizes the increasing number and complexity of cyber-attacks and security risks to critical State infrastructure. This request also aligns with the State Leadership Accountability Act mandates, which require STO to identify risks to its mission, ensure there are sufficient internal controls to minimize those risks, and monitor those internal controls on an ongoing basis to certify that they are working as intended.

E. Outcomes and Accountability

The approval of this request will authorize the ongoing increased expenditure authority and fund it accordingly, for the STO to take the following actions:

1. Uphold STO's IS program objectives and policies through the enforcement of a robust security posture protecting STO's banking and financial systems.

2. Establish one Systems Software Specialist II (SSS II) position to provide hands-on administration and leadership of the STO's suite of cyber security tools.

F. Analysis of All Feasible Alternatives

Alternative 1 (Recommended)

This BCP proposes that STO acquire renewable cloud subscription software services to complete STO's cyber security arsenal. These cloud subscription services will complement STO's existing, in-house cyber security suite and will be administered by the proposed SSS II. The proposed SSS II will be the primary resource for ensuring compliance with, and enforcement of, STO's security policies through automation. The SSS II will configure and manage the cloud software services as well as the in-house products, to assess and mitigate application vulnerabilities, supported by broad-scale continuous network monitoring and automated log analysis with threat-profiling reports.

The proposed tools are mature, proven and currently used in California state government, including by the Department of Technology and the FI$Cal Project. This proposal includes a.) a Threat Management Solution; b.) a Vulnerability Assessment Service; and c.) Web Application Security Products. More details and the benefits of these products are outlined below.

a. The Threat Management Solution provides log collection, event correlation and 24x7 device monitoring. The service combines risk-based, rules-based and anomaly-based event correlation to reduce false positives and better detect abnormal logging behavior. Critical devices send their log data to collectors installed on the STO network; the collectors forward that log data 24x7 to a security operations center for advanced analysis. The data is sent encrypted, and notifications are generated by both email and telephone call if and when malicious activity is discovered. All log data is accessible at any time to authorized administrators, and customizable dashboards are available.

b. The Vulnerability Assessment Service provides host discovery (detecting so-called 'gorilla nodes', i.e. hosts implanted on the STO network either maliciously or innocuously) and vulnerability scans that proactively test for known vulnerabilities and for deviations from industry best-practice security configurations. Internet-facing devices such as routers, firewalls, web servers and e-mail servers will be scanned for potential security weaknesses and checked for "open doors" (exposed services) that could allow an attacker to gain unauthorized access to the network and exploit critical assets. A variety of reports are available to authorized administrators, including Technical Details Assessment and Active View Risks.


c. The Web Application Security Products provide comprehensive application vulnerability detection through dynamic analysis: running applications are exercised and tested for security errors in real time to accurately identify potential vulnerabilities, with automated notifications and reports to the administrator.
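To make the correlation described under item a. concrete, the following is an added example (written for this page; it is not STO's code or any vendor's product) of the two detection styles applied to one forwarded log stream: a rule that fires on a burst of failed logins followed by a successful login from the same source, and an anomaly check that flags a time bucket whose failure count sits far above a historical baseline. The sshd-style log lines, the baseline counts, the five-failure threshold and the z-score cutoff are all constructed assumptions. Either detection can only see devices that actually forward their logs to a collector, so collector coverage is the first thing to verify when such a service is deployed.

```python
"""Rule-based and anomaly-based correlation over forwarded auth logs (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample lines in sshd/syslog style; not real STO log data.
SAMPLE_LOGS = """\
Jan 10 08:00:01 web1 sshd[101]: Failed password for admin from 203.0.113.5 port 5100 ssh2
Jan 10 08:00:03 web1 sshd[102]: Failed password for admin from 203.0.113.5 port 5101 ssh2
Jan 10 08:00:05 web1 sshd[103]: Failed password for root from 203.0.113.5 port 5102 ssh2
Jan 10 08:00:07 web1 sshd[104]: Failed password for root from 203.0.113.5 port 5103 ssh2
Jan 10 08:00:09 web1 sshd[105]: Failed password for root from 203.0.113.5 port 5104 ssh2
Jan 10 08:00:12 web1 sshd[106]: Accepted password for root from 203.0.113.5 port 5105 ssh2
Jan 10 08:15:00 web1 sshd[107]: Failed password for jsmith from 198.51.100.7 port 6000 ssh2
Jan 10 08:20:00 web1 sshd[108]: Accepted publickey for jsmith from 198.51.100.7 port 6001 ssh2
"""

# Constructed baseline (assumption): failed logins per 5-minute bucket seen on "normal" days.
BASELINE_FAILURES_PER_BUCKET = [0, 1, 0, 0, 2, 1, 0, 0, 1, 0]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_events(text, year=2017):
    """Parse syslog-style sshd lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def rule_brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Rule-based: at least `threshold` failures from one source inside `window`,
    followed by an accepted login from that same source."""
    alerts = []
    recent_failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent_failures[src].append(ev["ts"])
        elif len(recent_failures[src]) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src": src, "user": ev["user"],
                           "host": ev["host"], "failures": len(recent_failures[src]), "at": ev["ts"]})
            recent_failures[src].clear()  # do not re-alert on the same burst
    return alerts


def anomaly_failure_spikes(events, baseline, z_threshold=3.0, bucket_minutes=5):
    """Anomaly-based: flag any time bucket whose failed-login count is more than
    `z_threshold` standard deviations above the baseline mean."""
    mu, sigma = mean(baseline), pstdev(baseline) or 1.0  # flat baseline: fall back to unit scale
    counts = Counter()
    for ev in events:
        if ev["result"] == "Failed":
            t = ev["ts"]
            bucket = t.replace(minute=t.minute - t.minute % bucket_minutes, second=0, microsecond=0)
            counts[bucket] += 1
    return [{"bucket": b, "count": n, "z": round((n - mu) / sigma, 2)}
            for b, n in sorted(counts.items()) if (n - mu) / sigma >= z_threshold]


def correlate(text):
    """Run both detections over one log stream and return the combined findings."""
    events = parse_events(text)
    return {"rule_alerts": rule_brute_force_then_success(events),
            "anomalies": anomaly_failure_spikes(events, BASELINE_FAILURES_PER_BUCKET)}


if __name__ == "__main__":
    findings = correlate(SAMPLE_LOGS)
    for a in findings["rule_alerts"]:
        print(f"[RULE] {a['rule']}: {a['failures']} failures then success as {a['user']} "
              f"from {a['src']} on {a['host']} at {a['at']:%H:%M:%S}")
    for s in findings["anomalies"]:
        print(f"[ANOMALY] {s['count']} failed logins in bucket {s['bucket']:%H:%M} (z={s['z']})")
```

On the constructed lines, the rule fires once (five failures from 203.0.113.5 followed by a successful root login) and the anomaly check flags the 08:00 bucket; the single failure from 198.51.100.7 at 08:15 triggers neither, which is the false-positive reduction the paragraph describes. In a real deployment the baseline would be learned per host and per hour rather than hard-coded.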

This recommendation removes the need for ITD to acquire and install hardware and software, as this is a cloud-based subscription service, and ITD already has experience administering other cloud-based subscription services. California has a cloud-first directive, and the proposed software-as-a-service is a cloud solution that includes software installation, patching and maintenance. The proposed SSS II will be responsible for configuration and customization aligned with STO's security policies. The SSS II duty statement is attached.
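As an added illustration of the host discovery and "open doors" checks described under item b. above (example code written for this page, not STO's or a vendor's), the following compares a discovery scan's results against an asset inventory and a per-host allowed-service policy: hosts that answer inside the scanned range but are absent from the inventory are candidate 'gorilla nodes', inventoried hosts that do not answer are flagged for follow-up, and any open port outside a host's allowed set is an exposed service to investigate. The inventory, the scanned range and the nmap-grepable-style scan lines are constructed assumptions.

```python
"""Host discovery diff and exposed-service check against an asset inventory (added example, constructed data)."""
import re
from ipaddress import ip_address, ip_network

# Constructed asset inventory (not STO data): each known host and the ports it is allowed to expose.
INVENTORY = {
    "192.0.2.10": {"name": "fw-edge", "role": "firewall",   "allowed_ports": {443}},
    "192.0.2.20": {"name": "web1",    "role": "webserver",  "allowed_ports": {80, 443}},
    "192.0.2.30": {"name": "mx1",     "role": "mailserver", "allowed_ports": {25, 587}},
    "192.0.2.40": {"name": "vpn1",    "role": "vpn",        "allowed_ports": {443}},
}
SCANNED_RANGE = ip_network("192.0.2.0/24")  # assumed internet-facing segment

# Constructed discovery output in nmap "grepable" (-oG) style; one host per line.
SCAN_OUTPUT = """\
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.0.2.20 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 192.0.2.30 ()\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///, 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.77 ()\tPorts: 22/open/tcp//ssh///, 4444/filtered/tcp//krb524///
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\d+\.\d+\.\d+\.\d+) \(.*?\)\tPorts: (?P<ports>[^\t]*)")
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)//(?P<service>[^/,]*)")


def parse_scan(text):
    """Return {ip: {port: service}} for TCP ports reported open; other states are ignored."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = {}
        for p in PORT_RE.finditer(m["ports"]):
            if p["state"] == "open" and p["proto"] == "tcp":
                open_ports[int(p["port"])] = p["service"]
        hosts[m["ip"]] = open_ports
    return hosts


def rogue_hosts(scan, inventory, scanned_range=SCANNED_RANGE):
    """Hosts that answered inside the scanned range but are not in the inventory."""
    return sorted(ip for ip in scan
                  if ip not in inventory and ip_address(ip) in scanned_range)


def missing_hosts(scan, inventory):
    """Inventoried hosts that did not answer: down, moved, or a stale inventory entry."""
    return sorted(ip for ip in inventory if ip not in scan)


def unexpected_services(scan, inventory):
    """Open ports on known hosts that fall outside that host's allowed set."""
    findings = []
    for ip, ports in scan.items():
        if ip not in inventory:
            continue  # rogue hosts are reported separately
        for port, service in sorted(ports.items()):
            if port not in inventory[ip]["allowed_ports"]:
                findings.append({"ip": ip, "name": inventory[ip]["name"], "port": port, "service": service})
    return findings


def assess(text, inventory=INVENTORY):
    """Run all three checks over one scan and return the findings."""
    scan = parse_scan(text)
    return {"rogue": rogue_hosts(scan, inventory),
            "missing": missing_hosts(scan, inventory),
            "exposed": unexpected_services(scan, inventory)}


if __name__ == "__main__":
    result = assess(SCAN_OUTPUT)
    for ip in result["rogue"]:
        print(f"[ROGUE HOST] {ip} answered but is not in the asset inventory")
    for ip in result["missing"]:
        print(f"[MISSING] {INVENTORY[ip]['name']} ({ip}) is inventoried but did not answer")
    for f in result["exposed"]:
        print(f"[EXPOSED] {f['name']} ({f['ip']}) port {f['port']}/{f['service']} is not an allowed service")
```

On the constructed input this reports 192.0.2.77 as an uninventoried host, vpn1 as inventoried but silent, and two exposed services (a second HTTP listener on web1 and RDP on the mail server). The point a practitioner should take from it is that discovery is only as good as the inventory it is diffed against: keeping the allowed-port policy current is what turns a raw port list into an actionable finding.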

Alternative 1 Cost Summary

                                    One-time Cost*   Ongoing Cost**   BCP Request
Personal Services
  SSS II staffing                                    $150,000
Technology Services                 Setup Cost*      Licensing Cost**
  Threat Management Solution        $18,000          $24,000
  Vulnerability Assessment Service  $4,000           $12,000
  Cloud based Solution License                       $95,000
Total                               $22,000*         $281,000**       $303,000

* One-time setup cost, Year 1 only.
** Annual Personal Services and Software-as-a-Service license and support, Year 1 and ongoing.

The STO has also explored the following alternatives.

Alternative #2

Hire contractors to conduct point-in-time web application vulnerability assessments and ongoing internal/external hardware and software monitoring. This option is inconsistent with the Administration's policy against hiring contractors to perform work that is within the skills, knowledge and abilities of the State workforce. For this alternative, we evaluated contracted services to meet STO's vulnerability assessment and remediation needs.

The vendors' offerings ranged from approximately $150,000 on the low end for a one-time assessment of a limited number of network nodes, through the mid-range of several hundred thousand dollars for substantially more network nodes (equivalent to STO's network), to high-end costs that were unjustifiable for STO's ongoing needs. One-time assessments are only good for that point in time and do not sustain STO's ongoing security compliance and enforcement needs, consistent with the 24x7 operation of STO's cyber services.

Alternative #3

Execute a contract with the California Military Department Cyber Network Defense Team to perform vulnerability and other information security assessments. This option does not provide continuous protection against new and evolving threats, as it is a snapshot-in-time assessment. Furthermore, the cost of the snapshot assessment was commensurate with the low-end estimate referenced in Alternative #2, but again for only a limited number of nodes within STO's network, and the assessment fee increased dramatically with the corresponding increase in scope. It would be of little to no value to limit the scope of the assessment and leave multiple vulnerabilities unassessed in an attempt to avoid spending hundreds of thousands of dollars, when a complete assessment is achievable with Alternative #1, for all network nodes, ongoing and into perpetuity. Continuous vulnerability assessment of STO's network nodes, together with ongoing analysis of its logs, is required to maintain an effective information security program.

At the time we met with the California Military Department, they could make no assertions regarding their availability to conduct assessments, due to the uncertainty of their resource availability resulting from the passage of AB 670, which requires them to provide compliance audits and independent security assessments to state departments on behalf of the Department of Technology.

G. Implementation Plan

Upon budget enactment the STO will initiate recruitment of the staff and fulfill the activities as described herein.

H. Supplemental Information

N/A

I. Recommendation

STO recommends Alternative #1, as it is incumbent upon STO to support the network and related services consistent with State and STO security policies. Consequently, STO must take responsibility for evaluating the adequacy and efficacy of its Information Security program, including the cyber threat mitigation tools currently in use, and ensure their viability in managing the ever-evolving threats facing STO's network and assets.


Appendix A

Boards, Authorities and Commissions

The State Treasurer's Office (STO) plays a central administrative role for numerous state Boards, Commissions and Authorities. The Treasurer serves as chair or member of these various agencies, which organizationally report to the State Treasurer's Office. Many of these agencies are authorized to issue debt for specific purposes as permitted by law. These agencies also may advise California municipalities on debt issuance and oversee the state's various investment operations. Their mission statements are published online, in the STO's Strategic Plan.

1. California Alternative Energy and Advanced Transportation Financing Authority

2. California Debt and Investment Advisory Commission

3. California Debt Limit Allocation Commission

4. California Educational Facilities Authority

5. California Health Facilities Financing Authority

6. California Healthy Food Financing Initiative Council

7. California Industrial Development Financing Advisory Commission

8. California Pollution Control Financing Authority

9. California School Finance Authority

10. California Secure Choice Retirement Savings Investment Board

11. California Tax Credit Allocation Committee

12. California Transportation Financing Authority

13. ScholarShare Investment Board

14. California Urban Waterfront Area Restoration Financing Authority


Attachment

Proposed - DUTY STATEMENT, STATE TREASURER'S OFFICE

Information Technology Division, Technical Support Section

PART A

Position No: 820-xxx-xxxx-xxx Date: Class: System Software Specialist II (Technical) Name:

Under the general supervision of the Systems Software Specialist III (Supervisor), the Systems Software Specialist II (Technical) position is the technical lead for the implementation and administration of the complex technology systems enforcing departmental and statewide security policies consistent with STO's Information Security and risk management plans. The scope of responsibility spans the STO's IT environment which includes production, disaster recovery, test, development and client networks hosted in multiple sites, and all information assets residing within them.

The incumbent will work on STO's suite of complex information security products and systems, including design, programming, configuration, administration, installation and maintenance of a variety of technology products critical to upholding the integrity of STO's cyber and information assets. Additionally, the incumbent must keep abreast of the ever-expanding threat landscape external to the STO through education and training. The incumbent must identify STO's corresponding technology vulnerabilities while administering STO's security systems, which contribute to the prevention, mitigation and correction of risks, cyber-attacks and all forms of malicious technology exploits.

The incumbent will serve as one of STO's technical and analytical experts in the analysis and prevention of security breaches; perform security assessments through expert command of ITD's cyber security suite of products that enforce STO's security policies and programs; produce reports and documentation affirming policy enforcement; enable STO's Information Security Office to conduct security audits; and cross train staff in the Technical Support Section as backup resources on ITD's cyber security suite of products.

The incumbent is expected to have extensive knowledge and experience administering complex IT systems; communicate effectively; develop and maintain effective and cooperative working relationships; and adapt to changing priorities. This position requires the incumbent to work under pressure to meet deadlines.

Special knowledge of networking, operating systems, monitoring and disaster recovery is highly desirable.

Percentage of time performing duties:

ESSENTIAL FUNCTIONS

The following is not intended to serve as a comprehensive list of all duties performed by this position. This duty statement is only a representative summary of the primary responsibilities. The incumbent may be required to perform additional, position-specific duties.

60% Security Risk Management

Administer STO's suite of complex information security products and systems, including design, programming, configuration, administration, installation and maintenance of a variety of technology products critical to upholding the integrity of STO's cyber and information assets.

Conduct technical security product assessments, validating and documenting how the products uphold and enforce STO's security policies.

Stay well informed through self-education and formal training of current and emerging security threats and mitigation controls. Perform analysis of network infrastructure and IT asset security settings. Receive the ISO's vulnerability and assessment findings, using them to identify and analyze how to most effectively deploy STO's security products to enforce and mitigate vulnerabilities and risks. Lead the Technical Support Section as the primary administrator of the suite of cyber security products.

Maintain accurate documentation of all security incidents.

30% Information Security Office (ISO) Support

Work with STO's ISO to understand STO's security policies, procedures and standards. Administer the cyber-security suite of tools sufficiently to enforce compliance with STO's security policies, or conversely identify non-compliance.

Support the ISO in communicating with internal and external entities to ensure that appropriate containment activity is performed in the event of a security incident. Ensure the ISO has appropriate documentation to serve notification to the California Highway Patrol, Directorate level, the State Information Security Office (SISO), and departmental staff. Monitor, update and advise management of all information regarding security issues and incidents.

Provide feedback to the ISO regarding any findings the incumbent identifies from cyber security impact analyses, and recommendations that could result in changes to the State's IT standards, policies, instructions, processes and guidelines as addressed in SAM, SIMM, Management Memos and annual Budget Letters.

Maintain a cooperative working relationship with STO's ISO to understand the nuances of STO's Information Security program initiatives and projects, including the ongoing maintenance of STO's Business Continuity Plan, Technology Recovery Plan, and risk management plans. Maintain familiarity with all STO standards, procedures, and guidelines.

Provide consultant services to STO's ISO related to the effective administration of STO's cyber security suite of products, in support of the ISO's ongoing review of STO's program areas regarding business reengineering opportunities and process improvement proposals that are driven by cyber security initiatives.

5% Participate in the agency's disaster recovery and business continuity programs.

NON-ESSENTIAL FUNCTIONS

5% Provide written and verbal communications in the form of status reports, time estimates, problem analysis, summaries, etc. to management throughout the department, as necessary.

Other duties as required.