Commonwealth Information Security Advisory Group (ISOAG) Meeting
March 14, 2007
www.vita.virginia.gov
ISOAG March 2007 Agenda
I. Welcome (Peggy Ward, VITA)
II. Commonwealth Enterprise Solutions Center (CESC) Tier III Data Center (Dana Taylor, NG)
III. CESC Physical Security (Ralph Bell, NG)
IV. Server Virtualization/Shared DASD Security (Dana Taylor, NG)
V. CESC Data Center Information Security (Trey Stevens, NG)
VI. Encryption Solution Ordering Specifics (Don Kendrick, VITA)
VII. SJR 51 Action Plan (Cathie Brown, VITA)
VIII. IT Legislation (Peggy Ward, VITA)
IX. Other Business (Peggy Ward, VITA)
Commercial, State & Local Solutions
Commonwealth Enterprise Solutions Center: Facilities Overview
Presented by: Dana Taylor
Facility Characteristics
• Basic Data Center Infrastructure
 – Floor Plan
 – Amenities
• Electrical
• Mechanical
• Questions and Answers
Facility Characteristics: Meeting Tier III
“The key to Tier III is concurrent maintainability…” (Uptime Institute)
Data Center Basic Infrastructure
• The Data Center is 50,000 sq ft
• 100 Watts per sq ft (corner to corner)
• Raised floor is 48”
• All equipment has dual-source power
• Security cameras
• Access control (including portal with biometrics)
• CMOC (Consolidated Management Operations Center)
• Fire protection: pre-action sprinklers and VESDA
• Cable management
 – Server PODs via overhead cable tray
• Two separate demarc locations (3 rooms each)
Data Center Characteristics
• Separation of VITA and Northrop Grumman
• Central Monitoring (CMOC)
• Expandability
• Testing and Burn In Labs
• Security Operations Center (SOC)
• Hot/Cold Aisles
• Floor Layout (Alpha Numeric floor grid)
Page Intentionally Omitted
Generator Master Controls
4000A Switchgear
GENERATOR PARALLELING GEAR
GENERATOR
CESC Electrical
SPECIAL SYSTEMS
– VESDA (Very Early Smoke Detection Apparatus)
– Elevated Cable Tray
– Access Control and CCTV
– Local and Remote Monitoring
– Signal Reference Grid
– Emergency Power Off
CESC Mechanical
Typical Computer Room Air Conditioning (CRAC) unit
Multiple CRAC units installed for initial Data Center operation
Copyright 2006 Northrop Grumman Corporation
CESC Physical Security Overview
Ralph Bell
Pegasys P2000 Security Management System
The Pegasys P2000 technology has been utilized as the security platform for many agencies and critical infrastructures in the Commonwealth of Virginia, including:
§ Virginia Department of Transportation
§ Virginia Department of General Services, including
 – Capitol
 – Supreme Court
 – Division of Consolidated Laboratory Services
§ Virginia State Police
§ The Chesapeake Bay Bridge Tunnel Authority
§ Virginia Department of Public Rail & Transportation
§ Virginia Department of Emergency Management
§ Virginia Forensic Laboratories
Security Walk Through
![Page 34: Commonwealth Information Security Advisory …...Security Domains 1. SDLC Security 2. Software Change Mgmt 3. Monitoring & Logging 4. Standard Config. 5. Security Awareness Training](https://reader035.vdocuments.net/reader035/viewer/2022063003/5f5b0f5b5377f0070771d766/html5/thumbnails/34.jpg)
Copyright 2006 Northrop Grumman Corporation34
![Page 35: Commonwealth Information Security Advisory …...Security Domains 1. SDLC Security 2. Software Change Mgmt 3. Monitoring & Logging 4. Standard Config. 5. Security Awareness Training](https://reader035.vdocuments.net/reader035/viewer/2022063003/5f5b0f5b5377f0070771d766/html5/thumbnails/35.jpg)
Server Virtualization/Shared DASD Security
Dana Taylor
VMware Infrastructure Security Components
§ VirtualCenter
§ The virtual machines
§ The virtualization layer, consisting of the VMkernel and the virtual machine monitor
§ The ESX Server service console
§ The ESX Server virtual networking layer
§ Virtual storage
Isolation is a Virtualization Benefit
§ ESX Server can be deployed in a variety of scenarios, including a restrictive multi-customer deployment
§ Virtual machines are isolated from the host machine and from other virtual machines running on the same hardware
§ They share physical resources such as CPU, memory and I/O devices, but cannot “see” any device other than the virtual devices made available to them by the virtual machine monitor
§ Data does not leak across virtual machines; applications communicate only over configured network connections
VirtualCenter
§ Centralized management of the VMware Infrastructure
§ Sophisticated system of roles and permissions
§ Allows fine-grained determination of authorization for administrative and user tasks, based on user or group and inventory item, such as clusters, resource pools, and hosts
§ Allows only the minimum necessary privileges to be assigned in order to prevent unauthorized access
Virtual Storage
Questions?
Contact Information:
§ Mike Shaffer, VITA Service Delivery Manager: [email protected]
§ Don Norwine, Server Functional Area Lead: [email protected]
§ Jennifer Breitzmann, Server Functional Area: [email protected]
Logical Security - Networks
Trey Stevens
Security Engineer
Premise
Agencies have expressed concern that in the new shared environment, where all of their resources are physically beside systems outside of their control, data security may suffer.
Network Segmentation
• Agencies will be logically separated in several different ways:
 – TCP/IP range
 – VLAN separation
 – Firewalls
TCP/IP Range
Each agency will be allocated its own range of addresses. Based on the nature of TCP/IP, these ranges cannot communicate with one another without going through a router/firewall.
VLANs
• Virtual Local Area Networks (VLANs) are a very flexible type of LAN in which machines located in the same physical area are not necessarily on the same LAN broadcast domain.
• VLANs are used as a means to identify and then segment traffic at a very granular level.
Firewalls
• Firewalls will be used to protect specific resources, thereby reducing the risk of unauthorized access to sensitive information.
• In addition to user containment, internal firewalls contain attacks to prevent damage from spreading in the event that an attack occurs.
Defense in Depth
• Physical security maintained in a Tier 3 data center, as described by Dana Taylor
• Layer 2 switch security with VLANs
• Layer 3 security with firewalls
• Additional security not discussed, such as NIDS/NIPS and HIDS
Before Transformation
• Before Transformation, agencies may have differing degrees of logical separation.
• For example, Agency A in this diagram is basically a ‘flat’ network with all computers and servers on the same subnet. Agency B in this diagram is utilizing VLAN separation internally and also has its own Internet connection.
• Agencies connect back to RPB for resources
Post Transformation
• Post Transformation, each agency will have a degree of logical separation which will be honored all the way back to the data center, ensuring agencies can access their assets but no one else can.
• Internet access will be collapsed, providing fewer points of entrance
• Agencies connect back to the CESC for resources
Questions?
Guardian Edge - Encryption Plus
Don Kendrick, Senior Manager of Security Operations
SJR 51 Action Plan
Cathie Brown, CISM, CISSP
SJR 51 Recommendation #1
• Develop a plan to communicate infrastructure information & standards to agencies that VITA supports.
• Provide assistance & expertise to agencies as they develop their information security programs.
• Assume responsibility for ensuring that the infrastructure meets the agency’s needs & mitigate threats & vulnerabilities through Northrop Grumman’s standards.
Action Plan
• Analyze SJR51 data to define areas of need
• Identify communication vehicles
• Promote COV Information Security:
 – Standards and Guidelines
 – Configuration Standards (CIS and NG)
 – Information Assurance Program
• Compliance with COV Information Security Standard (ITRM SEC501-01)
Data Analysis: Security Domains
Top 5 areas based on analysis of Security Domains:
1. SDLC Security
2. Software Change Mgmt
3. Monitoring & Logging
4. Standard Config.
5. Security Awareness Training

[Chart: APA SJR51 Checklist / All Agencies by Security Domain (103 agencies). Bar chart of % True vs. % False (y-axis 0% to 90%) per security domain: SDLC Security, Software Change Mgmt, Monitoring & Logging, Standard Config., Sec Aware Trng, Interfaces/Interoperability, Resource & Data Class., Asset Mgmt, Risk Assmt (RA), Change Mgmt, Incident Resp Proc. (IRP), Physical Access, Bus Impact Analysis (BIA), Authorization, Password Controls, IS Resp & Sep of ISO Role, Authentication, Info Assets Inventory, Disaster Rec Plng (DRP), Sec Mgmt Structure, Bus Continuity Plng.]
Analysis: Key Questions
Top 5 areas based on key questions:
1. Monitoring System?
2. Users required to authenticate?
3. Training Program?
4. Risk Assessment?
5. BIA?

[Chart: All Agencies in SJR51 Survey. Bar chart of True % vs. False % (y-axis 0% to 80%) for the Key SJR51 Questions: Monitoring System in place? Are users required to be authenticated? Training Program? Is there a Risk Assessment? Is there a BIA? Physical Safeguards in place? Are there password controls? Pol & pro for Logical Access? Is there an ISO? Is there a DRP? Is there a BCP?]
Communication Vehicles
• ISOAG Meetings
• AITR Meetings
• New ISO Orientation
• Information Security Council
• CAM Small Agency Council
• Leadership Communique
• SoTech Communications
Promote COV Information Security
• Proposed schedule for Guidelines

| Guideline | Publish on Web | Present at ISOAG Meeting |
|---|---|---|
| Data Protection Guideline | Mar-07 | Apr-07 |
| Logical Access Control Guideline | Mar-07 | Apr-07 |
| Contingency Planning Guideline | Mar-07 | Apr-07 |
| Threat Management Guideline | Apr-07 | May-07 |
| System Security Guideline | Jun-07 | Jul-07 |
| Personnel Security Guideline | Jul-07 | Aug-07 |
| IT Security Audit Guideline | Sep-07 | Oct-07 |
Configuration Standards
• Center for Internet Security (CIS) configuration standards adopted
• 1,037 Windows servers tested from 24 agencies
• Focus remediation efforts on top 6 failures:
 1. Interactive Logon Message
 2. Password History Enforced
 3. Account Lockout Duration Set
 4. Maximum Event Log Size Not Set
 5. Complex Passwords Not Set
 6. Minimum Password Length Not Set or Insufficient
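A checker for the six settings listed above, as an added example (not code from the slide deck or from VITA/NG): it parses a constructed export in the INF layout that `secedit /export /cfg <file>` writes and flags each item. The thresholds in the block are assumptions for illustration, not the CIS benchmark's own values.

```python
"""Check a Windows security-policy export against the six CIS items the
ISOAG slide lists as the most common failures.

Added example, not from the slide deck or from VITA/NG. Input is a
constructed sample in the INF layout written by `secedit /export /cfg`;
a real export is UTF-16LE, so open it with encoding="utf-16". The
thresholds are illustrative assumptions, not the CIS benchmark values.
"""
import configparser
from typing import List, Optional, Tuple

# Assumed thresholds (illustration only).
MIN_PASSWORD_LENGTH = 8
MIN_PASSWORD_HISTORY = 24
MIN_LOCKOUT_MINUTES = 15
MIN_SECURITY_LOG_KB = 81920
LOGON_TEXT_KEY = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
                  r"\Policies\System\LegalNoticeText")

# Constructed export of a weakly configured server (not a real host).
# LockoutDuration is deliberately absent: secedit omits it when lockout is off.
WEAK_EXPORT = r"""
[System Access]
MinimumPasswordLength = 6
PasswordHistorySize = 24
LockoutBadCount = 0
PasswordComplexity = 0
[Security Log]
MaximumLogSize = 16384
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
"""

# Constructed export of the same server after remediation.
HARDENED_EXPORT = r"""
[System Access]
MinimumPasswordLength = 14
PasswordHistorySize = 24
LockoutBadCount = 5
LockoutDuration = 30
PasswordComplexity = 1
[Security Log]
MaximumLogSize = 81920
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,Authorized use only
"""


def parse_export(text: str) -> configparser.ConfigParser:
    """Parse the INF text; keep key case (registry paths) and disable % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _int_setting(cp: configparser.ConfigParser, section: str, key: str) -> Optional[int]:
    """Integer value of section/key, or None when the section or key is absent."""
    value = cp.get(section, key, fallback=None)
    try:
        return int(value.strip()) if value is not None else None
    except ValueError:
        return None


def check_export(cp: configparser.ConfigParser) -> List[Tuple[str, bool, str]]:
    """Evaluate the six slide items; each tuple is (item, passed, detail)."""
    # Registry lines are "<type>,<data>"; an empty data part means no banner text.
    raw = cp.get("Registry Values", LOGON_TEXT_KEY, fallback="")
    banner = raw.split(",", 1)[1].strip() if "," in raw else ""
    history = _int_setting(cp, "System Access", "PasswordHistorySize")
    # -1 means "locked until an administrator unlocks", which also counts as set.
    lockout = _int_setting(cp, "System Access", "LockoutDuration")
    log_kb = _int_setting(cp, "Security Log", "MaximumLogSize")
    complexity = _int_setting(cp, "System Access", "PasswordComplexity")
    length = _int_setting(cp, "System Access", "MinimumPasswordLength")
    return [
        ("Interactive Logon Message", bool(banner), f"LegalNoticeText={banner!r}"),
        ("Password History Enforced",
         history is not None and history >= MIN_PASSWORD_HISTORY,
         f"PasswordHistorySize={history}"),
        ("Account Lockout Duration Set",
         lockout is not None and (lockout == -1 or lockout >= MIN_LOCKOUT_MINUTES),
         f"LockoutDuration={lockout}"),
        ("Maximum Event Log Size",
         log_kb is not None and log_kb >= MIN_SECURITY_LOG_KB,
         f"MaximumLogSize={log_kb} KB"),
        ("Complex Passwords", complexity == 1, f"PasswordComplexity={complexity}"),
        ("Minimum Password Length",
         length is not None and length >= MIN_PASSWORD_LENGTH,
         f"MinimumPasswordLength={length}"),
    ]


def failed_items(text: str) -> List[str]:
    """Names of the items a given export fails, in slide order."""
    return [item for item, passed, _ in check_export(parse_export(text)) if not passed]


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {label} ==")
        for item, passed, detail in check_export(parse_export(export)):
            print(f"{'PASS' if passed else 'FAIL'}  {item:<30} {detail}")
```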
NG Infrastructure Standards

| Standard | In Compliance | Working On Plan to Comply | Exception Submitted |
|---|---|---|---|
| Server Backup | 65 | 6 | 2 |
| Rotate Backup Tapes | 61 | 10 | 2 |
| User Passwords | 57 | 13 | 3 |
| Admin Passwords | 48 | 22 | 7 |
| OS Patches | 62 | 12 | 1 |
| Virus Patches | 65 | 11 | 1 |
| Test Server Restore | 33 | 21 | 25 |
| Network Monitoring Passwords | 62 | 13 | 2 |
| RAID Configuration | 40 | 32 | 2 |
| Enable Firewall on LT | 41 | 25 | 3 |
| Total | 63% | 19% | 6% |

• Currently meeting with SLDs individually on plans to bring agencies into compliance with standards
Information Assurance Program
• Collect information on sensitive systems
• Collect IT Security Audit Plans on sensitive systems
• Collect technical data on infrastructure
• Analyze current security controls
• Document recommendations, if any
• Provide letters of assurance to customer agencies
Compliance with Information Security Standard
• Designate ISO & backup ISO
• Perform BIA
• Inventory & classify IT systems and data
• Perform Risk Assessment for sensitive systems
• Require IT Security Audits for sensitive systems
• Document and exercise contingency/DR plans
• Implement security configuration standards
• Incorporate IT security requirements in SDLC of IT applications
• Document formal account management practices
• Define appropriate data protection practices
• Safeguard the physical facilities
• Establish access control, security awareness training and acceptable use policies for personnel security
• Prepare for response to IT security incidents
Recommendation #3
• The CIO & ITIB should consider supplementing the Commonwealth’s SEC 501 standard with the additional processes identified in this report.
• 15 processes identified
• Each process will be considered as the IT Security Standard is revised or as guidelines are published.
QUESTIONS
Agency Encryption Requirements Survey Results
2007 General Assembly Session
IT Legislation Update
Peggy Ward
Bills Failed
HB 1603S - Multiline telephone systems; owner or operator thereof ability to identify location from 9-1-1 call.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+HB1603S1
HB 2140/SB 1244 - Identity theft; notification of breach of information system.
http://leg1.state.va.us/cgibin/legp504.exe?071+sum+HB2140
http://leg1.state.va.us/cgibin/legp504.exe?071+sum+SB1224
HB 2306/SB 1342 - Public institutions of higher education; operational authority.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+sum+HB2306
http://leg1.state.va.us/cgi-bin/legp504.exe?071+sum+SB1342
HB 2870 - Cellular phones; encouraged to program w/ICE #’s
http://leg1.state.va.us/cgi-bin/legp504.exe?071+sum+HB2870
Bills Failed - Continued
HB 2973 - Unsolicited bulk electronic messages; changes scope of State's spam law.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+sum+HB2973
HB 3148 - Compromised Data Disclosure Act.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+sum+HB3148
SB 1123 - Auditor of Public Accounts; review security of governmental databases containing personal information.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+SB1123
Bills Passed
HB 1603S - Multiline telephone systems; owner or operator thereof ability to identify location from 9-1-1 call.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+HB1603S1
HB 1885 - Voice-over-Internet protocol service; revises definition.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+HB1885ER
HB 2196 - Chief Information Officer; powers and duties.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+HB2196ER
HB 2198 - Electronic health records; requires those purchased by state agency to adhere to accepted standard.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+HB2198ER
HB 2946 - Chief Information Officer; powers and duties; information technology recycling.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+HB2946ER
Bills Passed - Continued
SB 845 - State agencies; Chief Information Officer to develop policies, etc. relating to security data.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+sum+SB845
SB 1004 - Telecommuting; use of personal computers.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+SB1004ER
SB 1111 - Freedom of Information Act; closed meetings and security of public buildings.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+SB1111ER
HJ 587 - Internet Safety Month; designating as September 2007, and each succeeding year thereafter.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+HJ587E
SB 1004 – SUBSTITUTE!
Telecommuting; use of personal computers.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+SB1004ER
Telecommuting; use of personal computers. A. In accordance with the statewide telecommuting and alternative work schedule policy, to be developed by the Secretary of Administration pursuant to § 2.2-203.1, the head of each state agency shall establish a telecommuting and alternative work policy under which eligible employees of such agency may telecommute, participate in alternative work schedules, or both, to the maximum extent possible without diminished employee performance or service delivery. … The policy shall promote use of Commonwealth information technology assets where feasible but may allow for eligible employees to use computers, computing devices, or related electronic equipment not owned or leased by the Commonwealth to telecommute, if such use is technically and economically practical, and so long as such use meets information security standards as established by the Virginia Information Technologies Agency, or receives an exception from such standards approved by the CIO of the Commonwealth or his designee. The policy shall be updated periodically as necessary.
Patron: Devolites Davis
SB 1029 – SUBSTITUTE!
Chief Information Officer; to incorporate computer security into 4-year strategic plan.
http://leg1.state.va.us/cgi-bin/legp504.exe?071+ful+SB1029ER
Powers of the Chief Information Officer (CIO); information security. Requires the CIO of the Commonwealth to monitor trends in information security and incorporate computer security into the four-year strategic plan for information technology.
Patron: O'Brien
SB 1029 – SUBSTITUTE! (continued)
C. The CIO shall report to the Governor and General Assembly by December 2008 and annually thereafter, those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch and independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to the (i) Information Technology Investment Board, (ii) affected cabinet secretary, (iii) Governor, and (iv) Auditor of Public Accounts. Upon review of the security audit results in question, the Information Technology Investment Board may take action to suspend the public body's information technology projects pursuant to subdivision 3 of § 2.2-2458(3), limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor any other appropriate actions.
Patron: O'Brien
Other Business
Data Handling Standardization
• Work effort underway to provide standards for handling of data irrespective of form (electronic, paper, video, audio, etc.)
• First meeting was March 12
• Framework is in design & efforts of other states are being assessed.
• Freedom of Information Advisory Council was contacted.
Upcoming Events
Virginia Digital Government Summit
March 15, 2007 Richmond Marriott
http://www.govtech.net/events/index.php/VirginiaDGS2007
UPCOMING EVENTS! ISOAG MEETING DATES
Wednesday, April 25, 2007 9:00 - 12:00 @ TBD
Tentative Agenda Items:
• Executive Order 43 – Secretary Chopra
• Telework – Karen Jackson (to be invited)
• Remote Access – Chad Wirz
• Information Security Council – Peggy Ward
Any other Topics?
ADJOURN
THANK YOU FOR YOUR TIME AND
THOUGHTS!!!