Erik Avakian, CISSP, CISA, CISM
Chief Information Security Officer, Commonwealth of Pennsylvania
eavakian@pa.gov
The Core Security Services Taxonomy
Commonwealth of Pennsylvania
But first… some background information before we dive in.
Just how did we get here?
2010 Deloitte/NASCIO Study
• Deloitte-NASCIO Joint Cybersecurity Study kicked off in 2010
• Consisted of a survey targeting U.S. state enterprise-level CISOs, with additional input from agency CISOs and security staff
• High participation: 49 of the 50 states responding
2010 Deloitte/NASCIO Study
Five Main Joint Study Areas of Focus:
• IT Security Governance
• Security Strategy
• Budget (Investments and use of Security technologies)
• Internal, External Threats
• Security of Third Party Providers
Key Findings
2010 Study - Key Findings
IT Security Governance
• Cyber Security Governance in the public space is lacking
Security Strategy
• States had the strategic plans. However, the survey data revealed significant challenges in the execution
2010 Study - Key Findings
Budget
• State IT Security functions were significantly underfunded
• Not only that - Security budgets were in a dangerous downward trend, aggravated by economic conditions and competing state priorities
2010 Study - Key Findings
Third-Party Providers
• States must enforce better third-party security
Internal and External Threats
• States store enormous amounts of citizens’ PII
• These “pots of gold” must be protected while potential threats to that data increase
2010 Study - Key Findings
Internal and External Threats on the Rise
• States needed to do more to secure citizen data and maintain public trust
• State and local governments needed to implement tougher security safeguards, thwart these threats, and be ready to respond when an attack occurs
2010 Study - Key Findings
Overall Theme
• States lacked the appropriate funding for security programs and strategies (and asking for new funding just wasn’t working)
• Significant diversity in security postures existed between the states
• Service Offerings were lacking to combat threats
Let’s examine some of the real-world cyber-related events that have transpired since the 2010 survey
Emerging Threat Landscape
In 2011 alone…
• 25 million new strains of malware (including new threats and variants)
• Number of malicious websites more than doubled from the previous year
• More than 11 million records nationwide were involved in data breaches – and numbers continued to grow
Emerging Threat Landscape (image slides 13–19)
Hacktivism - Defacement (image slides 20–21)
Hacktivism – Data Theft/DDOS (image slide 22)
Malware and Botnets (image slide 23)
Social Engineering Attacks
Phishing: How Severe is the Threat?
• 73 million U.S. adults received more than 50 phishing e-mails a year in 2011 alone – trend increasing!
• Financial losses by the end of 2012 expected to reach upwards of 5 billion.
Advanced Persistent Threats (image slide 25)
Fast Forward to Present Day
Present Day Attacks (image slides 27–28)
Present Day Attacks
What The Bad Guys (Still) Want
• Organizational, proprietary, financial, and sensitive private information for identity theft or to sell it for big $$$$.
• Competitive advantage from disruption of operations (DDOS)
• National pride or political message
Challenges states and other orgs face
Asymmetric Cyber Battle
Attack
• Low barrier of entry
• Low cost
• From anywhere
• High probability of success
• Low probability of getting caught
Defend
• Huge effort
• High cost
• Identified targets
• High probability of being compromised
• Little or no recourse
2010 Study Findings
Action Items
• The 2010 Joint Study results led to several key action items for states to help identify and mitigate present day and future cyber security risk
• Among those were key items prompting development of the Core Security Services Taxonomy
2010 Study Findings
…“Though there is no mandated state compliance platform to drive consistent security programs, adopting an understood, comprehensive, and repeatable framework state-wide will enable improved alignment between state agencies and business, technology, and security leaders.”*
A Call to Action
A Call to Action
Joint Study Follow-up:
• Feb ’11: NASCIO asks state CIOs to respond to the growing threats, fiscal constraints, and security requirements for protecting critical state data and operational capacity.
• November ’11: the NASCIO Security & Privacy Committee completes the core security services taxonomy to enhance State CIOs’ and CISOs’ ability to assess risks and better understand resource requirements
Overview: Core Security Services Taxonomy
Core Security Services
What are the core security services?
• A common vocabulary for describing security services that must be provided to meet the requirements of security standards frameworks defined by various standards bodies
• A common set of security services that ALL states should have, provide, or acquire to ensure appropriate levels of protection for state data assets and operational capabilities
Core Security Services
Divides security services into two main categories:
1. Governance, Risk, Compliance Services (GRC)
2. Operational Security Services
Under the 2 primary categories are 12 sub-categories
Core Service Categories (image slides 38–39)
Core Security Services
Identifying Criteria
• List is inclusive, so that every IT security-related function performed by a state IT security program is included or nests under one of the sub-category headings
• Items representative of all functions that need to be performed by an IT organization to ensure adequate information security and risk assessment is in place
Core Security Services
Identifying Criteria
• Services focus on what needs to be done – not on who needs to do it
• Services could be outsourced, internal, or a hybrid of the two
• Not all functions have to report to the CISO. (This helps ensure separation of duties between compliance and operations)
Common Questions
• How can I convince management this year that we really need funding for this new security tool?
• Why doesn’t management understand cyber security funding?
Common Questions
• Is my state’s security spend in line with industry best practices?
• How do my investments compare with other states?
• Is the right mix of services in my security portfolio?
Taxonomy Goals
• Help CIOs and other government leaders understand what needs to be done by identifying key services, key outcomes, and tools
• Provide a common framework for financial comparisons down the road
Taxonomy Goals
Promoting Understandability
• Target audience: CIOs and other executives
• Consistent format to describe each security service
• Use simple terms without jargon
Methodology
Let’s take a Closer Look
• We’ll examine a key service, the key outcomes, and tools used
• We’ll focus on one example service category – but this can be applied to any
Service Categories - Example (image slide 49)
Service Categories - Example
Secure System Engineering
Service Description: Designing appropriate security controls in new systems or systems that are undergoing substantial redesign, including both in-house and outsourced solutions
Key Outcomes from Activities
Secure System Engineering
• Integrate security design requirements in the SDLC
• Participate as a security consultant on significant technology projects
• Assist with the creation of system security plans, outlining key controls to address risks
• Assist with creation of residual risk documentation for management acceptance
Key Outcomes from Activities
Secure System Engineering
• Integrate security requirements into contracts for outsourced services
• Assist with the creation of information security policies, standards, procedures, and guidelines
• Assist with the creation of secure configuration standards for hardware, software, and network devices
Tools to Implement
Secure System Engineering
• Standardized system security planning templates
• Governance, risk, and compliance software
• Various operational and application security tools
• Best practice frameworks for the management of IT, such as ITIL
PA’s Taxonomy Implementation
Commonwealth of Pennsylvania - Cyber Security Taxonomy Implementation
Initial Maturity Assessment: The 2012 Deloitte/NASCIO Cybersecurity Study
2012 Deloitte/NASCIO Cyber Study (image slides 56–62)
Methodology in accordance with ISACA COBIT 4.1
Benefits
Agreeing upon, using & describing a set of essential core services creates significant opportunities and benefits for state IT leaders
Benefits
• Identifies the services that are ideally performed centrally versus those which are distributed
• Creates a common vocabulary in decentralized environments across lines of agency authority and allows better assessment of the total costs being expended to fulfill the service requirement
• Creates a real method for CISOs to assess their programs against those of other states
Benefits
• Can be used as states move to use of cloud computing services to ensure that security requirements are well articulated and understood
• Assists state leaders in making informed decisions related to cyber security threats, risks, programs, and strategies
• Finally – it provides a way to demonstrate real funding needs based on maturity levels
Benefits
Uses of the Taxonomy
• From an auditing standpoint, if states are making strides in maturing the taxonomy service areas, this closes compliance gaps, reduces real risk, and identifies residual real risk
• Much easier for the organization to demonstrate compliance by ensuring these service areas are covered properly
Mid-Year Wrap Up
Q & A from the NASCIO Midyear
1) Are there any specific areas in the taxonomy that you feel that the states are in most need of help? If so, what are they?
2) Are there certain service area items within the taxonomy that absolutely must report to the CISO?
Mid-Year Wrap Up
Q & A from the NASCIO Midyear
3) Where does Application Security fit into the model?
4) Resources are limited. States are being asked to do more with less. What if a state organization simply doesn’t have enough human resources to allocate to all the parts of the taxonomy?
What’s Next?
Next Steps:
• Results from the 2012 Deloitte/NASCIO Cyber Security review to be released during the 2012 NASCIO Annual conference in mid October
• Results will be an important step to identifying initial maturity baselines for states - where they are and in what areas they need to improve to stay ahead of the cyber threat landscape
Resources and References
• The 2010 Deloitte-NASCIO Cyber Security Study*: http://www.nascio.org/publications/documents/Deloitte-NASCIOCybersecurityStudy2010.PDF
• The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs*: http://www.nascio.org/publications/documents/NASCIO_CoreSecuritySevices.pdf
Thank You!
Questions?
Erik Avakian, CISSP, CISA, CISM
Chief Information Security Officer, Commonwealth of Pennsylvania