
Page 1: Information Security Continuous Monitoring (ISCM)

Information Security

Continuous Monitoring

(ISCM)

Department of Information Resources (DIR), March 2019

As used in this document, “Deloitte” means Deloitte & Touche LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte & Touche LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

Page 2: Information Security Continuous Monitoring (ISCM)

Copyright © 2019 Deloitte Development LLC. All rights reserved.

Introduction to Information Security Continuous Monitoring (ISCM)

What?
Maintain ongoing awareness of information security, vulnerabilities, and threats to enable organizational risk management decisions:
• Collect information based on established metrics, utilizing information readily available in part through implemented security controls
• Analyze the data regularly (and as often as needed) to manage risk as appropriate for each organizational tier

Guiding Principles
National Institute of Standards and Technology (NIST)
• Special Publication (SP) 800-137 (“Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”)
• Special Publication (SP) 800-37 (“Risk Management Framework”) – core of ISCM
• Interagency Report (IR) 8011 (“Automation Support for Security Control Assessments”)

Benefits
Enables data-driven control of the organization’s cybersecurity posture through:
• Increased visibility into assets and awareness of vulnerabilities
• Improved and matured architectures, operational capabilities, and monitoring processes that accelerate response to threats and incidents
• Alignment to the threat landscape and the organization’s priorities through periodic revision of the ISCM strategy and program
• Prioritization of investments, resources and focus based on risk levels and posture
• Review and improvement of process efficiencies

Texas Regulations
Texas Administrative Code (TAC) 202 and House Bill 4214 (Draft)

Source: National Institute of Standards and Technology

Page 3: Information Security Continuous Monitoring (ISCM)


NIST Risk Management Framework – The Core of ISCM

PREPARE

Step 1 CATEGORIZE Information System: Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss.

Step 2 SELECT Security Controls: Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level.

Step 3 IMPLEMENT Security Controls: Enable the controls and describe how the controls are employed within the system and its environment of operation.

Step 4 ASSESS Security Controls: Determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes.

Step 5 AUTHORIZE Information System: Authorize the system or common controls based on a determination that the risk is acceptable.

Step 6 MONITOR Security Controls: Monitor the system and the associated controls on an ongoing basis and report the security and privacy posture.

Source: National Institute of Standards and Technology

Page 4: Information Security Continuous Monitoring (ISCM)


Organization-Wide ISCM and Risk Management Approach

TIER 1 – ORGANIZATION
Risk Tolerance / Governance / Policies / Strategy
• Define the organization’s risk management strategy, including how the organization plans to assess, respond to, and monitor risk, and the oversight required for an effective risk management strategy
• Make risk management decisions in support of governance

TIER 2 – MISSION/BUSINESS PROCESSES
Collection / Correlation / Analysis / Reporting
• Prioritize core mission/business processes in line with the overall goals and objectives
• Enable successful execution of the stated mission/business processes and the organization-wide information security program strategy

TIER 3 – INFORMATION SYSTEMS
Collection / Correlation / Analysis / Reporting
• Ensure system-level security controls are implemented correctly and operate as intended
• Produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time

Data and tools link each tier to the next.

Source: National Institute of Standards and Technology

Page 5: Information Security Continuous Monitoring (ISCM)


Building Blocks for ISCM Program

Foundation - Tools and Sensors
Capability areas: Assets, Identity, Network Security, Data Protection, Risk and Privacy
Tools and sensors shown: Devices, Network, Cloud, Endpoints, Users & Access, Priv. Users, Incident Response, Perimeter, Event Mgmt, Defense in depth, Ongoing Authorization, Threat Intelligence, Endpoint protection, Vulnerability Scans, Data Loss Prevention, Risk Register, Data disclosure, Config. Mgmt, Software, Data breach, eDiscovery, Anti-Virus & Malware, Patching

Collection and Integration
• Integrated Collection and Aggregation

Agency Level Operational Dashboard and Reporting

Enterprise Level Operational Dashboard and Reporting
• Enterprise and other agencies: Intelligence Sharing
• External sources: Intelligence Sharing
• Legislative Reporting
• Risk Scoring & Prioritization

Source: National Institute of Standards and Technology, and Department of Homeland Security
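The per-tier collection, correlation, analysis and reporting of the previous slide and the risk scoring and prioritization that feeds the agency dashboard here, as an added example (not part of the DIR/Deloitte deck): each system's sensor-observed state is compared with its authorized state in the style of NIST IR 8011, defects are counted per capability, and the results roll up from Tier 3 systems to Tier 2 processes to a Tier 1 agency view. System names, weights and sample data are constructed.

```python
"""Added ISCM illustration (not the deck's own code): compare each system's
sensor-reported actual state with its authorized desired state (IR 8011 style),
count defects per capability and roll Tier 3 results up to Tier 2 and Tier 1.
All system names, weights and sample data are constructed."""
from collections import defaultdict

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}  # constructed
CAPABILITY_WEIGHT = {"hwam": 5, "swam": 3, "csm": 2}                    # constructed

# Desired state: authorized hardware, software and configuration per system.
AUTHORIZED = {
    "hr-portal": {"hwam": {"srv-01", "srv-02"}, "swam": {"nginx 1.24", "openssl 3.0"},
                  "csm": {"ssh_root_login": "no", "tls_min": "1.2"}},
    "tax-api": {"hwam": {"srv-10"}, "swam": {"java 17"}, "csm": {"tls_min": "1.2"}},
}
# Actual state reported by sensors (asset discovery, software inventory,
# configuration checker, vulnerability scanner).
OBSERVED = {
    "hr-portal": {"hwam": {"srv-01", "srv-02", "srv-99"},      # srv-99 is unauthorized
                  "swam": {"nginx 1.24", "openssl 1.1"},        # wrong openssl version
                  "csm": {"ssh_root_login": "yes", "tls_min": "1.2"},
                  "vulns": ["high", "low"]},
    "tax-api": {"hwam": {"srv-10"}, "swam": {"java 17"}, "csm": {"tls_min": "1.2"}, "vulns": []},
}
SYSTEM_TO_PROCESS = {"hr-portal": "Human Resources", "tax-api": "Revenue Collection"}

def assess_system(name):
    """Tier 3: defect count per capability plus a weighted risk score."""
    want, have = AUTHORIZED[name], OBSERVED[name]
    defects = {
        "hwam": len(want["hwam"] ^ have["hwam"]),  # unauthorized or missing devices
        "swam": len(want["swam"] ^ have["swam"]),  # unauthorized or missing software
        "csm": sum(have["csm"].get(k) != v for k, v in want["csm"].items()),
        "vuln": len(have["vulns"]),
    }
    score = sum(defects[c] * w for c, w in CAPABILITY_WEIGHT.items())
    score += sum(SEVERITY_WEIGHT[s] for s in have["vulns"])
    return {"defects": defects, "risk_score": score}

def roll_up():
    """Tier 2 (per mission/business process) and Tier 1 (agency) dashboard views."""
    systems = {n: assess_system(n) for n in AUTHORIZED}
    processes = defaultdict(lambda: {"defects": 0, "risk_score": 0})
    for n, r in systems.items():
        proc = processes[SYSTEM_TO_PROCESS[n]]
        proc["defects"] += sum(r["defects"].values())
        proc["risk_score"] += r["risk_score"]
    agency = {"risk_score": sum(p["risk_score"] for p in processes.values()),
              "top_priority": max(processes, key=lambda p: processes[p]["risk_score"])}
    return systems, dict(processes), agency
```

Calling roll_up() returns the three tier views in order, which is what an agency-level dashboard would render per process and what the enterprise dashboard would aggregate across agencies.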

Page 6: Information Security Continuous Monitoring (ISCM)


Typical Roadmap (Year 1 through Year 4, by quarter)

Establish the program:
• Establish an ISCM workgroup
• Approve ISCM Technical Architecture
• Identify ISCM Metrics
• Establish strategy and roadmap
• Publish policies (local and enterprise)
• Develop Operational Architecture
• ISCM Skills, Knowledge, and Resources
• Start development of ISCM Training Materials
• Develop an ISCM Communications Plan
• Identify and Develop Requirements (e.g., required metrics for external reporting, frequency, etc.) to Advance the ISCM Program’s Maturity
• Identify ISCM-specific Dashboard Requirements
• Complete ISCM Policy Updates
• Determine requirements to Integrate with enterprise

Implement Strategy to Advance the ISCM Program’s Maturity, integrating the tool and sensor layers in sequence (each step also publishes the ISCM Dashboard at agency level and starts, then continues, integration with enterprise):
• Complete agency integration of assets layer; Finalize Standard Operating Procedures (SOPs)
• Complete agency integration of network security layer
• Complete agency integration of data protection layer; Complete ISCM training materials
• Complete agency integration of risk and privacy layer; Prepare to integrate ongoing authorizations (authority to operate)
• Start agency integration of identity layer; Operationalize pilot for ongoing authorizations (authority to operate)
• Pilot agency integration of identity layer; Rollout enterprise ongoing authorizations (authority to operate)
• Continue agency integration of identity layer; Rollout enterprise ongoing authorizations (authority to operate)

Year 4, each quarter: Continue to expand integration

Page 7: Information Security Continuous Monitoring (ISCM)


Expectations of House Bill 4214 (Draft) – Agency Role

(b) Each state agency shall:

(1) Develop and maintain an information security continuous monitoring program that:

A. Allows the agency to maintain ongoing awareness of the security and vulnerabilities of and threats to the agency's information resources

B. Provides a clear understanding of organizational risk and helps the agency set priorities and manage the risk consistently

C. Addresses how the agency conducts ongoing authorizations of information resources technologies and the environments in which those technologies operate, including the agency's use of common controls

D. Aligns with the continuous monitoring guidance, cybersecurity framework, and risk management framework published in NIST Special Publications 800-137 and 800-53

E. Addresses critical security controls, including hardware asset management, software asset management, configuration management, and vulnerability management

F. Requires the integration of cybersecurity products

(2) Establish a strategy and plan to implement a program for the agency

(3) To the extent practicable, establish information security continuous monitoring as an agency-wide solution and deploy enterprise information security continuous monitoring products and services

(4) Submit specified security-related information to the dashboard established under Subsection (c)(3)

(5) Evaluate and upgrade information resources technologies and deploy new products, including agency and component information security continuous monitoring dashboards, as necessary to support information security continuous monitoring and the need to submit security-related information requested by the department

(6) Require that external service providers hosting state information meet state information security requirements for information security continuous monitoring

(7) Ensure the agency has adequate staff with the necessary training to meet the objectives of the program

Page 8: Information Security Continuous Monitoring (ISCM)


Expectations of House Bill 4214 (Draft) – DIR Role

(c) The department shall:

(1) oversee the implementation of this section by each state agency

(2) monitor and assist each state agency in implementation of a program and related strategies

(3) establish a statewide dashboard for information security continuous monitoring that provides:

A. a government-wide view of information security continuous monitoring; and

B. technical specifications and guidance for state agencies on the requirements for submitting information for purposes of the dashboard.

Page 9: Information Security Continuous Monitoring (ISCM)


Fiscal impact considerations

Building blocks: Tools and Sensors; Collection and Integration; Agency Level Operational Dashboard and Reporting; Enterprise Level Operational Dashboard and Reporting

Key components for fiscal impact:
• Log aggregators and SIEM; Configuration, analysis and monitoring services
• Business analytics tools; Configuration, analysis and monitoring services
• Tools and services not currently available to agencies

Page 10: Information Security Continuous Monitoring (ISCM)


Example Dashboard

Page 11: Information Security Continuous Monitoring (ISCM)


Please reach out to DIR Security for [email protected]

Page 12: Information Security Continuous Monitoring (ISCM)

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2019 Deloitte Development LLC. All rights reserved.