Oregon Fire Service Conference Enterprise Security Office Update October 26, 2018

Oregon Fire Service Conference

Enterprise Security Office Update

October 26, 2018

State CIO Update

Terrence Woods – Interim State CIO

Slide presented at August OAGTIM

Information Security

1. Unifying Enterprise Security Operations. Unifying cybersecurity to improve customer service for Oregonians while ensuring those systems are secure, resilient and ready for the future.

2. Cybersecurity Center of Excellence. Building a long-term multi-sector strategy that leverages the private-sector expertise of Oregon’s Cyber-related industries to protect the digital lives of all Oregonians

Unify cybersecurity to improve customer service for Oregonians while ensuring those systems are secure and resilient

Enterprise Security Strategy

Roadmap & Execution

2017-19 Biennium

2017 2018 2019

• Positions (35) moved by HR to DAS/ESO

• All existing staff (14) moved to new roles in ESO

• Vacancies prepared for recruitment

• Deputy CISO hired

• Security risk governance foundation defined

• Security shared services catalog

• Plan for unified execution

• Agency minimum security requirements

• Unified enterprise security plan

• System security requirements for IT governance

• Key vacancies filled (10)

• Refresh security policy

• IT security rule making (update of OAR 125-800)

• Publish quarterly report cards

• Initiate 5-year planning

• Establish enterprise security board under ELT/EITG

• Finish staffing to plan (13)

• Independent review of program against best practice

• Independent technical assessment of State network

• Survey agency leaders on program quality & effectiveness

• Establish 2019-21 objectives

• Publish 5-year plan

Form new ESO, Ops review, Start on governance

Establish shared services, publish enterprise plan, staff team

Rule & Policy updates, metrics & reporting, 5-year planning

Evaluate, course correct as needed, 2019-21 planning

Developing a post SB-90 Update

State CISO Guidance

• Near term implementation (1 July 2018-30 June 2019) of SB 90 and Enterprise Security Strategic Objectives

• Build on work of the Executive Order 16-13 Steering Group

• Set Realistic and Achievable Targets

• Security becomes part of DNA of the State of Oregon

• ESO is a trusted partner and advisor

• State Leadership and Agencies know value of ESO offerings

• Mid-Biennium Service Update released July 1

• Statewide Information Security Plan released August 8 (Gap Analysis due Oct 31)

• System Security Plan

Key Elements & Update Structure

Key Elements

• Center for Internet Security (CIS) v7 “Basic 6”—State baseline and what Agencies “must do”

• Regulated data is accounted for

• Offerings are grouped into “Security Operations” and “Security Enabling” areas

• State of Oregon 5-Year Cybersecurity Strategy—To be Developed collaboratively

Structure

• Background and Overview

• Rule Making (OAR 125.800)

• Operations

• Enabling

• Metrics

• Looking Ahead—Investments from PoP

• 5-Year Cybersecurity Strategy for the State of Oregon

Near Term Initiatives

Outreach

• State Government

• Large Agencies

• Mid-Size Agencies

• Small ABC’s

• Oregon

• Municipalities

• Education Districts

• Private Sector

• Critical Infrastructure

Resources

• ESO/State Counterparts

• MS-ISAC/US DHS/CIS

Planning

• State of Oregon 5-Year Cybersecurity Strategy

• Define Governance

• Identify major cybersecurity Initiatives

• CIS Basic 6 Controls a focus

• Increasing SOC visibility

• Something big the State can agree to

Statewide Security Community

Public-private cybersecurity collaboration to help all Oregonians

Oregon Cybersecurity Advisory Council

• Actively engaging wide community in workgroups focused on education, workforce, technology, information sharing & outreach

Oregon Cybersecurity Awareness

• Six major community events across Oregon in 2018

• Five high school NW Cyber Camps conducted across Oregon

• CyberOregon website launched: 800-850 visitors/month & growing

Oregon Cybersecurity Research

• Research on security needs across Oregon, public & private

• Top ask – workforce development

• Consistent interest & need for services of a Center of Excellence

[email protected] https://www.cyberoregon.com

Basecamp Overview

Basecamp is an IT Supply Chain Management Program Co-Sponsored by the Office of the State Chief Information Officer (OSCIO) and DAS Procurement Services.

We are committed to:

• Making business oriented decisions

• Taking innovative approaches

• Planning strategically

• Embracing transparency

• Driving value

• Avoiding risk to our partners

• Engaging in nimble contracting

• Supporting public stewardship

Basecamp Overview

Helping you get the IT you need:

• Save you time: no need for a Lengthy procurement process

• Save you resources: Save on Procurement and IT staff hours

• Vendor Management Provided: Performance is centrally managed

• We Leveraged Expertise: Multi-organization contributions

• Support Purchaser Community: Find other purchasing organizations

• Interoperability: Products and Services can integrate

www.Oregon.gov/Basecamp

Basecamp offerings

Need Cyber Security Services?

• 8 Vetted Vendors

• Full Cyber Security Services

• Risk Assessments

• Training

• Monitoring & Detecting

• Response & Recovery Planning

• Incident Response

• And More

www.Oregon.gov/Basecamp

Basecamp offerings

Cyber Security, Everything you need to get started

Buyers Guide

• Service Matrix

• Selection Process

• Consultant link

• General information

http://www.oregon.gov/das/procurement/guiddoc/BuyersGuideITSecurityServices.docx

How to Access Products & Services

Oregon Cooperative Procurement Program (ORCPP)

Cooperative Agreements:

• 50+ Fire Districts are members

• 340+ Goods and Services available: vehicles, Radios, Tires and Office Supplies

• No Fee to join: ($3 million budgets and under)

For more information contact: [email protected]

www.oregon.gov/das/Procurement/Pages/Orcpp.aspx

How to Find more Products & Services

https://www.oregon.gov/basecamp/Pages/IT-Catalog.aspx

Basecamp’s IT Catalog provides a quick link to the Award Summary Page basic document set.

• Find all Basecamp Statewide agreements

• Search, Sort and Filter

• Links to Procurement info

• Find purchaser data

Contact Basecamp with Questions

CONTRACT ADMINISTRATOR

DAS PS – Lori Nordlien, IT Procurement Strategist

Phone: (503) 378-6781

Email: [email protected]

VENDOR MANAGER

DAS OSCIO – Jason Rood, Strategic Sourcing Specialist

Phone: (503) 383-6291

Email: [email protected]

Get in touch with ESO:

General questions: [email protected]

SOC/Incidents: [email protected]

Malicious Hotline: 503-378-5930