SlideShare una empresa de Scribd logo

Enterprise security strategic_plan

wardell henley
wardell henley

Enterprise security strategic plan approach

Tecnología
1 de 14
Descargar para leer sin conexión
State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 – 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council
State of Minnesota Enterprise Security Strategic Plan Contents EXECUTIVE SUMMARY ................................................................................................ 2 CHAPTER 1 - INTRODUCTION ..................................................................................... 3 STAKEHOLDERS............................................................................................................. 4 PLAN NAVIGATION ......................................................................................................... 5 GOVERNANCE ................................................................................................................ 6 CHAPTER 2 - MISSION AND UNDERLYING CORE VALUES ..................................... 7 CHAPTER 3 - STRATEGIC OUTCOMES ...................................................................... 8 CHAPTER 4 - KEY INITIATIVES.................................................................................. 10 Page 1
Executive Summary We are pleased to present the first Enterprise Security Strategic Plan for the State of Minnesota. This plan sets priorities for management, control, and protection of the state’s information assets. The 5 year vision includes 19 high-level strategic objectives (see chapter 3), grouped into the following 3 categories: Improved situational awareness, which includes continuous system monitoring and continuous assessment of controls Proactive risk management, such as solidly articulated requirements and ongoing security training Robust crisis and security incident management, which allows critical services to continue uninterrupted in a crisis. This plan also outlines 8 key initiatives (see chapter 4) that have been prioritized for delivery during the ensuring 2 years: Security Information and Event Management: provide enterprise-wide security monitoring Enterprise Vulnerability and Threat Management: provide ongoing vulnerability assessments of all information technology assets Baseline Policies, Procedures, and Standards: complete enterprise security policy and standard framework Security Awareness for Employees: ongoing and comprehensive security awareness program for all state employees Security Awareness for Government Leaders: annual security awareness event for government leaders and policymakers Identity and Access Management: centralized and streamlined access control solution for state government Enterprise Business Continuity Program: ongoing continuity program to address unanticipated disruptions to government services Enterprise Security Incident Management: enterprise-wide approach to record, identify, and manage information security incidents Strong executive commitment and support are crucial to the implementation of this plan. We ask that you, as government leaders and policymakers, commit to partner with us in effective problem solving, and be our champions at the highest levels. Successful implementation will ensure information is both protected and available, and that critical government services are available when needed. Page 2
Chapter 1 - Introduction The State of Minnesota recognizes that information is a critical asset. How information is managed, controlled, and protected has a significant impact on the delivery of state services and on the trust instilled in the users of those services. Information assets, including those held in trust, must be protected from unauthorized disclosure, theft, loss, destruction, and alteration. Information assets must be available when needed, particularly during emergencies and times of crisis. The State of Minnesota’s decentralized information technology environment is inherently difficult to secure. Most state agencies still operate their own data centers. Furthermore, the state has not defined or enforced standards limiting the diversity of hardware and software products. In testimony, the Legislative Auditor pointed to undue complexity as a primary factor for the large number of information security audit findings. Current data center consolidation initiatives will simplify the state’s information technology environment, making it easier to secure. However, data center consolidation plans are complex and take many years to implement. The rapidly expanding use of the internet has increased the need for connectivity between government entities, third parties, and users of state services. This increase in connectivity has increased the state’s risk posture and made it more difficult to protect information. Cyber crime has skyrocketed over the past few years, shifting from crimes of notoriety to far more serious crimes for financial gain. Attackers have become much more sophisticated in perpetrating and concealing cyber crimes, typically operating in stealth mode with a goal of avoiding detection altogether. This document is the first enterprise-wide information security strategic plan for the State of Minnesota. It sets priorities for how the enterprise can efficiently and effectively address the management, control, and protection of the state’s information assets. It outlines the state’s security community’s five year vision, articulated as 19 high-level Strategic Objectives, grouped into three categories. There are significant gaps between where the state’s security community is today and the five year vision. The importance of the strategic objectives was assessed, prioritizing the gaps. The results of this assessment are summarized as Key Initiatives; a two year strategic plan. A set of business and tactical plans detailing the deliverables necessary to achieve the key initiatives are maintained separately. Page 3
Figure 1 As depicted in Figure 1, this plan attempts Security Strategy Alignment to align information security strategic objectives with broader government technology and business strategies. When developing this plan, the strategies outlined in the State of Minnesota Information Security Strategies Technology Master Plan and the 2005 Drive to Excellence Transformation Roadmap Information Technology were incorporated. Strategies Major Government This plan incorporates core information Business Initiatives security requirements that must be in place to accomplish major government initiatives Global Trends efficiently and effectively. These initiatives include data center consolidation and the development of major government business applications, such as the new accounting and procurement system, and centralized electronic licensing. Finally, this plan incorporates global trends, such as: • More stringent regulatory requirements pertaining to information security • Increasing sophistication of criminals and politically motivated attackers • New demands to access data and services through web applications and mobile devices (i.e., laptops, mobile-phones) • New demands to share data across multiple organizations • Intense pressure to reduce costs • A shift from long-term employees to a more temporary and mobile workforce • The expanding use of software as a service Figure 2 Stakeholders Strategic Plan Primary Stakeholders Government leaders and policymakers are the primary Government Leaders audience of this plan. From an information security perspective, they need to know the current state, the future vision, and the task necessary to bridge the Enterprise gap. Achieving the strategic Security Strategic objectives will not be possible Plan without strong executive Security Users of Community Services Page 4
commitment. Government leaders and policymakers must understand and have confidence in this plan. They must become problem-solving partners by committing resources and helping to remove barriers that impede progress. The security community itself is also a key audience of this plan. In the past, each government entity was forced to address information security issues on its own. This approach has fostered an environment where critical security duties are simply not done at many government entities. By joining forces to establish a common vision, the security community can ensure that all entities have appropriate information security controls, and can deploy those controls cost effectively. Finally, business partners and citizens – the end users of government services – have a vested interest in the success of this plan. End users of government services need to have complete confidence that government entities will protect their data from unauthorized disclosure. End users must be confident that critical government services will be available when needed, particularly during times of crisis. Developing this plan demonstrates due diligence to the people and businesses who rely on government services. Plan Navigation The plan is organized into three sections: • Chapter 2 – Mission and Underlying Core Values discusses the mission of the Enterprise Security Program, as defined by the security community. It also outlines the core values of a security program necessary to drive the strategic security outcomes in this document. • Chapter 3 – Strategic Outcomes lists the 19 high-level objectives for the State of Minnesota, segregated into three broad categories: Improved Situational Awareness, Robust Crisis and Security Incident Management, and Proactive Risk Management. • Chapter 4 – Key Initiatives discusses the highest-priority projects that the security community hopes to accomplish during the current biennium. Additional details concerning these projects can be seen in the separate Enterprise Security Tactical Plan. Page 5
Governance The State Chief Information Security Officer will lead the effort to deliver the objectives in this plan. To be successful, the State Chief Information Security Officer must align and coordinate agency resources with those in Enterprise Security Office, a part of the Office of Enterprise Technology. Furthermore, these coordinated security efforts must be vetted by all impacted stakeholders through an agreed upon governance process. Though the governance process is still evolving, current stakeholders that participate in the decision-making process include: • State Chief Information Officer. Under state law, the State Chief Information Officer is responsible for the overall management, direction, and security of the state’s information assets. • State Chief Information Security Officer. The State Chief Information Security Officer has delegated authority and is responsible for planning, developing, and deploying the Enterprise Security Program. • Information Security Council. Agency security professionals who comprise the council serve as advisors to the State Chief Information Security Officer. These professionals are responsible for helping develop the enterprise-wide security strategies. They help craft the policies, standards, and systems to achieve the strategic objectives. • Chief Information Officer Advisory Council. This council represents the government technology community as a whole. It is responsible for making sure that security efforts align with and support broader government technology and business initiatives. • Commissioners Technology Advisory Board. This board represents leaders at the highest level in state government, ensuring buy-in and support for enterprise-wide projects and security efforts. Page 6
Chapter 2 – Mission and Underlying Core Values The State of Minnesota’s Enterprise Security Program began in June 2006 with the hiring of the first Chief Information Security Officer in the Office of Enterprise Technology. To advance enterprise security, the Chief Information Security Officer promptly established the Information Security Council, an advisory body to help plan, develop, and implement the new program. With help from the Information Security Council, the Chief Information Security Officer worked to create the following mission for the Enterprise Security Program: “The Enterprise Security Program exists to support the efficient delivery of services to government entities and their customers; through a sustainable information security program. The program will accomplish its mission through enterprise information security policies, standards, guidelines, and services that protect the state’s information assets and the security interests of the users of state services.” The security community also agreed on eight core values as a foundation for the new Enterprise Security Program. The program must: • have an increased focus on security planning activities. • be comprehensive, clearly outlining the baseline requirements that all agencies must follow. • ensure that important security decisions are made by people best suited to make those decisions. • have broad-based support from people who will be expected to implement the provisions. • be championed by government leaders at the highest levels. • be supported by appropriate resources, including technical tools, training, and people. • take advantage of the size of government to leverage financial and human resources to be cost effective. • include methods to ensure compliance with baseline security requirements. With this foundation in place, the security community began the difficult task of defining, vetting, and prioritizing long-term security strategies for the State of Minnesota. The result of this effort can be seen in the following chapter. Page 7
Chapter 3 - Strategic Outcomes The high-level strategies outlined in this chapter collectively define where the State of Minnesota needs to be to appropriately manage cyber security risks. The security community believes that it will take at least five years to achieve these strategic outcomes, assuming that there will be sufficient resources for people, processes, and tools. Absent the necessary resources, the strategic outcomes will not change, however, the timeframe to achieve the outcomes will be extended. The strategic outcomes can be classified into three broad categories: • Improved Situational Awareness (Table 1) – Outcomes in this category will help the state obtain a better understanding of its risk posture. They also will give the state the ability to measure its risk posture with rigorous performance metrics. • Proactive Risk Management (Table 2) – Outcomes in this category will make employees and government leaders more aware of security threats. Also, they will garner the executive support needed for Enterprise Security Program to thrive long-term. Finally, they include various types of preventive controls. • Robust Crisis and Security Incident Management (Table 3) – Outcomes in this category will help the state manage security events more efficiently and effectively, thereby minimizing damage. Table 1 Improved Situational Awareness Current Biennium Strategic Outcome Description Priority All state computer systems are continuously monitored for adverse Yes information security events. Information security controls are continuously assessed for effectiveness. Key performance indicators are used to measure the information security program’s effectiveness. The state has a consolidated and reportable information security risk profile. Page 8
Table 2 Proactive Risk Management Current Biennium Strategic Outcome Description Priority Government leaders at the highest levels understand and support the Yes information security program. All state employees receive ongoing security training appropriate to their Yes job duties. Information security program requirements are clearly articulated in a Yes framework of policies, procedures, and standards. Established relationships between state, local, and federal government entities permit shared security solutions that span traditional parochial boundaries. Stakeholders participate in the design and implementation of information security solutions. The state attracts, develops, and retains professionals with the appropriate security skills. Exploitable technical vulnerabilities in state computer systems are Yes promptly identified and remediated. Information security controls adapt rapidly to changing risk conditions. People and entities that conduct business with state government have Yes appropriate and timely access to the necessary computer resources and data. State computer resources and data are protected from being used or Yes accessed inappropriately. Government entities comply with the information security program and other externally mandated compliance requirements. Government entities, regardless of size, are supported by security professionals and engaged in the information security program. The Office of Enterprise Technology serves as a leader by setting high Yes standards for excellence in information security. Table 3 Robust Crisis and Security Incident Management Current Biennium Strategic Outcome Description Priority When information security incidents occur, government entities promptly Yes contain, remediate, and manage those incidents. Mission-critical services will continue in the event of a crisis. Yes Page 9
Chapter 4 - Key Initiatives The Enterprise Security Office and the Information Security Council identified certain security outcomes and specific projects as “high priority.” In general, these are areas where our current security controls are lax or have not been applied consistently across the enterprise, resulting in an unacceptable level of risk. In many cases, the security community has developed formal projects to address pressing concerns. In others, security projects are still in the planning stages. This chapter outlines security projects that the security community believes are high priority. It is not a complete inventory of the work being done by the security community. Rather, it is list of a key initiatives that are planned or are currently under way to address the most pressing risks. Additional details about each key initiative can be found in the Enterprise Security Tactical Plan. It is important to demonstrate the linkage between Figure 3 key initiatives, long-term strategic outcomes, and Linking Key Initiatives to Outcomes the broader strategic outcome categories. Broad Outcome Category Therefore, included with each key initiative in this chapter is a graphic. Figure 3 illustrates the one- Specific Strategic Outcome to-many relationship between broad strategic outcome categories, specific strategic outcomes, Key Initiative and key initiatives. Initiative #1 – Security Information and Event Management Description: Central system to provide enterprise- Improved Situational Awareness wide security monitoring Key Benefits: • Improved ability to identify complex All state computer systems are continuously monitored for cyber attacks adverse information security • Reduced time and cost to events investigate security incidents • Consistent and robust monitoring of Security Information and Event all agencies, including those with Management Project limited resources Page 10
Initiative #2 – Enterprise Vulnerability and Threat Management Description: Central system to provide ongoing Proactive Risk Management vulnerability assessments of all information technology assets Key Benefits: • State finds and remediates Exploitable technical problems before they are exploited vulnerabilities in state computer systems are promptly identified by hackers and remediated • Inventory created of all technology assets • Services offered to all agencies, Enterprise Vulnerability and Threat Management Project including those with limited resources Initiative #3 – Baseline Policies, Procedures, and Standards Description: Complete enterprise security policy and Proactive Risk Management standard framework Key Benefits: • Clear security baselines for all Security program requirements government entities are clearly articulated in a framework of policies, • Policy-based foundation to procedures, and standards measure results • Consistent application of security controls across the enterprise Baseline Policies, Procedures, and Standards Initiative #4 – Security Awareness for Employees Proactive Risk Management Description: Ongoing and comprehensive security awareness program for all state employees Key Benefits: • Better awareness of security All state employees receive on- threats capable of impacting going security training that is commensurate with their job government operations • Fewer security incidents caused by employee mistakes Employee Security Awareness • Common baseline of knowledge for Program all employees Page 11
Initiative #5 – Security Awareness for Government Leaders Description: Annual security awareness event for Proactive Risk Management government leaders and policymakers Key Benefits: • Clear understanding of all All state employees receive on- enterprise security initiatives going security training that is commensurate with their job • Overview of significant information duties security threats Government leaders at the • Support for the Enterprise Security highest levels understand and Program support the information security program Annual Information Security Briefing for Government Executives Initiative #6 – Identity and Access Management Description: Centralized and streamlined access Proactive Risk Management control solution for state government Key Benefits: • Better security through uniform and People and entities that conduct business with state government repeatable access control have appropriate and timely processes access to the necessary computer resources and data • Better experience for users of state State computer resources and services by providing all access data are protected from being through a single user ID and used or accessed inappropriately password • Reduced costs to develop new Identity and Access Management government systems by leveraging Project an external access control solution Page 12
Initiative #7 – Enterprise Business Continuity Program Robust Crisis and Security Description: Ongoing continuity program to address Incident Management unanticipated disruptions to government services Key Benefits: • Faster recovery of critical Mission critical services will government services during a crisis continue in the event of a crisis • Reduced costs through leveraging shared recovery environment • Better ability to share staff during Enterprise Continuity Program times of crisis through adoption of a common plan format and tools Initiative #8 – Enterprise Security Incident Management Description: Enterprise-wide approach to record, Robust Crisis and Security identify, and manage information Incident Management security incidents When information security Key Benefits: • Ability to limit damage through incidents occur, government information sharing entities promptly contain, remediate, and manage those • Fewer cross-agency infections incidents • Reduced costs through the sharing of staff and expensive forensic Enterprise Security Incident investigation tools Management Page 13

Recomendados

Institutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveInstitutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveGovernment
 
Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Malaysia University of Science and Technology (MUST)
 
Chapter1
Chapter1Chapter1
Chapter1tammy1124
 
Michigan Cyber TTX response planning ESF 18
Michigan Cyber TTX response planning ESF 18 Michigan Cyber TTX response planning ESF 18
Michigan Cyber TTX response planning ESF 18 David Sweigert
 
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...Miguel A. Amutio
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsFundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsIT-Toolkits.org
 
Cissp notes
Cissp notesCissp notes
Cissp notesJagbir Singh
 
Cyber Security Conference - Msps cybersecurity whitepaper
Cyber Security Conference - Msps cybersecurity whitepaperCyber Security Conference - Msps cybersecurity whitepaper
Cyber Security Conference - Msps cybersecurity whitepaperMicrosoft
 

Recomendados

Institutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveInstitutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveGovernment
 
Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Malaysia University of Science and Technology (MUST)
 
Chapter1
Chapter1Chapter1
Chapter1tammy1124
 
Michigan Cyber TTX response planning ESF 18
Michigan Cyber TTX response planning ESF 18 Michigan Cyber TTX response planning ESF 18
Michigan Cyber TTX response planning ESF 18 David Sweigert
 
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...Miguel A. Amutio
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsFundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsIT-Toolkits.org
 
Cissp notes
Cissp notesCissp notes
Cissp notesJagbir Singh
 
Cyber Security Conference - Msps cybersecurity whitepaper
Cyber Security Conference - Msps cybersecurity whitepaperCyber Security Conference - Msps cybersecurity whitepaper
Cyber Security Conference - Msps cybersecurity whitepaperMicrosoft
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentIJERD Editor
 
Effective IT Security Governance
Effective IT Security GovernanceEffective IT Security Governance
Effective IT Security GovernanceLeo de Sousa
 
Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)Manpreet Singh Sidhu
 
Improve Public Safety
Improve Public SafetyImprove Public Safety
Improve Public Safetyestotts75
 
Privacy trends 2011
Privacy trends 2011Privacy trends 2011
Privacy trends 2011Vladimir Matviychuk
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectJermund Ottermo
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Manuel Guillen
 
2004-cost-report
2004-cost-report2004-cost-report
2004-cost-reportMatthew W. Stephan, CISM, CISSP, CRISC, CGEIT, PMP
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsRd. R. Agung Trimanda
 
Minnesota iGov a report by the State Chief Information Officer Gopal Khanna
Minnesota iGov a report by the State Chief Information Officer Gopal KhannaMinnesota iGov a report by the State Chief Information Officer Gopal Khanna
Minnesota iGov a report by the State Chief Information Officer Gopal KhannaGopal Khanna
 
Afcea it security course 2015 flyer
Afcea it security course 2015 flyerAfcea it security course 2015 flyer
Afcea it security course 2015 flyerClaude Gelinas
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligencewbesse
 
Simplifying the data privacy governance quagmire building automated privacy ...
Simplifying the data privacy governance quagmire building automated privacy ...Simplifying the data privacy governance quagmire building automated privacy ...
Simplifying the data privacy governance quagmire building automated privacy ...Avinash Ramineni
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
 
Framework for cybersecurity info sharing
Framework for cybersecurity info sharingFramework for cybersecurity info sharing
Framework for cybersecurity info sharingRoy Ramkrishna
 
Availability
AvailabilityAvailability
AvailabilitySam Muthoka
 
FED GOV CON - Cybersecurity Compliance Under The FAR
FED GOV CON - Cybersecurity Compliance Under The FARFED GOV CON - Cybersecurity Compliance Under The FAR
FED GOV CON - Cybersecurity Compliance Under The FARJSchaus & Associates
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectIOSR Journals
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFLaurie Mosca-Cocca
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfkimangeloullero
 

Más contenido relacionado

La actualidad más candente

International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentIJERD Editor
 
Effective IT Security Governance
Effective IT Security GovernanceEffective IT Security Governance
Effective IT Security GovernanceLeo de Sousa
 
Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)Manpreet Singh Sidhu
 
Improve Public Safety
Improve Public SafetyImprove Public Safety
Improve Public Safetyestotts75
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectJermund Ottermo
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Manuel Guillen
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsRd. R. Agung Trimanda
 
Minnesota iGov a report by the State Chief Information Officer Gopal Khanna
Minnesota iGov a report by the State Chief Information Officer Gopal KhannaMinnesota iGov a report by the State Chief Information Officer Gopal Khanna
Minnesota iGov a report by the State Chief Information Officer Gopal KhannaGopal Khanna
 
Afcea it security course 2015 flyer
Afcea it security course 2015 flyerAfcea it security course 2015 flyer
Afcea it security course 2015 flyerClaude Gelinas
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligencewbesse
 
Simplifying the data privacy governance quagmire building automated privacy ...
Simplifying the data privacy governance quagmire building automated privacy ...Simplifying the data privacy governance quagmire building automated privacy ...
Simplifying the data privacy governance quagmire building automated privacy ...Avinash Ramineni
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
 
Framework for cybersecurity info sharing
Framework for cybersecurity info sharingFramework for cybersecurity info sharing
Framework for cybersecurity info sharingRoy Ramkrishna
 
FED GOV CON - Cybersecurity Compliance Under The FAR
FED GOV CON - Cybersecurity Compliance Under The FARFED GOV CON - Cybersecurity Compliance Under The FAR
FED GOV CON - Cybersecurity Compliance Under The FARJSchaus & Associates
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectIOSR Journals
 

La actualidad más candente (20)

International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
Effective IT Security Governance
Effective IT Security GovernanceEffective IT Security Governance
Effective IT Security Governance
 
Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)
 
Improve Public Safety
Improve Public SafetyImprove Public Safety
Improve Public Safety
 
Privacy trends 2011
Privacy trends 2011Privacy trends 2011
Privacy trends 2011
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in Retrospect
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
2004-cost-report
2004-cost-report2004-cost-report
2004-cost-report
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance Guide
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
 
Minnesota iGov a report by the State Chief Information Officer Gopal Khanna
Minnesota iGov a report by the State Chief Information Officer Gopal KhannaMinnesota iGov a report by the State Chief Information Officer Gopal Khanna
Minnesota iGov a report by the State Chief Information Officer Gopal Khanna
 
Afcea it security course 2015 flyer
Afcea it security course 2015 flyerAfcea it security course 2015 flyer
Afcea it security course 2015 flyer
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
Simplifying the data privacy governance quagmire building automated privacy ...
Simplifying the data privacy governance quagmire building automated privacy ...Simplifying the data privacy governance quagmire building automated privacy ...
Simplifying the data privacy governance quagmire building automated privacy ...
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
Framework for cybersecurity info sharing
Framework for cybersecurity info sharingFramework for cybersecurity info sharing
Framework for cybersecurity info sharing
 
Availability
AvailabilityAvailability
Availability
 
FED GOV CON - Cybersecurity Compliance Under The FAR
FED GOV CON - Cybersecurity Compliance Under The FARFED GOV CON - Cybersecurity Compliance Under The FAR
FED GOV CON - Cybersecurity Compliance Under The FAR
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and Prospect
 

Similar a Enterprise security strategic_plan

GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFLaurie Mosca-Cocca
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfkimangeloullero
 
Cybersecurity Risk -- Redefing real risk measurement for the CISO
Cybersecurity Risk -- Redefing real risk measurement for the CISOCybersecurity Risk -- Redefing real risk measurement for the CISO
Cybersecurity Risk -- Redefing real risk measurement for the CISODavid Sweigert
 
Guideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomyGuideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomySettapong_CyberSecurity
 
This domain reviews the diverse areas of knowledge needed to develop and man...
This domain reviews the diverse areas of knowledge needed to develop and man...This domain reviews the diverse areas of knowledge needed to develop and man...
This domain reviews the diverse areas of knowledge needed to develop and man...bikheet
 
Cyber Security Conference - Trustworthy computing cybersecurity white paper
Cyber Security Conference - Trustworthy computing cybersecurity white paperCyber Security Conference - Trustworthy computing cybersecurity white paper
Cyber Security Conference - Trustworthy computing cybersecurity white paperMicrosoft
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Redspin, Inc.
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Redspin, Inc.
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee StudyHiten Sethi
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...IT-Toolkits.org
 
MCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementMCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementWilliam McBorrough
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxstirlingvwriters
 
Whitepaper Pro-active Security Management 2006.pdf
Whitepaper Pro-active Security Management 2006.pdfWhitepaper Pro-active Security Management 2006.pdf
Whitepaper Pro-active Security Management 2006.pdfserve&solve
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Laura Benitez
 
Review of national cyber security policy 2013 by chintan pathak
Review of national cyber security policy 2013 by chintan pathakReview of national cyber security policy 2013 by chintan pathak
Review of national cyber security policy 2013 by chintan pathakChintan Pathak
 

Similar a Enterprise security strategic_plan (20)

GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdf
 
Cybersecurity Risk -- Redefing real risk measurement for the CISO
Cybersecurity Risk -- Redefing real risk measurement for the CISOCybersecurity Risk -- Redefing real risk measurement for the CISO
Cybersecurity Risk -- Redefing real risk measurement for the CISO
 
Guideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomyGuideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital Economy
 
This domain reviews the diverse areas of knowledge needed to develop and man...
This domain reviews the diverse areas of knowledge needed to develop and man...This domain reviews the diverse areas of knowledge needed to develop and man...
This domain reviews the diverse areas of knowledge needed to develop and man...
 
Cyber Security Conference - Trustworthy computing cybersecurity white paper
Cyber Security Conference - Trustworthy computing cybersecurity white paperCyber Security Conference - Trustworthy computing cybersecurity white paper
Cyber Security Conference - Trustworthy computing cybersecurity white paper
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee Study
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...
 
MCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementMCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability Statement
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docx
 
Whitepaper Pro-active Security Management 2006.pdf
Whitepaper Pro-active Security Management 2006.pdfWhitepaper Pro-active Security Management 2006.pdf
Whitepaper Pro-active Security Management 2006.pdf
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
 
Return on Investment of Diversity and Inclusion Initiatives in Information Go...
Return on Investment of Diversity and Inclusion Initiatives in Information Go...Return on Investment of Diversity and Inclusion Initiatives in Information Go...
Return on Investment of Diversity and Inclusion Initiatives in Information Go...
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
 
Review of national cyber security policy 2013 by chintan pathak
Review of national cyber security policy 2013 by chintan pathakReview of national cyber security policy 2013 by chintan pathak
Review of national cyber security policy 2013 by chintan pathak
 

Más de wardell henley

RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfwardell henley
 
Landscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfLandscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfwardell henley
 
Facets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfFacets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfwardell henley
 
self_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfself_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfwardell henley
 
Itil a guide to cab meetings pdf
Itil a guide to cab meetings pdfItil a guide to cab meetings pdf
Itil a guide to cab meetings pdfwardell henley
 
9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmpwardell henley
 
15466 mba technology_white_paper
15466 mba technology_white_paper15466 mba technology_white_paper
15466 mba technology_white_paperwardell henley
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmenwardell henley
 
Cissp chapter-05ppt178
Cissp chapter-05ppt178Cissp chapter-05ppt178
Cissp chapter-05ppt178wardell henley
 
Enterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20securityEnterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20securitywardell henley
 
3 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp013 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp01wardell henley
 
Splunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardsSplunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardswardell henley
 
Ms app 1.5.1-msinfra-bestpracticesguide
Ms app 1.5.1-msinfra-bestpracticesguideMs app 1.5.1-msinfra-bestpracticesguide
Ms app 1.5.1-msinfra-bestpracticesguidewardell henley
 
IBM enterprise Content Management
IBM enterprise Content ManagementIBM enterprise Content Management
IBM enterprise Content Managementwardell henley
 

Más de wardell henley (20)

RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdf
 
mita_overview.pdf
mita_overview.pdfmita_overview.pdf
mita_overview.pdf
 
Landscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfLandscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdf
 
Facets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfFacets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdf
 
self_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfself_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdf
 
Itil a guide to cab meetings pdf
Itil a guide to cab meetings pdfItil a guide to cab meetings pdf
Itil a guide to cab meetings pdf
 
Mn bfdsprivacy
Mn bfdsprivacyMn bfdsprivacy
Mn bfdsprivacy
 
9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp
 
It security cert_508
It security cert_508It security cert_508
It security cert_508
 
15466 mba technology_white_paper
15466 mba technology_white_paper15466 mba technology_white_paper
15466 mba technology_white_paper
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
 
213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen
 
Soa security2
Soa security2Soa security2
Soa security2
 
Cissp chapter-05ppt178
Cissp chapter-05ppt178Cissp chapter-05ppt178
Cissp chapter-05ppt178
 
Enterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20securityEnterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20security
 
3 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp013 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp01
 
Splunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardsSplunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandards
 
Ms app 1.5.1-msinfra-bestpracticesguide
Ms app 1.5.1-msinfra-bestpracticesguideMs app 1.5.1-msinfra-bestpracticesguide
Ms app 1.5.1-msinfra-bestpracticesguide
 
IBM enterprise Content Management
IBM enterprise Content ManagementIBM enterprise Content Management
IBM enterprise Content Management
 
oracle EBS
oracle EBSoracle EBS
oracle EBS
 

Último

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Último (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Enterprise security strategic_plan

  • 1. State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 – 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council
  • 2. State of Minnesota Enterprise Security Strategic Plan Contents EXECUTIVE SUMMARY ................................................................................................ 2 CHAPTER 1 - INTRODUCTION ..................................................................................... 3 STAKEHOLDERS............................................................................................................. 4 PLAN NAVIGATION ......................................................................................................... 5 GOVERNANCE ................................................................................................................ 6 CHAPTER 2 - MISSION AND UNDERLYING CORE VALUES ..................................... 7 CHAPTER 3 - STRATEGIC OUTCOMES ...................................................................... 8 CHAPTER 4 - KEY INITIATIVES.................................................................................. 10 Page 1
  • 3. Executive Summary We are pleased to present the first Enterprise Security Strategic Plan for the State of Minnesota. This plan sets priorities for management, control, and protection of the state’s information assets. The 5 year vision includes 19 high-level strategic objectives (see chapter 3), grouped into the following 3 categories: Improved situational awareness, which includes continuous system monitoring and continuous assessment of controls Proactive risk management, such as solidly articulated requirements and ongoing security training Robust crisis and security incident management, which allows critical services to continue uninterrupted in a crisis. This plan also outlines 8 key initiatives (see chapter 4) that have been prioritized for delivery during the ensuring 2 years: Security Information and Event Management: provide enterprise-wide security monitoring Enterprise Vulnerability and Threat Management: provide ongoing vulnerability assessments of all information technology assets Baseline Policies, Procedures, and Standards: complete enterprise security policy and standard framework Security Awareness for Employees: ongoing and comprehensive security awareness program for all state employees Security Awareness for Government Leaders: annual security awareness event for government leaders and policymakers Identity and Access Management: centralized and streamlined access control solution for state government Enterprise Business Continuity Program: ongoing continuity program to address unanticipated disruptions to government services Enterprise Security Incident Management: enterprise-wide approach to record, identify, and manage information security incidents Strong executive commitment and support are crucial to the implementation of this plan. We ask that you, as government leaders and policymakers, commit to partner with us in effective problem solving, and be our champions at the highest levels. Successful implementation will ensure information is both protected and available, and that critical government services are available when needed. Page 2
  • 4. Chapter 1 - Introduction The State of Minnesota recognizes that information is a critical asset. How information is managed, controlled, and protected has a significant impact on the delivery of state services and on the trust instilled in the users of those services. Information assets, including those held in trust, must be protected from unauthorized disclosure, theft, loss, destruction, and alteration. Information assets must be available when needed, particularly during emergencies and times of crisis. The State of Minnesota’s decentralized information technology environment is inherently difficult to secure. Most state agencies still operate their own data centers. Furthermore, the state has not defined or enforced standards limiting the diversity of hardware and software products. In testimony, the Legislative Auditor pointed to undue complexity as a primary factor for the large number of information security audit findings. Current data center consolidation initiatives will simplify the state’s information technology environment, making it easier to secure. However, data center consolidation plans are complex and take many years to implement. The rapidly expanding use of the internet has increased the need for connectivity between government entities, third parties, and users of state services. This increase in connectivity has increased the state’s risk posture and made it more difficult to protect information. Cyber crime has skyrocketed over the past few years, shifting from crimes of notoriety to far more serious crimes for financial gain. Attackers have become much more sophisticated in perpetrating and concealing cyber crimes, typically operating in stealth mode with a goal of avoiding detection altogether. This document is the first enterprise-wide information security strategic plan for the State of Minnesota. It sets priorities for how the enterprise can efficiently and effectively address the management, control, and protection of the state’s information assets. It outlines the state’s security community’s five year vision, articulated as 19 high-level Strategic Objectives, grouped into three categories. There are significant gaps between where the state’s security community is today and the five year vision. The importance of the strategic objectives was assessed, prioritizing the gaps. The results of this assessment are summarized as Key Initiatives; a two year strategic plan. A set of business and tactical plans detailing the deliverables necessary to achieve the key initiatives are maintained separately. Page 3
  • 5. Figure 1 As depicted in Figure 1, this plan attempts Security Strategy Alignment to align information security strategic objectives with broader government technology and business strategies. When developing this plan, the strategies outlined in the State of Minnesota Information Security Strategies Technology Master Plan and the 2005 Drive to Excellence Transformation Roadmap Information Technology were incorporated. Strategies Major Government This plan incorporates core information Business Initiatives security requirements that must be in place to accomplish major government initiatives Global Trends efficiently and effectively. These initiatives include data center consolidation and the development of major government business applications, such as the new accounting and procurement system, and centralized electronic licensing. Finally, this plan incorporates global trends, such as: • More stringent regulatory requirements pertaining to information security • Increasing sophistication of criminals and politically motivated attackers • New demands to access data and services through web applications and mobile devices (i.e., laptops, mobile-phones) • New demands to share data across multiple organizations • Intense pressure to reduce costs • A shift from long-term employees to a more temporary and mobile workforce • The expanding use of software as a service Figure 2 Stakeholders Strategic Plan Primary Stakeholders Government leaders and policymakers are the primary Government Leaders audience of this plan. From an information security perspective, they need to know the current state, the future vision, and the task necessary to bridge the Enterprise gap. Achieving the strategic Security Strategic objectives will not be possible Plan without strong executive Security Users of Community Services Page 4
  • 6. commitment. Government leaders and policymakers must understand and have confidence in this plan. They must become problem-solving partners by committing resources and helping to remove barriers that impede progress. The security community itself is also a key audience of this plan. In the past, each government entity was forced to address information security issues on its own. This approach has fostered an environment where critical security duties are simply not done at many government entities. By joining forces to establish a common vision, the security community can ensure that all entities have appropriate information security controls, and can deploy those controls cost effectively. Finally, business partners and citizens – the end users of government services – have a vested interest in the success of this plan. End users of government services need to have complete confidence that government entities will protect their data from unauthorized disclosure. End users must be confident that critical government services will be available when needed, particularly during times of crisis. Developing this plan demonstrates due diligence to the people and businesses who rely on government services. Plan Navigation The plan is organized into three sections: • Chapter 2 – Mission and Underlying Core Values discusses the mission of the Enterprise Security Program, as defined by the security community. It also outlines the core values of a security program necessary to drive the strategic security outcomes in this document. • Chapter 3 – Strategic Outcomes lists the 19 high-level objectives for the State of Minnesota, segregated into three broad categories: Improved Situational Awareness, Robust Crisis and Security Incident Management, and Proactive Risk Management. • Chapter 4 – Key Initiatives discusses the highest-priority projects that the security community hopes to accomplish during the current biennium. Additional details concerning these projects can be seen in the separate Enterprise Security Tactical Plan. Page 5
  • 7. Governance The State Chief Information Security Officer will lead the effort to deliver the objectives in this plan. To be successful, the State Chief Information Security Officer must align and coordinate agency resources with those in Enterprise Security Office, a part of the Office of Enterprise Technology. Furthermore, these coordinated security efforts must be vetted by all impacted stakeholders through an agreed upon governance process. Though the governance process is still evolving, current stakeholders that participate in the decision-making process include: • State Chief Information Officer. Under state law, the State Chief Information Officer is responsible for the overall management, direction, and security of the state’s information assets. • State Chief Information Security Officer. The State Chief Information Security Officer has delegated authority and is responsible for planning, developing, and deploying the Enterprise Security Program. • Information Security Council. Agency security professionals who comprise the council serve as advisors to the State Chief Information Security Officer. These professionals are responsible for helping develop the enterprise-wide security strategies. They help craft the policies, standards, and systems to achieve the strategic objectives. • Chief Information Officer Advisory Council. This council represents the government technology community as a whole. It is responsible for making sure that security efforts align with and support broader government technology and business initiatives. • Commissioners Technology Advisory Board. This board represents leaders at the highest level in state government, ensuring buy-in and support for enterprise-wide projects and security efforts. Page 6
  • 8. Chapter 2 – Mission and Underlying Core Values The State of Minnesota’s Enterprise Security Program began in June 2006 with the hiring of the first Chief Information Security Officer in the Office of Enterprise Technology. To advance enterprise security, the Chief Information Security Officer promptly established the Information Security Council, an advisory body to help plan, develop, and implement the new program. With help from the Information Security Council, the Chief Information Security Officer worked to create the following mission for the Enterprise Security Program: “The Enterprise Security Program exists to support the efficient delivery of services to government entities and their customers; through a sustainable information security program. The program will accomplish its mission through enterprise information security policies, standards, guidelines, and services that protect the state’s information assets and the security interests of the users of state services.” The security community also agreed on eight core values as a foundation for the new Enterprise Security Program. The program must: • have an increased focus on security planning activities. • be comprehensive, clearly outlining the baseline requirements that all agencies must follow. • ensure that important security decisions are made by people best suited to make those decisions. • have broad-based support from people who will be expected to implement the provisions. • be championed by government leaders at the highest levels. • be supported by appropriate resources, including technical tools, training, and people. • take advantage of the size of government to leverage financial and human resources to be cost effective. • include methods to ensure compliance with baseline security requirements. With this foundation in place, the security community began the difficult task of defining, vetting, and prioritizing long-term security strategies for the State of Minnesota. The result of this effort can be seen in the following chapter. Page 7
  • 9. Chapter 3 - Strategic Outcomes The high-level strategies outlined in this chapter collectively define where the State of Minnesota needs to be to appropriately manage cyber security risks. The security community believes that it will take at least five years to achieve these strategic outcomes, assuming that there will be sufficient resources for people, processes, and tools. Absent the necessary resources, the strategic outcomes will not change, however, the timeframe to achieve the outcomes will be extended. The strategic outcomes can be classified into three broad categories: • Improved Situational Awareness (Table 1) – Outcomes in this category will help the state obtain a better understanding of its risk posture. They also will give the state the ability to measure its risk posture with rigorous performance metrics. • Proactive Risk Management (Table 2) – Outcomes in this category will make employees and government leaders more aware of security threats. Also, they will garner the executive support needed for Enterprise Security Program to thrive long-term. Finally, they include various types of preventive controls. • Robust Crisis and Security Incident Management (Table 3) – Outcomes in this category will help the state manage security events more efficiently and effectively, thereby minimizing damage. Table 1 Improved Situational Awareness Current Biennium Strategic Outcome Description Priority All state computer systems are continuously monitored for adverse Yes information security events. Information security controls are continuously assessed for effectiveness. Key performance indicators are used to measure the information security program’s effectiveness. The state has a consolidated and reportable information security risk profile. Page 8
  • 10. Table 2 Proactive Risk Management Current Biennium Strategic Outcome Description Priority Government leaders at the highest levels understand and support the Yes information security program. All state employees receive ongoing security training appropriate to their Yes job duties. Information security program requirements are clearly articulated in a Yes framework of policies, procedures, and standards. Established relationships between state, local, and federal government entities permit shared security solutions that span traditional parochial boundaries. Stakeholders participate in the design and implementation of information security solutions. The state attracts, develops, and retains professionals with the appropriate security skills. Exploitable technical vulnerabilities in state computer systems are Yes promptly identified and remediated. Information security controls adapt rapidly to changing risk conditions. People and entities that conduct business with state government have Yes appropriate and timely access to the necessary computer resources and data. State computer resources and data are protected from being used or Yes accessed inappropriately. Government entities comply with the information security program and other externally mandated compliance requirements. Government entities, regardless of size, are supported by security professionals and engaged in the information security program. The Office of Enterprise Technology serves as a leader by setting high Yes standards for excellence in information security. Table 3 Robust Crisis and Security Incident Management Current Biennium Strategic Outcome Description Priority When information security incidents occur, government entities promptly Yes contain, remediate, and manage those incidents. Mission-critical services will continue in the event of a crisis. Yes Page 9
  • 11. Chapter 4 - Key Initiatives The Enterprise Security Office and the Information Security Council identified certain security outcomes and specific projects as “high priority.” In general, these are areas where our current security controls are lax or have not been applied consistently across the enterprise, resulting in an unacceptable level of risk. In many cases, the security community has developed formal projects to address pressing concerns. In others, security projects are still in the planning stages. This chapter outlines security projects that the security community believes are high priority. It is not a complete inventory of the work being done by the security community. Rather, it is list of a key initiatives that are planned or are currently under way to address the most pressing risks. Additional details about each key initiative can be found in the Enterprise Security Tactical Plan. It is important to demonstrate the linkage between Figure 3 key initiatives, long-term strategic outcomes, and Linking Key Initiatives to Outcomes the broader strategic outcome categories. Broad Outcome Category Therefore, included with each key initiative in this chapter is a graphic. Figure 3 illustrates the one- Specific Strategic Outcome to-many relationship between broad strategic outcome categories, specific strategic outcomes, Key Initiative and key initiatives. Initiative #1 – Security Information and Event Management Description: Central system to provide enterprise- Improved Situational Awareness wide security monitoring Key Benefits: • Improved ability to identify complex All state computer systems are continuously monitored for cyber attacks adverse information security • Reduced time and cost to events investigate security incidents • Consistent and robust monitoring of Security Information and Event all agencies, including those with Management Project limited resources Page 10
  • 12. Initiative #2 – Enterprise Vulnerability and Threat Management Description: Central system to provide ongoing Proactive Risk Management vulnerability assessments of all information technology assets Key Benefits: • State finds and remediates Exploitable technical problems before they are exploited vulnerabilities in state computer systems are promptly identified by hackers and remediated • Inventory created of all technology assets • Services offered to all agencies, Enterprise Vulnerability and Threat Management Project including those with limited resources Initiative #3 – Baseline Policies, Procedures, and Standards Description: Complete enterprise security policy and Proactive Risk Management standard framework Key Benefits: • Clear security baselines for all Security program requirements government entities are clearly articulated in a framework of policies, • Policy-based foundation to procedures, and standards measure results • Consistent application of security controls across the enterprise Baseline Policies, Procedures, and Standards Initiative #4 – Security Awareness for Employees Proactive Risk Management Description: Ongoing and comprehensive security awareness program for all state employees Key Benefits: • Better awareness of security All state employees receive on- threats capable of impacting going security training that is commensurate with their job government operations • Fewer security incidents caused by employee mistakes Employee Security Awareness • Common baseline of knowledge for Program all employees Page 11
  • 13. Initiative #5 – Security Awareness for Government Leaders Description: Annual security awareness event for Proactive Risk Management government leaders and policymakers Key Benefits: • Clear understanding of all All state employees receive on- enterprise security initiatives going security training that is commensurate with their job • Overview of significant information duties security threats Government leaders at the • Support for the Enterprise Security highest levels understand and Program support the information security program Annual Information Security Briefing for Government Executives Initiative #6 – Identity and Access Management Description: Centralized and streamlined access Proactive Risk Management control solution for state government Key Benefits: • Better security through uniform and People and entities that conduct business with state government repeatable access control have appropriate and timely processes access to the necessary computer resources and data • Better experience for users of state State computer resources and services by providing all access data are protected from being through a single user ID and used or accessed inappropriately password • Reduced costs to develop new Identity and Access Management government systems by leveraging Project an external access control solution Page 12
  • 14. Initiative #7 – Enterprise Business Continuity Program Robust Crisis and Security Description: Ongoing continuity program to address Incident Management unanticipated disruptions to government services Key Benefits: • Faster recovery of critical Mission critical services will government services during a crisis continue in the event of a crisis • Reduced costs through leveraging shared recovery environment • Better ability to share staff during Enterprise Continuity Program times of crisis through adoption of a common plan format and tools Initiative #8 – Enterprise Security Incident Management Description: Enterprise-wide approach to record, Robust Crisis and Security identify, and manage information Incident Management security incidents When information security Key Benefits: • Ability to limit damage through incidents occur, government information sharing entities promptly contain, remediate, and manage those • Fewer cross-agency infections incidents • Reduced costs through the sharing of staff and expensive forensic Enterprise Security Incident investigation tools Management Page 13