BrodyCyberSecurityBrief (Carlotto). Added: January 22, 2008. Category: Education. License: All Rights Reserved.

Presentation Transcript

VA Cyber Security Program: Status Report
Presented to the VA CIO Conference, August 2002
Department of Veterans Affairs, Office of the Assistant Secretary for Information and Technology, Office of Cyber Security
Bruce A. Brody, CISSP, Associate Deputy Assistant Secretary for Cyber Security

What’s Changed?
- Cyber security is no longer fragmented
- Consolidation of headquarters staff
- Eventual relationship with field elements and operational activities to be resolved
- Our breakout sessions will focus on organizational structure and financial planning
- We have a “once-in-a-lifetime” opportunity to organize as a world class cyber security organization
- No operational disruptions
- What SLAs must be executed, and with whom?
- The challenge is huge, and there is much work ahead of us
- We start figuring out the answers this week

Vision
Developed at the February 28, 2002 CIO Conference by the Cyber Security Working Group:
Become the model cyber security program within the federal government with a standardized, secure, controlled environment, where the organizational culture collaboratively balances business requirements with security to meet VA’s missions.

Cyber Security Mission
- Provide cyber security services to veterans and their dependents that protect the confidentiality, integrity and availability of their private information and enable the timely, uninterrupted and trusted nature of those services
- Provide assurances that cost-effective cyber security controls are in place to protect automated information systems from financial fraud, waste and abuse
Together, we will accomplish this mission.

Good News – Bad News
Good news:
- The OIG, GAO and Congressional oversight bodies tell us that significant progress has been made, although there is much more to do
- OMB considers the Department’s GISRA report to be among the top five in government
- The VA CIRC is awarded and will provide “world class” incident response capability
- VA’s anti-virus program is the largest and most successful in the government – and one of the largest in the world!
Bad news:
- Information security is still a “material weakness”
- OIG: “Much work remains to implement key security initiatives and establish a comprehensive integrated VA security program”
- OIG: GISRA reporting not credible
- GAO: Many actions required to establish a comprehensive security management program
- Progress on Departmental cyber security priorities has been inconsistent

Material Weakness Shortfalls
Entity-wide security shortfalls:
- Existing policy, procedure and security requirements are not being enforced;
- Risk assessments/penetration testing are not being done;
- Incident reporting to CIRC is not being done or is not timely;
- Annual security awareness training is not being held;
- Warning banners are not being used;
- There is no proactive network monitoring to identify intrusion attempts or other suspicious/unusual activities; and
- There is no structured training curriculum for cyber security staff.

Remediation of OIG’s Top 10 GISRA Priority Weakness Areas (as of July 1, 2002)
(slide chart; no text in the transcript)

Slide 8: VA’s GISRA Results (Summary as of July 1, 2002)
During the past year, VA compliance with GISRA has escalated from 53% to 78%.

Significant Progress since March 2001
(slide timeline, March 2001 to July 2002; milestones as labelled)
- ADAS for Cyber Security Arrives
- 2001 GISRA Annual Report
- 2001 VA INFOSEC Conference
- Enterprise Architecture Expedition
- 1st Quarter GISRA Report
- ECSIP MS 0 Approval
- Began VA-wide Anti-Virus Rollout
- VA GISRA Process Top 5 in Gov’t
- VA CIRC Awarded
- C&A Policy Published
- 2002 VA INFOSEC Conference
- Privacy / HIPAA Kickoff
- ROC Pilot
- VA CIO Confirmed
- Completed VA-wide Anti-Virus Rollout
- January 2002 OCS Reorg
- JPO standup
Callouts: VA Anti-Virus Program is now the 3rd largest anti-virus implementation in the world – prevented over 1 million virus attacks in the first six months of operations. OMB considers VA’s approach to GISRA and its GISRA report to be among the top five in Government.

The New VA CIRC Is Awarded
- VAST (“VA Security Team”), LLC
  - Joint venture of SecureInfo, ADTECH Systems, AEM Corp., DSD Labs, SEIDCON Inc., TeamBI Solutions
  - Large partners: Signal Corp., SAIC, Compaq
- The VA CIRC will provide “world class” incident analysis and response capability for the VA
  - 24x7x365 operations through the SOC(s)
  - Threat analysis
  - Event correlation and analysis
  - Forensics
  - Technical help desk/Fly away support
- The VA CIRC is the:
  - Only incident response capability in the VA
  - Central node in VA operational control of security
  - Mandatory contract vehicle for VA managed security services

Slide 11: The New VA CIRC
(slide diagram; labels as shown)
VA-CIRC SOC, 24 x 7 x 365:
- Incident Response and Incident Management
- Command and Control
- Liaison with National Agencies
- Threat Analysis
- National Help Desk
- Central Incident Database
- Fly Away Support
- Forensics Analysis
- Alerts/Advisories/Bulletins
NOC, Centralized Managed Security Services:
- Intrusion Detection Monitoring
- Firewall Management
- Anti-Virus Management
- Software Patch Distribution
- Event Correlation and Analysis
- Audit Log Analysis
- Vulnerability Scanning
- Penetration Testing
- Rapid Engineering
- Remediation Planning
- Compliance Monitoring
- ECSIP
For these services, the contract will be the mandatory vehicle for the entire VA.

ECSIP Milestone I/II Approved by SMC (August 6, 2002)
- ECSIP will procure and install cyber security systems to protect external gateway connections and critical information repositories located at the VA’s data centers
- Other internal connections will be protected once the above is complete
- All existing legacy external connections will migrate to an ECSIP configured gateway by September 30, 2004
- Security Operations Centers (SOCs) will centrally and remotely configure, manage and monitor all VA installed cyber security systems
- Local IT staff will provide “hands-on” support of installed cyber security systems

Enterprise Cyber Security Infrastructure Project’s Architecture
(slide diagram; labels as shown)
- N Regional Data Processing Centers (VBA - 3?, VHA - 6?, NCA - 1?, VACO – 1?)
- 1 Information Technology Integration Center: Product Acceptance Testing, Electronic S/W Distribution
- 3? Corporate Data Processing Centers: Electronically Vaulted Data, Distributed Processing (Supports COOP)
- 2 Network/Security Operating Centers: Collocated ONE VA SOC and Cyber Security Services

Security Infrastructure for a Generic Data Processing Center (Simplified)
(slide diagram; components as labelled)
- VA Facing Server Farm (SDNS/HIDS/Anti-Virus/Content Filter)
- Externally Facing Server Farm (SDNS/HIDS)
- Local Network
- VPN Gateway & IDS
- Dial Up RAS* & IDS
- Firewall & IDS
- Firewall
- Firewall & IDS
* Dial Up RAS may be an outsourced service

The Secretary’s Commitments to Congress
June 7, 2002 letters to Reps. Buyer and Carson. VA will implement the following:
- A rigorous qualification and certification program for information security practitioners, managed by OCS
- ISOs will report routinely to OCS on facility security posture
- OCS will add a review and inspection capability to its mission
- OCS will review and have input to ISO performance evaluations
- All training, qualification, certification, credentialing, reporting and audit functions will be managed by OCS
- Initial credentialing to be completed by October 1, 2003

The ISO….
- Must have the authority to
  - Enforce the Department’s cyber security policies
  - Act on behalf of the CIO and OCS in executing the Department’s cyber security programs
- Must have the independence to
  - Report accurately on the security posture of the ISO’s domain
  - Report directly to the VA CIRC on all security incidents
  - Not be influenced by local pressure
- Must be empowered and motivated to
  - Remove the material weakness
  - Eliminate GISRA deficiencies

Certification and Accreditation
(slide content not in the transcript)

Need for Increased VA Effort
FY2003 Cyber Security Budget at 8% of VA’s $1.4 billion IT Budget: $112M
(slide chart; values as labelled) Existing OCS Spend Plan $27M; Administration Cyber Security Spend Plans $22M; Administration Cyber Security Salaries $27M; OCS Salaries $4M; $80M
Richard Clarke, Presidential Cyber Security Advisor, Government Computer News, 3/19/2002: “8% of the $52 billion proposed Fiscal 2003 IT budget is earmarked for security.”
The VA can go a long way towards addressing its cyber security deficiencies if the entire $80 million is spent on doing the right things.

The Department’s Cyber Security Priorities
- Protect the boundary of the enterprise from external attack and lay the Defense in Depth security groundwork for implementing the VA Enterprise Architecture (Target: FY 2002/3)
- Centralize cyber security technology and operational controls wherever practical (Target: FY 2002/3)
- Remove the “material weakness” (Target: FY 2003/4)
- Comply with GISRA and all other legislative requirements (Target: Ongoing)
- Achieve Federal CIO Council and NIST FITSAF Level 4 and get on the path to Level 5 (Target: FY 2003/4)
- Professionalize the VA’s cyber security practitioners (Target: FY 2003/4)
- Become the model cyber security program in the Federal Government (Target: FY 2005)
All of which ensures the confidentiality, integrity and availability of veterans’ private information, and assures that our systems are free from financial fraud, waste and abuse.

Breakout Sessions
- We have a lot of new business to discuss
  - How to organize and staff for the future
  - Preparation and submission of action plans and spend plans
- We have a lot of regular business to work on
  - Updates on ISO certification, ECSIP, VA CIRC
  - Review of GAO and OIG recommendations
  - Demonstration of the TESS tool
- We will answer all of your questions to the best of our ability
  - And we might not have all of the answers this week