Statewide Security Update October 25, 2005

1. Information Technology Advisory Board Statewide Security UpdateOctober 25, 2005 Ann Garrett, State Chief Information Security Officer

2. Agenda • 2004 - Security Assessment Results • Consequences of Assessment • Statewide Security Initiatives Program • Improve Network Security Defenses • Improve Wireless Network Security • Improve Risk and Business Continuity Management • Complete Statewide Security Standards Framework • Improve Security Awareness & Training • Statewide Approach to Security tools Anti-Virus and Anti-Spyware • Questions

3. 2004 Security Assessment Scoring Distribution Planned Security Practices (Quality) Actual Security Practices (Execution)

4. 2004 Security AssessmentScoring Summary Note: The circle indicates the State average for the agencies assessed in the study

5. 2004 Security AssessmentStatewide Average Scores by Category

6. Opportunities for Improvement • Insufficient Funding (~100%) • Insufficient Staffing (84%) • Lack of Security Training & Experience (76%) • Outdated Desktop Operating Systems (72%) • Outdated and Missing Business Continuity Plans (69%) • Gaps in Agency Network Security Defense (64%) • Deficient Policies, Standards, and Procedures (60%)

7. ConsequencesStatewide Significance • Assessment provided a baseline for metrics and a roadmap for planning improvements • Increased awareness at all levels of government of the importance of information security • Flexible assessment tool that can be used in years to come • Cost savings

8. Legislative Response LAW PASSED IN JULY 2004 (SB991) • Shifted responsibilities from the IRMC to the State CIO and the ITAB • Gave State CIO clearer authority in project approval and management, procurement and establishment of security standards • Established a statewide IT Fund and appropriated $4.8 million for 2004-2005. $3 million appropriated for security assessment and remediation

9. Statewide Security Responsibilities SCIO Security Responsibilities: • Set statewide security standards • Monitor and assess agency compliance • Oversee information security incidents • Information security considered in project management cycle • Select and deploy enterprise security technology • Oversee security procurements • Provide security education and training

10. Statewide Security Initiatives • Improve network security defenses • Improve wireless network security • Improve risk management and business continuity planning • Complete statewide security framework (policies, procedures, standards and architecture) • Improve enterprise security awareness and training • Statewide approach to Anti-Virus/Anti-Spyware

11. Statewide Security Initiatives #1 Improve Network Security Defenses– (Next Generation Network (NGN), Firewalls, Intrusion Prevention System (IPS), NCID) • Implementing NGN with agency pilots • MPLS – Multi-protocol label switching • ESAP – Enterprise Service Access Point(s) • Approved Intrusion Protection System (IPS) project, RFP in process

12. State Network • 2,500 remote sites • Public Network • Internet Pipes = Multiple - Gigabit Ethernet Connections • Perimeter Defenses (Firewalls, IDS/IPS and ITS Hosted Zones IPS/IDS) • Centralized Security Incident Management, NC Information Sharing Analysis Center

13. Next Generation Network (NCIN3) Goals • Enhance Network Availability (99.99) • Reliable, Manageable, Scaleable • Enhance Security • Establish Layers of Security Controls • Enable Quality of Services features • Differentiated Service Offerings

14. Enterprise Services Access Point (ESAP) Model

15. Statewide Security Initiatives #2. Improve Agency Border/Perimeter Defense – Wireless • Conducted Agency Wireless Survey 01/05 • Formed Agency Wireless Focus Group • Updated ‘Wireless Security IEEE 802.11 Communications Policy’ issued 2/15/05 • Project underway to build a prototype to deploy a secure wireless environment using 802.1X and WPA2 at ITS

16. Statewide Security Initiatives #3. Improve Risk Management and Business Continuity Planning • Developed Risk Assessment Tool • Purchased Strohl Business Impact Analysis and Business Continuity Planning software for all executive branch agencies (available to locals thru ITS at reduced price) • Trained agencies in Fall ‘04 • Agencies complete Business Impact Analysis (BIA’s) in March ‘05 • Consistent statewide approach for business continuity management

17. Statewide Security Initiatives #4. Complete Statewide Security Standards Framework • Purchased ISO 17799 Policy Tool Kit 07/04 and updates in 07/05 • Formed Agency Standards/Policy Focus Groups • Awarded RFP to Ciber to complete standards framework with training materials 11/04. • Chapters in review cycle, rollout is in progress • All Statewide Security Standards/Policies are on http://www.scio.state.nc.us

18. Statewide Security Initiatives July 2004 to June 2005 Enterprise Training Plan

19. Statewide Security Initiatives #5. Improve Enterprise Security Training & Awareness July 2005 to June 2006 Enterprise Training Plan

20. Statewide Security Initiatives #6 Statewide Approach to Anti-Virus and Anti-Spyware • Use statewide consolidated purchasing power and authority to: • Lower overall statewide AV/AS costs and derive more value from these solutions while providing greater AV/AS protection to state agencies. • Offer similar AV/AS pricing to all executive branch agencies as well as local government units, community colleges, and public schools (Based on support option) • Simplify AV/AS administration through an integrated solution

21. Enterprise Security Infrastructure… Is a key element of consolidation: • Integrating IT infrastructure services, (network, hosting, access etc.) through an enterprise wide risk management approach improves security and enables cost efficiencies Why: • Consistent approach to • Threats • Technology • Business Drivers • Users • Vendors • Education

22. NC - Statewide Security Initiatives Program – 2005 WINNER!!!

23. Questions?http://www.scio.state.nc.us