
									Commonwealth
Information Security Officers
Advisory Group (ISOAG) Meeting


                    JUNE 14, 2007



www.vita.virginia                   1 1
                     WELCOME



                    Peggy Ward, VITA



Happy Flag Day!




                              ISOAG June 2007 Agenda
I.     Welcome                                                           Peggy Ward, VITA

II. InfraGard                                                            Melissa McRae & Melissa Schuler, F.B.I.

III. Encryption Service Offering                                         John Kissel, VITA

IV.    Commonwealth Information Security Council Update!
                        Encryption Committee                             Steve Werby
                        Making Security an Executive Management Priority John Karabaic
                        Small Agency Outreach                            John Jenkins
                        Identity and Access Management                   Patricia Paquette

V.     RPB Data Center Move                                              Larry Ellison, NG

VI.    VITA IT Security Standard Technical Documentation                 Craig Luka, NG

VII.    COV IT Security Standard Compliance Update                       Ed Miller, VITA

VIII. COV IT Security Policies, Standards and Guidelines Update          Cathie Brown, VITA

IX.     Information Risk Executive Council (IREC)                        Cathie Brown, VITA

X.      Upcoming Events                                                  Peggy Ward, VITA

XI.     Other Business                                                   Peggy Ward, VITA




  InfraGard Program
 Public and Private Sector Alliance
Protecting our Critical Infrastructure
A Brief History…
In 1996, the FBI Cleveland Field Office launched a cyber-focused industry outreach initiative.

In 1998, the FBI adopted the InfraGard program for NIPC private-sector outreach.

In 2003, the FBI Cyber Division was established and DHS was formed, taking over the NIPC mission.

Today, InfraGard is the FBI’s lead private- and public-sector information sharing tool, with 18,645 members.
“Critical infrastructures are those physical and cyber-based systems essential
to the minimum operations of the economy and government. These systems
are so vital, that their incapacity or destruction would have a debilitating
impact on the defense or economic security of the United States.”
– William J. Clinton, 1998




Critical infrastructure sectors: Agriculture, Banking/Finance, Chemical, Computer Security, Defense, Emergency Service, Energy, Food, Postal/Shipping, Public Health, Transportation, Telecommunication, Water Supply.
Cyber Attack Cost & Means
[Chart, not reproducible here: cost of capability plotted against availability of capability, 1945 to today. The attack means shown, in chronological order, are invasion, strategic nuclear weapons, ICBM & SLBM, cruise missiles, precision guided munitions, and the computer.]
The CyberWorld Today
Cyber attacks:
• Immediately follow, or occur in conjunction with, physical-world events
• Are becoming more coordinated and politically motivated
• Don’t care about being detected or traced
Potential Sources of Attacks
• Terrorist groups
• Targeted nation-states
• Terrorist sympathizers and anti-U.S. hackers
• Thrill seekers
• U.S. hackers who need resources
Cyber Threats
• Unstructured threats: insiders, recreational hackers
• Structured threats: organized crime, industrial espionage
• National security threats: intelligence agencies, information warfare
InfraGard Benefits
FBI Program vs Private Sector

Benefits to the private-sector member:
• Trusted membership and network of professionals
• Timely, non-public intelligence products
• Secure forum to share information and discuss issues
• Avenue to provide positive intelligence
• Ongoing relationship with the FBI

Benefits to the FBI program:
• Industry sector subject matter experts
• Initiation of new investigations
• Early indication of sector-specific attacks
• Avenue to obtain feedback on intelligence
• Ability to identify significant crime problems

Also, it is “FREE!”
InfraGard VPN screenshots (graphics unavailable for on-line participants):
• Home Page
• Alerts & Advisories
• Specific Critical Infrastructure Articles
• IT & Telecommunication Sector
• IT & Telecommunication Sector: Computer Security Articles
• IT & Telecommunication Sector: Cyber Threat Media Highlights
• Message Board
• Message Board, Topic: Computer Security
• Resource Page (DHS Open Source Reports, Presentations, etc.)
• DHS Daily Reports Page
Other Features
• Special Interest Groups, e.g. Research and Technology
• Partnerships, e.g. NIST & SBA
• Quarterly meetings with valuable speakers
• Ability to participate in the FBI Citizen’s Academy
InfraGard VPN Special Interest Groups (graphics unavailable for on-line participants):
• Research and Technology InfraGard
• Food/Agriculture InfraGard
• Chemical InfraGard
SBA/NIST/FBI
Partnership between:
• FBI
• Small Business Administration (SBA): assists small businesses
• National Institute of Standards and Technology (NIST): world leader in information security guidelines
Goal
• Provide security workshops that deliver information security training to the small business community.
How you can help as IT Security Professionals
Develop and implement security policies and procedures.
• Know what you want to protect, and who will do it.

Build some walls…
• Create a perimeter and guard it (routers, firewalls, IDS). Then check the guards (audit policy).

Educate your users.
• The importance of security (personal and corporate data), strong passwords, encryption, etc.

How you can help (Cont’d)
Banners
• Put people on notice. You ARE watching!

Employee Agreements

Then:
• LOG, LOG, LOG!
• MONITOR, MONITOR, MONITOR!
• TEST, TEST, TEST!
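"Check the guards" and "LOG, LOG, LOG" together, as an added example that is not part of the InfraGard presentation: a small Python audit of an iptables-save style ruleset. The ruleset is constructed for illustration, and the three checks (built-in chains default to DROP, every new-connection ACCEPT has a LOG rule with the same match, a catch-all LOG before the default policy) are this editor's choice of what an audit of the perimeter policy should verify, not a procedure from the deck.

```python
"""Check the guards: audit an iptables-save style ruleset for a default-deny
perimeter and for logging of what the perimeter lets through.  Added example,
not from the InfraGard deck; the ruleset below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample: INPUT is default-deny, FORWARD was left open, HTTPS
# accepts are logged, the SSH accept is not, and drops are logged at the end.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix "FW-ACCEPT-HTTPS "
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP "
COMMIT
"""

@dataclass
class Rule:
    chain: str
    match: str    # match clauses between the chain name and -j
    target: str

@dataclass
class Finding:
    severity: str
    message: str

def parse_ruleset(text):
    """Return (chain policies, rules) from iptables-save output."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('*', '#', 'COMMIT')):
            continue
        m = re.match(r':(\S+)\s+(\S+)', line)                    # ":CHAIN POLICY [pkts:bytes]"
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = re.match(r'-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)', line)   # "-A CHAIN <match> -j TARGET ..."
        if m:
            rules.append(Rule(m.group(1), m.group(2), m.group(3)))
    return policies, rules

def audit(text):
    """Return the findings a perimeter reviewer would raise against this ruleset."""
    policies, rules = parse_ruleset(text)
    findings = []
    # Guard 1: built-in chains that face the outside must default to DROP.
    for chain in ('INPUT', 'FORWARD'):
        pol = policies.get(chain, 'missing')
        if pol != 'DROP':
            findings.append(Finding('high', f'{chain} policy is {pol}, expected DROP'))
    # Guard 2: every new-connection ACCEPT should have a LOG rule with the same
    # match ahead of it, so an accepted perimeter crossing leaves a record.
    logged = {r.match for r in rules if r.target == 'LOG'}
    for r in rules:
        if r.chain != 'INPUT' or r.target != 'ACCEPT':
            continue
        if 'ESTABLISHED' in r.match or '-i lo' in r.match:
            continue                      # return traffic and loopback: not perimeter crossings
        if r.match not in logged:
            findings.append(Finding('medium', f'unlogged accept in INPUT: {r.match}'))
    # Guard 3: a catch-all LOG before the default policy records what was denied.
    if not any(r.chain == 'INPUT' and r.target == 'LOG' and r.match == '' for r in rules):
        findings.append(Finding('low', 'no catch-all LOG at the end of INPUT; drops go unrecorded'))
    return findings

if __name__ == '__main__':
    for f in audit(SAMPLE_RULESET):
        print(f'{f.severity.upper():6} {f.message}')
```

Run against the sample it reports the open FORWARD policy and the unlogged SSH accept; fixing those two lines yields an empty finding list. The same three checks translate directly to a router ACL or a vendor firewall export once the parser is swapped.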
OK… the policies are in place, the perimeter is built, and the network is secure!
But… what if they sneak through?

If They Sneak Through…
• Respond quickly and without fail.
• Have key response personnel predetermined.
• Consider content monitoring of the attack.
• Backups:
   – Create backups of altered/damaged files and LOGS.
   – Secure backups of the original state.
• Determine the cost of the attack: repairs, replacement, personnel, consultants, lost “business”.
• Consider contacting the FBI.
Intrusion cases are already
won or lost long before law
    enforcement arrives
Making the Right Investment
[Chart: protection costs versus potential loss.]
What the FBI can Do
• Combine technical skills and investigative experience
• Provide national and global coverage
• Provide long-term commitment of resources
• Apply more traditional investigative techniques
• Perform pattern analysis
• Integrate law enforcement and national security concerns
CYBER CRIME IS THE FBI’S #3 PRIORITY

www.InfraGard.net
Federal Bureau of Investigation
Richmond, Virginia
(804) 261-1044
Disk Encryption Overview
PC Hard Drive Encryption
Rated Service Price Offering

John Kissel, VITA
June 14, 2007

Agenda
• Review
• Service Offering Rate
• Product Feature Summary
• Preliminary Configuration Settings
• Status
Rated Service Offering
• Monthly rate
  – Approx. $17.00 per encrypted Windows PC desktop/laptop/tablet
     • Added to the current per-unit rate
  – Includes deployment and recurring support
     • Deployment
        – Applies to devices being refreshed during the scheduled refresh initiative as well as to devices not requiring refresh during the scheduled refresh initiative.
        – Does not apply to legacy devices requiring encryption prior to the scheduled refresh initiative.
     • Recurring support
        – Applies to ALL devices that NG encrypts
Hard Drive Encryption - Service Offering
(■ = included in the monthly rate; T&M = billed on a time-and-materials basis)

Category                       | Item                               | During Desktop Refresh | After Desktop Refresh | Prior to Desktop Refresh
Non-Recurring
Software                       | Product license                    | ■ | ■ | ■
Software                       | Product Client Access License(s)   | ■ | ■ | ■
Technical Services, Testing    | Functionality testing              | ■ | ■ | T&M
Technical Services, Testing    | Image development                  | ■ | ■ | T&M
Technical Services, Testing    | Package creation                   | ■ | ■ | T&M
Technical Services, Testing    | Package creation 2                 | ■ | ■ | T&M
Technical Services, Testing    | Hardware compatibility testing     | ■ | ■ | T&M
Technical Services, Testing    | Use scenarios                      | ■ | ■ | T&M
Technical Services, Testing    | Deployment testing                 | ■ | ■ | T&M
Technical Services, Training   | Site support                       | ■ | ■ | T&M
Technical Services, Training   | Helpdesk                           | ■ | ■ | T&M
Technical Services, Training   | End user                           | ■ | ■ | T&M
Technical Services, Training   | Communications                     | ■ | ■ | T&M
Technical Services, Deployment | Deployment planning                | ■ | ■ | T&M
Technical Services, Deployment | Deployment preparation             | ■ | ■ | T&M
Technical Services, Deployment | Deployment execution               | ■ | ■ | T&M
Recurring
Software                       | Product license maintenance        | ■ | ■ | ■
Software                       | Client Access License maintenance  | ■ | ■ | ■
Technical Support              | Helpdesk (first call resolution)   | ■ | ■ | ■
Technical Support              | Tier 2 support                     | ■ | ■ | ■
Technical Support              | Maintenance                        | ■ | ■ | ■
General Assumptions
• Degraded desktop/laptop performance during system startup may occur.
• An increase in helpdesk support calls is anticipated.
• Increase in support/administration effort
  – Extended system recovery times
• Implementation
  – Desktop/laptop preparation tasks must be performed
  – All support calls will be routed to the VCCC
  – Encryption will be performed as part of the desktop refresh schedule
Procedures for Ordering
• If you choose not to wait for Transformation, an RFS needs to be completed to request this service.
• If you choose to wait for Transformation, it will be discussed at your kickoff meeting.
Commonwealth Information Security Council
Peggy Ward, VITA

Encryption Committee
Jesse Crim (VCU)
John Palese (DSS)
Michael McDaniel (VRS)
Tripp Simms (VITA/NG)
Steve Werby (DOC)

Encryption Committee - Goals
• Survey agencies from the IT and business perspectives
• Questionnaire to aid agencies in determining encryption needs and solutions
• Develop a plan for educating users
• Develop best practices
• Recommend solutions, preferably enterprise
• Develop an end-user training plan
Making Security an Executive Management Priority

Committee Members
John Karabaic, DMAS
Joe Hubbell, Va. Lottery
Shirley Payne, U.Va.

Ideas To Date
• Make recommendations for executive security awareness events, either standalone or as riders on other planned executive-level events such as a previous 2-day workshop on COOP.
• Solicit effective executive security awareness practices from agencies and present these as models other agencies might follow.
• Collect and make available canned security awareness presentations tailored for executives.
• Form a speakers bureau of ISO/boss teams willing to give presentations to agency executives within their secretariat.

Interested in volunteering?
Contact Shirley Payne, payne@virginia.edu
Small Agency Outreach

Current Members
Robert Jenkins (DJJ)
Aaron Mathes (OAG)
Goran Gustavsson (APA)
Ross McDonald (DSS)
Bob Auton (DJJ)
Doug Mack (DJJ)

Small Agency Outreach
• Contact and survey small agencies and benchmark where they are in the process
• Develop a pool of available talent to work in a shared-service capacity to provide audit functions to small agencies
  – Measure small agencies with audit capabilities versus those without this function
• Develop “canned solutions”, i.e. quick fixes using best practices from those with success in areas such as policy, practice or procurement
• Develop a tool for communications, such as a message board with shared access
• Create a network of Subject Matter Experts (SMEs) to offer advice and guidance on:
  – ARMICS and implementation options
  – Resources to talk with agency management who may be reluctant or unfamiliar with the actions required for compliance matters
  – VITA IT Security Policies and Standards (Business Impact Analysis, Risk Assessment, Breaches/Detections, etc.)
  – Other IT services, such as possible tests/reviews/audits

Small Agency Outreach
Volunteers are welcome!
If interested, contact Robert Jenkins
804-786-1608
robert.jenkins@djj.virginia.gov
Identity and Access Management and Account Management

Committee Members
Patricia Paquette – DHP, pat.paquette@dhp.virginia.gov
Mike Garner – Tax, mike.garner@tax.virginia.gov
Marie Greenberg – DMV, marie.greenberg@dmv.virginia.gov
Jim Rappe – ABC, james.rappe@abc.virginia.gov
Maria Batista – DMV, maria.batista@dmv.virginia.gov
Joel McPherson – DSS, joel.mcpherson@dss.virginia.gov

“An identity management solution should not be made up of isolated silos of security technologies, but rather, consist of well integrated technologies that address the spectrum of scenarios in each stage of the identity life cycle.”
– Frederick Chong, Microsoft Corp.

Goal: establish a secure and effective methodology focused on identification and authentication across the Commonwealth, with a standard process that includes:
• Registering or identifying users
• Establishing roles and accounts
• Issuing credentials
• Using the credential, and
• Record keeping and auditing.
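The five steps of that standard process, as an added example that is not the committee's work product: a small Python identity store that walks one user through registration, account and role creation, credential issuance, authentication with lockout, role-based authorization, deactivation, and an append-only audit trail that every step writes to. The role names, the lockout threshold, the PBKDF2 settings and the sponsor string are illustrative assumptions.

```python
"""One identity walked through the five steps on the slide: register, create
account and role, issue credential, use it, and keep auditable records.
Added example, not the committee's product; roles, the lockout threshold and
the PBKDF2 settings are illustrative assumptions."""
import hashlib, hmac, os, secrets, time
from dataclasses import dataclass

MAX_FAILURES = 3          # assumed lockout threshold
PBKDF2_ROUNDS = 100_000   # assumed; raise for production

ROLE_PERMISSIONS = {      # constructed role model
    'analyst': {'case:read'},
    'supervisor': {'case:read', 'case:approve'},
}

@dataclass
class Account:
    user_id: str
    role: str
    salt: bytes = b''
    pw_hash: bytes = b''
    failures: int = 0
    locked: bool = False
    active: bool = True

class IdentityStore:
    def __init__(self):
        self.identities = {}   # user_id -> registration record (who vouched, when)
        self.accounts = {}
        self.audit = []        # append-only; every step below writes here

    def _log(self, event, user_id, **detail):
        self.audit.append({'ts': time.time(), 'event': event, 'user': user_id, **detail})

    # 1. Registering or identifying users
    def register(self, user_id, sponsor):
        self.identities[user_id] = {'sponsor': sponsor, 'registered': time.time()}
        self._log('register', user_id, sponsor=sponsor)

    # 2. Establishing roles and accounts: no account without a registered identity
    def create_account(self, user_id, role):
        if user_id not in self.identities:
            raise ValueError(f'no registered identity for {user_id}')
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f'unknown role {role}')
        self.accounts[user_id] = Account(user_id, role)
        self._log('create_account', user_id, role=role)

    # 3. Issuing credentials: hand back the secret once, store only a salted hash
    def issue_credential(self, user_id):
        acct = self.accounts[user_id]
        secret = secrets.token_urlsafe(12)
        acct.salt = os.urandom(16)
        acct.pw_hash = hashlib.pbkdf2_hmac('sha256', secret.encode(), acct.salt, PBKDF2_ROUNDS)
        self._log('issue_credential', user_id)
        return secret

    # 4. Using the credential: authenticate (with lockout), then authorize by role
    def authenticate(self, user_id, secret):
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active or acct.locked:
            self._log('auth_denied', user_id, reason='no usable account')
            return False
        cand = hashlib.pbkdf2_hmac('sha256', secret.encode(), acct.salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(cand, acct.pw_hash):
            acct.failures = 0
            self._log('auth_ok', user_id)
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self._log('lockout', user_id)
        self._log('auth_failed', user_id, failures=acct.failures)
        return False

    def authorize(self, user_id, permission):
        acct = self.accounts.get(user_id)
        allowed = bool(acct and acct.active and permission in ROLE_PERMISSIONS[acct.role])
        self._log('authz', user_id, permission=permission, allowed=allowed)
        return allowed

    def deactivate(self, user_id):
        self.accounts[user_id].active = False
        self._log('deactivate', user_id)

    # 5. Record keeping and auditing
    def events(self, user_id, event=None):
        return [e for e in self.audit if e['user'] == user_id and event in (None, e['event'])]

def demo():
    """Run one user through the cycle; returns the facts worth checking."""
    store = IdentityStore()
    store.register('jdoe', sponsor='agency HR (constructed)')
    store.create_account('jdoe', 'analyst')
    secret = store.issue_credential('jdoe')
    login_ok = store.authenticate('jdoe', secret)
    can_read = store.authorize('jdoe', 'case:read')
    can_approve = store.authorize('jdoe', 'case:approve')
    for _ in range(MAX_FAILURES):
        store.authenticate('jdoe', 'not-the-secret')
    locked_out = not store.authenticate('jdoe', secret)   # right secret, but locked
    store.deactivate('jdoe')
    return {'login_ok': login_ok, 'can_read': can_read, 'can_approve': can_approve,
            'locked_out': locked_out, 'lockouts': len(store.events('jdoe', 'lockout')),
            'event_count': len(store.events('jdoe'))}
```

The point of the single audit list is the fifth step: a reviewer can reconstruct who sponsored the identity, when the credential was issued, every denied and successful use, and the lockout, without consulting separate silos.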
IT Infrastructure Transformation – RPB Mainframe and Server Move

Richmond Plaza Building Data Center Move

Larry Ellison, NG
Mainframe and Server Move Overview
• Mainframe Environment Profile
   – More system-to-system interaction
   – Larger footprint with multiple partitions per physical system
   – Diverse user group
• Mainframe Environment Move and Test Approach
   – Duplication of hardware at CESC (buy new)
   – Isolated test environment at CESC to provide an extended test window
• Server Environment Profile
   – More system isolation (agency-specific apps)
   – Smaller footprint (isolated UNIX/Windows systems)
   – Agency-specific user group
• Server Environment Move and Test Approach
   – VLAN extension approach (RPB to CESC)
   – Disconnect/move/reconnect of hardware from RPB to CESC (physical or virtual)
   – Unit testing of systems and applications prior to disconnect/move/reconnect
Mainframe Move and Test Strategy for CESC (Isolated Test Environment)
• Replicate the RPB internal network (LAN) at CESC (~280 devices)
• Replicate all IBM, UNISYS, Prime-Power, and related hardware required for full application testing
• Replicate key Windows and UNIX servers required to support the mainframe test environment
• Provide isolated external connectivity to the CESC test environment from key agency locations (VPN or other dedicated connections)
• Test environment available for 60-90 days to facilitate full operational readiness and application regression testing of the environment, from isolated locations
• Maintain the same IP addresses across the entire mainframe environment
• Requires key agencies to provide a dedicated/isolated test lab with a dedicated link from the agency location to CESC, for testing
• Supports connectivity testing from remote locations during planned weekend maintenance windows
• Multiple mock cutover tests prior to final go-live
CESC Isolated Mainframe Test Environment: Operations and Application Testing (7/15 – 10/28)
[Diagram: the RPB Data Center (production agency locations; servers, IBM mainframe with shared DASD and IBM Tape 2, DMX2000 2, Unisys mainframe with production app servers, EMC Centera Tape 2) is mirrored at the CESC Data Center (isolated key agency locations; servers, IBM mainframe with shared DASD and IBM Tape 1, DMX2000 1, Unisys mainframe with app servers for testing, EMC Centera Tape 1). Data replication between the two sites runs as needed.]

CESC Isolated Mainframe Test Environment: Connectivity and Cutover Testing (selected weekends from 7/15 – 10/28)
[Diagram: the same topology as above, with the RPB Data Center offline during testing and data replication to CESC.]
Mainframe Test Objectives for CESC (Isolated Test Environment)

• Operations Testing
   – All systems will IPL/boot and communicate with peripherals
   – Administrative functions (monitoring and management) operate as expected
   – Data replication between CESC and RPB functions properly
   – Internal CESC network (LAN) and firewalls function properly
   – Print infrastructure functions properly
   – Tape backup infrastructure functions properly
   – Control-M infrastructure functions properly for support of batch operations
   – Point-to-point connections function properly
• Application Testing
   – Applications will initiate and connect with database(s)
   – Applications will update data and print reports as expected
   – Regression test of all application components on the mainframe systems
• Network Connectivity Testing
   – Controlled testing of external connectivity to CESC from remote sites
   – Scheduled during pre-defined weekend maintenance periods from August – October
Tentative Testing and Cutover Timeline

ID | Task Name                   | Start      | Finish
1  | Design test environment     | 5/15/2007  | 7/15/2007
2  | Build test environment      | 6/1/2007   | 8/5/2007
3  | Build test plans            | 6/8/2007   | 7/20/2007
4  | Operations testing          | 7/2/2007   | 10/28/2007
5  | Application testing         | 7/16/2007  | 10/28/2007
6  | Network Connectivity Test 1 | 8/5/2007   | 8/5/2007
7  | Network Connectivity Test 2 | 8/19/2007  | 8/19/2007
8  | Mock cutover 1              | 9/1/2007   | 9/3/2007
9  | Network Connectivity Test 3 | 9/16/2007  | 9/16/2007
10 | Mock cutover 2              | 10/9/2007  | 10/11/2007
11 | Mock cutover 3              | 10/26/2007 | 10/28/2007
12 | Review and signoff          | 10/29/2007 | 11/2/2007
13 | Final cutover prep          | 11/5/2007  | 11/9/2007
14 | Go live                     | 11/12/2007 | 11/12/2007
(Gantt bars for the weeks of May through November 2007 are not reproducible here.)
Mainframe Move Risk Mitigation

• Standup of an Isolated Test Environment
   – Replicate mainframe hardware and software infrastructure
   – Replicate servers running tier 2 applications that interface with mainframes
   – Replicate DASD and tape storage infrastructure and data via high-speed data links
   – Create a network that will support simultaneous dual access for large agencies (RPB and CESC)
   – Replicate the security environment, including current complex firewall controls
• Detailed analysis of the entire infrastructure at RPB
   – Application components
   – Network components
   – Server and mainframe components
• Extended Test Period
   – Provide agencies with at least 60 days to complete application testing
   – Extended timeframe provides the opportunity for multiple test phases
   – Mock move weekends have been scheduled and are designed to accommodate thorough integration testing of complex, interdependent applications
   – Risk will be significantly mitigated through agencies having continuous access to a dedicated test environment rather than only a series of mock move tests over weekends
                                                 IT Infrastructure Transformation – RPB Mainframe and Server Move




                          Mainframe Move Risk Mitigation
                                             (continued)


• Command Center
   – Provides a rapid response team to quickly address problems that surface during testing
   – Staffed with operations, network, systems, and sub-system support specialists
   – Support will be available 24 hours a day and weekends
• Test Coordination Support
   – NG/VITA testing coordination teams will be assigned to each key mainframe using agency
   – Test coordinators will work directly with Agency staff to jointly develop test plans for
     each mainframe application
   – Weekly reporting of testing progress by agency and associated applications will be
     generated and shared with agency managers

• Fallback Contingency
   – RPB processing infrastructure will remain intact for at least 2-3 weeks following the move
     to provide fall-back capability
   – Dual network access environment will remain intact for at least 2-3 weeks following the
     move to provide fall-back capability
• Freeze/limit Hardware/software changes during test/move window





                                Communication Plan
                                    Overview
• Comprehensive CH/COMM Plan to include email communications and supporting
  documentation
• Overview, Kick-Off and monthly meetings with each affected Agency – Start June 7
• Detailed Planning Meetings with Agency Application Teams to develop test scenarios –
  (6/15 – 8/15)
• Checkpoints and signoffs in plan for agreement to start test planning, agreement that
  test plans are complete, application testing is complete and approval is given to move
• Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire
  test window – (7/15 – 10/28)
• Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and
  the Agency
• 24x7 Command Center setup before, during, and post move/cutover
   – Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)
   – Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as
     needed)
   – Representation by Network, Security, Mainframe, Server, Applications, etc.



                    Application Testing Coordination (diagram)

Agencies involved in the isolated test environment work through a Test Coordinator
(an Application Spec and a Network Spec for each agency), who in turn works with the
VITA Test Coordinators for Mainframe, Server, Network and Security.




           Agency Application Test Responsibilities
• Assign dedicated resources and participate in detailed planning process - (starting
  June 15)
   – Assign dedicated resources to participate in the test activities
   – Identify applications that need to be tested in isolated test environment
   – Identify servers in RPB that would need to be included in isolated test environment in CESC to
     enable application testing
   – Provide acceptable dates for tests and cutover
• Responsible for Application Freeze (7/15 – 11/12)
   – Commitment to Break-Fix only during the test window
   – Joint approval (Agency, Current Ops, Transformation, VITA) for any additional changes that
     are required
   – Participation in special CCB process for review of any proposed changes during test window
• Provide isolated test environment at Agency that will connect directly to isolated test
  infrastructure at CESC – (available by 7/15)
   – Dedicated PCs in a training room or test lab recommended
   – Alternate methods for accessing the test environment directly from users' workstations are
     being investigated
• Conduct all application tests – (from 7/15 – 10/28)
• Participate in cutover tests and verify network connectivity




             Test and Move Coordination Roles

Agency    Test Coordinators    Field Operations                 Agency Application
 SBE          Kevin Kelley          Mike Elliott                     Beth Nelson
 DHRM         Kevin Kelley             TBD                          Steven Hastey
 DSS          Kevin Kelley       Wayne Kniceley                      Harry Sutton
 VRS          Kevin Kelley    Donald Garrett (Agency)               Donald Garrett
VADOC         Karen Lusk          Karen Hardwick                    Geoff Lamberta
 DMV          Karen Lusk            Bob Tingle                        Will Burke
 VEC          Karen Lusk         Dave Thompson                      Victoria Caplan
 VDH          Karen Lusk           Kenny White                           TBD
DOA/TRS     Danny Wilmoth         Wendy Hudson                      James Moore
 DPB        Danny Wilmoth           David Allen                    Jowjou Hamilton
 TAX        Danny Wilmoth         Cathy Franklin                         TBD
 SCB        Danny Wilmoth         Richard Walls                     Anne Wilmoth
 SCC        Thomas Williams    Blair Kirtley (Agency)                Blair Kirtley
 VDOT       Thomas Williams         Scot Jones                       Ray Haynes
VDACS       Thomas Williams         Kathy Ange                       Jerry Allgeier








                  Server Transformation and Move
                              Agenda
• Server Transformation Introduction
• Server Move Approach and Test Strategy
• Server Test Objectives
• High level Move and Cutover schedule
• Managing Risk
• Communication Plans
• Agency Responsibilities
• Questions








            Server Move and Test Strategy for CESC
• Virtualize as many servers at RPB as possible to facilitate the move process and reduce risk
• Consolidate multiple SAN/Disk systems at RPB onto a single SAN/Disk Platform
• Replicate the data on this consolidated SAN/Disk system from RPB to CESC
• Replicate RPB Internal Network (LAN) at CESC (~ 280 devices)
• Extend VLANs from current RPB Network Infrastructure to CESC
• Replicate EBARS Backup Environment at CESC
• Servers will be placed in either PODS or Standard Racks at CESC based on specific
  hardware, power, and cooling requirements
• We will maintain the same IP Addresses across the entire Server environment
• A two phased cutover approach will be utilized
   – Phase-1 is the movement of the servers onto an extended VLAN at CESC (located at CESC, but
     still part of the RPB LAN)
   – Phase-2 requires servers be switched from the extended VLAN to the local VLAN at CESC
• Servers will be moved in logical groups, based primarily on agency usage (VDOT, DEQ,
  GOV, etc.)
• Whenever possible Operation and Application Testing will be performed using the virtual
  server infrastructure to replicate systems from RPB to CESC
• In some instances duplicate server hardware will be purchased for CESC to facilitate
  Operation and Application Testing at CESC



                                       RPB to CESC Server Move
                                   Phase-1 : Relocation (diagram)

Current Production Network (RPB Data Center): 6506 Outside Switches and 4507 Campus
Switch; Juniper, PIX and Check Point firewalls; 6509/6506 Core Inside Switches
(PRODUCTION); Server Farm; old SAN/Disk arrays consolidated onto a Shared SAN/DISK at
RPB.

Phase-1: Server VLANs are extended to CESC. Virtual and physical server moves take
place and servers are moved in groups to CESC but are still using the network
infrastructure at RPB. Data is replicated from the shared SAN/Disk at RPB to CESC.

New Production Network (CESC Data Center): new 6506 Outside Switches and new Campus
Switch; new firewalls; new 6506 Core Inside Switches (TEST ONLY); Server Farm; Shared
SAN/DISK.



                                       RPB to CESC Server Move
                                  Phase-2 : Network Swap (diagram)

Current Production Network (RPB Data Center - Offline): the 6506/4507 outside and
campus switches, the Juniper, PIX and Check Point firewalls and the 6509/6506 Core
Inside Switches are OFFLINE; the old SAN/Disk arrays are no longer needed.

Phase-2: The VLAN extensions are dropped. Data replication direction is switched to go
from CESC back to RPB in preparation for DR at SWESC.

New Production Network (CESC Data Center): new 6506 Outside Switches, new Campus
Switch, new firewalls and new 6506 Core Inside Switches (PRODUCTION); servers in the
Server Farm are running at CESC and are now using the full network infrastructure at
CESC; Shared SAN/DISK.




                         Server Test Objectives for CESC

• Operations Testing
   – All systems will Boot and communicate with peripherals
   – Administrative functions (Monitoring and Management) operate as expected
   – Data replication between CESC and RPB functions properly
   – VLAN Extension from RPB to CESC Network (LAN) and Firewalls function properly
   – Print Infrastructure Functions Properly
   – Tape Backup Infrastructure functions properly
   – Control-M Infrastructure functions properly for support of Batch operations
   – Point-to-point connections function properly
• Application Testing
   – Applications will initiate and connect with database(s)
   – Applications will update data and print reports as expected
   – Regression test of all application components on the Mainframe systems
• Network Connectivity Testing
   – External access to Agency locations functions properly
   – Access from RPB to CESC over extended VLAN functions properly





                                  Testing and Cutover Timeline
                                           (Notional)
(Gantt chart covering May 2007 through Nov 2007; the task list is reproduced below.)

ID   Task Name                                      Start       Finish
1    Finalize Rack and Power Requirements           5/15/2007   5/23/2007
2    Obtain additional network hardware for CESC    5/23/2007   7/28/2007
3    Review Plan with Current Operations            5/23/2007   5/31/2007
4    Communication and Review with Agency           6/3/2007    6/28/2007
5    Agency staff on board for review and testing   6/15/2007   8/15/2007
6    VLAN Extension to CESC                         6/3/2007    8/3/2007
7    EBARS standup at CESC                          6/3/2007    8/3/2007
8    SAN Standup at CESC                            6/3/2007    8/3/2007
9    Additional discovery with App Team and CO      6/10/2007   9/17/2007
10   Server Group 1                                 6/10/2007   8/12/2007
11   Server Group 2                                 6/10/2007   8/25/2007
12   Server Group 3                                 6/17/2007   9/3/2007
13   Server Group 4                                 6/17/2007   9/17/2007
14   Server Group 5                                 6/24/2007   10/1/2007
15   Server Group 6                                 6/24/2007   10/15/2007
16   Server Group 7                                 6/24/2007   10/29/2007
17   Final Network Cutover                          11/9/2007   11/12/2007




                        Server Move Group Summary


• Server Group-1 : DFP, DCG, SBE , 25 servers
• Server Group-2 : DEQ, VDH, DPB, DCJS, 83 servers
• Server Group-3 : DGS, 124 servers
• Server Group-4 : GOV, DOF, VDACS, VGIN, 76 servers
• Server Group-5 : TAX, DSS, VEC, 112 servers
• Server Group-6 : VITA Group-1, 132 Servers
• Server Group-7 : VITA Group-2, 132 Servers








                                        Server Move Group Detail

Agency | Isolated | Relo Start     | Relo Complete  | Pod Candidate | Wintel | Wintel Blade | Non-Wintel | RPB Location - Racks | VLAN Information
DFP    | X        | 11-Aug         | 12-Aug         | Y             | 2      | 0            | 0          | 166 | 58
DCG    | X        | 11-Aug         | 12-Aug         | Y             | 4      | 0            | 0          | 160 | 303
SBE    |          | 11-Aug         | 12-Aug         | Y             | 19     | 0            | 0          | 130, 131 | 59, 61
DEQ    | X        | 25-Aug         | 26-Aug         | N             | 7      | 40           | 1          | 68, 70, 72 | 16
VDH    |          | 25-Aug         | 26-Aug         | Y             | 13     | 0            | 0          | 146 | 14
DPB    |          | 25-Aug         | 26-Aug         | N             | 13     | 0            | 0          | 148, 149, 150 | 3, 66
DCJS   |          | 25-Aug         | 26-Aug         | N             | 9      | 0            | 0          | 157, 158, 159 | 10
DGS    | X        | 1-Sep          | 3-Sep          | Y             | 124    | 0            | 0          | 141, 142, 143, 144, 151, 152, 153, 154, 155, 176, 178, 179 | 3, 5, 9, 48
GOV    | X        | 15-Sep         | 16-Sep         | N             | 32     | 0            | 0          | 137, 139, 180 | 52
DOF    |          | 15-Sep         | 16-Sep         | Y             | 3      | 0            | 0          | 172 | 242
VGIN   |          | 15-Sep         | 16-Sep         | Y             | 18     | 0            | 0          | 130, 172 | 242
VDACS  | X        | 15-Sep         | 16-Sep         | N             | 16     | 0            | 7          | 162, 163, 164, 165 | 106
TAX    |          | 6-Oct          | 8-Oct          | N             | 51     | 0            | 16         | 97, 98, 99, 107, 108, 111, 112, 115, 116, 118, 123, 169, 177 | 15, 30, 40
DSS    |          | 6-Oct          | 8-Oct          | Y             | 16     | 0            | 0          | 170, 171 | 155
VEC    |          | 6-Oct          | 8-Oct          | Y             | 28     | 1            | 0          | 103, 104, 105, 106, 181 | 31, 33, 40
VITA   |          | 13-Oct, 27-Oct | 14-Oct, 28-Oct | Both          | 142    | 98           | 24         | 19, 21, 23, 94, 95, 109, 110, 113, 114, 124, 125, 126, 127, 128, 132, 133, 134, 135, 136, 167, 168, 185 | 3, 8, 14, 15, 30, 31, 33, 34, 38, 50, 51, 52, 56, 57, 59, 61, 63, 90, 97, 101, 103, 109, 115, 120, 121, 153, 155, 156, 157, 158, 159, 160, 161, 162, 163, 230, 234, 242, 247, 990, 993, 994, 995, 998
Total  |          |                |                |               | 497    | 139          | 48         | |




                     Server Move Risk Mitigation
• VLAN Extensions
   – Minimizes level of network and security changes required for the move to CESC
   – Allows NG and the Agency to stage and pre-test selected Dev and/or Test servers PRIOR to
     moving production systems
• Migration of Current Systems
   – Minimizes level of system changes required for the move to CESC
   – Minimizes complexity of having to re-rack systems
   – All required cables (Network, SAN, etc) can be pre-installed and tested prior to moving the
     systems to CESC
• System Virtualization
   – Provides enhanced pre-move testing capabilities
   – Minimizes system/application downtime during the move to CESC
   – Provides quick, easy fall-back








                     Server Move Risk Mitigation
                                         (continued)

• Stand-by Hardware
   – Mission Critical application hardware can be made available if hardware problems arise due
     to move related issues
       • Tax related HP-UX hardware is an example of some of the systems that are being
         considered for stand-by hardware
   – Any x86 server can have a stand-by virtual server in-place at both data center locations

• Move Specialists
   – All system packaging, pre and post move verifications will be performed by hardware vendor
     Customer Engineers
        • Customer Engineers (CEs) are the vendor employees who are dispatched to diagnose
          and resolve hardware related issues as part of warranty and maintenance support
          services
   – Representatives for each vendor will be either on-site or on-standby

• Move VITA last so that server move process is refined with smaller move groups







                                Communication Plan
                                    Overview
• Comprehensive CH/COMM Plan to include email communications and supporting
  documentation
• Overview, Kick-Off and monthly meetings with each affected Agency – Start June 7
• Detailed Planning Meetings with Agency Application Teams to develop test scenarios –
  (6/15 – 8/15)
• Checkpoints and signoffs in plan for agreement to start test planning, agreement that
  test plans are complete, application testing is complete and approval is given to move
• Detailed weekly status reviews with all Agency/VITA Test Teams throughout the entire
  test window – (7/15 – 10/28)
• Dedicated Test Coordinators from the Transformation Team, Current Ops Team, and
  the Agency
• 24x7 Command Center setup before, during, and post move/cutover
   – Multiple locations linked by phone and/or video conferencing (Agency, RPB, CESC)
   – Participation by Agency Application staff, Current Ops, VITA, Transformation, and Vendors (as
     needed)
   – Representation by Network, Security, Mainframe, Server, Applications, etc.




            Agency Application Test Responsibilities
• Participate in Planning Process
   – Identify applications that need to be tested on each server
   – Provide acceptable dates for tests and cutover and confirm downtime windows

• Provide Agency resources to participate in application testing pre-move as well as
  during the actual cutover
• Prepare test scripts and desired test results for application tests
• Conduct application tests for validation of the move
• Participate in cutover tests and verify network connectivity
• Agency acceptance sign off








               Test and Move Coordination Roles

Agency | Tentative Relocation Weekend | Transformation | Current Operations | Agency Application Team | Primary HP Assignee | Secondary HP Assignee
SBE    | 11-Aug         | Bob Reviea     | Mike Elliott    | TBD | Tao Tao      | Terry Miller
VDFP   | 11-Aug         | Brian Welliver | TBD             | TBD | Terry Miller | Tom Springer
DCG    | 11-Aug         | Don Morgon     | TBD             | TBD | Tom Springer | Tao Tao
DEQ    | 25-Aug         | Brian Welliver | Dan Gayk        | TBD | Terry Miller | Tom Springer
VDH    | 25-Aug         | Don Morgon     | Kenny White     | TBD | Tom Springer | Terry Miller
DCJS   | 25-Aug         | Bob Reviea     | TBD             | TBD | Tao Tao      | Tom Springer
DPB    | 25-Aug         | Bob Reviea     | TBD             | TBD | Tao Tao      | Terry Miller
DGS    | 1-Sep          | Don Morgon     | Barbara Garnett | TBD | Tom Springer | Tao Tao
GOV    | 17-Sep         | Bob Reviea     | Barbara Garnett | TBD | Tao Tao      | Terry Miller
DOF    | 17-Sep         | Brian Welliver | TBD             | TBD | Terry Miller | Tom Springer
VDACS  | 17-Sep         | Don Morgon     | Brenda Richart  | TBD | Tom Springer | Tao Tao
VEC    | 17-Sep         | Brian Welliver | Brenda Richart  | TBD | Terry Miller | Tom Springer
TAX    | 6-Oct          | Bob Reviea     | Cathie Franklin | TBD | Tao Tao      | Tom Springer
VGIN   | 6-Oct          | Don Morgon     | TBD             | TBD | Tom Springer | Terry Miller
DSS    | 6-Oct          | Brian Welliver | Mike Elliott    | TBD | Terry Miller | Tao Tao
VITA   | 13-Oct, 27-Oct | TBD            | Dave Matthews   | TBD | John Sewell  | Jeff Flanigan
VITA IT Security Technical
Documentation
                        Craig Luka
                        Security Analyst

                        Northrop Grumman, VITA IT Security
                        June 14th, 2007




www.vita.virginia.gov                        expect the best
Overview
• What documentation has been developed?
    – Enterprise Infrastructure Security Practices
    – Security Practices Self Assessment
• Why?
    – Define baseline security practices for
      customer-based staff
    – COV ITRM Standard SEC501-01 compliance
    – Document current Agency security practices
      and develop SEC501-01 Gap Analyses.
    – Reduce risk of unfavorable audit findings
Documentation Architecture
• Documentation Framework
    – Security practices document has been
      developed on industry best practices (SANS,
      NIST, Center For Internet Security)
    – All SEC501-01 requirements from the technical
      requirements matrix are accounted for in the
      security practices document
    – Self Assessment maps each SEC501-01
      requirement to a set of security practices
        • Serves as a cross reference between SEC501-01 and
          newly developed Enterprise Security Practices.

Workflow and Routing
• Document Distribution
    – EISP and self assessment are delivered to
      Regional Service Directors (RSDs)
    – RSDs deliver documents to Agency-based
      Service Level Directors (SLDs)
    – Customer-based technical staff and SLDs
      complete the self assessment
    – Completed self assessments are returned to
      EISP team for quality assurance review
    – Final documentation is delivered to Agency
      ISOs and reports are delivered to the CISO
Timeframe
• June 1st: Documents delivered to RSDs
• June 4th: RSDs deliver to SLDs and
  work begins on the self assessments
• June 4th – June 29th: Self assessment
  submitters complete assessment and work
  with EISP team as needed for clarification
• June 29th: All assessments completed,
  reviewed and delivered to respective
  Agency ISOs.

What to Expect
• The EISP team will work with customer-
  based staff and SLDs as needed to assist
  in assessment completion
• Any clarifications or enhancements
  discovered while assessments are being
  completed will be added to the EISP and
  self assessment documents
• Agency ISOs will receive a copy of the
  EISP document and their Agency’s
  completed self assessment on June 29th
Questions?
COV IT Security Standard
Compliance –
  ISO Appointments & IT Security Audits
                        Ed Miller




Appointment of an Information
       Security Officer

   The IT Security Policy (ITRM
    SEC500-02) requirement to
  appoint an Information Security
           Officer (ISO)


  ISO Designation Requirement
ITRM SEC500-02 requires each Agency Head to
  “designate via e-mail…an ISO (Information
  Security Officer) for the Agency and provide
  the person’s name, title and contact
  information to VITA no less than biennially.
  The Agency Head is strongly encouraged to
  designate at least one backup for the ISO, as
  well”
  Send via e-mail to: VITASecurityServices@Vita.Virginia.Gov
  Must either be from the Agency Head or have the Agency Head copied (cc:)
List of Confirmed ISOs
• Accountancy, Board of
• Aging, Department for the
• Agriculture and Consumer Services, Department of
• Business Assistance, Virginia Department of
• Center for Behavioral Rehab
• Center for Innovative Technology
• Christopher Newport University
• Conservation and Recreation, Department of
• Correctional Education, Department of
• Corrections, Department of
• Department of Charitable Gaming
• Department of Forensic Sciences
• Economic Development Partnership, Virginia
• Elections, State Board of
• Employment Dispute Resolution, Department of
• Environmental Quality, Department of
• Fire Programs, Department of
• Forestry, Department of
• Frontier Culture Museum of Virginia
• Game and Inland Fisheries, Department of
• Governor, Office of the
• Health Professions, Department of
• Human Resource Management, Department of
• James Madison University
• Juvenile Justice, Department of
• Library of Virginia, The
• Longwood University
• Mary Washington University
• Medical Assistance Services, Department of
• Mental Health, Mental Retardation & Substance Abuse Svcs, Department of
• Mines, Minerals and Energy, Department of
• Minority Business Enterprise, Department of
• Motor Vehicle Dealer Board
• Motor Vehicles, Department of
• Museum of Fine Arts, Virginia
• Museum of Natural History, Virginia
• Old Dominion University
• Professional & Occupational Regulation, Department of
• Racing Commission, Virginia
• Rail and Public Transportation, Department of
• Science Museum of Virginia
• Social Services, Department of
• State Police, Department of
• Tourism Commission, Virginia
• Transportation, Department of
• Virginia Commonwealth University
• Virginia Information Technologies Agency

IT Security Audit Plan

The IT Security Audit Standard (ITRM SEC502-00) requirement to submit an
annual IT security "audit plan" to the CISO beginning February 1, 2007.

IT Security Audit Plan
• The IT Security Audit Plan should identify all sensitive system(s), the planned
  date of the audit(s) and the planned auditor for the audit(s).

• Each sensitive system must be audited at a frequency relative to its risk, or
  at least once every 3 years.

• There is a template that can be used by the agency to record this information
  on the VITA web at:
  http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityAuditPlanTemplate.doc

Exception Request
• If your agency cannot submit its IT Security Audit Plan, the Agency must submit
  an Exception Request for an extension of time in order to comply. The Exception
  Request must be approved by the Agency Head and sent to the CISO for review and
  approval.

• The IT Security Policy and Standard Exception Request form is on the VITA web at:
  http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc

No Sensitive Systems?
• In addition, there may be some agencies that do not classify any of their
  databases or systems as "sensitive". Under the requirements of SEC502-00, they
  do not have to submit an audit plan. However, to ensure that we are not missing
  any sensitive systems, we would like any Agency making that assertion to please
  notify us by email to vitasecurityservices.com that they will not be submitting
  an audit plan for that reason.

Agencies w/Audit Plans or Extensions
• Board of Accountancy
• Center for the Innovative Technology
• Christopher Newport University
• Department of Employment Dispute Resolution
• Department for the Aging
• Department of Agriculture and Consumer Services
• Department of Alcoholic Beverage Control
• Department of Conservation and Recreation
• Department of Corrections
• Department of Education
• Department of Environmental Quality
• Department of Fine Arts
• Department of Forensic Sciences
• Department of General Services
• Department of Health
• Department of Health Professions
• Department of Housing and Community Development
• Department of Human Resource Management
• Department of Juvenile Justice
• Department of Medical Assistance Services
• Department of Mental Health, Mental Retardation & Substance Abuse
• Department of Mines, Mineral, and Energy
• Department of Motor Vehicles
• Department of Planning and Budget
• Department of Professional & Occupational Regulation
• Department of Rail and Public Transportation
• Department of Rehabilitative Services
• Department of Social Services
• Department of State Police
• Department of Taxation
• Department of the Treasury
• Department of Transportation
• George Mason University
• James Madison University
• Jamestown-Yorktown Foundation
• Longwood University
• Mary Washington University
• Office of the Governor
• Old Dominion University
• Radford University
• Richard Bland College
• State Compensation Board
• State Board of Elections
• State Council of Higher Education for Virginia
• University of Virginia Commonwealth
• Virginia Board for People with Rehabilitative Services
• Virginia Department for the Blind and Vision Impaired
• Virginia Department for the Deaf and Hard of hearing
• Virginia Employment Commission
• Virginia Information Technologies Agency
• Virginia Racing Commission
• Virginia State University

Where to find Policies/Templates/Forms
• Go to the VITA Website: www.vita.virginia.gov
• Click Security and then Policies and Procedures:
  http://www.vita.virginia.gov/docs/psg.cfm#securityPSGs

COV Information Technology Security Policy, Standards and Guidelines

Cathie Brown, CISM, CISSP

 Compliance: IT Security Policy & Standard
July 1, 2007 Compliance Date
• Key Steps to Compliance include:
  –   Designate an ISO
  –   Inventory all systems
  –   Perform Risk Assessment on sensitive systems
  –   Perform Security Audits on sensitive systems
  –   Document and exercise Contingency & DR Plans
  –   Implement IT systems security standards
  –   Document formal account management practices
  –   Define appropriate data protection practices
  –   Establish Security Awareness & Acceptable Use policies
  –   Safeguard physical facilities
  –   Report & Respond to IT Security Incidents
  –   Implement IT Asset Controls
Exception Request
• If your agency cannot comply by the July 1, 2007 compliance date, the Agency
  must submit an Exception Request for an extension of time. The Exception
  Request must be approved by the Agency Head and sent to the CISO for review
  and approval.

• The IT Security Policy and Standard Exception Request form is on the VITA web at:
  http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc

Status Update
• Revised IT Security Policy & Standard
  – End date for ORCA Comments – 6/13

• IT Standard Use of Non-Commonwealth Computing Devices to Telework (ITRM SEC511-00)
  – New COV Standard
  – End date for ORCA Comments – 6/13

• IT Threat Management Guideline
  – Comments have been addressed
  – Publish by June 29, 2007

New! Data Breach Notification
Included in Revised IT Security Policy and Standard:
• Data Breach Notification Requirements:

   – Each agency will identify systems that contain PII (Personally
     Identifiable Information)

   – Include provisions in any third party contracts requiring that
     the third party & third party subcontractors provide immediate
     notification of suspected breaches

   – Provide appropriate notice to affected individuals upon the
     unauthorized release of any unencrypted PII by any
     mechanism (laptop, desktop, tablet, CD, DVD, etc.)
Revisions - IT Security Policy & Std
• Highlights
  – Expanded scope to include Legislative, Judicial,
    Independent and Higher Education
  – System Security Plans for sensitive systems
  – Additional considerations for account management
  – Additional considerations for protection of data on
    mobile storage media including encryption
  – Additional requirements for specialized IT security
    training
  – Data Breach Notification
• Compliance date – 1/01/2008
New! IT Std Using Non-COV Devices to Telework
• Purpose
   – Establish a standard to protect COV data while teleworking
     with Non-COV Devices
• Acceptable Solutions
   – Standalone Computer
   – Internet Access to Web-Based Applications
   – Internet Access to Remote Desktop Applications
• Requirements
   – Storing COV data on a non-COV device is prohibited
   – Network traffic containing sensitive data must be encrypted
   – Provide training on remote access policies
• Security Incident Response
   – Non-COV device may be required during forensics or
     investigation of a Security Incident
   – Acknowledgement form signed
IT Threat Management Guideline
• Highlights
  – IT Security Threat Detection
  – IT Security Incident Management
  – IT Security Monitoring and Logging
  – Example: Recording and Reporting Procedure
  – Example: Internal Incident Handling Procedure

QUESTIONS
Information Risk Executive Council

Cathie Brown, CISM, CISSP

Reminder – IREC Resource Available
• Information Risk Executive Council
  – Unlimited access to the following services
     • Strategic Research and Tools
     • Benchmarking and Diagnostic Tools
     • Teleconferences
• To register
  – https://www.irec.executiveboard.com/Public/Register.aspx
• For questions or problems, please contact:
  – Jennifer Smith
    Account Manager, CIO Executive Board
    Corporate Executive Board
    2000 Pennsylvania Avenue, NW
    Washington, DC 20006
  – 202-587-3601 jsmith@executiveboard.com
QUESTIONS
Upcoming Events

Peggy Ward

UPCOMING EVENTS!
ISOAG MEETING DATES
Wednesday, July 11, 2007, 1:00 - 4:00

Tentative Agenda Items:
• E-Discovery – OAG
• VITA transformed IT Infrastructure Architecture – Linda Smith
• NG IS Policy, Standards & Guidelines Update – Cathie Brown
• VITA IS Council Committee Updates – Committee Chairs

UPCOMING EVENTS!
VITA OFFICES MOVE
Friday July 27, 2007

CAMS will move to 411 E. Franklin

Any Other Business?

ADJOURN

THANK YOU FOR YOUR TIME AND THOUGHTS!!!