Encryption Policy Session
August 2, 2007
Karen Sorady
NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC)

Agenda
- Background
- Anatomy of a Recent Breach
- Policy
- Standard
- Federal Data at Rest Awards

Background
- Over 200 million personal records breached in the US since 2004 (70 million in 2007 alone)
- NYS Internet Security and Privacy Act – August 2005
- NYS Cyber Citizen's Notification Policy – December 2005
  – Since then, over 3 million records breached in NYS
- CSCIC Internal Directive on Personal, Private and Sensitive Information (PPSI) – July 2006
- Revised Cyber Security Policy / New Standard – August 1, 2007

Anatomy of a Recent Breach
- Ohio had a longstanding practice of allowing employees to take backup devices home as part of its contingency plan
- In June 2007, a backup device was stolen from an intern's unlocked car
- PPSI for over half a million taxpayers put at risk:
  – 72,000 current and former state employees
  – 584,000 individuals with uncashed refund checks
  – 600 lottery winners with uncashed tickets
  – 2,500 individuals with unclaimed funds

Anatomy of a Recent Breach (continued)
- Other information compromised:
  – Names and case numbers for 84,000 welfare recipients
  – Tax ID numbers of 87,000 vendors
  – Names and bank account numbers on up to 1,000 failed electronic bank transfers
- Jobs were lost
- Cost to the State of Ohio estimated at over $2 million
- In response, Governor Strickland issued an Executive Order requiring development of a statewide encryption protocol for Ohio

General Policy Changes
- Added responsibility for the State Entity (SE) to communicate policy requirements to third parties and to address those requirements in third-party agreements
- Introduced Personal, Private and Sensitive Information (PPSI)
- Date for submission of the annual Executive Management compliance certification changed from 4/1 to 12/31

Cryptographic Controls Policy Statement
- Encryption is just one layer of security
- Risk assessment will determine the proper level of protection necessary
- Longer key lengths = stronger encryption (within a given algorithm)
- Agencies must weigh the benefits of stand-alone vs. enterprise encryption
- Attention must be given to regulations and national restrictions that may apply

NEW Cryptographic Controls Standard – Data in Transit
- Encryption required when data is in transit over SE wireless networks used to access SE internal networks
- Encryption required when accessing SE data remotely from a shared network, including:
  – Connections between agencies over the Internet or NYeNET
  – Connections from a Bluetooth device to an agency PDA/cell phone

NEW Cryptographic Controls Standard – Data at Rest
- Full disk encryption (FDE) of ALL laptops accessing or containing SE information
- Encryption for ALL PDAs
- Encryption for ALL USB storage devices
- Encryption for removable storage devices when they contain PPSI and are not in an approved storage facility
  – Executive Management exemption allowed for tapes

NEW Cryptographic Controls Standard (continued)
- Encryption used must be FIPS 140 validated (http://csrc.nist.gov/cryptval/)
- FDE must use pre-boot authentication
- SE must inventory encrypted devices and validate the implementation of the encryption product

Key Management Policy / NEW Standard
- Unencrypted keys must not be stored with the encrypted data
- Protect encryption keys with a passphrase of at least 15 characters, unless the product provides:
  – Multifactor protection
  – Automatic deletion after 10 or fewer failed login attempts
  – A remote erase feature
- A compromise requires generation of a new key
- Maintain keys and encryption software for the life of the encrypted archive

Compliance Requirements
- Required as soon as possible, and no later than December 31, 2008
- Reportable item on the Gap Analysis spreadsheet
- CSCIC will ask for more detailed periodic status reports on progress

Federal Data at Rest (DAR) Agreements
- April 2007: the Federal government issued an RFQ for encryption hardware and/or software
- 103 technical/functional requirements
- May 2007: State and local governments added to the procurement
- Historic: the first time vendors must give us the same terms and conditions as the Feds
- Potential for excellent pricing considering the potential volume

Support from the Top
"By working with the federal government to protect this important information we have the ability to add another layer of protection to New York's cyber security program, in an extremely cost-effective way."
- Governor Eliot Spitzer

Federal Data at Rest (DAR) Awards

Reseller                    Publisher                          FDE/FES
INTELLIGENT DECISIONS INC   CREDANT Technologies Inc           FES
HI TECH SERVICE INC         Encryption Solutions Inc           FES
MERLIN INTERNATIONAL INC    GuardianEdge Technologies Inc      FDE
CARAHSOFT TECHNOLOGY CORP   Information Security Corporation   FES
MTM TECHNOLOGIES INC.       Mobile Armor LLC                   FDE
IMMIX TECHNOLOGIES          Pointsec/Checkpoint                FDE
ROCKY MOUNTAIN RAM LLC      Safeboot Mobile Data Security      FDE/FES
SPECTRUM SYSTEMS INC        Safeboot Corp                      FDE/FES
SAFENET INC                 SafeNet Inc                        FDE
AUTONOMIC RESOURCES         SPYRUS Inc & WinMagic Inc          FDE/FES
GOVBUYS INC                 WinMagic Inc                       FDE/FES

Representative Pricing (License – PC)
Per-license price by quantity tier (number of licenses purchased)

Product                                      10K       33K       100K
GuardianEdge Encryption Anywhere Hard Disk   $44.36    $38.81    $25.88
Pointsec for PC                              $81.03    $49.50    $33.00
Safeboot Device/Content Encryption           $19.00    $14.00    $6.00
WinMagic SecureDoc*                          $54.84    $44.03    $30.02
*Pricing includes server component

Representative Pricing (License – Removable Media)
Per-license price by quantity tier

Product                                              10K       33K       100K
GuardianEdge Encryption Plus Anywhere Removable Storage   $12.67    $11.09    $7.39
Pointsec Media Encryption                            $16.39    $11.00    $8.25
Safeboot Port Control                                $10.00    $6.00     $2.00
WinMagic SecureDoc RME                               Bundled pricing given; unable to determine individual pricing

Representative Pricing (Maintenance)
Per-license price by quantity tier

Product                                      10K       33K       100K
GuardianEdge Encryption Anywhere Hard Disk   $10.73    $9.39     $6.26
Pointsec for PC                              $16.73    $7.43     $4.95
Safeboot Device/Content Encryption           $3.99     $3.00     $1.50
WinMagic SecureDoc*                          $10.97    $8.81     $6.00
*Pricing includes server component

Our Goal
Our goal is to maximize the number of agencies buying the same product to achieve the greatest discount.
Aggregate Buy Example

INDIVIDUAL PURCHASES
            #        Unit Cost   Total Cost
Agency A    500      $108.90     $54,450.00
Agency B    1,000    $99.00      $99,000.00
Agency C    3,000    $92.70      $278,100.00
Subtotal                         $431,550.00
Federal     29,000   $75.57      $2,191,530.00

STATE AGGREGATE BUY
            #        Unit Cost   Total Cost      Savings
Agency A    500      $92.70      $46,350.00      $8,100.00
Agency B    1,000    $92.70      $92,700.00      $6,300.00
Agency C    3,000    $92.70      $278,100.00     $0.00
Subtotal    4,500                $417,150.00     $14,400.00

FEDERAL AGGREGATE BUY
            #        Unit Cost   Total Cost      Savings
Agency A    500      $49.50      $24,750.00      $29,700.00
Agency B    1,000    $49.50      $49,500.00      $49,500.00
Agency C    3,000    $49.50      $148,500.00     $129,600.00
Subtotal                         $222,750.00     $208,800.00
Federal     29,000   $49.50      $1,435,500.00   $756,030.00
Total       33,500                               $964,830.00

Savings in both aggregate-buy tables are measured against the individual-purchase totals. The combined state and federal volume (33,500 licenses) reaches the 33K price tier ($49.50 per license for Pointsec for PC).

Using Pointsec pricing from NYS OGS Contract PT55645 and Federal BPA FA8771-07-A-0307

Next Steps
- CSCIC is working with OGS to put the DAR contracts on State contract.
- CSCIC is working to coordinate an aggregate buy.
- Commitment (including product and number of licenses) is needed from the agency purchasing authority to participate in the aggregate buy.

Additional Information
- http://www.esi.mil
- http://www.gsa.gov/smartbuy
- http://www.msisac.org

THANK YOU!