ADE Data Security Initiatives

1
ADE Data Security Initiatives
By Donald Houde Chief Information
Officer donald.houde_at_azed.gov April 22nd, 2008
2
Why is the ADE so focused upon security and data
access management?

• To earn the trust of ADEs data providers.
• To assure that ADEs data security strategy
  supports the larger goals surrounding educational
  stakeholder privacy.
• To assure that Arizonas education information
  consumers are securely provisioned the data they
  are authorized to view or manipulate.
• To accurately monitor data access and usage.
• To mitigate risks associated with potential data
  compromise (i.e. FBI warning of hacker
  threatening to expose school
• districts insecure environments by exploiting
  infrastructure holes).

3
Why is the ADE so focused upon security and data
access management? cont.

• FERPA/HIPPA and, if student access is granted,
  CIPA (Childrens Internet Protection Act)
  compliance.
• Arizonas auditor generals office conducted a
  nine month long Agency Information Technology
  that included a KPMG application penetration
  audit.
• Arizonas adoption of Sarbanes/Oxley like model
  stipulating agency executives personal civil and
  criminal liability model for data loss or
  compromise.

4
What are many of the assumptions associated with
ADEs data securitization policies and
implementation strategy?

• Our highest risk comes from within an
  organization
• Automated solutions securitization is not a one
  time event
• Data security and access controls are like SLDS
  in the fact that success is not purely contingent
  upon technical solutionsit requires executive
  sponsorship, organizational alignment and
  cultural support
• Manage resistance to change
• Organizational Development
• How to get stakeholders to make data security a
  priority
• Requires strict understanding of organizational
  data flow, work flow (as it relates to data) and
  process controls
• Dependant upon technology stack and architecture

5
What are ADEs goals associated with data
security managed access control?

• To design and implement a data securitization
  strategy that
• Will result in a robust Single Sign-on identity
  management system that insures security policy
  compliance by leveraging the standards
  associated with Lightweight Directory Access
  (network) Protocol (LDAP) over TCP/IP
• Provides the highest level of data securitization
  without prohibiting the Arizona educational
  stakeholder community from their authorized
  actionable data.
• Is designed with the agility to adapt to changing
  requirements.
• Provides native logging and auditability.
• Is tightly integrated with data governance
  policies, procedures and best practices including
  ADEs restricted data use licensing procedures.

6
What are ADEs goals associated with data
security managed access control? cont.

• To design and implement a data securitization
  strategy that
• Is created to secure both data at-rest and data
  in-flight
• Is tightly integrated with ADE communications
  solutions.
• Minimizes the risk of exposure to the top
  security holes delineated by OWASP (Open Web
  Application Security Project)
• Cross Site Scripting Injection Flaws,
• Improper error handling (information leakage)
• Session management issues (authentication
  credentials, cookies)
• URL system by-pass issues
• Malicious File Execution
• Denial of Service attacks, etc.

7
What are ADEs goals associated with data
security managed access control?cont.

• To design and implement a data securitization
  strategy that
• Integrates with ADEs overall incident reporting
  system.
• When appropriate, integrates with ADEs DR/COOP
  (disaster recovery and continuity of operations)
  communications plan.
• Stratifies ADE owned/stewarded data including a
  privacy context.
• Engages ADEs internal divisions, LEAs and other
  Arizona state agencies through strategic security
  partnerships.
• Defines acceptable service levels and metrics
  that measures ADEs data privacy/security
  success.

8
How is ADE addressingdata security challenges?

• ADE IT created a security section and hired an
  Information Security Officer (ISO)
• Create a security program including
• Defining and communicating expectations Create
  communicate security privacy related
  guidelines and security awareness program.
• Monitoring for Compliance - The ISO will be
  responsible for ensuring compliance with the
  Security Program. This includes conducting
  security assessments and audits.
• Measuring Effectiveness and Continuous
  Improvement - The ISO will be responsible for
  measuring the effectiveness of the Security
  Program. This will be accomplished through the
  use of various metrics. The ISO will deliver
  regular reports to the CIO, Management Team and
  Executive Team. The ISO will also conduct an
  annual risk assessment.
• Created a security governance plan that details
  the policies and procedures required to implement
  the security program.

9
How is ADE addressingdata security challenges?

• ADE has reorganized IT by sections balancing the
  data governance and technical disciplines.
• Implemented an enterprise virus/trojan
  horse/malicious file execution aversion strategy.
• Embarked on a 60 day development moratorium where
  all of IT resources were reallocated to address
  and resolve the issues surrounding OWASP
  application and data securitization issues.
• Developed enterprise security and data access
  modules.
• Implemented an enterprise network intrusion
  prevention systems (IPS/IDS).
• Re-architected ADEs network infrastructure to
  create a DMZ.

10
How is ADE addressingdata security challenges?
cont.

• Implemented a secure FTPS (FTP/SSL), SFTP/SSH
  (secure shell for point-to-point data exchange),
  https (secure HTTP) and Web Services (SOA) for
  data in-flight processes.
• End User Security Policies Procedures
• Thumb drive encryption policies
• Local disk encryption policies
• Laptop/tablet PC utilization policies
• Acquired, deployed and trained QA staff on
  Webinspect a web based application penetration
  testing tool.
• Began creation, documentation and implementation
  of new formalized security policies and processes
  related to implementation of defined best
  practices, application upgrades, network
  restructuring and system hardening.

11
How is ADE addressingdata security challenges?
cont.

• Defined ADEs SSO functional and systems
  requirements while commencing the process of
  upgrading our existing roles based authentication
  system to address the SSOs requirements.
• Implemented Microsoft Operations Monitor (MOM) to
  monitor operational infrastructure processes and
  access.
• Updated user password policies and procedures.
• Created formalized restricted data access
  policies (specified period, use, scope, etc.)
  with a pre-authorization mindset for restricted
  data access.
• Design data warehouse security at the data
  element level.

12
How is ADE addressingdata security challenges?
cont.

• Leading state wide committee focused on secure
  data archival, disaster recovery and COOP
  (continuity of operations) requirements.
• ITIL (Integrating Information Technology
  Infrastructure Library) service/operational and
  some COBIT (Control Objectives for Information
  and related technology) processes related to
  managing data usage and monitoring.

13
Questions?

? Thank you! donald.houde_at_azed.gov