Commonwealth Information Security Officers Advisory Group (ISOAG) Meeting - PowerPoint PPT Presentation

Slides: 116
Provided by: bsch94
1
Commonwealth Information Security Officers
Advisory Group (ISOAG) Meeting
  • JUNE 14, 2007

www.vita.virginia
2
WELCOME
  • Peggy Ward, VITA

3
Happy Flag Day!

4
ISOAG June 2007 Agenda
  • I. Welcome - Peggy Ward, VITA
  • II. InfraGard - Melissa McRae and Melissa Schuler, F.B.I.
  • III. Encryption Service Offering - John Kissel, VITA
  • IV. Commonwealth Information Security Council Update!
    • Encryption Committee - Steve Werby
    • Making Security an Executive Management Priority - John Karabaic
    • Small Agency Outreach - John Jenkins
    • Identity and Access Management - Patricia Paquette
  • V. RPB Data Center Move - Larry Ellison, NG
  • VI. VITA IT Security Standard Technical Documentation - Craig Luka, NG
  • VII. COV IT Security Standard Compliance Update - Ed Miller, VITA

5
InfraGard Program: Public and Private Sector
Alliance Protecting our Critical Infrastructure
6
A Brief History
  • In 1996, the FBI Cleveland Field Office launched a
    cyber-focused industry outreach initiative.
  • In 1998, the FBI adopted the InfraGard program
    for NIPC private sector outreach.
  • In 2003, the FBI Cyber Division was established
    and DHS was formed, taking over the NIPC mission.
  • Today, InfraGard is the FBI's lead private and
    public sector information sharing tool.

18,645 Members
7
National Critical Infrastructures
"Critical infrastructures are those physical and
cyber-based systems essential to the minimum
operations of the economy and government. These
systems are so vital, that their incapacity or
destruction would have a debilitating impact on
the defense or economic security of the United
States." - William J. Clinton, 1998
Agriculture
Banking/Finance
Defense
Chemical
Computer Security
Emergency Service
Energy
Food
Postal/Shipping
Public Health
Telecommunication
Water Supply
Transportation
9
Cyber Attack Cost Means
[Chart: timeline of cyber attack cost from 1945 to today]
10
The CyberWorld Today
Cyber Attacks
  • Immediately follow or occur in conjunction with
    physical world events
  • Becoming more coordinated and politically
    motivated
  • Don't care about being detected or traced

11
Potential Sources of Attacks
  • Terrorist Groups
  • Targeted Nation-States
  • Terrorist Sympathizers and Anti-U.S. Hackers
  • Thrill Seekers
  • U.S. Hackers who need resources

12
Cyber Threats
  • Unstructured Threats
    • Insiders
    • Recreational Hackers
  • Structured Threats
    • Organized Crime
    • Industrial Espionage
  • National Security Threats
    • Intelligence Agencies
    • Information Warfare
    • Terrorists

13
InfraGard Benefits FBI Program vs Private Sector
Benefits
  • Industry sector Subject Matter Experts
  • Initiation of new investigations
  • Early indication of sector specific attacks
  • Avenue to obtain feedback on intelligence
  • Ability to identify significant crime problems
  • Trusted membership and Network of professionals
  • Timely/Non-public Intelligence Products
  • Secure forum to share information and discuss
    issues.
  • Avenue to provide positive intelligence
  • Ongoing relationship with the FBI

Also, It is FREE!
14
InfraGard VPN Home Page (Graphic Unavailable for On-line Participants)
15
InfraGard VPN Alerts and Advisories (Graphic Unavailable for On-line Participants)
16
InfraGard VPN Specific Critical Infrastructure Articles (Graphic Unavailable for On-line Participants)
17
InfraGard VPN IT Telecommunication Sector (Graphic Unavailable for On-line Participants)
18
InfraGard VPN IT Telecommunication Sector Computer Security Articles (Graphic Unavailable for On-line Participants)
19
InfraGard VPN IT Telecommunication Sector Cyber Threat Media Highlights (Graphic Unavailable for On-line Participants)
20
InfraGard VPN Message Board (Graphic Unavailable for On-line Participants)
21
InfraGard VPN Message Board Topic: Computer Security (Graphic Unavailable for On-line Participants)
22
InfraGard VPN Resource Page (DHS Open Source Reports, Presentations, etc.) (Graphic Unavailable for On-line Participants)
23
InfraGard VPN DHS Daily Reports Page (Graphic Unavailable for On-line Participants)
24
Other Features
  • Special Interest Groups, e.g. Research and
    Technology
  • Partnerships, e.g. NIST and SBA
  • Quarterly Meetings with valuable speakers
  • Ability to Participate in FBI Citizens Academy

25
  • InfraGard VPN - Special Interest Groups (Graphic
    Unavailable for On-line Participants)
    • Research and Technology InfraGard
    • Food/Agriculture InfraGard
    • Chemical InfraGard

26
InfraGard VPN Research and Technology InfraGard (Graphic Unavailable for On-line Participants)
27
SBA/NIST/FBI
  • Partnership between
    • FBI
    • Small Business Administration (SBA) - assist
      small businesses
    • National Institute of Standards and Technology
      (NIST) - World leader in Information Security
      Guidelines
  • Goal
    • Provide Security Workshops poised to deliver
      information security training to the small
      business community like no other.

28
How you can help as IT Security Professionals
  • Develop and implement security policies and
    procedures.
  • Know what you want to protect, and who will do
    it.
  • Build some walls
  • Create a perimeter and guard it (routers,
    firewalls, IDS). Then, check the guards (audit
    policy).
  • Educate your users.
  • The importance of security (personal and corporate
    data), strong passwords, encryption, etc.

29
How you can help (Contd)
  • Banners
  • Put people on notice. You ARE watching!
  • Employee Agreements
  • Then
  • LOG, LOG, LOG!
  • MONITOR, MONITOR, MONITOR!
  • TEST, TEST, TEST!

30
OK, the Policies are in Place, the Perimeter is
Built, and the Network is Secure!
But...
  • What If They Sneak Through?

31
If They Sneak Through
  • Respond quickly and without fail.
  • Have key response personnel predetermined.
  • Consider content monitoring of the attack.
  • Backups
  • Create backups of altered/damaged files, LOGS.
  • Secure backups of original state
  • Determine the cost of the attack.
  • Repairs, replacement, personnel, consultants,
    lost business.

Consider contacting the FBI
32
Intrusion cases are already won or lost long
before law enforcement arrives
33
Making the Right Investment
[Diagram: Protection Costs versus Potential Loss]
34
What the FBI can Do
  • Combine technical skills and investigative
    experience
  • Provide national and global coverage
  • Provide long-term commitment of resources.
  • Apply more traditional investigative techniques
  • Perform pattern analysis
  • Integrate law enforcement and national security
    concerns.
  • Establish a deterrent effect, even if the
    hacker/intruder is not prosecuted

CYBER CRIME IS THE FBI'S #3 PRIORITY
35
www.InfraGard.net
36
  • Federal Bureau of Investigation
  • Richmond, Virginia
  • (804) 261-1044
  • www.InfraGard.net

37
PC Hard drive Encryption Rated Service Price
Offering
John Kissel, VITA June 14, 2007
38
Agenda
  • Review
  • Service Offering Rate
  • Product Feature Summary
  • Preliminary Configuration settings
  • Status

39
Rated Service Offering
  • Monthly rate
  • Approx. $17.00 per encrypted PC (Windows
    desktop/laptop/tablet)
  • Added to the current per unit rate
  • Includes deployment and recurring support
  • Deployment
  • Applies to devices being refreshed during the
    scheduled refresh initiative as well as those
    devices not requiring refresh during the
    scheduled refresh initiative.
  • Does not apply to legacy devices requiring
    encryption prior to the scheduled refresh
    initiative.
  • Recurring support
  • Applies to ALL devices that NG encrypts

40
Hard Drive Encryption - Service Offering
41
General Assumptions
  • Degraded Desktop/Laptop performance during system
    startup may be realized.
  • Increase in Helpdesk support calls is
    anticipated.
  • Increase in support/administration effort.
  • Extended system recovery times
  • Implementation
  • Desktop/Laptop preparation tasks must be
    performed
  • All support calls will be routed to the VCCC
  • Encryption will be performed as part of the
    desktop refresh schedule

42
Procedures for Ordering
  • If you choose not to wait for Transformation, an
    RFS needs to be completed to request this service
  • If you choose to wait for transformation it will
    be discussed at your kickoff meeting.

43
Commonwealth Information Security Council
  • Peggy Ward, VITA

44
Encryption Committee
  • Jesse Crim (VCU)
  • John Palese (DSS)
  • Michael McDaniel (VRS)
  • Tripp Simms (VITA/NG)
  • Steve Werby (DOC)

45
Encryption Committee - Goals
  • Survey agencies' IT and business perspective
  • Questionnaire to aid agencies in determining
    encryption needs and solutions
  • Develop plan for educating users
  • Develop best practices
  • Recommend solutions, preferably enterprise
  • Develop end user training plan

46
Making Security an Executive Management Priority
  • Committee Members
  • John Karabaic, DMAS
  • Joe Hubbell, Va. Lottery
  • Shirley Payne, U.Va.

47
Ideas To Date
  • Make recommendations for executive security
    awareness events, either standalone or as riders
    on other planned executive-level events such as a
    previous 2-day workshop on COOP.
  • Solicit effective executive security awareness
    practices from agencies and present these as
    models other agencies might follow.

48
Ideas To Date - continued
  • Collect and make available canned security
    awareness presentations tailored for executives.
  • Form a speakers bureau of ISO/boss teams willing
    to give presentations to agency executives within
    their secretariat.

49
Interested in volunteering?
  • Contact Shirley
  • payne@virginia.edu

50
Small Agency Outreach
  • Current Members
  • Robert Jenkins (DJJ)
  • Aaron Mathes (OAG)
  • Goran Gustavsson (APA)
  • Ross McDonald (DSS)
  • Bob Auton (DJJ)
  • Doug Mack (DJJ)

51
Small Agency Outreach
  • Contact and survey small agencies and benchmark
    where they are in the process
  • Develop a pool of available talent to work in a
    shared service capacity to provide Audit functions
    to Small Agencies
  • Measure Small Agencies with Audit capabilities
    versus those without this function
  • Develop Canned Solutions i.e. quick fixes using
    best practices from those with success in the
    areas such as policy, practice or procurement.
  • Develop tool for communications such as a message
    board that has shared access.
  • Create network of Subject Matter Experts (SME) to
    offer advice and guidance.
  • ARMICS and implementation options
  • Resources to talk with Agency Management who may
    be reluctant or unfamiliar with required actions
    needed for compliance matters
  • VITA IT Security Policies and Standards (Business
    Impact Analysis, Risk Assessment,
    Breaches/Detections, etc.)
  • Other IT Services, such as possible
    tests/reviews/audits

52
Small Agency Outreach
  • Volunteers are welcome!
  • If interested, contact Robert Jenkins
  • 804-786-1608
  • robert.jenkins@djj.virginia.gov

53
Identity and Access Management and Account
Management
  • Committee Members
  • Patricia Paquette, DHP, pat.paquette@dhp.virginia.gov
  • Mike Garner, Tax, mike.garner@tax.virginia.gov
  • Marie Greenberg, DMV, marie.greenberg@dmv.virginia.gov
  • Jim Rappe, ABC, james.rappe@abc.virginia.gov
  • Maria Batista, DMV, maria.batista@dmv.virginia.gov
  • Joel McPherson, DSS, joel.mcpherson@dss.virginia.gov

54
Identity and Access Management and Account
Management
  • "An identity management solution should not be
    made up of isolated silos of security
    technologies, but rather, consist of well
    integrated technologies that address the spectrum
    of scenarios in each stage of the identity life
    cycle."
    - Frederick Chong, Microsoft Corp.

55
Identity and Access Management and Account
Management
  • Goal - establish a secure and effective
    methodology focused on identification and
    authentication across the Commonwealth
  • Standard process which includes
  • Registering or identifying users
  • Establishing roles and accounts
  • Issuing credentials
  • Using the credential, and
  • Record keeping and auditing.

56
Richmond Plaza Building Data Center Move
  • Larry Ellison, NG

57
Mainframe and Server Move Overview
  • Mainframe Environment Profile
  • More system to system interaction
  • Larger foot-print with multiple partitions per
    physical system
  • Diverse user group
  • Mainframe Environment Move and Test Approach
  • Duplication of hardware at CESC (buy new)
  • Isolated Test environment at CESC to provide
    extended test window
  • Server Environment Profile
  • More system isolation (Agency specific apps)
  • Smaller foot-print (Isolated UNIX/Windows
    systems)
  • Agency specific user group
  • Server Environment Move and Test Approach
  • VLAN Extension approach (RPB to CESC)
  • Disconnect/move/reconnect of hardware from RPB to
    CESC (physical or virtual)
  • Unit testing of systems and applications prior to
    disconnect/move/reconnect

58
Mainframe Move and Test Strategy for
CESC(Isolated Test Environment)
  • Replicate RPB Internal Network (LAN) at CESC
    (~280 devices)
  • Replicate all IBM, UNISYS, Prime-Power, and
    related hardware required for full application
    testing
  • Replicate key Windows and UNIX servers required
    to support the Mainframe Test environment
  • Provide isolated external connectivity to the
    CESC Test Environment from key agency locations
    (VPN or other dedicated connections)
  • Test environment available for 60-90 days to
    facilitate full Operational Readiness and
    Application Regression testing of the
    environment, from isolated locations
  • Maintain the same IP Addresses across the entire
    Mainframe environment
  • Requires key Agencies to provide a
    dedicated/isolated test lab with dedicated link
    from Agency location to CESC, for testing
  • Supports Connectivity Testing from remote
    locations during planned weekend maintenance
    windows
  • Multiple Mock Cutover Tests prior to final Go-Live

59
CESC Isolated Mainframe Test Environment: Operations
and Application Testing (7/15 - 10/28)
[Diagram: RPB Data Center (Production Agency
Locations, Production App Servers, IBM Mainframe,
Unisys Mainframe, Shared DASD, IBM Tape 1, DMX2000 1,
EMC Centera Tape 1) with Data Replication As needed
to the CESC Data Center (Isolated Key Agency
Locations, App Servers For Testing, IBM Mainframe,
Unisys Mainframe, Shared DASD, IBM Tape 2, DMX2000 2,
EMC Centera Tape 2)]
60
CESC Isolated Mainframe Test Environment:
Connectivity and Cutover Testing (Selected Weekends
from 7/15 - 10/28)
[Diagram: same RPB and CESC Data Center elements as
the previous slide (mainframes, Shared DASD, tape,
DMX2000, app servers) with Data Replication between
them; the RPB Data Center is Offline during testing
and Isolated Key Agency Locations connect to CESC]
61
Mainframe Test Objectives for CESC(Isolated Test
Environment)
  • Operations Testing
  • All systems will IPL/Boot and communicate with
    peripherals
  • Administrative functions (Monitoring and
    Management) operate as expected
  • Data replication between CESC and RPB functions
    properly
  • Internal CESC Network (LAN) and Firewalls
    function properly
  • Print Infrastructure Functions Properly
  • Tape Backup Infrastructure functions properly
  • Control-M Infrastructure functions properly for
    support of Batch operations
  • Point-to-point connections function properly
  • Application Testing
  • Applications will initiate and connect with
    database(s)
  • Applications will update data and print reports
    as expected
  • Regression test of all applications components on
    the Mainframe systems
  • Network Connectivity Testing
  • Controlled testing of external connectivity to
    CESC from remote sites
  • Scheduled during pre-defined weekend Maintenance
    Periods from August - October

62
Tentative Testing and Cutover Timeline
63
Mainframe Move Risk Mitigation
  • Standup of an Isolated Test Environment
  • Replicate mainframe hardware and software
    infrastructure
  • Replicate servers running tier 2 applications
    that interface with mainframes
  • Replicate DASD and Tape storage infrastructure
    and data via high speed data links
  • Create network that will support simultaneous
    dual access for large agencies (RPB and CESC)
  • Replicate security environment including current
    complex firewall controls
  • Detailed Analysis of entire infrastructure at RPB
  • Application components
  • Network components
  • Server and Mainframe components
  • Extended Test Period
  • Provide agencies with at least 60 days to
    complete application testing
  • Extended timeframe provides the opportunity for
    multiple test phases
  • Mock move weekends have been scheduled and are
    designed to accommodate thorough integration
    testing of complex, interdependent applications
  • Risk will be significantly mitigated through
    agencies having continuous access to a dedicated
    test environment rather than only a series of
    mock move tests over weekends

64
Mainframe Move Risk Mitigation (continued)
  • Command Center
  • Provides a rapid response team to quickly address
    problems that surface during testing
  • Staffed with operations, network, systems, and
    sub-system support specialists
  • Support will be available 24 hours a day and
    weekends
  • Test Coordination Support
  • NG/VITA testing coordination teams will be
    assigned to each key mainframe using agency
  • Test coordinators will work directly with Agency
    staff to jointly develop test plans for each
    mainframe application
  • Weekly reporting of testing progress by agency
    and associated applications will be generated and
    shared with agency managers
  • Fallback Contingency
  • RPB processing infrastructure will remain intact
    for at least 2-3 weeks following the move to
    provide fall-back capability
  • Dual network access environment will remain
    intact for at least 2-3 weeks following the move
    to provide fall-back capability
  • Freeze/limit Hardware/software changes during
    test/move window

65
Communication Plan Overview
  • Comprehensive CH/COMM Plan to include email
    communications and supporting documentation
  • Overview, Kick-Off and monthly meetings with each
    affected Agency, starting June 7
  • Detailed Planning Meetings with Agency
    Application Teams to develop test scenarios
    (6/15 - 8/15)
  • Checkpoints and signoffs in plan for agreement to
    start test planning, agreement that test plans
    are complete, application testing is complete and
    approval is given to move
  • Detailed weekly status reviews with all
    Agency/VITA Test Teams throughout the entire test
    window (7/15 - 10/28)
  • Dedicated Test Coordinators from the
    Transformation Team, Current Ops Team, and the
    Agency
  • 24x7 Command Center setup before, during, and
    post move/cutover
  • Multiple locations linked by phone and/or video
    conferencing (Agency, RPB, CESC)
  • Participation by Agency Application staff,
    Current Ops, VITA, Transformation, and Vendors
    (as needed)
  • Representation by Network, Security, Mainframe,
    Server, Applications, etc

66
Application Testing Coordination
[Diagram: VITA Test Coordinators for Mainframe and
Server, with Network and Security support, assigned
to Agencies Involved in the Isolated Test
Environment; a Test Coordinator, Application Spec
and Network Spec for each agency]
67
Agency Application Test Responsibilities
  • Assign dedicated resources and participate in
    detailed planning process - (starting June 15)
  • Assign dedicated resources to participate in the
    test activities
  • Identify applications that need to be tested in
    isolated test environment
  • Identify servers in RPB that would need to be
    included in isolated test environment in CESC to
    enable application testing
  • Provide acceptable dates for tests and cutover
  • Responsible for Application Freeze (7/15 - 11/12)
  • Commitment to Break-Fix only during the test
    window
  • Joint approval (Agency, Current Ops,
    Transformation, VITA) for any additional changes
    that are required
  • Participation in special CCB process for review
    of any proposed changes during test window
  • Provide isolated test environment at Agency that
    will connect directly to isolated test
    infrastructure at CESC (available by 7/15)
  • Dedicated PCs in a training room or test lab
    recommended
  • Alternate methods for access to test environment
    directly from users workstations is being
    investigated
  • Conduct all application tests (from 7/15 to
    10/28)
  • Participate in cutover tests and verify network
    connectivity

68
Test and Move Coordination Roles
Agency   Test Coordinator  Field Operations         Agency Application
SBE      Kevin Kelley      Mike Elliott             Beth Nelson
DHRM     Kevin Kelley      TBD                      Steven Hastey
DSS      Kevin Kelley      Wayne Kniceley           Harry Sutton
VRS      Kevin Kelley      Donald Garrett (Agency)  Donald Garrett
VADOC    Karen Lusk        Karen Hardwick           Geoff Lamberta
DMV      Karen Lusk        Bob Tingle               Will Burke
VEC      Karen Lusk        Dave Thompson            Victoria Caplan
VDH      Karen Lusk        Kenny White              TBD
DOA/TRS  Danny Wilmoth     Wendy Hudson             James Moore
DPB      Danny Wilmoth     David Allen              Jowjou Hamilton
TAX      Danny Wilmoth     Cathy Franklin           TBD
SCB      Danny Wilmoth     Richard Walls            Anne Wilmoth
SCC      Thomas Williams   Blair Kirtley (Agency)   Blair Kirtley
VDOT     Thomas Williams   Scot Jones               Ray Haynes
VDACS    Thomas Williams   Kathy Ange               Jerry Allgeier
69
Server Transformation and Move: Agenda
  • Server Transformation Introduction
  • Server Move Approach and Test Strategy
  • Server Test Objectives
  • High level Move and Cutover schedule
  • Managing Risk
  • Communication Plans
  • Agency Responsibilities
  • Questions

70
Server Move and Test Strategy for CESC
  • Virtualize as many servers at RPB as possible to
    facilitate the move process and reduce risk
  • Consolidate multiple SAN/Disk systems at RPB onto
    a single SAN/Disk Platform
  • Replicate the data on this consolidated SAN/Disk
    system from RPB to CESC
  • Replicate RPB Internal Network (LAN) at CESC
    (~280 devices)
  • Extend VLANs from current RPB Network
    Infrastructure to CESC
  • Replicate EBARS Backup Environment at CESC
  • Servers will be placed in either PODS or Standard
    Racks at CESC based on specific hardware, power,
    and cooling requirements
  • We will maintain the same IP Addresses across the
    entire Server environment
  • A two phased cutover approach will be utilized
  • Phase-1 is the movement of the servers onto an
    extended VLAN at CESC (located at CESC, but still
    part of the RPB LAN)
  • Phase-2 requires servers be switched from the
    extended VLAN to the local VLAN at CESC
  • Servers will be moved in logical groups, based
    primarily on agency usage (VDOT, DEQ, GOV, etc.)
  • Whenever possible Operation and Application
    Testing will be performed using the virtual
    server infrastructure to replicate systems from
    RPB to CESC
  • In some instances duplicate server hardware will
    be purchased for CESC to facilitate Operation and
    Application Testing at CESC

71
RPB to CESC Server Move: Phase-1 Relocation
[Diagram: RPB Data Center Current Production Network
(6506 Outside Switches, 4507 Campus Switch, PIX FW,
Juniper FW, Chk Point FW, 6506 Core Network
PRODUCTION, 6509 Inside Switches, Server Farm, Old
SAN/Disk arrays) alongside CESC Data Center New
Production Network (New Outside Switches, New Campus
Switch, New FWs, 6506 Core Network TEST ONLY, New
Inside Switches, Server Farm, Shared SAN/DISK).
Server VLANs are extended from RPB to CESC; disk is
consolidated at RPB and data is replicated to CESC.]
Virtual and Physical Server Moves: servers are moved
in groups to CESC but are still using the network
infrastructure at RPB.
72
RPB to CESC Server Move: Phase-2 Network Swap
[Diagram: same RPB and CESC network elements as
Phase-1 (outside switches, campus switches,
firewalls, 6506 core, inside switches, Server Farm,
Shared SAN/DISK); the RPB Core Network is now
OFFLINE and the CESC Core Network is PRODUCTION.]
VLAN Extensions are dropped. Servers are running at
CESC and are now using the full network
infrastructure at CESC. Data Replication direction
is switched to go from CESC back to RPB in
preparation for DR at SWESC. Old SAN/Disk arrays are
no longer needed. RPB Data Center - Offline.
73
Server Test Objectives for CESC
  • Operations Testing
  • All systems will Boot and communicate with
    peripherals
  • Administrative functions (Monitoring and
    Management) operate as expected
  • Data replication between CESC and RPB functions
    properly
  • VLAN Extension from RPB to CESC Network (LAN) and
    Firewalls function properly
  • Print Infrastructure Functions Properly
  • Tape Backup Infrastructure functions properly
  • Control-M Infrastructure functions properly for
    support of Batch operations
  • Point-to-point connections function properly
  • Application Testing
  • Applications will initiate and connect with
    database(s)
  • Applications will update data and print reports
    as expected
  • Regression test of all applications components on
    the Mainframe systems
  • Network Connectivity Testing
  • External access to Agency locations functions
    properly
  • Access from RPB to CESC over extended VLAN
    functions properly

74
Testing and Cutover Timeline (Notional)
75
Server Move Group Summary
  • Server Group-1: DFP, DCG, SBE - 25 servers
  • Server Group-2: DEQ, VDH, DPB, DCJS - 83 servers
  • Server Group-3: DGS - 124 servers
  • Server Group-4: GOV, DOF, VDACS, VGIN - 76
    servers
  • Server Group-5: TAX, DSS, VEC - 112 servers
  • Server Group-6: VITA Group-1 - 132 Servers
  • Server Group-7: VITA Group-2 - 132 Servers

76
Server Move Group Detail
77
Server Move Risk Mitigation
  • VLAN Extensions
  • Minimizes level of network and security changes
    required for the move to CESC
  • Allows NG and the Agency to stage and pre-test
    selected Dev and/or Test servers PRIOR to moving
    production systems
  • Migration of Current Systems
  • Minimizes level of system changes required for
    the move to CESC
  • Minimizes complexity of having to re-rack systems
  • All required cables (Network, SAN, etc) can be
    pre-installed and tested prior to moving the
    systems to CESC
  • System Virtualization
  • Provides enhanced pre-move testing capabilities
  • Minimizes system/application downtime during the
    move to CESC
  • Provides quick, easy fall-back

78
Server Move Risk Mitigation (continued)
  • Stand-by Hardware
  • Mission Critical application hardware can be made
    available if hardware problems arise due to move
    related issues
  • Tax related HP-UX hardware is an example of some
    of the systems that are being considered for
    stand-by hardware
  • Any x86 server can have a stand-by virtual server
    in-place at both data center locations
  • Move Specialists
  • All system packaging, pre and post move
    verifications will be performed by hardware
    vendor Customer Engineers
  • Customer Engineers (CEs) are the vendor
    employees who are dispatched to diagnose and
    resolve hardware related issues as part of
    warranty and maintenance support services
  • Representatives for each vendor will be either
    on-site or on-standby
  • Move VITA last so that server move process is
    refined with smaller move groups

79
Communication Plan Overview
  • Comprehensive CH/COMM Plan to include email
    communications and supporting documentation
  • Overview, Kick-Off and monthly meetings with each
    affected Agency, starting June 7
  • Detailed Planning Meetings with Agency
    Application Teams to develop test scenarios
    (6/15 - 8/15)
  • Checkpoints and signoffs in plan for agreement to
    start test planning, agreement that test plans
    are complete, application testing is complete and
    approval is given to move
  • Detailed weekly status reviews with all
    Agency/VITA Test Teams throughout the entire test
    window (7/15 - 10/28)
  • Dedicated Test Coordinators from the
    Transformation Team, Current Ops Team, and the
    Agency
  • 24x7 Command Center setup before, during, and
    post move/cutover
  • Multiple locations linked by phone and/or video
    conferencing (Agency, RPB, CESC)
  • Participation by Agency Application staff,
    Current Ops, VITA, Transformation, and Vendors
    (as needed)
  • Representation by Network, Security, Mainframe,
    Server, Applications, etc

80
Agency Application Test Responsibilities
  • Participate in Planning Process
  • Identify applications that need to be tested on
    each server
  • Provide acceptable dates for tests and cutover
    and confirm downtime windows
  • Provide Agency resources to participate in
    application testing pre-move as well as during
    the actual cutover
  • Prepare test scripts and desired test results for
    application tests
  • Conduct application tests for validation of the
    move
  • Participate in cutover tests and verify network
    connectivity
  • Agency acceptance sign off

81
Test and Move Coordination Roles
Agency  Tentative Relocation Weekend  Transformation  Current Operations  Agency Application Team  Primary HP Assignee  Secondary HP Assignee
SBE     11-Aug                        Bob Reviea      Mike Elliott        TBD                      Tao Tao              Terry Miller
VDFP    11-Aug                        Brian Welliver  TBD                 TBD                      Terry Miller         Tom Springer
DCG     11-Aug                        Don Morgon      TBD                 TBD                      Tom Springer         Tao Tao
DEQ     25-Aug                        Brian Welliver  Dan Gayk            TBD                      Terry Miller         Tom Springer
VDH     25-Aug                        Don Morgon      Kenny White         TBD                      Tom Springer         Terry Miller
DCJS    25-Aug                        Bob Reviea      TBD                 TBD                      Tao Tao              Tom Springer
DPB     25-Aug                        Bob Reviea      TBD                 TBD                      Tao Tao              Terry Miller
DGS     1-Sep                         Don Morgon      Barbara Garnett     TBD                      Tom Springer         Tao Tao
GOV     17-Sep                        Bob Reviea      Barbara Garnett     TBD                      Tao Tao              Terry Miller
DOF     17-Sep                        Brian Welliver  TBD                 TBD                      Terry Miller         Tom Springer
VDACS   17-Sep                        Don Morgon      Brenda Richart      TBD                      Tom Springer         Tao Tao
VEC     17-Sep                        Brian Welliver  Brenda Richart      TBD                      Terry Miller         Tom Springer
TAX     6-Oct                         Bob Reviea      Cathie Franklin     TBD                      Tao Tao              Tom Springer
VGIN    6-Oct                         Don Morgon      TBD                 TBD                      Tom Springer         Terry Miller
DSS     6-Oct                         Brian Welliver  Mike Elliott        TBD                      Terry Miller         Tao Tao
VITA    13-Oct, 27-Oct                TBD             Dave Matthews       TBD                      John Sewell          Jeff Flanigan
82
VITA IT Security Technical Documentation
  • Craig Luka
  • Security Analyst
  • Northrop Grumman, VITA IT Security
  • June 14th, 2007

www.vita.virginia.gov
83
Overview
  • What documentation has been developed?
  • Enterprise Infrastructure Security Practices
  • Security Practices Self Assessment
  • Why?
  • Define baseline security practices for
    customer-based staff
  • COV ITRM Standard SEC501-01 compliance
  • Document current Agency security practices and
    develop SEC501-01 Gap Analyses.
  • Reduce risk of unfavorable audit findings

84
Documentation Architecture
  • Documentation Framework
  • Security practices document has been developed on
    industry best practices (SANS, NIST, Center For
    Internet Security)
  • All SEC501-01 requirements from the technical
    requirements matrix are accounted for in the
    security practices document
  • Self Assessment maps each SEC501-01 requirement
    to a set of security practices
  • Serves as a cross reference between SEC501-01 and
    newly developed Enterprise Security Practices.

85
Workflow and Routing
  • Document Distribution
  • EISP and self assessment are delivered to
    Regional Service Directors (RSDs)
  • RSDs deliver documents to Agency-based Service
    Level Directors (SLDs)
  • Customer-based technical staff and SLDs complete
    the self assessment
  • Completed self assessments are returned to EISP
    team for quality assurance review
  • Final documentation is delivered to Agency ISOs
    and reports are delivered to the CISO

86
Timeframe
  • June 1st Documents delivered to RSDs
  • June 4th RSDs deliver to SLDs and work begins
    on the self assessments
  • June 4th June 29th Self assessment submitters
    complete assessment and work with EISP team as
    needed for clarification
  • June 29th All assessments completed, reviewed
    and delivered to respective Agency ISOs.

87
What to Expect
  • The EISP team will work with customer-based staff
    and SLDs as needed to assist in assessment
    completion
  • Any clarifications or enhancements discovered
    while assessments are being completed will be
    added to the EISP and self assessment documents
  • Agency ISOs will receive a copy of the EISP
    document and their Agency's completed self
    assessment on June 29th

88
Questions ?
  • ?

89
COV IT Security Standard Compliance ISO
Appointments IT Security Audits
  • Ed Miller

90
Appointment of an Information Security Officer
  • The IT Security Policy (ITRM SEC500-02)
    requirement to appoint an Information Security
    Officer (ISO)

91
ISO Designation Requirement
  • ITRM SEC500-02 requires each Agency Head to
    designate, via e-mail, an ISO (Information
    Security Officer) for the Agency and provide the
    person's name, title and contact information to
    VITA no less than biennially. The Agency Head is
    strongly encouraged to designate at least one
    backup for the ISO as well. Send via e-mail to
    VITASecurityServices@Vita.Virginia.Gov
  • The e-mail must either be from the Agency Head or
    have the Agency Head copied (cc)

92
List of Confirmed ISOs
  • Accountancy, Board of
  • Aging, Department for the
  • Agriculture and Consumer Services, Department of
  • Business Assistance, Virginia Department of
  • Center for Behavioral Rehab
  • Center for Innovative Technology
  • Christopher Newport University
  • Conservation and Recreation, Department of
  • Correctional Education, Department of
  • Corrections, Department of
  • Department of Charitable Gaming
  • Department of Forensic Sciences
  • Economic Development Partnership, Virginia
  • Elections, State Board of
  • Employment Dispute Resolution, Department of
  • Environmental Quality, Department of
  • Fire Programs, Department of
  • Forestry, Department of
  • Frontier Culture Museum of Virginia
  • Game and Inland Fisheries, Department of
  • Governor, Office of the
  • Health Professions, Department of
  • Human Resource Management, Department of
  • James Madison University
  • Juvenile Justice, Department of
  • Library of Virginia, The
  • Longwood University
  • Mary Washington University
  • Medical Assistance Services, Department of
  • Mental Health, Mental Retardation and Substance Abuse Svcs, Department of
  • Mines, Minerals and Energy, Department of
  • Minority Business Enterprise, Department of
  • Motor Vehicle Dealer Board
  • Motor Vehicles, Department of
  • Museum of Fine Arts, Virginia
  • Museum of Natural History, Virginia
  • Old Dominion University
  • Professional and Occupational Regulation, Department of
  • Racing Commission, Virginia
  • Rail and Public Transportation, Department of
  • Science Museum of Virginia
  • Social Services, Department of
  • State Police, Department of
  • Tourism Commission, Virginia
  • Transportation, Department of
  • Virginia Commonwealth University
  • Virginia Information Technologies Agency
93
IT Security Audit Plan
  • The IT Security Audit Standard (ITRM SEC502-00)
    requirement to submit an annual IT security
    audit plan to the CISO beginning February 1,
    2007.

94
IT Security Audit Plan
  • The IT Security Audit Plan should identify all
    sensitive system(s), the planned date of the
    audit(s) and the planned auditor for the
    audit(s).
  • Each sensitive system must be audited at a
    frequency relative to its risk, or at least, once
    every 3 years.
  • There is a template that can be used by the
    agency to record this information on the VITA web
    at
  • http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityAuditPlanTemplate.doc

95
Exception Request
  • If your agency cannot submit its IT Security
    Audit Plan, the Agency must submit an Exception
    Request for an extension of time in order to
    comply. The Exception Request must be approved by
    the Agency Head and sent to the CISO for review
    and approval.
  • The IT Security Policy and Standard Exception
    Request form is on the VITA web at
  • http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc

96
No Sensitive Systems?
  • In addition, there may be some agencies that do
    not classify any of their databases or systems as
    sensitive. Under the requirements of
    SEC502-00, they do not have to submit an audit
    plan. However, to ensure that we are not missing
    any sensitive systems, we would like any Agency
    making that assertion to please notify us by
    email to vitasecurityservices.com that they will
    not be submitting an audit plan for that reason.

97
Agencies w/Audit Plans or Extensions
  • Board of Accountancy
  • Center for the Innovative Technology
  • Christopher Newport University
  • Department of Employment Dispute Resolution
  • Department for the Aging
  • Department of Agriculture and Consumer Services
  • Department of Alcoholic Beverage Control
  • Department of Conservation and Recreation
  • Department of Corrections
  • Department of Education
  • Department of Environmental Quality
  • Department of Fine Arts
  • Department of Forensic Sciences
  • Department of General Services
  • Department of Health
  • Department of Health Professions
  • Department of Housing and Community Development
  • Department of Human Resource Management
  • Department of Juvenile Justice
  • Department of Medical Assistance Services
  • Department of Mental Health, Mental Retardation and Substance Abuse
  • Department of Mines, Mineral, and Energy
  • Department of Motor Vehicles
  • Department of Planning and Budget
  • Department of Professional and Occupational Regulation
  • Department of Rail and Public Transportation
  • Department of Rehabilitative Services
  • Department of Social Services
  • Department of State Police
  • Department of Taxation
  • Department of the Treasury
  • Department of Transportation
  • George Mason University
  • James Madison University
  • Jamestown-Yorktown Foundation
  • Longwood University
  • Mary Washington University
  • Office of the Governor
  • Old Dominion University
  • Radford University
  • Richard Bland College
  • State Compensation Board
  • State Board of Elections
  • State Council of Higher Education for Virginia
  • University of Virginia
  • Commonwealth Virginia Board for People with Rehabilitative Services
  • Virginia Department for the Blind and Vision Impaired
  • Virginia Department for the Deaf and Hard of Hearing
  • Virginia Employment Commission
  • Virginia Information Technologies Agency
  • Virginia Racing Commission
  • Virginia State University
98
Where to find Policies/Templates/Forms
  • Go to the VITA Website
  • www.vita.virginia.gov
  • Click Security and then Policies and Procedures
  • http://www.vita.virginia.gov/docs/psg.cfm (Security PSGs)

99
COV Information Technology Security Policy,
Standards and Guidelines
  • Cathie Brown, CISM, CISSP

100
Compliance: IT Security Policy and Standard
  • July 1, 2007 Compliance Date
  • Key Steps to Compliance include
  • Designate an ISO
  • Inventory all systems
  • Perform Risk Assessment on sensitive systems
  • Perform Security Audits on sensitive systems
  • Document and exercise Contingency and DR Plans
  • Implement IT systems security standards
  • Document formal account management practices
  • Define appropriate data protection practices
  • Establish Security Awareness and Acceptable Use
    policies
  • Safeguard physical facilities
  • Report and Respond to IT Security Incidents
  • Implement IT Asset Controls

101
Exception Request
  • If your agency cannot comply by July 1, 2007, the
    Agency must submit an Exception Request for an
    extension of time. The Exception Request must be
    approved by the Agency Head and sent to the CISO
    for review and approval.
  • The IT Security Policy and Standard Exception
    Request form is on the VITA web at
  • http://www.vita.virginia.gov/docs/securityTemplates/ITSecurityPolicyStandardExceptionRequestForm.doc

102
Status Update
  • Revised IT Security Policy and Standard
  • End date for ORCA Comments 6/13
  • IT Standard: Use of Non-Commonwealth Computing
    Devices to Telework (ITRM SEC511-00)
  • New COV Standard
  • End date for ORCA Comments 6/13
  • IT Threat Management Guideline
  • Comments have been addressed
  • Publish by June 29, 2007

103
New! Data Breach Notification
  • Included in Revised IT Security Policy and
    Standard
  • Data Breach Notification Requirements
  • Each agency will identify systems that contain
    PII (Personally Identifiable Information)
  • Include provisions in any third party contracts
    requiring that the third party and its
    subcontractors provide immediate notification of
    suspected breaches
  • Provide appropriate notice to affected
    individuals upon the unauthorized release of any
    unencrypted PII by any mechanism (laptop,
    desktop, tablet, CD, DVD, etc.)

104
Revisions - IT Security Policy and Standard
  • Highlights
  • Expanded scope to include Legislative, Judicial,
    Independent and Higher Education
  • System Security Plans for sensitive systems
  • Additional considerations for account management
  • Additional considerations for protection of data
    on mobile storage media including encryption
  • Additional requirements for specialized IT
    security training
  • Data Breach Notification
  • Compliance date 1/01/2008

105
New! IT Std Using Non-COV Devices to Telework
  • Purpose
  • Establish a standard to protect COV data while
    teleworking with Non-COV Devices
  • Acceptable Solutions
  • Standalone Computer
  • Internet Access to Web-Based Applications
  • Internet Access to Remote Desktop Applications
  • Requirements
  • Storing COV data on a non-COV device is
    prohibited
  • Network traffic containing sensitive data must be
    encrypted
  • Provide training on remote access policies
  • Security Incident Response
  • Non-COV device may be required during forensics
    or investigation of a Security Incident
  • Acknowledgement form signed

106
IT Threat Management Guideline
  • Highlights
  • IT Security Threat Detection
  • IT Security Incident Management
  • IT Security Monitoring and Logging
  • Example Recording and Reporting Procedure
  • Example Internal Incident Handling Procedure

107
QUESTIONS
108
Information Risk Executive Council
  • Cathie Brown, CISM, CISSP

109
Reminder IREC Resource Available
  • Information Risk Executive Council
  • Unlimited access to the following services
  • Strategic Research and Tools
  • Benchmarking and Diagnostic Tools
  • Teleconferences
  • To register
  • https://www.irec.executiveboard.com/Public/Register.aspx
  • For questions or problems, please contact
  • Jennifer Smith, Account Manager, CIO Executive
    Board, Corporate Executive Board, 2000 Pennsylvania
    Avenue, NW, Washington, DC 20006
  • 202-587-3601, jsmith@executiveboard.com

110
QUESTIONS
111
Upcoming Events
  • Peggy Ward

112
UPCOMING EVENTS!
  • ISOAG MEETING DATES
  • Wednesday, July 11, 2007
  • 1:00 - 4:00
  • Tentative Agenda Items
  • E-Discovery - OAG
  • VITA transformed IT Infrastructure Architecture -
    Linda Smith
  • NG IS Policy, Standards and Guidelines Update -
    Cathie Brown
  • VITA IS Council Committee Updates - Committee
    Chairs

113
UPCOMING EVENTS!
  • VITA OFFICES MOVE
  • Friday July 27, 2007
  • CAMS will move to 411 E. Franklin

114
Any Other Business ?
115
ADJOURN
  • THANK YOU FOR YOUR TIME AND THOUGHTS
  • !!!