Pennsylvania’s Alignment & Implementation of the Call to Action

Erik Avakian, CISSP, CISA, CISM
Chief Information Security Officer
Commonwealth of Pennsylvania
[email protected]

1. Establish a Governance and Authority Structure for Cybersecurity

What we are doing now:
• Centralized model with federation.
• Enterprise CISO responsible for security strategy, Governance, Risk, Compliance, Incident Response & Education/Awareness.
• Each agency assigns an ISO and adheres to enterprise policies, implements appropriate controls, reports incidents, and applies any corrective actions.
• Documented policies and procedures wrapped around information security.
• Cyber security governance through the Enterprise Technology Security Council (ETSC).
• IT policies and processes are collaborated on, developed, and rolled out enterprise-wide via a collaborative cross-agency model.

What’s new?
• Assessing overall Agency ISO reporting structure and realignment.
• Expanding governance through partnerships with our Office of Homeland Security to roll out a state-wide cyber security strategy and incident response plan.

2. Conduct Risk Assessments and Allocate Resources Accordingly

What we are doing now:
• Conducting annual third-party risk assessments across Enterprise IT.
• Conducting quarterly PCI scans as well as continuous application vulnerability scans.
• Scanning web applications for security flaws before they go live on the internet via our application Certification and Accreditation process (CA)2.
• Requiring an all-agency self-assessment annually as well as bi-annual participation in the NCSR.

What’s new?
• Leveraging the DHS C3 Voluntary Program and cyber resilience assessment services.
• In talks with the PA National Guard regarding delivery of cyber security assessments.

3. Implement Continuous Vulnerability Assessments and Threat Mitigation Practices

What we are doing now:
• Over 500 million security events daily are analyzed, then correlated for alerting and action.
• Incident response team monitors and responds to threats and attacks on our network and agency applications 24/7.
• Digital forensics and investigations are conducted over the network, with capabilities spanning 80,000 desktops and 6,000 servers.
• Agency applications are scanned around the clock for flaws.
• Email Data Loss Prevention protects against data leakage.

What’s new?
• Automating code and application scanning processes.
• Adoption of the free Managed Security Services from CIS/MS-ISAC.
• DDoS protection and mitigation services state network-wide.
• Implementing next-generation Security Analytics for rapid, real-time and dynamic threat analysis.

4. Ensuring Compliance with Current Security Methodologies & Business Disciplines

What we are doing now:

Security methodologies:
• Fully layered, centralized enterprise security model.
• IT policies and controls based on NIST and regulatory requirements.
• Routine auditing and monitoring of admins, employees and contractors to ensure compliance with acceptable use.
• Awareness training enforced and reported regularly to senior staff.

Business disciplines:
• Mobile: Device policies outline minimum security requirements and encompass BYOD.
• Social: Policies and technical controls implemented/enforced.
• Cloud: Standardized security contract language for outsourced services.
• File Sharing: Policies and technical controls implemented/enforced.
• Implemented Risk Acceptance Process.

What’s new?
• National Strategy for Trusted Identities in Cyberspace (pilot).
• Outsourcing public-facing websites / consolidating data center assets.
• Enterprise Data Loss Prevention for all users in the Enterprise.

5. Creating a Culture of Risk Awareness

What we are doing now:
• Require all employees to take annual security awareness training.
• Completion metrics continually communicated/shared with agencies.
• Regular participation in federal or state sponsored exercises.
• Annual internal cyber exercises include the Governor’s Cabinet.
• Annual participation in Cyber Security Awareness Month.
• Partnerships with external entities (MS-ISAC, US-CERT, FBI, DHS, State Fusion Center and locals).
• Raising awareness in each agency from Cabinet level to end user.
• Including “Cyber” in the continuity plans. Ensuring communications plans exist at each agency. Emphasis on “Resilience”.

What’s new?
• Social engineering “exercise as a service” provided to all agencies.
• Awareness training for IT administrators, developers, and mobile users.
• Rolling out eGRC (Governance, Risk and Compliance) to provide risk scores and a maturity-level view of IT risk across the enterprise.
• Agency risk “scorecards” for Deputy Secretaries / Agency CIOs.

Thank You!