DIR
HB 3834 End User Cyber Security Awareness Presentation
Andy Bennett, Deputy CISO, State of Texas

HB 3834 Training Disclaimer
DISCLAIMER: These slides are distributed by the Texas Municipal League (TML) for informational purposes only. Accordingly, possession of these slides does not satisfy the annual training requirement under HB 3834 (86th Legislative Session).
Agenda
• Presenter Bio
• HB 3834 Overview and Requirements
• HB 3834 Training Session
• The principles of information security
• Safeguarding, response, and reporting best practices
• Real-world examples
• State and Federal Resources

Presenter Bio
Andy Bennett is a boot wearin’ native Texan who serves the State of Texas as the Deputy Chief Information Security Officer. He has a diverse IT background covering 23 years of experience in roles across the enterprise and in a variety of sectors including government, banking, higher education, applied research, oil and gas, law enforcement, Fortune 500 consulting services, and more. He specializes in incident response, investigations, and change efforts and has a passion for security. He is the primary author of the State of Texas’ incident response redbook template and is involved in strategic planning and rulemaking at the statewide level. His professional philosophy is “Show works better than tell, every time.”
State CISO and Cybersecurity Coordinator Role
TEXAS GOVERNMENT CODE
Sec. 2054.511. CYBERSECURITY COORDINATOR. The State Cybersecurity Coordinator shall “oversee cybersecurity matters for th[e] state.” [LINK]
Sec. 2054.512. CYBERSECURITY COUNCIL. “The state cybersecurity coordinator shall establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.” [LINK]
Sec. 2054.514. RECOMMENDATIONS. “The state cybersecurity coordinator may implement any portion or all of the recommendations made by the Cybersecurity, Education, and Economic Development Council under Subchapter N.” [LINK]

HB 3834 Overview
TEXAS GOVERNMENT CODE
Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING PROGRAMS [LINK]
• DIR, in consultation with the cybersecurity council and industry stakeholders, shall “certify at least five cybersecurity training programs for state and local government employees.”
• To be certified, “a cybersecurity training program must:
  • Focus on forming information security habits and procedures that protect information resources; and
  • Teach best practices for detecting, assessing, reporting and addressing information security threats.”
Meeting HB 3834 Training Requirements
Select a state certified cybersecurity training program:
• If you are currently using a program that was developed in-house, submit it for certification
• Select a training program from the list of certified programs (available on the DIR website)
Complete training by June 14, 2020

Principles of Information Security
HB 3834 Topic Mapping
Topic 1.1(a). Users should be aware of what ‘information security’ means
Defining Information Security
Definition: Information Security
According to NIST, Information Security is “[t]he protection of information and information systems against unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Source: NIST SP 800-171 Rev. 1

Information refers to “[a]ny communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”
Source: NIST SP 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Information System refers to “[a] discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”
Source: NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations

Defining Information Security (the CIA triad)
C – Confidentiality: Prevent unauthorized access and use of information resources
I – Integrity: Prevent unauthorized change and ensure reliability of information resources
A – Availability: Ensure timely availability of information resources
Users must exercise due care to ensure the confidentiality, integrity, and availability of the information resources under their care.
Information Security Objective: Confidentiality
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”
Common Controls/Safeguards:
- Cryptography
- Access Management
- Acceptable Use Policy
- Information Security Awareness Policy
- Privacy Policy
- Social Media Policy

Information Security Objective: Integrity
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”
Common Controls/Safeguards:
- File Integrity Monitoring
- System Integrity Monitoring
- Hashing Technology
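The integrity slide lists file integrity monitoring and hashing technology as controls but does not show how they fit together. The following is an added example, not part of the presentation: it builds a SHA-256 baseline over a directory, then re-hashes the files later and reports what was modified, added, or deleted. The directory layout, file names and contents are constructed for the demonstration only.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each file (relative POSIX path) under root to its SHA-256 digest.

    In a real deployment the baseline must be stored somewhere the monitored
    host cannot silently rewrite (signed, or on a separate system); otherwise an
    attacker who changes a file can also update its recorded hash.
    """
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and classify every difference from the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, change it, then detect the changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug = false\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")
        (root / "README").write_text("demo\n")

        baseline = build_baseline(root)

        # Simulated unauthorized changes after the baseline was taken.
        (root / "etc" / "app.conf").write_text("debug = true\n")   # modified
        (root / "etc" / "extra.txt").write_text("unexpected\n")    # added
        (root / "README").unlink()                                 # deleted

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The report distinguishes three outcomes because each calls for a different response: a modified configuration file is a change-control question, an unexpected new file may be dropped content, and a deleted file is a destruction-of-data event. SHA-256 is used rather than MD5 or SHA-1 because the control only works if an attacker cannot craft a different file with the same digest.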
Information Security Objective: Availability
“Ensuring timely and reliable access to and use of information.”
Common Controls/Safeguards:
- Incident Response Plan
- Business Continuity Plan
- Disaster Recovery Plan
- Data/Record Retention Plans

Information Security Strategy: Defense-in-Depth
Information assets are protected by many interlocking, redundant, and complementary controls to detect, deter, and prevent attacks.
[Photo: Unknown Author, licensed under CC BY-NC-ND] [Photo: Unknown Author, licensed under CC BY-ND]
Information Security Strategy/Defense-in-Depth
[Diagram: Typical IT Infrastructure, showing the User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access Domain, and Application Domain; a DMZ hosting email and web servers; and encrypted tunnels across the public Internet to vendors and remote users]

Information Security Strategy: Defense-in-Depth
“Information assets” are protected by several layers of “technical” controls. Information assets are protected by many interlocking, redundant, and complementary controls to detect, deter, and prevent attacks.
Host-Based Controls:
- Multi-Factor Authentication (username/password, fingerprint, Windows Hello)
- Whole-Disk Encryption
- Encrypted Folders
- Anti-Malware Scanner
- Host-Based Firewall
- VPN Client Software
Information Security Strategy: Least Privilege & Segregation of Duties
Limit user privileges (access/use) to no more than what is necessary to perform their duties.
Ex: The judicial branch of government, by law, may decide the constitutionality of a law, but it may not create law. Why? Because this authority belongs to the legislature and CANNOT be delegated to another branch.
[Photo: Unknown Author, licensed under CC BY-SA]

Information Security Controls/Safeguards: Categories and Design
Controls/safeguards are instruments implemented by an organization to ensure the “CIA” of “information assets”.
They are categorized as one or several of the following: 1) Administrative; 2) Physical; or 3) Technical.
They are designed for one or several outcomes: 1) Detection; 2) Deterrence; 3) Prevention; and/or 4) Correction.
See NIST SP 800-53 Rev. 4 for a comprehensive set of “controls”. (Link)
Information Security Controls/Safeguards: Administrative Controls/Safeguards
Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls.
Examples:
- Acceptable Use Policy
- Clean Desk Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Data Retention Policy
- Information Classification Management Program
- Mechanical Hard Drive Destruction Procedure
- Vendor Management Program

Information Security Controls/Safeguards: Administrative Controls/Safeguards
Your information security program should consist of a “policy framework.” The “policy framework” will balance the organization’s objectives and:
- Business requirements;
- Legal requirements; and
- Technical requirements.

Policy: Documents stating an organization’s official position on an information security issue.
Standards: Documents defining methods for achieving system- or procedure-specific requirements.
Procedures: Documents outlining the specific steps of a process.
Guidelines: Documents outlining voluntary methods or procedures.