Cyber Transformation at CNS Pantex & Y-12

Transcription

1 Cyber Transformation at CNS Pantex & Y-12 v Craig D. Thomas Director, Chief Information Security Officer 1

2 Agenda About Me Goals & Approach Lessons Learned Q&A 2

3 About Me 3

4 Goals & Approach 4

5 Goals Fundamentally transform the cyber security program from the ground up to deliver: Consistent approach to building the cyber talent pipeline Improved user experience Modernization of cyber security tools Transition from a reactive to proactive program Reduction of paperwork associated with the program Focus of precious resources on improved cyber security monitoring Enable continuous compliance and continuous monitoring Improvements in change management Transition to a service culture with metrics around performance 5

6 Approach Cyber Transformation Project Kicked off mid-november year project using Agile methodology to deliver high level requirements each quarter 1 Phase per year Plan at beginning of each FY - In detail (stories, tasks) Small victories which snowball into large accomplishments High-level goals for the end of Year 1 Budget clarity, reporting, Service Level Agreements (SLAs), and aligned spending Enterprise Risk Management Framework (RMF) submitted and approved with implementation plan for security plans Transparent metrics updated regularly For NPO, cyber, and other staff Automated scripts for self-assessments 6

7 Approach High-level goals for the end of Year 2 RMF Execute Implementation Plan Splunk New hardware for unclass fully deployed and operational egrc Additional modules, workflows, alerting, and roles Connector to populate Archer from egrc CDM Training for ISSOs Automation of Compliance Testing Further development and integration with CMDB/eGRC Monitoring 7

8 Lessons Learned 8

9 Lessons Learned Reporting Need Different formats for different people (examples on following slides) Need drivers/leaders Break down work better Team size Communication Lots of meetings Length of sprints Better understanding of how much work we can really do THAT sprint What else is going on, other project support, audits, holidays, vacations Early sprints and holiday sprints are disappointing Need a great Project Manager Include other important works, such as Issues, Cyber Security Improvement Items, and other deliverables 9

10 Example Report Sprint Overview Epics Worked Align training to key skills assessments/career planning Consolidate cyber security policies between the sites Consolidate cyber security training between the sites Cyber budget proposal submission aligned to security service SLAs Deploy and load Risk Module in egrc Develop the xxx MISSP Develop the xxx MISSP Develop TM/RA module in egrc Develop work instructions for egrc modules Develop workflow, alerts, and reporting for selected existing modules in egrc Implement automated compliance scanning and develop plan to be discussed with AO Implement connector to populate Archer from egrc Implement Vulnerability Management in ServiceNow Improved response to data calls through automated systems Integration of automated compliance testing into the CMDB and/or egrc Issues Provide a real-time dashboard for Financial performance for the cyber security program Sprint Metrics Completed Issues Encountered Xxx Xxx xxx Points Remaining 26 Completed # of Stories Blocked: 3 Stories 39 Remaining 10

11 Example Report Burndown Chart 11

12 Example Report Status of Epics 12

13 Questions? Craig D. 13