Interagency Advisory Board Meeting Agenda, Wednesday, December 5, 2012

Transcription

1 Interagency Advisory Board Meeting Agenda, Wednesday, December 5, Opening Remarks 2. The State Identity Credential and Access Management Guidance and Roadmap (SICAM) (Chad Grant, NASCIO) 3. PIV and PIV-I Use in Health IT Relying Party Systems (Mike Magrath, Gemalto) 4. Briefing on Draft NIST SP , Guidelines on Hardware-Rooted Security in Mobile Devices (Andy Regenscheid, NIST) 5. Cloud-Sourcing Public Key Enablement (Steve Howard, Certipath) 6. Closing Remarks

2 The Necessity for Maturing Iden5ty and Access Management in State Government: SICAM Guidance and Roadmap Government Smart Card Interagency Advisory Board Mee5ng December 5, 2012 Chad Grant, Senior Policy Analyst Na#onal Associa#on of State Chief Informa#on Officers

3 About NASCIO Na#onal associa#on represen#ng state chief informa#on officers and informa#on technology execu#ves from the states, territories and D.C. NASCIO's mission is to foster government excellence through quality business prac#ces, informa#on management, and technology policy. Founded in 1969 we re a legacy system

4 Fiscal recovery uneven, slow revenue growth, budgets are beker, federal deficit reduc#on impact? CIOs seeking IT opera#onal cost savings and alterna#ve IT sourcing strategies Opportuni#es for change and innova5on Living with the past - modernizing the legacy IT security and risk! Game has changed IT workforce: re#rement wave, skills, recrui#ng State CIO transi#on major churn State IT Landscape Today

5 CIOs' view on IT budgets for % of Federal grants go to states In the past, many CIOs saw budget decreases as an opportunity to improve by breaking down barriers, strengthening IT governance, developing crea#ve solu#ons Op#mis#c outlook by state CIOs on IT budgets 47% an5cipate an increase for 2013 Source: NASCIO Midyear Conference, May 2012

6 View from the States: Priori5es and Trends

7 State CIO Priori5es for Consolida5on / Op5miza5on: centralizing, consolida#ng services, opera#ons, resources, infrastructure, data centers, communica#ons and marke#ng "enterprise" thinking, iden#fying and dealing with barriers 2. Cloud Services: scalable and elas#c IT- enabled capabili#es provided "as a service" using internet technologies, governance, service management, service catalogs, playorm, infrastructure, security, privacy, data ownership, vendor management, indemnifica#on, service poryolio management 3. Security: risk assessment, governance, budget and resource requirements, security frameworks, data protec#on, training and awareness, insider threats, third party security prac#ces as outsourcing increases, determining what cons#tutes "due care" or "reasonable" 4. Mobile Services / Mobility: devices, applica#ons, workforce, security, policy issues, support, ownership, communica#ons, wireless infrastructure, BYOD 5. Budget and Cost Control: managing budget reduc#on, strategies for savings, reducing or avoiding costs, dealing with inadequate funding and budget constraints 6. Shared Services: business models, sharing resources, services, infrastructure, independent of organiza#onal structure, service poryolio management, service catalog, marke#ng and communica#ons related to organiza#onal transforma#on, transparent charge back rates, u#lity based service on demand 7. Health Care: the Affordable Care Act, health informa#on and insurance exchanges, health enterprise architecture, assessment, partnering, implementa#on, technology solu#ons, Medicaid Systems (planning, re#ring, implemen#ng, purchasing), eligibility determina#on 8. Legacy moderniza5on: enhancing, renova#ng, replacing, legacy playorms and applica#ons, business process improvement 9. Interoperable Na5onwide Public Safety Broadband Network: planning, governance, collabora#on, defining roles, asset determina#on 10. Disaster Recovery / Business Con5nuity: improving disaster recovery, business con#nuity planning and readiness, pandemic flu / epidemic and IT impact, tes#ng Source: NASCIO State CIO Survey, November 2012

8 IT Security Risks in the States Cri#cal infrastructure protec#on More aggressive threats organized crime, unorganized crime, hack#vism Spam, phishing, hacking, and network probes up Advanced persistent threats Data breaches trust impact! Insider threats, third party Securing mobile solu#ons, BYOD Iden#ty and Access Management Inadequate funding

9 10. Which security risk concerns you the most? (State Government only) A. End-user downloads of non-approved apps B. Insider threats C. malware and phishing D. Mobile devices and BYOD E. Sophisticated, pre-meditated attacks by hackers

10 11. To your knowledge, has your organization experienced a data breach? (All) A. Yes B. No C. It depends who is asking D. I don t know

11 Priority Technologies, Applica5ons and Tools 1. Cloud compu5ng: so]ware as a service, infrastructure, pla^orm, storage 2. Mobile workforce technologies 3. Virtualiza5on: servers, desktop, storage, applica5ons, data center 4. Legacy applica5on moderniza5on / renova5on 5. Iden5ty and access management 6. Enterprise Resource Planning (ERP) 7. Security enhancement tools 8. Networking: voice and data communica5ons, unified 9. Business Intelligence (BI) and Business Analy5cs (BA) applica5ons, Big Data 10. Document/Content/Records/E- mail management: ac5ve, repository, archiving, digital preserva5on Source: NASCIO State CIO Survey, November 2012

12 Levels of Maturity and Adop5on of Iden5ty and Access Management Source: 2012 DeloiKe- NASCIO Cybersecurity Study

13 State CIOs Recognize Why Iden5ty Management Needs to be a Top Priority Support for a national framework that provides interoperability and trust across multiple jurisdictions. Promotes state enterprise approach: avoids silos, avoids proprietary solu5ons. Adop5on of the standards will reduce redundant creden5aling efforts and expenditures. Follows the great work the states have led in improving drivers license issuance. FIPS 201 has a standardized iden5ty proofing process and standardized issuance procedures. Provides strong proof of cardholder iden5ty. Supports mul5ple applica5ons & legacy infrastructure: issue once, use many 5mes. Enables standards- based provisioning of access management and audi5ng

14 Digital Iden5ty and the States States - nucleus of iden#ty for individuals Iden#ty - basis for providing services and sharing secure and auditable data across agencies Issue iden#ty creden#als - Too many iden#ty silos! Lots of technical, opera#onal, policy and legal ques#ons to resolve NASCIO chartered the State Digital Iden#ty Working Group to address these concerns

15 State Government Challenges AKacks on iden#ty services Real- #me provisioning and de- provisioning of user accounts (life cycle management) Insider threats Least privilege/need to know (privacy preserva#on) Password management User- centric access control Dynamically scale up and down Interoperability with exis#ng IT systems and solu#ons Mul#- jurisdic#onal compliance

16 Business Drivers Enabling Services and Workflow Improve trust in the digital identity Streamline and re-engineer business processes Enables C2G, B2G, and G2G applications Improve fraud detection Protecting Critical Assets Supports multiple risk and access levels Access auditing Security, privacy, compliance Secure authentication Critical Service Capabilities Enterprise Data Sharing and Management Support data sharing and interoperability Permits cross-departmental data analysis and forecasting Promotes evidence-based policy making Operational Efficiencies Standards-based approach Simplified sign-on Automatic provisioning Password resets SICAM Guidance and Roadmap Business Drivers

17 If Digital Iden5ty is a Priority What we should not do each state work independently use proprietary solu#ons disregard interoperability and a federated approach What we should do Document and benchmark ROI elements and share business drivers and solu#ons Incorporate iden#ty and access management into the exis#ng enterprise architecture Harmonize public and private efforts through adop#on of the NSTIC guiding principles

18 SICAM Document Background Who par#cipated NASCIO Digital Iden#ty Working Group par#cipants were from both public and private sector Purpose Provide a standard, unified framework for all states to u#lize and adopt Provide defini#ons, architectural guidance, and describe processes Develop a baseline for further discussion and improvement by NASCIO community Scope Evangelize the business drivers of SICAM Break down iden#ty silos and streamline services Compliance with exis#ng law, regula#ons, standards, and state policies Improve interoperability Enhanced privacy and customer service (protect PII) 20

19 SICAM Document Overview Goals and Objec#ves Trust Interoperability Security Process Improvements SICAM Model for Assurance Levels Principles, Processes, and Concepts Architecture Framework Implementa#on Strategy Risk Assessment Assurance Levels Iden#ty Proofing Requirements AKribute Management Governance Architecture Compliance

20 Looking Ahead Call- to- Ac5on for state leaders to include IdM as a domain within exis5ng EA Frameworks Take an ac5ve role in the iden5ty ecosystem Evangelize the business drivers and highlight ROI Iden5ty implica5ons for reforming social programs? Demand for secure iden55es by ci5zens Reduce cyber risks!

21

22 Connect with... nascio.org facebook.com linkedin.com youtube.com/nasciomedia twitter.com/nascio