Designing & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)


Title slide: Designing & Building a Cybersecurity Program, Based on the NIST Cybersecurity Framework (CSF). Larry Wilson. Lesson 4, June

Lesson 4: Case Study: South Carolina DOR Data Breach
Part 1: The State Government Information Security Initiative
Part 2: The Mandiant Report
Part 3: The Deloitte Initial Report
Part 4: The Deloitte Interim Report
Part 5: The Deloitte Final Report

Part 1: State Government Information Security Initiative

South Carolina DOR Data Breach Timeline
- Aug. 13, 2012: Hacker sends a phishing email with an embedded link to several Department of Revenue employees.
- Aug. 27: Hacker uses a worker's user name and password to log into the worker's computer and begins exploring various Revenue Department systems and databases.
- Sept. 1-12: Hacker obtains user account passwords and searches through numerous Revenue Department systems.
- Sept.: Hacker copies data and transfers it through the Internet.
- Oct. 10: U.S. Secret Service notifies South Carolina officials of the breach.
- Oct. 12: South Carolina contracts with Mandiant, a cyber-security company, to figure out what happened and to recommend quick fixes and long-range security upgrades.
- Oct.: The Revenue Department puts in place Mandiant's recommended quick fixes.
- Oct. 26: Gov. Haley holds a news conference to let the public know for the first time that millions of individual South Carolina taxpayers and almost 700,000 businesses have had their personal and financial information stolen.
- Nov. 20: Gov. Haley releases a summary of Mandiant's investigation into how the hacking occurred. It reveals that the Revenue Department's cyber-security was minimal and that the hacker was able to get in easily because the computer system lacked dual verification (two-factor authentication: a stolen password alone was enough to log in remotely).
- Dec.: State begins sending letters to those whose information was hacked, telling them what happened and what they can do to protect their identity and accounts from theft.

Information Security Initiative: Executive Summary
The initiative examines the current statewide INFOSEC posture and provides a way forward to protect our citizens' information. Currently:
- There is no state entity with the authority, or the responsibility, to provide leadership, standards, policies, or oversight.
- The Division of State Information Technology (DSIT) only provides suggested policy and ad hoc support.
- Each agency decides its own risk tolerance for data loss and its own INFOSEC plan.
This decentralized INFOSEC environment inherently produces a less than adequate statewide INFOSEC posture. The lack of standard policies produces uneven quality in individual agency security postures. Many agencies are required to meet federal INFOSEC standards because they maintain categories of personally identifiable information (PII) such as health, tax, or credit card information. The question is: do these independent INFOSEC judgments, carried out in an uncoordinated manner without any common standard policies in more than 100 state agencies, universities, and commissions, add up to meet the post-DOR risk threshold of protecting our citizens' information? The answer: No.

Information Security Initiative: Objective
On October 26, 2012, Governor Nikki R. Haley issued an Executive Order to improve information security policies and procedures in state agencies. The Governor noted that information technology policy for security procedures and protocols had been largely uncoordinated and outdated, exposing the state to greater risks of internal and external cyberattacks. Governor Haley's request was in response to the announcement, the same day, of a network breach at the DOR resulting in millions of stolen records containing taxpayer personal information. The breach, one of the largest of its kind, directly diminished the trust and confidence of the public in state government and elevated concerns about the security of data at other state agencies.

Information Security Initiative: Short Term Statewide Efforts
After the DOR breach, each agency was tasked with completing a list of short term statewide protective measures:
- Conduct short term remediation steps: each agency double-checked the specific INFOSEC procedures having the highest impact on lowering INFOSEC risk.
- Agency self-assessment: each agency CIO completed an electronic INFOSEC self-assessment survey, as did each agency head from their perspective.
- Data classification: each agency located all high risk data, primarily personal identifying information (PII) and protected health information (PHI). Additionally, agencies were tasked to request help on any PII or PHI not sufficiently secured.

Information Security Initiative: Assessment of Statewide INFOSEC Risk
Each agency decides its own risk tolerance for a data loss and determines what it thinks is an appropriate plan. There is no statewide INFOSEC program providing leadership and support and establishing statewide INFOSEC expectations in the form of standards, policies, and procedures. This decentralized approach prevents the state from understanding, let alone managing, statewide INFOSEC risk, which creates potentially negative consequences for all of state government. The DSIT, which is led by the state CIO, lacks the authority to lead statewide INFOSEC. The DSIT's role has been to provide suggested policy and ad hoc support to help interested agencies.

Information Security Initiative: A Way Forward, Leadership Through Governance
Establish a governance model to provide a sustainable statewide platform for leadership, structure, processes, and assurance that INFOSEC risk, policy, and resource needs are addressed at the state level. A CISO position is established to take ownership of and lead a statewide INFOSEC program. The INFOSEC governance framework is the structure, strategies, policies, and practices put in place at the state level to provide support and to ensure that INFOSEC expectations and controls are adequately communicated and enforced. It allows the executives responsible for state government to have visibility into agencies' INFOSEC, and assurance that the state, collectively, is doing everything possible to protect our citizens' information.
Establish a federated model with central responsibility for the statewide INFOSEC program and authority to establish a statewide umbrella framework and policies. Delegate authority, in most areas, to agencies to tailor statewide policy to fit their operational environment, subject to oversight and audit. This general approach was overwhelmingly endorsed by CIOs, DSIT personnel, and experts.

Information Security Initiative: Programmatic Approach
Despite the complexity of INFOSEC, the statewide solution is fundamental program management. The first step in understanding the problem is developing statewide standards. Then the standards can be applied to individual agency operations through the risk assessment process, which will expose gaps or weaknesses. Only after looking at an agency's weaknesses in a holistic manner can the optimum cost-effective mitigation plan be developed, along with resource requirements and timelines. After all risk assessments and mitigation plans are completed, statewide governance provides technical and resource support to agencies on an ongoing basis, and coordinates periodic audits. The cycle repeats continually, resulting in improved INFOSEC maturity and capabilities over the long term. Statewide INFOSEC is a process, not a single solution. Initially, it will not be easy to coordinate this new programmatic approach. It will take more resources in terms of staffing, expertise, technology, and hardware. However, there are two worthy goals to keep in mind during this urgent effort.

Information Security Initiative: Findings & Recommendations
Finding #1: The state does not have a statewide INFOSEC program, which undermines an effective statewide security posture and creates unmanaged and uncontrolled statewide INFOSEC risks with potential impact on the entire state government.
Recommendation #1: Establish a statewide INFOSEC program. Establish a federated governance model.
Finding #2: The state has not fixed responsibility, accountability, and authority for statewide INFOSEC.
Recommendation #2: Establish a Chief Information Security Officer (CISO) position outside of DSIT to lead the development and implementation of a statewide INFOSEC program. Establish a Steering Committee to expedite and provide oversight of the development of a statewide INFOSEC program.
Finding #3: A consultant with expertise in developing and implementing statewide INFOSEC programs will be required to assist in establishing a statewide INFOSEC governance framework and to develop statewide INFOSEC implementation options.
Recommendation #3: Identify and procure the use of a consultant to assist in building the governance framework and developing statewide INFOSEC implementation options.

Information Security Initiative: Next Phase of Review
If approved, a CISO, a federated model, and the use of a consultant with expertise in implementing statewide INFOSEC programs should construct a governance framework in a highly collaborative manner with state executive leadership and agency representation. The next interim report will focus on implementation options and recommendations, in terms of cost and schedule, to develop a long term sustainable statewide INFOSEC program to reduce agency and statewide risk.

Part 2: Mandiant Report

Mandiant Investigation: Objectives
Initial Contact: On October 10, 2012, a law enforcement agency contacted the South Carolina Department of Revenue (DoR) with evidence that Personally Identifiable Information (PII) of three individuals had been stolen. The Department of Revenue reviewed the data provided and identified that it would have been stored within databases managed by the Department of Revenue. On October 12, 2012, Mandiant was contracted by the Department of Revenue to perform an incident response.
Mandiant Engagement Objectives:
- Determine if the attack was ongoing.
- Confirm the initial method of intrusion and its timing.
- Determine the scope of the compromise.
- Determine data loss/exposure.
- Perform immediate remediation activities.
- Develop short and long term remediation plans.

Mandiant Investigation: Activities
- Met with the South Carolina Department of Revenue and Division of State Information Technology (DSIT) representatives to discuss initial evidence preservation requirements.
- Reviewed log data, created forensic images and performed forensic analysis of the web, application, and database systems that housed the PII data provided in the law enforcement notification.
- Analyzed DOR computer systems for indicators of compromise (IOCs).
- Monitored all network traffic from the DOR's single Internet egress point for evidence of ongoing malicious activity.
- Reviewed available network and security device logs for indicators of compromise.
- Collected live response data and forensic images from key systems as well as network and system logs.
- Analyzed malware to identify additional indicators of compromise.
- Analyzed evidence to identify attacker activities and additional indicators of compromise.
- Documented findings and remediation recommendations.
- Performed a PCI Forensics Investigation (PFI) as required by the Department of Revenue's acquiring bank, First Data.
- Performed both on-site and off-site incident response activities from October 13, 2012 through November 16, 2012.

Mandiant Investigation: Findings, Summary of the Attack
1. August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user's username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user's credentials were obtained by the attacker.
2. August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user's workstation and then leveraged the user's access rights to access other Department of Revenue systems and databases with the user's credentials.
3. August 29, 2012: The attacker executed utilities designed to obtain user account passwords on six servers.
4. September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (a "backdoor") on one server.
5. September 2, 2012: The attacker interacted with twenty-one servers using a compromised account and performed reconnaissance activities. The attacker also authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
6. September 3, 2012: The attacker interacted with eight servers using a compromised account and performed reconnaissance activities. The attacker again authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
7. September 4, 2012: The attacker interacted with six systems using a compromised account and performed reconnaissance activities.
8. September 5-10, 2012: No evidence of attacker activity was identified.

Mandiant Investigation: Findings, Summary of the Attack (continued)
9. September 11, 2012: The attacker interacted with three systems using a compromised account and performed reconnaissance activities.
10. September 12, 2012: The attacker copied database backup files to a staging directory.
11. September 13 and 14, 2012: The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
12. September 15, 2012: The attacker interacted with ten systems using a compromised account and performed reconnaissance activities.
13. September 16, 2012 to October 16, 2012: No evidence of attacker activity was identified.
14. October 17, 2012: The attacker checked connectivity to a server using the backdoor previously installed on September 1, 2012. No evidence of additional activity was discovered.
15. October 19 and 20, 2012: The Department of Revenue executed remediation activities based on short term recommendations provided by Mandiant. The intent of the remediation activities was to remove the attacker's access to the environment and to detect a re-compromise.
16. October 21, 2012 to present: No evidence of related malicious activity post-remediation has been discovered.

Mandiant Investigation: IOCs, Extent of Compromise
1. The attacker compromised a total of 44 systems:
- One system had malicious software (a "backdoor") installed.
- Three systems had database backups or files stolen.
- One system was used to send data out of the environment to the attacker.
- Thirty-nine systems were accessed by the attacker (the attacker performed such activities as reconnaissance and password hash dumping).
2. The attacker used at least 33 unique pieces of malicious software and utilities to perform the attack and data theft activities, including:
- A backdoor
- Multiple password dumping tools
- Multiple administrative utilities
- Multiple Windows batch scripts to perform scripted actions
- Multiple generic utilities to execute commands against databases
3. The attacker remotely accessed the Department of Revenue environment using at least four IP addresses.
4. The attacker used at least four valid Department of Revenue user accounts during the attack.
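The attack summary (valid-credential Citrix logon from outside, password-dumping utilities run across servers, backups staged into encrypted 7-zip archives, transfer out from a different server) and the IOC counts above describe a chain that ordinary logon, process and flow logs can surface if the stages are correlated rather than read one at a time. The following Go program is an added example, not code from the Mandiant report or from the State of South Carolina: it runs three rules that mirror those stages over a constructed event timeline. The internal address range, the credential-dumper watchlist, host and user names, thresholds and every sample event are assumptions made for the example; the report names no tools, hosts or accounts.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"time"
)

// Event is one normalized log record: a remote-access logon, a process start,
// or an outbound flow. Field names are this example's own, not the DOR's.
type Event struct {
	At    time.Time
	Kind  string // "remote_logon", "process" or "netflow"
	Host  string
	User  string
	Image string // process image name, for "process" events
	IP    string // source address for logons, destination address for flows
	Bytes int64  // bytes sent, for "netflow" events
}

type Alert struct{ Rule, Subject, Why string }

// corpNets is the assumed internal address space; any other address is external.
var corpNets = []string{"10.0.0.0/8"}

// credDumpers is a constructed watchlist; the report names no specific tools.
var credDumpers = map[string]bool{"pwdump.exe": true, "gsecdump.exe": true}

func external(ip string) bool {
	a := net.ParseIP(ip)
	for _, c := range corpNets {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(a) {
			return false
		}
	}
	return true
}

// Detect applies three rules that map onto stages of the DOR intrusion:
// (1) a remote-access logon with valid credentials from an external address;
// (2) one account running a credential dumper on minHosts distinct servers;
// (3) at least minBytes sent to an external address within window of a 7-Zip
// run anywhere in the environment (the archive host and egress host may differ).
func Detect(events []Event, minHosts int, minBytes int64, window time.Duration) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	var alerts []Alert
	dumpHosts := map[string]map[string]bool{} // user -> servers where a dumper ran
	var lastArchive *Event
	for i, e := range events {
		switch e.Kind {
		case "remote_logon":
			if external(e.IP) {
				alerts = append(alerts, Alert{"external-remote-logon", e.User, "from " + e.IP})
			}
		case "process":
			if credDumpers[e.Image] {
				if dumpHosts[e.User] == nil {
					dumpHosts[e.User] = map[string]bool{}
				}
				dumpHosts[e.User][e.Host] = true
				if len(dumpHosts[e.User]) == minHosts { // fire once, when the threshold is reached
					alerts = append(alerts, Alert{"cred-dump-spread", e.User, fmt.Sprintf("dumper on %d servers", minHosts)})
				}
			}
			if e.Image == "7z.exe" {
				lastArchive = &events[i]
			}
		case "netflow":
			if lastArchive != nil && external(e.IP) && e.Bytes >= minBytes && e.At.Sub(lastArchive.At) <= window {
				alerts = append(alerts, Alert{"staged-exfil", e.Host,
					fmt.Sprintf("%d bytes to %s after archiving on %s", e.Bytes, e.IP, lastArchive.Host)})
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed timeline shaped like the report's: external Citrix
// logon, hash dumping on several servers, 7-Zip on the database server, egress elsewhere.
func SampleEvents() []Event {
	d := func(m time.Month, day, h int) time.Time { return time.Date(2012, m, day, h, 0, 0, 0, time.UTC) }
	evs := []Event{
		{At: d(8, 27, 9), Kind: "remote_logon", Host: "citrix-gw", User: "jdoe", IP: "203.0.113.7"},
		{At: d(9, 13, 22), Kind: "process", Host: "dbsrv-01", User: "jdoe", Image: "7z.exe"},
		{At: d(9, 14, 1), Kind: "netflow", Host: "app-04", IP: "198.51.100.9", Bytes: 8_200_000_000},
		{At: d(9, 14, 2), Kind: "netflow", Host: "app-04", IP: "10.2.0.5", Bytes: 9_000_000_000}, // internal copy: not flagged
	}
	for _, h := range []string{"srv-01", "srv-02", "srv-03", "srv-04"} {
		evs = append(evs, Event{At: d(8, 29, 14), Kind: "process", Host: h, User: "jdoe", Image: "pwdump.exe"})
	}
	return evs
}

func main() {
	for _, a := range Detect(SampleEvents(), 3, 1<<30, 48*time.Hour) {
		fmt.Printf("%-22s %-10s %s\n", a.Rule, a.Subject, a.Why)
	}
}
```

Run as written it prints three alerts: the external logon on Aug. 27, the dumper spread once the third server is touched on Aug. 29, and the 8.2 GB transfer on Sept. 14 tied back to the 7-Zip run on the database server. The first rule is the one that matters most here: with a second authentication factor on the remote-access service the Aug. 27 logon would have failed outright, and the later stages would not have happened with those credentials.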

Mandiant Investigation: Data Breach Impact, Information Exposure
1. The attacker created fifteen encrypted 7-zip archives totaling approximately 8.2 GB of compressed data. The data decompressed into approximately 74.7 GB. It consisted of:
- Fourteen 7-zip archives that contained twenty-three database backup files.
- One 7-zip archive that contained ~1,200 files related to the sctax.org web site and an encrypted version of the data encryption key.
2. The twenty-three database backup files contained a combination of encrypted and unencrypted data. According to the Department of Revenue, all instances of encrypted data within the various databases were encrypted using an industry standard two-key method that leveraged the AES 256-bit encryption standard. One key was used to encrypt the data (the "encryption key"); the second key was used to protect the encryption key by encrypting it (the "key encrypting key" or KEK).
- The attacker stole the encrypted version of the data encryption key.
- No evidence was discovered to suggest that the attacker stole, or accessed, the key encrypting key.
Note that this protection covers only the columns that were actually encrypted; the unencrypted data in the same backup files needed no key at all, and the encrypted columns are safe only as long as the KEK itself was out of the attacker's reach.
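The "two-key method" described above is envelope encryption: a data encryption key (DEK) protects the records and a key encrypting key (KEK) protects the DEK, so the backup carries the wrapped DEK but never the KEK. The Go program below is an added example, not the DOR's code and not from the Mandiant report: it builds a backup the way that scheme does, then shows that a holder of the backup recovers nothing from the encrypted column without the KEK, while a column that was never encrypted is readable as-is. The report says only "AES 256"; the use of AES-256-GCM for both the data and the key wrap, the column names and the sample row are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// gcmFor builds AES-256-GCM for a 32-byte key (GCM is this example's choice; the report says only AES-256).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag for plaintext under key.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or an altered ciphertext fails GCM's authentication check.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("unusable key or ciphertext (%v)", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func newKey() ([]byte, error) {
	k := make([]byte, 32) // 256-bit AES key
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// Backup is what left the network. The KEK is deliberately not part of it.
type Backup struct {
	Names         []string // stored unencrypted (constructed column)
	EncryptedSSNs [][]byte // each value sealed with the DEK (constructed column)
	WrappedDEK    []byte   // the DEK, sealed with the KEK
}

// MakeBackup encrypts the sensitive column under a fresh DEK and wraps that DEK under the KEK.
func MakeBackup(kek []byte, names, ssns []string) (Backup, error) {
	dek, err := newKey()
	if err != nil {
		return Backup{}, err
	}
	b := Backup{Names: names}
	if b.WrappedDEK, err = seal(kek, dek); err != nil {
		return Backup{}, err
	}
	for _, s := range ssns {
		ct, err := seal(dek, []byte(s))
		if err != nil {
			return Backup{}, err
		}
		b.EncryptedSSNs = append(b.EncryptedSSNs, ct)
	}
	return b, nil
}

// RecoverSSNs unwraps the DEK with the KEK, then decrypts each value; with the wrong KEK nothing is recovered.
func RecoverSSNs(b Backup, kek []byte) ([]string, error) {
	dek, err := open(kek, b.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	var out []string
	for _, ct := range b.EncryptedSSNs {
		pt, err := open(dek, ct)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

func main() {
	kek, _ := newKey()
	b, _ := MakeBackup(kek, []string{"A. Taxpayer"}, []string{"123-45-6789"}) // constructed row
	_, attackerErr := RecoverSSNs(b, make([]byte, 32))                        // any key but the KEK fails
	ssns, _ := RecoverSSNs(b, kek)
	fmt.Println("cleartext column:", b.Names, "| attacker:", attackerErr, "| with KEK:", ssns)
}
```

The design point for a practitioner is where the KEK lives: if it had been stored on, or reachable from, any of the 44 systems the attacker touched, the wrapped DEK in the fifteenth archive would have been enough to decrypt every encrypted column. Keeping the KEK in a separate key store (or hardware security module) that the database and application servers only call into, never read from, is what makes the "two-key" claim hold.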

Mandiant Investigation: Remediation
Remediation Plan: Mandiant developed an immediate containment plan to deny the attacker access to the environment using the known methods of access. A containment plan is critical in a compromise involving potential PII and/or cardholder data loss. The Department of Revenue started implementing the containment plan on October 19, 2012 and completed containment activities on October 20, 2012. Mandiant then developed a plan to implement intermediate and longer term recommendations to enhance the Department of Revenue's security against future compromise. Those longer term recommendations are in the process of being implemented. No evidence of ongoing attacker activity post-remediation has been identified.

Updates: Nov 20, 2012
In a press conference on November 20th, Governor Nikki Haley announced that Jim Etter, the Department of Revenue director, had given his letter of resignation in the wake of the Department of Revenue hacking. Haley released the information about Etter's resignation after releasing a report on the cyber-attack on South Carolina's tax collection agency that shows officials could have done more to protect the personal information of nearly 4 million individual filers and 700,000 businesses. Governor Haley also announced that the state now knows who was impacted by the hack and that anyone affected will be contacted by mail. She also released the following numbers on the people impacted:
- Filers impacted: 3.9 million
- Dependents: 1.9 million
- Businesses: 699,900
- Bank accounts: 3.3 million, some of which are closed
- Credit cards: 5,000, all of which have expired

Part 4: The Initial Assessment

Initial Security Assessment, Deloitte & Touche LLP, May 1, 2013
Deloitte Recommendations
1. Provide the necessary support to establish and mature the State's INFOSEC program over the long term. Provide the organizational, governance and financial support required to implement the foundational aspects of the program in fiscal year 2014 and to further evolve and mature the program in subsequent years.
2. Establish an enterprise information security organization with the authority to set, independently assess and enforce policy and to implement the INFOSEC program. Create an interim governing authority with responsibility for reviewing, approving, and coordinating enterprise and agency information security procurements and projects.
3. Implement an enterprise security awareness program for state employees and strengthen the State's cybersecurity workforce. Partner with local universities to help develop a pipeline of talent.
4. Implement the immediate security technology recommendations as a foundation for enterprise and agency level security improvements. Based upon the security assessment activities performed, we have provided the State with recommendations that are implementable in the near term to improve the security posture of the enterprise.
5. Evaluate governance options and recommend a model to improve the State's technology governance. The decentralized Information Technology (IT) governance model is likely to continue to constrain the effectiveness of the INFOSEC program. To overcome the challenges associated with multiple points of security risk evaluation, control and enforcement, the State should consider moving to a federated governance model for IT.

Initial Security Assessment, Deloitte & Touche LLP, May 1, 2013
Background Information: In December of 2012, the Budget and Control Board authorized the Executive Director of the Board to issue a Request for Proposals (RFP) to assist the State of South Carolina ("State") with a statewide information security program and with identifying and addressing serious information security vulnerabilities. The RFP was issued by the Budget and Control Board in January 2013. Through a competitive procurement, Deloitte & Touche, LLP was awarded a three year contract containing two task orders:
Task A: Assess security vulnerabilities and provide an initial report by May 1, 2013.
- Assess security vulnerabilities
- Recommend appropriate structure and governance to manage the INFOSEC program for the State
- Provide guidance and estimates for the fiscal year 2014 budget
- Deliver an initial report by May 1st, 2013
Task B: Assist with the development and implementation of an INFOSEC program for the State.

Initial Security Assessment, May 1, 2013 [figure-only slide; no text captured]

Initial Security Assessment, May 1, 2013: Recommendations
- Governance: an enterprise organizational structure responsible for developing statewide enterprise security policies, with state agencies responsible for implementing them.
- Roadmap: a set of prioritized recommendations to help improve the security posture of the State.
- Budget: budgetary estimates for implementing the foundational aspects of the INFOSEC program in state fiscal year 2014.

Initial Security Assessment, May 1, 2013: Organizational Recommendation [figure-only slide]

Initial Security Assessment, May 1, 2013: Program Roadmap [figure-only slide]

Initial Security Assessment, May 1, 2013: Foundation Roadmap Deliverables [figure-only slide]

Initial Security Assessment, May 1, 2013: Evolve Roadmap Deliverables [figure-only slide]

Initial Security Assessment, May 1, 2013: Leading in Class Roadmap Deliverables [figure-only slide]

Initial Security Assessment, May 1, 2013: Budget Recommendation [figure-only slide]

Initial Security Assessment, Deloitte & Touche LLP, May 1, 2013
State fiscal year 2014 recommendations
1. Provide the financial support required for the INFOSEC program for fiscal year 2014.
2. Establish an enterprise information security organization with the authority to set, independently assess and enforce policy and to implement the INFOSEC program.
   a. Recognizing that it will likely take several months to hire personnel and to establish the organization, create an interim governing authority with responsibility for reviewing, approving and coordinating enterprise and agency information security procurements and projects.
3. Implement an enterprise security awareness program for state employees and strengthen the State's cybersecurity workforce through professional development and in partnership with universities through the development of an internship program.
4. Implement the immediate security technology recommendations as a foundation for enterprise and agency level security improvements.
5. Evaluate IT governance options and recommend a model to improve the State's technology governance, to overcome the challenges associated with multiple points of security risk evaluation, control and enforcement that stem from the decentralized nature of the State's current information technology governance and assets.

Part 5: The Interim Assessment

Interim Security Assessment, Deloitte & Touche LLP, October 28, 2013
Task A Status: As part of Task A, a preliminary security assessment was conducted and on May 1, 2013, Deloitte & Touche presented results which included information security risks and areas of opportunity for improving the security posture of the State. Recommendations derived from the preliminary assessment included the following areas:
- Provide the necessary organizational, governance and financial support required to implement the foundational aspects of the INFOSEC program in FY 2014, and to further evolve and enhance the program in future years.
- Implement security technology improvements as a foundation for enterprise security improvements.
- Design and implement a governance structure for an enterprise information security organization with the authority to define, assess and enforce policy and stand up the INFOSEC program.
- Create and implement an enterprise security awareness program for state employees, and strengthen the cyber security workforce through professional development.
The State's FY13-14 Budget, approved and ratified on June 19, 2013, provides $10.6 million for the newly created Budget and Control Board Division of Information Security (DIS).

Interim Security Assessment, Deloitte & Touche LLP, October 28, 2013
Background, Task B Initiatives: As part of Task B, Deloitte & Touche assisted the State with the following INFOSEC initiatives:
- Governance: continued development of a federated information security governance model by creating and posting INFOSEC role position descriptions, including the Chief Information Security Officer and Chief Privacy Officer positions.
- Risk Analysis: conducted concurrent risk assessments at selected state agencies and presented observations and remediation options to agencies and State leadership.
- Risk Management: developed and released an information security self-assessment tool to help State agencies internally identify, remediate, and manage information security risks identified through self-assessments driven internally at each agency.
- Information Security Policy and Recommended Technology Solutions: created and released four new enterprise-wide information security policies; additional policies are under development and will be released over the coming months.
- Data Classification: created a data classification model to characterize the State's data for more efficient use and protection.
- Training and Workforce Development: released a Request for Proposal (RFP) seeking a broad, online-based cybersecurity training program for State employees.

Interim Security Assessment, October 28, 2013: Approach [figure-only slide]

Interim Security Assessment, October 28, 2013: Organization Progress
Function: Governance
- Current state: Organizational structure finalized.
- Next steps: Develop job descriptions for other leadership positions (Deputy CISOs, COO).
Function: Awareness, Training and Talent
- Current state: CISO and CPO job descriptions finalized and hiring process initiated. Developed and issued an RFP for an Employee Cyber Security Awareness Training program; State procurement has reviewed responses to the RFP and is in the process of selecting a vendor. Information security skill set developed for the statewide workforce assessment.
- Next steps: Deploy the awareness training program across the enterprise. Develop a professional development program to define training paths for INFOSEC personnel, attract new talent, and minimize rotation of personnel.

Interim Security Assessment, October 28, 2013: Process and Policies
Function: Security Framework
- Current state: Developed an enterprise-wide INFOSEC framework based on information security sources, including NIST.
- Next steps: Develop an ongoing compliance program that measures alignment with the framework.
Function: Security Risk Assessments
- Current state: Completed security risk assessments at nine agencies. Provided individual results of assessments and remediation options to agency executive leaders. Provided summary findings and remediation options to State leadership. Deployed, and in the process of training agencies on, an information security self-assessment tool designed to better enable agencies to measure their own information security posture.
- Next steps: Complete an additional nine agency risk assessments. Review the remediation efforts of the agencies and provide recommendations for remediation assistance where needed.
Function: Security Policy
- Current state: Designed and released four new enterprise-wide security policies: Asset Management; Human Resources and Security Awareness; Risk Management; Information Systems Acquisition, Development, and Maintenance.
- Next steps: Release additional enterprise-wide security policies and associated Recommended Technology Solutions over the next three months. Monitor and evaluate policies on an as-needed basis.
Function: Data Classification
- Current state: Deployed and provided training on an initial IT asset management tool to assist agencies with identification of systems within their organization that contain data. Established an enterprise-wide data classification schema and delivered it to agencies.
- Next steps: Pilot a sensitive data discovery tool to assist with data identification and subsequent classification. Determine appropriate security measures based on data classification.
Function: Agency Risk Profiles
- Current state: Established risk profile categories for each agency, along with an information security framework for each category. Created an information security self-assessment tool to help agencies auto-classify internal information security risks.
- Next steps: Based on the risk levels observed, determine appropriate ongoing security measures for each agency.

Interim Security Assessment, October 28, 2013: Technology Progress
Function: Secure Network Engineering
- Current state: Identified and distributed enterprise information security solutions for access controls and for protection against malicious threats.
- Next steps: Establish and implement a distributed enterprise solution.
Function: Data Protection
- Current state: Identified the different types of sensitive data within the State environment. Developed and delivered asset management guidance and a data classification schema.
- Next steps: Perform a data discovery exercise to identify the presence of sensitive data, and employ the appropriate level of data protection.
Function: Threat Monitoring and Control
- Current state: Identified information security solutions to enhance the current IT security monitoring and reporting capabilities of the State.
- Next steps: Enhance threat monitoring to include cyber threat analytics and intelligence gathering.
Function: Periodic Vulnerability Assessment and Remediation
- Current state: Conducted vulnerability assessments to help identify, analyze and mitigate infrastructure and current application vulnerabilities.
- Next steps: Establish a program to track the remediation of future vulnerabilities identified during periodic vulnerability assessments.

Interim Security Assessment, October 28, 2013: Budget [figure-only slide]

Interim Security Assessment, October 28, 2013: Conclusions and Next Steps [figure-only slide]

Interim Security Assessment, October 28, 2013: Budget Summary [figure-only slide]

Part 6: The Final Security & Privacy Report

The Final Security & Privacy Report, Deloitte & Touche LLP, May 2014
State of South Carolina - Initial Security Assessment (findings grouped in the report under People, Process and Technology)
- No statewide INFOSEC or Privacy organization to provide standardized, consistent guidance to agencies. This has contributed to inconsistent policies and technologies, as well as ad-hoc, duplicative procurement and implementation of information security and privacy tools among agencies.
- Lack of security awareness and privacy training available to employees and contractors serving the State. Security awareness and privacy training is foundational for effective INFOSEC and Privacy programs and is consistently identified as a top cybersecurity initiative for states (Deloitte-NASCIO Cybersecurity Study, "State governments at risk: Time to Move Forward", October).
- Lack of qualified cybersecurity professionals and specialized INFOSEC and Privacy training. As a common practice, agencies had staff performing security and privacy job functions without training or certifications. Open positions were difficult to fill due to the lack of qualified candidates and salary constraints.
- Inconsistent business continuity management (BCM). Evaluation of the agencies revealed that 72% had no formalized business contingency documentation and processes, putting mission delivery at risk in the event of a natural disaster or a man-made disaster or crisis such as a cyber-attack.
- Lack of IT risk management and IT risk strategy. Of the agencies evaluated, 66% had not developed an IT risk strategy outlining how their security risks would be mitigated, transferred, or accepted. Agencies were unaware of where they had INFOSEC risks (e.g., out-of-support Windows XP systems) within their organizations.
- Poor security governance and management. In total, 60% of assessed agencies lacked effective processes for security management. The assessments identified 50 examples of missing security updates for known security vulnerabilities and over 100 examples of improper or weak configuration management. If exploited, these vulnerabilities could lead to compromise of citizen and State data and could affect the availability of mission-critical systems.
- Lack of patch management tools. 60% of the assessed agencies did not have a tool to support the process of identifying and installing security updates on systems, which reduces the risk of exploitation of known vulnerabilities.
- Inconsistent use of multifactor authentication. More than half of the assessed agencies that processed sensitive data lacked multifactor authentication for individuals with direct access to sensitive citizen data.
- Inconsistent use of encryption. More than half of the assessed agencies were using no encryption, or only partial encryption, to protect sensitive data. This is especially important for mobile devices such as laptops, which are easily lost or stolen.
- Islands of computing. Many State agencies operate their own IT infrastructures, from servers in unprotected closets to data centers. This decentralized approach presents a number of risks and program challenges: increased complexity for implementing statewide security information and event management (SIEM); proliferation of security tool vendors selected to provide security capabilities; inability to efficiently report on the security posture of the State; and additional cost and time required to roll out statewide consolidated security tools and programs.

46 The Final Security & Privacy Report, Deloitte & Touche LLP, May 2014. State of South Carolina - InfoSec Program Roadmap

47 The Final Security & Privacy Report, Deloitte & Touche LLP, May 2014. State of South Carolina - Current Security Assessment

People
Implementing a federated information security governance model. Statewide INFOSEC professionals report directly to the Chief Operating Officer (COO) of the Division of Technology (DT), including the State's Chief Information Security Officer (CISO) as head of the DIS, and the State's Chief Privacy Officer (CPO), responsible for the EPO. The State has also filled all Deputy CISO (D-CISO) positions within DIS and two Deputy Chief Privacy Officer (D-CPO) positions within the EPO, and continues to hire information security professionals for the INFOSEC program.
Building a professional development program. The program is designed to attract, train/develop, and retain INFOSEC and Privacy staff.
Providing online cybersecurity awareness training for State employees. This training is essential for the State to establish a strong INFOSEC and Privacy posture, as the State's employees are the first line of defense against cybercrime and data breaches.
Providing training to State cybersecurity professionals. This training provides continuous learning opportunities for INFOSEC professionals to develop the skill sets necessary for specialty areas within the cybersecurity workforce.

Process
Publishing the State's data classification schema to categorize data for more efficient and effective data protection. This data classification schema helps agencies and the State prioritize investments in information and data security.
Publishing foundational INFOSEC policies and providing agencies with guidance and education for the adoption and implementation of these policies.
Developing INFOSEC program key performance indicators (KPIs). These KPIs help the State monitor adoption of the INFOSEC policies at State agencies. They are the key input to a program maturity dashboard that will facilitate reporting progress made by individual agencies, as well as statewide progress towards the implementation of the INFOSEC and Privacy programs.
Developing and rolling out an information security self-assessment tool. State agencies can use the tool for internal risk assessments of INFOSEC capabilities, as well as for developing remediation plans to address the risks identified.

Technology
Initiating statewide implementation of enterprise INFOSEC technology solutions. These include technologies for laptop encryption, virtual private network/two-factor authentication, patch management, privileged user management, enterprise vulnerability assessments, and data discovery.
Expanding the coverage of the SIEM monitoring solution to non-cabinet agencies. Cabinet agencies were previously integrated per the Governor's executive order in December.

48 The Final Security & Privacy Report, Deloitte & Touche LLP, May 2014. State of South Carolina - Security Program Recommendations

People
Continue to build an efficient INFOSEC and Privacy governance model. Establish statewide processes and additional shared resources. Focus on delivering effective security and privacy capabilities in a cost-efficient manner.
Review and improve the security awareness training program. Determine if alternative providers would be more cost-effective and have greater impact.
Roll out the initial phases of the statewide professional development program. Focus on attracting, developing, and retaining INFOSEC and Privacy staff. These people are on the front lines of safeguarding citizens' data and will help to protect the State against internal and external threats.
Collaborate further with external organizations that have sophisticated cybersecurity capabilities. As the cybersecurity mission expands from protection of citizen data to protection of broader statewide critical infrastructure, DIS should further mature the State's Fusion Center capabilities (a Fusion Center is an entity designed to integrate federal intelligence efforts with those of state and local authorities) and further develop its relationship with the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Process
Continue to oversee statewide development and rollout of the agency INFOSEC and Privacy programs. This includes such activities as: agency implementation of statewide INFOSEC policies and procedures; agency self-assessments using the State's security framework; completion of asset inventories of the IT environment and subsequent data classification to identify systems and data that require protection; and creation and execution of agency-level risk mitigation plans for risks identified through information security risk assessments.
Implement a statewide governance, risk and compliance (GRC) program. This will enable the measurement of the security posture and progress at the agency and statewide levels. This type of program also assists with investment prioritization.
Continue and improve agency-level implementation of the State's asset inventory and data classification processes. Creating an inventory and data classification identifies what data and systems need protection. The State can then determine what technology investments are required to deliver the needed protection.

Technology
Continue deployment of the recommended enterprise technology solutions statewide, including technologies for laptop encryption, virtual private network/two-factor authentication, patch management, privileged user management, enterprise vulnerability assessments, and data discovery.
Procure and implement an enterprise/statewide GRC tool. This will allow for a tool-based implementation of the GRC processes described above, which provides automation and dashboard reporting capabilities.
Begin to design and implement a data loss prevention (DLP) solution for agencies that deal with sensitive data. This initiative will build on the foundation constructed during the rollout of data discovery tools.
Invest in network technology to improve threat detection and containment within the statewide network environment.
Identify opportunities to provide additional consolidated services and reduce the islands of IT computing. The number of IT computing centers is directly related to the number of INFOSEC controls required to mitigate the risk of losing confidentiality, integrity, and availability of the State's IT systems and data. Reducing the number of computing centers will mean fewer devices and systems needing protection and monitoring. Having fewer locations would also lower the cost of statewide business continuity and disaster recovery programs, enable faster rollout of INFOSEC technology solutions, and improve the State's ability to respond to security incidents.
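Slides 47 and 48 describe the same measurement loop from two angles: agencies classify their data and self-assess, KPIs roll the results into a program maturity dashboard, and a GRC process turns the gaps into agency-level risk mitigation plans. The Python below is an added illustration of that loop, not the State's self-assessment tool or anything from the Deloitte report; the classification schema, the control identifiers (taken from the enterprise technologies the report recommends) and the three agency submissions are all constructed assumptions.

```python
"""Toy GRC roll-up: data classification -> required controls -> gaps -> KPIs.

Constructed illustration (not the State's tool). Schema and agency data are
assumptions; control names mirror the report's recommended technologies.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Control identifiers for the enterprise solutions named in the report.
CONTROLS = ["patch_management", "vuln_assessment", "privileged_user_mgmt",
            "vpn_2fa", "laptop_encryption", "data_discovery"]

# Hypothetical classification schema, lowest to highest. Requirements are
# cumulative: a system inherits everything required of lower classes.
CLASS_ORDER = ["Public", "Internal", "Confidential", "Restricted"]
ADDED_BY_CLASS = {
    "Public": {"patch_management", "vuln_assessment"},
    "Internal": {"privileged_user_mgmt"},
    "Confidential": {"vpn_2fa", "laptop_encryption", "data_discovery"},
    "Restricted": set(),  # same technical baseline as Confidential here
}
SENSITIVE = {"Confidential", "Restricted"}


@dataclass
class System:
    name: str
    data_class: str      # most sensitive data the system holds
    controls: Set[str]   # controls the agency reports as implemented


@dataclass
class Agency:
    name: str
    systems: List[System]
    has_bcm_plan: bool        # formalized business continuity documentation
    has_risk_strategy: bool   # IT risk strategy (mitigate/transfer/accept)


def required_controls(data_class: str) -> Set[str]:
    """Controls a system must have, given its classification."""
    req: Set[str] = set()
    for cls in CLASS_ORDER[: CLASS_ORDER.index(data_class) + 1]:
        req |= ADDED_BY_CLASS[cls]
    return req


def system_gaps(system: System) -> Set[str]:
    return required_controls(system.data_class) - system.controls


def agency_gaps(agency: Agency) -> Dict[str, Set[str]]:
    """Remediation worklist: system name -> missing controls (compliant systems omitted)."""
    gaps = {}
    for s in agency.systems:
        missing = system_gaps(s)
        if missing:
            gaps[s.name] = missing
    return gaps


def maturity(agency: Agency) -> float:
    """Percent of required controls actually in place across the agency's systems."""
    required = present = 0
    for s in agency.systems:
        req = required_controls(s.data_class)
        required += len(req)
        present += len(req & s.controls)
    return round(100.0 * present / required, 1) if required else 100.0


def _pct(count: int, total: int) -> float:
    return round(100.0 * count / total, 1) if total else 0.0


def _lacks(agency: Agency, control: str, sensitive_only: bool = False) -> bool:
    """True if any (sensitive) system that requires the control is missing it."""
    for s in agency.systems:
        if sensitive_only and s.data_class not in SENSITIVE:
            continue
        if control in required_controls(s.data_class) and control not in s.controls:
            return True
    return False


def statewide_kpis(agencies: List[Agency]) -> Dict[str, float]:
    """Statewide figures of the kind the initial assessment reported."""
    n = len(agencies)
    sens = [a for a in agencies if any(s.data_class in SENSITIVE for s in a.systems)]
    systems = [s for a in agencies for s in a.systems]
    return {
        "pct_agencies_without_bcm": _pct(sum(not a.has_bcm_plan for a in agencies), n),
        "pct_agencies_without_risk_strategy": _pct(sum(not a.has_risk_strategy for a in agencies), n),
        "pct_agencies_without_patch_mgmt": _pct(sum(_lacks(a, "patch_management") for a in agencies), n),
        "pct_sensitive_agencies_missing_2fa": _pct(sum(_lacks(a, "vpn_2fa", True) for a in sens), len(sens)),
        "pct_sensitive_agencies_missing_encryption": _pct(sum(_lacks(a, "laptop_encryption", True) for a in sens), len(sens)),
        "pct_systems_fully_compliant": _pct(sum(not system_gaps(s) for s in systems), len(systems)),
    }


def dashboard(agencies: List[Agency]) -> List[dict]:
    """Program maturity dashboard rows, least mature agency first."""
    rows = []
    for a in agencies:
        counts = Counter(c for missing in agency_gaps(a).values() for c in missing)
        top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))  # most frequent gap, ties by name
        rows.append({"agency": a.name, "maturity_pct": maturity(a),
                     "open_gaps": sum(counts.values()),
                     "top_gap": top[0][0] if top else None})
    return sorted(rows, key=lambda r: r["maturity_pct"])


# Constructed self-assessment submissions from three fictional agencies.
AGENCIES = [
    Agency("Agency A", [
        System("tax-db", "Restricted", {"patch_management", "vuln_assessment", "privileged_user_mgmt"}),
        System("intranet", "Internal", {"patch_management", "vuln_assessment", "privileged_user_mgmt"}),
    ], has_bcm_plan=False, has_risk_strategy=False),
    Agency("Agency B", [System("benefits-app", "Confidential", set(CONTROLS))],
           has_bcm_plan=True, has_risk_strategy=True),
    Agency("Agency C", [System("public-site", "Public", {"vuln_assessment"})],
           has_bcm_plan=False, has_risk_strategy=True),
]

if __name__ == "__main__":
    for agency in AGENCIES:
        print(agency.name, agency_gaps(agency))
    print(statewide_kpis(AGENCIES))
    for row in dashboard(AGENCIES):
        print(row)
```

Because requirements derive from classification, the same missing control counts against a Restricted tax database but not against a Public web site, which is what lets the dashboard prioritize investment rather than just count findings.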

49 The Final Security & Privacy Report, Deloitte & Touche LLP, May 2014. Summary of Task A and Task B Initiatives

50 The Final Security & Privacy Report, Deloitte & Touche LLP, May 2014. State of South Carolina - Key Initiatives Roadmap

51 Questions?


Monthly Cyber Threat Briefing Monthly Cyber Threat Briefing January 2016 1 Presenters David Link, PM Risk and Vulnerability Assessments, NCATS Ed Cabrera: VP Cybersecurity Strategy, Trend Micro Jason Trost: VP Threat Research, ThreatStream

More information

Combating Cyber Risk in the Supply Chain

Combating Cyber Risk in the Supply Chain SESSION ID: CIN-W10 Combating Cyber Risk in the Supply Chain Ashok Sankar Senior Director Cyber Strategy Raytheon Websense @ashoksankar Introduction The velocity of data breaches is accelerating at an

More information

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Transforming Security from Defense in Depth to Comprehensive Security Assurance Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security Sneak Peak at CIS Critical Security Controls V 7 Release Date: March 2018 2017 Presented by Kelli Tarala Principal Consultant Enclave Security 2 Standards and Frameworks 3 Information Assurance Frameworks

More information

Best Practices in Securing a Multicloud World

Best Practices in Securing a Multicloud World Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives NORTH CAROLINA MANAGING RISK IN THE INFORMATION TECHNOLOGY ENTERPRISE NC MRITE Nominating Category: Nominator: Ann V. Garrett Chief Security and Risk Officer State of North Carolina Office of Information

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents Services to Help You Prepare for and Quickly Respond to Security Incidents The Challenge The threat landscape is always evolving and adversaries are getting harder to detect; and with that, cyber risk

More information

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise February 11 14, 2018 Gaylord Opryland Resort and Convention Center, Nashville #DRI2018 Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise Tejas Katwala CEO

More information

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report ii Nationwide Cyber Security Review: Summary Report Acknowledgments The Multi-State Information Sharing

More information

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015 ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO 27001 FRAMEWORK AUGUST 19, 2015 Agenda Coalfire Overview Threat Landscape What is ISO Why ISO ISO Cycle Q&A 2 Presenters

More information

FISMA Cybersecurity Performance Metrics and Scoring

FISMA Cybersecurity Performance Metrics and Scoring DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

Reducing Cybersecurity Costs & Risk through Automation Technologies

Reducing Cybersecurity Costs & Risk through Automation Technologies Reducing Cybersecurity Costs & Risk through Automation Technologies Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: November 2017 Ponemon Institute Research

More information

CISM Certified Information Security Manager

CISM Certified Information Security Manager CISM Certified Information Security Manager Firebrand Custom Designed Courseware Logistics Start Time Breaks End Time Fire escapes Instructor Introductions Introduction to Information Security Management

More information

Computing Accreditation Commission Version 2.0 CRITERIA FOR ACCREDITING COMPUTING PROGRAMS

Computing Accreditation Commission Version 2.0 CRITERIA FOR ACCREDITING COMPUTING PROGRAMS Computing Accreditation Commission Version 2.0 CRITERIA FOR ACCREDITING COMPUTING PROGRAMS Optional for Reviews During the 2018-2019 Accreditation Cycle Mandatory for Reviews During the 2019-2020 Accreditation

More information

Cyber Resilience - Protecting your Business 1

Cyber Resilience - Protecting your Business 1 Cyber Resilience - Protecting your Business 1 2 Cyber Resilience - Protecting your Business Cyber Resilience - Protecting your Business 1 2 Cyber Resilience - Protecting your Business Cyber Resilience

More information

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,

More information

Continuous protection to reduce risk and maintain production availability

Continuous protection to reduce risk and maintain production availability Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading

More information