Oregon Fire Service Conference Enterprise Security Office Update October 26, 2018

State CIO Update
Terrence Woods, Interim State CIO
Slide presented at August OAGTIM

Information Security
Unify cybersecurity to improve customer service for Oregonians while ensuring those systems are secure and resilient
1. Unifying Enterprise Security Operations. Unifying cybersecurity to improve customer service for Oregonians while ensuring those systems are secure, resilient and ready for the future.
2. Cybersecurity Center of Excellence. Building a long-term multi-sector strategy that leverages the private-sector expertise of Oregon's cyber-related industries to protect the digital lives of all Oregonians.

Enterprise Security Strategy

Roadmap & Execution
2017-19 Biennium (2017, 2018, 2019)
Phases:
- Form new ESO, Ops review, Start on governance
- Establish shared services, publish enterprise plan, staff team
- Rule & Policy updates, metrics & reporting, 5-year planning
- Evaluate, course correct as needed, 2019-21 planning
Milestones:
- Positions (35) moved by HR to DAS/ESO
- All existing staff (14) moved to new roles in ESO
- Vacancies prepared for recruitment
- Deputy CISO hired
- Security risk governance foundation defined
- Security shared services catalog
- Plan for unified execution
- Agency minimum security requirements
- Unified enterprise security plan
- System security requirements for IT governance
- Key vacancies filled (10)
- Refresh security policy
- IT security rule making (update of OAR 125-800)
- Publish quarterly report cards
- Initiate 5-year planning
- Establish enterprise security board under ELT/EITG
- Finish staffing to plan (13)
- Independent review of program against best practice
- Independent technical assessment of State network
- Survey agency leaders on program quality & effectiveness
- Establish 2019-21 objectives
- Publish 5-year plan

Developing a post SB-90 Update
State CISO Guidance
- Near term implementation (1 July 2018-30 June 2019) of SB 90 and Enterprise Security Strategic Objectives
- Build on work of the Executive Order 16-13 Steering Group
- Set Realistic and Achievable Targets
- Security becomes part of DNA of the State of Oregon
- ESO is a trusted partner and advisor
- State Leadership and Agencies know value of ESO offerings
- Mid-Biennium Service Update released July 1
- Statewide Information Security Plan released August 8 (Gap Analysis due Oct 31)
- System Security Plan

Key Elements & Update Structure
Key Elements
- Center for Internet Security (CIS) v7 Basic 6
- State baseline and what Agencies must do
- Regulated data is accounted for
- Offerings are grouped into Security Operations and Security Enabling areas
- State of Oregon 5-Year Cybersecurity Strategy
- To be Developed collaboratively
Structure
- Background and Overview
- Rule Making (OAR 125.800)
- Operations
- Enabling
- Metrics
- Looking Ahead
- Investments from PoP
- 5-Year Cybersecurity Strategy for the State of Oregon

Near Term Initiatives
Outreach
- State Government (Large Agencies, Mid-Size Agencies, Small ABCs)
- Oregon Municipalities
- Education Districts
- Private Sector Critical Infrastructure
Resources
- ESO/State Counterparts
- MS-ISAC/US DHS/CIS
Planning
- State of Oregon 5-Year Cybersecurity Strategy
- Define Governance
- Identify major cybersecurity Initiatives
- CIS Basic 6 Controls a focus
- Increasing SOC visibility
- Something big the State can agree to

Statewide Security Community
Public-private cybersecurity collaboration to help all Oregonians
Oregon Cybersecurity Advisory Council
- Actively engaging wide community in workgroups focused on education, workforce, technology, information sharing & outreach
Oregon Cybersecurity Awareness
- Six major community events across Oregon in 2018
- Five high school NW Cyber Camps conducted across Oregon
- CyberOregon website launched: 800-850 visitors/month & growing
Oregon Cybersecurity Research
- Research on security needs across Oregon, public & private
- Top ask workforce development
- Consistent interest & need for services of a Center of Excellence
info@cyberoregon.com
https://www.cyberoregon.com

Basecamp Overview
Basecamp is an IT Supply Chain Management Program co-sponsored by the Office of the State Chief Information Officer (OSCIO) and DAS Procurement Services.
We are committed to:
- Making business oriented decisions
- Taking innovative approaches
- Planning strategically
- Embracing transparency
- Driving value
- Avoiding risk to our partners
- Engaging in nimble contracting
- Supporting public stewardship

Basecamp Overview
Helping you get the IT you need:
- Save you time: no need for a lengthy procurement process
- Save you resources: Save on Procurement and IT staff hours
- Vendor Management Provided: Performance is centrally managed
- We Leveraged Expertise: Multi-organization contributions
- Support Purchaser Community: Find other purchasing organizations
- Interoperability: Products and Services can integrate
www.oregon.gov/basecamp

Basecamp offerings
Need Cyber Security Services?
8 Vetted Vendors
Full Cyber Security Services
- Risk Assessments
- Training
- Monitoring & Detecting
- Response & Recovery Planning
- Incident Response
- And More
www.oregon.gov/basecamp

Basecamp offerings
Cyber Security, Everything you need to get started
Buyers Guide
- Service Matrix
- Selection Process
- Consultant link
- General information
http://www.oregon.gov/das/procurement/guiddoc/buyersguideitsecurityservices.docx

How to Access Products & Services
Cooperative Agreements: Oregon Cooperative Procurement Program (ORCPP)
- 50+ Fire Districts are members
- Leverage Statewide agreements
- 340+ Goods and Services available
- Sliding fee scale
For more information
Contact: info.orcpp@oregon.gov
www.oregon.gov/das/procurement/pages/orcpp.aspx

How to Find more Products & Services
Basecamp's IT Catalog provides quick link to the Award Summary Page basic document set.
- Find all Basecamp Statewide agreements
- Search, Sort and Filter
- Links to Procurement info
- Find purchaser data
https://www.oregon.gov/basecamp/pages/it-catalog.aspx

Contact Basecamp with Questions
CONTRACT ADMINISTRATOR, DAS PS
Lori Nordlien, IT Procurement Strategist
Phone: (503) 378-6781
Email: Lori.nordlien@oregon.gov
VENDOR MANAGER, DAS OSCIO
Jason Rood, Strategic Sourcing Specialist
Phone: (503) 383-6291
Email: Jason.rood@oregon.gov

Get in touch with ESO:
General questions: eso.info@oregon.gov
SOC/Incidents: eso.soc@oregon.gov
Malicious Hotline: 503-378-5930