States have comprehensive information about citizens
Organized cyber criminals have targeted government and higher education agencies for the past few years.
Data loss from government impacts citizen trust and has the potential to impact state business by affecting citizen services, revenue collections, or unplanned spending.
There have been high-profile cyber attacks from loose-knit, politically motivated groups operating globally. These groups are distinct from more well-established cyber criminal organizations, in both organizational structure (ad hoc vs. top-down) and motivation (hacktivism vs. monetary gain).
State Governments Are a Target

Texas has a population of 26+ million
Texas agencies spread across over 3 million IP addresses
Attacks mirror the larger Internet
Since January of 2009: 34 incidents of lost data
Range from network breach to lost/stolen laptops
Texas is not immune

The Changing Face of External Breaches
Emerging cybercrime and state-sponsored threats will require a strong response from states.
In terms of external security breaches, which of the following apply to your state?
Texas:
Overall infections are lower, but vectors have expanded
Web vulnerabilities are still a significant vector for attack
Similar attacks year-over-year
A distinct issue for a State with thousands of field workers
No significant activity from state-sponsored attackers
The OCISO does not track financial fraud

Top Five Barriers faced in addressing Cybersecurity
Insufficient resources against the growing sophistication of threats and emerging technologies make the need to raise stakeholder awareness, to gain their support and funding, all the more critical.

Identified Trends in Texas
1. Internal network segmentation
2. Consistent event monitoring and analysis
3. Standards in security governance / awareness
4. IT staffing challenges
5. Security in software development
6. Data classification
7. Identity and access management standardization

Increased Focus on Security
81st Session: 0 Bills Introduced
82nd Session: 1 Bill Introduced, 1 Bill Enrolled
83rd Session: 5 Bills Introduced, 4 Bills Enrolled

Multiple groups established to identify and address security issues
Texas Cybersecurity, Education, and Economic Development Council
Statewide Information Security Advisory Committee
Information Security Working Group
State Security Operations Group
Cyber Texas

Texas Legislative Action
SB1101 & SB1102
Establishes a statewide coordinator within DIR to develop strategies for and implement solutions related to cybersecurity education and economic development
Extends the council created in the 82nd Legislative Session to provide recommendations.
SB 1134
Clarifies the role DIR performs: developing strategies and a framework for protecting critical infrastructure, maintaining a clearinghouse for the state's cybersecurity matters, providing training to state personnel, and promoting public awareness of cybersecurity issues.
SB1597
Requires agencies to submit a security plan to DIR

Frameworks and Standards
HTTP://XKCD.COM/927/

Texas Statewide Security Program Overview
[Diagram labels: Security Services Texas Cybersecurity Framework Plan & Strategy Education & Awareness Direct Elected Services Cooperative Contract Procurement Offerings Managed Services TAC 202 Agency Security Plan Template Control Catalog Operations Vendor Services Alignment Identify Recover Protect Respond Detect Risk Management Security Officer Training Agency Personnel Awareness Public Awareness]

Agency Security Plan Template
40 security objectives defined
Aligned to Framework for Improving Critical Infrastructure Cybersecurity released by NIST on February 12
Agencies are guided to specify the controls they have in place for each security objective

Framework Components
Agency Security Plan Template: Delivered in January / Responses Due in October
Vendor Product / Service Template: Delivered in March
Texas Administrative Code Ch. 202: Target February 2015
Guidelines and Whitepapers: Developed as Necessary

Risk Management within the Framework
In development within SISAC Risk Assessment Subcommittee

Security Hierarchy of Needs
Rick Holland, Principal Analyst, Forrester, @rickhholland
Must do the fundamentals well or you'll never be able to address the top level threats.

Contact
Edward Block
edward.block@dir.texas.gov
512.463.8807