
TEXAS DEPARTMENT OF INFORMATION RESOURCES

State Enterprise Security Plan


Securing Texas Information Resources
Fiscal Years 2007-2012

MAY 31, 2007

Letter from the State's Chief Technology Officer

May 31, 2007

Too often, information technology (IT) security has been relegated to the same category as training: a discretionary spending priority that is last to be funded and first to be cut during annual budget cycles. The business case for a new approach to IT security is compelling. The security and integrity of Texas's information and communications infrastructure underpin the activities and safety of every state agency and of every Texas citizen. Information resources are among the most valuable assets of any organization or individual. The information resources of Texas are under attack virtually every minute of every hour of every day through theft, tampering, and destruction.

The safety and security of state information resources are a fundamental management responsibility that cannot be delegated and is not optional. The security of these resources must be factored into every aspect of state agency operations. It is the responsibility and commitment of the Department of Information Resources (DIR) to foster partnerships with each state agency to:

- Ensure that systems and applications operate effectively with appropriate confidentiality, integrity, and availability
- Protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification
- Regularly assess operations for IT vulnerabilities and risk mitigation opportunities

This State Enterprise Security Plan provides goals, objectives, and a plan of action to secure state information resources. It is consistent with the vision articulated in the Governor's Texas Homeland Security Strategic Plan: 2005-2010 and in Shared Success, DIR's 2005 State Strategic Plan for Information Resources Management. It also builds on the findings of the 2005 State IT Security Assessment to enhance and sustain cost-effective IT security for the state.

Brian S. Rawson
Executive Director
Texas Department of Information Resources

Contents
Executive Summary
Section 1. Threats and Vulnerabilities
Section 2. Roles and Responsibilities
Section 3. Goals and Objectives
Section 4. Strategies
Section 5. Moving Forward
Appendix A. Tactical Checklists
Appendix B. State and Federal Homeland Security Strategies
Appendix C. Authorities and References
Appendix D. Cybersecurity Resources
Glossary
Endnotes

About this Report


This State Enterprise Security Plan is an implementing component of DIR's Shared Success, the State Strategic Plan for Information Resources Management (SSP),[1] and of the Governor's Texas Homeland Security Strategic Plan (TxHSSP).[2] It complements and is aligned with the National Strategy to Secure Cyberspace (NSSC),[3] the implementing component of the National Strategy for Homeland Security (NSHS).[4] This plan also integrates recommendations from the 2005 State IT Security Assessment (SITSA).[5]

This report is available for public use through the Texas State Publications Depository Program at the Texas State Library and other state depository libraries. It is available electronically through the DIR Web site at www.dir.state.tx.us.

Note: For the purposes of this report, the term "state agency" is used to indicate a state agency or a state institution of higher education.


TEXAS DEPARTMENT OF INFORMATION RESOURCES | MAY 31, 2007

Executive Summary
Threats and Vulnerabilities
On an average day, there are reports of almost 250 successful attacks against the state's information resources.[6] A major computer security incident that has significant financial and operational impact is an annual event for most Texas organizations.[7] Cyber-terrorists, spies, hackers, and thieves are not just targeting our computers; they are targeting the information that our networks store and transmit. Whether the source of an attack is an insider, a hacker, or a terrorist, the consequences are often the same: loss of revenue, loss of sensitive information, erosion of consumer and constituent confidence, interruption or denial of business operations, and even loss of life. These threats to state security are also increasing in number and sophistication. To cope with the continuous reality of these threats, state agencies must constantly assess vulnerabilities and manage risk to keep our vital networks open and operational, but secure.

Cybersecurity in Texas is evolving from a discretionary afterthought to a fundamental enabler of the state's safety and economic well-being. Like any important aspect of a successful business plan, security must have the active support of executive leadership, management authority that matches responsibility, and a budget. Effective state security budgets are not arbitrary; they reflect a rational IT security business case built on tailored risk assessments and the resulting gap analysis and prioritization. The Department of Information Resources (DIR) is working in partnership with state agencies and other eligible entities to facilitate these assessments, provide low-cost network and security operations services, and track the effectiveness of statewide IT security investments.
Of primary interest to DIR are the critical infrastructures and key resources (CI/KR) belonging to state entities, including hardware and software infrastructures and personnel that are vital to the operations and safety of all government sectors. All state agencies rely upon these assets to fulfill their distinct mission requirements. The diversity of resources demands a state enterprise security strategy and implementation plan that allows individual agencies to execute their respective core missions within the context of a secure state infrastructure.

Roles and Responsibilities


While DIR took the lead in preparing this plan, success depends on the engagement and active participation of each state entity. Security and cybersecurity strategic planning is a process, not a destination. It is a difficult challenge that requires continuous, coordinated, and focused effort. Consequently, this plan is a prioritized action plan that specifies implementation responsibilities and outcomes that will help to better protect statewide assets.

STATE ENTERPRISE SECURITY PLAN | EXECUTIVE SUMMARY

DIRs Role in Securing Cyberspace


Concerns about information security have risen dramatically in recent years. Accordingly, DIR, the chief technology office for the state, established the Information Technology (IT) Security Division in 2004 and designated its director as the state's first Chief Information Security Officer. DIR's IT Security Division now also reflects the convergence of network security as an integral part of telecommunications services. DIR provides information security services specifically targeted for Texas state agencies, local governments, and public educational entities. In addition to providing general policy templates, maintaining an emergency alert system, and providing guidance on information security issues, DIR is poised to significantly expand enterprise security services that prevent, reduce, respond to, and recover from IT-related threats and vulnerabilities. DIR helps to ensure that all Texas state entities implement security controls in ways that are consistent with the overall strategy for the state.

Role of State Agencies and Institutions of Higher Education


The protection of government and personal information and the associated infrastructure is a fundamental management responsibility. State agencies and institutions of higher education must take positive actions to protect data and critical infrastructures through equal measures of qualified personnel, cost-effective investment strategies, sophisticated hardware and software, meaningful training, and enlightened security policies and management. The Office of the Attorney General and the Department of Public Safety also have specific cyber law enforcement capabilities and responsibilities.

Shared Responsibilities
The accompanying figure shows the division of responsibilities for security of the state's information and communications technology. DIR manages the shared state network, hosts consolidated data centers and their associated operating systems, and provides external security services through the Network and Security Operations Center (NSOC). Agencies and DIR collaboratively participate in information sharing partnerships, training, analysis, and policy development. Agencies retain ownership of, and responsibility for, their data, applications, desktops, user access and identification (ID), and internal security policies. Individual users also have a personal responsibility to follow state and agency policies and to act as the first line of defense at every layer of the enterprise.

Other DIR Partners


A number of federal agencies and the private sector have specific responsibilities with potential impact on the cybersecurity posture of the state:

- The Department of Homeland Security (DHS) has specific federal responsibilities regarding the coordination of the efforts of state security partners, including the coordination of cybersecurity protective programs and contingency plans.[8]
- The Department of Justice, FBI, intelligence community, and other federal agencies provide the state with information sharing, investigative coordination, and analytic support.
- Private sector partners include the commercial owner/operators of the state's critical infrastructure as well as the citizens who are the ultimate stakeholders for state government.

Figure: Shared Responsibilities for State Information and Communications Technology


Goals and Objectives


State enterprise security goals are consistent with the SSP, the TxHSSP, and the National Strategy for Homeland Security. They are general rather than specific and serve to focus our long-term statewide IT security efforts. State enterprise security objectives describe a specific result, event, or outcome for a particular goal. Objectives are near term and specific, and they help to focus efforts toward achieving the goals. Objectives will be attained and sustained within the five-year time frame of the TxHSSP (fiscal 2005-2010). The following table presents the state enterprise security goals and objectives mapped to their associated strategies; the strategies are numbered 1 through 8 as listed under Strategies.
State Enterprise Security Goals, Objectives, and Strategies

Goal: Prevent cyber attacks and incidents against critical infrastructure

  Objective 1. Establish a statewide analysis, monitoring, and reporting capability to address all cybersecurity incident-related matters on a 24/7 basis
    Strategies: 1, 2, 3, 4, 5, 6
  Objective 2. Integrate training, education, and certification across all jurisdictions and disciplines
    Strategies: 3, 4, 6, 7, 8
  Objective 3. Support improved budget tracking processes and group purchase agreements to ensure that state information and communications systems have strong IT security, authentication, and identification features
    Strategies: 4, 5, 6

Goal: Reduce vulnerability to cyber attacks and other disruptions

  Objective 4. Identify risks and vulnerabilities for critical infrastructure and key resources
    Strategies: 1, 2, 3, 4, 5, 6, 7
  Objective 5. Increase awareness and information sharing about cybersecurity attacks, threats, and vulnerabilities
    Strategies: 1, 2, 3, 4, 5, 6, 7, 8
  Objective 6. Identify and facilitate implementation of cybersecurity best practices
    Strategies: 1, 2, 3, 4, 5, 6, 7, 8

Goal: Respond and recover to minimize the impact of successful cyber attacks and disruptions

  Objective 7. Establish a capability for responding to state-level cybersecurity incidents
    Strategies: 1, 3, 4, 5, 6, 7, 8
  Objective 8. Promote cybersecurity exercises and integrate cybersecurity elements into homeland security exercises
    Strategies: 3, 4, 5, 7, 8
  Objective 9. Integrate cybersecurity into continuity of operations and continuity of government plans
    Strategies: 1, 2, 3, 4, 5, 7, 8


Strategies
The State Enterprise Security Plan not only presents guiding goals and objectives; it also describes priority actions (strategies) to achieve them. The plan defines eight strategies to safeguard the integrity of state information and communications assets, and it assigns specific implementation responsibilities. While the strategies apply specifically to DIR, the statewide security posture depends upon the collective actions of individual state agencies and institutions. Each strategy is consistent with state and federal guidance, is directly linked to the state enterprise security goals and objectives, and is part of a comprehensive security program that includes all stakeholders.

1. Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives
2. Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities
3. Establish a state Computer Security Incident Response Team (CSIRT) to rapidly identify, contain, and recover from any attack or attempt to disrupt the state's critical IT infrastructure
4. Identify, develop, and maintain best practice rules, performance standards, templates, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management
5. Establish a Network and Security Operations Center (NSOC) to focus initially on network security services for those agencies and networks that are part of the consolidated Network Operations Center
6. Leverage technology to improve cybersecurity information sharing and enhance security communication and collaboration capabilities throughout the state
7. Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform their cybersecurity responsibilities
8. Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyber attacks


Moving Forward
The best way to prevent security incidents and sustain operations is to regularly test and affirm network security effectiveness before an incident occurs. In a major collaborative initiative, DIR is dramatically expanding its affordable and actionable test and assessment services to include all eligible state entities. Through the NSOC, DIR will sustain these and other security services on a cost-recovery basis that reflects the convergence of security as an integral expectation of telecommunications services.

Despite the best precautions, networks remain susceptible to attack and compromise. To improve the state's ability to respond to and recover from damage to its information resources, DIR is launching another major statewide collaborative initiative to improve the state's ability to report and analyze relevant data. This initiative will improve our ability to prevent, protect against, respond to, and recover from significant security incidents. In addition to improvements in its analysis, reporting, and monitoring capabilities, DIR is developing a comprehensive program that will initiate, sustain, and expand a statewide Computer Security Incident Response Team.

DIR is committed to creating a security environment that evolves beyond compliance and enforcement to one of collaboration and partnership. Implementation of the preliminary steps outlined in this plan will improve the security posture of the state enterprise and ensure that Texas is positioned to protect its vital information and communications assets.


SECTION 1

Threats and Vulnerabilities


The state holds a huge repository of personal identity information, or privacy data (e.g., law enforcement and medical data, or Social Security, driver's license, and credit card numbers), that has drawn the attention of criminals and terrorists. Each state entity must implement policy and technical standards within its information resource architecture to protect this category of sensitive information.

Whats at Stake
Critical Infrastructures
The protection of the state's critical infrastructure is vital to the safety, security, and economic well-being of all Texans. Critical IT infrastructures include physical or cyber assets that are so vital that their incapacity or destruction would have a debilitating impact on security, state economic security, or state public health or safety. All state agencies rely upon critical information and communications infrastructure, a large portion of which is privately owned and operated or controlled by other government agencies. This diversity demands strategies and implementation plans that are focused on partnerships and shared responsibility to maximize the state's technology infrastructure and allow individual agencies to focus efforts on their respective core businesses.

Key cyber resources within DIR's purview include TexasOnline.com, the state's business portal and official state Web site, which enables other state agencies and participating local governments to interact with their constituencies electronically. DIR also manages the state's communications network, TEX-AN, the Capitol Complex Telephone System, and select shared IT services for state entities. Shared service offerings include federated identity management, network security services, messaging and collaboration, and the state data center system. DIR is expanding the use of the state data center to bring together the state's largest data center environments, enabling agencies to share resources and increase their security and disaster recovery capability.

Key Resources
Key resources are publicly or privately controlled assets that are essential to the basic operations of the economy and government. Key resources include personnel and the hardware and software infrastructure.

HUMAN RESOURCES

The success of an agency's IT security program is largely determined by the quality of its personnel. The organization with the most stable, competent IT security staff and management will usually outperform other, less-qualified organizations with higher budgets and more modern equipment. Good security practices begin with senior management awareness and priorities. The security of agency information resources is a core leadership responsibility of every agency director. Management plays the primary role in setting security priorities for staffing, funding, awareness, and the integration of IT security and operations. To maximize the utility of their information resources while managing security risks, the state's leaders must establish and adhere to rational management processes and policies. Agency leaders must also be able to recruit and retain qualified individuals and keep them current on technologies and practices.

HARDWARE AND SOFTWARE INFRASTRUCTURE

In a large, decentralized state government environment, effective coordination of limited IT security hardware and software resources among agencies is vital for a successful, sustained response to security challenges. While each agency must acquire and manage the unique tools necessary to conduct its operations, many IT security hardware and software functions and best-value applications are similar across agencies. Information security is a very horizontal discipline: technology and practices from one agency can usually be applied to another. A statewide enterprise approach helps the state to strategically deploy security assets, manage access to and secure state information assets, deliver services, and manage costs. Agencies need the ability to choose the security systems best suited to their security environment, use enterprise hardware solutions where possible, and obtain the best value for their investment.

The Case for Action


Sound strategies begin with a clear understanding of the risk environment: a combination of threat, vulnerability, the likelihood of occurrence, and consequences. A recent survey reveals that cybercrime is more costly to U.S. businesses than physical crime. Lost revenue, wasted staff time, system downtime, and damage to customer goodwill have become more serious problems than conventional crime for many businesses.[9] Types of threats and/or attacks include:

- Viruses
- Identity theft
- Data mining
- Extortion
- Worms
- Denial of service
- Credit card fraud
- Financial institution fraud

Cyber terrorists, spies, hackers, and thieves are continually probing Texas systems to steal and profit from our information resources or to simply render them useless. To cope with the continuous reality of these threats, state agencies must constantly assess vulnerabilities and manage risk to keep networks open and operational, but secure. A successful response must include equal measures of qualified personnel, cost-effective investment strategies, sophisticated hardware and software, meaningful training, and enlightened security policies and management.


Cyber Threats
Cyber attacks can result in serious consequences that interrupt or deny business operations, cause loss of revenue and intellectual property, or even cause loss of life. These attacks are not theoretical or just another potential risk. Whether an attack originates from a terrorist, hacker, natural disaster, or insider, the resulting damage to our critical infrastructure is the same.

Insider Threats
The greatest threat to our cyber networks stems from insiders: individuals who have authorized physical or electronic access to an organization's information resources. The insider's access authorization may be only technical (e.g., a former employee who retains a valid user ID and password), or it may exceed the intended security policy. The analysis and prevention of insider threats focuses on capabilities and, sometimes, on the insider's intent to steal, abuse, or otherwise harm an organization's information resources. An outside hacker must first penetrate an organization's perimeter defenses, where most IT security resources are focused. Insiders with authorized access within that perimeter, however, may use their privileges to facilitate or gain unfettered access to other enterprise systems, files, or services that exceed their need-to-know. Insiders have, for example, introduced viruses into network resources by placing contaminated disks into systems and by downloading contaminated Internet attachments. These unintentional insider-facilitated attacks give malicious outsiders an open door to the network through the Internet that they can use to exfiltrate sensitive information or launch additional attacks. Anticipating termination, some users may prepare backdoor access to the computer system, insert alternative passwords, or simply stockpile proprietary data for later use.
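Two of the insider conditions described above (a departed employee who still holds a valid account, and privileges that exceed need-to-know) can be checked mechanically by reconciling the HR roster against the directory and the authentication log. The script below is an added example written for this page; it is not part of the plan and not DIR's code. The roster, directory export, role baseline, log format, and every account name in it are constructed assumptions for the example.

```python
"""Added example: reconcile an HR roster, a directory export and an
authentication log to flag stale accounts, excess privilege and
post-termination logins.  All data below is constructed for the
example; none of it comes from the plan or from any real system.
"""
from datetime import date, datetime

# Constructed HR roster: user id -> (role, termination date or None)
HR_ROSTER = {
    "jdoe":    ("analyst",    None),
    "asmith":  ("analyst",    date(2007, 3, 15)),   # left the agency
    "rlee":    ("dba",        None),
    "tnguyen": ("contractor", date(2007, 4, 30)),
}

# Constructed directory export: user id -> (enabled flag, group set)
DIRECTORY = {
    "jdoe":    (True,  {"staff"}),
    "asmith":  (True,  {"staff"}),                   # still enabled after leaving
    "rlee":    (True,  {"staff", "dba"}),
    "tnguyen": (False, {"staff", "domain-admins"}),  # disabled, but over-privileged
    "svc_old": (True,  {"domain-admins"}),           # no HR record at all
}

# Assumed least-privilege baseline: groups each role is expected to hold
ROLE_GROUPS = {
    "analyst":    {"staff"},
    "dba":        {"staff", "dba"},
    "contractor": {"staff"},
}

# Constructed auth log, one event per line: "<ISO timestamp> <user> <LOGIN|FAIL> <source ip>"
AUTH_LOG = """\
2007-04-02T08:12:03 jdoe LOGIN 10.1.2.3
2007-04-02T23:41:10 asmith LOGIN 203.0.113.7
2007-04-03T09:00:00 rlee LOGIN 10.1.2.9
2007-05-01T02:15:44 tnguyen FAIL 198.51.100.4
2007-05-02T02:15:44 svc_old LOGIN 198.51.100.4
"""


def stale_accounts(roster, directory):
    """Enabled directory accounts whose owner has left, or who has no HR record."""
    findings = []
    for user, (enabled, _groups) in directory.items():
        if not enabled:
            continue
        if user not in roster:
            findings.append((user, "no HR record"))
        elif roster[user][1] is not None:
            findings.append((user, "terminated " + roster[user][1].isoformat()))
    return sorted(findings)


def excess_privilege(roster, directory, role_groups):
    """Accounts (enabled or not) holding groups beyond their role's baseline."""
    findings = []
    for user, (_enabled, groups) in directory.items():
        role = roster.get(user, (None, None))[0]
        allowed = role_groups.get(role, set())     # unknown role -> nothing allowed
        extra = groups - allowed
        if extra:
            findings.append((user, sorted(extra)))
    return sorted(findings)


def post_termination_logins(roster, log_text):
    """Successful logins by an account after its owner's HR termination date."""
    hits = []
    for line in log_text.splitlines():
        ts, user, result, src = line.split()
        if result != "LOGIN":
            continue
        term = roster.get(user, (None, None))[1]
        if term is not None and datetime.fromisoformat(ts).date() > term:
            hits.append((user, ts, src))
    return hits


if __name__ == "__main__":
    for label, rows in (
        ("stale accounts", stale_accounts(HR_ROSTER, DIRECTORY)),
        ("excess privilege", excess_privilege(HR_ROSTER, DIRECTORY, ROLE_GROUPS)),
        ("post-termination logins", post_termination_logins(HR_ROSTER, AUTH_LOG)),
    ):
        print(label)
        for row in rows:
            print("  ", row)
```

On the constructed data the three checks flag asmith (enabled and logged in from an external address after the termination date), svc_old (enabled with no HR owner and domain-admin membership), and tnguyen (disabled, but still a domain admin, so a re-enable would restore that privilege). The point of running all three together is that each one alone misses something: a disabled account passes the stale check but not the privilege check, and an account with no HR record is invisible to a termination-date comparison.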

External Threats
External network connections are critical to the operations of most organizations, but they also provide a pathway into state information resources. This access offers hackers an opportunity to disrupt, destroy, or steal state information resources. Until recently, the technical prowess required to carry out cyber attacks was very high. Today, new hacker-friendly tools have become accessible to moderately skilled attackers, including terrorists. These tools, in conjunction with increasing numbers of malicious hackers, have sharply increased the threat to information and communication systems. The growth of e-commerce and data mining has given rise to well-organized criminal elements who seek to profit from stolen personal information, such as Social Security and bank account numbers. These external threats to state IT security will continue to increase in number and sophistication. The following chart tracks Carnegie Mellon's Computer Emergency Response Team/Coordination Center (CERT/CC) reports, showing that cyber incidents and attacks have increased at an alarming rate, as have the numbers of vulnerabilities that an attacker can exploit. CERT/CC stopped tracking incident counts in 2003 because incidents had become too numerous to count.


Figure: Number of Security Incidents, 1995-2003 (CERT/CC incident reports per year; vertical axis 0 to 150,000)

Cyber Terrorism
Cyber terrorists enjoy the advantage of being able to conduct all the necessary precursors and launch the actual attack from the safety of their homes. These terrorists include hacktivists who use the Internet to aggressively advocate their cause and cyber junkies who enjoy creating havoc or gaining notoriety, as well as those who want to create panic as a means to destroy our way of life. These attackers often enter and exit a network without the user ever realizing that the system has been compromised. A stealthy, coordinated attack on our infrastructure using hidden logic bombs or denial of service attacks could amplify the effects of a traditional terrorist attack.[10] Agency coordination is very important in combating hacking, identity theft, and other types of cybercrime because the groups involved operate in a worldwide environment that does not respect international borders.[11] According to the 2005 FBI Computer Crime Survey conducted in four states (New York, Texas, Iowa, and Nebraska), almost 75% of the attempted computer intrusions reported by the respondents originated from outside of the U.S. The FBI report is particularly relevant to Texas since 65% of the responses in that report (out of 2,066 total) came from government and private industry organizations within the state.[12] The Defense Intelligence Agency believes that adversarial information operations, or the use of information warfare tools and techniques, are the greatest threat to our national information and communications infrastructure.[13]

Physical Attacks
Information systems are also impacted by physical attacks, such as theft or natural disasters, as experienced during the hurricane season of 2005. IT security is a major factor in business continuity, whether the source of the attack is a terrorist, hacker, thief, or natural disaster.



SECTION 2

Roles and Responsibilities


Cybersecurity in Texas state government is not the responsibility of a single agency. It is a shared responsibility of all agencies, working collaboratively, to build a secure enterprise infrastructure that supports the individual, mission-critical business processes of each state entity. A secure enterprise infrastructure depends on more than compliance and enforcement; to thrive, it requires collaboration among federal, state, and local government, institutions of higher education, and private sector partners.

The SSP describes the Texas Model of the Enterprise for sharing and managing the state's technology investment. It reflects the latest legislative guidance and provides a vision of greater cost efficiencies, improved services, and a shared technology infrastructure that is flexible, innovative, and supports agencies in meeting their missions. The base of the Texas Model, the statewide infrastructure layer, delivers shared IT security functions that, similar to utility services, all agencies must have but that are not unique or specific to an individual agency. Building on the statewide infrastructure layer is the collaboration layer. This layer supports the shared development of rules, guidelines, standards, and practices that contribute to effective enterprise management of information resources. One such practice is guiding the development of integrated IT security architectures that advance information sharing among agencies. Another practice employed in this layer is a collaborative approach to standardizing agency IT security processes where common needs exist. Leveraging each preceding layer, the most important is the agency layer, which supports the unique functionality that an agency must deliver to successfully support its mission. Together, the layers of the Texas Model of the Enterprise comprise the vision for effective technology planning and security service delivery in the state.

Figure: Texas Model of the Enterprise

State Agencies
Texas Department of Information Resources
DIR's mission is to ensure the effective and efficient use of public funds through the successful application of statewide services and technologies that are beneficial, secure, and accessible and that utilize a standard infrastructure. DIR provides security services specifically targeted to Texas state agencies, local governments, and educational entities to help them identify, assess, respond to, and prevent IT-related security incidents. In coordination with federal and state counterparts, DIR provides security policy templates, maintains an emergency alert program, provides external vulnerability assessments, and develops best practice rules, policies, and guidelines on information security issues. The director of DIR's IT Security Division serves as the state's Chief Information Security Officer (CISO).

In compliance with Chapter 2059 of the Texas Government Code (TGC 2059), DIR provides sustainable NSOC services for participating state agencies and may also provide these external services to local governments, the Legislature, special districts, and institutions of higher education. DIR will fulfill the network security requirements of all state entities to the extent practicable, providing a cost-effective, first-priority source of external network security services.

On a strategic level, DIR's security duties are as follows:

- Develop and approve updates to IT security requirements
- Provide statewide IT security policy, standards, guidelines, and procedures
- Ensure that the state's IT security program is established and implemented in compliance with state laws and regulations and, where applicable, federal laws
- Report to the Governor and the Legislature on the status of the state's IT security program
- Provide policy expertise for issues involving the storage, transmission, sharing, or disposal of personal information
- Enforce state security policy, including establishing the appropriate measures and remedial actions for agencies that are not in compliance
- Act as the State CISO

On a tactical level, DIR's security duties are as follows:

- Identify vulnerabilities in state systems and recommend corrective action
- Develop, manage, and maintain a statewide security program that includes policy, standards, guidelines, procedures, best security practices, IT disaster recovery planning guidelines, IT security certification and accreditation guidelines, security awareness training, sensitive data protection standards, and an incident response reporting capability
- Coordinate with state agency information security officers (ISOs), federal and local government, and private industry to improve security for state systems
- Support Texas Office of Homeland Security initiatives through participation in the Texas Homeland Security Council and development of departmental implementation plans that support the TxHSSP

Texas Department of Public Safety


DIR is not the only state agency with specific computer security responsibilities that extend to other state entities. The Texas Department of Public Safety's (DPS) Criminal Law Enforcement Division has a number of service organizations that pursue computer crime investigations:
- The Criminal Intelligence Service manages the Computer Information Technology & Electronic Crime (CITEC) program. CITEC pursues investigations where computer systems and/or the Internet are used to facilitate a crime or to store evidence of a crime. Personnel assigned to CITEC are trained in the investigation of high-tech offenses and in the recovery of digital evidence from computer systems. Investigations include network intrusions, denial-of-service attacks, Web site defacements, child pornography, gambling, terrorist (e-mail) threats, tampering with a government record, and identity theft or fraud.
- The Special Crimes Service investigates certain computer crimes that are related to organized crime, pari-mutuel betting at horse and dog racetracks in Texas, parole violators, and high-risk sex offenders.
- The Narcotics Service has a Technical Unit that conducts certain types of computer crime investigations.
- The Crime Laboratory Service provides expert forensic laboratory services to Texas law enforcement agencies, including computer data recovery and analysis.

12

TEXAS DEPARTMENT OF INFORMATION RESOURCES | MAY 31, 2007

Texas Office of Attorney General


The Texas Office of the Attorney General's (OAG's) Criminal Enforcement Division provides prosecutorial assistance to Texas law enforcement entities, county attorneys, and district attorneys. The Cyber Crimes Unit brings together the OAG's law enforcement investigators and prosecutors to ensure a safe electronic environment for the communication of information and ideas and for the transaction of commerce. Members of this unit have expertise in investigating and prosecuting Internet- and computer-related crimes, including predators (Internet pedophiles), online child pornography, and children's online privacy. Another key function of the Cyber Crimes Unit is the investigation and prosecution of computer security breaches involving suspected malicious or damaging computer intrusions that violate the Texas Breach of Computer Security Statute, Texas Penal Code, Section 33.02.

All State Agencies and Institutions of Higher Education


Each agency is responsible for developing an IT security program to protect the agency's communications systems, computer systems, networks, and data, in accordance with state IT security policy. The Texas Administrative Code (TAC 202) 14 specifies the major components that must be included in every IT security program. At a minimum, each program must contain the following elements: Security Policy, Risk Assessment and Management, Systems Development Life Cycle Methodology, Security Certification and Accreditation, Disaster Recovery Planning, Security Awareness Training, Incident Response Process, and External Connections Review. Each state agency head must designate an individual (or individuals) independent of the information security program to review, at least annually, the agency's information security program for compliance with state standards, based on business risk management decisions. Each state agency must affirm compliance with state standards in its biennial Information Resources Strategic Plan. Additionally, each agency's IT security responsibilities are as follows:
- Plan and budget for network security system service costs 15 and ensure that security investment is addressed for each major information resources project 16
- Ensure the confidentiality, integrity, availability, and accountability of all agency IT assets, including information while it is being processed, stored, and/or transmitted electronically
- Ensure that the agency's IT security program is established and implemented in compliance with state security policies and standards and state and federal laws and regulations, as applicable
- Incorporate and implement periodic information vulnerability assessments into agency security policy
- Participate in current and ongoing statewide assessment activities
- Participate in collaborative opportunities, such as the statewide computer security incident response and recovery program
- Demonstrate compliance with security requirements
- Ensure separation of duties and adhere to a configuration/change management process to maintain the security of the information resources
- Ensure that user access within the agency infrastructure is established on the principle of least privilege and that adequate policies and processes exist for user provisioning, privilege management, and review of user access rights
- Establish a means to track and provide information regarding requested and allocated technology security budgets
- Leverage DIR's information sharing, analysis, and response capabilities
- Work with DIR to plan, execute, and evaluate new technologies and programs
- Fund and participate in cybersecurity awareness, training, and technical certifications
- Participate in IT security forums, seminars, and conferences
- Demonstrate due diligence by periodically testing and exercising cybersecurity and disaster recovery plans

STATE ENTERPRISE SECURITY PLAN | SECTION 2 | ROLES AND RESPONSIBILITIES

13

State Employees, Contractors, and Users of State Information Resources


The IT security responsibilities of all state employees and contract personnel are as follows:
- Be aware of their personal responsibility to protect state IT assets
- Follow IT security program guidelines, best practices, and standard operating procedures
- Be accountable for their actions relating to the use of all information systems
- Use IT resources only for intended purposes as defined by state and federal laws, policies, and regulations
- Provide the first line of defense for potential computer security incidents
- Participate in the two-way exchange of IT security information
- Participate in IT security training and exercises

Local Governments
DIR encourages local governments to adopt the following security practices:
- Follow DIR's IT security guidelines and standards to the fullest extent possible
- Take advantage of DIR-sponsored IT security training, exercises, and assessments
- Manage computer systems security while maintaining awareness of threats, vulnerabilities, and consequences to ensure that they do not enable attacks against CI/KR
- Participate in significant national, regional, and local awareness programs to encourage local governments and citizens to manage computer systems appropriately
- Establish cybersecurity programs, including awareness of current threats and training for audits and standards compliance

14

Federal Departments and Agencies


All federal departments and agencies must manage the security of their computer systems while maintaining awareness of vulnerabilities and consequences to ensure that computer systems are not used to enable attacks against the nations critical infrastructure or key resources. State and local entities often have the opportunity to coordinate cybersecurity issues with regional federal representatives who have jurisdictions that encompass Texas. A number of federal agencies have specific additional responsibilities outlined in the National Strategy to Secure Cyberspace.

Department of Homeland Security


DHS is a principal federal focal point for the security of cyberspace. 17 DHS has specific responsibilities affecting the confidentiality, integrity, and availability of state information resources. These duties include coordinating efforts to prevent damage, unauthorized use, or exploitation, and enabling the restoration of information and communications systems. Other IT security responsibilities are as follows:
- Develop a comprehensive national plan for securing national CI/KR
- Develop and publish best practices that are applicable to state and local governments
- Coordinate protective programs and contingency plans with state and local governments
- Provide technical assistance to other government entities and the private sector with respect to emergency recovery plans for failures of critical information systems
- Facilitate cross-sector cyber analysis and assist in understanding and mitigating cyber risk and in developing effective and appropriate protective measures

Within the IT security risk management framework, DHS is also tasked to:
- Provide cyber-specific warnings and expert advice to reduce vulnerabilities and minimize the severity of attacks on the cyber elements of CI/KR
- Promote a comprehensive national awareness program
- Work with security partners to mitigate risk
- Lead the development of a national threat assessment

Department of Justice and Other Federal Agencies


- Improve information sharing and investigative coordination with state and local law enforcement communities, other agencies, and the private sector
- Develop and implement efforts to reduce attacks and threats by developing more robust data to characterize cyber crime and intrusions
- Provide sufficient investigative and forensic resources and training to facilitate expeditious investigation and resolution of CI/KR incidents
- Provide counterintelligence to prevent and detect cyber-based intelligence collection against government and other U.S. commercial and educational organizations
- Attribute the source of cyber attacks or actions to enable timely and effective response

15

Private Sector
The private sector includes commercial owner/operators of the vast majority of the state's critical infrastructure as well as the citizens, who are the ultimate stakeholders for state government. There are also a number of helpful professional private sector associations and organizations that are committed to education and protection of the state's and the nation's IT infrastructure, e.g., the SANS Institute and Information Sharing and Analysis Centers (ISACs). The private sector is encouraged to implement the following recommendations consistent with the National Strategy to Secure Cyberspace:
- Manage computer system security to minimize CI/KR vulnerabilities and consequences
- Exercise continuity plans and consider service provider diversity to reduce risk
- Consider active involvement in sector-wide (ISAC) programs to share information
- Evaluate the security of networks that affect the nation's CI/KR, including:
  - Conduct audits to ensure the effectiveness and use of best practices
  - Develop continuity plans that consider off-site staff and equipment
  - Participate in industry-wide information sharing and best practices dissemination
- Set near-term research and development priorities for highly secure and trustworthy operating systems
- Promote more secure out-of-the-box software industry products, increased user awareness, ease of use, and adherence to industry guidelines and best practices

16


SECTION 3

Goals and Objectives


The State Enterprise Security Plan is designed to complement and support the TxHSSP and the SSP. It is consistent with the National Strategy to Secure Cyberspace. This plan also leverages the findings of the 2005 State IT Security Assessment (SITSA) to address specific gaps in the states ability to detect, deter, and respond to IT security threats and helps prioritize statewide IT security efforts and investments.

As described in Section 1, the cybersecurity threat in Texas is real, constant, and, at the same time, continuously changing and adapting to our cyber defenses. This plan outlines the states IT security goals and objectives to address these threats and then describes each in detail. Section 4 addresses the specific strategies that will meet these goals and objectives and improve the statewide IT security posture.

STATE ENTERPRISE SECURITY PLAN | SECTION 3 | GOALS AND OBJECTIVES

17

State Enterprise Security Goals and Objectives


State enterprise security goals are the desired ends that the state will continually work toward to improve capabilities to prevent, protect against, respond to, and recover from cyber incidents. Goals are general rather than specific and serve to focus our long-term statewide IT security efforts. Strategic objectives, presented in detail beginning on the next page, describe a specific result, event, or outcome for a particular goal. Strategic objectives are specific and help focus efforts toward achieving the goals. They are also near term. Objectives will be attained and sustained within the five-year time frame of the TxHSSP. The following table presents the state enterprise security goals and objectives mapped to their associated strategies, which are detailed in Section 4.
STATE ENTERPRISE SECURITY GOALS, OBJECTIVES, AND ASSOCIATED STRATEGIES (strategies 1 through 8 are detailed in Section 4)

PREVENT CYBER ATTACKS and incidents against critical infrastructure
  1. Establish a statewide analysis, monitoring, and reporting capability to address all cybersecurity incident-related matters on a 24/7 basis (p. 19)
     Strategies: 1, 2, 3, 4, 5, 6
  2. Integrate training, education, and certification across all jurisdictions and disciplines (p. 20)
     Strategies: 3, 4, 6, 7, 8
  3. Support improved budget tracking processes and group purchase agreements to ensure that state information and communications systems have strong IT security, authentication, and identification features (p. 21)
     Strategies: 4, 5, 6

REDUCE VULNERABILITY to cyber attacks and other disruptions
  4. Identify risks and vulnerabilities for critical infrastructure and key resources (p. 23)
     Strategies: 1, 2, 3, 4, 5, 6, 7
  5. Increase awareness and information sharing about cybersecurity attacks, threats, and vulnerabilities (p. 26)
     Strategies: 1, 2, 3, 4, 5, 6, 7, 8
  6. Identify and facilitate implementation of cybersecurity best practices (p. 28)
     Strategies: 1, 2, 3, 4, 5, 6, 7, 8

RESPOND AND RECOVER to minimize the impact of successful cyber attacks and disruptions
  7. Establish a capability for responding to state-level cybersecurity incidents (p. 29)
     Strategies: 1, 3, 4, 5, 6, 7, 8
  8. Promote cybersecurity exercises and integrate cybersecurity elements into homeland security exercises (p. 32)
     Strategies: 3, 4, 5, 7, 8
  9. Integrate cybersecurity into continuity of operations and continuity of government plans (p. 33)
     Strategies: 1, 2, 3, 4, 5, 7, 8

See Appendix B for a matrix mapping the state enterprise security goals and objectives to state and federal homeland security strategies.

18


PREVENT CYBER ATTACKS

Objective 1
Establish a statewide analysis, monitoring, and reporting capability to address all cybersecurity incident-related matters on a 24/7 basis

Rapid advances in science and technology have accelerated the convergence of computer and communications networks. These advances have also accelerated the increasing variety, uncertainty, and scale of the associated cybersecurity challenges. As Texas develops a statewide network infrastructure, it must also establish corresponding statewide IT security capabilities in concert with increased functionality and efficiency. The state must ensure that government communications and computer networks are secured as part of its overall information and communications technology security strategy. The state also needs to strengthen the protection of critical infrastructure through additional collaborative information sharing and planning opportunities among agencies. DIR will use the findings from its 2005 SITSA, a confidential assessment requested by the Legislature, 18 as a guide for advancing a program to protect the state's technology assets and infrastructure.

Expected cybersecurity benefits include:
- Expanded and enhanced availability of security services to agencies
- Faster response time to recognize a terrorism event (or external/internal threat), activate a computer incident response team, and warn affected network users
- Broadened scope and availability of security training
- Improved security planning and collaboration opportunities
- Reduced internal dependencies through resource sharing within Texas, among other states, and nationally
- Expanded statewide online analysis and interagency information sharing
- Reduced impact of ongoing and future attacks or incidents (downtime, number of systems affected, number and severity of attacks, cost)
- Alignment with the statewide network operations center infrastructure as directed in statute 19 and as outlined in the SSP 20
- Rapid notification of local leadership of security issues as specified in TxHSSP 21
- Improved event and trend analyses, guidelines, best practices, and recommendations
- Improved cyber emergency operational plan integration with the National Incident Management System


19

PREVENT CYBER ATTACKS

Objective 2
Integrate training, education, and certification across all jurisdictions and disciplines

Human error is an important and, potentially, the most damaging factor in the majority of IT security incidents. For agency leadership, IT security professionals, and all other network users, security awareness training is an essential tool. While not every user can be a security expert, individuals can reduce their organization's risk by following guidelines, such as selecting good passwords, not opening certain e-mail attachments, and locking screens or logging off when not at their desk. For individuals to understand and follow basic best practices, they must first be made aware of the threats that exist and what they can do as individuals on a daily basis to defend against those threats. Employees are often the first to receive malicious code, making effective agency-wide training a critical element in preventing the execution of attachments or Web files that could escalate into a major security incident. To keep pace with emerging threats, defend sophisticated IT systems, and take advantage of new technologies and capabilities, security professionals need continuous and frequent access to quality training. A recent national survey by the Computing Technology Industry Association 22 attributed fully 80% of recent major IT security breaches to human error and lack of awareness through poor training (either wholly or in part). Most organizations experience approximately 20% fewer security incidents when at least 25% of their staff have received IT security training. Security training, education, and relevant certifications are key steps to improving security. IT security experts also emphasize the importance of recognizing continuing professional education (CPE) as a critical component of successful technology management. Education, awareness, and training may be an organization's most important security measure.

Only by understanding emerging threats and vulnerabilities to its information and communication technology systems can an agency begin to cope effectively with other control measures. DIR advanced training initiatives will include a more comprehensive approach to technology security training for state and other government agencies. Expected benefits for agencies include:
- Improved IT security as documented by third-party assessments, reduced incidents, and lower remediation costs
- Agency leadership, security staff, and users have CPE and qualification standards
- Minimum state IT security education, certification, and CPE standards for ISOs and IRMs
- Selected agency personnel are well trained as CSIRT participants and trainers
- Increased emergency response effectiveness through better understanding of the National Incident Management System (NIMS)
- IT security training and registration is accessible via a cybersecurity Web portal
- Cybersecurity exercises maintain and verify personal and agency skills and readiness
- Reduced time and expense to respond to and recover from computer incidents compared to agencies using untrained/non-certified personnel
- Improved agency understanding of critical data sharing linkages and dependencies between agencies

20


PREVENT CYBER ATTACKS

Objective 3
Support improved budget tracking processes and group purchase agreements to ensure that state information and communications systems have strong IT security, authentication, and identification features

Compared to industry and government norms, most Texas agencies are under-investing in IT security. However, there is no firm guidance or set formula for how much is enough to spend on IT or security-related issues. Security spending is best determined through due diligence and risk analysis efforts. Risk analysis methods can help to determine the value of the information the agency processes and stores, its critical information systems and processes, the threats to its information and IT systems, and appropriate countermeasures. Each agency must ultimately determine how much is enough to counter the threats that it faces, protect the information it processes and stores, and provide adequate continuity and recovery capabilities. When information security investments have to compete for resources, security analysts need to help the financial decision makers understand the value of security. These decision makers may readily accept the need to purchase a new information or communication system, but they often do not account for the cost of keeping it operational in the face of a barrage of cyber attacks. 23 To better assess the effectiveness of IT security expenditures to deter and prevent attacks, Texas agencies also need a better process to help them identify and quantify those investments as dedicated line items. Group buying power is one of the most effective tools that an organization can employ to overcome this problem and save money. With an entity the size of the state of Texas, there is tremendous leverage with vendor pricing. Texas is able to negotiate much better pricing on items and services than agencies can on their own, and all state agencies should be able to benefit from the best available rates.

In addition to cost savings, group purchase agreements for IT security tools help foster a statewide marketplace for more secure technologies through large procurements of advanced information assurance technologies. An important aspect of the threat reduction goal is the deployment of computing systems that are designed to be highly secure, trustworthy, and resilient. The state must seek to ensure that future components of the cyber infrastructure are designed and built to be inherently secure and dependable for their users. The state government will also advance the introduction of the best, proven technology through collaboration with federal and local governments through cybersecurity awareness, training, and information exchange. Expected IT security benefits for participating agencies include:
- Dedicated budgets to help focus attention and measure effectiveness of security spending
- Accurate tracking of agency risk assessments and associated security investments
- Improved return on investment decisions resulting in deployment of highly secure and reliable systems with a reduced number of security incidents
- DIR Planned Procurement Schedule to address group purchasing priorities
- Compliance with IT commodity reporting requirements of TGC 2054.1015
- Availability of high-priority and best-of-breed software and hardware
- Higher performance at a lower price through best-value group purchase agreements
- Standardized methodology to track and report investments in critical information planning, prioritizing, and budgeting components
- Improved prevention and cost avoidance through security design reviews for all major state information and communication system acquisitions

21

22


REDUCE VULNERABILITY

Objective 4
Identify risks and vulnerabilities for critical infrastructure and key resources

The best approach to reduce CI/KR risks and vulnerabilities is to follow best business practices that recommend annual security activities, such as risk assessments and internal and external vulnerability scans, followed by business continuity and disaster recovery testing. These types of security efforts form the backbone of a mature, capable security program and establish baselines that each agency can use to document, address, and mitigate current threats and plan for incremental improvements. Security is a process, not just a patch or a single application. One vital step in the process is testing the environment. To ensure that networks are properly secured, agencies must conduct routine checks for holes in the security infrastructure. The industry best practice for testing an environment is to replicate the methods of attackers and insiders by scanning the network for open ports and vulnerabilities. A successful IT security program requires periodic IT risk and vulnerability assessments and business continuity tests to identify specific focus areas for improvement. These types of activities provide agency leadership and privacy stakeholders with better visibility into the effectiveness of their external and internal IT security posture and will help them to set priorities for planning and budgeting IT security resources. Texas agencies need a risk assessment process that helps identify and quantify cybersecurity investments and assess their effectiveness. Recent DIR vulnerability assessments of agency external network connections have helped reveal and quickly remediate serious holes in agency security postures.

A network-based attack is not possible if the attacker cannot get to or from the target. The idea of perimeter-based security and a firewall defense stems from this concept. This defense provides some protection against outside attacks, but most serious cyber incidents involve insider access. Compartmental control of internal traffic is an important security element that helps prevent unauthorized access to restricted information within a network. Firewalls, intrusion and penetration detection, and monitoring devices, along with an adequately staffed and well-trained security team working in combination, greatly reduce these vulnerabilities. Many organizations deploy dozens of network applications across multiple hosts or domains within their environment or include applications dealing with users outside the organization. To add to this complex environment, organizations also want to use the same security infrastructure for network applications as they do to address their wireless, legacy, database, and other application security requirements. Successful organizations will recognize that their security infrastructures must address not only access control at the physical and network layer, but also manage access to specific applications and systems. Applications adhering to the principles of least privilege and need-to-know will greatly reduce the risk of unauthorized access into the environment.

Wireless connectivity can allow attackers that are beyond agency physical boundaries to access confidential, internal networks. The proliferation of mobile devices, such as laptops and personal digital assistants (PDAs), has increased support for remote access to traditional IT resources. Allowing remote users to access the same resources that local users find on their desktop PC carries obvious security risks. Technologies that create a private connection to the internal network, such as a virtual private network (VPN) via the Internet or telephone dial-up remote access services, can mitigate these risks. For these systems, security is often an issue when access to the private link and the internal network is not sufficiently guarded, allowing an attacker unrestricted entry as though they were a legitimate user. Unfortunately, many organizations do not actively map and monitor access to the rapidly expanding wireless network, leaving it highly vulnerable to attack.

Emergency operations planners, IRMs, and IT security professionals often overlook the physical security aspects of cyber assets. Information and communication resources have physical characteristics and dependencies that can be seriously impacted by natural disasters or physical attacks. To ensure the reliable performance and delivery of cyber-based products and services, IT security managers must account and plan for virtual assets and pathways that share the same physical vulnerabilities and single points of failure. For example, if an organization uses a primary and secondary Internet service provider (ISP), it should ensure that the ISPs do not share the same communication infrastructure in the event there is a communication outage due to physical causes, e.g., a fiber-optic cable is cut.

23
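The "routine check for holes" described above, replicating what an attacker sees by probing for listening ports, as an added example in Python (not code from the DIR plan). It starts its own throwaway listener on 127.0.0.1 so it runs offline; the listener, the host and the port window are constructed for the demonstration. Point scan() at a real host and port list only with authorization to test it.

```python
"""TCP connect scan: report which ports on a host accept a connection.

Added example, not code from the Texas DIR plan. The local listener it
creates is a constructed target so the scan can run without a network.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Return True if a TCP handshake with host:port completes within timeout.

    A refused connection, a timeout (what a filtering firewall typically
    produces) and any other socket error all count as 'not open'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def scan(host, ports, workers=32):
    """Probe each port concurrently and return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_listener(host="127.0.0.1"):
    """Bind a listening socket on an OS-chosen port (constructed scan target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def closed_port(host="127.0.0.1"):
    """Return a port that was just bound and released, so it is almost certainly closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan a window of ports around the constructed listener.

    Returns (listener_port, open_ports) so the result can be checked.
    """
    srv = start_listener()
    port = srv.getsockname()[1]
    try:
        found = scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    listener, open_ports = demo()
    print(f"listener on {listener}; open ports seen by the scan: {open_ports}")
```

A connect scan completes the handshake, so it shows up in the target's own logs; that is desirable for an authorized internal check and is exactly the footprint an intrusion detection system should be tuned to notice.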
Expected IT security benefits for meeting this objective include:
- Reduced number and cost of significant computer security events
- All agencies can regularly assess, test, and investigate any IT vulnerability, business continuity, or disaster recovery issues per TxHSSP 24 and the SSP 25 (which complies with the Information Resources Management Act 26)
- Agency resources can target the most important security issues by completing standardized Baseline Risk Assessments on Physical Security, Vulnerability Assessments, Information Security Standards Compliance, and Benchmarking of Performance Measures, as specified in TxHSSP 27 and SSP 28
- Agencies conduct regular internal vulnerability assessments, scanning, and testing that reduce internal vulnerabilities and deter malicious actors
- Regular scans of agency systems reduce the vulnerability of unauthorized or non-secure access to the agency network via remote connections
- A unified enterprise approach to logical, physical, network, and application-level access controls across agencies and infrastructures while maintaining the unique mission capabilities of individual agencies
- Accurate agency mapping of networks that have external connectivity will reduce vulnerability to outside cyber attacks and permit consistent pathway visualization and positive control and monitoring of internal and external network traffic flow
- Filtered access to agency networks via outside linkages will limit vulnerability to direct attacks
- Strict auditing of access control lists, firewall rule sets, and intrusion detection system (IDS) logs will improve network protection
- Federated user access provisioning and deprovisioning improves security while reducing costs and time spent on system administration
- Documentation of training, technology, management, and investment trends and requirements will improve performance tracking and trend analysis
- Facilitate compliance with TGC 2059.101 and SSP 29 to collect information on agency IT security resources
- Reduced vulnerabilities through standardized policies and procedures by leveraging statewide technology security architecture, assets, and training
- Improved security coordination with privacy stakeholders on the collection, storage, usage, dissemination, and disposal of personal information

24
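The "strict auditing of access control lists, firewall rule sets" item above, as an added example in Python (not code from the DIR plan). The one-line rule format, the management-port list and the five sample rules are constructed for the demonstration; a real audit would parse the export format of the agency's own firewall. It flags three classes of finding a reviewer looks for first: any/any allows, management services reachable from 0.0.0.0/0, and rules that an earlier rule shadows under first-match evaluation (a shadowed deny never takes effect, which is how a "blocked" service stays open).

```python
"""Static audit of a firewall rule set.

Added example, not code from the Texas DIR plan. The rule format, the
management-port list and SAMPLE_RULES are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from arbitrary Internet sources
# (constructed list; extend it for your environment).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
                    3306: "mysql", 3389: "rdp", 5900: "vnc"}

# Constructed sample rule set, evaluated top to bottom, first match wins.
# Columns: name action proto source destination dest-port
SAMPLE_RULES = """
allow-web    allow tcp 0.0.0.0/0  10.0.1.0/24  443
allow-ssh    allow tcp 0.0.0.0/0  10.0.1.10/32 22
allow-mgmt   allow any 10.0.0.0/8 10.0.1.0/24  any
deny-telnet  deny  tcp 10.0.0.0/8 10.0.1.0/24  23
allow-all    allow any 0.0.0.0/0  0.0.0.0/0    any
""".strip().splitlines()


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple                # inclusive (low, high) destination port range


def parse_port(spec):
    """'any' -> whole range, '22' -> (22, 22), '1024-65535' -> (1024, 65535)."""
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def parse_rule(line):
    name, action, proto, src, dst, dport = line.split()
    return Rule(name, action.lower(), proto.lower(),
                ipaddress.ip_network(src), ipaddress.ip_network(dst),
                parse_port(dport))


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def audit(rules):
    """Return a list of (rule name, finding) pairs for the ordered rule set."""
    findings = []
    for i, rule in enumerate(rules):
        # Shadowing: an earlier rule already matches everything this one would.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "never takes effect"
                findings.append((rule.name, f"shadowed by earlier rule {earlier.name} ({kind})"))
                break
        if rule.action != "allow":
            continue
        from_anywhere = rule.src.prefixlen == 0
        if from_anywhere and rule.proto == "any" and rule.ports == (0, 65535):
            findings.append((rule.name, "any/any allow from 0.0.0.0/0"))
            continue
        if from_anywhere:
            for port, service in MANAGEMENT_PORTS.items():
                if rule.ports[0] <= port <= rule.ports[1]:
                    findings.append((rule.name, f"{service} ({port}) exposed to 0.0.0.0/0"))
    return findings


if __name__ == "__main__":
    for name, finding in audit([parse_rule(line) for line in SAMPLE_RULES]):
        print(f"{name:12s} {finding}")
```

On the sample set the audit reports the SSH rule open to the Internet, the telnet deny that allow-mgmt silently overrides, and the trailing any/any allow; allow-web passes. Running such a check on every change, rather than annually, is what turns the rule set review from a paper exercise into a control.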


25

REDUCE VULNERABILITY

Objective 5
Increase awareness and information sharing about cybersecurity attacks, threats, and vulnerabilities

The successful development of analytic capabilities for threat identification, prevention, reduction, and response requires a broad-based information sharing effort. Sharing information about cyber incidents or attacks is vital to cybersecurity and is an important part of any coherent cyber CI/KR protection program. It ensures implementation of effective, coordinated, and integrated CI/KR protection efforts for information resources and enables partners to make informed decisions with regard to short- and long-term cybersecurity postures, risk mitigation, and operational continuity. Information sharing and awareness involves sharing programs with agency and other security partners and special sharing arrangements for emergency situations. Cyber threat reduction and prevention can be improved and expanded through a statewide collaboration capability that is linked with sector, regional, and national networks. DIR will take a leadership role in coordinating and encouraging state and nongovernmental participation in appropriate cyber information sharing initiatives. All users and organizations play important roles in detecting and reporting cyber attacks, exploits, or vulnerabilities. DIR has a role in developing specific information sharing initiatives as well as promoting these linkages and partnerships to raise awareness among the general public and state, local, and federal agencies. DIR will support improved information sharing and investigative coordination with state, federal, and local cybersecurity programs and organizations to help reduce cyber attacks and threats to the state and the respective participants. See Appendix D for a list of sites, programs, and organizations that support cybersecurity information sharing.

A key part of information sharing is confidentiality of sensitive information and communications infrastructure and key resource data and assessments. DIR will raise awareness to remove impediments to information sharing about cybersecurity and infrastructure vulnerabilities and keep sensitive information out of the hands of those who would do us harm. The state and federal governments have established procedures to receive and store critical infrastructure information submitted to the government while protecting the confidentiality of the submitting entity. For example, the private sector can use the protections afforded by the Protected Critical Infrastructure Information Act to electronically submit proprietary data to the United States Computer Emergency Readiness Team (US-CERT). IT security benefits of meeting the information sharing and awareness objective include:
- Reduced attacks and threats through improved information sharing and coordination, expeditious investigation and resolution of critical incidents, and better understanding and tracking of intrusions and trends
- Improved statewide cyber terrorism and threat awareness and management as directed in TxHSSP 30
- Improved statewide security program as directed in TxHSSP 31 that includes increased public, regional, and local cyber terrorism education, awareness, and reporting of suspicious IT security activities


TEXAS DEPARTMENT OF INFORMATION RESOURCES | MAY 31, 2007

- Timely information and advice about current cybersecurity issues, vulnerabilities, and exploits are available via cybersecurity alerts, bulletins, and tips
- Online reference tool is available for Texas citizens (e.g., SecureTexas) with cyber terrorism awareness and reporting content
- Distribution of information and materials via a Web portal to other state agencies for broader media distribution as well as to multiple communities of interest, such as neighborhoods, schools, places of worship, private sector businesses, and nongovernmental organizations, as well as through electronic capabilities
- Streamlined plans, policies, and procedures for cyber terrorism and IT security event detection and response are in place
- A Texas CI/KR information database that can be easily accessed by local, state, and federal law enforcement agencies as outlined in TxHSSP [32] is in place
- A robust set of collaboration links is in place, e.g., national (US-CERT, GFIRST), state (Multi-State ISAC, State Information Security Advisory Workgroup, Homeland Security Council), local (Texas Conference of Urban Counties, Texas Association of Counties), and private sector (e.g., InfraGard, ISSA, ASIS, ACP)
- IT security staff members can become leaders and participants in state and national resource sharing opportunities and partnerships, e.g., Multi-State ISAC, National Association of State Chief Information Officers (NASCIO), the Government Forum for Incident Response Teams (GFIRST), and US-CERT


RESPOND AND RECOVER

Objective 6
Identify and facilitate implementation of cybersecurity best practices

The delivery of critical public services depends on the availability, reliability, and integrity of the state's information and communication systems. Each agency must adopt appropriate methods to protect its information and communication systems. While some agencies will need to adopt stronger standards and methods, the statewide program must address minimum requirements and a consistent approach. Statewide rules, standards, and guidelines will help eliminate structural vulnerabilities from the state's IT architecture and encourage the implementation of more uniform, robust security within all agencies.

The strength of an agency's security posture is heavily influenced by the degree to which the agency makes its information security program an integral component of all business operations. The success of any security program is directly related to executive management's clear and unequivocal support and its independence from operations. Executive management must maintain awareness of the agency's IT security posture and provide a healthy role model for the rest of the agency. Management can create an atmosphere that acknowledges information security as not just another policy requirement but a mission critical practice for everyone in the organization. When the security program is embedded in IT operations and/or the ISO is too far removed from senior management in an agency's chain of command, the security program often lacks independence, exercises minimal authority, receives little management attention, and lacks adequate resources.

Texas Administrative Code (TAC 202) provides information security standards for state agencies. For example, it requires each state agency head to have a designated ISO that administers the agency's information security program and reports directly to executive level management. [33] TGC 2054.307 also requires the agency employee in charge of information security (i.e., the agency ISO) to approve all major information resources projects and ensure the allocation of adequate resources. These rules are intended to ensure that agency ISOs have direct access and input to agency leadership and avoid any internal conflict of interest issues. [34] Some state entities may be exempt from certain portions of TAC 202 due to their business model, function, structure, or other reasons that need to be confirmed and documented. However, the 2005 SITSA revealed other operational, organizational, equipment, and training aspects of cybersecurity where rules, standards, and guidelines are lacking or need improved definition. DIR will address those shortfalls and provide tailored best practices for state entities to help ease the workload of individual ISOs and improve the overall level of the state's security posture. A common security approach also supports compatible solutions that can be shared among agencies and yield a better return on technology investment. Agencies may want to implement more stringent or specific requirements using industry standards (e.g., National Institute of Standards and Technology or ISO 17799).

Specific security rules, standards, and guidelines will evolve, but the primary benefits will remain constant:
- A secure information and communications environment
- Reduced information security risk
- Well understood responsibilities for information protection

Other specific IT security benefits of achieving this objective are expected to be:
- Consistent management policies, staffing, certification, training, awareness, budgeting, equipment, and standard operating procedures that reflect industry best practices
- Improved statewide ability to meet or exceed rules, policies, and standards of performance as outlined in TAC 202, the SSP [35], and related guidelines
- Separately designated and independent ISOs within each agency per industry best practices and state administrative code
- Economies of scale for investing and training on similar systems and equipment, security software, and encryption implementation
- Reduced risk through a management process that protects the organization's ability to perform its mission through a statewide standard for conducting periodic vulnerability and penetration scans, tests, and assessments at least annually [36]
- More timely and standardized data collection, reporting, and monitoring
- Dedicated agency budgets to identify and track investment effectiveness
- Meet NIMS incident command structure requirements to perform core functions
- State agencies have online access to a risk assessment tool that guides investment decisions and resource allocations
- Improved technical and policy standards for protecting the storage, transmission, sharing, or disposal of sensitive (personal) information

IT SECURITY BEST PRACTICES: PRIVACY MANAGEMENT

One of the major factors unique to government is the inherent openness that is expected of government at all levels. This has created the challenge of balancing that expectation of openness and transparency with the need to protect the privacy of personal or sensitive citizen information. Privacy policy and security policy are separate concepts, but closely linked. Privacy policy dictates what information is considered personal and how states will collect, store, use, disseminate, and dispose of citizens' personal information. Security policy dictates how states will protect personal information from misuse. One cannot have privacy without security. As states develop privacy management policies, state CIOs and CISOs play an important role in addressing issues related to the effective management and implementations of privacy protections involving technology and the handling of electronic data.

Source: Keeping Citizen Trust: What Can a State CIO Do to Protect Privacy, Research Brief, NASCIO, Lexington, KY, October 2006.


RESPOND AND RECOVER

Objective 7
Establish a capability for responding to state-level cybersecurity incidents

Incident response and business continuity capabilities are vital to the survival of any organization but are particularly critical to those organizations that have a strong reliance on information and communications technology. Many organizations with large IT infrastructures have dedicated groups that develop, plan, and test incident response and business continuity plans and procedures. These larger organizations usually pool or share their training, expertise, and resources with security professionals across the enterprise. While it is an industry best practice to have only a few dedicated incident response resources, organizations must ensure that they have excellent incident response procedures and processes. Most incident response teams are activated on an as-needed basis, but they are most effective when guided by established, tested procedures and when each team member is trained and regularly exercised using those procedures.

Texas requires a response system to detect potentially damaging activity in cyberspace, to analyze exploits and warn potential victims, to coordinate incident responses, and to restore essential services that have been damaged. To mitigate the impact of cyber attacks, information about them must be disseminated widely and quickly. The new state NSOC will coordinate analytical and incident response capabilities that exist in numerous agencies and determine how best to defend against an attack, mitigate effects, and restore service. The NSOC will serve as the state's principal interagency mechanism for operational information sharing and coordination of state government response and recovery efforts during a cyber crisis or other disaster with significant cyber effects. During such incidents, the state CSIRT members will coordinate their capabilities to assess the statewide scope and severity of an incident.

The member agencies will use their situational awareness of a cyber incident to govern response and remediation efforts and to guide senior policymakers. The member agencies will also develop, coordinate, and recommend courses of action and incident response strategies for the state. Moreover, the NSOC and its CSIRT members will leverage their established relationships with the private sector and other state, local, and federal entities to help manage a cyber crisis, develop courses of action, and devise response and recovery strategies.

Cyberspace Emergency Readiness: DHS established the US-CERT as a 24/7 single point of contact for cyberspace analysis, warning, information sharing, and incident response and recovery for a broad range of users, including government, enterprises, small businesses, and home users. The Multi-State ISAC is linked to the US-CERT and is also a 24/7 vehicle for monitoring and sharing information about state government cyber attack trends, vulnerabilities, and best practices. The Texas CSIRT will serve as the point of contact and interface with the US-CERT and Multi-State ISAC as appropriate to:
- Analyze and reduce cyber threats and vulnerabilities
- Disseminate statewide cyber threat warning information
- Coordinate cyber incident response activities

Establishing a state CSIRT will provide the following IT security benefits, which will improve our ability to prevent, detect, respond to, and reconstitute rapidly after an incident or disaster that has significant cyber impact:
- Better protection of Texas's infrastructure through more timely and effective response to computer security incidents
- Improved statewide and agency situational awareness through enhanced information dissemination and analysis of threats and responses
- Increased collaboration, coordination, and information sharing among state, local, and federal governments and the private sector
- Improved statewide readiness, protection, and incident response capabilities through state, regional, local, federal, and interagency exercises and workshops that promote effective collaborative responses to attacks
- Improved capacity to prevent, detect, analyze, respond to, and recover from an incident [37]
- Statewide CSIRT will meet DHS grant funding guidelines [38] for additional funding
- Computer incident or emergency responders are equipped and trained to nationally recognized standards
- Agencies have well-trained CSIRT members onsite or immediately available to assist in recovery operations
- Close coordination with other governments' 24/7 functions (analysis, warning, information sharing, major incident response, and national-level recovery efforts), e.g., US-CERT, Multi-State ISAC, and GFIRST


RESPOND AND RECOVER

Objective 8
Promote cybersecurity exercises and integrate cybersecurity elements into homeland security exercises

Exercises help identify, test, and improve coordinated cyber incident response and help managers understand the role of IT within the context of an emergency or disaster. The main objectives of cyber exercises are to practice effective collaborative response to a variety of attack scenarios that have cyber elements, including crisis decision making. Exercises provide an environment for evaluation of interagency and inter-sector business processes that rely on the IT infrastructure; measure the progress of ongoing cyber incident response efforts; and foster improved information sharing among state agencies, local and federal government, and private industry. Cyber exercises can sensitize a diverse constituency of private and public sector decision makers to a variety of potential cyber threats; familiarize this constituency with the national cyber response system and the importance of their role in it; and practice the roles and responsibilities of government agencies and industry in cyber incident response.

DIR will coordinate all IT security exercises in Texas that are funded by federal dollars with the Governor's Division of Emergency Management (GDEM) to ensure a cohesive statewide effort and a consistent standard of excellence. Statewide exercises will test cybersecurity plans and operations using lessons learned, plan modifications, and scenarios based on, or resulting from, natural disasters, terrorist attacks, and other criminal or illicit activity. DIR is responsible for demonstrating due diligence and periodically testing and exercising cybersecurity plans using state [39] and federal [40] homeland security guidelines. DIR also provides crisis management support in response to threats to, or attacks on, critical information systems within the consolidated NSOC. DIR will also support other state agencies, local governments, and private sector infrastructures when requested and as resources permit.

Benefits from a successful cybersecurity exercise program are expected to be:
- CSIRT participants are well-trained through an annual exercise program
- Improved interoperability and readiness of participants through tailored exercises
- Cybersecurity is integrated into all major statewide homeland security exercises
- DIR partnerships with nationally recognized exercise subject matter experts within Texas, e.g., University of Texas San Antonio (UTSA) Center for Infrastructure Assurance and Security (CIAS), Texas Engineering Extension Service (TEEX), Texas A&M National Emergency Response and Rescue Training Center (NERRTC)
- Development of an exercise training template that helps other communities prevent, deter, and respond to cybersecurity incidents
- Agencies demonstrate due diligence to periodically test and exercise cybersecurity plans using relevant homeland security guidelines [41]
- Local communities can schedule and conduct exercises at low cost
- Cybersecurity exercises include NIMS concepts to ensure rapid response and interoperability are built into exercises and training
- Information and communication systems are included in cybersecurity continuity plans and exercises


RESPOND AND RECOVER

Objective 9
Integrate cybersecurity into continuity of operations (COOP) and continuity of government (COG) plans

Identifying and prioritizing critical applications is an essential step in any risk assessment and disaster recovery planning. Business critical applications are the applications that the organization needs for its core business functions. Documentation of these applications is an important element of risk assessment and disaster recovery planning. Risk assessments should be a reliable source of information on agency critical application data and should help ensure that the network is robust enough to operate during partial outages and avoid single points of failure that disable the network.

In consonance with society's growing reliance on technology, state organizations depend on each other to provide data or services to perform their core business functions. Some organizations provide data or services, while others rely on receiving data or services from others as part of their daily operations. Most organizations do both. As part of their risk assessment and disaster recovery planning, agencies should know to whom they provide data and from whom they receive their critical data input. A detailed understanding of these government and commercial relationships and communication paths can be critical if one agency experiences a disaster or attack resulting in an outage that initiates a cascading effect into organizations and infrastructures not directly impacted by the original event.

While most emergency situations are handled locally, major incidents require assistance from other jurisdictions, including the state or federal government. The National Incident Management System (NIMS) helps responders from different jurisdictions and disciplines work together and better respond to natural disasters and emergencies, including acts of terrorism. Personnel involved in the cybersecurity aspects of emergency response must be well-versed in NIMS to achieve the objective of an integrated approach to COOP and COG planning.

Integrating cybersecurity into COOP and COG plans should produce the following benefits:
- Strong, mutual understanding of agency interdependencies for collaborative information and communication security efforts
- Every agency's COOP/COG plan clearly documents where and how it receives its data or IT services and to whom it provides data or IT services
- Agencies have clearly documented response plans associated with any internal outages or external data interruptions from critical sources
- Information security personnel have met qualifications and certifications for NIMS
- NIMS-certified cybersecurity specialists are available to commence operations with an Emergency Operations Center or State Operations Center
- Statewide IT security COOP/COG administrative rules, best practices, guidelines, and standard operating procedures are aligned with NIMS standards
- All agencies have integrated cybersecurity into COOP/COG plans
- DIR can resume operations and critical business functions following any disruption
- Agency risk assessments and COOP/COG plans are regularly aligned and tested


SECTION 4

Strategies
The cyber threat in Texas is real, constant, and increasing in quantity and sophistication. The strategies presented in this section address those threats by identifying specific initiatives to accomplish the state enterprise security goals and objectives described in the previous section. State enterprise security strategies are an essential part of the comprehensive security program to safeguard the integrity of state information and communications assets. While the strategies apply specifically to DIR, the statewide security posture depends upon the collective actions of individual state agencies and institutions. Responsibilities are listed with each strategy.
STATE ENTERPRISE SECURITY STRATEGIES

Each strategy is mapped against the three goals (Prevent, Reduce, Respond) and the nine objectives (1 through 9) of Section 3.

1. Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives
2. Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities
3. Establish a state Computer Security Incident Response Team to rapidly identify, contain, and recover from any attack or attempt to disrupt the state's critical IT infrastructure
4. Identify, develop, and maintain best practice rules, performance standards, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management
5. Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center
6. Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state
7. Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities
8. Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyberattacks

Objective mapping matrix rows (objectives 1 through 9):
4 5 6
1 2
4 5 6 7 8 9
1 2 3 4 5 6 7 8 9
4 5 6 7 8 9
1 2 3 4 5 6 7
4 5 6 7 8 9
5 6 7 8 9

See Appendix B for a matrix showing how each of the strategies maps to federal and state homeland security strategies.

STATE ENTERPRISE SECURITY PLAN | SECTION 4 | STRATEGIES


Strategy 1
Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives.

This first strategy is an overarching management activity that maps the goals and objectives from Section 3 to each course of action that follows. The implementation of these actions will result in sustainable efforts that consistently satisfy those goals and objectives. This State Enterprise Security Plan is a first step toward implementing this initiative. It is designed to link DIR, state, and federal IRM and cybersecurity strategies with concrete implementation plans that include commitment timelines, budgets, and accountability performance measures.

DIR RESPONSIBILITIES
1.1 Ensure that all DIR cybersecurity initiatives and operations are consistent with this strategy

AGENCY RESPONSIBILITIES
1.2 Support core agency mission areas by maintaining a safe and secure environment for all assigned information and communication resources
1.3 Manage the agency's respective IT security program and initiate measures to assure and demonstrate compliance with applicable state security policies, standards, and laws as well as applicable federal requirements

See page 43 for a tactical checklist associated with this strategy.

Strategy 2
Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities.

These assessments also identify agency requirements that provide specific direction to the initiatives contained in this State Enterprise Security Plan. DIR records reveal a direct correlation between those state agencies with excellent cybersecurity postures and those that regularly conduct third-party (i.e., DIR) controlled vulnerability tests and assessments. This plan outlines responsibilities for introducing and sustaining a regular program of IT security evaluations and risk assessments.

DIR RESPONSIBILITIES
2.1 Provide external cyber vulnerability and controlled penetration testing (CPT) and assessment services to state agencies and other entities (universities, local government, school districts, hospital districts, water districts or authorities) to the extent possible [42]
2.2 Assess the existing user access management controls and submit recommendations to the Legislature for improvement regarding interoperability, scalability, cost savings, feasibility, and security benefits [43]
2.3 Sponsor a statewide cyber risk assessment and vulnerability reduction program to protect sensitive information resources and facilitate planning for agency baseline risk analysis and reduction, as specified in the TxHSSP [44] and the SSP [45]
2.4 Collect information on agency assets and evaluate commonalities in statewide technology security architecture, assets, training, and policies and procedures as required [46] and as outlined in the SSP [47]

AGENCY RESPONSIBILITIES
2.5 Sponsor or conduct regular (at least annual) external network vulnerability and penetration testing and assessments as required [48]
2.6 Continue to participate in current and ongoing statewide assessment activities

See page 44 for a tactical checklist associated with this strategy.

Strategy 3
Establish a state Computer Security Incident Response Team to rapidly identify, contain, and recover from any attack or attempt to disrupt the state's critical IT infrastructure.

DIR RESPONSIBILITIES
3.1 Create a statewide response and recovery CSIRT capability that has interagency participation, a training and continuing education program, an annual cybersecurity exercise program, and Web-based incident reporting tools

AGENCY RESPONSIBILITIES
3.2 Participate in statewide collaborative opportunities such as the computer security incident response and recovery capability program by making IT security personnel available for specialized training and certification [49]

See page 46 for a tactical checklist associated with this strategy.

Strategy 4
Identify, develop, and maintain best practice rules, performance standards, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management.

DIR is committed to documenting IT security best practices and transforming them into rational rules, standards, and guidelines in partnership with affected agencies. This is an ongoing, sustaining initiative that will optimize each of the goals, objectives, and activities of this plan. DIR-sponsored rules and standards are not intended as a set of detailed instructions, but as a minimum set of best practices, checklists, and guidelines that provide a common understanding of expectations, reduce agency workloads, and promote positive results.

DIR RESPONSIBILITIES
4.1 Work with agencies to develop, maintain, and distribute IT security program guidelines, best practices, and standard operating procedures that offer a consistent framework while accounting for diverse missions and organization size

AGENCY RESPONSIBILITIES
4.2 Develop and follow cybersecurity guidelines, best practices, and standard operating procedures to meet standards, save time, and better secure agency assets
4.3 Help develop and adhere to IT security training and certification guidelines for all personnel
4.4 Develop and sustain methodologies to budget for and track the effectiveness of IT security investments
4.5 Use appropriate best-value group purchase agreements and take full advantage of DIR-negotiated rates for security, certification, CPE, and user training
4.6 Require the agency employee in charge of information security for the agency (e.g., the ISO) to review and approve all major information resources projects [50]

See page 47 for a tactical checklist associated with this strategy.

Strategy 5
Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center (NOC).

This collaborative initiative will also serve as a statewide operational hub for monitoring, coordinating, and sharing information on statewide cybersecurity events. By consolidating the functions of a NOC into a state NSOC, the state will strengthen its ability to protect critical information resource infrastructures and provide more collaborative opportunities for agencies to share information and effectively plan against cybersecurity threats.

DIR RESPONSIBILITIES
5.1 Develop a shared statewide NSOC to initially deliver services to state agencies that are part of the statewide network infrastructure per legislative [51] and DIR requirements [52]

AGENCY RESPONSIBILITIES
5.2 Leverage NSOC information sharing, analysis, and response processes

See page 49 for a tactical checklist associated with this strategy.

Strategy 6
Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state.

DIR RESPONSIBILITIES
6.1 Build a statewide NSOC facility with sufficient resources to deliver network security services to state agencies per legislative [53] and DIR requirements [54]
6.2 Engage state entities in proof-of-concept pilots for promising cybersecurity technologies and tools
6.3 Develop an information sharing methodology with external partners (including local government) per DHS guidelines [55]

AGENCY RESPONSIBILITIES
6.4 Work with DIR to plan, execute, and evaluate proof-of-concept pilots and topical workshops
6.5 Provide two-way exchange of information and feedback and use collaborative tools
6.6 Participate in the DIR-sponsored online security risk assessment program to help identify requirements and reduce vulnerability through gap analysis and risk reduction planning (e.g., ISAC)

See page 50 for a tactical checklist associated with this strategy.

Strategy 7
Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities, as directed in the TxHSSP [56].

DIR RESPONSIBILITIES
7.1 Establish and promote statewide cybersecurity training and awareness at multiple levels consistent with Texas Emergency Operation Plans per DHS guidelines [57]
7.2 Develop a program to initiate, sustain, and expand a CSIRT and provide cyber forensics capabilities to serve both civilian and criminal matters for the state as recommended in DHS guidelines [58] and in partnership with state agencies
7.3 Participate in and sponsor joint public-private sector partnerships with groups that have cybersecurity interests and the ability to plan, conduct, and evaluate IT security forums, seminars, and conferences

AGENCY RESPONSIBILITIES
7.4 Fund and participate in technical cybersecurity training and awareness on an annual basis at multiple levels to ensure the greatest penetration possible [59]
7.5 Participate in IT security forums, seminars, and conferences

See page 51 for a tactical checklist associated with this strategy.

Strategy 8
Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyber attacks. Recognizing the relationship of information and communications with other critical infrastructure is important. Exercises provide managers the opportunity to visualize the cascading effects of any physical or virtual disruption of their critical information resources and develop plans and processes to prevent, reduce the impact, and recover more quickly.

STATE ENTERPRISE SECURITY PLAN | SECTION 4 | STRATEGIES


DIR RESPONSIBILITIES
8.1 Demonstrate due diligence by conducting statewide exercises to evaluate cybersecurity capabilities and periodically test and exercise cybersecurity plans [60]
8.2 Develop integrated community cybersecurity exercises in partnership with Texas Division of Emergency Management, TEEX/NERRTC, UTSA CIAS, and the Governor's Office of Homeland Security per the TxHSSP [61] and SSP [62]

AGENCY RESPONSIBILITIES
8.3 Demonstrate due diligence, and periodically test and exercise cybersecurity plans
8.4 Include cybersecurity as part of participation in emergency response exercises as outlined in the TxHSSP [63] and SSP [64]

See page 53 for a tactical checklist associated with this strategy.


SECTION 5

Moving Forward
IT security breaches occur when information and communication resources are inadequately prepared to respond to the security threat and when there are insufficient policies and infrastructure to protect individual environments. Although much work remains to be done, implementation of this State Enterprise Security Plan will improve the security posture of the state. The essential element for the success of this plan is collaboration and partnership among state agencies and institutions of higher education. DIR is committed to creating a security environment that evolves beyond compliance and enforcement to one of collaboration and partnership. Cybersecurity in Texas is no longer a discretionary afterthought; it is fundamental to the safety and economic well-being of the state and the nation. Accordingly, this plan provides a road map that includes both strategic direction and tactical stakeholder actions that will improve the security of our state. As Texas moves forward, agency understanding of the increasing security risks and how to manage and mitigate them must be emphasized and accelerated at all levels, from agency leadership to staff employees. The state must also establish and maintain adaptable security policies, processes, and infrastructure that all state entities can use to coordinate their response to IT security threats. The preliminary steps outlined in this plan will ensure that Texas fulfills its commitment to protect the vital information and communications technology assets of its citizens.


APPENDIX A

Tactical Checklists
TACTICAL CHECKLIST STRATEGY 1
Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives

DIR RESPONSIBILITIES
1.1 Ensure that all DIR cybersecurity initiatives and operations are consistent with this strategy
- Submit and annually update a Homeland Security Implementation Plan that is aligned with relevant SSP, TxHSSP, and NSSC plans
- Assist in strategic and operational recovery planning and policy development in partnership with state agencies

AGENCY RESPONSIBILITIES
1.2 Support core agency mission areas by maintaining a safe and secure environment for all assigned information and communication resources
- Assure the confidentiality, integrity, availability, and accountability of all agency information while it is being processed, stored, and/or transmitted electronically, and the security of processing-associated resources
- Use available statewide network-layer cybersecurity services as available and consistent with agency core mission functions
- Maintain current physical and logical inventories and network maps of hardware, software applications, and operating systems as a first step in network defense
- Update deployment profiles, mitigation priorities, and policies whenever a critical database application is added to a host
1.3 Manage the agency's respective IT security program and initiate measures to assure and demonstrate compliance with applicable state security policies, standards, and laws as well as applicable federal requirements
- Report significant cybersecurity incidents and IT security program status to DIR
- Ensure separation of duties and assignment of appropriate system permissions and responsibilities for agency system users
- Assume the lead role in resolving internal agency security incidents
- Ensure that a configuration/patch management process is in place that maintains IT system security
- Identify and protect sensitive information, e.g., privacy data


TACTICAL CHECKLIST STRATEGY 2
Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities.

DIR RESPONSIBILITIES
2.1 Provide external cyber vulnerability and controlled penetration testing (CPT) and assessment services to state agencies and other entities (universities, local government, school districts, hospital districts, water districts or authorities) to the extent possible
- Assist agencies in implementing requirements to increase the number of CPT engagements
- Identify external network access vulnerabilities, including authentication and authorization issues
- Maintain internal user access requirements for systems, applications, and data
- Use annual CPTs to assess an agency's network security posture (simulate outside/unauthorized network access without attacking or disrupting operations)
- Provide analysis of identified vulnerabilities and provide recommendations for remediation of identified vulnerabilities
- Review user roles and appropriate access requirements regularly
- Provide a written report and oral briefing to each agency/organization and, upon request, the State Auditor's Office that contains analysis of exploitable vulnerabilities found, remediation recommendations, and network security posture assessment
- Track test results to help assess annual training and awareness requirements to reduce the number of vulnerabilities, improve the efficiency of future testing, and make the organizations' networks safer from outside attacks
- Use the results of the engagements to provide accurate trend analysis and assessment as part of the IT security biennial report [65]
- Obtain federal homeland security or other grant funding to help subsidize any start-up costs to the fullest extent possible [66]
- Transition to a charge-back, cost recovery system for vulnerability and CPT services as part of DIR's converged telecommunication services offerings
2.2 Assess the existing user access management controls and submit recommendations to the Legislature for improvement regarding interoperability, scalability, cost savings, feasibility, and security benefits
- Identify commonalities in statewide technology security architecture, assets, training, and policies and procedures to reduce vulnerabilities as required [67] and as outlined in the SSP [68]
- Address logical and physical security as part of statewide user access recommendations
- Assess the status of user access management by reviewing data from affected agencies within the State of Texas
- Outline and recommend applicable best practices
2.3 Sponsor a statewide cyber risk assessment and vulnerability reduction program to protect sensitive information resources and facilitate planning for agency baseline risk analysis and reduction, as specified in the TxHSSP and the SSP
- Deploy a prototype risk assessment tool (i.e., Texas A&M's Information Security Awareness, Assessment, and Compliance, ISAAC) to facilitate Web-based agency planning and tracking of baseline risk analysis and reduction
- Use risk assessment tools and assessments to help weigh the risks involved and make informed decisions on how to spend resources using established cybersecurity metrics


TACTICAL CHECKLIST STRATEGY 2 (continued)
2.4 Collect information on agency assets and evaluate commonalities in statewide technology security architecture, assets, training, and policies and procedures as required and as outlined in the SSP
- Maintain a current inventory of cyber assets, including personnel, as part of a statewide policy mechanism
- Maintain a core inventory of statewide hardware, software applications, and operating systems and help to determine the optimum security applications to defend the network infrastructures
- Develop standardized methods and tools to monitor, manage, assess, and track IT security status and resources in partnership with auditors and agencies to reduce the number and frequency of redundant surveys and data calls [69]

AGENCY RESPONSIBILITIES
2.5 Sponsor or conduct regular (at least annual) external network vulnerability and penetration testing and assessments as required
- Use DIR resources when available or DIR-recommended best value solutions to conduct external network vulnerability and penetration tests and assessments [70]
- As part of an external CPT, complete a confidential security remediation assessment for DIR and internal use
- Design a formal program for periodic internal vulnerability assessment, third-party vulnerability assessments, and prioritized remedial actions at least annually as recommended in Texas statutes [71]
- Conduct regular (at least annual) network risk assessments, and specify the level of security required to protect all agency IT assets [72]
2.6 Continue to participate in current and ongoing statewide assessment activities
- Identify appropriate access requirements for different levels of agency users
- Participate (affected agencies) in determining the feasibility and benefits of user access management controls
- Develop policies and practices in line with the statewide user access strategy, and ensure that appropriate security implementation controls are in place
- Conduct regular risk assessments to identify resources, sensitive data (including privacy data), vulnerabilities, threats, and impact analysis


TACTICAL CHECKLIST STRATEGY 3
Establish a state Computer Security Incident Response Team to rapidly identify, contain, and recover from any attack or attempt to disrupt the state's critical IT infrastructure.

DIR RESPONSIBILITIES
3.1 Create a statewide response and recovery CSIRT capability that has interagency participation, a training and continuing education program, an annual cybersecurity exercise program, and Web-based incident reporting tools
- Coordinate the establishment of a CSIRT as a 24/7 single point of contact for cyberspace analysis, warning, information sharing, incident response, and recovery for a broad range of users including government, enterprises, small businesses, and home users
- Develop computer incident categories and reporting content and time frame criteria to clearly communicate incidents and events
- As part of the establishment of the NSOC, develop partnerships and agreements among state agencies to create a statewide CSIRT program that improves the state's capacity to prevent, detect, analyze, respond to, and recover from an incident as specified in the SSP [73] and to address shortfalls identified in the SITSA
- Coordinate with GFIRST

AGENCY RESPONSIBILITIES
3.2 Participate in statewide collaborative opportunities such as the computer security incident response and recovery capability program by making IT security personnel available for specialized training and certification
- Participate in the CSIRT emergency response capability by sponsoring team members who are certified and available for consultation on significant internal and statewide incidents (two-year minimum)
- Help sustain the statewide CSIRT capability by allowing members to complete train-the-trainer certification
- Administer a virus prevention and incident reporting program that coordinates with Texas's CSIRT
- Develop, implement, and test an IT disaster recovery plan for critical agency IT systems


TACTICAL CHECKLIST STRATEGY 4
Identify, develop, and maintain best practice rules, performance standards, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management.

DIR RESPONSIBILITIES
4.1 Work with agencies to develop, maintain, and distribute IT security program guidelines, best practices, and standard operating procedures that offer a consistent framework while accounting for diverse missions and organization size
- Develop a certification and accreditation framework for the life cycle of each agency critical IT system to include a network security design review for all new network acquisitions [74]
- Track statewide performance in meeting rules, standards, and guidelines
- Promote improvements to statewide security practices and state agency policies, including availability and cost effectiveness of peer-to-peer file sharing policies and technologies
- Develop a wireless security plan with procedural and technical standards for laptop and mobile computing network security in partnership with affected state agencies, to include software encryption and system certification and accreditation prior to implementation per industry best practices [75]
- Develop data and system classification guidelines for protecting varying levels of sensitive information (e.g., critical infrastructure or personal data)
- Act as the State CISO under the State CTO
- Develop and sustain methodologies to track and measure the effectiveness of IT security investments
- Establish separate IT security budget line item categories (e.g., network and client-based firewall and VPN; intrusion prevention system (IPS) or intrusion detection system (IDS); server-based access management; encryption; system security design reviews; vulnerability scanning, assessment, and testing; malware blocking tools; automated patch management and security policy compliance tools; physical security for IT assets; forensics, risk, or security assessment tools; network mapping technologies; cybersecurity certification; cybersecurity incident remediation costs; cybersecurity training or exercises)
- Develop and sustain best-value group purchase agreements for IT security-related products
- Negotiate the lowest possible rates for certification, CPE, and user training in partnership with other states, federal, and local government officials
- Develop a system of billings and charges for network security system services [76]

AGENCY RESPONSIBILITIES
4.2 Develop and follow cybersecurity guidelines, best practices, and standard operating procedures to meet standards, save time, and better secure agency assets
- Review agency policies for compliance with and enforcement of state network security policies, guidelines, and standard operating procedures, including peer-to-peer file-sharing policies
- Document and justify any desired exemptions from portions of TAC 202 or recommended changes to IT security standards due to specific business model, function, structure, or other reasons
- Implement a certification/accreditation process for the life cycle of each agency critical information resource
- Ensure that ISOs have direct access and input to agency leadership and avoid any administrative conflicts or appearance of conflict of interest within the agency information resources departments [77]
- Adopt more stringent procedures or standards as required
- Document the classification of information in accordance with information sensitivity and classification standards
- Generate information security deviation/risk acceptance requests


TACTICAL CHECKLIST STRATEGY 4 (continued)
4.3 Help develop and adhere to IT security training and certification guidelines for all personnel
- Track NIMS certifications for personnel in key cyber incident response positions
- Designate an ISO that administers the agency's information security program and reports directly to executive level management per TAC 202 [78]
- Follow industry best practices and state administrative code by having a separately designated ISO who does not directly report to the IRM
4.4 Develop and sustain methodologies to budget for and track the effectiveness of IT security investments
- Budget for network security system service costs [79] and affirm adequate security investments for each major information resources project [80]
- Track and report IT security investment in critical information security infrastructure to include software, hardware, application, and infrastructure planning, performance measures, and business continuity/disaster recovery planning categories: network and client-based firewall and VPN deployments; server-based access controls (e.g., ID management/authentication, authorization/provisioning and deprovisioning; biometrics, smart cards/other one-time password tokens); IPS/IDS; encryption (for data in transit, files, Public Key Infrastructure); system security design reviews; vulnerability scanning, assessment, and testing; malware blocking tools (e.g., application-level attack blocking, virus, spyware, adware, and spam management); automated patch management and security policy compliance tools; physical security for IT assets; forensics, risk, or security assessment tools; security certification; incident remediation costs; training and exercises
4.5 Use appropriate best-value group purchase agreements and take full advantage of DIR-negotiated rates for security, certification, CPE, and user training
4.6 Require the agency employee in charge of information security for the agency (e.g., the ISO) to review and approve all major information resources projects


TACTICAL CHECKLIST STRATEGY 5
Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center (NOC).

DIR RESPONSIBILITIES
5.1 Develop a shared statewide NSOC to initially deliver services to state agencies that are part of the statewide network infrastructure per legislative and DIR requirements
- Conduct real-time monitoring of external network security status
- Research, correlate, and disseminate early warnings of external cyber system threats to help prevent attacks or cascading effects
- Provide immediate incident response capability and share information between sectors
- Provide trending and other analyses for security planning
- Distribute current proven security practices and recommendations
- Adopt and provide network security guidelines and standard operating procedures
- Provide inputs and expertise to assist the Texas Fusion Center in developing cybersecurity assessments and analysis for public and state agency use
- Produce a report on the state and NSOC accomplishments toward meeting service and IT security objectives and other performance measures in the DIR Biennial Performance Report

AGENCY RESPONSIBILITIES
5.2 Leverage NSOC information sharing, analysis, and response processes
- Determine benefits and capabilities of the shared statewide NSOC in reviewing and assessing opportunities to leverage and participate in the statewide network infrastructure
- Use DIR-provided or recommended best value services as a first option to enhance security against external threats [81]


TACTICAL CHECKLIST STRATEGY 6
Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state.

DIR RESPONSIBILITIES
6.1 Build a statewide NSOC facility with sufficient resources to deliver network security services to state agencies per legislative and DIR requirements
- Obtain systems for real-time monitoring of external network intrusion
- Maintain systems and licenses to conduct vulnerability scans and assessments
6.2 Engage state entities in proof-of-concept pilots for promising cybersecurity technologies and tools
- Deploy a pilot program to secure information sharing (statewide secure portal) and a Web presence that provides cybersecurity guidance and cyber threat analysis as specified in the SSP [82]
- Coordinate with state ISOs to develop, update, and disseminate emergency alert notifications, assessments, guidelines, training opportunities, and incident information using real-time reporting and collaboration tools
- Establish and administer a statewide secure Web portal for state ISOs as specified in the SSP [83] and in compliance with the Information Resources Management Act [84]
- Sponsor a Web-based risk assessment and collaboration tool (i.e., ISAC) to help state entities reduce vulnerability through risk analysis, physical security, compliance with information security standards, and benchmarking
6.3 Develop an information sharing methodology with external partners (including local government) per DHS guidelines
- Actively participate in and lead state and national resource sharing opportunities and partnerships (e.g., Multi-State ISAC and GFIRST)
- Sponsor topical workshops on emerging security issues
- Collaborate with the public and private sectors and participate in activities to raise statewide cybersecurity awareness (National Cybersecurity Awareness Month in Texas, newsletters, Web site, and public service announcements)

AGENCY RESPONSIBILITIES
6.4 Work with DIR to plan, execute, and evaluate proof-of-concept pilots and topical workshops
- Develop emergency alert notifications, assessments, guidelines, training opportunities, and incident information using real-time incident reporting and collaboration tools
6.5 Provide two-way exchange of information and feedback and use collaborative tools
- Assess current network security resources to identify requirements for information sharing
6.6 Participate in the DIR-sponsored online security risk assessment program to help identify requirements and reduce vulnerability through gap analysis and risk reduction planning (e.g., ISAC)
- Establish thresholds and acceptable risk levels that are aligned with the overarching state policy


TACTICAL CHECKLIST STRATEGY 7
Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities, as directed in the TxHSSP.

DIR RESPONSIBILITIES
7.1 Establish and promote statewide cybersecurity training and awareness at multiple levels consistent with Texas Emergency Operation Plans per DHS guidelines
- Address identified shortfalls for all levels of state agencies: users, leadership, IT security officers, and CSIRT members as specified in the SSP [85]
- Facilitate and promote training opportunities as developed in the statewide security training guidelines and standards for state/local government users, leaders, and ISOs
- Develop training, certification, and skill level guidelines for state ISOs and other personnel with IT security responsibilities
- Meet NIMS standards to follow incident command structure within the State Operations Center (SOC) for the core functions of coordination, communications, resource dispatch and tracking, and information collection, analysis, and dissemination [86]
- Facilitate and track NIMS certifications for personnel in key cyber incident response positions: [87]
  - Emergency management operations responsibilities: Incident Command System (ICS)-100 and IS-700
  - First line supervisors, middle management, or senior staff with emergency management operations responsibilities: ICS-200
  - Emergency management as a primary responsibility: IS-800 National Response Plan training
7.2 Develop a program to initiate, sustain, and expand a CSIRT and provide cyber forensics capabilities to serve both civilian and criminal matters for the state as recommended in DHS guidelines and in partnership with state agencies
- Develop a program to select, train, and certify a CSIRT that improves the state's capacity to prevent, detect, analyze, respond to, and recover from an incident as specified in the SSP [88] and address identified shortfalls
- Sponsor and deploy a train-the-trainer program that sustains and expands the CSIRT
7.3 Participate in and sponsor joint public-private sector partnerships with groups that have cybersecurity interests and the ability to plan, conduct, and evaluate IT security forums, seminars, and conferences
- Develop information sharing relationships with relevant organizations (e.g., SANS Institute, Multi-State ISAC, Government Forum for Incident Response and Security Teams, and National Security Agency-certified Centers of Academic Excellence in Information Assurance Education)


TACTICAL CHECKLIST STRATEGY 7 (continued)

AGENCY RESPONSIBILITIES
7.4 Fund and participate in technical cybersecurity training and awareness on an annual basis at multiple levels to ensure the greatest penetration possible
- Plan training for all levels of agency personnel: users, leadership, IT security officers, and CSIRTs
- Follow statewide guidelines and standards for state/local government users, leaders, and ISOs (e.g., training and certification for data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, infrastructure, wireless security, and ethical and legal considerations)
- Include NIMS certifications for personnel in key incident response positions
- Participate in the CSIRT to obtain training and certifications to improve the agency's capacity to prevent, detect, analyze, and respond to cyber incidents
- Establish a means to assess, track, and provide information regarding technology security training investments and needs to DIR
- Develop training and certification guidelines in partnership with agencies for initial staffing levels, CPE, and responsibility levels
7.6 Participate in IT security forums, seminars, and conferences
- Develop information sharing relationships with state IT security organizations


TACTICAL CHECKLIST STRATEGY 8
Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyber attacks.

DIR RESPONSIBILITIES
8.1 Demonstrate due diligence by conducting statewide exercises to evaluate cybersecurity capabilities and periodically test and exercise cybersecurity plans
- Coordinate and conduct a state-level cybersecurity exercise based on a community exercise model, e.g., simultaneous exercises in three Texas cities
- Develop an exercise training template for other communities
- Support Texas exercise centers of excellence, e.g., TEEX/NERRTC and the UTSA/CIAS
- Leverage federal funding for state and community cybersecurity exercises [89]
- Conduct exercises to reinforce and assess training for CSIRT participants
- Include NIMS concepts in cyber exercises and training
- Take immediate action to assist agencies in correcting any significant weaknesses or vulnerabilities discovered during tests and exercises
- Report exercise findings and corrective action plans in the DIR Biennial Performance Report
8.2 Develop integrated community cybersecurity exercises in partnership with Texas Division of Emergency Management, TEEX/NERRTC, UTSA/CIAS, and the Governor's Office of Homeland Security per the TxHSSP and SSP
- Address the training shortfalls specified in DIR security assessments
- Participate in the Governor's Office of Homeland Security-sponsored statewide hurricane exercise
- Participate in national cyber exercises that impact state readiness, economic, and security equities, e.g., the DHS-sponsored Cyber Storm

AGENCY RESPONSIBILITIES
8.3 Demonstrate due diligence, and periodically test and exercise cybersecurity plans
- Participate in appropriate DIR and/or GDEM-sponsored exercises to help prevent, deter, and respond to computer incidents
- Use DIR-sponsored exercise templates as applicable
- Leverage federal funding sources for cybersecurity exercises [90]
- Participate in exercises to reinforce and assess training for CSIRT members
- Include NIMS concepts in cyber exercises and training
- Take immediate action to remediate or correct any significant weakness or vulnerability discovered during tests and exercises
8.4 Include cybersecurity as part of participation in emergency response exercises as outlined in the TxHSSP [91] and SSP
- Periodically test an IT disaster recovery plan for critical agency IT systems as part of the agency COOP, COG, or business continuity plan


APPENDIX B

State and Federal Homeland Security Strategies


State and federal homeland security strategies are presented under the following categories: planning, organizing, equipping, training, and exercising. Each category is explained in further detail on the following page. The table below maps the strategies, goals, and objectives from the State Enterprise Security Plan to state and federal homeland security strategies.
[Table: State Enterprise Security Strategies mapped to State/Federal Homeland Security Strategies (columns: Prevent, Reduce, Respond) and to State Enterprise Security Goals and Objectives (columns 1 through 9). The strategies are listed below under the homeland security category they appear with in the table.]

PLANNING
1. Align Texas cybersecurity initiatives and resources to ensure consistent adherence to the State Enterprise Security Plan and satisfy statewide cybersecurity goals and objectives
2. Conduct statewide annual cybersecurity risk, vulnerability, systems, and equipment assessments and track strengths, weaknesses, and remediation activities for all eligible entities

ORGANIZING
3. Establish a state Computer Security Incident Response Team to rapidly identify, contain, and recover from any attack or attempt to disrupt the state's critical IT infrastructure
4. Identify, develop, and maintain best practice rules, performance standards, and guidelines to help reduce agency workload while providing timely, complete, and accurate data for internal and external monitoring and management
5. Establish a Network and Security Operations Center to initially focus on network security system services for those agencies and networks that are part of the consolidated Network Operations Center

EQUIPPING
6. Leverage technology to improve cybersecurity information sharing and enhance security communication, collaboration, and information sharing capabilities throughout the state

TRAINING
7. Promote cybersecurity awareness, training, education, and certification programs to ensure that IT security professionals, agency leadership, and network users at all levels are able to perform cybersecurity responsibilities

EXERCISING
8. Integrate cybersecurity into state homeland security exercises and promote tailored exercises to help reduce network vulnerabilities and minimize the severity of cyberattacks

STATE ENTERPRISE SECURITY PLAN | APPENDIX B | STATE AND FEDERAL HOMELAND SECURITY STRATEGIES


STATE AND FEDERAL HOMELAND SECURITY STRATEGIES


PLANNING
Plan and assess preparedness for physical and cyber events that affect information and communication resources. Planning includes the collection and analysis of intelligence and information and the development of policies, written plans, procedures, mutual aid agreements, strategies, and outcomes that comply with relevant laws, regulations, and guidance necessary to perform assigned missions and tasks. The Governor's Office of Homeland Security, the Texas Legislature, and the federal DHS have all recognized the increasing threat to state networks from cyber-terrorists, criminal elements, and natural disasters. All of these authorities have included networks among the critical infrastructure needing protection to ensure that vital government services continue after an attack. The key outcome of all planning strategies is the reduction of the vulnerability of critical state infrastructures to cyber terrorism and other malicious attacks.

ORGANIZING
Organize cybersecurity prevention, protection, response, and recovery assets. Organizing activities involve individuals, teams, an overall structure, and leadership that perform assigned missions and tasks within the context of relevant laws, regulations, and guidance.

EQUIPPING
Equip information resources owners with appropriate security tools, systems, and technologies. These activities include major items of equipment, supplies, facilities, and systems that comply with relevant standards necessary to perform assigned security missions and tasks. The state must ensure that government communications and computer networks are secure as part of its overall information and communications technology strategy.

TRAINING
Train state leadership, users, and IT security professionals on cybersecurity. This plan includes actions that address statewide IT security training initiatives that follow the guidelines and standards created as part of Strategy 4.

EXERCISING
Exercise the ability to prevent, protect, respond, and recover from cyber events. This element includes planned exercises, evaluations, and corrective actions as well as actual major events. Exercises (and actual events) provide opportunities to demonstrate, evaluate, and improve the combined capability and interoperability to perform assigned missions and tasks within defined standards of success.


APPENDIX C

Authorities and References


1. The Texas Homeland Security Strategic Plan, 2005-2010 (TxHSSP), November 1, 2005, defines critical infrastructures as physical or cyber assets so vital that their incapacity or destruction would have a debilitating impact on security, national economic security, or national public health or safety. It also requires a statewide cybersecurity plan to ensure cyber protection, detection, and response capabilities and to test and protect local and state IT systems from penetration and attack.

2. Texas Administrative Code, Title 1, Part 10, Section 202 (TAC 202) defines agency IT security policy requirements. TAC 202 also requires each state agency head to have a designated ISO who administers the agency's information security program and reports directly to executive-level management.[92] Agencies may be exempt from certain portions of TAC 202 due to their business model, function, structure, or other reasons that need to be confirmed and documented.

3. Texas Government Code, Chapter 2059, Texas Computer Network Security System, September 1, 2005, requires DIR to establish a network security center that provides services to protect agencies against external threats to a network. It also directs DIR to adopt guidelines and standard operating procedures to ensure efficient operations and to prepare a report on integration and user-specific access features that will enhance network and information security (December 31, 2006). DIR may also provide network security to local governments, the Legislature, special districts, and, if approved by the Information Technology Council for Higher Education, institutions of higher education. Additionally, TGC 2059 requires DIR to prepare a biennial report on the accomplishments and status of the state's consolidated network security system.

4. House Bill 1516: Implementation of DIR Biennial Performance Report Recommendations, effective September 1, 2005, amends TGC Chapters 2054, 2157, and 2170 to implement DIR's technology recommendations from its 2004 Biennial Performance Report, Making Technology Deliver. The statutes require DIR to establish a statewide technology center for data or disaster recovery services and authorize DIR to establish and operate additional centers when consolidating operations or services will promote efficiency and effectiveness and provide the best value for the state. DIR is required to negotiate a favorable price for commodities, including hardware, software, services, and seat management. HB 1516 also directed DIR to conduct an assessment of the technology security resources and practices of state agencies and report the results to state leadership.

5. The Information Resources Management Act (TGC 2054) requires DIR to prepare a state strategic plan that establishes strategies to meet the changing technology needs of state government to effectively serve Texans for the next five years.


6. Shared Success, the 2005 State Strategic Plan for Information Resources Management (SSP), December 14, 2005, is the DIR state strategic plan required by the Information Resources Management Act (TGC 2054). It establishes strategies to meet the changing technology needs of state government to effectively serve Texans for the next five years.

7. 2005 State IT Security Assessment (SITSA), December 23, 2005, is the DIR response to the HB 1516 requirement for a confidential IT security assessment of state agency information and communications technology resources and practices.

8. 2007 Homeland Security Grant Program (HSGP), Program Guidance and Application Kit, January 2007, integrates the State Homeland Security Program (SHSP), the Urban Areas Security Initiative, the Law Enforcement Terrorism Prevention Program, the Metropolitan Medical Response System, and the Citizen Corps Program. The HSGP streamlines state efforts in obtaining resources that are critical to building and sustaining capabilities to achieve the Interim National Preparedness Goal and implement State and Urban Area Homeland Security Strategies; its Appendix I provides Cybersecurity Guidance.

9. The National Strategy to Secure Cyberspace, February 2003, is an implementing component of the National Strategy for Homeland Security and is complemented by the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. It identifies the responsibilities of the various security partners with a role in securing cyberspace and encourages state and local governments to establish IT security programs and participate in information sharing and analysis centers with similar governments. It also articulates five national priorities:
   Improved response to cyber incidents and reduced potential damage from such events
   Cyber threat and vulnerability reduction
   Cybersecurity awareness and training
   Secure government cyberspace
   Cyber attack prevention

10. ISO/IEC 17799 (or ISO/IEC 27002) is an information security standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Entitled Information Technology - Security Techniques - Code of Practice for Information Security Management (2005), ISO 17799 is one of the most widely adopted information security management frameworks. It addresses risk assessment, incident management guidance, ISO standard integration, and security in business partner relationships, and provides best practice recommendations for initiating, implementing, and maintaining information security management systems.

11. CSI/FBI Computer Crime and Security Survey, 2005 and 2006, are annual reports of computer security incidents and trends. A portion of one survey focuses on Texas organizations as well as national trends.


APPENDIX D

Cybersecurity Resources
Cybercop Portal is a DHS-facilitated, secure, Internet-based information-sharing mechanism for more than 5,300 law enforcement members involved in electronic crimes investigations.

FBI's InfraGard program is a public-private partnership coordinated out of the 56 FBI field offices (in Texas: El Paso, Dallas, Houston, and San Antonio). The program is an information sharing and networking forum for law enforcement, academia, and private sector entities.

FBI's Inter-Agency Coordination Cell is a multi-agency group focused on sharing law enforcement information on cyber-related investigations.

Government Forum for Incident Response Teams (GFIRST) is a community of government response teams responsible for facilitating interagency information sharing and cooperation for cyber threat reduction and securing government information technology systems.

Multi-State Information Sharing and Analysis Center (MS-ISAC, http://www.msisac.org/) is a voluntary and collaborative organization with participation from all 50 states and the District of Columbia. The mission of the MS-ISAC is to provide a common mechanism for raising the level of cybersecurity readiness and response in each state and with local governments. The MS-ISAC provides a central resource for information on cyber threats for the states, providing two-way information sharing between and among the states and with local government. The U.S. Department of Homeland Security has recognized the MS-ISAC as the national center for the states to coordinate cyber readiness and response. The MS-ISAC Web site links to other sector-specific ISACs, including Emergency Management and Response and IT.

National Association of State Chief Information Officers (NASCIO) represents state CIOs and information resource executives and managers from all 50 states. It monitors new threats created by emerging technologies and helps state CIOs formulate high-level security and data protection policies and technical controls to secure the states' information systems and protect the privacy of sensitive information within them.

SecureTexas (http://www.dir.state.tx.us/securetexas/index.htm) provides up-to-date technology security information as well as tips to help strengthen Texas's technology infrastructure. DIR's IT Security Division designed this site to cater to the needs of Texas citizens.

U.S. Computer Emergency Readiness Team (US-CERT) is a public and private partnership with DHS designed to defend against and respond to cyber attacks. US-CERT interacts with state and local governments and others to analyze and reduce cyber threats and vulnerabilities, disseminate cybersecurity information, and coordinate incident response.

U.S. Secret Service's Electronic Crime Task Forces provide interagency coordination on cyber-based attacks and intrusions.


Glossary
Acronyms and Abbreviations
ACP: Association of Contingency Planners
ASIS: American Society for Industrial Security
CERT/CC: Computer Emergency Response Team/Coordination Center
CIAS: Center for Infrastructure Assurance and Security
CI/KR: Critical infrastructures and key resources
CIO: Chief Information Officer
CISO: Chief Information Security Officer
COG: Continuity of government
COOP: Continuity of operations
CPE: Continuing professional education
CPT: Controlled penetration testing
CSI: Computer Security Institute
CSIRT: Computer Security Incident Response Team
CTO: Chief Technology Officer
DHS: Department of Homeland Security
ERP: Enterprise Resource Plan
FERPA: Family Educational Rights and Privacy Act
FIM: Federated identity management
FIPS: Federal Information Processing Standard
GDEM: Governor's Division of Emergency Management
GFIRST: Government Forum for Incident Response Teams
HIPAA: Health Insurance Portability and Accountability Act
HSGP: Homeland Security Grant Program
ICS: Incident Command System
ID: Identification
IDS: Intrusion detection system
IM: Instant messaging
IPS: Intrusion prevention system
IRM: Information Resource Manager


ISAAC: Information Security Awareness, Assessment, and Compliance (Texas A&M)
ISAC: Information Sharing and Analysis Center
ISACA: Information Systems Audit and Control Association
ISO: Information Security Officer
ISSA: Information Systems Security Association
ISP: Internet service provider
IT: Information technology
MS-ISAC: Multi-State Information Sharing and Analysis Center
NASCIO: National Association of State Chief Information Officers
NERRTC: National Emergency Response and Rescue Training Center (Texas A&M)
NIMS: National Incident Management System
NIST: National Institute of Standards and Technology
NOC: Network Operations Center
NSOC: Network and Security Operations Center
NSSC: National Strategy to Secure Cyberspace
PDA: Personal digital assistant
RAS: Remote access services
SCADA: Supervisory Control and Data Acquisition
SOC: State Operations Center
SITSA: State IT Security Assessment (2005)
SSP: State Strategic Plan for Information Resources Management
TAC: Texas Administrative Code
TEEX: Texas Engineering Extension Service
TGC: Texas Government Code
TxHSSP: Texas Homeland Security Strategic Plan
US-CERT: United States Computer Emergency Response Team
UTSA: University of Texas San Antonio
VPN: Virtual private network


Definitions
Access control: Authentication and authorization process that manages the rules and deployment mechanisms of individuals' ability to use information resources for owner-specified purposes.

Association of Contingency Planners (ACP): Non-profit trade association dedicated to fostering continued professional growth and development in effective contingency and business resumption planning.

ASIS International (formerly the American Society for Industrial Security): Organization for security professionals that develops educational materials and administers certification programs: the Certified Protection Professional (CPP) security management designation and two technical certifications, Physical Security Professional (PSP) and Professional Certified Investigator (PCI).

Authentication: Process that establishes the validity of a user's claimed identity by requesting some kind of information, such as a password, that is unique to, or known only by, the user.

Authorization: Process of granting or denying access rights and privileges to a protected resource, such as a network, system, application, function, or file.

Bots (short for robots): Covertly installed programs (e.g., Web crawler or spider) that allow an unauthorized user to control a computer remotely using instant messenger (IM), Internet Relay Chat (IRC), or other communication channels. Also described as remote attack tools, these Web interfaces allow the attacker to control a large number of bot-compromised computers, which can then be used to launch coordinated attacks. Most bots are installed for malicious purposes without the knowledge of the computer's owner. Software agents that interface with Web pages are robots that recursively gather Web-page information. They also can dynamically interact with a site by exploiting or locating opportunities for financial gain.

Botnet (short for robot network): Collection of software robots that runs autonomously under a remote, common command and control infrastructure. Some bots can automatically scan their environment and propagate themselves using network vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan for and propagate through, the more valuable it becomes to the botnet controller.

Botnet controller (or herder): The originator of a botnet, who controls the group remotely, e.g., via Internet Relay Chat, usually for nefarious purposes. The perpetrator usually introduces a botnet by exploiting network vulnerabilities (e.g., buffer overflows).

Chief Information Officer (CIO): The head of the information technology group within an organization.

Chief Technology Officer, State (State CTO): In Texas, the executive director of the Department of Information Resources serves as CTO for state government.

Computer Security Incident Response Team (CSIRT): A service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity.


Continuity of Operations Plan (COOP): A plan that documents the activities of individual departments and agencies to ensure that they can perform essential functions at all times.

Continuity of Government Plan (COG Plan): A plan that defines procedures that allow a government to continue its essential operations in case of a catastrophic event.

Critical Infrastructure/Key Resources (CI/KR): Critical infrastructures are physical or cyber assets so vital that their incapacity or destruction would have a debilitating impact on security, national economic security, or national public health or safety. Key resources are publicly or privately controlled resources that are essential to the minimal operations of the economy and government.

Cyber infrastructure: Includes electronic information and communications systems and the information contained in those systems. Information and communications systems are composed of all hardware and software that process (i.e., create, access, modify, and destroy), store (e.g., on all media types: paper, magnetic, and electronic), and communicate (i.e., share and distribute) information, or any combination of these elements. For example, computer systems, control systems (e.g., Supervisory Control and Data Acquisition (SCADA) systems), and networks, such as the Internet, are part of cyber infrastructure. Producers of cyber infrastructure are the IT industrial base, which comprises the IT Sector; they play a key role in developing secure and reliable products. Consumers of cyber infrastructure must maintain its security in a changing threat environment. Individuals, whether private citizens or employees with cyber systems administration responsibility, play a significant role in managing the security of computer systems to ensure that they are not used to enable attacks against CI/KR.

Cybersecurity: The protection of the confidentiality, integrity, and availability of data and the associated information resources that transmit or store that data.

Department of Homeland Security (DHS): Federal agency with primary responsibility for the security of cyberspace.

Deprovision(ing): The action required to delete (deprovision) or deactivate a user's system access.

Distributed network: Structure in which the network resources, such as switching equipment and processors, are distributed geographically or virtually.

Driver's Privacy Protection Act: Requires that data is protected and remains confidential in storage and in transmission.

Encryption: Cryptographic transformation of data to provide confidentiality and integrity by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm.


External vulnerability assessments: Include all security tests and evaluations of information resources that originate from outside the organization's network, i.e., using the logical or physical access that is available to outside hackers or other unauthorized network users.

Fair Credit Reporting Act: Requires data to be protected and remain confidential in storage and in transmission.

Federal Information Processing Standard 140-2 (FIPS 140-2): Ensures integrity and privacy of messages in storage and in transmission.

Federated ID management/federated identity management (FIM): Arrangement among multiple enterprises that allows subscribers to use the same identification data to obtain access to the networks of all enterprises in the group.

Governor's Division of Emergency Management (GDEM): Carries out the state all-hazard emergency management program, manages and staffs the State Operations Center, and assists cities, counties, and state agencies in planning and implementing their emergency management programs. GDEM also supports the Governor's Homeland Security Strategy and its implementing programs and is the State Administrative Agency for DHS grant programs.

Gramm-Leach-Bliley Financial Services Modernization Act: Requires that data is protected and remains confidential in storage and in transmission.

Information Resource Managers (IRMs): IRMs of Texas state agencies are responsible for the management of all information resources within the respective state agency or university.

Identity (ID) management: Process of distinguishing a particular person's unique attributes as an authorized information resource user. The backbone of identity management is a system of directories and directory-enabled applications.

Information security: Protection of all data and information against unauthorized access or usage.

Information Security Awareness, Assessment, and Compliance (ISAAC): An application adapted by Texas A&M University to facilitate baseline risk analysis, cyber vulnerability reduction, planning, and tracking of agency IT assets.

Information Security Officers (ISOs): ISOs of Texas state entities are responsible for administering the information security functions within an agency or university.

Information Sharing and Analysis Centers (ISACs): DHS-sponsored, voluntary organizations that represent individual critical infrastructure sectors (e.g., state government, IT, energy, water, food, and financial services) to share information, minimize vulnerabilities, and work together to help protect the economy.

Information Systems Audit and Control Association (ISACA): Sponsors international conferences, publishes the Information Systems Control Journal, develops international information systems auditing and control standards, and administers the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) designations.


Information Systems Security Association (ISSA): A not-for-profit, international organization of information security professionals that provides educational forums, publications, and peer interaction opportunities.

Information technology (IT) security: See Cybersecurity.

Internal vulnerability assessments: Include all security tests and evaluations of information resources that originate from inside the organization's network, i.e., using the logical or physical access that is available to insiders or other authorized network users.

Least privilege: A basic principle for securing computer resources and data: users are granted only those access rights and permissions that they need to perform their official duties.

Logic bomb: Malicious code that has been surreptitiously uploaded but remains hidden or dormant until it executes at a set time or when conditions are met, e.g., when a user performs a certain action.

Multifactor authentication: Protocol that requires multiple methods of establishing identity, such as something you know and something you have or something you are; e.g., a combination of password/PIN, certificates, tokens, smart cards, and/or biometrics.

National Incident Management System (NIMS): A nationwide template that enables all government, private-sector, and nongovernmental organizations to work together during domestic incidents.

National Institute of Standards and Technology (NIST) Computer Security Division: NIST is a nonregulatory federal agency within the U.S. Commerce Department's Technology Administration. The NIST Computer Security Division shares information security tools and practices, provides standards and guidelines, and identifies and links security Web resources.

Need-to-know: Fundamental security principle that authorizes user access only to the information that the individual requires to meet their work responsibilities. This authorization usually applies to sensitive information.

Orphaned account: Active user account that is assigned to an individual who is no longer authorized to access that account.

Privacy data: A category of sensitive data that includes personal information or personal identifying information. Privacy is a personal construct that accrues to individuals, not to the information. Privacy data is usually protected by privacy laws, regulations, and/or policies and is subject to heightened protection.

Root access: The most privileged access possible on a UNIX computer system. With root access, any person (usually a trusted system administrator, but potentially a hacker) can create, manage, and delete anything on the system.

Sarbanes-Oxley Act: Requires data to be protected and remain confidential in storage and in transmission.


Sensitive information: Any information defined by state or federal law that must be protected and released only to persons with an authorized need to know. Information classified as sensitive or confidential includes personal or personal identity information (privacy data), health/medical and law enforcement data, and certain security assessments that might jeopardize citizen safety if released to the public.

Stateful firewall: Keeps track of the state of network connections that travel across it and allows only legitimate packets that match a known connection state to pass through.

Strategy: A plan of action, or prioritized initiative, intended to accomplish a specific goal or objective.

Supervisory Control and Data Acquisition (SCADA) systems: Computer-based automated control systems that monitor and control remote industrial processes (e.g., transport of gas through pipelines, steel making, and power generation and transmission).

Texas Government Code Chapter 2054: Addresses statewide information resource vulnerability reports.

Texas Government Code Chapter 2059: Addresses computer network security services for state agencies, institutions of higher education, and entities other than state agencies. Network security services include rules, facilities, or equipment; release of confidential information; cybersecurity threat assessment and notification; biennial reports; establishment of and transition to a network security center to provide services to state agencies; guidelines and standard operating procedures; and payment for a network security system that allocates the cost to each state agency based on proportionate usage.

Texas Senate Bill 327, Computer Spyware (September 1, 2005): Adds Chapter 48 to the Texas Business and Commerce Code. It prohibits a person who is not the owner or operator of a computer from collecting or modifying information by deceptive means.

Trojan horse: Malicious code disguised as a legitimate program to entice an unsuspecting user to install an attack software program that damages or disrupts the normal operation of a computer.

User: Any person who can read, enter, or update information on a network.

User access control: See Access control.

User ID: User identification.

Virus: Self-replicating program that spreads by inserting copies of itself into other executable code or documents, similar to a biological virus.

Vulnerability: Information resource characteristic or weakness that insiders or outside hackers can exploit (e.g., in system security procedures, hardware design, or internal controls).

War dialing: Malicious computer program that automatically dials computer modem connections to conduct automated penetration testing and to identify operating systems, potential targets, and/or unauthorized modems.
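The stateful firewall entry above compresses connection tracking into one sentence. The following Python is an added example, not code from the DIR plan, that models the minimum a stateful filter does: it keeps a table of TCP connections keyed by address/port 4-tuple, lets only a bare SYN from an allowed direction create an entry, and then admits later packets only when they fit the recorded state. Addresses, ports, the 10.0.0.0/24 "inside" network, and the published-service allow-list are constructed for the demonstration. The traffic script shows the practical difference from a stateless filter: an inbound ACK that a rule keyed only on the ACK flag would pass is dropped here because no tracked connection explains it, and a packet arriving after a clean teardown is dropped as stale.

```python
"""Toy stateful TCP packet filter (constructed example, not from the DIR plan)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH"}   # the TCP flags this toy models


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def pkt(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    """Build a packet, rejecting flag names the model does not know."""
    bad = set(flags) - FLAGS
    if bad:
        raise ValueError(f"unknown flags: {bad}")
    return Packet(src, sport, dst, dport, frozenset(flags))


Key = Tuple[str, int, str, int]   # (initiator, iport, responder, rport)
INSIDE_PREFIX = "10.0.0."          # assumed trusted network for the demo


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class StatefulFirewall:
    """Admits a packet only if it opens a permitted connection or matches an
    entry in the state table in a state where that packet makes sense."""

    def __init__(self, inbound_services: FrozenSet[int] = frozenset()):
        self.inbound_services = inbound_services   # ports outsiders may open
        self.table: Dict[Key, str] = {}            # connection -> state

    def _lookup(self, p: Packet) -> Tuple[Optional[Key], bool]:
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        if fwd in self.table:
            return fwd, True        # packet travels initiator -> responder
        rev: Key = (p.dst, p.dport, p.src, p.sport)
        if rev in self.table:
            return rev, False       # packet travels responder -> initiator
        return None, False

    def filter(self, p: Packet) -> str:
        key, from_initiator = self._lookup(p)
        if key is None:
            # Only a bare SYN creates state, and only from inside or to a
            # published service. An inbound ACK with no SYN behind it (which
            # a stateless "established" rule would pass) falls through to DROP.
            opens_ok = is_inside(p.src) or p.dport in self.inbound_services
            if p.flags == frozenset({"SYN"}) and opens_ok:
                self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"

        state = self.table[key]
        if "RST" in p.flags:        # either side may abort; forget the entry
            del self.table[key]
            return "ACCEPT"
        if state == "SYN_SENT":
            if not from_initiator and p.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "SYN_RECV"
                return "ACCEPT"
        elif state == "SYN_RECV":
            if from_initiator and "ACK" in p.flags and "SYN" not in p.flags:
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
        elif state == "ESTABLISHED":
            if "SYN" in p.flags:    # a SYN inside an open connection is bogus
                return "DROP"
            if "FIN" in p.flags:
                self.table[key] = "FIN_WAIT"
            return "ACCEPT"
        elif state == "FIN_WAIT":
            if "FIN" in p.flags:    # second FIN: only the final ACK remains
                self.table[key] = "LAST_ACK"
            return "ACCEPT"
        elif state == "LAST_ACK":
            if p.flags == frozenset({"ACK"}):
                del self.table[key]  # fully closed; later traffic needs a new SYN
                return "ACCEPT"
        return "DROP"               # packet does not fit the tracked state


def run(fw: StatefulFirewall, packets: List[Packet]) -> List[str]:
    return [fw.filter(p) for p in packets]


# Constructed traffic: one HTTPS session from an inside host, two unsolicited
# inbound probes, a clean teardown, then a stale packet for the closed session.
C, S, X = "10.0.0.5", "203.0.113.10", "198.51.100.7"
DEMO = [
    pkt(C, 40000, S, 443, "SYN"),           # ACCEPT: inside host opens
    pkt(S, 443, C, 40000, "SYN", "ACK"),    # ACCEPT: matches SYN_SENT
    pkt(C, 40000, S, 443, "ACK"),           # ACCEPT: now ESTABLISHED
    pkt(S, 443, C, 40000, "PSH", "ACK"),    # ACCEPT: data on open connection
    pkt(X, 55555, C, 22, "SYN"),            # DROP: unsolicited inbound SYN
    pkt(X, 55555, C, 22, "ACK"),            # DROP: ACK with no connection
    pkt(C, 40000, S, 443, "FIN", "ACK"),    # ACCEPT: inside host closes
    pkt(S, 443, C, 40000, "FIN", "ACK"),    # ACCEPT: server closes
    pkt(C, 40000, S, 443, "ACK"),           # ACCEPT: final ACK, entry removed
    pkt(S, 443, C, 40000, "PSH", "ACK"),    # DROP: stale, connection is gone
]
EXPECTED = ["ACCEPT"] * 4 + ["DROP"] * 2 + ["ACCEPT"] * 3 + ["DROP"]


def demo() -> List[str]:
    return run(StatefulFirewall(), DEMO)


if __name__ == "__main__":
    for p, v in zip(DEMO, demo()):
        print(f"{v:6} {p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}")
```

Real connection trackers add what this toy leaves out, notably sequence-number window checks and per-state timeouts so that half-open and abandoned entries expire, but the decision structure is the same: the verdict depends on the table, not on the flags alone.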


Worm: Self-propagating malware that does not infect other programs but instead may alter, install, or destroy files and programs.

Zombie: Internet-connected computer controlled by a hacker that performs malicious tasks against other computers, usually without the owner's awareness.


Endnotes

1 State of Texas, Shared Success: Building a Better Texas through Shared Responsibilities, Department of Information Resources, Austin, Texas, Dec. 14, 2005 (SSP). Retrieved 20-Dec-2006 from <http://www.dir.state.tx.us/pubs/ssp2005/>.
2 State of Texas, Texas Homeland Security Strategic Plan: 2005–2010, Office of the Governor, Austin, Texas, Nov. 1, 2005 (TxHSSP).
3 U.S. Department of Homeland Security, National Strategy to Secure Cyberspace, Washington, D.C., February 2003 (NSSC).
4 U.S. Department of Homeland Security, National Strategy for Homeland Security, Washington, D.C., July 2002 (NSHS).
5 State of Texas, State IT Security Assessment, Department of Information Resources, 2005 (SITSA). A confidential report to the Legislature required by House Bill 1516, Section 3.02, 79th Texas Legislature, R.S., 2005. Text of HB 1516 retrieved 21-Feb-2007 from <http://www.capitol.state.tx.us/tlodocs/79R/billtext/html/HB01516F.htm>.
6 Daily average of 246 successful attacks reported to DIR in FY 2005–2006 (e.g., intrusions, data/info theft, denial of service, Web site defacement).
7 U.S. Department of Justice, Federal Bureau of Investigation, 2005 FBI Computer Crime Survey, pages 1 and 9.
8 Homeland Security Presidential Directive/HSPD-7 (paragraph 16), Dec. 17, 2003. Retrieved 21-Feb-2007 from The White House Web site at <http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html>.
9 Leyden, John, Cybercrime costs biz more than physical crime, The Register, Mar. 16, 2006. Retrieved 21-Mar-2006 from <http://www.theregister.co.uk/2006/03/16/ibm_cybercrime_survey/>.
10 TxHSSP, page 11.
11 McKenna, Corey, Cybercrime and Effective Security Policies, Government Technology, May 13, 2005. Retrieved 20-Dec-2006 from <http://www.govtech.net/news/news.php?id=93992>.
12 U.S. Department of Justice, 2005 FBI Computer Crime Survey (pages 1, 3, 9), Federal Bureau of Investigation, Washington, D.C., 2006.
13 Lt. Gen. Michael D. Maples, Director, Defense Intelligence Agency, Statement for the Record, Senate Armed Services Committee, Feb. 28, 2006. Retrieved 21-Feb-2007 from <http://www.dia.mil/publicaffairs/Testimonies/statement24.html>.

14 Texas Administrative Code, Title 1, Section 202, Texas Department of Information Resources (2006). Retrieved 20-Feb-2007 from <http://info.sos.state.tx.us/pls/pub/readtac$ext.viewtac>.
15 TGC 2059.059(c), 2059.102(d), and 2059.151.
16 TGC 2054.307.
17 HSPD-7, see endnote 8.
18 79th Texas Legislature, Regular Session (2005), House Bill 1516, Section 3.02. Retrieved 21-Feb-2007 from <http://www.capitol.state.tx.us/tlodocs/79R/billtext/html/HB01516F.htm>.
19 TGC 2059.101.


20 SSP (pages 38–40).
21 TxHSSP (pages 17, 27).
22 Committing to Security: Fourth Annual Benchmark Study: A CompTIA Analysis of IT Security and the Workforce, White Paper, March 2006.
23 Conrad, James R., Analyzing the Risks of Information Security Investments with Monte-Carlo Simulations, paper presented at the Fourth Workshop on the Economics of Information Security, Kennedy School of Government, Harvard University, June 2, 2005, page 1.
24 TxHSSP (page 29).
25 SSP (pages 37–38).
26 TGC 2054.
27 TxHSSP (page 28).
28 SSP (page 37).
29 SSP (page 38).
30 TxHSSP (page 29).
31 TxHSSP (page 27).
32 TxHSSP (page 27, priority action 2.1.2).
33 1 TAC 202.21 and 202.71.
34 TGC 2102.007(b).
35 SSP (pages 37–38).
36 Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, Gaithersburg, MD, July 2002.
37 SSP (pages 10–11, 38–40).
38 U.S. Department of Homeland Security, FY 2007 DHS Homeland Security Grant Program (HSGP) Program Guidance and Application Kit, Office of Grants and Training, Washington, D.C., January 2007.
39 TxHSSP (page 44).
40 HSGP (see endnote 38).
41 DHS/HSGP (see endnote 38).
42 TGC 2059.56 and 2059.104.
43 State of Texas, User Access Study, Department of Information Resources. Retrieved 13-Mar-2007 from <http://www.dir.state.tx.us/pubs/UserAccess/index.htm>.
44 TxHSSP (page 28).
45 SSP (page 37).
46 TGC 2059.101.


47 SSP (page 38).
48 TGC 2059.059 and 2059.104(a)(1).
49 1 TAC 202.25 and 202.75.
50 TGC 2054.307.
51 TGC 2059.101.
52 SSP (pages 38–40).
53 TGC 2059.101.
54 SSP (pages 38–40).
55 DHS/HSGP (see endnote 38).
56 TxHSSP (page 27, paragraph a).
57 DHS/HSGP (see endnote 38).
58 DHS/HSGP (see endnote 38).
59 1 TAC 202.25 and 202.75.
60 DHS/HSGP (see endnote 38).
61 TxHSSP (page 44).
62 SSP (page 11).
63 TxHSSP (page 44).
64 SSP (page 11).
65 TGC 2059.057.
66 TGC 2059.153.
67 TGC 2059.101.
68 SSP (page 38).
69 SSP (pages 23, 57).
70 TGC 2059.10(c) and (d).
71 TGC 2059.56.
72 1 TAC 202.21–22, 202.24–25, 202.71–72, 202.74–75.
73 SSP (pages 10–11, 38–40).
74 TGC 2059.104(b).
75 Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, Gaithersburg, MD, July 2002.


76 TGC 2059.151.
77 TGC 2102.007(b)(2).
78 1 TAC 202.21 and 202.71.
79 TGC 2059.059(c), 2059.102(d), and 2059.151.
80 TGC 2054.307.
81 TGC 2059.102(c), (d).
82 SSP (pages 10, 39–40).
83 SSP (pages 10, 39–40).
84 TGC 2054.059.
85 SSP (pages 10–11, 38–40).
86 U.S. Department of Homeland Security, Federal Emergency Management Agency, State NIMS Integration, Version 1.0, Washington, D.C.
87 U.S. Department of Homeland Security, Federal Emergency Management Agency, NIMS Training Guidelines for FY 2006, Washington, D.C., December 2005.
88 SSP (pages 10–11, 38–40).
89 DHS/HSGP, Appendix I (see endnote 38).
90 DHS/HSGP (see endnote 38).
91 TxHSSP (page 44).
92 1 TAC (Part 10) 202.21 and 202.71.


Department of Information Resources P.O. Box 13564 Austin, TX 78711-3564 www.dir.state.tx.us/

Visit www.TexasOnline.com, the Official Web Site of the State of Texas
