Tuesday, May 12, 2015

Security is never done

Cyber attacks have been all over the news recently, with aggressive attacks on businesses, governments and personal information. The year 2014 — the quote-unquote Year of the Data Breach — proved to us that no enterprise, regardless of the size of security investment, is immune to attack. Attackers’ weapons are changing daily, technology is advancing exponentially, and businesses are evolving constantly — requiring rapid response and preventative tools to detect and thwart the increasingly sophisticated level of cyber attacks.

So what is the State of Colorado doing to stay on top of this?
Secure Colorado is a multi-year phased plan focusing on the 20 Critical Security Controls and other security improvements to reduce risk across the state. The plan is based on a layered security approach, and Colorado is one of only two states to have demonstrated a “solid and robust” understanding of the importance of integrating cyber security in their strategic IT plans.

What have we done so far?
The first two years of Secure Colorado focused on:
  • Alignment of the team to proactively address security and manage risk
  • Establishment of a risk and audit committee to perform risk assessments, track risks, and manage security in a consistent manner across all agencies
  • Remediation of audit findings
  • Implementation of the “first five” critical security controls resulting in an inventory of connected devices and deployed software, as well as an estimated 75 percent reduction in malware events
  • Establishment of metrics
  • Implementation of next generation firewall technology for better filtering for individual agency needs and to provide increased visibility and automated prevention for advanced threats
  • Creation of a SECURE system development life cycle (S-SDLC) for application code reviews at appropriate times in the implementation and change process
What’s next?
As a progressive and innovative state, our security team continues to evolve and embrace new technologies. Coloradans are demanding mobile applications, social media interaction and other new ways of interacting with state government — and we have to include security in these innovations from the very beginning in order to stay ahead of attacks.

Here’s what we have coming up with Secure Colorado:
  • Continuing to implement detective and preventative tools
  • Training teams to respond quickly to contain ANY type of event
  • Implementing and refining tools to filter security events through intelligence information — so that we can more quickly identify targeted attacks
  • Creating the next iteration of Secure Colorado to ensure that the state continues to improve security
Each of the 20 Critical Security Controls includes multiple sub-controls: 182 total sub-controls, with 75 “quick wins.” The quick wins for each of the 20 controls will all be implemented by July 2016, and additional sub-controls will be prioritized for implementation based upon risks/threats, evolving technology/business strategy, cost, and other factors.

Want to know more about Secure Colorado?
Join me and Rick Howard, Chief Security Officer for Palo Alto Networks, for a free webinar — A Safer Colorado through Security Excellence — Thursday, May 21, at 12 noon MDT.

Debbi Blyth: Chief Information Security Officer. Colorado native (almost!), beach lover, deep sea diver, Sunday school teacher. I'm the queen of keeping Colorado safe online. Find me on Twitter at @debbiblyth.

No comments:

Post a Comment

OIT encourages open discussion, and we invite you to share your opinion on our issues. By commenting on this blog, you are agreeing to our commenting policy, outlined below.

We reserve the right not to publish comments on our blog containing any of the following elements: profanity, misinformation, spam, off-topic/irrelevant (including self promotional posts not having to do with IT or the organization), personal attacks, promotion of violence, or the promotion illegal or questionable activities.

If you repeatedly violate this policy, you will be blocked from commenting.

If you have a question regarding this blog or anything on it, please email us at oit@state.co.us.

We appreciate your cooperation and support, and look forward to connecting with you!