alberta's approach to an itm control framework
ALBERTA’S APPROACH TO AN INFORMATION AND TECHNOLOGY POLICY AND CONTROL FRAMEWORK
AGENDA
• OAG, Privacy Commissioner and Quality
• Alberta’s Approach to ITM Policies, Controls and Frameworks
• The Web 2.0 Impact
• What We Have Learned
OAG, PRIVACY COMMISSIONER
RECENT MEDIA
OAG and Media
• Alberta Gov't records at risk of hacking: A-G
EDMONTON - The auditor general's office found electronic "footprints" showing that confidential government records had been accessed by outside sources, Fred Dunn said this morning as he outlined his annual report.
Alexandra Zabjek and Archie McLean, edmontonjournal.com. Published: Thursday, October 02
• Trust betrayed by multiple lapses in Gov't computer security. Actual breaches minor, but why were databases left unprotected? Invaders from Eastern Europe and Asia could have already infiltrated Alberta - and the government's most top-secret information - says Alberta's auditor general.
Paula Simons, The Edmonton Journal. Published: Friday, October 03
• We are lucky indeed to have an active auditor general's office with the mandate and chutzpah to keep tabs on those who spend our money.
Edmonton Journal. Published: Saturday, October 04
Privacy Commissioner
• Information and Privacy Commissioner in support of Auditor General Recommendations: Information and Privacy Commissioner Frank Work fully supports recommendations made by the Auditor General with respect to security and protection of information assets of the Government of Alberta. The Auditor General, among other things, is recommending establishment of a central security office to oversee all aspects of information security across all Government of Alberta ministries and departments.
Not just AB, Canada but all Governments (GovernmentExec.COM)
• If Alberta is like almost every other government in the world, skilled hackers got in and out with little notice. … And they're probably still hiding in a closet ready to pounce.
• In all fairness, Alberta is not alone. Attacks on Web applications are now considered one of the most worrisome for government information security folks.
• Targeted attacks on computers and vulnerabilities in Web applications topped the list of threats to government and industry information systems in 2007, according to a new report from the SANS Institute. While proper security measures can help lock down agency systems, employees are easily duped by the increasingly sophisticated methods of hackers.
• "This is an arms race; each time we set up a defense, the people who are attacking raise the sophistication of the attack," said Alan Paller, Director of Research at the SANS Institute. "For a lot of years, the sophistication was in how well they could find vulnerabilities in the system. What's different is that as they have been blocked in most simple vulnerabilities, they've come up with two completely new ones that most federal agencies aren't even thinking about."
• One emerging threat lies with Web applications, which accounted for half the total vulnerabilities reported in 2007, according to TippingPoint, an intrusion prevention systems vendor in Austin, Texas. And that figure doesn't include custom-developed Web applications, which are particularly prevalent in government.
ALBERTA OAG
• WE NEED THE AUDITOR TO SAVE OURSELVES FROM SELF DESTRUCTION, SELF MUTILATION AND
• WE NEED TO PROTECT OUR INVESTMENTS, OUR INFORMATION BUT ALSO CONTINUE TO DELIVER SERVICE WHICH MEANS UNDERSTANDING AND BALANCING RISK
ALBERTA’S APPROACH
IMT CONTROL FRAMEWORK
Alberta’s Challenges
• ITM policies were developed in reaction to ‘new technology’ and OAG:
– could not keep up with continuous change
– did not withstand the test of time
– increased management burden
– no alignment
• Increased complexity of reorganizations and restructuring
• Gaps and overlaps caused exposure to unnecessary business, project execution and operational risks (134 ‘policies’ – 4 Ministries)
• Limited flexibility as policies were prescriptive
ALBERTA ITM Control Framework Alignment Map (diagram; its labels are listed below)

Control areas (columns): Leadership & Management; Integrated Information; Shared Technology Infrastructure
Layers (rows): STRATEGIC; TACTICAL; OPERATIONAL
GoA Strategic Goal: Standard Foundations for Business and Citizen Centric Services
Ministries shown: Advanced Education & Technology; Education; Children & Youth Services

Policy domains
• 1.1 Information and Technology Governance
• 1.2 Planning & Risk Management
• 1.3 Program Management
• 1.4 I & T Organization & Relationships
• 2.1 Client Acquired & Developed Solutions
• 2.2 Identity Management
• 2.3 Privacy & Information Security
• 3.1 Information Management
• 4.1 Technology Management
• 4.2 Technology Service Management
• 4.3 Change Management

Controls (GCCR number, mapped to COBIT 4.1 process and, where shown, legislation or regulation)
• GCCR#1.1.1 ITM Steering Committee: COBIT PO4.3
• GCCR#1.1.2 ITM Strategic Plan: COBIT PO1
• GCCR#1.2.1 ITM Policy Management: COBIT PO6.3, ME3.1
• GCCR#1.2.2 Enterprise ITM Risk & Control: COBIT PO6.2
• GCCR#1.3.1 Data & System Ownership: COBIT PO4.9, DS9.1; RMR 4(2)
• GCCR#1.3.2 Segregate Duties: COBIT PO4.6, PO4.11; RMR 4(2)
• GCCR#1.4.1 Personnel Training: COBIT PO7.4
• GCCR#1.4.2 Roles & Responsibilities: COBIT PO4.6
• GCCR#1.5.1 Information Classification Scheme: COBIT PO2.3
• GCCR#2.1.1 Risk Assessment: COBIT PO6.3, ME3.2, ME3.3
• GCCR#2.1.2 Risk Response Plan: COBIT PO9.5, PO9.6
• GCCR#3.1.1 User Account Management: COBIT DS5.4
• GCCR#3.1.2 Access Controls & Segregated Duties: COBIT PO4.11
• GCCR#3.1.3 Access Rights: COBIT DS5.4
• GCCR#3.1.4 Access Monitoring; Financial Administration Act
• GCCR#3.1.5 Access Configuration: COBIT DS5.4
• GCCR#3.2.1 Physical & Environmental Security Plan: COBIT DS5.2
• GCCR#3.2.2 Physical & Environmental Security Controls: COBIT n/a
• GCCR#3.2.3 Physical Access: COBIT DS12.3
• GCCR#3.3.1 Physical Security Measures – Fire: COBIT DS12.2
• GCCR#3.3.2 Physical Security Measures – Temperature: COBIT DS12.2
• GCCR#3.3.3 Physical Security Measures – Humidity: COBIT DS12.2
• GCCR#3.3.4 Physical Security Measures – Moisture: COBIT DS12.2, DS12.4
• GCCR#3.3.5 Physical Security Measures – UPS Backup: COBIT DS12.2, DS12.4, DS12.5
• GCCR#3.4.1 Network Security Technology: COBIT DS5.10
• GCCR#3.4.2 Security Testing, Surveillance & Monitoring: COBIT DS5.5
• GCCR#3.4.3 Security Technology Protection: COBIT DS5.7
• GCCR#3.4.4 Wireless Security: COBIT DS5.7, DS5.10
• GCCR#3.5.1 Anti-Virus & Malware Protection: COBIT DS5.9
• GCCR#3.5.2 Automatic Updates: COBIT DS5.9
• GCCR#3.5.3 Configuration & Monitoring: COBIT DS5.9
• GCCR#3.6.1 Configuration Management: COBIT DS9.1
• GCCR#3.6.2 Configuration Monitoring: COBIT DS9.3, DS5.7, DS5.9, DS5.10
• GCCR#3.6.3 Infrastructure Protection & Availability: COBIT AI3.2
• GCCR#3.6.4 Infrastructure Maintenance: COBIT AI3.3, AI6.1
• GCCR#3.7.1 Identity Management: COBIT DS5.3, DS4.4
• GCCR#3.7.2 Remote Access Configuration & Authorization: COBIT DS5.11
• GCCR#4.1.1 CM Standards, Procedures, Assessment: COBIT AI6.1, AI6.2
• GCCR#4.1.2 Closure & Documentation: COBIT AI6.5
• GCCR#4.1.3 Implementation Plan: COBIT AI7.3
• GCCR#4.1.4 Change PIR: COBIT AI7.9
• GCCR#4.2.1 Approve Change: COBIT AI7.3, AI7.8
• GCCR#4.2.2 Segregate Duties: COBIT AI7.8
• GCCR#4.2.3 Promote to Production: COBIT AI7.8
• GCCR#4.3.1 Test Environment: COBIT AI7.4
• GCCR#4.3.2 Test Change: COBIT AI7.6
• GCCR#4.4.1 Emergency Change: COBIT AI6.3
• GCCR#5.1.1 Assess Project: COBIT AI1.3
• GCCR#5.1.2 Development & Acquisition Methodology: COBIT PO8.3
• GCCR#5.2.1 Project Development PIR: COBIT AI7.9
• GCCR#6.1.1 Incident & Problem Management: COBIT DS10.1, DS8.3, DS8.4
• GCCR#6.1.2 Incident & Problem Reporting: COBIT DS8.5
• GCCR#7.1.1 Business Continuity Plan: COBIT DS4.2; Emergency Management Regulation
• GCCR#7.1.2 Assess Business Impact: COBIT DS4.2
• GCCR#7.1.3 Test BCP: COBIT DS4.5
• GCCR#7.1.4 Maintain BCP: COBIT DS4.4, DS4.7, DS4.10
• GCCR#7.2.1 Backup & Restoration: COBIT DS11.5
• GCCR#7.3.1 Test Backup Media: COBIT DS11.5
• GCCR#7.3.2 Restrict Access to Backup Media: COBIT DS11.6
• GCCR#7.3.3 Offsite Backup Storage: COBIT DS4.9
• GCCR#8.1.1 Supplier Contract Management: COBIT AI5.2
• GCCR#8.1.2 Supplier Selection: COBIT AI5.3, DS2.3
• GCCR#8.1.3 Relationship Mngt & Performance Monitoring: COBIT DS2.2, DS2.4
• GCCR#8.1.4 Supplier Controls: COBIT DS2.3
• GCCR#8.1.5 Supplier Compliance Monitoring: COBIT ME2.6
• GCCR#9.1.1 End-User Computing Controls; Financial Admin. Act

Other mapped items
• Privacy of Information: FOIP Act
• Records Management: Records Management Regulation (RMR), Alberta Evidence Act, Electronic Transactions Act, Financial Administration Act
• Document Management
• Knowledge Management

ITM Policy Framework (COBIT 4.1 process alignment)
• Information Architecture: COBIT PO2
• Technological Plan: COBIT PO3
• ITM Organization & Relationships: COBIT PO4
• ITM Investment Management: COBIT PO5
• ITM Control Environment: COBIT PO6
• ITM HR Management: COBIT PO7
• Quality Management: COBIT PO8
• ITM Risk Management: COBIT PO9
• ITM Programme Management: COBIT PO10
• Project Requirements & Feasibility: COBIT AI1
• Software Acquisition & Maintenance: COBIT AI2
• Technology Acquisition & Maintenance: COBIT AI3
• User Manuals & Documentation: COBIT AI4
• ITM Procurement: COBIT AI5
• Change Management: COBIT AI6
• Test, Implement & Review Changes: COBIT AI7
• Service Level Management: COBIT DS1
• 3rd Party Services Management: GCCR#8.1.4, COBIT DS2
• Performance & Capacity Management: COBIT DS3
• Business Continuity Plan: COBIT DS4
• Security Management: COBIT DS5
• ITM Budgeting & Cost Allocation: COBIT DS6
• Educate & Train Users: COBIT DS7
• Incident & Problem Management: COBIT DS8, DS10
• Configuration Management: COBIT DS9
• Data Management: COBIT DS11
• Physical Security Management: COBIT DS12
• Operations Management: COBIT DS13
• ITM Performance Management: COBIT ME1
• Internal Control Programme: COBIT ME2
• Compliance Assurance: COBIT ME3
• ITM Governance: COBIT ME4

Legend: COBIT 4.1; GCCR; Legislation or Regulation; Policy; GoA Strategic Goal; Governance & Accountability Framework (Service AB); Framework; International Standard; Best Practices

Frameworks and international standards referenced: PMI; ISO/IEC 12207; AS8015; Dublin Core; ISO 15489; ISO 11179; ISO/IEC 27002; Information Management Framework (IMAC); ICT Risk Management Framework (Service AB); COSO; ITIL

Framework layers
• Overall Strategic Direction & Vision
• Strategic & Tactical Policies
• Supporting Controls (Processes, Standards, Guidelines)
Forrester Research IT Compliance Life Cycle (diagram; its labels are listed below)
• Phases: Phase I; Phase II; Phase III - Ongoing Management
• Drivers: Enterprise governance; IT governance; Best practices; Controls and Legislation
• Performance: Business goals; Balanced scorecard
• Conformance: Basel II, Sarbanes-Oxley Act etc.
• Frameworks: COSO; COBIT; ITIL
• Security: ISO/IEC 2700x
• Quality Management: ISO/IEC 9001:2000
• IT Service Management
CoBIT, Legislation & Other Frameworks
CoBIT Maturity Model: understand where IT and business are for each control

Maturity Level | Status | Establishment
0 – Non-existent | No recognition of need to control | No intent to assess the need for control
1 – Initial / ad hoc | Some ad hoc recognition of need to control | No awareness of need to assess what controls are needed
2 – Repeatable but intuitive | Controls in place but not documented | Assessment of control need occurs only when necessary
3 – Defined | Controls are in place and adequately documented | Critical controls and processes are identified based on value and risk drivers
4 – Managed and Measurable | Effective control and risk management environment | Control criticality regularly defined with full support of business owners
5 – Optimized | Enterprise wide risk and control programme provides continuous and effective control and risk resolution | Business changes consider the criticality of controls and cover any need to reassess control capability
Layers of ITM Control Framework
Layers in ITM Alignment Map
ITM Control Framework Overview
Decide Who Owns (leads) What Control
Security/Privacy Incident Reporting
UNDERSTAND WHOSE CONTROLS TRIGGER OTHERS’ CONTROLS
ITM Control Framework Overview
WEB 2.0
What do we need to know about and consider while we are developing policies, frameworks, standards and controls?
Web 2.0 at Advanced Education and Technology (diagram; its labels are listed below)
• Identity Management (A & A)
• Real-Time Communications Dashboard
• Audiences: Internal; P.S.I. Institutes; Other Stakeholders
• Business Apps (SFS, ATOMS, PAPRS, SHR)
• Information Strategy (Information & Knowledge)
• Web Strategy (Content, Information, Applications)
• Desktop Apps (Calendar, Word, PowerPoint)
• Unified Msg; Web Conference; Video Conference; Instant Msg; Collaboration Tools
• Presence (People, Place, Time)
• Collaboration Integration
• IP Enabling Contact Centers
• Networks: Public | Wireless Network | LAN/GOA Domain; Supernet; Centrix | PSTN; VPNs
• Room to Room Video over IP
WEB 2.0 Impact
Centralized Control Versus Decentralized Information Sharing (Balancing Opportunities/Risks)

Topic | Mid 1990-2000s | WEB 2.0 Value Proposition
Knowledge/Info | Centralization | Decentralization
Training | Waterfall/RUP meant training was at the end | Training is at the beginning through Self Training and each other
Cultural Change | Business performed and information in silos | Collaboration, openness, joint problem solving
Business Work Style | Feature and information overload | Simple, easy to use, business has become technology savvy through self training
Home / Work Tools | Work, more tools | Home/Work tools the same
Labour Shortages (Attract Gen X, Y and Millennials) | Governments cutting | Everyone recruiting
Generation X Expectations | Grassroots | Managers understand how technology can help productivity
IT Organization's | Gate Keepers; Privacy/security force IT to protect castles | Business will go around any blocking we put in because they CAN and they WANT IT
Privacy/Security | IT and SMEs guardians | End user behaviors guided by principles
Managing Information and Records | IT and SMEs guardians and overwhelmed by increased volume | End users accountable for information supported by tools provided by IT and SME
Information Silos | Caused by not working together and sharing | Caused by collaborating and working together but outside of centralized, controlled tools
Policy, Authorized, Authoritative Sources | Policy and authority decentralized - IT just starting to centralize IT now | Policies and accountability principle based on understanding and trust
Technology Delivery and Expectations | IT plans aligned after business plans | IT specific visions, plans and strategies plus business alignment
Service Responsiveness | IT and SMEs required to implement policies and controls | Policies and controls need to demonstrate value
Enterprise Tool Investments | Created to share investment and reduce information silos | Still required but only for information sources where information needs to be protected
ALBERTA’S PLANS, VISIONS AND STRATEGIES
WHAT WE LEARNED ABOUT HOW WE NEED TO PLAN BECAUSE OF CONTROLS, EXPECTATIONS, AND WEB 2.0
Vision: All Plans – Relationships (diagram; its labels are listed below)
• Web 2.0
• Advanced Education & Technology Business Plan & Policy
• Cross-Government Initiatives
• GoA Information & Services Strategy
• GoA Enterprise Architecture
• GoA Business Plan
• STAKEHOLDER INPUT: Post Secondary Institutions; Learners/Parents/Public/other Stakeholders; Research Institutes
• 7 Year ITM Vision
• 5 Year ITM Strategies
• 3 Year ITM Plan: Maintenance; Operations; Initiatives; Standards
• 1 Year Operational Plan
• ITM Policy Framework
• Operational Controls
• PSI Plans & Architecture

Advanced Education and Technology in 2014 (diagram; its labels are listed below)
• 2014: “Right Info” and “Right Services” at the “Right Time” at the “Right Place” to Answer the “Right Question” for the “Right Person”
• Test & Demo / Pilots
• Testing & Training
• Identity Management Strategy
• Information Management Strategy
• Web Strategy
• GOA Information & Services Strategy
• Unified Communications Strategy