ALBERTA’S APPROACH TO AN INFORMATION AND TECHNOLOGY POLICY AND CONTROL FRAMEWORK

Upload: government-technology-exhibition-and-conference

Posted on 17-Dec-2014


TRANSCRIPT

Page 1: Alberta's Approach To An Itm Control Framework

ALBERTA’S APPROACH TO AN INFORMATION AND TECHNOLOGY POLICY AND CONTROL FRAMEWORK

Page 2: Alberta's Approach To An Itm Control Framework

AGENDA

• OAG, Privacy Commissioner and Quality

• Alberta’s Approach to ITM Policies, Controls and Frameworks

• The Web 2.0 Impact

• What We Have Learned

Page 3: Alberta's Approach To An Itm Control Framework

OAG, PRIVACY COMMISSIONER

RECENT MEDIA

Page 4: Alberta's Approach To An Itm Control Framework

OAG and Media

• Alberta Gov't records at risk of hacking: A-G

EDMONTON - The auditor general's office found electronic "footprints" showing that confidential government records had been accessed by outside sources, Fred Dunn said this morning as he outlined his annual report.

Alexandra Zabjek and Archie McLean, edmontonjournal.com

Published: Thursday, October 02

• Trust betrayed by multiple lapses in Gov't computer security. Actual breaches minor, but why were databases left unprotected? Invaders from Eastern Europe and Asia could have already infiltrated Alberta - and the government's most top-secret information - says Alberta's auditor general.

Paula Simons, The Edmonton Journal

Published: Friday, October 03

• We are lucky indeed to have an active auditor general's office with the mandate and chutzpah to keep tabs on those who spend our money.

Edmonton Journal

Published: Saturday, October 04

Page 5: Alberta's Approach To An Itm Control Framework

Privacy Commissioner

• Information and Privacy Commissioner in support of Auditor General Recommendations: Information and Privacy Commissioner Frank Work fully supports recommendations made by the Auditor General with respect to security and protection of information assets of the Government of Alberta. The Auditor General, among other things, is recommending establishment of a central security office to oversee all aspects of information security across all Government of Alberta ministries and departments.

Page 6: Alberta's Approach To An Itm Control Framework

Not just AB, Canada but all Governments

Source: GovernmentExec.COM

• If Alberta is like almost every other government in the world, skilled hackers got in and out with little notice. … And they're probably still hiding in a closet ready to pounce.

• In all fairness, Alberta is not alone. Attacks on Web applications are now considered one of the most worrisome for government information security folks.

• Targeted attacks on computers and vulnerabilities in Web applications topped the list of threats to government and industry information systems in 2007, according to a new report from the SANS Institute. While proper security measures can help lock down agency systems, employees are easily duped by the increasingly sophisticated methods of hackers.

• "This is an arms race; each time we set up a defense, the people who are attacking raise the sophistication of the attack," said Alan Paller, Director of Research at the SANS Institute. "For a lot of years, the sophistication was in how well they could find vulnerabilities in the system. What's different is that as they have been blocked in most simple vulnerabilities, they've come up with two completely new ones that most federal agencies aren't even thinking about."

• One emerging threat lies with Web applications, which accounted for half the total vulnerabilities reported in 2007, according to TippingPoint, an intrusion prevention systems vendor in Austin, Texas. And that figure doesn't include custom-developed Web applications, which are particularly prevalent in government.

Page 7: Alberta's Approach To An Itm Control Framework

ALBERTA OAG

• WE NEED THE AUDITOR TO SAVE OURSELVES FROM SELF DESTRUCTION, SELF MUTILATION AND

• WE NEED TO PROTECT OUR INVESTMENTS, OUR INFORMATION BUT ALSO CONTINUE TO DELIVER SERVICE WHICH MEANS UNDERSTANDING AND BALANCING RISK

Page 8: Alberta's Approach To An Itm Control Framework

ALBERTA’S APPROACH

IMT CONTROL FRAMEWORK

Page 9: Alberta's Approach To An Itm Control Framework

Alberta’s Challenges

• ITM policies were developed in reaction to ‘new technology’ and OAG:

– could not keep up with continuous change

– did not withstand the test of time

– increased management burden

– no alignment

• Increased complexity of reorganizations and restructuring

• Gaps and overlaps caused exposure to unnecessary business, project execution and operational risks (134 ‘policies’ – 4 Ministries)

• Limited flexibility as policies were prescriptive

Page 10: Alberta's Approach To An Itm Control Framework

ALBERTA ITM Control Framework – Alignment Map

[Diagram: the slide is a one-page map that aligns the GoA strategic goal, the strategic and tactical ITM policies and the supporting GCCR controls to COBIT 4.1 processes and to legislation. The recoverable content is listed below.]

Layers: Overall Strategic Direction & Vision; Strategic & Tactical Policies; Supporting Controls (Processes, Standards, Guidelines). Control levels: STRATEGIC, TACTICAL, OPERATIONAL.

GoA Strategic Goal: Standard Foundations for Business and Citizen Centric Services. Ministries shown: Advanced Education & Technology, Education, Children & Youth Services.

Policy domains: Leadership & Management; Integrated Information; Shared Technology Infrastructure.

Strategic & Tactical Policies:

• 1.1 Information and Technology Governance

• 1.2 Planning & Risk Management

• 1.3 Program Management

• 1.4 I & T Organization & Relationships

• 2.1 Client Acquired & Developed Solutions

• 2.2 Identity Management

• 2.3 Privacy & Information Security

• 3.1 Information Management

• 4.1 Technology Management

• 4.2 Technology Service Management

• 4.3 Change Management

Supporting Controls (GCCR# with COBIT 4.1 or legislation reference), in GCCR order:

• GCCR#1.1.1 ITM Steering Committee: COBIT PO4.3

• GCCR#1.1.2 ITM Strategic Plan: COBIT PO1

• GCCR#1.2.1 ITM Policy Management: COBIT PO6.3, ME3.1

• GCCR#1.2.2 Enterprise ITM Risk & Control: COBIT PO6.2

• GCCR#1.3.1 Data & System Ownership: COBIT PO4.9, DS9.1; RMR 4(2)

• GCCR#1.3.2 Segregate Duties: COBIT PO4.6, PO4.11; RMR 4(2)

• GCCR#1.4.1 Personnel Training: COBIT PO7.4

• GCCR#1.4.2 Roles & Responsibilities: COBIT PO4.6

• GCCR#1.5.1 Information Classification Scheme: COBIT PO2.3

• GCCR#2.1.1 Risk Assessment: COBIT PO6.3, ME3.2, ME3.3

• GCCR#2.1.2 Risk Response Plan: COBIT PO9.5, PO9.6

• GCCR#3.1.1 User Account Management: COBIT DS5.4

• GCCR#3.1.2 Access Controls & Segregated Duties: COBIT PO4.11

• GCCR#3.1.3 Access Rights: COBIT DS5.4

• GCCR#3.1.4 Access Monitoring: Financial Administration Act

• GCCR#3.1.5 Access Configuration: COBIT DS5.4

• GCCR#3.2.1 Physical & Environmental Security Plan: COBIT DS5.2

• GCCR#3.2.2 Physical & Environmental Security Controls: COBIT n/a

• GCCR#3.2.3 Physical Access: COBIT DS12.3

• GCCR#3.3.1 Physical Security Measures – Fire: COBIT DS12.2

• GCCR#3.3.2 Physical Security Measures – Temperature: COBIT DS12.2

• GCCR#3.3.3 Physical Security Measures – Humidity: COBIT DS12.2

• GCCR#3.3.4 Physical Security Measures – Moisture: COBIT DS12.2, DS12.4

• GCCR#3.3.5 Physical Security Measures – UPS Backup: COBIT DS12.2, DS12.4, DS12.5

• GCCR#3.4.1 Network Security Technology: COBIT DS5.10

• GCCR#3.4.2 Security Testing, Surveillance & Monitoring: COBIT DS5.5

• GCCR#3.4.3 Security Technology Protection: COBIT DS5.7

• GCCR#3.4.4 Wireless Security: COBIT DS5.7, DS5.10

• GCCR#3.5.1 Anti-Virus & Malware Protection: COBIT DS5.9

• GCCR#3.5.2 Automatic Updates: COBIT DS5.9

• GCCR#3.5.3 Configuration & Monitoring: COBIT DS5.9

• GCCR#3.6.1 Configuration Management: COBIT DS9.1

• GCCR#3.6.2 Configuration Monitoring: COBIT DS9.3, DS5.7, DS5.9, DS5.10

• GCCR#3.6.3 Infrastructure Protection & Availability: COBIT AI3.2

• GCCR#3.6.4 Infrastructure Maintenance: COBIT AI3.3, AI6.1

• GCCR#3.7.1 Identity Management: COBIT DS5.3, DS4.4

• GCCR#3.7.2 Remote Access Configuration & Authorization: COBIT DS5.11

• GCCR#4.1.1 CM Standards, Procedures, Assessment: COBIT AI6.1, AI6.2

• GCCR#4.1.2 Closure & Documentation: COBIT AI6.5

• GCCR#4.1.3 Implementation Plan: COBIT AI7.3

• GCCR#4.1.4 Change PIR: COBIT AI7.9

• GCCR#4.2.1 Approve Change: COBIT AI7.3, AI7.8

• GCCR#4.2.2 Segregate Duties: COBIT AI7.8

• GCCR#4.2.3 Promote to Production: COBIT AI7.8

• GCCR#4.3.1 Test Environment: COBIT AI7.4

• GCCR#4.3.2 Test Change: COBIT AI7.6

• GCCR#4.4.1 Emergency Change: COBIT AI6.3

• GCCR#5.1.1 Assess Project: COBIT AI1.3

• GCCR#5.1.2 Development & Acquisition Methodology: COBIT PO8.3

• GCCR#5.2.1 Project Development PIR: COBIT AI7.9

• GCCR#6.1.1 Incident & Problem Management: COBIT DS10.1, DS8.3, DS8.4

• GCCR#6.1.2 Incident & Problem Reporting: COBIT DS8.5

• GCCR#7.1.1 Business Continuity Plan: COBIT DS4.2; Emergency Management Regulation

• GCCR#7.1.2 Assess Business Impact: COBIT DS4.2

• GCCR#7.1.3 Test BCP: COBIT DS4.5

• GCCR#7.1.4 Maintain BCP: COBIT DS4.4, DS4.7, DS4.10

• GCCR#7.2.1 Backup & Restoration: COBIT DS11.5

• GCCR#7.3.1 Test Backup Media: COBIT DS11.5

• GCCR#7.3.2 Restrict Access to Backup Media: COBIT DS11.6

• GCCR#7.3.3 Offsite Backup Storage: COBIT DS4.9

• GCCR#8.1.1 Supplier Contract Management: COBIT AI5.2

• GCCR#8.1.2 Supplier Selection: COBIT AI5.3, DS2.3

• GCCR#8.1.3 Relationship Mngt & Performance Monitoring: COBIT DS2.2, DS2.4

• GCCR#8.1.4 Supplier Controls: COBIT DS2.3

• GCCR#8.1.5 Supplier Compliance Monitoring: COBIT ME2.6

• GCCR#9.1.1 End-User Computing Controls: Financial Admin. Act

Controls driven by legislation or regulation (no GCCR#):

• Records Management: Records Management Regulation (RMR), Alberta Evidence Act, Electronic Transactions Act, Financial Administration Act

• Privacy of Information: FOIP Act

• Document Management

• Knowledge Management

ITM Policy Framework (COBIT 4.1 processes):

• Information Architecture: COBIT PO2

• Technological Plan: COBIT PO3

• ITM Organization & Relationships: COBIT PO4

• ITM Investment Management: COBIT PO5

• ITM Control Environment: COBIT PO6

• ITM HR Management: COBIT PO7

• Quality Management: COBIT PO8

• ITM Risk Management: COBIT PO9

• ITM Programme Management: COBIT PO10

• Project Requirements & Feasibility: COBIT AI1

• Software Acquisition & Maintenance: COBIT AI2

• Technology Acquisition & Maintenance: COBIT AI3

• User Manuals & Documentation: COBIT AI4

• ITM Procurement: COBIT AI5

• Change Management: COBIT AI6

• Test, Implement & Review Changes: COBIT AI7

• Service Level Management: COBIT DS1

• 3rd Party Services Management: GCCR#8.1.4, COBIT DS2

• Performance & Capacity Management: COBIT DS3

• Business Continuity Plan: COBIT DS4

• Security Management: COBIT DS5

• ITM Budgeting & Cost Allocation: COBIT DS6

• Educate & Train Users: COBIT DS7

• Incident & Problem Management: COBIT DS8, DS10

• Configuration Management: COBIT DS9

• Data Management: COBIT DS11

• Physical Security Management: COBIT DS12

• Operations Management: COBIT DS13

• ITM Performance Management: COBIT ME1

• Internal Control Programme: COBIT ME2

• Compliance Assurance: COBIT ME3

• ITM Governance: COBIT ME4

Legend: COBIT 4.1; GCCR COBIT 4.1; Legislation or Regulation; GCCR Legislation or Regulation; Policy; GoA Strategic Goal.

Frameworks, international standards and best practices referenced: Governance & Accountability Framework (Service AB); ICT Risk Management Framework (Service AB); Information Management Framework (IMAC); PMI; COSO; ITIL; ISO/IEC 12207; ISO/IEC 27002; ISO 15489; ISO 11179; AS8015; Dublin Core.

Page 11: Alberta's Approach To An Itm Control Framework

Forrester Research: IT Compliance Life Cycle

Phase I

Phase II

Phase III - Ongoing Management

Page 12: Alberta's Approach To An Itm Control Framework

CoBIT, Legislation & Other Frameworks

[Diagram: drivers and the frameworks that address them. Recoverable content:]

• Drivers: Enterprise governance; IT governance; Best practices; Controls and Legislation

• Performance: Business goals (Balanced scorecard)

• Conformance: Basel II, Sarbanes-Oxley Act etc.

• Frameworks: COSO; COBIT; ITIL

• Security: ISO/IEC 2700x

• Quality Management: ISO/IEC 9001:2000

• IT Service Management: ITIL

Page 13: Alberta's Approach To An Itm Control Framework

CoBIT Maturity Model: Understand where IT and business are for each control

Maturity Level | Status | Establishment

0 – Non-existent | No recognition of need to control | No intent to assess the need for control

1 – Initial / ad hoc | Some ad hoc recognition of need to control | No awareness of need to assess what controls are needed

2 – Repeatable but intuitive | Controls in place but not documented | Assessment of control need occurs only when necessary

3 – Defined | Controls are in place and adequately documented | Critical controls and processes are identified based on value and risk drivers

4 – Managed and Measurable | Effective control and risk management environment | Control criticality regularly defined with full support of business owners

5 – Optimized | Enterprise-wide risk and control programme provides continuous and effective control and risk resolution | Business changes consider the criticality of controls and cover any need to reassess control capability

Page 14: Alberta's Approach To An Itm Control Framework

Layers of ITM Control Framework


Page 15: Alberta's Approach To An Itm Control Framework

Layers in ITM Alignment Map

ITM Control Framework Overview

Page 16: Alberta's Approach To An Itm Control Framework

Decide Who Owns (leads) What Control


Security/Privacy Incident Reporting

Page 17: Alberta's Approach To An Itm Control Framework

UNDERSTAND WHOSE CONTROLS TRIGGER OTHERS’ CONTROLS

ITM Control Framework Overview

Page 18: Alberta's Approach To An Itm Control Framework

WEB 2.0

What do we need to know about and consider while we are developing policies, frameworks, standards and controls?

Page 19: Alberta's Approach To An Itm Control Framework

Web 2.0 at Advanced Education and Technology

[Diagram: the slide shows the Web 2.0 collaboration architecture at Advanced Education and Technology. Recoverable content:]

• Cross-cutting layers: Identity Management (A & A); Real-Time Communications Dashboard; Collaboration Integration

• Audiences: Internal; P.S.I. Institutes; Other Stakeholders

• Business Apps (SFS, ATOMS, PAPRS, SHR)

• Information Strategy (Information & Knowledge)

• Web Strategy (Content, Information, Applications)

• Desktop Apps (Calendar, Word, PowerPoint)

• Communication services: Unified Msg; Web Conference; Video Conference; Instant Msg; Collaboration Tools; Presence (People, Place, Time); IP Enabling Contact Centers; Room to Room Video over IP

• Networks: Public | Wireless Network | LAN/GOA Domain; Supernet; Centrix | PSTN; VPNs

Page 20: Alberta's Approach To An Itm Control Framework

WEB 2.0 Impact

Topic | Mid 1990-2000s | WEB 2.0 Value Proposition

Knowledge/Info | Centralization | Decentralization

Training | Waterfall/RUP meant training was at the end | Training is at the beginning through self training and each other

Cultural Change | Business performed and information in silos | Collaboration, openness, joint problem solving

Business Work Style | Feature and information overload | Simple, easy to use, business has become technology savvy through self training

Page 21: Alberta's Approach To An Itm Control Framework

WEB 2.0 Impact

Topic | Mid 1990-2000s | WEB 2.0 Value Proposition

Home / Work Tools | Work, more tools | Home/Work tools the same

Labour Shortages (Attract Gen X, Y and Millennials) | Governments cutting | Everyone recruiting

Generation X Expectations | Grassroots | Managers understand how technology can help productivity

IT Organization's Gate Keepers | Privacy/security force IT to protect castles | Business will go around any blocking we put in because they CAN and they WANT IT

Page 22: Alberta's Approach To An Itm Control Framework

Centralized Control Versus Decentralized Information Sharing (Balancing Opportunities/Risks)

Topic | Mid 1990-2000s | WEB 2.0 Value Proposition

Privacy/Security | IT and SMEs guardians | End user behaviors guided by principles

Managing Information and Records | IT and SMEs guardians and overwhelmed by increased volume | End users accountable for information, supported by tools provided by IT and SME

Information Silos | Caused by not working together and sharing | Caused by collaborating and working together but outside of centralized, controlled tools

Policy, Authorized, Authoritative Sources | Policy and authority decentralized - IT just starting to centralize IT now | Policies and accountability principle based on understanding and trust

Page 23: Alberta's Approach To An Itm Control Framework

Centralized Control Versus Decentralized Information Sharing (Balancing Opportunities/Risks)

Topic | Mid 1990-2000s | WEB 2.0 Value Proposition

Technology Delivery and Expectations | IT plans aligned after business plans | IT specific visions, plans and strategies plus business alignment

Service Responsiveness | IT and SMEs required to implement policies and controls | Policies and controls need to demonstrate value

Enterprise Tool Investments | Created to share investment and reduce information silos | Still required, but only for information sources where information needs to be protected

Page 24: Alberta's Approach To An Itm Control Framework

ALBERTA’S PLANS, VISIONS AND STRATEGIES

WHAT WE LEARNED ABOUT HOW WE NEED TO PLAN BECAUSE OF CONTROLS, EXPECTATIONS, AND WEB 2.0

Page 25: Alberta's Approach To An Itm Control Framework

Vision: All Plans – Relationships

[Diagram: the slide shows how the ministry's ITM plans relate to government-wide plans, stakeholder input and Web 2.0. Recoverable content:]

• Inputs: Web 2.0; Advanced Education & Technology Business Plan & Policy; Cross-Government Initiatives; GoA Information & Services Strategy; GoA Enterprise Architecture; GoA Business Plan

• Stakeholder input: Post Secondary Institution; Learners/Parents/Public/other Stakeholders; Research Institutes; PSI Plans & Architecture

• Planning horizons: 7 Year ITM Vision; 5 Year ITM Strategies; 3 Year ITM Plan (Maintenance, Operations, Initiatives, Standards); 1 Year Operational Plan

• Supporting elements: ITM Policy Framework; Operational Controls

Page 26: Alberta's Approach To An Itm Control Framework

Advanced Education and Technology in 2014

[Diagram: the slide shows the strategies that lead to the 2014 target state. Recoverable content:]

Target (2014): “Right Info” and “Right Services” at the “Right Time” at the “Right Place” to answer the “Right Question” for the “Right Person”

• Stages: Test & Demo; Pilots; Testing & Training

• Strategies: Identity Management Strategy; Information Management Strategy; Web Strategy; GOA Information & Services Strategy; Unified Communications Strategy