Project 5 -- Security, Vulnerability, Redundancy

From Mike's working wiki


Questions

How would security work at the uncontrolled, non-standards-based "real world" end points?

Who would have the authority to drive these actions?

We need some kind of ongoing body to help these goals along

An advisory group with aggregated data and the authority to monitor and make recommendations to public and private entities:
  • share across silos (public and private space)
  • focus on the big picture (security, redundancy, privacy, etc.)
  • built to monitor/guide a moving target
  • an important part of Minnesota life -- too important to ignore

Benefits to the state

More complete info, more timely info, quicker responses, building on other best practices

Nimble

Allows quick response to security incidents (goal, react within minutes)

More revenue

If we don't handle this, the adoption and creation of new applications on the Internet (e.g. health care uses closed networks because the Internet isn't secure)

A competitive advantage for the state

Strengthens businesses in the state

Improve quality

Reduce cost

Scope

User Layer Application Safety

Cybersecurity vs physical infrastructure security vs information security


Action Items

  • All -- look for existing forums
  • All -- look for comparable groups in different states/countries
  • Mike -- set up wiki accounts
  • All -- define scope of this security section

Research results

Use this section to record any of your "homework".

Minnesota CSO Executive Summit - [1]

State by State Breach Notification Guidelines - [2]

Here is information that I obtained after talking with the CSO at Thomson Reuters. These all apply to us in various parts of the business. ISO 27001 is widely considered the foundation and the other regulations enhance it for certain purposes.

International Standards Organization (ISO 27001, 27002 security standards)- [3]

Center for Internet Security - [4]

Defense Information Systems Agency - [5]

National Security Agency - [6]

Federal Financial Institutions Examination Council - [7]

BITS Financial Services Roundtable [8]

Payment Card Industry (PCI) - [9]

Gramm-Leach-Bliley Act (GLBA) - [10]

Health Insurance Portability and Accountability Act (HIPAA) - [11]

Notes -- June 26 teleconference

Security


  • Need: Education & awareness across many different groups
  • Need: Coordination -- partly as a competitive advantage for the state
  • Need: Leadership -- to drive many facets of security (management, practices, assessment, response, etc.)
  • Need: To formalize the relationship between govt, businesses, consumers, ISPs -- we can no longer leave this to chance
  • Goal -- Everybody wins

Recommendation -- a coordinating group that works to develop approach, monitor progress


Redundancy

Problem: Facilities aren't well known, understood at the consumer level

  • Question: How fragile IS the broadband infrastructure?
  • Question: Is redundancy the same problem for every location? Every kind of business? Every kind of consumer?

  • Need: Information sharing (plans, projects, collaboratives)
  • Need: Mechanisms to share facilities, projects
  • Need: Multiple paths to the national backbone
  • Need: Peering, which improves redundancy
  • Need: Reduce dependencies on single points of failure (e.g. 511 Building)
  • Need: Additional points of presence in other cities -- Duluth, St Cloud, Rochester
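Added example (not from the task force's materials): the "single point of failure" and "multiple paths to the backbone" items above can be checked mechanically once the facilities and links are written down as a graph. The script below models a constructed topology in which every regional city homes on one hub that holds the only backbone link, reports for each city which single facility failure cuts it off from every backbone entry point, and then repeats the check after a hypothetical second path is added. The node names (Hub-511 as a stand-in for the 511 Building, Backbone-A/B) and all links are invented for illustration and do not describe any real Minnesota network.

```python
"""Added example: find single points of failure between regional sites and the
national backbone in a constructed (hypothetical) broadband topology."""
from collections import defaultdict, deque

# Constructed sample: three regional cities all home on one hub, and that hub
# holds the only link to the national backbone.
SAMPLE_LINKS = [
    ("Duluth", "Hub-511"),
    ("St Cloud", "Hub-511"),
    ("Rochester", "Hub-511"),
    ("Rochester", "St Cloud"),
    ("Hub-511", "Backbone-A"),
]

# Hypothetical remedy: a second, independent path to the backbone out of Duluth.
REMEDIATED_LINKS = SAMPLE_LINKS + [
    ("Duluth", "Backbone-B"),
    ("Backbone-A", "Backbone-B"),
]

SITES = ["Duluth", "St Cloud", "Rochester"]


def build_graph(links):
    """Undirected adjacency sets from a list of (a, b) links."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def connected(graph, src, dst, failed=frozenset()):
    """Breadth-first search: can dst still be reached from src when the nodes
    in `failed` are removed from the graph?"""
    if src in failed or dst in failed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node]:
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links, sites, backbones):
    """Map each site to the sorted list of other nodes whose individual
    failure leaves the site with no path to any backbone entry point."""
    graph = build_graph(links)
    backbones = set(backbones)
    result = {}
    for site in sites:
        cut = []
        for node in graph:
            if node == site:
                continue
            failed = frozenset({node})
            if not any(connected(graph, site, bb, failed) for bb in backbones):
                cut.append(node)
        result[site] = sorted(cut)
    return result


if __name__ == "__main__":
    for label, links, backbones in [
        ("before", SAMPLE_LINKS, ["Backbone-A"]),
        ("after", REMEDIATED_LINKS, ["Backbone-A", "Backbone-B"]),
    ]:
        print(label)
        for site, cut in single_points_of_failure(links, SITES, backbones).items():
            print(f"  {site}: {cut or 'no single point of failure'}")
```

In the constructed "before" topology every city is cut off by the failure of either the hub or the single backbone link. After the hypothetical second path is added, Duluth has no single point of failure but St Cloud and Rochester still depend on the hub, which is the sense in which redundancy is not the same problem for every location.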


Recommendation -- a different, but similar coordinating group


Privacy

Direction: The role of the core is to let the bits pass -- Net Neutrality

  • Need -- transparency
  • Need -- recourse when violations occur

Recommendation -- add this issue to the "consumer protection" regulatory recommendation of the task force (state level, location to be determined)



Report Draft

<Summary Begin>

5. Evaluate and recommend security, vulnerability, and redundancy actions necessary to ensure reliability


Security as defined by the Task Force involves providing security at the edge of the network. It is important to highlight the distinction between protecting the physical infrastructure from attack and securing the computers that are attached to the Internet. Imposing network security in the core of the Internet poses an unacceptable risk of government (or provider) monitoring and invasion of privacy.

Security is not possible without broadband

Today’s applications and operating systems are routinely upgraded on a weekly basis, with daily updates rapidly becoming common. Users connected through dialup or other slow connections face a choice between using their connection and keeping their machines patched. As botnets and other network-enabled exploits increase, these under-connected, under-secured machines pose a growing threat to the health of the Internet as a whole.

State policy should encourage better interconnection (peering) of Minnesota’s Internet service providers. State policy should encourage interconnectivity of Minnesota’s broadband networks to promote a more robust local economy and better connect our citizens to local government, education, libraries, and healthcare resources. This interconnectivity should include commercial, government, education, and municipal providers.

The task force recommends the following actions:

  • An evaluation of redundancy and security of the state broadband infrastructure.
  • Monitor progress with mapping and data collection. Implement an ongoing program of data collection and mapping to enable Minnesota’s policy-makers to monitor progress in achieving the state's broadband goals.
  • Provide a granular method of defining where broadband service exists.
  • Consider modeling efforts on locally-driven broadband data collection projects. All data on available speeds must be based on actual, not advertised availability, and also be accompanied by cost of service.
  • Make all data on available speeds available to the public in a format that can be used to generate similarly-granular overlays with other types of economic and demographic data.
  • Ensure clear service definitions and monitor performance against those definitions.
  • Rethink the Universal Service Fund. As we rethink the Universal Service Fund with an eye towards broadband and internet adoption we must develop policies that promote the goal of Universal Access. The focus should be on the human impact rather than the service provider - the opportunity for every person, regardless of their digital skills, geographical and socio-economic situation, to create and to share information useful for their own life plans. Recently, the Federal-State Joint Board on Universal Service, comprised of state and federal regulators, recommended to the FCC that the USF be divided into three separate programs:
    • One focusing on traditional wired telephone service.
    • One focusing on wireless or “mobility” service.
    • One focusing on broadband.
  • Ensure privacy. The freedom to hold opinions without interference is not possible without privacy of information and regulation around the collection and sharing of personal data. All members of the Internet community must be protected from government and corporate surveillance. The right to privacy on the Internet has two equally important aspects:
    • Information privacy or data protection, which requires the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records.
    • Privacy of communications, which covers the security and privacy of

<Note: additional content is needed that focuses on vulnerability and redundancy.>

To summarize, the task force recommends: • <to be filled in>

Report Snippets

Just as cities have an interest in the so-called “last mile” closest to them, the state has an indispensable interest in the necessary “middle mile” connections to its citizens and localities that ensure both security and redundancy in those essential connections, sustain business commerce and jobs, provide e-government functions, and protect vital networks and data from outside vulnerability and attack. Garrison

The Task Force recommends that the Legislature require an evaluation of redundancy and security of the state broadband infrastructure.

Concepts

  • Security
    • Security management -- strategy, leadership
    • Standards, tools, techniques
    • Risk assessment, risk management
    • Audit, compliance monitoring
    • Incident response
    • Continuity
    • Education, training, awareness
    • Access controls
  • Management
    • Steer at the core, row at the edges
    • Shared priorities at the core

Suggested structure [here]