Government Information Security Case Study
Roberto remembers when “information security” was making sure the wrong people didn’t get hold of the mainframe printouts…
Information Security Concern
He’s committed to moving the County into the 21st century… although the pace demanded by his freeholders, Clerk, and Sheriff is far faster than he would prefer, especially for the Shared Services that extend to his county’s 29 municipalities. Roberto’s current challenges include:
- Building out the core infrastructure necessary to support, properly segregate, and secure multiple forms of sensitive data (e.g., Law Enforcement, Health & Child Services, County College, Social Services).
- Determining the “consolidated services” compliance requirements (HIPAA, PCI, CALEA, State Identity Theft Act, etc.) and being able to demonstrate compliance.
- Defining Third Party Security requirements and enforcing them for a diverse array of public and private sector “partners/vendors/users” (e.g., 4G Wireless providers, an MPLS VPN provider, a Co-Location Facility, Medicare Claims Processing application provider).
- Ensuring the County’s “restrict access to only those with a need to know” mandate is enforceable on the soon-to-be-deployed County Portal that will provide access to shared services for both Township and County employees, as well as county residents.
Information Security Approach
Roberto contacted us based on a Google search on “third party risk management.” Pivot Point Security worked with Roberto and his team to analyze various options, and helped them come up with the right combination of activities to meet their specific requirements.
Roberto and his team decided to:
- Conduct an Information Asset audit to understand the types and classifications of data in the scope of the new architecture. They could then leverage this information in an information-focused Risk Assessment based on Secure Data Flow Diagramming (SDFD), to understand how the different forms of information transit the infrastructure, the processes that act on the data, and the security controls required at each juncture.
- Conduct a multi-standard Controls Gap Assessment covering the standards outlined by County Counsel, leveraging the Information Audit/SDFD. To simplify internal and Third Party Risk Assessment, Roberto decided to have Pivot Point Security map all the compliance standards (e.g., STATE ITPA, PCI, HIPAA, NIEM-GJXDM, NIST) against the ISO 27002 standard. This approach produced a simplified list of action items, each mapped to the one or more standards that its gap applied to. This also simplified the next project phase.
- Develop Third Party security requirements and contractually communicate them to all vendors, agencies, and municipalities whose Information Security Controls posed a risk to sensitive information. Integral to these contracts was a definition of each third party’s responsibility to provide third party attestation (proof) that they were achieving the requirements.
- Conduct a Portal Vulnerability Assessment and Penetration Test that extended to the network, application, and database tiers of the solution. The Penetration Test substantiated that the portal achieved the County’s access restriction objectives.
We continue to work with Roberto, with a focus on developing a fully “validated” Private Cloud. Still to execute:
- Continue to implement findings from previous audit activities
- Formalize and document the Information Security Management System
- Phase 1 Validation of Security Posture and ISMS: Conduct a BITS Shared Assessment
- Phase 2 Validation of Security Posture and ISMS: Pursue ISO 27001 Certification
You might say “Mission accomplished”!