Guidance to Safeguard Digital Assets in Fiscally Challenged Times

12 Core Information Security Services

To help states keep their IT security robust in these tough economic times, the National Association of State Chief Information Officers has published a taxonomy of a dozen critical IT security service.

The 12 core services identified in the report, The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs, could prove useful for other government and non-government organizations working to secure their information assets under financially challenging conditions.

1. Information Security Program Management: Plans, provides oversight and coordinates all information security activities.

• Align security program activities and staff with a generally accepted best practice framework.
• Oversee the creation and maintenance of information security policies, standards, procedures and guidelines.
• Create and maintain strategic and tactical plans.
• Coordinate the movement of plans, policies, standards and other authoritative documents through a governance process.
• Track information security risk key performance indicators.
• Disseminate security metrics and risk information to executives and other managers for decision making.
• Coordinate security efforts.

2. Secure System Engineering: Designs appropriate security controls in new systems or systems that are undergoing substantial redesign, including in-house and outsourced solutions.

• Integrate information security design requirements in the system development life cycle.
• Participate as a security consultant on significant technology projects.
• Assist with the creation of system security plans, outlining key controls to address risks.
• Assist with the creation of residual risk documentation for management acceptance.
• Integrate security requirements into contracts for outsourced services.
• Assist with the creation of information security policies, standards, procedures and guidelines.
• Assist with the creation of secure configuration standards for hardware, software and network devices.
• Integrate security requirements into contracts for outsourced services.

3. Information Security Awareness and Training: Provides employees at all levels with relevant security information and training to lessen the number of security incidents.

• Coordinate general security awareness training for all employees and contractors.
• Coordinate security training for groups with specialized needs, such as application developers.
• Provide persistent and regular messaging relating to cybersecurity threats and vulnerabilities.

4. Business Continuity: Ensures that critical business functions will be available in a time of crisis.

• Coordinate business impact analysis.
• Development of appropriate recovery strategies for services.
• Develop disaster recovery plans for identified key technologies.
• Coordinate testing to ensure that services can be recovered in the event of an actual disaster.

5. Information Security Compliance: Validates that information security controls are functioning as intended.

• Coordination of continuing assessments of key security controls in in-house and outsourced systems.
• Completion of independent pre-production assessments of security controls in new systems or systems that are undergoing substantial redesign.
• Coordination of all IT audit and assessment work done by third-party auditors.
• Monitoring of third parties' compliance to state security requirements.

6. Information Security Monitoring: Gain situational awareness through continuous monitoring of networks and other IT assets for signs of attack, anomalies and inappropriate activities.

• Create and implement an event logging strategy.
• Place sensors, agents and security monitoring software at strategic locations throughout the network.
• Monitor situational awareness information from security monitoring and event correlation tools to determine events that require investigation and response.
• Disseminate potential security events to the information security incident response team.

7. Information Security Incident Response and Forensics: Determines the cause, scope and impact of incidents to stop unwanted activity, limit damage and prevent recurrence.

• Manage security incident case assignments and the security investigation process.
• Mobilize emergency and third-party investigation and response processes, when necessary.
• Consult with system owners to help quarantine incidents and limit damage.
• Consult with human resources on violations of appropriate use policy.
• Communicate with law enforcement, when necessary.

8. Vulnerability and Threat Management: Continuously identify and remediate vulnerabilities before they can be exploited.

• Strategic placement of scanning tools to continuously assess all information technology assets.
• Implement appropriate scan schedules, based on asset criticality.
• Communicate vulnerability information to system owners or other individuals responsible for remediation.
• Disseminate timely threat advisories to system owners or other individuals responsible for remediation.
• Consult with system owners on mitigation strategies.

9. Boundary Defense: Separates and controls access to different networks with different threat levels and sets of users to reduce the number of successful attacks.

• Assist with the development of a network security architecture that includes distinct zones to separate internal, external and demilitarized-zone traffic and segments internal networks to limit damage, should a security incident occur.
• Participate in the change management process to ensure that firewall, router and other perimeter security tools enforce network security architecture decisions.
• Periodically re-certify perimeter security access control rules to identify those that are no longer needed or provide overly broad clearance.

10. Endpoint Defense: Protects information on computers that routinely interact with untrusted devices on the internet or may be prone to loss or theft.

• Manage processes and tools to detect malicious software.
• Manage processes and tools that only permits trusted software to run on a device, commonly referred to as white listing.
• Manage processes and tools to prevent certain software from running on a device, commonly referred to as blacklisting.
• Manage processes and tools to identity unauthorized changes to secure configurations.
• Manage processes and tools to encrypt sensitive data.

11. Identity and Access Management: Manages the identities of users and devices and controls access to resources and data based on a need to know.

• Maintenance of identities, including provisioning and de-provisioning.
• Enforce password policies or more advanced multifactor mechanisms to authenticate users and devices.
• Manage access control rules, limiting security access to the minimum necessary to complete defined responsibilities.
• Periodically recertify access control rules to identify those that are no longer needed or provide overly broad clearance.
• Restrict and audit the use of privileged accounts that can bypass security.
• Define and install systems to administer access based on roles.
• Generate, exchange, store and safeguard encryption keys and system security certificates.

12. Physical Security: Protects information systems and data from physical threats.

• Maintain facility entry controls and badging systems.
• Manage equipment and media destruction processes.
• Maintain building emergency procedures.
• Perform screening/background checks on job applicants.
• Implement controls to mitigate facility vulnerabilities.