Security

To work in collaboration with State, local and private sector partners to support mission-critical business activities through information security risk management, data protection and a strong culture of cyber security awareness.

Objectives

  • Provide educational/training opportunities, tools, and resources that support and enrich the Information Security "Community of Practice" (COP).
  • Facilitate networking, collaboration, and information sharing to harness collective knowledge and leverage proven strategies and practices.
  • Support the Joint MS-ISAC National Webcast Initiative.
  • Maintain strong working relationships with the NYS Office for Technology (CIO/OFT) and the NYS Office of Cyber Security & Critical Infrastructure Coordination (CSCIC).

2009-2010 Accomplishments

Education/Training Seminars

  • MS-ISAC National Webcasts http://www.msisac.org/webcast
    • 2009 - six joint initiative webcasts reached over 5,100 individuals (up slightly from 2008) in federal, state and local governments, private sector organizations, academia and home users in 15 countries, including 50 U.S. states, Washington D.C. and 2 U.S. territories.
    • 2010 to date - high registration counts (800-1,352 per webcast) continue to indicate the value and strong following of these excellent programs.
    • Payment Card Industry (PCI) - 2/12/2009
    • Application Security - 4/9/2009
    • Securing Mobile Devices - 6/17/2009
    • Security of Social Networking Sites / Web 2.0 - 8/19/2009
    • Our Shared Responsibility - Strategy for Promoting Cyber Security Awareness - 10/8/2009
    • Phishing Scams Part II - December 16, 2009
    • Information Security Emerging Trends & Threats for 2010 - February 24, 2010
    • Cloud Computing - April 21, 2010
    • Incident Response - June 23, 2010
  • Security Work Group Seminars & Webinars
    • 2009 Information Security Roundtable - ½ day event, May 14, 2009. Over 100 participants, 18 topics, 10 tables and 3 rounds. Topics were led by subject matter experts, channeled into ongoing Topic-of-Interest Groups, and included: Application Security, Continuity of Operations Planning, e-Discovery, eSignature, Identity Access Management, Data Classification, Security Framework, Policy, Investigations, Network Security, NYS Encryption Standard, PCI, Mobile Workforce, Metrics, Social Networking, Threats, Risk Assessment and Virtualization.
    • Virtualization-Related Security Risks - ½ day seminar, June 9, 2009
    • Developing and Updating Security Policies - Best Practice Approaches and Common Mistakes - seminar & the Forum's "pioneer webinar event," September 29, 2009
    • Manage Risk by Building Security Into Projects - seminar & webinar, May 26, 2010 [1st of 2 deliverables from a joint Security, Project Management & Business Continuity work group initiative]

Tool Development

  • Security Metrics - consensus list of baseline metric options, which will be further developed into implementable best practice measures and made available.

Presentations

  • "ISec Hot Topics" Presentation Series - ongoing, monthly series of executive briefings on timely information security-related topics (established and conducted since 2009):
    • "Shifting Internet Threat Landscape" by Patrick Gray, Cisco
    • "Risk Management" by Andrew Mule, EMC2
    • "Fast Track Risk Assessment Model" case study by Deb Snyder, NYS OTDA
    • "Web 2.0 Security" by Ken Kaminski, Cisco
    • "Information Security Program Framework - Critical Components & Strategies" by Michael Orozco, Teledyne
    • "2009 Supplemental Data Breach Investigations Report: An Anatomy of a Data Breach" by Chris Novak, Verizon Business
    • "Just One Person" security awareness video produced by Todd Colvin, Paychex
    • "The State of the Hack - Current Attack Vectors & Advanced Persistent Threat (APT)" by James Carder, Mandiant
    • "Secure SDLC Overview" by Dave Stern, NYC DOITT
    • "Taking the Pulse Check of Information Security - Management Level Assessment Model" by Ted Phelps, SUNY

Policy Review & Comment

  • NYS application security boilerplate contract language
  • NYS Cyber Security Information Security Policy & related standards
  • NYS Cyber Security Guideline G10-001 Secure Use of Social Media
  • CIO/OFT NYS Social Media Guidelines

Publications (all media formats)

Research/Surveys

  • Information Security Topics of Interest & Key Challenges Surveys
  • Forum research into the use of social media, including participation in CTG Web 2.0 and Emerging Technologies Web 2.0 sub group discussions, and development of external social media information security risk considerations and recommendations.

Consultation with State/Local Government Agencies/Leadership

  • In conjunction with NYS CSCIC, jointly developed slate of topics for the 2009-2010 MS-ISAC webcasts, and assisted in the selection/securing of presenters, and promotion of same.
  • Continued Professional Networking Framework of "Topic of Interest Groups" (established in 2009) to facilitate "Community of Practice" knowledge sharing & collaboration.

Other

  • Increased Work Group Membership - As of June 29, 2010: 89 active members (60 in state government, 2 in local government, 23 in private sector organizations and 4 in the NYS Forum). During QTR1 2010, 16 new members joined; during QTR2 2010, 11 more came aboard! Expanded membership helps foster the Forum's value proposition by reaching more individuals and organizations. Monthly meeting attendance and participation in education/training seminars, MS-ISAC web casts, and presentations remains strong, indicating our efforts are meeting the Information Security "Community of Practice" interest and needs.
  • Implemented the use of WebEx as an option to enhance monthly meeting attendance.
  • Enhanced Work Group Leadership from two to four active Co-Chairs to provide added depth of expertise, coverage and support. A strong and coordinated leadership team has helped ensure work group initiatives meet the interests and needs of our members.

2010-2011 Projected Initiatives

Education/Training Seminars

  • MS-ISAC National Webcasts http://www.msisac.org/webcast
    • Social Networking/Web 2.0 - August 25, 2010
    • Topic TBA (in conjunction with National Cyber Security Awareness Month) - October 14, 2010
    • Security Management - December 15, 2010
    • Joint Planning Meeting to devise the 2011 slate of webcast topics
  • Security Work Group Seminars & Webinars
    • "Information Security Program Framework, Part II - Breaking down the Critical Components & Strategies into Actionable Activities" - a web cast series that takes a deeper look at each critical component of an enterprise framework. - 1st in Sept. 2010.
    • "2010 Information Security Roundtable" - ½ day program featuring timely topics & "topic of interest" networking opportunities - Fall 2010
    • Introduction to the PM Guidebook Secure System Development Life Cycle Addendum - [2nd of 2 deliverables from the joint Security, Project Management & BC work group initiative] Fall 2010
    • Impact of Modernization & New Technologies on Security - seminar/web cast - 2011 date TBD
    • Others TBD based on feedback from the Forum's Annual Strategic Planning Session, Community of Practice Topics of Interest survey, and Work Group input.
    • Information Security Governance, Assurance and Risk Management Framework (Assessment & Implementation Tools/Techniques) (15)
    • Incident Management Response Preparedness (4)
    • Impact of new technologies (cloud computing, VI, etc.) on database security (6)

Tool Development

  • Security Controls and Metrics - working sub groups will develop implementable best practices for key controls, based on world-wide attack and threat evidence.
  • (As above) Information Security Governance, Assurance and Risk Management Framework (Assessment & Implementation Tools/Techniques)

Presentations

  • "ISec Hot Topics" Presentation Series - ongoing, monthly series of executive briefings on timely information security-related topics (established and conducted since 2008).

Policy Review

  • Actively review/comment on emergent and revised NYS CSCIC information security and CIO/OFT technology policies.

Publications (all media formats)

Research/Surveys

  • Information Security Topics of Interest & Key Challenges Surveys, and related Forum research.

Consultation with State/Local Government Agencies/Leadership

  • In conjunction with NYS CSCIC, jointly develop a slate of topics for the 2010-2011 MS-ISAC webcasts, and assist in the selection/securing of presenters, and promotion of same.
  • Enhance Professional Networking through the framework of "Topic of Interest Groups" (established in 2009) to facilitate "Community of Practice" knowledge sharing & collaboration.

Other

  • Once the Forum has viable platforms available, establish and moderate an Information Security WIKI, blog (carry-over initiative from 2009) and collaboration/networking portal to foster and facilitate "Info-Security Community of Practice" networking, knowledge, best practices and resource sharing.