
STRATEGY GUIDE TO SECURITY INFORMATION MANAGEMENT IN GOVERNMENT (source: hosteddocs.ittoolbox.com/20-Strategy_Guide_Security_Gov.pdf)


STRATEGY GUIDE TO SECURITY INFORMATION MANAGEMENT IN GOVERNMENT

HP Tech Dossier

SPONSORED BY HP AND INTEL

In today’s digital world, with its mobile devices and ubiquitous Internet access, citizens expect increasingly fast, convenient and accessible government services. And you as a state or local government are expected to meet these expectations. California’s Department of Motor Vehicles (DMV), for example, enables citizens to access their driving records via the Web. The state even has Android and iPhone apps that show the location of the nearest DMV office as well as its wait times.

At the same time, the security of citizen information is paramount. The government has a critical responsibility to protect personally identifiable and sensitive information, such as Social Security numbers and health care records. According to a 2010 study by Deloitte and the National Association of State CIOs (NASCIO)[1], “States hold the most comprehensive collection of personally identifiable information about constituents, spanning from birth to death,” a collection that will only increase with the implementation of health care reform.

Security is needed at every level of IT: applications, servers, storage, end devices and networks. In most organizations, however, different types of security are managed in different silos. And for state and local governments, the situation can be even more complicated. Often, different departments and agencies within the government may have their own IT staff and budgets and thus their own IT systems and services. This not only duplicates services and increases costs but the lack of coordination can also result in significant security vulnerabilities. Each state agency, for example, might use a different ISP, each with different security capabilities — or lack thereof.

What’s required is a holistic, integrated and proactive approach that embeds security into the IT life cycle and ensures that security practices are used throughout the organization. State IT departments are already starting to move in this direction. Among the top priorities in a 2011 survey of state CIOs[2], for example, were consolidation, information governance, security and shared services. (See story on NASCIO survey on page 4.)

[1] Deloitte study: “State Governments at Risk: A call to secure citizen data and inspire public trust,” 2010.

[2] “State CIO Top Ten Policy and Technology Priorities for 2012”, NASCIO, October 2011.

It’s a tall order, however, given deep budget cuts; staff shortages; and outdated, legacy systems. How to start? The Center for Digital Government recommends a security and risk assessment to identify vulnerabilities, categorize risks and garner internal support for improvements. State and local government IT departments can then use this information to design and implement an overall strategy that embeds security throughout their operation.

HP can help at every step of this process. Its Security Solutions Framework creates a sustainable approach to security and risk management, by identifying and reconciling the disparate functions and silos of security. Within the framework, HP offers services and products for assessing your current security stance, designing and implementing a security strategy and embedding security throughout your operation. The framework covers information security governance, security operations, application security, endpoint security, network security and data center security.

ENTERPRISE SECURITY DISCOVERY WORKSHOP

HP CAN HELP you achieve integrated, proactive security through its Enterprise Security Discovery Workshop. The one-day engagement, led by HP security experts, takes you through a structured, interactive process designed to

• Identify success factors for a secure enterprise

• Discover the organization’s current state of security, measured against its security goals

• Align programs based on security challenges

• Identify critical risk factors that need to be addressed

The workshop gives insight into market trends and drivers and how they affect an organization’s security posture. HP’s experts help identify priority projects based on business alignment and risk exposure and help design a program to meet the organization’s specific security challenges.

For more information, visit HP Security and Risk Management

“We were extremely pleased with the high value of the security quality assessment, recommendations and follow-up evaluations.”

— Wallace B. Rogers, E-Government Program Manager for the State of Oregon


3 /// HP Tech Dossier: SECURITY INFORMATION IN THE INSTANT-ON SOCIETY

/// NETWORK SECURITY

Reducing instances of network intrusion is imperative, but firewalls and antivirus software go only so far. “It’s no longer enough to deploy traditional desktop defenses against malware and spam,” says Tom Guenther, director of IT for Dauphin County, Pa. “The growing complexity of threats requires security at the network level and coordinated security management.”

The county installed HP’s TippingPoint solution, which blends firewall technology with intrusion detection and prevention. Through deep packet inspection, TippingPoint finds and stops requests with known bad signatures and even analyzes IP addresses associated with nefarious activity. Dauphin County found that the solution not only improved its security but also saved its staff six to 10 hours a week that it would otherwise have spent tuning security responses and automated network actions based on the threats being encountered. “With TippingPoint, we’ve virtually eliminated the need for tuning,” says John Doebling, network manager for the county.
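To make the signature-plus-reputation approach concrete, here is an added example, written for this guide rather than taken from HP or Dauphin County, of how an inline inspection engine can combine content signatures with a source-address reputation list and report why each request was blocked. The signatures, the listed networks and the sample requests are all constructed for the illustration; the patterns are simplified stand-ins for production rules, and nothing here describes how TippingPoint itself is built.

```python
"""Added illustration of signature matching plus IP-reputation lookup for an
inline inspection point. Example code written for this guide; it is not HP
TippingPoint code. Signatures, the reputation list and the sample traffic are
all constructed for the example."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

# Constructed signature set: each rule is a compiled regex over the request
# line plus body. Simplified stand-ins for real content rules.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"(?i)(['\"]|%27)\s*or\s+\d+\s*=\s*\d+"),
    "directory-traversal": re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/)", re.I),
    "reflected-xss-script-tag": re.compile(r"(?i)<\s*script\b|%3cscript"),
}

# Constructed reputation list: networks with a history of hostile activity.
BAD_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.77/32")]


@dataclass
class Verdict:
    src_ip: str
    action: str                      # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


def inspect(src_ip: str, payload: str) -> Verdict:
    """Deep-inspect one request. Block on any signature hit or on a source
    address inside a listed network; otherwise allow. Block decisions carry
    the rule names so an operator can see what fired and tune it."""
    reasons = []
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            reasons.append(f"signature:{name}")
    addr = ip_address(src_ip)
    if any(addr in net for net in BAD_NETWORKS):
        reasons.append("reputation:listed-source")
    return Verdict(src_ip, "block" if reasons else "allow", reasons)


# Constructed sample traffic: (source address, raw request line).
SAMPLE_TRAFFIC = [
    ("192.0.2.10", "GET /records?license=D1234567 HTTP/1.1"),
    ("192.0.2.11", "GET /records?license=x' OR 1=1-- HTTP/1.1"),
    ("198.51.100.9", "GET /offices?zip=94203 HTTP/1.1"),
    ("192.0.2.12", "GET /download?file=../../etc/passwd HTTP/1.1"),
    ("203.0.113.77", "GET /search?q=<script>alert(1)</script> HTTP/1.1"),
]


def run_sample() -> List[Verdict]:
    """Inspect every constructed request and return the verdicts in order."""
    return [inspect(ip, req) for ip, req in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for v in run_sample():
        print(f"{v.src_ip:15} {v.action:5} {', '.join(v.reasons)}")
```

Note that the third request is clean on content and is blocked purely on reputation, while the last one trips both checks; keeping the reasons separate is what lets a team distinguish a bad signature from a bad neighbourhood when reviewing blocks.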

/// IDENTITY MANAGEMENT

Another point of vulnerability is user access. Employees, contractors and partners must have access to the information they need but must also be restricted from accessing other data. However, identity and access management projects have a high failure rate, with 52 percent of all projects ending in failure. Not only is the technology complex but identity management can also be hard to implement when organizational and political turf is involved. To help, HP offers a range of identity and access management products and services, including an assessment service that helps you quantify the benefits of identity and access management, justify and build consensus among stakeholders and develop a road map of successful subprojects.

The sheriff’s office of Polk County, Fla., for example, needed to control access to its network, on which it kept criminal records, medical reports and information on police investigations. The county installed Identity Driven Manager, an HP ProCurve Manager Plus plug-in, to better control access rights of users as well as particular devices. “HP helped us take a big step with our security,” says Bill Ward, division director of IT for the sheriff’s office.
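As an added example, and not code from HP Identity Driven Manager or the Polk County deployment, the following deny-by-default check shows what controlling access by both user and device looks like in practice: a request is granted only when the user’s role is entitled to the requested class of data and the request comes from a device registered to that user. The roles, data classes, device registry and sample requests are constructed for the illustration.

```python
"""Added illustration of least-privilege access control keyed on user AND
device, in the spirit of the Polk County example above. Example code written
for this guide, not HP Identity Driven Manager code. Roles, data classes, the
device registry and the sample requests are all constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed data classes, named after the record types mentioned in the text.
CRIMINAL_RECORDS = "criminal_records"
MEDICAL_REPORTS = "medical_reports"
INVESTIGATIONS = "investigations"

# Constructed role entitlements. Anything not listed is denied.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "detective": frozenset({CRIMINAL_RECORDS, INVESTIGATIONS}),
    "records_clerk": frozenset({CRIMINAL_RECORDS}),
    "jail_medical": frozenset({MEDICAL_REPORTS}),
    "contractor": frozenset(),
}

# Constructed device registry: device identifier -> user it is issued to.
# A device that is unregistered, or issued to someone else, never gets access.
DEVICE_REGISTRY: Dict[str, str] = {
    "LAPTOP-0412": "ortiz",
    "DESK-0077": "nguyen",
    "TABLET-0903": "patel",
}

# Constructed user directory: user -> role.
USER_ROLES: Dict[str, str] = {
    "ortiz": "detective",
    "nguyen": "records_clerk",
    "patel": "jail_medical",
    "vendor1": "contractor",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(user: str, device_id: str, data_class: str) -> Decision:
    """Check identity, then device binding, then entitlement. The first
    failing check denies, with a reason suitable for an audit log."""
    role = USER_ROLES.get(user)
    if role is None:
        return Decision(False, "unknown user")
    if DEVICE_REGISTRY.get(device_id) != user:
        return Decision(False, f"device {device_id} not registered to {user}")
    if data_class not in ROLE_ENTITLEMENTS.get(role, frozenset()):
        return Decision(False, f"role {role} not entitled to {data_class}")
    return Decision(True, f"{role} on registered device")


# Constructed sample requests: (user, device, data class).
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("ortiz", "LAPTOP-0412", INVESTIGATIONS),     # detective, own laptop
    ("ortiz", "LAPTOP-0412", MEDICAL_REPORTS),    # detective, out of scope
    ("nguyen", "LAPTOP-0412", CRIMINAL_RECORDS),  # clerk on someone else's device
    ("patel", "TABLET-0903", MEDICAL_REPORTS),    # medical staff, own tablet
    ("vendor1", "LAPTOP-0412", CRIMINAL_RECORDS), # contractor, borrowed device
    ("mallory", "BYOD-1", CRIMINAL_RECORDS),      # unknown user, unregistered device
]


def run_sample() -> List[Decision]:
    """Evaluate every constructed request and return the decisions in order."""
    return [authorize(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, d in zip(SAMPLE_REQUESTS, run_sample()):
        print("ALLOW" if d.allowed else "DENY ", req, "-", d.reason)
```

The ordering of the checks matters: device binding is tested before entitlement, so a clerk on a detective’s laptop is refused even for data the clerk’s role is otherwise allowed to see, and the contractor role, with no entitlements at all, is the default any new role should start from.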

HOW HP HELPED THE STATE OF OREGON ASSESS ITS SECURITY RISKS

BUSINESS NEED:

Oregon’s E-Government Program provides infrastructure for more than 100 Web sites. As part of the state’s emphasis on Internet security, it wanted to audit the Web architecture and applications on a regular basis.

SOLUTION:

• HP performed an independent security quality assessment, reviewing Oregon’s Web content management system and processes.

• HP identified security gaps and vulnerabilities and categorized them by security levels.

• HP recommended specific risk mitigation procedures for each level.

• HP performed follow-up evaluations, giving the state assurance that mitigation recommendations had been properly implemented.

Together, HP and Intel redefine security, energy efficiency, data center and cloud platform innovation. With an unmatched depth of resources, partnership and leadership, HP and Intel enable their customers to manage the volatile demand for energy, data and applications.

Here are just a few solutions HP offers.

/// APPLICATION SECURITY

Application layer vulnerabilities represent an enormous risk for government IT. Decades of security-blind programming practices mean that many legacy applications contain vulnerabilities. Third-party applications can vary in terms of how well they are locked down. Even recently developed custom applications may not be safe if security is not part of your life cycle management best practices. HP Fortify Software Security Center ensures that security is considered at every stage of an application’s life cycle. It tests, identifies vulnerabilities and eliminates risk in legacy applications and prevents vulnerabilities from being introduced during application development.

Web applications, in particular, can be fraught with security vulnerabilities. In a recent HP study, 69 percent of the Web apps tested contained at least one SQLi flaw and 64 percent of the assessed applications contained at least one reflected XSS flaw. HP offers a variety of services that test application security, including dynamic Web penetration testing that detects vulnerabilities in Web applications and services.
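The two flaw classes cited above are easiest to understand side by side. The following added example, written for this guide and unrelated to HP Fortify or to any application HP assessed, runs the same hostile input through a vulnerable and a hardened version of a driving-record lookup (SQL injection) and of a search results page (reflected XSS). The table, its rows and the payloads are constructed for the illustration.

```python
"""Added illustration of SQL injection and reflected XSS, each shown in its
vulnerable form next to its hardened form. Example code written for this
guide, not HP Fortify or any assessed application; the table, records and
payloads are constructed."""
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed driving-records table with two rows; a caller who asks
    for one licence should never see the other."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (license TEXT, holder TEXT, points INT)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [("D1234567", "A. Citizen", 2), ("D7654321", "B. Other", 5)],
    )
    return conn


# --- SQL injection: string concatenation vs. bound parameters ----------------

def lookup_vulnerable(conn: sqlite3.Connection, license_no: str) -> List[Tuple]:
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT license, holder, points FROM records WHERE license = '"
           + license_no + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, license_no: str) -> List[Tuple]:
    """Hardened: the value is bound as a parameter; the query text is fixed
    and the input can only ever be compared as data."""
    sql = "SELECT license, holder, points FROM records WHERE license = ?"
    return conn.execute(sql, (license_no,)).fetchall()


# --- Reflected XSS: raw interpolation vs. context-aware escaping -------------

def render_vulnerable(search_term: str) -> str:
    """Vulnerable: the reflected parameter is written into HTML unescaped."""
    return f"<p>Results for: {search_term}</p>"


def render_hardened(search_term: str) -> str:
    """Hardened: escape for the HTML text context before reflecting, so
    markup in the input is displayed rather than executed."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


SQLI_INPUT = "x' OR '1'='1"                            # constructed tautology
XSS_INPUT = "<script>alert(document.cookie)</script>"  # constructed payload


def demo() -> dict:
    """Run both payloads through both forms and summarise what each returned."""
    conn = make_db()
    return {
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, SQLI_INPUT)),
        "sqli_hardened_rows": len(lookup_hardened(conn, SQLI_INPUT)),
        "xss_vulnerable_has_script": "<script>" in render_vulnerable(XSS_INPUT),
        "xss_hardened_has_script": "<script>" in render_hardened(XSS_INPUT),
        "xss_hardened_output": render_hardened(XSS_INPUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row in the table for a tautology payload, which is exactly the data-exposure path a dynamic scanner is looking for; the hardened one returns nothing because no licence is literally equal to the payload string. Escaping on output is the XSS counterpart of parameter binding: the fix lives at the boundary where untrusted data meets a parser.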

LEARN HOW HP WAS ABLE TO SECURELY DIGITIZE PAUL MCCARTNEY’S ENTIRE ARCHIVE OF PHOTOGRAPHS AND RECORDINGS.


STATE CIO PRIORITIES[3]

A SURVEY by the National Association of State CIOs (NASCIO) found these strategies, management processes and solutions to be the top priorities of its members:

1. Consolidation/optimization

2. Budget and cost control

3. Governance

4. Health care

5. Cloud computing

6. Security

7. Broadband and connectivity

8. Shared services

9. Portals

10. Mobile services/mobility

Source: NASCIO

/// MANAGED SECURITY SERVICES

Few state and local governments can afford to hire enough IT people, let alone security specialists. That’s why the Center for Digital Government[4] recommends that governments consider using managed services. In fact, outsourcing security is a growing trend for state governments, according to the Deloitte/NASCIO survey.

HP offers a suite of managed security services, from short project engagement to full security outsourcing, for governments ranging from municipal governments all the way up to national governments. (For instance, HP provides security, compliance and risk services to multiple departments of the government of the United Kingdom.) The company has invested billions of dollars to create a huge security ecosystem, including five global security operations centers that employ more than 3,000 security and privacy service professionals. This ecosystem monitors more than 1.3 million security devices and 213 vendors of more than 20,300 technologies for system vulnerabilities and collects, stores and processes 3.5 billion events daily.

Citizens are expecting top-notch services at the touch of their smartphones. Threats are becoming more sophisticated, persistent and unpredictable. Governments need a sustainable approach to information security and risk management. With its full complement of security services, expertise and technologies, HP has the depth and breadth to help state and local governments meet the demands of the instant-on society.

For more information on HP offerings in enterprise security, visit www.hp.com/go/enterprisesecurity.

“The HP TippingPoint Security Management System allows us to gather accurate and timely statistics on what is hitting our network, what is going on inside our network—and allows us to adjust policies and practices on the fly as needed.”

— John Doebling, Network Manager, Dauphin County, Pennsylvania

Read the full story

Four Ways to a Self-Sufficient Infrastructure: HP ProLiant Gen8

Learn more about the new HP ProLiant Gen8…explore the architecture, see the portfolio, understand the value and join the conversation.

Cloud computing, virtualization, consumerization of IT—all have opened new vectors for security holes. How can you combat the cyber criminals? Watch this interview with an HP security expert.

GOT 30 SECONDS TO LEARN ABOUT HP AND SECURITY?

[3] “State CIO Top Ten Policy and Technology Priorities for 2012”, NASCIO, October 2011.

[4] Center for Digital Government: Issue Brief: “Lifting the Security Burden. A Cybersecurity Strategy for the Public Sector,” CDG, 2011.

Intel and the Intel logo are registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

HP is a registered trademark of Hewlett-Packard Company.


////////////

Are CIOs Too Cocky About Security?

The ninth annual Global Information Security Survey conducted by CSO magazine and PricewaterhouseCoopers indicates the vast majority of tech and business execs are overconfident about their security policies.

By George V. Hulme CIO.com

There’s been no shortage of high-profile and damaging data breaches in the past year. And the targets are widely varied—they include security firms RSA Security and HBGary Federal, defense contractors Lockheed Martin and Northrop Grumman, entertainment giant Sony, major retailers, healthcare companies and marketing firms.

Despite these attacks, the ninth annual Global Information Security Survey conducted by CIO’s sister publication CSO magazine and PricewaterhouseCoopers indicates that of the 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.

“Clearly, something unusual is happening, with so many organizations viewing themselves as security leaders,” says Mark Lobel, a principal in the advisory services division of PwC. In reality, “nowhere near 43 percent [are] leaders.”

Pete Lindstrom, research director at Spire Security, has another take. “Either 43 percent are fooling themselves, or they are reaching a good level of success in setting their strategy and hitting it.”

To better understand the actual security-management capabilities of the respondents who said they were leaders, PwC filtered the results according to factors it thinks are markers of real leadership. To meet the criteria, a company had to have a security strategy in place, IT security had to report to senior business leadership, the company had to have reviewed its IT security policy in the past year, and if the business had suffered a breach, it had to understand the cause. “When we finished that analysis, the amount of front-runners fell from 43 percent to 13 percent,” Lobel says.

Read the full article

////////////

How much should you spend on IT security?

The industry average is about 5 percent of the total IT budget, according to research from Gartner

By Jeremy Kirk IDG News Service (London Bureau)

It may be difficult for enterprises to figure out how much they should spend on IT security, but research analyst Gartner has statistics on how much their peers are spending.

Security is a trade-off between risk and cost, and enterprises in different industries may spend more or less depending on their situation, said Ian Reeves, a managing vice president for Gartner Consulting.

A survey of 1,500 or so companies worldwide found businesses spend an average of 5 percent of their total IT budget on security, according to Gartner’s IT Key Metrics Data for 2010. Gartner also broke it down to security spending per employee, which averaged around US$525 annually in 2009, compared to $636 in 2008 and $510 in 2007.

Of the total IT security budget, 37 percent is spent on personnel, 25 percent on software, 20 percent on hardware, 10 percent on outsourcing and 9 percent on consulting.

Companies should not necessarily worry if spending is higher or lower than the average, Reeves said. A more important question is why the spend is at a certain level and whether that is good or bad, Reeves said.

It’s possible to spend a fortune on security, but if it’s done poorly, it doesn’t help a business, said David Lello, a director at Gartner Consulting.

The general drivers for security spending include targeted malicious software attacks, cybercrime, regulation, remote access and new delivery models for services, such as cloud computing and software-as-a-service.

Companies ranked intrusion detection and prevention as the top security priority, followed by patch management, data loss prevention, identity management and antivirus.

Read the full article

Suggested Reading

These additional resources include business white papers and previously published articles from IDG Enterprise.


////////////

Cybersecurity help exists, focusing it is the trick

Myriad groups define technical security techniques for maintaining the confidentiality and availability of information systems and data

By Michael Cooney Network World

There are a ton of groups out there that offer cybersecurity help and guidance; the trick, it seems, is finding the right one for your organization.

The Government Accountability Office this week issued a report on just that notion saying: “Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security. Greater knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.”

Read the full article

////////////

Converged infrastructure accelerates the business, but requires investment: CIOs

Ross calls for governments to support an open Internet, but not for terrorism organizations

By John Dodge Enterprise CIO Forum

This Q&A examines the converged infrastructure op-portunity through the eyes of five CIOs from around the globe. The fivesome, all members of the Enterprise CIO Forum Council, also explores the challenges to achieving converged infrastructure and offers some sage advice. The five CIOs include Wayne Shurts, CIO and executive vice president at SUPERVALU; Spain “Woody” Hall, vice president, IT strategy and CIO, Gen-eral Dynamics Information Technology; Chai Hongfeng, director and executive vice president, China Union-Pay; Hisayu Hikichi, vice president of the information technology division at Japan Tobacco; and Dr. Dietmar Schlößer, CIO of Deloitte, Germany.

Read the full article

////////////

Consumerization of IT: The tail wags the dog

Building your own software seems nuts these days. But these CIOs from NYSE, KKR and Alcoa are doing it anyway. Why? To gain competitive advantage.

By Bill Laberis Enterprise CIO Forum

CIOs, take notice: The consumerization of IT and the evolution of technologies that enable people to work virtually are converging, pushing the boundaries of the corporate network and rapidly changing the way organizations operate.

Consumers are readily adopting tablets, smart phones and PDAs to complement their personal mobile infrastructure. Coupled with high-speed Wi-Fi, cloud and virtual technologies, these devices can supplement a flexible work environment, fostering an anytime, anywhere work philosophy.

That mind-set is transforming business; the distinction between work and personal time no longer follows a traditional clock. On any personal device, consumers can transition between business and leisure seamlessly, allowing them to work when they’re most motivated, and hence most productive.

Embracing this evolution in consumerized IT is not just something organizations should do to boost productivity; it is something they must do to stay relevant. As these technologies have proliferated and businesses have developed more instant-response capabilities, consumer expectations have grown as well.

According to a recent survey conducted by HP, 86 percent of senior business and government executives believe that they must move swiftly to adapt the enterprise to meet changes in consumer expectations.

“I mean, there’s no avoiding it,” says Spain “Woody” Hall Jr., vice president, IT strategy, and CIO of General Dynamics Information Technology. “The consumerized technology has taken us by storm, so you can either find ways to leverage it and be a constructive part of the solution, or you really become irrelevant.”

Read the full article
