RSA Leaders Series: State Of Texas Department of Information Resources … · 2019. 3. 5. · NANCY...
CUSTOMER Q & A
TEXAS DEPARTMENT OF INFORMATION RESOURCES
CENTRALIZES AND OPTIMIZES GRC ACTIVITIES
WITH RSA ARCHER
AT A GLANCE
CHALLENGES
• As a technology provider for state and local governments, the Department of Information Resources manages large amounts of information for many different state agencies and higher education institutions
• Systems and processes were out of date and cumbersome, creating inefficiencies across the organization
RESULTS
• With RSA Archer, all risk assessments and security incident reporting are now in one tool, giving the department the ability to see where the key risks are on a state-wide basis
• With the implementation of RSA Archer, all Texas state agencies and higher education institutions now have access to the same tools, regardless of their size or budget
WHAT DROVE YOUR DECISION TO IMPLEMENT RSA ARCHER?
When we began looking for a GRC solution, we had three required use cases: optimizing incident response, improving our risk assessments and enhancing our framework for security planning and maturity level reporting.
CAN YOU GO INTO FURTHER DETAIL ON THE USE CASES?
Optimizing incident response: We had an ageing system that was developed in the early 2000s where organizations had to report their security incidents on a monthly basis. They put numbers in every month and never got anything back out of it. So we wanted to have a system where organizations could report their monthly incidents but also see how they stack up against other organizations of similar size or the state as a whole. We also require organizations to report to us any incident that meets one of three criteria: if it involves the loss of protected information, if law enforcement has to be contacted or if it can propagate to other state systems. We weren’t always made aware of these incidents in a timely manner and had no way to track what was going on. We didn’t have a way to keep all the information in one standard format either. So we looked at this tool as a way to gather that information as well. We wanted to give organizations a method for tracking all their incidents, and the beauty of this tool is that if they do that, their monthly report is automatically generated for them, saving a large amount of time at the end of each month.
Improving risk assessments: The tool that state organizations used for risk assessments was about to be discontinued, so the agencies were looking for a replacement. We wanted a GRC solution that could help organizations perform their information security risk assessments, since we had a tool that was not being supported anymore. Our goal was to build in workflow for approval processes and reduce duplication of labor.
Enhancing our framework for security planning and maturity level reporting: In 2013 it became a legal requirement for state organizations to submit a security plan to the department every two years. In addition, the department had to develop a cybersecurity framework, so we needed a solution which combined both of these requirements. We were developing the Texas Cybersecurity Framework at the same time that NIST was developing their framework. Unfortunately our legislated time line would not allow us to simply adopt the NIST framework due to timing differences. So we adopted their high-level functional areas of identify, protect, detect, respond, and recover. We defined 40 key control areas under the functional areas. We needed a tool that provided organizations with the ability to assess and record their maturity level for each of the 40 key control areas and then develop a road map for improving their controls.
“As other people in our department learn about the Archer tool and its ease of use and flexibility, they are asking us to undertake other use cases. It’s been extremely successful.”
NANCY RAINOSEK, GOVERNANCE, RISK AND COMPLIANCE PROGRAM MANAGER, TEXAS DEPARTMENT OF INFORMATION RESOURCES
HOW DID YOU SELECT RSA ARCHER?
We went through a competitive process to select RSA Archer, whereby we outlined each of the use cases and sent questionnaires to a number of leading GRC providers and then had them go through demonstrations of how they could meet our needs. Ultimately we chose RSA Archer and we are using the enterprise, policy, risk, compliance and incident modules. It met our three key use cases as well as the objective of having a system where organizations could see how they compared to other organizations of similar size or the state as a whole.
HOW LONG DID IT TAKE TO IMPLEMENT?
We started implementing this tool about a year ago and in that time we have implemented all three use cases in addition to a couple of other applications to assist other departments in our agency. The work we have done has been relatively quick and the response from customers has been positive.
HOW DO YOU MEASURE THE EFFECTIVENESS OF YOUR PROGRAM?
We report to our Board of Directors on a quarterly basis, giving updates on how many organizations are using the tool and what our adoption rates are. This is extremely valuable in helping us determine what we need to do to improve, and making sure that our customers’ needs are being met. It’s always rewarding to see organizations adopt the incident reporting system because it is not a mandatory requirement. When they are voluntarily adopting a new tool we know that we’re on the right track and doing good things for our customers.
Previously, maturity levels were estimated, but now because we have the risk assessments as part of the tool, we’ve been able to integrate the two so that the 40 key controls in the Texas Cybersecurity Framework are linked to the NIST controls, which enables organizations to view the findings they have in each of those key controls. It gives them a better method for establishing or rating their maturity levels and this is particularly useful.
WHAT IS YOUR KEY TO SUCCESS?
I think about it as a three-step process of walk, run, fly. We started small with something that organizations were used to doing. We got them to use the new tool to do their monthly reporting and they found this made things easier. So much so that when people first started using the tool they felt like they were cheating because it wasn’t as cumbersome as what they were doing in the past. After this introduction to make them feel at ease with the tool, we then began introducing more complex processes for them to use.
The Department of Information Resources is a technology provider for state and local governments in the state of Texas. Its mission is to provide technology leadership, solutions, and value to state government, education, and local government entities, and to enable and facilitate the fulfilment of their core missions. It works with over 140 state agencies and institutions of higher education.
WHAT’S NEXT IN YOUR SECURITY JOURNEY?
As other people in our department learn about the Archer tool and its ease of use and flexibility, they are asking us to undertake other use cases; for example, creating an application to help DIR create a prioritized list of funding requests for security and legacy system modernization projects for the next legislative session. The workflow and the way that we can get information to and from our customers is of particular interest. The implementation has been extremely successful and we are looking to build on that.
CONTACT US
To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at rsa.com
©2018 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of Dell Inc. or its subsidiaries in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. 03/18, Customer Q&A, HXXXXXX