CIOReview, September 2018, page 8

COMBATING CYBERSECURITY CHALLENGES WITH SENIOR LEADERSHIP SUPPORT

By Ram Murthy, CIO, US Railroad Retirement Board

With ever-increasing information security and privacy risks, we must make our systems and processes more robust. Several federal agencies and well-established institutions have legacy systems built using an architecture that was deemed vigorous 40 years ago but stands no chance exposed to the modern security threats and real-time interactions of today.

Our mission-essential functions are performed in a legacy mainframe environment that is costly and extremely resource heavy in order to protect high-value assets and customer data from increasing cyber threats. This concern is compounded by our aging workforce and the scant number of individuals with these legacy skills in the job market today. By re-engineering our legacy systems, we reduce the inherent risks associated with a veteran staff of which 50 percent can retire today, many taking with them the institutional knowledge acquired over 40+ years.

Working closely with my Chief Information Security Officer (CISO), my risk management and privacy strategy is to prevent and detect impending attacks through continuous monitoring. By modernizing our legacy systems, we ensure that our enterprise architecture is stable for years to come, is flexible enough to accommodate new innovations, and can enable the encryption and security aspects necessary to keep our high-value assets and data safe.

Cybersecurity is not a one-time activity, but rather a continuous effort requiring vigilance at all times. To improve their security posture, federal agencies continue to make progress toward a compliant information security program with the help of the Security Operations Center and senior leadership support.

Security Operations Center (SOC)

Our SOC is equipped with a robust infrastructure to support real-time monitoring and Network Admission Control (NAC). Our authentication and authorization process is three-fold: first, the device must have a trusted certificate; second, the user must have a trusted identity in the network; and third, the Active Directory and NAC look for the trusted agreement of the user-device combination. Leveraging the Certificate Authority (CA) server, we generate agency-tailored certificates for all of our devices. In general, all agency staff have federal PIV cards. In the limited scenarios where these PIV cards are not available, such as the case of a privileged login, or a new employee, the agency issues smart cards with certificates from the CA server.

Our goal is to improve cybersecurity performance by focusing on the data and information entering and exiting our network, knowing what components are on this network and when their status changes, and who is logged on to our systems. We continue to manage the risk of the critical infrastructure and improve our response times to critical status alerts.