2012 Biennial Performance Report 

Report on the Consolidated Network Security System

This biennial report meets the requirements of Texas Government Code Section 2059.057 (TGC 2059.057). It describes the consolidated network security system’s accomplishment of service objectives and performance measures, including financial performance.

The Report on the Consolidated Network Security System is presented in the following sections:



Background

Cyber security is the protection of the confidentiality, integrity, and availability of data and the associated information resources that transmit or store that data. It is an ongoing process that requires continuous, coordinated, and focused effort by all state agencies. The Texas Department of Information Resources (DIR), in consultation with agencies, continues to develop and expand its ability to monitor, assess, and safeguard the State of Texas’ information infrastructure from external cyber-attacks.

DIR established the Network and Security Operations Center (NSOC) in September 2007 to protect the state’s information assets from unauthorized external intervention or improper use. The NSOC is a secure and resilient facility that offers cost-effective network security services to all state agencies and other eligible state entities as specified in TGC 2059.057. Security operations are co-located and integrated with statewide network management functions in the NSOC. Security services offered through this facility include

  • event monitoring, alerting, and analysis
  • technical security assessment including controlled penetration testing (CPT) and web and host vulnerability (WAV) assessment
  • network visibility and discovery
  • enterprise intrusion prevention
  • training and policy support

Progress

In fiscal years 2011–2012, DIR delivered network security services through the NSOC and through agreements with a private vendor. In addition, DIR upgraded intrusion prevention services for entities connected to the consolidated statewide network. The state's Chief Information Security Officer (CISO) exercises policy direction for NSOC security operations and collaborates closely with the DIR Communications Technology Services Director.

  • Technical Assessments – The number of technical security assessments for FY 2012 represents a decrease compared to FY 2011; however, the current assessments represent a significant quality increase over the previous year. The two primary factors for this change are that DIR reduced the target number of CPT assessments for the entire period and focused on enhanced, comprehensive support services for CPT engagements. This has delivered additional support to assessed agencies in identifying and prioritizing remediation activity, thereby strengthening the assessment process.

    Fiscal Year   WAVs   CPT – State Agency   Total
    2011          94     101                  195
    2012          58     49                   107

  • Security Information Management – DIR’s Security Information Management (SIM) system provides continuous external monitoring and alerting for customer-designated, external-facing network components, e.g., firewalls, and intrusion detection and prevention systems. In collaboration with other state entities and federal cyber security organizations, the NSOC receives timely indications and warnings of network security incidents. DIR’s SIM system also provides continuous, 24-hour network security monitoring, data gathering, and protocol analysis for assessing and defeating network security threats.
  • Assessment – DIR uses the results and input from network monitoring, mandated incident reports, controlled penetration tests, and daily interaction with agency information security officers to
    • modify annual network security training and awareness capabilities
    • advise agencies on active vulnerabilities and exploits
    • improve the efficiency of future testing
    • protect state networks from outside attacks
  • Security Exercises – DIR conducts statewide exercises according to the Cyber Security Incident Response Plan, which was renewed and approved in FY 2012. DIR collaborates with other state agencies, communities, the Texas Department of Public Safety, and the Texas Division of Emergency Management in exercising and maintaining this plan.
  • Educational Services – DIR, through the CISO, sponsors or cosponsors no-cost and low-cost training and certification. These include DIR’s annual Texas Information Security Forum and advanced technical training provided via the SANS Institute. Other educational events include presentations at conferences and workshops.

    Fiscal Year   Security Trainings   Agency Attendees
    2011          9                    349
    2012          15                   619

  • Network Security Guidelines and Standards – The state CISO has collaborated with DIR staff and with Information Security Officers from state agencies and institutions of higher education to develop plans for a formal review of Texas Administrative Code Chapter 202: Information Security Standards. The CISO has also provided input into statewide Social Media Guidelines.
  • Financial Performance – Comprehensive consolidated network security services have been incorporated into the TEX-AN contract. DIR has determined that all state agencies that are part of the consolidated state network are paying their proportional cost of baseline NSOC security services. Additional sources of funding include:
    • Revolving Fund Account – DIR maintains sufficient funds to pay the liabilities of the center and related network security services.
    • Grants – DIR did not receive any grant funding in the FY 2012–13 biennium.

Next Steps

Cyber security is an ongoing concern that DIR will address by:

  • Updating the State Enterprise Security Plan to account for new threats, increased demands, and more cost-effective operations and services
  • Continuing to cooperate with federal, state, and local counterparts for preventing, preparing for, and responding to any disruption in service delivery
  • Continuing to work collaboratively with state entities to provide quality network security services that maintain a high level of trust in the privacy and security of state information resources