Government CIO Outlook, May 2019
In My Opinion

Combating Cybersecurity Challenges
Ram Murthy, CIO, US Railroad Retirement Board

With ever-increasing information security and privacy risks, we must make our systems and processes more robust. Several federal agencies and well-established institutions have legacy systems built on an architecture that was deemed vigorous 40 years ago but stands no chance when exposed to the modern security threats and real-time interactions of today. Our mission-essential functions are performed in a legacy mainframe environment that is costly and extremely resource-heavy to protect high-value assets and customer data from increasing cyber threats. This concern is compounded by our aging workforce and the scant number of individuals with these legacy skills in the job market today.

Cybersecurity is not a one-time activity, but rather a continuous effort requiring vigilance at all times. We can close 1,000 windows, but the bad guys will get in through the 1 window we missed. To improve their security posture, federal agencies continue to make progress towards a compliant information security program.

Federal agencies are mandated to manage risk in critical infrastructure, whether it is in asset management, identity management, remote access, or network protection. We have made it a top priority to strengthen Identity, Credential, and Access Management (ICAM), better manage user permissions, prevent data loss, secure remote access, and address insider threats.

Asset Management

Agencies must mitigate the risk of unauthorized hardware and software in their environment. An automated hardware and software inventory is essential to properly account for all assets, including their purpose for being on the network and who owns them. Our participation in the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program ensures that we address these cybersecurity risks.
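The inventory requirement above (every asset accounted for, with its purpose and owner, and no unauthorized hardware or software) can be checked mechanically once discovery data exists. The following is an added example, not code from the article or from the Railroad Retirement Board or the CDM program: it reconciles a constructed authorized-inventory list against constructed discovery results and reports the four conditions an asset-management control cares about. Hostnames, owners and package names are all made up for illustration.

```python
"""Reconcile discovered assets against an authorized inventory.

Added example (not from the original article). All sample data below is
constructed; in practice the discovered list would come from a network or
endpoint discovery tool and the authorized list from the asset register.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AuthorizedAsset:
    hostname: str
    owner: str            # who is accountable for the device
    purpose: str          # why it is on the network
    approved_software: FrozenSet[str]


# Constructed authorized inventory (hypothetical hostnames and owners).
AUTHORIZED_INVENTORY: Dict[str, AuthorizedAsset] = {
    "hq-ws-001": AuthorizedAsset(
        "hq-ws-001", "Benefits Operations", "claims workstation",
        frozenset({"office-suite", "vpn-client", "edr-agent"})),
    # Owner field left blank on purpose: an incomplete record.
    "hq-ws-002": AuthorizedAsset(
        "hq-ws-002", "", "claims workstation",
        frozenset({"office-suite", "vpn-client", "edr-agent"})),
    "hq-srv-010": AuthorizedAsset(
        "hq-srv-010", "Infrastructure", "file server",
        frozenset({"backup-agent", "edr-agent"})),
}

# Constructed discovery results, as a scanner might report them.
DISCOVERED_HOSTS: List[dict] = [
    {"hostname": "hq-ws-001",
     "software": ["office-suite", "vpn-client", "edr-agent"]},
    {"hostname": "hq-ws-002",
     "software": ["office-suite", "vpn-client", "edr-agent", "torrent-client"]},
    # Not in the inventory at all: unauthorized hardware.
    {"hostname": "lab-pi-7", "software": ["ssh-server"]},
]


def reconcile(authorized: Dict[str, AuthorizedAsset],
              discovered: List[dict]) -> dict:
    """Compare discovery data with the authorized inventory.

    Returns a report with:
      unauthorized_hosts   - seen on the network but not in the inventory
      unapproved_software  - authorized hosts running software not on their
                             approved list
      missing_hosts        - in the inventory but not seen by discovery
      incomplete_records   - inventory entries lacking owner or purpose
    """
    seen = set()
    unauthorized_hosts: List[str] = []
    unapproved_software: Dict[str, List[str]] = {}

    for host in discovered:
        name = host["hostname"]
        seen.add(name)
        record = authorized.get(name)
        if record is None:
            unauthorized_hosts.append(name)
            continue
        extra = sorted(set(host["software"]) - record.approved_software)
        if extra:
            unapproved_software[name] = extra

    missing_hosts = sorted(set(authorized) - seen)
    incomplete_records = sorted(
        name for name, rec in authorized.items()
        if not rec.owner.strip() or not rec.purpose.strip())

    return {
        "unauthorized_hosts": sorted(unauthorized_hosts),
        "unapproved_software": unapproved_software,
        "missing_hosts": missing_hosts,
        "incomplete_records": incomplete_records,
    }


if __name__ == "__main__":
    report = reconcile(AUTHORIZED_INVENTORY, DISCOVERED_HOSTS)
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

Each finding maps to a different action: unauthorized hosts are isolated and investigated, unapproved software is removed or formally approved, missing hosts are checked for decommissioning, and incomplete records are sent back to the asset owner. The check only has value if it runs continuously against fresh discovery data, which is the point the column makes about vigilance.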
We have also started the incremental and iterative process of transforming our legacy mainframe software systems. By adopting central management of hard drive encryption through Microsoft BitLocker Administration and Monitoring (MBAM), we are ensuring that, by default, all agency laptops and mobile devices have the necessary data encryption.

Identity Management

We ensure that all federal and contractor staff establish their identity using the PIV card. We have also built a partnership with Login.gov for identity proofing and identity management solutions for all our external customers from the railroad community. Currently we are transitioning our external self-service digital solutions to use identity proofing and Multi-Factor Authentication (MFA) via Login.gov. This is planned for all public-facing services implemented on our external website and customer portal. Just like online banking services, these self-service solutions are built using secure communications with strong MFA and identity management. With the recent data breach at a major credit bureau, and assuming that personal financial information and credit histories may have been compromised, we are working with Login.gov to use alternate proofing solutions.

Remote Access

Having deployed managed services for hardware encryption along with upgraded network firewalls, the agency has strengthened the information security controls for VPN remote access. We enforce MFA, and all users log in using the PIV card. At any time during an average work day, about 85-90 percent of our users, whether in our Chicago headquarters or at remote work-at-home locations, are logged in this way. Our target is to achieve 98-100 percent. Besides the compliance factor, our agency is better protected