RSA 2013: Standards core to LA County security strategy

Standards are the key to a successful security strategy, says Robert Pittman, chief information security officer of Los Angeles County


All LA County IT security policies correspond to industry-recognised certifications, standards and best practices, he told the Trusted Computing Group session at RSA Conference 2013 in San Francisco.

The policies reference best practices set by organisations such as the Cloud Security Alliance, National Institute of Standards and Technology, and the Trusted Computing Group (TCG).

These policies are deployed county-wide, overseen by security engineering teams within the county’s 34 departments.

These teams report to the department information security officers, along with county-wide community emergency response teams, which act like a “neighbourhood watch”, said Pittman.

The departmental officers report to an information security steering committee, which meets monthly to review the county’s IT security status.

The steering committee has identified ten top priorities, said Pittman, which include web application protection, risk management, and compliance with all the major regulatory frameworks such as HIPAA, HITECH and PCI DSS.

Encryption is one priority, with the county implementing full disk encryption in 2007 for around 12,000 laptops.

“We have embraced the use of TCG’s Trusted Platform Module (TPM) and we are currently evaluating the use of self-encrypting drives (SEDs),” said Pittman.

Incident response is another priority and includes threat intelligence and relationship-building with law enforcement.

“Incident response is important because our systems are being probed all the time, with about 21 incidents a year,” said Pittman.

The top ten list includes non-technical priorities such as the county’s annual recognition awards programme that promotes competition around security between departments, and the socialisation of security initiatives by involving business units, the help desk and county psychologists.

Re-emphasising the importance of policies and standards, Pittman said: “Policies influence behaviour like traffic signs and standards influence technologies and business models.

“They also ensure consistent operational support and risk architecture across the county, and potentially reduce cost by reducing technical complexity,” he said.
