The Incident Management Center (IMC) was created as part of the overall Cyber Security Governance, Defense-in-Depth and Continuous Monitoring enhancements defined for the US Department of Transportation (DOT), effectively combining the Network Operations Center (NOC) and Security Operations Center (SOC) functions. The IMC Concept of Operations (CONOPS) was designed to ensure that security investments, ongoing remediation and continuous monitoring efforts are implemented and maintained in a compliant manner. The IMC provides a centralized IT service function for cyber security monitoring, performance analysis, fault isolation, maintenance coordination, intrusion detection and incident management, configuration management, and system administration.

Customer Requirements:

  • Increased communication efficiency between key infrastructure operations staff
  • Central support for infrastructure and situational awareness, enabling rapid identification, response to and mitigation of events
  • 24x7x365 monitoring of the infrastructure environment, focused on creating a comprehensive and correlated view of all servers, storage devices, and network components within DOT
  • Near real-time reporting (continuous monitoring) on service events, allowing the support team to be proactive in managing and correcting issues prior to service degradations or outages
  • Immediate action to address cyber security concerns or issues
  • Resources to communicate regarding system availability issues and to respond to users regarding service concerns, scam emails, virus issues, and appropriate usage inquiries
  • Continued efficiency in resolving security incidents with CSMC via the JAS portal (the new CSMC incident database; JAS was developed as a replacement for the decommissioned Security Dashboard, and ITSS can view, edit and upload statuses in the system)

Security Program Governance Structure - The security governance structure should be organized to ensure that security investments, ongoing remediation and continuous monitoring efforts are implemented and maintained in a compliant manner. The governance structure established the following activities:

  • Change Management
  • Incident Handling
  • Patch Management
  • Establishment of Effective Structures and Standards
  • Prioritization of IT Cyber Security Investments (part of Portfolio Management Discipline)
  • Development and Implementation of Maturity and Performance Measures

Continuous Monitoring - Implement near real-time assessment of risk through continuous monitoring of DOT assets by:

  • Implementing phased testing against approved baselines
  • Implementing continuous compliance and monitoring platform
  • Identifying, incorporating and reporting acceptable risk posture
  • Reporting on System and Enterprise Risk
  • Integrating the continuous monitoring platform with the governance structure
  • Implementing coordinated communications with component agencies and the Cyber Security Monitoring Center

Vulnerability Mitigation - Utilize existing known vulnerability data to prioritize, mitigate and report on vulnerabilities. Utilize the continuous monitoring platform to ensure that 1) mitigation remains "in effect" and 2) new vulnerabilities are identified and mitigated in a timely manner by:

  • Prioritizing and mitigating vulnerabilities
  • Implementing a continuous compliance and monitoring platform
  • Identifying and incorporating acceptable risk posture
  • Reporting on System and Enterprise Risk
  • Integrating the continuous monitoring platform with the governance structure
  • Implementing coordinated communications with OAs and CSMC

Accomplishments:

  • Developed and implemented the IMC CONOPS and updated the incident handling procedures and IMC performance metrics
  • Created an Executive Risk Reporting Dashboard with performance metric compliance statistics
  • Installed and configured new Check Point hardware: 2 Firewall Managers and 2 Firewalls
  • Added Sourcefire IDS sensors to the DOT infrastructure to enhance security posture
  • Identified the DOT boundaries and the systems (network, server and desktop) that are managed within those boundaries
  • Staffed the IMC with existing resources, including SMEs from the network, server, desktop and mail teams
  • Integrated IMC activities with the existing governance process, technical teams and the Cyber Security Management Center (CSMC)
  • Trained IMC staff on existing management and security tools, including IronPort, Blue Coat, Fidelis, Check Point, Cacti, SEP, Unix and DNS queries, and incident handling
  • Changed configurations to redirect all TCP traffic through Blue Coat proxies to intercept well-known traffic, excluding HTTPS

*Note - Other relevant case studies include BEP and SEC
