Mission

The DLAS Legislative IT Security Program provides its members, employees, customers and business partners peace of mind that our business information is processed and maintained in a safe and secure environment. This is accomplished by delivering high-quality, innovative information management assurance and cyber security services and solutions that reduce risks to a level that is acceptable to the business.

Executive Summary

The continuity of operations and protection of the confidential data and critical systems we possess are the highest priorities of DLAS. The security program model DLAS has established is designed to be an ongoing collaboration exercise which provides end-to-end seamless security based on a common set of controls supported by solid communication across all Legislative Branch agencies.

An effective security program begins with the establishment of a framework of policies supported by processes, procedures, resources, and principles.

The following areas of IT Security control are the core of the DLAS Legislative IT Security Program:

• Creating a Business Impact Analysis applying Data Classification (per Data map) across all Legislative Branch agencies
• Asset management
• Threat Monitoring
• Threat Protection and Prevention
• Data recovery and continuity
• Security Assessment
• Risk Management and Security Program Oversight

Using this framework, a prioritized list of requirements can be continually updated based on the risk associated with each of the elements above. The main objective of the DLAS IT Security Program is to establish a continuous, iterative regimen of alignment and adoption of security controls which support and promote these business requirements. The program utilizes such an approach leveraging industry recognized security standards and frameworks, to include NIST, FISMA and CIS.

DLAS has a pivotal lead role in the collaborative implementation of the security program across all Legislative Branch agencies with the establishment of the Joint Legislative Cyber Security Task Force in 2023.

Processes and procedures enabling continuous monitoring of systems and assets have been developed to facilitate robust 24/7 intrusion detection and business continuity. Phase I of the Security Plan began in 2022 with the creation of a DLAS Security team to oversee the Security Program and specifically identify security deficiencies for remediation. Phase II began in 2023 and continues to evolve. It focuses on the development and annual update of the IT Security Program for DLAS to extend to the Legislative Agencies. The program includes creating/maintaining policies and procedures,security awareness training, internal phishing campaigns, ensuring continuous monitoring with alerts, conducting periodic penetration tests, and annual review and testing of Disaster Recovery/Business Continuity.

Phase II includes change control, separation of duties, access controls, version control, developer training, documentation of system plans, configurations, data flows, interfaces, etc. as they apply to a specific application.

Both Phases I and II provide the foundation to continually grow and support the DLAS Legislative Security Program goals by:

• Creating a Business Impact Analysis applying Data Classification (per Data map) across all Legislative Branch agencies
• Creating a continually updated Risk Assessment across all Legislative Branch agencies and obtaining input and agreement from stakeholder agencies on risk prioritization and mitigation
• Vulnerability Tracking and remediation of assets though Endpoint protection and monitoring, continuous Penetration Testing and SOC oversight of a SEIM system of log monitoring
• Identifying area(s) of responsibility for each area (security staff, architecture staff, application, infrastructure, DBA, others) by RACI assignment
• Maintaining the security program and Risk review of areas of control to include oversight of systems and operations supported by in house staff and vendor management and oversight of 3rd party systems