
1.2.6 Our Approach to Providing a Secure Company A System


RFP reference: 3.2.7.17.9, page 26 and 3.2.7.6.5.3, page 21

Deloitte understands that protecting the confidentiality, integrity and availability of Company A data is required for a successful program. The proposed Company A solution integrates the various security requirements into a centralized and rationalized program to help the State minimize the risk of data loss while also driving the necessary compliance activities. Our world-class security practice has the skills necessary to build a security enabled solution, has received a number of accolades for past performance, and stands ready to assist the State.

Deloitte’s proposed security leadership team for Company A:
• Has over 30 years of combined security and privacy experience.
• Lead Deloitte's State Security practice.
• Brings a production proven solution that has been implemented in various statewide environments with similar requirements.

The Deloitte Specialization in Security and Risk Consulting
Deloitte has been recognized by several leading IT research firms as the leader in the information security consulting space based on our client qualifications, experience, thought leadership, and vendor relationships. Specifically, Deloitte was recognized by Forrester as a leading global security and IT risk consulting service provider.

“The Forrester Wave™: Information Security And Risk Consulting Services, Q3 2010,” examined Deloitte’s information security and IT risk consulting capabilities globally. Forrester in their own words said “we found that Deloitte led the pack because of its maniacal customer focus and deep technical expertise.” Deloitte earned the highest overall scores, demonstrating the strength of our offering, thought leadership, and cross-functional strategy. This result is a true “outside-in” recognition of Deloitte’s market position and confirmation of the investment made in building our Security and Privacy Services (S&PS) practice and capabilities.

Figure: The Forrester Wave™: Information Security And Risk Consulting Services, Q3 2010.

Our Company A Solution Approach
Deloitte uses a holistic approach based on the State’s policies and available enterprise tools such as public key infrastructure (PKI), applicable Federal/State laws, regulations and industry leading practices to design and implement the Company A security solution. We start by selecting the eligibility business functions for evaluation, determine the corresponding information types for each function, and then select the security requirements from our Risk Framework established in the planning and start-up stage and the elaboration stage. These requirements may require implementing one or more management, technical and operational controls for the system function. The technical design for security and privacy of the Company A system is based on the technical controls that result from this analysis for each system function. We leverage one or more of the security solutions that are part of the Company A system to implement the security and privacy technical design for the function. For example, the Company A system’s web portal function processes PII data and is therefore subject to HIPAA and IRS Publication 1075 requirements.
Figure X.X illustrates the various security solution components that will be designed, developed and implemented for the Company A system.

Security and Privacy Requirements (inputs to the security design):
• Company A – Policies and Standards
• IRS Pub 1075
• FISMA
• HIPAA
• FIPS PUB 31, 41, 73, 112 and 186-3
• NIST SP 800-53, 111 and Cryptographic Module
• NIST SP 800-111 and Cryptographic Module Validation List
• Federal Records Retention Schedule 44 U.S.C. 3303a
• Privacy Act of 1974, 5 U.S.C. 552a
• Computer Matching and Privacy Protection Act of 1988 (CMPPA)
• Child Online Privacy Protection Act
• Records Usage, Duplication, Retention, Re-disclosure and Timely Destruction Procedures/Restrictions
• HITECH
• CMS Security
• Affordable Care Act
• Health Information Exchanges NISTIR 7497
• Company A Personal Information Protections Act (815 ILCS 530/1-30)
• Company A Data Breach Notification Policy
• MITA
• FIPS Publication 199, 200 Standard

Company A Security Design:
• Security Risk Management: Security Risk Framework – Laws & Regulations Library; Compliance Testing – Risk Assessment & Vulnerability Testing
• Infrastructure Security: Network Segmentation; Firewall and Intrusion Prevention System; Anti-Virus
• Protection of Data in Motion: HTTP(S) – TLS/SSLv3; SOA/Web Services Security
• Protection of Data in Use and Data at Rest: AES Encryption; Data classification; Database encryption; Database scrambling
• Audit Logging and Monitoring: Rationalized use cases of security events for monitoring; Infrastructure, application & database logs; Privileged user account monitoring; User activity audit logging and monitoring; Log correlation & monitoring with SIEM solution; User privacy policy statements

User Access Security Plan:
• Identity and Access Management: State of IL Microsoft Active Directory (AD) integration; Password Management; User Self-Service; Delegated User Administration; Authentication; Provisioning
• User Authorization: User role definition; User role permission matrix; User role based access control; Fine grained access control
• Secure Company A Solution

Figure X.X. Deloitte’s Approach to Designing Security Controls for Company A System.

Deloitte uses a layered and risk driven approach to developing the security design and user access security for the Company A system.
Meeting NIST and FISMA Requirements
Deloitte brings in an established toolset, our Risk Catalog, which is designed to make compliance easier to manage and to streamline the compliance management process on an ongoing basis. Deloitte’s Risk Catalog is a requirements library: a common repository of information security requirements drawn from authoritative sources in more than 300 different laws and industry sources, and other related requirements, that can be customized to meet the needs of the Company A system. Deloitte maps and rationalizes the requirements that are applicable to the Company A system, creates a risk and control assessment framework based on the NIST and FISMA Risk Management Frameworks (RMF), and then develops a “heat map” for integrated risk reporting before the system is approved for production. The Risk Catalog is also used to trace back applicable security requirements during the design and testing phases of the project. Deloitte’s Risk Catalog toolset is comprised of the core solution accelerators depicted in figure X-X below.

Risk Catalog Toolset

Risk Governance (Accountability)
• Functional risk areas that the business needs to manage are identified
• Internal and external reporting, timing and stakeholders are identified
• Definitions, risk ratings, sign-off, and reporting roles and responsibilities are established
Provides the underlying principles, policies and accountability for security-privacy risk governance.

Requirements Library (Harmonization)
• The System’s authoritative requirements are documented and mapped to remove overlap
• Common risk and control definitions are linked to form a single set of integrated requirements
Provides a single integrated view of harmonized requirements with full traceability to sources.

Risk Framework (Rationalization)
• Standardized operating environment descriptions (reference architectures) are developed
• Reference architectures are linked to integrated requirements
• Risk rationalized control baselines are established for each reference architecture
Provides risk rationalized controls linked to the Company A System operating environment.

Risk & Control Self Assessment (Synchronization)
• Integrated control plans (‘final’ risk & control decisions) for each reporting entity are developed
• Reporting process, test plans, reporting requirements and planning processes are developed
• An issue and corrective action planning process is established
Provides an assessment process for risk & compliance requirements.

Key Risk Monitoring (Measurement)
• Company A’s System’s objectives and key risks are linked
• Indicators are linked to metrics
• Self-assessment requirements are identified
• Escalation and action dashboard views are defined
• Dashboard views and roles are established
Provides a metrics driven capability for monitoring key risks aligned with the Company A’s System’s objectives.

Figure X-X. Deloitte’s Risk Catalog Toolset.

Risk Catalog toolset used to rationalize requirements and streamline the compliance management process.
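The harmonization and rationalization steps above (overlapping requirements from several sources mapped to one control, traceability back to each source, and a heat map of unimplemented controls for risk reporting) can be shown in a few functions. This is an added illustration, not the Risk Catalog tool or any Deloitte code; the requirement ids and texts are constructed paraphrases rather than quotations from the cited sources, and the control ids are made-up labels.

```python
"""Requirements rationalization with source traceability.

Added example (not from the proposal). REQUIREMENTS is a constructed
library: ids and texts are paraphrases for illustration, control ids are
placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    req_id: str               # constructed id
    source: str               # authoritative source (name only)
    text: str                 # constructed paraphrase
    control: Optional[str]    # rationalized control it maps to; None = unmapped


# Constructed requirements library: several sources ask for the same thing
REQUIREMENTS = [
    Requirement("HIPAA-1", "HIPAA", "Record and examine activity in systems holding ePHI", "CTL-AUDIT"),
    Requirement("IRS1075-1", "IRS Pub 1075", "Log access to federal tax information and retain the logs", "CTL-AUDIT"),
    Requirement("NIST-AU-2", "NIST SP 800-53", "Generate audit records for defined auditable events", "CTL-AUDIT"),
    Requirement("HIPAA-2", "HIPAA", "Encrypt ePHI transmitted over open networks", "CTL-TLS"),
    Requirement("IRS1075-2", "IRS Pub 1075", "Encrypt FTI in transit", "CTL-TLS"),
    Requirement("NIST-SC-28", "NIST SP 800-53", "Protect confidentiality of information at rest", "CTL-REST-ENC"),
    Requirement("STATE-1", "Company A Policies and Standards", "Notify affected individuals after a data breach", None),
]


def rationalize(requirements):
    """Harmonization: group overlapping requirements under one control."""
    by_control = defaultdict(list)
    for r in requirements:
        if r.control is not None:
            by_control[r.control].append(r.req_id)
    return {c: sorted(ids) for c, ids in by_control.items()}


def traceability(requirements, control):
    """Sources a control satisfies ('assess once, satisfy many')."""
    return sorted({r.source for r in requirements if r.control == control})


def unmapped(requirements):
    """Requirements with no rationalized control: gaps the baseline must close."""
    return [r.req_id for r in requirements if r.control is None]


def heat_map(requirements, implemented):
    """Risk reporting: for each control not yet implemented, the number of
    authoritative sources left exposed, highest exposure first."""
    exposure = {}
    for control in rationalize(requirements):
        if control not in implemented:
            exposure[control] = len(traceability(requirements, control))
    return dict(sorted(exposure.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print(rationalize(REQUIREMENTS))
    print("unmapped:", unmapped(REQUIREMENTS))
    print("heat map:", heat_map(REQUIREMENTS, implemented={"CTL-TLS"}))
```

The point of the design is that a control is the unit of implementation and testing, while the requirement ids remain attached to it so an auditor for any one source can be answered from the same evidence.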
Defining Information System Boundaries
Deloitte will use a core solution accelerator, our Security and Privacy Risk Framework (“Risk Framework”) from our Risk Catalog Toolset, to define the boundaries for authorization in the proposed Company A system. Deloitte’s Risk Framework provides a single source of applicable, rationalized security and privacy controls that are derived by linking requirements, risks, controls, and the Company A system’s functions and operations. The Risk Framework enables us to integrate the applicable rationalized controls into a security blueprint to address proper coverage of user authorizations, and to link the specific controls required to govern access at the individual window, report, data element and field levels within the proposed Company A system. The authorizations defined using the Risk Framework are implemented as access capabilities/permissions within our Company A solution and granted to users through user role assignments. The Company A system security blueprint will include standardized operating environment descriptions, reference architecture, interfaces, baseline controls and role definitions.

Deloitte’s Security and Privacy Risk Framework:
• Used in over 100 clients
• Over 120 authoritative sources currently in the Risk Catalog tool set
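The authorization model described above (permissions defined per window, report, data element and field, granted to users through role assignments, with every access decision recorded for the audit trail) is shown below as an added example. It is not code from the proposal or from the IAM product the proposal refers to; the roles, windows, field names and the permission matrix are constructed for illustration.

```python
"""Field-level authorization from a role permission matrix, with each
decision written to an audit trail.

Added example, not from the proposal. ROLE_PERMISSIONS and RESTRICTED_FIELDS
are constructed; a real deployment would load them from the IAM store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Permission:
    resource: str        # window or report name
    action: str          # "view" or "edit"
    field: str = "*"     # "*" = the whole window; otherwise one data element


# "edit" implies "view"; nothing implies "edit"
IMPLIES = {"view": {"view", "edit"}, "edit": {"edit"}}

# Constructed role permission matrix (user role definition -> permissions)
ROLE_PERMISSIONS = {
    "caseworker": {
        Permission("eligibility_window", "view"),
        Permission("eligibility_window", "edit", "household_size"),
    },
    "supervisor": {
        Permission("eligibility_window", "edit"),
        Permission("eligibility_window", "view", "ssn"),
        Permission("caseload_report", "view"),
    },
    "auditor": {Permission("caseload_report", "view")},
}

# Sensitive data elements: a whole-window grant never covers them (need-to-know);
# reading them requires an explicit field-level permission
RESTRICTED_FIELDS = {"eligibility_window": {"ssn", "federal_tax_info"}}

AUDIT_TRAIL = []   # in-memory stand-in for the audit log repository


def _grants(perm, resource, action, field):
    """Does one permission satisfy the request?"""
    if perm.resource != resource or perm.action not in IMPLIES[action]:
        return False
    if perm.field != "*":
        return perm.field == field                   # explicit field grant
    if field in RESTRICTED_FIELDS.get(resource, set()):
        return False                                 # wildcard never covers restricted fields
    return True                                      # wildcard covers the window or any ordinary field


def is_authorized(user, roles, resource, action, field=None):
    """Deny by default: allow only if some assigned role holds a matching permission.
    Every decision, allow or deny, is appended to the audit trail."""
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    decision = any(_grants(p, resource, action, field) for p in perms)
    AUDIT_TRAIL.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "roles": sorted(roles),
        "resource": resource,
        "action": action,
        "field": field,
        "decision": "allow" if decision else "deny",
    })
    return decision


if __name__ == "__main__":
    print(is_authorized("cw01", ["caseworker"], "eligibility_window", "view"))
    print(is_authorized("cw01", ["caseworker"], "eligibility_window", "view", "ssn"))
    print(AUDIT_TRAIL[-1])
```

Two choices carry the need-to-know rule: a wildcard grant on a window does not extend to fields listed as restricted, and an edit grant on a single field does not widen into edit on the window. Denied requests are logged as well, since a spike of denials on a restricted field is exactly the kind of event the SIEM use cases in the figure above are meant to surface.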

FIPS 199 Security Categorization Approach


Deloitte understands the State’s requirement of adhering to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, as a means to prevent potential security threats such as unauthorized access to or disclosure of sensitive customer data. The security category of an information type can be associated with both user information and system information in the proposed Company A system. Establishing an appropriate security category for an information type essentially requires determining the potential impact associated with that information type. Deloitte’s security categorization approach follows a four step process: Identify, Select, Review and Assign. The approach defines each information type using NIST Special Publication 800-60 and determines its impact level. The resulting security category of the information type is represented as the high water mark, that is, the maximum potential impact level. Figure X-X depicts Deloitte’s security categorization approach for the Company A system.
1. Identify Information Types
• Identify all information types that are input, stored, processed and/or output
• Document information types with the basis for information type selection

2. Select Provisional Impact Levels
• Select the security impact levels for the identified information types
• Determine Security Category (SC) for each information type: SC = {(Confidentiality, Impact), (Integrity, Impact), (Availability, Impact)}
• Document provisional impact levels

3a/3b. Review/Adjust/Finalize Impact Level
• Review the appropriateness of the provisional impact level on organization, environment, mission, use and data sharing
• Adjust impact levels (if need be)
• Document all adjustments with justifications

4. Assign Security Categories
• Review identified security categorization for aggregate information types
• Identify/Adjust security impact level high water mark, as necessary
• Assign overall information system impact level on the highest impact for security objectives
• Document all determinations or decisions

Figure X-X. Deloitte’s Security Categorization Process

Deloitte uses a four step process to perform security categorization of the information for the Company A system

Selecting Baseline Controls


Deloitte understands that FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. The result of the security categorization is used to define the baseline controls for the Company A system using Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-53. The baseline controls defined will cover the applicable security-related areas recommended in FIPS 200 with regard to protecting the confidentiality, integrity, and availability of the proposed Company A system. The baseline represents a broad base from which the appropriate security controls are chosen according to the security category and associated impact level; the controls so chosen are the minimum set of security controls for the Company A system.
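The four-step categorization above and the baseline selection it feeds are simple enough to carry through in code: per-objective provisional levels, documented adjustments, the per-objective high water mark across information types, the overall system level, and the SP 800-53 baseline that level selects. This is an added worked example, not code from the proposal; the information types, their provisional levels and the single adjustment are constructed for a hypothetical web portal function, and the SP 800-60 information-type catalogue is not embedded.

```python
"""FIPS 199 security categorization and FIPS 200 / SP 800-53 baseline selection.

Added example (not from the proposal). SAMPLE is a constructed set of
information types for a hypothetical web portal function.
"""
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")                       # FIPS 199 impact levels, ordered
OBJECTIVES = ("confidentiality", "integrity", "availability")


def max_level(a, b):
    """Higher of two impact levels (the high water mark of a pair)."""
    return LEVELS[max(LEVELS.index(a), LEVELS.index(b))]


@dataclass
class InformationType:
    name: str
    provisional: dict                                  # step 2: objective -> level
    adjustments: dict = field(default_factory=dict)    # step 3: objective -> (level, justification)

    def final_levels(self):
        """Step 3: apply adjustments; each one must carry a justification."""
        levels = dict(self.provisional)
        for objective, (level, justification) in self.adjustments.items():
            if not justification:
                raise ValueError(f"{self.name}: adjustment of {objective} lacks a justification")
            levels[objective] = level
        return levels

    def security_category(self):
        """Render in FIPS 199 notation: SC = {(C, x), (I, y), (A, z)}."""
        lv = self.final_levels()
        parts = ", ".join(f"({o[0].upper()}, {lv[o].upper()})" for o in OBJECTIVES)
        return "SC = {" + parts + "}"


def system_category(info_types):
    """Step 4: per-objective high water mark across all information types."""
    agg = {o: "low" for o in OBJECTIVES}
    for it in info_types:
        lv = it.final_levels()
        for o in OBJECTIVES:
            agg[o] = max_level(agg[o], lv[o])
    return agg


def system_impact_level(info_types):
    """Overall system impact level: the highest of the three objectives."""
    level = "low"
    for v in system_category(info_types).values():
        level = max_level(level, v)
    return level


def baseline_for(level):
    """FIPS 200 / SP 800-53: the system impact level selects the control baseline."""
    return f"NIST SP 800-53 {level} baseline"


# Constructed information types (hypothetical web portal function)
SAMPLE = [
    InformationType(
        "eligibility application (PII, HIPAA)",
        {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
        {"availability": ("moderate", "citizen-facing portal with enrollment deadlines")},
    ),
    InformationType(
        "program descriptions (public)",
        {"confidentiality": "low", "integrity": "low", "availability": "low"},
    ),
    InformationType(
        "federal tax information (IRS Pub 1075)",
        {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    ),
]


def categorize(info_types):
    """Run steps 2-4 and return what the security plan has to record."""
    level = system_impact_level(info_types)
    return {
        "per_type": {it.name: it.security_category() for it in info_types},
        "system_category": system_category(info_types),
        "system_impact_level": level,
        "baseline": baseline_for(level),
    }


if __name__ == "__main__":
    for key, value in categorize(SAMPLE).items():
        print(key, value)
```

Note that the aggregation is done per objective first and only then collapsed to one system level: a public information type rated low everywhere never lowers the result, and a single justified availability adjustment on one type is enough to raise the system's availability level, which is what step 4's "highest impact for security objectives" means in practice.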
Deloitte understands that the security plan is the foundation upon which the Company A system can define and manage its security goals. Our philosophy regarding the security plan emphasizes thoroughness and technical detail in security planning activities. Deloitte’s approach to this task is based on NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems. Our security plan addresses the minimum security requirements, or baseline controls, comprising the Management, Operational, and Technical controls identified in NIST Special Publication 800-53. The figure below depicts our approach to creating a security plan, which starts with creating the governance structure for the Company A system.

1. Establish Overarching Governance Structure
2. Define Company A Security Policy
3. Establish the Company A Security Office and Team
4. Develop the Company A Security Plan and Continuous Update

Figure 14-X. Deloitte’s Security Approach for the Development of the Security Plan.
Our approach to creating a security plan commences with establishing the fundamental components required to sustain security & privacy operations.

Protecting Confidentiality, Integrity, and Availability of Information


We build upon our understanding of and experience working with the State, the applicable Federal and State regulatory policies, standards and guidelines, and more than 10 years of experience providing security and privacy services to state government agencies, to identify and design security and privacy controls that satisfy the confidentiality, integrity and availability requirements of the Company A system. A summary of our proposed Company A security and privacy solution is delineated in the table below.
Company A Security Feature – Confidentiality, Integrity & Availability Offered to the Company A system

Rationalizing Federal, State Laws and Regulations, Industry Standards and the State Policies
Deloitte’s Risk Catalog™ provides a structured risk based approach to understanding, rationalizing, evaluating, and reporting on industry standards and regulations applicable to the Company A system. In addition, the Security & Privacy Risk Framework includes a rationalized set of requirements and provides a foundational set of controls to address these requirements during the design, build and deployment processes, to “assess once and satisfy many requirements”.

Identity and Access Management (IAM)
The IAM solution is used to store user identities as well as manage and control user access to the Company A system. User profiles determine the level of access available to each user within the Company A system. Audit trail functions of this solution trace historic information for compliance and operational support. The Company A system employs controls to appropriately restrict access to the identified sensitive data on a need-to-know/use basis. Deloitte will integrate with the State’s Active Directory solution for internal and external user identities. For purposes of this project, the term “auditing” refers to the implemented system’s ability to track and record specified activities in a log or repository. It does not refer to any third-party opinion on the adequacy of the design or operating effectiveness.

Data Protection
For information at rest (stored within the database), data is automatically encrypted when it is written to disk and automatically decrypted when accessed by the application. We will use data masking/obfuscation techniques to protect the confidentiality of data in lower environments. For information in transit, Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption between the solution components offers data integrity and protection during transit. The communication channel between the end user and the Company A system is encrypted using, at a minimum, 128-bit key encryption through HTTPS using TLS/SSL technology. The Company A system uses TLS/SSL technology for server to server communication channel encryption.

Audit Logging and Reporting
The Security Information and Event Management (SIEM) solution channels audit data/events from the Company A system to a centralized system for event correlation, reporting and compliance.

Infrastructure Security
Infrastructure security capabilities available at the State’s datacenter, including network firewalls, application firewalls, anti-virus, patching, configuration management, vulnerability scanning and intrusion detection, are leveraged to protect and defend the Company A system from internal and external threats.

Web Services Security
Enables web service authentication, authorization, monitoring and audit services along with functionality for XML validation, conversion and threat scanning. The web services security solution for the proposed Company A system will encompass only implementing message confidentiality using SSL, authentication & authorization using the access management solution, field-level security, data validation and message security.
