Slide 1
Security Plans Communication Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office
Slide 2
Agenda
Welcome and Opening Remarks
Resources
Agency Panel
  Debbie West, Oregon Medical Board
  Lorraine Odell, Judicial Department
  Curt Hartinger, Office of the State Treasurer
Q&A
Slide 3
Welcome
Scott Harra, Director
Department of Administrative Services
Slide 4
Policy Requirements
Oregon Administrative Rule 125-800-0005 – State Information Security:
(1)(c) The Department (DAS), in collaboration with state agencies, shall establish standards for agency information assets security plans. … (T)he Department shall have the right to return the plan to the agency for revision and may decline to certify such plans until the plan has been modified to satisfy the overarching objectives of protecting the state’s information assets.
Slide 5
Policy Requirements
Information Security statewide policy 107-004-052
Each agency will establish a plan to initiate and control the implementation of information security within the agency and manage risk associated with information assets
Agencies have two (2) years from the effective date of this policy (7/30/2007) to comply
Slide 7
Resources
Theresa Masse, State Chief Information Security Officer
Department of Administrative Services
Slide 8
Security Plan Resources
Information Security Plan guidelines
  Policy requirements, guidance and best practice examples
  Information security objectives and controls
Information Security Plan sample template
Agency Information Security Plan review criteria
  Proposed criteria sheet ESO will use to evaluate agency plans
Statewide Security Plan
  To be published by September
Slide 9
Security Plan Resources
Security Plan writing workshops
  For small and medium-sized agencies with limited security resources
  Hands-on setting with assistance from ESO staff and agency mentors using the Information Security Plan template
  Two half-day sessions with two weeks between sessions
    September 2008
    October 2008
    February 2009
Slide 10
Security Plan Resources
Mentors
  Peer volunteers from agencies to be mentors
  Will assist during workshops for hands-on support in plan writing
  Will be available by phone and e-mail to mentor agencies through plan writing
Slide 11
Agency Panel
Debbie West, Oregon Medical Board
Lorraine Odell, Judicial Department
Curt Hartinger, Office of the State Treasurer
Slide 12
Agency Panel
Debbie West, Personnel Manager
Oregon Medical Board
Slide 14
Getting a handle on it…
Reading the statewide policies
Approval to roll them all into one agency policy
The project starts to focus!
Slide 15
Creation of Policy
Ensure all elements of the individual policies are addressed in the single policy version
Pretty easy since they are so similar
Don’t tackle too much at once – leave the procedures out of the policy
Slide 16
Creation of Plan
Using the sample created by EISPD, the plan was easy to create
Made sure the plan and the policy support each other
And another light came on!
Slide 17
Fitting the Pieces Together
The Security Plan is the “Why”
The Security Policy is the “What”
The Procedures are the “How”
The Policy acts as a bridge between the Plan and the Procedures.
Slide 18
OMB Mission
To protect the health, safety and well-being of Oregon citizens by regulating the practice of medicine in a manner that promotes quality care.
Slide 20
Agency Panel
Lorraine Odell, Information Security Officer
Judicial Department
Slide 22
Structure of OJD
175 elected judges
36 circuit courts
Tax court
Appellate courts – Supreme, Appeals
Office of the State Court Administrator
  Historically, a fairly new concept
  Centralized administrative duties
Slide 23
What Information Needs To Be Protected
Challenge:
  “Core business” information was exempted
  Administrative items were not initially considered
Solution:
  Create a workgroup to identify general categories of protection
  Meet with each division / unit / court
  Check with internal auditors; they have a lot of background information
Slide 24
Support from the Top
Challenge:
  Judges are elected and not subject to rule by OSCA
  Competing priorities
Solution:
  Have the information security plan and policies supported by the Chief Justice and by the State Court Administrator
Slide 25
Allocate Resources
Challenge:
  As always, there are scarce resources and much to do
  Court administrators view this as just another task
Solution:
  Provide templates so each court doesn’t have to create its own plan (similar to what DAS is offering as workshops for smaller agencies)
Slide 26
Establish Policies
Challenge:
  OJD is run judicially, by order, rather than administratively, by policy
  The existing policy process is cumbersome and seldom used
  Resistance to policy, since policies limit flexibility
Solution:
  Have support from the top
  Work with courts and divisions to ensure policies work with real life
  Persuade staff that policies can help them know what is expected
Slide 27
Train on the Program
Challenge:
  The courts are geographically dispersed
  Not all staff need to have the same information
Solution:
  Work with the Training Unit to create a training plan for all staff
  Create modules for use with different staff: judges, supervisors, line staff, etc.
  DAS Web modules are a great help
Slide 28
Risk Assessment
Challenge:
  “Risk Assessment” is unfamiliar to most managers; it’s considered an audit or an IT function
  Nobody wants to add more duties to their already full schedule
Solution:
  Prepare a basic template of a risk assessment
  Identify the people who will be doing the assessments; work with them to show that the assessment is only what they do every day – it’s just now documented
Slide 29
Plan Maintenance
Challenge:
  Information Security Office is not institutionalized
  Resources may not permit a separate position or office
Solution:
  Create an office overseeing all information security issues
  If included in other positions, top-level management must monitor continuation of the program
Slide 30
Agency Panel
Curt Hartinger, Internal Audit Manager / IT Security Officer
Office of the State Treasurer
Slide 31
Objectives
How the Oregon Liquor Control Commission laid the foundation for their information security program by performing an information security risk assessment
Demonstrate how organizations can improve their information security program using tools provided by the DAS/EISPD Enterprise Security Office
Slide 32
Materials Available From ESO
ISO 27001 and ISO 27002
Information Security Best Practices checklist
Information Security Plan guidelines
Information Security Plan template
Slide 33
Statewide Security Policies
DAS Administrative Rule 125-800-0005
Information Asset Classification policy 107-004-050
Controlling Portable and Removable Storage Devices Policy 107-004-051
Information Security Policy 107-004-052
Employee Security Policy 107-005-053
Transporting Information Assets Policy 107-004-100
Acceptable Use of State Information Assets Policy 107-004-110
Slide 34
Documents for Evaluating Program
Data Classification listing
Information Security Best Practices checklist
Information Security Plan guide
Information Security Plan template
Risk Assessment
Slide 37
Risk Assessment Report
Oregon Liquor Control Commission
Information Security Risk Assessment
Establishing a Foundation for Information Security
Curtis Hartinger, CPA, CISA, CISM, GSNA
Slide 38
Building Blocks
Until the foundation blocks for information security are put in place it is difficult, if not impossible, to build an effective information security program. These foundation blocks include:
1. Data Classification – Data owners need to define the value of information to the organization, and employees need to know the classification of the information they work with before they can know how they should protect it.
Slide 39
Building Blocks
2. Employee Awareness Training – Employees need to understand the information security policies and procedures that apply to the information they work with. They also need the specialized information required to perform their job effectively. The four categories of information security training focus on security staff, information technology staff, management, and general staff.
Slide 40
Building Blocks
3. Policy Development – Policies state management’s intent. Employees cannot follow management’s intent if that intent is not clearly documented and available to staff.
Slide 41
Building Blocks
4. Risk Assessment – Management needs to understand the risks to the information so they can approve and implement appropriate controls to mitigate those risks. Once the risks are understood, proper controls can be implemented to mitigate those risks to a level that is acceptable to management.
Slide 42
Building Blocks
5. Defined Roles and Responsibilities – Employees need to know their responsibilities with regard to information security. This responsibility should be included in each employee’s position description. In addition, they need to be held accountable for those duties by including their security responsibilities as part of their annual evaluation.
Slide 43
Building Blocks
6. Tone from the Top – Executive management needs to support and lead by example with regard to information security. Without executive sponsorship and participation, it is very difficult for security staff to stand up and integrate an effective information security program.
Slide 44
Results
Efficient and beneficial transfer of knowledge
Strong support for improving information security
Prioritized listing of activities to build an effective information security program using available resources
Slide 46
For further information …
Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, [email protected]
Debbie West, Oregon Medical Board, (971) 673-2697, [email protected]
Lorraine Odell, Judicial Department, (503) 986-5916, [email protected]
Curt Hartinger, Office of the State Treasurer, (503) 378-3150, [email protected]