Embed Size (px)
DESCRIPTION
First Step - Planning Create a “Plan for the Plan” that describes Why? (Policy, risk, etc.) What is affected? (Entire organization)
Citation preview
Implementing an Information Systems Security Plan
THE MONTANA OFFICE OF PUBLIC INSTRUCTION
First Step - PlanningCreate a “Plan for the Plan” that describes• Why? (Policy, risk, etc.)
First Step - PlanningCreate a “Plan for the Plan” that describes• Why? (Policy, risk, etc.)• What is affected? (Entire organization)
First Step - PlanningCreate a “Plan for the Plan” that describes• Why? (Policy, risk, etc.)• What is affected? (Entire organization)• Who?• People keeping the plan in motion• People you need help from
First Step - PlanningCreate a “Plan for the Plan” that describes• Why? (Policy, risk, etc.)• What is affected? (Entire organization)• Who?• People keeping the plan in motion• People you need help from• What is being changed? (Focus on 18 control families)
First Step - PlanningCreate a “Plan for the Plan” that describes• Why? (Policy, risk, etc.)• What is affected? (Entire organization)• Who?• People keeping the plan in motion• People you need help from• What is being changed? (Focus on 18 control families)• When?• Order of action• Best estimates
First Step - PlanningCreate a “Plan for the Plan” that describes• How?• Designate• Categorize• Secure
First Step - PlanningCreate a “Plan for the Plan” – Other topics to include
First Step - PlanningCreate a “Plan for the Plan” – Other topics to include
• Short-term mitigation considerations• i.e. current events/threats
First Step - PlanningCreate a “Plan for the Plan” – Other topics to include
• Short-term mitigation considerations• i.e. current events/threats
• Targeted mitigation considerations• Market research (i.e. Verizon DBIR top threats for your industry)• Industry best practices
Second Step – Get Organizational Support
Our approach: communicate, repetition• Present to Leadership• Present to Division Heads• Present to Staff
Second Step – Get Organizational Support
Our approach: communicate, repetition• Present to leadership, division heads, staff• Elaborate on driving factors for security• Policy, audit, breach, reputation, etc.
Second Step – Get Organizational Support
Our approach: communicate, repetition• Present to leadership, division heads, staff• Elaborate on driving factors for security• Policy, audit, breach, reputation, etc.• Explain NIST topics at a relatable level• i.e. student data at the copier, sensitive data on your desk
Second Step – Get Organizational Support
Our approach: communicate, repetition• Present to leadership, division heads, staff• Elaborate on driving factors for security• Policy, audit, breach, reputation, etc.• Explain NIST topics at a relatable level• i.e. student data at the copier, sensitive data on your desk
Sample Slides:
Let’s Minimize Security Risk Across OPI
NIST provides guidance on:
USB drivesStudent data at the copier
The OPI ISSP
Let’s Minimize Security Risk Across OPI
NIST provides guidance on:
USB drives
Student data on your desk
Student data at the copier
Desktops
The OPI ISSP
Let’s Minimize Security Risk Across OPI
NIST provides guidance on:
USB drives
Student data on your desk
Emailing sensitive information
Student data at the copier
Phones, Tablets
Traveling with a laptop
Social Engineering
Desktops
The OPI ISSP
And Many More…
Internet Use
Second Step – Get Organizational Support
Our approach: communicate, repetition• Present to leadership, division heads, staff• Elaborate on driving factors for security• Policy, audit, breach, reputation, etc.• Explain NIST topics at a relatable level• i.e. student data at the copier, sensitive data on your desk
Second Step – Get Organizational Support
Our approach: communicate, repetition• Present to leadership, division heads, staff• Elaborate on driving factors for security• Policy, audit, breach, reputation, etc.• Explain NIST topics at a relatable level• i.e. student data at the copier, sensitive data on your desk • Introduce your ISSP Plan
Second Step – Get Organizational Support
Our approach: communicate, repetition• Present to leadership, division heads, staff• Elaborate on driving factors for security• Policy, audit, breach, reputation, etc.• Explain NIST topics at a relatable level• i.e. student data at the copier, sensitive data on your desk • Introduce your ISSP Plan• Ask for help
Lessons Learned Time
Lessons Learned Time Resources
Lessons Learned Time Resources Buy-in
Next Steps for OPIUpdate Roles and Responsibilities
Categorize Systems
Project Planning for Controls• Planning family• Risk assessment family
