Security Plans Communication Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office

Agenda
• Welcome and Opening Remarks
• Resources
• Agency Panel
  • Debbie West, Oregon Medical Board
  • Lorraine Odell, Judicial Department
  • Curt Hartinger, Office of the State Treasurer
• Q&A
Welcome
Scott Harra, Director, Department of Administrative Services

Policy Requirements
• Oregon Administrative Rule 125-800-0005 – State Information Security:
  • (1)(c) The Department (DAS), in collaboration with state agencies, shall establish standards for agency information assets security plans. … (T)he Department shall have the right to return the plan to the agency for revision and may decline to certify such plans until the plan has been modified to satisfy the overarching objectives of protecting the state’s information assets.

Policy Requirements
• Information Security statewide policy 107-004-052
  • Each agency will establish a plan to initiate and control the implementation of information security within the agency and manage risk associated with information assets
  • Agencies have two (2) years from the effective date of this policy (7/30/2007) to comply
Resources
Theresa Masse, State Chief Information Security Officer, Department of Administrative Services

Security Plan Resources
• Information Security Plan guidelines
  • Policy requirements, guidance and best practice examples
  • Information security objectives and controls
• Information Security Plan sample template
• Agency Information Security Plan review criteria
  • Proposed criteria sheet ESO will use to evaluate agency plans
• Statewide Security Plan
  • To be published by September

Security Plan Resources
• Security Plan writing workshops
  • For small and medium-sized agencies with limited security resources
  • Hands-on setting with assistance from ESO staff and agency mentors, using the Information Security Plan template
  • Two half-day sessions with two weeks between sessions
    • September 2008
    • October 2008
    • February 2009

Security Plan Resources
• Mentors
  • Peer volunteers from agencies to be mentors
  • Will assist during workshops for hands-on support in plan writing
  • Will be available by phone and e-mail to mentor agencies through plan writing

Agency Panel
• Debbie West, Oregon Medical Board
• Lorraine Odell, Judicial Department
• Curt Hartinger, Office of the State Treasurer

Agency Panel
Debbie West, Personnel Manager, Oregon Medical Board
Security Policy – Is it just me or is this thing beyond comprehension?
Getting a handle on it…
• Reading the statewide policies
• Approval to roll them all into one agency policy
• The project starts to focus!

Creation of Policy
• Ensure all elements of the individual policies are addressed in the single policy version
• Pretty easy since they are so similar
• Don’t tackle too much at once – leave the procedures out of the policy

Creation of Plan
• Using the sample created by EISPD, the plan was easy to create
• Made sure the plan and the policy support each other
• And another light came on!

Fitting the Pieces Together
• The Security Plan is the “Why”
• The Security Policy is the “What”
• The Procedures are the “How”
• The Policy acts as a bridge between the Plan and the Procedures.
OMB Mission To protect the health, safety and well-being of Oregon citizens by regulating the practice of medicine in a manner that promotes quality care.
My Mantra… … one step at a time … one step at a time …
Agency Panel
Lorraine Odell, Information Security Officer, Judicial Department

Creating an Information Security Plan
OJD Challenges and Solutions

Structure of OJD
• 175 elected judges
• 36 circuit courts
• Tax court
• Appellate courts – Supreme, Appeals
• Office of the State Court Administrator
  • Historically, a fairly new concept
  • Centralized administrative duties
What Information Needs To Be Protected
Challenge:
• “Core business” information was exempted
• Administrative items were not initially considered
Solution:
• Create a workgroup to identify general categories of protection
• Meet with each division / unit / court
• Check with internal auditors; they have a lot of background information

Support from the Top
Challenge:
• Judges are elected and not subject to rule by OSCA
• Competing priorities
Solution:
• Have the information security plan and policies supported by the Chief Justice and by the State Court Administrator

Allocate Resources
Challenge:
• As always, there are scarce resources and much to do
• Court administrators view this as just another task
Solution:
• Provide templates so each court doesn’t have to create its own plan (similar to what DAS is offering as workshops for smaller agencies)

Establish Policies
Challenge:
• OJD is run judicially, by order, rather than administratively, by policy
• The existing policy process is cumbersome and seldom used
• Resistance to policies, since they limit flexibility
Solution:
• Have support from the top
• Work with courts and divisions to ensure policies work with real life
• Persuade staff that policies can help them know what is expected

Train on the Program
Challenge:
• The courts are geographically dispersed
• Not all staff need to have the same information
Solution:
• Work with the Training Unit to create a training plan for all staff
• Create modules for use with different staff: judges, supervisors, line staff, etc.
• DAS Web modules are a great help

Risk Assessment
Challenge:
• “Risk Assessment” is unfamiliar to most managers; it’s considered an audit or an IT function
• Nobody wants to add more duties to their already full schedule
Solution:
• Prepare a basic template of a risk assessment
• Identify the people who will be doing the assessments; work with them to show that the assessment covers only what they already do every day – it’s just now documented

Plan Maintenance
Challenge:
• The Information Security Office is not institutionalized
• Resources may not permit a separate position or office
Solution:
• Create an office overseeing all information security issues
• If the duties are included in other positions, top-level management must monitor continuation of the program
Agency Panel
Curt Hartinger, Internal Audit Manager / IT Security Officer, Office of the State Treasurer

Objectives
• How the Oregon Liquor Control Commission laid the foundation for their information security program by performing an information security risk assessment
• Demonstrate how organizations can improve their information security program using tools provided by the DAS/EISPD Enterprise Security Office

Materials Available From ESO
• ISO 27001 and ISO 27002
• Information Security Best Practices checklist
• Information Security Plan guidelines
• Information Security Plan template

Statewide Security Policies
• DAS Administrative Rule 125-800-0005
• Information Asset Classification policy 107-004-050
• Controlling Portable and Removable Storage Devices Policy 107-004-051
• Information Security Policy 107-004-052
• Employee Security Policy 107-005-053
• Transporting Information Assets Policy 107-004-100
• Acceptable Use of State Information Assets Policy 107-004-110

Documents for Evaluating Program
• Data Classification listing
• Information Security Best Practices checklist
• Information Security Plan guide
• Information Security Plan template
• Risk Assessment

Risk Assessment Report
Oregon Liquor Control Commission Information Security Risk Assessment
Establishing a Foundation for Information Security
Curtis Hartinger, CPA, CISA, CISM, GSNA
Building Blocks
Until the foundation blocks for information security are put in place it is difficult, if not impossible, to build an effective information security program. These foundation blocks include:
• Data Classification – Data owners need to define the value of information to the organization, and employees need to know the classification of the information they work with before they can know how they should protect it.

Building Blocks
• Employee Awareness Training – Employees need to understand the information security policies and procedures that apply to the information they work with. They also need the specialized information required to perform their jobs effectively. The four categories of information security training focus on security staff, information technology staff, management, and general staff.
Building Blocks • Policy Development – Policies state management’s intent. Employees cannot follow management’s intent if that intent is not clearly documented and available to staff.
Building Blocks • Risk Assessment – Management needs to understand the risks to the information so they can approve and implement appropriate controls. Once the risks are understood, proper controls can be implemented to mitigate those risks to a level that is acceptable to management.
Building Blocks • Defined Roles and Responsibilities – Employees need to know their responsibilities with regard to information security. This responsibility should be included in each employee’s position description. In addition, they need to be held accountable for those duties by including their security responsibilities as part of their annual evaluation.
Building Blocks • Tone from the Top – Executive management needs to support and lead by example with regard to information security. Without executive sponsorship and participation, it is very difficult for security staff to stand up and integrate an effective information security program.
Results
• Efficient and beneficial transfer of knowledge
• Strong support for improving information security
• Prioritized listing of activities to build an effective information security program using available resources

For further information …
• Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, theresa.a.masse@state.or.us
• Debbie West, Oregon Medical Board, (971) 673-2697, debbie.west@state.or.us
• Lorraine Odell, Judicial Department, (503) 986-5916, lorraine.odell@state.or.us
• Curt Hartinger, Office of the State Treasurer, (503) 378-3150, curtis.hartinger@state.or.us