Enterprise Security Plan and Standards Forum
Theresa A. Masse, State Chief Information Security Officer
John Ritchie, Senior Security Analyst
Agenda
• Background
• Statewide Information Security Plan
• Statewide Information Security Standards
• Agency Next Steps
• Panel
• Wrap Up
Background
• The combination of the Statewide Plan, Standards, and Policies in the framework of ISO 27001 & 27002 forms the Enterprise Security Architecture
Background
• Based on ISO 27001/27002
• Incorporating best practices from:
  • National Institute of Standards and Technology (NIST) recommended standards
  • SANS Institute recommended standards and best practices
  • Burton Group recommended methodologies and best practices
• Vetted by agencies
Background
• ISO 27001: Information Security Management System (ISMS)
• Foundation: Security Risk Assessment
• Aligns with Agency’s Strategic Risk Management Policy and Direction
Background
• ISO 27002: Information Security Domains
• Controls minimize identified risk
• Risk Assessment identifies areas of Security Control focus
ISO 27002
• 27002 consists of 11 domains
• Includes an outline for each Domain and corresponding Controls
• Risk Assessment
• Security Governance & Compliance
  • Security Policy
  • Security Organization
  • Compliance
• Security Infrastructure & Environment
  • Human Resources Security
  • Physical and Environmental Security
  • Asset Management
• Tactical Security Operations
  • Access Control
  • Incident Management
  • Communications & Operations Management
  • Business Continuity Management
  • System Development and Maintenance
Background
• Policies and standards assist agencies in achieving compliance with state laws
• ESO cannot establish plans, policies or standards that are less restrictive than state laws
  • Specifically ORS 182.122 (Information Systems Security) and ORS 646A.600 (the Oregon Identity Theft Protection Act)
• Agencies can implement more restrictive controls as required for compliance with other regulations (IRS, HIPAA, etc.)
Security Plan: Security Management Framework (ISO 27001)
• Agency Annual Risk Assessment
• Agency Information Systems Security Risk Assessments
• Agency Information Security Management System
Security Plan: Security Governance and Compliance (ISO 27002)
• Agency Security Policies & Governance Processes
• Information Security Audits within Agency
Security Plan: Security Infrastructure and Environment (ISO 27002)
• Agency Employee Security Policies
• Process for Access Control to Information Assets within Agency
• Agency Information Security Awareness Training
• Agency compliance with Information Asset Classification Policy #107-004-050
• Agency compliance with the Transporting Information Assets Policy #107-005-100
• DAS Building Security Access Controls Policy #125-6-215
• Evaluation of Agency facilities for security
Security Plan: Tactical Security Operations (ISO 27002)
• Agency compliance with the Enterprise Information Security Standards
• Agency compliance with Employee Security policy #107-004-053
• Agency compliance with the Information Security Incident Response policy #107-004-120
• Agency BCP per policy #107-001-010
• Agency BCP testing
• Agency DR testing
• Agency compliance with Sustainable Acquisition and Disposal of Electronic Equipment (E-waste/Recovery Policy)
Security Plan: Implementation of Plan
• Implementation Metrics
• Submit agency plan to ESO (due July 2009)
Security Standards
• Incorporating best practices from:
  • International Organization for Standardization (ISO) 27001 & 27002
  • National Institute of Standards and Technology (NIST) recommended standards
  • SANS Institute recommended standards and best practices
  • Burton Group recommended methodologies and best practices
Security Standards: Technical Controls
• Four domains from ISO 27002:
  • Access Control
  • Information Asset Management
  • Communications & Operations Management
  • Information Systems Acquisition, Development and Management
Security Standards: Access Control
• Authentication Standards
• Authorization Standards
• Audit of Access Control Standards
Security Standards: Information Asset Management
• Protection of Information Assets Standards
• Handling of Information Assets Standards
Security Standards: Communications & Operations Management
• Antivirus and Anti-malware Standards
• Workstation Management & Desktop Security Standards
• Mobile Device Management Standards
• Server Management Standards
• Log Management Standards
• Information Backup Standards
Security Standards: Communications & Operations Management (continued)
• Security Zone and Network Security Management (Local Area Network & Wide Area Network) Standards
• Intrusion Detection Standards
• E-mail Standards
• Remote Access Standards
• Wireless Access Standards
Security Standards: Information Systems Acquisition, Development and Management
• Business Case Standard
• Encryption Standards
• Patch Management Standards
• Information System Development Lifecycle Standards
Security Standards: One Size Fits All?
• Small Agencies: Most Standards Apply
• Large Agencies: All Standards Apply
• State Data Center: Most Standards Apply
• Will Assist Agencies
Security Standards
• Agencies Responsible for Data
  • Classification
  • Protection
• Agencies and Third Party Providers
  • Contractors
  • State Data Center
Security Standards
• Standards
  • Minimum Requirements
  • “Meet or Exceed”
• Recommended Best Practices
  • Not Mandatory
Security Standards
• Standards
  • Are Specific
  • Are Interdependent
  • Must Be Implemented In Entirety, but…
• Risk Assessment Drives Implementation
  • Compensating Controls
  • Exceptions
Agency Next Steps
• Survey
  • Are you compliant?
  • If not, do you have a plan?
  • Do you have the resources to implement the plan?
• Gap Analysis
• Workshop
Panel
• Robert Hulshof-Schmidt, State Library, Program Manager, Government Research Services
• David Wilson, Department of Corrections, Information Security Officer
• Al Grapoli, Network, Security and Voice Services Manager, DAS State Data Center
Oregon State Library
Information Security Plan and Guidelines – Development and Implementation
Robert Hulshof-Schmidt, Program Manager, Government Research Services, State Library
State Library Overview
• 44 employees, 20+ regular volunteers
• 4 Teams
  • Administrative Services
  • Government Research Services
  • Library Development Services
  • Talking Book & Braille Services
OSL Information Assets
• Mostly Levels 1 & 2
• No Level 4
• Level 3 almost exclusively in Administrative Services
  • Consolidated donor info
  • Patron info streamlined and protected by statute
OSL Info Environment
• Most staff are professional information workers
• Three full-time IT staff
• Agency-wide values on research, openness, information exchange
• Generally tech-savvy, gadget-owning staff
• At start of security planning:
  • Lack of concern due to limited Level 3 info
  • Unclear connection to everyday work
Information Security Plan
• Used ESO template – covered most of our needs
• Started good conversation on physical security, not just electronic
• Dovetailed with IT initiative to create stronger domain environment
• Valuable, but felt to most staff like a “Business Office/IT” activity only
Making the Connection
• Management team conversation about information security
• Everything connected to the enterprise carries risk
• Even “local-only” connections put our business at risk
• All staff have a role and a responsibility
• Statewide policies provide a good framework
• We need local guidelines
Creating Guidelines
Information Asset Use, Implementation, and Security Guidelines
• Started with suite of seven statewide policies related to topic
• Added reference to statewide policies related to staff behavior (telework, professional workplace, etc.)
• Added reference to OSL policies and documents as relevant
Creating Guidelines
• Created plain-language definitions of key terms
• Did not repeat content of policies
• Focused on areas that required agency-specific clarification or interpretation
• Pulled common themes from various policies into cohesive sections
• Allowed for streamlining
Creating Guidelines
• Reference to relevant policies/authorization
• Definitions
• Appropriate usage times for state assets and systems
• Use of personal information systems
• Use of networks (state and personal)
• Use of Internet resources
• Use of electronic communication tools
• Passwords
• Monitoring behavior
• Responding to incidents (tied to plan)
• Decision-making, approvals, and access
Guidelines Rollout
• Iterative development
  • Management review
  • Business office review
  • IT review
  • Key staff review
• Agency-wide announcement
• All staff training
  • Three sessions
  • One presenter
  • IT and HR at all three sessions
Next Steps
• IT review of guidelines
• Performance gaps
  • 30-day action plan
  • Long-term action plan
• SDC consultation
• Prepare for standards review and implementation
• Set priorities based on risk and resources
Questions?
• Guidelines available to share
• Robert Hulshof-Schmidt
• 503.378.5030
• robert.hulshof-schmidt@state.or.us
Department of Corrections
David Wilson, Information Security Officer
DOC Mission Statement
The mission of the Oregon Department of Corrections is to promote public safety by holding offenders accountable for their actions and reducing the risk of future criminal behavior.
Oregon Accountability Model
• Criminal Risk Factor Assessment and Case Planning
• Staff-Inmate Interactions
• Work and Programs
• Children and Families
• Re-entry
• Community Supervision and Programs
Quick Facts
• 14 Institutions
• 4 Administration Sites
• 2 County Parole & Probation Offices
Quick Facts
• 4,426 Employees
• 1,970 Active Volunteers
• Offenders:
  • Inmates 13,841
  • Parole and Probation 2,794
  • Local Control 890
• Total Current Offenders 17,525
Quick Facts: Others Accessing ODOC Information
• Contracted Service Providers
• Community Partners
• Courts and Legal Professionals
• Other Governmental Agencies
• The Public
ODOC Information Security History
• Information Security Officer
  • Collateral duty prior to October 2009
• Projects through Office of Project Management
  • Information Security Administration
  • Department-wide Records Management
Project Methodology
• Initiated in April 2008
• ODOC missed early compliance dates
• Combined project resources
• Chose to focus resources on:
  • Identification of agency Information Assets (IAs)
  • Organizing IAs into a Special Retention Schedule
  • Using that structure to identify “ownership”
Methodology Mistake
• Information Owners: not defined or identified at the beginning of the projects.
Informed Information Owners Needed
• Realized need for:
  • Definition of Information Owner role and responsibilities
  • Decision makers to decide Classification
• Identified need to:
  • Educate decision makers
  • Define Data Handling Standards
  • Define Classification expectations
“Snap Shot” Standards Needed
• Methodology and standards: OVERWHELMING!
• Found something simple: PERS Data Handling Standards, http://www.oregon.gov/DAS/EISPD/ESO/IAC.shtml
• Simple Matrix = Enterprise Standards
• Reflects PROCESS expectations
Curriculum Identified
• Protecting IAs at the Right Level
• Balancing the Risk with the Cost: Confidentiality, Integrity and Accessibility
• Public Records Requests: Simple Division
  • Level 1 & 2: Releasable = Low Risk & Priority
  • Level 3 & 4: Not releasable = High Risk & Priority
  • Able to categorize by this division based on known mandates and project team input
• Level 3 vs. Level 4
  • Mandates vs. Business Decision
  • Risk of Level 3: Mitigated by agency culture
  • Cost of Level 4: Resources and Accessibility