
Senate Bill 583 Implementation

Senate Bill 583 Implementation. Public Employees Retirement System, October 31, 2007. Eric Sokol, CSD Administrator; Jeffrey Marecic, ISD Administrator. PERS SB 583 program components: Incident Response Plan, Eliminate Sending Personal Information, Information Security Program, Issues.



Presentation Transcript


  1. Senate Bill 583 Implementation
     Public Employees Retirement System
     October 31, 2007
     Eric Sokol, CSD Administrator
     Jeffrey Marecic, ISD Administrator

  2. PERS SB 583 Program Components
     • Incident Response Plan
     • Eliminate Sending Personal Information
     • Information Security Program
     • Issues

  3. [Network diagram: the PERS Business Network (Salem PERS, HQ, 72nd) and its connections to Employers, Treasury, D.O.R., SDC, Saber, BHS, CitiStreet, Rev-Q, Health Care Insurance Carriers, Mercer, Medical Advisors and Iron Mtn over the Internet; links are labelled VPN, FTP, FTP/VPN or Manual transport]

  4. Incident Response Plan
     • Two Incident Response Teams
       • Executive team makes policy and response decisions.
       • Security Breach Response Team (SBRT) works under the direction of the Executive team and provides coordination, analysis, procedures and actions associated with suspected breaches.
     • Other Sections of Agency Get Involved as Needed
     Notification Best Practices Checklist Greatly Assisted in Developing This Plan

  5. Incident Response Plan

  6. Eliminate Sending/Transporting Personal Information
     • Inventoried All System Generated Correspondence
     • Completed/Nearly Completed
     • Remove SSN Completely Where Possible
     • Use Last 4 Digits Where Needed
     • Move to PERS ID in the Long Term
     • Relaxed Procedural Requirements that Lead to Returned Documents in the First Place
     • Move to Redacting SSN and Personal Information on Member Records Requests
     • Move to Secure FTP and VPN Instead of Tapes/Disks

  7. Information Security Program
     • Information Security Message Begins at the Top
     • Information Security is Everyone’s Job
     • Information Security Board Formed
     • Security Awareness Training
     • HR and ISD Lead the Training Effort – Division Administrators Ensure Compliance

  8. Information Security Program
     • Policies and Procedures
       • Review and Update
       • Data Classification
       • Data/Document Labeling and Handling
       • ‘Clean Desk’ Provisions
       • Consultant/Contractor Compliance

  9. Information Security Program
     • Physical Security
       • Key Card Access to All Work Areas and Sensitive Information
       • Limited Access to Records Management Area
       • Monthly Review of Access System

  10. Information Security Program
     • Data Files
       • Network File Structure and Access
     • Data in Transport (Tapes, Disks, etc.)
       • Encrypt
       • Password Protect
       • Log Movements (senders and receivers)
     • Electronic Transfer (SFTP, VPN, EDX, Email)
       • Encryption
     • Developer Environments
       • Encrypted, Scrambled, Fictitious Data

  11. Information Security Program
     • Backup Tapes
       • Encrypt
       • Log movements

  12. Information Security Program
     • System Generated Reports
       • Remove SSN Where Possible
       • Limit Internal Distribution to Those Who ‘Need to Know’
       • Track Reports
         • When Printed
         • When Delivered (internally)

  13. Information Security Program
     • Public Records Requests
       • Redaction policy & procedure

  14. Information Security Program
     • Applications
       • Remove SSN From Screens
       • Implement Role Based Access Control (RBAC)
       • Replace SSN as Account Identifier
       • ORION is Being Developed to Comply
       • RIMS will be retired Q4/2009
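Slides 6, 12 and 14 describe the same data-minimisation measure at three stages: remove the SSN from correspondence and reports where possible, keep only the last four digits where it is still needed, and replace the SSN with a PERS ID in the long term. The function below is an added example written for this page, not code from PERS, ORION or RIMS; the two SSN layouts it accepts, the `XXX-XX-nnnn` mask, the `[SSN removed]` marker and the SSN-to-PERS-ID lookup table are assumptions constructed for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Assumed SSN layouts in generated correspondence: 123-45-6789 or 123456789.
# The backreference \2 forces both separators to be the same, and \b keeps
# longer digit runs (account numbers) and phone numbers such as 503-555-1234
# from matching. Constructed for this example.
SSN_RE = re.compile(r"\b(\d{3})(-?)(\d{2})\2(\d{4})\b")


def redact_ssn(text: str, mode: str,
               pers_ids: Optional[Dict[str, str]] = None) -> Tuple[str, int]:
    """Redact every SSN in text; return (redacted_text, number_of_ssns_found).

    mode="remove": drop the SSN entirely (slide 6: remove completely where possible).
    mode="last4":  keep only the last four digits, masked as XXX-XX-6789.
    mode="persid": substitute the PERS ID from pers_ids (an assumed lookup keyed
                   by the nine digits); an SSN with no mapping falls back to
                   last4 so an unmapped record never leaks the full number.
    The count is returned so report tracking (slide 12) can log what was removed.
    """
    if mode not in ("remove", "last4", "persid"):
        raise ValueError(f"unknown mode {mode!r}")
    lookup = pers_ids or {}
    found = 0

    def _replace(m: re.Match) -> str:
        nonlocal found
        found += 1
        digits = m.group(1) + m.group(3) + m.group(4)
        if mode == "remove":
            return "[SSN removed]"
        if mode == "persid" and digits in lookup:
            return f"PERS ID {lookup[digits]}"
        return f"XXX-XX-{m.group(4)}"

    return SSN_RE.sub(_replace, text), found


if __name__ == "__main__":
    # Constructed sample letter; every SSN and PERS ID value is fictitious.
    letter = ("Member: J. Doe  SSN: 123-45-6789  Phone: 503-555-1234\n"
              "Beneficiary SSN 987654321  Account 1234567890\n")
    table = {"123456789": "P0001234"}  # assumed SSN -> PERS ID mapping
    for mode in ("remove", "last4", "persid"):
        out, n = redact_ssn(letter, mode, table)
        print(f"--- {mode} ({n} SSNs redacted) ---\n{out}")
```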

  15. Information Security Program
     • Internal Audit
       • Provides Periodic Assessments of Agency Compliance to Information Security Program

  16. ISSUES
     • 3rd party vendors out-of-state
     • Vendor Certifications Required?
     • Members Sending Original Documents
     • Public Records Requests
     • Member Records Requests
     • Movement of Personnel Files
     • Employer Data Exchange (SSN vs Another Identifier)
