
Data Privacy Point of Contact

Data Privacy Point of Contact. Orientation Session. Agenda: Introduction (Sol Bermann); Executive Order (Sol Bermann); Role of CIO, DPPOC (Rick Shipley); Ohio IT Security Policies (Doug Alt); Encryption Protocol (Sam Orth); Acquisition (Tom Hart); Q and A; Closing (Sol Bermann).


Presentation Transcript


  1. Data Privacy Point of Contact Orientation Session

  2. Agenda
     • Introduction: Sol Bermann
     • Executive Order: Sol Bermann
     • Role of CIO, DPPOC: Rick Shipley
     • Ohio IT Security Policies: Doug Alt
     • Encryption Protocol: Sam Orth
     • Acquisition: Tom Hart
     • Q and A
     • Closing: Sol Bermann
     State of Ohio IT Security DPPOC Training

  3. State of Ohio IT Security
     Sol Bermann, Chief Privacy Officer, J.D., CIPP

  4. Introduction
     • Update on Security Breach
     • State Response/Executive Order
     • Data Privacy Point of Contacts

  5. Executive Order 2007-13S: Improving State Agency Data Privacy and Security
     Sol Bermann, Chief Privacy Officer, J.D., CIPP

  6. Which Agencies?
     • Mandatory: All Cabinet Level Agencies
     • Voluntary: Non-Cabinet Level Agencies, Boards and Commissions

  7. Chief Privacy Officer
     • Privacy Impact Assessment Protocol by 8/29/07
     • Data Encryption Protocol by 8/29/07

  8. Mandatory Agencies
     • Security Policy Compliance Report by 8/14/07
     • Privacy Impact Assessment Implementation by 8/29/07
     • Develop plan by 11/12/07 for implementing the Encryption Protocol
     • Appoint DPPOC by 6/22/07

  9. Questions?
     Sol Bermann, Chief Privacy Officer, J.D., CIPP
     Sol.Bermann@oit.ohio.gov
     (614) 995-9928

  10. Implementation
     Rick Shipley, Administrator, Risk Management Services

  11. Privacy and Security
     • Privacy & Security are flipsides of a coin
     • Privacy = policies, rules & laws surrounding data usage
     • Security = implementation of protection that enforces the policies, rules & laws

  12. Role of Agency CIO
     • Help Oversee Agency Compliance
        • Executive Order 2007 – 013S
        • Privacy, confidentiality, security, disclosure, and sharing of information
     • Provide direction and oversee activities
     • Develop and oversee the implementation of policies, principles, standards, and guidelines

  13. Role of DPPOC
     • Help with Executive Order
        • Policy Compliance Reporting 2(c)
        • Privacy Impact Assessment Implementation 2(e)
        • Data Encryption Protocol Implementation Report 2(f)
     • Advise or support departmental management on business and policy issues relating to privacy, information assurance, and security
     • Understand the data the agency has and how the agency uses the data
        • Sensitive data classification
     • Work within and across business units

  14. Who Is The DPPOC?
     • Need people that
        • understand the data the agency has
        • understand how the agency uses the data
        • understand the concept of data classification
        • have the ability to work within and across business units
     • Does not have to be
        • CIO or technical security people
     • Could be
        • Data Managers
        • Legal
        • HR

  15. Risk Management Services
     • Statewide Initiatives: Network vulnerability assessments, cyber security workshops, and crisis management
     • Acts as Statewide incident response coordinator for security incidents (ITP-B.7)
     • OIT Initiatives: Policies, procedures, standards, IT planning, network vulnerability assessments, compliance monitoring (auditing), IT risk management, business continuity planning, disaster recovery, service level agreements, and crisis management

  16. E.O. IT Security Compliance Report
     • Compliance checklists to evaluate in detail your agency’s compliance with Ohio IT Security Policies
     • Completed document to the Chief Privacy Officer by close of business on August 14, 2007 (sol.bermann@oit.ohio.gov)

  17. E.O. Privacy Impact Assessment
     • Data mapping - understanding the data the agency has that might be subject to privacy and data classification concerns
     • Privacy Impact Assessment - an assessment focusing on the impact if the specific data is breached and how it would affect the agency
        • The two primary inputs to this phase are the OIT Statewide Policy for data classification and Ohio HB 104. In addition, best practices for data protection will be considered.
     • Remediation effort estimate - an estimate to get all of the data into a standardized protection model
     • Gap analysis and tool recommendation - identification of the areas of improvement for the agency and a recommendation of some tools that will assist with closing that gap
     • Leads to the creation of replicable processes for Agencies to internally perform PIA functions

  18. Questions?
     Rick Shipley, Administrator, Risk Management Services
     Rick.Shipley@oit.ohio.gov
     (614) 995-7632

  19. State of Ohio IT Security Policies
     Doug Alt, State IT Policy Manager

  20. Executive Order 2007 – 013S “Improving State Agency Data Privacy and Security”
     All agency directors are required to review and begin updating existing information technology security policies and practices to make sure that they comply with the current statewide Office of Information Technology security policies. Within sixty days, the Data Privacy Point of Contact (DPPOC) at each agency is to provide a report to the Chief Privacy Officer detailing the state of compliance at their respective agencies and the steps and time necessary to achieve compliance.

  21. State IT Security Related Policies
     • ITP-B.1 Information Security Framework
     • ITP-B.2 Boundary Security
     • ITP-B.3 Password & PIN Security
     • ITP-B.4 Malicious Code Security
     • ITP-B.5 Remote Access Security
     • ITP-B.6 Internet Security
     • ITP-B.7 Security Incident Response
     • ITP-B.8 Security Education and Awareness
     • ITP-B.9 Portable Computing Security
     • ITP-B.10 Security Notifications
     • ITP-B.11 Data Classification
     • ITP-B.12 Intrusion Prevention and Detection
     • ITP-E.1 Disposal, Servicing and Transfer of IT Equipment
     • ITP-E.7 Business Resumption Planning
     • ITP-E.8 Use of Internet, E-mail and Other IT Resources
     • ITP-E.30 Electronic Records

  22. State IT Security Policies
     • ITP-B.1, Information Security Framework: Establishes a foundation on which your current and future IT security strategy, policies, and practices are developed, governed and administered.
        • Establish a risk-based foundation from which to build security programs
        • Base security decisions upon risk assessments
        • Address the basic security elements of confidentiality, integrity and availability in all security policies, plans and procedures
     • Key Takeaway: Have a security management plan in place and review it, update it, and audit against it regularly.

  23. State IT Security Policies
     • ITP-B.2, Boundary Security: Guidelines for designing, implementing and deploying a robust network perimeter defense capability.
        • Put safeguards in place to protect state information and system assets
        • Limit access points
        • Provide more robust authentication for access to sensitive information
     • Key Takeaway: Allow authorized traffic and deny everything else.

  24. State IT Security Policies
     • ITP-B.3, Password and Personal Identification Number Security: Minimum requirements for the selection, use and management of passwords and personal identification numbers.
        • Password strategy driven by risk assessment
        • Require more complex passwords for more sensitive information
        • Authentication is a critical element of data protection
     • Key Takeaway: Password and PIN structures must complement the confidentiality and criticality of the data they are securing.

  25. State IT Security Policies
     • ITP-B.4, Malicious Code Security: Guidelines for the implementation and operation of a malicious code security program.
        • Malicious code is the most common type of attack
        • State-controlled information systems must be protected from the introduction of malicious code
        • All system assets need to be checked regularly for malicious code
        • Users need to be aware of malicious code risks
     • Key Takeaway: Ensure anti-virus software is installed on all devices authorized for state use and install any security patches immediately.

  26. State IT Security Policies
     • ITP-B.5, Remote Access Security: Assists in the development, implementation and operation of security measures governing remote access to state systems.
        • Convenient and popular way to accomplish work, but introduces increased risk for state systems
        • Additional access points need to be secured
        • Authenticate all remote users
        • Encrypt transmitted passwords
     • Key Takeaway: Remote access should be granted following the concept of least privilege.

  27. State IT Security Policies
     • ITP-B.6, Internet Security: Security requirements for the use of and connectivity to the Internet.
        • The Internet is a valuable resource but introduces risks
        • Internet connections need to be secure
        • Internet resources must be used responsibly
     • Key Takeaway: Educate users on appropriate and inappropriate uses of the Internet. Prevent behavior that may put systems and information at risk.

  28. State IT Security Policies
     • ITP-B.7, Security Incident Response: Develop and maintain an adequate response capability for IT related security incidents.
        • Recent security incidents demonstrate the need for an incident response capability
        • Continuous review and update of incident response procedures is critical
        • Incident reporting assists response and containment efforts
     • Key Takeaway: Ensure your agency is ready to respond and that roles and responsibilities are clearly defined.

  29. State IT Security Policies
     • ITP-B.8, Security Education and Awareness: Develop IT security education and awareness programs for employees and other agents of the state.
        • Recent security incidents demonstrate the need for general security education and awareness
        • Personnel need to understand how security measures align with business objectives
     • Key Takeaway: Provide general information technology security education as part of new employee and new contractor orientation.

  30. State IT Security Policies
     • ITP-B.9, Portable Computing Security: Addresses the information technology security concerns of portable computing devices and provides guidelines for their use, management and control.
        • Portable computing security is a critical area, as illustrated by recent security incidents
        • Deliberate management decisions need to be made as to use and support
        • Deliberate decisions need to be made as to privately-owned devices
        • Sensitive information needs to be appropriately secured
        • Management controls need to ensure portable devices are reclaimed from separated employees and that state information and software is removed from privately-owned devices
     • Key Takeaway: If portable computing is allowed, your agency needs to be prepared for the security demands and have a procedure in place to respond to lost or stolen devices.

  31. State IT Security Policies
     • ITP-B.10, Security Notifications: Deploy security notifications that serve to inform users of their duty, limitations on use, legal requirements and personal privacy expectations.
        • Security notifications can assist in the successful criminal prosecution of violators
        • Notifications provide the opportunity to disclose the potential legal implications of unauthorized access, information misuse, data loss and corruption
     • Key Takeaway: Be sure to involve legal counsel in the development of security notifications.

  32. State IT Security Policies
     • ITP-B.11, Data Classification: Provides a high-level data classification methodology for properly identifying and labeling data and information assets.
        • Recent security incidents demonstrate the importance of effectively protecting data according to its risk
        • Data security is driven by assigned levels of confidentiality and criticality
        • Label data in accordance with any legal requirements
     • Key Takeaway: Implement a data classification methodology to classify data and employ the appropriate security and access rights.

  33. State IT Security Policies
     • ITP-B.12, Intrusion Prevention and Detection: Identify and create an intrusion prevention and detection capability that will allow for the detection of and response to unauthorized use of or attack upon a state computer network or telecommunications system.
        • Essential to protecting mission critical resources
        • Intrusion prevention should be implemented to block unauthorized use or attacks
        • Intrusion detection should be used to detect unauthorized use or attacks
     • Key Takeaway: Develop a vetting process for personnel under consideration for positions of operational responsibility for your intrusion prevention and detection capabilities.

  34. State IT Security Related Policies
     • ITP-E.1, Disposal, Servicing and Transfer of IT Equipment: Mitigate risks associated with the disposal, servicing and transfer of IT equipment.
        • Data stored on IT equipment can be recovered if not appropriately secured or removed
        • IT equipment needs to be properly sanitized or encrypted prior to release
        • The information stored on IT equipment dictates the method used to protect or remove data
     • Key Takeaway: Before IT equipment is released from your agency, ensure that sensitive information is sanitized.

  35. State IT Security Related Policies
     • ITP-E.7, Business Resumption Planning: Develop a business resumption plan that addresses emergency response, backup and recovery actions.
        • Hurricane Katrina devastated nearly 90,000 square miles
        • 74 percent of respondents to a Network Computing reader poll said they take snapshots of critical data only once daily, and 64 percent store protected data less than 30 miles from primary sites
     • Key Takeaway: Your agency should have a business resumption plan in place that is updated and tested regularly and will ensure mission critical services are recovered as soon as possible.

  36. State IT Security Related Policies
     • ITP-E.8, Use of Internet, E-mail and Other IT Resources: Establish controls on the use of state-provided IT resources to ensure they are appropriately used for the purposes for which they were acquired.
        • Misuse of computer resources can pose a serious security risk to the state
        • Prohibit sexually explicit materials, operating a business, gambling, dating services, chat rooms, blogging, chain letters
     • Key Takeaway: Ensure restrictions on personal use are clearly communicated to employees and contractors, and explain the rationale for prohibiting certain types of activities.

  37. State IT Security Related Policies
     • ITP-E.30, Electronic Records: Uniform electronic records guidelines
        • Electronic records need to be secured to maintain their integrity, usability, and survivability
        • The requirements of public records law and retention need to be considered when maintaining electronic records
     • Key Takeaway: Electronic records should be created and maintained in reliable systems consistent with their respective retention schedules.

  38. IT Security Focus Areas
     • Portable Devices
     • Personal Use
     • Access Privileges
     • Contractors
     • Disposal, Transfer and Servicing of IT Equipment
     • Education and Training

  39. Focus Area: Portable Devices
     • Make a deliberate decision about whether or not portable devices are permitted, as well as privately-owned portable devices
     • Determine the extent to which portable devices will be supported
     • Construct a procedure for responding to incidents of lost or stolen portable devices
     • Ensure that if portable devices are allowed, data on devices is classified and secured accordingly
     • Implement a management process that will ensure that portable devices are reclaimed after service life or, in the case of privately-owned devices, that the data is recovered, deleted or overwritten as appropriate
     • Prohibit the uncontrolled use of sensitive information on privately-owned devices of employees and contractors
     • Install firewall and virus protection on portable devices

  40. Focus Area: Personal Use
     • Make deliberate decisions about personal use and whether it will be permitted in your agencies
     • Recognize the risks presented by certain types of personal use and address them through security and prohibitions on use
     • Educate employees on prohibited activities and the reasons why they are prohibited
     • Document a personal use policy and distribute it to employees
     • Include personal use policy awareness as part of new employee and new contractor orientation

  41. Focus Area: Access Privileges
     • Ensure all users are properly vetted in accordance with the information they will have permission to access
     • Sensitive information access should require thorough vetting before access is granted
     • Establish rules concerning which files and which users are eligible for the use and storage of sensitive information on mobile devices and media
     • Implement safeguards such as access logs, passwords, encryption, biometrics, time-outs, and/or automatic data deletion for portable devices containing sensitive data

  42. Focus Area: Contractors
     • Make deliberate decisions about the permitted use of contractor equipment for state purposes
     • If contractor equipment is used, ensure it is configured according to your agency’s requirements
     • Require contractors to abide by state and agency security policies and practices as a condition of performance
     • Ensure state information and software is recovered from any contractor-owned equipment at the time of separation
     • Ensure that data access requirements are incorporated into contractor service level agreements and contract terms and conditions as they relate to classified data
     • Address data ownership issues
     • Make deliberate decisions about offshore contractor management and access to sensitive data

  43. Focus Area: Disposal, Servicing and Transfer of IT Equipment
     • Ensure management controls exist to reclaim IT equipment from state employees when they are separated from employment
     • If the use of privately-owned devices is permitted, then controls need to exist to recover information and software from the devices when the user is separated from state service
     • Ensure that data is scrubbed from all devices taken out of state service
     • Protect sensitive data from exposure if equipment is temporarily transferred

  44. IT Security Policy Support
     • Security Policy Audit Checklists (incorporated into Security Compliance Report)
     • Coming Soon…
        • Security Policy Educational White Papers (sample provided for ITP-B.2)
        • Security Policy Tips (sample provided for ITP-B.2)
        • Security Policy Resource Guide (sample provided for ITP-B.2)
     • Documents will be available at: http://oit.ohio.gov/ITSecurityResources/ITSecurityResources.aspx

  45. Security Policy Audit Checklists
     • Compliance
        • Am I compliant? The Self-audit.
        • Next Steps: The Action Plan.

  46. Security Policy Educational White Papers
     • The Implementer’s Perspective
        • What more do I need to know?
        • Where do I go for more information?

  47. Security Policy Tips
     • The Subject Matter Expert
        • What are the key do’s and don’ts of implementation?

  48. Security Policy Resource Guide
     • The User Perspective
        • Why?
        • What’s my role?
        • What are my responsibilities?
        • Where do I go for more information?

  49. Securing Your System… A Basic Philosophy
     • There is no “Silver Bullet” for securing systems.
     • Three components for success:
        • People
        • Processes
        • Technology
     • It’s about Risk Management
     Source: SAIC “Why Security Policy” Presentation, June 19, 2001

  50. Statewide IT Policy Contact Information
     Telephone: 614-644-9352
     Facsimile: 614-644-9152
     E-mail: State.ITPolicy.Manager@oit.ohio.gov
     State of Ohio IT Policy is available at: http://ohio.gov/itp
