Information Security Board: Mission, Goals and Guiding Principles
Mission
• Assist agency management with implementing and maintaining a sound information security program consistent with industry best practices and compliant with state policies.
Goals
• Implement policies, procedures, and processes to ensure the information security objectives of confidentiality, integrity, and availability are met.
• Comply with all statewide information security policies and have best practices identified and implemented when practical.
• Effectively work with partners (DAS, vendors, etc.) to ensure information security objectives are met.
• Be proactive in identifying and mitigating risks to information as they emerge; however, when a potential breach does occur, the agency reacts immediately to investigate and take appropriate action.
• Raise user awareness for information security by establishing regular training and information security communications.
• Develop and implement metrics to track the progress of the information security program.
Information Security Guiding Principles
• We understand that information security affects us all daily
• We approach information security in layers
• We grant access based on “least privilege” and “roles” where appropriate
• We are fiscally responsible
• We strive for simplicity over complexity
• We lean toward “buy” versus “build”
• We strive to implement best practices as appropriate
• We weigh the benefits of “open” over “commercial” sourced software
• We adopt industry “standards” where appropriate
• We use risk management as a tool in decision making
• We strive to use existing infrastructure where feasible
Strategies for Goal 1
• Implement policies, procedures, and processes to ensure the information security objectives of confidentiality, integrity, and availability are met.
• Develop information security goals and objectives.
• Implement policies, procedures, and processes. For example:
  • Completed:
    • Acceptable Use policy.
    • Personal Use of State Resources policy.
    • Security Breach Response Team.
  • In Process:
    • Data Classification policy.
    • Information Handling Standards.
    • Information Security Plan.
  • Planning:
    • Incident Response policy.
Strategies for Goal 2
• Comply with all statewide information security policies and have implemented best practices identified when practical.
• Identify statewide policies the agency must comply with. For example:
  • ORS 646A.600 through 646A.628: Oregon Consumer Identity Theft Protection Act.
  • ORS 192: Records; Public Reports and Meetings.
  • ORS 182.122: State Administrative Agencies.
  • OAR 125-800-0005 through 0020: State Information Security.
  • DAS policy 107-004-052: Information Security.
• Develop a suitable set of information security best practices. For example:
  • Deploy encryption technologies to portable computing and storage devices.
  • Deploy endpoint management technologies to help prevent data loss.
• Develop information security standards and guidelines. For example:
  • Develop data handling standards.
Strategies for Goal 3
• Effectively work with partners (DAS, vendors, etc.) to ensure information security objectives are met. For example:
  • Participate on the statewide Information Security Council.
    • Assigned Jason Stanley and Clint Christopher.
  • Share appropriate information with other state agencies and private organizations.
Strategies for Goal 4
• Be proactive in identifying and mitigating risks to information as they emerge; however, when a potential breach does occur, the agency reacts immediately to investigate and take appropriate action. For example:
  • Develop an information security incident response team.
  • Revise the Security Breach Incident Response process to include incident response.
  • Develop an enterprise risk management program.
Strategies for Goal 5
• Raise user awareness for information security by establishing regular training and information security communications. For example:
  • Develop articles to be published in the PERC and Espresso.
  • Maintain an Intranet site for information security.
  • Develop agency-wide email on “hot topics.”
  • Develop information security awareness training using iLearnOregon and other tools.
Strategies for Goal 6
• Develop and implement metrics to track the progress of the information security program. For example:
  • Awareness:
    • Do security walkthroughs for workstations “not locked” and compare with previous walkthroughs.
    • Develop scenario-based testing.
  • Incidents:
    • How many security breaches occurred?
  • Prevention:
    • How many workstations and servers have “up-to-date” patches?
    • How many viruses have been detected?
  • Compliance:
    • Security findings: high, medium, low; open versus closed.