
Role, Responsibility and Authority of New Office

Role, Responsibility and Authority of New Office. Presented by Colleen Pedroza, State Chief Information Security Officer. Overview.


Presentation Transcript


  1. Role, Responsibility and Authority of New Office Presented by Colleen Pedroza, State Chief Information Security Officer www.infosecurity.ca.gov/

  2. Overview
  Effective January 1, 2008, the California State Information Security Office joined forces with the California Office of Privacy Protection, creating the new Office of Information Security and Privacy Protection. The new Office reports to the State and Consumer Services Agency. For more details, see Senate Bill 90.

  3. Office Overview
  State and Consumer Services Agency
    Executive Officer
      Office of Privacy Protection
        • Consumer Focused
        • Consumer Assistance
        • Information & Education
        • Best Practice Recommendations
      Office of Information Security
        • Government Focused
        • Policy, Standards, Guidance
        • Assistance & Advice
        • Education & Awareness
        • Compliance Monitoring

  4. Immediate Changes
  There are some exciting new changes
  • Name Change - Office of Information Security
  • Newly Designed Web Site - www.infosecurity.ca.gov/
  • Public Email Address - security@oispp.ca.gov
  • Physical address and phone numbers will remain the same for now

  5. Web Site

  6. Document Ownership
  • Statewide Information Management Manual (SIMM) Documents
    • SIMM 65/70 series, 145 will remain with us
    • Other SIMM products will go to OCIO
  • Policy Communication Channel
    • Management Memos will release new policies
    • Budget Letters to remain at Finance

  7. What Will Our Office Do?
  Continue to provide leadership and guidance to state government to ensure the confidentiality, integrity and availability of state information assets. This will be accomplished through a number of efforts, which include:
  • Issuing security and privacy policies and standards
  • Providing guidance and assistance to state agencies
  • Providing training and awareness tools to ensure the state workforce understands its responsibility for good security and privacy habits
  • Conducting or directing compliance reviews, assessments and audits to ensure state agencies are diligent in achieving compliance with laws, policies, and best practice standards

  8. Governance
  Our Office will be:
  • Establishing an ongoing process for developing, vetting, and approving statewide security and privacy policies
  • Establishing a policy committee involving key stakeholders, such as:
    • SCIO, Agency IOs, CHP, DGS, CalOHI, Legal, DTS, DPA, Finance, and department representation
  Envision
  • Policy adoption will occur at the Cabinet level
  • Agencies would develop a similar governance structure for their departments

  9. 2008 - Year of Compliance
  • Certification Filings
    • Designation Letter (SIMM 70A)
    • Risk Management and Privacy Program Compliance (SIMM 70C)
    • Due January 31st of each year or when changes occur
  • Operational Recovery Plan/Certification (SIMM 70B)
    • ORP Transmittal Letter (SIMM 70D) – New!
    • See Schedule Submission
  • Agency Security Incident Report (SIMM 65A)
    • Due within 10 business days following the incident

  10. Review/Assessment
  What we look for:
  • Are forms complete and properly signed?
  • Designation Letter
    • Updates distribution and emergency contact lists
  • Program Compliance Certifications
    • Has the agency certified that programs/plans are in place?
    • If not, is a remediation plan provided and acceptable (activities, timeline, etc.)?
    • If yes, schedule for compliance review
  • ORPs
    • Accompanied by Agency Transmittal Letter (new)
    • Are there inter-agency dependencies and have these been addressed?
    • Does it meet the SIMM 65A requirements?
    • Is a cross reference map included?
  • Incident Reports
    • Have costs and corrective actions been identified?
    • Do costs and corrective actions seem reasonable?

  11. Follow-up Process
  If an agency hasn’t submitted forms/plan or asked for extension:
  • Reminder to department ISO and CIO
  • Notification to department director and copy to ISO and CIO
  • Notification to department’s Agency and copies to ISO, CIO, director and SCIO

  12. Requirements for State Agencies
  Pursuant to Government Code 11549.3, all must comply with policies and filing requirements issued by OISPP.

  13. Compliance Authority & Monitoring
  • We are required to notify the SCIO when an agency is not in compliance
  • We may conduct compliance reviews
  • We may conduct or require an independent security assessment at the agency’s expense
  • We may require an audit at the agency’s expense

  14. Consequences
  May impact agency’s:
  • IT Projects or IT Project funding
    • Denial, suspension, or termination
  • Delegated IT Procurement Cost Thresholds
    • Reduction or elimination

  15. Happy New Year!
  • A new year
  • A new office
  • Many new opportunities or many new challenges
  It’s all how we choose to look at it!

  16. Questions?

  17. Office Updates
  • ORP-COOP/COG Alignment Update
  • SAM/SIMM Restructure
  • New/Revised SIMM Forms and Instructions
  Presented by Rosa Umbach

  18. ORP-COOP/COG Alignment
  • Publication of Workgroup Products
    • Revised SIMM 65A Instructions
    • New SIMM 70D
    • Definitions
    • Internal Checklist (coming soon)
  Pending
  • Working with OES
    • COOP/COG definitions
    • Updating of the COOP/COG Instructions

  19. SAM/SIMM Restructure
  • Phase I – Restructure SAM 4840-4845
    • Working with DGS to publish in SAM
    • Developing Management Memo for releasing new structure
  • Phase II – Perform Policy Gap Analysis
  • Phase III – Prioritize and begin establishing new policy

  20. SAM Restructure

  21. SAM Restructure (Continued)

  22. Revised SIMM Forms
  • Agency Designation Letter (SIMM 70A)
    • Director can identify individual to sign as designee
  • Agency Operational Recovery Plan Certification (SIMM 70B)
    • New Office Name
  • Agency Risk Management and Privacy Program Compliance Certification (SIMM 70C)
    • Certifies full Risk Management Program is in place or the Agency provides remediation plan to become compliant.

  23. SIMM 70A

  24. SIMM 70C

  25. Risk Management Certification
  • Remediation Plan should include:
    • List of activities which the agency is not yet compliant with
    • Timeline for completing each activity
    • Method for validation of completion
    • Method of verification of compliance
    • Contact for remediation plan

  26. NEW SIMM Form
  • Agency Operational Recovery Plan Transmittal Letter (SIMM 70D)

  27. Questions?