
1

Security Plans Communication Forum

Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services
Enterprise Security Office

2

Agenda

Welcome and Opening Remarks
Resources
Agency Panel
  Debbie West, Oregon Medical Board
  Lorraine Odell, Judicial Department
  Curt Hartinger, Office of the State Treasurer
Q&A

3

Welcome

Scott Harra, Director
Department of Administrative Services

4

Policy Requirements

Oregon Administrative Rule 125-800-0005 – State Information Security:

(1)(c) The Department (DAS), in collaboration with state agencies, shall establish standards for agency information assets security plans. … (T)he Department shall have the right to return the plan to the agency for revision and may decline to certify such plans until the plan has been modified to satisfy the overarching objectives of protecting the state’s information assets.

5

Policy Requirements

Information Security statewide policy 107-004-052
  Each agency will establish a plan to initiate and control the implementation of information security within the agency and manage risk associated with information assets
  Agencies have two (2) years from effective date of this policy (7/30/2007) to comply

6

Policy Requirements

7

Resources

Theresa Masse
State Chief Information Security Officer
Department of Administrative Services

8

Security Plan Resources

Information Security Plan guidelines
  Policy requirements, guidance and best practice examples
  Information security objectives and controls
Information Security Plan sample template
Agency Information Security Plan review criteria
  Proposed criteria sheet ESO will use to evaluate agency plans
Statewide Security Plan
  To be published by September

9

Security Plan Resources

Security Plan writing workshops
  For small and medium-sized agencies with limited security resources
  Hands-on setting with assistance from ESO staff and agency mentors using Information Security Plan template
  Two half-day sessions with two weeks between sessions
    September 2008
    October 2008
    February 2009

10

Security Plan Resources

Mentors
  Peer volunteers from agencies to be mentors
  Will assist during workshops for hands-on support in plan writing
  Will be available by phone and e-mail to mentor agencies through plan writing

11

Agency Panel

Debbie West, Oregon Medical Board
Lorraine Odell, Judicial Department
Curt Hartinger, Office of the State Treasurer

12

Agency Panel

Debbie West, Personnel Manager
Oregon Medical Board

13

Security Policy – Is it just me or is this thing beyond comprehension?

14

Getting a handle on it…

Reading the statewide policies
Approval to roll them all in one agency policy
The project starts to focus!

15

Creation of Policy

Ensure all elements of the individual policies are addressed in the single policy version
Pretty easy since they are so similar
Don’t tackle too much at once – leave the procedures out of the policy

16

Creation of Plan

Using the sample created by EISPD, the plan was easy to create
Made sure the plan and the policy support each other
And another light came on!

17

Fitting the Pieces Together

The Security Plan is the “Why”
The Security Policy is the “What”
The Procedures are the “How”
The Policy acts as a bridge between the Plan and the Procedures.

18

OMB Mission

To protect the health, safety and well-being of Oregon citizens by regulating the practice of medicine in a manner that promotes quality care.

19

My Mantra…

… one step at a time … one step at a time …

20

Agency Panel

Lorraine Odell, Information Security Officer
Judicial Department

21

Creating an Information Security Plan

OJD Challenges and Solutions

22

Structure of OJD

175 elected judges
36 circuit courts
Tax court
Appellate courts – Supreme, Appeals
Office of the State Court Administrator
  Historically, a fairly new concept
  Centralized administrative duties

23

What Information Needs To Be Protected

Challenge:
  “Core business” information was exempted
  Administrative items were not initially considered

Solution:
  Create workgroup to identify general categories of protection
  Meet with each division / unit / court
  Check with internal auditors; they have a lot of background information

24

Support from the Top

Challenge:
  Judges are elected and not subject to rule by OSCA
  Competing priorities

Solution:
  Have the information security plan and policies supported by the Chief Justice and by the State Court Administrator

25

Allocate Resources

Challenge:
  As always, there are scarce resources and much to do
  Court administrators view this as just another task

Solution:
  Provide templates so each court doesn’t have to create their own plan (similar to what DAS is offering as workshops for smaller agencies)

26

Establish Policies

Challenge:
  OJD is run judicially, by order, rather than administratively, by policy
  The existing policy process is cumbersome and seldom used
  Resistance to policies, since they limit flexibility

Solution:
  Have support from the top
  Work with courts and divisions to ensure policies work with real life
  Persuade staff that policies can help them know what is expected

27

Train on the Program

Challenge:
  The courts are geographically dispersed
  Not all staff need to have the same information

Solution:
  Work with the Training Unit to create a training plan for all staff
  Create modules for use with different staff: judges, supervisors, line staff, etc.
  DAS Web modules are a great help

28

Risk Assessment

Challenge:
  “Risk Assessment” is unfamiliar to most managers; it’s considered an audit or an IT function
  Nobody wants to add more duties to their already full schedule

Solution:
  Prepare a basic template of a risk assessment
  Identify people who will be doing the assessments; work with them to see that the assessment is only what they do every day – it’s just now documented

29

Plan Maintenance

Challenge:
  Information Security Office is not institutionalized
  Resources may not permit separate position or office

Solution:
  Create an office overseeing all information security issues
  If included in other positions, top level management must monitor continuation of the program

30

Agency Panel

Curt Hartinger, Internal Audit Manager / IT Security Officer
Office of the State Treasurer

31

Objectives

How the Oregon Liquor Control Commission laid the foundation for their information security program by performing an information security risk assessment
Demonstrate how organizations can improve their information security program using tools provided by the DAS/EISPD Enterprise Security Office

32

Materials Available From ESO

ISO 27001 and ISO 27002
Information Security Best Practices checklist
Information Security Plan guidelines
Information Security Plan template

33

Statewide Security Policies

DAS Administrative Rule 125-800-0005
Information Asset Classification policy 107-004-050
Controlling Portable and Removable Storage Devices Policy 107-004-051
Information Security Policy 107-004-052
Employee Security Policy 107-005-053
Transporting Information Assets Policy 107-004-100
Acceptable Use of State Information Assets Policy 107-004-110

34

Documents for Evaluating Program

Data Classification listing
Information Security Best Practices checklist
Information Security Plan guide
Information Security Plan template
Risk Assessment

35

Data Classification Listing

36

Best Practices Checklist

37

Risk Assessment Report

Oregon Liquor Control Commission

Information Security Risk Assessment

Establishing a Foundation for Information Security

Curtis Hartinger, CPA, CISA, CISM, GSNA

38

Building Blocks

Until the foundation blocks for information security are put in place it is difficult, if not impossible, to build an effective information security program. These foundation blocks include:

1. Data Classification – Data owners need to define the value of information to the organization and employees need to know the classification of the information they work with before they can know how they should protect it.

39

Building Blocks

2. Employee Awareness Training – Employees need to understand the information security policies and procedures that apply to the information they work with. They also need the specialized information required to perform their jobs effectively. The four categories of information security training focus on security staff, information technology staff, management, and general staff.

40

Building Blocks

3. Policy Development – Policies state management’s intent. Employees cannot follow management’s intent if that intent is not clearly documented and available to staff.

41

Building Blocks

4. Risk Assessment – Management needs to understand the risks to the information so they can approve and implement appropriate controls to mitigate those risks. Once the risks are understood, proper controls can be implemented to mitigate those risks to a level that is acceptable to management.

42

Building Blocks

5. Defined Roles and Responsibilities – Employees need to know their responsibilities with regard to information security. This responsibility should be included in each employee’s position description. In addition, they need to be held accountable for those duties by including their security responsibilities as part of their annual evaluation.

43

Building Blocks

6. Tone from the Top – Executive management needs to support and lead by example with regard to information security. Without executive sponsorship and participation, it is very difficult for security staff to stand up and integrate an effective information security program.

44

Results

Efficient and beneficial transfer of knowledge
Strong support for improving information security
Prioritized listing of activities to build an effective information security program using available resources

45

Q & A

46

For further information …

Theresa Masse, DAS Enterprise Security Office
(503) 378-4896, [email protected]

Debbie West, Oregon Medical Board
(971) 673-2697, [email protected]

Lorraine Odell, Judicial Department
(503) 986-5916, [email protected]

Curt Hartinger, Office of the State Treasurer
(503) 378-3150, [email protected]