1
July 9, 2009
Information Security Officer Meeting
2
Katrina Yang
Reaching Us…
• No change to mailing address
• No change to phone numbers
• Change to email addresses
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
• Office closures due to mandated furloughs
3
Mark Weatherford
OCIO/OIS Organizational Update
• GRP Transition
• OIS vacancies and recruitment efforts
• Impact on OIS’ ability to meet prior service level expectations
• Also on the move…
4
Rosa Umbach
ITPL 09-02, Security Segment
• Security Survey
5
Michele Robinson
Incident Management FSR Project Update
• Grant-funded feasibility study
• Stakeholder (owner and user) interviews were conducted
• Information security regulations, policies, standards, and guidelines were researched
• Market research was performed
6
Michele Robinson
• Problem and needs were validated
• Alternatives were identified
• Based on overall cost/benefit a proposed alternative was selected
• FSR is close to completion (August 2009)
7
Michele Robinson
Alternatives
• Leverage existing Remedy Service Desk software
• Acquire a Commercial-off-the-Shelf (COTS) solution
• Partner with CalEMA RIMS (Response Information Mgmt System) Replacement Project
8
Michele Robinson
Benefits of Partnership with CalEMA
• Establishes a unified and coordinated approach between COIS, CHP, and CalEMA
• Consolidation of separate existing (and conceptual) systems into a single system
• Scalable and can be extended to local governments
• Greater security of data
• Implementation is expedited by leveraging an approved FSR
• Less costly
9
Michele Robinson
Benefits of Partnership with CalEMA
Alignment with:
• National strategy
  – “The government, working with key stakeholders, should design an effective mechanism to achieve a true common operating picture that integrates information from the government and private sector and serves as the basis for informed and prioritized vulnerability mitigation efforts and incident response decisions.” – Cyberspace Policy Review, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
• Key objectives derived from:
  • Cyberspace Policy Review
  • National Strategy to Secure Cyberspace
  • National Strategy for the Physical Protection of CI/KR
10
Michele Robinson
Benefits of Partnership with CalEMA
Alignment with:
• State IT Strategic Plan:
  – “Information technology support for the Executive Branch of California State Government will operate as a seamless enterprise, delivering consistent, cost-effective, reliable, accessible and secure services that satisfy the needs of its diverse public and private customers, including the People of California, its business communities and its public sector agencies.” – California State Information Technology 2006 Strategic Plan, pg 5
• State IT Capital Plan:
  – “Facilitate improvements in internal business processes and financial management through IT investments and enhance and promote enterprise data sharing through IT investments.” – 2009 ITCP Overview, http://www.itsp.ca.gov/Capital_Plan/
11
Michele Robinson
Telework Policy and Security Standards Update
• DGS Telework Policy
– DGS Telework Advisory Group (TAG)
• OIS Telework Security Standards
– DPA will facilitate meet and confer with labor
12
Michele Robinson
Twitter Vulnerabilities
• Month-long campaign/project entitled the “Month of Twitter Bugs” or “MoTB”
• Began July 1, 2009
• Focus on ways to utilize the Twitter website and third-party Twitter applications to distribute malicious code
• Malicious code may be used to exploit other third-party programs with a codebase similar to Twitter’s
• May result in automated programs being written to take advantage of these known vulnerabilities
13
Michele Robinson
Twitter Vulnerabilities
• Month of Twitter Bugs: http://twitpwn.com/
• Aviv Raff (creator of the “Month of Twitter Bugs” blog): http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx
14
Michele Robinson
Recommendations:
• Have a policy on the appropriate use of social networking sites
• Ensure users are trained on the appropriate use of social networking sites, including:
  – Enabling the privacy features and disabling “Auto-Feeds” that are not approved by your organization
  – Not visiting untrusted websites or following links provided by unknown or untrusted sources
  – Understanding the threats posed by hypertext links, especially from untrusted sources
  – Following your organization’s policies for incident reporting
15
Michele Robinson
Recommendations:
• Ensure that all anti-virus software is up to date with the latest signatures.
• Ensure that the most recent vendor patches are applied on all desktops, laptops, mobile devices and servers as soon as possible.
• Deploy network intrusion detection systems to monitor network traffic for malicious activity.
16
Michele Robinson
State Direction on Departmental Use of Social Networking Media
• Agency use versus all employee use
• Argument for advantages of employee access
• Security must help business to achieve the objectives of the directive
17
Mark Weatherford
Strategic Plan and
Policy Refresh Project Update
18
Mark Weatherford
ITPL 09-05
Agency Information Officer and Department Chief Information
Officer Responsibilities
19
Mark Weatherford
ITPL 09-05 Questions
Q: Does this mean that all ISOs in an IT classification must report to the CIO?
A: Yes, that is the intent.
Q: What does this mean for ISOs in non-IT classifications?
A: This is currently under consideration.
20
Mark Weatherford
What are the ISO Concerns?
In Addition to Known ITPL 09-05 Concerns
• Reporting to the CIO is a conflict of interest.
• Security and risk issues will not get raised to my agency head as needed and expected.
21
Mark Weatherford
Closing
• Please complete the feedback survey.
• Thank you for your attendance and participation.