
Enterprise Security Plan and Standards Forum

Presentation Transcript

  1. Enterprise Security Plan and Standards Forum
     • Theresa A. Masse, State Chief Information Security Officer
     • John Ritchie, Senior Security Analyst

  2. Agenda
     • Background
     • Statewide Information Security Plan
     • Statewide Information Security Standards
     • Agency Next Steps
     • Panel
     • Wrap Up

  3. Background
     • The combination of the Statewide Plan, Standards, and Policies in the framework of ISO 27001 & 27002 forms the Enterprise Security Architecture

  4. Background
     • Based on ISO 27001/27002
     • Incorporating best practices from:
       • National Institute of Standards and Technology (NIST) recommended standards
       • SANS Institute recommended standards and best practices
       • Burton Group recommended methodologies and best practices
     • Vetted by agencies

  5. Background
     • ISO 27001 Information Security Management System (ISMS)
     • Foundation: Security Risk Assessment
     • Aligns with Agency’s Strategic Risk Management Policy and Direction

  6. Background
     • ISO 27002 Information Security Domains
     • Controls minimize identified risk
     • Risk Assessment identifies areas of Security Control focus

  7. ISO 27002
     • 27002 consists of 11 domains
     • Includes an outline for each Domain and corresponding Controls
     • Risk Assessment
     • Security Governance & Compliance: Security Organization, Security Policy, Compliance
     • Security Infrastructure & Environment: Human Resources Security, Physical and Environmental Security, Asset Management
     • Tactical Security Operations: Access Control, Incident Management, Communications & Operations Management, Business Continuity Management, System Development and Maintenance

  8. Background
     • Policies and standards assist agencies in achieving compliance with state laws
     • ESO cannot establish plans, policies or standards that are less restrictive than state laws
     • Specifically: ORS 182.122 Information Systems Security & ORS 646A.600, the Oregon Identity Theft Protection Act
     • Agencies can implement more restrictive controls as required for compliance with other regulations (IRS, HIPAA, etc.)

  9. Security Plan: Security Management Framework (ISO 27001)
     • Agency Annual Risk Assessment
     • Agency Information Systems Security Risk Assessments
     • Agency Information Security Management System

  10. Security Plan: Security Governance and Compliance (ISO 27002)
     • Agency Security Policies & Governance Processes
     • Information Security Audits within Agency

  11. Security Plan: Security Infrastructure and Environment (ISO 27002)
     • Agency Employee Security Policies
     • Process for Access Control to Information Assets within Agency
     • Agency Information Security Awareness Training
     • Agency compliance with Information Asset Classification Policy #107-004-050
     • Agency compliance with the Transporting Information Assets Policy #107-005-100
     • DAS Building Security Access Controls Policy #125-6-215
     • Evaluation of Agency facilities for security

  12. Security Plan: Tactical Security Operations (ISO 27002)
     • Agency compliance with the Enterprise Information Security Standards
     • Agency compliance with Employee Security policy #107-004-053
     • Agency compliance with the Information Security Incident Response policy #107-004-120
     • Agency BCP per policy #107-001-010
     • Agency BCP testing
     • Agency DR testing
     • Agency compliance with Sustainable Acquisition and Disposal of Electronic Equipment (E-waste/Recovery Policy)

  13. Security Plan: Implementation of Plan
     • Implementation Metrics
     • Submit agency plan to ESO, due July 2009

  14. Security Standards
     • Incorporating best practices from:
       • International Organization for Standardization (ISO) 27001 & 27002
       • National Institute of Standards and Technology (NIST) recommended standards
       • SANS Institute recommended standards and best practices
       • Burton Group recommended methodologies and best practices

  15. Security Standards: Technical Controls
     • Four Domains from ISO 27002:
       • Access Control
       • Information Asset Management
       • Communications & Operations Management
       • Information Systems Acquisition, Development and Management

  16. Security Standards: Access Control
     • Authentication Standards
     • Authorization Standards
     • Audit of Access Control Standards

  17. Security Standards: Information Asset Management
     • Protection of Information Assets Standards
     • Handling of Information Assets Standards

  18. Security Standards: Communications & Operations Management
     • Antivirus and Anti-malware Standards
     • Workstation Management & Desktop Security Standards
     • Mobile Device Management Standards
     • Server Management Standards
     • Log Management Standards
     • Information Backup Standards

  19. Security Standards: Communications & Operations Management (continued)
     • Security Zone and Network Security Management (Local Area Network & Wide Area Network) Standards
     • Intrusion Detection Standards
     • E-mail Standards
     • Remote Access Standards
     • Wireless Access Standards

  20. Security Standards: Information Systems Acquisition, Development and Management
     • Business Case Standard
     • Encryption Standards
     • Patch Management Standards
     • Information System Development Lifecycle Standards

  21. Security Standards: One Size Fits All?
     • Small Agencies: Most Standards Apply
     • Large Agencies: All Standards Apply
     • State Data Center: Most Standards Apply
     • Will Assist Agencies

  22. Security Standards
     • Agencies Responsible for Data
       • Classification
       • Protection
     • Agencies and Third Party Providers
       • Contractors
       • State Data Center

  23. Security Standards
     • Standards
       • Minimum Requirements
       • “Meet or Exceed”
     • Recommended Best Practices
       • Not Mandatory

  24. Security Standards
     • Standards
       • Are Specific
       • Are Interdependent
       • Must Be Implemented In Entirety, but…
     • Risk Assessment Drives Implementation
       • Compensating Controls
       • Exceptions

  25. Agency Next Steps
     • Survey
       • Are you compliant?
       • If not, do you have a plan?
       • Do you have the resources to implement the plan?
     • Gap Analysis
     • Workshop

  26. Panel
     • Robert Hulshof-Schmidt, State Library, Program Manager, Government Research Services
     • David Wilson, Department of Corrections, Information Security Officer
     • Al Grapoli, Network, Security and Voice Services Manager, DAS, State Data Center

  27. Oregon State Library Information Security Plan and Guidelines: Development and Implementation
     Robert Hulshof-Schmidt, Program Manager, Government Research Services, State Library

  28. State Library Overview
     • 44 employees, 20+ regular volunteers
     • 4 Teams
       • Administrative Services
       • Government Research Services
       • Library Development Services
       • Talking Book & Braille Services

  29. OSL Information Assets
     • Mostly Levels 1 & 2
     • No Level 4
     • Level 3 almost exclusively in Administrative Services
       • Consolidated donor info
       • Patron info streamlined and protected by statute

  30. OSL Info Environment
     • Most staff are professional information workers
     • Three full-time IT staff
     • Agency-wide values on research, openness, information exchange
     • Generally tech-savvy, gadget-owning staff
     • At start of security planning:
       • Lack of concern due to limited Level 3 info
       • Unclear connection to everyday work

  31. Information Security Plan
     • Used ESO template; covered most of our needs
     • Started good conversation on physical security, not just electronic
     • Dovetailed with IT initiative to create stronger domain environment
     • Valuable, but felt to most staff like a “Business Office/IT” activity only

  32. Making the Connection
     • Management team conversation about information security
       • Everything connected to the enterprise carries risk
       • Even “local-only” connections put our business at risk
       • All staff have a role and a responsibility
     • Statewide policies provide a good framework
     • We need local guidelines

  33. Creating Guidelines
     Information Asset Use, Implementation, and Security Guidelines
     • Started with suite of seven statewide policies related to topic
     • Added reference to statewide policies related to staff behavior (telework, professional workplace, etc.)
     • Added reference to OSL policies and documents as relevant

  34. Creating Guidelines
     • Created plain-language definitions of key terms
     • Did not repeat content of policies
     • Focused on areas that required agency-specific clarification or interpretation
     • Pulled common themes from various policies into cohesive sections
       • Allowed for streamlining

  35. Creating Guidelines
     • Reference to relevant policies/authorization
     • Definitions
     • Appropriate usage times for state assets and systems
     • Use of personal information systems
     • Use of networks (state and personal)
     • Use of Internet resources
     • Use of electronic communication tools
     • Passwords
     • Monitoring behavior
     • Responding to incidents (tied to plan)
     • Decision-making, approvals, and access

  36. Guidelines Rollout
     • Iterative development
       • Management review
       • Business office review
       • IT review
       • Key staff review
     • Agency-wide announcement
     • All staff training
       • Three sessions
       • One presenter
       • IT and HR at all three sessions

  37. Next Steps
     • IT review of guidelines
     • Performance gaps
       • 30-day action plan
       • Long-term action plan
     • SDC consultation
     • Prepare for standards review and implementation
     • Set priorities based on risk and resources

  38. Questions?
     • Guidelines available to share
     • Robert Hulshof-Schmidt
     • 503.378.5030
     • robert.hulshof-schmidt@state.or.us

  39. Department of Corrections
     David Wilson, Information Security Officer

  40. DOC Mission Statement
     The mission of the Oregon Department of Corrections is to promote public safety by holding offenders accountable for their actions and reducing the risk of future criminal behavior.

  41. Oregon Accountability Model
     • Criminal Risk Factor Assessment and Case Planning
     • Staff-Inmate Interactions
     • Work and Programs
     • Children and Families
     • Re-entry
     • Community Supervision and Programs

  42. Quick Facts
     • 14 Institutions
     • 4 Administration Sites
     • 2 County Parole & Probation Offices

  43. Quick Facts
     • 4,426 Employees
     • 1,970 Active Volunteers
     • Offenders:
       • Inmates: 13,841
       • Parole and Probation: 2,794
       • Local Control: 890
       • Total Current Offenders: 17,525

  44. Quick Facts: Others Accessing ODOC Information
     • Contracted Service Providers
     • Community Partners
     • Courts and Legal Professionals
     • Other Governmental Agencies
     • The Public

  45. ODOC Information Security History
     • Information Security Officer
       • Collateral duty prior to October 2009
     • Projects through Office of Project Management
       • Information Security Administration
       • Department-wide Records Management

  46. Project Methodology
     • Initiated in April 2008
     • ODOC missed early compliance dates
     • Combined project resources
     • Chose to focus resources on:
       • ID of agency Information Assets (IAs)
       • Organizing IAs into a Special Retention Schedule
       • Use structure to identify “ownership”

  47. Methodology Mistake
     Information Owners were not defined or identified at the beginning of the projects.

  48. Informed Information Owners Needed
     • Realized need for:
       • Definition of Information Owner role and responsibilities
       • Decision makers to decide Classification
     • Identified need to:
       • Educate decision makers
       • Define Data Handling Standards
       • Define Classification expectations

  49. “Snap Shot” Standards Needed
     • Methodology and standards: OVERWHELMING!
     • Found something simple: PERS Data Handling Standards
       • http://www.oregon.gov/DAS/EISPD/ESO/IAC.shtml
     • Simple Matrix = Enterprise Standards
     • Reflects PROCESS expectations

  50. Curriculum Identified
     • Protecting IAs at the Right Level
     • Balancing the Risk with the Cost: Confidentiality, Integrity and Accessibility
     • Public Records Requests: Simple Division
       • Level 1 & 2: Releasable = Low Risk & Priority
       • Level 3 & 4: Not releasable = High Risk & Priority
       • Able to categorize by this division based on known mandates and project team input
     • Level 3 vs. Level 4
       • Mandates vs. Business Decision
       • Risk of Level 3: Mitigated by agency culture
       • Cost of Level 4: Resources and Accessibility
