
Implementing Executive Order 504 with the Resources Your Agency Has Today

Implementing Executive Order 504 with the Resources Your Agency Has Today. Executive Office of Administration and Finance Information Technology Division Linda Hamel General Counsel, Information Technology Division Stephanie Zierten Deputy General Counsel, Information Technology Division


Presentation Transcript


  1. Implementing Executive Order 504 with the Resources Your Agency Has Today
     Executive Office of Administration and Finance, Information Technology Division
     Linda Hamel, General Counsel, Information Technology Division
     Stephanie Zierten, Deputy General Counsel, Information Technology Division
     Jenny Hedderman, Deputy General Counsel, Comptroller
     Presentation for Executive Order 504 Train the Trainer Course, December 16 and 17, 2008

  2. Agenda
     • Before Executive Order (E.O.) 504
     • Requirements of E.O. 504
     • What’s new?
     • Complying with E.O. 504 with the resources your agency has today
     Handouts available at: www.mass.gov/itd
     Executive Order 504

  3. Before Executive Order 504
     • Three sources of agency security and privacy (confidentiality) requirements:
       • ITD Security Policies, Standards and Guidelines
       • Contracts
       • State and Federal laws regarding privacy and security

  4. Before EO 504
     • ITD’s Enabling Legislation enables ITD to set information technology standards for the Executive Department
     • Executive Department budget language annually gives ITD authority over IT projects of $200,000 and over
     • Enterprise Security Board (ESB) voluntarily created by ITD under the CIO’s general authority in 2001
     • With the advice of the ESB, ITD has issued enterprise security policies addressing
       • Attack intrusion notification
       • Cybercrime and security incidents
       • Electronic messaging communications security
       • Information security policy
       • Data classification
       • E-government apps public access policy and standards
       • Remote access
       • Wireless implementations

  5. Before EO 504, cont.
     • Agencies are subject to contractual security requirements. Examples:
       • Payment Card Industry (PCI) Data Security Standards
         • certain data security standards mandated by the credit card industry for all Commonwealth entities that process, transmit, or store credit cardholder data
       • Social Security Administration Information Exchange Agreement
         • governs the transmission of data files received from and sent to the Social Security Administration
       • Business Associate agreements between agencies that are HIPAA covered entities and agencies that act as service providers

  6. Before EO 504, cont.
     • Law breaks down along two lines:
       • Privacy (rules about who gets to see sensitive data – broader than security)
         • Examples:
           • see HIPAA privacy rule;
           • main sections of FIPA (Fair Information Practices Act, M.G.L. c. 66A); exemptions to public records law
           • CORI
         • Principles governing protection of privacy data:
           • Notice;
           • Purpose;
           • Consent;
           • Security;
           • Disclosure;
           • Access; and
           • Accountability
       • Security (rules about the physical, technical, administrative methods of limiting access -- a means to effectuate privacy rules)
         • see HIPAA security rule;
         • one section of FIPA;
         • Internal Revenue Manual 30.6.1 Security of Confidential Information

  7. Before EO 504
     • Personnel addressing security and privacy have also traditionally been grouped separately
       • Technologists handle security
       • Lawyers, policymakers and program managers manage the privacy rules.

  8. Before EO 504, cont.
     • Executive Order 412
       • Review policies and practices regarding information related to individuals
       • Determine the minimum quantity of personal information needed to be collected, and reform policies and practices regarding dissemination and security
       • Adopt a policy regarding employee expectations of privacy

  9. Executive Order 504 -- Summary
     • Revokes EO 412 (but reinstates many of its terms)
     • Doesn’t change
       • Pre-existing contractual requirements imposed on the state
       • Pre-existing security or privacy laws
     • Requirements imposed on:
       • Executive Department agencies (not the Executive Branch generally, the Legislature, the Judiciary, or Authorities)
       • ITD and the CIO
       • Enterprise Security Board

  10. Executive Department Agencies Must…
     • “Adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of”
       • Personal Information: as defined in the Security Freezes and Notification of Data Breaches Statute (G.L. c. 93H)
       • Personal Data: as defined under FIPA
     • Personal Information (G.L. c. 93H):
       • Resident’s first name (or initial) and last name in combination with
         • Social security number;
         • Driver’s license (or state issued i.d.) number; or
         • Financial account number
     • Personal Data under FIPA:
       • Any information which, because of name, identifying number, mark or description, can be readily associated with a particular individual.
       • Except information that is contained within a public record (G.L. c. 4 § 7(26)).

  11. Executive Department Agencies Must…
     • Develop, implement and maintain a written information security program, which ensures that the agency:
       • Collects the minimum quantity of personal information and data reasonably needed to accomplish the legitimate purpose for which the information is being collected
       • Securely stores and protects personal information and data against unauthorized
         • access
         • destruction
         • use
         • modification
         • disclosure
         • loss
       • Discloses personal information and data only on a need-to-know basis
       • Destroys personal information and data as soon as it is no longer needed or required to be maintained under state or federal law
       • Addresses the administrative, technical, and physical safeguards
       • Complies with Federal and state privacy and security laws and regulations

  12. Executive Department Agencies Must…
     (Slide diagram labels: Personal Information and data; Information Security Program; Electronic Security Plan)
     • Develop and implement written information security programs…
       • Cover all personal information (not restricted to electronic information)
       • Electronic personal data must be addressed in a subset of the Information Security Program (ISP) called an “electronic security plan” (ESP)

  13. Executive Department Agencies Must…
     • Appoint an Information “Security” Officer (really a Security and Privacy Officer)
       • Reports directly to the Agency head
       • Signs the agency ISP and its ESP
       • Can be a new responsibility for an existing employee (not required to be a full time responsibility)
       • Coordinates the Agency’s compliance with
         • E.O. 504
         • Federal and state laws and regulations (privacy and security)
         • ITD security standards and policies
       • Although not required by EO 504, the EO 504 Security Officer should coordinate compliance with contractual security and privacy obligations as well.
     • Have the Agency Head certify all Programs, Plans, Self-Audits and Reports
     • By September 2009, attend mandatory security training for
       • all agency heads, managers, supervisors, employees (including contract employees)
       • Re: how to identify, maintain and safeguard records and data
     • Incorporate required contract language regarding vendor certification in all contracts entered into after January 1, 2009; breach constitutes breach of contract.
     • Before entering a contract, follow mandatory ITD standards for verifying the competence and integrity of contractors and subcontractors, minimizing data and system access, and ensuring the security, confidentiality and integrity of such data and systems.
     • Fully cooperate with ITD, including ITD requests for information, in connection with ITD’s fulfillment of its responsibilities

  14. ITD and the CIO: Authority and Oversight
     • The CIO shall have the authority, re: Electronic Security Plans (ESPs) (NOT agencies’ entire Information Security Program), to:
       • Issue guidelines, standards, and policies about the development, implementation and maintenance of ESPs;
       • Require that agencies submit ESPs to ITD for review
       • Specify when agencies must submit supplemental or updated ESPs
       • Establish and oversee periodic self-audit reporting requirements (but must require self-audit no less than annually). Self-audits are against
         • ITD standards
         • ESPs
         • Federal and state privacy and security laws [presumably only e-related]
       • Conduct reviews to assess agency compliance
       • Issue an M.G.L. c. 93H “report to ITD” policy
     • How is this authority enforced?
       • With approval of ANF, determine remedial action for non-compliant agencies and impose terms and conditions on the agency’s IT related expenditures and IT capital funding

  15. ITD and the CIO: Authority and Oversight, cont.
     • Procurement:
       • Develop mandatory standards and procedures for agencies to follow before entering contracts that will allow third party access to personal data or personal information, or to systems containing such information
       • Draft mandatory ITD standards for verifying the competence and integrity of contractors and subcontractors, minimizing data and system access, and ensuring the security, confidentiality and integrity of such data and systems.*
       • Draft, with OSC and OSD, contract provisions* including certification that the contractor has
         • Reviewed and will comply with information security programs, plans, guidelines, standards and policies
         • Communicated and will enforce those provisions against its subcontractors
         • Implemented any other reasonable and appropriate measures to protect personal information
     * To be provided as handouts today

  16. Enterprise Security Board
     • The Enterprise Security Board (ESB) has operated for 7 years solely at ITD’s discretion
     • EO 504 gives legal footing to the ESB
       • Acts as a “consultative body to advise the CIO”
       • Advises the CIO in developing guidelines, standards and policies governing implementation of EO 504
     • The CIO shall determine the members and makeup of the ESB, but membership shall be drawn from
       • State employees from the Executive Department
         • Experience in IT, privacy, and security
       • Representatives from the Judicial and Legislative Branches
       • Other constitutional offices
       • Quasi-public authorities

  17. EO 504 Summary—What’s New?
     • Requirement for agency security officers (addressing both privacy and security) and a written information security program (including ESPs)
     • Requirement for an at least annual agency ESP self-audit, sent to ITD
     • Additional ANF/ITD authority over agency IT spending based on agency compliance with the ESP self-audit
     • Less uncertainty regarding ESB survival in the future
     • Focus on data destruction (also required under G.L. c. 93I)
     • Agencies must give full cooperation, and information, to ITD
     • Procurement related standards and procedures (vendor certification plus pre-contract procedures)

  18. Due Dates as Per EO 504
     Due Date: Today
     • Start using the EO 504 ITD Mandatory Procurement Standards and Procedures for all contracts solicited for IT solutions that involve personal information or personal data.
     • Appoint an Agency Information Security Officer (ISO)
     Due Date: January 1, 2009
     • Ensure the EO 504 Vendor Certification is included in all contracts involving personal information or personal data (may be on the Standard Contract Form by January 1, 2009)
     Due Date: September 18, 2009
     • Create an Information Security Program (including an ESP)
       • Draft and write the ISP and ESP
       • Have the Agency Head and ISO certify the ISP
       • Submit the ESP to ITD for review
     • Train agency head, managers, supervisors and employees (including contract employees) on your plan (use training materials from December 2008 and other templates that become available in Spring 2009)
     • Submit first self-audit to ITD
     Thereafter
     • Submit self-audits as required by ITD, but at least annually

  19. Suggested Tasks and Timeline to Meet Due Dates of EO 504
     December 2008
     • Start using the EO 504 ITD Mandatory Procurement Standards and Procedures for all contracts solicited for IT solutions that involve personal information or personal data.
     • Appoint an Agency Information Security Officer (ISO)
     January 2009
     • January 1, 2009: Ensure the EO 504 Vendor Certification is included in all contracts involving personal information or personal data (may be on the Standard Contract Form by January 1, 2009)
     • Train top level management on general EO 504 provisions (feel free to use these training materials)
     • Start work on the agency security/privacy matrix
     March 2009
     • Obtain tools developed by the ESB and provided by ITD (e.g. templates for the ESPs, guidelines for self-audits, other policies and guidelines developed by the ESB and provided by ITD to agencies)
     Between April and June 2009
     • Create an Information Security Program (including an ESP)
     • Have the Agency Head and ISO certify the ISP
     • Submit the ESP to ITD for review and approval
     • Obtain ITD’s approval of the ESP (ITD will have 10 business days to review, accept or reject the ESP)
     Between June 2009 and September 2009
     • Train agency head, managers, supervisors and employees (including contract employees) on your agency’s ISP (use training materials from December 2008, the agency ISP, and other templates that become available in Spring 2009 for ISP training)
     • Perform self-audit against the ESP
     • Submit first self-audit to ITD
     Thereafter
     • Submit self-audits as required by ITD, but at least annually

  20. Helping your Agency Comply
     • Tomorrow’s tools
       • Template for ISP
       • Template for ISP self-audit
     • Today’s tools:
       • EO 504 Checklist (previous slide)
       • Model Security Matrix
       • Certification language
       • ITD EO 504 Pre-Contract Procurement Procedures

  21. Agency Security Matrix (example)

  22. Office of the Comptroller: Standard Contract Form Updates
     • The Standard Contract Form is being updated to include the required Executive Order 504 language in the “Certifications” section of the Instructions.
     • The new form must be used as of January 1, 2009 for all contracts.

  23. What if an Executive Department conducted a procurement referencing the current form?
     • The current Standard Contract Form may be used; however, Executive Departments must have the Contractor sign the “Executive Order 504 Certification Form” IF the Contractor will have access to personal information or personal data as those terms are defined under G.L. c. 93H and c. 66A, or to systems that contain such information or data.

  24. Do I have to include the Executive Order 504 Certification Form as part of my Procurements?
     • No. If you are using the new version of the Standard Contract Form, OR if the Contract does not involve access to personal information or data or systems that contain personal information or data.
     • Yes. If you are not using the new version of the Standard Contract Form AND if the Contractor will have access to personal information or data or systems that contain personal information or data.

  25. Will the Executive Order 504 Language apply to non-Executive Departments?
     • No. The Executive Order 504 language applies solely to Executive Department contracts.
     • However, generic language is being added to the Certification Section to remind ALL Contractors of their broad duty to protect the physical security of, and restrict access to, all Department data (including the Department’s public records, documents, files, software, equipment or systems) that the Contractor may have access to under the Contract.

  26. Ask for Help
     Use Resources You Have
     Use the Tools Provided by ITD and the ESB, and Participate with the ESB if Possible
     Linda Hamel, ITD, 617 626 4404
     Stephanie Zierten, ITD, 617 626 4698
     Jenny Hedderman, OSC (Contract Questions), 617 973 2656
