Presentation on theme: "January 10, 2008www.infosecurity.ca.gov/1 Role, Responsibility and Authority of New Office Presented by Colleen Pedroza, State Chief Information Security."— Presentation transcript:
January 10, 2008www.infosecurity.ca.gov/1 Role, Responsibility and Authority of New Office Presented by Colleen Pedroza, State Chief Information Security Officer
January 10, 2008www.infosecurity.ca.gov/2 Effective January 1, 2008, the California State Information Security Office joined forces with the California Office of Privacy Protection, creating the new Office of Information Security and Privacy Protection. The new Office reports to the State and Consumer Services Agency. For more details, see Senate Bill 90.Senate Bill 90 Overview
January 10, 2008www.infosecurity.ca.gov/3 Office Overview Office of Privacy Protection Executive Officer Office of Information Security Consumer Focused Consumer Assistance Information & Education Best Practice Recommendations Government Focused Policy, Standards, Guidance Assistance & Advice Education & Awareness Compliance Monitoring State and Consumer Services Agency
January 10, 2008www.infosecurity.ca.gov/4 Immediate Changes There are some exciting new changes Name Change - Office of Information Security Newly Designed Web Site - Public Address - Physical address and phone numbers will remain the same for now
January 10, 2008www.infosecurity.ca.gov/5 Web Site
January 10, 2008www.infosecurity.ca.gov/6 Statewide Information Management Manual (SIMM) Documents –SIMM 65/70 series, 145 will remain with us –Other SIMM products will go to OCIO Policy Communication Channel –Management Memos will release new policies –Budget Letters to remain at Finance Document Ownership
January 10, 2008www.infosecurity.ca.gov/7 What Will Our Office Do? This will be accomplished through a number of efforts, which include: Issuing security and privacy policies and standards Providing guidance and assistance to state agencies Providing training and awareness tools to ensure the state workforce understands its responsibility for good security and privacy habits Conducting or directing compliance reviews, assessments and audits to ensure state agencies are diligent in achieving compliance with laws, policies, and best practice standards Continue to provide leadership and guidance to state government to ensure the confidentiality, integrity and availability of state information assets.
January 10, 2008www.infosecurity.ca.gov/8 Governance Our Office will be: Establishing an ongoing process for developing, vetting, and approving statewide security and privacy policies Establishing a policy committee involving key stakeholders, such as: –SCIO, Agency IOs, CHP, DGS, CalOHI, Legal, DTS, DPA, Finance, and department representation Envision –Policy adoption will occur at the Cabinet level –Agencies would develop a similar governance structure for their departments
January 10, 2008www.infosecurity.ca.gov/ Year of Compliance Certification Filings –Designation Letter (SIMM 70A) –Risk Management and Privacy Program Compliance (SIMM 70C) Due January 31 st of each year or when changes occur Operational Recovery Plan/Certification (SIMM 70B) –ORP Transmittal Letter (SIMM 70D) – New! See Schedule Submission Agency Security Incident Report (SIMM 65A) Due within 10 business days following the incident
January 10, 2008www.infosecurity.ca.gov/10 Review/Assessment What we look for- Are forms complete and properly signed? Designation Letter –Updates distribution and emergency contact lists Program Compliance Certifications –Has agency certified programs/plans are in place? –If not, is remediation plan provided and acceptable (activities, timeline, etc.)? –If yes, schedule for compliance review ORPs –Accompanied by Agency Transmittal Letter (new) –Are there inter-agency dependencies and have these been addressed? –Does it meet the SIMM 65A requirements? –Is a cross reference map included? Incident Reports –Have costs and corrective actions been identified? –Do costs and corrective actions seem reasonable?
January 10, 2008www.infosecurity.ca.gov/11 Follow-up Process If an agency hasnt submitted forms/plan or asked for extension: 1.Reminder to department ISO and CIO 2.Notification to department director and copy to ISO and CIO 3.Notification to departments Agency and copies to ISO, CIO, director and SCIO
January 10, 2008www.infosecurity.ca.gov/12 Requirements for State Agencies Pursuant to Government Code all must comply with policies and filing requirements issued by OISPP
January 10, 2008www.infosecurity.ca.gov/13 Compliance Authority & Monitoring We are required to notify the SCIO when an agency is not in compliance We may conduct compliance reviews We may conduct or require an independent security assessment at the agencys expense We may require an audit at the agencys expense
January 10, 2008www.infosecurity.ca.gov/14 Consequences May impact agencys: –IT Projects or IT Project funding Denial, suspension, or termination –Delegated IT Procurement Cost Thresholds Reduction or elimination
January 10, 2008www.infosecurity.ca.gov/15 Happy New Year! A new year A new office Many new opportunities or many new challenges Its all how we choose to look at it!
January 10, 2008www.infosecurity.ca.gov/16 Questions?
January 10, 2008www.infosecurity.ca.gov/17 Office Updates ORP-COOP/COG Alignment Update SAM/SIMM Restructure New/Revised SIMM Forms and Instructions Presented by Rosa Umbach
January 10, 2008www.infosecurity.ca.gov/18 ORP-COOP/COG Alignment Publication of Workgroup Products –Revised SIMM 65A Instructions –New SIMM 70D –Definitions –Internal Checklist (coming soon) Pending –Working with OES COOP/COG definitions Updating of the COOP/COG Instructions
January 10, 2008www.infosecurity.ca.gov/19 SAM/SIMM Restructure Phase I – Restructure SAM –Working with DGS to publish in SAM –Developing Management Memo for releasing new structure Phase II – Perform Policy Gap Analysis Phase III – Prioritize and begin establishing new policy
January 10, 2008www.infosecurity.ca.gov/20 SAM Restructure
January 10, 2008www.infosecurity.ca.gov/21 SAM Restructure (Continued)
January 10, 2008www.infosecurity.ca.gov/22 Revised SIMM Forms Agency Designation Letter (SIMM 70A) –Director can identify individual to sign as designee Agency Operational Recovery Plan Certification (SIMM 70B) –New Office Name Agency Risk Management and Privacy Program Compliance Certification (SIMM 70C) –Certifies full Risk Management Program is in place or the Agency provides remediation plan to become compliant.
January 10, 2008www.infosecurity.ca.gov/23 SIMM 70A
January 10, 2008www.infosecurity.ca.gov/24 SIMM 70C
January 10, 2008www.infosecurity.ca.gov/25 Risk Management Certification Remediation Plan should include: –List of activities which the agency is not yet compliant with –Timeline for completing each activity –Method for validation of completion –Method of verification of compliance –Contact for remediation plan
January 10, 2008www.infosecurity.ca.gov/26 NEW SIMM Form Agency Operational Recovery Plan Transmittal Letter (SIMM 70D)
January 10, 2008www.infosecurity.ca.gov/27 Questions?