Presentation on theme: "SL21 Information Security Board Mission, Goals and Guiding Principles."— Presentation transcript:
Slide 1: Information Security Board Mission, Goals and Guiding Principles

Slide 2: Mission
Assist agency management with implementing and maintaining a sound information security program consistent with industry best practices and compliant with state policies.
Slide 3: Goals
1. Implement policies, procedures, and processes to ensure the information security objectives of confidentiality, integrity, and availability are met.
2. Comply with all statewide information security policies, and identify and implement best practices when practical.
3. Work effectively with partners (DAS, vendors, etc.) to ensure information security objectives are met.
4. Be proactive in identifying and mitigating risks to information as they emerge; when a potential breach does occur, react immediately to investigate and take appropriate action.
5. Raise user awareness of information security by establishing regular training and information security communications.
6. Develop and implement metrics to track the progress of the information security program.

Slide 4: Information Security Guiding Principles
1. We understand that information security affects us all daily.
2. We approach information security in layers.
3. We grant access based on "least privilege" and "roles" where appropriate.
4. We are fiscally responsible.
5. We strive for simplicity over complexity.
6. We lean toward "buy" versus "build".
7. We strive to implement best practices as appropriate.
8. We weigh the benefits of "open" versus "commercial" sourced software.
9. We adopt industry "standards" where appropriate.
10. We use risk management as a tool in decision making.
11. We strive to use existing infrastructure where feasible.
Slide 5: Strategies for Goal 1
Implement policies, procedures, and processes to ensure the information security objectives of confidentiality, integrity, and availability are met.
– Develop information security goals and objectives.
– Implement policies, procedures, and processes. For example:
  – Completed:
    » Acceptable Use policy.
    » Personal Use of State Resources policy.
    » Security Breach Response Team.
  – In process:
    » Data Classification policy.
    » Information Handling Standards.
    » Information Security Plan.
  – Planning:
    » Incident Response policy.

Slide 6: Strategies for Goal 2
Comply with all statewide information security policies, and identify and implement best practices when practical.
– Identify the statewide policies the agency must comply with. For example:
  – ORS 646A.600 through 646A.628: Oregon Consumer Identity Theft Protection Act.
  – ORS 192: Records; Public Reports and Meetings.
  – ORS 182.122: State Administrative Agencies.
  – OAR 125-800-0005 through 0020: State Information Security.
  – DAS policy 107-004-052: Information Security.
– Develop a suitable set of information security best practices. For example:
  – Deploy encryption technologies to portable computing and storage devices.
  – Deploy endpoint management technologies to help prevent data loss.
– Develop information security standards and guidelines. For example:
  – Develop data handling standards.

Slide 7: Strategies for Goal 3
Work effectively with partners (DAS, vendors, etc.) to ensure information security objectives are met. For example:
– Participate on the statewide Information Security Council (assigned: Jason Stanley and Clint Christopher).
– Share appropriate information with other state agencies and private organizations.
Slide 8: Strategies for Goal 4
Be proactive in identifying and mitigating risks to information as they emerge; when a potential breach does occur, react immediately to investigate and take appropriate action. For example:
– Develop an information security incident response team.
– Revise the Security Breach Incident Response process to include incident response.
– Develop an enterprise risk management program.

Slide 9: Strategies for Goal 5
Raise user awareness of information security by establishing regular training and information security communications. For example:
– Develop articles to be published in the PERC and Espresso.
– Maintain an intranet site for information security.
– Develop agency-wide email on "hot topics."
– Develop information security awareness training using iLearnOregon and other tools.

Slide 10: Strategies for Goal 6
Develop and implement metrics to track the progress of the information security program. For example:
– Awareness:
  – Do security walkthroughs for workstations "not locked" and compare with previous walkthroughs.
  – Develop scenario-based testing.
– Incidents:
  – How many security breaches occurred?
– Prevention:
  – How many workstations and servers have "up-to-date" patches?
  – How many viruses have been detected?
– Compliance:
  – Security findings by severity (high, medium, low), open versus closed.
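The slide lists the metric categories but not how to compute them. The script below is an added example, not part of the presentation or the agency's tooling: it computes each of the four categories (awareness, incidents, prevention, compliance) from small constructed datasets embedded inline. The 30-day patch grace window, the "breach" versus "event" incident classification, and all host, finding and walkthrough records are assumptions made for illustration.

```python
"""Information security program metrics (added example with constructed data)."""
from collections import defaultdict
from datetime import date, timedelta

# Assumption for illustration: a host is "up-to-date" if it has applied the newest
# available patch, or if that patch is still within a 30-day grace window.
PATCH_GRACE = timedelta(days=30)

# --- Constructed sample inputs (hypothetical, not real agency data) -----------
# Awareness: workstation -> locked? as observed during each security walkthrough.
WALKTHROUGHS = {
    date(2010, 3, 1): {"WS-01": True, "WS-02": False, "WS-03": False, "WS-04": True},
    date(2010, 6, 1): {"WS-01": True, "WS-02": True, "WS-03": False, "WS-04": True},
}
# Incidents: (date, summary, classification). Only "breach" counts toward the metric.
INCIDENTS = [
    (date(2010, 1, 14), "laptop lost in transit, drive not encrypted", "breach"),
    (date(2010, 2, 3), "phishing email reported, no credentials entered", "event"),
    (date(2010, 4, 22), "USB drive with client records misplaced", "breach"),
]
# Prevention: (host, role, newest patch applied, newest patch available).
HOSTS = [
    ("ws-101", "workstation", date(2010, 5, 20), date(2010, 5, 11)),
    ("ws-102", "workstation", date(2010, 2, 9), date(2010, 5, 11)),
    ("ws-103", "workstation", date(2010, 5, 11), date(2010, 5, 11)),
    ("srv-01", "server", date(2010, 4, 13), date(2010, 5, 11)),
    ("srv-02", "server", date(2010, 5, 12), date(2010, 5, 11)),
]
AV_DETECTIONS = [("ws-102", "Trojan.Generic"), ("ws-102", "Adware.Sample"), ("srv-01", "EICAR-Test")]
# Compliance: (finding id, severity, status).
FINDINGS = [
    ("F-1", "high", "open"), ("F-2", "high", "closed"), ("F-3", "medium", "open"),
    ("F-4", "medium", "closed"), ("F-5", "low", "closed"), ("F-6", "low", "closed"),
]


def unlocked_rate(observations):
    """Fraction (0.0-1.0) of observed workstations found unlocked."""
    return sum(1 for locked in observations.values() if not locked) / len(observations)


def awareness_trend(walkthroughs):
    """[(date, unlocked rate, change since previous walkthrough)], oldest first."""
    trend, previous = [], None
    for when in sorted(walkthroughs):
        rate = unlocked_rate(walkthroughs[when])
        trend.append((when, rate, 0.0 if previous is None else rate - previous))
        previous = rate
    return trend


def breach_count(incidents, year):
    """Number of incidents classified as a breach in the given year."""
    return sum(1 for when, _, kind in incidents if kind == "breach" and when.year == year)


def is_current(applied, available, today):
    """Up-to-date if the newest patch is applied, or its grace window has not expired."""
    return applied >= available or today - available <= PATCH_GRACE


def patch_currency(hosts, today):
    """Per role: (hosts with up-to-date patches, total hosts)."""
    tally = defaultdict(lambda: [0, 0])
    for _, role, applied, available in hosts:
        tally[role][1] += 1
        if is_current(applied, available, today):
            tally[role][0] += 1
    return {role: tuple(counts) for role, counts in tally.items()}


def detections_by_host(events):
    """Virus detections per host; repeat offenders stand out for follow-up."""
    tally = defaultdict(int)
    for host, _ in events:
        tally[host] += 1
    return dict(tally)


def findings_summary(findings):
    """Open versus closed findings, grouped by severity."""
    summary = {}
    for _, severity, status in findings:
        summary.setdefault(severity, {"open": 0, "closed": 0})[status] += 1
    return summary


def program_report(today):
    """All four metric categories from the slide in one structure."""
    return {
        "awareness": awareness_trend(WALKTHROUGHS),
        "incidents": breach_count(INCIDENTS, today.year),
        "prevention": {"patches": patch_currency(HOSTS, today),
                       "detections": detections_by_host(AV_DETECTIONS)},
        "compliance": findings_summary(FINDINGS),
    }


if __name__ == "__main__":
    for category, value in program_report(date(2010, 7, 1)).items():
        print(f"{category}: {value}")
```

Running the report for a later date shows why the grace window matters: on 25 May 2010 every host still counts as current, while by 1 July the window has closed and only hosts that actually applied the May patch are counted. Trend data (the delta column in the awareness metric) is what lets a board see whether the walkthroughs and training are changing behaviour, rather than just reporting a single count.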