Information Security Audits Lessons Learned THE LOCAL CHILD SUPPORT AGENCY PERSPECTIVE
Large County Perspective San Bernardino County DCSS ✷ 125,000 cases ✷ Three offices Two court locations ✷ 430 staff
Small County Perspective El Dorado County DCSS ✷ 7500 cases ✷ Two offices Two court locations ✷ 67 staff
Preparation for Information Security Review “Internal Safeguard Review” Checklist ✷ Guide for ensuring compliance with information security requirements ✷ Checklist was provided to the department prior to the review
Preparation for Information Security Review (cont’d) Functional areas impacted: ✷ Facilities ✷ Security Process ✷ Records Management ✷ Case Management Practices ✷ Policies and Procedures ✷ Employee Awareness ✷ Information Technology
Preparation for Information Security Review (cont’d) Plan: ✷ Assess current level of compliance ✷ Identify any improvements needed ✷ Establish timeline ✷ Communicate with deputy directors and managers ✷ Monitor process to ensure required improvements are implemented
Preparation for Information Security Review (cont’d) Large County Issues: ✷ Coordinating with several deputy directors and managers, working in different office locations ✷ Delegation of administrative and Information Technology functions ✷ Ensuring consistent communication throughout the organization ✷ Updating multiple procedures ✷ Time-frames to implement necessary changes
Preparation for Information Security Review (cont’d) Small County Issues: ✷ No one held responsible for security. Information was outdated and spread out all over two offices. ✷ No one had time to participate and be primarily responsible for preparing the security questionnaire. ✷ Procedures had to be written – MANY were non-existent. ✷ Changes took time and several requests for postponement took place.
Preparation for Information Security Review (cont’d) Review Team Members: ✷ Deputy Directors ✷ Administrative Manager and staff ✷ Operations Managers ✷ Program Specialists (Policy Team) ✷ Staff Analyst ✷ Information Technology Manager
Preparation for Information Security Review (cont’d) Preparation for Review ✷ Coordinated with Review Team ✷ Implemented needed refinements ✷ Prepared/updated policies and procedures ✷ Assembled binders with required documents for DCSS reviewers ✷ Verified implementation of changes
Review Site Review ✷ Entrance Conference ✷ Tour of Loma Linda office ✷ Tours of other facilities ✷ Ongoing discussions with DCSS reviewers ✷ Exit Conference ✷ DCSS Letter of Findings
Small County Review Site Review ✷ Director met with Auditor/Review Staff from DCSS ✷ Toured Placerville office ✷ Questions regarding other offices ✷ Delivered binder including all documents ✷ Exit Conference
Challenges San Bernardino Information Security Challenges: ✷ Updated scans needed ✷ Different information security requirements (State vs. County) ✷ Policies needed to be updated ✷ Logs completed, but did not meet standard set by Information Security Manual (ISM)
Challenges El Dorado Challenges: ✷ Many security/key issues ✷ Building remodeling needed ✷ New contracts and access agreements with third parties such as janitorial, shred contract, etc. ✷ Many policies needed to be re-written – or written ✷ Shortened time for “time outs.” Purchased fingerprint reader – single signons
Ensuring Continued Compliance ■Developing administrative policies and procedures to advise staff of department expectations and their own responsibilities regarding information security ■Establishes timeline for periodic reviews to ensure continuing compliance ✷ Key/badge logs ✷ Floor plans ✷ Visitor logs ✷ Incident logs ✷ Policies and Procedures ✷ “Walking Around” reviews ✷ Document destruction invoices