Developing and Implementing Best-Practice Solutions for Security and Privacy Issues Across County Agencies - PowerPoint PPT Presentation

Slides: 24
Provided by: Holt170
Learn more at: http://www.ocita.org

Transcript and Presenter's Notes

Title: Developing and Implementing Best-Practice Solutions for Security and Privacy Issues Across County Agencies


1
Developing and Implementing Best-Practice
Solutions for Security and Privacy Issues Across
County Agencies
  • Ralph Johnson
  • Chief Information Security and Privacy Officer
  • King County, Washington

2
Ralph Johnson, CISSP, HISP, CISM, CIPP/US
  • Chief Information Security and Privacy Officer
    King County Washington
  • Past, Governance Board President, Holistic
    Information Security Practitioner Institute
    (HISPI)
  • Member, MS-ISAC Executive Committee
  • Co-Chair, MS-ISAC Education and Awareness
    Committee
  • Member, MS-ISAC Trusted Purchasing Alliance
    Product Review Board
  • Former, Adjunct Instructor ITT Technical
    Institute, Seattle

3
October
Halloween
4
King County, Washington
  • Population 2,044,000
  • 13th Most Populous County in the United States
  • Employees 13,000
  • 428 IT Staff (Executive Branch)
  • 2 Information Assurance Staff

5
Critical Success Factors for Information Security
  • Management Support: Visible support and commitment from all levels of
    management, especially top management.
  • Risk Management: An understanding of information asset protection
    requirements achieved through an application of
    information security risk management.
  • Security Policy: Security policy, objectives and activities that
    are aligned with business objectives.
  • Framework: An approach and framework for designing,
    implementing, monitoring, maintaining and
    improving security consistent with the
    organization's culture.
  • Training: An effective information security awareness
    training and education program informing all
    employees and relevant parties of their
    information security obligations set forth in the
    information security policies and standards and
    motivating them to act accordingly.
  • Incident Management: An effective information security incident
    management process.
  • Business Continuity Management: An effective business continuity
    management approach.
  • Metrics: A measurement system used to evaluate performance
    in information security management and feedback
    suggestions for improvement.

6
Challenges to Success of Information Security in
Government
  • Legacy organizational structures
  • Separation of powers
  • Changes in elected officials
  • Public Disclosure/Freedom of Information (FOIA)
  • Information Security is more than just
    information stored in electronic format.
  • Established policies and procedures for paper
    records
  • IT focusses on information in electronic format
  • Information Security reports to IT
  • Fragmented across departments/agencies

7
Why Should We Even Meet The Challenges?
  • Information is currency.
  • We have a duty of care to protect the information
    in the hands of governments.
  • Our residents expect us to protect information.
  • There are no neighborhoods, time zones or borders
    in cyberspace.
  • No single entity is solely responsible for
    securing the Internet.
  • If we are to maximize the convenience, speed, and
    future potential of a digital society, we must
    protect the resource that makes it possible.

8
Meeting the Challenges
  • IT Organizational Structure
  • Governance
  • Collaboration and Communication

9
Organizational Structure
Electorate of King County
County Sheriff
County Assessor
County Council
Elections
County Executive
Prosecuting Attorney
District Court
Superior Court
12 IT Staff
10 IT Staff
3 IT Staff
5 IT Staff
3 IT Staff
6 IT Staff
2 IT Staff
25 Judges
9 Council Members
53 Judges
Office of Economic and Financial Analysis
Clerk of the Court
Public Health
Transportation
Adult and Juvenile Detention
Judicial Administration
Public Defense
Information Technology
Community and Human Services
Permitting and Environmental Review
Executive Services
Natural Resources and Parks
4 IT Staff
428 IT Staff
Information Assurance
Office of the CIO
10
Department of Information Technology (KCIT) Our
Service Model
Chief Information Officer/ Department Director
Enterprise Business Services
Deputy Chief Information Officer
Operations
Finance
Information Assurance
Production Operations
SDM - Public Defense
SDM - Executive Services
PMO Service
Human Resources
IT Governance
Customer Solutions Service
Business Solutions Service
SDM - Community and Human Services
SDM - Natural Resources and Parks
Strategic Planning
Communications
Regional Services
E-Government Service
SDM - Public Health
SDM - Permitting and Environmental Review
KCIT Internal Services
Network Services
Business Analysis Service
SDM - Transportation
SDM - Adult and Juvenile Detention
Engineering and Architecture Service
11
King County IT Governance
12
Strategic Advisory Council
  • Acts in an advisory capacity to the King County
    Executive in developing long-term strategic
    objectives and planning and implementing for
    information technology deployment countywide.
  • Chair: King County Executive
  • Membership
  • King County Executive
  • 2 representatives of the King County Council
  • King County Sheriff
  • King County Prosecuting Attorney
  • King County Assessor
  • King County Elections Director
  • King County Chief Information Officer
  • Presiding judge of King County Superior Court
  • Presiding judge of King County District Courts
  • 3-5 External advisors from the private and public
    sectors

13
Business Management Council
  • Acts in an advisory capacity to the county's
    Chief Information Officer in carrying out duties
    related to:
  • Developing short-term, mid-term and strategic
    objectives for information technology countywide
  • Recommending information technology proposals for
    funding
  • Developing standards, policies and guidelines for
    implementation.
  • Chair: Chief Information Officer
  • Membership
  • King County CIO and agency deputy directors or
    business managers designated by each agency's
    director

14
Technology Management Board
  • Acts in an advisory capacity to the county's
    Chief Information Officer on technical issues
    including
  • Policies and standards for information security,
    applications, infrastructure and data management.
  • Chair: Chief Information Officer
  • Membership
  • King County CIO and agency information technology
    directors or managers designated by each agency's
    director and familiar with that agency's
    technology needs and operations.

15
Project Review Board
  • Acts in an advisory capacity to the county's
    Chief Information Officer in implementing the
    project management guidelines developed by the
    central information technology project management
    office.
  • Chair: Chief Information Officer
  • Membership
  • King County CIO, the Deputy County Executive, the
    Director of the Office of Performance, Strategy
    and Budget, and the Director of the Department of
    Executive Services.

16
IT Security Leads (TMB Security Sub-Team)
Production Operation Service
Independently Elected
County Assessor
District Court
KCIT Services
Network Services
Information Assurance (Chief Information Security
and Privacy Officer)
County Council
Superior Court
Customer Support Service
Engineering and Architecture Service
Elections
County Sheriff
E-Government Service
PMO Service
Human Resources
Finance
Business Solutions Services
IT Governance
Strategic Planning
Prosecuting Attorney
Judicial Administration
Business Analysis Service
Communications
17
KCIT Inter-Agency Collaboration
OCIO Management Team Members
County Assessor
County Executive
District Court
Public Defense
Executive Services
KCIT Liaisons
County Council
Superior Court
Community and Human Services
Natural Resources and Parks
Information Technology
Elections
County Sheriff
Public Health
Permitting and Environmental Review
Deputy Chief Information Officer
Service Delivery Managers
Prosecuting Attorney
Transportation
Adult and Juvenile Detention
Judicial Administration
18
Project Steering Committees
  • The key body within the governance structure,
    responsible for the business issues
    associated with the project that are essential to
    ensuring the delivery of the project outputs
    and the attainment of project outcomes.

19
Incident Response
  • Major Incident Response Process
  • Security Incident Response Process
  • Incident Analysis
  • Containment and Eradication
  • Recovery
  • Post Incident Activities

Sometimes we need to jump back
20
Change Management
  • Change Advisory Board
  • Meets Weekly
  • Coordinated by Production Operations Service
    Owner
  • Chaired by volunteers
  • Chair rotates every 6 months

Change Moratorium
Major Changes
Minor Changes
Routine Changes
Emergency Changes
21
KCIT Countywide Services
  • Endpoint Security
  • Vulnerability Management
  • Datacenter
  • E-Mail
  • Mobile Device Management
  • Network Infrastructure
  • Server Virtualization
  • Cloud (Amazon Web Services)
  • SharePoint/Office 365

22
Information Security is an Organization Wide Issue
Who is ultimately Responsible for Information
Security?
Everyone
23
Contact Information
Ralph Johnson
Chief Information Security and Privacy Officer
King County, Washington
ralph.johnson_at_kingcounty.gov
206-263-7891

Multi-State Information Sharing and Analysis Center
Center for Internet Security
andrew.dolan_at_cisecurity.org
(518) 880-0699