Title: Developing and Implementing Best-Practice Solutions for Security and Privacy Issues Across County Agencies
- Ralph Johnson
- Chief Information Security and Privacy Officer
- King County, Washington
Ralph Johnson, CISSP, HISP, CISM, CIPP/US
- Chief Information Security and Privacy Officer, King County, Washington
- Past Governance Board President, Holistic Information Security Practitioner Institute (HISPI)
- Member, MS-ISAC Executive Committee
- Co-Chair, MS-ISAC Education and Awareness Committee
- Member, MS-ISAC Trusted Purchasing Alliance Product Review Board
- Former Adjunct Instructor, ITT Technical Institute, Seattle
October
Halloween
King County, Washington
- Population 2,044,000
- 13th most populous county in the United States
- Employees 13,000
- 428 IT Staff (Executive Branch)
- 2 Information Assurance Staff
Critical Success Factors for Information Security
- Security Policy: security policy, objectives and activities that are aligned with business objectives.
- Framework: an approach and framework for designing, implementing, monitoring, maintaining and improving security consistent with the organization's culture.
- Management Support: visible support and commitment from all levels of management, especially top management.
- Risk Management: an understanding of information asset protection requirements achieved through an application of information security risk management.
- Training: an effective information security awareness training and education program informing all employees and relevant parties of their information security obligations set forth in the information security policies and standards and motivating them to act accordingly.
- Incident Management: an effective information security incident management process.
- Business Continuity Management: an effective business continuity management approach.
- Metrics: a measurement system used to evaluate performance in information security management and feed back suggestions for improvement.
Challenges to Success of Information Security in Government
- Legacy organizational structures
- Separation of powers
- Changes in elected officials
- Public Disclosure/Freedom of Information (FOIA)
- Information Security is more than just information stored in electronic format.
- Established policies and procedures for paper records
- IT focuses on information in electronic format
- Information Security reports to IT
- Fragmented across departments/agencies
Why Should We Even Meet The Challenges?
- Information is currency.
- We have a duty of care to protect the information in the hands of governments.
- Our residents expect us to protect information.
- There are no neighborhoods, time zones or borders in cyberspace.
- No single entity is solely responsible for securing the Internet.
- If we are to maximize the convenience, speed, and future potential of a digital society, we must protect the resource that makes it possible.
Meeting the Challenges
- IT Organizational Structure
- Governance
- Collaboration and Communication
Organizational Structure
Organizational chart (from slide): the Electorate of King County elects the County Sheriff, County Assessor, County Council (9 Council Members), Elections, County Executive, Prosecuting Attorney, District Court (25 Judges) and Superior Court (53 Judges). Each independently elected office and court runs its own IT shop (between 2 and 12 IT staff each in the chart). The chart also lists the Office of Economic and Financial Analysis, Clerk of the Court, Public Health, Transportation, Adult and Juvenile Detention, Judicial Administration, Public Defense, Information Technology, Community and Human Services, Permitting and Environmental Review, Executive Services, and Natural Resources and Parks; the 428 IT staff of the Executive Branch sit under Information Technology, together with Information Assurance and the Office of the CIO.
Department of Information Technology (KCIT): Our Service Model
Service model (org chart, from slide):
- Leadership: Chief Information Officer / Department Director; Deputy Chief Information Officer; Enterprise Business Services; Operations
- Business and support functions: Finance, Human Resources, IT Governance, Strategic Planning, Communications, Regional Services, KCIT Internal Services, Information Assurance
- Service lines: Production Operations, Network Services, Customer Solutions Service, Business Solutions Service, Business Analysis Service, Engineering and Architecture Service, E-Government Service, PMO Service
- Service Delivery Managers (SDMs) assigned to: Public Defense, Executive Services, Community and Human Services, Natural Resources and Parks, Public Health, Permitting and Environmental Review, Transportation, Adult and Juvenile Detention
King County IT Governance
Strategic Advisory Council
- Acts in an advisory capacity to the King County Executive in developing long-term strategic objectives and planning and implementing for information technology deployment countywide.
- Chair: King County Executive
- Membership
- King County Executive
- 2 representatives of the King County Council
- King County Sheriff
- King County Prosecuting Attorney
- King County Assessor
- King County Elections Director
- King County Chief Information Officer
- Presiding judge of King County Superior Court
- Presiding judge of King County District Courts
- 3 to 5 external advisors from the private and public sectors
Business Management Council
- Acts in an advisory capacity to the county's Chief Information Officer in carrying out duties related to:
- Developing short-term, mid-term and strategic objectives for information technology countywide
- Recommending information technology proposals for funding
- Developing standards, policies and guidelines for implementation.
- Chair: Chief Information Officer
- Membership
- King County CIO and agency deputy directors or business managers designated by each agency's director
Technology Management Board
- Acts in an advisory capacity to the county's Chief Information Officer on technical issues including:
- Policies and standards for information security, applications, infrastructure and data management.
- Chair: Chief Information Officer
- Membership
- King County CIO and agency information technology directors or managers designated by each agency's director and familiar with that agency's technology needs and operations.
Project Review Board
- Acts in an advisory capacity to the county's Chief Information Officer in implementing the project management guidelines developed by the central information technology project management office.
- Chair: Chief Information Officer
- Membership
- King County CIO, the Deputy County Executive, the Director of the Office of Performance, Strategy and Budget, and the Director of the Department of Executive Services.
IT Security Leads (TMB Security Sub-Team)
- Information Assurance (Chief Information Security and Privacy Officer)
- Independently Elected (and court agencies): County Assessor, District Court, County Council, Superior Court, Elections, County Sheriff, Prosecuting Attorney, Judicial Administration
- KCIT Services: Production Operation Service, Network Services, Customer Support Service, Engineering and Architecture Service, E-Government Service, PMO Service, Human Resources, Finance, Business Solutions Services, IT Governance, Strategic Planning, Business Analysis Service, Communications
KCIT Inter-Agency Collaboration
- Participants: OCIO Management Team Members, the Deputy Chief Information Officer, Service Delivery Managers and KCIT Liaisons
- Agencies: County Assessor, County Executive, District Court, Public Defense, Executive Services, County Council, Superior Court, Community and Human Services, Natural Resources and Parks, Information Technology, Elections, County Sheriff, Public Health, Permitting and Environmental Review, Prosecuting Attorney, Transportation, Adult and Juvenile Detention, Judicial Administration
Project Steering Committees
- The key body within the governance structure that is responsible for the business issues associated with the project which are essential to ensuring the delivery of the project outputs and the attainment of project outcomes.
Incident Response
- Major Incident Response Process
- Security Incident Response Process
- Incident Analysis
- Containment and Eradication
- Recovery
- Post Incident Activities
Sometimes we need to jump back to an earlier step.
Change Management
- Change Advisory Board
- Meets weekly
- Coordinated by Production Operations Service Owner
- Chaired by volunteers
- Chair rotates every 6 months
- Change categories: Change Moratorium, Major Changes, Minor Changes, Routine Changes, Emergency Changes
KCIT Countywide Services
- Endpoint Security
- Vulnerability Management
- Datacenter
- E-Mail
- Mobile Device Management
- Network Infrastructure
- Server Virtualization
- Cloud (Amazon Web Services)
- SharePoint/Office 365
Information Security is an Organization-Wide Issue
Who is ultimately Responsible for Information
Security?
Everyone
Contact Information
Ralph Johnson, Chief Information Security and Privacy Officer, King County, Washington
ralph.johnson_at_kingcounty.gov
206-263-7891
Multi-State Information Sharing and Analysis Center, Center for Internet Security
andrew.dolan_at_cisecurity.org
(518) 880-0699