Information Asset Classification Communications Forum

1
Information Asset Classification Communications Forum
  • Theresa A. Masse, State Chief Information
    Security Officer
  • Department of Administrative Services, Enterprise
    Security Office

2
Agenda
  • Policy Overview
  • Community of Practice Update
  • Enterprise Information
  • Agency Plan
  • Methodology and Agency Plan
  • Clearinghouse and QA
  • Wrap up

3
Policy - Overview
  • Information will be classified and managed based
    on its confidentiality, sensitivity, value and
    availability requirements.
  • Identify an Information Owner or Owners
  • Owner responsible for
    • Initial classification
    • Decisions regarding information management
    • Review and reclassification if appropriate
    • Proper retention and disposal
  • Statewide information
  • Agency information

4
Policy Classification Levels
  • Level 1, Published - Low-sensitivity information;
    disclosure will not jeopardize the privacy or
    security of agency employees, clients and partners.
    • Examples: Press releases, brochures, pamphlets,
      public access Web pages, and materials created
      for public consumption.
  • Level 2, Limited - Sensitive information;
    disclosure may jeopardize the privacy or security
    of agency employees, clients and partners.
    • Examples: Enterprise risk management planning
      documents, published internal audit reports,
      names and addresses that are not protected from
      disclosure.

5
Policy Classification Levels
  • Level 3, Restricted - Sensitive information;
    unauthorized access could result in financial
    loss or identity theft.
    • Examples: Network diagrams, personally
      identifiable information, other information
      exempt from public records disclosure.
  • Level 4, Critical - Extremely sensitive
    information; disclosure has the potential to
    cause major damage or injury.
    • Examples: Information whose disclosure could
      result in loss of life, disability or serious
      injury; regulated information with significant
      penalties for unauthorized disclosure;
      information that is typically exempt from
      public disclosure.

6
Policy - Compliance Time Line
  • Plan developed by June 30, 2009
  • Level 4 identified and protected by December 31,
    2009
  • All other policy provisions completed by June
    30, 2010
  • Note: Agencies are required to comply with the
    Oregon Consumer Identity Theft Protection Act
    (Senate Bill 583, 2007 Legislative Session)

7
Community of Practice and DHS Approach
  • Kyle Miller
  • Department of Human Services

8
Community of Practice
  • Membership Representatives
    • Human Services
    • Consumer and Business Services
    • Forestry
    • Corrections
    • Transportation
    • Education
    • Administrative Services

9
Community of Practice
  • Goals
    • Methodology document that contains best
      practices and links to tools and resources
    • Best practices for classification
    • Elements of information asset management
    • Recommendations for user awareness
    • Recommendations regarding policy

10
DHS Approach
  • Survey approach
  • Information exchange
  • Forms development
  • Other Initiatives

11
Enterprise Information
  • Bret West
  • Department of Administrative Services

12
Enterprise Information
  • What enterprise information does DAS own?
    • HR
    • Payroll
    • Financial
    • Contracts
    • DAS-owned facilities
    • State network
    • Others

13
Enterprise Information
  • What does ownership mean?
    • DAS is responsible for determining
      classification levels
    • DAS is responsible for communicating
      classification levels to stakeholders
    • Ownership rests with DAS until information is
      transferred to another agency
    • At that point, agencies will be responsible for
      ensuring security

14
Enterprise Information
  • What does ownership mean?
    • Business partners (in this case DAS divisions)
      are responsible for classifying information
      assets
    • This is not a technology issue!

15
Enterprise Information
  • Example: Statewide Financial Management
    Application Data
    • The application itself will be classified at
      Level 4
    • The combination of data elements puts the state
      and individuals at risk
    • Specific elements or reports will be classified
      according to the statewide policy guidelines

16
Enterprise Information
  • Example: Statewide Financial Management
    Application Data (continued)
    • Specific elements or reports will be classified
      according to the statewide policy guidelines
    • Currently, SFMS staff have labeled reports
      confidential or not confidential based on the
      data included
    • Further work will be done to classify these
      reports according to the appropriate levels

17
Enterprise Information
  • When will the classifications be available?
  • Our goal is to have all Level 4 data classified
    by July 1, 2008
  • Our draft internal policy requires all Level 3
    data to be classified by January 1, 2009 and all
    Level 2 data classified by July 1, 2009.

18
ODOT'S SECURITY FABRIC: Addressing Information
Security
  • Lisa Martinez
  • Oregon Department of Transportation

19
Where do you begin?
  • Establish a First-Strike project team to
    develop your initial roll out strategy
  • Make sure you have the right blend of business
    and information technology representatives
  • Review and consolidate standards across all of
    the DAS Enterprise Information Security policies
    and Senate Bill 583
  • Develop a final draft of an agency-wide
    assessment tool to determine where your agency is
    in meeting, partially meeting, or not meeting the
    consolidated standards
  • Pilot tool in a few areas to gather information
    on resources and time required to assess across
    your agency

20
Where do you begin? (cont.)
  • Make sure you have the support and commitment of
    your agency Director and his/her direct reports
  • Provide enough information so they understand the
    work effort required by their managers and
    employees
  • Have them provide names of appropriate staff to
    assist on a project team
  • Make sure that you use them to reinforce agency
    commitment if you encounter problems

21
Where do you begin? (cont.)
  • Take time to understand how other initiatives
    underway in your agency interlace with
    Information Security
  • Can you demonstrate benefit to other initiatives
    with regard to information gathering, business
    process mapping, and similar tasks
  • Be willing to share information with other
    project teams
  • Don't overlook everyday work processes; they may
    be an easy opportunity to help with culture change

22
Where do you begin? (cont.)
  • Communicate to managers and employees why this
    initiative is important
  • Make it real by giving real life examples
  • Utilize internal communication tools such as
    newsletters, intranet pages, etc.
  • Acknowledge that this will take time and is not
    an overnight process
  • Consider an Information Security hotline
  • Identify Available Resources

23
ODOT Progress Report
  • First Strike Project Team established
    consisting of business and information technology
    staff and contracted project manager
  • Identified standards across policies and SB 583
  • Developing assessment tool, criteria to measure
    current state against standards, glossary of
    terms and background materials
  • Identified two business areas to pilot tool
  • Preparing presentation for Director and his
    direct reports to affirm support and commitment
    and solicit business resources

24
Identified Key Business Challenges and
Opportunities
  • Reduce Agency Risk
  • Potential to Improve Business Processes
  • Recognize and Develop Partnerships
  • Develop and Share Best Practices
  • Successful Implementation Results in Improved
    Agency Compliance
  • Reliant on Business Line Subject Matter Experts
  • Competes with Other Priorities
  • Undefined Roles and Responsibilities
  • Requires Routine Review and Assessment to Manage
    Risk
  • Identify Business Contacts for Each Division,
    Region, and Branch

25
Gather Requirements and Identify Gaps
  • Subject Matter Experts from Lines of Business
  • Project Team
  • Review Results
  • Rank Gaps Based on Risks and Priorities
  • Develop Blueprint of Implementation Plan

(Slide diagram; axis labels: High Opportunity, High
Risk, Low Opportunity, Low Risk)

26
Available Resources
  • Statewide Community of Practice (CoP) Workgroup
    on Information Assets Management Policy
    • Tool development
    • Information asset classification architecture
      methodology
    • Risk assessment tools
    • Communication tools
    • Will continue sharing process documents
  • Web site resource
  • ODOT IS Tech Management Research
    • Inventory and identify capabilities of current
      information security tools
    • Research capabilities of other security tools,
      for example data leakage
  • Business Line Best Practices

27
Information Asset Classification
  • John Koreski
  • Department of Corrections

28
Methodology
  • Information Asset Classification Methodology
    • Identify information assets
    • Identify the owner
    • Conduct an impact assessment
    • Determine the classification
    • Document classified information assets
    • Provide education and awareness
    • Maintain classification and conduct continuous
      review

29
Security
  • Organization Security
  • Legal Implications

30
Recommended Strategy to Implement the Office of
Legal Affairs
  • Phase 1 (12 mos.)
    • Identify LIO and PIOs 1/08
    • Create Training
    • Deliver Training 3/08
      • DOJ/DOC key staff
      • Management
      • Other impacted staff
    • Create Tracking Mechanisms
    • Establish Measures
    • Complete Phase 1 12/08

31
Recommended Strategy to Implement the Office of
Legal Affairs
  • Phase 2 (15 mos.)
    • Info. Asset Identification 4/08
    • Project Mgmt. Methodology
    • Archive E-Mail Project
    • Transporting Info. Assets Project
    • Complete Phase 2 6/09

32
Recommended Strategy to Implement the Office of
Legal Affairs
  • Phase 3 (18 mos.)
    • Begin Grant Admin. Strategy 7/09
    • Hire Info. Security Officer (ISO)
      • See handout for duties
    • Hire Records Officer (RO)
      • See handout for duties
    • Complete Phase 3 1/11

33
Recommended Strategy to Implement the Office of
Legal Affairs
  • Phase 4
    • Electronic Records Management
    • Enterprise Content Management
    • Timeline: approximately 1/11 - 7/11

34
Clearinghouse and Wrap Up
  • Theresa A. Masse, State Chief Information
    Security Officer
  • Department of Administrative Services, Enterprise
    Security Office

35
Policy Resources
  • A clearinghouse-type Web site with links to best
    practices and tools/templates
  • www.oregon.gov/DAS/EISPD/ESO/IAC.shtml

36
Thank You
  • Other Questions?
  • Contact
    • Eva.Doud@state.or.us 503-378-3071
    • Cinnamon.S.Albin@state.or.us 503-373-1496