Data Privacy Point of Contact

About This Presentation

Title:

Data Privacy Point of Contact

Description:

... and operation of a malicious code. security program. Malicious Code is the most common ... All system assets need to be checked regularly for malicious code ... – PowerPoint PPT presentation

Number of Views:29

Avg rating:3.0/5.0

Slides: 70

Provided by: State7

Category:

more less

Transcript and Presenter's Notes

Title: Data Privacy Point of Contact

1
Data Privacy Point of Contact

Orientation Session

2
Agenda

Introduction Sol Bermann
Executive Order Sol Bermann
Role of CIO, DPPOC Rick Shipley
Ohio IT Security Policies Doug Alt
Encryption Protocol Sam Orth
Acquisition Tom Hart
Q and A
Closing Sol Bermann

3
State of Ohio IT Security
Sol BermannChief Privacy Officer, J.D., CIPP
4
Introduction

Update on Security Breach
State Response/Executive Order
Data Privacy Point of Contacts

5
Executive Order 2007 -13S Improving State Agency
Data Privacy and Security
Sol BermannChief Privacy Officer, J.D., CIPP
6
Which Agencies?

Mandatory
All Cabinet Level Agencies
Voluntary
Non-Cabinet Level Agencies, Boards and Commissions

7
Chief Privacy Officer

Privacy Impact Assessment Protocol by 8/29/07
Data Encryption Protocol by 8/29/07

8
Mandatory Agencies

Security Policy Compliance Report by 8/14/07
Privacy Impact Assessment Implementation by
8/29/07
Develop plan by 11/12/07 for implementing the
Encryption Protocol
Appoint DPPOC by 6/22/07

9
Questions?

Sol Bermann
Chief Privacy Officer, J.D., CIPP
Sol.Bermann_at_oit.ohio.gov
(614) 995-9928

10
Implementation
Rick Shipley Administrator Risk Management
Services
11
Privacy and Security

Privacy Security are flipsides of a coin
Privacy policies, rules laws surrounding data
usage
Security implementation of protection that
enforces the policies, rules laws

12
Role of Agency CIO

Help Oversee Agency Compliance
Executive Order 2007 013S
Privacy, confidentiality, security, disclosure,
and sharing of information
Provide direction and oversee activities
Develop and oversee the implementation of
policies, principles, standards, and guidelines

13
Role of DPPOC

Help with Executive order
Policy Compliance Reporting 2(c)
Privacy Impact Assessment Implementation 2(e)
Data Encryption Protocol Implementation Report
2(f)
Advise or support departmental management on
business and policy issues relating to privacy,
information assurance, and security
Understand the data the agency has and how the
agency uses the data
Sensitive data classification
Work within and across business units

14
Who Is The DPPOC ?

Need people that
understand the data the agency has
how the agency uses the data
understand the concept of data classification
ability to work within and across business units
Does not have to be
CIO or technical security people
Could be
Data Managers
Legal
HR

15
Risk Management Services

Statewide Initiatives Network vulnerability
assessments, cyber security workshops, and crisis
management
Acts as Statewide incident response coordinator
for security incidents (ITP-B.7)
OIT Initiatives Policies, procedures, standards,
IT planning, network vulnerability assessments,
compliance monitoring (auditing), IT risk
management, business continuity planning,
disaster recovery, service level agreements, and
crisis management

16
E.O. IT Security Compliance Report

Compliance checklists to evaluate in detail your
agencys compliance with Ohio IT Security
Policies
Completed document to the Chief Privacy Officer
by close of business on August 14, 2007
(sol.bermann_at_oit.ohio.gov)

17
E.O. Privacy Impact Assessment

Data mapping - understanding data agency has that
might be subjected to privacy and data
classification concerns
Privacy Impact Assessment - an assessment
focusing on the impact if the specific data is
breached and how it would affect agency
Two primary inputs to this phase is the OIT
Statewide Policy for data classification and Ohio
HB 104. In addition, best practices for data
protection will be considered.
Remediation effort estimate - an estimate to get
all of the data into a standardized protection
model
Gap analysis and tool recommendation -
identification of what the areas of improvement
are for agency and a recommendation of some tools
that will assist with meeting that difference
Leads to the creation of replicable processes for
Agencies to internally perform PIA funcations

18
Questions?

Rick Shipley
Administrator Risk Management Services
Rick.Shipley_at_oit.ohio.gov
(614) 995-7632

19
State of Ohio IT Security Policies
Doug Alt State IT Policy Manager
20
Executive Order 2007 013S Improving State
Agency Data Privacy and Security

All agency directors are required to review and
begin updating existing information technology
security policies and practices to make sure that
they comply with the current statewide Office of
Information Technology security policies. Within
sixty days, the Data Privacy Point of Contact
(DPPOC) at each agency is to provide a report to
the Chief Privacy Officer detailing the state of
compliance at their respective agencies and the
steps and time necessary to achieve compliance.

21
State IT Security Related Policies

ITP-B.9 Portable Computing Security
ITP-B.10 Security Notifications
ITP-B.11 Data Classification
ITP-B.12 Intrusion Prevention and
Detection
ITP-E.1 Disposal, Servicing and Transfer
of IT Equipment
ITP-E.7 Business Resumption Planning
ITP-E.8 Use of Internet, E-mail and Other
IT Resources
ITP-E.30 Electronic Records

ITP-B.1 Information Security Framework
ITP-B.2 Boundary Security
ITP-B.3 Password PIN Security
ITP-B.4 Malicious Code Security
ITP-B.5 Remote Access Security
ITP-B.6 Internet Security
ITP-B.7 Security Incident Response
ITP-B.8 Security Education and
Awareness

22
State IT Security Policies

ITP-B.1, Information Security Framework
Establishes a foundation on which your
current and future IT security strategy,
policies, and practices are developed, governed
and administered.
Establish a risk-based foundation from which to
build security programs
Base security decisions upon risk assessments
Address the basic security elements of
confidentiality, integrity and availability in
all security policies, plans and procedures

Key Takeaway
Have a security management plan in place and
review it, update it ,
and audit against it regularly.

23
State IT Security Policies

ITP-B.2, Boundary Security
Guidelines for designing, implementing and
deploying a robust network perimeter defense
capability.
Put safeguards in place to protect state
information and system assets
Limit access points
Provide more robust authentication for access to
sensitive information

Key Takeaway
Allow authorized traffic and deny everything
else.

24
State IT Security Policies

ITP-B.3, Password and Personal Identification
Number Security
Minimum requirements for the selection, use
and management of passwords and personal
identification numbers.
Password strategy driven by risk assessment
Require more complex passwords for more sensitive
information
Authentication is a critical element to data
protection

Key Takeaway
Password and PIN structures must compliment the
confidentiality and criticality of the data they
are securing.

25
State IT Security Policies

ITP-B.4, Malicious Code Security
Guidelines for the implementation and
operation of a malicious code
security program.
Malicious Code is the most common type of attack
State-controlled information systems must be
protected from the introduction of malicious code
All system assets need to be checked regularly
for malicious code
Users need to be aware of malicious code risks

Key Takeaway
Ensure anti-virus software is installed on all
devices authorized for state use and install any
security patches immediately.

26
State IT Security Policies

ITP-B.5, Remote Access Security
Assists in the development, implementation
and operation of security measures governing
remote access to state systems.
Convenient and popular way to accomplish work but
introduces increased risk for state systems
Additional access points need to be secured
Authenticate all remote users
Encrypt transmitted passwords

Key Takeaway
Remote access should be granted following the
concept of least- privilege.

27
State IT Security Policies

ITP-B.6, Internet Security
Security requirements for the use of and
connectivity to the Internet.
Internet is a valuable resource but introduces
risks
Internet connections need to be secure
Internet resource must be used responsibly

Key Takeaway
Educate users on appropriate and inappropriate
uses of the Internet. Prevent behavior that may
put systems and information at risk.

28
State IT Security Policies

ITP-B.7, Security Incident Response
Develop and maintain an adequate response
capability for IT related security incidents.
Recent security incidents demonstrate need for
incident response capability
Continuous review and update of incident response
procedures is critical
Incident reporting assists response and
containment efforts

Key Takeaway
Ensure your agency is ready to respond and roles
and responsibilities are clearly defined.

29
State IT Security Policies

ITP-B.8, Security Education and Awareness
Develop IT security education and awareness
programs for employees and other agents of the
state.
Recent security incidents demonstrate the need
for general security education and awareness
Personnel need to understand how security
measures align with business objectives

Key Takeaway
Provide general information technology security
education as part of
new employee and new contractor orientation.

30
State IT Security Policies

ITP-B.9, Portable Computing Security
Addresses the information technology security
concerns of portable computing devices and
provides guidelines for their use, management and
control.
Portable computing security is a critical area as
illustrated by recent security incidents
Deliberate management decisions need to made as
to use and support
Deliberate decisions need to be made as to
privately-owned devices
Sensitive information needs to be appropriately
secured
Management controls need to ensure portable
devices are reclaimed from separated employees
and that state information and software is
removed from privately-owned devices

Key Takeaway
If portable computing is allowed, your agency
needs to be prepared for the security demands
and have a procedure in place to respond to lost
or stolen devices.

31
State IT Security Policies

ITP-B.10, Security Notifications
Deploy security notifications that serve to
inform users of their duty, limitations on use,
legal requirements and personal privacy
expectations.
Security notifications can assist in the
successful criminal prosecution of violators
Notifications provide the opportunity to disclose
the potential legal implications of unauthorized
access, information misuse, data loss and
corruption

Key Takeaway
Be sure to involve legal counsel in the
development of security
notifications.

32
State IT Security Policies

ITP-B.11, Data Classification
Provides a high-level data classification
methodology for properly identifying and labeling
data and information assets.
Recent security incidents demonstrate the
importance of effectively protecting data
according to its risk
Data security is driven by assigned levels of
confidentiality and criticality
Label data in accordance with any legal
requirements

Key Takeaway
Implement a data classification methodology to
classify data and employ the appropriate
security and access rights.

33
State IT Security Policies

ITP-B.12, Intrusion Prevention and Detection
Identify and create an intrusion prevention
and detection capability that will allow for the
detection and response to unauthorized use of or
attack upon a state computer network or
telecommunications system.
Essential to protecting mission critical
resources
Intrusion prevention should be implemented to
block unauthorized use or attacks
Intrusion detection should be used to detect
unauthorized use or attacks

Key Takeaway
Develop a vetting process for personnel under
consideration for positions of
operational responsibility for your intrusion
prevention and detection
capabilities.

34
State IT Security Related Policies

ITP-E.1, Disposal, Servicing and Transfer of IT
Equipment
Mitigate risks associated with the disposal,
servicing and transfer of IT equipment.
Data stored on IT equipment can be recovered if
not appropriately secured or removed
IT equipment needs to be properly sanitized or
encrypted prior to release
Information stored on IT equipment dictates the
method used to protect or remove data

Key Takeaway
Before IT equipment is released from your
agency, ensure that sensitive information is
sanitized.

35
State IT Security Related Policies

ITP-E.7, Business Resumption Planning
Develop a business resumption plan that
addresses emergency
response, backup and recovery
actions.
Hurricane Katrina devastated nearly 90,000 square
miles
74 percent of respondents to a Network Computing
reader poll said they take snapshots of critical
data only once daily, and
64 percent store protected data less than 30
miles from primary sites

Key Takeaway
Your agency should have a business resumption
plan in place that is updated and tested
regularly and will ensure mission critical
services are recovered as soon as possible.

36
State IT Security Related Policies

ITP-E.8, Use of Internet, E-mail and Other IT
Resources
Establish controls on the use of
state-provided IT resources to ensure they are
appropriately used for the purposes for which
they were acquired.
Misuse of computer resources can pose a serious
security risk to the state
Prohibit sexually explicit materials, operating a
business, gambling, dating services, chat rooms,
blogging, chain letters

Key Takeaway
Ensure restrictions on personal use are clearly
communicated to employees and contractors, and
explain the rationale for prohibiting
certain types of activities.

37
State IT Security Related Policies

ITP-E.30, Electronic Records
Uniform electronic records guidelines
Electronic records need to be secured to maintain
their integrity, usability, and survivability
The requirements of public records law and
retention need to be considered when maintaining
electronic records

Key Takeaway
Electronic records should be created and
maintained in reliable systems consistent with
their respective retention schedules.

38
IT Security Focus Areas

Portable Devices
Personal Use
Access Privileges
Contractors
Disposal, Transfer and Servicing of IT Equipment
Education and Training

39
Focus Area Portable Devices

Make a deliberate decision about whether or not
portable devices are permitted as well as
privately-owned portable devices
Determine extent to which portable devices will
be supported
Construct procedure for responding to incidents
of lost or stolen portable devices
Ensure that if portable devices are allowed, data
on devices is classified and secured accordingly
Implement a management process that will ensure
that portable devices are re-claimed after
service life or in the case of privately-owned
devices the data is recovered, deleted or
overwritten as appropriate
Prohibit the uncontrolled use of sensitive
information on privately owned devices of
employees and contractors
Install firewall and virus protection on portable
devices

40
Focus Area Personal Use

Make deliberate decisions about personal use and
whether it will be permitted in your agencies
Recognize the risks presented by certain types of
personal use and address through security and
prohibitions on use
Educate employees on prohibited activities and
the reasons why they are prohibited
Document a personal use policy and distribute to
employees
Include personal use policy awareness as part of
new employee and new contractor orientation

41
Focus Area Access Privileges

Ensure all users are properly vetted in
accordance with the information they will have
permission to access
Sensitive information access should require
thorough vetting before access is granted
Establish rules concerning which files and which
users are eligible for the use and storage of
sensitive information on mobile devices and media
Implement safeguards such as access logs,
passwords, encryption, biometrics, time-outs,
and/or automatic data deletion for portable
devices containing sensitive data

42
Focus Area Contractors

Make deliberate decisions about the permitted use
of contractor equipment for state purposes
If contractor equipment is used, ensure it is
configured according to your agencys
requirements
Require contractors to abide by state and agency
security policies and practices as a condition of
performance
Ensure state information and software is
recovered from any contractor-owned equipment at
the time of separation
Ensure that data access requirements are
incorporated into contractor service level
agreements and contract terms and conditions as
they relate to classified data
Address data ownership issues
Make deliberate decisions about offshore
contractor management and access of sensitive data

43
Focus Area Disposal, Servicing and Transfer of
IT Equipment

Ensure management controls exist to reclaim IT
equipment from state employees when they are
separated from employment
If the use of privately-owned devices is
permitted, then controls need to exist to recover
information and software from the devices when
the user is separated from state service
Ensure that data is scrubbed from all devices
taken out of state service
Protect sensitive data from exposure if equipment
is temporarily transferred

44
IT Security Policy Support

Security Policy Audit Checklists (incorporated
into Security Compliance Report)
Coming Soon
Security Policy Educational White Papers (sample
provided for ITP-B.2)
Security Policy Tips (sample provided for
ITP-B.2)
Security Policy Resource Guide (sample provided
for ITP-B.2)
Documents will be available at
http//oit.ohio.gov/ITSecurityResources/ITSecurity
Resources.aspx

45
Security Policy Audit Checklists

Compliance
Am I compliant? The Self-audit.
Next Steps
The Action Plan.

46
Security Policy Educational White Papers

The Implementers Perspective
What more do I need to know?
Where do I go for more information?

47
Security Policy Tips

The Subject Matter Expert
What are the key dos and donts of
implementation?

48
Security Policy Resource Guide

The User Perspective
Why?
Whats my role?
What are my responsibilities?
Where do I go for more information?

49
Securing Your SystemA Basic Philosophy

There is no Silver Bullet for securing systems.
Three components for success
People
Processes
Technology
Its about Risk Management

SAIC Why Security Policy Presentation, June 19,
2001
50
Statewide IT Policy Contact InformationTelephone
614-644-9352Facsimile
614-644-9152E-mail State.ITPolicy.Manager_at_oit.
ohio.gov

State of Ohio IT Policy is Available at
http//ohio.gov/itp

51
Questions?

Doug Alt
State IT Policy Manager
State.ITPolicy.Manager_at_oit.ohio.gov
(614) 466-5083

52
State of Ohio IT Data Encryption
StandardDevelopment Overview Status
Sam Orth Enterprise Architecture Standards
Manager
53
Overview

Executive Order 2007-013S
3 Components of Encryption
Goals of the Standard
Research Approach
Standards Development Approach MOA
Research Synopsis
Standards Candidates
Data Encryption Requirements Implementation
Next Steps
Questions

54
Executive Order 2007-013SImproving State Agency
Data Privacy Security

August 29, 2007
November 12, 2007

55
3 Components of Encryption

Cipher encryption/decryption algorithm
Block
Stream
Key expressed in bits
Symmetric
Shared Secret (Private Key)
Asymmetric
Public/Private Key
Digital Signatures
Key Management
Selecting, distributing and storing keys

56
Goals of the Standard (Principles)

Common, durable, doesnt frequently change
Supports a wide variety of systems, components,
architectures, technologies
Can be used across state government
One Size Fits Most 80/20 rule

Agency A
Agency C
Agency B
Unique
Common
Core
57
Research Approach
58
Standards Development ApproachMOA
59
Standards Development ApproachMOA
60
Research Synopsis

32 Other States
13 standards issued or revised since 2006
17 require or recommend AES/TDES or NIST FIPS
standards
7 explicitly prohibit DES or WEP
At least 7 have data classification policy
CO and ME statewide laptop encryption
AZ, IL, KS, KY, MN, NY centralized PKI
Mobile Encryption Data Storage Providers
AES is widely supported and is quickly replacing
TDES
Agency Feedback
Several existing mobile encryption, networking
and tape solutions support AES. Older systems
support TDES.
Federal Government
Review of National Institute of Standards Federal
Information Processing Standards for Encryption
(FIPS 140 series)

AL, AR, AZ, CA, CT, CO, IA, ID, IN, KS, KY, LA,
MA, ME, MD, MN, MS, MI, MO, MT, NC, ND, NJ, NY,
PA, RI, SC, TN, TX, VA, WA, WI
61
Standards Candidates (Minimum)FIPS-140-2
Approved Security Functions
NIST FIPS References 46, 140-2,180-3, 186-2 197
62
Data Encryption Requirements

ITP-B.11 Data Classification
Confidentiality
Public (none required)
Limited Access (agency discretion)
Restricted (required)

Draft OAC Data Sensitivity Rule
Sensitive Data
Any electronic information that a state agency
maintains and must not disclose under penalty of
law (required)
Personal information that consists of an
individuals name linked to any one of the
following
SSN, Drivers License or Account or Credit Card

draft
Governors Executive Order 2007-013S
63
EncryptionImplementationRisk
ProfileTimeEffortTechnology
Applications Servers Storage Databases Network
Connections File Servers Print Servers Mobile
Devices
Systems Complexity
Scope of Effort
64
Next Steps