
Page 1: Implementing Executive Order 504 with the Resources Your Agency Has Today

Implementing Executive Order 504 with the Resources Your Agency Has Today

Executive Office of Administration and Finance, Information Technology Division

Linda Hamel, General Counsel, Information Technology Division
Stephanie Zierten, Deputy General Counsel, Information Technology Division
Jenny Hedderman, Deputy General Counsel, Comptroller

Presentation for Executive Order 504 Train the Trainer Course, December 16 and 17, 2008

Page 2

12/18/08 Executive Order 504 2

Agenda

• Before Executive Order (E.O.) 504

• Requirements of E.O. 504

• What’s new?

• Complying with E.O. 504 with the resources your agency has today

Handouts available at: www.mass.gov/itd

Page 3

Before Executive Order 504

• Three sources of agency security and privacy (confidentiality) requirements:

– ITD Security Policies, Standards and Guidelines
– Contracts
– State and Federal laws regarding privacy and security

Page 4

Before EO 504

• ITD’s Enabling Legislation enables ITD to set information technology standards for the Executive Department

• Executive Department budget language annually gives ITD authority over IT projects of $200,000 and over.

• Enterprise Security Board (ESB) voluntarily created by ITD under the CIO’s general authority in 2001

• With the advice of the ESB, ITD has issued enterprise security policies addressing

– Attack intrusion notification
– Cybercrime and security incidents
– Electronic messaging communications security
– Information security policy
– Data classification
– E-government applications public access policy and standards
– Remote access
– Wireless implementations

Page 5

Before EO 504, cont.

• Agencies are subject to contractual security requirements. Examples:

– Payment Card Industry (PCI) Data Security Standards
• certain data security standards mandated by the credit card industry for all Commonwealth entities that process, transmit, or store credit cardholder data
– Social Security Administration Information Exchange Agreement
• governs the transmission of data files received from and sent to the Social Security Administration
– Business Associate agreements between agencies that are HIPAA covered entities and agencies that act as service providers

Page 6

Before EO 504, cont.

• Law breaks down along two lines:

– Privacy (rules about who gets to see sensitive data; broader than security)
• Examples: HIPAA privacy rule; main sections of FIPA (Fair Information Practices Act, M.G.L. c. 66A); exemptions to the public records law; CORI
• Principles governing protection of privacy data: Notice; Purpose; Consent; Security; Disclosure; Access; and Accountability

– Security (rules about the physical, technical and administrative methods of limiting access; a means to effectuate privacy rules)
• Examples: HIPAA security rule; one section of FIPA; Internal Revenue Manual 30.6.1, Security of Confidential Information

Page 7

Before EO 504, cont.

• Personnel addressing security and privacy have also traditionally been grouped separately

– Technologists handle security
– Lawyers, policymakers and program managers manage the privacy rules.

Page 8

Before EO 504, cont.

• Executive Order 412
– Review policies and practices regarding information related to individuals
– Determine the minimum quantity of personal information needed to collect, and reform policies and practices regarding dissemination and security
– Adopt a policy regarding employee expectations of privacy

Page 9

Executive Order 504 -- Summary

• Revokes EO 412 (but reinstates many of its terms)

• Doesn’t change
– Pre-existing contractual requirements imposed on the state
– Pre-existing security or privacy laws

• Requirements Imposed On:
– Executive Department Agencies (not the Executive Branch as a whole, the Legislature, the Judiciary, or Authorities)
– ITD and the CIO
– Enterprise Security Board

Page 10

Executive Department Agencies Must…

• “Adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of”
• Personal Information: as defined in the Security Freezes and Notification of Data Breaches Statute (G.L. c. 93H)
• Personal Data: as defined under FIPA

• Personal Information (G.L. c. 93H):
– Resident’s first name (or initial) and last name in combination with
• Social Security number;
• Driver’s license (or state-issued ID) number; or
• Financial account number

• Personal Data under FIPA:
– Any information which, because of name, identifying number, mark or description, can be readily associated with a particular individual.
• Except information that is contained within a public record (G.L. c. 4 § 7(26)).

Page 11

Executive Department Agencies Must….

• Develop, implement and maintain a written information security program, which ensures that the agency:

– Collects the minimum quantity of personal information and data reasonably needed to accomplish the legitimate purpose for which the information is being collected
– Securely stores and protects personal information and data against unauthorized access, destruction, use, modification, disclosure or loss
– Discloses personal information and data only on a need-to-know basis
– Destroys personal information and data as soon as it is no longer needed or required to be maintained under state or federal law
– Addresses the administrative, technical, and physical safeguards
– Complies with federal and state privacy and security laws and regulations

Page 12

Executive Department Agencies Must….

• Develop and implement written information security programs…

– Cover all personal information (not restricted to electronic information)
– Electronic personal data must be addressed in a subset of the Information Security Program (ISP) called an “electronic security plan” (ESP)

[Diagram: the Electronic Security Plan nested inside the Information Security Program, both covering personal information and data]

Page 13

Executive Department Agencies Must….

• Appoint an Information “Security” Officer (really a Security and Privacy Officer)

– Reports directly to the Agency head
– Signs the agency ISP and its ESP
– Can be a new responsibility for an existing employee (not required to be a full-time responsibility)
– Coordinates the Agency’s compliance with
• E.O. 504
• Federal and state laws and regulations (privacy and security)
• ITD security standards and policies
• Although not required by EO 504, the EO 504 Security Officer should also coordinate compliance with contractual security and privacy obligations.

• Have the Agency Head certify all Programs, Plans, Self-Audits and Reports

• By September 2009, attend mandatory security training for
– all agency heads, managers, supervisors, employees (including contract employees)
– Re: how to identify, maintain and safeguard records and data

• Incorporate required contract language regarding vendor certification in all contracts entered into after January 1, 2009; a breach of those obligations constitutes a breach of contract.

• Before entering a contract, follow mandatory ITD standards for verifying the competence and integrity of contractors and subcontractors, minimizing data and system access, and ensuring the security, confidentiality and integrity of such data and systems.

• Fully cooperate with ITD, including ITD requests for information, in connection with ITD’s fulfillment of its responsibilities

Page 14

ITD and the CIO: Authority and Oversight

• The CIO shall have the authority, re: Electronic Security Plans (ESPs) (NOT agencies’ entire Information Security Program), to:

– Issue guidelines, standards, and policies about the development, implementation and maintenance of ESPs;
– Require that agencies submit ESPs to ITD for review
– Specify when agencies must submit supplemental or updated ESPs
– Establish and oversee periodic self-audit reporting requirements (but must require self-audit no less than annually). Self-audits are against:
• ITD standards
• ESPs
• Federal and state privacy and security laws [presumably only electronic-related]
– Conduct reviews to assess agency compliance
– Issue an M.G.L. c. 93H “report to ITD” policy
– How is this authority enforced?
• With the approval of ANF, determine remedial action for non-compliant agencies and impose terms and conditions on the agency’s IT-related expenditures and IT capital funding

Page 15

ITD and the CIO: Authority and Oversight, cont.

• Procurement:
– Develop mandatory standards and procedures for agencies to follow before entering contracts that will allow third-party access to personal data or personal information, or to systems containing such information
– Draft mandatory ITD standards for verifying the competence and integrity of contractors and subcontractors, minimizing data and system access, and ensuring the security, confidentiality and integrity of such data and systems.*
– Draft, with OSC and OSD, contract provisions* including certification that the contractor
• Has reviewed and will comply with information security programs, plans, guidelines, standards and policies
• Will communicate and enforce those provisions against its subcontractors
• Will implement any other reasonable and appropriate measures to protect personal information

* To be provided as handouts today

Page 16

Enterprise Security Board

• The Enterprise Security Board (ESB) has operated for 7 years solely at ITD’s discretion

• EO 504 gives legal footing to the ESB
– Acts as a “consultative body to advise the CIO”
– Advises the CIO in developing guidelines, standards and policies governing implementation of EO 504

• The CIO shall determine the members and makeup of the ESB, but membership shall be drawn from
– State employees from the Executive Department
– Experience in IT, privacy, and security
– Representatives from the Judicial and Legislative Branches
– Other constitutional offices
– Quasi-public authorities

Page 17

EO 504 Summary—What’s New?

• Requirement for agency security officers (addressing both Privacy and Security) and a written information security program (including ESPs)

• Requirement for an at least annual agency ESP self-audit, sent to ITD

• Additional ANF/ITD authority over agency IT spending based on agency compliance with the ESP self-audit

• Less uncertainty regarding ESB survival in the future

• Focus on data destruction (also required under G.L. c. 93I)

• Agencies must give full cooperation, and information, to ITD

• Procurement related standards and procedures (vendor certification plus pre contract procedures)

Page 18

Due Dates as Per EO 504

Due Date: Today
– Start using the EO 504 ITD Mandatory Procurement Standards and Procedures for all contracts solicited for IT solutions that involve personal information or personal data.
– Appoint an Agency Information Security Officer (ISO)

Due Date: January 1, 2009
– Ensure the EO 504 Vendor Certification is included in all contracts involving personal information or personal data (may be on the Standard Form Contract by January 1, 2009)

Due Date: September 18, 2009
– Create an Information Security Program (including an ESP): draft and write the ISP and ESP
– Have the Agency Head and ISO certify the ISP
– Submit the ESP to ITD for review
– Train agency head, managers, supervisors and employees (including contract employees) on your plan (use training materials from December 2008 and other templates that become available in Spring 2009)
– Submit first self-audit to ITD

Thereafter
– Submit self-audits as required by ITD, but at least annually

Page 19

Suggested Tasks and Timeline to Meet Due Dates of EO 504

December 2008
1. Start using the EO 504 ITD Mandatory Procurement Standards and Procedures for all contracts solicited for IT solutions that involve personal information or personal data.
2. Appoint an Agency Information Security Officer (ISO)

January 2009
1. January 1, 2009: Ensure the EO 504 Vendor Certification is included in all contracts involving personal information or personal data (may be on the Standard Form Contract by January 1, 2009)
2. Train top-level management on general EO 504 provisions (feel free to use these training materials)
3. Start work on the agency security/privacy matrix

March 2009
1. Obtain tools developed by the ESB and provided by ITD (e.g. templates for the ESPs, guidelines for self-audits, other policies and guidelines developed by the ESB and provided by ITD to agencies)

Between April and June 2009
1. Create an Information Security Program (including an ESP)
2. Have the Agency Head and ISO certify the ISP
3. Submit the ESP to ITD for review and approval
4. Obtain ITD’s approval of the ESP (ITD will have 10 business days to review, accept or reject the ESP)

Between June 2009 and September 2009
1. Train agency head, managers, supervisors and employees (including contract employees) on your agency’s ISP (use training materials from December 2008, the agency ISP, and other templates that become available in Spring 2009 for ISP training)
2. Perform self-audit against the ESP
3. Submit first self-audit to ITD

Thereafter
1. Submit self-audits as required by ITD, but at least annually

Page 20

Helping your Agency Comply

• Tomorrow’s tools
– Template for ISP
– Template for ISP self-audit

• Today’s tools:
– EO 504 Checklist (previous slide)
– Model Security Matrix
– Certification language
– ITD EO 504 Pre-Contract Procurement Procedures

Page 21

Agency Security Matrix (example)

Source                       | Type of Data                  | System Holding Data                | Feature 1 (e.g. staffing req.) | Feature 2 (e.g. training req.) | Feature 3 (physical security)
Statute 1 (e.g. FIPA)        | PII that is not public record | App Name A, App Name B             | Appoint Security Officer       | Train all staff (once)         | Password requirements
Statute 2 (e.g. HIPAA)       | PII related to health         | App Name C                         | Personnel must be certified    |                                | Password requirements
Exec. Order (e.g. 504)       | PII in general                | App Name A, App Name B, App Name C | Appoint Security Officer       | Train all staff (once)         |
Contract 1                   | SSA                           | App Name C                         | Personnel must be certified    |                                | Password requirements
Contract 2 (e.g. PCI)        | Credit card                   | App Name A                         |                                | Train users of system (yearly) | Password requirements
Policy 1 (e.g. ITD Policies) | Highly sensitive data         | App Name A, App Name B, App Name C | Personnel must be certified    |                                |

Page 22

Office of the Comptroller: Standard Contract Form Updates

• The Standard Contract Form is being updated to include the required Executive Order 504 language in the “Certifications” section of the Instructions.

• The new form must be used as of January 1, 2009 for all contracts.

Page 23

What if an Executive Department conducted a procurement referencing the current form?

• The current Standard Contract Form may be used, however, Executive Departments must have a Contractor sign the “Executive Order 504 Certification Form” IF the Contractor will have access to personal information or personal data as those terms are defined under G.L. c. 93H and c. 66A or to systems that contain such information or data.

Page 24

Do I have to include the Executive Order 504 Certification Form as part of my Procurements?

• No. If you are using the new version of the Standard Contract Form, OR if the Contract does not involve access to personal information or data or systems that contain personal information or data.

• Yes. If you are not using the new version of the Standard Contract Form AND if the Contractor will have access to personal information or data or systems that contain personal information or data.

Page 25

Will the Executive Order 504 Language apply to non-Executive Departments?

• No. The Executive Order 504 language applies solely to Executive Department contracts.

• However, generic language is being added to the Certification Section to remind ALL Contractors of their broad duty to protect the physical security and restrict access to all Department data (including the Department's public records, documents, files, software, equipment or systems) that the Contractor may have access to under the Contract.

Page 26

Ask for Help. Use Resources You Have.

Use the Tools Provided by ITD and the ESB and Participate with ESB if Possible

Linda Hamel, ITD, 617 626 4404

Stephanie Zierten, ITD, 617 626 4698

Jenny Hedderman, OSC (Contract Questions), 617 973 2656