January 10, 2008 www.infosecurity.ca.gov/ 1
Role, Responsibility and Authority of New Office
Presented by Colleen Pedroza,
State Chief Information Security Officer
Overview
Effective January 1, 2008, the California State Information Security Office joined forces with the California Office of Privacy Protection, creating the new Office of Information Security and Privacy Protection. The new Office reports to the State and Consumer Services Agency. For more details, see Senate Bill 90.
Office Overview
State and Consumer Services Agency
  Executive Officer
    Office of Privacy Protection (Consumer Focused)
      • Consumer Assistance
      • Information & Education
      • Best Practice Recommendations
    Office of Information Security (Government Focused)
      • Policy, Standards, Guidance
      • Assistance & Advice
      • Education & Awareness
      • Compliance Monitoring
Immediate Changes
There are some exciting new changes
• Name Change - Office of Information Security
• Newly Designed Web Site - www.infosecurity.ca.gov/
• Public Email Address - [email protected]
• Physical address and phone numbers will remain the same for now
Web Site
Document Ownership
• Statewide Information Management Manual (SIMM) Documents
  – SIMM 65/70 series and SIMM 145 will remain with us
  – Other SIMM products will go to OCIO
• Policy Communication Channel
  – Management Memos will release new policies
  – Budget Letters to remain at Finance
What Will Our Office Do?
Continue to provide leadership and guidance to state government to ensure the confidentiality, integrity and availability of state information assets.
This will be accomplished through a number of efforts, which include:
• Issuing security and privacy policies and standards
• Providing guidance and assistance to state agencies
• Providing training and awareness tools to ensure the state workforce understands its responsibility for good security and privacy habits
• Conducting or directing compliance reviews, assessments and audits to ensure state agencies are diligent in achieving compliance with laws, policies, and best practice standards
Governance
Our Office will be:
• Establishing an ongoing process for developing, vetting, and approving statewide security and privacy policies
• Establishing a policy committee involving key stakeholders, such as:
  – SCIO, Agency IOs, CHP, DGS, CalOHI, Legal, DTS, DPA, Finance, and department representation
• Envision
  – Policy adoption will occur at the Cabinet level
  – Agencies would develop a similar governance structure for their departments
2008 - Year of Compliance
• Certification Filings
  – Designation Letter (SIMM 70A)
  – Risk Management and Privacy Program Compliance (SIMM 70C)
    • Due January 31st of each year or when changes occur
• Operational Recovery Plan/Certification (SIMM 70B)
  – ORP Transmittal Letter (SIMM 70D) – New!
    • See Schedule Submission
• Agency Security Incident Report (SIMM 65A)
  – Due within 10 business days following the incident
Review/Assessment
What we look for:
• Are forms complete and properly signed?
• Designation Letter
  – Updates distribution and emergency contact lists
• Program Compliance Certifications
  – Has the agency certified that programs/plans are in place?
  – If not, is a remediation plan provided and acceptable (activities, timeline, etc.)?
  – If yes, schedule for compliance review
• ORPs
  – Accompanied by Agency Transmittal Letter (new)
  – Are there inter-agency dependencies and have these been addressed?
  – Does it meet the SIMM 65A requirements?
  – Is a cross reference map included?
• Incident Reports
  – Have costs and corrective actions been identified?
  – Do costs and corrective actions seem reasonable?
Follow-up Process
If an agency hasn't submitted its forms/plan or asked for an extension:
1. Reminder to department ISO and CIO
2. Notification to department director and copy to ISO and CIO
3. Notification to department’s Agency and copies to ISO, CIO, director and SCIO
Requirements for State Agencies
Pursuant to Government Code Section 11549.3, all state agencies must comply with the policies and filing requirements issued by OISPP.
Compliance Authority & Monitoring
• We are required to notify the SCIO when an agency is not in compliance
• We may conduct compliance reviews
• We may conduct or require an independent security assessment at the agency's expense
• We may require an audit at the agency's expense
Consequences
May impact agency's:
– IT Projects or IT Project funding
  • Denial, suspension, or termination
– Delegated IT Procurement Cost Thresholds
  • Reduction or elimination
Happy New Year!
• A new year
• A new office
• Many new opportunities or many new challenges
It’s all how we choose to look at it!
Questions?
Office Updates
• ORP-COOP/COG Alignment Update
• SAM/SIMM Restructure
• New/Revised SIMM Forms and Instructions
Presented by Rosa Umbach
ORP-COOP/COG Alignment
• Publication of Workgroup Products
  – Revised SIMM 65A Instructions
  – New SIMM 70D
  – Definitions
  – Internal Checklist (coming soon)
• Pending – Working with OES
  – COOP/COG definitions
  – Updating of the COOP/COG Instructions
SAM/SIMM Restructure
• Phase I – Restructure SAM 4840-4845
  – Working with DGS to publish in SAM
  – Developing Management Memo for releasing new structure
• Phase II – Perform Policy Gap Analysis
• Phase III – Prioritize and begin establishing new policy
SAM Restructure
SAM Restructure (Continued)
Revised SIMM Forms
• Agency Designation Letter (SIMM 70A)
  – Director can identify an individual to sign as designee
• Agency Operational Recovery Plan Certification (SIMM 70B)
  – New Office Name
• Agency Risk Management and Privacy Program Compliance Certification (SIMM 70C)
  – Certifies a full Risk Management Program is in place, or the Agency provides a remediation plan to become compliant.
SIMM 70A
SIMM 70C
Risk Management Certification
• Remediation Plan should include:
  – List of activities with which the agency is not yet compliant
  – Timeline for completing each activity
  – Method for validation of completion
  – Method of verification of compliance
  – Contact for remediation plan
NEW SIMM Form
• Agency Operational Recovery Plan Transmittal Letter (SIMM 70D)
Questions?