Data Privacy Point of Contact Orientation Session

Agenda
- Introduction: Sol Bermann
- Executive Order: Sol Bermann
- Role of CIO, DPPOC: Rick Shipley
- Ohio IT Security Policies: Doug Alt
- Encryption Protocol: Sam Orth
- Acquisition: Tom Hart
- Q and A
- Closing: Sol Bermann

Sol Bermann, Chief Privacy Officer, J.D., CIPP, State of Ohio IT Security

Introduction
- Update on security breach
- State response / Executive Order
- Data Privacy Point of Contacts

Sol Bermann, Chief Privacy Officer, J.D., CIPP

Executive Order 2007-13S: Improving State Agency Data Privacy and Security

Which Agencies?
- Mandatory: all cabinet-level agencies
- Voluntary: non-cabinet-level agencies, boards and commissions

Chief Privacy Officer
- Privacy Impact Assessment Protocol by 8/29/07
- Data Encryption Protocol by 8/29/07

Mandatory Agencies
- Security Policy Compliance Report by 8/14/07
- Privacy Impact Assessment implementation by 8/29/07
- Develop plan by 11/12/07 for implementing the Encryption Protocol
- Appoint DPPOC by 6/22/07

Sol Bermann

Chief Privacy Officer, J.D., CIPP, (614) 995-9928. Questions?

Rick Shipley, Administrator, Risk Management Services: Implementation

Privacy and Security
- Privacy and security are flip sides of a coin
- Privacy = policies, rules and laws surrounding data usage
- Security = implementation of protection that enforces the policies, rules and laws

Role of Agency CIO
- Help oversee agency compliance with Executive Order 2007-013S
- Privacy, confidentiality, security, disclosure, and sharing of information
- Provide direction and oversee activities
- Develop and oversee the implementation of policies, principles, standards, and guidelines

Role of DPPOC
- Help with the Executive Order: Policy Compliance Reporting 2(c); Privacy Impact Assessment Implementation 2(e); Data Encryption Protocol Implementation Report 2(f)
- Advise or support departmental management on business and policy issues relating to privacy, information assurance, and security
- Understand the data the agency has and how the agency uses the data
- Sensitive data classification
- Work within and across business units

Who Is The DPPOC?
- Need people that understand the data the agency has, how the agency uses the data, and the concept of data classification, with the ability to work within and across business units
- Does not have to be the CIO or technical security people
- Could be data managers, legal, HR

Risk Management Services
- Statewide initiatives: network vulnerability assessments, cyber security workshops, and crisis management
- Acts as statewide incident response coordinator for security incidents (ITP-B.7)
- OIT initiatives: policies, procedures, standards, IT planning, network vulnerability assessments, compliance monitoring (auditing), IT risk management, business continuity planning, disaster recovery, service level agreements, and crisis management

E.O. IT Security Compliance Report
- Compliance checklists to evaluate in detail your agency's compliance with Ohio IT Security Policies
- Completed document to the Chief Privacy Officer by close of business on August 14, 2007

E.O. Privacy Impact Assessment
- Data mapping: understanding data the agency has that might be subject to privacy and data classification concerns
- Privacy Impact Assessment: an assessment focusing on the impact if the specific data is breached and how it would affect the agency. Two primary inputs to this phase are the OIT Statewide Policy for data classification and Ohio HB 104. In addition, best practices for data protection will be considered.
- Remediation effort estimate: an estimate to get all of the data into a standardized protection model
- Gap analysis and tool recommendation: identification of what the areas of improvement are for the agency and a recommendation of some tools that will assist with meeting that difference
- Leads to the creation of replicable processes for agencies to internally perform PIA functions

Rick Shipley, Administrator, Risk Management Services, (614) 995-7632. Questions?

Doug Alt, State IT Policy Manager, State of Ohio

IT Security Policies

Executive Order 2007-013S, "Improving State Agency Data Privacy and Security"
All agency directors are required to review and begin updating existing information technology security policies and practices to make sure that they comply with the current statewide Office of Information Technology security policies. Within sixty days, the Data Privacy Point of Contact (DPPOC) at each agency is to provide a report to the Chief Privacy Officer detailing the state of compliance at their respective agencies and the steps and time necessary to achieve compliance.

State IT Security Related Policies
- ITP-B.1 Information Security Framework
- ITP-B.2 Boundary Security
- ITP-B.3 Password & PIN Security
- ITP-B.4 Malicious Code Security
- ITP-B.5 Remote Access Security
- ITP-B.6 Internet Security
- ITP-B.7 Security Incident Response
- ITP-B.8 Security Education and Awareness
- ITP-B.9 Portable Computing Security
- ITP-B.10 Security Notifications
- ITP-B.11 Data Classification
- ITP-B.12 Intrusion Prevention and Detection
- ITP-E.1 Disposal, Servicing and Transfer of IT Equipment
- ITP-E.7 Business Resumption Planning
- ITP-E.8 Use of Internet, E-mail and Other IT Resources
- ITP-E.30 Electronic Records

State IT Security Policies: ITP-B.1, Information Security Framework
Establishes a foundation on which your current and future IT security strategy, policies, and practices are developed, governed and administered.
- Establish a risk-based foundation from which to build security programs
- Base security decisions upon risk assessments
- Address the basic security elements of confidentiality, integrity and availability in all security policies, plans and procedures
Key Takeaway: Have a security management plan in place and review it, update it, and audit against it regularly.

State IT Security Policies: ITP-B.2, Boundary Security

Guidelines for designing, implementing and deploying a robust network perimeter defense capability.
- Put safeguards in place to protect state information and system assets
- Limit access points
- Provide more robust authentication for access to sensitive information
Key Takeaway: Allow authorized traffic and deny everything else.

State IT Security Policies: ITP-B.3, Password and Personal Identification Number Security

Minimum requirements for the selection, use and management of passwords and personal identification numbers.
- Password strategy driven by risk assessment
- Require more complex passwords for more sensitive information
- Authentication is a critical element to data protection
Key Takeaway: Password and PIN structures must complement the confidentiality and criticality of the data they are securing.

State IT Security Policies: ITP-B.4, Malicious Code Security

Guidelines for the implementation and operation of a malicious code security program.
- Malicious code is the most common type of attack
- State-controlled information systems must be protected from the introduction of malicious code
- All system assets need to be checked regularly for malicious code
- Users need to be aware of malicious code risks
Key Takeaway: Ensure anti-virus software is installed on all devices authorized for state use and install any security patches immediately.

State IT Security Policies: ITP-B.5, Remote Access Security
Assists in the development, implementation and operation of security measures governing remote access to state systems.
- Convenient and popular way to accomplish work, but introduces increased risk for state systems
- Additional access points need to be secured
- Authenticate all remote users
- Encrypt transmitted passwords
Key Takeaway: Remote access should be granted following the concept of least privilege.

State IT Security Policies: ITP-B.6, Internet Security
Security requirements for the use of and connectivity to the Internet.
- The Internet is a valuable resource but introduces risks
- Internet connections need to be secure
- Internet resources must be used responsibly
Key Takeaway: Educate users on appropriate and inappropriate uses of the Internet. Prevent behavior that may put systems and information at risk.

State IT Security Policies: ITP-B.7, Security Incident Response
Develop and maintain an adequate response capability for IT related security incidents.
- Recent security incidents demonstrate the need for an incident response capability
- Continuous review and update of incident response procedures is critical
- Incident reporting assists response and containment efforts
Key Takeaway: Ensure your agency is ready to respond and roles and responsibilities are clearly defined.

State IT Security Policies: ITP-B.8, Security Education and Awareness
Develop IT security education and awareness programs for employees and other agents of the state.
- Recent security incidents demonstrate the need for general security education and awareness
- Personnel need to understand how security measures align with business objectives
Key Takeaway: Provide general information technology security education as part of new employee and new contractor orientation.

State IT Security Policies: ITP-B.9, Portable Computing Security

Addresses the information technology security concerns of portable computing devices and provides guidelines for their use, management and control.
- Portable computing security is a critical area, as illustrated by recent security incidents
- Deliberate management decisions need to be made as to use and support
- Deliberate decisions need to be made as to privately-owned devices
- Sensitive information needs to be appropriately secured
- Management controls need to ensure portable devices are reclaimed from separated employees and that state information and software is removed from privately-owned devices
Key Takeaway: If portable computing is allowed, your agency needs to be prepared for the security demands and have a procedure in place to respond to lost or stolen devices.

State IT Security Policies: ITP-B.10, Security Notifications
Deploy security notifications that serve to inform users of their duty, limitations on use, legal requirements and personal privacy expectations.
- Security notifications can assist in the successful criminal prosecution of violators
- Notifications provide the opportunity to disclose the potential legal implications of unauthorized access, information misuse, data loss and corruption
Key Takeaway: Be sure to involve legal counsel in the development of security notifications.

State IT Security Policies: ITP-B.11, Data Classification
Provides a high-level data classification methodology for properly identifying and labeling data and information assets.
- Recent security incidents demonstrate the importance of effectively protecting data according to its risk
- Data security is driven by assigned levels of confidentiality and criticality
- Label data in accordance with any legal requirements
Key Takeaway: Implement a data classification methodology to classify data and employ the appropriate security and access rights.

State IT Security Policies: ITP-B.12, Intrusion Prevention and Detection
Identify and create an intrusion prevention and detection capability that will allow for the detection of and response to unauthorized use of or attack upon a state computer network or telecommunications system.
- Essential to protecting mission critical resources
- Intrusion prevention should be implemented to block unauthorized use or attacks
- Intrusion detection should be used to detect unauthorized use or attacks
Key Takeaway: Develop a vetting process for personnel under consideration for positions of operational responsibility for your intrusion prevention and detection capabilities.

State IT Security Related Policies: ITP-E.1, Disposal, Servicing and Transfer of IT Equipment
Mitigate risks associated with the disposal, servicing and transfer of IT equipment.

- Data stored on IT equipment can be recovered if not appropriately secured or removed
- IT equipment needs to be properly sanitized or encrypted prior to release
- Information stored on IT equipment dictates the method used to protect or remove data
Key Takeaway: Before IT equipment is released from your agency, ensure that sensitive information is sanitized.

State IT Security Related Policies: ITP-E.7, Business Resumption Planning
Develop a business resumption plan that addresses emergency response, backup and recovery actions.
- Hurricane Katrina devastated nearly 90,000 square miles
- 74 percent of respondents to a Network Computing reader poll said they take snapshots of critical data only once daily, and 64 percent store protected data less than 30 miles from primary sites
Key Takeaway: Your agency should have a business resumption plan in place that is updated and tested regularly and will ensure mission critical services are recovered as soon as possible.

State IT Security Related Policies: ITP-E.8, Use of Internet, E-mail and Other IT Resources
Establish controls on the use of state-provided IT resources to ensure they are appropriately used for the purposes for which they were acquired.
- Misuse of computer resources can pose a serious security risk to the state
- Prohibit sexually explicit materials, operating a business, gambling, dating services, chat rooms, blogging, chain letters
Key Takeaway: Ensure restrictions on personal use are clearly communicated to employees and contractors, and explain the rationale for prohibiting certain types of activities.

State IT Security Related Policies: ITP-E.30, Electronic Records
Uniform electronic records guidelines.

- Electronic records need to be secured to maintain their integrity, usability, and survivability
- The requirements of public records law and retention need to be considered when maintaining electronic records
Key Takeaway: Electronic records should be created and maintained in reliable systems consistent with their respective retention schedules.

IT Security Focus Areas
- Portable Devices
- Personal Use
- Access Privileges
- Contractors
- Disposal, Transfer and Servicing of IT Equipment
- Education and Training

Focus Area: Portable Devices
- Make a deliberate decision about whether or not portable devices are permitted, as well as privately-owned portable devices
- Determine the extent to which portable devices will be supported
- Construct a procedure for responding to incidents of lost or stolen portable devices
- Ensure that if portable devices are allowed, data on devices is classified and secured accordingly
- Implement a management process that will ensure that portable devices are reclaimed after service life or, in the case of privately-owned devices, the data is recovered, deleted or overwritten as appropriate
- Prohibit the uncontrolled use of sensitive information on privately owned devices of employees and contractors
- Install firewall and virus protection on portable devices

Focus Area: Personal Use
- Make deliberate decisions about personal use and whether it will be permitted in your agencies
- Recognize the risks presented by certain types of personal use and address them through security and prohibitions on use
- Educate employees on prohibited activities and the reasons why they are prohibited
- Document a personal use policy and distribute it to employees
- Include personal use policy awareness as part of new employee and new contractor orientation

Focus Area: Access Privileges
- Ensure all users are properly vetted in accordance with the information they will have permission to access
- Sensitive information access should require thorough vetting before access is granted
- Establish rules concerning which files and which users are eligible for the use and storage of sensitive information on mobile devices and media
- Implement safeguards such as access logs, passwords, encryption, biometrics, time-outs, and/or automatic data deletion for portable devices containing sensitive data

Focus Area: Contractors
- Make deliberate decisions about the permitted use of contractor equipment for state purposes
- If contractor equipment is used, ensure it is configured according to your agency's requirements
- Require contractors to abide by state and agency security policies and practices as a condition of performance
- Ensure state information and software is recovered from any contractor-owned equipment at the time of separation
- Ensure that data access requirements are incorporated into contractor service level agreements and contract terms and conditions as they relate to classified data
- Address data ownership issues
- Make deliberate decisions about offshore contractor management and access of sensitive data

Focus Area: Disposal, Servicing and Transfer of IT Equipment
- Ensure management controls exist to reclaim IT equipment from state employees when they are separated from employment
- If the use of privately-owned devices is permitted, then controls need to exist to recover information and software from the devices when the user is separated from state service
- Ensure that data is scrubbed from all devices taken out of state service
- Protect sensitive data from exposure if equipment is temporarily transferred

IT Security Policy Support
- Security Policy Audit Checklists (incorporated into Security Compliance Report)
- Coming soon...
  - Security Policy Educational White Papers (sample provided for ITP-B.2)
  - Security Policy Tips (sample provided for ITP-B.2)
  - Security Policy Resource Guide (sample provided for ITP-B.2)
Documents will be available at:

Security Policy Audit Checklists
- Compliance: Am I compliant? The self-audit.
- Next steps: The action plan.

Security Policy Educational White Papers
- The implementer's perspective: What more do I need to know? Where do I go for more information?

Security Policy Tips
- The subject matter expert: What are the key do's and don'ts of implementation?

Security Policy Resource Guide
- The user perspective: Why? What's my role? What are my responsibilities? Where do I go for more information?

Securing Your System... A Basic Philosophy
- There is no "silver bullet" for securing systems.
- Three components for success: people, processes, technology
- It's about risk management
(SAIC, "Why Security Policy" presentation, June 19, 2001)

Statewide IT Policy Contact Information
Telephone: 614-644-9352
Facsimile: 614-644-9152
E-mail:
State of Ohio IT Policy is available at: :///itp

Doug Alt, State IT Policy Manager, (614) 466-5083. Questions?

Sam Orth, Enterprise Architecture & Standards Manager, State of Ohio

IT Data Encryption Standard: Development Overview & Status

Overview
- Executive Order 2007-013S
- 3 Components of Encryption
- Goals of the Standard
- Research Approach
- Standards Development Approach – MOA
- Research Synopsis
- Standards Candidates
- Data Encryption Requirements & Implementation
- Next Steps
- Questions

Executive Order 2007-013S, Improving State Agency Data Privacy & Security
- August 29, 2007: Within seventy-five days, the Chief Privacy Officer shall develop a data encryption protocol that establishes the data that should be maintained in encrypted form (like social security numbers or financial account information), the circumstances in which such data should be encrypted (like data kept on a laptop or other portable device), and the encryption strength and standard to be utilized.
- November 12, 2007: Within seventy-five days thereafter, the DPPOC at each agency shall provide a report to the Chief Privacy Officer detailing the steps and time necessary to implement the data encryption protocol.

3 Components of Encryption
- Cipher: the encryption/decryption algorithm (block or stream)
- Key: expressed in bits; symmetric (shared secret / private key) or asymmetric (public/private key pair, digital signatures)
- Key management: selecting, distributing and storing keys

Goals of the Standard (Principles)
- Common, durable, doesn't frequently change
- Supports a wide variety of systems, components, architectures, technologies
- Can be used across state government
- One size fits most: the '80/20 rule'
(diagram: a common core shared by Agency A, Agency B and Agency C, with each agency's unique needs outside it)

Research Approach
- Federal government
- Industry research (Gartner)
- Agency practice
- IT vendors
- Other states
- Standards candidates

Standards Development Approach – MOA
(diagram: MOA layers of business applications, technology solutions and standards; patterns = use cases: Disaster Recovery, Business Mobility, Personal Productivity, Information Access; technology solutions: Data Networks, Mobile Technologies, Applications, Storage Technologies; standards candidates defined by cipher and key size; "brick" = standard; near-term focus and initial focus marked)

Gartner Mobile Data Protection Leaders*
- Utimaco
- Safeware
- Credant Technologies
- Pointsec
- SafeBoot
*Gartner Research ID Number: G00141980

Physical Pattern: Business Mobility
- TPM
- AES 128 bit
- NTFS
- Win XP
- Mobile Encryption Software Suite

Procurement opportunities: Enterprise License Agreements, State Term Schedules
Communities of interest: sharing of best practices, documentation, training

Standards Development Approach – MOA
(diagram repeated, with the near-term focus on the Mobile Encryption and Removable Storage patterns)

Research Synopsis
- 32 other states
- 13 standards issued or revised since 2006
- 17 require or recommend AES/TDES or NIST FIPS standards
- 7 explici
