Securing Critical Assets: Arizona’s Security & Privacy Initiatives

Presentation transcript:

Securing Critical Assets: Arizona’s Security & Privacy Initiatives
This domain is the most complex in terms of understanding how we manage data and information and the systems supporting such data. The intent is to develop a representation of IT reality as it applies to the agency, the COIs (communities of interest) and the enterprise. Most Internet-based services in the State are developed and presented separately, according to the jurisdictional boundaries of an individual agency, rather than being integrated cooperatively according to lines of business or function.

Background
Arizona has been the Identity Theft Capital of the U.S. for the past 4 years.
AZ Government has decentralized Service Delivery & IT Infrastructure Management, increasing our security risks.
Citizens have ready access to public data (Web Portal, Google partnership, Arizona 2-1-1, etc.).
All States are subject to Federal Privacy Mandates:
Health Insurance Portability and Accountability Act (HIPAA)
Federal Information Security Management Act of 2002 (FISMA)
Family Educational Rights and Privacy Act (FERPA)
Pending Data Security Breach (Privacy Disclosure) legislation, etc.

AZ Security & Privacy Initiatives
Our Security & Privacy Activities have focused on:
State Legislation
Executive Policies
State Initiatives

Legislative Actions
41-3504: GITA Duties as Statewide Strategic IT Planning and Oversight Agency.
44-7501: Notification for Compromised Personal Information.
41-4152: Identifies appropriate information practices and protection of all personal information collected from its citizens and consumers.
***Current Pending Legislation - S.B. 1104 – Proposes a Statewide Information Security and Privacy Office to be placed in GITA & a Baseline Statewide Security Risk Assessment***

Executive Policy
IT Enterprise Architecture developed in 2003 included Statewide IT Security & Privacy Policies, Standards and Practices (PSP).
Project Investment Justification (PIJ) Process, Consulting & Monitoring Functions cover Security & all other IT Areas.
Advisory & Oversight Boards:
Emergency Preparedness Oversight Council (EPOC)
IT Security Advisory Committee (ITSAC)
CIO Council (CIOs of largest State agencies)
Program Participation:
Multi-State Information Sharing & Analysis Center (MS-ISAC) Participation
HIPAAZ Program

State Security & Privacy Initiatives
Annual Standards Compliance Assessment (TISA)
Gap Closure Process
Training & Awareness
Linkage with BCPs & IT DR
IT Security Training & Awareness
Annual CIO Standards Awareness Training
Annual BCP Coordinator Training (includes IT/DR)
DES Training Pilot
Business Continuity Planning
IT Disaster Recovery
Critical Business Function Resource Mapping
Statewide Infrastructure Protection Center (SIPC)
Incident Reporting
Event Management

Resource References
Arizona’s Statewide IT Enterprise Architecture, Quality Assurance, and IT Security Standards: http://azgita.gov/policies_standards/
GITA’s online assessment tools (PARIS, ISIS & TISA) allow streamlined IT planning, standards compliance assessment, and inventory reporting: http://azgita.gov/apps/
Business Continuity/IT Disaster Recovery Planning guide: http://www.dem.state.az.us/busines%20continuity/Phase-2-Guidance%20K-1.pdf

Lessons Learned
Privacy protection should drive IT Security standards.
Business Leaders must drive BCP, IT/DR, IT Planning & Standards Compliance for effective implementation.
Risk Management should be tailored to the level of risk:
30 “Group 1” BCP agencies (large, critical)
70 “Group 2” BCP participants (agencies, boards, commissions)
Different compliance & training for each group
Business Impact Analysis (BIA) should target Critical Business Function (CBF) mapping.
Agencies need actionable, documented & tested workaround procedures.
Statewide Central Oversight & Control is needed in decentralized environments for security protection to be effective.

Government Information Technology Agency (GITA)
Questions/Comments
Chris Cummiskey, State CIO & Director, Government Information Technology Agency (GITA)
602-364-4770
ccummiskey@azgita.gov