Information Security Board


Information Security Board: Mission, Goals and Guiding Principles

Mission

Assist agency management with implementing and maintaining a sound information security program consistent with industry best practices and compliant with state policies.

Goals

1. Implement policies, procedures, and processes to ensure the information security objectives of confidentiality, integrity, and availability are met.
2. Comply with all statewide information security policies and have best practices identified and implemented when practical.
3. Effectively work with partners (DAS, vendors, etc.) to ensure information security objectives are met.
4. Be proactive in identifying and mitigating risks to information as they emerge; however, when a potential breach does occur, the agency reacts immediately to investigate and take appropriate action.
5. Raise user awareness of information security by establishing regular training and information security communications.
6. Develop and implement metrics to track the progress of the information security program.

Information Security Guiding Principles

- We understand that information security affects us all daily.
- We approach information security in layers.
- We grant access based on "least privilege" and "roles" where appropriate.
- We are fiscally responsible.
- We strive for simplicity over complexity.
- We lean toward "buy" versus "build".
- We strive to implement best practices as appropriate.
- We weigh the benefits of "open" over "commercial" sourced software.
- We adopt industry "standards" where appropriate.
- We use risk management as a tool in decision making.
- We strive to use existing infrastructure where feasible.

Strategies for Goal 1

Implement policies, procedures, and processes to ensure the information security objectives of confidentiality, integrity, and availability are met.

- Develop information security goals and objectives.
- Implement policies, procedures, and processes. For example:
  - Completed: Acceptable Use policy; Personal Use of State Resources policy; Security Breach Response Team.
  - In process: Data Classification policy; Information Handling Standards; Information Security Plan.
  - Planning: Incident Response policy.

Strategies for Goal 2

Comply with all statewide information security policies and have implemented best practices identified when practical.

- Identify statewide policies the agency must comply with. For example:
  - ORS 646A.600 through 646A.628: Oregon Consumer Identity Theft Protection Act.
  - ORS 192: Records; Public Reports and Meetings.
  - ORS 182.122: State Administrative Agencies.
  - OAR 125-800-0005 through 0020: State Information Security.
  - DAS policy 107-004-052: Information Security.
- Develop a suitable set of information security best practices.
  - Deploy encryption technologies to portable computing and storage devices.
  - Deploy endpoint management technologies to help prevent data loss.
- Develop information security standards and guidelines.
  - Develop data handling standards.

Strategies for Goal 3

Effectively work with partners (DAS, vendors, etc.) to ensure information security objectives are met. For example:

- Participate on the statewide Information Security Council (assigned: Jason Stanley and Clint Christopher).
- Share appropriate information with other state agencies and private organizations.

Strategies for Goal 4

Be proactive in identifying and mitigating risks to information as they emerge; however, when a potential breach does occur, the agency reacts immediately to investigate and take appropriate action. For example:

- Develop an information security incident response team.
- Revise the Security Breach Incident Response process to include incident response.
- Develop an enterprise risk management program.

Strategies for Goal 5

Raise user awareness of information security by establishing regular training and information security communications. For example:

- Develop articles to be published in the PERC and Espresso.
- Maintain an Intranet site for information security.
- Develop agency-wide email on "hot topics."
- Develop information security awareness training using iLearnOregon and other tools.

Strategies for Goal 6

Develop and implement metrics to track the progress of the information security program. For example:

- Awareness: Do security walkthroughs for workstations "not locked" and compare with previous walkthroughs. Develop scenario-based testing.
- Incidents: How many security breaches occurred?
- Prevention: How many workstations and servers have "up-to-date" patches? How many viruses have been detected?
- Compliance: Security findings by severity (high, medium, low), open versus closed.