Implementing Executive Order 504 with the Resources Your Agency Has Today Executive Office of Administration and Finance Information Technology Division.

Presentation transcript:

Implementing Executive Order 504 with the Resources Your Agency Has Today
Executive Office of Administration and Finance, Information Technology Division
Linda Hamel, General Counsel, Information Technology Division
Stephanie Zierten, Deputy General Counsel, Information Technology Division
Jenny Hedderman, Deputy General Counsel, Comptroller
Presentation for Executive Order 504 Train the Trainer Course, December 16 and 17, 2008

12/18/08 Executive Order 504
Agenda
– Before Executive Order (E.O.) 504
– Requirements of E.O. 504
– What’s new?
– Complying with E.O. 504 with the resources your agency has today
– Handouts available at:

Before Executive Order 504
Three sources of agency security and (confidentiality) privacy requirements:
– ITD Security Policies, Standards and Guidelines
– Contracts
– State and Federal laws regarding privacy and security

Before EO 504
ITD’s Enabling Legislation enables ITD to set information technology standards for the Executive Department.
Executive Department budget language annually gives ITD authority over IT projects $200,000 and over.
Enterprise Security Board (ESB) voluntarily created by ITD under CIO’s general authority in 2001.
With the advice of ESB, ITD has issued enterprise security policies addressing:
– Attack intrusion notification
– Cybercrime and security incidents
– Electronic messaging communications security
– Information security policy
– Data classification
– E-government apps public access policy and standards
– Remote access
– Wireless implementations

Before EO 504, cont.
Agencies subject to contractual security requirements. Examples:
– Payment Card Industry (PCI) Data Security Standards: certain data security standards mandated by the credit card industry for all Commonwealth entities that process, transmit, or store credit cardholder data
– Social Security Administration Information Exchange Agreement: governs the transmission of data files received from and sent to the Social Security Administration
– Business Associate agreements between agencies that are HIPAA covered entities and agencies that act as service providers

Before EO 504, cont.
Law breaks down along two lines:
– Privacy (rules about who gets to see sensitive data; broader than security). Examples:
  – HIPAA privacy rule
  – main sections of FIPA (Fair Information Practices Act, MGL Ch. 66A)
  – exemptions to public records law
  – CORI
  Principles governing protection of privacy data: Notice; Purpose; Consent; Security; Disclosure; Access; and Accountability
– Security (rules about the physical, technical, administrative methods of limiting access; a means to effectuate privacy rules). Examples:
  – HIPAA security rule
  – one section of FIPA
  – Internal Revenue Manual, Security of Confidential Information

Before EO 504
Personnel addressing security and privacy have also traditionally been grouped separately:
– Technologists handle security
– Lawyers, policymakers and program managers manage the privacy rules

Before EO 504, cont.
Executive Order 412:
– Review policies and practices regarding information related to individuals
– Determine the minimum quantity of personal information agencies need to collect, and reform policies and practices regarding dissemination and security
– Adopt a policy regarding employee expectations of privacy

Executive Order Summary
Revokes EO 412 (but reinstates many of its terms).
Doesn’t change:
– Pre-existing contractual requirements imposed on the state
– Pre-existing security or privacy laws
Requirements imposed on:
– Executive Department Agencies (not Ex. Branch, Leg., Jud., or Authorities)
– ITD and the CIO
– Enterprise Security Board

Executive Department Agencies Must…
“Adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of”:
– Personal Information: as defined in the Security Freezes and Notification of Data Breaches Statute (G.L. 93H)
– Personal Data: as defined under FIPA
Personal Information (G.L. 93H):
– Resident’s first name (or initial) and last name in combination with Social Security number; driver’s license (or state-issued ID) number; or financial account number
Personal Data under FIPA:
– Any information which, because of name, identifying number, mark or description, can be readily associated with a particular individual, except information that is contained within a public record (G.L. c. 4 § 7(26)).

Executive Department Agencies Must…
Develop, implement and maintain a written information security program, which ensures that the agency:
– Collects the minimum quantity of personal information and data reasonably needed to accomplish the legitimate purpose for which the information is being collected
– Securely stores and protects personal information and data against unauthorized access, destruction, use, modification, disclosure or loss
– Discloses personal information and data only on a need-to-know basis
– Destroys personal information and data as soon as it is no longer needed or required to be maintained under state or federal law
– Addresses the administrative, technical, and physical safeguards
– Complies with Federal and state privacy and security laws and regs

Executive Department Agencies Must…
Develop and implement written information security programs that:
– Cover all personal information (not restricted to electronic information)
– Address electronic personal data in a subset of the Information Security Program (ISP) called an “electronic security plan” (ESP)
(Diagram: Personal Information and data: Information Security Program, containing the Electronic Security Plan)

Executive Department Agencies Must…
Appoint an Information “Security” Officer (really a Security and Privacy Officer), who:
– Reports directly to Agency head
– Signs agency ISP and its ESP
– Can be a new responsibility for an existing employee (not required to be a full time responsibility)
– Coordinates Agency’s compliance with:
  – E.O. 504
  – Federal and state laws and regulations (privacy and security)
  – ITD security standards and policies
  Although not required by EO 504, the EO 504 Security Officer is to coordinate compliance with contractual security and privacy obligations as well.
Have Agency Head certify all Programs, Plans, Self-Audits and Reports.
By September 2009, attend mandatory security training:
– for all agency heads, managers, supervisors, employees (including contract employees)
– re: how to identify, maintain and safeguard records and data
Incorporate required contract language regarding vendor certification in all contracts entered post January; breach constitutes breach of contract.
Before entering contract, follow mandatory ITD standards for verifying competence and integrity of contractors and subcontractors, minimizing data and system access, and ensuring security, confidentiality and integrity of such data and systems.
Fully cooperate with ITD, including ITD requests for information, in connection with ITD fulfillment of responsibilities.

ITD and the CIO: Authority and Oversight
CIO shall have the authority, re: Electronic Security Plans (ESPs) (NOT agencies’ entire Information Security Program), to:
– Issue guidelines, standards, and policies about development, implementation and maintenance of ESPs
– Require that agencies submit ESPs to ITD for review
– Specify when agencies must submit supplemental or updated ESPs
– Establish and oversee periodic self-audit reporting requirements (but must require self-audit no less than annually). Self-audits against:
  – ITD standards
  – ESPs
  – Federal and state privacy and security laws [presumably only e-related]
– Conduct reviews to assess agency compliance
– Issue MGL 93H “report to ITD” policy
– How is this authority enforced? With approval of ANF, determine remedial action for non-compliant agencies and impose terms and conditions on agency’s IT related expenditures and IT capital funding

ITD and the CIO: Authority and Oversight, cont.
Procurement:
– Develop mandatory standards and procedures for agencies to follow before entering contracts that will allow third party access to personal data or personal information or systems containing such information
– Draft mandatory ITD standards for verifying competence and integrity of contractors and subcontractors, minimizing data and system access, and ensuring security, confidentiality and integrity of such data and systems.*
– Draft, with OSC and OSD, contract provisions* including certification that the contractor:
  – Has reviewed and will comply with information security programs, plans, guidelines, standards and policies
  – Will communicate and enforce those provisions against their subcontractors
  – Will implement any other reasonable and appropriate measures to protect personal information
* To be provided as handouts today

Enterprise Security Board
Enterprise Security Board (ESB) has operated for 7 years solely at ITD’s discretion.
EO 504 gives legal footing to ESB:
– Acts as a “consultative body to advise the CIO”
– Advises CIO in developing guidelines, standards and policies governing implementation of EO 504
CIO shall determine members and makeup of ESB, but membership shall be drawn from:
– State employees from Executive Department
– Experience in IT, privacy, and security
– Representatives from Judicial and Legislative Branches
– Other constitutional offices
– Quasi-public authorities

EO 504 Summary: What’s New?
– Requirement for agency security officers (addressing both Privacy and Security) and written information security program (including ESPs)
– Requirement for agency at least annual ESP self audit, sent to ITD
– Additional ANF/ITD authority over agency IT spending based on agency compliance with ESP self audit
– Less uncertainty regarding ESB survival in the future
– Focus on data destruction (also required under G.L. c. 93I)
– Agencies must give full cooperation, and information, to ITD
– Procurement related standards and procedures (vendor certification plus pre contract procedures)

Due Dates as Per EO504
Due Date: Today
– Start using the EO504 ITD Mandatory Procurement Standards and Procedures for all contracts solicited for IT Solutions that involve personal information or personal data.
– Appoint an Agency Information Security Officer (ISO)
Due Date: January 1, 2009
– Ensure EO504 Vendor Certification included in all contracts involving personal information or personal data (may be on Standard Form Contract by January 1, 2009)
Due Date: September 18, 2009
– Create an Information Security Program (including an ESP)
– Draft and write ISP and ESP
– Have Agency Head and ISO certify the ISP
– Submit the ESP to ITD for review
– Train agency head, managers, supervisors and employees (including contract employees) on your plan (use training materials from December 2008 and other templates that become available in Spring 2009)
– Submit first self audit to ITD
Thereafter
– Submit self-audits as required by ITD, but at least annually

Suggested Tasks and Timeline to Meet Due Dates of EO504
December 2008
1. Start using the EO504 ITD Mandatory Procurement Standards and Procedures for all contracts solicited for IT Solutions that involve personal information or personal data.
2. Appoint an Agency Information Security Officer (ISO)
January 2009
1. January 1, 2009: Ensure EO504 Vendor Certification included in all contracts involving personal information or personal data (may be on Standard Form Contract by January 1, 2009)
2. Train top level management on general EO504 provisions (feel free to use these training materials)
3. Start work on agency security/privacy matrix
March 2009
1. Obtain tools developed by the ESB and provided by ITD (e.g. templates for the ESPs, guidelines for self-audits, other policies and guidelines developed by ESB and provided by ITD to agencies)
Between April and June 2009
1. Create an Information Security Program (including an ESP)
2. Have Agency Head and ISO certify the ISP
3. Submit the ESP to ITD for review and approval
4. Obtain ITD’s approval of ISP (ITD will have 10 business days to review, accept or reject ESP)
Between June 2009 and September 2009
1. Train agency head, managers, supervisors and employees (including contract employees) on your agency’s ISP (use training materials from December 2008, agency ISP, and other templates that become available in Spring 2009 for ISP training)
2. Perform self-audit against ESP
3. Submit first self audit to ITD
Thereafter
1. Submit self-audits as required by ITD, but at least annually

Helping your Agency Comply
Tomorrow’s tools:
– Template for ISP
– Template for ISP self-audit
Today’s tools:
– EO 504 Checklist (previous slide)
– Model Security Matrix
– Certification language
– ITD EO 504 Pre-Contract Procurement Procedures

Agency Security Matrix (example)

| Requirement source | Type of Data | System Holding Data | Feature 1 (e.g. staffing req.) | Feature 2 (e.g. training req.) | Feature 3 (physical security) |
|---|---|---|---|---|---|
| Statute 1 (e.g. FIPA) | PII that is not public record | App Name A, App Name B | Appoint Security Officer | Train all staff (once) | Password require. |
| Statute 2 (e.g. HIPAA) | PII related to health | App Name C | Personnel must be certified | | Password require. |
| Exec. Order (e.g. 504) | PII in general | App Name A, App Name B, App Name C | Appoint Security Officer | Train all staff (once) | |
| Contract 1 (SSA) | | App Name C | Personnel must be certified | | Password require. |
| Contract 2 (e.g. PCI) | Credit card | App Name A | | Train users of system (yearly) | Password require. |
| Policy 1 (e.g. ITD Policies) | Highly sensitive data | App Name A, App Name B, App Name C | Personnel must be certified | | |

Office of the Comptroller Standard Contract Form Updates
The Standard Contract Form is being updated to include the required Executive Order 504 language in the “Certifications” section of the Instructions. The new form must be used as of January 1, 2009 for all contracts.

What if an Executive Department conducted a procurement referencing the current form?
The current Standard Contract Form may be used; however, Executive Departments must have a Contractor sign the “Executive Order 504 Certification Form” IF the Contractor will have access to personal information or personal data as those terms are defined under G.L. c. 93H and c. 66A, or to systems that contain such information or data.

Do I have to include the Executive Order 504 Certification Form as part of my Procurements?
No, if you are using the new version of the Standard Contract Form, OR if the Contract does not involve access to personal information or data or systems that contain personal information or data.
Yes, if you are not using the new version of the Standard Contract Form AND if the Contractor will have access to personal information or data or systems that contain personal information or data.

Will the Executive Order 504 Language apply to non-Executive Departments?
No. The Executive Order 504 language applies solely to Executive Department contracts. However, generic language is being added to the Certification Section to remind ALL Contractors of their broad duty to protect the physical security of, and restrict access to, all Department data (including the Department's public records, documents, files, software, equipment or systems) that the Contractor may have access to under the Contract.

Ask for Help
– Use resources you have
– Use the tools provided by ITD and the ESB, and participate with ESB if possible
Contacts:
– Linda Hamel, ITD
– Stephanie Zierten, ITD
– Jenny Hedderman, OSC (Contract Questions)