Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Board

Published byEdith McCarthy Modified over 6 years ago

Similar presentations

Presentation on theme: "Information Security Board"— Presentation transcript:

1 Information Security Board
Mission, Goals and Guiding Principles SL2

2 Mission Assist agency management with implementing and maintaining a sound information security program consistent with industry best practices and compliant with state policies. SL2

3 Goals Implement policies, procedures, and processes to ensure the information security objectives of confidentiality, integrity, and availability are met. Comply with all statewide information security policies and have best practices identified and implemented when practical. Effectively work with partners (DAS, vendors, etc.) to ensure information security objectives are met. Be proactive in identifying and mitigating risks to information as they emerge, however, when a potential breach does occur, the agency reacts immediately to investigate and take appropriate action. Raise user awareness for information security by establishing regular training and information security communications. Develop and implement metrics to track the progress of the information security program. SL2

4 Information Security Guiding Principles
We understand that information security affects us all daily We approach information security in layers We grant access based on “least privilege” and “roles” where appropriate We are fiscally responsible We strive for simplicity over complexity We lean toward “buy” versus “build” We strive to implement best practices as appropriate We weigh the benefits of “open” over “commercial” sourced software We adopt industry “standards” where appropriate We use risk management as a tool in decision making We strive to use existing infrastructure where feasible SL2

5 Strategies for Goal 1 Implement policies, procedures, and processes to ensure the information security objectives of confidentiality, integrity, and availability are met. Develop information security goals and objectives. Implement policies, procedures, and processes. For example: Completed: Acceptable Use policy. Personal Use of State Resources policy. Security Breach Response Team. In Process: Data Classification policy. Information Handling Standards. Information Security Plan. Planning: Incident Response policy. SL2

6 Strategies for Goal 2 Comply with all statewide information security policies and have implemented best practices identified when practical. Identify statewide policies the agency must comply with. For example: ORS 646A.600 through 646A.628: Oregon Consumer Identity Theft Protection Act. ORS 192: Records; Public Reports and Meetings. ORS : State Administrative Agencies. OAR through 0020: State Information Security. DAS policy : Information Security. Develop suitable set of information security best practices. Deploy encryption technologies to portable computing and storage devices. Deploy endpoint management technologies to help prevent data loss. Develop information security standards and guidelines. Develop data handling standards. SL2

7 Strategies for Goal 3 Effectively work with partners (DAS, vendors, etc.) to ensure information security objectives are met. For example: Participate on the statewide Information Security Council. Assigned Jason Stanley and Clint Christopher. Share appropriate information with other state agencies and private organizations. SL2

8 Strategies for Goal 4 Be proactive in identifying and mitigating risks to information as they emerge, however, when a potential breach does occur, the agency reacts immediately to investigate and take appropriate action. For example: Develop an information security incident response team. Revise the Security Breach Incident Response process to include incident response. Develop an enterprise risk management program. SL2

9 Strategies for Goal 5 Raise user awareness for information security by establishing regular training and information security communications. For example: Develop articles to be published in the PERC and Espersso. Maintain an Intranet site for information security. Develop agency wide on “hot topics.” Develop information security awareness training using iLearnOregon and other tools. SL2

10 Strategies for Goal 6 Develop and implement metrics to track the progress of the information security program. For example: Awareness: Do security walkthroughs for workstations “not locked” and compare with previous walkthroughs. Develop scenario based testing. Incidents: How many security breaches occurred? Prevention: How many workstations and servers have “up-to-date” patches? How many viruses have been detected? Compliance: Security findings; high, medium, low. Open versus closed. SL2

Download ppt "Information Security Board"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]

Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.

1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.
SL21 Information Security Board Mission, Goals and Guiding Principles.

SL21 Information Security Board Mission, Goals and Guiding Principles.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
MSIA 711 1 Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation.

MSIA Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
IT PLANNING Enterprise Architecture (EA) & Updates to the Plan.

IT PLANNING Enterprise Architecture (EA) & Updates to the Plan.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.

Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
Www.adira.org Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.

Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.
1 IT Security Awareness, Training and Education Trends Dan Costello Policy Analyst OMB.

1 IT Security Awareness, Training and Education Trends Dan Costello Policy Analyst OMB.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google