Slide 1: Information Asset Classification Communications Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office

Slide 2: Agenda
- Policy Overview
- Community of Practice Update
- Enterprise Information
- Agency Plan
- Methodology and Agency Plan
- Clearinghouse and Q&A
- Wrap up

Slide 3: Policy - Overview
Information will be classified and managed based on its confidentiality, sensitivity, value and availability requirements.
- Identify an Information Owner or Owners
- Owner responsible for:
  - Initial classification
  - Decisions regarding information management
  - Review and reclassification if appropriate
  - Proper retention and disposal
- Statewide information
- Agency information

Slide 4: Policy – Classification Levels
- Level 1, Published: low-sensitivity information that will not jeopardize the privacy or security of agency employees, clients and partners.
  Examples: press releases, brochures, pamphlets, public access Web pages, and materials created for public consumption.
- Level 2, Limited: sensitive information that may jeopardize the privacy or security of agency employees, clients and partners.
  Examples: enterprise risk management planning documents, published internal audit reports, names and addresses that are not protected from disclosure.

Slide 5: Policy – Classification Levels
- Level 3, Restricted: sensitive information where unauthorized access could result in financial loss or identity theft.
  Examples: network diagrams, personally identifiable information, other information exempt from public records disclosure.
- Level 4, Critical: extremely sensitive information with the potential to cause major damage or injury.
  Examples: information whose disclosure could result in loss of life, disability or serious injury; regulated information with significant penalties for unauthorized disclosure; information that is typically exempt from public disclosure.

Slide 6: Policy - Compliance Time Line
- Plan developed by June 30, 2009
- Level 4 identified and protected by December 31, 2009
- All other policy provisions completed by June 30, 2010
Note: Agencies are required to comply with the Oregon Consumer Identity Theft Protection Act (Senate Bill 583, 2007 Legislative Session).
Slide 7: Community of Practice and DHS Approach
Kyle Miller, Department of Human Services

Slide 8: Community of Practice
Membership representatives:
- Human Services
- Consumer and Business Services
- Forestry
- Corrections
- Transportation
- Education
- Administrative Services

Slide 9: Community of Practice Goals
- Methodology document that contains best practices and links to tools and resources
- Best practices for classification
- Elements of information asset management
- Recommendations for user awareness
- Recommendations regarding policy

Slide 10: DHS Approach
- Survey approach
- Information exchange
- Forms development
- Other initiatives
Slide 11: Enterprise Information
Bret West, Department of Administrative Services

Slide 12: Enterprise Information
What enterprise information does DAS “own”?
- HR
- Payroll
- Financial
- Contracts
- DAS-owned facilities
- State network
- Others

Slide 13: Enterprise Information
What does ownership mean?
- DAS is responsible for determining classification levels
- DAS is responsible for communicating classification levels to stakeholders
- Ownership rests with DAS until information is transferred to another agency
- At that point, agencies will be responsible for ensuring security

Slide 14: Enterprise Information
What does ownership mean?
- Business partners (in this case DAS divisions) are responsible for classifying information assets
- This is not a technology issue!

Slide 15: Enterprise Information
Example: Statewide Financial Management Application Data
- The application itself will be classified at Level 4
- The combination of data elements puts the state and individuals at risk
- Specific elements or reports will be classified according to the statewide policy guidelines

Slide 16: Enterprise Information
Example: Statewide Financial Management Application Data (continued)
- Specific elements or reports will be classified according to the statewide policy guidelines
- Currently, SFMS staff have labeled reports “confidential” or “not confidential” based on the data included
- Further work will be done to classify these reports according to the appropriate levels

Slide 17: Enterprise Information
When will the classifications be available?
- Our goal is to have all Level 4 data classified by July 1, 2008
- Our draft internal policy requires all Level 3 data to be classified by January 1, 2009 and all Level 2 data classified by July 1, 2009
Slide 18: ODOT’s Security Fabric - Addressing Information Security
Lisa Martinez, Oregon Department of Transportation

Slide 19: Where do you begin?
- Establish a “First-Strike” project team to develop your initial roll-out strategy
- Make sure you have the right blend of business and information technology representatives
- Review and consolidate standards across all of the DAS Enterprise Information Security policies and Senate Bill 583
- Develop a “final draft” of an agency-wide assessment tool to determine where your agency is in meeting, partially meeting, or not meeting the consolidated standards
- Pilot the tool in a few areas to gather information on the resources and time required to assess across your agency

Slide 20: Where do you begin? (cont.)
- Make sure you have the support and commitment of your agency Director and his/her direct reports
- Provide enough information so they understand the work effort required by their managers and employees
- Have them provide names of appropriate staff to assist on a project team
- Make sure that you use them to reinforce agency commitment if you encounter problems

Slide 21: Where do you begin? (cont.)
- Take time to understand how other initiatives underway in your agency interlace with information security
- Can you demonstrate benefit to other initiatives with regard to information gathering, business process mapping, and similar tasks?
- Be willing to share information with other project teams
- Don’t overlook everyday work processes – they may be an easy opportunity to help with culture change

Slide 22: Where do you begin? (cont.)
- Communicate to managers and employees why this initiative is important
- Make it real by giving real-life examples
- Utilize internal communication tools such as newsletters, intranet pages, etc.
- Acknowledge that this will take time and is not an overnight process
- Consider an Information Security “hotline”
- Identify available resources

Slide 23: ODOT Progress Report
- “First Strike” project team established, consisting of business and information technology staff and a contracted project manager
- Identified standards across policies and SB 583
- Developing assessment tool, criteria to measure current state against standards, glossary of terms and background materials
- Identified two business areas to pilot the tool
- Preparing presentation for the Director and his direct reports to affirm support and commitment and solicit business resources

Slide 24: Identified Key Business Challenges and Opportunities
Opportunities:
- Reduce agency risk
- Potential to improve business processes
- Recognize and develop partnerships
- Develop and share best practices
- Successful implementation results in improved agency compliance
Challenges:
- Reliant on business line subject matter experts
- Competes with other priorities
- Undefined roles and responsibilities
- Requires routine review and assessment to manage risk
Identify business contacts for each Division, Region, and Branch

Slide 25: Gather Requirements and Identify Gaps
[Process diagram; labels recovered from the slide:]
- Gap Analysis: ratings of Meets or Exceeds / Does Not Meet / Not Applicable, applied to Requirements, ODOT Current Initiatives, and Across State by Lines of Business
- Project Team: review results; rank gaps based on risks and priorities; develop blueprint of implementation plan
- Prioritization grid: High Opportunity / High Risk versus Low Opportunity / Low Risk
- Input from Subject Matter Experts from Lines of Business

Slide 26: Available Resources
- Statewide Community of Practice (CoP) Workgroup on Information Assets Management Policy
  - Tool development: information asset classification architecture methodology, risk assessment tools, communication tools
  - Will continue sharing process documents
  - Web site resource
- ODOT IS Tech Management Research
  - Inventory and identify capabilities of current information security tools
  - Research capabilities of other security tools, for example data leakage
- Business Line Best Practices
Slide 27: Information Asset Classification
John Koreski, Department of Corrections

Slide 28: Methodology
Information Asset Classification Methodology:
1. Identify information assets
2. Identify the owner
3. Conduct an impact assessment
4. Determine the classification
5. Document classified information assets
6. Provide education and awareness
7. Maintain classification and conduct continuous review

Slide 29: Security Organization
- Security
- Legal Implications

Slide 30: Recommended Strategy to Implement the Office of Legal Affairs
Phase 1 (12 months):
- Identify LIO and PIOs: 1/08
- Create training
- Deliver training: 3/08
  - DOJ/DOC key staff
  - Management
  - Other impacted staff
- Create tracking mechanisms
- Establish measures
- Complete Phase 1: 12/08

Slide 31: Recommended Strategy to Implement the Office of Legal Affairs
Phase 2 (15 months):
- Info. Asset Identification: 4/08
- Project Mgmt. Methodology
- Archive E-Mail Project
- Transporting Info. Assets Project
- Complete Phase 2: 6/09

Slide 32: Recommended Strategy to Implement the Office of Legal Affairs
Phase 3 (18 months):
- Begin Grant Admin. Strategy: 7/09
- Hire Info. Security Officer (ISO) (see handout for duties)
- Hire Records Officer (RO) (see handout for duties)
- Complete Phase 3: 1/11

Slide 33: Recommended Strategy to Implement the Office of Legal Affairs
Phase 4:
- Electronic Records Management
- Enterprise Content Management
- Timeline: approximately 1/11 – 7/11
Slide 34: Clearinghouse and Wrap Up
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office

Slide 35: Policy Resources
- A clearinghouse-type Web site with links to best practices and tools/templates: www.oregon.gov/DAS/EISPD/ESO/IAC.shtml

Slide 36: Thank You
Other questions? Contact:
- Eva.Doud@state.or.us, 503-378-3071
- Cinnamon.S.Albin@state.or.us, 503-373-1496