Implementing Executive Order 504 with the Resources Your Agency Has Today
Executive Office of Administration and Finance, Information Technology Division
Linda Hamel, General Counsel, Information Technology Division
Stephanie Zierten, Deputy General Counsel, Information Technology Division
Jenny Hedderman, Deputy General Counsel, Comptroller
Presentation for Executive Order 504 Train the Trainer Course, December 16 and 17, 2008
12/18/08 Executive Order 504

Agenda
– Before Executive Order (E.O.) 504
– Requirements of E.O. 504
– What’s new?
– Complying with E.O. 504 with the resources your agency has today
Handouts available at: www.mass.gov/itd

Before Executive Order 504
Three sources of agency security and privacy (confidentiality) requirements:
– ITD Security Policies, Standards and Guidelines
– Contracts
– State and federal laws regarding privacy and security

Before EO 504
ITD’s enabling legislation authorizes ITD to set information technology standards for the Executive Department.
Executive Department budget language annually gives ITD authority over IT projects of $200,000 and over.
The Enterprise Security Board (ESB) was voluntarily created by ITD under the CIO’s general authority in 2001.
With the advice of the ESB, ITD has issued enterprise security policies addressing:
– Attack intrusion notification
– Cybercrime and security incidents
– Electronic messaging communications security
– Information security policy
– Data classification
– E-government applications public access policy and standards
– Remote access
– Wireless implementations

Before EO 504, cont.
Agencies are subject to contractual security requirements. Examples:
– Payment Card Industry (PCI) Data Security Standards: data security standards mandated by the credit card industry for all Commonwealth entities that process, transmit, or store credit cardholder data
– Social Security Administration Information Exchange Agreement: governs the transmission of data files received from and sent to the Social Security Administration
– Business Associate agreements between agencies that are HIPAA covered entities and agencies that act as service providers

Before EO 504, cont.
Law breaks down along two lines:
– Privacy (rules about who gets to see sensitive data; broader than security). Examples:
  – HIPAA privacy rule
  – Main sections of FIPA (Fair Information Practices Act, M.G.L. c. 66A); exemptions to the public records law
  – CORI
  Principles governing protection of privacy data: notice; purpose; consent; security; disclosure; access; and accountability
– Security (rules about the physical, technical and administrative methods of limiting access; a means to effectuate the privacy rules). Examples:
  – HIPAA security rule
  – One section of FIPA
  – Internal Revenue Manual 30.6.1, Security of Confidential Information

Before EO 504
Personnel addressing security and privacy have also traditionally been grouped separately:
– Technologists handle security
– Lawyers, policymakers and program managers manage the privacy rules

Before EO 504, cont.
Executive Order 412 directed agencies to:
– Review policies and practices regarding information related to individuals
– Determine the minimum quantity of personal information they need to collect, and reform policies and practices regarding dissemination and security
– Adopt a policy regarding employee expectations of privacy

Executive Order 504: Summary
Revokes EO 412 (but reinstates many of its terms)
Doesn’t change:
– Pre-existing contractual requirements imposed on the state
– Pre-existing security or privacy laws
Requirements imposed on:
– Executive Department agencies (not the broader Executive Branch, the Legislature, the Judiciary, or Authorities)
– ITD and the CIO
– Enterprise Security Board

Executive Department Agencies Must…
“Adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of”:
– Personal Information, as defined in the Security Freezes and Notification of Data Breaches statute (G.L. c. 93H)
– Personal Data, as defined under FIPA
Personal Information (G.L. c. 93H): a resident’s first name (or initial) and last name in combination with any of:
– Social Security number
– Driver’s license (or state-issued ID) number
– Financial account number
Personal Data (FIPA): any information which, because of name, identifying number, mark or description, can be readily associated with a particular individual, except information that is contained within a public record (G.L. c. 4, § 7(26)).

Executive Department Agencies Must…
Develop, implement and maintain a written information security program which ensures that the agency:
– Collects the minimum quantity of personal information and data reasonably needed to accomplish the legitimate purpose for which the information is being collected
– Securely stores and protects personal information and data against unauthorized access, destruction, use, modification, disclosure or loss
– Discloses personal information and data only on a need-to-know basis
– Destroys personal information and data as soon as it is no longer needed or required to be maintained under state or federal law
– Addresses administrative, technical, and physical safeguards
– Complies with federal and state privacy and security laws and regulations

Executive Department Agencies Must…
Develop and implement written information security programs that:
– Cover all personal information (not restricted to electronic information)
– Address electronic personal data in a subset of the Information Security Program (ISP) called an “electronic security plan” (ESP)
[Diagram: personal information and data are covered by the Information Security Program; the Electronic Security Plan is the subset of the ISP covering electronic data.]

Executive Department Agencies Must…
Appoint an Information “Security” Officer (really a Security and Privacy Officer), who:
– Reports directly to the Agency head
– Signs the agency ISP and its ESP
– Can be an existing employee taking on a new responsibility (not required to be a full-time responsibility)
– Coordinates the Agency’s compliance with E.O. 504, federal and state privacy and security laws and regulations, and ITD security standards and policies
– Although not required by EO 504, should also coordinate compliance with contractual security and privacy obligations
Have the Agency Head certify all programs, plans, self-audits and reports.
By September 2009, provide mandatory security training for all agency heads, managers, supervisors and employees (including contract employees) on how to identify, maintain and safeguard records and data.
Incorporate the required contract language regarding vendor certification in all contracts entered into after January 1, 2009; breach of the certification constitutes breach of contract.
Before entering a contract, follow the mandatory ITD standards for verifying the competence and integrity of contractors and subcontractors, minimizing data and system access, and ensuring the security, confidentiality and integrity of such data and systems.
Fully cooperate with ITD, including ITD requests for information, in connection with ITD’s fulfillment of its responsibilities.

ITD and the CIO: Authority and Oversight
The CIO shall have the authority, with respect to Electronic Security Plans (ESPs) (NOT agencies’ entire Information Security Programs), to:
– Issue guidelines, standards, and policies about the development, implementation and maintenance of ESPs
– Require that agencies submit ESPs to ITD for review
– Specify when agencies must submit supplemental or updated ESPs
– Establish and oversee periodic self-audit reporting requirements (self-audits must be required no less than annually). Self-audits are measured against ITD standards, the agency’s ESP, and federal and state privacy and security laws [presumably only those relating to electronic data]
– Conduct reviews to assess agency compliance
– Issue an M.G.L. c. 93H “report to ITD” policy
How is this authority enforced? With the approval of ANF, the CIO may determine remedial action for non-compliant agencies and impose terms and conditions on an agency’s IT-related expenditures and IT capital funding.

ITD and the CIO: Authority and Oversight, cont.
Procurement:
– Develop mandatory standards and procedures for agencies to follow before entering contracts that will allow third-party access to personal data or personal information, or to systems containing such information
– Draft mandatory ITD standards for verifying the competence and integrity of contractors and subcontractors, minimizing data and system access, and ensuring the security, confidentiality and integrity of such data and systems*
– Draft, with OSC and OSD, contract provisions* including a certification that the contractor:
  – Has reviewed and will comply with information security programs, plans, guidelines, standards and policies
  – Will communicate and enforce those provisions against its subcontractors
  – Will implement any other reasonable and appropriate measures to protect personal information
* To be provided as handouts today

Enterprise Security Board
The Enterprise Security Board (ESB) has operated for 7 years solely at ITD’s discretion.
EO 504 gives legal footing to the ESB, which:
– Acts as a “consultative body to advise the CIO”
– Advises the CIO in developing guidelines, standards and policies governing implementation of EO 504
The CIO shall determine the members and makeup of the ESB, but membership shall be drawn from:
– State employees from the Executive Department with experience in IT, privacy, and security
– Representatives from the Judicial and Legislative Branches
– Other constitutional offices
– Quasi-public authorities

EO 504 Summary: What’s New?
– Requirement for agency security officers (addressing both privacy and security) and written information security programs (including ESPs)
– Requirement for an at least annual agency ESP self-audit, sent to ITD
– Additional ANF/ITD authority over agency IT spending based on agency compliance with the ESP self-audit
– Less uncertainty regarding ESB survival in the future
– Focus on data destruction (also required under G.L. c. 93I)
– Agencies must give full cooperation, and information, to ITD
– Procurement-related standards and procedures (vendor certification plus pre-contract procedures)

Due Dates as Per EO 504
Due Date: Today
– Start using the EO 504 ITD Mandatory Procurement Standards and Procedures for all contracts solicited for IT solutions that involve personal information or personal data
– Appoint an Agency Information Security Officer (ISO)
Due Date: January 1, 2009
– Ensure the EO 504 Vendor Certification is included in all contracts involving personal information or personal data (may be on the Standard Contract Form by January 1, 2009)
Due Date: September 18, 2009
– Create an Information Security Program (including an ESP): draft and write the ISP and ESP
– Have the Agency Head and ISO certify the ISP
– Submit the ESP to ITD for review
– Train agency head, managers, supervisors and employees (including contract employees) on your plan (use the training materials from December 2008 and other templates that become available in Spring 2009)
– Submit the first self-audit to ITD
Thereafter
– Submit self-audits as required by ITD, but at least annually

Suggested Tasks and Timeline to Meet Due Dates of EO 504
December 2008
1. Start using the EO 504 ITD Mandatory Procurement Standards and Procedures for all contracts solicited for IT solutions that involve personal information or personal data
2. Appoint an Agency Information Security Officer (ISO)
January 2009
1. January 1, 2009: Ensure the EO 504 Vendor Certification is included in all contracts involving personal information or personal data (may be on the Standard Contract Form by January 1, 2009)
2. Train top-level management on the general EO 504 provisions (feel free to use these training materials)
3. Start work on the agency security/privacy matrix
March 2009
1. Obtain the tools developed by the ESB and provided by ITD (e.g. templates for ESPs, guidelines for self-audits, and other policies and guidelines developed by the ESB and provided by ITD to agencies)
Between April and June 2009
1. Create an Information Security Program (including an ESP)
2. Have the Agency Head and ISO certify the ISP
3. Submit the ESP to ITD for review and approval
4. Obtain ITD’s approval of the ESP (ITD will have 10 business days to review, accept or reject the ESP)
Between June 2009 and September 2009
1. Train agency head, managers, supervisors and employees (including contract employees) on your agency’s ISP (use the training materials from December 2008, the agency ISP, and other templates that become available in Spring 2009 for ISP training)
2. Perform a self-audit against the ESP
3. Submit the first self-audit to ITD
Thereafter
1. Submit self-audits as required by ITD, but at least annually

Helping Your Agency Comply
Tomorrow’s tools:
– Template for ISP
– Template for ISP self-audit
Today’s tools:
– EO 504 Checklist (previous slide)
– Model Security Matrix
– Certification language
– ITD EO 504 Pre-Contract Procurement Procedures

Agency Security Matrix (example)

| Requirement source          | Type of data               | System holding data                  | Feature 1 (e.g. staffing req.) | Feature 2 (e.g. training req.) | Feature 3 (physical security) |
|-----------------------------|----------------------------|--------------------------------------|--------------------------------|--------------------------------|-------------------------------|
| Statute 1 (e.g. FIPA)       | PII that is not public record | App Name A, App Name B            | Appoint Security Officer       | Train all staff (once)         | Password requirement          |
| Statute 2 (e.g. HIPAA)      | PII related to health      | App Name C                           | Personnel must be certified    |                                | Password requirement          |
| Exec. Order (e.g. 504)      | PII in general             | App Name A, App Name B, App Name C   | Appoint Security Officer       | Train all staff (once)         |                               |
| Contract 1 (e.g. SSA)       |                            | App Name C                           | Personnel must be certified    |                                | Password requirement          |
| Contract 2 (e.g. PCI)       | Credit card                | App Name A                           |                                | Train users of system (yearly) | Password requirement          |
| Policy 1 (e.g. ITD Policies) | Highly sensitive data     | App Name A, App Name B, App Name C   | Personnel must be certified    |                                |                               |

Office of the Comptroller Standard Contract Form Updates
The Standard Contract Form is being updated to include the required Executive Order 504 language in the “Certifications” section of the Instructions. The new form must be used as of January 1, 2009 for all contracts.

What if an Executive Department conducted a procurement referencing the current form?
The current Standard Contract Form may be used; however, Executive Departments must have the Contractor sign the “Executive Order 504 Certification Form” if the Contractor will have access to personal information or personal data, as those terms are defined under G.L. c. 93H and c. 66A, or to systems that contain such information or data.

Do I have to include the Executive Order 504 Certification Form as part of my procurements?
No, if you are using the new version of the Standard Contract Form, OR if the contract does not involve access to personal information or data, or to systems that contain personal information or data.
Yes, if you are not using the new version of the Standard Contract Form AND the Contractor will have access to personal information or data, or to systems that contain personal information or data.

Will the Executive Order 504 language apply to non-Executive Departments?
No. The Executive Order 504 language applies solely to Executive Department contracts. However, generic language is being added to the Certifications section to remind ALL Contractors of their broad duty to protect the physical security of, and restrict access to, all Department data (including the Department’s public records, documents, files, software, equipment or systems) that the Contractor may have access to under the Contract.

Ask for Help
Use the resources you have.
Use the tools provided by ITD and the ESB, and participate with the ESB if possible.
Linda Hamel, ITD, 617 626 4404
Stephanie Zierten, ITD, 617 626 4698
Jenny Hedderman, OSC (contract questions), 617 973 2656