版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
DataPrivacy
PointofContactOrientationSession1AgendaIntroduction SolBermann ExecutiveOrder SolBermannRoleofCIO,DPPOC RickShipleyOhioITSecurityPolicies DougAltEncryptionProtocol SamOrthAcquisition TomHartQandA Closing SolBermann2SolBermann
ChiefPrivacyOfficer,J.D.,CIPP
StateofOhioITSecurity3IntroductionUpdateonSecurityBreachStateResponse/ExecutiveOrderDataPrivacyPointofContacts4SolBermann
ChiefPrivacyOfficer,J.D.,CIPP
ExecutiveOrder2007-13SImprovingStateAgencyDataPrivacyandSecurity5WhichAgencies?MandatoryAllCabinetLevelAgenciesVoluntaryNon-CabinetLevelAgencies,BoardsandCommissions6ChiefPrivacyOfficerPrivacyImpactAssessmentProtocolby8/29/07DataEncryptionProtocolby8/29/077MandatoryAgenciesSecurityPolicyComplianceReportby8/14/07PrivacyImpactAssessmentImplementationby8/29/07Developplanby11/12/07forimplementingtheEncryptionProtocolAppointDPPOCby6/22/078SolBermann
ChiefPrivacyOfficer,J.D.,CIPP(614)995-9928Questions?9RickShipleyAdministratorRiskManagementServicesImplementation10PrivacyandSecurityPrivacy&SecurityareflipsidesofacoinPrivacy=policies,rules&lawssurroundingdatausageSecurity=implementationofprotectionthatenforcesthepolicies,rules&laws11RoleofAgencyCIOHelpOverseeAgencyComplianceExecutiveOrder2007–013SPrivacy,confidentiality,security,disclosure,andsharingofinformationProvidedirectionandoverseeactivitiesDevelopandoverseetheimplementationofpolicies,principles,standards,andguidelines12RoleofDPPOCHelpwithExecutiveorderPolicyComplianceReporting2(c)PrivacyImpactAssessmentImplementation2(e)DataEncryptionProtocolImplementationReport2(f)Adviseorsupportdepartmentalmanagementonbusinessandpolicyissuesrelatingtoprivacy,informationassurance,andsecurityUnderstandthedatatheagencyhasandhowtheagencyusesthedataSensitivedataclassificationWorkwithinandacrossbusinessunits13WhoIsTheDPPOC?NeedpeoplethatunderstandthedatatheagencyhashowtheagencyusesthedataunderstandtheconceptofdataclassificationabilitytoworkwithinandacrossbusinessunitsDoesnothavetobeCIOortechnicalsecuritypeopleCouldbeDataManagersLegalHR14RiskManagementServicesStatewideInitiatives:Networkvulnerabilityassessments,cybersecurityworkshops,andcrisismanagement
ActsasStatewideincidentresponsecoordinatorforsecurityincidents(ITP-B.7)OITInitiatives:Policies,procedures,standards,ITplanning,networkvulnerabilityassessments,compliancemonitoring(auditing),ITriskmanagement,businesscontinuityplanning,disasterrecovery,servicelevelagreements,andcrisismanagement
15E.O.ITSecurityComplianceReportCompliancecheckliststoevaluateindetailyouragency’scompliancewithOhioITSecurityPoliciesCompleteddocumenttotheChiefPrivacyOfficerbycloseofbusinessonAugust14,2007()16E.O.PrivacyImpactAssessmentDatamapping-understandingdataagencyhasthatmightbesubjectedtoprivacyanddataclassificationconcernsPrivacyImpactAssessment-anassessmentfocusingontheimpactifthespecificdataisbreachedandhowitwouldaffectagencyTwoprimaryinputstothisphaseistheOITStatewidePolicyfordataclassificationandOhioHB104.Inaddition,bestpracticesfordataprotectionwillbeconsidered.Remediationeffortestimate-anestimatetogetallofthedataintoastandardizedprotectionmodelGapanalysisandtoolrecommendation-identificationofwhattheareasofimprovementareforagencyandarecommendationofsometoolsthatwillassistwithmeetingthatdifferenceLeadstothecreationofreplicableprocessesforAgenciestointernallyperformPIAfuncations17RickShipley
AdministratorRiskManagementServices(614)995-7632Questions?18DougAltStateITPolicyManagerStateofOhio
ITSecurityPolicies19ExecutiveOrder2007–013S
“ImprovingStateAgencyDataPrivacyandSecurity〞 AllagencydirectorsarerequiredtoreviewandbeginupdatingexistinginformationtechnologysecuritypoliciesandpracticestomakesurethattheycomplywiththecurrentstatewideOfficeofInformationTechnologysecuritypolicies.Withinsixtydays,theDataPrivacyPointofContact(DPPOC)ateachagencyistoprovideareporttotheChiefPrivacyOfficerdetailingthestateofcomplianceattheirrespectiveagenciesandthestepsandtimenecessarytoachievecompliance.20StateITSecurityRelatedPoliciesITP-B.1InformationSecurity FrameworkITP-B.2BoundarySecurityITP-B.3Password&PINSecurityITP-B.4MaliciousCodeSecurityITP-B.5RemoteAccessSecurityITP-B.6InternetSecurityITP-B.7SecurityIncidentResponseITP-B.8SecurityEducationandAwarenessITP-B.9PortableComputingSecurityITP-B.10SecurityNotificationsITP-B.11DataClassificationITP-B.12IntrusionPreventionandDetectionITP-E.1Disposal,ServicingandTransferofITEquipmentITP-E.7BusinessResumptionPlanningITP-E.8UseofInternet,E-mailandOtherITResourcesITP-E.30ElectronicRecords21StateITSecurityPoliciesITP-B.1,InformationSecurityFramework:EstablishesafoundationonwhichyourcurrentandfutureITsecuritystrategy,policies,andpracticesaredeveloped,governedandadministered.Establisharisk-basedfoundationfromwhichtobuildsecurityprogramsBasesecuritydecisionsuponriskassessmentsAddressthebasicsecurityelementsofconfidentiality,integrityandavailabilityinallsecuritypolicies,plansandproceduresKeyTakeaway:Haveasecuritymanagementplaninplaceandreviewit,updateit,andauditagainstitregularly.22StateITSecurityPoliciesITP-B.2,BoundarySecurity:
Guidelinesfordesigning,implementinganddeployingarobustnetworkperimeterdefensecapability.PutsafeguardsinplacetoprotectstateinformationandsystemassetsLimitaccesspointsProvidemorerobustauthenticationforaccesstosensitiveinformationKeyTakeaway:Allowauthorizedtrafficanddenyeverythingelse.23StateITSecurityPoliciesITP-B.3,PasswordandPersonalIdentificationNumberSecurity:
Minimumrequirementsfortheselection,useandmanagementofpasswordsandpersonalidentificationnumbers.PasswordstrategydrivenbyriskassessmentRequiremorecomplexpasswordsformoresensitiveinformationAuthenticationisacriticalelementtodataprotectionKeyTakeaway:PasswordandPINstructuresmustcomplimenttheconfidentialityand criticalityofthedatatheyaresecuring.24StateITSecurityPoliciesITP-B.4,MaliciousCodeSecurity:
Guidelinesfortheimplementationandoperationofamaliciouscodesecurityprogram.MaliciousCodeisthemostcommontypeofattackState-controlledinformationsystemsmustbeprotectedfromtheintroductionofmaliciouscodeAllsystemassetsneedtobecheckedregularlyformaliciouscodeUsersneedtobeawareofmaliciouscoderisksKeyTakeaway:Ensureanti-virussoftwareisinstalledonalldevicesauthorizedfor stateuseandinstallanysecuritypatchesimmediately.25StateITSecurityPoliciesITP-B.5,RemoteAccessSecurity:Assistsinthedevelopment,implementationandoperationofsecuritymeasuresgoverningremoteaccesstostatesystems.ConvenientandpopularwaytoaccomplishworkbutintroducesincreasedriskforstatesystemsAdditionalaccesspointsneedtobesecuredAuthenticateallremoteusersEncrypttransmittedpasswordsKeyTakeaway:Remoteaccessshouldbegrantedfollowingtheconceptofleast- privilege.26StateITSecurityPoliciesITP-B.6,InternetSecurity:SecurityrequirementsfortheuseofandconnectivitytotheInternet.InternetisavaluableresourcebutintroducesrisksInternetconnectionsneedtobesecureInternetresourcemustbeusedresponsiblyKeyTakeaway:EducateusersonappropriateandinappropriateusesoftheInternet. Preventbehaviorthatmayputsystemsandinformationatrisk.27StateITSecurityPoliciesITP-B.7,SecurityIncidentResponse:DevelopandmaintainanadequateresponsecapabilityforITrelatedsecurityincidents.RecentsecurityincidentsdemonstrateneedforincidentresponsecapabilityContinuousreviewandupdateofincidentresponseproceduresiscriticalIncidentreportingassistsresponseandcontainmenteffortsKeyTakeaway:Ensureyouragencyisreadytorespondandrolesand responsibilitiesareclearlydefined.28StateITSecurityPoliciesITP-B.8,SecurityEducationandAwareness:DevelopITsecurityeducationandawarenessprogramsforemployeesandotheragentsofthestate.RecentsecurityincidentsdemonstratetheneedforgeneralsecurityeducationandawarenessPersonnelneedtounderstandhowsecuritymeasuresalignwithbusinessobjectivesKeyTakeaway:Providegeneralinformationtechnologysecurityeducationaspartofnewemployeeandnewcontractororientation.29StateITSecurityPoliciesITP-B.9,PortableComputingSecurity:
Addressestheinformationtechnologysecurityconcernsofportablecomputingdevicesandprovidesguidelinesfortheiruse,managementandcontrol.PortablecomputingsecurityisacriticalareaasillustratedbyrecentsecurityincidentsDeliberatemanagementdecisionsneedtomadeastouseandsupportDeliberatedecisionsneedtobemadeastoprivately-owneddevicesSensitiveinformationneedstobeappropriatelysecuredManagementcontrolsneedtoensureportabledevicesarereclaimedfromseparatedemployeesandthatstateinformationandsoftwareisremovedfromprivately-owneddevicesKeyTakeaway:Ifportablecomputingisallowed,youragencyneedstobepreparedfor thesecuritydemandsandhaveaprocedureinplacetorespondtolostor stolendevices.30StateITSecurityPoliciesITP-B.10,SecurityNotifications:Deploysecuritynotificationsthatservetoinformusersoftheirduty,limitationsonuse,legalrequirementsandpersonalprivacyexpectations.SecuritynotificationscanassistinthesuccessfulcriminalprosecutionofviolatorsNotificationsprovidetheopportunitytodisclosethepotentiallegalimplicationsofunauthorizedaccess,informationmisuse,datalossandcorruptionKeyTakeaway:Besuretoinvolvelegalcounselinthedevelopmentofsecuritynotifications.31StateITSecurityPolicies
ITP-B.11,DataClassification:Providesahigh-leveldataclassificationmethodologyforproperlyidentifyingandlabelingdataandinformation
assets.RecentsecurityincidentsdemonstratetheimportanceofeffectivelyprotectingdataaccordingtoitsriskDatasecurityisdrivenbyassignedlevelsofconfidentialityandcriticalityLabeldatainaccordancewithanylegalrequirementsKeyTakeaway:Implementadataclassificationmethodologytoclassifydataand employtheappropriatesecurityandaccessrights.32StateITSecurityPoliciesITP-B.12,IntrusionPreventionandDetection:Identifyandcreatean
intrusionpreventionand
detectioncapabilitythatwillallowforthedetectionandresponsetounauthorizeduseoforattackuponastatecomputernetworkortelecommunicationssystem.EssentialtoprotectingmissioncriticalresourcesIntrusionpreventionshouldbeimplementedtoblockunauthorizeduseorattacksIntrusiondetectionshouldbeusedtodetectunauthorizeduseorattacksKeyTakeaway:
Developavettingprocessforpersonnelunderconsiderationforpositionsofoperationalresponsibilityforyourintrusionpreventionanddetectioncapabilities.33StateITSecurityRelatedPoliciesITP-E.1,Disposal,ServicingandTransferofITEquipment: Mitigaterisksassociatedwiththedisposal,servicingandtransferofITequipment.
DatastoredonITequipmentcanberecoveredifnotappropriatelysecuredorremovedITequipmentneedstobeproperlysanitizedorencryptedpriortoreleaseInformationstoredonITequipmentdictatesthemethodusedtoprotectorremovedataKeyTakeaway:BeforeITequipmentisreleasedfromyouragency,ensurethat sensitiveinformationissanitized.34StateITSecurityRelatedPoliciesITP-E.7,BusinessResumptionPlanning: Developabusinessresumptionplanthataddressesemergencyresponse,backupandrecoveryactions.HurricaneKatrinadevastatednearly90,000squaremiles74percentofrespondentstoaNetworkComputingreaderpollsaidtheytakesnapshotsofcriticaldataonlyoncedaily,and 64percentstoreprotecteddatalessthan30milesfromprimarysitesKeyTakeaway:Youragencyshouldhaveabusinessresumptionplaninplacethatis updatedandtestedregularlyandwillensuremissioncriticalservices arerecoveredassoonaspossible.35StateITSecurityRelatedPoliciesITP-E.8,UseofInternet,E-mailandOtherITResources: Establishcontrolsontheuseofstate-providedIT resourcestoensuretheyareappropriatelyusedforthe purposesforwhichtheywereacquired.MisuseofcomputerresourcescanposeaserioussecurityrisktothestateProhibitsexuallyexplicitmaterials,operatingabusiness,gambling,datingservices,chatrooms,blogging,chainlettersKeyTakeaway:Ensurerestrictionsonpersonaluseareclearlycommunicatedto employeesandcontractors,andexplaintherationaleforprohibitingcertaintypesofactivities.36StateITSecurityRelatedPoliciesITP-E.30,ElectronicRecords:Uniformelectronicrecordsguidelines
Electronicrecordsneedtobesecuredtomaintaintheirintegrity,usability,andsurvivabilityTherequirementsofpublicrecordslawandretentionneedtobeconsideredwhenmaintainingelectronicrecordsKeyTakeaway:Electronicrecordsshouldbecreatedandmaintainedinreliable systemsconsistentwiththeirrespectiveretentionschedules.37ITSecurityFocusAreasPortableDevicesPersonalUseAccessPrivilegesContractorsDisposal,TransferandServicingofITEquipmentEducationandTraining38FocusArea:PortableDevices
Makeadeliberatedecisionaboutwhetherornotportabledevicesarepermittedaswellasprivately-ownedportabledevicesDetermineextenttowhichportabledeviceswillbesupportedConstructprocedureforrespondingtoincidentsoflostorstolenportabledevicesEnsurethatifportabledevicesareallowed,dataondevicesisclassifiedandsecuredaccordinglyImplementamanagementprocessthatwillensurethatportabledevicesarere-claimedafterservicelifeorinthecaseofprivately-owneddevicesthedataisrecovered,deletedoroverwrittenasappropriateProhibittheuncontrolleduseofsensitiveinformationonprivatelyowneddevicesofemployeesandcontractorsInstallfirewallandvirusprotectiononportabledevices39MakedeliberatedecisionsaboutpersonaluseandwhetheritwillbepermittedinyouragenciesRecognizetheriskspresentedbycertaintypesofpersonaluseandaddressthroughsecurityandprohibitionsonuseEducateemployeesonprohibitedactivitiesandthereasonswhytheyareprohibitedDocumentapersonalusepolicyanddistributetoemployeesIncludepersonalusepolicyawarenessaspartofnewemployeeandnewcontractororientationFocusArea:PersonalUse
40EnsureallusersareproperlyvettedinaccordancewiththeinformationtheywillhavepermissiontoaccessSensitiveinformationaccessshouldrequirethoroughvettingbeforeaccessisgrantedEstablishrulesconcerningwhichfilesandwhichusersareeligiblefortheuseandstorageofsensitiveinformationonmobiledevicesandmediaImplementsafeguardssuchasaccesslogs,passwords,encryption,biometrics,time-outs,and/orautomaticdatadeletionforportabledevicescontainingsensitivedataFocusArea:AccessPrivileges
41MakedeliberatedecisionsaboutthepermitteduseofcontractorequipmentforstatepurposesIfcontractorequipmentisused,ensureitisconfiguredaccordingtoyouragency’srequirementsRequirecontractorstoabidebystateandagencysecuritypoliciesandpracticesasaconditionofperformanceEnsurestateinformationandsoftwareisrecoveredfromanycontractor-ownedequipmentatthetimeofseparationEnsurethatdataaccessrequirementsareincorporatedintocontractorservicelevelagreementsandcontracttermsandconditionsastheyrelatetoclassifieddataAddressdataownershipissuesMakedeliberatedecisionsaboutoffshorecontractormanagementandaccessofsensitivedataFocusArea:Contractors
42EnsuremanagementcontrolsexisttoreclaimITequipmentfromstateemployeeswhentheyareseparatedfromemploymentIftheuseofprivately-owneddevicesispermitted,thencontrolsneedtoexisttorecoverinformationandsoftwarefromthedeviceswhentheuserisseparatedfromstateserviceEnsurethatdataisscrubbedfromalldevicestakenoutofstateserviceProtectsensitivedatafromexposureifequipmentistemporarilytransferredFocusArea:Disposal,Servicingand
TransferofITEquipment
43ITSecurityPolicySupport
SecurityPolicyAuditChecklists(incorporatedintoSecurityComplianceReport)ComingSoon…SecurityPolicyEducationalWhitePapers(sampleprovidedforITP-B.2)
SecurityPolicyTips(sampleprovidedforITP-B.2)SecurityPolicyResourceGuide
(sampleprovidedforITP-B.2)
Documentswillbeavailableat:
44SecurityPolicyAuditChecklists
ComplianceAmIcompliant?TheSelf-audit.NextSteps
TheActionPlan.45SecurityPolicyEducational
WhitePapers
TheImplementer’sPerspectiveWhatmoredoIneedtoknow?WheredoIgoformoreinformation?46SecurityPolicyTips
TheSubjectMatterExpertWhatarethekeydo’sanddon’tsofimplementation?47SecurityPolicyResourceGuide
TheUserPerspectiveWhy?What’smyrole?Whataremyresponsibilities?WheredoIgoformoreinformation?48SecuringYourSystem…
ABasicPhilosophyThereisno“SilverBullet〞forsecuringsystems.Threecomponentsforsuccess:PeopleProcessesTechnologyIt’saboutRiskManagementSAIC“WhySecurityPolicy〞Presentation,June19,200149StatewideITPolicyContactInformation
Telephone: 614-644-9352
Facsimile: 614-644-9152
E-mail:
StateofOhioITPolicyisAvailableat::///itp50DougAltStateITPolicyManager(614)466-5083Questions?51SamOrthEnterpriseArchitecture&StandardsManagerStateofOhio
ITDataEncryptionStandard
DevelopmentOverview&Status52ExecutiveOrder2007-013S3ComponentsofEncryptionGoalsoftheStandardResearchApproachStandardsDevelopmentApproach–MOAResearchSynopsisStandardsCandidatesDataEncryptionRequirements&ImplementationNextStepsQuestionsOverview53ExecutiveOrder2007-013S
ImprovingStateAgencyDataPrivacy&SecurityAugust29,2007November12,2007Withinseventy-fivedays,TheChiefPrivacyOfficershalldevelopadataencryptionprotocolthatestablishesthedatathatshouldbemaintainedinencryptedform(likesocialsecuritynumbersorfinancialaccountinformation),thecircumstancesinwhichsuchdatashouldbeencrypted(likedatakeptonalaptoporotherportabledevice),andtheencryptionstrengthandstandardtobeutilized.Withinseventy-fivedaysthereafter,theDPPOCateachagencyshallprovideareporttotheChiefPrivacyOfficerdetailingthestepsandtimenecessarytoimplementthedataencryptionprotocol.543ComponentsofEncryptionCipher–encryption/decryptionalgorithmBlockStreamKey–expressedinbitsSymmetricSharedSecret(PrivateKey)AsymmetricPublic/PrivateKeyDigitalSignaturesKeyManagementSelecting,distributingandstoringkeys55GoalsoftheStandard(Principles)Common,durable,doesn’tfrequentlychangeSupportsawidevarietyofsystems,components,architectures,technologiesCanbeusedacrossstategovernmentOneSizeFitsMost–’80/20rule’AgencyACoreAgencyCAgencyBCommonUnique56ResearchApproachFederalGovIndustryResearchGartnerAgencyPracticeITVendorsOtherStatesStandardsCandidates57StandardsDevelopmentApproach
MOABusinessApplicationsTechnologySolutionsStandardsDisasterRecoveryBusinessMobilityPersonalProductivityInformationAccessDataNetworksMobileTechnologiesApplicationsStorageTechnologiesStandardsCandidates}CipherKeySizeCipherKeySize“Brick”=StandardNear-termFocusPatterns=UseCasesInitialFocus58
Utimaco
Safeware
CredantTechnologies
Pointsec
SafeBootGartnerMobileDataProtectionLeaders*GartnerResearchIDNumber:G00141980PhysicalPattern:BusinessMobilityTPMAES128bitNTFSWinXPMobile
Encryption
Software
SuiteProcurementOpportunitiesEnterpriseLicenseAgreementsStateTermSchedulesCommunitiesOfInterestSharingofBestPracticesDocumentationTraining}StandardsDevelopmentApproach
MOABusinessApplicationsTechnologySolutionsStandardsDisasterRecoveryBusinessMobilityPersonalProductivityInformationAccessDataNetworksMobileTechnologiesApplicationsStorageTechnologiesCipherKeySizeCipherKeySizeNear-termFocusPatterns=UseCasesMobileEncryptionRemovableStorage59ResearchSynopsis32OtherStates13standardsissuedorrevisedsince200617requireorrecommendAES/TDESorNISTFIPSstandards7explici
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 聚丙烯酰胺装置操作工岗中理论综合考核试卷含答案
- 玉米收获机操作工激励考核试卷含答案
- 灯具零部件制造工安全生产知识评优考核试卷含答案
- 高海拔宇宙线观测站LHAASO之KM2A电子学批量测试平台关键技术与应用研究
- 高气压环境下脉冲MIG焊脉冲波形对电弧的影响及其控制
- 高校跨学科学术组织激励的困境剖析与路径重构
- 高校数字化转型下大学生综合评测系统的设计与实现-以具体高校为例
- 高校心理危与机:大学生心理危机应对体系的构建与突破
- 高校后勤实体归属性与人力资源配置的协同发展研究
- 高校人力资源配置机制创新研究
- 2025年执业医师考试(临床执业医师)试题及答案
- 医学静脉疗法考试试卷集
- 道路勘测设计说课课件
- T-CAWABJ 002-2025 疗愈犬服务标准
- DB13-T2342-2016-商业物业管理服务规范-河北省
- 行业标准立项答辩
- DBJ45 024-2016 岩溶地区建筑地基基础技术规范
- 第十三届全国黄金行业职业技能竞赛(首饰设计师赛项)考试题库(含答案)
- 城市道路养护与管理北京城市道路养护管理中心
- GB/T 24820-2024实验室家具通用技术条件
- 精神病学智慧树知到期末考试答案章节答案2024年齐鲁医药学院
评论
0/150
提交评论