DataPrivacyPointofContactOrientationSession接触定位会话数据隐私的角度_第1页
DataPrivacyPointofContactOrientationSession接触定位会话数据隐私的角度_第2页
DataPrivacyPointofContactOrientationSession接触定位会话数据隐私的角度_第3页
DataPrivacyPointofContactOrientationSession接触定位会话数据隐私的角度_第4页
DataPrivacyPointofContactOrientationSession接触定位会话数据隐私的角度_第5页
已阅读5页,还剩64页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

DataPrivacy

PointofContactOrientationSession1AgendaIntroduction SolBermann ExecutiveOrder SolBermannRoleofCIO,DPPOC RickShipleyOhioITSecurityPolicies DougAltEncryptionProtocol SamOrthAcquisition TomHartQandA Closing SolBermann2SolBermann

ChiefPrivacyOfficer,J.D.,CIPP

StateofOhioITSecurity3IntroductionUpdateonSecurityBreachStateResponse/ExecutiveOrderDataPrivacyPointofContacts4SolBermann

ChiefPrivacyOfficer,J.D.,CIPP

ExecutiveOrder2007-13SImprovingStateAgencyDataPrivacyandSecurity5WhichAgencies?MandatoryAllCabinetLevelAgenciesVoluntaryNon-CabinetLevelAgencies,BoardsandCommissions6ChiefPrivacyOfficerPrivacyImpactAssessmentProtocolby8/29/07DataEncryptionProtocolby8/29/077MandatoryAgenciesSecurityPolicyComplianceReportby8/14/07PrivacyImpactAssessmentImplementationby8/29/07Developplanby11/12/07forimplementingtheEncryptionProtocolAppointDPPOCby6/22/078SolBermann

ChiefPrivacyOfficer,J.D.,CIPP(614)995-9928Questions?9RickShipleyAdministratorRiskManagementServicesImplementation10PrivacyandSecurityPrivacy&SecurityareflipsidesofacoinPrivacy=policies,rules&lawssurroundingdatausageSecurity=implementationofprotectionthatenforcesthepolicies,rules&laws11RoleofAgencyCIOHelpOverseeAgencyComplianceExecutiveOrder2007–013SPrivacy,confidentiality,security,disclosure,andsharingofinformationProvidedirectionandoverseeactivitiesDevelopandoverseetheimplementationofpolicies,principles,standards,andguidelines12RoleofDPPOCHelpwithExecutiveorderPolicyComplianceReporting2(c)PrivacyImpactAssessmentImplementation2(e)DataEncryptionProtocolImplementationReport2(f)Adviseorsupportdepartmentalmanagementonbusinessandpolicyissuesrelatingtoprivacy,informationassurance,andsecurityUnderstandthedatatheagencyhasandhowtheagencyusesthedataSensitivedataclassificationWorkwithinandacrossbusinessunits13WhoIsTheDPPOC?NeedpeoplethatunderstandthedatatheagencyhashowtheagencyusesthedataunderstandtheconceptofdataclassificationabilitytoworkwithinandacrossbusinessunitsDoesnothavetobeCIOortechnicalsecuritypeopleCouldbeDataManagersLegalHR14RiskManagementServicesStatewideInitiatives:Networkvulnerabilityassessments,cybersecurityworkshops,andcrisismanagement

ActsasStatewideincidentresponsecoordinatorforsecurityincidents(ITP-B.7)OITInitiatives:Policies,procedures,standards,ITplanning,networkvulnerabilityassessments,compliancemonitoring(auditing),ITriskmanagement,businesscontinuityplanning,disasterrecovery,servicelevelagreements,andcrisismanagement

15E.O.ITSecurityComplianceReportCompliancecheckliststoevaluateindetailyouragency’scompliancewithOhioITSecurityPoliciesCompleteddocumenttotheChiefPrivacyOfficerbycloseofbusinessonAugust14,2007()16E.O.PrivacyImpactAssessmentDatamapping-understandingdataagencyhasthatmightbesubjectedtoprivacyanddataclassificationconcernsPrivacyImpactAssessment-anassessmentfocusingontheimpactifthespecificdataisbreachedandhowitwouldaffectagencyTwoprimaryinputstothisphaseistheOITStatewidePolicyfordataclassificationandOhioHB104.Inaddition,bestpracticesfordataprotectionwillbeconsidered.Remediationeffortestimate-anestimatetogetallofthedataintoastandardizedprotectionmodelGapanalysisandtoolrecommendation-identificationofwhattheareasofimprovementareforagencyandarecommendationofsometoolsthatwillassistwithmeetingthatdifferenceLeadstothecreationofreplicableprocessesforAgenciestointernallyperformPIAfuncations17RickShipley

AdministratorRiskManagementServices(614)995-7632Questions?18DougAltStateITPolicyManagerStateofOhio

ITSecurityPolicies19ExecutiveOrder2007–013S

“ImprovingStateAgencyDataPrivacyandSecurity〞 AllagencydirectorsarerequiredtoreviewandbeginupdatingexistinginformationtechnologysecuritypoliciesandpracticestomakesurethattheycomplywiththecurrentstatewideOfficeofInformationTechnologysecuritypolicies.Withinsixtydays,theDataPrivacyPointofContact(DPPOC)ateachagencyistoprovideareporttotheChiefPrivacyOfficerdetailingthestateofcomplianceattheirrespectiveagenciesandthestepsandtimenecessarytoachievecompliance.20StateITSecurityRelatedPoliciesITP-B.1InformationSecurity FrameworkITP-B.2BoundarySecurityITP-B.3Password&PINSecurityITP-B.4MaliciousCodeSecurityITP-B.5RemoteAccessSecurityITP-B.6InternetSecurityITP-B.7SecurityIncidentResponseITP-B.8SecurityEducationandAwarenessITP-B.9PortableComputingSecurityITP-B.10SecurityNotificationsITP-B.11DataClassificationITP-B.12IntrusionPreventionandDetectionITP-E.1Disposal,ServicingandTransferofITEquipmentITP-E.7BusinessResumptionPlanningITP-E.8UseofInternet,E-mailandOtherITResourcesITP-E.30ElectronicRecords21StateITSecurityPoliciesITP-B.1,InformationSecurityFramework:EstablishesafoundationonwhichyourcurrentandfutureITsecuritystrategy,policies,andpracticesaredeveloped,governedandadministered.Establisharisk-basedfoundationfromwhichtobuildsecurityprogramsBasesecuritydecisionsuponriskassessmentsAddressthebasicsecurityelementsofconfidentiality,integrityandavailabilityinallsecuritypolicies,plansandproceduresKeyTakeaway:Haveasecuritymanagementplaninplaceandreviewit,updateit,andauditagainstitregularly.22StateITSecurityPoliciesITP-B.2,BoundarySecurity:

Guidelinesfordesigning,implementinganddeployingarobustnetworkperimeterdefensecapability.PutsafeguardsinplacetoprotectstateinformationandsystemassetsLimitaccesspointsProvidemorerobustauthenticationforaccesstosensitiveinformationKeyTakeaway:Allowauthorizedtrafficanddenyeverythingelse.23StateITSecurityPoliciesITP-B.3,PasswordandPersonalIdentificationNumberSecurity:

Minimumrequirementsfortheselection,useandmanagementofpasswordsandpersonalidentificationnumbers.PasswordstrategydrivenbyriskassessmentRequiremorecomplexpasswordsformoresensitiveinformationAuthenticationisacriticalelementtodataprotectionKeyTakeaway:PasswordandPINstructuresmustcomplimenttheconfidentialityand criticalityofthedatatheyaresecuring.24StateITSecurityPoliciesITP-B.4,MaliciousCodeSecurity:

Guidelinesfortheimplementationandoperationofamaliciouscodesecurityprogram.MaliciousCodeisthemostcommontypeofattackState-controlledinformationsystemsmustbeprotectedfromtheintroductionofmaliciouscodeAllsystemassetsneedtobecheckedregularlyformaliciouscodeUsersneedtobeawareofmaliciouscoderisksKeyTakeaway:Ensureanti-virussoftwareisinstalledonalldevicesauthorizedfor stateuseandinstallanysecuritypatchesimmediately.25StateITSecurityPoliciesITP-B.5,RemoteAccessSecurity:Assistsinthedevelopment,implementationandoperationofsecuritymeasuresgoverningremoteaccesstostatesystems.ConvenientandpopularwaytoaccomplishworkbutintroducesincreasedriskforstatesystemsAdditionalaccesspointsneedtobesecuredAuthenticateallremoteusersEncrypttransmittedpasswordsKeyTakeaway:Remoteaccessshouldbegrantedfollowingtheconceptofleast- privilege.26StateITSecurityPoliciesITP-B.6,InternetSecurity:SecurityrequirementsfortheuseofandconnectivitytotheInternet.InternetisavaluableresourcebutintroducesrisksInternetconnectionsneedtobesecureInternetresourcemustbeusedresponsiblyKeyTakeaway:EducateusersonappropriateandinappropriateusesoftheInternet. Preventbehaviorthatmayputsystemsandinformationatrisk.27StateITSecurityPoliciesITP-B.7,SecurityIncidentResponse:DevelopandmaintainanadequateresponsecapabilityforITrelatedsecurityincidents.RecentsecurityincidentsdemonstrateneedforincidentresponsecapabilityContinuousreviewandupdateofincidentresponseproceduresiscriticalIncidentreportingassistsresponseandcontainmenteffortsKeyTakeaway:Ensureyouragencyisreadytorespondandrolesand responsibilitiesareclearlydefined.28StateITSecurityPoliciesITP-B.8,SecurityEducationandAwareness:DevelopITsecurityeducationandawarenessprogramsforemployeesandotheragentsofthestate.RecentsecurityincidentsdemonstratetheneedforgeneralsecurityeducationandawarenessPersonnelneedtounderstandhowsecuritymeasuresalignwithbusinessobjectivesKeyTakeaway:Providegeneralinformationtechnologysecurityeducationaspartofnewemployeeandnewcontractororientation.29StateITSecurityPoliciesITP-B.9,PortableComputingSecurity:

Addressestheinformationtechnologysecurityconcernsofportablecomputingdevicesandprovidesguidelinesfortheiruse,managementandcontrol.PortablecomputingsecurityisacriticalareaasillustratedbyrecentsecurityincidentsDeliberatemanagementdecisionsneedtomadeastouseandsupportDeliberatedecisionsneedtobemadeastoprivately-owneddevicesSensitiveinformationneedstobeappropriatelysecuredManagementcontrolsneedtoensureportabledevicesarereclaimedfromseparatedemployeesandthatstateinformationandsoftwareisremovedfromprivately-owneddevicesKeyTakeaway:Ifportablecomputingisallowed,youragencyneedstobepreparedfor thesecuritydemandsandhaveaprocedureinplacetorespondtolostor stolendevices.30StateITSecurityPoliciesITP-B.10,SecurityNotifications:Deploysecuritynotificationsthatservetoinformusersoftheirduty,limitationsonuse,legalrequirementsandpersonalprivacyexpectations.SecuritynotificationscanassistinthesuccessfulcriminalprosecutionofviolatorsNotificationsprovidetheopportunitytodisclosethepotentiallegalimplicationsofunauthorizedaccess,informationmisuse,datalossandcorruptionKeyTakeaway:Besuretoinvolvelegalcounselinthedevelopmentofsecuritynotifications.31StateITSecurityPolicies

ITP-B.11,DataClassification:Providesahigh-leveldataclassificationmethodologyforproperlyidentifyingandlabelingdataandinformation

assets.RecentsecurityincidentsdemonstratetheimportanceofeffectivelyprotectingdataaccordingtoitsriskDatasecurityisdrivenbyassignedlevelsofconfidentialityandcriticalityLabeldatainaccordancewithanylegalrequirementsKeyTakeaway:Implementadataclassificationmethodologytoclassifydataand employtheappropriatesecurityandaccessrights.32StateITSecurityPoliciesITP-B.12,IntrusionPreventionandDetection:Identifyandcreatean

intrusionpreventionand

detectioncapabilitythatwillallowforthedetectionandresponsetounauthorizeduseoforattackuponastatecomputernetworkortelecommunicationssystem.EssentialtoprotectingmissioncriticalresourcesIntrusionpreventionshouldbeimplementedtoblockunauthorizeduseorattacksIntrusiondetectionshouldbeusedtodetectunauthorizeduseorattacksKeyTakeaway:

Developavettingprocessforpersonnelunderconsiderationforpositionsofoperationalresponsibilityforyourintrusionpreventionanddetectioncapabilities.33StateITSecurityRelatedPoliciesITP-E.1,Disposal,ServicingandTransferofITEquipment: Mitigaterisksassociatedwiththedisposal,servicingandtransferofITequipment.

DatastoredonITequipmentcanberecoveredifnotappropriatelysecuredorremovedITequipmentneedstobeproperlysanitizedorencryptedpriortoreleaseInformationstoredonITequipmentdictatesthemethodusedtoprotectorremovedataKeyTakeaway:BeforeITequipmentisreleasedfromyouragency,ensurethat sensitiveinformationissanitized.34StateITSecurityRelatedPoliciesITP-E.7,BusinessResumptionPlanning: Developabusinessresumptionplanthataddressesemergencyresponse,backupandrecoveryactions.HurricaneKatrinadevastatednearly90,000squaremiles74percentofrespondentstoaNetworkComputingreaderpollsaidtheytakesnapshotsofcriticaldataonlyoncedaily,and 64percentstoreprotecteddatalessthan30milesfromprimarysitesKeyTakeaway:Youragencyshouldhaveabusinessresumptionplaninplacethatis updatedandtestedregularlyandwillensuremissioncriticalservices arerecoveredassoonaspossible.35StateITSecurityRelatedPoliciesITP-E.8,UseofInternet,E-mailandOtherITResources: Establishcontrolsontheuseofstate-providedIT resourcestoensuretheyareappropriatelyusedforthe purposesforwhichtheywereacquired.MisuseofcomputerresourcescanposeaserioussecurityrisktothestateProhibitsexuallyexplicitmaterials,operatingabusiness,gambling,datingservices,chatrooms,blogging,chainlettersKeyTakeaway:Ensurerestrictionsonpersonaluseareclearlycommunicatedto employeesandcontractors,andexplaintherationaleforprohibitingcertaintypesofactivities.36StateITSecurityRelatedPoliciesITP-E.30,ElectronicRecords:Uniformelectronicrecordsguidelines

Electronicrecordsneedtobesecuredtomaintaintheirintegrity,usability,andsurvivabilityTherequirementsofpublicrecordslawandretentionneedtobeconsideredwhenmaintainingelectronicrecordsKeyTakeaway:Electronicrecordsshouldbecreatedandmaintainedinreliable systemsconsistentwiththeirrespectiveretentionschedules.37ITSecurityFocusAreasPortableDevicesPersonalUseAccessPrivilegesContractorsDisposal,TransferandServicingofITEquipmentEducationandTraining38FocusArea:PortableDevices

Makeadeliberatedecisionaboutwhetherornotportabledevicesarepermittedaswellasprivately-ownedportabledevicesDetermineextenttowhichportabledeviceswillbesupportedConstructprocedureforrespondingtoincidentsoflostorstolenportabledevicesEnsurethatifportabledevicesareallowed,dataondevicesisclassifiedandsecuredaccordinglyImplementamanagementprocessthatwillensurethatportabledevicesarere-claimedafterservicelifeorinthecaseofprivately-owneddevicesthedataisrecovered,deletedoroverwrittenasappropriateProhibittheuncontrolleduseofsensitiveinformationonprivatelyowneddevicesofemployeesandcontractorsInstallfirewallandvirusprotectiononportabledevices39MakedeliberatedecisionsaboutpersonaluseandwhetheritwillbepermittedinyouragenciesRecognizetheriskspresentedbycertaintypesofpersonaluseandaddressthroughsecurityandprohibitionsonuseEducateemployeesonprohibitedactivitiesandthereasonswhytheyareprohibitedDocumentapersonalusepolicyanddistributetoemployeesIncludepersonalusepolicyawarenessaspartofnewemployeeandnewcontractororientationFocusArea:PersonalUse

40EnsureallusersareproperlyvettedinaccordancewiththeinformationtheywillhavepermissiontoaccessSensitiveinformationaccessshouldrequirethoroughvettingbeforeaccessisgrantedEstablishrulesconcerningwhichfilesandwhichusersareeligiblefortheuseandstorageofsensitiveinformationonmobiledevicesandmediaImplementsafeguardssuchasaccesslogs,passwords,encryption,biometrics,time-outs,and/orautomaticdatadeletionforportabledevicescontainingsensitivedataFocusArea:AccessPrivileges

41MakedeliberatedecisionsaboutthepermitteduseofcontractorequipmentforstatepurposesIfcontractorequipmentisused,ensureitisconfiguredaccordingtoyouragency’srequirementsRequirecontractorstoabidebystateandagencysecuritypoliciesandpracticesasaconditionofperformanceEnsurestateinformationandsoftwareisrecoveredfromanycontractor-ownedequipmentatthetimeofseparationEnsurethatdataaccessrequirementsareincorporatedintocontractorservicelevelagreementsandcontracttermsandconditionsastheyrelatetoclassifieddataAddressdataownershipissuesMakedeliberatedecisionsaboutoffshorecontractormanagementandaccessofsensitivedataFocusArea:Contractors

42EnsuremanagementcontrolsexisttoreclaimITequipmentfromstateemployeeswhentheyareseparatedfromemploymentIftheuseofprivately-owneddevicesispermitted,thencontrolsneedtoexisttorecoverinformationandsoftwarefromthedeviceswhentheuserisseparatedfromstateserviceEnsurethatdataisscrubbedfromalldevicestakenoutofstateserviceProtectsensitivedatafromexposureifequipmentistemporarilytransferredFocusArea:Disposal,Servicingand

TransferofITEquipment

43ITSecurityPolicySupport

SecurityPolicyAuditChecklists(incorporatedintoSecurityComplianceReport)ComingSoon…SecurityPolicyEducationalWhitePapers(sampleprovidedforITP-B.2)

SecurityPolicyTips(sampleprovidedforITP-B.2)SecurityPolicyResourceGuide

(sampleprovidedforITP-B.2)

Documentswillbeavailableat:

44SecurityPolicyAuditChecklists

ComplianceAmIcompliant?TheSelf-audit.NextSteps

TheActionPlan.45SecurityPolicyEducational

WhitePapers

TheImplementer’sPerspectiveWhatmoredoIneedtoknow?WheredoIgoformoreinformation?46SecurityPolicyTips

TheSubjectMatterExpertWhatarethekeydo’sanddon’tsofimplementation?47SecurityPolicyResourceGuide

TheUserPerspectiveWhy?What’smyrole?Whataremyresponsibilities?WheredoIgoformoreinformation?48SecuringYourSystem…

ABasicPhilosophyThereisno“SilverBullet〞forsecuringsystems.Threecomponentsforsuccess:PeopleProcessesTechnologyIt’saboutRiskManagementSAIC“WhySecurityPolicy〞Presentation,June19,200149StatewideITPolicyContactInformation

Telephone: 614-644-9352

Facsimile: 614-644-9152

E-mail:

StateofOhioITPolicyisAvailableat::///itp50DougAltStateITPolicyManager(614)466-5083Questions?51SamOrthEnterpriseArchitecture&StandardsManagerStateofOhio

ITDataEncryptionStandard

DevelopmentOverview&Status52ExecutiveOrder2007-013S3ComponentsofEncryptionGoalsoftheStandardResearchApproachStandardsDevelopmentApproach–MOAResearchSynopsisStandardsCandidatesDataEncryptionRequirements&ImplementationNextStepsQuestionsOverview53ExecutiveOrder2007-013S

ImprovingStateAgencyDataPrivacy&SecurityAugust29,2007November12,2007Withinseventy-fivedays,TheChiefPrivacyOfficershalldevelopadataencryptionprotocolthatestablishesthedatathatshouldbemaintainedinencryptedform(likesocialsecuritynumbersorfinancialaccountinformation),thecircumstancesinwhichsuchdatashouldbeencrypted(likedatakeptonalaptoporotherportabledevice),andtheencryptionstrengthandstandardtobeutilized.Withinseventy-fivedaysthereafter,theDPPOCateachagencyshallprovideareporttotheChiefPrivacyOfficerdetailingthestepsandtimenecessarytoimplementthedataencryptionprotocol.543ComponentsofEncryptionCipher–encryption/decryptionalgorithmBlockStreamKey–expressedinbitsSymmetricSharedSecret(PrivateKey)AsymmetricPublic/PrivateKeyDigitalSignaturesKeyManagementSelecting,distributingandstoringkeys55GoalsoftheStandard(Principles)Common,durable,doesn’tfrequentlychangeSupportsawidevarietyofsystems,components,architectures,technologiesCanbeusedacrossstategovernmentOneSizeFitsMost–’80/20rule’AgencyACoreAgencyCAgencyBCommonUnique56ResearchApproachFederalGovIndustryResearchGartnerAgencyPracticeITVendorsOtherStatesStandardsCandidates57StandardsDevelopmentApproach

MOABusinessApplicationsTechnologySolutionsStandardsDisasterRecoveryBusinessMobilityPersonalProductivityInformationAccessDataNetworksMobileTechnologiesApplicationsStorageTechnologiesStandardsCandidates}CipherKeySizeCipherKeySize“Brick”=StandardNear-termFocusPatterns=UseCasesInitialFocus58

Utimaco

Safeware

CredantTechnologies

Pointsec

SafeBootGartnerMobileDataProtectionLeaders*GartnerResearchIDNumber:G00141980PhysicalPattern:BusinessMobilityTPMAES128bitNTFSWinXPMobile

Encryption

Software

SuiteProcurementOpportunitiesEnterpriseLicenseAgreementsStateTermSchedulesCommunitiesOfInterestSharingofBestPracticesDocumentationTraining}StandardsDevelopmentApproach

MOABusinessApplicationsTechnologySolutionsStandardsDisasterRecoveryBusinessMobilityPersonalProductivityInformationAccessDataNetworksMobileTechnologiesApplicationsStorageTechnologiesCipherKeySizeCipherKeySizeNear-termFocusPatterns=UseCasesMobileEncryptionRemovableStorage59ResearchSynopsis32OtherStates13standardsissuedorrevisedsince200617requireorrecommendAES/TDESorNISTFIPSstandards7explici

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

评论

0/150

提交评论