Information Asset Classification Communications Forum

Description: Information Asset Classification Communications Forum. Theresa A. Masse, State Chief Information Security Officer, Department of Administrative Services, Enterprise Security Office. PowerPoint presentation.
Transcript
Page 1: Information Asset Classification Communications Forum

Information Asset Classification

Communications Forum

Theresa A. Masse, State Chief Information Security Officer

Department of Administrative Services, Enterprise Security Office

Page 2: Information Asset Classification Communications Forum

Agenda

• Policy Overview
• Community of Practice Update
• Enterprise Information
• Agency Plan
• Methodology and Agency Plan
• Clearinghouse and Q&A
• Wrap up

Page 3: Information Asset Classification Communications Forum

Policy - Overview

• Information will be classified and managed based on its confidentiality, sensitivity, value and availability requirements.
• Identify an Information Owner or Owners
• Owner responsible for:
  – Initial Classification
  – Decisions regarding information management
  – Review and reclassification if appropriate
  – Proper retention and disposal
• Statewide information
• Agency information

Page 4: Information Asset Classification Communications Forum

Policy – Classification Levels

• Level 1, Published - Low-sensitive information, will not jeopardize the privacy or security of agency employees, clients and partners.

Examples: Press releases, brochures, pamphlets, public access Web pages, and materials created for public consumption.

• Level 2, Limited - Sensitive information, may jeopardize the privacy or security of agency employees, clients, partners.

Examples: Enterprise risk management planning documents, published internal audit reports, names and addresses that are not protected from disclosure.

Page 5: Information Asset Classification Communications Forum

Policy – Classification Levels

• Level 3, Restricted – Sensitive information, unauthorized access could result in financial loss or identity theft.

Examples: Network diagrams, personally identifiable information, other information exempt from public records disclosure.

• Level 4, Critical - Extremely sensitive, potential to cause major damage or injury.

Examples: Disclosure that could result in loss of life, disability or serious injury or regulated information with significant penalties for unauthorized disclosure, information that is typically exempt from public disclosure.

Page 6: Information Asset Classification Communications Forum

Policy - Compliance Time Line

• Plan developed by June 30, 2009
• Level 4 identified and protected by December 31, 2009
• All other policy provisions completed by June 30, 2010

Note: Agencies are required to comply with the Oregon Consumer Identity Theft Protection Act (Senate Bill 583, 2007 Legislative Session)

Page 7: Information Asset Classification Communications Forum

Community of Practice and DHS Approach

Kyle Miller

Department of Human Services

Page 8: Information Asset Classification Communications Forum

Community of Practice

Membership Representatives
• Human Services
• Consumer and Business Services
• Forestry
• Corrections
• Transportation
• Education
• Administrative Services

Page 9: Information Asset Classification Communications Forum

Community of Practice

Goals
• Methodology document that contains best practices and links to tools and resources
• Best practices for classification
• Elements of information asset management
• Recommendations for user awareness
• Recommendations regarding policy

Page 10: Information Asset Classification Communications Forum

DHS Approach

• Survey approach
• Information exchange
• Forms development
• Other Initiatives

Page 11: Information Asset Classification Communications Forum

Enterprise Information

Bret West

Department of Administrative Services

Page 12: Information Asset Classification Communications Forum

Enterprise Information

What enterprise information does DAS “own”?
• HR
• Payroll
• Financial
• Contracts
• DAS-Owned Facilities
• State Network
• Others

Page 13: Information Asset Classification Communications Forum

Enterprise Information

What does ownership mean?
• DAS is responsible for determining classification levels
• DAS is responsible for communicating classification levels to stakeholders
• Ownership rests with DAS until information is transferred to another agency
• At that point, agencies will be responsible for ensuring security

Page 14: Information Asset Classification Communications Forum

Enterprise Information

What does ownership mean?
• Business partners (in this case DAS divisions) are responsible for classifying information assets
• This is not a technology issue!

Page 15: Information Asset Classification Communications Forum

Enterprise Information

Example: Statewide Financial Management Application Data
• The application itself will be classified at Level 4
• Combination of data elements puts the state and individuals at risk
• Specific elements or reports will be classified according to the statewide policy guidelines

Page 16: Information Asset Classification Communications Forum

Enterprise Information

Example: Statewide Financial Management Application Data (continued)
• Specific elements or reports will be classified according to the statewide policy guidelines
• Currently, SFMS staff have labeled reports “confidential” or “not confidential” based on data included
• Further work will be done to classify these reports according to appropriate levels

Page 17: Information Asset Classification Communications Forum

Enterprise Information

When will the classifications be available?
• Our goal is to have all Level 4 data classified by July 1, 2008
• Our draft internal policy requires all Level 3 data to be classified by January 1, 2009 and all Level 2 data classified by July 1, 2009.

Page 18: Information Asset Classification Communications Forum

ODOT’S SECURITY FABRIC

Addressing Information Security

Lisa Martinez

Oregon Department of Transportation

Page 19: Information Asset Classification Communications Forum

Where do you begin?

• Establish a “First-Strike” project team to develop your initial roll out strategy
  – Make sure you have the right blend of business and information technology representatives
• Review and consolidate standards across all of the DAS Enterprise Information Security policies and Senate Bill 583
• Develop a “final draft” of an agency-wide assessment tool to determine where your agency is in meeting, partially meeting, or not meeting the consolidated standards
• Pilot tool in a few areas to gather information on resources and time required to assess across your agency

Page 20: Information Asset Classification Communications Forum

Where do you begin? (cont.)

• Make sure you have the support and commitment of your agency Director and his/her direct reports
  – Provide enough information so they understand the work effort required by their managers and employees
  – Have them provide names of appropriate staff to assist on a project team
  – Make sure that you use them to reinforce agency commitment if you encounter problems

Page 21: Information Asset Classification Communications Forum

Where do you begin? (cont.)

• Take time to understand how other initiatives underway in your agency interlace with Information Security
  – Can you demonstrate benefit to other initiatives with regard to information gathering, business process mapping, and similar tasks
  – Be willing to share information with other project teams
  – Don’t overlook everyday work processes – they may be an easy opportunity to help with culture change

Page 22: Information Asset Classification Communications Forum

Where do you begin? (cont.)

• Communicate to managers and employees why this initiative is important
  – Make it real by giving real life examples
  – Utilize internal communication tools such as newsletters, intranet pages, etc.
  – Acknowledge that this will take time and is not an overnight process
  – Consider an Information Security “hotline”
• Identify Available Resources

Page 23: Information Asset Classification Communications Forum

ODOT Progress Report

• “First Strike” Project Team established consisting of business and information technology staff and contracted project manager
• Identified standards across policies and SB 583
• Developing assessment tool, criteria to measure current state against standards, glossary of terms and background materials
• Identified two business areas to pilot tool
• Preparing presentation for Director and his direct reports to affirm support and commitment and solicit business resources

Page 24: Information Asset Classification Communications Forum

Identified Key Business Challenges and Opportunities

Opportunities:
• Reduce Agency Risk
• Potential to Improve Business Processes
• Recognize and Develop Partnerships
• Develop and Share Best Practices
• Successful Implementation Results in Improved Agency Compliance

Challenges:
• Reliant on Business Line Subject Matter Experts
• Competes with Other Priorities
• Undefined Roles and Responsibilities
• Requires Routine Review and Assessment to Manage Risk

Identify Business Contacts for Each Division, Region, and Branch

Page 25: Information Asset Classification Communications Forum

Gather Requirements and Identify Gaps

Gap Analysis (diagram): requirements across state initiatives and ODOT’s current state by lines of business, each rated Meets or Exceeds / Does Not Meet / Not Applicable

Project Team:

• Review Results

• Rank Gaps Based on Risks and Priorities

• Develop Blueprint of Implementation Plan

Ranking axes (diagram): High Opportunity / Low Opportunity; High Risk / Low Risk

Subject Matter Experts from Lines of Business

Page 26: Information Asset Classification Communications Forum

Available Resources

• Statewide Community of Practice (CoP) Workgroup on Information Assets Management Policy
  – Tool development
    • Information asset classification architecture methodology
    • Risk assessment tools
    • Communication tools
    • Will continue sharing process documents
  – Web site resource
• ODOT IS Tech Management Research
  – Inventory and identify capabilities of current information security tools
  – Research capabilities of other security tools, for example data leakage
• Business Line Best Practices

Page 27: Information Asset Classification Communications Forum

Information Asset Classification

John Koreski

Department of Corrections

Page 28: Information Asset Classification Communications Forum

Methodology

Information Asset Classification Methodology
• Identify information assets
• Identify the owner
• Conduct an impact assessment
• Determine the classification
• Document classified information assets
• Provide education and awareness
• Maintain classification and conduct continuous review

Page 29: Information Asset Classification Communications Forum

Security

• Organization Security
• Legal Implications

Page 30: Information Asset Classification Communications Forum

Recommended Strategy to Implement the Office of Legal Affairs

Phase 1 (12 mos.):
• Identify LIO and PIOs – 1/08
• Create Training
• Deliver Training – 3/08
  – DOJ/DOC key staff
  – Management
  – Other impacted staff
• Create Tracking Mechanisms
• Establish Measures
• Complete Phase 1 – 12/08

Page 31: Information Asset Classification Communications Forum

Recommended Strategy to Implement the Office of Legal Affairs

Phase 2 (15 mos.):
• Info. Asset Identification – 4/08
• Project Mgmt. Methodology
• Archive E-Mail Project
• Transporting Info. Assets Project
• Complete Phase 2 – 6/09

Page 32: Information Asset Classification Communications Forum

Recommended Strategy to Implement the Office of Legal Affairs

Phase 3 (18 mos.):
• Begin Grant Admin. Strategy – 7/09
• Hire Info. Security Officer (ISO)
  – See handout for duties
• Hire Records Officer (RO)
  – See handout for duties
• Complete Phase 3 – 1/11

Page 33: Information Asset Classification Communications Forum

Recommended Strategy to Implement the Office of Legal Affairs

Phase 4:
• Electronic Records Management
• Enterprise Content Management
• Timeline: approximately 1/11 – 7/11

Page 34: Information Asset Classification Communications Forum

Clearinghouse and Wrap Up

Theresa A. Masse, State Chief Information Security Officer

Department of Administrative Services, Enterprise Security Office

Page 35: Information Asset Classification Communications Forum

Policy Resources

• A clearinghouse-type Web site with links to best practices and tools/templates
  www.oregon.gov/DAS/EISPD/ESO/IAC.shtml

Page 36: Information Asset Classification Communications Forum

Thank You

Other Questions

Contact: [email protected] 503-378-3071

[email protected] 503-373-1496
