Information Asset Classification
Communications Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office

Agenda
• Policy Overview
• Community of Practice Update
• Enterprise Information
• Agency Plan
• Methodology and Agency Plan
• Clearinghouse and Q&A
• Wrap up

Policy - Overview
• Information will be classified and managed based on its confidentiality, sensitivity, value and availability requirements.
• Identify an Information Owner or Owners
• Owner responsible for:
  – Initial classification
  – Decisions regarding information management
  – Review and reclassification if appropriate
  – Proper retention and disposal
• Statewide information
• Agency information

Policy – Classification Levels
• Level 1, Published - Low-sensitivity information; its release will not jeopardize the privacy or security of agency employees, clients and partners. Examples: press releases, brochures, pamphlets, public access Web pages, and materials created for public consumption.
• Level 2, Limited - Sensitive information; its release may jeopardize the privacy or security of agency employees, clients, partners. Examples: enterprise risk management planning documents, published internal audit reports, names and addresses that are not protected from disclosure.

Policy – Classification Levels (continued)
• Level 3, Restricted – Sensitive information; unauthorized access could result in financial loss or identity theft. Examples: network diagrams, personally identifiable information, other information exempt from public records disclosure.
• Level 4, Critical - Extremely sensitive information; unauthorized disclosure has the potential to cause major damage or injury. Examples: information whose disclosure could result in loss of life, disability or serious injury, regulated information with significant penalties for unauthorized disclosure, and information that is typically exempt from public disclosure.

Policy - Compliance Time Line
• Plan developed by June 30, 2009
• Level 4 identified and protected by December 31, 2009
• All other policy provisions completed by June 30, 2010
Note: Agencies are required to comply with the Oregon Consumer Identity Theft Protection Act (Senate Bill 583, 2007 Legislative Session)

Community of Practice and DHS Approach
Kyle Miller
Department of Human Services

Community of Practice
Membership Representatives
• Human Services
• Consumer and Business Services
• Forestry
• Corrections
• Transportation
• Education
• Administrative Services

Community of Practice Goals
• Methodology document that contains best practices and links to tools and resources
  – Best practices for classification
  – Elements of information asset management
• Recommendations for user awareness
• Recommendations regarding policy

DHS Approach
• Survey approach
• Information exchange
• Forms development
• Other initiatives

Enterprise Information
Bret West
Department of Administrative Services

Enterprise Information
What enterprise information does DAS “own”?
• HR
• Payroll
• Financial
• Contracts
• DAS-Owned Facilities
• State Network
• Others

Enterprise Information
What does ownership mean?
• DAS is responsible for determining classification levels
• DAS is responsible for communicating classification levels to stakeholders
• Ownership rests with DAS until information is transferred to another agency
• At that point, agencies will be responsible for ensuring security

Enterprise Information
What does ownership mean? (continued)
• Business partners (in this case DAS divisions) are responsible for classifying information assets
• This is not a technology issue!

Enterprise Information
Example: Statewide Financial Management Application Data
• The application itself will be classified at Level 4
• The combination of data elements puts the state and individuals at risk
• Specific elements or reports will be classified according to the statewide policy guidelines

Enterprise Information
Example: Statewide Financial Management Application Data (continued)
• Specific elements or reports will be classified according to the statewide policy guidelines
• Currently, SFMS staff have labeled reports “confidential” or “not confidential” based on the data included
• Further work will be done to classify these reports according to the appropriate levels

Enterprise Information
When will the classifications be available?
• Our goal is to have all Level 4 data classified by July 1, 2008
• Our draft internal policy requires all Level 3 data to be classified by January 1, 2009 and all Level 2 data classified by July 1, 2009.

ODOT’S SECURITY FABRIC
Addressing Information Security
Lisa Martinez
Oregon Department of Transportation

Where do you begin?
• Establish a “First-Strike” project team to develop your initial roll out strategy
  – Make sure you have the right blend of business and information technology representatives
  – Review and consolidate standards across all of the DAS Enterprise Information Security policies and Senate Bill 583
  – Develop a “final draft” of an agency-wide assessment tool to determine where your agency is in meeting, partially meeting, or not meeting the consolidated standards
  – Pilot the tool in a few areas to gather information on the resources and time required to assess across your agency

Where do you begin? (cont.)
• Make sure you have the support and commitment of your agency Director and his/her direct reports
  – Provide enough information so they understand the work effort required by their managers and employees
  – Have them provide names of appropriate staff to assist on a project team
  – Make sure that you use them to reinforce agency commitment if you encounter problems

Where do you begin? (cont.)
• Take time to understand how other initiatives underway in your agency interlace with Information Security
  – Can you demonstrate benefit to other initiatives with regard to information gathering, business process mapping, and similar tasks?
  – Be willing to share information with other project teams
  – Don’t overlook everyday work processes – they may be an easy opportunity to help with culture change

Where do you begin? (cont.)
• Communicate to managers and employees why this initiative is important
  – Make it real by giving real life examples
  – Utilize internal communication tools such as newsletters, intranet pages, etc.
  – Acknowledge that this will take time and is not an overnight process
  – Consider an Information Security “hotline”
• Identify available resources

ODOT Progress Report
• “First Strike” Project Team established, consisting of business and information technology staff and a contracted project manager
• Identified standards across policies and SB 583
• Developing assessment tool, criteria to measure current state against standards, glossary of terms and background materials
• Identified two business areas to pilot the tool
• Preparing presentation for Director and his direct reports to affirm support and commitment and solicit business resources

Identified Key Business Challenges and Opportunities
Opportunities:
• Reduce Agency Risk
• Potential to Improve Business Processes
• Recognize and Develop Partnerships
• Develop and Share Best Practices
• Successful Implementation Results in Improved Agency Compliance
Challenges:
• Reliant on Business Line Subject Matter Experts
• Competes with Other Priorities
• Undefined Roles and Responsibilities
• Requires Routine Review and Assessment to Manage Risk

Gather Requirements and Identify Gaps (process diagram)
• Identify business contacts for each division, region, and branch
• Subject matter experts from the lines of business compare the requirements across state initiatives against ODOT's current lines of business
• Gap analysis rates each requirement as Meets or Exceeds, Does Not Meet, or Not Applicable
• Project Team:
  – Review results
  – Rank gaps based on risks and priorities (high/low opportunity, high/low risk)
  – Develop blueprint of implementation plan

Available Resources
• Statewide Community of Practice (CoP) Workgroup on Information Assets Management Policy
  – Tool development
    • Information asset classification architecture methodology
    • Risk assessment tools
    • Communication tools
    • Will continue sharing process documents
  – Web site resource
• ODOT IS Tech Management Research
  – Inventory and identify capabilities of current information security tools
  – Research capabilities of other security tools, for example data leakage
• Business Line Best Practices

Information Asset Classification
John Koreski
Department of Corrections

Methodology
Information Asset Classification Methodology
• Identify information assets
• Identify the owner
• Conduct an impact assessment
• Determine the classification
• Document classified information assets
• Provide education and awareness
• Maintain classification and conduct continuous review
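As an added illustration (not part of this presentation or any agency's tooling), the Python below sketches the impact-assessment, classification, documentation and review steps of this methodology using the four statewide levels defined earlier in the deck, and applies the "based on data included" rule from the SFMS example to reports that combine elements. The assessment field names, the highest-level-wins aggregation and the 12-month review interval are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The four levels from the statewide policy summarized earlier in this deck.
LEVEL_NAMES = {1: "Published", 2: "Limited", 3: "Restricted", 4: "Critical"}


@dataclass
class ImpactAssessment:
    """Yes/no findings an information owner records for one data element.
    Field names are constructed for this example and paraphrase the
    criteria the policy gives for each level."""
    jeopardizes_privacy_or_security: bool = False     # Level 2 criterion
    financial_loss_or_identity_theft: bool = False    # Level 3 criterion (e.g. PII)
    exempt_from_public_records: bool = False          # Level 3 criterion
    injury_or_loss_of_life: bool = False              # Level 4 criterion
    regulated_with_significant_penalty: bool = False  # Level 4 criterion


def determine_level(a: ImpactAssessment) -> int:
    """Determine the classification: the most severe criterion that applies wins."""
    if a.injury_or_loss_of_life or a.regulated_with_significant_penalty:
        return 4
    if a.financial_loss_or_identity_theft or a.exempt_from_public_records:
        return 3
    if a.jeopardizes_privacy_or_security:
        return 2
    return 1  # nothing sensitive recorded: Level 1, Published


def classify_report(elements: dict) -> int:
    """A report takes the highest level of any data element it includes (the
    'based on data included' rule from the SFMS example). Combining elements
    can raise a level but never lowers one; an empty report is Level 1."""
    return max((determine_level(a) for a in elements.values()), default=1)


def document_asset(name: str, owner: str, elements: dict,
                   classified_on: str, review_months: int = 12) -> dict:
    """Record owner, level and the next review date for the asset inventory.
    classified_on is an ISO date; the 12-month review interval is an assumption."""
    classified = date.fromisoformat(classified_on)
    level = classify_report(elements)
    return {
        "asset": name,
        "owner": owner,
        "level": level,
        "label": LEVEL_NAMES[level],
        "classified_on": classified.isoformat(),
        "review_due": (classified + timedelta(days=30 * review_months)).isoformat(),
        "elements": {k: determine_level(v) for k, v in elements.items()},
    }
```

A constructed payroll report containing an employee name, an SSN and a public agency code classifies at Level 3 (Restricted) because the SSN element does, even though the other elements are Level 2 and Level 1.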

Security
• Organization Security
• Legal Implications
Recommended Strategy to Implement the Office of Legal Affairs

Phase 1 (12 mos.):
• Identify LIO and PIOs – 1/08
• Create Training
• Deliver Training – 3/08
  – DOJ/DOC key staff
  – Management
  – Other impacted staff
• Create Tracking Mechanisms
• Establish Measures
• Complete Phase 1 – 12/08

Recommended Strategy to Implement the Office of Legal Affairs
Phase 2 (15 mos.):
• Info. Asset Identification – 4/08
• Project Mgmt. Methodology
• Archive E-Mail Project
• Transporting Info. Assets Project
• Complete Phase 2 – 6/09

Recommended Strategy to Implement the Office of Legal Affairs
Phase 3 (18 mos.):
• Begin Grant Admin. Strategy – 7/09
• Hire Info. Security Officer (ISO) – see handout for duties
• Hire Records Officer (RO) – see handout for duties
• Complete Phase 3 – 1/11

Recommended Strategy to Implement the Office of Legal Affairs
Phase 4:
• Electronic Records Management
• Enterprise Content Management
• Timeline: approximately 1/11 – 7/11

Clearinghouse and Wrap Up
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office

Policy Resources
• A clearinghouse-type Web site with links to best practices and tools/templates: www.oregon.gov/DAS/EISPD/ESO/IAC.shtml

Thank You
Other Questions
Contact: [email protected], 503-378-3071
[email protected], 503-373-1496