January 10, 2008 www.infosecurity.ca.gov/

Role, Responsibility and Authority of New Office

Presented by Colleen Pedroza, State Chief Information Security Officer


Overview

Effective January 1, 2008, the California State Information Security Office joined forces with the California Office of Privacy Protection, creating the new Office of Information Security and Privacy Protection. The new Office reports to the State and Consumer Services Agency. For more details, see Senate Bill 90.


Office Overview

• State and Consumer Services Agency
– Executive Officer

• Office of Privacy Protection (Consumer Focused)
– Consumer Assistance
– Information & Education
– Best Practice Recommendations

• Office of Information Security (Government Focused)
– Policy, Standards, Guidance
– Assistance & Advice
– Education & Awareness
– Compliance Monitoring


Immediate Changes

There are some exciting new changes:

• Name Change - Office of Information Security

• Newly Designed Web Site - www.infosecurity.ca.gov/

• Public Email Address - [email protected]

• Physical address and phone numbers will remain the same for now


Web Site


Document Ownership

• Statewide Information Management Manual (SIMM) Documents
– SIMM 65/70 series, 145 will remain with us
– Other SIMM products will go to OCIO

• Policy Communication Channel
– Management Memos will release new policies
– Budget Letters to remain at Finance


What Will Our Office Do?

Continue to provide leadership and guidance to state government to ensure the confidentiality, integrity and availability of state information assets.

This will be accomplished through a number of efforts, which include:

• Issuing security and privacy policies and standards

• Providing guidance and assistance to state agencies

• Providing training and awareness tools to ensure the state workforce understands its responsibility for good security and privacy habits

• Conducting or directing compliance reviews, assessments and audits to ensure state agencies are diligent in achieving compliance with laws, policies, and best practice standards


Governance

Our Office will be:

• Establishing an ongoing process for developing, vetting, and approving statewide security and privacy policies

• Establishing a policy committee involving key stakeholders, such as:
– SCIO, Agency IOs, CHP, DGS, CalOHI, Legal, DTS, DPA, Finance, and department representation

• Envision
– Policy adoption will occur at the Cabinet level
– Agencies would develop a similar governance structure for their departments


2008 - Year of Compliance

• Certification Filings
– Designation Letter (SIMM 70A)
– Risk Management and Privacy Program Compliance (SIMM 70C)
– Due January 31st of each year or when changes occur

• Operational Recovery Plan/Certification (SIMM 70B)
– ORP Transmittal Letter (SIMM 70D) – New!
– See Schedule Submission

• Agency Security Incident Report (SIMM 65A)
– Due within 10 business days following the incident


Review/Assessment

What we look for:

• Are forms complete and properly signed?

• Designation Letter
– Updates distribution and emergency contact lists

• Program Compliance Certifications
– Has the agency certified that programs/plans are in place?
– If not, is a remediation plan provided and acceptable (activities, timeline, etc.)?
– If yes, schedule for compliance review

• ORPs
– Accompanied by Agency Transmittal Letter (new)
– Are there inter-agency dependencies and have these been addressed?
– Does it meet the SIMM 65A requirements?
– Is a cross reference map included?

• Incident Reports
– Have costs and corrective actions been identified?
– Do costs and corrective actions seem reasonable?


Follow-up Process

If an agency hasn’t submitted its forms/plan or asked for an extension:

1. Reminder to department ISO and CIO

2. Notification to department director and copy to ISO and CIO

3. Notification to department’s Agency and copies to ISO, CIO, director and SCIO


Requirements for State Agencies

Pursuant to Government Code 11549.3, all state agencies must comply with the policies and filing requirements issued by OISPP.


Compliance Authority & Monitoring

• We are required to notify the SCIO when an agency is not in compliance

• We may conduct compliance reviews

• We may conduct or require an independent security assessment at the agency’s expense

• We may require an audit at the agency’s expense


Consequences

May impact agency’s:

– IT Projects or IT Project funding
• Denial, suspension, or termination

– Delegated IT Procurement Cost Thresholds
• Reduction or elimination


Happy New Year!

• A new year

• A new office

• Many new opportunities or many new challenges

It’s all how we choose to look at it!


Questions?


Office Updates

Presented by Rosa Umbach

• ORP-COOP/COG Alignment Update

• SAM/SIMM Restructure

• New/Revised SIMM Forms and Instructions


ORP-COOP/COG Alignment

• Publication of Workgroup Products
– Revised SIMM 65A Instructions
– New SIMM 70D
– Definitions
– Internal Checklist (coming soon)

• Pending – Working with OES
– COOP/COG definitions
– Updating of the COOP/COG Instructions


SAM/SIMM Restructure

• Phase I – Restructure SAM 4840-4845
– Working with DGS to publish in SAM
– Developing Management Memo for releasing new structure

• Phase II – Perform Policy Gap Analysis

• Phase III – Prioritize and begin establishing new policy


SAM Restructure


SAM Restructure (Continued)


Revised SIMM Forms

• Agency Designation Letter (SIMM 70A)
– Director can identify individual to sign as designee

• Agency Operational Recovery Plan Certification (SIMM 70B)
– New Office Name

• Agency Risk Management and Privacy Program Compliance Certification (SIMM 70C)
– Certifies full Risk Management Program is in place or the Agency provides a remediation plan to become compliant.


SIMM 70A


SIMM 70C


Risk Management Certification

• Remediation Plan should include:
– List of activities which the agency is not yet compliant with
– Timeline for completing each activity
– Method for validation of completion
– Method of verification of compliance
– Contact for remediation plan


NEW SIMM Form

• Agency Operational Recovery Plan Transmittal Letter (SIMM 70D)


Questions?