July 9, 2009 Information Security Officer Meeting
TRANSCRIPT
Katrina Yang
Reaching Us…
• No change to mailing address
• No change to phone numbers
• Change to email addresses
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
• Office closures due to mandated furloughs
Mark Weatherford
OCIO/OIS Organizational Update
• GRP Transition
• OIS Vacancies and recruitment efforts
• Impact on OIS’ ability to meet prior service level expectations
• Also on the move…
Rosa Umbach
ITPL 09-02, Security Segment
• Security Survey
Michele Robinson
Incident Management FSR Project Update
• Grant funded feasibility study
• Stakeholder (owner and user) interviews were conducted
• Information security regulations, policies, standards, and guidelines were researched
• Market research was performed
Michele Robinson
• Problem and needs were validated
• Alternatives were identified
• Based on overall cost/benefit a proposed alternative was selected
• FSR is close to completion (August 2009)
Michele Robinson
Alternatives
• Leverage Existing Remedy Service Desk Software
• Acquire a Commercial-off-the-Shelf (COTS) Solution
• Partner with CalEMA RIMS (Response Information Mgmt System) Replacement Project
Michele Robinson
Benefits of Partnership with CalEMA
• Establishes a unified and coordinated approach between COIS, CHP, and CalEMA
• Consolidation of separate existing (and conceptual) systems into a single system
• Scalable and can be extended to local governments
• Greater security of data
• Implementation is expedited by leveraging an approved FSR
• Less costly
Michele Robinson
Benefits of Partnership with CalEMA
Alignment with:
• National strategy
  “The government, working with key stakeholders, should design an effective mechanism to achieve a true common operating picture that integrates information from the government and private sector and serves as the basis for informed and prioritized vulnerability mitigation efforts and incident response decisions.” – Cyberspace Policy Review http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
• Key objectives derived from:
  • Cyberspace Policy Review
  • National Strategy to Secure Cyberspace
  • National Strategy for the Physical Protection of CI/KR
Michele Robinson
Benefits of Partnership with CalEMA
Alignment with:
• State IT Strategic Plan:
  – “Information technology support for the Executive Branch of California State Government will operate as a seamless enterprise, delivering consistent, cost-effective, reliable, accessible and secure services that satisfy the needs of its diverse public and private customers, including the People of California, its business communities and its public sector agencies.” – California State Information Technology 2006 Strategic Plan, pg 5
• State IT Capital Plan:
  – “Facilitate improvements in internal business processes and financial management through IT investments and enhance and promote enterprise data sharing through IT investments.” – 2009 ITCP Overview http://www.itsp.ca.gov/Capital_Plan/
Michele Robinson
Telework Policy and Security Standards Update
• DGS Telework Policy
– DGS Telework Advisory Group (TAG)
• OIS Telework Security Standards
– DPA will facilitate meet and confer with labor
Michele Robinson
Twitter Vulnerabilities
• Month-long campaign/project entitled the “Month of Twitter Bugs” or “MoTB”
• Began July 1, 2009
• Focus on ways to utilize the Twitter website and third-party Twitter applications to distribute malicious code.
• Malicious code may be used to exploit other third-party programs with a similar codebase as Twitter.
• May result in automated programs being written to take advantage of these known vulnerabilities.
Michele Robinson
Twitter Vulnerabilities
• Month of Twitter Bugs: http://twitpwn.com/
• Aviv Raff (Creator of "Month of Twitter Bugs" blog): http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx
Michele Robinson
Recommendations:
• Have a policy on the appropriate use of social networking sites
• Ensure users are trained on the appropriate use of social networking sites, including:
  – Enabling the privacy features and disabling "Auto-Feeds" that are not approved by your organization.
  – Not visiting untrusted websites or following links provided by unknown or untrusted sources.
  – Understanding the threats posed by hypertext links, especially from untrusted sources.
  – Following your organization's policies for incident reporting.
Michele Robinson
Recommendations:
• Ensure that all anti-virus software is up-to-date with the latest signatures.
• Ensure that the most recent vendor patches are applied on all desktops, laptops, mobile devices and servers as soon as possible.
• Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Michele Robinson
State Direction on Departmental Use of Social Networking Media
• Agency use versus all employee use
• Argument for advantages of employee access
• Security must help business to achieve the objectives of the directive
Mark Weatherford
Strategic Plan and Policy Refresh Project Update
Mark Weatherford
ITPL 09-05
Agency Information Officer and Department Chief Information Officer Responsibilities
Mark Weatherford
ITPL 09-05 Questions
Q: Does this mean that all ISOs in an IT classification must report to the CIO?
A: Yes, that is the intent.
Q: What does this mean for ISOs in non-IT classifications?
A: This is currently under consideration.
Mark Weatherford
What are the ISO Concerns?
In Addition to Known ITPL 09-05 Concerns
• Reporting to the CIO is a conflict of interest.
• Security and risk issues will not get raised to my agency head as needed and expected.
Mark Weatherford
Closing
• Please complete the feedback survey.
• Thank you for your attendance and participation.