July 9, 2009 Information Security Officer Meeting

Transcript of the July 9, 2009 Information Security Officer Meeting.

Page 1:

July 9, 2009

Information Security Officer Meeting

Page 2:

Katrina Yang

Reaching Us…

• No change to mailing address
• No change to phone numbers
• Change to email addresses (the new addresses were not preserved in this transcript)
• Office closures due to mandated furloughs

Page 3:

Mark Weatherford

OCIO/OIS Organizational Update

• GRP Transition
• OIS Vacancies and recruitment efforts
• Impact on OIS’ ability to meet prior service level expectations
• Also on the move…

Page 4:

Rosa Umbach

ITPL 09-02, Security Segment

• Security Survey

Page 5:

Michele Robinson

Incident Management FSR Project Update

• Grant funded feasibility study
• Stakeholder (owner and user) interviews were conducted
• Information security regulations, policies, standards, and guidelines were researched
• Market research was performed

Page 6:

Michele Robinson

• Problem and needs were validated

• Alternatives were identified

• Based on overall cost/benefit a proposed alternative was selected

• FSR is close to completion (August 2009)

Page 7:

Michele Robinson

Alternatives

• Leverage Existing Remedy Service Desk Software
• Acquire a Commercial-off-the-Shelf (COTS) Solution
• Partner with CalEMA RIMS (Response Information Mgmt System) Replacement Project

Page 8:

Michele Robinson

Benefits of Partnership with CalEMA

• Establishes a unified and coordinated approach between COIS, CHP, and CalEMA
• Consolidation of separate existing (and conceptual) systems into a single system
• Scalable and can be extended to local governments
• Greater security of data
• Implementation is expedited by leveraging an approved FSR
• Less costly

Page 9:

Michele Robinson

Benefits of Partnership with CalEMA

Alignment with:

• National strategy

“The government, working with key stakeholders, should design an effective mechanism to achieve a true common operating picture that integrates information from the government and private sector and serves as the basis for informed and prioritized vulnerability mitigation efforts and incident response decisions.” – Cyberspace Policy Review http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

• Key objectives derived from:
– Cyberspace Policy Review
– National Strategy to Secure Cyberspace
– National Strategy for the Physical Protection of CI/KR

Page 10:

Michele Robinson

Benefits of Partnership with CalEMA

Alignment with:

• State IT Strategic Plan:
– “Information technology support for the Executive Branch of California State Government will operate as a seamless enterprise, delivering consistent, cost-effective, reliable, accessible and secure services that satisfy the needs of its diverse public and private customers, including the People of California, its business communities and its public sector agencies.” - California State Information Technology 2006 Strategic Plan, pg 5

• State IT Capital Plan:
– “Facilitate improvements in internal business processes and financial management through IT investments and enhance and promote enterprise data sharing through IT investments.” – 2009 ITCP Overview http://www.itsp.ca.gov/Capital_Plan/

Page 11:

Michele Robinson

Telework Policy and Security Standards Update

• DGS Telework Policy

– DGS Telework Advisory Group (TAG)

• OIS Telework Security Standards

– DPA will facilitate meet and confer with labor

Page 12:

Michele Robinson

Twitter Vulnerabilities

• Month long campaign/project entitled the “Month of Twitter Bugs” or “MoTB”
• Began July 1, 2009
• Focus on ways to utilize the Twitter website and third-party Twitter applications to distribute malicious code.
• Malicious code may be used to exploit other third-party programs with a similar codebase as Twitter
• May result in automated programs being written to take advantage of these known vulnerabilities.

Page 13:

Michele Robinson

Twitter Vulnerabilities

• Month of Twitter Bugs: http://twitpwn.com/
• Aviv Raff (Creator of "Month of Twitter Bugs" blog): http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx

Page 14:

Michele Robinson

Recommendations:

• Have a policy on the appropriate use of social networking sites
• Ensure users are trained on the appropriate use of social networking sites, including:
– Enabling the privacy features and disabling "Auto-Feeds" that are not approved by your organization.
– Not visiting untrusted websites or following links provided by unknown or untrusted sources.
– Understanding the threats posed by hypertext links, especially from untrusted sources.
– Following your organization's policies for incident reporting.

Page 15:

Michele Robinson

Recommendations:

• Ensure that all anti-virus software is up-to-date with the latest signatures.
• Ensure that the most recent vendor patches are applied on all desktops, laptops, mobile devices and servers as soon as possible.
• Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Page 16:

Michele Robinson

State Direction on Departmental Use of Social Networking Media

• Agency use versus all employee use

• Argument for advantages of employee access

• Security must help business to achieve the objectives of the directive

Page 17:

Mark Weatherford

Strategic Plan and Policy Refresh Project Update

Page 18:

Mark Weatherford

ITPL 09-05

Agency Information Officer and Department Chief Information Officer Responsibilities

Page 19:

Mark Weatherford

ITPL 09-05 Questions

Q: Does this mean that all ISOs in an IT classification must report to the CIO?

A: Yes, that is the intent.

Q: What does this mean to ISOs in non-IT classifications?

A: This is currently under consideration.

Page 20:

Mark Weatherford

What are the ISO Concerns?

In Addition to Known ITPL 09-05 Concerns

• Reporting to the CIO is a conflict of interest.

• Security and risk issues will not get raised to my agency head as needed and expected.

Page 21:

Mark Weatherford

Closing

• Please complete the feedback survey.

• Thank you for your attendance and participation.