Public Employees Retirement System October 31, 2007 Eric Sokol, CSD Administrator Jeffrey Marecic,...
Public Employees Retirement System
October 31, 2007
Eric Sokol, CSD Administrator
Jeffrey Marecic, ISD Administrator
Senate Bill 583 Implementation
PERS SB 583 Program Components
– Incident Response Plan
– Eliminate Sending Personal Information
– Information Security Program
– Issues
PERS Business Network (network diagram): sites and partners shown are HQ, 72nd, SDC, BHS, Mercer, Iron Mtn, CitiStreet, Salem, PERS, Rev-Q, D.O.R., Treasury, Employers, Health Care Insurance Carriers and Medical Advisors; the links between them are labelled VPN, FTP, FTP/VPN, SaberVPN Internet and Manual.
Incident Response Plan
Two Incident Response Teams
– Executive team makes policy and response decisions.
– Security Breach Response Team (SBRT) works under the direction of the Executive team and provides coordination, analysis, procedures and actions associated with suspected breaches.
Other Sections of Agency Get Involved as Needed
Notification Best Practices Checklist Greatly Assisted in Developing This Plan
Incident Response Plan
Security Breach Notification Process (flowchart; swim lanes: CSD Staff / Vendors, Manager / Contract Administrator, Executive Team, SBRT, Law Enforcement, IIM)
– Step 1: Incident occurs. Staff report the incident to their Manager; vendors report the incident to the Contract Administrator.
– Step 2: Reported to the Executive Team.
– Step 3: Review the breach incident. Has personal information been breached?
– Step 4A (No): SBRT documents and closes the incident report; incident documents archived by IIM.
– Step 4B (Yes): Assign to SBRT, which completes a Risk Assessment.
– Step 5 (Sections 5 and 6): SBRT investigates, prepares a plan of action, prepares the announcement and stops the breach.
– Does this breach require contacting Law Enforcement? If yes, the incident is reported to Law Enforcement (Section 3).
– Draft announcement and scripting completed for Staff (Section 8).
– Check Point! Is everything complete? (Section 9). If no, ensure all follow-up actions have been taken (Section 9). If yes, approve all materials; train CSC Staff, set up “Hot Topic” and follow-up (Section 9).
– CSC handles phones and tracks contact with individuals (Section 10).
– Retrospective, update Security Plan and close the incident (Section 10); documents archived in IIM (Section 10).
– Complete remaining internal issues: HR, Financial, etc.
Eliminate Sending/Transporting Personal Information
Inventoried All System Generated Correspondence
Completed/Nearly Completed
– Remove SSN Completely Where Possible
– Use Last 4 Digits Where Needed
– Move to PERS ID in the Long Term
Relaxed Procedural Requirements that Lead to Returned Documents in the First Place
Move to Redacting SSN and Personal Information on Member Records Requests
Move to Secure FTP and VPN Instead of Tapes/Disks
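The three options on this slide (remove the SSN, keep only the last four digits, or substitute a PERS ID), as an added example that is not part of the original presentation or of any PERS system: a small Python redaction routine for system-generated correspondence, with a release check that no full SSN survives. The sample letter, the SSN and the PERS ID value are constructed.

```python
import re
from typing import Dict, Optional

# Matches an SSN written as 123-45-6789, 123 45 6789 or 123456789.
# Word boundaries keep longer reference numbers from being split up.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666, 900-999;
    group 00; serial 0000) so other 9-digit numbers are left alone."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def redact_ssn(text: str, mode: str = "remove",
               pers_ids: Optional[Dict[str, str]] = None) -> str:
    """Apply one of the slide's options to every SSN in `text`.
    mode='remove'  -> drop the number entirely
    mode='last4'   -> keep only the serial, as XXX-XX-6789
    mode='pers_id' -> substitute the member's PERS ID when the
                      (constructed) lookup table knows it, else last4."""
    pers_ids = pers_ids or {}

    def sub(m):
        area, group, serial = m.groups()
        if not looks_like_ssn(area, group, serial):
            return m.group(0)  # not an SSN: leave untouched
        full = area + group + serial
        if mode == "pers_id" and full in pers_ids:
            return "PERS ID " + pers_ids[full]
        if mode in ("last4", "pers_id"):
            return "XXX-XX-" + serial
        return "[SSN removed]"

    return SSN_RE.sub(sub, text)


def contains_full_ssn(text: str) -> bool:
    """Release check before printing or mailing: True if any plausible
    full SSN is still present in the document."""
    return any(looks_like_ssn(*m.groups()) for m in SSN_RE.finditer(text))


# Constructed sample letter; the SSN, case number and PERS ID are made up.
LETTER = ("Dear Member, your account (SSN 123-45-6789) has been updated. "
          "Quote case file 000-11-2222 when calling.")
SAMPLE_PERS_IDS = {"123456789": "P-000001"}
```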
Information Security Program
Information Security Message Begins at the Top
Information Security is Everyone’s Job
Information Security Board Formed
Security Awareness Training
– HR and ISD Lead the Training Effort
– Division Administrators Ensure Compliance
Information Security Program
Policies and Procedures
– Review and Update
  – Data Classification
  – Data/Document Labeling and Handling
  – ‘Clean Desk’ Provisions
  – Consultant/Contractor Compliance
Information Security Program
Physical Security
– Key Card Access to All Work Areas and Sensitive Information
– Limited Access to Records Management Area
– Monthly Review of Access System
Information Security Program
Data Files
– Network File Structure and Access
– Data in Transport (Tapes, Disks, etc.): Encrypt; Password Protect; Log Movements (senders and receivers)
– Electronic Transfer (SFTP, VPN, EDX, Email): Encryption
– Developer Environments: Encrypted, Scrambled, Fictitious Data
Information Security Program
Backup Tapes
– Encrypt
– Log movements
Information Security Program
System Generated Reports
– Remove SSN Where Possible
– Limit Internal Distribution to Those Who ‘Need to Know’
– Track Reports: When Printed; When Delivered (internally)
Information Security Program
Public Records Requests
– Redaction policy & procedure
Information Security Program
Applications
– Remove SSN From Screens
– Implement Role Based Access Control (RBAC)
– Replace SSN as Account Identifier
– ORION is Being Developed to Comply
– RIMS will be retired Q4/2009
Information Security Program
Internal Audit
– Provides Periodic Assessments of Agency Compliance to Information Security Program
ISSUES
3rd party vendors out-of-state
– Vendor Certifications Required?
Members Sending Original Documents
Public Records Requests
Member Records Requests
Movement of Personnel Files
Employer Data Exchange (SSN vs Another Identifier)