Public Employees Retirement System, October 31, 2007. Eric Sokol, CSD Administrator; Jeffrey Marecic, ISD Administrator. Senate Bill 583 Implementation (16 pages).

Page 1

Public Employees Retirement System
October 31, 2007
Eric Sokol, CSD Administrator
Jeffrey Marecic, ISD Administrator
Senate Bill 583 Implementation

Page 2

PERS SB 583 Program Components

Incident Response Plan
Eliminate Sending Personal Information
Information Security Program
Issues

Page 3

PERS Business Network (diagram)

Network diagram of the PERS business network. Sites and external parties shown: HQ, 72nd, SDC, Salem, PERS, BHS, Mercer, Iron Mtn, CitiStreet, Rev-Q, Saber, D.O.R., Treasury, Employers, Health Care Insurance Carriers, Medical Advisors. Connection types shown between them: VPN, FTP, Internet, Manual.

Page 4

Incident Response Plan

Two Incident Response Teams
– Executive team makes policy and response decisions.
– Security Breach Response Team (SBRT) works under the direction of the Executive team and provides coordination, analysis, procedures and actions associated with suspected breaches.

Other Sections of Agency Get Involved as Needed

Notification Best Practices Checklist Greatly Assisted in Developing This Plan

Page 5

Incident Response Plan

Security Breach Notification Process (flowchart)

Swimlanes: CSD Staff / Vendors; Manager / Contract Administrator; Executive Team; SBRT; Law Enforcement; IIM.

Incident occurs.
Step 1: Staff report the incident to their Manager; Vendors report the incident to the Contract Administrator.
Step 2: Reported to the Executive Team.
Step 3: Review the breach incident. Has personal information been breached?
– No: Step 4A: SBRT documents and closes the incident report; incident documents are archived by IIM.
– Yes: Step 4B: Assign to SBRT, which completes a Risk Assessment.
Step 5 (Sections 5 and 6): SBRT investigates, prepares a plan of action, prepares the announcement and stops the breach.
Does this breach require contacting Law Enforcement?
– Yes: Incident reported to Law Enforcement (Section 3).
– No: proceed.
Draft announcement and scripting completed for Staff (Section 8).
Check Point! Is everything complete? (Section 9)
– No: Ensure all follow-up actions have been taken (Section 9).
– Yes: Approve all materials (Section 9).
Train CSC Staff, set up "Hot Topic" and follow-up (Section 9).
CSC handles phones and tracks contact with individuals (Section 10).
Complete remaining internal issues: HR, Financial, etc.
Retrospective, update Security Plan and close the incident (Section 10).
Documents archived in IIM (Section 10).

Page 6

Eliminate Sending/Transporting Personal Information

Inventoried All System Generated Correspondence

Completed/Nearly Completed
– Remove SSN Completely Where Possible
– Use Last 4 Digits Where Needed
– Move to PERS ID in the Long Term

Relaxed Procedural Requirements that Lead to Returned Documents in the First Place

Move to Redacting SSN and Personal Information on Member Records Requests

Move to Secure FTP and VPN Instead of Tapes/Disks

Page 7

Information Security Program

Information Security Message Begins at the Top

Information Security is Everyone's Job

Information Security Board Formed

Security Awareness Training
– HR and ISD Lead the Training Effort
– Division Administrators Ensure Compliance

Page 8

Information Security Program

Policies and Procedures
– Review and Update
  – Data Classification
  – Data/Document Labeling and Handling
  – 'Clean Desk' Provisions
  – Consultant/Contractor Compliance

Page 9

Information Security Program

Physical Security
– Key Card Access to All Work Areas and Sensitive Information
– Limited Access to Records Management Area
– Monthly Review of Access System

Page 10

Information Security Program

Data Files
– Network File Structure and Access
– Data in Transport (Tapes, Disks, etc.)
  – Encrypt
  – Password Protect
  – Log Movements (senders and receivers)
– Electronic Transfer (SFTP, VPN, EDX, Email)
  – Encryption
– Developer Environments
  – Encrypted, Scrambled, Fictitious Data

Page 11

Information Security Program

Backup Tapes
– Encrypt
– Log movements

Page 12

Information Security Program

System Generated Reports
– Remove SSN Where Possible
– Limit Internal Distribution to Those Who 'Need to Know'
– Track Reports
  – When Printed
  – When Delivered (internally)

Page 13

Information Security Program

Public Records Requests
– Redaction policy & procedure
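The SSN handling described on page 6 (remove the SSN where possible, otherwise keep only the last four digits) and the redaction policy on page 13 both come down to the same mechanical step before a document leaves the agency. The following is an added example, not code from PERS or from the presentation, showing one way to implement that step and the release check that goes with it. The letter text, the `PERS ID` value and the mode names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Formatted SSN: 123-45-6789. Word boundaries keep us from matching inside
# longer digit runs.
SSN_DASHED = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Bare nine-digit run. This is deliberately opt-in: other nine-digit
# identifiers (a hypothetical PERS ID, an account number) look identical,
# so enabling it trades false positives for coverage.
SSN_BARE = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")


@dataclass
class RedactionResult:
    text: str
    count: int  # SSNs replaced; useful for the tracking log the program calls for


def _replacement(match: re.Match, mode: str) -> str:
    """Build the replacement for one matched SSN according to the chosen mode."""
    serial = match.group(3)
    if mode == "last4":          # "Use Last 4 Digits Where Needed"
        return f"XXX-XX-{serial}"
    if mode == "redact":         # "Remove SSN Completely Where Possible"
        return "[SSN REDACTED]"
    raise ValueError(f"unknown mode: {mode}")


def redact_ssn(text: str, mode: str = "redact", match_bare: bool = False) -> RedactionResult:
    """Replace every SSN in text; mode is 'redact' or 'last4'."""
    count = 0

    def sub(m: re.Match) -> str:
        nonlocal count
        count += 1
        return _replacement(m, mode)

    out = SSN_DASHED.sub(sub, text)
    if match_bare:
        out = SSN_BARE.sub(sub, out)
    return RedactionResult(out, count)


def contains_ssn(text: str, match_bare: bool = False) -> bool:
    """Release gate: True if anything SSN-shaped is still present."""
    if SSN_DASHED.search(text):
        return True
    return bool(match_bare and SSN_BARE.search(text))


# Constructed sample correspondence (not a real member record).
SAMPLE_LETTER = (
    "Dear Member,\n"
    "Our records show SSN 123-45-6789 on file for PERS ID 900000123.\n"
    "Please verify the last four digits of your SSN when you call.\n"
)

if __name__ == "__main__":
    masked = redact_ssn(SAMPLE_LETTER, mode="last4")
    print(masked.text)
    print(f"{masked.count} SSN(s) masked; release check passed: "
          f"{not contains_ssn(masked.text)}")
```

The `match_bare` switch is the caveat worth noting: a nine-digit PERS ID is indistinguishable from an unformatted SSN by pattern alone, so bare matching belongs on correspondence templates where the only nine-digit field is the SSN, and off where a replacement identifier appears. The returned `count` is what you would write to the report-tracking log rather than the matched value itself.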

Page 14

Information Security Program

Applications
– Remove SSN From Screens
– Implement Role Based Access Control (RBAC)
– Replace SSN as Account Identifier
– ORION is Being Developed to Comply
– RIMS will be retired Q4/2009

Page 15

Information Security Program

Internal Audit
– Provides Periodic Assessments of Agency Compliance to the Information Security Program

Page 16

Issues

3rd party vendors out-of-state
– Vendor Certifications Required?

Members Sending Original Documents

Public Records Requests

Member Records Requests

Movement of Personnel Files

Employer Data Exchange (SSN vs Another Identifier)