September 29, 2015
History and Background
- State policy (SAM Section 5305.1) requires a plan of action and milestones but gives little to no direction or assistance.
- The California Information Security Office (CISO) released a standardized reporting tool, with procedures.
- The POAM Tool is purposely simple to complete and submit.
- The data elements collected will be uniform.
- The Department of Technology and the CISO will be able to aggregate the data and evaluate risks at several organizational levels (entity, agency, or statewide).
- The data will reveal and categorize weaknesses by control/policy, by risk rating, by completion date, and by other attributes.
Mission
- Simple
- Meaningful
- Temporary
Instructions and Use
Column B (NIST Families): Select from the drop-down the NIST family that best describes the security audit finding, compliance deficiency, security risk, incident remediation activity, or other gap (henceforth referred to as a risk).
Column C (SAM & SIMM Policies): Select from the drop-down one of the SAM sections or subsections. Your selection in Column C must align with your selection in Column B.
Column E (Describe the Weakness or Area of Non-Compliance): Briefly describe the nature and characteristics of the risk.
Instructions and Use
Column F (Compensating Controls): Briefly describe any short- or long-term compensating controls in play.
Column G (Source): Select from the drop-down the source activity (how the risk was initially identified).
Column H (Describe the Information Asset at Risk): Briefly describe the information asset(s) that may be impacted by this risk. An information asset can be a system, a data element, a person, a facility, a record, a file, a piece of paper, hardware, software, etc. See the definition of this and other terms in SAM Section 5300.4.
Instructions and Use
Column I (Assigned To): Identify the person(s) responsible for this risk, including name, title and/or classification. By policy, the state entity head (director) is responsible for all risks, but for purposes of the POAM, indicate who will own the risk and secure the necessary resources (persons or funding) to address it. This is the person the CISO may contact for more information.
Column J (Plan of Action): Describe the steps the state entity will take to address the risk, including short- and longer-term plans. If the plan of action is significant and includes several major milestones, submit the detailed plan as a separate file.
Column K (When First Identified): Record the date when the risk was first identified.
Instructions and Use
Column L (Start Date): Indicate the date you began, or will begin, addressing the risk.
Column M (Completion Date): Indicate the projected completion date. NOTE: The CISO will know whether it is a projected or an actual completion date from the status of the risk.
Column N (Status): Select one of the four (4) status types. NOTE: Even after a risk is reported as "Completed" it must remain on the tool.
Column O (Status Date): Record the date of the status selected in Column N.
Instructions and Use
Column P (Risk Rating): Use the NIST risk categories described in Special Publication 800-30 to rate the risk as Very Low, Low, Moderate, High, or Very High.
Column Q (Barriers or Constraints): Briefly describe any constraints to remediating this risk. If necessary, a separate file may be submitted to the CISO. NOTE: The names of all submitted files must begin with your Org Code.
Transformation: Raw Data to Actionable Business Intelligence
[Pie chart: Statewide Risks (Sample Data): Remote Access 31%, Governance 25%, Incident Response 12%, Media Protection 10%, Acquisition 10%, Training 7%, Access Controls 5%]
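The aggregation behind the sample chart above, written as an added example rather than the CISO's POAM Tool: it reads a constructed CSV export whose headers carry the column letters from the instructions (B, E, N, O, P), rejects rows whose Column P value is not one of the five SP 800-30 levels, keeps "Completed" rows in the family distribution (they stay on the tool), and lists open items by severity. The sample rows, the NIST family names and the status values other than "Completed" are assumptions; these slides do not list the tool's four status types.

```python
"""Aggregate POAM rows into a per-family distribution and an open-item list.

Added example, not the CISO's POAM Tool. Column headers follow the
instruction slides: B NIST family, E weakness, N status, O status date,
P risk rating. All sample data below is constructed for illustration.
"""
import csv
import io
from collections import Counter
from datetime import date

# SP 800-30 qualitative scale, the only values Column P should carry.
RISK_LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")
RISK_WEIGHT = {level: i for i, level in enumerate(RISK_LEVELS)}

# Constructed sample export. Status values other than "Completed" are
# placeholders; the slides do not name the tool's four status types.
SAMPLE_CSV = """\
B_nist_family,E_weakness,N_status,O_status_date,P_risk_rating
Incident Response,PII faxed to out-of-date fax group; 7 recipients had no business need,In Progress,2015-09-01,High
Acquisition,Multi-function printers procured without security review,Not Started,2015-09-15,Moderate
Contingency Planning,TRP not updated in 6 years,In Progress,2015-08-20,Very High
System and Information Integrity,Mission-critical financial system on Windows Server 2003,In Progress,2015-07-01,Very High
Awareness and Training,Annual training completion below target,Completed,2015-06-30,Low
Awareness and Training,New-hire training not tracked,Not Started,2015-09-10,moderate
Access Control,Shared administrator account on file server,In Progress,2015-09-20,Critical
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def validate(row):
    """Return a list of problems with one row (empty list means the row is usable)."""
    problems = []
    if not row["E_weakness"].strip():
        problems.append("Column E is empty")
    # Exact match: the tool is a drop-down, so "moderate" or "Critical" is a data-entry error.
    if row["P_risk_rating"] not in RISK_LEVELS:
        problems.append(f"Column P {row['P_risk_rating']!r} is not an SP 800-30 level")
    try:
        date.fromisoformat(row["O_status_date"])
    except ValueError:
        problems.append(f"Column O {row['O_status_date']!r} is not an ISO date")
    return problems


def partition(rows):
    """Split rows into (valid, invalid); invalid entries carry their problem list."""
    valid, invalid = [], []
    for row in rows:
        problems = validate(row)
        if problems:
            invalid.append((row, problems))
        else:
            valid.append(row)
    return valid, invalid


def family_distribution(rows):
    """Percent of rows per NIST family, rounded to one decimal.

    Completed rows are included on purpose: the instructions say a risk stays
    on the tool after it is reported as Completed.
    """
    counts = Counter(row["B_nist_family"] for row in rows)
    total = sum(counts.values())
    return {fam: round(100.0 * n / total, 1) for fam, n in sorted(counts.items())}


def open_by_rating(rows):
    """Count of not-yet-Completed rows per risk rating."""
    return dict(Counter(r["P_risk_rating"] for r in rows if r["N_status"] != "Completed"))


def open_items_by_severity(rows):
    """Open rows ordered from Very High down to Very Low, then by family name."""
    open_rows = [r for r in rows if r["N_status"] != "Completed"]
    return sorted(open_rows, key=lambda r: (-RISK_WEIGHT[r["P_risk_rating"]], r["B_nist_family"]))


if __name__ == "__main__":
    valid, invalid = partition(load_rows(SAMPLE_CSV))
    for row, problems in invalid:
        print("REJECTED:", row["E_weakness"], "->", "; ".join(problems))
    for family, pct in family_distribution(valid).items():
        print(f"{family}: {pct}%")
    print("Open by rating:", open_by_rating(valid))
    for row in open_items_by_severity(valid):
        print(row["P_risk_rating"], "|", row["B_nist_family"], "|", row["E_weakness"])
```

Rejected rows are reported rather than silently dropped, so a submitter sees which drop-down values were hand-edited before the CISO aggregates the file.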
Secure File Transfer (SFT)
Case Studies
For each of the following case studies, provide the following information:
- Simple description of the weakness?
- NIST family and/or SAM/SIMM policy?
- Compensating controls?
- Source?
- Information asset at risk?
- Assigned to?
- Plan of action?
- Barriers or constraints?

Case #1
During a routine meeting with your CIO, you are informed that your Admin Division has purchased a dozen new multi-function copiers/printers and the IT shop has been asked to work with the vendor to install them on the network. No consideration was given to information security during the procurement.

Case #2
An incident is reported that PII was faxed to an out-of-date fax group, and 7 of the recipients have no business need to see this PII.

Case #3
Your department has not updated its TRP in 6 years. As you plan to address this risk and out-of-compliance condition, your list of activities is extensive, including 5 major milestones. You report that this risk will not be fully addressed until you test the new plan in the summer of 2018.

Case #4
Your budget office has a mission-critical financial system running on the Microsoft Windows Server 2003 operating system. The financial application is written in a language that is no longer supported and will not execute on anything but Server 2003.

Case #5
Examples from the audience.