Information Security Program CHARTER



Similar documents
Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

DUUS Information Technology (IT) Incident Management Standard

Information Security Program Management Standard

NSW Government Digital Information Security Policy

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

CITY UNIVERSITY OF HONG KONG

INFORMATION TECHNOLOGY POLICY

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015

University of Sunderland Business Assurance Information Security Policy

HIPAA Privacy Rule Policies

Information Security Program

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

Information Technology Policy

(Instructor-led; 3 Days)

Office of Inspector General

Utica College. Information Security Plan

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

State of Minnesota. Enterprise Security Program Policy. Office of Enterprise Technology. Enterprise Security Office Policy. Version 1.

Information security controls. Briefing for clients on Experian information security controls

Domain 1 The Process of Auditing Information Systems

State of South Carolina Initial Security Assessment

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Data Security Incident Response Plan. [Insert Organization Name]

NSW Government Digital Information Security Policy

CLASSIFICATION SPECIFICATION FORM

Privacy Governance and Compliance Framework Accountability

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

State of Oregon. State of Oregon 1

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

Compliance Management, made easy

Risk Management Guide for Information Technology Systems. NIST SP Overview

John Essner, CISO Office of Information Technology State of New Jersey

Federal Bureau of Investigation s Integrity and Compliance Program

Guideline for Roles & Responsibilities in Information Asset Management

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

RISK AND COMPLIANCE COMMITTEE CHARTER

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Computer Security Incident Response Team

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

FedRAMP Standard Contract Language

Newcastle University Information Security Procedures Version 3

Subject: Safety and Soundness Standards for Information

Our Commitment to Information Security

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Information Security Policy

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Computer Security Incident Response Team

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Information Governance Management Framework

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project

Information Security Plan May 24, 2011

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

CISM (Certified Information Security Manager) Document version:

I S O I E C I N F O R M A T I O N S E C U R I T Y A U D I T T O O L

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Data Loss Prevention and HIPAA. Kit Robinson Director

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

Third Party Security Requirements Policy

Version 1.0. IT Service Management & IT Asset Management Services (ITSM & ITAM Services) Governance Process

UF IT Risk Assessment Standard

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Information Security Policies. Version 6.1

DHHS Information Technology (IT) Access Control Standard

Cloud Computing: Legal Risks and Best Practices

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

OCIE CYBERSECURITY INITIATIVE

Computer Security Incident Reporting and Response Policy

Domain 5 Information Security Governance and Risk Management

CORE Security and GLBA

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

The Value of Vulnerability Management*

The Protection Mission a constant endeavor

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Review of the SEC s Systems Certification and Accreditation Process

Missouri Student Information System Data Governance

Attachment A. Identification of Risks/Cybersecurity Governance

Transcription:

State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015

Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information Security Program... 4 Purpose and Scope... 4 Program Components... 4 Information Security Governance... 5 Governance Structure... 5 Roles and Responsibilities... 5 Changes and Amendments...11 Approval...11 Document Revision Log...11 Classification: Public Page 2 of 11

Executive Sponsors State Chief Information Officer Dep. State Chief Information Officer Director of Human Capital Management Asst. Commissioner of Administration Facility Planning & Control Asst. Commissioner of Administration Management & Finance Asst. Commissioner of Administration Procurement, General Counsel Commissioner of Administration Program Owner Dustin Glover, Chief Information Security Officer Classification: Public Page 3 of 11

Introduction This charter defines the Information Security Strategy, Purpose, Scope, and Components of the Information Security Program; and management roles and responsibilities, including the role of the Chief Information Security Officer (CISO) and the Information Security Team (IST). Statewide Information Security Strategy The State of Louisiana and its operational Agencies are entrusted with sensitive and confidential information including, but not limited to, Criminal Justice Information (CJI), Protected Health Information (PHI), Federal Tax Information (FTI), and Personally Identifiable Information (PII) and acknowledges the responsibility and steps required to protect that information. As such, the State has adopted an Information Security Strategy intended to align information security with operational strategy; to comply with applicable legal and regulatory requirements; to achieve industry standards; to manage, monitor, and mitigate information security risks and incidents; to optimize information security investments; to manage information security resources efficiently; and to monitor the ongoing effectiveness of the Information Security Program. Information Security Program Purpose and Scope In order to implement the Information Security Strategy, the has developed and implemented an Information Security Program. The scope of the Program includes all people, processes, technologies, and environmental factors involved in the creation, use, destruction, storage, restoration, management, and governance of information and information assets. Additionally, the Program is designed to provide for the availability, integrity, authentication, confidentiality, and non-repudiation of information systems and information assets. Program Components Information Risk Management Identify and manage information security risks and align Information Security Strategy with the operational needs of the State. Information Security Program Development Create and maintain a program to implement the Information Security Strategy. Information Security Program Management Oversee, direct, and monitor information security activities to execute the Information Security Program. Incident Management & Response Plan, develop, and manage appropriate capabilities and measures to detect, respond to and recover from information security incidents. Information Security Governance Establish and maintain a governance structure to provide for accountability and assurance that the Information Security Strategy is aligned with the operational needs of the State and consistent with applicable law, regulations, and industry best practices. Classification: Public Page 4 of 11

Information Security Governance Governance Structure Governance Board (ISGB) Steering Committee (ISSC) Information Security Program Advisory Council (ISAC) Roles and Responsibilities Information Security Governance Board (ISGB) The ISGB is responsible for confirming that the State: Aligns the Information Security Strategy with the State s operational strategies. Manages information security risks through appropriate risk tolerance levels and risk policies. Assigns priority for information security activities and investments. Requires reporting of security activity costs and security breaches. Monitors the effectiveness of security measures. Manages, assigns, and monitors resources utilization. Oversees security process integrations within the State. Monitor regulatory compliance. Oversees the incident management and reporting of security breaches. Confirms information security processes utilize and produce effective metrics. Meetings: The ISGB meets quarterly. Membership: The ISGB is comprised of members of the s Executive Staff and Agency Leadership. Additions and changes to the membership of the ISGB may be proposed and approved by the ISGB. As of 09/01/2015 the ISGB Members: 1. State Chief Information Officer (ISGB Co-Chair) 2. Chief Information Security Officer (ISGB Co-Chair) 3. General Counsel 4. Assistant Commissioner Procurement 5. Assistant Commissioner Facility Planning and Control 6. Director, Office of State Human Capital Management 7. Director, Office of Planning and Budget 8. Agency Deputy Executive Director (3) (Alternating 2 year terms) Classification: Public Page 5 of 11

Information Security Steering Committee (ISSC) The ISSC is responsible for assisting the ISGB and CISO with implementing and maintaining the Information Security Strategy and Information Security Program. The core functions of the ISSC include: Managing security strategy and integration efforts Operational support and service integration Assist with identifying emerging risks Promoting security practices Identifying compliance issues Reviewing and advising on the adequacy of security initiatives to service the operational needs of the State Assist with identifying of critical processes and assurance Directing Assurance integration efforts Require monitory and business case studies of security initiatives Meetings: ISSC meets monthly. Membership: The ISSC is comprised of members of the s Office of Technology Services (OTS) Executive Leadership Team. Additions and changes to the membership of the ISSC may be proposed and approved by the ISSC. 1. Deputy Chief Information Officer (ISSC Co-Chair) 2. Chief Information Security Officer (ISSC Co-Chair) 3. Chief Technology Officer 4. Chief Data Officer 5. Director of Data Center Operations 6. Director of Application and Data Management 7. Director of Network Services 8. Director of End User Computing 9. Director of Agency Relationship Management 10. Director of Project Management Classification: Public Page 6 of 11

Information Security Advisory Council (ISAC) The ISAC is responsible for advising the CISO on any emerging information security risk(s) and statewide program effectiveness. The core functions of the ISSC include: Communicate identified, emerging, or potential information security risk(s) Identifying upcoming changes in federal or state regulatory or compliance related information security requirements Reviewing and advising on the adequacy of security initiatives to service the operational needs of the State Assist with identifying of critical processes Identify opportunities to address information security risk(s) with consistent, efficient, and standardized methods Meetings: ISAC meets bi-annually or as needed. Membership: The ISAC is comprised of subject matter experts from various state, federal, or local entities selected by the CISO or ISGB. Additions and changes to the membership of the ISAC may be proposed by any member of the ISAC, ISGB, or ISSC and approved by the CISO. 1. Chief Information Security Officer (ISAC Chair) 2. Information Security Team 3. Representative(s) from Out of Scope Agencies. (Higher Education, Enforcement Agencies, Etc.) Classification: Public Page 7 of 11

Chief Information Security Officer (CISO) The CISO is responsible for the development, maintenance, and implementation of the Information Security Program. The CISO leads the Information Security Team (IST) and works with various State Offices, Agencies, assurance functions, and internal or external parties to implement, monitor, and execute the Program. The CISO is empowered and authorized to take appropriate steps and actions to successfully manage the Program and respond to security incidents while working closely with Legal, Compliance, and Human Resources Offices as appropriate. The core responsibilities of the CISO are: Governance Develop, in conjunction with the ISGB, the Information Security Strategy. Develop, oversee, implement, and maintain the Information Security Program and related initiatives. Align, in conjunction with the ISGB, the Information Security Strategy with the operational strategy of the State. Liaise with agency leadership and process owners to support ongoing alignment and verify risk and operational impact assessments are conducted and that risk mitigation strategies are being implemented. Assist in identifying current and potential legislation and regulatory requirements affecting information security. Monitor utilization and effectiveness of information security resources by developing and implementing monitoring and metrics. Direct and monitor information security activities. Liaise with other assurance providers (e.g., Internal Audit, Louisiana Legislative Audit, External Auditors, Compliance Counsel, Privacy Officer, etc.) regarding information security. Provide assurance for proper response and reporting of information security incidents. Define information security roles and responsibilities throughout the State. Working with ISGB, establish reporting and communication needed to support the Information Security Program. Information Risk Management Establish and maintain processes for information asset classification and ownership. Implement a systematic and structured information risk assessment process. Confirm operational impact assessments are conducted periodically. Verify threat and vulnerability evaluations are performed on an ongoing basis. Identify and periodically evaluate information security controls and countermeasures for mitigation of risk to acceptable levels. Integrate risk, threat, and vulnerability management into operational life cycle processes (e.g., project management, development, procurement, and employment life cycles). Report significant changes in information security risk to appropriate levels of management on both periodic and event-driven basis. Classification: Public Page 8 of 11

Information Security Program Development and Management Develop, maintain, and manage plans to implement the Information Security Strategy while providing clear visibility to the specific activities being performed within the Information Security Program. Establish, communicate, and maintain information security policies, and verify that processes and procedures are performed in a compliant manner. Confirm the development, communication, and maintenance of standards, procedures, and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies. Develop the information security resources, including people, processes, and technology. When applicable, working with the CIO and Dep. CIO, identify and manage internal and external resources (e.g., finances, people, equipment, systems) required for the execution of the program. Develop processes to ensure applicable contracts and agreements contain the necessary information security controls (e.g., outsourced providers, residents, third parties). Identify opportunities to integrate information security requirements within the State s operational processes and life cycle activities. Provide Information Security advice and guidance (e.g., risk and analysis, control options) to the State. Ensure alignment between the Information Security Program and other assurance functions. Design, develop, and manage processes to provide information security awareness, training, and education to the appropriate audiences.(e.g., process owners, users, OTS resources). Define and establish metrics to evaluate the effectiveness of the Information Security Program Verify any Information Security Program compliance issue or other variance is resolved in a timely manner. Monitor, measure, validate, and report on the effectiveness and efficiency of information security controls and program compliance. Incident Management and Response Develop and implement processes to prevent, detect, respond, and recover from information security incidents. Establish clear escalation and communication processes including lines of authority during incident response. Develop and maintain incident response plans to ensure timely response, reporting, and remediation. Establish the capability to investigate and analyze information security incidents in order to determine root cause (e.g., forensics, evidence collection and preservation, log analysis, interviewing). Develop a process in accordance with Incident Management & Response Policy to communicate with internal parties and external organizations (e.g., media, law enforcement, residents). Integrate information security incident response plans with the State s disaster recovery and operational continuity plans. Periodically test and refine information security incident response plans. Manage the response to information security incidents. As needed, conduct reviews of systems, applications, networks, or processes related to previous information security incidents to ensure remediation actions are working as designed. Develop corrective actions, reassess risk, and establish monitoring mechanisms as needed. Classification: Public Page 9 of 11

Information Security Team (IST) The IST is comprised of specifically selected OTS resources at various operational levels with the primary responsibility of performing operational information security functions. Lead by the CISO, the IST works with applicable OTS and Agency resources to develop, implement, communicate, and apply the Information Security Policy to State Systems and Data. As needed the IST is authorized to add, modify, or remove safeguards and controls to improve the information security posture of the State. The core responsibilities of the IST are: Provide guidance, support, direction, and authority for all information security activities for the State in accordance with and in support of the Information Security Program. Employ a series of layered technical and non-technical safeguards and controls leveraging manual or automated processes and procedures in order to protect the State s information and information assets. Enforce the information security policy and provide direction for all information security activities for the State in accordance with and in support of the Information Security Program. Engage and work with various State agencies, offices, assurance functions, and internal and external parties as needed for managing the program. Take appropriate steps and actions for managing and responding to information security incidents, policy violations, forensics and investigations, internal or external exploits, threats and vulnerabilities. Provide management direction in line with operational goals and objectives and relevant law and regulations, demonstrate support for, and commitment to information through the maintenance and implementation of the Information Security Policy across the State. Additionally, in accordance with the Information Security Program and Policy, the IST will implement, manage, validate, and monitor relevant information security controls for: Identity and Access Management Information Security Risk Management Incident Management Data Center Security Network Communications and Device Security Configuration Management Data Sanitization Vulnerability Management Audit Logging and Event Monitoring Information Asset Management Information Security Training and Awareness Data Protection and Encryption Requirements Classification: Public Page 10 of 11

Information Security Officer (ISO) The CISO will assign specific members of the IST to serve as an ISO. An ISO will assist in leading Information Security Program initiatives related to specific regulatory environments. An ISO will also function as a dedicated resource for agencies to assist with planning, audits, incident response, data protection, disclosure, notifications, and ensure regulatory requirements are implemented in a verifiable manner. Minimally, an individual ISO shall be assigned for the following Restricted Data types: Federal Tax Information (FTI) Protected Health Information (PHI) Criminal Justice Information (CJI) Changes and Amendments Changes and Amendments to this may be proposed by any member of the ISGB. The ISGB will review and approve the proposed changes or amendments. Approval Document Revision Log Name Date Action Dustin Glover, CISO 05/01/2015 Created Draft Dustin Glover, CISO 08/03/2015 Finalized Draft Dustin Glover, CISO 10/21/2015 Updated with initial OGC recommendations Dustin Glover, CISO 12/04/2015 Updated Executive Sponsors based on leadership change. Classification: Public Page 11 of 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information