Information Security Officer Meeting. November 10, 2009

Similar documents
Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Legislative Language

Preventing and Defending Against Cyber Attacks November 2010

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

New Privacy Laws Impacting the Health Care Work Place

H. R SEC DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

Preventing and Defending Against Cyber Attacks October 2011

CYBER SECURITY GUIDANCE

Preventing and Defending Against Cyber Attacks June 2011

Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA)

Data Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com

National Cybersecurity & Communications Integration Center (NCCIC)

The Department of Homeland Security The Department of Justice

I N T E L L I G E N C E A S S E S S M E N T

Secretary of the Senate. Chief Clerk of the Assembly. Private Secretary of the Governor

State Governments at Risk: The Data Breach Reality

S. ll IN THE SENATE OF THE UNITED STATES A BILL

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Senate Bill No. 38 Committee on Transportation and Homeland Security

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Computer Network Security & Privacy Protection

The U.S. Department of Homeland Security s Response to Senator Franken s July 1, 2015 letter

114 th Congress March, Cybersecurity Legislation and Executive Branch Activity I. ADMINSTRATION S CYBERSECURITY PROPOSALS

SAN FRANCISCO ADMINISTRATIVE CODE CHAPTER 96: COORDINATION BETWEEN THE POLICE DEPARTMENT AND THE OFFICE OF CITIZEN COMPLAINTS

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

Standard: Information Security Incident Management

NH!ISAC"ADVISORY"201.13" NATIONAL"CRITICAL"INFRASTRUCTURE"RESILIENCE"ANALYSIS"REPORT""

Senate Bill No. 962 CHAPTER 517

Department of Homeland Security

BUSINESS ASSOCIATE AGREEMENT

Get the most out of Public Sector Cyber Security Associations & Collaboration

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

INCREASED PENALTIES FOR CYBER SECURITY OFFENSES

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP

HOUSE ENROLLED ACT No. 1009

HIPAA BUSINESS ASSOCIATE AGREEMENT

CYBERSECURITY INFORMATION SHARING BILLS FALL SHORT ON PRIVACY PROTECTIONS

What are you trying to secure against Cyber Attack?

No. 33 February 19, The President

Missouri Student Information System Data Governance

Information Security Program Management Standard

Into the cybersecurity breach

ASSEMBLY BILL No. 1521

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

ACE Advantage PRIVACY & NETWORK SECURITY

Privacy Law Basics and Best Practices

DIVISION N CYBERSECURITY ACT OF 2015

Coverage is subject to a Deductible

The Computerworld Honors Program

S. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

The Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

S AN ACT. To codify an existing operations center for cybersecurity.

Personal Security Practices of the CAO

Cybersecurity and Information Sharing: Comparison of H.R and H.R. 1731

Sixty-fourth Legislative Assembly of North Dakota In Regular Session Commencing Tuesday, January 6, 2015

ANALYSIS OF ORIGINAL BILL

As Amended by Senate Committee SENATE BILL No. 408

H. R. ll IN THE HOUSE OF REPRESENTATIVES A BILL

NATIONAL CYBERSECURITY PROTECTION ACT OF 2014

Working with the FBI

Cyberprivacy and Cybersecurity for Health Data

E-Discovery: New to California 1

PERSONALLY IDENTIFIABLE INFORMATION (Pin BREACH NOTIFICATION CONTROLS

Cybersecurity: Protecting Your Business. March 11, 2015

Garden City Public Schools CHILD ABUSE IN AN EDUCATIONAL SETTING EXHIBIT - NOTICE/REPORTING REQUIREMENTS

1st Session NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

Privacy Act of 1974; Department of Homeland Security <Component Name> - <SORN. AGENCY: Department of Homeland Security, Privacy Office.

Preservation of longstanding, roles and missions of civilian and intelligence agencies

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident.

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy

HIPAA BUSINESS ASSOCIATE AGREEMENT

Mustafa AYDINLI NLO CYBER SECURITY ADVISOR

BUSINESS ASSOCIATE AGREEMENT

Brief. The BakerHostetler Data Security Incident Response Report 2015

HIPAA BUSINESS ASSOCIATE AGREEMENT

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

Morrisville State College Web Environment Privacy Policy

HIPAA Compliance: Are you prepared for the new regulatory changes?

28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices

Please read and execute the attached Los Angeles World Airports (LAWA) Non-Disclosure Agreement (NDA).

GENOA, a QoL HEALTHCARE COMPANY, LLC WEBSITE PRIVACY POLICY

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

BY COMPLETING THIS NEW BUSINESS APPLICATION THE APPLICANT IS APPLYING FOR COVERAGE WITH FEDERAL INSURANCE COMPANY (THE COMPANY )

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

The Heart of the Matter:

Public Law th Congress An Act

THE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK

Regular Session, ACT No To amend and reenact R.S. 9:3573.1, (A), (1), (8), (9) and (10), ,

Data Compliance. And. Your Obligations

New Devices Mean New Risks: The Potential for Liability When Software is a Component of Medical Devices. September 25, 2013

Transcription:

Information Security Officer Meeting November 10, 2009 1

Meeting Agenda Short Subjects: Cyber Security Awareness Month 2009 Retrospective Legislation Update The Information Security Profession is Changing SIMM Form and Leader List Updates California Information Security Strategic Plan Incident Management New Information Security Policy Phase I Vetting Phase II Preparing to vet

Cyber Security Awareness Month 2009 A California Retrospective 1. September 30, 2009 CISO Lecture Series 2. October 1, 2009 Governor Schwarzenegger signed National Cyber Security Awareness month proclamation 3. October 1, 2009 Cyber Security Awareness statement on all state employee pay warrants 4. October 4, 2009 Four weekly security awareness bulletins. 5. October 8, 2009 - Emergency Awareness Fair 6. October 14, 2009 West Coast Kickoff Conference for National Cyber Security Awareness Month titled Cyber Security West 2009: Our Shared Responsibility 7. October 15, 2009 Participated in the CISO Executive Summit in San Francisco 8. October 21/22 - California State Security Awareness Fair 3

Cyber Security Awareness Month 2009 A National Retrospective 1. The first time all 50 states participated in Cyber Security Month by issuing an executive proclamation 2. The first time the President has issued a proclamation 3. Whitehouse BLOG and presidential video 4. The first time the United States House of Representatives issued a proclamation 5. The first time the U. S. Senate issued a proclamation 6. National Webcast Initiative hosted by MS-ISAC 7. DHS Secretary Napolitano Webinar on Cyber Security Month 4

Cyber Security Awareness Month 2010 Planning More handouts? Radio and TV spots? National Poster Contest? Is there more we can do as a community? Your ideas? 5

Legislation Update LEGISLATIVE WATCH UPDATE Introduced: California (Either Legislative House introduced a bill) AB 5 Civil Discovery: Electronic Discovery Act Status: Chaptered This bill would make changes to the Civil Discovery Act in order to take account of the growing volume of information stored in electronic form. Existing law permits a party to obtain paper documents and other "tangible" things from the opposing party. However, the increasing use of electronically and digitally stored documents and information has many implications for the discovery process, affecting not only the volume but the form of discoverable material. This bill expressly authorizes the discovery of electronically stored information and amends procedures in existing law so as to better address issues unique to the format of such information. Many of the bill's specific provisions are drawn from recently enacted federal rules and from recommendations of the National Conference of Commissioners on Uniform State Laws. The bill is co-sponsored by the Judicial Council, the Civil Defense Counsel, and the Consumer Attorneys of California. Except for a few non-substantive technical changes and the addition of an urgency clause, the bill is identical to last year's AB 926 by the same author. That bill passed out of this Committee on consent and passed out of all other Committees and off the floors of both houses without a single dissenting vote. AB 926 was vetoed, but as one of the many bills that the Governor vetoed because of his stated concerns about not having sufficient time to review much of that year's legislation due to the budget crisis. AB 22 Penal Code, relating to computer hacking Status: Chaptered As originally introduced this bill would increase the maximum fines for those convicted of feloniously tampering, interfering, damaging, and obtaining unauthorized access to computer data and computer systems from the current maximum of $10, 000 to a maximum of $50,000. This bill was recently amended to increase the fine for the felony conviction to an amount not exceeding $12,000. AB 32 Public officials: personal information Status: Chaptered This bill would require the removal of personal information of specified officials from the Internet, and permits employers or professional organizations to assert the rights of the official in removing the personal information from the Internet. With regard to a violation of this prohibition, existing law requires a jury or court that finds a violation has occurred to award damages to that official in an amount up to a maximum of 3 times the actual damages but not less than $4,000. This bill proposes to instead require a jury or court to award damages in that amount to an official whose home address or telephone number is solicited, sold, or traded in violation of any of those prohibitions. AB 130 Vital records: marriage records Status: Chaptered (10-11-09) By changing the definition of the crime of perjury, and by imposing new duties on local officials, this bill would create a state-mandated local program. AB 255 Internet security: virtual globe technology Status: Active Existing law requires the operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Internet Web site or online service to post its privacy policy on its Internet Web site or make that policy available, as specified. This bill would prohibit an operator, as defined, of a commercial Internet Web site or online service that makes a virtual globe browser available to members of the public from providing aerial or satellite photographs or imagery of places in this state that have been identified on the Internet Web site by the operator as 6

Information Security Profession Becoming more cyber but it s still all about risk Full-time focus Can t leave it at the office National impact More than just financial harm 7

SIMM Form and Leader List Updates SIMM Form Changes: Name Change from OISPP to OIS Other minor clarification changes SIMM70A (Agency Designation Letter) and SIMM70C ( Agency Risk Management and Privacy Program Compliance Certification) Forms due January 31, 2010 Leader List Updates for: Information Security Officers Privacy Officers and DR Coordinators All available on website by 11/30/09 8

California Information Security Strategic Plan California Information Security Strategic Plan October 2009 Cybersecurity and Privacy Concepts, Strategies & Goals Volume 4 Arnold Schwarzenegger Governor OCIO 2009 Information Technology Strategic Plan Six Strategic Concepts IT as reliable as electricity Fulfilling technology s potential to transform lives Self-governance in the digital age Information as an asset Economic and sustainable Facilitating collaboration that breeds better solutions Teri Takai Chief Information Officer, Office of the CIO Mark Weatherford Chief Information Security Officer, Office of Information Security 9

Overview of US-CERT & MS-ISAC Security Notifications Who are US-CERT and MS-ISAC Types of Security Notifications

Housekeeping UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO) Can I distribute or share this information with other people? Per the U//FOUO warning, this document may only be shared with personnel who have a valid "need to know." With the case of the information about to be shared that is defined as a person or group that has a direct role in responding to the types of security incidents discussed herein.

Who are they? Who is US-CERT? United States Computer Emergency Readiness Team Operational arm of the National Cyber Security Division at the Department of Homeland Security A public-private partnership http://www.us-cert.gov/ Who is MS-ISAC? Multi-State Information Sharing and Analysis Center A collaborative organization with participation from all 50 States, the District of Columbia, local governments, and U.S. Territories A central resource for gathering information on cyber threats to critical infrastructure from the states http://www.msisac.org/

US-CERT & MS-ISAC Security Notifications XSS Vulnerability Detection Host reported to MS-ISAC as having one or more XSS vulnerability Host may have other application-level vulnerabilities Host could be used by attacker in attempt to attack other hosts Web Defacement Detection Host appears to have a public-facing web defacement Notification is made when website appears to still be defaced DarkNet General Traffic Detection Host has sent traffic captured by the EINSTIEN program Host is possibly compromised with some kind of malware attempting to propagate on the public Internet

US-CERT & MS-ISAC Security Notifications CySearch MS-ISAC uses its custom tool to search the Internet for: 1. Inappropriate terms (e.g., porn, Viagra, free Rolex watches). Attackers inject these terms along with links to web pages to boost ranking in various search engines 2. Indicators of malicious activity on government websites (e.g., malicious domain names, IP addresses, JavaScripts, hidden iframes)

Information Security Policy Phase I - Vetting 15

Information Security Policy Phase II Preparing to Vet 5315 Organization 5320.1 Information Asset Oversight 5320.2 Information Asset Trustees 5320.3 Users of Information Assets 5320-S1 Information Asset Classification Standard 5320-S2 Information Asset Handling Standard 5330.1 Facility Leader Responsibilities 5330.2 Information Asset Trustee Responsibilities 5340.1 Access Management Standard 5340.2 User Responsibilities 5340-S1 User Access Management Standard 5340-S2 Password Management Standard 16

Information Security Policy Phase II Preparing to Vet 5355 Disaster Recovery 5355-S1 Disaster Recovery Standard 5360-P1 Annual Compliance Reporting Procedure 5365.1 Agency Heads Responsible 5365.2 Agency Privacy Statement and Notices 5365.3 Limiting Collection 5365.4 Limiting Use and Disclosure 5365.5 Individual Access to Personal Information 5365.6 Information Integrity 5365.7 Data Retention and Destruction 5365.8 Security Safeguards 5365-S1 Privacy Statement and Notices Standard 17 5365-S2 Individual Access Standard

Questions 18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information