Information Security Series
Booklet 1 of 5 in the series

1. Evaluate Your Information Security Program
Survey to find out if you are making progress

Date: 01/29/2008
Version: 3.0
County of Sacramento
Evaluate Your Information Security Program

A Guide to Using the Information Security Series
Using the booklets to clarify your focus, consolidate efforts, and commit to disciplines

The entire Information Security Series (five booklets):
1. Evaluate Your Information Security Program: survey to find out if you are making progress
2. Anchor Your Information Security Program: set a goal, a strategy, and take the best first step
3. Build Your Information Security Program: tips to help you start and sustain your program
4. Develop Your Information Security Business Plan: define focus areas and short term objectives
5. Manage Your Information Security Program: use a method to organize, prioritize, and evaluate
County of Sacramento

Summary of Contents
- Using a survey to help develop strategy
- Management Survey
- Workforce Survey
- Survey results, observations, and action
  - Leadership
  - Planning
  - Customer Focus
  - Measurement
  - Human Resources
  - Processes
  - Business Results
- Survey written comments
- Survey action plan
Introduction

I've just been appointed the ISO for the County's IT department! Where do I begin?

I know that deploying a security strategy can be a lot harder than just developing it. This questionnaire helped me assess how my organization is doing and learn what can be improved.

This questionnaire is based on the Baldrige Criteria for Performance Excellence found at http://www.quality.nist.gov/progress.htm. It helps you focus your improvement and communication efforts on areas needing the most attention from the perspective of s and leaders. The results included here can be used as valuable data for any organization to determine progress and to help set priorities for improvement.

Asking for input is always a good thing to do. For me, it formed the basis for my plans during my first year as the ISO.

Best regards,
Jim Reiner

Background and Purpose

The OCIT Information Security Officer is seeking information to assist with developing a security strategy. The results will help the OCIT Security Committee focus its improvement efforts. A 16-item survey was administered in September 2006 to 35 s and 13 in OCIT. Results of each group are displayed separately.
Using a survey to help develop strategy

Management Survey (survey form, pages 1 and 2; reproduced as images in the original booklet)

Workforce Survey (survey form, pages 1 and 2; reproduced as images in the original booklet)
Category 1: Leadership

Observation: are harder on themselves with these issues than s.
Action: develop a strategy, identify goals, priorities, and tasks. Share these regularly.

1a) Employees know what the Security Committee is trying to accomplish.
    Chart values: 15% 58% 42% 85%

1b) The organization's leaders share information about the Security Committee.
    Chart values: 31% 55% 69% 45%

1c) Employees know what the Security Committee thinks is important.
    Chart values: 42% 45% 58% 55%
Category 2: Planning

Observation: neither say they know why we have a security program or what it means to them.
Action: develop a strategy, identify goals, priorities, and tasks. Share these regularly.

The Information Security Program Model (components):
- Governance
- Information Security Professionals
- Employee Security Training
- Security Controls
- Information Classification
- Monitoring & Auditing
- Policies, Standards, and Procedures
- Business Continuity & Disaster Planning
- Information Risk Management

2a) The organization has quantified the benefits of a security program.
    Chart values: 8% 39% 61% 92%

2b) Employees know the security committee plans that affect them and their work.
    Chart values: 25% 45% 55% 75%
Category 3: Customer Focus

Observation: both think they know customer needs, though view is much stronger.
Action: reaffirm legal, compliance, and business needs, such as HIPAA, 45 CFR, 42 CFR, MHTC, etc.

3a) Employees know their customer's privacy and security business needs.
    Chart values: 54% 75% 25% 46%
Category 4: Measurement

Observation: very different opinions about measuring work and getting the information needed. Managers grade themselves harder.
Action: need quantifiable, objective measures as well as definite work requirements so it is not so subjective.

4a) Employees know how to measure work quality relative to security.
    Chart values: 17% 67% 83% 33%

4b) Employees get the privacy and security information they need to do their job.
    Chart values: 42% 63% 58% 37%

4c) Compliance with policies does not prevent s from doing work.
    Chart values: 69% 100% 0% 31% (chart legend fragment: manager)
Category 5: Human Resource Focus

Observation: general agreement in this area; however, there is a large gap in attitudes about knowing our role in protecting information.
Action: develop a definitive list of expectations and accountability with respect to exactly what the role is.

5a) Our security people cooperate and work together as a team.
    Chart values: 58% 75% 25% 42%

5b) Employees feel they have a safe workplace.
    Chart values: 91% 100% 0% 9%

5c) Employees know their role in protecting information.
    Chart values: 55% 94% 45% 6%
Category 6: Process Management

Observation: agreement that our processes could be better.
Action: do some process and workflow analysis. Identify concerns and issues. Incrementally make improvements. Measure before and after.

6a) We have good processes that incorporate privacy and security into our work.
    Chart values: 38% 47% 53% 62%
Category 7: Business Results

Observation: general agreement about high standards achieved, but differing opinions about knowing what we are responsible for.
Action: this area needs specific, objective standards and expectations. These need to be regularly communicated. No guessing allowed!

7a) Our organization obeys laws and regulations.
    Chart values: 75% 100% 0% 25%

7b) Our organization has high standards and ethics.
    Chart values: 67% 92% 8% 33%

7c) Employees have received guidance re: measures and actions they are responsible for.
    Chart values: 50% 69% 31% 50%
2006 Survey Written Comments

- I think the security program is missing a focus on training and awareness. This is a huge issue within and outside OCIT.
- Is assessing customer security needs relevant to us? Is this a role for the security committee?
- Just who are our security people? Who is doing what with security?
- We need a consistent message from our leadership. The weekly news provides security information, but we need other methods as well. Maybe the Computer News?
- Quantify "hinder" vs. "prevent" related to security policy compliance and its effect on getting the job done.
- We need a security policy for our SAP system.
- I think many people are not even aware there is a security committee or what it does.
- In general, I'm not well versed in our security policies and practices.
Survey Action Plan

1. Define and implement an information privacy and security program
   - define the components
   - identify the benefits: the reasons why
   - identify who is involved in doing what in OCIT relative to security
2. Establish goals based on program components and survey data
3. Initiate a security assessment within OCIT
   - audit compliance with existing policies
   - determine our gap with generally accepted practices
   - determine performance metrics
4. Develop and implement a communications plan
   - identify methods and approaches
   - put in place processes for awareness and feedback
About the Author

Jim Reiner is an IT Manager in the Office of Communications and Information Technology (OCIT) at the County of Sacramento, where he has served since 1979.

A quality information security program is possible. Jim believes in giving back to make a difference for others. Creating the information security series is just one way he invests in others to help them be a success. "With this series, you not only have the power to create a great security program... you have the power to make a difference."

His current activities involve managing the Continuity Planning Team, the HIPAA Security Program, and working as the OCIT Information Security Officer. His work has always had a special focus on enterprise planning. He coordinated the efforts for County HIPAA Security Compliance (2005), architected the County IT Plan (2003), established the County IT Constitution, the basis for IT Governance in the County (2000), is a frequent speaker and trainer, a past manager of the Web team (2002), the Planning and Advanced Technology team (1999), the Enterprise Network Team (1995), the PC/server team (1992), and in the distant past, a system programmer.

You can see some of his work on the Sacramento County website.
The Sacramento County IT Plan, Board letter, presentations and progress reports can be found at: http://www.itpb.saccounty.net/itplans/index.htm
The Sacramento County IT Constitution and Board letter can be found at: http://www.itpb.saccounty.net/itconstitution/index.htm

This publication may be stored or reproduced in any way you find helpful. The author, Jim Reiner, and the County of Sacramento, have made their best effort to produce a high quality, informative and helpful book. But they make no representation or warranties of any kind with regard to the completeness or accuracy of the contents of the book. They accept no liability of any kind for any losses or damages caused, or alleged to be caused, directly or indirectly, from using the information contained in this book.

Screenshots in this book are directly from publicly accessible file archives. They are used as fair use under 17 U.S.C. Section 107 for news reportage purposes only, to illustrate various points that are made in the book. Text and images available over the Internet may be subject to copyright and other intellectual rights owned by third parties.

County of Sacramento
Sacramento, California USA 95814
County of Sacramento
www.saccounty.net

Board of Supervisors 2008
Roger Dickinson, 1st District
Jimmie Yee, 2nd District
Susan Peters, 3rd District
Roberta MacGlashan, 4th District
Don Nottoli, 5th District

Terry Schutten, County Executive

Published by:
Office of Communications and Information Technology
County of Sacramento
799 G Street
Sacramento, CA 95814
(916) 874-7825
January 2008