Better Security More Often. How to Keep Sacramento County Information Systems and Data Secure While Achieving Your Department Mission



Table of contents

Privacy and Security Matter: You Decide How Much
A Look Inside Sacramento County
Your Data is Being Attacked Right Here, Right Now
The General Solution: A Goal & Strategy; The Best First Actions to Take
Best Practices: Specific Action You Can Take
Where To Get Help If Needed

July

Better Security More Often
Easy-to-implement best practices

Who is this publication for?
Elected and Appointed Officials
Agency Administrators
Department Heads
Program Managers

What is this publication about?
Why information security?
How serious are the threats?
What do we need to do?
Who needs to be involved?
Where do we begin?

The privacy and security of information plays a major role in your department's success. So, how can you keep your Sacramento County information systems and data secure while achieving your department mission?

Government in a digital world
Technology makes so much possible for government. Yet, when an information security breach disrupts government operations, the results can be disastrous. The threats against government operating in a digital age are increasing. It is like fighting a storm that never ends. The threats are everywhere, outside and inside, and they are always changing and adapting.

Protecting your department's financial future
This white paper discusses how and when you, as a department head, choose to implement an information security program that is reasonable and appropriate for Sacramento County. Information security can be of immense value to you.

Privacy & Security Matter: You Decide How Much

More than any other business, government is responsible to protect the data of every individual in this county. Our most important work is:
1. to protect the integrity of the public record, and
2. to nurture the maintenance of public trust as the steward of public records.

Safeguarding your information may not be the most important thing in your business. But as a department director, privacy and security of information should be on your agenda. Because, like it or not, how you protect information will affect your ability to provide cost-effective services and maintain constituent confidence.

Privacy and security. What does that mean?
Information privacy is the relationship between the collection and the use of data. Wherever personally identifiable information is collected and stored, controls need to be in place to ensure it is disclosed only to those who are authorized and need the data. Experts agree that you can't have privacy without security. These two fit tightly together. However, even experts disagree at times on what it takes for information to be secure. Yes, information security is a relative concept. But in order to talk about it productively, we must agree on a single definition. For the purposes of this white paper, this will be the definition:

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

If you accept this definition, you must recognize one important fact. You need more than technology and skilled staff for information to be secure. Many people don't understand this. Too often we equate quantity of technology with how secure information is.

If you want your staff and program to have the greatest success, then you are going to have to invest a portion of your time in acquiring knowledge and skill in safeguarding information. Safeguarding the privacy and security of information is a great objective. So, here's the real goal: keep Sacramento County information systems and data secure while achieving your department mission.

The fact is: every County department is different in size, composition, client base, services, mandates, and budget. But many leaders are convinced that privacy and security matter. By thinking through these initial ideas, you have already accomplished more in terms of investing in securing your information than many people ever accomplish. Congratulations!

A Look Inside Sacramento County
You are a target!

Board resolution declaring October 2009 as Cyber Security Awareness Month:
"The County of Sacramento is increasingly reliant on the Internet to bring government services and information to constituents, employees, businesses, and other organizations. Internet users and the County's information infrastructure face an increasing threat of malicious cyber attack, loss of privacy from spyware and adware, and significant financial and personal privacy losses due to identity theft and fraud. Maintaining the security of cyberspace is a shared responsibility in which each of us has a critical role, and awareness of computer security essentials will improve the security of the County of Sacramento's information infrastructure and economy. All citizens are encouraged to learn about cyber security and put that knowledge into practice in their homes, schools, workplaces, and businesses."

Here's what's happening. Your customer and employee information is being attacked, lost, stolen, and misused. As a result, your service is disrupted, ineffective, or completely unavailable at times. This in turn causes constituents and employees to lose confidence in you and question whether you really care about them, and it puts you at risk of financial loss.

Incidents happen. Shouldn't you know about incidents? If you did find out, what would you do? Report it? To whom? What would happen? Wouldn't you seize an opportunity to increase productivity? If so, start with these three questions:
1. If you had an information privacy or security breach, do you want to know?
2. If you do want to know, then would you want to do something about it?
3. If so, would you like a plan or process to help manage this?
Yes? Keep reading!

The problem exists right here, right now.

But some say, "So what? Who cares?"

Today in Sacramento County, incident reporting is for the most part voluntary and optional. Exceptions, for example, include staff covered by HIPAA, who must report information privacy and security incidents. Therefore, you need to be aware of a couple of things when looking at the data we have. It will include incidents from HIPAA-covered components because they must be reported. This represents about 10 percent of the county workforce. Therefore, there are likely 10 times as many incidents countywide. We just don't know.

Here are the top five worst security mistakes:
- Failing to install anti-virus, keep its signatures up to date, and apply it to all files.
- Opening unsolicited attachments without verifying their source and checking their content first, or executing games or screen savers or other programs from untrusted sources.
- Failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer, Firefox, and Netscape.
- Not making and testing backups.
- Carelessness with portable equipment leading to theft.

Summary of known security incidents. Note: 2011 data is for Jan-June.

Incident Type                                  Reported in 2009   Reported in 2010   Reported in 2011
Lost/stolen PC or laptop
Lost/stolen PDA or phone
Lost/stolen CCURE cardkey
Successful virus attack
Successful hacker/spammer attack
Hacked / defaced county website
Unauthorized system access
Unauthorized building access
Unauthorized release of personal information

But it gets worse. Here's why action is necessary now

Federal Sentencing Guidelines have formed an important underpinning of corporate compliance programs by setting normative standards for good corporate citizenship. An organization shall:
1. exercise due diligence to prevent and detect criminal conduct.
2. promote a culture that encourages ethical conduct and commitment to compliance with law.

Due diligence minimally requires the following:
1. Establish standards and procedures to prevent and detect criminal conduct.
2. The governing authority shall exercise oversight with respect to the implementation and effectiveness of the program.
3. High-level personnel shall ensure the organization has an effective program.
4. Specific individuals shall be delegated responsibility for the program.
5. Take reasonable steps to communicate periodically and in a practical manner its standards and procedures.
6. Take reasonable steps to ensure the program is followed, promoted, and enforced consistently.
7. Take reasonable steps to respond appropriately to criminal conduct.
8. Periodically assess the risk and take appropriate steps to design, implement, and modify the program to reduce risk identified through this process.

You are probably aware of the concepts of due diligence and due care. Due care is doing the appropriate thing. Due diligence is doing the right thing within a reasonable timeframe. So what is reasonable and appropriate for us? Sacramento County is the equivalent of a Fortune 500 company. There is both a public and a legal expectation that we will be as rigorous with information privacy and security as any other 3 billion dollar plus company.

There are civil and criminal penalties for knowingly and wrongfully misusing personal health information. This is covered under HIPAA, the Medical agreement, and an assortment of state and federal laws. Soon the same such penalties will apply across the board to any and all personally identifiable information. Federal legislation is in progress right now. In addition, you might also have critical infrastructure information about roads, water, electricity, or communications. This also needs to be safeguarded with similar privacy and security controls.

The point of a security program is to manage risks to your business. And your business risk affects the County as a whole. Ultimately this affects constituent confidence and may also result in financial loss. As a department head, wouldn't you be concerned if your program is at risk for litigation or liability? In the next sections you will see how you can solve this. When, not if, there is another privacy or security incident, you need to be able to answer this question: You know there are problems. Shouldn't you do something about it?

The general solution to this crisis
Set a goal, a strategy, and take the best first steps

Do you believe securing your information privacy and security is essential to your department's growth and success? While that may sound daunting, the good news is that this business need has already been solved by many organizations, public and private. We can learn from the best implementations.

The first part of the strategy is to use a best-practices security program model. It answers the essential planning question, "What does done look like?" The second part of the strategy focuses on taking the best first steps for implementation. It answers the question, "How do we start to build this security program?"

Foundational documents:
Information security policy
Program framework
Risk management methodology
Information security standards

The three big strategic questions:
1. What is our end goal with security?
2. What's the best strategy to get us to that goal?
3. And how can we get there?

So, here's the first step. Start by defining the foundational documents that help the organization focus on roles, responsibilities, and outcomes. These policy documents provide a program framework, a methodology for managing risk, and baseline security standards. The next step is to conduct an assessment or gap analysis comparing existing policies and practices with generally accepted best practices. This is done by using a standard to measure against.

Experienced leaders understand they need to think strategically about this issue. This is not a new issue for business or government. You have at your disposal some of the best resources, who have spent their careers thinking about this subject and how to be successful with it.

Best practices you can use

Establish a focal point: You might want to put someone in charge of all this.
Control access: You want to be sure only the right people can get to your stuff: your computers, your buildings, your information.
Protect your assets: You might not have security problems that you know of, but plenty of your peers do. Are you taking basic precautions to protect yourself? And if you share information or computers with other departments or consultants, then you want to be sure they are doing a good job protecting your stuff too.
Know what you have: Inventory so you know what you have. You need to know what you want to protect. You need an inventory of people, computers, and the location of your information.
Self-assessment: Audit yourself to be sure things are working the way you want; check once in a while to see if people are doing what you expect.
Legal mandates: You might have some laws you are supposed to be following. Do you know what they are, and do you know if you are doing what they say?
Disposal: Take steps to securely dispose of storage media and equipment.
Manage risk: Do you have a way to tell what, if anything, you should be concerned about? And a way to tell what you should do about any security concerns?
Governance: If you make decisions about how you want things to work and how you want staff to behave, then write down those decisions and review them.
Employee training: You want staff to have some basic training about how to stay safe online, how to take care of their computers and phones, and who to go to with questions. Does your staff know what you expect from them? What if your staff misuse or steal your information? What are you going to do about it?
Incident management: If something goes wrong, you want staff to tell you. And you want to have a plan in place to deal with the problem.

"This is a human problem, not just a technical problem." John Streufert, CISO, US Department of State

Conclusion. Solving the Problem Facing You

Here's how you as a department head can keep Sacramento County information systems and data secure while achieving your department mission:
1. Become aware of the threats you face
2. Help create baseline security standards
3. Develop your department's security program
4. Champion workforce training and awareness

Experienced leaders understand the value of information privacy and security as a necessary part of delivering a quality program. Leaders help develop a corporate security culture grounded in fairness, commitment, and personal accountability for improvement.

For more information about putting in place best practices to secure your data, please contact:

David Villanueva, interim Chief Information Security Officer
County of Sacramento
VillanuevaD@saccounty.net
Phone

Jim Reiner, Information Technology Manager
Business Services Division
ReinerJ@saccounty.net
Phone