State Data Center

1

• State Data Center
• Oregon Consumer Identity Theft Protection Act
• Information Forum
• October 31, 2007

2
SB 583 Technical Requirements

• Assess risks in network and software design
• Assess risks in information processing,
  transmission and storage
• Test and monitor key controls, systems and
  procedures
• Detect, prevent and respond to intrusions

3
Protecting Personal Information

• Agencies own their data, including personal
  information, and are responsible for protecting
  it and reporting breaches
• Technical architecture at the State Data Center
  can assist agencies in protecting personal
  information

4
State Data Center Role in Assessment

• Provide input to the risk assessment process
  regarding
• Network design
• Network security controls
• Storage architecture
• Location of applications

5
State Data Center Role in Monitoring and
Intrusion Detection

• System monitoring tools can be set up to alert on
  key failures
• Log aggregation tools can provide alerting on key
  events
• Network intrusion detection can alert on attempts
  to access key systems from the Internet

6
How State Data Center efforts will benefit
agencies

• New technical environment, Shared Services,
  provides granular network control
• Increased network intrusion detection
• Standard technical security controls on systems

7
Next steps

• Convene a work group of SDC staff and state
  agency representatives to
• Develop a common framework for assessing
  technical risks
• Develop a set of best practices for applying
  technical safeguards to protect personal
  information
• Identify opportunities to apply consistent
  controls to personal information access

8
Contact information

• Marshall Wells, Security ManagerState Data
  Center(503) 373-0949
• Al Grapoli, Network Services ManagerState Data
  Center(503) 378-3338