Information Security for Executives v1.0 - PowerPoint PPT Presentation

Slides: 35
Provided by: danielle90
Learn more at: http://www.dhhs.gov

Transcript and Presenter's Notes

1
Information Security for Executives v1.0
MAY 2011
2
Information Security for Executives
  • Course Introduction
  • Information Security Overview
  • Security Policy and Governance
  • Privacy Protection
  • Security and Your Business
  • Course Summary
  • Appendix

3
Course Introduction: Executive Introduction
  • Welcome to Information Security for Executives
  • As an executive of the Department of Health and
    Human Services (HHS), securing the Department's
    information and protecting the privacy of the
    citizens we serve should be one of your top
    priorities.

Mike Carleton, Chief Information Officer (CIO), HHS
4
Course Introduction: The HHS Executive's Security
Role
  • Help employees understand why security and
    privacy are important and empower them to make
    protecting the information, health, safety, and
    well-being of the American people their personal
    mission.
  • Incorporate security into your management
    philosophy: make it a routine topic in staff
    meetings and when making management decisions.
  • Allocate resources to ensure that systems are
    adequately protected to prevent compromise of
    sensitive information.
  • Ensure that employees receive the training they
    need and are held accountable for protecting
    sensitive information.
  • Heighten awareness on how to quickly identify
    sensitive data and how to handle this data on a
    day-to-day basis.
  • Ensure that information security and privacy are
    integrated into all information systems
    development activities.

5
Course Introduction: Course Objectives
  • At the end of this course you will be able to:
  • Define information security and emerging threats.
  • Identify governing bodies and legislative drivers
    for protecting information security.
  • Define privacy and why it is important to protect
    your assets and investments.
  • Understand your role and responsibilities as an
    HHS executive in the areas of information
    security and privacy.
  • Identify where to locate HHS information security
    resources.

6
Information Security Overview: What is Information
Security?
  • Information Security: The protection of
    information and information systems from
    unauthorized access, use, disclosure, disruption,
    modification, or destruction in order to provide
    confidentiality, integrity, and availability.
  • Achieved through implementing technical,
    management, and operational measures designed to
    protect the confidentiality, availability, and
    integrity of information.
  • The goal of an information security program is
    to reduce, manage, and understand the risk to
    information under the control of the
    organization.
  • In the 21st century, information assets have
    become a great source of value and wealth for
    individuals with malicious intent. Therefore,
    protection of our information at HHS must be a
    priority in your day-to-day actions.

7
Information Security Overview: Key Elements of
Information Security
  • Confidentiality: Protecting information from
    unauthorized disclosure to people or processes.
  • Availability: Defending information and
    resources from unauthorized or malicious use to
    ensure information resources remain accessible
    when needed.
  • Integrity: Assuring the reliability and accuracy
    of information and information technology (IT)
    resources.

8
Information Security Overview: Information
Security Threats
  • Threat: The potential to cause unauthorized
    disclosure, change, or destruction of an asset.
  • Impact: A potential breach of confidentiality,
    unavailability of information, or integrity
    failure.
  • Types: Natural, environmental, and man-made.

9
Information Security Overview: What is a Cyber
Attack?
  • Cyber attacks: Malicious attacks carried out with
    the intent to cause major disruptions to our
    everyday government operations.
  • The Department of Defense (DoD) detects three
    million unauthorized scans, or attempts by
    possible intruders to access official networks,
    every day.
  • The Department of Homeland Security (DHS)
    received 37,000 reports of attempted breaches of
    government and private systems in Fiscal Year
    (FY) 2007, an increase of 54 percent from FY 2006.

10
Information Security Overview: Potential Impacts
Resulting from the Loss of Sensitive Information
  • Failure to exercise due diligence in protecting
    sensitive information can result in:
  • Reputation damage for HHS;
  • Loss of trust in HHS;
  • Legal ramifications for HHS;
  • Loss/misuse of sensitive information;
  • Injury or damage for those who have had their
    private information exposed; and
  • Potential financial ramifications for those
    affected.

11
Security Policy and Governance: Federal Government
Governance
The following bodies are responsible for
legislating, and for providing policy and technical
guidance, to protect Federal information and
systems.
  • US Congress: Created the E-Government Act of 2002
    (H.R. 2458/S. 803). Title III of the E-Government
    Act of 2002 (Public Law 107-347, 116 Stat. 2899)
    is the Federal Information Security Management
    Act (FISMA) of 2002.
  • Office of Management and Budget (OMB): Evaluates
    agency effectiveness of programs, policies, and
    procedures; improves administration and
    management through developing performance
    measures.
  • National Institute of Standards and Technology
    (NIST): Develops and issues standards, guidelines,
    and other publications to assist federal agencies
    in implementing security requirements.
See Appendix for a list of HHS security and
privacy information resources.
12
Security Policy and Governance: Departmental
Governance, HHS Cybersecurity Program
  • The HHS Cybersecurity Program is our Department's
    information security program.
  • HHS Headquarters (HQ) sets programmatic direction
    by developing standards and guidance, providing
    an enterprise-wide perspective, facilitating
    coordination among key stakeholders, and
    supporting streamlined reporting and metrics
    capabilities.
  • Operating Divisions (OPDIVs) implement programs
    that meet specific business needs, provide
    business/domain expertise, participate in
    establishing an enterprise-wide baseline, manage
    implementation at the OPDIV level, and manage
    ongoing operations.
  • HHS Cybersecurity Program oversight is provided
    by the Office of the Chief Information Officer
    (CIO) and Chief Information Security Officer
    (CISO).

13
Privacy Protection: What is Privacy?
  • Privacy: A set of fair information practices to
    ensure that an individual's personal information
    is accurate, secure, and current, and that
    individuals know about the uses of their data.
  • Personally identifiable information (PII): Any
    information that identifies or can be used to
    identify, contact, or locate the person to whom
    such information pertains.

14
Privacy Protection: HHS Role in Protecting
Sensitive Information
  • Protect the personal information of individuals.
  • Protect individuals from harm that might be
    imposed upon them if certain information were to
    be released without their consent.
  • Sensitive information in transit must be
    encrypted.
  • Encrypt devices containing PII and all other
    sensitive information, such as financial and
    personnel data, with federally approved
    (FIPS 140-2 validated) encryption software.

15
Security and Your Business: How Does Security Have
An Impact on My Business?
  • Enterprise Performance Lifecycle (EPLC)
  • Capital Planning and Investment Control (CPIC)
  • Training and Awareness
  • Contract Oversight
  • Inappropriate Behavior
  • Incident Reporting

16
Security and Your Business: Enterprise Performance
Lifecycle
  • EPLC is the HHS IT project management methodology.
    It incorporates best government and commercial
    practices through a consistent and repeatable
    process, and provides a standard structure for
    planning, managing, and overseeing IT projects
    over their entire life cycle.
  • Maximizes project and investment alignment with
    Departmental and OPDIV strategic goals.
  • Security must be incorporated in all phases
    of EPLC in order to reduce system risk and
    enhance the confidentiality, integrity and
    availability of HHS IT systems.

17
Security and Your Business: Enterprise Performance
Lifecycle
  • For more information on the EPLC framework, see
    Appendix E (Security Deliverables) of the
    Enterprise Performance Life Cycle Framework
    document.

18
Security and Your Business: Security and the
Capital Planning and Investment Control (CPIC)
Process
  • CPIC: The primary process for making investment
    decisions, assessing investment process
    effectiveness, and refining related policies and
    procedures.
  • Ensures fiscal accountability of Exhibit 300
    business cases.
  • Integrate information security into the CPIC
    process so that security requirements and their
    costs are budgeted from the start rather than
    discovered later in the budget cycle.
  • Utilize the EPLC framework to strengthen
    measurable results for IT investments.

19
Security and Your Business: Security Training and
Awareness
  • All system users must complete mandatory security
    awareness training and privacy awareness training
    before receiving system access.
  • Security awareness training and privacy awareness
    training must be taken every year by employees,
    contractor personnel, interns, and other
    non-government personnel conducting business for
    or on behalf of the Department through contractual
    relationships or memoranda of agreement when
    using IT resources.
  • Role-based training (RBT) is also required for
    individuals with significant security
    responsibilities (SSR).

20
Security and Your Business: Contracts and
Contractors
  • Executives must ensure that contracts and
    contractors support the security environment.
  • Contracts must include applicable security
    requirements. See the Security and Privacy
    Considerations to Guide IT Procurement (in
    development) for more information.
  • Contractors must fulfill security training
    requirements.
  • Non-disclosure agreements (NDA) must be signed by
    all with access to sensitive information.
  • Reference the HHS Contractor Oversight Guide for
    detailed information pertaining to adaptable
    oversight directions.

21
Security and Your Business: What is Inappropriate
Behavior?
  • Employees are permitted limited personal use of
    HHS IT resources. This personal use shall not
    result in loss of employee productivity,
    interference with official duties, or more than
    minimal additional expense to HHS.
  • Viewing inappropriate websites, gambling online,
    and installing unauthorized software are
    considered inappropriate behavior.
  • Refer to the HHS Information Resource Management
    (IRM) Policy for Personal Use of Information
    Technology Resources for guidance on sanctions
    for misuse.
  • Refer to the HHS Rules of Behavior (HHS Rules)
    and your local OPDIV procedures.

22
Security and Your Business: Incident Handling
  • Encourage compliance with, and awareness of,
    applicable Department policies:
  • HHS Incident Notification Process
  • HHS Information Resource Management (IRM) Policy
    for Establishing an Incident Response Capability
  • Updated Departmental Standard for the Definition
    of Sensitive Information
  • Standard for Encryption
  • Contact your OPDIV CISO or Incident Response Team
    (IRT) to verify local incident notification
    procedures

23
Course Summary: Summary of the HHS Executive's
Security Role
  • Help employees understand why security and
    privacy are important and empower them to make
    protecting the information, health, safety, and
    well-being of the American people their personal
    mission.
  • Incorporate security into your management
    philosophy: make it a routine topic in staff
    meetings and when making management decisions.
  • Allocate resources to ensure that systems are
    adequately protected to prevent compromise of
    sensitive information.
  • Ensure that employees receive the training they
    need and are held accountable for protecting
    sensitive information.
  • Heighten awareness on how to quickly identify
    sensitive data and how to handle this data on a
    day-to-day basis.
  • Ensure that information security and privacy are
    integrated into all information systems
    development activities.
  • Ensure that security is included in all
    contracts.

24
Course Summary
  • You should now be able to:
  • Define information security and emerging threats;
  • Identify governing bodies and legislative drivers
    for protecting information security;
  • Define privacy and why it is important to
    protect your assets and investments;
  • Understand your role and responsibilities as an
    HHS executive in the areas of information
    security and privacy; and
  • Identify where to locate HHS information security
    resources.

25
Congratulations
  • Congratulations!
  • You have completed the Information Security for
    Executives course.

26
Appendix: HHS Resources
  • Information pertaining to HHS policy and guidance
    can be located by accessing the following links:
  • OCIO Policy
  • HHS Cybersecurity Program Online

27
Appendix: HHS Resources (Continued)
  • Federal compliance requirements can be accessed
    using the following links:
  • Public Law 93-579, 5 U.S.C. § 552a, the Privacy
    Act of 1974,
    http://www.justice.gov/opcl/privacyact1974.htm
  • OMB Circular A-130, Management of Federal
    Information Resources,
    http://www.whitehouse.gov/omb/circulars_a130_a130trans4/
  • Public Law 104-106, 40 U.S.C. Section 1401 (1996),
    Information Technology Management Reform Act
    (Clinger-Cohen Act),
    http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html
  • Health Insurance Portability and Accountability
    Act (HIPAA), http://www.cms.gov/HIPAAGenInfo/

28
Appendix: HHS Resources (Continued)
  • Federal compliance requirements can be accessed
    using the following links:
  • Health Information Technology for Economic and
    Clinical Health Act (HITECH),
    http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf
  • Public Law 107-347, Federal Information Security
    Management Act of 2002 (FISMA), supersedes the
    Computer Security Act of 1987,
    http://csrc.nist.gov/drivers/documents/HR2458-final.pdf
  • Homeland Security Presidential Directive (HSPD) 7
    (2003),
    http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm
  • HSPD-12 (2004),
    http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm

29
Appendix: Privacy Resources
  • Privacy Resource Center: A compilation of
    privacy resources to help all HHS employees
    understand privacy and what they can do to
    protect PII at work and at home.
  • Privacy Breach Frequently Asked Questions:
    Outlines frequently asked questions about how to
    identify and report a privacy breach.
  • Privacy Impact Assessment (PIA) Standard
    Operating Procedures: Outlines the standard
    approach for conducting a PIA for all Department
    systems (2010).
  • Policy for Information Systems Security and
    Privacy: Establishes comprehensive IT security
    and privacy requirements for the IT security
    programs and information systems of OPDIVs and
    STAFFDIVs within HHS (2010).
  • Access the HHS Cybersecurity Program intranet
    page for additional guidance.

30
Appendix: Information Security Requirements
  • FISMA Statutory Requirements: OMB Budgeting and
    Reporting Requirements
  • OMB Circular A-11, Section 53, Information
    Technology and E-Government (2007)
  • OMB A-130, Appendix III, Security of Federal
    Automated Information Resources
  • OMB Memorandum (M) 03-22, Guidance for
    Implementing the Privacy Provisions of the
    E-Government Act of 2002 (2003)
  • OMB M-04-04, E-Authentication Guidance for
    Federal Agencies (2003)
  • OMB M-05-08, Designation of Senior Agency
    Officials for Privacy (2005)
  • OMB M-10-15, FY 2010 Reporting Instructions for
    the Federal Information Security Management Act
    and Agency Privacy Management

31
Appendix: Information Security Requirements
(Continued)
  • FISMA Statutory Requirements: NIST Security
    Standards and Implementation Requirements
  • NIST Special Publication (SP) 800-30, Risk
    Management Guide for Information Technology
    Systems (2002)
  • NIST SP 800-34 Revision 1, Contingency Planning
    Guide for Federal Information Systems (2010)
  • NIST SP 800-37 Revision 1, Guide for Applying the
    Risk Management Framework to Federal Information
    Systems (2010)
  • NIST SP 800-53 Revision 3, Recommended Security
    Controls for Federal Information Systems and
    Organizations (2009)
  • NIST SP 800-65 Revision 1 (DRAFT),
    Recommendations for Integrating Information
    Security into the Capital Planning and Investment
    Control Process (CPIC) (2009)
  • Read the full NIST documents

32
Appendix: Information Security Requirements
(Continued)
  • FISMA Statutory Requirements: NIST Security
    Standards and Implementation Requirements
  • Federal Information Processing Standard (FIPS)
    199, Standards for Security Categorization of
    Federal Information and Information Systems
    (2004)
  • FIPS 200, Minimum Security Requirements for
    Federal Information and Information Systems
    (2006)
  • Read the full FIPS documents

33
Appendix: Personnel and Physical Security
  • Information, personnel, and physical security
    teams at HHS work hand in hand to ensure the
    security of our information.
  • The Office of Security and Strategic Information
    (OSSI):
  • Leads and manages personnel security/suitability,
    information security, drug testing, and foreign
    travel/visitor policy for the Department.
  • Ensures HHS compliance with Homeland Security
    Presidential Directive 12 (HSPD-12).
  • Physical Security:
  • Protects offices, staff, contractors, visitors,
    and HHS assets through the prevention,
    investigation, and detection of crimes and the
    apprehension of offenders.

34
Appendix: Security Authorization
  • OMB requires agencies to assess security controls
    to determine their overall effectiveness, and to
    formally authorize system operation and accept
    the residual risk associated with it.
  • Security Authorization (formerly Certification
    and Accreditation, C&A) is initiated when a
    system is developed or modified in response to a
    mission need, business case, operational
    requirement, or significant change.
  • FISMA establishes government-wide
    responsibilities for federal information
    security. FIPS 200 requires agencies to meet
    minimum security requirements by selecting
    controls from NIST SP 800-53 (Revision 3 at the
    time of this course).