MINUTES - 03232004 - SD2

TO: BOARD OF SUPERVISORS
FROM: Tam Whittington, CIO, Department of Information Technology
DATE: March 23, 2004
SUBJECT: Contra Costa County Information Security Program

Specific Request(s) or Recommendation(s) & Background & Justification

I. RECOMMENDED ACTION:

ADOPT the Contra Costa County Information Security Program as outlined in the attachment.

II. BACKGROUND:

The Department of Information Technology is requesting that the Board of Supervisors formally adopt the Countywide Information Security Program that has been operating on an administrative level since 1997. The Information Security Program was compiled by using information from the International Organization for Standardization's (ISO) Code of Practice for Information Security Management (ISO 17799), State and Federal Statutes, the County Information Security Forum's members' expertise and experience, the National Security Agency (NSA), the National Institute of Standards and Technology (NIST), and the Generally Accepted Systems Security Principles (GASSP). It outlines industry-proven components that constitute a comprehensive program.

The Information Security Program outlined in this document is used by Contra Costa County as a foundation for its efforts in providing availability, integrity and confidentiality of all County-controlled assets, both logical (e.g., computers) and physical (e.g., building, personnel, hardcopy). This program is based upon industry standards and governmental "best practices", and promotes both effective and efficient methods to safeguard assets under County control. Each component outlined in the recommendation is required for the program to meet those standards.
Furthermore, adoption of this program allows Contra Costa County to share informational assets with other counties that have adopted a program as well, including State and Federal agencies that are mandated by law to comply with published standards in Information Security. Contra Costa County can now adopt these standards in a proactive manner to combat threats to the County's information assets (e.g., computer viruses and malicious software), facilities, and personnel, from sources both foreign and domestic. Adoption of the Information Security Program outlined in the attached document will effectively, through threat avoidance, provide a level of security that will protect information maintained by the County on behalf of its citizens.

CONTINUED ON ATTACHMENT: X YES
SIGNATURE: (signature)
Recommendation of County Administrator / Recommendation of Board Committee / Approve / Other
Action of Board on: March 23, 2004 - Approved as Recommended: X; Other:
VOTE OF SUPERVISORS: X Unanimous (Absent - None); Ayes: ; Noes: ; Absent: ; Abstain:
I HEREBY CERTIFY THAT THIS IS A TRUE AND CORRECT COPY OF AN ACTION TAKEN AND ENTERED ON THE MINUTES OF THE BOARD OF SUPERVISORS ON DATE SHOWN.
Attested: March 23, 2004
John Sweeten, Clerk of the Board of Supervisors and County Administrator
By: (signature), Deputy
cc: (4) Department of Information Technology; (1) County Administrator

Contra Costa County Information Security Program

Chief Information Security Officer (CISO)

The Chief Information Security Officer is the key to the development and enforcement of a comprehensive Information Security Program (ISP). This position will ensure the continuous development and review of Countywide policies and assist departments in the development of procedures for adherence to the ISP.
Information Security Advisory Committee (ISAC)

The Information Security Advisory Committee, comprising departmental representatives and the Chief Information Security Officer, will establish, review and update the Information Security Program and Best Practices as necessary. The ISAC sees that the Best Practices enable County agencies to accomplish their objectives. The input of the Information Security Advisory Committee will keep the Best Practices and business goals in line, and will allow implementation at a much faster pace because of cross-departmental involvement. Advisory committee members will also act as the security representatives for their respective departments. They will work with departmental managers to ensure that data has designated owners, will coordinate requests for data system access, and will participate in the development of agency-specific information security best practices.

Information Security Best Practices

The Information Security Program will prescribe "best practices" that management will use to develop specific security measures. The Best Practices Statement will set forth the basic security philosophy of the County and determine the functional areas where controls must be established. The Best Practices Statement will be drafted by the ISAC and CISO, and submitted to the CAO for approval and adoption through Administrative Bulletins.

Information Security Awareness Training and Education

Employee security awareness training is a key component of the program and one of the most common means available to achieve recognition of responsibility and information asset worth. Each County employee should be required to sign an agreement that includes the protection of information assets as a condition of employment. Employee awareness of security issues will be promoted in many forms, including posters, videos, e-mail reminders, brochures, and on-line (web-based) presentations and information.
Information Identification and Classification

The Information Security Program will establish standards and procedures by which information resources are managed and accessed. These standards will be applied in the identification and classification of the information collected and maintained by the information owner, based on that information's content, sensitivity and importance. An identification methodology is used to categorize information content into distinguishable categories. These categories then facilitate subsequent classification. A classification scheme is used to determine adequate and appropriate procedures and their associated access controls for information protection and distribution. Access control must be consistent with the classified value of the information resources to be protected and the severity of the threat to them.

Information Risk Assessment

Once County information is identified and classified, a risk assessment will be conducted to measure the sensitivity of the information, identify any vulnerabilities of the information, and anticipate the consequences of any vulnerabilities being exploited. For the County, the fundamental concepts of such a risk assessment include:

• A business risk is anything that could potentially harm the County or its assets;
• Risk analysis is a formal process of determining the worth of computing assets, identifying vulnerabilities by discovering where threats/exposures could occur, then determining how much potential harm could be caused if the identified vulnerabilities are exploited;
• As there are costs associated with information security policies, for all vulnerabilities identified, a cost vs. benefit analysis is performed to determine if the cost to implement fixes or increase protection is justified by the cost of the asset's loss.

Thus, information security policies and risk go hand in hand: policies are needed to reduce risk, and risk analysis is used to justify security policies.
Implementation of Information Security Controls

The success of an Information Security Program depends on the clear understanding by all County employees of their roles and responsibilities in protecting the County's assets.

Management's role

All County department and program managers and administrators should be familiar with the Information Security Program and how it applies to the County assets they manage. Those individuals in a leadership role are responsible for implementing the Information Security Program based on the principles of information classification, risk assessment, and cost benefit analysis of security measures.

Employees' role

Employees must recognize that government data is both valuable and vulnerable. They must understand their (legal) responsibilities regarding the unauthorized release of sensitive data. Note that sensitive data means data that requires protection due to the risk and magnitude of loss or harm that could result from unavailability, disclosure, alteration, or destruction.

Monitor Program Effectiveness

The County must be able to assess the measures that have been implemented within the Information Security Program and determine that its security goals are being met. Program evaluation should be conducted independent of the program itself. Separation of duties is extremely important in maintaining the objectivity and integrity of the program evaluation.

Business Continuity and Disaster Recovery

Contingency plans ("Business Continuity Plans") differ from Disaster Recovery Plans ("Operational Recovery Plans") in that contingency plans address the business side (facilities, personnel, procedures, forms, day-to-day supplies) of departments, whereas disaster recovery plans focus more on recovery of information technology assets (computers, storage, electronic communications and data). Both types of plans facilitate data recovery and resumption of services in the event that a man-made or natural disaster occurs.
Development of such plans requires the identification of those applications critical to survival, e.g., storage of the related operating systems, operator instructions, utilities, programs, and data in an off-site storage facility. The most crucial aspect of business continuity and disaster recovery plan development is testing the plans using the designated alternate processing sites.