Workshops
Purpose: Oregon Administrative Rule 125-800-0005 -- 20 requires all agencies to complete information security plans and submit them to DAS for approval. Plans are due on or before July 30, 2009. DAS is facilitating hands-on workshops to assist small and medium sized agencies in writing their security plans. Participants will use the DAS-developed template and agency peers will be available to serve as mentors both in the workshop setting and by telephone and e-mail. Participants can bring laptops or work with hard copies of the template.
Each workshop will consist of two 3-1/2 hour sessions. During the first session, participants will be oriented to the purpose and objectives of the security plan, statewide policies, and information security control objectives; discuss what information is needed and who in the agency should be included in the planning process; and work through the plan template. Between sessions, participants will be expected to work with their agency staff to gather information and requirements and begin drafting their plans. In the second session, work on the drafts will continue and we will discuss next steps such as implementing the plan, employee awareness, and measuring success. Mentors and ESO staff will be available to review the drafts and assist with additional questions.
Audience: The workshops are targeted at small and medium sized agencies with limited information security staff resources. Participation will be limited to no more than two representatives from any one agency.
| Workshop | Session 1 | Session 2 |
| --- | --- | --- |
| Workshop One | Tuesday, September 9, 2008; 8:30 a.m. to 12:00 noon; Salem | Monday, September 29, 2008; 1:00 p.m. to 4:30 p.m.; Salem |
| Workshop Two | Tuesday, October 7, 2008; 8:30 a.m. to 12:00 noon; Salem | Monday, October 27, 2008; 1:00 p.m. to 4:30 p.m.; Salem |
| Workshop Three | February 2009 (date TBA); 8:30 a.m. to 12:00 noon; Portland | February 2009 (date TBA); 1:00 p.m. to 4:30 p.m.; Portland |
Registration: Class size is limited and participants are required to register in advance. To register, contact Cinnamon Albin or Eva Doud at the DAS Enterprise Security Office.
Purpose
The purpose of the statewide Information Security policy 107-004-052 (effective 7/30/2007) is to emphasize the state's commitment to information security and provide direction and support for information security in accordance with business requirements and relevant laws and regulations.
The policy requires agencies to develop and implement information security plans, policies and procedures that protect their information assets from the time of creation, through useful life and through proper disposal. Per Administrative Rule 125-800-0005 -- 0020, agency plans must be approved by DAS. Plans need to be submitted to DAS through the EISPD Enterprise Security Office on or before July 30, 2009. The basic information protection requirements include, but are not limited to:
- Compliance with applicable legislative, regulatory, and contractual requirements;
- Identifying information assets;
- Determining the value of information assets to the agency and the business processes they support;
- Assessing the vulnerability and risk associated with information assets;
- Providing the level of protection that is appropriate to the information assets' vulnerability, risk level, and agency value;
- Security education, training, and awareness for all users of agency information assets;
- Identification of general and specific responsibilities for information security management, including reporting information security incidents;
- Communication of information security policies throughout the agency to users in a form that is relevant, accessible and understandable.
Each agency will establish a security plan to initiate and control the implementation of information security within the agency and manage risk associated with information assets. The plan will include:
- Processes to:
  - Identify agency information assets;
  - Determine information sensitivity;
  - Determine the appropriate levels of protection for that information;
- Applicable state directives and legal and regulatory requirements;
- Identification of roles and responsibilities for information security within the agency;
- Identification of user security awareness and training elements; and,
- Information security policies that govern agency information security activities.
Agency Resources
- Information Security policy (pdf)
- Communication Forum presentation (6/23/2008) (PowerPoint)
The Enterprise Security Office has developed plan guidelines, a sample template, and a criteria sheet all agencies will use to transmit their plans for ESO review.
- Information Security Plan Guidelines (rev. 4/10/2008) (Word)
- Information Security Plan sample template (Word)
- Agency Information Security Plan Review Criteria (Word)