Information security policies provide vital support to security professionals as they strive to reduce the risk profile of a business and fend off both internal and external threats.
The trouble is that very few organisations take the time and trouble to create decent policies; instead they are happy to download examples from the web and cut and paste as they see fit. The resultant mess is no good to anyone, and can often leave the business open to unforeseen issues.
A prime example of producing both good and bad information security policies is the National Health Service (NHS).
This huge organisation both shares and consumes vast amounts of very private information on a daily basis, so quite rightly there is a requirement on those that handle such data to have in place supporting information security policies that are in turn subject to an annual audit.
During February and March, throughout the length and breadth of the country, information governance (IG) leads of NHS trusts and other assorted healthcare providers gather evidence to submit to the Department of Health (DH) for this audit, otherwise called the IG Toolkit.
Information governance toolkit sets NHS service levels
The IG Toolkit is loosely based on the ISO 27001 standard and is mandatory for all NHS organisations and any others who wish to provide services into the NHS. This covers the main areas of governance and assurance:
- Information governance management
- Confidentiality and data protection assurance
- Information security assurance
- Clinical information assurance
- Corporate information assurance.
The major area of focus is information security assurance. Interestingly, information security assurance accounts for about one-third of the requirements, which are combined to form an annual score.
For an organisation to pass the audit and achieve a 'satisfactory' rating, they must now achieve a level 2 score for every requirement (each requirement has a possible score of 0-3). Failure to meet those minimum requirements would mean the organisation cannot be commissioned to provide services to the NHS. Clearly, failing to meet this would have a significant impact on any organisation currently providing services or those wishing to do so from 1 April 2013.
Despite the IG toolkit being very well established in the NHS arena – it is now in its 10th year – NHS trusts are still in need of specialist IG expertise to navigate the difficult waters of the toolkit, and non-NHS organisations coming to this for the first time find themselves very quickly out of their depth.
A lot of the issues are in the interpretation of the requirements and the specialised environment in which the NHS operates. Insider knowledge and experience are certainly key to a smoother ride when making a submission.
Information security policies are supposed to be read, understood and followed by all staff in the organisation
Information security policies and procedures
Not surprisingly, information policies and procedures make up the bulk of the evidence required to be submitted. Lest they be accused of wasting scarce public resources by continually reinventing the wheel, it is common practice for trusts to borrow such policies and procedure documents from friendly neighbours. This is fine until these policies are subject to an audit.
On undertaking a full review of information security policies, I very quickly found that the public sector has a specific and unusual way of tackling such documentation. A typical information security policy in the NHS runs to between 35 and 45 pages and goes into incredible detail about all sorts of minutiae, including such esoteric concerns as the cable trays necessary for datacentres.
This demonstrates a fundamental misunderstanding of the intended audience for these documents. That audience is not the IT professional looking to install or otherwise look after NHS IT systems – instead the policies are supposed to be read, understood and followed by all staff in the organisation.
The audience had been completely forgotten in the process of producing this document, compounded by the fact that the same document (slightly altered in each case to fit the name of the different trust) was being used across the patch as an exemplar of what should appear in the policy.
This is a crazy situation and a fresh approach is needed.
Building a structured and accessible policy
I suggest that each information security policy is approached from a number of key questions:
- What purpose is this policy meant to serve? Am I ticking a box, or is it adding real value?
- Have I aligned my policy with any subsequent information governance training I might deliver?
- Have I aligned my policy to the business objectives of the organisation?
- Is there a regulatory and/or statutory basis to the policy, or is it more guidance on good practice?
- Who is my audience for this policy?
- What is the absolute minimum information they need to have? Do I really need all the detail written into this policy, or is this better written in System Specific Security Policies (SSSPs) for the IT professional?
- What is the best format for my audience to receive this information?
- What are the key messages that I want them to retain?
In answering these questions and thinking from the user's point of view, I am often able to cut policies from 45 pages down to six, including the necessary title pages and the Equal Opportunities Impact Assessment (these are mandatory for NHS documentation such as this).
The essence of a good policy
- Keep it as short as possible
- Keep it relevant to the audience
- Keep it aligned to the needs of the business
- Keep it aligned to the legislation and regulatory frameworks in which you operate
- Do not marginalise it by aiming to 'tick the box', as the policy needs to add value to the employee and the overall outcomes and behaviours you are looking to promote
The typical information security policy may have the following headings:
- Document Control
- Document Location
- Revision History
- Approvals
- Distribution
- Document History
- Enquiries
- Introduction and Purpose
- Scope
- Your Responsibilities
- Our Responsibilities
- Where to find more information
- Equal Opportunities Impact Assessment
This provides a more structured and accessible document.
I accept that you may feel I have moved some key components out into other separate documents and will be relying on the user to source and read them as well, but I still feel it is a valid direction in which to travel.
You may also have expected to see something in there about passwords or other aspects of information security, but the point is that the other key security issues will be dealt with in the 'acceptable use policy' and the 'use of internet and email policy', tangible data assets dealt with in the 'clear desk policy', and so on.
Sharing policies with staff
In addition to making staff read and sign to acknowledge any documents, it is key to ensure that they have read and actually understood the policies in question. The best way of achieving this is to provide suitable and focused governance training to reinforce the messages and bring the policy alive with current local examples.
It is important to spend considerable time making training relevant and accessible for all attendees so they leave the session with an engaged attitude to information security, rather than feel they have been put through an obligatory sheep dip and learnt nothing of relevance.
Information governance is a massive area, and users need to tackle the elephant one chunk at a time, rather than as a whole.
In the broadest sense, awareness training should inform users of the broad scope of IG – that it covers appropriate collection of data, appropriate use, data quality, records management, archiving and secure destruction, privacy, confidentiality, appropriate use of business-provided IT systems, appropriate use of social networking and so on. Each area benefits from its own policy documents, which can similarly be kept to minimum size and scope so users are not overwhelmed by the full scope of their responsibilities.
The policy document is exactly that – a simple statement of the business position on the chosen topic (the 'why'), not to be confused with the procedural documentation which deals with 'how' the policy is to be enacted. Procedures are sometimes necessarily much longer documents if they are describing complex processes which must be followed. The system-specific security policies and corresponding procedures mentioned earlier tend to fall into this category.
Ideally, the policy should be brief and to the point about the user’s responsibilities towards the information they collect, use, access or otherwise process, and to sign-post them to the other relevant policies and procedures for the areas in which they operate. There is very little point subjecting a hospital porter to a treatise on how to use the patient administration system, for example, if they will never have access to that system.
By following these ideas, you should be able to create an excellent information security policy, but more importantly have an engaged set of employees looking after your organisation’s assets.
Andi Scott is a senior information governance consultant and practice head at Incoming Thought
Incident Management
Overview
The California Office of Information Security works collaboratively with the California Highway Patrol (CHP), California Cybersecurity Integration Center (Cal-CSIC), California Military Department (CMD), Office of Health Information Integrity, and other essential agencies on mitigating, identifying, responding to, and reporting information security incidents.
The following policy, standards, and guidelines are provided to assist state agencies in complying with current incident response and reporting requirements, and in establishing and maintaining internal incident management functions.
SAM 5340 – Incident Management (PDF)
Incident Management Reporting
Incident Reporting
State policy requires agencies to follow a prescribed process when information security incidents occur. Typically, it is each agency’s Information Security Officer’s (ISO) responsibility to notify the proper authorities. The prescribed process includes the following steps:
1. Reporting Incident through the California Compliance and Security Incident Reporting System (Cal-CSIRS)
State policy requires state entities to make notification to the California Office of Information Security (OIS) and the California Highway Patrol (CHP) immediately following discovery of an incident. Each state entity’s Chief Information Officer (CIO), Information Security Officer (ISO), or the assigned incident reporting personnel (as designated on the Cal-CSIRS Designee Request Form (XLSX)), collectively hereinafter referred to as authorized California Compliance and Security Incident Reporting System (Cal-CSIRS) user, is responsible for notifying the proper authorities.
Immediately report the incident through the Cal-CSIRS. Cal-CSIRS will require specific information about the incident and will notify the OIS and the CHP Computer Crimes Investigation Unit (CCIU). A system generated e-mail confirmation will be sent to the authorized Cal-CSIRS users acknowledging the OIS and CCIU have received the Cal-CSIRS notification.
IMPORTANT: Incident notification made to CHP or our Office outside of the Cal-CSIRS notification process by email or other means is NOT an acceptable substitute for the required notification through Cal-CSIRS.
2. Instructions and Guidance for Reporting an Incident
Refer to SIMM 5340-A – Incident Reporting and Response Instructions (PDF) and/or the California Highway Patrol website for guidance when reporting an incident. Notification and reporting requirements, along with security tips, can be found on the CHP’s “Computer Crime Reporting for State Agencies”.
The ISO should attempt to gather the following information before reporting the incident on Cal-CSIRS:
- Name and address of the reporting entity.
- Name, address, e-mail address, and phone number(s) of the reporting person.
- Name, address, e-mail address, and phone number(s) of the ISO.
- Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate ISO, system administrator, etc.).
- Description of the incident.
- Date and time the incident occurred.
- Date and time the incident was discovered.
- Any actions at and following the time of discovery that were taken prior to reporting the incident on Cal-CSIRS.
The ISO should attempt to gather the following additional information before reporting incidents involving computer-related theft or crime:
- Make / model of the affected computer(s).
- Serial and state asset identification numbers of affected devices.
- IP address of the affected computer(s).
- Assigned name of the affected computer(s).
- Operating system of the affected computer(s).
- Location of the affected computer(s).
IMPORTANT: Reporting should NOT be delayed until all of this information is gathered. It is understood that in some circumstances this information may not be readily available when the incident is first reported to the ISO. Therefore, the ISO should make the report to ENTAC, providing as much information as possible at the time of receiving the report.
3. Personally Identifiable Information
During this reporting process, it is also important to report if the incident involves personally identifiable information, such as breach notice-triggering personal information as defined in California Civil Code Section 1798.29.
Effective January 1, 2016, California Civil Code Sections 1798.29 and 1798.82 were amended to require breach notifications to be provided in a specific format and to include certain content. Security Breach Reporting and Notification Templates are provided on the Resources page. Policy requires state entities to submit any breach notification to the Office of Information Security for review and approval prior to its release.
Further, Civil Code Section 1798.29 (e) requires any state entity that is required to issue a security breach notification to more than 500 California residents, as a result of a single breach, to electronically submit a sample copy of the breach notification, excluding any personally identifiable information, to the Attorney General. The Attorney General’s procedures for sample submission are available on its website. See SIMM 5340-C (PDF) for instructions and process.
4. Emergency Assistance Outside of Normal Business Hours
In the case that the Cal-CSIRS system is offline during normal business hours, contact OIS directly by phone at (916) 445-5239 or by e-mail at [email protected] for assistance. If the Cal-CSIRS system is offline outside of normal business hours and you require immediate law enforcement assistance, contact CHP’s Emergency Notification and Tactical Alert Center (ENTAC) at (916) 843-4199. This telephone number is staffed 24 hours a day, seven days a week. The officers at ENTAC will forward that information to CCIU for immediate assistance. In the situation that notification is made outside of normal business hours through CHP, it is the state entity’s responsibility to notify OIS of the incident on the next business day.
5. Additional Information and Forms
Depending upon the nature of the incident and the assets affected by the incidents, the entity may be required to submit the following additional written reports to other state entities:
The CCIU and/or the OIS may contact the entity for additional information.
Questions and Contacts
- California Office of Information Security – (916) 445-5239
- California Highway Patrol ENTAC – (916) 843-4199
- Department of Justice’s Privacy Enforcement and Protection Unit – (916) 322-3360
- California Office of Health Information Integrity (CalOHII) – (916) 651-3366
Other Resources
Security Awareness Videos
Privacy Management
This section provides resources for California state government agencies on privacy practices and policies for protecting personal information.
Also see our Frequently Asked Questions.
State Employee Privacy Awareness Training
Protecting Privacy in State Government. Basic Training for State Employees.
Video and Hand Out Materials
Privacy Videos
Risk Management
The following resources provide policy, standards, and guidelines to assist state agencies in the development and maintenance of their risk management programs.
Also see our Frequently Asked Questions.
State Administrative Manual (SAM)
The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. The following SAM policies directly relate to operational recovery and business continuity. As announced in Management Memo (MM) 08-02 (PDF), the policy sections related to information security and privacy have been restructured and renumbered effective February 19, 2008. No policies were changed through MM 08-02 or this restructure.
Statewide Information Management Manual (SIMM)
The following SIMM sections are applicable to risk management.
Agency Information Security and Privacy Program Compliance Certification (SIMM 5330-B (DOCX))
The signed Certification acknowledges that each agency is in compliance with state policy governing risk management and privacy requirements as defined in SAM Section 5305.2 (PDF), Government Code Section 11019.9, and the Information Practices Act (Civil Code Section 1798 et seq.). It is due to the California Office of Information Security by January 31st of each year.
Plan of Action and Milestones (SIMM 5305-C (XLSX))
Each state entity is responsible for establishing an Information Security Program to effectively manage risk. The state entity’s information security program shall incorporate an Information Security Program Plan (ISPP) to provide for the proper use and protection of its information assets; this is to include a Plan of Action and Milestones (POAM) process for addressing information security program deficiencies.
Risk Management Resources
These are tools for agencies to use in identifying information security risks and to help mitigate the issues.
Risk Assessment Toolkit
As outlined in the State Administrative Manual (SAM) Section 5305 et seq. (PDF), risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis (SAM Section 5305.1) and the initiation and monitoring of appropriate practices in response to that analysis through the agency’s risk management program.
Risk assessment is a critical component of that process, ensuring state agencies have an effective risk management plan in place as defined in SAM Sections 5305 et seq. Although the following tools are available for agencies to use in identifying information security risks and helping to mitigate the issues, it may be difficult for an agency to determine where to start with a risk assessment or which tool is best to use. Guidance for implementing a suggested strategy for a successful information security program and conducting an effective risk assessment can be found in the following information.
The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.
Information Security Risk Assessment Checklist (DOC)
This simple checklist provides a high-level view of common security practices. It is not intended to cover all of the steps agencies must take to complete the annual risk certification process. However, it may be useful as part of a periodic risk analysis or for a targeted review of security practices in specific areas. General instructions for its use are included in the Checklist’s Introduction section. Its targeted audience is generally focused towards executive management to use as a basic tool for risk assessment.
SANS Information Security Management Audit Checklist (DOC)
A comprehensive risk assessment checklist developed by the SANS (SysAdmin, Audit, Network, Security) Institute and based upon the International Organization for Standardization (ISO) 17799:2005 standards for an information security program. This checklist does not provide vendor specific security considerations but rather attempts to provide a generic checklist of security considerations to be used when auditing an organization’s Information Technology Security. Its targeted audience is generally focused towards a team approach, which might include members from the agency’s business and program areas, information technology, human resources, and the agency’s Information Security Officer.
Security Risk Assessment Tool
HIPAA requires every organization that maintains or transmits personal health information to take specific steps to comply with regulations in the areas of privacy, technology, security, and transaction coding. The California Office of Health Information Integrity (CalOHII) has provided the following HIPAA Security Compliance Review Tool to help agencies determine their level of compliance with the Final Security Rule.
Payment Card Industry (PCI) Self-Assessment Questionnaire
The Payment Card Industry (PCI) Data Security Standard (DSS) is the set of security and compliance monitoring requirements every organization must follow in order to protect cardholder data and accept payment cards for the reimbursement of fees and services. The following tools are available to assist agencies with meeting these requirements:
This Questionnaire is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance with the PCI DSS.
PCI DSS Supporting Documents
Sample Risk Assessment Report (DOC)
It is important to document the results of the risk assessment in the form of a report that can be given to the agency’s executive management. This sample report provides a template for a brief overview, the problems identified, and the recommendations for corrections or mitigation. Consider using this format for reporting your findings and recommendations to your executive management.
Sample Matrix Report (DOC)
This sample report provides an agency the appropriate risk level for action items resulting from an information security risk assessment.
MS-ISAC Nationwide Cyber Security Review Self-Assessment Reporting Tool (NCSR)
The Nationwide Cyber Security Review (NCSR) is a voluntary self-assessment survey designed to evaluate cyber security management. The NCSR will provide participants with instructions and guidance, supplemental documentation, and the ability to contact the NCSR help desk directly from the survey. The survey is available October 1, to coincide with National Cyber Security Awareness Month, and closes on November 30.
Once complete, participants will have immediate access to an individualized report that measures the level of adoption of security controls within their organization and includes recommendations on how to raise the organization’s risk awareness. In alternate years only (odd numbered years) the MS-ISAC and DHS will aggregate all review data and share a high level summary with all participants. The names of participants and their organizations will not be identified in this report. This report is provided to Congress in alternate years (odd numbered years) to highlight cybersecurity gaps and capabilities among our State, Local, Territorial and Tribal Governments.
Risk Management Videos
Technology Recovery Management
Technology Recovery Program
State Administrative Manual (SAM)
The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. The following SAM policies directly relate to technology recovery and business continuity requirements.
Statewide Information Management Manual (SIMM)
The following SIMM sections are applicable to Technology Recovery Plan requirements.
- SIMM 5325-A – Technology Recovery Plan Instructions (PDF) – Updated June 2018
- SIMM 5325-B – Technology Recovery Program Certification (DOCX) – Updated June 2018
Schedule for Submission of Technology Recovery Plans
Refer to the Information Security Compliance Reporting Schedule (SIMM 5330-C) for the due date for each organization.
Continuity Planning
The Governor’s Office of Emergency Services’ (Cal OES) Continuity Planning Maintenance Program requirements.
Compliance Schedules
Schedule of Required Reporting Activities
The following provides a summary schedule of required security reporting activities with corresponding due dates. Compliance reporting requirements are clearly outlined in State Administrative Manual (SAM) Section 5330.2 (PDF). All state entities’ scheduled reporting months are outlined in the Information Security Compliance Reporting Schedule (SIMM 5330-C).
Designation Letter (SIMM 5330-A)
Due annually on the last business day of the state entity’s scheduled reporting month, and within ten (10) business days of any designee changes.
Information Security and Privacy Program Compliance Certification (SIMM 5330-B)
Due annually on the last business day of the state entity’s scheduled reporting month.
Technology Recovery Program Certification (SIMM 5325-B)
Due annually on the last business day of the state entity’s scheduled reporting month.
Information Security Incident Report
Within ten (10) business days from submittal into the California Compliance and Security Incident Reporting System (Cal-CSIRS).
Plan of Action and Milestones Worksheet (SIMM 5305-C)
Unless otherwise directed, each state Agency/entity shall provide quarterly updates on progress toward completion of the plans. Quarterly due dates are on the last business day of January, April, July, and October.
Schedule for Submission of Technology Recovery Plans
State policy, pursuant to State Administrative Manual (SAM) Section 5325.1 (PDF), requires each agency to file a copy of its Technology Recovery Plan (TRP) with the Office of Information Security annually on the last business day of the state entity’s scheduled reporting month, in accordance with SIMM 5330-C – Information Security Compliance Reporting Schedule. Due to the confidential nature of the TRP, please hand deliver all TRPs to our office at:
Office of Information Security
10860 Gold Center Drive, Suite 200
Rancho Cordova, CA 95670
Upon arrival, please go to the 2nd floor security desk (Suite 200). The security desk staff will contact someone from our office to pick up your materials. Note: If you choose to mail in the TRP, be sure to confirm delivery with your selected courier service prior to sending, as contracted delivery/courier services may not deliver to the PO Box or to the physical address.
OIS Foundational Framework
State Administrative Manual (SAM) 5300
The State Administrative Manual (SAM) is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. A searchable copy of the document is available by clicking on State Administrative Manual (SAM).
SAM Frequently Asked Questions (FAQ)
SAM 5300 Definitions
Policy Resources
Statewide Information Management Manual (SIMM)
The Statewide Information Management Manual (SIMM) Sections 10 through 80 and Sections 5300 et seq. contain standards, instructions, forms and templates that State agencies must use to comply with Information Technology (IT) policy.
Management Memos (MM)
A number of Management Memos are related to information technology. Click on “Management Memos Related to IT” to see a full list of IT-related Management Memos.
The following Management Memos are most relevant to information security:
Budget Letters (BL)
A number of Budget Letters are related to information technology. Click on “Budget Letters Related to IT” to see a full list of IT-related Budget Letters.
The following Budget Letters are most relevant to information security:
Technology Letters (TL)
Technology Letters contain official communications regarding state IT, including new (or changes to existing) IT policies, procedures, services or standards.