State of Oregon: OSCIO - Enterprise Security Office

Information Asset Classification
Communications Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services
Enterprise Security Office
Agenda

• Policy Overview
• Community of Practice Update
• Enterprise Information
• Agency Plan
• Methodology and Agency Plan
• Clearinghouse and Q&A
• Wrap up
Policy – Overview

Information will be classified and managed based on its confidentiality, sensitivity, value and availability requirements.

• Identify an Information Owner or Owners
• Owner responsible for:
  – Initial classification
  – Decisions regarding information management
  – Review and reclassification if appropriate
  – Proper retention and disposal
• Statewide information
• Agency information
Policy – Classification Levels

Level 1, Published – Low-sensitivity information; disclosure will not jeopardize the privacy or security of agency employees, clients and partners.
Examples: Press releases, brochures, pamphlets, public access Web pages, and materials created for public consumption.

Level 2, Limited – Sensitive information; disclosure may jeopardize the privacy or security of agency employees, clients and partners.
Examples: Enterprise risk management planning documents, published internal audit reports, names and addresses that are not protected from disclosure.

Level 3, Restricted – Sensitive information; unauthorized access could result in financial loss or identity theft.
Examples: Network diagrams, personally identifiable information, other information exempt from public records disclosure.

Level 4, Critical – Extremely sensitive information; disclosure has the potential to cause major damage or injury.
Examples: Disclosure that could result in loss of life, disability or serious injury; regulated information with significant penalties for unauthorized disclosure; information that is typically exempt from public disclosure.
Policy – Compliance Time Line

• Plan developed by June 30, 2009
• Level 4 identified and protected by December 31, 2009
• All other policy provisions completed by June 30, 2010

Note: Agencies are required to comply with the Oregon Consumer Identity Theft Protection Act (Senate Bill 583, 2007 Legislative Session).
Community of Practice and DHS Approach
Kyle Miller
Department of Human Services
Community of Practice

Membership Representatives
• Human Services
• Consumer and Business Services
• Forestry
• Corrections
• Transportation
• Education
• Administrative Services

Community of Practice
Goals

• Methodology document that contains best practices and links to tools and resources
  – Best practices for classification
  – Elements of information asset management
• Recommendations for user awareness
• Recommendations regarding policy
DHS Approach

• Survey approach
• Information exchange
• Forms development
• Other initiatives
Enterprise Information
Bret West
Department of Administrative Services
Enterprise Information

What enterprise information does DAS “own”?
• HR
• Payroll
• Financial
• Contracts
• DAS-Owned Facilities
• State Network
• Others
Enterprise Information

What does ownership mean?
• DAS is responsible for determining classification levels
• DAS is responsible for communicating classification levels to stakeholders
• Ownership rests with DAS until information is transferred to another agency
• At that point, agencies will be responsible for ensuring security
Enterprise Information

What does ownership mean? (continued)
• Business partners (in this case DAS divisions) are responsible for classifying information assets
• This is not a technology issue!
Enterprise Information

Example: Statewide Financial Management Application Data
• The application itself will be classified at Level 4
• The combination of data elements puts the state and individuals at risk
• Specific elements or reports will be classified according to the statewide policy guidelines
• Currently, SFMS staff have labeled reports “confidential” or “not confidential” based on the data included
• Further work will be done to classify these reports according to the appropriate levels
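The SFMS point above (an application is Level 4 because its combination of data elements, each of which may only be Limited or Restricted on its own, creates identity-theft risk) together with the methodology steps of documenting classified assets and keeping them under review can be modelled in a small inventory script. The following Python is an added example, not DAS or SFMS code: the element catalogue, the "identifying" flag, the two-element combination threshold and the annual review cycle are assumptions chosen for illustration, while the per-element levels follow the policy examples on the slides.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Classification levels as defined on the policy slides.
LEVEL_NAMES = {1: "Published", 2: "Limited", 3: "Restricted", 4: "Critical"}

# Constructed catalogue of data elements: (level, identifying).
# Levels follow the policy examples (press material = 1, names/addresses
# not protected from disclosure = 2, PII and network diagrams = 3).
# The "identifying" flag is an assumption of this example: it marks
# elements that can be tied to a specific individual.
ELEMENT_CATALOGUE = {
    "press_release_text":    (1, False),
    "employee_name":         (2, True),
    "employee_address":      (2, True),
    "internal_audit_report": (2, False),
    "network_diagram":       (3, False),
    "ssn":                   (3, True),
    "bank_account_number":   (3, True),
}


def classify(elements, combination_threshold=2):
    """Return (level, rationale) for an asset built from the given elements.

    Base rule: an asset is at least as sensitive as its most sensitive
    element. Aggregation rule (an assumption modelled on the SFMS slide,
    not a policy-defined threshold): when a Restricted element co-occurs
    with enough identifying elements, the combination enables identity
    theft, so the whole asset is raised to Level 4.
    """
    unknown = [e for e in elements if e not in ELEMENT_CATALOGUE]
    if unknown:
        # Fail closed: an uncatalogued element cannot be assumed harmless.
        return 4, f"uncatalogued element(s) {unknown}; Critical until the owner classifies them"
    base = max((ELEMENT_CATALOGUE[e][0] for e in elements), default=1)
    identifying = [e for e in elements if ELEMENT_CATALOGUE[e][1]]
    if base >= 3 and len(identifying) >= combination_threshold:
        return 4, (f"combination of identifying elements {identifying} with a "
                   f"Restricted element raises the asset to Critical")
    return base, f"highest element level is {base} ({LEVEL_NAMES[base]})"


@dataclass
class ClassifiedAsset:
    """One row of the documented inventory (methodology step: document assets)."""
    name: str
    owner: str
    elements: list
    level: int
    rationale: str
    classified_on: date
    review_due: date


def document_asset(name, owner, elements, classified_on, review_cycle_days=365):
    """Classify an asset and record owner, rationale and next review date.

    The annual review cycle is an assumption; the policy itself only asks
    for review and reclassification where appropriate.
    """
    level, rationale = classify(elements)
    return ClassifiedAsset(
        name=name, owner=owner, elements=list(elements), level=level,
        rationale=rationale, classified_on=classified_on,
        review_due=classified_on + timedelta(days=review_cycle_days),
    )


def assets_due_for_review(inventory, today):
    """Methodology step: continuous review. Names of assets whose review date has passed."""
    return [a.name for a in inventory if a.review_due <= today]


if __name__ == "__main__":
    # Constructed inventory entries.
    inventory = [
        document_asset("press kit", "DAS Communications",
                       ["press_release_text"], date(2008, 7, 1)),
        document_asset("SFMS payroll report", "DAS",
                       ["employee_name", "ssn", "bank_account_number"], date(2008, 7, 1)),
    ]
    for asset in inventory:
        print(f"{asset.name}: Level {asset.level} ({LEVEL_NAMES[asset.level]}) - {asset.rationale}")
    print("due for review on 2009-07-01:", assets_due_for_review(inventory, date(2009, 7, 1)))
```

The design choice worth noting is that an element missing from the catalogue is treated as Critical rather than Published: an inventory that defaults unknown data to the lowest level silently undermines the Level 4 deadline, whereas failing closed forces the owner to make the classification decision the policy assigns to them.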
Enterprise Information

When will the classifications be available?
• Our goal is to have all Level 4 data classified by July 1, 2008
• Our draft internal policy requires all Level 3 data to be classified by January 1, 2009 and all Level 2 data classified by July 1, 2009.

ODOT’S SECURITY FABRIC
Addressing Information Security
Lisa Martinez
Oregon Department of Transportation
Where do you begin?

• Establish a “First-Strike” project team to develop your initial roll-out strategy
  – Make sure you have the right blend of business and information technology representatives
  – Review and consolidate standards across all of the DAS Enterprise Information Security policies and Senate Bill 583
  – Develop a “final draft” of an agency-wide assessment tool to determine where your agency is in meeting, partially meeting, or not meeting the consolidated standards
  – Pilot the tool in a few areas to gather information on the resources and time required to assess across your agency
Where do you begin? (cont.)

• Make sure you have the support and commitment of your agency Director and his/her direct reports
  – Provide enough information so they understand the work effort required by their managers and employees
  – Have them provide names of appropriate staff to assist on a project team
  – Make sure that you use them to reinforce agency commitment if you encounter problems
Where do you begin? (cont.)

• Take time to understand how other initiatives underway in your agency interlace with Information Security
  – Can you demonstrate benefit to other initiatives with regard to information gathering, business process mapping, and similar tasks?
  – Be willing to share information with other project teams
  – Don’t overlook everyday work processes – they may be an easy opportunity to help with culture change
Where do you begin? (cont.)

• Communicate to managers and employees why this initiative is important
  – Make it real by giving real-life examples
  – Utilize internal communication tools such as newsletters, intranet pages, etc.
  – Acknowledge that this will take time and is not an overnight process
  – Consider an Information Security “hotline”
• Identify available resources
ODOT Progress Report

• “First Strike” Project Team established, consisting of business and information technology staff and a contracted project manager
• Identified standards across policies and SB 583
• Developing assessment tool, criteria to measure current state against standards, glossary of terms and background materials
• Identified two business areas to pilot the tool
• Preparing presentation for Director and his direct reports to affirm support and commitment and solicit business resources
Identified Key Business Challenges and Opportunities

• Reliant on Business Line Subject Matter Experts
• Competes with Other Priorities
• Undefined Roles and Responsibilities
• Requires Routine Review and Assessment to Manage Risk
• Reduce Agency Risk
• Potential to Improve Business Processes
• Recognize and Develop Partnerships
• Develop and Share Best Practices
• Successful Implementation Results in Improved Agency Compliance
[Process diagram from the slide; text recovered from the figure]
1. Identify Business Contacts for Each Division, Region, and Branch
2. Gather Requirements and Identify Gaps
3. Gap Analysis – inputs: Subject Matter Experts from Lines of Business; ODOT Current Initiatives; Across State by Lines of Business. Each requirement is rated: Meets or Exceeds Requirements / Does Not Meet / Not Applicable
4. Project Team:
   • Review Results
   • Rank Gaps Based on Risks and Priorities
   • Develop Blueprint of Implementation Plan
5. Ranking matrix: High Opportunity / High Risk versus Low Opportunity / Low Risk
Available Resources

• Statewide Community of Practice (CoP) Workgroup on Information Assets Management Policy
  – Tool development
    • Information asset classification architecture methodology
    • Risk assessment tools
    • Communication tools
  – Web site resource
    • Will continue sharing process documents
• ODOT IS Tech Management Research
  – Inventory and identify capabilities of current information security tools
  – Research capabilities of other security tools, for example data leakage
• Business Line Best Practices
Information Asset Classification
John Koreski
Department of Corrections
Methodology

Information Asset Classification Methodology
1. Identify information assets
2. Identify the owner
3. Conduct an impact assessment
4. Determine the classification
5. Document classified information assets
6. Provide education and awareness
7. Maintain classification and conduct continuous review
Security
[Diagram from the slide; labels recovered: Organization Security; Legal Implications]

Recommended Strategy to Implement the Office of Legal Affairs
Phase 1:
• Identify LIO and PIOs
• Create Training
• Deliver Training
  – DOJ/DOC key staff
  – Management
  – Other impacted staff
• Create Tracking Mechanisms
• Establish Measures
• Complete Phase 1
Timeline markers on the slide: 1/08, 3/08; Phase 1 complete 12/08 (12 mos.)
Recommended Strategy to Implement the Office of Legal Affairs
Phase 2:
• Info. Asset Identification
• Project Mgmt. Methodology
• Archive E-Mail Project
• Transporting Info. Assets Project
• Complete Phase 2
Timeline markers on the slide: 4/08, 15 mos., 6/09
Recommended Strategy to Implement the Office of Legal Affairs
Phase 3:
• Begin Grant Admin. Strategy
• Hire Info. Security Officer (ISO) – see handout for duties
• Hire Records Officer (RO) – see handout for duties
• Complete Phase 3 (1/11)
Timeline markers on the slide: 18 mos., 7/09
Recommended Strategy to Implement the Office of Legal Affairs
Phase 4:
• Electronic Records Management
• Enterprise Content Management
• Timeline: approximately 1/11 – 7/11
Clearinghouse and Wrap Up
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services
Enterprise Security Office

Policy Resources

A clearinghouse-type Web site with links to best practices and tools/templates:
www.oregon.gov/DAS/EISPD/ESO/IAC.shtml
Thank You

Other Questions

Contact:

[email protected]
503-378-3071

[email protected]
503-373-1496