1 / 23

Ralph Johnson Chief Information Security and Privacy Officer King County, Washington

Developing and Implementing Best-Practice Solutions for Security and Privacy Issues Across County Agencies. Ralph Johnson Chief Information Security and Privacy Officer King County, Washington. Ralph Johnson, CISSP, HISP, CISM, CIPP/US.

erinr
Télécharger la présentation

Ralph Johnson Chief Information Security and Privacy Officer King County, Washington

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Developing and Implementing Best-Practice Solutions for Security and Privacy Issues Across County Agencies Ralph Johnson Chief Information Security and Privacy Officer King County, Washington

  2. Ralph Johnson, CISSP, HISP, CISM, CIPP/US • Chief Information Security and Privacy Officer – King County Washington • Past, Governance Board President, Holistic Information Security Practitioner Institute (HISPI) • Member, MS-ISAC Executive Committee • Co-Chair, MS-ISAC Education and Awareness Committee • Member, MS-ISAC Trusted Purchasing Alliance Product Review Board • Former, Adjunct Instructor – ITT Technical Institute, Seattle

  3. October Halloweeen

  4. King County, Washington • Population: 2,044,000 • 13th Most Populous Countyin the United States • Employees: 13,000 • 428 IT Staff (Executive Branch) • 2 Information Assurance Staff

  5. Critical Success Factors for Information Security Business Continuity Management Incident Management Management Support Risk Management Security Policy Framework Training Metrics An effective information security awareness training and education program informing all employees and relevant parties of their information security obligations set forth in the information security policies and standards and motivating them to act accordingly. An effective information security incident management process An understanding of information asset protection requirements achieved through an application of information security risk management. Visible support and commitment from all levels of management, especially top management. An approach and framework for designing, implementing, monitoring, maintaining and improving security consistent with the organizations culture. Security policy, objectives and activities that aligned with business objectives. A measurement system used to evaluate performance in information security management and feedback suggestions for improvement. An effective business continuity management approach.

  6. Challenges to Success of Information Security in Government • Legacy organizational structures • Separation of powers • Changes in elected officials • Public Disclosure/Freedom of Information (FOIA) • Information Security is more than just information stored in electronic format. • Established policies and procedures for paper records • IT focusses on information in electronic format • Information Security reports to IT • Fragmented across departments/agencies

  7. Why Should We Even Meet The Challenges? • Information is currency. • We have a duty of care to protect the information in the hands of governments. • Our residents expect us to protect information. • There are no neighborhoods, time zones or borders in cyberspace. • No single entity is solely responsible for securing the Internet. • If we are to maximize the convenience, speed, and future potential of a digital society, we must protect the resource that makes it possible.

  8. Meeting the Challenges • IT Organizational Structure • Governance • Collaboration and Communication

  9. Organizational Structure Electorate of King County County Sheriff County Executive Prosecuting Attorney District Court Superior Court County Assessor Elections County Council 12 IT Staff 10 IT Staff 3 IT Staff 5 IT Staff 3 IT Staff 6 IT Staff 2 IT Staff 25 Judges 53 Judges 9 Council Members Office of Economic and Financial Analysis Clerk of the Court Public Defense Information Technology Community and Human Services Permitting and Environmental Review Executive Services Natural Resources and Parks Public Health Transportation Adult and Juvenile Detention Judicial Administration 428 IT Staff 4 IT Staff Office of the CIO Information Assurance

  10. Department of Information Technology (KCIT) Our Service Model Chief Information Officer/ Department Director Operations Enterprise Business Services Deputy Chief Information Officer Finance Information Assurance Production Operations PMO Service SDM - Public Defense SDM - Executive Services Human Resources IT Governance Customer Solutions Service Business Solutions Service SDM - Community and Human Services SDM - Natural Resources and Parks Communications Strategic Planning Regional Services E-Government Service SDM - Permitting and Environmental Review SDM - Public Health KCIT Internal Services Network Services Business Analysis Service SDM - Transportation SDM - Adult and Juvenile Detention Engineering and Architecture Service

  11. King County IT Governance

  12. Strategic Advisory Council • Acts in an advisory capacity to the King County Executive in developing long-term strategic objectives and planning and implementing for information technology deployment countywide. • Chair: King County Executive • Membership: • King County Executive 2 representatives of the King County Council • King County Sheriff King County Prosecuting Attorney • King County Assessor King County Elections Director • King County Chief Information Officer Presiding judge of King County Superior Court • Presiding judge of King County District Courts 3 – 5 External advisors from the private and public sectors

  13. Business Management Council • Acts in an advisory capacity to the county’s Chief Information Officer in carrying out duties related to: • Developing short-term, mid-term and strategic objectives for information technology countywide • Recommending information technology proposals for funding • Developing standards, policies and guidelines for implementation. • Chair: Chief Information Officer • Membership: • King County CIO and agency deputy directors or business managers designated by each agency’s director

  14. Technology Management Board • Acts in an advisory capacity to the county's Chief Information Officer on technical issues including: • Policies and standards for information security, applications, infrastructure and data management. • Chair: Chief Information Officer • Membership: • King County CIO and agency information technology directors or managers designated by each agency's director and familiar with that agency's technology needs and operations.

  15. Project Review Board • Acts in an advisory capacity to the county’s Chief Information Officer in implementing the project management guidelines developed by the central information technology project management office. • Chair: Chief Information Officer • Membership: • King County CIO, the Deputy County Executive, the Director of the Office of Performance, Strategy and Budget, and the Director of the Department of Executive Services.

  16. IT Security Leads (TMB Security Sub-Team) Independently Elected Production Operation Service District Court County Assessor KCIT Services Network Services Information Assurance (Chief Information Security and Privacy Officer) Superior Court County Council Customer Support Service Engineering and Architecture Service County Sheriff Elections PMO Service E-Government Service Finance Human Resources Business Solutions Services Strategic Planning IT Governance Judicial Administration Prosecuting Attorney Business Analysis Service Communications

  17. KCIT Inter-Agency Collaboration OCIO Management Team Members District Court County Assessor Public Defense Executive Services County Executive KCIT Liaisons Superior Court County Council Community and Human Services Natural Resources and Parks Information Technology County Sheriff Elections Permitting and Environmental Review Public Health Deputy Chief Information Officer Service Delivery Managers Judicial Administration Transportation Adult and Juvenile Detention Prosecuting Attorney

  18. Project Steering Committees • The key body within the governance structure which is responsible for the business issues associated with the project that are essential to the ensuring the delivery of the project outputs and the attainment of project outcomes.

  19. Incident Response • Major Incident Response Process • Security Incident Response Process • Incident Analysis • Containment and Eradication • Recovery • Post Incident Activities Sometimes we need to jump back

  20. Change Management • Change Advisory Board • Meets Weekly • Coordinated by Production Operations Service Owner • Chaired by volunteers • Chair rotates every 6 months Change Moratorium Emergency Changes Routine Changes Minor Changes Major Changes

  21. KCIT Countywide Services • Endpoint Security • Vulnerability Management • Datacenter • E-Mail • Mobile Device Management • Network Infrastructure • Server Virtualization • Cloud (Amazon Web Services) • SharePoint/Office 365

  22. Information Security is an Organization Wide Issue Who is ultimately Responsible for Information Security? Everyone

  23. Contact Information Ralph Johnson Chief Information Security and Privacy Officer King County, Washington ralph.johnson@kingcounty.gov 206-263-7891 Multi-State Information Sharing and Analysis Center Center for Internet Security andrew.dolan@cisecurity.org (518) 880-0699

More Related