CSDA Policy & Regulations Committee
LCSA FEEDBACK FORM

New Information Security Standards and Revisions to the Information Security Manual

Identification:
Date Draft Letter Issued for Review: August 18, 2009
Date LCSA Feedback is DUE: August 25, 2009
Letter Topic: New Information Security Standards and Revisions to the Information Security Manual

LCSA Feedback:

LOCAL RESOURCE IMPACTS (EFFICIENCY)

San Bernardino: The proposed new policies will have limited impact on local resources and efficiency, primarily resulting from staff hours needed to update local policies and procedures.

San Diego: Negative impact. San Diego estimates an increase in resources needed to support these standards.

Santa Clara: Physical Security Standard, Section 2.2.2, item 7. We share a building with a branch of the SCC District Attorney. There are safeguards to get into the secure area of the building, but once in, the elevator stops at all floors. There is no physical way of preventing someone from getting off the elevator on one of our LCSA's floors. As a note, the SCC DA personnel concerned are cleared for more confidential information than are our LCSA personnel.

Stanislaus: Local resource impacts should be minimal, depending upon how much documentation the local agencies currently maintain related to facility security. Elimination of the annual Certification Compliance requirement in favor of compliance visits on a three-year cycle will be a slight positive impact to local resources.

FEDERAL AND STATE PERFORMANCE MEASURE IMPACT(S) (EFFECTIVENESS)

Stanislaus: No anticipated impact on federal performance measures.

POLICY ISSUES

Kern: In regards to Section 2.1.1, item 2: Are we required to get a risk assessment from our off-site storage vendor and from our document destruction vendor in order to be in compliance?

San Bernardino: DCSS ISM 2109, Section 2: The last sentence in the Confidential Information paragraph provides that FTI may not be transferred via email. However, DCSS ISM 2111 provides that confidential information may be transmitted over a public network if it is encrypted. The sentence in Section 2 should clarify whether an encrypted email may be used to transfer FTI.
DCSS ISM 2108, Section 2.1.2: Security guards/staff should be included as a measure of securing perimeters.

San Diego:
2.1 Facility Security
- 2.1.4.1 – 6: The processes and procedures outlined in this section will require FTE resources to produce and maintain.
- 2.1.4.1 (Risk Assessment): Can the state ISO provide a more defined procedure? What risk assessment policy/procedures should LCSAs follow?
- 2.1.4.6.d (Log and Audit Child Support Employee's access to facilities): Is this requirement necessary? The logging and auditing of Child Support employees into LCSA facilities will take considerable effort. A solution would be to automate security access with approved funding (i.e., access card systems).
2.2 Work Area Security
- 2.2.1 Physical Premises training: Can the state provide a syllabus that would allow for consistency?
San Diego Department of Child Support Services follows County security policies and administrative procedures that are for the most part in alignment with the proposed State ISO standards. A few exceptions that the State ISO is recommending will cause an impact to local resources and efficiencies to meet state compliance. These exceptions are:
Information Owner Requirements (Section 3.1)
- Steps 1 – 10 will require FTE resources to ensure and document existing contracts and MOUs for compliance.
Data Transfer Agreement Requirements (Section 3.2)
- The requirement to develop and implement the security measures outlined in Section 3.2 will impact both local resources and external entities to some measure.
- 3.2.6 Security Awareness Training: Will the state provide LCSAs with an approved awareness training syllabus to ensure consistency?
- 3.2.7 Statement of Confidentiality: Will the state provide a form to ensure consistency?
- Suggests the state provide training materials which would provide external entities with an ISO-approved curriculum.
- 3.2.8 "All access to transferred Child Support Information must be recorded...": Please provide an approved recording record.
Information Custodian Requirements (Section 3.3)
- 3.3.7 Record/Logs retention: San Diego County uses a 4 year, 4 month retention policy. The state ISO recommendation for 6 years is a concern to our policy.

Stanislaus: Clarification needed on new Standard (2109) Secure Data Transfer. As written, this standard addresses the security requirements for transferring confidential and personal Child Support Information to an external entity as a result of a data sharing or exchange agreement, such as a contract, inter-agency agreement (IAA), memorandum of understanding (MOU), etc. Would agencies granted 'view only' access to CSE, namely welfare agencies, need to comply with this new standard? If so, would LCSAs be responsible for ensuring compliance with ISM requirements, or would DCSS? In addition, would this standard apply to process servers currently offering e-Service capabilities via CSE? They are retrieving images of documents for the purposes of attempting service. Said documents will contain certain personal Child Support Information. If so, which agency would review and monitor for compliance?

EDITORIAL FEEDBACK

San Diego: DCSS ISM 2108, Section 2.1.2, Item 6: The term "mantraps" should be defined or explained.

TECHNICAL FEEDBACK

AUTOMATION IMPACTS

OTHER/MISCELLANEOUS

Kern: In regards to Section 2.2 Work Security: Is the requirement that we ban cell phones with cameras and video from the Child Support office?

Los Angeles: Materials reviewed by Chris Paltao, Departmental Information Security Officer, Los Angeles County Child Support Services Department, Bureau of Administrative Services; no comments. Thank you for the opportunity to review this draft.

San Bernardino:
Recommendation: The State should consider developing standard Memorandum of Understanding (MOU) language for LCSAs who have or will establish MOUs with outside agencies.
Question: DCSS ISM 2109, Section 3.2, Item 8 provides that all access to transferred Child Support Information must be recorded and access records maintained for 6 years. Why is this retention period greater than the Child Support record retention period of 4 years and 4 months?