CSDA Policy & Regulations Committee
LCSA FEEDBACK FORM
New Information Security Standards and Revisions to the Information Security Manual
Identification:
Date Draft Letter Issued for Review:
August 18, 2009
Date LCSA Feedback is DUE:
August 25, 2009
Letter Topic:
New Information Security Standards and Revisions to the Information Security Manual
LCSA Feedback:
LOCAL RESOURCE IMPACTS (Efficiency)
San Bernardino
The proposed new policies will have limited impact on local
resources and efficiency primarily resulting from staff hours
needed to update local policies and procedures.
San Diego
Negative Impact. San Diego estimates an increase in
resources needed to support these standards.
Santa Clara
Physical Security Standard Section 2.2.2 item 7. We share a
building with a branch of the SCC District Attorney. There are
safeguards to get into the secure area of the building, but once
in, the elevator stops at all floors. There is no physical way of
preventing someone from getting off the elevator on one of our
LCSA's floors. As a note, the SCC DA personnel concerned are
cleared for more confidential information than are our LCSA
personnel.
Stanislaus
Local resource impacts should be minimal depending upon how
much documentation the local agencies currently maintain
related to facility security.
Elimination of the annual Certification Compliance requirement
in favor of compliance visits on a three-year cycle will be a
slight positive impact to local resources.
FEDERAL AND STATE PERFORMANCE MEASURE IMPACT(S) (EFFECTIVENESS)
Stanislaus
No anticipated impact on federal performance measures.
POLICY ISSUES
Kern
In regard to Section 2.1.1 item 2: Are we required to get a risk
assessment from our off-site storage vendor and from our
document destruction vendor in order to be in compliance?
San Bernardino
DCSS ISM 2109, Section 2: The last sentence in the
Confidential Information paragraph provides that FTI may not
be transferred via email. However, DCSS ISM 2111 provides
that confidential information may be transmitted over a public
network if it is encrypted. The sentence in Section 2 should
clarify whether an encrypted email may be used to transfer FTI.
DCSS ISM 2108; Section 2.1.2: Security guards/staff should be
included as a measure of securing perimeters.
San Diego
2.1 Facility Security
2.1.4.1 – 6
-The processes and procedures outlined in this section will
require FTE resources to produce and maintain.
2.1.4.1 (Risk Assessment)
-Can the state ISO provide a more defined procedure? What
Risk Assessment policy/procedures should LCSA’s follow?
2.1.4.6.d (Log and Audit Child Support Employee’s access to
facilities)
- Is this requirement necessary? The logging and auditing of
Child Support employees into LCSA facilities will take
considerable effort. A solution would be to automate security
access with approved funding (i.e., access card systems).
2.2 Work Area Security
2.2.1 Physical Premises training
-Can the state provide a syllabus that would allow for
consistency?
San Diego Department of Child Support Services follows
County Security policies and administrative procedures that are
for the most part in alignment with the proposed State ISO
standards. A few exceptions that the State ISO is
recommending will cause an impact to local resources and
efficiencies to meet state compliance. These exceptions are:
Information Owner Requirements: (Section 3.1)
-Steps 1 – 10 will require FTE resources to ensure and
document existing contracts and MOUs for compliance.
Data Transfer Agreement Requirements (Section 3.2)
-The requirement to develop and implement security measures
outlined in section 3.2 will impact both local resources and
external entities to some measure.
-3.2.6 Security Awareness Training: Will the state provide
LCSAs with an approved awareness training syllabus to
ensure consistency?
-3.2.7 Statement of Confidentiality: Will the state provide a
form to ensure consistency?
-Suggests the state provide training materials which would
provide external entities with an ISO approved curriculum.
-3.2.8 “All access to transferred Child Support Information must
be recorded…” Please provide an approved recording record.
Information Custodian Requirements (Section 3.3)
-3.3.7 Record/Logs retention
San Diego County uses a 4-year, 4-month retention policy. The
state ISO recommendation for 6 years is a concern to our
policy.
Stanislaus
Clarification needed on new Standard (2109) Secure Data
Transfer.
As written, this standard addresses the security requirements
for transferring confidential and personal Child Support
Information to an external entity as a result of a data sharing or
exchange agreement, such as a contract, inter-agency
agreement (IAA), memorandum of understanding (MOU), etc.
Would agencies granted 'view only' access to CSE, namely
welfare agencies, need to comply with this new standard? If so,
would LCSAs be responsible for ensuring compliance with ISM
requirements or would DCSS?
In addition, would this Standard apply to process servers
currently offering e-Service capabilities via CSE? They are
retrieving images of documents for the purposes of attempting
service. Said documents will contain certain personal Child
Support Information. If so, which agency would review and
monitor for compliance?
EDITORIAL FEEDBACK
San Diego
DCSS ISM 2108; Section 2.1.2, Item 6: The term "mantraps"
should be defined or explained.
TECHNICAL FEEDBACK
AUTOMATION IMPACTS
OTHER/MISCELLANEOUS
Kern
In regard to Section 2.2 Work Area Security: Is the requirement that
we ban cell phones with cameras and video from the Child
Support office?
Los Angeles
Materials reviewed by Chris Paltao, Departmental Information
Security Officer, Los Angeles County Child Support Services
Department, Bureau of Administrative Services; no comments.
Thank you for the opportunity to review this draft.
San Bernardino
Recommendation: The State should consider developing
standard Memorandum of Understanding (MOU) language for
LCSAs who have or will establish MOUs with outside agencies.
Question: DCSS ISM 2109; Section 3.2; Item 8 provides that all
access to transferred Child Support information must be
recorded and access records maintained for 6 years. Why is
this retention period greater than the Child Support record
retention period of 4 years and 4 months?