2006-74 - Minutes for Meeting October 27, 2005, Recorded 1/24/2006

Deschutes County Board of Commissioners
1130 NW Harriman St., Bend, OR 97701-1947
(541) 388-6570 - Fax (541) 388-4752 - www.deschutes.org

MINUTES OF DEPARTMENT UPDATE - INFORMATION TECHNOLOGY
DESCHUTES COUNTY BOARD OF COMMISSIONERS
THURSDAY, OCTOBER 27, 2005

Commissioners' Conference Room - Administration Building - 1300 NW Wall St., Bend

Present were Commissioners Michael M. Daly, Tom DeWolf and Dennis R. Luke. Also present were Mike Maier, County Administrator; and Dave Peterson, Bob Haas and Kevin Furlong, Information Technology. No representatives of the media or other citizens were present.

The meeting began at 10:00 a.m. See the attached agenda for the items discussed. No formal action was taken by the Board.

Being no further items addressed, the meeting adjourned at 2:15 p.m.

DATED this 27th Day of October 2005 for the Deschutes County Board of Commissioners.

ATTEST: Recording Secretary
Tom DeWolf, Chair
Dennis R. Luke, Commissioner

DESCHUTES COUNTY OFFICIAL RECORDS - NANCY BLANKENSHIP, COUNTY CLERK
COMMISSIONERS' JOURNAL 2006-74, recorded 01/24/2006 03:37:07 PM

From: Dave Peterson
Sent: Wednesday, October 26, 2005 10:24 AM
To: Kevin Furlong; Bob Haas; Dennis Luke; Mike Daly
Cc: Mike Viegas
Subject: IT's 10/27 meeting agenda.
Attachments: security initiative presentation for the bocc.doc

There are two major topics we wish to discuss at our quarterly liaison meeting.
1. Email management software - features, capabilities, issues, and impact
2. County-wide IT security initiative (please refer to the attached document)

See you on the 27th at 10:00.

Dave Peterson
Information Technology Director
Deschutes County
14 NW Kearney Av.
Bend, Or. 97701
Phone: (541) 388-6530; Fax: (541) 317-3180
mailto:dave peterson@.co.deschutes.or.us

County Security Program Initiative

Foreword - The following is a brief abstract of a report prepared by Julia Allen which is titled "Governing for Enterprise Security". The contents have been changed somewhat to make them relevant to our County government environment.

In today's political, social, and economic environments, addressing security is becoming a necessity for most, if not all, organizations. Customers, stakeholders, and citizens are demanding security as concerns about privacy and identity theft rise. Business partners, suppliers, and vendors are requiring it from one another, particularly when providing mutual network and information access. Espionage through the use of networks to gain intelligence and to extort organizations is becoming more prevalent. State, national and international regulations are calling for organizations and their leaders to demonstrate due care with respect to security.

Consider what may happen if the following occurred:
• customer data is compromised and it makes the headlines
• our reputation is negatively affected by a security breach, resulting in a loss of employee and constituent confidence and loyalty
• sensitive personal information such as mental health, room-tax, or criminal investigation data is stolen and made public
• we are found to be non-compliant with regulations (national, state, local) as they relate to the protection of information and information security (HIPAA and CJIS)
• our network goes down because of a security breach and we cannot conduct business
• we can't detect security breaches

The County's ability to take advantage of new technology opportunities may very well depend on its ability to provide open, accessible, available, and secure network connectivity and services.
Having a reputation for safeguarding information and the environment within which it resides will enhance the County's ability to provide services to its citizens and business partners. Opportunities deriving from an effective security program could include:
• enabling new types of products and services which lower costs and improve service
• communicating with customers and business partners in a reliable, cost-effective, and timely manner
• providing more secure access for internal and external staff to enterprise applications

Establishing and maintaining confidence in an organization's security and privacy posture increases the likelihood that our citizens will use the products and services offered by the County. In addition, being viewed as an ethical organization with a culture of doing the right things and doing things right (including security) has tangible value, as does being able to reliably demonstrate compliance and duty of care with respect to applicable regulations and laws.

Security is a Concern at the Highest Management Levels

Enterprise security is important to almost all organizations. But with so many other topics vying for leadership attention, what priority should be assigned to enterprise security? What constitutes adequate security, and what constitutes adequate oversight of it? How can leaders use governance to sustain adequate security in a constantly changing business, customer, risk, and technology environment?

Adequate security is about managing risk. Governance and risk management are inextricably linked: governance is an expression of responsible risk management, and effective risk management requires efficient governance. Inserting security into ongoing governance and risk management considerations is an effective and sustainable approach for addressing security. It is the fiduciary responsibility of senior management in organizations to take reasonable steps to secure their information systems.
Information security is not just a technology issue; it is also a corporate governance issue. As a result, director and officer oversight of corporate digital security is embedded within the fiduciary duty of care owed to the County's citizens, employees, stakeholders, and business partners.

Enterprise security means viewing adequate security as a non-negotiable requirement of doing business. To achieve a sustainable security capability, enterprise security must be addressed at the highest management levels and not be relegated to a technical specialty within the IT department. The role of boards of directors, senior executives, and indeed all managers includes establishing and reinforcing the business need for effective enterprise security. Otherwise, the organization's desired state of security will not be articulated, achieved, or sustained. If the responsibility for enterprise security is relegated to a role in the organization that lacks the authority, accountability, and resources to act and enforce, enterprise security will not be optimal.

Characteristics of Effective Enterprise Security Governance

County objectives guide and drive actions needed to govern for enterprise security. The connection to County objectives is evident from a list of organizational strengths that can be negatively affected if security governance is performed poorly, such as trust, reputation, public perception, competence, and the ability to offer and fulfill County services. Organizations are much more competent in addressing this subject if their leaders are aware of and knowledgeable about the issues and treat the governance of enterprise security as essential to their business.

For the past 18 months, Carnegie Mellon University's Software Engineering Institute has conducted in-depth discussions and interviews, workshops, and work with a wide range of organizations committed to improving their security capabilities.
Based on this work, they've identified the following set of beliefs, behaviors, capabilities, and actions that consistently indicate that an organization is addressing security as a governance concern:
• Security is enacted at an enterprise level. C-level (Commissioners, CEO, CFO, Boards of Directors) leaders understand their accountability and responsibility with respect to security for the organization, for their stakeholders, and for the communities they serve including the Internet community, and for the protection of critical local infrastructures.
• Security is treated the same as any other business requirement. It is considered a cost of doing business, not a discretionary or negotiable budget-line item that needs to be regularly defended. Business units and staff don't get to decide unilaterally how much security they want. Adequate and sustained funding and allocation of security resources are required as part of the operational projects and processes they support.
• Security is considered during normal strategic and operational planning cycles. Security has achievable, measurable objectives that directly align with enterprise objectives. Determining how much security is enough equates to how much risk and how much exposure an organization can tolerate.
• All function and department leaders within the organization understand how security serves as a business enabler (versus an inhibitor). They view security as part of their responsibility and understand that their performance with respect to security is measured as part of their overall performance.
• Security is integrated into enterprise functions and processes. These include risk management, human resources (hiring, firing), audit/compliance, disaster recovery, business continuity, asset management, change control, and IT operations. Security is actively considered as part of new-project initiation and ongoing project management, and during all phases of any software-development life cycle (applications and operations).
• All personnel who have access to enterprise networks understand their individual responsibilities with respect to protecting and preserving the organization's security condition. Rewards, recognition, and consequences with respect to security policy compliance are consistently applied and reinforced.

Which of these statements and actions are most important depends on an organization's culture. C-level leaders committed to dealing with security as a governance-level concern can use these statements to determine the extent to which this perspective is present or needs to be present in their organizations.

Summary

Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business. If an organization's management, including boards of directors, senior executives, and all managers, does not establish and reinforce the business need for effective enterprise security, the organization's desired state of security will not be articulated, achieved, or sustained. To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at the highest level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance.

What Now?

I respectfully request your support to develop a security program for the County which meets the objectives stated above. One of my greatest fears is to discover that our IT security program did not protect our systems, threatening the integrity of the County and the confidentiality of its citizens. Initially, I do not anticipate a need for additional resources to begin this project. We have contracted with Redhawk Network Engineering to provide IT security reviews annually for the next three years.
The security reviews have been budgeted with the costs shared between Risk Management and Information Technology. Redhawk's assessment may recommend the acquisition of software and hardware to better manage and support our security program. These recommendations will most certainly increase our costs, but to what degree is not known at this time.

Thank you for your consideration.