Welcome

Department of Child Support Services Information Security Office

Information Security Awareness Training

1

DCSS INFORMATION SECURITY OFFICE

Policy / Information Security Awareness Risk Management Program and Systems Security

Incident Management Monitoring

Business Continuity

Compliance

Safeguard Reviews
2

INFORMATION SECURITY

SEC-

-Y

Training Objectives
Enhance awareness and understanding of:

Information Security Requirements

Challenges and Vulnerabilities Responsibilities in accessing Child Support Services information

Security Practices
4

What is Information Security?

Information Security is the protection of

information and assets to preserve :

Confidentiality Integrity Availability

Why Information Security?

Federal Protect

and State Requirements

Child Support Information and Services Public Trust

Preserve

Financial
Makes

Losses

Business Sense
6

Information and Assets

Information Systems

Facilities

Support Customer Applications

Newsletter

Equipment

Responsibility

Asset Owner Custodian

User

Information Classification

Public Information Confidential Information

Personal Sensitive

Public Information
Information

authorized for access and disclosure

10

Confidential Information
Protected from disclosure by law
Information maintained by state/ local agencies that require precautions to protect it from unauthorized access, modification, or deletion.
Examples of Confidential Information:

Child Support participant information System navigation manuals (procedure or access codes, etc), Legal Opinions, and some operational manuals

11

Confidential Information
Personal Information:
An individuals name in combination with one or more of the following elements:

Social security numbers Drivers license numbers Account number; credit card or debit card number, in combination with a required access code

12

Confidential Information
Sensitive Information:
Requires special precautions in handling and disclosure.
Agency

operational or procedural manuals

Integrity

Organizational

13

Child Support Information Security Laws and Regulation

Internal Revenue Code section 6103, 7431,

7213(a), 7213A

42 United States Code section 454 California Welfare and Institutions Code sections 11478.1 California Family Law Code section 17212

22 California Code of Regulations sections

111430
14

Laws and Regulation

Compliance matters: Unauthorized access, use or disclosure of confidential information is:
Criminal

under State and Federal laws

Punishable

15

Federal IRS Requirement (UNAX)

The willful and unauthorized inspection or unwarranted disclosure or use of Federal Tax Information (FTI).

Fine: Jail :

Penalties California Law Misdemeanor up to $1000 Up to 6 months

Federal Law Felony Up to $5000 Up to 5 years

16

Shared Confidential Information

Internal

Revenue Service

CA
CA

Franchise Tax Board

Employment Development Department

CA

Department of Motor Vehicles

17

Information Security Policies and Practices

18

DCSS Information Security Policy

YOUR RESPONSIBILITY

Access Management Separation of Duties Acceptable Use Data Protection Physical Security Passwords

Social Engineering Remote Access Portable / Mobile Computing and Storage Devices Conflict Recusal Incident Reporting

19

Access Management
Golden Rule
Acceptable Use
Need

to Know

Authorized

20

Separation of Duties

Split sensitive/ critical tasks among individuals to:

Avoid fraud Corruption Inappropriate activities

Enforce controls requiring collaboration for wrong doing

21

Acceptable Use

Use resources for authorized purposes Use of Child Support resources may be monitored

Expect monitoring and inspection of your

acitivities Protect the Child Support Information & Resources
22

Data Protection

Hard Copy
Lock

it up

Printer/fax Shred

23

Data Protection
Encrypt Electronic Data
In Transit
Secure web services Data transfer VPN E-mail

In Storage
Portable
Laptops Hard

Devices

Disk / CDs

USB
DVD

24

Physical Security

Use badge Proper display of badge NO tailgating Escort Visitors Report

25

Physical Security
Work Area Security Practices

Protect printer and fax machine Clean Desk Lock Computer Secure information on the monitor

Shred confidential and sensitive

26

27

Passwords Protect IT!

Long Hard to guess Change frequently Select strong password:

Refer Information Security Manual 2101

Passwords Standard

28

Passwords
You are personally responsible and accountable for all activity occurring under your User ID and password.

Protect Your Password

29

DO YOU KNOW THEIR IDENTITY?

30

Peter Steiner, New Yorker 1993

Social Engineering
Dont give out Information unless you determine:

The receiver has the Need To Know

The receiver is authorized to receive

31

Phishing Stats
6.1 billion phishing emails per month 28,888 phishing reports (Jun 07) 55,643 phishing websites reported (Apr 07)

Anti-phishing.org

32

Remote Access

You must have a business need

Management approval
DCSS approved solution

Contact your IT or ISO for help

33

Portable or Mobile Devices

Department

owned

Encryption
Physical Report Logical

activated

protection

lost/stolen protection

34

Conflict Recusal
Employees must not access information from any Child Support case in which one participant is a(n): Employee Relative of the Child Support employee Person with whom the Child Support employee cohabits Close Friend or Business Associate

35

INCIDENT MANAGEMENT

Incident Reporting

36

What To Report?

Any suspected or actual event that threatens:

The confidentiality, integrity and/or availability of Child Support information A person or property located at any Child Support facility Suspected virus or computer problem Lost or stolen information/ information asset Unauthorized access Inappropriate activities Unauthorized/suspicious people or activity in facility
37

Examples:

Where To Report

CONTACT

Local Management or information security person

Call the DCSS Security Desk at 888-DCSS-Help; 888-327-7435 Email the DCSS Security Desk at [email protected] Mail completed incident report

DCSS Information Security Office P.O. BX 419064, MS10 Rancho Cordova, CA 95741-9064

38

ANNUAL CERTIFICATION REQUIREMENT

Execution of Confidentiality Statement & UNAX

UNAX 39

Final Thoughts
If not you, who? If not now, when?

40

Remember!

Security is Everyones Business!!

Department of Child Support Services

41