Security Plans
Workshops
Purpose: Oregon Administrative Rule 125-800-0005 -- 20 requires all agencies to complete information security plans and submit them to DAS for approval. Plans are due on or before July 30, 2009. DAS is facilitating hands-on workshops to help small and medium-sized agencies write their security plans. Participants will use the DAS-developed template, and agency peers will be available to serve as mentors both in the workshop setting and by telephone and e-mail. Participants can bring laptops or work with hard copies of the template.
 
Each workshop will consist of two 3-1/2 hour sessions. During the first session, participants will be oriented to the purpose and objectives of the security plan, statewide policies, and information security control objectives; discuss what information is needed and who in the agency should be included in the planning process; and work through the plan template. Between sessions, participants will be expected to work with their agency staff to gather information and requirements and to begin drafting their plans. In the second session, work on the drafts will continue, and we will discuss next steps such as implementing the plan, employee awareness, and measuring success. Mentors and ESO staff will be available to review the drafts and assist with additional questions.
 
Audience: The workshops are targeted at small and medium-sized agencies with limited information security staff resources. Participation will be limited to no more than two representatives from any one agency.
 
Workshop One:
  Session 1: Tuesday, September 9, 2008 -- ** COMPLETED **
  Session 2: Monday, September 29, 2008 -- ** COMPLETED **

Workshop Two:
  Session 1: Tuesday, October 7, 2008 -- ** COMPLETED **
  Session 2: Monday, October 27, 2008 -- ** SESSION FULL **

Workshop Three:
  Session 1: Wednesday, November 5, 2008, 1:00 p.m. to 4:30 p.m., Salem
  Session 2: Thursday, December 4, 2008, 1:00 p.m. to 4:30 p.m., Salem

Workshop Four:
  Session 1: Thursday, February 5, 2009, 8:30 a.m. to 12:00 noon, Portland
  Session 2: Thursday, February 26, 2009, 1:00 p.m. to 4:30 p.m., Portland

 
Registration: Class size is limited, and participants are required to register in advance. To register, contact Cinnamon Albin at the DAS Enterprise Security Office.
 
 
 

 
Purpose
The purpose of the statewide Information Security policy 107-004-052 (effective 7/30/2007) is to emphasize the state's commitment to information security and provide direction and support for information security in accordance with business requirements and relevant laws and regulations.
 
The policy requires agencies to develop and implement information security plans, policies and procedures that protect their information assets from the time of creation, through their useful life, and through proper disposal. Per Administrative Rule 125-800-0005 -- 0020, agency plans must be approved by DAS. Plans must be submitted to DAS through the EISPD Enterprise Security Office on or before July 30, 2009. The basic information protection requirements include, but are not limited to:
  • Compliance with applicable legislative, regulatory, and contractual requirements;
  • Identifying information assets;
  • Determining the value of information assets to the agency and the business processes they support;
  • Assessing the vulnerability and risk associated with information assets;
  • Providing the level of protection that is appropriate to the information assets' vulnerability, risk level, and agency value;
  • Security education, training, and awareness for all users of agency information assets;
  • Identification of general and specific responsibilities for information security management, including reporting information security incidents;
  • Communication of information security policies throughout the agency to users in a form that is relevant, accessible and understandable.
 
Each agency will establish a security plan to initiate and control the implementation of information security within the agency and manage risk associated with information assets. The plan will include:
  • Processes to:
    • Identify agency information assets;
    • Determine information sensitivity;
    • Determine the appropriate levels of protection for that information;
  • Applicable state directives and legal and regulatory requirements;
  • Identification of roles and responsibilities for information security within the agency;
  • Identification of user security awareness and training elements; and,
  • Information security policies that govern agency information security activities.
 
 
 

 
Agency Resources

 
The Enterprise Security Office has developed plan guidelines, a sample template, and a criteria sheet that all agencies will use to transmit their plans for ESO review.
 

  • Information Security Plan Guidelines (rev. 9/2/2008) (Word)
  • Information Security Plan sample template (Word)
  • Agency Information Security Plan Review Criteria (Word)
  • Information Security policy (pdf)
  • Communication Forum presentation (6/23/2008) (PowerPoint)
 
WORKSHOPS -- Agency-provided resources
 
Public Employees Retirement System:

  • Information Security Plan (draft) (Word)
  • End-User development standards (pdf)
  • Information Security Board mission, goals and guiding principles (PowerPoint)
  • Information Asset Classification project plan (Word)
  • Information Security guiding principles (draft) (Word)
  • Information Security Plan excerpt - Security Policy (draft) (Word)
  • Information Security Plan excerpt - Physical Security (draft) (Word)
  • ISB Charter (Word)
  • ISB Information Handling Standards Questions (Excel)
 
Secretary of State:

  • Awareness Program Recommendations (Word)
  • Information Security Review Board charter (Word)
  • Non-Disclosure Agreement (pdf)
  • Employee Agreement to Comply with Information Security Policy (pdf)
  • Information Security policy (pdf)
  • Information Asset Classification policy (pdf)
  • Acceptable Use of Electronic Systems policy (pdf)
  • User Password policy (pdf)

 
Agency Provided Material

PERS:

  • Information Security Policy (2012) (pdf)
  • Password Policy (2012) (pdf)
  • Data Classification Policy (2012) (pdf)
  • Physical Security Facility Access Policy (pdf)
  • SDLC Policy (pdf)
  • Systems Access and Termination Policy (pdf)