State Data Center: Oregon Consumer Identity Theft Protection Act Information Forum, October 31, 2007


Upload: stephen-boyd

Post on 01-Jan-2016


TRANSCRIPT

Page 1: State Data Center Oregon Consumer Identity Theft Protection Act Information Forum October 31, 2007

State Data Center

Oregon Consumer Identity Theft Protection Act

Information Forum

October 31, 2007

Page 2:

SB 583 Technical Requirements

Assess risks in network and software design

Assess risks in information processing, transmission and storage

Test and monitor key controls, systems and procedures

Detect, prevent and respond to intrusions

Page 3:

Protecting Personal Information

Agencies own their data, including personal information, and are responsible for protecting it and reporting breaches

Technical architecture at the State Data Center can assist agencies in protecting personal information

Page 4:

State Data Center Role in Assessment

Provide input to the risk assessment process regarding:

Network design

Network security controls

Storage architecture

Location of applications

Page 5:

State Data Center Role in Monitoring and Intrusion Detection

System monitoring tools can be set up to alert on key failures

Log aggregation tools can provide alerting on key events

Network intrusion detection can alert on attempts to access key systems from the Internet

Page 6:

How State Data Center efforts will benefit agencies

New technical environment, “Shared Services,” provides granular network control

Increased network intrusion detection

Standard technical security controls on systems

Page 7:

Next steps …

Convene a work group of SDC staff and state agency representatives to:

Develop a common framework for assessing technical risks

Develop a set of best practices for applying technical safeguards to protect personal information

Identify opportunities to apply consistent controls to personal information access

Page 8:

Contact information

Marshall Wells, Security Manager
State Data Center
(503) 373-0949

Al Grapoli, Network Services Manager
State Data Center
(503) 378-3338