- Government Finance Officers Association

Avoiding Yesterday’s News: Keeping IT Policies
and Procedures Up To Date
May 23, 2016 | 10:30 am – 12:10 pm | 2 CPEs
Deirdre Finneran, Deputy Director of Finance, Fairfax County, VA
Lea Deesing, MPA, PMP, Chief Innovation Officer, City of Riverside, CA
Samuel BowerCraft, MSIS, CISA , Senior Manager, McKonly & Asbury, LLP
Mike Riffel, Senior Manager, Plante Moran
IT Policies: What is At Risk?
Innovation and Technology Department
City of Riverside, California
Presented by Lea Deesing, MPA, PMP
Chief Innovation Officer
RiversideCa.gov
RiversideCa.gov
RIVERSIDE, CALIFORNIA
“CITY OF ARTS AND INNOVATION”
RiversideCa.gov
RIVERSIDE, CALIFORNIA
• 
• 
• 
• 
• 
• 
Inland Southern California
Population 322,000
83 Square Miles
Charter City
Council-Manager based
Full Service City
– Water, Electric, Police, Fire, Trash,
Museum, Libraries
•  Operating budget $696M
•  Total budget $983M RiversideCa.gov
RECENT CITY DESIGNATIONS
– Forbes 8th Coolest City in America
– Forbes Rank #2 “Millennial
Boomtown City”
– California Air Resources Board’s
“Coolest California City”
– CareerBliss.com’s Rank #6 “Nation’s
Happiest Cities for Young
Professionals”
– SBA Startup in a Day Winner $50k
– 2016 Federally designated “Tech
Hire” community
RiversideCa.gov
INNOVATION & TECHNOLOGY DEPARTMENT
•  60 staff members
•  $11M department operating budget
RiversideCa.gov
RECENT IT AWARDS (2014/2015)
Finalist for Best Web Portal in
the Nation from the Center
for Digital Government
(2015)
Award of Excellence from the
Municipal Information Systems
Association of CA (2013, 2014, 2015)
Top 5 Government Website (2014)
Top 7 Best of the Web (2013,
2014, 2015)
Best Office of the CIO Award (2014)
Harvard
Innovation
Award for
Mobile
Applications
(2015)
Top 6 in the Digital
Cities Award for Cities
over 250,000 (2013,
2014, 2015)
RiversideCa.gov
HIGH-RISK IT POLICY AREAS
•  Technology Use and
Security Policy
–  For all City staff
•  Information Systems Security
Policy
–  For IT Staff
RiversideCa.gov
Why We Need Layered
Security, Defense In
Depth, and
Cybersecurity Training
…and a policy or two
RiversideCa.gov
WE ARE AT WAR
Real-time Attack Map
RiversideCa.gov
“There are two kinds of big companies in the
United States.
There are those who've been hacked by the
Chinese…
…and those who don't know they've been
hacked by the Chinese.”
--FBI Director James Comey, October, 2014
RiversideCa.gov
2014: “YEAR OF THE HACK”
RiversideCa.gov
THE THREAT LANDSCAPE
HAS CHANGED
•  Antivirus
•  Server Patches
•  A Rock-Solid
Firewall
•  Periodic Audits
–  Didn’t have time
to look at server
logs proactively
RiversideCa.gov
DEFENSE IN DEPTH
Our policies should reflect these layers
RiversideCa.gov
BREACH TIMELINE
Breach Occurs START 60% of data in breaches is stolen in hours Hours 54% of breaches remain undiscovered for months Months Information of up to 750 million people on the black market over the last three years Years RiversideCa.gov
Graphic provided by Sigmanet EARLY DETECTION IS KEY
•  Complete Prevention is impossible
•  Early detection and remediation is key
–  Detect and stop advanced attacks while they
are happening, or soon thereafter
•  User Cybersecurity Training is critical
RiversideCa.gov
TECHNOLOGY USE AND
SECURITY POLICY
•  For end users
•  Signed by end users, placed into HR manual
•  Requires annual security awareness training
•  Includes:
–  Acceptable Use, Unacceptable Use –  Cybersecurity training requirements –  Password requirements –  Screen saver requirements –  Software requirements –  Remote Access –  Web monitoring/filtering –  List prohibited types of sites –  …much more •  Place “I have read…” upon login screen.
RiversideCa.gov
IT SECURITY POLICY
•  For IT Department
•  Signed by all IT Employees (technical staff)
•  Includes:
– Internal security procedures – Ethics – must have a business need to access systems or data – External security audit requirements – Account audit requirements RiversideCa.gov
HIGH-RISK IT POLICY AREAS
•  Data Loss Prevention
•  Data Management
•  Data Hygiene
RiversideCa.gov
DATA LOSS PREVENTION
•  Data Loss Prevention (DLP)
• 
• 
• 
• 
You can’t protect what you don’t know you have You can’t afford all the layers you need You can’t afford a breach (average $200 per record) You need to prioritize layers around protecting your crown jewels •  Detection/Scanning of PII
RiversideCa.gov
PERSONALLY IDENTIFIABLE
INFORMATION (PII) SCANNING
RiversideCa.gov
DATA MANAGEMENT
•  Data management policy for good data
hygiene
–  Guidelines on where to store confidential data
–  Guidelines on where confidential data may be
printed (hardcopy)
–  When NOT to store data
–  Frequency of routine scans
–  Department’s active involvement on
maintaining good data hygiene
–  Records retention schedules should be up-todate
RiversideCa.gov
HIGH-RISK IT POLICY AREAS
•  Physical Security
RiversideCa.gov
ADDITIONAL SECURITY INITIATIVES
•  Physical security Policy
–  Employee Access/Photo Badges
•  Require employee to wear badges
•  Audit badge security access—need based only
•  “No tailgating” rule
–  Require Inventory of all IT facilities
•  Training for those who service data centers
•  Assess and document security equipment,
Uninterruptable Power Supplies (UPS), cable
management, door locks, HVAC, ventilation
•  What else is stored in these locations?
•  Take measures to improve
RiversideCa.gov
ADDITIONAL IT POLICY AREAS
•  Equipment Inventory
•  Software Licensing
Inventory
•  Internal Controls & Audits
•  Mobile Device Policy
RiversideCa.gov
EQUIPMENT INVENTORY
•  Inventory Anything
over $100?
–  Hold someone
accountable for
items
–  Sign check-out
sheet, store in HR
files
–  Pull these forms
during HR outprocessing
RiversideCa.gov
SOFTWARE INVENTORY
•  Annual Inventory
or Audit of
Software
Licensing
–  Understand what
types of licensing
you have
employed
–  How is an
accurate count
being tracked?
RiversideCa.gov
SOFTWARE INVENTORY
•  Software Licensing
–  Operating Systems,
Databases,
Backups, Virtual
Servers
–  Mobile Software
–  Utilities
–  Clip art
RiversideCa.gov
INTERNAL CONTROLS & AUDITS
•  Tight Controls over
Approval Routing Security
–  What if someone moves to
another department?
–  Audit! Ask IT Department for
monthly reports showing who
can approve what and
when
RiversideCa.gov
MOBILE DEVICE MANAGEMENT
•  Mobile Device Policy
Addresses:
–  Remote management
–  Safety issues
–  Security issues
–  Privacy issues
–  Who must have Mobile
Device Management
(MDM) Software installed?
•  Stipend devices?
•  City-owned devices?
RiversideCa.gov
HIGH-RISK IT POLICY AREAS
•  Technology Procurement
Policy
RiversideCa.gov
SOFTWARE PROCUREMENT
•  Cloud-based software vs. Onpremise
•  Cloud “Software As A
Service” (SaaS)
–  Slick Factor/Ease of procurement
–  Often result in rogue purchases
•  Important to have purchasing
controls, policy, & training around
this issue
•  We have a checklist – we need a
policy
RiversideCa.gov
SOFTWARE PROCUREMENT
•  Once cloud software is in
use by a number of
employees, it is often too
late to ask these questions
•  Have procurement
policies in place up front
RiversideCa.gov
ADDITIONAL INFORMATION
•  Exception Management
•  Build a process into your policy for
exceptions - multiple signatures
•  Evaluate risks associated with
exceptions
•  Periodically Review Proposed
Policies
•  Agency-wide Departments
•  Human Resources Department
•  Unions
RiversideCa.gov
THANK YOU
RiversideCa.gov
The Importance of Policy and Process Setting the Bar –  Senior Manager in the Internal Audit and Management Consulting Group. –  Security consulting related to financial data, information systems, and assets. Samuel BowerCraft –  Experience with strategic oversight and planning; management; operations and installation of technical infrastructure; software; and systems. –  M.S., Information Systems –  B.S., Engineering –  Certified Information Systems Auditor (CISA) Agenda –  Purpose of IT –  Governance, Policy, and Communicating Expectations –  Policy / Procedure Basics The Illusion of Transparency –  What is your philosophy? Philosophy of Technology –  How do you view technology? –  How do you perceive technology for: –  Getting personal things achieved? –  An organization and how they achieve their required objectives? –  Getting things done? Data drives decisions… Decisions drive behavior… The Age of Data Behavior drives consequences… Consequences determine our happiness. Who cares about their happiness? –  IT is central to <blank> in your organization. –  If it is central, it must be important. IT Plays a Role –  We [should] protect what is important http://www.xkcd.com/1215/
10 Reasons People Don’t Exercise 1. 
You hate to do it. 2. 
You tried, but quit. 3. 
6. 
You want to, but you have other priorities. You can’t afford it. 7. 
You lose motivation. 4. 
You don’t see a change. 8. 
It is hard (ouch). 5. 
You don’t know how. 9. 
Maintaining the routine is difficult. 10.  No time! 10 Reasons People Don’t Focus On IT Security / Policies 1. 
You hate to do it. 2. 
You tried, but quit. 3. 
6. 
You want to, but you have other priorities. You can’t afford it. 7. 
You lose motivation. 4. 
You don’t see a change. 8. 
It is hard (ouch). 5. 
You don’t know how. 9. 
Maintaining the routine is difficult. 10.  No time! Communication How will you practice? –  Clarity –  Consistency –  Purpose Governance –  A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. –  A policy is a statement of intent, and is implemented as a procedure or protocol. Objectives Role of Policy in Your Organization Policy & Procedures Risks, Processes, & Controls Application Controls Information Technology IT governance is defined as: ITGI (ISACA) Definition – …governance is the responsibility of the board of directors and executive management. IT is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. 48 –  There is a need for greater accountability for decision-­‐making around the use of IT in the best interest of all stakeholders. Governance & Policies –  IT capability is directly related to the choices made by management with long term consequences for various stakeholders. –  There should be clear accountability for respective responsibilities in the decision making processes affecting IT (execs, mgmt., users, IT). –  Communication is VITAL! –  Define, establish and align expectations with the overall enterprise and control environment. Objectives & Purpose of Policies –  Use a framework from a suitable IT process and control model (e.g. COBIT) – helps to cover your bases (checklist). –  Confirm the framework ensures compliance. –  Aligned with and confirms delivery of enterprise strategies and objectives. –  Regular reporting is required and delivered… as expected based on policy. Policy and Processes Knowledge Requirements Identified Why So Important? Communication and Training Performed –  How can one be successful without the proper knowledge to succeed? Processes Performed The MAIN Risk –  Lack of clarity of: –  Purpose –  Objectives –  Expectations –  Which leads to: –  Wasted time –  Wasted resources –  Policy’s Function The Basics –  What needs to be done. –  Statement of intent. Policy’s Purpose –  Communication –  Expectations and responsibilities –  Consequences –  Consistency The Basics –  Influence behavior –  Simplify decision making –  Improve productivity –  Meet requirements –  Checklists work –  Specific as needed –  Avoid problems –  Procedure’s Function –  What needs to be done and how. –  Statement of process to achieve an intended result. The Basics Procedure’s Purpose –  Communication –  Expectations and responsibilities –  Detailed steps –  Consequences –  Consistency The Basics –  Influence behavior –  Simplify decision making –  Improve productivity –  Meet requirements –  Checklists work –  Specific as needed –  Avoid problems Policy: What to do. The Basics Procedure: How to do it. Policies: The Universe –  All IT Policies –  Scoping Policies for your Environment –  Developing Policies Policies: The Universe –  Mike Riffel 1.  Stakeholders Policies: The Universe Communication 2.  Overview 16.  Computer Resources 3.  Scope 17.  Employee -­‐ Email Use 4.  Compliance 18.  Smart Mobile Devices 5.  Maintenance 19.  Remote Access 6.  Security Responsibilities 20.  Traveling with Devices 7.  Violations 21.  Security Program 8.  Governance 22.  Risk Management 9.  Roles and Responsibilities 23.  Security Training and Awareness 10.  Enterprise Information Model and Data Classification 11.  Confidential Information 12.  Production Information 13.  Personal Information 14.  Employee -­‐ Acceptable Use 15.  Monitoring of Electronic 24.  Incident Reporting and Response 25.  Security Practices 26.  Network Security and Perimeter 27.  General 28.  Modems Policies: The Universe 29.  Firewalls 37.  Audit Policy 38.  Antivirus Policy 39.  Physical and Environment Security 40.  Backup and Recovery 41.  Patch Management 42.  Change Management 43.  Monitoring and Evaluation 30.  Vulnerability and Penetration Testing 31.  Wireless Security 32.  Applications and Database Security 33.  Access Control 34.  Service Accounts 35.  Default, Guest, and Vendor Accounts 36.  Password Policy Policies: The Universe SANS Version https://www.sans.org/security-resources/policies/
Policy Components –  Use a framework to guide you. –  You are building a governance structure – this requires planning. –  Management principles are being memorialized. –  These are decisions made now regarding how to act later. Policies: Scoping –  Begin with: –  An overview of your environment; –  Inventory of systems and hardware; and –  Documentation of responsibilities. –  Define the purpose and intent of the policies required: –  Setting expectations on what must be done to achieve goals, and –  To ensure continued business operations. –  Review your objectives for information technology: –  How does IT support the business? –  What does IT need to do in the normal course of operations? How to Scope –  IT General Controls –  Review your policy requirements: –  Regulatory requirements for policies. –  Communication requirement: what should be written down? –  Expectation requirement: what must be written down? Business How to Scope Information Systems Regulatory Individuals with IT Responsibilities –  CEO –  CFO Roles To Review –  CIO –  CSO (security) –  CRO (risk) –  IT Governance Committee members –  IT Resources –  IT Users Area How to Scope Policy Area Policy Owner Business User Access Process Data Backup Business Owner w/ IT IT IT IT w/ Business Owners General IT Controls Incident Response Regulato Regulatory Specifics ry Personal Information Security CIO, Director –  Tools are available to help structure and communicate policies. Developing Policies –  GRC toolsets –  Can be helpful –  You must have a process that will be supported by the software! –  A list: http://www.capterra.com/policy-­‐management-­‐software/ –  Boilerplate language will help you get started, but… –  YOU MUST STILL REVIEW THE POLICY TO CONFIRM ITS ACCURACY. –  Which is worse: –  Having a policy and not following it? –  Not having a policy in place? 1.  Use a consistent structure -­‐ template. 2.  Identify common information to include: title, date created, date updated/version, purpose, owner (one person), contributors (many people). Developing Policies Key Steps 3.  Identify dates for next review and who should receive the policy. 4.  Keep the policy clear and simple: 1. 
2. 
3. 
Longer policies are not necessarily better. Focus on the purpose of the policy: to communicate expectations and principles. Reference process documents in the policy as needed. 5.  Group policies together as appropriate. 1. 
2. 
One file with 50 related policies versus, 50 policy files. Common information to include: –  Title –  Date created –  Date updated/version, next review date Developing Policies Key Steps –  Owner (one person) –  Contributors (many people) –  Overview/Background (context) –  Purpose –  Scope (what is in, what is out) –  Policy –  Policy Compliance (consequences, exceptions) –  Related Standards (other policies, procedures) –  Definitions/Terms Developing Policies Example Developing Policies Developing Policies Developing Policies Communicating Policies Have a plan for: –  Reviewing policies (note who owns a policy and who has input). –  Re-­‐issuing / re-­‐communicating policies: –  Where is your timeline? –  What is your plan? –  Hope is not a plan. –  “I will remember” is not a good plan.
–  A tool (software) can support this process, but only if you have a process for it to support. Common information to include: –  Title –  Date created Developing Procedures Key Steps –  Date updated/version, next review date –  Owner (one person) –  Contributors (many people) –  Overview/Background (context) –  Purpose –  Procedures (checklist) –  Related Standards (other policies, procedures) –  Definitions/Terms Maturity Model –  Policies (& procedures) can be at different levels of maturity –  Levels with management response: Maturity Model –  COBIT 4.1 – has detailed explanations for each process and maturity level (great resource). –  COBIT 5 – new view of maturity; similar… but different. Figure 1: COBIT Focus, Volume 3, July 2012
“Why Using Visual Maturity Scoring Is an Added Value for Any Auditor”, Marc Vael
Maturity Model –  Definitions of Levels: Figure 12: COBIT 4.1; 2007
Policy / Document Review Tip –  I highlight the entire document in yellow… –  And un-­‐highlight as I go. –  I then know what is reviewed and what is pending. Sharpen Ourselves “Through readiness and discipline we are masters of our fate.” –  Master Sergeant Farell Knowledge Levels –  http://www.psia-­‐nw.org/newsletter-­‐articles/blooms-­‐taxonomy-­‐levels-­‐of-­‐understanding/?doing_wp_cron=1406400452.1632280349731445312500 Keep Calm and Carry On –  SANS 20 Critical Controls –  https://www.sans.org/media/critical-­‐security-­‐controls/CSC-­‐5.pdf –  SANS Policies –  https://www.sans.org/security-­‐resources/policies/ References –  Article on Working Across Business Groups –  https://hbr.org/2015/09/jack-­‐welchs-­‐approach-­‐to-­‐breaking-­‐down-­‐silos-­‐
still-­‐works –  Great Book: The Checklist Manifesto –  http://atulgawande.com/book/the-­‐checklist-­‐manifesto/ –  Go see Zootopia (it was amazing) –  http://www.imdb.com/title/tt2948356/ Questions? Samuel BowerCraft [email protected]
Implementing Policies: Taming the Dragon Thank you. Avoiding Yesterday's News: Keeping
IT Policies and Procedures Up to Date
2016 GFOA CONFERENCE
Influences of Technology Evolution
• 
External influences will
impact your future
direction as much as or
more than maintaining
the existing
environment.
• 
Will drive future
technology policy,
planning and
investments.
• 
Not every IT “buzzword”
should be immediately
actionable
Mobile Green IT Current
Gov IT
Operations
Cloud Others 89
Digital Government
Ci4zen Experience Enhanced Control Data Analy4cs Connec4vity Automa4on Innova4on Big Data Service Innova4on Service Delivery 90
Technology Project Portfolio
• 
• 
• 
• 
Align projects with strategic vision
Determine priority/timing
Identify Policy ‘Gaps’ Proactively
2015-2016 Popular Initiatives
- 
- 
- 
- 
- 
- 
Workforce Mobility
Cloud
Collaboration
eCommerce
Strategic Sourcing
Big Data
91
Aligning Policy with Vision
Workforce Mobility
•  Computer and Internet Usage Policy/
Acceptable Use Policy
•  Remote Access Policy
•  Data Back-Up Policy
•  Mobile and Personal Device Policy
•  Portable Storage Policy
‘Cloud’
• 
• 
• 
• 
Cloud Computing Policy
User Access Policy
Compliance Policy
Exit strategy
Collaboration
•  Social Media Policy
•  Acceptable Use Policy
•  Compliance Policy
Strategic Sourcing
•  IT Asset Management Policy
•  IT Service Catalog
•  Service Level Agreements
IT Services Catalog
IT Governance IT Strategy and Leadership IT Planning and Project Management Infrastructure Network / Telecom. General Support Applica3ons Help Desk Applica4on Development Desktop Support Applica4on Maintenance Database Administra4on Applica4on Support & Deployment Fiber Infrastructure Radio / Wireless Data Center Opera4ons Phone System Security Disaster Recovery Provided In-­‐House Par4ally Outsourced Fully Outsourced 97
Business Intelligence/‘Big Data’
• 
• 
• 
• 
Data management and retention policy
Data back-up policy
Compliance policy
Performance metrics
E-commerce
•  Security penetration testing policy
•  Compliance policy
•  Help desk policy
IT Policy Building Blocks
• 
• 
• 
• 
• 
• 
Disaster Recovery Plan
Password Policy
Email Usage Policy
Change Management Policy
Infrastructure Refresh Policy
Patch Management Policy
Incident Response
101
Incident Response Plan
•  Communication
•  Continuity of Operations
•  Recovery
Keeping Policy Current
103
Updating Policy
•  Who makes IT policy?
•  Who identifies policy requirements prior to a
project?
•  IT Governance is imperative
IT Governance
Implement an IT Governance Model that
encompasses:
- 
- 
- 
- 
- 
- 
IT policy
IT procedures
IT standards
Annual technology budgeting
Project portfolio management
Return on investment (ROI)
Sample IT Governance Structure
Administrator/Manager/CEO Approve IT Policies and Procedures IT Steering Commi9ee IT Standards IT Leadership Team/CIO Technology Standards Commi9ee Assistant Manager Support Review IT Administrator Central IT Staff Departmental Stakeholders Annual Technology Planning Annual Technology Budget Dept. and Line of Business Projects Create Enterprise Projects 106
Sample IT Governance Functions
IT Policies & Procedures IT Standards Annual Technology Planning Annual Technology Budget Departmental and Line of Business Projects Enterprise Projects ExecuJve/CIO Approve Approve Support Approve Support Approve IT Steering Commi9ee Approve Approve Approve Approve Support Support Review Approve Review Review Support Support CFO 107
IT Steering Committee
ResponsibiliJes IT Policies & Procedures •  Approve IT procedures IT Standards •  Approve IT standards Annual Technology Planning •  Approve, as needed, the strategic technology impera4ves in terms of relevance and priority Annual Technology Budget •  Approve ROI model •  Review and approve project priori4za4on criteria and weigh4ng •  Review, rank and priori4ze ad-­‐hoc commiSee, CIP and non-­‐CIP project requests Departmental and Line of Business Projects •  Provide oversight to major projects Enterprise Projects •  Give life to poten4al Enterprise-­‐wide ini4a4ves that may originate from mul4ple sources •  Ini4ate subcommiSee to evaluate Enterprise-­‐wide ini4a4ve feasibility •  Conduct periodic monitoring of Enterprise-­‐wide projects 108
Influences of Technology Evolution
• 
External influences will
impact your future
direction as much as or
more than refinements
to the existing
environment.
• 
Will drive future
technology planning
and investments.
• 
Not every IT “buzzword”
will be immediately
actionable
Mobile Green IT Current
Gov IT
Operations
Cloud Others 109
Questions
Thank You
Mike Riffel
[email protected]