Current Activities
ISO 27001 Security Assessment
The purpose of this project is to produce a gap analysis of OIT's current information security posture, measured against best practice within an ISO 27001 framework, together with an action plan that allows OIT to plan the resources and budget needed to close any identified gaps.
ISO/IEC 27001 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and quantify the range of threats to which information is regularly subjected.
Annex A of ISO 27001 (and the supporting code of practice, ISO 17799) groups its controls into the following 11 control areas:
- Security policy - This provides management direction and support for information security
- Organization of information security - To help you manage information security within the organization
- Asset classification and control - To help you identify your assets and appropriately protect them
- Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities
- Physical and environmental security - To prevent unauthorized access, damage and interference to business premises and information
- Communications and operations management - To ensure the correct and secure operation of information processing facilities
- Access control - To control access to information
- Systems development and maintenance - To ensure that security is built into information systems
- Information security incident management - To ensure that security events and weaknesses are reported and handled consistently, so that corrective action is taken in time and lessons learned feed back into the ISMS
- Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
- Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement
The scope of the gap analysis covers all 11 control areas listed above.
Cabinet Agency Network Vulnerability Assessment
OIT sponsors an annual network vulnerability assessment program, developed in response to a recommendation of the Technology, Research, and Development subcommittee of the State of Ohio Security Task Force. The primary objectives of the program are to:
- cooperatively assess the information technology security vulnerabilities and risks of Ohio's cabinet agencies;
- support agencies in identifying vulnerabilities that, if exploited, could impact business operations;
- support agencies in identifying remediation actions for the identified vulnerabilities; and
- provide an independent assessment to each agency.
OIT Business Resumption Plan – Phase I (FY08)
OIT is approaching business resumption planning in two phases: a Business Impact Analysis and Risk Assessment (phase I), followed by a Business Resumption Plan (phase II).
OIT will use the results of the Business Impact Analysis and Risk Assessment to develop and implement a Business Resumption Plan that provides for continuing critical IT processes and delivering essential services at an acceptable level during a disruption of service, and for recovering OIT's IT facilities and capabilities afterwards.
The following deliverables are identified for this project:
- Business Impact Analysis Report - A written report identifying the business impacts and recovery-preparedness findings. These findings will help OIT management understand the potential consequences of a business interruption. The report shall cover, at a minimum:
  - Impact of business disruptions on internal and external stakeholders.
  - Inter-dependencies that each IT function has with other agencies, organizations and/or the public.
  - Criticality of each IT business function within OIT, and of that function relative to OIT's overall operations.
  - Recovery Time Objective (RTO) for each IT business function, i.e. the maximum tolerable time to restore the function after a disruption.
  - Recovery Point Objective (RPO) for each IT business function, i.e. the maximum tolerable data loss, expressed as the time since the last usable copy of the data.
- Risk Assessment Report - A report that considers the nature of OIT's information and systems, their business purpose, the operating environment, existing protections, the impact of a security breach, and the likelihood of a breach occurring. The report shall cover, at a minimum:
  - Documentation of the threats with the potential to cause harm to an IT process or service.
  - Documentation of the vulnerabilities in OIT's environment that those threats could exploit.
  - Analysis of the controls already implemented to reduce the likelihood of a threat exercising one or more vulnerabilities, and of how effective those controls are.
  - The probability of each identified vulnerability being exploited, given the current controls.
  - Recommended acceptable levels of risk, based on industry best practice, for each IT business function.