Public Employees Retirement System

1
Senate Bill 583 Implementation

• Public Employees Retirement System
• October 31, 2007
• Eric Sokol, CSD Administrator
• Jeffrey Marecic, ISD Administrator

2
PERS SB 583 Program Components

• Incident Response Plan
• Eliminate Sending Personal Information
• Information Security Program
• Issues

3
PERS Business Network
Employers
VPN
Treasury
D.O.R.
Salem PERS
VPN
VPN
SDC
VPN
Internet
VPN
VPN
BHS
Manual
CitiStreet
Rev-Q
Health Care Insurance Carriers
Mercer
Manual
VPN
Medical Advisors
72nd
Iron Mtn
Manual
HQ
4
Incident Response Plan

• Two Incident Response Teams
• Executive team makes policy and response
  decisions.
• Security Breach Response Team (SBRT) works under
  the direction of the Executive team and provides
  coordination, analysis, procedures and actions
  associated with suspected breaches.
• Other Sections of Agency Get Involved as Needed

Notification Best Practices Checklist Greatly
Assisted in Developing This Plan
5
Incident Response Plan
6
Eliminate Sending/Transporting Personal
Information

• Inventoried All System Generated Correspondence
• Completed/Nearly Completed
• Remove SSN Completely Where Possible
• Use Last 4 Digits Where Needed
• Move to PERS ID in the Long Term
• Relaxed Procedural Requirements that Lead to
  Returned Documents in the First Place
• Move to Redacting SSN and Personal Information on
  Member Records Requests
• Move to Secure FTP and VPN Instead of Tapes/Disks

7
Information Security Program

• Information Security Message Begins at the Top
• Information Security is Everyones Job
• Information Security Board Formed
• Security Awareness Training
• HR and ISD Leads the Training Effort Division
  Administrators Ensure Compliance

8
Information Security Program

• Policies and Procedures
• Review and Update
• Data Classification
• Data/Document Labeling and Handling
• Clean Desk Provisions
• Consultant/Contractor Compliance

9
Information Security Program

• Physical Security
• Key Card Access to All Work Areas and Sensitive
  Information
• Limited Access to Records Management Area
• Monthly Review of Access System

10
Information Security Program

• Data Files
• Network File Structure and Access
• Data in Transport (Tapes, Disks, etc.)
• Encrypt
• Password Protect
• Log Movements (senders and receivers)
• Electronic Transfer (SFTP, VPN, EDX, Email)
• Encryption
• Developer Environments
• Encrypted, Scrambled, Fictitious Data

11
Information Security Program

• Backup Tapes
• Encrypt
• Log movements

12
Information Security Program

• System Generated Reports
• Remove SSN Where Possible
• Limit Internal Distribution to Those Who Need to
  Know
• Track Reports
• When Printed
• When Delivered (internally)

13
Information Security Program

• Public Records Requests
• Redaction policy procedure

14
Information Security Program

• Applications
• Remove SSN From Screens
• Implement Role Based Access Control (RBAC)
• Replace SSN as Account Identifier
• ORION is Being Developed to Comply
• RIMS will be retired Q4/2009

15
Information Security Program

• Internal Audit
• Provides Periodic Assessments of Agency
  Compliance to Information Security Program

16
ISSUES

• 3rd party vendors out-of-state
• Vendor Certifications Required?
• Members Sending Original Documents
• Public Records Requests
• Member Records Requests
• Movement of Personnel Files
• Employer Data Exchange (SSN vs Another Identifier)