Scribd Logo
Upload

Welcome to Scribd!

  • Enterprise Information Security Risk Management Program Policy - tcm38 323799

    Uploaded by

    IT Samuel
    7 views3 pages
    This 3 sentence summary provides the key details about the Information Security and Risk Management Program Policy document: The policy establishes the Office of MN.IT Services' responsibility to set statewide information security policies and oversee executive branch IT security according to Minnesota law. It creates a comprehensive security program headed by a CISO to develop, monitor, and enforce security policies and standards to protect state data and systems from risks and address compliance obligations. The policy applies to all Minnesota executive branch agencies and defines roles and responsibilities for employees, vendors, management, IT and security staff to ensure compliance with security policies.

    Original Description:

    Original Title

    enterprise-information-security-risk-management-program-policy_tcm38-323799

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This 3 sentence summary provides the key details about the Information Security and Risk Management Program Policy document: The policy establishes the Office of MN.IT Services' responsibility to set statewide information security policies and oversee executive branch IT security according to Minnesota law. It creates a comprehensive security program headed by a CISO to develop, monitor, and enforce security policies and standards to protect state data and systems from risks and address compliance obligations. The policy applies to all Minnesota executive branch agencies and defines roles and responsibilities for employees, vendors, management, IT and security staff to ensure compliance with security policies.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    7 views3 pages

    Enterprise Information Security Risk Management Program Policy - tcm38 323799

    Uploaded by

    IT Samuel
    This 3 sentence summary provides the key details about the Information Security and Risk Management Program Policy document: The policy establishes the Office of MN.IT Services' responsibility to set statewide information security policies and oversee executive branch IT security according to Minnesota law. It creates a comprehensive security program headed by a CISO to develop, monitor, and enforce security policies and standards to protect state data and systems from risks and address compliance obligations. The policy applies to all Minnesota executive branch agencies and defines roles and responsibilities for employees, vendors, management, IT and security staff to ensure compliance with security policies.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    Information Security and Risk Management Program Policy

    From the Office of the Chief Information Officer, State of Minnesota

    Version: 1.5
    Effective Date: 1/1/2016
    Revised: 10/1/2022

    Policy Statement
    The Office of MN.IT Services is responsible, according to Minnesota Statutes, chapter 16E, for setting
    information security policies and standards and overseeing the security of the State’s executive branch
    information and telecommunications technology systems and services. As required by Minnesota Statutes,
    section 16E.03, subdivision 7, the Office of MN.IT Services will consult with agency heads and other compliance
    officials in state agencies to ensure that all federal information security requirements are incorporated into the
    policies and standards that govern the security of State data. To fulfill this responsibility a comprehensive
    information security program, headed by the Chief Information Security Officer (CISO) is in place to create,
    monitor and enforce state-wide information security policies and standards, identify and address vulnerabilities
    and risks and manage security incidents.

    Reason for the Policy


    A comprehensive information security program is necessary to ensure the State adequately protects the data
    and services entrusted to it by the public and addresses regulatory and compliance obligations. By setting a
    consistent set of requirements that everyone in the executive branch must follow and by establishing methods
    to monitor, assess and enforce those requirements, the State can better protect data and services.

    Roles & Responsibilities


    • Employees, Vendors, and Contractors
    o Be aware of and follow relevant information security policies, standards, and procedures.
    o Ensure information security is incorporated into processes and procedures.
    o Ensure contract language with contractors and vendors includes required information security
    controls.
    o Consult with information security staff on the purchase and procurement of information
    technology systems or services.

    Information Security and Risk Management Program Policy 1


    o Contact information security staff or email GRC@state.mn.us with questions about the
    information security policies, standards, or procedures.
    • Supervisors and Managers
    o Ensure employees and contractors are proficient in the information security policies,
    standards and procedures that are relevant to their role.
    o Hold employees accountable for following the information security policies, standards, and
    procedures.
    • Information Technology Personnel
    o Apply appropriate controls to the design, operation and maintenance of systems, processes,
    and procedures in conformance with the information security policies, standards, and
    procedures.
    • Information Security Personnel
    o Develop, maintain, and assess compliance with the information security policies, standards,
    and procedures.
    o Develop, maintain, and implement a comprehensive information security program.
    o Provide training on information security policies, standards, and procedures.
    o Assist agencies and personnel with understanding and implementing information security
    policies, standards, and procedures.
    o Notify appropriate personnel of applicable threats, vulnerabilities and risks to State data or
    systems.
    • Agency Data Practices Personnel
    o Assist agencies and personnel with questions on proper data use, collection, storage,
    destruction, and disclosure.

    Applicability
    This policy applies to all departments, agencies, offices, councils, boards, commissions, and other entities in the
    executive branch of Minnesota State Government.

    Related Information
    Minnesota State Statutes Chapter 16E

    Minnesota State Statutes Chapter 13

    Information Security Program Standard

    Data Protection Categorization Standard

    Information Security Risk Management Standard

    State Standards and Authoritative Source Cross Mapping

    Information Security and Risk Management Program Policy 2


    Glossary of Information Security Terms

    History
    Version Description Date

    1.0 Initial Release 4/21/2015

    1.1 Added Compliance Enforcement Date 12/29/2015

    1.2 Updated Compliance Enforcement Date and Template 12/20/2016

    1.3 Updated Compliance Enforcement Date 10/4/2017

    1.4 Modified document title and minor edits 3/10/2020

    1.5 Remove Compliance Enforcement Date and grammatical corrections 10/1/2022

    Contact
    GRC@state.mn.us

    Information Security and Risk Management Program Policy 3

    You might also like