INFORMATION SECURITY
Information security in the Office of the Chief Information Officer (OCIO) is one of strategy, governance, oversight and management of information technology risks focused at the County level, not one of providing information security operations. Under the direction of the Chief Information Security Officer (CISO) Departmental Information Security Officers (DISOs) perform the same functions at the department level through information security governance. The distributed environment within LA County places authority and responsibility for information security operations within the 37 individual departments.
Who We Are
Ralph Johnson
Chief Information Security Officer
Jeff Aguilar
Deputy Chief Information Security Officer
Chris Paltao
Deputy Chief Information Security Officer
Vacant
Deputy Chief Information Security Officer
Vacant
DISO as a Service
Information Security Vision, Mission & Philosophy
VISION
Establish Los Angeles County as a model and national leader in the protection of information assets.
Mission
Promote and facilitate effective information security and privacy.
Philosophy
Ensure a high degree of information security and privacy in the daily activities of Los Angeles County departments, agencies, commissions, workforce members and partners (private and public) while supporting their business operations.
Information Security Guiding Principles
Guiding principles serve as our highest-level guidance to ensure decisions best support business direction. They are primarily used as a metric to gauge organizational progress over time on how decisions are increasingly aligned with business direction, assist in proactively making decisions to more efficiently deliver results and factors in deciding between proposed design options, proposed standards, vendor and product selection, go-no-go decisions, and others.
The Risk Management Principle
Risk cannot be eliminated; therefore, risk tolerance should be matched to the potential benefits of implementing controls. Risk should be identified and assessed early and mitigation taken where possible.
The Educated Workforce Principle
Employees should understand information security threats, risks and how their actions can impact the protection of the information with which they interact.
The Policy Driven Principle
Security policies and standards will be implemented consistently across all systems, Departments, agencies and commissions.
The Defense-in-Depth Principle
Use multiple layers of security controls whenever possible.
The Least Privileges Principle
Only allow access to what is needed to do the job.
The Separation of Duties Principle
A single person or work unit should not be responsible for an entire process (end-to-end) when there is a risk of loss.
The Timeliness Principle
Coordinated response to incidents involving threats to information assets should receive priority over other activities.
The Accountability Principle
Information security accountability and responsibility must be clearly defined as part of a security management structure and be acknowledged by management and staff.
The Confirm Compliance Principle
Compliance internal and external expectations will be evaluated regularly.
INFORMATION SECURITY REFERENCE ARCHITECTURE
The Information Security Reference Architecture is currently in development. It will be posted here upon completion.
How We Innovate
Information Security is an enabler of innovation for it provides the “security guardrails” for technology projects in the form of security policies, directives, controls, platforms, architecture, and assessments.