INFORMATION SECURITY
Information security in the Office of the Chief Information Officer (OCIO) is a function of strategy, governance, oversight and management of information technology risk at the County level, not one of providing information security operations. Under the direction of the Chief Information Security Officer (CISO), Departmental Information Security Officers (DISOs) perform the same functions at the department level through information security governance. The distributed environment within LA County places authority and responsibility for information security operations within the 37 individual departments.
Overview
Information Security Guiding Principles
Guiding principles serve as our highest-level guidance to ensure that decisions best support business direction. They are used primarily as a metric for gauging, over time, how well organizational decisions align with business direction; as an aid to making decisions proactively so that results are delivered more efficiently; and as factors in choosing between proposed design options, proposed standards, vendor and product selections, go/no-go decisions, and similar choices.
The Risk Management Principle
Risk cannot be eliminated; therefore, the level of risk tolerated should be weighed against the potential benefits of implementing controls. Risk should be identified and assessed early, and mitigation applied where possible.
The Educated Workforce Principle
Employees should understand information security threats, risks and how their actions can impact the protection of the information with which they interact.
The Policy Driven Principle
Security policies and standards will be implemented consistently across all systems, Departments, agencies and commissions.
The Defense-in-Depth Principle
Use multiple layers of security controls whenever possible.
The Least Privilege Principle
Grant only the access needed to do the job.
The Separation of Duties Principle
A single person or work unit should not be responsible for an entire process (end-to-end) when there is a risk of loss.
The Timeliness Principle
Coordinated response to incidents involving threats to information assets should receive priority over other activities.
The Accountability Principle
Information security accountability and responsibility must be clearly defined as part of a security management structure and be acknowledged by management and staff.
The Confirm Compliance Principle
Compliance with internal and external expectations will be evaluated regularly.