Information Technology Security Policy

Table of Contents

Introduction (p. 2)
User Domain & Classification (pp. 3-4)
Workstation Domain & Compliance (pp. 5-7)
Remote Access Domain (pp. 8-9)
Virtual Private Network (pp. 10-11)
Risk Assessment & Risk Management (p. 12)
Acceptable Use Policy (pp. 13-15)
Backup and Storage Security Policy (p. 16)
Penalty for Security Violation (p. 17)

Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
SUBJECT: Introduction
Review: Annually (As Needed)
Authorizing Signature:

A.1 Definition

Our goal as KayJay Technologies is to create a well-defined and detailed security policy for the State Government’s information resources across its enterprise network of systems.

B.1 Summary

KayJay Technologies will provide a layered security policy that focuses on the confidentiality, integrity, and availability of the State Government’s systems and information. KayJay Technologies will implement a multiple-layer approach to security in order to avoid interruption and unauthorized access. If one layer is breached, the other layers are in place to compensate and maintain the security of all sensitive information. In turn, each layer will have controls implemented to maintain the confidentiality, integrity, and availability of the information. The most critical controls will be system configuration hardening, file integrity monitoring, log management, and quarterly training to raise awareness among all employees/end users.

C.1 Goals and Objectives

The goals and objectives of the State Government are as follows:

• All desktop computing systems, servers, data storage devices, communication systems, firewalls, routers, switches, hubs, personal digital assistants (PDAs) and mobile devices (computing platforms) owned by the State, where lawfully permitted.

• All data, information, knowledge, documents, presentations, databases or other information resource stored on the State’s computing platforms and/or transferred by the State’s enterprise network.

• Any computing platforms, operating system software, middleware or application software under the control of third parties that connect in any way to the State enterprise computing or telecommunications network.

State Government

Regulations and Security Policies RSP A.1 – C.1

• This document applies to all full-time and part-time employees of the State, all third parties, contractors or vendors who work on State premises or remotely connect their computing platforms to the State’s computing platforms.

Approval Date: 01/01/2016
Revised Date: 11/28/2015
Effective Date: 07/08/2007
SUBJECT: User Domain & Classification
Review: Quarterly (as needed) Annually
Authorizing Signature:

D.1. User Domain Security Policy

Overview

All employees of the State government are authorized users of the State’s IT infrastructure. Users must read and comply with the information systems security policies and the State’s AUP, and must sign the right-of-use agreement document.

Purpose

The purpose of this policy is to establish how users are to understand and apply the acceptable use of systems and of the network within the State Government. These rules and regulations are to be taken seriously in order to protect all users and the State Government’s information. Any misuse of computer equipment that could allow unauthorized intrusion and compromise of the network systems and services will result in disciplinary action and/or legal action.

Scope

This policy will ensure the confidentiality, integrity, and availability of all information. All employees/end users who are issued network resources and devices (desktop, laptop, and cellular) by the State Government shall understand the proper use of the systems given to them. This policy also covers network login credentials and the importance of password use.

Policy

All employees/end users are to use government equipment, whether internal or external devices, for business purposes only. This ensures that activities unrelated to job responsibilities do not take place on the State’s enterprise network. Users who engage in prohibited activities shall understand that disciplinary action will be taken accordingly (See Policy: M.1). Employees/end users will be issued login credentials and a temporary password during the hiring process. Login credentials are a security feature that ensures the confidentiality of State Government information and data.

Login credentials will consist of the user’s last name (6 letters or fewer), followed by the first and middle initials (for example: Kapricia J. Morris - morriskj and Jennifer D. Ward - wardjd).


The user will be given a temporary password and must create/change that password using the following requirements:

• Consist of at least eight characters
• At least one capital letter
• At least one number
• Optional: Special symbol (#, %, !, _, -)
• Cannot use the previous (8) passwords
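The password requirements above, turned into a check routine as an added example (this is not part of the original policy). It assumes, since the policy does not say how the previous eight passwords are remembered, that the history is kept as salted PBKDF2-SHA256 digests rather than plaintext, so reuse can be detected without retaining the old passwords.

```python
"""Added example: a checker for the D.1 password requirements.

Assumption (not stated in the policy): the history of previous passwords
is kept as (salt, PBKDF2-SHA256 digest) pairs, never as plaintext, so a
reused password can still be recognised.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 8               # "at least eight characters"
HISTORY_DEPTH = 8            # "cannot use the previous (8) passwords"
OPTIONAL_SYMBOLS = "#%!_-"   # special symbols are optional, so not enforced
PBKDF2_ITERATIONS = 100_000  # assumption; the policy names no algorithm


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored history never reveals a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def check_rules(password: str) -> list:
    """Return the D.1 composition rules the candidate violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than eight characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    return problems


def reused(password: str, history: list) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def validate(password: str, history: list) -> list:
    """All problems with a proposed new password: composition and reuse."""
    problems = check_rules(password)
    if reused(password, history):
        problems.append("matches one of the previous eight passwords")
    return problems


def record(password: str, history: list) -> None:
    """Append an accepted password to the history under a fresh random salt."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def demo() -> dict:
    """Constructed walkthrough: nine rotations, then three change attempts."""
    history = []
    for i in range(9):                 # constructed sample rotations
        record(f"Sample{i}pw", history)
    return {
        "oldest_again": validate("Sample0pw", history),  # 9th back: allowed
        "recent_again": validate("Sample8pw", history),  # within last 8
        "too_weak": validate("winter", history),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "accepted")
```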

All issued devices must remain secured at all times with a password-protected screensaver. End users must lock the computer or log off when it is not in use, when they leave the area, or when they will be away for an extended period.

E.1 Classification of Information

All information resources and information systems owned by the State shall be classified as either confidential or non-confidential, and shall be continuously monitored against unauthorized access, modification, or destruction of the State’s information, so that the appropriate level of security can be determined to best protect it. (See Policy: E.1.2)

E.1.1 Classification of Computer Systems

Security Code: RED
Description: This system contains confidential information – information that cannot be revealed to personnel outside of the company or within the company. Access to this information is provided on a “need to know” basis. The system provides mission-critical services vital to the operation of the business. Failure of this system may have life threatening consequences and/or an adverse financial impact on the business of the company.
Examples: Operations Server containing confidential data and other department information on databases. Network routers and firewalls containing confidential routing tables and security information.

Security Code: ORANGE
Description: This system does not contain confidential information or perform critical services, but it provides the ability to access RED systems through the network.
Examples: User department PCs used to access Server and application(s). Management workstations used by systems and network administrators.

Security Code: BLUE
Description: This system is not externally accessible. It is on an isolated LAN segment, unable to access RED or ORANGE systems. It does not contain sensitive information or perform critical services.
Examples: A test system used by system designers and programmers to develop new computer systems.

Security Code: WHITE
Description: This system is externally accessible. It is isolated from RED or ORANGE systems by a firewall. While it performs important services, it does not contain confidential information.
Examples: A public Web server with non-sensitive information.

Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
SUBJECT: Workstation Domain & Compliance
Review: Quarterly (as needed) Annually
Authorizing Signature:

F.1 Workstation Domain Security Policy

Overview

All employees of the State Government are authorized users of the State’s IT infrastructure. Users must read and understand the State Government workstation rules and regulations listed below.

Purpose

The purpose of this policy is to provide management and security over the State Government workstations in order to ensure that the information on each workstation is limited to those with authorized access. Additionally, the policy provides the management needed to meet the requirements of the HIPAA Security Rule “Workstation Security” Standard 164.310.

Scope

This policy applies to all State Government employees, contractors, workforce members, vendors and standalone agents with a State Government owned or personal workstation connected to the State Government Enterprise Network.

Policy

To ensure the confidentiality, integrity, and availability of sensitive information, including protected health information (PHI), appropriate measures must be taken against misuse of the State’s workstations and systems. Only System Administrators may restrict access to sensitive information and grant authorization to trusted users.

Workforce members using workstations should be mindful that the information being accessed is considered highly sensitive, including protected health information (PHI). While devices are in the end user’s care, users are to follow safety measures to reduce the chance that unauthorized access compromises this vital information. The State Government has put in place appropriate physical and technical precautions for all workstations that access electronic protected health information (ePHI).

Those appropriate measures are as follows:

• Only authorized personnel have been granted restricted physical access to workstations.

• To prevent unauthorized access to workstations, all users must lock or log out prior to leaving the work area.

• As State Government policy states, enabling a password-protected screen saver with a short timeout period will secure workstations that were left unattended.

• Users are to comply with the password policies and procedures. See State Government Password Policy (See Policy: D.1).

• Workstations are to be used for authorized business purposes only

• Unauthorized software is not to be installed on State Government workstations.

• Back up and store all confidential information, including protected health information (PHI), on the State’s enterprise network servers.

• To avoid accidental incidents to all devices and systems, users must abstain from eating food and drinking liquids near workstations.

• Laptops and other mobile devices containing software and sensitive information should be secured with a key lock or another secure mechanism such as a keypad lock.

• To allow overnight updates of the workstations, users are to log off, rather than shut down, at the end of their workday.

• Users are to close/exit applications that are not in use to prevent data exposure.

• To protect all workstations from surges due to power outages, all workstations must be on a surge protector (not just a power strip) or a UPS (battery backup).

• When using a wireless connection to access the State’s network, ensure that the access is secure. Read the Remote Access Domain Security Policy (See Policy: G.1).

###


F.1.1 Compliance Policy

Compliance

The State Government Security Team will verify compliance through a number of methods, ensuring that all users are periodically reviewed by internal and external audits. Identifying, detecting, preventing and defending are among the ways to ensure compliance while protecting the enterprise network. Compliance and risk management go hand in hand in ensuring that the policies and rules are met.

The initial breakdown of steps to be taken into consideration:

Compliance (Internal & External Audit):
• Define processes of a risk
• Document processes of a risk
• Define controls
• Document controls
• Remediate the risk(s)

Risk Management:
• Identify the risk(s)
• Categorize the risk(s)
• Assess the risk(s)
• Report the risk(s)
• Mitigate the risk(s)

Exceptions

Any exceptions to this policy must be approved by the State Government Security Team.

Non-Compliance

Any employee/user found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment. (See Policy: M.1)

***


Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
SUBJECT: Remote Access Domain
Review: Quarterly (as needed) Annually
Authorizing Signature:

G.1 Remote Access Domain Security Policy

Overview

The State’s enterprise network views remote access as an important feature of the network, as it allows employees to perform their job duties efficiently regardless of their location. However, when remote access is in use, the other networks involved may lack security measures to protect against intrusion, which makes those networks vulnerable. Since those networks are not within the State Government’s control, mitigations must be in place for the external risks that may occur.

Purpose

The purpose of this policy is to ensure that, when connecting to the State’s enterprise network, all rules and requirements are defined by the host. The State Government restricts and protects against unauthorized use of its resources to avoid the potential damages these rules and requirements are designed to prevent: sensitive data, intellectual property, and internal systems can be lost or damaged, and such losses can result in fines or other liabilities.

Scope

The State Government allows personally owned computers or workstations on the network, which must abide by the policies put in place for employees, contractors, vendors, and/or agents alike. This policy applies to any remote access connection used to perform job duties on behalf of the State, including reading and sending email and viewing intranet web resources. It covers all technical and physical aspects of remote access.

Policy


Remote access privileges to the State’s enterprise network are granted so that the user receives the same consideration as if they were on-site. This policy pertains to every user who is an employee, contractor, vendor, and/or agent of the State.

Employees, contractors, vendors, and authorized users are strictly limited in their general access to the Internet for recreational use. When authorized users gain access to the State’s network from a remote location, it is their responsibility to prevent access to any computer resource or data by non-authorized users. Performing illegal activities while using remote access to the network is prohibited. Authorized users will not use the State’s enterprise network to access the Internet for outside business interests.

G.1.1 Remote Access

A Virtual Private Network (VPN) allows users remote access to the State’s enterprise network; however, the user must be authorized by the Systems Administrator and Security Team. Authorized users are given secure login credentials to enable remote connections to the internal network. Once the VPN connection has been established, authorized users are able to exchange information, copy files or programs, and access computers remotely.

G.1.2 Unauthorized Remote Access

Connecting to the Local Area Network requires permission from the State’s system administrator and security team. When remotely controlling any workstation, users may not install personal software, which is also prohibited by State policies. While remote access is a highly secure method of reaching internal networks, it still poses a threat to the security of the entire network.

***


Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
SUBJECT: Virtual Private Network
Review: Quarterly (as needed) Annually
Authorizing Signature:

H.1 Virtual Private Network (VPN) Security Policy

Purpose

The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the State Government enterprise network.

Scope

This policy applies to all State Government employees, contractors, consultants, temporary workers, and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the State’s enterprise network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.

Policy

Approved State Government employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. (See Policy: G.1)

1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to State’s internal networks.

2. VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.

3. When actively connected to the corporate network, VPNs will force all traffic to and from the workstation over the VPN tunnel: all other traffic will be dropped.


4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.

5. VPN gateways will be set up and managed by the State Government enterprise network operational groups.

6. All computers connected to State’s internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.

7. VPN users will be automatically disconnected from the State’s enterprise network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other simulated network processes are not to be used to keep the connection open.

8. The VPN concentrator is limited to an absolute connection time of 24 hours.

9. Users of computers that are not State Government owned equipment must configure the equipment to comply with State Government’s VPN and Network policies.

10. Only State Government-approved VPN clients may be used.

11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of the State’s enterprise network, and as such are subject to the same rules and regulations that apply to State Government-owned equipment, i.e., their machines must be configured to comply with the State Government’s Security Policies.

***


Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
SUBJECT: Risk Assessment & Risk Management
Review: Quarterly (as needed) Annually
Authorizing Signature:

I.1 Risk Assessment

The purpose of an Information Security Risk Assessment is to determine areas of vulnerability, and for the State’s security team to implement the appropriate remediation/mitigation of each risk.

Risk Assessments are determined by factors based on production, funds, availability of information, or external factors. The State Government’s Risk Assessment will cover all systems, along with the network, its servers and applications, and the personnel who administer and/or maintain those systems through processes or procedures.

To successfully develop and implement a remediation and mitigation plan, all employees are expected to fully cooperate with any Risk Assessment that is carried out. All employees are to be aware of all Risk Assessments (RAs), because they affect all personnel, who will be held responsible.

Risk Level (Risk Factor): Risk Determination

EXTREME (16-20): In the event of a risk occurring, it will have a severe impact on production, causing critical downtime on production and funds.

HIGH (11-15): In the event of a risk occurring, it will have a high impact on production, and production is under its acceptable limits.

MEDIUM (6-10): In the event of a risk occurring, it will have a minor impact on production, but production is well within acceptable limits.

LOW (1-5): In the event of a risk occurring, it will have little to no impact on production. The risk is acceptable; production is not interrupted.

J.1 Risk Management

Risk Management is one of the most critical and beneficial elements of any information security program. It breaks down the individual vulnerabilities and risks that may affect or deprive the State’s enterprise network of confidentiality, integrity, and availability, so that they are identified, analyzed, and maintained at acceptable levels.

***


Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
SUBJECT: Acceptable Use Policy
Review: Monthly (as needed) Annually
Authorizing Signature:

K.1 Acceptable Use Policy

Personal activities are forbidden on computer devices. User accounts on computer devices may only be used for business purposes. Violating this may be against the law, may be treated as theft, and may be punishable by law. When a user performs an unauthorized action, the State Government may prosecute civilly or criminally.

Users are responsible for ensuring that all confidential information used and/or stored under their accounts is protected. Examples of information needing protection are users’ logon IDs and passwords. Users are prohibited from making unauthorized copies of confidential information and/or distributing it to people outside the company.

Users may not knowingly engage in activities that harass others, degrade the performance of the system, appropriate system resources for their own use, or gain access to State systems for which they have no authorization.

Users must have authorization from their manager and/or the IT department before attaching any devices to their PCs or workstations. Users are not allowed to download unauthorized software from the Internet onto their PCs or workstations. Users must report any unauthorized use, incidents of misuse, or violations of this policy to their immediate supervisor.

K.1.1 Monitoring Internet Use

Employees and contractors accessing the internal network for business needs shall be granted permission to do so. The Security Administrator provides these permissions, for any file request, to all personnel.

The most important tool to be utilized is the Internet. End users may use it only for business-related purposes, such as communicating through email with suppliers and business partners and obtaining information relevant to technical and business topics.

The Internet service may not be used to transmit, gather or store any communications that are discriminatory or harassing, derogatory to any person or group, obscene or pornographic, or defamatory or threatening in any way (such as chain letters), or for any other activity that is illegal or for personal gain.


K.1.2 Monitoring Use of Systems

According to State policies, the State has the right to monitor any electronic device or information created and/or communicated by a person using the State’s enterprise network systems and networks, which includes email messages and usage of the Internet. The State’s security team does not intend to monitor users of the workstations or of the company computer systems and network continuously. Users should know, however, that the State’s security team can monitor usage, including but not limited to patterns of Internet usage, for example sites accessed, time spent online, or time of day. All employees’ electronic files, messages, and electronic communications may be reviewed to make sure they are in compliance with the law and State policy.

K.1.3 System Administrator Access

Host systems, routers, hubs, and firewalls are only to be accessed by system administrators, network administrators, and security administrators, and only to fulfill job-related duties. When an employee is terminated, resigns, or leaves abruptly, all system administrator passwords will be revoked immediately.

K.1.4 Special Access

Temporary individuals may need special access to perform job duties; the system administrator will have to grant special privileges to their access accounts. The users must get permission from the State’s IT manager for these accounts, which are monitored by the State’s security team. To monitor a special access account, the user is placed in a specific group, and reports are generated to management showing who has access at that moment, for what purpose, and when it expires.

K.1.5 Connecting to Third-Party Networks

This policy establishes the requirements for electronic information exchange with the State Government and ensures that a secure method of connectivity is provided between the State’s enterprise network and all third-party companies and other entities.

Third parties consist of vendors, consultants, business partners doing business with the State Government, and other partners that have to exchange information with the company. A third-party network connection may only be used by employees of the third party and only for business purposes. The State Government may often connect with third parties and will ensure that only authorized users are allowed to access information on the State’s enterprise network. They will allow Internet traffic or other private network traffic to flow into the network. The network connection is defined as one of the following third-party connectivity options:

The network connection will be terminated on a specified date, and the third party will be subject to standard company authentication rules.


This policy applies to all third-party connection requests and to any existing third-party connections. Any third-party connection that does not meet the full requirements outlined in this document will be redesigned immediately or as needed.

All third-party connection requests must be submitted in writing and approved by the company.

K.1.6 Connecting Devices to the Network

All devices such as PCs and workstations owned by the company must comply with the company’s guidelines in order to be connected to the State Government’s network. Devices used for network management and monitoring must be authorized devices included in the network infrastructure.

Users will not attach to the network from non-company devices that are not authorized, owned, or controlled by the company. Users are prohibited from visiting unauthorized sites.

***


Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
SUBJECT: Backup and Storage Security Policy
Review: Quarterly (as needed) Annually
Authorizing Signature:

L.1 Backup of Information and Programs

All sensitive information and documents are to be scheduled for daily backups and stored on a secured and updated server. While vital information is in storage, the data should be encrypted to ensure confidentiality.

L.1.1 Persons Responsible for Periodic Backups

Backing up information is critically important to the State Government. Accordingly, system administrators are responsible for periodic backups, including scheduling both incremental and full backups. This ensures that vital or confidential data is backed up; it must be stored on network servers both on site and off site. All users are also responsible for backing up the information stored on their local computers.

In case of any malfunction, downtime, or loss of data access service, department directors or managers are initially responsible for restoring service to all users affected by the incident. To avoid delays in restoring service, the IT department is responsible for preparing, testing and periodically updating the State’s enterprise network business contingency plans.

***


Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
SUBJECT: Penalty for Security Violation
Review: Quarterly (as needed) Annually
Authorizing Signature:

M.1 Penalty for Security Violation

The State Government has rules and regulations in place to train and educate its employees on how to recognize and utilize Government systems. Security teams are raising awareness of the many risks currently present in the IT world, and employees are always to remain cautious about information and the use of workstations.

Employees who intentionally or unintentionally violate the use of the State’s network systems and information resources must understand that they can be disciplined. Upon violation of this policy, an employee of the State Government may be subject to disciplinary action and/or termination. Disciplinary actions are determined by taking into consideration the nature and severity of the violation of the Security Policy, previous violations of the policy committed by the individual, state and federal laws, and all other relevant information.

Non-employees found to be in violation of this policy will be referred to the State’s designee(s). The State’s designee(s) may consult with law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).

***
