ENT-201: Enterprise Security Controls and Best …

Commonwealth of Kentucky Office of the Chief Information Officer

Enterprise Controls

ENT-201: Enterprise Security Controls and Best Practices

Office of the Chief Information Security Officer
Commonwealth Office of Technology
500 Mero St
Frankfort KY 40601

Version 2020-2 6/25/2020

Document Revision History

Version | Date       | Change Description / Notes                                                  | Author/Editor
1.0     | 2/28/2019  | Document creation; incorporated AC controls family.                         | John Barnes
2.0     | 7/30/2019  | Added Security Planning (PL) family.                                        | John Barnes
3.0     | 9/3/2019   | Added CP, MA, PE, PS, SA, SC and SI families.                               | John Barnes
3.1     | 9/16/2019  | Updated title page to reflect new naming/format conventions.                | Tom Walters
3.2     | 10/18/2019 | Added Audit and Accountability (AU) family.                                 | John Barnes
3.2.1   | 10/25/2019 | Added content to AC-17 - Remote Access (lead section), #2.                  | John Barnes
3.3     | 11/7/2019  | Added AT and CA families.                                                   | John Barnes
3.4     | 2/25/2020  | Added Identification and Authentication (IA) family.                        | John Barnes
3.5     | 6/25/2020  | Added Configuration Management (CM) family.                                 | Tom Walters

Contents

Definitions and Acronyms (document-wide) ... 6
Purpose of this Document ... 7
Applicability ... 7
CIO-072 IT Access Control and User Access Management ... 9
  Account Management Controls ... 9
    AC-2 - Account Management ... 9
    AC-3 - Access Enforcement ... 11
    AC-4 - Information Flow Enforcement ... 11
    AC-5 - Separation of Duties ... 11
    AC-6 - Least Privilege ... 12
    AC-7 - Unsuccessful Logon Attempts ... 13
    AC-8 - System Use Notifications ... 14
    AC-11 - Session Lock ... 14
    AC-12 - Session Termination ... 15
    AC-14 - Permitted Actions without Identification or Authentication ... 15
    AC-17 - Remote Access ... 15
    AC-18 - Wireless Access ... 17
    AC-19 - Access Control for Mobile Devices ... 17
    AC-20 - Use of External Information Systems ... 18
    AC-21 - Information Sharing ... 18
    AC-22 - Publicly Accessible Content ... 18
  IT Access Control and User Access Management Best Practices ... 19
CIO-104 Configuration Management ... 20

Page 2 of 56

  Configuration Management Controls ... 20
    CM-2 - Baseline Configuration ... 20
    CM-3 - Configuration Change Control ... 21
    CM-4 - Security Impact Analysis ... 21
    CM-5 - Access Restrictions for Change ... 21
    CM-6 - Configuration Settings ... 21
    CM-7 - Least Functionality ... 21
    CM-8 - Information System Component Inventory ... 21
    CM-9 - Configuration Management Plan ... 22
    CM-10 - Software Usage Restrictions ... 22
    CM-11 - User-Installed Software ... 22
  Configuration Management Best Practices ... 22
CIO-105 System and Information Integrity ... 23
  System and Information Integrity Controls ... 23
    SI-2 - Flaw Remediation ... 23
    SI-3 - Malicious Code Protection ... 24
    SI-4 - Information System Monitoring ... 24
    SI-5 - Security Alerts, Advisories, and Directives ... 25
    SI-7 - Software, Firmware, and Information Integrity ... 25
    SI-8 - Spam Protection ... 25
    SI-10 - Information Input Validation ... 25
    SI-11 - Error Handling ... 25
    SI-12 - Information Handling and Retention ... 26
    SI-16 - Memory Protection ... 26
  System and Information Integrity Best Practices ... 26
CIO-112 Security Planning ... 27
  Security Planning Controls ... 27
    PL-2 - System Security Plan ... 27
    PL-4 - Rules of Behavior ... 27
    PL-8 - Information Security Architecture ... 28
  Security Planning Best Practices ... 28
CIO-113 Contingency Planning ... 29
  Contingency Planning Controls ... 29
    CP-2 - Contingency Plan ... 29
    CP-3 - Contingency Training ... 30
    CP-4 - Contingency Plan Testing ... 30
    CP-6 - Alternate Storage Site ... 30
    CP-7 - Alternate Processing Site ... 30
    CP-8 - Telecommunication Services ... 31
    CP-9 - Information System Backup ... 31
    CP-10 - Information System Recovery and Reconstitution ... 31


  Contingency Planning Best Practices ... 31
CIO-114 System Maintenance ... 32
  System Maintenance Controls ... 32
    MA-2 - Controlled Maintenance ... 32
    MA-3 - Maintenance Tools ... 33
    MA-4 - Nonlocal Maintenance ... 33
    MA-5 - Maintenance Personnel ... 33
    MA-6 - Timely Maintenance ... 33
  System Maintenance Best Practices ... 34
CIO-115 Physical and Environmental Protection ... 35
  Physical and Environmental Protection Controls ... 35
    PE-2 - Physical Access Authorizations ... 35
    PE-3 - Physical Access Control ... 35
    PE-4 - Access Control for Transmission Medium ... 36
    PE-5 - Access Control for Output Devices ... 36
    PE-6 - Monitoring Physical Access ... 36
    PE-8 - Visitor Access Records ... 36
    PE-9 - Power Equipment and Cabling ... 36
    PE-10 - Emergency Shutoff ... 36
    PE-11 - Emergency Power ... 36
    PE-12 - Emergency Lighting ... 36
    PE-13 - Fire Protection ... 37
    PE-14 - Temperature and Humidity Controls ... 37
    PE-15 - Water Damage Protection ... 37
    PE-16 - Delivery and Removal ... 37
    PE-17 - Alternate Work Site ... 37
  Physical and Environmental Protection Best Practices ... 37
CIO-116 Personnel Security ... 38
  Personnel Security Controls ... 38
    PS-2 - Position Risk Designation ... 38
    PS-3 - Personnel Screening ... 38
    PS-4 - Personnel Termination ... 38
    PS-5 - Personnel Transfer ... 39
    PS-6 - Access Agreements ... 39
    PS-7 - Third-Party Personnel Security ... 39
    PS-8 - Personnel Sanctions ... 39
  Personnel Security Best Practices ... 39
CIO-117 System and Services Acquisition ... 40
  System and Services Acquisition Controls ... 40
    SA-2 - Allocation of Resources ... 40
    SA-3 - System Development Life Cycle ... 40


    SA-4 - Acquisition Process ... 40
    SA-5 - Information System Documentation ... 41
    SA-8 - Security Engineering Principles ... 41
    SA-9 - External Information System Services ... 41
    SA-10 - Developer Configuration Management ... 42
    SA-11 - Developer Security Testing and Evaluation ... 42
  System and Services Acquisition Best Practices ... 42
CIO-118 System and Communications Protection ... 43
  System and Communications Protection Controls ... 43
    SC-2 - Application Partitioning ... 43
    SC-4 - Information in Shared Resources ... 43
    SC-5 - Denial of Service Protection ... 43
    SC-7 - Boundary Protection ... 43
    SC-8 - Transmission Confidentiality and Integrity ... 44
    SC-10 - Network Disconnect ... 44
    SC-12 - Cryptographic Key Establishment and Management ... 44
    SC-13 - Cryptographic Protection ... 44
    SC-15 - Collaborative Computing Devices ... 44
    SC-17 - Public Key Infrastructure Certificates ... 44
    SC-18 - Mobile Code ... 44
    SC-19 - Voice over Internet Protocol ... 44
    SC-20 - Secure Name / Address Resolution Service (Authoritative Source) ... 45
    SC-21 - Secure Name / Address Resolution Service (Recursive or Caching Resolver) ... 45
    SC-22 - Architecture and Provisioning for Name / Address Resolution Service ... 45
    SC-23 - Session Authenticity ... 45
    SC-28 - Protection of Information at Rest ... 45
    SC-39 - Process Isolation ... 45
  System and Communications Protection Best Practices ... 45
CIO-119 Audit and Accountability ... 46
  Audit and Accountability Controls ... 46
    AU-1 - Audit and Accountability Policy and Procedures ... 46
    AU-2 - Audit Events ... 46
    AU-3 - Content of Audit Records ... 46
    AU-4 - Audit Storage Capacity ... 47
    AU-5 - Response to Audit Processing Failures ... 47
    AU-6 - Audit Review, Analysis, and Reporting ... 47
    AU-7 - Audit Reduction and Report Generation ... 47
    AU-8 - Time Stamps ... 47
    AU-9 - Protection of Audit Information ... 47
    AU-11 - Audit Record Retention ... 47


    AU-12 - Audit Generation ... 47
    AU-13 - Monitoring for Information Disclosure ... 47
    AU-14 - Session Audit ... 47
    AU-15 - Alternate Audit Capability ... 48
    AU-16 - Cross-Organization Auditing ... 48
  Audit and Accountability Best Practices ... 48
CIO-120 Security Assessment and Authorization ... 49
  Security Assessment and Authorization Controls ... 49
    CA-2 - Security Assessments ... 49
    CA-3 - System Interconnections ... 49
    CA-5 - Plan of Action and Milestones ... 50
    CA-6 - Security Authorization ... 50
    CA-7 - Continuous Monitoring ... 50
  Security Assessment and Authorization Best Practices ... 50
CIO-121 Security Awareness and Training ... 51
  Security Awareness and Training Controls ... 51
    AT-2 - Security Awareness Training ... 51
    AT-3 - Role-Based Security Training ... 51
    AT-4 - Security Training Records ... 51
  Security Awareness and Training Best Practices ... 51
CIO-123 Identification and Authentication ... 52
  Identification and Authentication Controls ... 52
    IA-2 - Identification and Authentication (Organizational Users) ... 52
    IA-3 - Device Identification and Authentication ... 54
    IA-4 - Identifier Management ... 54
    IA-5 - Authenticator Management ... 54
    IA-6 - Authenticator Feedback ... 55
    IA-7 - Cryptographic Module Authentication ... 55
    IA-8 - Identification and Authentication (Non-Organizational Users) ... 55
  Identification and Authentication Best Practices ... 56

Definitions and Acronyms (document-wide)

CISO: Chief Information Security Officer
COT: Commonwealth Office of Technology
DBA: Database Administrator
FIPS: Federal Information Processing Standard Publication, specifically FIPS 140-2, the U.S. government computer security standard used to approve cryptographic modules.
NIST: National Institute of Standards and Technology (U.S. Department of Commerce)
NIST Special Publication 800-53 Rev.4: NIST Special Publication 800-53 (Rev.4), Security and Privacy Controls for Federal Information Systems and Organizations. This document provides an online cross-reference between Control Families and Security Controls ranked as Low-Impact, Moderate-Impact, and High-Impact.
Service Provider: An outsourced or third-party vendor that provides IT services to the organization.

Note: "Outsourced" is relative to COT or the agency. Since we leverage the Information Technology Infrastructure Library (ITIL) framework, there are three types of service providers:

Type I = Internal service provider
Type II = Shared service provider
Type III = External service provider

SSP: System Security Plan

Note: Other definitions and acronyms specific to individual controls are provided within their sections.

Purpose of this Document

This document details the security controls that COT's Office of the CISO requires for information systems and activities for the Commonwealth of Kentucky. COT aligned the Commonwealth's security program with the framework outlined in the NIST Special Publication 800-53 (Rev 4), Security and Privacy Controls for Federal Information Systems and Organizations. COT established the Commonwealth's security framework using the moderate-level controls outlined in the NIST publication. Specifically, the Commonwealth's security program addresses the following families in NIST:

AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment and Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification and Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical and Environmental Protection
PL  Planning
PM  Program Management
PS  Personnel Security
RA  Risk Assessment
SA  System and Services Acquisition
SC  System and Communications Protection
SI  System and Information Integrity

Applicability

The security controls outlined in this document apply to all systems under the authority of the Commonwealth of Kentucky. These controls reference the appropriate policies and require the same compliance as the originating policy. As COT continues to update and develop policies, this document will continue to reflect those changes through the addition and modification of these security controls.

Commonwealth agencies, users, and associated entities such as vendors shall adhere to the most current, published version of the policies and their associated controls in this document. Each version of this document supersedes the previous ones. COT recommends reviewing this document for changes at least annually, or when managing significant changes to information systems. Review the most up-to-date official Commonwealth of Kentucky Enterprise IT Policies.
