Information Security Standards - California State University




Table of Contents

Introduction

Background

Information Security Program Manual Objective & Intent

Information Security Program Standards Applicability & Scope

SCO Information and Information Technologies

SCO Facilities and Physical Property

The Principles of Due Care & Due Diligence

Manual Alignment with Information Security Best Practices

Manual Maintenance

Information Security Standards

Roles and Responsibilities

Standards for Information Asset Users

100 User Compliance

101 User Activity Monitoring Notice

102 User Security Acknowledgement

103 User Information Security Incident Reporting

104 Physical Access / ID Badges

105 Prohibited Activities

106 Personally Owned Equipment and Software

107 Laptop / Portable Information Storage Device Use

108 User Authentication Credential Security

109 Password Use

110 User Password Rules

Standards for Owners of Information Assets

120 Owner Compliance

121 Information Asset Classification

122 Risk Assessment

123 Security Management

124 Owner Acceptable Use Policy

125 Owner Authorization Approval

126 Access Authorization Reviews

127 Access and Use Agreements

Standards for Custodians of Information

130 Security Compliance

Management Security Standards

200 Information Classification

201 Critical Application Classification

202 Security and Privacy Assessment

203 Project System Security Plans

204 Security Certification and Accreditation

205 Security Vulnerability Scanning

206 System Interconnectivity / Information Sharing

207 System Inventory

208 Information Security Standard Violation Disciplinary Action

Operational Security Standards

300 Pre-Employment Screening

301 Separation of Duties

302 Least Privilege

303 Security Education and Awareness

304 Personnel Separation

305 Physical Security

306 Physical Access Control

307 Visitors to SCO Facilities

308 Information Protection in the Work Area

309 Sanitization and Disposal of Information

310 Information Exchange via Portable Information Storage Devices

311 Information Asset Transport / Shipping

312 Workstations

313 Laptops and Portable Computing Devices

314 Backup Data

315 Business Continuity Planning

316 Disaster Recovery Planning

317 Information Security Incident Reporting

Technical Security Standards

400 Access Control

401 User Identification

402 User Authentication Techniques

403 Password Standards

404 Automatic Session Timeout

405 Use Warning Banner

406 Audit Trails

407 Secure Communications

408 Secure Storage

409 Encryption Standard

410 Network Boundary Security

411 Firewall Standard

412 Controlled Pathways (Gateways)

413 Malicious Code Protection

414 Remote Access

415 Product Assurance (System Hardening)

416 Patch Management

417 System-to-System Interconnection (Node Authentication)

418 Wireless Local Area Network Security Standard

Privacy Standards

500 Privacy Standards

Glossary of Terms

Appendix A: Information Security Incident Categories and Reporting Timeframes

Introduction

Background

The State Controller is the Chief Fiscal Officer of California, the eighth largest economy in the world. As the state’s independent fiscal watchdog, the Controller provides sound fiscal control over more than $100 billion in annual receipts and disbursements of public funds. The Controller uses audit authority to uncover fraud and abuse of taxpayer dollars and provides fiscal guidance to local governments. The Controller helps administer $400 billion in state pension funds. Among many other duties, the Controller serves on 76 state boards and commissions, with responsibilities ranging from protecting the California coastline to helping build new hospitals. In support of these responsibilities, the Controller’s Office administers numerous programs that handle information and physical property, which must be protected.

Information Security Program Manual Objective & Intent

The Information Security Program Standards Manual’s objective is to establish minimal organizational information security standards for the State Controller’s Office (SCO) that specify how information assets are safeguarded. Information security standards facilitate SCO compliance with applicable state and federal government statutes, regulations, and directives (policies). These standards assist the SCO in appropriately classifying information and its technology, implementing appropriate security controls, and carrying out recommended business security actions and operational measures to protect SCO information assets. The SCO is committed to creating and maintaining an environment that protects SCO information assets from accidental or intentional unauthorized use, modification, disclosure, destruction, or theft. Adherence to information security standards will safeguard the confidentiality, integrity, and availability of SCO information assets and will protect the interests of the SCO, its personnel and contractors, business partners, and the general public.

This manual’s intent is to create and implement an environment that:

1. Protects information and technologies critical to the SCO.

2. Protects information as mandated by state and federal statutes, regulations, and administrative requirements.

3. Protects confidential and sensitive information.

4. Reinforces SCO’s reputation as an institution deserving of trust.

5. Complies with due diligence standards for the protection of information and technologies.

6. Assigns responsibilities to relevant SCO officers, executives, managers, personnel, contractors, and business partners.

7. Protects SCO physical resources and those physical resources entrusted to the SCO.

Information Security Program Standards Applicability & Scope

SCO Information and Information Technologies

The standards contained in this manual are applicable to all SCO information, in any form, related to SCO business activities, personnel, contractors, business partners and customers that are created, acquired, or disseminated using SCO owned or leased resources or funding. This manual is applicable to all information technologies associated with the creation, collection, processing, storage, transmission, analysis, and disposal of SCO information. This manual is applicable to all facilities, information media, information systems, infrastructure, applications, products, services, telecommunications networks, computer-controlled mail or print processing equipment, and related resources, which are sponsored by, leased or owned by, operated on behalf of, or developed for the benefit of, the SCO.

For the purposes of this manual, technologies and the information they contain are collectively known as information assets.

SCO Facilities and Physical Property

This manual’s contents are applicable to all SCO owned or leased facilities and physical property entrusted to the SCO.

The Principles of Due Care & Due Diligence

The need for the SCO to keep pace with the ever-changing statutory landscape and technology environment is essential to maintaining information security and business viability. Due care and due diligence practices must be ingrained into the SCO’s culture in order to facilitate the constant self-evaluation and assessment necessary to validate compliance with statutes and technology industry best practices, to initiate necessary changes, and to seek enhancement opportunities.

The terms “due care” and “due diligence” are used in the fields of finance, securities, and law. These terms describe the “reasonable and prudent person” rule. A prudent person takes due care to ensure that everything necessary is done to operate the business by sound business principles and in a legal and ethical manner. A prudent person is also diligent (i.e., mindful, attentive, and ongoing) in their due care of the business. In the business world, stockholders, customers, business partners, and government regulators have the expectation that corporate officers will run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. In the public sector, constituents and political leaders hold the same expectations of government agency officers. In addition to these expectations being a motivating force for officers, Federal Sentencing Guidelines and State Statutes now make it possible to hold both private and public sector organization officers liable for failing to exercise due care and due diligence in the management of their information privacy/security practices.

The importance of demonstrating “due care” and “due diligence” cannot be overstated in government. “Due care” and “due diligence” activities are the foundation for establishing and maintaining the trust of constituents. Aligning the SCO Information Security Program Standards Manual’s content with industry standards and complying with statutory and administrative requirements are “due care” and “due diligence” activities.

Manual Alignment with Information Security Best Practices

The SCO Information Security Program Standards Manual is constructed to align with the intent and spirit of the following information security public and private sector best practices for information security controls and management:

• International Organization for Standardization and International Electrotechnical Commission (ISO/IEC®) 27002: International Standards for Information Technology – Security Techniques – Code of practice for Information Security Management

• Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) Special Publications

Manual Maintenance

The SCO Information Security Program Standards Manual reflects the framework and objectives of the SCO Information Security Program. Standard changes or updates should be submitted to the SCO Chief Information Security Officer. Standards will be reviewed annually by the SCO Information Security Office to ensure continued relevance in assuring information security and SCO business objectives.

Information Security Standards

Roles and Responsibilities

Standards for Information Asset Users

These standards are applicable to all SCO functional organizations and personnel, including SCO employees, contractors, and vendors authorized to use SCO information assets.

For the purposes of these standards, the above entities are collectively known as Information Asset Users. This definition of “information asset user” excludes the general public whose only access is through publicly available services, such as the public websites of the SCO.

100. User Compliance: Users shall abide by California State Controller’s Office (SCO), State, and Federal (when applicable) policies, laws, rules, regulations, standards, and procedures pertaining to information security, confidentiality, and privacy when handling information assets owned by or entrusted to the SCO. Users shall comply with defined business use criteria established by the owner of information for each information asset they utilize. Additionally, users shall comply with SCO Administrative Policy Section 3.300-Incompatible Activities and Internet/E-mail Policy when utilizing SCO information assets.

101. User Activity Monitoring Notice: As stated in the SCO Internet/E-mail Policy, the SCO reserves the right to monitor and filter the use of its information assets. Users shall have no expectation of privacy unless expressly granted by SCO executive management.

102. User Security Acknowledgement: Users shall annually, or when beginning employment, read, acknowledge, and sign the SCO Information Security Acknowledgement form (ISO-004).

103. User Information Security Incident Reporting: Users shall report any reportable suspected or actual information security incidents to the SCO Information Security Office, owner of information, and custodian of information. (See Operational Security Standard 317 and Appendix A: Information Security Incident Categories and Reporting Timeframes.)

104. Physical Access / ID Badges: SCO employees and contractors shall wear physical access / ID badges issued by the SCO ISO at all times when within a facility owned or leased by the SCO.

a. Physical access / ID badges shall be worn in such a manner as to be readily visible.

b. Physical access / ID badges assigned to individuals shall not be shared or loaned to another person.

c. The loss or theft of a physical access / ID badge shall be immediately reported to the applicable Division Physical Security Representative and SCO Information Security Office.

105. Prohibited Activities: Users shall not disable, remove, install with intent to bypass, or otherwise alter SCO systems, networks, or security and administrative settings or components designed to protect or administer the SCO’s information assets.

a. Users shall not download or install unapproved software on SCO information assets (e.g., PCs, IT systems, or networks).

b. Users shall not connect unapproved hardware to SCO information assets (e.g., PCs, IT systems, or networks).

(The SCO Information Systems Division maintains the approved software and hardware lists. See SCO PC Hardware and Software Standards; and Enterprise Architecture Standards.)

106. Personally Owned Equipment and Software: The use of personally owned or non-SCO equipment and software to process, access, or store SCO confidential or sensitive information is prohibited. Personally owned or non-SCO equipment and software includes, but is not limited to, personal computers and related equipment and software, Internet service providers, personal e-mail providers (e.g., Yahoo, Hotmail), personal library resources, handheld and Personal Digital Assistant (PDA) devices, cellular phones, cameras, facsimile machines, wireless systems, and photocopiers. Such personally owned equipment and software shall not be used to process, access, or store SCO confidential or sensitive information, or be connected to SCO systems or networks, without the written authorization from the appropriate SCO owner and custodian of information and the SCO Chief Information Security Officer.

107. Laptop / Portable Information Storage Device Use: Users shall not store any information classified as confidential or sensitive on laptop computers or other portable information storage devices (e.g., USB/Flash Drives, PDA’s, CD-ROMs, DVDs, Tape, etc.) unless:

a. The device is owned or leased by the SCO.

b. The device is password/PIN protected.

c. The information is secured using an approved encryption technology.

d. The user is authorized to have access to the confidential or sensitive information by the applicable owner. Access to information must be for business purposes only.

108. User Authentication Credential Security: Users shall be continuously aware that all credentials (e.g., the combination of User IDs, passwords, and/or access tokens) that allow access to SCO information assets are explicitly the property of the SCO. SCO credentials are classified as confidential information and must be handled and protected as such.

Each user is responsible for protecting the credentials assigned to them and shall not share these credentials with anyone else. If credentials are compromised, lost, or stolen, the user shall immediately report this to a supervisor and to the appropriate authentication system administrator to avoid unauthorized access or misuse. Credentials may be shared with system maintainers but the password must be immediately changed after maintenance or repair is complete.

Note: An information security best practice for protecting a password is to avoid writing passwords down or storing them electronically unless they are password protected and encrypted. Passwords should not be inserted into email messages or other forms of electronic communication without password protection and encryption of the information. Conveying a password in a telephone call should only be done when the receiving party is positively identified. No mobile phones should be utilized to convey a password. Commit passwords to memory!

109. Password Use: Users may use the same password on internal systems, network devices, or applications, but shall not use their internal password for external systems, such as for accounts on an external web site, as these web sites may not protect passwords in an acceptable manner.

110. User Password Rules: Users shall compose their own passwords. Users shall abide by the following standards when composing their password:

a. Passwords shall consist of a minimum of eight (8) characters.

b. Passwords shall consist of a combination of upper- and lower-case alphabetic characters and at least one (1) numeric or special character. The only special characters that should be utilized are @, #, or $.

Note: When composing a password, do not use dictionary words or obvious combinations of letters and numbers in passwords. Obvious combinations of letters and numbers include first names, last names, initials, pet names, user accounts spelled backwards, repeating characters, consecutive numbers, consecutive letters, and other predictable combinations and permutations.

c. Passwords shall be changed, at a maximum, every ninety (90) days.

d. Users shall not re-use their last six (6) passwords.
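The composition rules in standard 110 (a, b, and the note) and the re-use rule (d) can be enforced at password-change time. The following is an added example, not SCO's own code: a validator that applies rules a and b, screens for the "obvious combinations" the note lists (dictionary words, the user's names, the user ID spelled backwards, repeated characters, consecutive letters or digits), and checks the new password against salted PBKDF2 hashes of the last six passwords rather than against stored plaintext. The word list, user names and PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for a forbidden-word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "controller", "sacramento"}

ALLOWED_SPECIALS = set("@#$")   # rule b: the only permitted special characters
MIN_LENGTH = 8                  # rule a
HISTORY_DEPTH = 6               # rule d: last six passwords may not be reused
PBKDF2_ROUNDS = 100_000         # assumed work factor for stored password hashes


def _has_repeat(s: str, length: int = 3) -> bool:
    """True if `length` identical characters occur in a row (e.g. 'aaa')."""
    return any(len(set(s[i:i + length])) == 1 for i in range(len(s) - length + 1))


def _has_sequence(s: str, length: int = 3) -> bool:
    """True if `length` consecutive letters or digits occur, ascending or descending."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length].lower()
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_composition(password: str, user_id: str,
                      first_name: str = "", last_name: str = "") -> List[str]:
    """Return a list of rule violations (empty list means the password passes 110 a/b)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("rule a: fewer than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("rule b: must mix upper- and lower-case letters")
    if not any(c.isdigit() or c in ALLOWED_SPECIALS for c in password):
        problems.append("rule b: needs a numeric character or one of @ # $")
    bad_specials = {c for c in password if not c.isalnum() and c not in ALLOWED_SPECIALS}
    if bad_specials:
        problems.append(f"rule b: special characters {sorted(bad_specials)} are not permitted")

    lowered = password.lower()
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"note: contains dictionary word {word!r}")
    identity_parts = (("user ID", user_id), ("user ID spelled backwards", user_id[::-1]),
                      ("first name", first_name), ("last name", last_name))
    for label, value in identity_parts:
        if len(value) >= 3 and value.lower() in lowered:
            problems.append(f"note: contains {label}")
    if _has_repeat(password):
        problems.append("note: repeating characters")
    if _has_sequence(password):
        problems.append("note: consecutive letters or numbers")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the history never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_recently(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Rule d: re-hash the candidate with each stored salt and compare in constant time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(password: str, user_id: str, history: List[Tuple[bytes, bytes]],
                          first_name: str = "", last_name: str = "") -> List[str]:
    """Full 110 check: composition rules plus the six-password history."""
    problems = check_composition(password, user_id, first_name, last_name)
    if reused_recently(password, history):
        problems.append("rule d: matches one of the last six passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: a history of one prior password and three candidates.
    history = [hash_password("OldPa$$w0rd")]
    for candidate in ("OldPa$$w0rd", "Abc12345", "Tr0ub4d$Xq"):
        print(candidate, "->", validate_new_password(candidate, "jsmith", history) or "OK")
```

Storing only salt and digest for the history means a leak of the history table does not expose old passwords, and `hmac.compare_digest` avoids a timing side channel on the comparison. Rule c (the 90-day maximum age) is a scheduling matter for the authentication system and is not part of this validator.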

Standards for Owners of Information Assets

SCO Divisions are owners of the information assets they utilize to conduct the business of the SCO. Owners of information have the following responsibilities.

120. Owner Compliance: SCO Division management shall abide by, and ensure their staff comply with, SCO, State, and Federal (when applicable) policies, laws, rules, regulations, standards, and procedures pertaining to information security, confidentiality, and privacy when handling information assets owned by or entrusted to the SCO.

121. Information Asset Classification: SCO Divisions shall ensure the SCO information and applications for which they are responsible are appropriately classified. (Reference: Management Security Standards 200 and 201.)

122. Risk Assessment: SCO Divisions shall determine, in coordination with the SCO Information Security Office and custodian(s) of information, appropriate security controls (i.e., safeguards or countermeasures) for the information assets for which they are responsible and shall identify the resources needed to implement those controls. (Reference: Management Security Standard 202.)

123. Security Management: SCO Divisions shall ensure information security is planned for, documented, and integrated into the system life cycle (SLC) for all information technology projects that involve the processing, transport, or retention of information that is classified as confidential or sensitive, and for business critical applications and processes. (Reference: Management Security Standards 203 and 204.)

124. Owner Acceptable Use Policy: SCO Divisions shall develop information user “acceptable use” and “rules of behavior” for information assets for which they are responsible.

125. Owner Authorization Approval: SCO Divisions shall authorize access to, and use of, the information assets and facilities for which they are responsible.

126. Access Authorization Reviews: SCO Divisions shall conduct annual reviews of user accounts to validate the continued need for access to and use of the information assets for which they are responsible.

127. Access and Use Agreements: SCO Divisions shall establish and manage agreements with non-SCO state entities and non-state entities for which the division has authorized access to, or use of, an SCO information asset for which they are responsible. Agreements with non-SCO state entities and non-state entities shall, at a minimum, cover:

a. Appropriate levels of confidentiality and privacy for the information based on classification.

b. Standards for transmission and storage of the information, if applicable.

c. Agreements to comply with all divisional requirements, SCO ISPM standards, and state and federal laws regarding the security and use of the information asset.

d. The use of signed confidentiality and non-disclosure user statements.

e. Requirements for the non-SCO state entities and non-state entities to apply security patches and upgrades and to keep virus software up-to-date on all systems on which the information asset may be accessed from or used on.

f. A requirement to notify promptly the division and the SCO Information Security Office if an information security incident involving the information asset occurs.

Standards for Custodians of Information

The SCO Information Systems Division, Division IT Support staff, and any other system/network administrators are custodians of information assets they manage for an SCO owner of information. Custodians of information have the following responsibilities.

130. Security Compliance: Custodians of information shall ensure owner of information security requirements are implemented and enforced. Custodians of information shall continuously monitor security control (i.e., safeguards or countermeasures) operations and effectiveness and immediately report any problems or deficiencies to the appropriate owner of information and the SCO Information Security Office. Custodians of information shall ensure the information security posture of the SCO network and information assets is maintained during all network or information asset maintenance, monitoring activities, installations or upgrades, and throughout day-to-day operations.

Management Security Standards

These standards specify security controls (i.e., safeguards or countermeasures) for information assets that focus on the management of information security risk and the management of the information asset.

200. Information Classification: Owners of information shall classify all information under their control. The criteria set forth in State Administrative Manual (SAM) Section 5320.5 shall be utilized to classify SCO information.

201. Critical Application Classification: For disaster recovery and business continuity planning purposes, owners of information shall determine which information technologies they utilize are critical applications. A critical application is defined as an information technology so important to the SCO’s mission and business that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information or service provided by the application would have a significant negative impact on the health and safety of the public or state workers; on the business, fiscal or legal integrity of SCO or state operations; or on the continuation of essential SCO programs.

202. Security and Privacy Assessment: For all information technology projects that involve the processing of information classified as confidential or sensitive, or result in the development of a critical application, a security assessment must be conducted by the SCO Information Security Office to determine the information security impact level of the project. As part of the assessment, the ISO will provide recommended appropriate information security controls (i.e., safeguards or countermeasures) for inclusion in the Project’s System Security Plan (SSP) to ensure security objectives (e.g., privacy, confidentiality, integrity, and availability).

203. Project System Security Plans: For all information technology projects that involve the processing of information classified as confidential or sensitive, or results in the development of a critical application, the project shall develop and document a System Security Plan (SSP). A SSP provides an overview of the security requirements, approved by the owner of information, for the information system and describes the security controls in place or planned for meeting those requirements. Updates to SSPs should occur once every three years or when significant changes occur to the system.

204. Security Certification and Accreditation: For all information technology projects that involve the processing of information classified as confidential or sensitive, or result in the development of a critical application, the SCO ISO shall conduct a security certification. A security certification is an evaluation of the security control features (i.e., safeguards or countermeasures) of a system. The ISO shall provide the appropriate owner of information with a security certification report for owner production accreditation purposes. Any significant changes occurring to a system or to its physical environment, users, etc., or deviations from SSP specifications, shall require a review of the impact on the security of the system and shall require re-accreditation. All systems will be re-accredited every three years at a minimum or when a major change occurs.

205. Security Vulnerability Scanning: All SCO web systems, applications, and servers shall undergo vulnerability scanning quarterly and whenever significant changes are made to the system, application, or server.

206. System Interconnectivity / Information Sharing: Written authorization from the applicable owner of information shall be obtained prior to connecting an information asset with other systems and/or sharing confidential or sensitive information.

207. System Inventory: Owners of information, supported by custodians, shall develop and maintain an inventory of all systems that process confidential or sensitive information, or are critical applications, under their control. Inventories shall be updated annually or when significant changes occur to the system. Copies of the inventory shall be made available to the SCO Information Security Office and Information Systems Division for risk and enterprise management purposes and documentation.

208. Information Security Standard Violation Disciplinary Action: The appropriate appointing authority is responsible for conducting any disciplinary or adverse actions against SCO contractors or personnel who violate SCO ISPM standards.

Operational Security Standards

These standards specify security controls (i.e., safeguards or countermeasures) for information assets that are primarily implemented and executed by people (as opposed to information technologies).

300. Pre-Employment Screening: The prior employment history of potential SCO personnel shall be carefully reviewed to ensure the individual has no history of privacy or security violations (i.e., check references and with previous supervisors). Additionally, if permissible and/or appropriate for the duties and responsibilities of the position in question, criminal and/or financial history checks should also be performed.

301. Separation of Duties: Owners and custodians of information shall ensure the principle of “separation of duties” is enforced in security control (i.e., safeguards or countermeasures) and business operations. Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple users and chains of command.

Segregation of duties in security controls ensures no single individual or organization is given too much responsibility -- no entity should be in a position to both perpetrate and conceal irregularities.

Two general categories of security control operations that must be separated are:

• authorization vs. authentication administrative functions

• user vs. administrator functions

302. Least Privilege: Owners and custodians of information shall ensure the principle of “least privilege” is enforced in security control (i.e., safeguards or countermeasures) and business operations. A user, process, or application shall only be allowed to access and use those information assets necessary to conduct authorized business activities.
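Standards 301 and 302 can be expressed as machine-checkable rules over role assignments. The following is an added example and not SCO's own code: a small role model in which an identity has no permissions unless a role grants them (least privilege, deny by default), and role combinations that would let one person both perform and conceal an action are rejected at assignment time (separation of duties). The two exclusive pairs encode the categories standard 301 names, authorization vs. authentication administration and user vs. administrator functions; the role and permission names are constructed for illustration. A review helper lists existing conflicts, which is the kind of check an annual access review under standard 126 would run.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role catalogue: each role grants an explicit, minimal set of actions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_user":  {"payroll:read", "payroll:submit"},
    "payroll_admin": {"payroll:read", "payroll:approve", "payroll:configure"},
    "authn_admin":   {"idp:reset_password", "idp:issue_token"},   # authentication administration
    "authz_admin":   {"iam:grant_role", "iam:revoke_role"},       # authorization administration
}

# Standard 301: role pairs no single identity may hold at the same time.
MUTUALLY_EXCLUSIVE: List[FrozenSet[str]] = [
    frozenset({"authn_admin", "authz_admin"}),     # authorization vs. authentication admin
    frozenset({"payroll_user", "payroll_admin"}),  # user vs. administrator of the same system
]

Assignments = Dict[str, Set[str]]


class PolicyViolation(Exception):
    """Raised when an assignment would break separation of duties or names an unknown role."""


def conflicting_pairs(roles: Set[str]) -> List[FrozenSet[str]]:
    """Return every exclusive pair fully contained in `roles`."""
    return [pair for pair in MUTUALLY_EXCLUSIVE if pair <= roles]


def assign_roles(identity: str, roles: Set[str], assignments: Assignments) -> Set[str]:
    """Grant `roles` to `identity`, refusing the whole request if the result violates 301.

    The check is made against the union of existing and requested roles, so a conflict
    cannot be reached by splitting one grant into two.
    """
    unknown = roles - ROLE_PERMISSIONS.keys()
    if unknown:
        raise PolicyViolation(f"{identity}: unknown roles {sorted(unknown)}")
    proposed = assignments.get(identity, set()) | roles
    conflicts = conflicting_pairs(proposed)
    if conflicts:
        pairs = ", ".join(str(sorted(p)) for p in conflicts)
        raise PolicyViolation(f"{identity}: separation of duties forbids combining {pairs}")
    assignments[identity] = proposed
    return proposed


def effective_permissions(identity: str, assignments: Assignments) -> Set[str]:
    """Least privilege: only actions explicitly granted through an assigned role."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in assignments.get(identity, set())))


def is_permitted(identity: str, action: str, assignments: Assignments) -> bool:
    """Deny by default; unknown identities and ungranted actions are both refused."""
    return action in effective_permissions(identity, assignments)


def sod_violations(assignments: Assignments) -> List[Tuple[str, FrozenSet[str]]]:
    """Review helper: list (identity, conflicting pair) for assignments that already violate 301."""
    found = []
    for identity in sorted(assignments):
        for pair in conflicting_pairs(assignments[identity]):
            found.append((identity, pair))
    return found


if __name__ == "__main__":
    # Constructed walk-through: one clean grant, one refused grant, one pre-existing conflict.
    assignments: Assignments = {}
    assign_roles("alice", {"payroll_user"}, assignments)
    print("alice may submit payroll:", is_permitted("alice", "payroll:submit", assignments))
    print("alice may approve payroll:", is_permitted("alice", "payroll:approve", assignments))
    try:
        assign_roles("alice", {"payroll_admin"}, assignments)
    except PolicyViolation as exc:
        print("refused:", exc)
    legacy = {"dave": {"authn_admin", "authz_admin"}}
    print("review findings:", sod_violations(legacy))
```

Checking the union of current and requested roles is what makes the control hold over time; checking only the new grant would let a conflict be assembled across two separate requests. Keeping the permission sets small and explicit is the least-privilege half: there is no wildcard role, so any action not listed is denied.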

303. Security Education and Awareness: The SCO Information Security Office (ISO) shall ensure information security is given a high priority in all current and future SCO activities and initiatives. The ISO shall provide regular and relevant information privacy and security education and awareness training to all SCO personnel by various means, which includes but is not limited to the ISO’s S.A.F.E. (Security Awareness for Employees) program. The S.A.F.E. program will consist of the following elements:

a. New SCO personnel’s initial information security presentation at new employee orientation. (This orientation should be received as soon as possible upon hiring but no later than three months after assuming duties.)

b. Electronic notices, briefings, pamphlets, and newsletter postings on the SCO Intranet (i.e., COIN) or delivered via email.

c. Information security awareness tools to enhance awareness and educate personnel on information resource privacy and security threats and the appropriate safeguards.

d. All SCO personnel shall receive annual (refresher) training in security education and awareness as part of the annual SCO Information Security Acknowledgement (ISO-004) process.

304. Personnel Separation: Upon termination or other departure of an employee or contractor, SCO Human Resources, the appropriate SCO manager/supervisor, or the contract manager shall ensure all access and privileges to SCO systems, networks, and facilities are immediately revoked. Physical access badges shall be returned to the SCO Information Security Office immediately.

305. Physical Security: All rooms, work areas/spaces, and facilities leased or owned by the SCO shall implement physical protection measures.

The SCO Information Security Office shall manage all physical protection systems implemented. Physical protection systems include, but are not limited to:

a. Card-controlled gates and doors (administered by the SCO Information Security Office’s C*CURE system).

b. Video cameras, motion detectors, and other intrusion security systems (administered by the SCO Information Security Office’s C*CURE system).

c. Equipping all doors and openings on a security perimeter with alarms as well as devices that close and lock the doors/openings automatically (administered by the SCO Information Security Office’s C*CURE system).

d. Automated alarm notification (from the Information Security Office’s C*CURE system) directly to assigned Information Security Office personnel and appropriate law enforcement agencies, or to a monitoring service who will immediately alert assigned Information Security Office personnel and appropriate law enforcement agencies.

Selection and implementation of physical security protections shall be coordinated among the SCO Information Security Office, Divisions, the Business Services Office, and applicable facility owners. (SCO Division Chiefs shall designate Physical Security Representatives to act on their behalf to plan and implement physical security protections.)

306. Physical Access Control: SCO divisions are responsible for authorizing access into the rooms, work areas/spaces, and facilities they utilize. SCO Division Chiefs shall designate Physical Security Representatives to act on their behalf to authorize physical access to employees, authorized contractors and facilities support staff by submitting a Physical Access Request form (ISO-002) to the Information Security Office. Individuals should be authorized the minimum access necessary to allow them to effectively accomplish their jobs.

a. SCO Division Physical Security Representatives shall annually review access authorizations granted.

b. SCO Division Physical Security Representatives shall immediately notify the ISO when an employee or contractor is terminated or departs, or when an employee’s job duties change, so that access authorization can be revoked or changed appropriately.

c. SCO Division Physical Security Representatives are responsible for returning access badges to the SCO Information Security Office.

307. Visitors to SCO Facilities: SCO divisions shall restrict and control visitor access at all times to rooms, work areas/spaces, and facilities under their control. The division shall maintain records that contain visitor access information.

Visitors shall be escorted and supervised by division or SCO designated employees while within SCO controlled access rooms, work areas/spaces, and facilities.

Unless authorized by the SCO division management, visitors shall not utilize any image, audio, or electronic information recording device within an SCO controlled access room, work area/space, or facility.

308. Information Protection in the Work Area: All electronic, photographic, and hard copy media (e.g., flash drives, disk drives, diskettes, external hard drives, portable devices, photos, microfiche, tapes, and paper documents) containing confidential or sensitive information shall be physically protected from unauthorized use, loss, and theft. All media containing confidential or sensitive information must be secured (e.g., kept in a locked room, drawer, cabinet, or safe) when not in use or unattended. To the extent possible, media containing confidential or sensitive information shall be turned over or put out of sight when visitors or individuals not authorized to access it are present.

309. Sanitization and Disposal of Information: Owners and custodians of information shall ensure that the sanitization and disposal methods utilized for electronic, photographic, and hard copy media, and for other information technology resources (e.g., servers, routers, bizhub multifunction devices, printers, etc.), render the confidential or sensitive information contained on the media or resource unreadable and unrecoverable. Media sanitization activities shall comply with the recommendations stated in NIST Special Publication 800-88: Guidelines for Media Sanitization.

310. Information Exchange via Portable Information Storage Devices: SCO confidential or sensitive information exchanged or transferred through portable information storage devices (e.g., USB/flash drives, PDAs, CD-ROMs, DVDs, tape, etc.) shall be protected by password/PIN access control and encryption when transported outside an SCO facility.

311. Information Asset Transport / Shipping: All information assets containing confidential or sensitive information that are transported / shipped to a non-SCO entity or to a destination outside an SCO facility shall, at a minimum, be securely packaged in a double-sealed conveyance (e.g., envelope, box, container, etc.). The second seal should be appropriately marked with the “unauthorized use” notice and the classification of the information contained on the asset. The receipt and delivery of the asset shall be monitored and accounted for to ensure the asset is not lost and the information has not been compromised while in transit.

Information assets being transported / shipped for repair, replacement, or disposal shall have all SCO information sanitized from them prior to leaving an SCO facility. (Reference: Operational Security Standard 309.)

312. Workstations: All SCO workstations, laptops, and portable computing devices (e.g., PDAs) shall, if technically feasible, implement an inactivity time-out mechanism (e.g., a password-protected screen saver) that hides the information displayed and locks the device until the authorized user re-authenticates. The period of inactivity shall be a maximum of 15 minutes.

If the workstation, laptop, or portable computing device cannot technically support an inactivity time-out mechanism, users shall log off or manually lock the device before leaving it unattended.

313. Laptops and Portable Computing Devices: All SCO laptops and portable computing devices (e.g., PDAs) containing confidential or sensitive information shall have access control (e.g., userID and password protection) and a disk encryption protection mechanism. If technically feasible, laptops and portable computing devices shall also include firewall and malicious code safeguards.

314. Backup Data: Owners and custodians of information shall implement and enforce proper backup procedures for all system and network information based on the business needs. Backup information shall be stored a safe distance from the primary system and shall not share the same environmental conditions and disruption risks as the primary system.

315. Business Continuity Planning: The SCO Information Security Office (ISO) has primary leadership responsibility for the SCO Business Continuity and Incident Management Plans. SCO Division Chiefs shall designate Business Continuity Coordinators (BCC) to act on behalf of their divisions to collaboratively work with the Information Security Office to ensure that division critical business services and operations are sustained following a disaster or adverse event.

316. Disaster Recovery Planning: The SCO Information Systems Division (ISD) has primary leadership responsibility for the SCO Disaster Recovery Plan (DRP). The DRP identifies, prioritizes, and documents disaster recovery planning requirements and tasks necessary to recover all SCO Division identified critical systems, networks, applications, and other information technology resources. SCO Divisions shall collaboratively work with ISD to ensure that division critical information technologies and the information they contain are recovered and/or restored following a disruption of service, disaster, or adverse event.

317. Information Security Incident Reporting: Information security incidents (as defined in Appendix A: Information Security Incident Categories and Reporting Timeframes) shall be reported to the SCO Information Security Office within the incident category specified timeframe. The SCO Information Security Incident Report form (ISO-10) shall be utilized to document all reportable information security incidents.

Where the incident category's specified timeframe is immediate notification, SCO personnel shall report incidents to the SCO ISO by one of the following means:

• Contacting the ISO’s Help Desk at 916-322-8094.

• Using the ISO’s email account: infosec@sco..

• Contacting a member of the ISO staff directly.

After immediate reporting, an ISO-10 shall be submitted as follow-up within two business days.

The SCO Information Security Office, after consultation with Executive Management, shall determine what, if any, outside authorities need to be contacted in regard to confirmed information security incidents in accordance with applicable State and federal laws and procedures.

Information concerning information security incidents is considered confidential. All SCO personnel and contractors contacted directly by the media should inform reporters that it is departmental procedure for all media inquiries and requests to be directed to the SCO Communications Office. All SCO personnel and contractors shall comply with the provisions of SCO Information Memorandum 07-07.

SCO personnel shall report equipment thefts to the SCO Information Security Office if the theft occurs within an SCO facility. If the theft occurs outside a facility owned or leased by the SCO, local law enforcement should be contacted first and then the SCO Information Security Office.

Technical Security Standards

These standards specify security controls (i.e., safeguards or countermeasures) for information assets that are primarily implemented and executed by the information asset custodian through mechanisms contained in the hardware, software, or firmware components of the asset.

400. Access Control: Users shall be provided access to SCO confidential or sensitive information, networks, and systems in accordance with a defined standard of access control such as:

• Discretionary access control.

• Mandatory access control.

• Role-based access control.

The SCO default for access is role-based access control.

Access rights of users, in the form of read, write, and execute permissions, shall be controlled appropriately, and the output obtained through those rights shall be visible only to authorized individuals.

401. User Identification: To establish individual accountability for access and use of systems and networks, UserIDs shall be unique to each authorized production environment user.

402. User Authentication Techniques: Authentication techniques for all SCO systems and networks shall be commensurate with the authentication assurance level established by the owner of information based on risk and sensitivity of the system, network, and the information classification. (Reference: NIST Special Publication 800-63: Electronic Authentication Guideline.)

The use of password based authentication (Authentication Assurance Level 2) is the default for the SCO.

403. Password Standards: Passwords used for user authentication shall be system enforced to comply with the following criteria:

a. Passwords shall be a minimum of eight (8) characters and shall combine case-sensitive alphabetic characters with numeric or special characters. The only special characters that should be utilized are @, #, and $.

b. Password changes for standard and privileged users shall be systematically enforced where possible.

c. Passwords shall be changed every ninety (90) days, at a maximum, for standard user accounts to reduce the risk of compromise through guessing, password cracking, or other attack & penetration methods.

d. Passwords shall be changed every sixty (60) days, at a maximum, for privileged user accounts to reduce the risk of compromise through guessing, password cracking, or other attack and penetration methods.

e. Users shall be prohibited from changing their passwords for fifteen (15) days after a change; that is, the minimum password age shall be fifteen (15) days.

f. Privileged users shall be able to override the minimum password age limit for users when necessary to perform required job functions.

g. The authentication system shall routinely prompt users to change their passwords within five to fourteen (5-14) days before such password expires.

h. Passwords shall be systematically disabled after a period of inactivity determined by business requirements, or after ninety (90) days at a maximum, to reduce the risk of compromise through guessing, password cracking, or other attack and penetration methods.

i. Users shall be prohibited from using, at a minimum, their last six (6) passwords to deter reuse of the same password.

j. A user account lockout feature shall disable the user account after five (5) unsuccessful consecutive login attempts. Account lockout duration shall be permanent until an authorized authentication system administrator reinstates the user account.

k. Clear-text representation of passwords shall be suppressed (blotted out) when entered at the login screen.
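Criteria a through k are only meaningful when the authentication system enforces them mechanically (403b). The following is an added example, not SCO code, showing how the composite rules fit together in one account record: complexity (a), maximum age for standard and privileged accounts (c, d), minimum age with the privileged override (e, f), the expiry prompt window (g), inactivity disabling (h), history (i) and permanent lockout (j). The account name, passwords and dates are constructed, the salted PBKDF2 storage format is the example's own choice, and 403a's "case-sensitive alphabetic characters" is read here as requiring both upper- and lower-case letters.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib, hmac, os, re

MIN_LENGTH = 8                             # 403a
ALLOWED_SPECIALS = "@#$"                   # 403a: the only specials that should be used
HISTORY_DEPTH = 6                          # 403i
MIN_AGE = timedelta(days=15)               # 403e
MAX_AGE_STANDARD = timedelta(days=90)      # 403c
MAX_AGE_PRIVILEGED = timedelta(days=60)    # 403d
INACTIVITY_LIMIT = timedelta(days=90)      # 403h
LOCKOUT_THRESHOLD = 5                      # 403j
EXPIRY_WARNING = timedelta(days=14)        # 403g: prompt 5-14 days before expiry

def _hash(password, salt):                 # salted slow hash; storage format is this example's choice
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    name: str
    privileged: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    history: list = field(default_factory=list)   # previous hashes, oldest first
    changed_at: datetime = None
    last_login: datetime = None
    failures: int = 0
    locked: bool = False
    disabled: bool = False

def complexity_errors(password):
    """403a, read as: >= 8 chars, upper and lower case, a digit or one of @#$, nothing else."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        errors.append("needs both upper- and lower-case letters")
    if not re.search(r"[0-9@#$]", password):
        errors.append("needs a digit or one of " + ALLOWED_SPECIALS)
    if re.search(r"[^A-Za-z0-9@#$]", password):
        errors.append("uses a special character other than " + ALLOWED_SPECIALS)
    return errors

def set_initial_password(acct, password, now):
    assert not complexity_errors(password), "initial password fails 403a"
    acct.current, acct.changed_at, acct.last_login = _hash(password, acct.salt), now, now

def change_password(acct, old, new, now, admin_override=False):   # 403b/e/f/i
    if not hmac.compare_digest(_hash(old, acct.salt), acct.current):
        return "bad-password"
    if not admin_override and now - acct.changed_at < MIN_AGE:
        return "too-soon"             # 403e; a privileged user may override (403f)
    if complexity_errors(new):
        return "weak"
    candidate = _hash(new, acct.salt)
    if any(hmac.compare_digest(candidate, h) for h in acct.history + [acct.current]):
        return "reused"               # 403i: the current password and the six before it
    acct.history = (acct.history + [acct.current])[-HISTORY_DEPTH:]
    acct.current, acct.changed_at, acct.last_login = candidate, now, now
    return "ok"

def authenticate(acct, password, now):   # returns a status; side effects implement 403c/d/g/h/j
    if acct.locked:
        return "locked"
    if acct.disabled or now - acct.last_login > INACTIVITY_LIMIT:
        acct.disabled = True          # 403h: dormant for more than 90 days
        return "disabled"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.current):
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True        # 403j: stays locked until an administrator reinstates
            return "locked"
        return "bad-password"
    acct.failures, acct.last_login = 0, now
    max_age = MAX_AGE_PRIVILEGED if acct.privileged else MAX_AGE_STANDARD
    age = now - acct.changed_at
    if age >= max_age:
        return "expired"              # 403c/d: a change is required before proceeding
    if max_age - age <= EXPIRY_WARNING:
        return "ok-change-soon"       # 403g
    return "ok"

def reinstate(acct):                  # 403j: only an authorized administrator clears a lockout
    acct.locked, acct.failures = False, 0

def walkthrough():                    # constructed scenario for a standard (90-day) account
    t0 = datetime(2024, 1, 1, 9, 0)
    day = lambda n: t0 + timedelta(days=n)
    acct = Account("jdoe")
    set_initial_password(acct, "Ledger#2024", t0)
    seen = [
        change_password(acct, "Ledger#2024", "Quarter$End9", day(3)),   # too-soon
        change_password(acct, "Ledger#2024", "Ledger#2024", day(20)),   # reused
        change_password(acct, "Ledger#2024", "Quarter$End9", day(20)),  # ok
        authenticate(acct, "Quarter$End9", day(100)),                   # ok-change-soon
        authenticate(acct, "Quarter$End9", day(111)),                   # expired
    ]
    for _ in range(LOCKOUT_THRESHOLD):
        status = authenticate(acct, "not-the-password", day(112))
    seen.append(status)                                                 # locked
    reinstate(acct)
    seen.append(authenticate(acct, "Quarter$End9", day(112)))           # expired
    seen.append(authenticate(acct, "Quarter$End9", day(210)))           # disabled (403h)
    return seen
```

Two points of the standard are visible in the code rather than the prose: the lockout in 403j is permanent, so a caller who knows a userID can take that account out of service with five bad guesses until an administrator intervenes, and the 403i history check compares against stored hashes, so the account must keep one salt across changes (or store a salt per historical hash) for the comparison to work.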

404. Automatic Session Timeout: Where technically feasible, all SCO applications shall establish and implement limits of time a session is allowed to remain idle before it is automatically timed out and terminated. The default time-out length is fifteen (15) minutes, but can be configured to meet business needs.

405. Use Warning Banner: All SCO systems and networks shall display the following log-on warning banner at all system access points:

"This is a State of California, Office of the State Controller computer system, which may be accessed and used only for official Government business by authorized personnel.  Unauthorized access or use of the computer system may subject violators to criminal, civil, and/or administrative action.  All information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations.  Access or use of this computer system by any person whether authorized or unauthorized constitutes consent to these terms."

406. Audit Trails: Based on business requirements, SCO systems and networks shall generate audit logs that show, at a minimum, addition, modification, and/or deletion of confidential or sensitive information.

Audit trails shall establish accountability for activities conducted by users or systems. Audit logs must be protected from unauthorized modification, access, or destruction. Audit trail retention shall be based on business and legal requirement.
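406 requires that audit logs be protected from unauthorized modification and destruction, which a file permission alone does not achieve against the administrator of the system that writes them. The following is an added example, not SCO code, of a hash-chained audit trail: each record's HMAC tag covers the record and the tag before it, so editing, deleting or reordering any entry breaks verification from that point on, and publishing the latest tag somewhere the log writer cannot alter catches a truncated tail. The key, field names, object identifiers and records are constructed.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

GENESIS = b"\x00" * 32   # chain anchor for the first record


def _tag(key, prev_tag, record):
    # Canonical JSON (sorted keys, no whitespace) so a record always serialises the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


class AuditTrail:
    """Append-only log; each tag covers the record and the tag before it."""

    def __init__(self, key):
        self._key = key
        self.entries = []            # list of (record, tag)

    def append(self, user, action, obj, classification, when):
        record = {"seq": len(self.entries), "ts": when.isoformat(), "user": user,
                  "action": action, "object": obj, "classification": classification}
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((record, _tag(self._key, prev, record)))
        return record["seq"]

    def head(self):
        """Latest tag; publish it where the log writer cannot alter it to detect truncation."""
        return self.entries[-1][1] if self.entries else GENESIS


def verify(key, entries, expected_head=None):
    """Recompute the chain. Returns (ok, first_bad_index); a truncated tail is only caught
    when the caller supplies the last tag it saw (expected_head)."""
    prev = GENESIS
    for i, (record, tag) in enumerate(entries):
        if record.get("seq") != i or not hmac.compare_digest(_tag(key, prev, record), tag):
            return False, i
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None


def scenario():
    """Constructed records covering 406's add / modify / delete events, then tamper attempts."""
    key = b"constructed-demo-key"
    log = AuditTrail(key)
    t = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)
    log.append("jdoe", "ADD", "payroll/EMP-1042", "confidential", t)
    log.append("jdoe", "MODIFY", "payroll/EMP-1042", "confidential", t)
    log.append("jdoe", "DELETE", "payroll/EMP-1042", "confidential", t)
    log.append("asmith", "ADD", "vendors/V-77", "sensitive", t)
    head = log.head()

    edited = [(dict(r), tag) for r, tag in log.entries]
    edited[2][0]["action"] = "READ"                  # rewrite the DELETE as a harmless READ
    removed = [e for e in log.entries if e[0]["action"] != "DELETE"]   # drop the record outright
    truncated = log.entries[:-1]                     # discard the newest record

    return {
        "intact": verify(key, log.entries, head),
        "edited": verify(key, edited, head),
        "removed": verify(key, removed, head),
        "truncated_unanchored": verify(key, truncated),
        "truncated_anchored": verify(key, truncated, head),
    }
```

The design point is key custody: the HMAC key must be held by a party other than the host that produces the log (for example a central log collector), because anyone holding it can re-tag a rewritten chain. The unanchored truncation case in the scenario verifies cleanly, which is why the head tag has to be recorded off-host.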

407. Secure Communications: An end-to-end encrypted tunnel shall protect SCO confidential or sensitive information communicated through public or shared networks not under the direct control of the SCO. The encryption methodology utilized shall comply with SCO Technical Security Standard 409: Encryption Standard.

408. Secure Storage: SCO confidential or sensitive information shall be encrypted while at rest (stored) within a DMZ or when directly accessible from a public or shared network not under the direct control of the SCO. The encryption methodology utilized shall comply with SCO Technical Security Standard 409: Encryption Standard.

409. Encryption Standard: Encryption technologies utilized by the SCO shall comply with Federal Information Processing Standards (FIPS) and National Institute for Standards and Technology (NIST) guidelines. At a minimum, encryption algorithms shall be at least 128-bit. (References: NIST Special Publications 800-29: A comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2, 800-53: Recommended Security Controls for Federal Information Systems; 800-111: Guide to Storage Encryption Technologies for End User Devices.)
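For 407 and 409 together, the practical question is what a client will actually negotiate. The following is an added example, not SCO code, of a client-side TLS policy in Python's standard ssl module: it refuses anything below TLS 1.2, requires certificate and host-name verification, limits the cipher list to forward-secret AEAD suites, then audits the resulting context to confirm every suite it can negotiate meets 409's 128-bit minimum. The optional client certificate shows where a node certificate would be presented for 417. The cipher string, the probe host name and the certificate paths are assumptions; 409's FIPS requirement additionally needs a validated cryptographic module, which a cipher string cannot demonstrate.

```python
import socket
import ssl

MIN_STRENGTH_BITS = 128   # 409: "at least 128-bit"
# Forward-secret ECDHE key exchange with AES-GCM only; the TLS 1.3 suites OpenSSL adds on
# top (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305) already clear the 128-bit bar.
CIPHER_SPEC = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def build_context(cafile=None, client_cert=None, client_key=None):
    """Client-side context for 407: TLS 1.2 or newer, peer certificate and host name verified."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_SPEC)
    ctx.options |= ssl.OP_NO_COMPRESSION          # compression leaks plaintext length
    if client_cert:                               # 417: present a node certificate (mutual TLS)
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def audit(ctx):
    """What the context will actually negotiate; 'weak_suites' lists anything under the bar."""
    suites = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "suite_count": len(suites),
        "weak_suites": [s["name"] for s in suites if s["strength_bits"] < MIN_STRENGTH_BITS],
    }


def probe(host, port=443, ctx=None):
    """Open a tunnel and report the negotiated protocol and suite (network access required)."""
    ctx = ctx or build_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            return {"protocol": tls.version(), "suite": name, "bits": bits}


if __name__ == "__main__":
    print(audit(build_context()))
    print(probe("example.com"))   # assumed host name; any TLS endpoint will do
```

audit() is the part worth keeping in a build pipeline: it reads the context back rather than trusting the cipher string, so a platform OpenSSL that silently ignores part of the spec still shows up as a suite below the bar.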

410. Network Boundary Security: Interfaces between SCO systems and networks and public or shared networks not under the direct control of the SCO shall be protected utilizing the following controls:

a. Port based restrictions on traffic flow.

b. Physical and/or logical segregation by the use of a DMZ (De-Militarized Zone) or Virtual Local Area Network (V-LAN) architecture configuration.

c. Network Address Translation (NAT). (If technically feasible the use of Port Address Translation (PAT) is recommended.)

411. Firewall Standard: All incoming and outgoing connections from SCO systems and networks to public or shared networks not under the direct control of the SCO shall be made through a packet filtering firewall.

412. Controlled Pathways (Gateways): All incoming and outgoing TCP/IP SCO network Application Layer communications shall be conducted via centrally designated gateways.
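410 through 412 describe one boundary: port-based restrictions, a DMZ between the public side and the internal network, a packet filter on every connection, and application-layer traffic forced through designated gateways. The following is an added example, not SCO code, of a first-match, default-deny packet filter policy that expresses those three standards over constructed addresses (TEST-NET ranges for the public side and the DMZ, a private range for the internal network, and a single assumed proxy host as the 412 gateway) and evaluates constructed flows against it. NAT/PAT (410c) and stateful connection tracking are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: TEST-NET-1 as the DMZ, TEST-NET-3 as the public side.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
DMZ = ipaddress.ip_network("192.0.2.0/24")
PROXY = ipaddress.ip_network("10.20.0.8/32")      # assumed centrally designated gateway (412)
ANY = ipaddress.ip_network("0.0.0.0/0")


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "public"


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src_zone: str
    dst_zone: str
    proto: str         # "tcp", "udp" or "any"
    dports: tuple      # permitted destination ports, () for any (410a)
    src_net: ipaddress.IPv4Network = ANY
    note: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule, flow):
    return (rule.src_zone == zone_of(flow.src)
            and rule.dst_zone == zone_of(flow.dst)
            and rule.proto in ("any", flow.proto)
            and (not rule.dports or flow.dport in rule.dports)
            and ipaddress.ip_address(flow.src) in rule.src_net)


def evaluate(policy, flow):
    """First matching rule wins; a flow no rule mentions is denied (default deny, 411)."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.note
    return "deny", "default deny: no rule matched"


POLICY = [
    Rule("allow", "public", "dmz", "tcp", (443,), note="public web front end in the DMZ (410b)"),
    Rule("allow", "dmz", "internal", "tcp", (5432,), note="DMZ app tier to the database only"),
    Rule("allow", "internal", "public", "tcp", (80, 443), src_net=PROXY,
         note="outbound web via the designated gateway (412)"),
    Rule("deny", "internal", "public", "any", (), note="workstations never reach the Internet directly"),
]

# Constructed flows: (description, flow)
SAMPLE_FLOWS = [
    ("browser on the Internet to the DMZ web server", Flow("203.0.113.5", "192.0.2.10", "tcp", 443)),
    ("SSH from the Internet to the DMZ web server", Flow("203.0.113.5", "192.0.2.10", "tcp", 22)),
    ("SMB from the Internet straight to an internal host", Flow("203.0.113.5", "10.20.1.5", "tcp", 445)),
    ("DMZ app tier to the internal database", Flow("192.0.2.10", "10.20.1.50", "tcp", 5432)),
    ("DMZ app tier to an internal RDP port", Flow("192.0.2.10", "10.20.1.50", "tcp", 3389)),
    ("workstation to the Internet directly", Flow("10.20.4.20", "203.0.113.9", "tcp", 443)),
    ("proxy to the Internet on behalf of a workstation", Flow("10.20.0.8", "203.0.113.9", "tcp", 443)),
]


def decisions(policy=POLICY, flows=SAMPLE_FLOWS):
    return [(desc, evaluate(policy, flow)[0]) for desc, flow in flows]
```

Note that the explicit final deny for internal-to-public traffic is redundant with the default deny; it is there so that a later rule cannot be appended below it and quietly open a direct path, which is the usual way 412-style gateway requirements erode in practice.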

413. Malicious Code Protection: Malicious code protection software shall be installed, maintained, and utilized on all SCO systems and network components (where technically feasible).

414. Remote Access: Remote user access to SCO network internal systems shall be protected, at a minimum, in the following manner:

a. User systems connecting remotely to SCO network internal systems shall be managed (owned or leased) by the SCO.

b. User systems connecting remotely to SCO network internal systems must have antivirus software installed.

c. User systems connecting remotely to SCO network internal systems shall have the latest operating system and application patches installed.

d. Access to user or internal system diagnostic ports (especially dial-up diagnostic ports) shall be securely controlled and enabled only when needed for authorized diagnostic access.

e. All SCO users and user systems establishing a remote connection to a SCO network internal system shall be authenticated.

f. Inbound and outbound network traffic shall be controlled and limited to only that necessary to accomplish the business need.

g. Inbound and outbound traffic shall be encrypted.

h. Split-tunneling or dual homing shall be prohibited.

415. Product Assurance (System Hardening): All SCO information technologies shall be configured to meet business needs and reduce information security risk. At a minimum, all unnecessary software, services, ports, and drivers shall be disabled, removed, or closed; and default account credentials shall be changed. Additionally, based on business or security requirements, file protections and audit logging shall be enabled.

416. Patch Management: Manufacturer/vendor security patches shall be applied to all SCO systems and networks in a manner that ensures maximum protection against security vulnerabilities and minimum impact on SCO business operations. Custodians of information are responsible for implementing a patch management procedure that contains a systematic process of identifying, prioritizing, acquiring, implementing, testing, and validating security patches necessary for each system or network. A risk-based decision must be documented if security patches are not applied to a system or network.

417. System-to-System Interconnection (Node Authentication): Where non-SCO systems or applications connect to a SCO system or application, or where SCO systems or applications connect to SCO systems or applications via public or shared networks not under the direct control of the SCO, node authentication is required.

418. Wireless Local Area Network Security Standard: Wireless local area network (LAN) technology shall only be deployed if it is not technically or physically feasible to deploy a wired LAN architecture. (Reference: NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks.)

a. Wireless LANs shall be segregated from SCO networks and systems via a firewall.

b. Wireless LAN access points (AP) shall be physically secured.

c. The Wireless LAN Service Set Identifier (SSID) shall be changed from the default value. The SSID shall not contain characters that indicate the location of the wireless LAN (WLAN) access point, the name of the SCO, or any other identifying name. The SSID broadcast function shall be disabled, except where technology does not permit.

d. All access points shall require a password to access their administrative features. This password shall be stored and transmitted in encrypted form.

e. The ad hoc mode for IEEE 802.11, also referred to as peer-to-peer mode or Independent Basic Service Set (IBSS), shall be disabled.

f. Wireless LAN communications shall be encrypted. At a minimum, 802.11i (WPA2) compliant Advanced Encryption Standard (AES) 128-bit encryption shall be utilized.

Privacy Standards

These standards outline the requirements of the SCO pertaining to the collection, maintenance, and dissemination of personally identifiable information.

Privacy Standards

a. Personal information may only be obtained through lawful means.

b. Subjects providing personal information must be informed of the title, business address, telephone number, and electronic mail address, if applicable, of the SCO official responsible for record requests.

c. All personal information may be collected only after specifying at or prior to the time of collection the purposes for which the information is to be used. Any subsequent use of the information shall be limited to, and consistent with, the fulfillment of those purposes previously specified.

d. Any personal information collected or maintained by the SCO may not be disclosed, made available or otherwise used for a purpose other than those specified, except with the written consent of the subject of the information, or as required by law or regulation. Written consent must be obtained not more than 30 days before the anticipated disclosure or in the time limit agreed to in the written consent. To this end, the subject of personal information should always be notified that the SCO might use their private information to contact them for the purposes of receiving their written consent.

e. Personal information shall only be collected for purposes relevant to those for which it is needed.

f. To the greatest extent practicable, personal information shall be obtained directly from the individual who is the subject of the information rather than from another source.

g. The general means by which personal information is protected against loss, unauthorized access, use, modification, or disclosure shall be posted, unless the disclosure of the general means would compromise legitimate SCO security objectives or law enforcement purposes.

REMINDER: All hardcopy and electronic documentation regarding SCO production systems and information related to the implementation and configuration of information security controls and safeguards, and vulnerability information (including security incident information), is classified as “confidential”, and should not be disclosed.

h. Subjects providing personal information should be reminded that any information they submit may become a public record once submitted, and it may be subjected to public inspection and copying if not otherwise protected by federal or state law.

i. Personal information shall never be distributed or sold to any third party without the permission of the subject providing such information except as prescribed by law.

j. Access to personal information by individuals or systems must be limited to those customers, business partners, contractors, or entities specifically authorized by the Division Chief or their designated Information Security Coordinator to access that information in accordance with all relevant statutes and requirements.

Additional special privacy protections for minors:

k. Personal information shall never be requested from or accepted from a minor without the written consent of a parent or guardian.

l. Minors (people under the age of 18) are not eligible to use any SCO service that requires the submission of private information without their parent’s or guardian’s consent.

m. Personal information pertaining to minors will never be provided to third parties.

n. Minors should be advised to seek the consent of their parents or guardians for guidance on this matter.

Glossary of Terms

– A –

Accreditation: Accreditation is the official management decision given by a Division Chief to authorize operation of an information system and to explicitly accept the risk to SCO operations (including mission, functions, image, or reputation), information assets, or individuals, based on the implementation of an agreed upon set of security controls.

– B –

Backup: A process by which information is copied in some form so that it remains available for use if the original information is lost, destroyed, or corrupted.

Business Continuity Plan (BCP):  A plan that documents arrangements and procedures to enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical business functions after an interruption.

– C –

Confidential Information: Information maintained by the SCO that is exempt from disclosure under the provisions of the California Public Records Act (Government Code Sections 6250-6265) or other applicable state or federal laws. See SAM Section 5320.5.

Critical Application: An application so important to the SCO that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of the public or state workers; on the fiscal or legal integrity of SCO and/or state operations; or on the continuation of essential SCO programs.

Custodian of Information: An employee or organizational unit (such as the SCO's Information Systems Division or the Department of Technology Services) acting as a caretaker of an automated file or database.

– D –

Disaster Recovery Plan (DRP): The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. 

– H –

Hardening: A defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls.

– I –

Information Assets: (1) All categories of hard copy and automated information, including (but not limited to) documents, images, records, files, and data bases; and (2) information technology facilities, equipment (including personal computer systems), and software owned or leased by the SCO.

– N –

Non-State Entity: A business, organization, or individual that is not a State entity, but requires access to SCO information assets in conducting business with the SCO.  (This definition includes, but is not limited to, contractors, researchers, vendors, consultants, and their employees and entities associated with federal and local government and other states.)

– O –

Owner of Information: The SCO Division that prepares, collects, or utilizes an information asset to conduct the business of the SCO.

– R –

Risk Assessment: The process of identifying the vulnerabilities and threats to an organization by assessing the critical functions necessary for an organization to continue business operations, and defining the controls in place to reduce organization exposure and evaluating the cost for such controls.

– S –

Sensitive Information: Information maintained by the SCO that requires special precautions to protect it from unauthorized modification or deletion. See SAM Section 5320.5.

Appendix A: Information Security Incident Categories and Reporting Timeframes

|Category |Name |Description |Reporting Timeframe Criteria |
|CAT 1 |Unauthorized Disclosure of Confidential or Sensitive Information |An unauthorized deliberate or inadvertent disclosure of information classified as “confidential or sensitive.” |Immediately upon discovery / detection. |
|CAT 2 |Unauthorized Information Resource Access |A person gains logical and / or physical access without permission to a SCO network, system, application, or other information resource. |Immediately upon discovery / detection. |
|CAT 3 |Denial of Service |An attack that prevents or impairs the authorized use of SCO networks, systems, or applications by exhausting resources. |Within one hour of discovery / detection if the successful attack is still ongoing and the SCO or DTS (Department of Technology Services) is unable to successfully mitigate activity. |
|CAT 4 |Malicious Code |A virus, worm, Trojan horse, or other code-based malicious entity that infects a host. |Immediately upon discovery / detection if the attack leads to a CAT 1, 2, or 3 incident; or within one hour if the attack is ongoing and spreading throughout the SCO enterprise and the SCO or DTS (Department of Technology Services) is unable to successfully mitigate activity. |
|CAT 5 |Unauthorized Access to an SCO Facility or Work Area |A person who is not authorized by the appropriate division enters a secure work area or facility. |Immediately upon discovery / detection. |
|CAT 6 |Theft or Loss of a SCO Information Resource |The theft or loss of an SCO information resource (i.e., PC, laptop, PDA, server, microfiche, CD-ROM, USB drive, etc.). |Immediately upon discovery / detection if the violation leads to a CAT 1 or 2 incident; or within one day upon discovery / detection. |
|CAT 7 |Violation of a SCO Information Security Program Standard |A person who violates any SCO Information Security Program Standard without being granted an exception by an authorized entity. |Immediately upon discovery / detection if the violation leads to a CAT 1, 2, or 3 incident; or within one day upon discovery / detection. |
|CAT 8 |Inappropriate Usage |A person violates SCO and / or SCO Divisional acceptable information and / or information resource use policies. |Immediately upon discovery / detection if the violation leads to a CAT 1, 2, or 3 incident; or within one day upon discovery / detection. |
|CAT 9 |Probes and Reconnaissance Scans |This category includes any activity that seeks to access or identify a SCO information resource, open ports, protocols, services, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. |Monthly; if the information resource stores confidential information or is classified as business critical, report within one hour of discovery. |
|CAT 10 |Investigation |Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. |Not Applicable; this category is for SCO use to categorize a potential incident that is currently being investigated. |
