Version 1.5 Revised December 2017 | Office of Management and Enterprise Services | Information Services
State of Oklahoma
Information Security
Policy, Information Security Policy, Procedures, Guidelines
Information Security Policies,
Procedures, Guidelines
Revised December 2017 Page 2 of 94
TABLE OF CONTENTS
PREFACE ..................................................................................................................................................... 6
INFORMATION SECURITY POLICY...................................................................................................... 7
1.0 INTRODUCTION ............................................................................................................................. 9
1.1 BACKGROUND................................................................................................................................ 9
1.2 POLICY, PROCEDURES, GUIDELINES ...................................................................................... 9
1.3 AUDIENCE ..................................................................................................................................... 10
2.0 INFORMATION .............................................................................................................................. 11
2.1 INFORMATION CONFIDENTIALITY .......................................................................................... 11
2.2 INFORMATION CONTENT .......................................................................................................... 12
2.3 INFORMATION ACCESS ............................................................................................................. 12
2.4 INFORMATION SECURITY ......................................................................................................... 13
2.5 INFORMATION AVAILABILITY ................................................................................................... 13
3.0 SECURITY PROGRAM MANAGEMENT .................................................................................... 14
3.1 CENTRAL SECURITY PROGRAM.............................................................................................. 14
3.2 HOSTING AGENCY SECURITY .................................................................................................. 15
3.3 AGENCY SECURITY .................................................................................................................... 15
3.4 INCIDENT MANAGEMENT .......................................................................................................... 15
3.5 EVENT LOGGING AND MONITORING ...................................................................................... 16
4.0 RISK MANAGEMENT ................................................................................................................ 18
4.1 RISK ASSESSMENT .................................................................................................................. 18
4.2 RISK MITIGATION ........................................................................................................................ 19
5.0 PERSONNEL/USER ISSUES ...................................................................................................... 20
5.1 STAFFING ...................................................................................................................................... 20
5.2 AWARENESS/TRAINING ............................................................................................................. 20
5.3 PERSONAL COMPUTER USAGE .............................................................................................. 21
5.4 EMAIL USAGE ............................................................................................................................... 22
5.5 INTERNET/INTRANET SECURITY ............................................................................................. 23
6.0 HELP DESK MANAGEMENT ....................................................................................................... 26
6.1 SUPPORT CALLS ......................................................................................................................... 26
6.2 PASSWORD RESETS .................................................................................................................. 27
6.3 VOICE MAIL SECURITY .............................................................................................................. 27
7.0 PHYSICAL AND ENVIRONMENTAL SECURITY ...................................................................... 29
7.1 OPERATIONS CENTER .............................................................................................................. 29
7.2 OPERATIONS MONITORING ...................................................................................................... 29
7.3 BACK-UP OF INFORMATION ...................................................................................................... 30
7.4 ACCESS CONTROL ..................................................................................................................... 31
7.5 NETWORK ..................................................................................................................................... 31
7.6 ELECTRONIC COMMERCE SECURITY ................................................................................... 34
7.7 MOBILE COMPUTING .................................................................................................................. 35
7.8 REMOTE COMPUTING ................................................................................................................ 36
7.9 EXTERNAL FACILITIES .............................................................................................................. 37
7.10 ENCRYPTION ............................................................................................................................... 37
8.0 BUSINESS CONTINUITY ............................................................................................................. 39
8.2 DISASTER RECOVERY PLAN .................................................................................................... 43
8.3 BUSINESS RECOVER STRATEGY ............................................................................................ 45
9.0 DATA CENTER MANAGEMENT ................................................................................................. 47
9.1 OPERATING PROCEDURES ...................................................................................................... 47
9.2 OPERATIONAL CHANGE CONTROL ........................................................................................ 47
9.3 SEGREGATION OF DUTIES ....................................................................................................... 48
9.4 SEPARATION OF DEVELOPMENT AND OPERATIONAL FACILITIES ................................ 48
9.5 SYSTEMS PLANNING AND ACCEPTANCE ............................................................................. 49
9.6 CAPACITY PLANNING ................................................................................................................. 50
9.7 SYSTEMS ACCEPTANCE......................................................................................... 50
9.8 OPERATIONS AND FAULT LOGGING ...................................................................................... 51
9.9 MANAGEMENT OF REMOVABLE COMPUTER MEDIA .......................................................... 51
9.10 DISPOSAL OF MEDIA .................................................................................................................. 51
9.11 EXCHANGES OF INFORMATION AND SOFTWARE ............................................................... 52
9.12 PUBLICLY AVAILABLE SYSTEMS ............................................................................................. 52
9.13 USE OF SYSTEM UTILITIES ....................................................................................................... 53
9.14 MONITORING SYSTEMS ACCESS AND USE .......................................................................... 53
9.15 CONTROL OF OPERATIONAL SOFTWARE ............................................................................ 55
9.16 ACCESS CONTROL TO SOURCE LIBRARY ........................................................................... 55
9.17 CHANGE CONTROL PROCEDURES ........................................................................................ 56
9.18 RESTRICTIONS ON CHANGES TO SOFTWARE .................................................................... 56
9.19 INTRUSION DETECTION SYSTEMS (IDS) ............................................................................... 57
9.20 CONTROLS ON MALICIOUS SOFTWARE ................................................................................ 57
9.21 FIREWALLS ................................................................................................................................... 58
9.22 EXTERNAL FACILITIES MANAGEMENT ................................................................................... 58
10.0 LEGAL REQUIREMENTS ............................................................................................................. 60
10.1 SOFTWARE COPYRIGHT ........................................................................................................... 60
10.2 PROTECTION OF INFORMATION ............................................................................................. 60
10.3 PRIVACY OF PERSONAL INFORMATION ............................................................................ 61
11.0 COMPLIANCE WITH SECURITY POLICY ................................................................................. 62
APPENDIX A: GLOSSARY ..................................................................................................................... 63
APPENDIX B: SAMPLE CRISIS TEAM ORGANIZATION ................................................................... 66
APPENDIX C: RESPONSIBILITY GRID ................................................................................................ 67
APPENDIX D: CONTINGENCY PLAN CONSIDERATIONS ............................................................... 69
APPENDIX E: PROCEDURES AND ACCEPTABLE USE ................................................................... 70
APPENDIX E, SECTION 1. COMPUTER (CYBER) INCIDENT REPORTING PROCEDURES ...... 70
NOTIFICATION ........................................................................................................................................ 71
RESPONSE ACTIONS ............................................................................................................................... 71
AGENCY RESPONSIBILITIES..................................................................................................................... 71
INCIDENT REPORTING FORM ................................................................................................................... 73
APPENDIX E, SECTION 2. INCIDENT MANAGEMENT PROCEDURE................................................ 74
OVERVIEW .............................................................................................................................................. 74
INCIDENT RESPONSE TEAM ORGANIZATION ............................................................................................ 75
INCIDENT RESPONSE PROCEDURES ...................................................................................................... 77
APPENDIX E, SECTION 3. MEDIA SANITIZATION PROCEDURES FOR THE DESTRUCTION
OR DISPOSAL OF ELECTRONIC STORAGE MEDIA ......................................................................... 82
INTRODUCTION ................................................................................................................................... 82
POLICY .................................................................................................................................................... 82
PROCEDURES .................................................................................................................................... 82
APPROVED DESTRUCTION OR DISPOSAL METHODS ............................................................... 83
BACKGROUND AND GUIDELINES ........................................................................................................... 85
APPENDIX E SECTION 4. REMOVABLE MEDIA: ACCEPTABLE USE POLICY ........................... 87
SOFTWARE ENCRYPTION ALTERNATIVES (MOBILE COMPUTING AND REMOVABLE MEDIA) ........... 88
HARDWARE ENCRYPTION ALTERNATIVES (USB FLASH DRIVES—OTHERS MAY BE ADDED IF
APPROVED) - CURRENT APPROVED AND VETTED LIST OF DEVICES ................................................... 89
APPENDIX E, SECTION 5. MOBILE COMPUTING DEVICES: ACCEPTABLE USE POLICY ............. 92
PREFACE
The contents of this document include the minimum Information Security Policy, as well as
procedures, guidelines and best practices for the protection of the information assets of the
State of Oklahoma (hereafter referred to as the State). The Policy, as well as the procedures,
guidelines and best practices apply to all state agencies. As such, they apply equally to all
State employees, contractors or any entity that deals with State information.
The Office of Management and Enterprise Services Information Services (OMES IS) will
communicate the Policy, procedures, guidelines and best practices to all state agencies.
In turn, all agencies are required to review the Policy and make all staff members aware
of their responsibility in protecting the information assets of the State. Those agencies that
require additional controls should expand on the content included in this document, but not
compromise the standards set forth.
The Policy and those procedures prefaced by "must" are mandatory as the system involved
will be classified as insecure without adherence. Guidelines and best practices are generally
prefaced with "should" and are considered as mandatory unless limited by functional or
environmental considerations.
It is recognized that some agencies have their own proprietary systems that may not conform
to the Policy, procedures, guidelines and best practices indicated in this document. A plan
for resolution of these system limitations should be created. Any exceptions are to be
documented and be available on request. Other non-system related standards that do not
require system modification should be instituted as soon as possible.
Revisions to this document are maintained collectively in Appendix E: Revisions, which
includes a "Revision Table" describing each addition, change or deletion and the date it was
implemented. All revisions are referenced using this procedure. The original document will
remain intact.
STATE OF OKLAHOMA
INFORMATION SECURITY POLICY
Information is a critical State asset. Information is comparable with other assets in that there
is a cost in obtaining it and a value in using it. However, unlike many other assets, the value
of reliable and accurate information appreciates over time as opposed to depreciating.
Shared information is a powerful tool and loss or misuse can be costly, if not illegal. The
intent of this Security Policy is to protect the information assets of the State.
This Security Policy governs all aspects of hardware, software, communications and
information. It covers all State Agencies as well as contractors or other entities who may
be given permission to log in, view or access State information.
Definitions:
■ Information includes any data or knowledge collected, processed, stored,
managed, transferred or disseminated by any method.
■ The Owner of the information is the State Agency responsible for producing,
collecting and maintaining the authenticity, integrity and accuracy of information.
■ The Hosting State Agency has physical and operational control of the hardware,
software, communications and data bases (files) of the owning Agency. The
Hosting Agency can also be an Owner.
The confidentiality of all information created or hosted by a State Agency is the
responsibility of that State Agency. Disclosure is governed by legislation, regulatory
protections and rules as well as policies and procedures of the owning State Agency. The
highest of ethical standards are required to prevent the inappropriate transfer of sensitive or
confidential information.
All information content is owned by the State Agency responsible for collecting and
maintaining the authenticity, integrity and accuracy of the information. The objective of the
owning State Agency is to protect the information from inadvertent or intentional damage,
unauthorized disclosure or use according to the owning Agency's defined classification
standards and procedural guidelines.
Information access is subject to legal restrictions and to the appropriate approval
processes of the owning State Agency. The owning State Agency is responsible for
maintaining current and accurate access authorities and communicating these in an agreed
upon manner to the security function at the State Agency hosting the information. The
hosting State Agency has the responsibility to adhere to procedures and put into effect all
authorized changes received from the owning State Agencies in a timely manner.
Information security – The State Agency Director, whose Agency collects and maintains
(owns) the information, is responsible for interpreting confidentiality restrictions imposed by
laws and statutes, establishing information classification and approving information access.
The hosting State Agency will staff a security function whose responsibility will be
operational control and timely implementation of access privileges. This will include access
authorization, termination of access privileges, monitoring of usage and audit of incidents. The
State Agencies that access the systems have the responsibility to protect the confidentiality
of information which they use in the course of their assigned duties.
Information availability is the responsibility of the hosting State Agency. Access to
information will be granted as needed to all State Agencies to support their required
processes, functions and timelines. Proven backup and recovery procedures for all data
elements to cover the possible loss or corruption of system information are the
responsibility of the hosting State Agency.
The hosting State Agency is responsible for securing strategic and operational control of its
hardware, software and telecommunication facilities. Included in this mandate is the
implementation of effective safeguards and firewalls to prevent unauthorized access to
system processes and computing / telecommunication operational centers. Recovery plans
are mandatory and will be periodically tested to ensure the continued availability of services
in the event of loss to any of the facilities.
Development, control and communication of Information Security Policy, Procedures and
Guidelines for the State of Oklahoma are the responsibility of OMES IS. This Policy
represents the minimum requirements for information security at all State Agencies. Individual
agency standards for information security may be more specific than these state-wide
requirements but shall in no case be less than the minimum requirements.
1.0 INTRODUCTION
1. This document states the Policy and outlines procedures, guidelines and best
practices required for creating and maintaining a secure environment for the
storage and dissemination of information.
2. It is critical that all agencies and their staff are fully aware of the Policy, procedures,
guidelines and best practices and commit to protecting the information of the
State. Common sense and high ethical standards are required to complement the
security guidelines.
3. The Policy, procedures, guidelines and best practices outlined represent the
minimum security levels required and must be used as a guide in developing a
detailed security plan and additional policies (if required).
1.1 BACKGROUND
1. The information Policy, procedures, guidelines and best practices apply to all
agencies and are inclusive of their hardware facilities, software installations,
communication networks / facilities as well as information.
1.2 POLICY, PROCEDURES, GUIDELINES
1. OMES IS has, among other responsibilities, the mandate to establish minimum
mandatory standards for information security and internal controls as well as
contingency planning and disaster recovery (reference: Oklahoma Statute,
Title 62. Section 34.12(A)(3) Duties of Information Services).
2. In reference to the responsibilities stated above, the Statute reads as follows:
"Such standards shall, upon adoption, be the minimum requirements applicable
to all agencies. These standards shall be compatible with the standards
established for the Oklahoma Government Telecommunications Network.
Individual agency standards may be more specific than statewide
requirements but shall in no case be less than the minimum mandatory
standards. Where standards required of an individual agency of the state by
agencies of the federal government are stricter than the state minimum
standards, such federal requirements shall be applicable."
1.3 AUDIENCE
1. The Policy, procedures, guidelines and best practices are for distribution to all
State agencies through their respective Security Representative who will then be
responsible for communicating the details to State employees as well as
contractors or other entities whose position responsibilities include the creation,
maintenance, or access of State information residing on any computer system
or platform. Appendix C assigns the primary responsibility of the procedures,
guidelines and best practices to the User, Owning Agency, or Hosting Agency.
2.0 INFORMATION
1. Management of information requires a working set of procedures, guidelines and
best practices that provide guidance and direction with regards to security. The
primary focus is on the confidentiality and integrity of the information required for
delivering information throughout the State.
2.1 INFORMATION CONFIDENTIALITY
1. The overriding premise is that all information hosted or created by a State Agency
is property of the State. As such, this information will be used solely for
performance of position related duties. Any transfers or disclosures are governed
by this rule.
2. The confidentiality of all information created or hosted by a State Agency is the
responsibility of all State Agencies. Disclosure is governed by legislation,
regulatory protections, rules as well as policies and procedures of the State and
of the owning State Agency. The highest of ethical standards are required
to prevent the inappropriate transfer of sensitive or confidential information.
3. Release of information is strictly for job related functions. Confidentiality is
compromised when, knowingly or inadvertently, information crosses the
boundaries of job related activities.
4. Users must be required to follow good security practices in the selection and use
of passwords. Passwords provide a means of validating a user's identity and
thereby establish access rights to information processing facilities or services. All
agency staff must be advised to:
(A) keep passwords confidential,
(B) avoid keeping a paper record of passwords, unless this can be stored
securely,
(C) change passwords whenever there is any indication of possible
system or password compromise,
(D) select quality passwords with a minimum length of eight characters which
are:
(i) easy to remember,
(ii) not based on anything somebody else could easily guess or obtain
using person related information, e.g. names, telephone numbers and
dates of birth etc.,
(iii) free of consecutive identical characters or all-numeric or all-
alphabetical groups,
(E) change passwords at regular intervals (passwords for privileged accounts
should be changed more frequently than normal passwords),
(F) avoid reusing or cycling old passwords,
(G) change temporary passwords at the first log-on,
(H) not include passwords in any automated log-on process, e.g. stored in a
macro or function key, and
(I) not share individual user passwords.
2.2 INFORMATION CONTENT
1. All information content hosted by a state agency is owned by and is the primary
responsibility of the Agency responsible for collecting and maintaining the
authenticity, integrity and accuracy of information. The objective of the owning
State Agency is to protect the information from inadvertent or intentional damage
as well as unauthorized disclosure or use according to the classification standards
and procedural guidelines of the owning State Agency.
2. The following procedures must be followed by all State Agencies:
(A) All information content must reflect the actual state of affairs of the
respective Agency.
(B) Changes in the status of personnel who have system access are entered
in the system immediately and the appropriate authorization / change form
sent to the hosting agency's Security Administration.
(C) In the event of a dismissal, the respective Agency is to call and notify the
hosting agency's Security Administration immediately.
2.3 INFORMATION ACCESS
1. Information access is subject to legal restrictions and to the appropriate
approval processes of the owning State Agency. The owning State Agency is
responsible for maintaining current and accurate access authorities and
communicating these in an agreed upon manner to the security function at the
State Agency hosting the information.
2. All agencies must designate a security representative whose role includes:
(A) communicating the information security Policy to all their respective
agency's employees,
(B) communicating the appropriate procedures, guidelines and best practices
to the responsible user, owner, or people directly responsible for hosting
activities as indicated in Attachment C,
(C) granting, on behalf of their agency, user access to system functions, and
(D) reporting all deviations to the Policy, procedures, guidelines and best
practices.
3. Procedures for the Security Administration function at the Hosting Agency are:
(A) Confirm set up to the Agency Director and the individual concerned via
email when the set-up is complete for the role of Security Representative.
(B) Confirm set up to the Security Representative and the individual concerned
when the set-up is complete for the use roles assigned. The email
confirmation will include access rights assigned in the system.
(C) A daily report will be run by the hosting agency to list terminations.
Security Administration at the hosting agency will lock the access privileges
at the end of day on the effective date. This does not preclude the
responsibility of all agencies to notify the hosting agency of terminations
using agreed upon formal notice or by the phone and/or email in the case of
dismissals.
(D) The hosting agency will run a weekly report of transfers and follow up with
the agencies concerned if a change notification is not received.
(E) Users not using the system for 60 days will be automatically
deactivated. Security Administration at the hosting agency will notify
the respective user agency and will require an email or new activation form
from the user agency's security representative to reactivate the individual.
4. The hosting State Agency has the responsibility to adhere to procedures and put
into effect all authorized changes received from the owning State Agencies in a
timely manner.
2.4 INFORMATION SECURITY
1. The State Agency Director whose Agency collects and maintains (owns) the
information is responsible for interpreting all confidentiality restrictions imposed by
laws and statutes as well as establishing information classification and approving
information access. The hosting State Agency will staff a Security Administration
function whose responsibility will be operational control and timely implementation
of access privileges.
2. System limitations may prevent some of the following procedures from being
implemented; however, when possible, these rules apply:
(A) Passwords will be required to be a minimum of 8 characters long,
containing at least one (1) numeric character.
(B) Passwords will expire in a maximum of 90 days.
(C) Passwords will be deactivated if not used for a period of 60 days.
(D) Passwords for a given user should not be reused in a 12 month period.
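The composition rules of 2.1(4)(D), the 60-day idle deactivation of 2.3(3)(E) and the expiry and reuse rules of 2.4(2), written as a check routine a hosting agency's Security Administration could run against its account records. This is an added example, not code from the policy or from OMES IS; the function names, the Account and PasswordRecord types and the sample values are assumptions made here.

```python
"""Password and account checks for sections 2.1(4)(D), 2.3(3)(E) and 2.4(2).
Added example; not part of the State of Oklahoma policy document."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import hashlib

MIN_LENGTH = 8              # 2.1(4)(D) and 2.4(2)(A): at least eight characters
MAX_AGE_DAYS = 90           # 2.4(2)(B): passwords expire in a maximum of 90 days
IDLE_DEACTIVATE_DAYS = 60   # 2.3(3)(E) and 2.4(2)(C): deactivated after 60 days unused
REUSE_WINDOW_DAYS = 365     # 2.4(2)(D): no reuse within a 12 month period


def password_problems(candidate: str, person_related: tuple = ()) -> list:
    """Return the composition rules the candidate violates (empty list = acceptable).
    person_related holds strings a password must not be based on (names, phone
    numbers, dates of birth), as 2.1(4)(D)(ii) requires."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no numeric character")
    if candidate.isdigit() or candidate.isalpha():
        problems.append("all-numeric or all-alphabetic")
    if any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("consecutive identical characters")
    lowered = candidate.lower()
    for item in person_related:
        if item and item.lower() in lowered:
            problems.append("contains person-related information: " + item)
    return problems


@dataclass
class PasswordRecord:
    digest: str                         # hash kept only to detect reuse
    set_on: date
    retired_on: Optional[date] = None   # None while this is the current password


@dataclass
class Account:
    user: str
    last_login: date
    active: bool = True
    history: list = field(default_factory=list)   # PasswordRecord entries

    def current(self) -> Optional[PasswordRecord]:
        return next((r for r in self.history if r.retired_on is None), None)


def password_digest(password: str) -> str:
    # Constructed simplification: a real credential store keeps salted, slow
    # password hashes; plain SHA-256 is only enough for this reuse check.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def account_status(acct: Account, today: date) -> str:
    """Classify an account against the 60-day idle rule and the 90-day expiry."""
    if not acct.active:
        return "deactivated"
    if (today - acct.last_login).days >= IDLE_DEACTIVATE_DAYS:
        return "deactivate: no use for 60 days (2.4(2)(C))"
    cur = acct.current()
    if cur is None or (today - cur.set_on).days >= MAX_AGE_DAYS:
        return "expired: password change required (2.4(2)(B))"
    return "ok"


def change_password(acct: Account, new_password: str, today: date,
                    person_related: tuple = ()) -> list:
    """Enforce composition plus the 12-month reuse rule; record the change on success.
    Returns the list of violations; an empty list means the password was accepted."""
    problems = password_problems(new_password, person_related)
    digest = password_digest(new_password)
    cutoff = today - timedelta(days=REUSE_WINDOW_DAYS)
    for rec in acct.history:
        # A password counts as used until the day it was retired.
        in_use_until = rec.retired_on or today
        if rec.digest == digest and in_use_until >= cutoff:
            problems.append("reused within a 12 month period (2.4(2)(D))")
            break
    if problems:
        return problems
    cur = acct.current()
    if cur is not None:
        cur.retired_on = today
    acct.history.append(PasswordRecord(digest, today))
    return []


if __name__ == "__main__":
    # Constructed sample: a password set 100 days ago must be replaced, and the
    # same password is refused when offered again.
    today = date(2017, 12, 15)
    acct = Account("jdoe", last_login=today - timedelta(days=3))
    change_password(acct, "Sprn9Brk17", today - timedelta(days=100))
    print(account_status(acct, today))
    print(change_password(acct, "Sprn9Brk17", today))
    print(change_password(acct, "Autumn17leaf", today), account_status(acct, today))
```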
3. The State Agencies that access the systems have the responsibility to protect the
confidentiality of information which they use in the course of their assigned duties.
2.5 INFORMATION AVAILABILITY
1. Information availability is the responsibility of the hosting State Agency. Access
to information will be granted as needed to all State Agencies to support their
required processes, functions and timelines. Proven backup and recovery
procedures for all information elements to cover the possible loss or corruption of
system data are the responsibility of the hosting State Agency.
2. Required availability will vary with normal cycles of use (i.e. information is used
constantly throughout the day, is only periodically accessed during the evening
by a backup process, and becomes archival after the backup is complete). The
following asset availability definitions should include a statement detailing over
what time period the definition is accurate for (i.e. Constant during business
hours, archival after year-end, etc.):
Availability   Frequency of Use                                 Loss / Absence Impact
Constant       Accessed at all times                            Immediate cessation of supported business
                                                                functions
Regular        Accessed intermittently by 1 individual but      Interruption or degradation, but not
               constantly by all users as a group (i.e. email)  cessation, of supported business functions
Periodic       Accessed intermittently, or on a schedule        Delay of supported business functions
               (i.e. year-end records)
Archival       Not normally accessible                          Disruption of business support objectives
3. The hosting State Agency will be responsible for:
(A) publishing a Service Level Agreement for all users of the system
including response time, hours of availability and all other services
contracted,
(B) ensuring all backups are current, secure and accessible,
(C) ensuring information facilities and data can be recovered, and
(D) ensuring adequate technical support for systems, data base access
and operating systems.
3.0 SECURITY PROGRAM MANAGEMENT
1. Managing information security within the State can be layered into three
components:
2. Central organization (OMES IS) is responsible for direction and leadership in
all aspects of information security.
3. Agencies that host data services are responsible for creating system specific
policies and guidelines to complement, but not contradict those issued by the
central organization.
4. All agencies are required to develop procedures specific to their information and
process flows to protect the integrity of information and guard against misuse or
loss. This includes, but is not limited to, computer-based information systems.
3.1 CENTRAL SECURITY PROGRAM
1. With regard to information services, OMES IS will develop, maintain and
communicate policies and guidelines for the protection of information assets
including but not limited to hardware, software, information and communications.
The Policy, Procedures, Guidelines and Best Practices are mandatory for all
agencies and represent the minimum standards that all agencies will adopt.
2. Minimum standards will be issued for:
(A) systems planning,
(B) systems development methodology,
(C) documentation,
(D) hardware requirements and compatibility,
(E) operating systems compatibility,
(F) software and hardware acquisition,
(G) information security and internal controls,
(H) data base compatibility, and
(I) contingency planning and disaster recovery.
3.2 HOSTING AGENCY SECURITY
1. Within the boundaries established by the minimum mandatory standards issued by
OMES IS, agencies hosting information and systems for their own use or for
the use of other agencies will further develop, maintain and communicate
policies and guidelines for the protection of information assets including but not
limited to hardware, software, information and communications.
2. All hosting agencies will:
(A) follow a systems development methodology,
(B) create and maintain adequate documentation,
(C) develop hardware requirements and compatibility for review by the
Office of State Finance,
(D) ensure operating systems compatibility,
(E) expand and apply information security and internal controls,
(F) ensure data base compatibility, and
(G) develop and test contingency planning and disaster recovery.
3.3 AGENCY SECURITY
1. All agencies have the responsibility of protecting their information assets
from disclosure, loss or misuse. As such all agencies are required to adhere to
and have documented procedures for:
(A) security of information flow within their area of control,
(B) information retention,
(C) information disposal (including shredding and deletion of electronic
information), and
(D) communication of the information security Policy, procedures, guidelines and
best practices, and monitoring adherence to policies.
3.4 INCIDENT MANAGEMENT
1. Incident management responsibilities and procedures must be established by
the hosting agency to ensure a quick, effective and orderly response to security
incidents. Procedures must be established to cover all potential types of
security incidents, including:
(A) information system failures and loss of service,
(B) denial of service,
(C) errors resulting from incomplete or inaccurate business information, and
(D) breaches of confidentiality.
2. In addition to normal contingency plans (designed to recover systems or services
as quickly as possible), the procedures must also cover:
(A) analysis and identification of the cause of the incident,
(B) planning and implementation of remedies to prevent recurrence, if
necessary,
(C) collection of audit trails and similar evidence,
(D) communication with those affected by or involved with recovery from the
incident, and
(E) reporting the action to the security administration function at the hosting
agency.
3. Audit trails and similar evidence must be collected and secured as appropriate,
for:
(A) internal problem analysis,
(B) use as evidence in relation to a potential breach of contracts,
policies, or regulatory requirements,
(C) use in the event of civil or criminal proceedings, e.g. under computer
misuse or information protection legislation, and
(D) use in negotiating for compensation from software and service suppliers.
4. Action to recover from security breaches and correct system failures should be
carefully and formally controlled. The procedures must ensure that:
(A) only clearly identified and authorized staff are allowed access to live
systems and information,
(B) all emergency actions taken are documented in detail,
(C) emergency action is reported to management and reviewed in an
orderly manner, and
(D) the integrity of business systems and controls is confirmed with minimal
delay.
3.5 EVENT LOGGING AND MONITORING
1. Audit logs recording exceptions and other security-relevant events must be
produced and kept for an agreed period to assist in future investigations and
access control monitoring. Audit logs should include:
(A) user IDs,
(B) dates and times for log-on and log-off,
(C) terminal identity or location if possible,
(D) records of successful and rejected system access attempts, and
(E) records of successful and rejected data and other resource access
attempts.
2. Certain audit logs may be required to be archived as part of the record retention
procedures or because of requirements to collect evidence.
3. Procedures for monitoring use of information processing facilities must be
established and the result of the monitoring activities reviewed regularly. Such
procedures are necessary to ensure that users are only performing activities that
have been explicitly authorized. The level of monitoring required for individual
facilities should be determined by a risk assessment. Areas that should be
considered include:
(A) Authorized access, including detail such as:
(i) the user ID,
(ii) the date and time of key events,
(iii) the types of events,
(iv) the files accessed, and
(v) the program/utilities used.
(B) All privileged operations, such as:
(i) use of supervisor account,
(ii) system start-up and stop, and
(iii) I/O device attachment/detachment.
(C) Unauthorized access attempts, such as:
(i) failed attempts,
(ii) access procedure violations and notifications for network gateways
and firewalls, and
(iii) alerts from proprietary intrusion detection systems.
(D) System alerts or failures such as:
(i) console alerts or messages,
(ii) system log exceptions, and
(iii) network management alarms.
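An added example (not part of this policy) of reviewing audit records for the areas listed in item 3 above: the record layout, the sample log lines, the list of privileged account names and the failed log-on threshold are all constructed for illustration, and the detection covers privileged operations (B), rejected access attempts (C) and log-on/log-off pairing (1)(B).

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed record layout for this example (not a real product's log format).
# It carries the fields 3.5(1) asks for: date/time, user ID, terminal, the event
# (log-on, log-off, resource access) and whether it succeeded or was rejected.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) term=(?P<term>\S+) "
    r"event=(?P<event>LOGON|LOGOFF|ACCESS) result=(?P<result>SUCCESS|REJECTED)"
    r"(?: resource=(?P<resource>\S+))?$"
)

# Constructed sample audit lines.
SAMPLE_LOG = """\
2017-12-04T08:01:12 user=jdoe term=T101 event=LOGON result=SUCCESS
2017-12-04T08:05:40 user=jdoe term=T101 event=ACCESS result=SUCCESS resource=/payroll/q4.xls
2017-12-04T08:07:03 user=jdoe term=T101 event=ACCESS result=REJECTED resource=/hr/salaries.db
2017-12-04T08:09:55 user=bsmith term=T204 event=LOGON result=REJECTED
2017-12-04T08:10:07 user=bsmith term=T204 event=LOGON result=REJECTED
2017-12-04T08:10:21 user=bsmith term=T204 event=LOGON result=REJECTED
2017-12-04T08:10:40 user=bsmith term=T204 event=LOGON result=REJECTED
2017-12-04T08:30:00 user=supervisor term=CONSOLE event=LOGON result=SUCCESS
2017-12-04T08:31:15 user=supervisor term=CONSOLE event=ACCESS result=SUCCESS resource=/system/config
2017-12-04T17:02:09 user=jdoe term=T101 event=LOGOFF result=SUCCESS
"""

PRIVILEGED_USERS = {"supervisor", "root", "admin"}  # assumed privileged account names
FAILED_LOGON_THRESHOLD = 3  # assumed; 3.5(3) leaves the level to a risk assessment


@dataclass
class AuditRecord:
    ts: str
    user: str
    term: str
    event: str
    result: str
    resource: Optional[str]


def parse_log(text: str) -> List[AuditRecord]:
    """Parse audit lines. An unparseable line raises rather than being skipped,
    because a gap in the audit trail is itself something the reviewer must see."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable audit record: {line!r}")
        records.append(AuditRecord(**m.groupdict()))
    return records


def review(records: List[AuditRecord]) -> Dict[str, List[str]]:
    """Flag 3.5(3)(B) privileged operations and 3.5(3)(C) unauthorized access
    attempts. Findings are returned keyed by monitoring area."""
    findings: Dict[str, List[str]] = defaultdict(list)
    failed_logons: Counter = Counter()
    for r in records:
        where = f"from {r.term}" + (f" on {r.resource}" if r.resource else "")
        if r.user in PRIVILEGED_USERS:
            findings["privileged_operations"].append(
                f"{r.ts} {r.user} {r.event} {r.result} {where}")
        if r.result == "REJECTED":
            if r.event == "LOGON":
                failed_logons[r.user] += 1  # reported once, if over threshold
            else:
                findings["unauthorized_access_attempts"].append(
                    f"{r.ts} {r.user} rejected {r.event} {where}")
    for user, n in failed_logons.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings["unauthorized_access_attempts"].append(
                f"{user}: {n} rejected logons (threshold {FAILED_LOGON_THRESHOLD})")
    return dict(findings)


def sessions(records: List[AuditRecord]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Pair successful log-ons with log-offs per user and terminal (3.5(1)(B)).
    A session with no log-off is returned with None so it stays visible."""
    open_sessions: Dict[Tuple[str, str], str] = {}
    result = []
    for r in records:
        key = (r.user, r.term)
        if r.event == "LOGON" and r.result == "SUCCESS":
            open_sessions[key] = r.ts
        elif r.event == "LOGOFF" and key in open_sessions:
            result.append((r.user, r.term, open_sessions.pop(key), r.ts))
    for (user, term), ts in open_sessions.items():
        result.append((user, term, ts, None))
    return result
```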
4.0 RISK MANAGEMENT
1. Risk management encompasses risk assessment, risk mitigation as well as
evaluation and assessment. The risk assessment process includes
identification and evaluation of risks and risk impacts and recommendation
of risk-reducing measures. Risk mitigation refers to prioritizing,
implementing and maintaining the appropriate risk-reducing measures
recommended from the risk assessment process. Through a continual
evaluation process, the hosting agency is responsible for determining
whether the remaining risk is at an acceptable level or whether additional
security controls should be implemented to further reduce or eliminate the
residual risk.
4.1 RISK ASSESSMENT
1. The hosting agency will be responsible for determining the likelihood of
an adverse event, the threats to system resources, the vulnerability of the
system and the impact such an adverse event may have.
2. To determine the likelihood of an adverse event, consider:
(A) Motivation
(B) Nature of the vulnerability
(C) Current controls
3. A threat requires, and cannot exist without, a vulnerability. A vulnerability is a
weakness that can be intentionally or accidentally triggered. Threats can come
from many sources, including:
(A) System Intruders (hackers)
(B) Criminals
(C) Terrorists
(D) Espionage
(E) Insiders, whether malicious or poorly trained
4. In identifying the vulnerabilities, consideration must be given to:
(A) Hardware
(B) Software
(C) Network
(D) System Interfaces
(E) Data and information
(F) People who support and use the system
(G) Information sensitivity
5. The impact of an adverse event is the:
(A) Loss of Integrity
(B) Loss of Availability
(C) Loss of Confidentiality
4.2 RISK MITIGATION
1. All hosting agencies are responsible for reducing risk to all information assets.
The following are the options available when analyzing the alternatives:
(A) Risk Assumption. To accept the potential risk and continue operating
the IT system or to implement controls to lower the risk to an acceptable
level.
(B) Risk Avoidance. To avoid the risk by eliminating the risk cause and/or
consequence (e.g., forgo certain functions of the system or shut down the
system when risks are identified).
(C) Risk Limitation. To limit the risk by implementing controls that
minimize the adverse impact of a threat exercising a vulnerability (e.g.,
use of supporting, preventive and detective controls).
(D) Risk Planning. To manage risk by developing a risk mitigation plan
that prioritizes, implements and maintains controls.
(E) Research and Acknowledgment. To lower the risk of loss by
acknowledging the vulnerability or flaw and researching controls to correct
the vulnerability.
(F) Risk Transference. To transfer the risk by using other options to
compensate for the loss, such as purchasing insurance.
5.0 PERSONNEL/USER ISSUES
1. Personnel awareness of the information security Policy, procedures, guidelines and
best practices is the responsibility of all agencies. Adherence to the Policy,
procedures, guidelines and best practices is the responsibility of all state agencies
on behalf of their employees.
2. Information security must be adopted at all levels as a "norm" of job performance.
Information systems and data are vulnerable. With constant reinforcement and
monitoring, individuals will accept their responsibility to protect the information
assets of the State and relate their performance in this area to their standards of
performance.
3. The IT staff must be alert and trained in offensive and defensive methods to protect
the State information assets. Adequate staffing and key position backup are
essential to run and maintain a secure environment.
5.1 STAFFING
1. Adequate staffing, training and backup are the responsibility of all hosting
agencies. Each agency will be responsible for:
(A) ensuring qualifications meet position requirements,
(B) identifying roles that will impact operations when not filled, i.e. if the
incumbent leaves or cannot perform the function,
(C) ensuring training is in place to keep key individuals current with the
technology available in the marketplace (this is particularly important
with regards to the Internet and data base controls), and
(D) documenting contingency plans if critical functions are not available.
5.2 AWARENESS/TRAINING
1. Awareness is not training. The purpose of awareness presentations is simply to
focus attention on security; they are intended to allow individuals to recognize IT
security concerns and respond accordingly. Awareness relies on reaching broad
audiences, whereas training is more formal, having the goal of building
knowledge and skills to facilitate job performance.
2. Effective IT security awareness presentations must be designed. Awareness
presentations must be on-going, creative and motivational, with the objective of
focusing attention so that the learning will be incorporated into conscious decision-
making.
3. The OMES IS will be responsible for:
(A) communicating the minimum standards for all related policies and
procedures,
(B) providing recommendations for best practices in selected areas
related to information security, and
(C) providing all necessary information for the development of an awareness
program by the agencies.
4. All state agencies will:
(A) create and present security awareness sessions for their staff members,
and
(B) ensure all staff members have attended an awareness session.
5. All current employees, and all new employees or contractors when hired, who have
access to any information assets must be briefed by the hiring or contracting
agency as follows:
(A) the access requirements of their position or contract,
(B) their responsibilities for safeguarding sensitive information and assets,
(C) all information security policies, procedures, guidelines and best practices,
and
(D) a written document outlining the contents of the briefing and the date,
which should be signed by the individual briefed acknowledging receipt of
its contents.
5.3 PERSONAL COMPUTER USAGE
1. The agency computers of the State are provided for job related activities. To this
end, the hosting agency provides support in networking and information resources
for its computing community.
2. All users are given access to computers for job related duties and this usage
must remain in compliance with State and agency policies as well as all state
and federal laws governing usage and communication of information. Failure to
comply will result in the denial of access privileges and may for employees lead to
disciplinary action up to and including dismissal. For contractors, it may lead
to the cancellation of the contractual agreement. Litigation may ensue.
3. In order to protect the integrity of the statewide network and its systems, any
proof of unauthorized or illegal use of any agency computer and/or its accounts
will warrant immediate access to those files, accounts and/or systems by the
hosting agency's security and information systems staff, and appropriate action will
be taken.
4. Information Security Policy for computer usage prohibits the use of its resources
to:
(A) Send email using someone else's identity (Email forgery).
(B) Take any action that knowingly will interfere with the normal operation
of the network, its systems, peripherals and/or access to external networks.
(C) Install any system or software on the network without prior approval.
(D) Install any software systems or hardware that will knowingly install a virus,
Trojan horse, worm or any other known or unknown destructive mechanism.
(E) Attempt IP spoofing.
(F) Attempt the unauthorized downloading, posting or dissemination of
copyrighted materials.
(G) Attempt any unauthorized downloading of software from the Internet.
(H) Transmit personal comments or statements in a manner that may be
mistaken as the position of the State.
(I) Access, create, transmit (send or receive), print or download material
that is discriminatory, derogatory, defamatory, obscene, sexually explicit,
offensive or harassing based on gender, race, religion, national
origin, ancestry, age, disability, medical condition, sexual orientation or
any other status protected by state and federal laws.
5. Furthermore, it is the State's position that all messages sent and received,
including personal messages and all information stored on the agency's electronic
mail system, voicemail system or computer systems are State property regardless
of the content. As such, the hosting agency reserves the right to access, inspect
and monitor the usage of all of its technology resources including any files or
messages stored on those resources at any time, in its sole discretion, in order
to determine compliance with its policies, for purposes of legal proceedings, to
investigate misconduct, to locate information or for any other business purpose.
5.4 EMAIL USAGE
1. Electronic mail (email) is a highly efficient form of modern communication.
Used appropriately, email provides people with a means to communicate, thereby
facilitating business contact. However, this convenience also tempts users to
experiment with or take advantage of the medium, resulting in unwelcome types of
email (known collectively, along with other unwelcome activity, as Net Abuse). The
improper use of email technology may jeopardize system integrity, security
and service levels. Access to email is provided to users to assist them in performing
their work, and their use of email must not jeopardize operation of the system or
the reputation and/or integrity of the State.
2. Email accounts are made available to all agency staff who require the service for
the performance of job related functions. The following statements apply:
(A) All email and associated system resources are the property of the State.
Email is subject to the same restrictions on its use and the same review
process as is any other government furnished resource provided for the use
of employees. Its use and content may be monitored.
(B) Email usage must be able to withstand public scrutiny. Users must comply
with all applicable legislation, regulations, policies and standards. This
includes complying with copyright and license provisions with respect to
both programs and data.
(C) While email is provided as a business tool to users, its reasonable,
incidental use for personal purposes is acceptable. This use must not,
however, detrimentally affect employee productivity, disrupt the system
and/or harm the government's reputation.
3. Users may not:
(A) use email for commercial solicitation or for conducting or pursuing their
own business interests or those of another organization,
(B) use email to distribute hoaxes, chain letters or advertisements and/or
send rude, obscene, threatening or harassing messages,
(C) use email to distribute pornographic material or hate literature,
(D) use email to harass other staff members,
(E) use email to send executable programs or games,
(F) use email to send potentially offensive material, and
(G) propagate viruses knowingly or maliciously.
4. Users must not send, forward and/or reply to large distribution lists concerning
non-government business. In addition, users must consider the impact on the
network when creating and using large, work-related distribution lists.
5. Email is a record and therefore management of email must comply with existing
legislation, regulations, policies and standards.
6. Alleged inappropriate use of the email technology will be reviewed by the agency
involved as well as the hosting agency on a case by case basis and may lead to
disciplinary action up to and including dismissal. In respect to contractors, it may
lead to cancellation of the contractual arrangement. In any of the cases, it may
lead to litigation.
5.5 INTERNET/INTRANET SECURITY
1. The World Wide Web (WWW) is a system for exchanging information over the
Internet. An Intranet is a proprietary network that is specific to an entity, such as
the State.
2. At the most basic level, the Web can be divided into two principal components:
Web servers, which are applications that make information available over the
Internet (in essence, publish information), and Web browsers (clients), which are
used to access and display the information stored on the Web servers. The Web
server is the most targeted and attacked host on most organizations' networks. As
a result, it is essential to secure Web servers and the network infrastructure that
supports them.
3. The specific security threats to Web servers generally fall into one of the following
categories:
(A) Malicious entities may exploit software bugs in the Web server,
underlying operating system or active content to gain unauthorized
access to the Web server. Examples of unauthorized access are gaining
access to files or folders that were not meant to be publicly accessible or
executing privileged commands and/or installing software on the Web
server.
(B) Denial of Service attacks may be directed to the Web server denying valid
users an ability to use the Web server for the duration of the attack.
(C) Sensitive information on the Web server may be distributed to
unauthorized individuals.
(D) Sensitive information that is not encrypted when transmitted between the
Web server and the browser may be intercepted.
(E) Information on the Web server may be changed for malicious purposes.
Web site defacement is a commonly reported example of this threat.
(F) Malicious entities may gain unauthorized access to resources elsewhere
in the organization's computer network via a successful attack on the Web
server.
(G) Malicious entities may attack external organizations from a compromised
Web server, concealing their actual identities and perhaps making the
organization from which the attack was launched liable for damages.
(H) The server may be used as a distribution point for illegally copied software,
attack tools or pornography, perhaps making the organization liable for
damages.
4. The hosting agency is responsible for the Web server. Some examples of controls
to protect from unauthorized access or modification are:
(A) install or enable only necessary services,
(B) install Web content on a dedicated hard drive or logical partition,
(C) limit uploads to directories that are not readable by the Web server,
(D) define a single directory for all external scripts or programs executed as
part of Web content,
(E) disable the use of hard or symbolic links,
(F) define a complete Web content access matrix that identifies which folders
and files within the Web server document directory are restricted and
which are accessible (and by whom), and
(G) use host-based intrusion detection systems and/or file integrity
checkers to detect intrusions and verify Web content.
5. Maintaining a secure Web server is the responsibility of the hosting agency and
involves the following steps:
(A) configuring, protecting and analyzing log files,
(B) backing up critical information frequently,
(C) maintaining a protected authoritative copy of the organization's Web
content,
(D) establishing and following procedures for recovering from compromise,
(E) testing and applying patches in a timely manner, and
(F) testing security periodically.
6. A firewall environment must be employed to perform the following general
functions:
(A) filter packets and protocols,
(B) perform inspection of connections,
(C) perform proxy operations or selected applications,
(D) monitor traffic allowed or denied by the firewall, and
(E) provide authentication to users using a form of authentication that does not
rely on static, reusable passwords that can be sniffed.
7. The hosting agency responsible for Internet security will:
(A) Keep operational systems and applications software up to date.
Because software systems are so complex, it is common for security-
related problems to be discovered only after the software has been in
widespread use. Although most vendors try to address known security
flaws in a timely manner, there is normally a gap between the time the
problem becomes publicly known, the time the vendor requires to prepare
corrections and the time the update is installed. This gap gives potential
intruders an opportunity to take advantage of the flaw and mount an attack
on computers and networks. To keep this time interval as short as
possible, the hosting agency must stay aware of:
(i) announcements of security-related problems that may apply,
(ii) immediate actions to reduce exposure to the vulnerability, such as
disabling the affected software and
(iii) permanent fixes from vendors.
(B) Offer only essential network services and operating system services on the host
server.
(i) Ensure that only the required set of services and applications are
installed on the host server. Either do not install unnecessary
services or turn the services off and remove the corresponding
files (and any other unnecessary files) from the host.
(C) Configure computers for file backup.
(D) Protect computers from viruses and programmed threats.
(E) Allow only appropriate physical access to computers.
(F) Design, implement and monitor an effective firewall system.
6.0 HELP DESK MANAGEMENT
1. A world class Help Desk is characterized by responsiveness, knowledge, feedback
and improvement. The speed at which issues are resolved, the number of requests
handled by the first level in support, the follow-up with the user community on
status, security and the monitoring of performance with the goal of continuous
improvement are the characteristics that separate a progressive, secure, mission
critical operation from the ordinary, reactive operation.
2. The mandate of the help desk function should include:
(A) Adherence to all policies and procedures as published.
(B) Recommendation of new and/or changes to policies and procedures.
(C) Ownership of all the calls until reassigned or routed.
(D) Performance of all front line tasks such as password resets, printer resets,
etc.
(E) Routing of system or technical queries to the knowledge expert responsible.
(F) Reporting on and monitoring calls.
(G) Reporting and escalation of all incidents of suspicious activity or
violations of security.
3. The following is a list of suggested reports for managing the Help Desk.
(A) Incident Report - Content: all known information, status.
Schedule: Immediately. Distribution: Security Administration at
hosting Agency.
(B) Call Activity - Content: calls by type, agency, severity and average
resolution time. Schedule: Monthly. Distribution: Management.
(C) Open Calls - Content: calls by user agency, severity, ranked by oldest
time open. Schedule: Weekly. Distribution: Help Desk,
Knowledge Experts.
(D) Daily Activity - Content: calls received by time of day. Schedule:
Daily. Distribution: Help Desk.
(E) Repeat Calls - Content: number of calls ranked by user (over 3) showing
Agency, type. Schedule: Monthly. Distribution: Knowledge Expert and
Director of the agency generating the calls.
6.1 SUPPORT CALLS
1. Call handling and routing is the responsibility of the hosting agency's help desk
function. This function should present a standard front to all users of their services
including telephone calls, emails and voice mails. Information on all calls will be
logged and violations in security or suspicious activity will be reported
immediately to the appropriate designated authority. The help desk function will
verify the identity of the caller by:
(A) Obtaining their name.
(B) Verifying a question and answer submitted on a Systems Access
Authorization Request.
(C) Requesting additional information, such as:
(i) User ID (interchangeable with Log-on ID)
(ii) Agency
(iii) Phone number
6.2 PASSWORD RESETS
1. Password resets are the responsibility of the hosting state agency's help desk
function. Identities of requestors will be verified by the help desk, logged and
confirmed back to the user at the respective State Agency.
2. It is the responsibility of the requestor from all State Agencies, in requesting a
password reset, to confirm their identity. This may be accomplished by:
(A) Providing their name.
(B) Answering a unique question and answer submitted at sign-up (such as
place of birth, mother's maiden name, etc.).
(C) Providing additional information as may be requested, such as:
(i) Agency
(ii) Phone number
3. The responsibility of the host agency's Help Desk is to:
(A) Confirm the identity of the requestor.
(B) Report all suspicious activity to the Security Administrator
immediately. Discrepancies in answers, inability to provide the correct
User ID, frequent requests for changes to the same User ID, or
obvious password sharing constitute security breaches and will be
reported.
(C) Reset the password.
(D) Log details of the call.
(E) Confirm the password reset to the user registered to the User ID via email.
(F) Report activity monthly to each State Agency involved.
6.3 VOICE MAIL SECURITY
1. The voice mail feature of many PBXs can be a particularly vulnerable feature. This
is because voice mail is typically used to let someone store voice messages at a
central location by calling in from any inside or outside line and then retrieve the
messages from any inside or outside line. It also grants the general public access
to the PBX system.
2. In retrieving messages, the target extension and a password are usually required to
gain access to the messages. Since the target extension is usually easy to
determine, the only significant restriction to an adversary is the password.
Once an adversary determines a target user's password all messages left for the
target user are accessible to the adversary. The adversary could also delete
messages from the target user's mailbox to prevent an important message from
getting to the target user. Some guidelines to secure the contents of voice mail
include the following:
(A) Default and obvious passwords must be changed at initial log-in. The
target user's extension is easily known. Default passwords
established at system initialization time may never have been changed.
Fixed length passwords are more vulnerable than variable length
passwords. Variable length passwords can be terminated by a special key
such as the # or * key. If not, the passwords are probably of fixed
length, which reduces the number of combinations that must be
tried before the correct password is found.
(B) Non-terminated password entry should be avoided. Some systems
accept a continuous string of digits, granting entry when the correct
password sequence is entered. By not requiring a password entry to be
terminated, the length of the average sequence needed to guess a four-
digit password is reduced by a factor of five.
(C) A complete password must be entered before an incorrect password is
rejected. If it is rejected on the first incorrect digit, sequential guessing
becomes much more practical. For example, on such a system that has a
fixed password length of four and uses the digits 0-9, it would take at most
40 sequential attempts to guess a password. On a system that required all
four digits to be entered at most 10,000 guesses would be required.
(D) Disallow access to external lines via the Voice Mail system.
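An added illustration of guidelines (A) to (C) above (example code written for this page, not from this policy or any PBX vendor): a check for proposed PINs, and a mailbox login modelled as a state machine that buffers keypresses until the terminator key and only then compares the complete entry, so no single digit is ever accepted or rejected on its own. The weak-PIN list, length limits, lockout count and terminator key are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed values for this example; a real PBX's factory defaults come from
# its vendor documentation and the lockout threshold from the agency's policy.
WEAK_PINS = {"0000", "1234", "1111", "4321", "0123", "9999"}
PIN_MIN_LEN = 4
PIN_MAX_LEN = 8
MAX_FAILURES = 3
TERMINATOR = "#"


def validate_new_pin(pin: str, extension: str) -> List[str]:
    """Guideline (A): return the reasons a proposed PIN must be refused (an empty
    list means it is acceptable). The extension is treated as public knowledge,
    so the PIN may not be derived from it."""
    problems = []
    if not pin.isdigit():
        problems.append("pin must consist of digits only")
    if not PIN_MIN_LEN <= len(pin) <= PIN_MAX_LEN:
        problems.append(f"pin must be {PIN_MIN_LEN} to {PIN_MAX_LEN} digits long")
    if pin in WEAK_PINS:
        problems.append("pin is a known default or obvious value")
    if pin and (pin in extension or extension in pin):
        problems.append("pin must not contain, or be contained in, the extension")
    if len(set(pin)) == 1:
        problems.append("pin must not be a single repeated digit")
    return problems


@dataclass
class MailboxLogin:
    """Guidelines (B) and (C): the login prompt buffers keypresses and compares
    nothing until the terminator arrives, so an individual wrong digit produces
    no feedback. Repeated failed entries lock the mailbox."""
    extension: str
    pin: str
    failures: int = 0
    buffer: str = field(default="", repr=False)

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def press(self, key: str) -> Optional[str]:
        """Feed one keypress. Returns None while the entry is incomplete,
        otherwise 'granted', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        if key != TERMINATOR:
            # Digits are buffered silently; an over-long entry simply fails later.
            if key.isdigit() and len(self.buffer) <= PIN_MAX_LEN:
                self.buffer += key
            return None
        entered, self.buffer = self.buffer, ""
        # Compare the complete entry only, in constant time for equal lengths.
        if hmac.compare_digest(entered.encode(), self.pin.encode()):
            self.failures = 0
            return "granted"
        self.failures += 1
        return "locked" if self.locked else "denied"
```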
7.0 PHYSICAL AND ENVIRONMENTAL SECURITY
1. The hosting agency has the responsibility for documentation, execution, monitoring
and testing of a physical security plan for both computer and telecommunication
assets. This physical security plan would evaluate the risks from potential losses
due to:
(A) physical destruction or theft of physical assets,
(B) loss or destruction of information and program files,
(C) theft of information,
(D) theft of indirect assets, and
(E) delay or prevention of computer processing.
2. Included in the plan would be measures for reducing the possibility of a loss and
must address:
(A) changes in the environment to reduce exposure,
(B) measures to reduce the effect of a threat,
(C) improved control procedures,
(D) early detection, and
(E) contingency plans.
7.1 OPERATIONS CENTER
1. The following are guidelines of the action items for establishing, implementing and
maintaining a physical security program at the hosting agency:
(A) conduct a risk analysis (refer to section 4),
(B) determine local natural disaster probabilities,
(C) protect supporting utilities,
(D) ensure computer reliability,
(E) provide physical protection,
(F) implement procedural security,
(G) plan for contingencies,
(H) develop security awareness, and
(I) validate the program.
7.2 OPERATIONS MONITORING
1. Hosting agencies can monitor security effectiveness by comparing performance
against the metrics in a service level agreement and by tracking incidents that
violate security policies, procedures, guidelines and best practices.
2. Guidelines for hosting agencies in establishing a service level agreement are:
(A) hours of system availability,
(B) hours of application system support,
(C) hours of technical support,
(D) off hours support,
(E) average system response time, and
(F) other metrics as suitable for agency specific applications.
3. Hosting agencies should aim to meet 99.9% or more of the metrics
established in the service level agreement. Failure to achieve these targets
could indicate a security breach.
4. Both offensive (preventive) and defensive (reactive) actions to protect
the security of physical assets should be routine. Examples of offensive
actions include:
(A) routine changes of passwords,
(B) an escalation procedure for incidents,
(C) routine changes of locks or combinations to the facilities,
(D) more than one person knowledgeable about each critical function,
(E) rotation of shifts or people between functions,
(F) monitoring of all incursion attempts,
(G) installation of the latest versions of firewall software,
(H) a 24x7 vendor contact list,
(I) routine backups,
(J) off-site storage of system information and programs,
(K) redundant components and lines for critical systems, and
(L) testing of recovery procedures.
5. Examples of defensive actions include:
(A) report and act on all deviations from security policies, procedures,
guidelines and best practices,
(B) shut down any infected machine immediately,
(C) disconnect any problem areas from the network,
(D) revoke privileges of users violating policies,
(E) assign severity to an issue and escalate, and
(F) acquire knowledgeable resources.
7.3 BACK-UP OF INFORMATION
1. Back-up copies of essential business information and software must be taken
regularly. Adequate backup facilities should be provided to ensure that all essential
business information and software can be recovered following a disaster or media
failure. Backup arrangements for individual systems should be regularly tested to
ensure that they meet the requirements of business continuity plans. The following
controls must be considered:
(A) A minimum level of back-up information, together with accurate and
complete records of the back-up copies and documented restoration
procedures, should be stored in a remote location at a sufficient distance
to escape any damage from a disaster at the main site. At least three
generations or cycles of back-up information should be retained for
important business applications.
(B) Back-up information should be given an appropriate level of physical
and environmental protection consistent with the standards applied at the
main site. The controls applied to media at the main site should be
extended to cover the back-up site.
(C) Back-up media should be regularly tested, where practicable, to ensure that
they can be relied upon for emergency use when necessary.
(D) Restoration procedures should be regularly checked and tested to ensure
that they are effective and that they can be completed within the time
allotted in the operational procedures for recovery.
(E) The retention period for essential business information and also any
requirement for archive copies to be permanently retained should be
determined.
7.4 ACCESS CONTROL
1. Logical and physical access controls are required to ensure the integrity of
the information and physical assets.
2. The following guidelines for controlling logical access should be implemented
by all state hosting agencies:
(A) document and adhere to procedures for granting, modifying and revoking
access,
(B) ensure segregation of duties for access,
(C) install detection mechanisms for unauthorized access attempts,
(D) time out a session after 15 minutes of inactivity, and
(E) revoke access after an inactivity period of 60 days.
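The two concrete thresholds above, a 15-minute session timeout and 60-day access revocation, are the kind of rule an agency can audit mechanically. The following Python check is an added example, not part of the policy text or any state system: the account and session records are constructed for illustration, and a real audit would read them from the directory and the application's session store.

```python
"""Added example (not part of the policy text): check accounts and sessions
against the two thresholds in 7.4(2)(D) and (E). Records are constructed;
a real audit would read them from the directory and the session store."""
from datetime import datetime, timedelta, timezone

SESSION_IDLE_LIMIT = timedelta(minutes=15)   # 7.4(2)(D)
ACCOUNT_IDLE_LIMIT = timedelta(days=60)      # 7.4(2)(E)

# Constructed directory export: (user, created, last_logon). None means the
# account has never been used.
ACCOUNTS = [
    ("alice", "2017-09-01T08:00:00+00:00", "2017-12-11T17:22:00+00:00"),
    ("bob",   "2017-03-15T08:00:00+00:00", "2017-09-30T12:05:00+00:00"),
    ("carol", "2017-11-28T09:00:00+00:00", None),   # new, never logged in
    ("dave",  "2017-06-01T09:00:00+00:00", None),   # stale, never logged in
    # 05:00 at UTC-6 is 11:00 UTC: 59 days 23 h idle, so erin stays. Read
    # naively as UTC it would be 60 days 5 h and she would be wrongly revoked.
    ("erin",  "2017-01-10T09:00:00+00:00", "2017-10-13T05:00:00-06:00"),
]

# Constructed session table: (session_id, user, last_activity).
SESSIONS = [
    ("s1", "alice", "2017-12-12T09:40:00+00:00"),   # 20 min idle
    ("s2", "alice", "2017-12-12T09:58:30+00:00"),   # 90 s idle
    ("s3", "erin",  "2017-12-12T09:44:59+00:00"),   # 15 min 1 s idle
]

NOW = datetime(2017, 12, 12, 10, 0, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse an ISO 8601 timestamp; refuse naive values rather than guess a
    zone, because a wrong assumption moves accounts across the 60-day line."""
    ts = datetime.fromisoformat(s)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {s!r}")
    return ts


def accounts_to_revoke(accounts, now=NOW):
    """Users idle for more than 60 days. An account that has never logged in
    is aged from its creation date, otherwise it would never fall due."""
    revoke = []
    for user, created, last_logon in accounts:
        last_used = parse_ts(last_logon or created)
        if now - last_used > ACCOUNT_IDLE_LIMIT:
            revoke.append(user)
    return revoke


def sessions_to_terminate(sessions, now=NOW):
    """Session ids idle for more than 15 minutes."""
    return [sid for sid, _user, last in sessions
            if now - parse_ts(last) > SESSION_IDLE_LIMIT]
```

With the constructed data, `accounts_to_revoke(ACCOUNTS)` returns `["bob", "dave"]` and `sessions_to_terminate(SESSIONS)` returns `["s1", "s3"]`. Two decisions in the code matter in practice: never-used accounts are aged from creation so they cannot sit dormant indefinitely, and timestamps without a UTC offset are rejected rather than assumed, since a six-hour error is enough to flip an account across the 60-day boundary.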
3. Physical access control guidelines for all agencies include:
(A) all telecommunication and computer related equipment are to be in a
secured, locked environment,
(B) access codes for secure environments must be changed at least every 60
days or in the event of an individual departing that previously had access,
(C) account for all keys issued for those facilities using this method and
replace locking mechanism when a key is missing,
(D) when the system permits, log all accesses and retain the logs,
(E) secure all peripherals such as air conditioning, generators, etc., and
(F) implement segregation of duties to prevent unauthorized access to
systems or data.
7.5 NETWORK
1. Unsecured connections to network services can affect the whole organization.
Users must only have direct access to the services that they have been specifically
authorized to use. This control is particularly important for network connections
to sensitive or critical business applications or to users in high-risk locations, e.g.
public or external areas that are outside the organization's security management
and control.
2. Procedures concerning the use of networks and network services should cover:
(A) the networks and network services which are allowed to be accessed,
(B) authorization procedures for determining who is allowed to access
which networks and networked services, and
(C) management controls and procedures to protect the access to
network connections and network services.
3. The path from the user terminal to the computer service must be controlled.
Networks are designed to allow maximum scope for a sharing of resources
and flexibility of routing. These features may also provide opportunities for
unauthorized access to business applications, or unauthorized use of
information facilities. Incorporating controls that restrict the route between a
user terminal and the computer services its user is authorized to access, e.g.
creating an enforced path, can reduce such risks. The objective of an enforced
path is to prevent any users selecting routes outside the route between the user
terminal and the services that the user is authorized to access. This usually
requires the implementation of a number of controls at different points in the
route. The principle is to limit the routing options at each point in the network,
through predefined choices.
4. The following methods should be implemented to limit the path to a service:
(A) allocating dedicated lines or telephone numbers,
(B) automatically connecting ports to specified application systems or
security gateways,
(C) limiting menu and submenu options for individual users,
(D) preventing unlimited network roaming,
(E) enforcing the use of specified application systems and/or security
gateways for external network users,
(F) actively controlling allowed source to destination communications via
security gateways, e.g. firewalls, and
(G) restricting network access by setting up separate logical domains, e.g.
virtual private networks, for user groups within the organization.
5. External connections provide a potential for unauthorized access to business
information, e.g. access by dial-up methods. Therefore, access by remote users
must be subject to authentication. There are different types of authentication
method; some provide a greater level of protection than others, e.g.
methods based on cryptographic techniques can provide strong
authentication. It is important to determine from a risk assessment the level of
protection