CPIT Aoraki ICT Asset and Media Security Standard

Transcription

1 CPIT Araki Crprate Services Divisin: ICT This security standard refers t CPIT, which is the current legal name fr the new rganisatin established 1 January 2016 bringing tgether CPIT and Araki Plytechnic. Knwn as CPIT Araki the new rganisatin will trade under this name until rebranded during CPIT Araki ICT Asset and Media Security Standard Crprate Plicies & Prcedures Sectin 1: General Administratin Dcument 121d Principles Infrmatin Cmmunicatin Technlgy Divisin Security Plicy Security Standard, aligned with Security Standards Guidelines and Prcedures AS/NZS ISO/IEC 27001: 2006 fr Infrmatin Security Management

2 CPIT Araki Crprate Services Divisin: ICT Cntents 1 INTRODUCTION COLLECTING AND RECORDING ICT ASSET INFORMATION ICT HARDWARE ICT Hardware Standards ICT MEDIA STANDARDS Strage and Transprting Restricted Media Dispsal and Media Sanitisatin Standards ICT Asset and Media Security Standard Page 2 f 13

3 CPIT Araki Crprate Services Divisin: ICT ICT Asset and Media Security Standard Purpse This standard defines the recmmended security practices fr Asset and Media Management. It includes prcesses fr mnitring security n ICT assets, recrding f ICT asset infrmatin and mnitring f assets. In additin it cntains recmmended security measures fr all ICT equipment and media. This standard applies t all ICT assets and services prvided acrss CPIT sites. Authrised By: Dcument Owner ICT Directr Service Desk and Prcurement Manager Date f Issue: 15 March 2012 Review date: Nvember 2014 Versin: 2.2 References: This dcument shuld be read in cnjunctin with the ICT Security Plicy. In additin it shuld be read in cnjunctin with the fllwing ICT Security Standards: 1. Physical and Envirnmental Security Standard 2. Human Resurces ICT Security Standard 3. Cmmunicatins and Operatins Management Standard 4. Access Cntrl Security Standard 5. Infrmatin Systems Acquisitin, Develpment and Maintenance Security Standard ICT Asset and Media Security Standard Page 3 f 13

4 CPIT Araki Crprate Services Divisin: ICT 1 INTRODUCTION ICT equipment supprts the business prcesses and prvides business functinality at the Institutin. It is essential that the ICT equipment that prvides these services is well managed and prtected thrugh the apprpriate security standards and prcesses that fllw recmmended ICT best practices. The bjective f this security standard is t define the recmmended prcess fr the ICT asset lifecycle management. The standard includes references t ICT best practices including the IT Infrastructure Library (ITIL). ITIL is a series f prcess and practices fr IT, t aid the implementatin f an IT Service Management framewrk. The fllwing tpics are cvered: Asset Management ICT Equipment ICT Media ICT Dispsal Standards t cntrl access t ICT services and particularly manage access t ICT secure facilities. Standards fr ICT equipment prcurement and cnfiguratin t maintain the integrity and availability f ICT services. Standards fr the strage and transprtatin f ICT media t prtect the integrity f infrmatin held n data strage within the Institutin. Standards fr dispsal, t ensure apprpriate prcesses are fllwed fr sensitive infrmatin cntained n ICT media. ICT Asset and Media Security Standard Page 4 f 13

5 CPIT Araki Crprate Services Divisin: ICT 2 COLLECTING AND RECORDING ICT ASSET INFORMATION ICT Asset Lifecycle Management refers t the cradle t grave prcess f infrmatin n ICT hardware, sftware and assciated peripherals, prcured, managed and dispsed f. Asset infrmatin is an imprtant inventry t maintain. Asset inventries can be used fr audits n ICT assets, recrd details fr legal r regulatry returns and t supprt asset replacement prcesses. As part f the wider service management prgramme it is imprtant t identify and recrd ICT assets which can be referenced during r fllwing a security incident. Fr example: theft f an ICT asset r t determine the risk acrss assets when a security weakness has been identified. This standard recmmends fllwing the ITIL best practice guidelines fr asset infrmatin cllectin and recrding. ICT assets include but are nt limited t: cmputers, sftware, tablet devices, telephny devices, cmmunicatins equipment (ruters, switches), assciated ICT hardware (including racks, wiring frames, UPS) and specialist ICT equipment (like GPS units, pltters, CAD equipment) nrmally purchased thrugh the ICT prcurement prcess. Excluded are CPIT telephny devices and lw cst peripheral devices where nt practicable. The fllwing standards are recmmended: All ICT assets are t be recrded within ICT Asset Registers. These registers will be the authritative recrd f ICT assets and asset infrmatin. All ICT assets issued by CPIT are t remain the prperty f CPIT with an asset wner defined within the Asset Register. The Asset Register shuld cntain: Asset details including a unique asset number which has been allcated. Ideally a nnremvable asset label will be attached t each asset recrding the asset number. Hardware asset details including: type f hardware, serial numbers, characteristics f hardware (drives, cnfiguratin, etc) and s n. Why have an asset register? As infrmatin systems equipment becme increasingly distributed it becmes mre imprtant t have the details recrded centrally. The asset register recrds specific details f individual cmpnents and this is useful when equipment has t be returned fr repair under warranty, when leases expire and fr accunting purpses. The annual inventry verifies that the infrmatin in the asset register is crrect. Maintaining an asset register is the nly flprf way f managing a diverse and extensive ICT envirnment. Sftware asset details including: versin number, purchase details, type f license (retail/educatinal/shareware), supprt details, serial number, deplyment infrmatin and purpse f sftware. Details f the lcatin f the asset, asset wner and cntact details f the asset wner r nminated asset wner. It is imprtant that financial infrmatin is recrded in the register. This includes when the asset was purchased and the value f the asset. Retirement date fr replacing the asset r the date fr upgrading the asset (if knwn). Classificatin f the ICT asset fllwing the classificatin standards defined within the data gvernance standards. The Assets Register must be prtected with apprpriate access cntrl, t prevent asset details being altered r remved. Details f any changes made t the Asset register are t be recrded with the details f what changes have been made. ICT Asset and Media Security Standard Page 5 f 13

6 CPIT Araki Crprate Services Divisin: ICT It is recmmended that the fllwing Assets Management Reprts are available t be prduced as requested: Ref Asset Reprts 1 Management r Faculty Asset Reprt Reprt t indicate what ICT assets have been allcated t bth the individuals in that divisin r faculty. Management will need t validate the assets recrded within the reprt. 2 Sftware Asset Reprt Reprt t indicate what sftware licenses are used acrss CPIT. 3 Security Investigatin Reprt Reprt t prvide details f an asset including the details within the Asset Register 4 Cessatin Reprt. Reprt t list what assets have been recrded against an individual Asset Registers are t be reviewed regularly. The recmmended review perid is 12 mnths. Peridic reviews are recmmended f the sftware installed acrss the CPIT netwrk t identify sftware assets and indicate the number f licenses in use and the installatin f unauthrised sftware. Autmated tls, like SCCM, may be used t streamline the cllectin prcess. ICT Asset and Media Security Standard Page 6 f 13

7 CPIT Araki Crprate Services Divisin: ICT 3 ICT HARDWARE ICT hardware used at the Institutin needs t be installed and maintained t an agreed security standard t safeguard the integrity f CPIT s infrmatin retained n the hardware and the supprting infrastructure. T safeguard CPIT infrmatin and services a defence in depth apprach will be fllwed. This requires security cntrls t be applied acrss ICT systems that cnnect t Internet, systems n the netwrk and systems that access the netwrk. This sectin defines the security standards t prtect ICT equipment at CPIT and recmmends the security cntrls t be implemented t fllw the principles f defence in depth. Defence in Depth A defence in depth principle supprts multiple f layers f security cntrls t prtect infrmatin and services acrss CPIT. If ne f the layers is cmprmised ther layers in defence still apply t safeguard infrmatin. The last layer in the defence f depth principle is the physical cmputers, hand held devices and assciated peripherals. These devices als need t be prtected and security cntrls applied. 3.1 ICT Hardware Standards Defining standards n ICT equipment, including the prcurement and prtectin f these devices, is an imprtant prcess fr maintaining the integrity and availability f ICT services. A prly cnfigured ICT system may result in ICT services being cmprmised r a service being adversely impacted due t a failing device. The bjective f adpting these standards is t ensure that ICT equipment perates as intended is available when required and integrates within the current envirnment, reducing the ptential fr a service being cmprmised. Standards t be fllwed include: Warranty and Maintenance ICT hardware shuld be cvered by a warranty r maintenance agreement t maintain the physical equipment. ICT Staff shuld have access t warranty r maintenance agreement infrmatin pertaining t the ICT asset and the prcedure t cntact third parties in the event f a fault. All cmputers returned frm repair, r transferred t a new user, will be reimaged t the latest build standards befre they are redeplyed r returned t custmers. All hardware sent away fr repair shuld be cleansed f institutin-sensitive infrmatin befre being dispatched where pssible. There are circumstances where the lcal cmputer administratr credentials are prvided t the repair agents t aid with replicating the prblem within the envirnment (image n the cmputer). In such situatins, an arrangement and agreement must be made that nne f this infrmatin is disclsed ther than fr the purpse f replicating the fault and repairing the faulty equipment. Build Standards ICT hardware is t be cnfigured t the technical cnfiguratin that ICT sets. This includes the ICT perating system, apprved applicatin sftware and cmmunicatins sftware. It is recgnised that apprved staff at CPIT may install sftware fr the benefits f academic research and persnal develpment. Sftware installed by staff needs t be apprpriately licensed and nt cmprmise the security f infrmatin r ICT services at CPIT. The ICT Security Plicy stipulates: ICT Asset and Media Security Standard Page 7 f 13

8 CPIT Araki Crprate Services Divisin: ICT ICT staff can remve unauthrised sftware and return ICT hardware t its riginal build status. ICT staff, are als authrised t install and cnfigure sftware and hardware and make changes t ICT services prvided at CPIT. Only apprved sftware is t be installed in the prductin envirnment. ICT Hardware Prtectin All ICT hardware will be installed with an enterprise managed malware prtectin tls t prtect against malicius sftware (this includes cmputer viruses, wrms, Trjan hrses, spyware, adware, malicius mbile cde and the like). Only servers and apprved repsitries fr infrmatin strage will be backed up fllwing the standards defined within the Cmmunicatins and Operatins Standard. Only apprved web brwsers are t be installed. IT Service Desk can advise n the apprved internet brwsers and if a nn-apprved web brwser is deemed t be interfering with the apprved brwser it may be remved by ICT staff. Prtected BIOS passwrds as a standard n all cmputers t prevent changes in bt-up pririty. CPIT cmputers are als cnfigured such that the remval f the exterir case will prmpt the entry f the BIOS passwrd n next start-up. The cmputer will nt prceed until a valid BIOS passwrd is entered. ICT will implement restrictins n cmputers t prevent users frm re-setting r changing security cntrls, this is typically cntrlled thrugh grup plicies acrss netwrk cnnected ICT equipment. Disabled r restricted access f the fllwing services t prtect netwrk cnnected ICT Hardware: Cmmunicatin services that are inherently susceptible t abuse r nt deemed suitable business services. Including peer t peer cmmunicatins sftware and VPN cnnects that directly cnnects cmputers and bypasses security cntrls. Cmmunicatin prtcls that are inherently susceptible t abuse. Including FTP sftware frm within the netwrk. Disabling prts that are nt required fr CPIT business activities. Administratin utilities like windws registry r cntrl panel. Run cmmands r cmmand prcessrs. Disabling accunts such as guest accunt r equivalent in ther perating systems. The recmmended settings abve will be reviewed regularly t ensure that security cntrls prvide sufficient prtectin against current vulnerabilities. ICT will install remte mnitring sftware t integrate cmputers and gather infrmatin fr audits r cmplete assistance t users at CPIT. Keep yur imprtant data away frm the internet ICT Asset and Media Security Standard Page 8 f 13

9 CPIT Araki Crprate Services Divisin: ICT Internet facing r Web Server Build Standards Increased security risks are assciated with servers that directly cnnect t the internet. External internet facing web servers shuld meet the fllwing standards: Segregated frm the internal netwrk and untrusted netwrks within a secure envirnment (r cmmnly referred t as DMZ - Demilitarised Zne). Imprtant infrmatin (particularly if it is the nly cpy) must be kept away frm an internet facing web server where it culd be mdified r deleted by unauthrised parties. Infrmatin shuld be stred n internal machines that are prtected by firewalls r ther security barriers. The mre sensitive the infrmatin the mre layers f defence need t be built t prtect the infrmatin. Operate n a dedicated cmputer ideally (i.e. the server des nt prvide ther services like prcessing, databases, FTP r ther business applicatins) t minimise the security risk by islating the web server and minimise any impact if the web server is cmprmised. Supprt the peratin f web applicatins with minimal privilege, i.e. run as a standard user and nt as administratr. This is critical as high privileged accunts shuld never be used n internet facing web servers. Prevented frm making direct Internet cnnectins (thrugh the server being lcked-dwn, r firewall rules preventing access t the Internet t minimise the risk f inapprpriate sftware being installed nt the web server by accident r intentinally). Cnfigured t cllect lg files and retained fr the recmmend standard. Ensure the web servers' files and directries are nt able t be indexed and that the nly results frm a search engine are the user cntent. Back-ffice systems (applicatin and database servers) are islated thrugh the use f a firewall r private netwrk t minimise the risk f internal access. Supprt mutual authenticatin, tw cmputers verifying each ther s identity befre exchanging data. Netwrk Segregatin T cntrl access acrss the CPIT netwrk and t safeguard internal ICT systems frm external threats, netwrk segregatin will be used at CPIT. The netwrk perimeter is t be secured thrugh the segregatin f the internal netwrk frm the external internet. ICT will use a firewall t achieve this segregatin between the tw netwrks. Firewalls n laptp cmputers are t be cnfigured t prtect laptps when they are away frm the ffice. The firewall service will: Be managed by ICT and all changes t the firewall will fllw the change management prcess and require apprval befre changes are made. Firewall will perate n a separate dedicated cmputer and nt be used fr prviding any ther ICT service. Firewall alerts are t be sent t the ICT Service Desk (r cnslidated within Micrsft System Centre) and technical staff within the Infrastructure team. Details f third parties managing the firewall service are t be available t ICT Service Desk and cntact details t cntact in the event f a security incident. Netwrk segregatin is als recmmended fr cmputers perating sensitive infrmatin (like financial r student persnal infrmatin), sftware develpment cmputers and system administratin cmputers. Decisin t use netwrk segmentatin is t be agreed n a case by case basis. ICT Asset and Media Security Standard Page 9 f 13

10 CPIT Araki Crprate Services Divisin: ICT Encryptin T prtect the cnfidentiality f data stred n ICT hardware the recmmended security cntrl is t use encryptin. Encryptin must be used t encrypt data where the risk f lss thrugh theft r interceptin is high, where there is the ptential fr a majr security breach shuld that data get int the hands f unauthrised persns and where the lss f the data wuld have a majr impact n CPIT. Care and Lss Staff at CPIT that have been issued with ICT hardware are expected t act with due care and diligence in prtecting it frm theft r damage. ICT Service Desk can prvide advice and guidance n precautins t take when travelling with prtable ICT hardware. If ICT hardware is lst, stlen, r damaged then staff members are t cntact the ICT Service Desk immediately. ICT Asset and Media Security Standard Page 10 f 13

11 CPIT Araki Crprate Services Divisin: ICT 4 ICT MEDIA STANDARDS ICT media refers t: magnetic tape, USB keys, prtable drives and disks in use at CPIT. T safeguard media against crruptin, lss r disclsure the security cntrls defined within this standard are t be fllwed. 4.1 Strage and Transprting Restricted Media ICT media that cntains restricted infrmatin is t be stred in a physically secure lcatin like a lcked filing cabinet, lcked rm r a fireprf safe. ICT media that is classified as restricted is t be labelled t indicate its sensitivity and the infrmatin classificatin (restricted access, cnfidential etc). ICT media that is sensitive is t be encrypted befre being transmitted r transprted. ICT hardware that has been used t stre restricted media needs t have the strage media remved befre being sent t a third party. Alternatively, a service engineer shuld attend CPIT, this is preferable t sending equipment ff-site that may cntain restricted infrmatin. Restricted Data? With reference t the CPIT data gvernance standards, Restricted data is data cntaining sensitive r cnfidential infrmatin that if cmprmised culd have a material adverse effect n CPIT interests, the peratins f the Institutin and the privacy t which individuals are entitled. The ther data classificatin standards are: Prtected data t be used by individuals wh require it fr their jbs; Institutinal internal use infrmatin and nt fr external distributin and, finally, Public available t the general public. We need a new sub-sectin arund strage f crprate data in the clud, and the sharing f it? File cllabratin amng staff/students can be a challenge fr CPIT. Cumbersme legacy enterprise cntent management slutins ften dn t cut it, and file cllabratin by presents a myriad f challenges, such as lack f versining and inapprpriate use f expensive media ptimised fr perfrmance rather than strage/archival purpses. Staff are demanding file sharing slutins that are as easy t use as cnsumer-riented prducts like Drpbx. ICT has n cntrl ver what staff stre n their persnal CPIT clud strage, s ICT/LTU needs t prvides staff with a clear understanding f hw they are t stre CPIT wrk files in the clud, in that a cpy must always be stred n a CPIT netwrked drive fr backup. Preference is given t OneDrive and Bx ver ther clud strage prviders as ICT s recmmended prviders have terms and cnditins that are aligned with that f CPIT s standards and plicies. With and intrductin f Office365 and Adbe Creative Clud fr staff, there needs t be a clearer Institutinal plicy and guiding dcument t supprt and steer apprpriate use f such services by CPIT Staff. 4.2 Dispsal and Media Sanitisatin Standards Infrmatin may be accessed by unauthrised individuals thrugh careless dispsal f cmputer media r by nt cleaning media that is re-issued t anther staff member. Infrmatin Leak? Infrmatin leak refers t infrmatin ICT Asset and Media Security Standard Page 11 f 13

12 CPIT Araki Crprate Services Divisin: ICT As the use f sphisticated encryptin prevents access t infrmatin attackers are lking fr alternative ways t access infrmatin. One avenue f attack is the recvery f deleted data frm ICT media. This is increasingly becming a significant risk as infrmatin can be stred n a variety f prtable devices, like smart phnes and tablet devices, which all need t be sanitised when nt lnger needed r transferred t anther user. Sanitisatin refers t remving data frm the strage device t a pint whereby anyne accessing the strage device cannt retrieve r recnstruct the data. being disclsed t a third party. Whether this is hard cpies f infrmatin fund by dumpster diving r electrnic infrmatin fund n an ld cmpute t a smart phne discarded imprperly. A disclsure culd lead t an embarrassing disclsure f infrmatin r t a majr security incident. The dispsal r re-use f ICT media is further cmplicated by the high number f devices and strage mediums than can stre infrmatin. Equally there is a risk that sensitive infrmatin may als be expsed thrugh dcuments being dispsed f inapprpriately. T reduce the risk f an infrmatin leak the fllwing standards apply fr bth sft and hard ICT media: Hard Cpy ICT Media Fr example: restricted dcuments r cnfidential reprts. All hard ICT media that cntains restricted infrmatin is t be dispsed f after crss-cut shredding r placed in secure bins fr prcessing by an apprved dcument destructin service. Sft Cpy ICT Media Fr example: electrnic media are the bits and bytes cntained in hard drives, randm access memry (RAM), read nly memry (ROM), disks, memry devices, phnes, mbile cmputing devices, netwrking equipment. Fr sft media that is a standalne device (like a DVD r USB key) r integrated within ICT hardware (hard disk r smart phne) the fllwing standards apply: Data Classificatin f data stred n Sft Media Erase and Dispsal Standard PUBLIC Device t be re-used: re-frmat the disk using standard perating sftware prcesses r fllw device specific erasure prcesses. Where applicable (e.g. smartphnes/tablets), adequate system recvery prcedures are carried ut t cmplete wipe the device and restre it t factry defaults. Device n lnger required: dispse thrugh standard prcesses at CPIT, n additinal steps necessary. PROTECTED, INSTITUTIONAL Device t be re-used: use a sanitisatin sftware prduct t re-frmat the media including any free spaces n the disk drives r fllw the manufactures specific guidance n wiping the data. Where applicable (e.g. smartphnes/tablets), adequate system recvery prcedures are carried ut t cmplete wipe the device and restre it t factry defaults. Device n lnger required: physically destry (fr ICT Asset and Media Security Standard Page 12 f 13

13 CPIT Araki Crprate Services Divisin: ICT Data Classificatin f data stred n Sft Media Erase and Dispsal Standard example breaking a DVD) and dispse lcally. RESTRICTED Device t be re-used: use a sanitisatin sftware prduct t re-frmat the media including any free spaces n the disk drives r fllw the manufactures specific guidance n wiping the data. Where applicable (e.g. smartphnes/tablets), adequate system recvery prcedures are carried ut t cmplete wipe the device and restre it t factry defaults. Device n lnger required: destry by crushing the item r placing in a furnace t physically make the device unreadable. Nte: changes in media technlgy have changed the sanitisatin best practices; riginally multiple verwriting was necessary t sanitise sftware media. This has changed and a single pass is adequate t prtect the media frm being expsed. It is imprtant hwever that the entire disk is verwritten nt just the used space. Devices that d nt fall with the abve classificatins must be physically destryed. ICT will perfrm the erasure prcess and recrd that the prcess has been fllwed. Details will be maintained with the Assets Register (refer t Sectin 2) including the erasure standard used. This is the end f the ICT Asset and Media Security Standard. This standard is ne f six standards that prvide advice and guidance n the best practices t fllw when using and accessing ICT services. The ther standards are available n the CPIT ICT intranet. ICT Asset and Media Security Standard Page 13 f 13