State of North Carolina. Statewide Information Security Manual. Prepared by the Enterprise Security and Risk Management Office


State of North Carolina Statewide Information Security Manual
Prepared by the Enterprise Security and Risk Management Office
Publication Date: January


TABLE OF CONTENTS

INTRODUCTION
CHAPTER 1 CLASSIFYING DATA AND LEGAL REQUIREMENTS
CHAPTER 2 SECURING THE END USER
CHAPTER 3 SECURING THE NETWORK
CHAPTER 4 SECURING SYSTEMS
CHAPTER 5 PHYSICAL SECURITY
CHAPTER 6 CYBER SECURITY INCIDENT RESPONSE
CHAPTER 7 BUSINESS CONTINUITY AND RISK MANAGEMENT


Introduction

The Statewide Information Security Manual is the foundation for information technology security in North Carolina. It sets out the statewide information security standards required by N.C.G.S , which directs the State Chief Information Officer (State CIO) to establish a statewide set of standards for information technology security to maximize the functionality, security, and interoperability of the State's distributed information technology assets. These standards apply to all executive branch agencies, their agents or designees subject to Article 3D of N.C.G.S Use by local governments, local education agencies (LEAs), community colleges, constituent institutions of the University of North Carolina (UNC) and other executive branch agencies is encouraged to the extent allowed by law.

The Manual is based on industry best practices and follows the International Organization for Standardization Standard (ISO 27002) for information technology security framework. The manual also incorporates references to the National Institute of Standards and Technology (NIST) and other relevant standards. The statewide information security standards have been extensively reviewed by representatives of each agency within the executive branch of state government and are continuously reviewed as technology and security needs change.

The Manual sets forth the basic information technology security requirements for state government. Standing alone, it provides each executive branch agency with a basic information security manual. Some agencies may need to supplement the manual with more detailed policies and standards that relate to their specific operations and any applicable statutory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the Internal Revenue Code, and the Payment Card Industry Data Security Standard (PCI DSS). The Enterprise Security and Risk Management Office (ESRMO) staff is available to answer any questions related to the Statewide Information Security Manual and to assist agencies in meeting their unique needs.

Implementation and Management

While this Manual is the foundation for information technology security in state government and is required for all executive branch agencies to follow in order to comply with statewide information security standards, simply complying with these standards will not provide a comprehensive security program. Agency management should emphasize the importance of information security throughout their organizations with applicable agency specific security policies, ongoing training and sufficient personnel, resources and support.

When considering the specific controls that are to be used to comply with the statewide information security standards, agencies should refer to statewide and industry security practices related to information technology implementation. Agencies should also consider periodic internal and external reviews of their information security program. The reviews may be staggered but should collectively include technical security controls, such as devices and networks, and non-technical security controls, which include policies, processes, and self-reviews. Independent information security reviews should be considered when there are significant changes to the agency's information security posture because of a technology overhaul, significant change in business case or information protection needs.

Management commitment to information security; Information security coordination; Allocation of information security responsibilities; Independent review of information security

Chapter 1 Classifying Data and Legal Requirements

Section 01 Classifying and Storing Information

Classifying Information

Purpose: To properly classify the State's information.

Information includes all data, regardless of physical form or characteristics, made or received in connection with the transaction of public business by any agency of State government. The State's information shall be handled in a manner that protects the information from unauthorized or accidental disclosure, modification or loss.

1. All agency information and data shall be classified as to its confidentiality, its value and its criticality.
2. Agencies shall establish procedures for evaluating information and data to ensure that they are classified appropriately. Agency custodians of data and their designees are responsible for agency data and shall establish procedures for appropriate data handling.
3. All agency data shall be labeled to reflect its confidentiality, its value, and its criticality. All data must be clearly labeled so that all users are aware of the custodian, classification and value of the data.
4. Confidentiality is to be determined in accordance with N.C.G.S. Chapter Public Records Law - and all other applicable legal and regulatory requirements. Data, files, and software shall be clearly marked in such a way that identifies the process by which such information is to be made available or accessible.
5. All agencies shall maintain a comprehensive and up-to-date inventory of their information assets and periodically review the inventory to ensure that it is complete and accurate.
6. All agencies are required to protect and secure the information assets under their control. The basic information requirements include, but are not limited to, the following:
   - Determine the vulnerability, risk level, and organizational value of information assets to the agency and the business processes they support.
   - Provide the level of protection for information assets the agency deems appropriate in accordance with applicable laws and standards based upon their vulnerability, risk level, and organizational value.
   - Comply with applicable federal and state laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and all applicable standards, such as the Payment Card Industry Data Security Standard (PCI DSS), and the Department of Homeland Security (DHS) Protective Critical Infrastructure Information (PCII).

Inventory of assets; Ownership of assets; 7.2 Information classification; Classification guidelines; Information labeling and handling

Storing and Handling Information

Purpose: To protect the State's information through the establishment of proper controls.

The State's information, data and documents shall be handled in a manner that will protect the information, data and documents from unauthorized or accidental disclosure, modification or loss. All information, data and documents must be processed and stored in accordance with the classification levels assigned to those data in order to protect their integrity, availability, and confidentiality. The degree of protection required shall be commensurate with the nature of the information, the operating environment, and the potential exposures resulting from loss, misuse or unauthorized access to or modification of the data.

1. If information includes both confidential data and non-confidential data, the classification level shall default to confidential.
2. Electronic media brought into or removed from State-maintained premises shall be appropriately controlled.
3. Storage areas and facilities for media containing confidential data shall be secured. Filing cabinets used for the storage of confidential information shall have locking devices.
4. When confidential information is shipped, the agency shall determine the steps necessary to ensure the delivery is verified. If technically possible, confidential data shall be encrypted according to the minimum requirements for encrypting data in policy Using Encryption Techniques.
5. An agency that obtains confidential information from another agency shall observe and maintain all confidentiality conditions imposed by the providing agency. Special protection and handling shall be provided for information that is covered by statutes that address, for example, the confidentiality of financial records, taxpayer information, and personally identifiable information (PII).
6. The State CIO shall manage and protect confidential information technology security records that agencies provide to the SCIO's office and the Office of Information Technology Services (OITS). Records including confidential information submitted to the State CIO or OITS shall be labeled. Such records that include information technology security features shall be labeled by affixing the following statement on each page of the document: Confidential per N.C.G.S (c).
7. Confidential information shall be provided only to agencies and their designated representatives when necessary to perform their job functions.
8. Confidential information shall not be transmitted electronically over public networks [1], such as FTP or electronic mail, unless encrypted while in transit. See policy Using Encryption Techniques for the minimum requirement for encrypting data.
9. All State and agency data, confidential and non-confidential, shall be encrypted when stored on a laptop. Confidential data shall be encrypted when stored on other mobile computing devices and portable storage devices, including non-state owned devices authorized for use. See policy Using Encryption Techniques for the minimum requirement for encrypting data.
10. Federally protected confidential data shall not be stored on non-state owned/managed devices without proper approval.
11. Agencies shall ensure that legal and business risks associated with contractors' access are determined, assessed, and appropriate measures are taken such as through non-disclosure agreements, contracts, and indemnities.

[1] For the purpose of this standard, a public network includes the State Network. It does not apply to internal agency networks.

1. An appropriate set of policies and procedures should be defined for information labeling and handling in accordance with the classification scheme adopted by the agency. The procedures should cover information assets in both physical and electronic formats. For each classification, handling procedures should be defined to cover the following types of information-processing activity:
   - Copying
   - Storage
   - Transmission by post, fax, and electronic mail
   - Transmission by spoken word, including mobile phone, voice mail, and answering machines
2. Where appropriate, physical assets should be labeled. Some information assets, such as documents in electronic form, cannot be physically labeled and electronic means of labeling need to be used. In other cases, such as with tapes, a physical label is appropriate for the outside of the tape in addition to electronic labeling of documents contained on the tape.
3. Documents that contain confidential information should be restricted to authorized personnel using controls such as passwords to augment other technical and administrative controls. Any person who prints or photocopies confidential data should label and control the original and copied document in accordance with all applicable policies, statutes and regulations. Proper retention, archive and disposal procedures for such documents should be observed. State employees should consider using document headers and footers to notify readers of files classified as confidential.

Information labeling and handling; Information handling procedures; Sensitive system isolation; 15.1 Compliance with legal requirements

Section 02 Complying with Legal Obligations

Being Aware of Legal Obligations

Purpose: To ensure that employees are familiar with the laws that govern use of information technology systems and the data contained within those systems and that agencies comply with such laws.

State agencies are subject to Federal, State and local laws governing the use of information technology systems and the data contained in those systems.

1. Agencies shall comply with all applicable laws and take measures to protect the information technology systems and the data contained within information systems.
2. Agencies shall ensure that all employees and contractors are aware of legal and regulatory requirements that address the use of information technology systems and the data that reside on those systems.
3. Agencies shall ensure that each public employee and other State Network user is provided with a summary of the legal and regulatory requirements.

Examples of laws that affect computer and telecommunications use in North Carolina are as follows:

Federal
   - 18 U.S.C Fraud and related activity in connection with computers.
   - 18 U.S.C et seq. Stored Communications Act.
   - 17 U.S.C. 500 and 506. Copyright infringements and remedies.

North Carolina
   - N.C.G.S Department heads to report possible misuse of state property to the SBI.

   - N.C.G.S Using profane, indecent or threatening language to any person over the telephone; annoying or harassing by repeated telephoning or making false statements over telephone. The statute includes the sending by computer modem of any false language concerning death, injury, illness, disfigurement, indecent conduct or criminal conduct of the person receiving the information or any close family member.
   - N.C.G.S Accessing computers.
   - N.C.G.S Damaging computers, computer systems, computer networks, and resources.
   - N.C.G.S Computer trespass; penalty.
   - N.C.G.S Unauthorized connections with telephone or telegraph.

Examples of laws that affect data residing on State information technology systems are as follows:

Federal
   - 26 U.S.C. 6103, 7213, 7213A, 7431, Internal Revenue Code.
   - Public Law , 104th Congress, Health Insurance Portability and Accountability Act of
   - U.S.C. 552a, as amended. Privacy Act of

North Carolina
   - N.C.G.S. Chapter 132. Public records law.
   - N.C.G.S Secrecy required of officials (tax information).
   - N.C.G.S. 122C-52. Client rights to confidentiality (disability clients).

Laws that relate to confidential records held by North Carolina government are summarized in the following document:

Terms and conditions of employment; Identification of applicable legislation; Data protection and privacy of personal information

Complying with General Copyright Laws

Purpose: To ensure that agencies comply with laws that address copyright protection.

1. Agencies shall provide employees, contractors and other third parties with guidelines for obeying software licensing agreements and shall not permit the installation of unauthorized copies of software on technology devices that connect to the State Network. The guidelines shall inform employees, contractors and other third parties of the following:
   - Persons involved in the illegal reproduction of software can be subject to civil damages and criminal penalties.
   - Employees, contractors and other third parties shall obey licensing agreements and shall not install unauthorized copies of software on State agency technology devices.
   - Employees, contractors and other third parties who make, acquire or use unauthorized copies of software shall be disciplined as appropriate. Such discipline may include termination.
2. Agencies shall inform their users of any proprietary rights in databases or similar compilations and the appropriate use of such data.
3. Agencies shall inform users of any sanctions that may arise from inappropriate use of databases or similar compilations.
4. Agencies shall define policies and procedures to comply with legal and regulatory requirements in regards to the protection of intellectual property.
5. Each agency shall establish procedures for software use, distribution and removal within the agency to ensure that agency use of software meets all copyright and licensing requirements. The procedures shall include the development of internal controls to monitor the number of licenses available and the number of copies in use.

Identification of applicable legislation; Intellectual property rights (IPR)

Legal Safeguards against Computer Misuse

Purpose: To disclose to users of State information systems the legal policy requirements for using State information technology resources as well as any methods an agency may use to monitor usage.

1. Agencies shall provide users of information technology services with the legal policy requirements that apply to use of State information technology systems and, where practical and appropriate, agencies shall provide notice to users of State information technology systems that they are using government computer systems.
2. If an agency monitors computer users, it shall provide notice to computer users that their activities on State information technology systems may be monitored and disclosed to third parties. The notice may take many forms, such as a privacy statement on an Internet Web page or a monitoring notice affixed to a computer monitor.
3. Where practical and appropriate, sign-on warning banners shall be posted on State information technology systems to appear just before or just after login on all systems that are connected to the State Network. This gives notice to users that they are accessing State resources and that their actions while using these resources are being monitored and are subject to disclosure to third parties, including law enforcement personnel.
Examples of warning banners:

WARNING: This is a government computer system, which may be accessed and used only for authorized business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil and/or administrative action. All information on this computer system may be intercepted, recorded, read, copied and disclosed by and to authorized personnel for official purposes, including criminal investigations. Such information includes data encrypted to comply with confidentiality and privacy requirements. Access or use of this computer system by any person, whether authorized or unauthorized, constitutes consent to these terms. There is no right of privacy in this system.

NOTICE: This system is the property of the State of North Carolina and is for authorized use only. Unauthorized access is a violation of federal and State law. All software, data transactions and electronic communications are subject to monitoring. This is a government system restricted to authorized use and subject to being monitored at any time. Anyone using this system expressly consents to such monitoring and to any evidence of unauthorized access, use or modification being used for criminal prosecution and civil litigation.

Notice to Users: This is a government computer system and is the property of the State of North Carolina. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected and disclosed to law enforcement personnel, as well as to authorized officials of other agencies. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection and disclosure at the discretion of the agency. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

Prevention of misuse of information processing facilities

Chapter 2 Securing the End User

Section 01 Controlling Access to Information and Systems

Managing Access Control Standards

Purpose: To establish requirements for controlling access to State information assets.

Access to State information technology assets shall be controlled and managed to ensure that only authorized devices/persons have appropriate access in accordance with an agency's business needs.

1. All computers that are permanently or intermittently connected to an agency's network shall have an approved credentials-based access control system. Access shall be controlled by the following:
   - User profiles that define roles and access.
   - Documented review of standard users' rights.
   - Documented review of administrator user accounts every 3 months.
   - Revocation upon termination of employment.
2. Regardless of the network connections, all systems handling the State's confidential data shall employ approved authentication credentials-based access control systems and encryption for data in transit. For the State's encryption policy, see Using Encryption Techniques.
3. Only authorized users shall be granted access to the State's information systems, and the principle of least privilege shall be used and enforced.
4. Assignment of privileges shall be based on an individual's job classification, job function, and the person's authority to access information. Job duties shall be separated as appropriate to prevent any single person or user from having any access not required by their job function.
5. Default access for systems containing confidential information shall be deny-all.

Access control policy; Review of user access rights; Limitation of connection time

Managing User Access

Purpose: To prevent unauthorized access to agency networks.

1. Agencies shall establish policies and procedures for managing access rights for use of their networks throughout the life cycle of the user's credentials, such as user IDs, ID cards, tokens, or biometrics.
2. There shall be a documented approval process whereby authorized parties create user accounts and specify required privileges for user access to systems and data.
3. Agencies shall communicate user account policies and procedures including authentication procedures and requirements to all users of an information system.

4. Agencies shall identify a backup system administrator to assist with user account management when the primary system administrator is unavailable.
5. Users shall be responsible for maintaining the security of their user authentication credentials.
6. User credentials shall be individually assigned and unique in order to maintain accountability.
7. User credentials shall not be shared but only used by the individual assigned to the account, who is responsible for every action initiated by the account linked to that credential.
8. Where supported, the system shall display (after successful login) the date and time of last use of the individual's account so that unauthorized use may be detected.
9. Default/generic credentials shall be disabled or changed prior to a system being put into production.
10. User credentials shall be disabled immediately upon the account owner's termination from work for the State or when the account owner no longer needs access to the system or application.
11. Access rights of users in the form of read, write and execute shall be controlled appropriately and the outputs of those rights shall be seen only by authorized individuals.
12. The default access method for files and documents is role-based access control (RBAC); however, other methods to securely access files and documents may be used.
13. Access to confidential information shall be restricted to authorized individuals who require access to the information as part of their job responsibilities.
14. An agency may change, restrict or eliminate user access privileges at any time.
15. Agencies shall modify an individual's access to a State information technology asset upon a change of employment or change in authorization, such as termination, a leave of absence or temporary reassignment.
16. Where possible, an information system shall limit unsuccessful logon attempts to three (3) before the user's account is disabled. The locked out duration shall be at least thirty (30) minutes, unless the end user successfully unlocks the account through a challenge question scenario or an administrator reenables the user's account.
17. User credentials that are inactive for a maximum of ninety (90) days must be disabled, except as specifically exempted by the security administrator.
18. All accounts that have been disabled for greater than 365 days shall be deleted.
19. Only authorized system or security administrators or an authorized service desk staff shall be allowed to enable or re-enable a user credential except in situations where a user can do so automatically through challenge/response questions or other user self-service mechanisms.
20. All user credential creation, deletion and change activity performed by system administrators and others with privileged access shall be securely logged and reviewed on a regular basis.
21. For those systems and applications that enforce a maximum number of concurrent connections for an individual user credential, the number of concurrent connections must be set to two (2).
22. User credentials established for a non-employee/contractor must have a specified expiration date unless a user credential without a specified expiration date is approved in writing by the agency security liaison. If an expiration date is not provided, a default of thirty (30) days must be used.
23. Access control may need to be modified in response to the confidentiality, integrity or availability of information stored on the system, if existing access controls pose a risk to that information.
24. In order to facilitate intrusion detection, information shall be retained on all logon attempts until the agency determines the information is no longer valuable, or as required by law or the standards of this Security Manual.
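The account thresholds in items 16, 17, 18, 22 and 24 of the Managing User Access standard translate directly into a periodic account review and a logon gate. The Python below is an added illustration, not part of the Manual: the `Account` record layout, the function names and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds taken from the numbered standards above.
MAX_FAILED_LOGONS = 3                      # item 16
LOCKOUT = timedelta(minutes=30)            # item 16
INACTIVE_LIMIT = timedelta(days=90)        # item 17
DELETE_AFTER = timedelta(days=365)         # item 18
CONTRACTOR_LIFETIME = timedelta(days=30)   # item 22 default


@dataclass
class Account:  # hypothetical record layout, not a real directory schema
    user_id: str
    created: datetime
    last_logon: Optional[datetime] = None
    disabled_on: Optional[datetime] = None
    contractor: bool = False
    expires: Optional[datetime] = None
    no_expiry_approved: bool = False  # written approval by the security liaison
    inactivity_exempt: bool = False   # exemption by the security administrator


def review(acct: Account, now: datetime) -> str:
    """Return 'delete', 'disable' or 'keep' for one account."""
    if acct.disabled_on is not None:
        # Item 18: delete once disabled for more than 365 days.
        return "delete" if now - acct.disabled_on > DELETE_AFTER else "keep"
    expires = acct.expires
    if acct.contractor and expires is None and not acct.no_expiry_approved:
        # Item 22: no expiration supplied, so the 30-day default applies.
        expires = acct.created + CONTRACTOR_LIFETIME
    if expires is not None and now >= expires:
        return "disable"
    last_use = acct.last_logon or acct.created
    if not acct.inactivity_exempt and now - last_use >= INACTIVE_LIMIT:
        return "disable"  # item 17
    return "keep"


class LogonGate:
    """Item 16 lockout, with every attempt retained as item 24 requires."""

    def __init__(self):
        self.failures = {}
        self.locked_at = {}
        self.attempts = []  # (time, user, password_ok, allowed)

    def unlock(self, user):
        # Administrator re-enable or successful challenge question.
        self.locked_at.pop(user, None)
        self.failures[user] = 0

    def attempt(self, user, password_ok, now):
        locked = self.locked_at.get(user)
        if locked is not None and now - locked >= LOCKOUT:
            self.unlock(user)  # the 30-minute lockout has run its course
            locked = None
        if locked is not None:
            allowed = False    # locked: even a correct password is refused
        elif password_ok:
            self.failures[user] = 0
            allowed = True
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= MAX_FAILED_LOGONS:
                self.locked_at[user] = now
            allowed = False
        self.attempts.append((now, user, password_ok, allowed))
        return allowed


# Constructed sample data for the demonstration.
NOW = datetime(2024, 6, 1, 9, 0)
ACCOUNTS = [
    Account("asmith", datetime(2023, 1, 1), last_logon=datetime(2024, 5, 20)),
    Account("bjones", datetime(2023, 1, 1), last_logon=datetime(2024, 2, 1)),
    Account("cdoe", datetime(2022, 1, 1), disabled_on=datetime(2023, 5, 1)),
    Account("dlee", datetime(2022, 1, 1), disabled_on=datetime(2024, 1, 15)),
    Account("vendor1", datetime(2024, 4, 15), contractor=True,
            last_logon=datetime(2024, 5, 30)),
    Account("vendor2", datetime(2024, 4, 15), contractor=True,
            last_logon=datetime(2024, 5, 30), no_expiry_approved=True),
]


def run_review(accounts=ACCOUNTS, now=NOW):
    return {a.user_id: review(a, now) for a in accounts}


def run_lockout_demo():
    gate = LogonGate()
    # Three bad passwords, a good one during lockout, a good one after it.
    steps = [(0, False), (1, False), (2, False), (10, True), (32, True)]
    results = [gate.attempt("asmith", ok, NOW + timedelta(minutes=m))
               for m, ok in steps]
    return results, len(gate.attempts)


if __name__ == "__main__":
    print(run_review())
    print(run_lockout_demo())
```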

11.2 User access management; Review of user access rights; Information access restriction; Access control policy

Securing Unattended Work Stations

Purpose: To prevent unauthorized system access.

Machines that access a State or agency system shall be safeguarded from unauthorized access especially when left unattended. Agencies shall inform personnel of the risks involved in leaving confidential work on their computer screens while away from their desks.

1. Each agency shall be responsible for configuring all workstations to require a password-protected screen saver after a maximum of thirty (30) minutes of inactivity.
2. Users shall not disable the password-protected configuration established by their agency.
3. Users shall lock their workstations when leaving them unattended.
4. When not in use for an extended period of time, as defined by the agency, users shall log off from their workstation(s).
5. Personnel shall load only software, including screen savers, which have been approved by their agencies. Agencies shall train their employees on the risks of acquiring malware such as viruses, spyware and Trojan horses by downloading and installing unauthorized software.
6. Personnel shall transmit confidential data to printers residing in common areas only when there is a person authorized to receive the information present to protect the confidentiality of the printed material. Personnel shall clear all printers and fax machines of confidential printouts.

Agencies should consider requiring all personnel to shutdown/power off computers when they are not in use for an extended period of time, as defined by the agency.

Media handling; 11.2 User management; Unattended user equipment; Clear desk and clear screen policy

Managing Network Access Controls

Purpose: To establish requirements for the access and use of the State Network and agency networks.

Access to networks operated by State agencies, including the State Network, shall be controlled to prevent unauthorized access and to prevent malicious attacks on the networks. Access to all agency computing and information systems shall be restricted unless explicitly authorized.

1. When end users on the agency networks access State or agency resources, they shall comply with all state and agency acceptable use policies.
2. Users shall not extend or retransmit network services without appropriate management approval.

3. Users shall not install network hardware or software that provides network services, such as routers, switches, hubs and wireless access points, without appropriate management approval.
4. Non-State of North Carolina computer systems that require connectivity to the State Network shall conform to statewide information security standards.
5. Non-State of North Carolina computer systems that require connectivity to agency networks shall conform to agency information security standards.
6. Users shall not download, install or run security programs or utilities, such as password-cracking programs, packet sniffers, network-mapping tools or port scanners, that:
   a) Reveal weaknesses in the State Network without prior written approval from the State CIO; or
   b) Reveal weaknesses of agency networks without appropriate agency management approval.
7. Users shall not be permitted to alter network hardware in any way.

Network access control

Controlling Access to Operating System Software

Purpose: To limit access to operating system administrative software to those individuals authorized to perform system administration/management functions.

Only those individuals designated as system administrators shall have access to operating system administrative commands and programs.

1. Internal network configuration and other system design information shall be limited to only those individuals who require access in the performance of tasks or services essential to the fulfillment of a work assignment, contract or program.
2. State agencies shall maintain a list of administrative contacts for their systems.
3. All authorized users of administrative-access accounts shall receive appropriate training on the use of those accounts.
4. Each individual who uses an administrative-access account shall use the account only for administrative duties. For other work being performed, the individual shall use a regular user account.
5. When special-access accounts are needed for internal or external audit, software development, software installation, or other defined need, they shall be:
   a) Authorized in advance by agency management;
   b) Have a specific expiration date; and
   c) Be removed when the work is completed.
6. Administrative-access accounts must connect in a secure manner at all times and their activity must be logged.

Operating System Access Control

Managing Passwords

Purpose: To prevent unauthorized access and to establish user accountability when using IDs and passwords to access State information systems.

The combination of a unique user credential and a valid password shall be the minimum requirement for granting access to an information system when IDs and passwords are used as the method of performing identification and authentication. If passwords are used, agencies shall manage passwords to ensure that all users are properly identified and authenticated before being allowed to access a State resource.

Password Management Standards

1. Where technically feasible, passwords shall be at least eight (8) characters long for access to all systems and applications.
2. Passwords shall be composed of a variety of letters, numbers and symbols [2] with no spaces in between.
3. Passwords shall be random characters from the required categories of letters, numbers and symbols.
4. Passwords shall not contain dictionary words or abbreviations.
5. Passwords shall not contain number or character substitutes to create dictionary words (e.g., d33psl33p for deep sleep [3]).
6. Passwords for internal State resources shall be different from passwords for external, non-state resources.
7. Agency approved password generators that create random passwords shall be allowed.
8. Application or system features that allow users to maintain password lists and/or automate password inputs shall be prohibited, except for simplified/single sign-on systems approved by the State CIO.
9. Passwords shall not be revealed to anyone, including supervisors, help desk personnel, security administrators, family members or co-workers.
10. Users shall enter passwords manually for each application or system, except for simplified/single sign-on systems that have been approved by the State CIO.
11. Passwords shall not be stored in clear text on hard drives, diskettes, or other electronic media. If stored, passwords shall be stored in encrypted format.
12. Passwords shall not be displayed in clear text during the logon process or other processes.
13. All typical user passwords (e.g., UNIX, Windows, personal computing, RACF, applications, etc.) shall be changed at least every ninety (90) days. This includes Government employee and contractor passwords (e.g., email, Web and calendar) used to access systems and applications. Passwords shall not be reused until six additional passwords have been created.
14. Passwords for citizens and business users do not need to be changed; use of strong passwords and periodic password changes, however, are recommended.
15. Passwords shall not be inserted into email messages or other forms of electronic communication without proper encryption. Attempts to gain access to a user's password through these social engineering means must be reported to the agency security administrator.
16. Where technically possible, access to password-protected systems shall be timed out after an inactivity period of thirty (30) minutes or less, or as required by law, regulation, or industry standard.
17. Passwords shall be changed whenever there is a chance the password or system is compromised.
18. There shall be an agency approved process for validating the identity of an end user who requests a password reset. Initial passwords and subsequent password resets shall utilize a unique password for each user account.

[2] For Resource Access Control Facility (RACF), valid symbols $, #, and _, and the first character of a password must be a letter and the password must contain a number.
[3] Other examples of numbers/symbols for letters are 0 for o, $ or 5 for S, 1 for i, and 1 for l, as in capta1n k1rk or mr5pock.

Password Management Standards - System Administration

1. Passwords for administrative accounts, including any user accounts with more privileges than those of a typical user, shall be changed at least every thirty (30) days whenever possible but must not exceed every sixty (60) days.
2. Credentials with administrative privileges, more privileges than a typical user account, or programs with elevated access shall have a different password from all other accounts held by that user.
3. Password files shall be retrievable only by the system administrator or other designated personnel.
4. The password for a shared administrative-access account shall change when any individual who knows the password leaves the agency that owns the account or when job responsibilities change.
5. All systems should have more than one administrator. In situations where a system has only one administrator, agencies shall establish a password escrow procedure so that, in the absence of the administrator, someone can gain access to the administrator account.

Password Management Standards - Service Accounts

1. As used in this policy, a service account is an account created by system administrators for automated use by an application, operating system or network device for their business purpose.
2. Service accounts must be dedicated solely to their business purpose.
3. Service accounts shall be separate from any other accounts.
4. Agency approved controls must be in place to prevent misuse of a service account.
5. All service accounts must have appropriate logging as specified by the agency of account activity. The application/device owner must audit the service account usage at least every 30 days.
6. All service account passwords must meet system administrator password complexity standards.
7. Whenever possible, service account passwords must have change intervals appropriate to the level of risk posed by a potential compromise of the system. At a minimum, change intervals shall not exceed 180 days (6 months).
8. In the special case where an application or other control software is specifically designed for service accounts to use non-expiring passwords to complete their business purpose, these accounts must be preapproved by agency management and the agency's security liaison. Agency approved controls, policies, and procedures must be in place to closely monitor and mitigate the risk of non-expiring passwords.
9. A service account password must be changed immediately after any potential compromise or when any individual who knows the password leaves the agency or changes roles within the agency.

User password management; Password use; Secure log-on procedures; User identification and authentication; Password management system
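Added example (not part of the Manual): one way a password-change routine could screen a candidate password against standards 1, 2, 4 and 5 above, including the number/symbol substitutes the Manual names (3 for e, 0 for o, $ or 5 for s, 1 for i or l). The function names and the small word list are assumptions made for this illustration; standard 3 (randomness) cannot be judged from a single password and is not checked.

```python
"""Screen a candidate password against Password Management Standards 1, 2, 4 and 5."""

MIN_LENGTH = 8  # standard 1: at least eight characters

# Substitutes named in the Manual: 3 for e (from d33psl33p), 0 for o,
# $ or 5 for s, and 1 for either i or l.
SUBSTITUTES = {"3": "e", "0": "o", "$": "s", "5": "s", "1": "il"}

# Constructed sample word list (assumption); a deployment would load an
# agency-approved dictionary instead.
SAMPLE_WORDS = {"deep", "sleep", "captain", "kirk", "spock", "password"}


def _stands_for(char, letter):
    """True if char is the letter itself or a listed substitute for it."""
    return char == letter or letter in SUBSTITUTES.get(char, "")


def find_words(password, words=SAMPLE_WORDS):
    """Return [(word, used_substitute)] for each dictionary word found.

    Each word is slid across the password and compared position by position,
    so an ambiguous substitute such as 1 (i or l) never has to be expanded
    into every possible decoding of the whole password.
    """
    lowered = password.lower()
    hits = []
    for word in sorted(words):
        for start in range(len(lowered) - len(word) + 1):
            window = lowered[start:start + len(word)]
            if all(_stands_for(c, l) for c, l in zip(window, word)):
                hits.append((word, window != word))
                break  # one hit per word is enough to reject the password
    return hits


def check_password(password, words=SAMPLE_WORDS):
    """Return a list of (standard_number, reason); empty means no finding."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append((1, "fewer than eight characters"))

    classes = {
        "letters": any(c.isalpha() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "symbols": any(not c.isalnum() and not c.isspace() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append((2, "missing " + ", ".join(missing)))
    if any(c.isspace() for c in password):
        findings.append((2, "contains a space"))

    for word, substituted in find_words(password, words):
        if substituted:
            findings.append((5, "substitutes spell '%s'" % word))
        else:
            findings.append((4, "contains dictionary word '%s'" % word))
    return findings


if __name__ == "__main__":
    # Constructed candidates, including the Manual's own examples.
    for candidate in ("d33psl33p", "capta1n k1rk", "mr5pock",
                      "Password1!", "q7#Lm2@xVz9w"):
        print(candidate, "->", check_password(candidate) or "no findings")
```

With a full dictionary, short words will match by chance inside random strings, so a minimum word length is a sensible addition before using a check like this in production.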

Monitoring System Access and Use

Purpose: To establish requirements and guidelines for monitoring user activity.

Agencies shall have the right and ability to monitor use of information systems by employee and third-party contractor users. Agencies that monitor the use of their systems shall do the following:

1. Examine the relevant information technology processes and determine all instances in which individually identifiable information is collected when an employee or third-party contractor uses agency information resources.
2. Establish policies that provide adequate notice to all system users of the scope and manner of monitoring for any information system and never exceed the scope of any written monitoring statement in the absence of any clearly stated exception. The policies shall also state that users shall have no expectation of privacy unless expressly granted by an agency.
3. Obtain a written receipt from State employees and third-party contractors acknowledging that they have received, read and understood the agency's monitoring policies. End users on the State and agency networks should have no expectation of privacy.
4. Inform State employees and third-party contractors of any activities that are prohibited when using the agency's information systems.

Monitoring system use

Controlling Remote User Access

Purpose: To require users of State information technology systems who access agency information technology systems remotely to do so in a secure manner.

Where there is a business need and prior agency management approval, authorized users of agency computer systems, the State Network and data repositories shall be permitted to remotely connect to those systems, networks and data repositories to conduct State-related business through secure, authenticated and carefully managed agency approved access methods.

1. Access to the State Network and agency internal networks via external connections from local or remote locations including homes, hotel rooms, wireless devices and off-site offices shall not be automatically granted with network or system access. Systems shall be available for on- or off-site remote access only after an explicit request is made by the user and approved by the manager for the system in question.
2. Access shall be permitted through an agency-managed secure tunnel such as a Virtual Private Network (VPN) or Internet Protocol Security (IPSec) that provides encryption and secure authentication. Virtual private networks (VPNs) shall require user authentication and encryption strength compliant with the statewide encryption policy, Using Encryption Techniques.

Authentication

1. Access shall require authentication and authorization to access needed resources, and access rights shall be regularly reviewed. The authentication and authorization system for remote access shall be managed by the agency. Agencies that need centralized network infrastructure services shall use the state-wide authentication and authorization service known as NCID.
2. Each user who remotely accesses an internal network or system shall be uniquely identifiable. Account passwords shall not traverse the network in clear text and must meet minimum requirements of the statewide password management standards.
3. All users wishing to establish a remote connection via the Internet to the agency's internal network must first authenticate themselves at a firewall or security device.

Users

1. User Credentials: All users who require remote access privileges shall be responsible for the activity performed with their user credentials. User credentials shall never be shared with those not authorized to use the credential. User credentials shall not be utilized by anyone but the individuals to whom they have been issued. Similarly, users shall be forbidden to perform any activity with user credentials belonging to others.
2. Revocation/Modification: Remote access shall be revoked at any time for reasons including noncompliance with security policies, request by the user's supervisor or negative impact on overall network performance attributable to remote connections. Remote access privileges shall be terminated upon an employee's or contractor's termination from service. Remote access privileges shall be reviewed upon an employee's or contractor's change of assignments and in conjunction with other regularly scheduled user account reviews.
3. Anonymous Interaction: With the exception of Web servers or other systems where regular users are anonymous, users are prohibited from remotely logging into any state computer system or network anonymously (for example, using guest accounts). If users employ system facilities that allow them to change the active user ID to gain certain privileges, such as the switch user (su) command in Unix/Linux, they must have initially logged in with a user ID that clearly indicates their identity.

Configuration

1. Default to Denial: If an agency computer or network access control system is not functioning properly, it shall default to denial of access privileges to users. If access control systems are malfunctioning, the systems they support must remain unavailable until such time as the problem has been rectified.
2. Privilege Access Controls: All computers permanently or intermittently connected to external networks must operate with privilege access controls approved by the agency. Multi-user systems must employ user credentials unique to each user, as well as user privilege restriction mechanisms, including directory and file access permissions.
3. Antivirus and Firewall Protection: External computers or networks making remote connection to internal agency computers or networks shall utilize an agency-approved active virus scanning and repair program and an agency-approved personal firewall system (hardware or software). The agency shall ensure that updates to virus scanning software and firewall systems are available to users. External computers or networks making a remote connection to a public Web server are exempted.
4. Time-out: Network-connected single-user systems, such as laptops and PCs, shall employ agency-approved hardware or software mechanisms that control system booting and that include a time-out-after-no-activity (for example, a screen saver). To the extent possible, all systems accepting remote connections from public-network-connected users, such as users connected through dial-up phone modems, dial-up Internet service providers, DSL or cable modems, shall include a time-out system. This time-out system must terminate all sessions that have had no activity for a period of thirty (30) minutes or less. For some higher risk information systems, the requirement for a session idle timeout may be more stringent as determined by agency policy, industry standard (e.g., PCI DSS) or other regulations. An absolute time-out shall occur after twenty-four (24) hours of continuous connection and shall require reconnection and authentication to re-enter the State Network. In addition, all user credentials registered to networks or computers with external access facilities shall be automatically suspended after a period of ninety (90) days of inactivity. Agencies shall conduct a risk assessment and determine the appropriate system time-out period for hand-held devices (e.g., smart phones, tablets, etc.) that connect to the State Network. The risk assessment shall balance the business needs for immediate access to the hand held device against the security risks associated with the loss of the device. Agencies shall also comply with any legal and regulatory requirements associated with the information that may be contained on the device, such as requirements for confidentiality, security and record retention.
5. Failure to authenticate: To the extent possible, all systems accepting remote connections from public-network-connected users shall temporarily terminate the connection or time out the user credential following three (3) unsuccessful attempts to log in. For example, if an incorrect password is provided three (3) consecutive times, remote access systems shall drop the connection.
6. Modems: Dial-up modems shall be disabled by removing the modem device or uninstalling the modem device driver and disabling the modem within the operating system, unless agency management has approved their use and the communications software used with them. If used, dial-up modems shall not be left in auto-answer mode.
7. For client-to-server/gateway VPN solutions with split tunneling options, the agency must evaluate the associated risks and implement mitigating controls before enabling the split tunneling option to permit network bridging. Agencies that decide to use split tunneling must take responsibility for the security of their endpoints, implementing appropriate mechanisms (such as access controls, firewalls, antivirus, etc.) to enforce standards that will reduce risk such as data loss and malware due to bridging the networks to which they are connected when the VPN is active.

Access to Single-Host Systems

1. Remote access to single-equipment hosts (e.g., agency servers, Web-hosting equipment) shall be permitted provided the equipment requires authenticated access, is appropriately protected by a VPN, and prevents onward connection to the State network.
2. Management consoles and other special needs: Users requiring telecommunications access, such as dial-up modem access, for out of band management or special needs must obtain agency management approval as set forth in agency policy and procedures. Any dial-up server that grants network access must authenticate each user, minimally, by a unique identification with password and shall encrypt the data stream. All calls must be logged, and logs of access shall be retained for ninety (90) days. At the completion of each dial-up session to a server, the accessing workstation shall be secured via password.

Miscellaneous

1. Administrators shall take all precautions necessary to ensure that administrative activities performed remotely cannot be intercepted or spoofed by others, such as configuring timestamps, using encryption, and/or dial-back mechanisms.
2. Disclosure of systems information: The internal addresses, configurations, dial-up modem numbers, and related system design information for agency computers and networks shall be kept confidential and shall not be disclosed to the public. Likewise, the security measures employed to protect agency computers and networks shall be kept confidential and shall be similarly protected.
3. Systems shall log all remote access occurrences, including both policy user and administrator activity (user credential, date/time, and duration of connection at a minimum).
4. Access to diagnostic and configuration ports (especially dial-up diagnostic ports) shall be securely controlled and enabled only when needed for authorized diagnostic access.

User authentication for external connections

Contracting with External Suppliers/Other Service Providers

Purpose: To address information security issues involving third parties who provide services to the State.

Each agency shall ensure that third parties who provide information technology services agree to follow the agency's information technology security policies when providing services to the agency.

1. Third parties are non-state employees, such as vendors, suppliers, individuals, interns, contractors and consultants, responsible for providing goods or services to the State. In order to perform the requested services, a third party might need to use agency information technology assets and access agency information determined to be valuable to operations and/or classified as non-public or restricted by law.
2. Access must be granted to third-party users only when required for performing work and with the full knowledge and prior approval of the information asset owner.
3. Third parties shall be fully accountable to the State for any actions taken while completing their agency assignments.
4. Agency staff overseeing the work of third parties shall be responsible for communicating and enforcing applicable laws, as well as State and agency security policies, and procedures.
5. Agency operational and/or restricted information must not be released to third parties without properly executed contracts and confidentiality agreements. These contracts must specify conditions of use and security requirements and the access, roles and responsibilities of the third party before access is granted.

Allocation of Information Security responsibilities; Confidentiality agreements

Section 02 Personnel Information Security Responsibilities

Accessing State Resources in an Acceptable Way

Purpose: To establish a policy pertaining to the acceptable use of the State Network and the global Internet by state employees and other State Network users.

1. Agencies shall develop Acceptable Use Policies (AUPs) for staff, customers and third parties to follow.
2. AUPs shall define the proper use of information assets and shall include critical technologies such as remote access technologies, removable electronic media, laptops, tablets, smartphones, email usage and Internet usage.
3. While performing work-related functions, while on the job, or while using publicly owned or publicly provided information processing resources, state employees and other State Network users shall be expected to use the State Network and the Internet responsibly and professionally and shall make no intentional use of these services in an illegal, malicious or obscene manner.
4. Each agency shall determine the extent of personal use its employees and other State Network users, under its control, may make of the State Network and the Internet.
5. Agencies that use the State Network shall prohibit users from the download and installation of unapproved software as defined by each agency's IT policies.
6. It shall be the responsibility of public employees and State Network users to help prevent the introduction or propagation of computer viruses. All files downloaded from a source external to the State Network, including all data received on a diskette, compact disc (CD), USB flash drive, or any other electronic medium, shall be scanned for malicious software such as viruses, Trojan horses, worms or other destructive code. This includes files obtained as attachments and through any other file transfer mechanism. All files downloaded from a source external to the State Network shall come from a known, trusted source.
7. All agencies shall ensure that they have currently supported and patched software on their networks in order to mitigate vulnerabilities and reduce the risk of malicious activity.
8. State employees and other State Network users shall not access or attempt to gain access to any computer account which they are not authorized to access. They shall not access or attempt to access any portions of the State Network to which they are not authorized to have access.
9. Public employees and other State Network users shall not intercept or attempt to intercept data transmissions of any kind that they are not authorized to access.
10. State employees and other State Network users shall not use state computers and networks for the circumvention of copyright protections or the illegal sharing of copyrighted material.

Users who receive email that they consider to be unacceptable according to this policy can forward the original message (including all headers) to the appropriate abuse@<host domain name> account.

1. Agencies may want to address other acceptable use issues in their own internal policies on subjects such as use of instant messaging, social networking, and personal use of state computers, servers, and Local Area Network (LAN).
2. Additionally, agencies should develop internal policies concerning the storage of personal files such as music, images and other files unrelated to the employees' assigned duties.

Acceptable use of assets; Disciplinary process; Controls against malicious code; Prevention of misuse of information processing facilities

Section 03 Training and Awareness

Delivering Awareness Programs to Staff

Purpose: To provide awareness programs that ensure employees are familiar with information technology security policies, standards and procedures.

The senior management of each agency shall lead by example by ensuring that information security is given a high priority. Agency senior management shall ensure that information security communications are given priority by staff and shall support information security awareness programs. All agencies shall provide new employees and contractors with mandatory information security training as part of job


More information

Process for Responding to Privacy Breaches

Process for Responding to Privacy Breaches Prcess fr Respnding t Privacy Breaches 1. Purpse 1.1 This dcument sets ut the steps that ministries must fllw when respnding t a privacy breach. It must be read in cnjunctin with the Infrmatin Incident

More information

Session 9 : Information Security and Risk

Session 9 : Information Security and Risk INFORMATION STRATEGY Sessin 9 : Infrmatin Security and Risk Tharaka Tennekn B.Sc (Hns) Cmputing, MBA (PIM - USJ) POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014 Infrmatin Management Framewrk 2 Infrmatin

More information

SaaS Listing CA Cloud Service Management

SaaS Listing CA Cloud Service Management SaaS Listing CA Clud Service Management 1. Intrductin This dcument prvides standards and features that apply t the CA Clud Service Management (CSM) SaaS ffering prvided t the Custmer and defines the parameters

More information

To clarify terms used within these policies, the following definitions are provided:

To clarify terms used within these policies, the following definitions are provided: Baker University Email Plicy E-mail services are prvided t the Baker cmmunity in supprt f the educatinal missin f the University and the administrative functins t carry ut that missin. Users f Baker e-mail

More information

Plus500CY Ltd. Statement on Privacy and Cookie Policy

Plus500CY Ltd. Statement on Privacy and Cookie Policy Plus500CY Ltd. Statement n Privacy and Ckie Plicy Statement n Privacy and Ckie Plicy This website is perated by Plus500CY Ltd. ("we, us r ur"). It is ur plicy t respect the cnfidentiality f infrmatin and

More information

Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply

Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply Sectin 1 General Infrmatin RFR Number: (Reference BPO Number) Functinal Area (Enter One Only) F50B3400026 7 Infrmatin System Security Labr Categry A single supprt resurce may be engaged fr a perid nt t

More information

How To Ensure That The Internet Is Safe For A Health Care Worker

How To Ensure That The Internet Is Safe For A Health Care Worker POLICY Dc. Cde: IS I5 INTERNET - ACCEPTABLE USE Applicable t: MidCentral DHB Including MidCentral Health & Enable NZ Issued by: Infrmatin Systems Cntact: Manager Service Delivery 1. PURPOSE This plicy

More information

HIPAA Notice of Privacy Practices. Central Ohio Surgical Associates, Inc.

HIPAA Notice of Privacy Practices. Central Ohio Surgical Associates, Inc. HIPAA Ntice f Privacy Practices Central Ohi Surgical Assciates, Inc. THIS NOTICE OF PRIVACY PRACTICES (THE NOTICE ) DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

Hampton Roads Orthopaedics & Sports Medicine. Notice of Privacy Practices

Hampton Roads Orthopaedics & Sports Medicine. Notice of Privacy Practices This is being prvided t yu as a requirement f the privacy regulatins issued under the Health Insurance Prtability and Accuntability Act f 1996 (HIPAA). This ntice describes hw HROSM may use and disclse

More information

Cloud-based File Sharing: Privacy and Security Tutorial Institutional Compliance Office July 2013

Cloud-based File Sharing: Privacy and Security Tutorial Institutional Compliance Office July 2013 Clud-based File Sharing: Privacy and Security Tutrial Institutinal Cmpliance Office July 2013 Patient Data in the Clud Prtecting patient privacy is ne f MD Andersn s greatest respnsibilities Technlgies

More information

NAIC Replacement Requirements For Certain Life Insurance Policies And Annuity Contracts

NAIC Replacement Requirements For Certain Life Insurance Policies And Annuity Contracts NAIC Replacement Requirements Fr Certain Life Insurance Plicies And Annuity Cntracts Duties f Prducers If a transactin invlves a replacement, the prducer must leave with the applicant, at the time an applicatin

More information

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010 OntariMD Inc. Electrnic Medical Recrds SPECIFICATION Hspital Reprt Manager Cnnectivity Requirements DRAFT Date: September 30, 2010 Versin: 1.0 2007-2010 OntariMD Inc. All rights reserved HRM EMR Cnnectivity

More information

Symantec User Authentication Service Level Agreement

Symantec User Authentication Service Level Agreement Symantec User Authenticatin Service Level Agreement Overview and Scpe This Symantec User Authenticatin service level agreement ( SLA ) applies t Symantec User Authenticatin prducts/services, such as Managed

More information

Online Banking Agreement

Online Banking Agreement Online Banking Agreement 1. General This Online Banking Agreement, which may be amended frm time t time by us (this "Agreement"), fr accessing yur Clrad Federal Savings Bank accunt(s) via the Internet

More information

Information Security Policy

Information Security Policy Purpse The risk t Charlestn Suthern University, its emplyees and students frm data lss and identity theft is f significant cncern t the University and can be reduced nly thrugh the cmbined effrts f every

More information

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1 Imprved Data Center Pwer Cnsumptin and Streamlining Management in Windws Server 2008 R2 with SP1 Disclaimer The infrmatin cntained in this dcument represents the current view f Micrsft Crpratin n the issues

More information

Name. Description. Rationale

Name. Description. Rationale Cmplliiance Cmpnentt Descriptin Ratinale Benefits List the Dmain List the Discipline List the Technlgy Area List Prduct Cmpnent Dcument the Cmpliance Cmpnent Type Cmpnent Sub-type DEEFFI INITION Hst-Based

More information

Bill Payment Agreement & Disclosures

Bill Payment Agreement & Disclosures Bill Payment Agreement & Disclsures Welcme t Online Banking Bill Payment Service. Use f the Bill Payment Service indicates acceptance f terms and cnditins set frth in the Online Banking Agreement & Disclsures

More information

Audit Committee Charter

Audit Committee Charter Audit Cmmittee Charter Membership The Audit Cmmittee (the "Cmmittee") f the Bard f Directrs (the "Bard") f Philip Mrris Internatinal Inc. (the "Cmpany") shall cnsist f at least three directrs all f whm

More information

RSA SecurID Software Token Security Best Practices Guide. Version 3

RSA SecurID Software Token Security Best Practices Guide. Version 3 RSA SecurID Sftware Tken Security Best Practices Guide Versin 3 Cntact Infrmatin G t the RSA crprate web site fr reginal Custmer Supprt telephne and fax numbers: www.rsa.cm. Trademarks RSA, the RSA Lg

More information

NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine

NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine Title: Identity Theft Prgram Effective Date: July 2009 NYU Langne Medical Center NYU Hspitals Center NYU Schl f Medicine POLICY It is the plicy f the NYU Langne Medical Center t educate and train staff

More information

Process of Setting up a New Merchant Account

Process of Setting up a New Merchant Account Prcess f Setting up a New Merchant Accunt Table f Cntents PCI DSS... 3 Wh t cntact?... 3 Bakcgrund n PCI... 3 Why cmply?... 3 Hw t cmply?... 3 PCI DSS Scpe... 4 Des PCI DSS Apply t Me?... 4 What if I am

More information

HP ValuPack Consulting Description OpenVMS Engineering Change Order (ECO) Patch List

HP ValuPack Consulting Description OpenVMS Engineering Change Order (ECO) Patch List HP ValuPack Cnsulting Descriptin OpenVMS Engineering Change Order (ECO) Patch List HP ValuPacks are standardized cnsulting services, prvided by HP Slutin Center Service Prfessinals, with pre-defined custm

More information

Privacy and Security Training Policy (PS.Pol.051)

Privacy and Security Training Policy (PS.Pol.051) Privacy and Security Training Plicy (PS.Pl.051) Purpse T define the plicies and prcedures fr prviding privacy and security training in respect f the CnnectingGTA Slutin. Definitins Electrnic Service Prvider

More information

A96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015

A96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Revisin 1.5 August 4, 2015 A96 CALA Plicy n the use f Cmputers in Accredited Labratries TABLE OF CONTENTS TABLE OF CONTENTS... 1 CALA POLICY

More information

Information & Communications Technology ICT Security Compliance Guide (Student)

Information & Communications Technology ICT Security Compliance Guide (Student) Infrmatin & Cmmunicatins Technlgy ICT Security Cmpliance Guide (Student) RESTRICTED Dcument ID: ICT-SSG Versin 1.1 Effective Date 1 Nv 2011 Dcument Cntrl Revisin Histry Versin Date Descriptin Authr 1.0

More information

Cyber Security: Simulation Platform

Cyber Security: Simulation Platform Service Overview The Symantec Cyber Security: Simulatin Platfrm is a Web hsted Service with immersive and hands-n access t cyber exercises fr ffensive (red team) events, inspired by real-life security

More information

WHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy

WHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy WHAT YOU NEED TO KNOW ABOUT Prtecting yur Privacy YOUR PRIVACY IS OUR PRIORITY Credit unins have a histry f respecting the privacy f ur members and custmers. Yur Bard f Directrs has adpted the Credit Unin

More information

Password Reset for Remote Users

Password Reset for Remote Users 1 Passwrd Reset fr Remte Users Curin prvides a cmpnent fr the PasswrdCurier Passwrd Prvisining System that manages the lcal passwrd cache in cnjunctin with self-service passwrd reset activities. The slutin

More information

ALBAN CHURCH OF ENGLAND ACADEMY COMPUTER SECURITY POLICY. Approved by Governing Body on: 6 th May 2015

ALBAN CHURCH OF ENGLAND ACADEMY COMPUTER SECURITY POLICY. Approved by Governing Body on: 6 th May 2015 ALBAN CHURCH OF ENGLAND ACADEMY COMPUTER SECURITY POLICY Gvernrs Cmmittee: Finance and General Purpses Apprved by Gverning Bdy n: 6 th May 2015 Signed: (Chair f Cmmittee) Signed: (Headteacher) Date t be

More information

Privacy Policy. The Central Equity Group understands how highly people value the protection of their privacy.

Privacy Policy. The Central Equity Group understands how highly people value the protection of their privacy. Privacy Plicy The Central Equity Grup understands hw highly peple value the prtectin f their privacy. Fr that reasn, the Central Equity Grup takes particular care in dealing with any persnal and sensitive

More information

COMPLIANCE WITH THE FEDERAL TRADE COMMISSION S SAFEGUARDS RULE

COMPLIANCE WITH THE FEDERAL TRADE COMMISSION S SAFEGUARDS RULE COMPLIANCE WITH THE FEDERAL TRADE COMMISSION S SAFEGUARDS RULE COMPLIANCE WITH THE FEDERAL TRADE COMMISSION S SAFEGUARDS RULE Mst dealers are familiar with the requirements f the Gramm-Leach-Bliley Act

More information

A. Early Case Assessment

A. Early Case Assessment Electrnic Discvery Reference Mdel Standards fr the identificatin f electrnically stred infrmatin in discvery http://www.edrm.net/resurces/standards/identificatin A. Early Case Assessment Once a triggering

More information

NERC-CIP Cyber Security Standards Compliance Documentation

NERC-CIP Cyber Security Standards Compliance Documentation Cmpliance Dcumentatin Briv OnAir 8/3/20154 Page 2 Overview This dcument is intended t be the primary surce f infrmatin fr Briv s cmpliance with the Nrth America Electric Reliability Crpratin (NERC) reliability

More information

ROSS RepliWeb Operations Suite for SharePoint. SSL User Guide

ROSS RepliWeb Operations Suite for SharePoint. SSL User Guide ROSS RepliWeb Operatins Suite fr SharePint SSL User Guide Sftware Versin 2.5 March 18, 2010 RepliWeb, Inc., 6441 Lyns Rad, Ccnut Creek, FL 33073 Tel: (954) 946-2274, Fax: (954) 337-6424 E-mail: inf@repliweb.cm,

More information

HP ValuPack Consulting Description Red Hat Linux System Performance Monitoring & Tuning

HP ValuPack Consulting Description Red Hat Linux System Performance Monitoring & Tuning HP ValuPack Cnsulting Descriptin Red Hat Linux System Perfrmance Mnitring & Tuning HP ValuPacks are standardized cnsulting services, prvided by HP Slutin Center Service Prfessinals, with pre-defined custm

More information

Comtrex Systems Corporation. CISP/PCI Implementation Guidance for Odyssey Suite

Comtrex Systems Corporation. CISP/PCI Implementation Guidance for Odyssey Suite CISP/PCI Implementatin Guidance fr Odyssey Suite Applicable Applicatin Versin This dcument supprts the fllwing applicatin versin: Odyssey Suite Versin 2.0 Intrductin Systems which prcess payment transactins

More information

THIRD PARTY PROCUREMENT PROCEDURES

THIRD PARTY PROCUREMENT PROCEDURES ADDENDUM #1 THIRD PARTY PROCUREMENT PROCEDURES NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS TRANSPORTATION DEPARTMENT JUNE 2011 OVERVIEW These prcedures establish standards and guidelines fr the Nrth Central

More information

Internet and E-Mail Policy User s Guide

Internet and E-Mail Policy User s Guide Internet and E-Mail Plicy User s Guide Versin 2.2 supprting partnership in mental health Internet and E-Mail Plicy User s Guide Ver. 2.2-1/5 Intrductin Health and Scial Care requires a great deal f cmmunicatin

More information

Internet Banking Agreement and Disclosure Statement

Internet Banking Agreement and Disclosure Statement Internet Banking Agreement and Disclsure Statement This agreement cntains the terms and cnditins that gvern accessing r using Internet Banking (NetTeller), Bill Payment Services, Mbile Banking and On Demand

More information

Research Report. Abstract: Advanced Malware Detection and Protection Trends. September 2013

Research Report. Abstract: Advanced Malware Detection and Protection Trends. September 2013 Research Reprt Abstract: Advanced Malware Detectin and Prtectin Trends By Jn Oltsik, Senir Principal Analyst With Jennifer Gahm, Senir Prject Manager September 2013 2013 by The Enterprise Strategy Grup,

More information

New York Institute of Technology Faculty and Staff Email Retention Policy

New York Institute of Technology Faculty and Staff Email Retention Policy New Yrk Institute f Technlgy Faculty and Staff Email Retentin Plicy Nvember 2013 I. PURPOSE As electrnic mail (email) has becme the primary frm f cmmunicatin at NYIT and thrughut the wrld, the vlume f

More information

CENTURIC.COM ONLINE DATA BACKUP AND DISASTER RECOVERY SOLUTION ADDENDUM TO TERMS OF SERVICE

CENTURIC.COM ONLINE DATA BACKUP AND DISASTER RECOVERY SOLUTION ADDENDUM TO TERMS OF SERVICE CENTURIC.COM ONLINE DATA BACKUP AND DISASTER RECOVERY SOLUTION ADDENDUM TO TERMS OF SERVICE This Agreement, named the Online Data Backup and Disaster Recvery Slutin Addendum t Centuric s Terms f Service

More information

ISMF Standard 141 Endpoint Protection. OCIO/S4.6 Government standard on cyber security

ISMF Standard 141 Endpoint Protection. OCIO/S4.6 Government standard on cyber security ISMF Standard 141 OCIO/S4.6 Gvernment standard n cyber security Prepared by: Office f the Chief Infrmatin Officer Versin: v1.0 Date: 12 September 2014 GOVERNMENT STANDARD ON CYBER SECURITY OCIO/S4.6 Cnfidentiality:

More information

MaaS360 Cloud Extender

MaaS360 Cloud Extender MaaS360 Clud Extender Installatin Guide Cpyright 2012 Fiberlink Cmmunicatins Crpratin. All rights reserved. Infrmatin in this dcument is subject t change withut ntice. The sftware described in this dcument

More information

DATE APPROVED March 2011. Version Date Comments / Changes 1.0 March 2011 Initial policy released

DATE APPROVED March 2011. Version Date Comments / Changes 1.0 March 2011 Initial policy released Page 1 f 11 APPROVED (S) REVISED / REVIEWED SUMMARY Versin Date Cmments / Changes 1.0 Initial plicy released 1. PURPOSE OF THIS POLICY T define the purpses fr which Crprate Purchase Cards are t be used

More information

IT Help Desk Service Level Expectations Revised: 01/09/2012

IT Help Desk Service Level Expectations Revised: 01/09/2012 IT Help Desk Service Level Expectatins Revised: 01/09/2012 Overview The IT Help Desk team cnsists f six (6) full time emplyees and fifteen (15) part time student emplyees. This team prvides supprt fr 25,000+

More information

PRIVACY POLICY Last revised: April 2015

PRIVACY POLICY Last revised: April 2015 PRIVACY POLICY Last revised: April 2015 ACD, LLC, and its affiliates (cllectively, we, us, ur ) understand that privacy is imprtant t ur cnsumers and want yu t make knwledgeable decisins abut the infrmatin

More information

SBClient and Microsoft Windows Terminal Server (Including Citrix Server)

SBClient and Microsoft Windows Terminal Server (Including Citrix Server) SBClient and Micrsft Windws Terminal Server (Including Citrix Server) Cntents 1. Intrductin 2. SBClient Cmpatibility Infrmatin 3. SBClient Terminal Server Installatin Instructins 4. Reslving Perfrmance

More information

CMS Eligibility Requirements Checklist for MSSP ACO Participation

CMS Eligibility Requirements Checklist for MSSP ACO Participation ATTACHMENT 1 CMS Eligibility Requirements Checklist fr MSSP ACO Participatin 1. General Eligibility Requirements ACO participants wrk tgether t manage and crdinate care fr Medicare fee-fr-service beneficiaries.

More information

Multi-Year Accessibility Policy and Plan for NSF Canada and NSF International Strategic Registrations Canada Company, 2014-2021

Multi-Year Accessibility Policy and Plan for NSF Canada and NSF International Strategic Registrations Canada Company, 2014-2021 Multi-Year Accessibility Plicy and Plan fr NSF Canada and NSF Internatinal Strategic Registratins Canada Cmpany, 2014-2021 This 2014-21 accessibility plan utlines the plicies and actins that NSF Canada

More information

HP ValuPack Consulting Description OpenVMS Replacement Software Distribution Kit

HP ValuPack Consulting Description OpenVMS Replacement Software Distribution Kit HP ValuPack Cnsulting Descriptin OpenVMS Replacement Sftware Distributin Kit HP ValuPacks are standardized cnsulting services, prvided by HP Cntact Center Service prfessinals, with pre-defined custm deliverables

More information

Erie Community College. Acceptable Use Policy Last Revision: December 17, 2009. College Information Technology Services

Erie Community College. Acceptable Use Policy Last Revision: December 17, 2009. College Information Technology Services Erie Cmmunity Cllege Acceptable Use Plicy Last Revisin: December 17, 2009 Cllege Infrmatin Technlgy Services Erie Cmmunity Cllege Cllege Infrmatin Technlgy Services Acceptable Use Plicy Last Revisin:

More information

CHANGE MANAGEMENT STANDARD

CHANGE MANAGEMENT STANDARD The electrnic versin is current, r when printed and stamped with the green cntrlled dcument stamp. All ther cpies are uncntrlled. DOCUMENT INFORMATION Descriptin Dcument Owner This standard utlines the

More information

Frequently Asked Questions About I-9 Compliance

Frequently Asked Questions About I-9 Compliance Frequently Asked Questins Abut I-9 Cmpliance What is required t verify wrk authrizatin? The basic requirement t verify wrk authrizatin is the Frm I-9. This frm is available n the HR website: http://www.fit.edu/hr/dcuments/frms/i-9.pdf

More information