INFORMATION SECURITY MODEL AND GUIDELINES FOR RDSI-FUNDED DATA STORAGE NODES AND INSTITUTIONS


EXECUTIVE SUMMARY

In line with the RDSI Annual Business Plan, this document details RDSI's initial recommendations for an information security policy model and associated guidelines for use by RDSI-funded Storage Nodes and partner Institutions. This document encompasses the following deliverables for the DaSh Programme:

Develop security policy guidelines for Nodes and Institutions;
Develop Security Policy Model for Nodes; and
Develop Security Policy Model for Institutions.

Acknowledging the close relationships between Nodes and Institutions, it is important for both parties to understand their individual as well as their joint responsibilities. To better facilitate this understanding and improve ease of use, information for Nodes and Institutions has been collated into this single document. Nodes are encouraged to reach out to their partner and host institutions to establish workable security solutions to suit their particular environments by sharing the learnings and guidelines in this document as part of their discussions.

The example policy guidelines detailed in this document are designed to highlight areas with the greatest initial impact to RDSI-funded Node Operators and partner Institutions with regards to data collection, storage and access. Tailoring this advice further to assist Nodes from an individual site perspective, RDSI conducted a series of technical workshops throughout 2014 to highlight Node-specific issues by discussing use-cases and security scenarios with personnel at each of the current Nodes. The guidelines in this document incorporate the information gleaned at those workshops.

Many RDSI-funded Nodes and partner Institutions have existing (or draft) site-specific information security policies for standard security operations, information management and data protection. This document focuses on addressing the components of the security model required to build a complete security policy solution for RDSI-funded Nodes. It includes references to ISO standards and other best practice industry information sources. Nodes may choose to adapt and integrate this material into their existing information security policies, or they may choose to use this model as the basis for developing a customised information security policy solution of their own.

December Printed copies are uncontrolled. RDSI Page 1 of 83

DOCUMENT HISTORY

Versions V0.1, V0.2, V1.0, V1.1, V1.3, V1.5, V1.6, V1.7 and V2.0 were each prepared by Mark McPherson (RDSI Security Policy Manager) and Loretta Davis (RDSI Solutions Specialist) as co-authors.

Reason for update, in version order:
Initial document creation.
Technical and editorial review. First version.
Added Appendix A Security Streams and Sub-Streams.
Incorporated Appendix A into main body and expanded definitions of Model including Aspects.
Updates to Aspects in various Streams in the section: Example Policy ASPECTS of the RDSI-Policy Model.
Updates/additions to Aspects in all Streams in the section: Example Policy ASPECTS of the RDSI-Policy Model.
Amalgamation of additional content derived from findings from Node security workshops and outcomes.
Editorial pre-flight for final technical content review prior to publishing.
Final release.

Date issued, in version order: 22-Feb, Feb, Feb, Mar, Aug, Oct, Nov, Dec, Dec.

CONTENTS

Executive Summary ... 1
Policy Model ... 5
How to use this document ... 5
Model Streams and Sub-streams ... 6
Aspects ... 7
The Streams ... 8
Stream 1 Policy, Planning and Governance ... 9
Stream 2 Asset Management
Stream 3 Human Resources Management
Stream 4 Physical and Environmental Management
Stream 5 Communications and Operations Management
Stream 6 Access Management
Stream 7 System Acquisition, Development and Management
Stream 8 Incident Management
Stream 9 Business Continuity Management
Stream 10 Compliance Management
Selected Policy Aspects of the RDSI-Policy Model
Security Stream 1 Policy, Planning and Governance
  Information security policy
  Information security plan
  Internal governance
  External governance
Security Stream 2 Asset Management
  Asset protection responsibility
  Information security classification
Security Stream 3 Human Resources Management
  Pre-employment
  During employment
  Post employment
Security Stream 4 Physical and Environmental Management
  Building controls and secure areas
  Equipment
Security Stream 5 Communications and Operations Management
  Operational procedures and responsibilities
  Protection from malware
  Backup
  Logging and monitoring
  Control of operational software
  Technical vulnerability management
  Information systems audit
Security Stream 6 Access Management
  Business requirements of access control
  User access management
  User responsibilities
  System and application access control
Security Stream 7 System Acquisition, Development and Management
  Security requirements for information systems
  Security in development and support processes
  Test data
  Information security in supplier relationships
Security Stream 8 Incident Management
  Management of information security incidents and improvements
Security Stream 9 Business Continuity Management
  Information security continuity
  Redundancies
Security Stream 10 Compliance Management
  Compliance with legal and contractual requirements
  Information security reviews

POLICY MODEL

This document presents an information security policy model for use by Nodes and Institutions and is based on the reference control objectives outlined in ISO27001: Information technology -- Security techniques -- Information security management systems -- Requirements, and the practices outlined in ISO27002: Information technology -- Security techniques -- Code of practice for information security controls. Although not intended to specifically support certification against the standard, this document supports the implementation of security best practices and policy development undertaken by the Nodes using the elements of the standard deemed most relevant to the goals of the RDSI-storage project.

This document also references the National Institute of Standards and Technology (NIST) publications Framework for Improving Critical Infrastructure Cybersecurity (Feb 2014) and Security and Privacy Controls for Federal Information Systems and Organizations; the Australian Government's Protective Security Policy Framework; and Information Shield's Information Security Policies Made Easy (v10).

ISO identifies multiple information security areas. For ease of use, the model used in this document groups these into the following 10 information security policy streams:

Security Stream 1 Policy Planning and Governance
Security Stream 2 Asset Management
Security Stream 3 Human Resources Management
Security Stream 4 Physical and Environmental Management
Security Stream 5 Communications and Operations Management
Security Stream 6 Access Management
Security Stream 7 System Acquisition, Development and Management
Security Stream 8 Incident Management
Security Stream 9 Business Continuity Management
Security Stream 10 Compliance Management

HOW TO USE THIS DOCUMENT

The first section of this document, entitled Model streams and sub-streams, outlines the components of each of the 10 streams in the model. The model's 10 streams are further broken down into one or more sub-streams. Each sub-stream covers a potential area of policy development.

The second section, entitled Selected Policy Aspects of the RDSI-Policy Model, provides guidelines on creating specific policies on issues RDSI-funded Nodes may face in establishing a complete security policy statement. This second part of the document is an exploration of possible Node security policy requirements based on RDSI's own research and experience and on observations made by the RDSI team during the Node workshop series conducted in 2014, as a guideline for Nodes to implement their own security policy.

MODEL STREAMS AND SUB-STREAMS

Each security policy Stream in the model can be further broken down into one or more Security Sub-Streams. For example, Stream 1 - Policy, Planning and Governance, contains the following Sub-Streams:

Information Security Policy
Information Security Internal Governance
External Party Governance

Each Sub-Stream can be further broken down into one or more Security Aspects. Aspects are specific use-cases or scenarios used to guide policy development to target specific issues.

ASPECTS

Along with the Stream and Sub-stream model, we will use the following information template to target specific issues within each security sub-stream using Aspects. The information contained in these templates can be used to directly derive the elements of security policy which may need to be written to cover the issues explored in that Aspect.

Sub-stream: Sub-stream name - Aspect: Aspect name
Objective: Information security purpose as defined by ISO.
General information regarding implementing the security objective. This information is summarised from ISO.
Specific RDSI policy statement, high level only. This does not prescribe nor recommend operational solutions, as these are at the discretion of the Nodes/Institutions.
Important information that should be considered by Nodes and Institutions when implementing the RDSI information security policy. In some cases this will require implementation of combined information security mechanisms and controls by both the Nodes and Institutions. Also includes useful information to assist with implementing the RDSI information security policy statements.
from the standard that should be considered when implementing this item.
NOTE: Links to supporting information sources. These may be included as direct URLs or may be accessed via downloaded documents in the corresponding SECURITY LINKS archive. This information is provided for information purposes only and does not imply any recommendation or endorsement of any companies, organisations or products.

THE STREAMS

The ten streams of the security model (listed in the graphic below) break down logically into sub-streams (or focus areas) for policy development.

Stream 1 - Policy, Planning and Governance
Stream 2 - Asset Management
Stream 3 - Human Resources Management
Stream 4 - Communications and Operations Management
Stream 5 - Physical and Environmental Management
Stream 6 - Access Management
Stream 7 - System Acquisition, Development and Management
Stream 8 - Incident Management
Stream 9 - Business Continuity Management
Stream 10 - Compliance Management

There is no significance to the numbering scheme of the model, nor do the stream groupings represent any strict bonds or relationships between the sub-streams, other than to track and order policy documents. Policy areas are grouped by sub-streams of similar subject, but there may be many cross-relationships or sharing of policy material between vastly different sub-streams and streams, depending on the needs of the organisation.

The following pages further break down the model into streams and sub-streams. Following this, the section entitled Example Policy ASPECTS of the RDSI-Policy Model (selected streams) is an exploration of possible security policy requirements based on observations made by the RDSI team, as a guideline for RDSI-funded Nodes.

STREAM 1 POLICY, PLANNING AND GOVERNANCE:
Information Security Policy
Information Security Plan
Internal Governance
External Party Governance

1.1 The Information Security Policy sub-stream represents the overarching security policy posture for the entire organisation. It is generally one concise document detailing the intent and wishes of management in the pursuit of a safe, secure environment within the organisation. This root security document makes philosophical statements about the aims of the organisation in regard to security but defers the details to subsequent focussed policy statements detailed in other streams and sub-streams.
Primary objective of this sub-stream: Define a set of policies for information security, approved by management, published and communicated to employees and to relevant external parties.

1.2 The Information Security Plan sub-stream represents an organisation's preparedness to mitigate security threats, handle incidents of security breach and allocate resources (often on an ad-hoc basis) to enhancing the organisation's security posture in the aftermath of a security breach or following new threat information.
Primary objective of this sub-stream: Establish a management framework to implement controls to enforce the organisation's information security policies.

1.3 The Internal Governance sub-stream represents the stance taken by the organisation in managing security threats and mitigation within the organisation. It usually includes a statement of policy on acceptable use of organisational resources with regard to maintaining the desired security posture, and may detail an overall level of recommended security awareness for staff.
Primary objective of this sub-stream: Establish a management framework to initiate and control the implementation and operation of information security within the organisation.

1.4 The External Party Governance sub-stream covers how the organisation deals with security issues caused by parties external to the organisation (partner organisations and suppliers, as opposed to clients) and usually mentions mitigations and recommends penalties in the case of security breaches for inclusion in third-party service contracts.
Primary objective of this sub-stream: Establish a set of procedures that specify how the organisation mitigates the security risks associated with engaging external parties, including partner organisations (e.g. a Node's host institution), legal authorities, outsourcers and suppliers.
Aspects of this sub-stream are also related to elements discussed in the following streams:
Security Stream 7 System Acquisition, Development and Management
Security Stream 9 Business Continuity Management
Security Stream 10 Compliance Management

STREAM 2 ASSET MANAGEMENT:
Asset Protection Responsibility
Information Security Classification

2.1 The Asset Protection Responsibility sub-stream represents an organisation's protective responsibilities for its ICT and information assets. It usually indicates the way in which assets will be inventoried, including details of the protective responsibility of asset owners.
Primary objective of this sub-stream: Identify organisational assets and define appropriate protection responsibilities.
Aspects: Inventory of assets, Ownership of assets, Acceptable use of assets, Return of assets

2.2 The Information Security Classification sub-stream details the ways in which an organisation rates the importance of an asset where it relates to the protection of that asset.
Primary objective of this sub-stream: Adequately protect information based on its importance to the organisation.
Aspects: Classification of information, Labelling of information, Handling of assets

STREAM 3 HUMAN RESOURCES MANAGEMENT:
Pre-employment
During Employment
Post-employment

3.1 The Pre-Employment sub-stream represents an organisation's due diligence prior to employment that the candidate is suitable for their role.
Primary objective of this sub-stream: Ensure employees and contractors understand their responsibilities and are suitable for the role for which they are considered.
Aspects: Screening, Employment terms and conditions

3.2 During Employment
Primary objective of this sub-stream: Ensure employees and contractors are aware of and fulfil their information security responsibilities.
Aspects: Management responsibilities; Information security awareness, education and training; Disciplinary process

3.3 Post-employment
Primary objective of this sub-stream: Protect the organisation's interests as part of the process of changing or terminating employment.
Aspects: Termination, Change of employment responsibilities

STREAM 4 PHYSICAL AND ENVIRONMENTAL MANAGEMENT:
Building Controls and Secure Areas
Equipment

4.1 Building Controls and Secure Areas
Aspects: Physical security perimeter; Physical entry controls; Securing offices, rooms and facilities; Protecting against external and environmental threats; Working in secure areas; Delivery and loading areas

4.2 Equipment
Aspects: Equipment siting and protection; Supporting utilities; Cabling security; Equipment maintenance; Removal of assets; Security of equipment and assets off-premises; Secure disposal or re-use of equipment; Clear desk and clear screen policy

STREAM 5 COMMUNICATIONS AND OPERATIONS MANAGEMENT:
Operational Procedures and Responsibilities
Protection from Malware
Backup
Logging and Monitoring
Control of Operational Software
Technical Vulnerability Management
Information Systems Audit Considerations

5.1 Operational Procedures and Responsibilities
Aspects: Documented operating procedures; Change management; Capacity management; Separation of development, testing and operational environments

5.2 Protection from Malware
Aspects: Controls against malware

5.3 Backup
Aspects: Information and systems backup

5.4 Logging and Monitoring
Aspects: Event logging, Protection of log information, Administrator and operator logs, Clock synchronisation

5.5 Control of Operational Software
Aspects: Installation of software on operational systems

5.6 Technical Vulnerability Management
Aspects: Management of technical vulnerabilities, Restriction on software installation

5.7 Information Systems Audit Considerations
Aspects: Information systems audit controls

STREAM 6 ACCESS MANAGEMENT:
Business Requirements of Access Control
User Access Management
User Responsibilities
System and Application Access Control

Business Requirements of Access Control
Primary objective of this sub-stream: Limit access to information and information processing facilities.
Aspects: Access control policy, Access to networks and network services

User Access Management
Primary objective of this sub-stream: Ensure authorised user access and prevent unauthorised access to systems and services.
Aspects: User registration and de-registration, User access provisioning, Management of privileged access rights, Management of secret authentication information of users, Review of user access rights, Removal or adjustment of access rights

User Responsibilities
Primary objective of this sub-stream: Make users accountable for safeguarding their authentication information.
Aspects: Use of secret authentication information

System and Application Access Control
Primary objective of this sub-stream: Prevent unauthorised access to systems and applications.
Aspects: Information access restrictions, Secure log-on procedures, Password management systems, Use of privileged utility programs, Access control to program source code, Mobile devices and teleworking

STREAM 7 SYSTEM ACQUISITION, DEVELOPMENT AND MANAGEMENT:
Security Requirements for Information Systems
Security in Development and Support Processes
Test Data
Information Security in Supplier Relationships

7.1 Security Requirements for Information Systems
Aspects: Information security requirements analysis and specification, Securing application services on public networks, Protecting application services transactions

7.2 Security in Development and Support Processes
Aspects: Secure development policy, System change control procedures, Technical review of applications after operating platform changes, Restrictions on changes to software packages, Secure system engineering principles, Secure development environment, Outsourced development, System security testing, System acceptance testing

7.3 Test Data
Aspects: Protection of test data

7.4 Information Security in Supplier Relationships
Aspects: Information security policy for supplier relationships, Addressing security within supplier agreements, Information and communication technology supply chain

STREAM 8 INCIDENT MANAGEMENT:
Management of Information Security Incidents and Improvements

Management of Information Security Incidents and Improvements
Primary objective of this sub-stream: Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
Aspects: Responsibilities and procedures, Reporting information security events, Reporting information security weaknesses, Assessment and detection of information security events, Response to information security incidents, Learning from information security incidents, Collection of evidence

STREAM 9 BUSINESS CONTINUITY MANAGEMENT:
Information Security Continuity
Redundancies

Information Security Continuity
Primary objective of this sub-stream: Information security continuity shall be embedded in the organisation's business continuity management systems.
Aspects: Planning information security continuity; Implementing information security continuity; Verify, review and evaluate information security continuity

Redundancies
Primary objective of this sub-stream: Ensure availability of information processing facilities.
Aspects: Availability of information processing facilities

STREAM 10 COMPLIANCE MANAGEMENT:
Compliance with Legal and Contractual Requirements
Information Security Reviews

Compliance with Legal and Contractual Requirements
Primary objective of this sub-stream: Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
Aspects: Identification of applicable legislation and contractual requirements, Intellectual property rights, Protection of records, Privacy and protection of personally identifiable information, Regulation of cryptographic controls

Information Security Reviews
Primary objective of this sub-stream: Ensure that information security is implemented and operated in accordance with the organisational policies and procedures.
Aspects: Independent review of information security, Compliance with security policies and standards, Technical compliance review

SELECTED POLICY ASPECTS OF THE RDSI-POLICY MODEL

This section details selected Aspects of each sub-stream that are designed to highlight areas with the greatest initial impact to RDSI-funded Node Operators and partner Institutions with regards to data collection, storage and access. This document details guidelines for policies on Aspects from within the following information security policy streams:

Security Stream 1 Policy Planning and Governance;
Security Stream 2 Asset Management;
Security Stream 3 Human Resources Management;
Security Stream 4 Physical and Environmental Management;
Security Stream 5 Communications and Operations Management;
Security Stream 6 Access Management;
Security Stream 7 System Acquisition, Development and Management;
Security Stream 8 Incident Management;
Security Stream 9 Business Continuity Management; and
Security Stream 10 Compliance Management.

RDSI anticipates that a coordinated approach between RDSI-funded Nodes and partner Institutions will be required to facilitate the integrated implementation of a coordinated operational solution. This will require acknowledgement and understanding of researcher requirements and sensitivities.

SECURITY STREAM 1 POLICY, PLANNING AND GOVERNANCE

Stream objectives:
Information Security Policy (aka Management direction for information security) - Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Information Security Plan - Establish a management framework to implement controls to enforce the organisation's information security policies.
Internal Governance - Establish a management framework to initiate and control the implementation and operation of information security within the organisation.
External Governance - Establish a set of procedures that specify how the organisation mitigates the security risks associated with engaging external parties, including partner organisations (e.g. a Node's host institution), legal authorities, outsourcers and suppliers.

Stream references:
Information Shield, Information Security Policies Made Easy (v10) - Information Classification.
NIST, SP r4 - Security and Privacy Controls for Federal Information Systems and Organizations - SC-4 INFORMATION IN SHARED RESOURCES.
Australian Government, Protective Security Policy Framework - Information security management guidelines - Management of aggregated information - Managing Aggregated Information.
Additional references are included in the SECURITY LINKS archive document.

1.1 INFORMATION SECURITY POLICY
Sub-stream: 1.1 Information security policy
Objective: Define a set of policies for information security, approved by management, published and communicated to employees and relevant external parties.
Clearly identify the differences between data collection management and business-as-usual operational activities as they relate to the security posture of the organisation.
Define a Privacy Officer role and publish contact details for the current incumbent. Ensure adequate coverage of the role and include succession planning.
For organisations with existing security policies, ensure that all policies are aligned with the host organisation policy. Where no policy currently exists, the default position is to adopt the host organisation policy.
Ensure a balanced approach between collection availability and access.
Must form an integral part of continuous improvement activities.
Publish the approved and endorsed security policy (e.g. via website) for access.
Restrict release of information as required to ensure confidentiality regarding information security practices.
From the standard: Approved by management, published and communicated. Business strategy, current and projected threat environment, information security objectives, roles and responsibilities, deviations and exceptions.

1.2 INFORMATION SECURITY PLAN
Sub-stream: 1.2 Information security plan
Implement controls and assign ownership to roles (defined by the organisation's Internal Governance policies, Security Sub-stream 1.3) to enforce the organisation's information security policies.
Ensure the plan accommodates the needs and requirements for both external and internal information security practices.
Ensure the policy is aligned with the organisation's formal documented risk management methodology.
Aspects of this sub-stream are also related to elements discussed in Security Stream 8 Incident Management.

1.3 INTERNAL GOVERNANCE
Sub-stream: 1.3 Internal governance
Information security responsibilities should be defined and allocated. Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets.
Aspects of this sub-stream are also related to elements discussed in the following streams:
Security Stream 9 Business Continuity Management
Security Stream 10 Compliance Management

1.4 EXTERNAL GOVERNANCE
Sub-stream: 1.4 External governance
Appropriate contacts with relevant authorities should be maintained, and contacts with research communities, specialist security forums, professional associations, suppliers and outsourcers should be maintained.
Raise awareness among researchers of the existence of the ARC code of conduct for responsible research.
Where there is potential for conflict between Node and host organisation security policies, flag all overrides and exceptions and seek advice from legal representatives.
Clearly communicate policy precedence to all relevant parties (including researchers).
Communicate the research data management policy, including identifying the scope (e.g. collaborating institutions, postgraduate students, individual researchers, etc.).
Aspects of this sub-stream are also related to elements discussed in the following streams:
Security Stream 7 System Acquisition, Development and Management
Security Stream 9 Business Continuity Management
Security Stream 10 Compliance Management

SECURITY STREAM 2 ASSET MANAGEMENT

Stream objectives:
Responsibility for assets - Identify organisational assets and define appropriate protection responsibilities.
Information classification - Ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.
Media handling - Prevent unauthorised disclosure, modification, removal or destruction of information stored in media.

Stream references:
Information Shield, Information Security Policies Made Easy (v10) - Information Classification.
NIST, SP r4 - Security and Privacy Controls for Federal Information Systems and Organizations - SC-4 INFORMATION IN SHARED RESOURCES.
Australian Government, Protective Security Policy Framework - Information security management guidelines - Management of aggregated information - Managing Aggregated Information.
Additional references are included in the SECURITY LINKS archive document.

2.1 ASSET PROTECTION RESPONSIBILITY
Sub-stream: 2.1 Asset protection responsibility - Aspect: Inventory of assets
Assets associated with information and information processing facilities should be identified, and an inventory of these assets should be drawn up and maintained.
Maintain an asset register including both production and business assets.
Identify virtual infrastructure as assets regardless of hosting mechanism.
Clearly define the data holding capability (i.e. whether the organisation holds a primary copy or secondary copies only). Understand relationships between Nodes replicating data.
For organisations acting as secondary hosts only, identify the special actions required for primary data sources hosted outside Australia.
Permit potential delegation of responsibility by Data Custodians to eResearch Assistants as required.
Capture Data Custodian and Data Owner information and technical contacts at point of data ingest.
From the standard: Inventory drawn up and maintained, ownership and classification, ISO/IEC27005 asset examples.

Sub-stream: 2.1 Asset protection responsibility
Aspect: Ownership of assets

Assets maintained in the inventory should be owned.

- For assets located across multiple sites, identify the precedence of site policies. Where operational or business requirements mandate alternate policies, specifically detail any caveats or overrides to these policies.
- Manage data requirements by developing and implementing a research data management plan for all projects.
- Identify a Data Custodian (and proxy) for each collection. Assign access to others as required.
- Identify the relationship between owner and institution.
- Comply with the data acquisition and disposal processes of the host organisation that owns the asset.
- Manage non-responsive custodians via the incident management process to maintain an audit trail of information (e.g. support tickets to identify and assign a new custodian).
- Incorporate data custodian responsibilities into legal terms and conditions information.

Asset owners, inventories, classification and protection, periodically reviewed, disposal

Sub-stream: 2.1 Asset protection responsibility
Aspect: Acceptable use of assets

Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented.

- Manage the data lifecycle based on research community requirements and good practice (e.g. deleting medical data after prescribed periods).
- Adopt a responsibility model by partnering with researchers regarding responsibility for managing security and access of collections.
- Provide a mechanism for Principal Investigators to determine data access requirements and detail specific conditions and restrictions (e.g. Read-Only/Read-Write, etc.).
- Define policy for managing data storage and associated resources and equipment.
- Implement access control methodologies at both host and user levels.
- Plan for future data access requirements (e.g. encrypting medical data containing identifiable patient information).
- Ensure embargoed data is managed appropriately.
- Acknowledge that data management plans are currently mandatory for funding proposals (e.g. ARC grants).

Information security requirements, responsible use

Sub-stream: 2.1 Asset protection responsibility
Aspect: Return of assets

All employees and external party users should return all of the organisational assets in their possession upon termination of their employment, contract or agreement.

- As Nodes do not own collections, clearly identify the collection owner and associated processes regarding asset return.
- State the proposed process for managing orphan data collections including access (e.g. host organisations may choose to make orphan data collections publicly available).

Intellectual property

2.2 INFORMATION SECURITY CLASSIFICATION

Sub-stream: 2.2 Information security classification
Aspect: Classification of information

To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.

- Clearly articulate the classification scheme and consistently adhere to its usage guidelines.
- Ensure classification terminology is clearly understood by both Nodes and Institutions.
- Provide mechanisms for converting between different classification terminologies.
- Periodically review the classification scheme and its usage.
- Adopt and clearly communicate the information classification system in use. The classification system must accommodate varying access requirements.
- Acknowledge that similar terms may have different meanings across Nodes (e.g. Sensitive, Public, de-identified, encrypted, embargoed, etc.).
- Cater for hosting government data where the source of the data must appear as a non-government system.
- Determine alignment of classifications across Nodes as required.
- Identify requirements related to hosting high security, commercially-sensitive or government data.
- Classify assets including information assets and non-information assets (e.g. equipment).
- Ascertain the need for an embargoed data classification.

Although it is envisaged that most RDSI-funded Nodes will not be storing Government-classified data collections, collections of national significance (as identified by the REDS allocation process) are by that identification valuable data collections. Protection of these data collections may be managed using an information labelling system similar to the Australian Government security classification system* (e.g. SECRET, CONFIDENTIAL, PRIVATE, and UNCLASSIFIED).

Legal requirements, value, criticality, sensitivity, unauthorised disclosure, business needs, legal requirements, classification reviews, confidentiality, integrity, availability, consistently applied, disclosure

Sub-stream: 2.2 Information security classification
Aspect: Labelling of information

An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organisation.

- Classify and label all information assets.
- Label all data collections hosted by the Node according to a security or sensitivity classification model (as defined by the Node, or as a result of a formal information classification agreement with a third party, which could include other Nodes, the Australian Government or Institutions) so that appropriate procedures can be defined to prevent the unauthorised transfer of information between different information classification (labelling) levels or [Node defined] security categories.

Physical and electronic formats, labelling procedures, output from systems, physical labels, metadata

Sub-stream: 2.2 Information security classification
Aspect: Handling of assets

Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organisation.

- Implement a process for transitioning embargoed data (i.e. data that must remain private until a specific time or period of time has elapsed).
- Cater for long embargo periods (e.g. security, patents, etc.).
- Consider the use of an automated portal to manage this process, to reduce the likelihood of inaccurate manual processing.
- Implement role-based information access and consider controlling access automatically (e.g. via LDAP, etc.).

Procedures, access restrictions, temporary/permanent copies of information, IT asset storage, agreements with other organisations

SECURITY STREAM 3 - HUMAN RESOURCES MANAGEMENT

Stream objectives:
- Prior to employment - ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
- During employment - ensure that employees and contractors are aware of and fulfil their information security responsibilities.
- Termination and change of employment - protect the organisation's interests as part of the process of changing or terminating employment.

Stream references:
- ISO27002:2013 Information technology -- Security techniques -- Code of practice for information security controls.
- Incident Response Management
Additional references are included in the SECURITY LINKS archive document.

3.1 PRE-EMPLOYMENT

Sub-stream: 3.1 Pre-employment
Aspect: Screening

Background verification checks on all candidates for employment should be carried out in accordance with the relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

- Based on host HR policies, conduct police checks and screening for incoming employees.
- Based on host HR policies, commission federal police reports where required.

References, verification, CV, qualifications, independent identity verification, competence, trust, confidential information, screening process, employment T&Cs, confidentiality and non-disclosure, legal responsibilities, copyright, code of conduct

Sub-stream: 3.1 Pre-employment
Aspect: Employment terms and conditions

The contractual agreements with employees and contractors should state their and the organisation's responsibilities for information security.

- Manage Human Resources activities via formal processes in conjunction with the host organisation.
- Incorporate data management activities in induction processes (e.g. overview of the eResearch space, NDAs, acceptable use, etc.).
- Identify HR relationships between the host organisation and Node (e.g. Node staff employed via or seconded from host organisations).

Confidentiality agreement, non-disclosure agreement, legal rights and responsibilities, copyright laws, data protection legislation, information classification, information security roles and responsibilities, code of conduct

3.2 DURING EMPLOYMENT

Sub-stream: 3.2 During employment
Aspect: Management responsibilities

Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organisation.

- Incorporate the implications of any contractual obligations specifically stated in host organisation employment agreements for staff seconded to the Node.

Employment T&Cs, information security briefings, guidelines and expectations, ongoing education and training, whistleblowing

Sub-stream: 3.2 During employment
Aspect: Information security awareness and training

All employees of the organisation and, where relevant, contractors should receive appropriate awareness education and training and regular updates on organisational policies and procedures as relevant for their job function.

- Manage Human Resources activities (such as security awareness and cyber safety training) via formal processes in conjunction with the host organisation.
- Manage Human Resources activities (such as host organisation inductions and OH&S training) via formal processes in conjunction with the host organisation.

Periodic and on-going education and training, regular updates, awareness program, management commitment, rules and obligations, baseline controls, contact points and resources, assessment, knowledge transfer

Sub-stream: 3.2 During employment
Aspect: Disciplinary process

There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

- Manage Human Resources activities via formal processes in conjunction with the host organisation.

Formal and communicated process, prior verification, correct and fair treatment, nature and gravity of breach, impact on business, first/repeat offence, deterrent, deliberate breaches

3.3 POST EMPLOYMENT

Sub-stream: 3.3 Post employment
Aspect: Termination and change of employment responsibilities

To protect the organisation's interests as part of the process of changing or terminating employment.

- As part of the staff termination process, partner Institutions must ensure that all RDSI-based group membership access to collections is revoked (or at least suspended) as a Researcher leaves their organisation, even if they are leaving to join another partner Institution with similar collection access rights and privileges.
- If the staff member is a Data Custodian, the Node should be informed prior to the staff member's change in employment so that the question of ongoing Custodianship can be properly managed (see Security Stream 6 - Business requirements of access control, data custodianship).
- Manage Human Resources activities (such as termination) via formal processes in conjunction with the host organisation.
- Manage Human Resources activities (such as account suspensions) via formal processes in conjunction with the host organisation.

Although the confidentiality and availability of data collections can be protected by the RDSI-funded Node, the integrity of ingested collections (especially those in collection development storage) can come under threat from the data owners and the owner's colleagues themselves. Damage to and loss of data can result when a legitimate user with authority to access the data either intentionally or maliciously modifies or deletes data from the collection.

Confidentiality agreement, employees contracted via external parties, changes of operating arrangements
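The two controls above that a Node can enforce mechanically are the embargo transition and role-based access of Security Stream 2 (handling of assets) and the group-membership revocation and custodian hand-over of Security Stream 3.3. The following is an added example written for this page, not code from RDSI or any Node: a minimal in-memory collection register that refuses ingest without the custodian, owner and technical contact the inventory requires, releases an embargoed collection to its target label only once the embargo date has elapsed, serves public data read-only, and on offboarding revokes every group membership and reports the collections whose custodianship must be reassigned. All class names, fields, group names and sample data are constructed for illustration; a real deployment would back the `groups` mapping with the Node's directory (e.g. LDAP) rather than a dictionary.

```python
"""Added example (not RDSI code): collection register enforcing embargo
transitions, role-based access and offboarding. All data is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Classification(Enum):
    """Constructed labels; each Node defines its own scheme (see 2.2)."""
    PUBLIC = "public"
    SENSITIVE = "sensitive"
    EMBARGOED = "embargoed"


@dataclass
class Collection:
    name: str
    custodian: str          # Data Custodian, captured at ingest (2.1)
    owner: str              # Data Owner, captured at ingest (2.1)
    technical_contact: str  # technical contact, captured at ingest (2.1)
    primary_copy: bool      # True if this Node holds the primary copy
    classification: Classification
    embargo_until: date | None = None         # last day of the embargo
    release_to: Classification | None = None  # label applied when lifted
    read_groups: set[str] = field(default_factory=set)
    write_groups: set[str] = field(default_factory=set)


@dataclass
class Register:
    collections: dict[str, Collection] = field(default_factory=dict)
    groups: dict[str, set[str]] = field(default_factory=dict)  # group -> members

    def ingest(self, c: Collection) -> None:
        """Refuse ingest unless the contacts the inventory requires are present."""
        if not (c.custodian and c.owner and c.technical_contact):
            raise ValueError(f"{c.name}: custodian, owner and technical contact are mandatory")
        if c.classification is Classification.EMBARGOED and (c.embargo_until is None or c.release_to is None):
            raise ValueError(f"{c.name}: embargoed collections need an end date and a release label")
        self.collections[c.name] = c

    def add_member(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def _in_any(self, user: str, groups: set[str]) -> bool:
        return any(user in self.groups.get(g, set()) for g in groups)

    def can_access(self, user: str, name: str, today: date, write: bool = False) -> bool:
        """Role-based decision: groups grant rights; public data is read-only for everyone else."""
        c = self.collections[name]
        if c.classification is Classification.EMBARGOED and today <= c.embargo_until:
            # During the embargo only the custodial (write) groups may touch the data at all.
            return self._in_any(user, c.write_groups)
        if write:
            return self._in_any(user, c.write_groups)
        if c.classification is Classification.PUBLIC:
            return True  # anyone may read public data, but never write it
        return self._in_any(user, c.read_groups | c.write_groups)

    def lift_expired_embargoes(self, today: date) -> list[str]:
        """Automated transition: relabel collections whose embargo has elapsed."""
        released = []
        for c in self.collections.values():
            if c.classification is Classification.EMBARGOED and today > c.embargo_until:
                c.classification = c.release_to
                c.embargo_until = None
                c.release_to = None
                released.append(c.name)
        return released

    def offboard(self, user: str) -> tuple[list[str], list[str]]:
        """Revoke every group membership; report custodianships that need a new custodian."""
        revoked = sorted(g for g, members in self.groups.items() if user in members)
        for g in revoked:
            self.groups[g].discard(user)
        orphaned = sorted(c.name for c in self.collections.values() if c.custodian == user)
        return revoked, orphaned


def demo_register() -> Register:
    """Constructed sample data: two collections, three groups, three people."""
    reg = Register()
    reg.ingest(Collection("survey-2013", custodian="alice", owner="alice",
                          technical_contact="ops@example.invalid", primary_copy=True,
                          classification=Classification.EMBARGOED,
                          embargo_until=date(2015, 6, 30), release_to=Classification.SENSITIVE,
                          read_groups={"survey-readers"}, write_groups={"survey-custodians"}))
    reg.ingest(Collection("atlas-public", custodian="bob", owner="bob",
                          technical_contact="ops@example.invalid", primary_copy=False,
                          classification=Classification.PUBLIC, write_groups={"atlas-custodians"}))
    reg.add_member("survey-custodians", "alice")
    reg.add_member("survey-readers", "carol")
    reg.add_member("atlas-custodians", "bob")
    reg.add_member("survey-readers", "bob")
    return reg


if __name__ == "__main__":
    reg = demo_register()
    print("released:", reg.lift_expired_embargoes(date(2015, 7, 1)))
    print("offboard bob:", reg.offboard("bob"))
```

Running the transition from a scheduled job with the current date (rather than letting an operator relabel by hand) is what the guideline's "automated portal" buys: the embargo end date is checked once at ingest and then applied consistently, and the offboarding call produces the list of custodianships the Node must chase before the person's access is gone.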

SECURITY STREAM 4 - PHYSICAL AND ENVIRONMENTAL MANAGEMENT

Stream objectives:
- Secure areas - prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities.
- Equipment - prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations.

Stream references:
- Information Shield, Information Security Policies Made Easy (v10) - Physical Entry Controls. [15]
- Australian Government, Protective Security Policy Framework - Information security management guidelines - Management of aggregated information - Physical security. [16]
- Australian Government, Information Security Manual (ISM). [17]
Additional references are included in the SECURITY LINKS archive document.

4.1 BUILDING CONTROLS AND SECURE AREAS

Sub-stream: 4.1 Building controls and secure areas
Aspect: Physical security perimeter

Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

- Utilise physical network separation to balance business and performance needs (e.g. protect sensitive information, locate data close to compute).
- Determine whether RDSI-hosted storage is suitable for hosting sensitive data.
- Assess the risks of existing (e.g. host) machine room infrastructure on RDSI storage solutions.
- Ensure publicly accessible data is only presented in Read Only form.

Bars, alarms, locks, manned reception area, physical barriers, fire doors, intruder detection systems, geographic separation, multiple barriers

Sub-stream: 4.1 Building controls and secure areas
Aspect: Physical entry controls

Secure areas should be protected by appropriate entry controls to ensure only authorised personnel are allowed access.

- Establish additional security compliance guidelines with outsourcing facility operators (i.e. equipment not housed at Nodes).
- Determine suitable control levels for physical access (e.g. RFID scanning, smart card/code access).

Log all entry attempts, visitors, two-factor authentication, audit trail/log book, visible identification, personnel escorts, regular review

Sub-stream: 4.1 Building controls and secure areas
Aspect: Securing offices, rooms and facilities

Physical security for offices, rooms and facilities should be designed and applied.

Additional information

- Based on the existing Physical Security policy (and with the approval of the senior manager in charge of the facility), physically limit/restrict access to all offices, computer rooms and work areas containing sensitive information to those people with a need to know.
- Authorised systems administrators and technical staff with a requirement to access sensitive areas must adhere to a policy of logged entry access times.
- A nominated officer should perform regular spot-checks and regular monitoring of logs to ensure that all relevant and related policies are being followed.
- Raise any discrepancies or anomalies in the log with the security manager or senior manager in charge.
- Review any failings of the logging system and rectify as soon as possible.
- Maintain an audit trail of machine room access.

The location and protection of RDSI-funded Node data storage equipment is important because collections of national significance will be stored on that equipment. Although it is unlikely that classified Government data will be stored on Node systems, the value of nationally-significant collections should be considered when defining controls to promote physical security. Systems including manual (sign-in/sign-out), video-entry surveillance, keypad access or security pass swipe access on security entries to rooms (or perimeters) within which sensitive information is located may be used to monitor ingress/egress. The definition of sensitive information must be determined and agreed by Node management based on a risk assessment and with knowledge of the operational impact any physical security measures will have before implementation.

Co-location: If RDSI-funded data storage equipment is co-located with other organisations' equipment, it should either:
- be physically separate from systems operated by other organisations; or
- have logging and surveillance of physical access to the Node's actual equipment implemented. For example, 24-hour video surveillance of management console locations (though not positioned so that they record any actual on-screen activity) and/or of the physical space where sensitive information or systems are housed can provide a real-time log of physical activity.

Public access, electromagnetic shielding


Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1. c Dines Bjørner 2006, Fredsvej 11, DK 2840 Holte, Denmark

April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1. c Dines Bjørner 2006, Fredsvej 11, DK 2840 Holte, Denmark April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1 Models of IT Security Security Rules & Regulations: An Interpretation Dines Bjørner Fredsvej 11, DK 2840 Holte, Denmark Presented at Humboldt

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions

More information

Walton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit

Walton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit Page 1 Walton Centre Monitoring & Audit Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt Page 2 Table of Contents Section Contents 1 Introduction 2 Responsibilities Within This

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Queensland recordkeeping metadata standard and guideline

Queensland recordkeeping metadata standard and guideline Queensland recordkeeping metadata standard and guideline June 2012 Version 1.1 Queensland State Archives Department of Science, Information Technology, Innovation and the Arts Document details Security

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

Issued 10092010 Page 1 of 40 Version 1.2

Issued 10092010 Page 1 of 40 Version 1.2 Contents statement 1. Overarching Security Statement 2. Introduction 3. Scope 4. Security policy 5. Organisation of information security 6. External parties 7. Asset management 8. Human resource security

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority Internal Audit Progress Report (19 th August 2015) Contents 1. Introduction 2. Key Messages for Committee Attention 3. Work in progress Appendix A: Risk Classification and Assurance Levels Appendix B:

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security- Perspective for Management Information Security Management Program Concept

More information

Information Security Awareness Training

Information Security Awareness Training Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

Electronic Information Security Policy - NSW Health

Electronic Information Security Policy - NSW Health Electronic Information Security Policy - NSW Health Document Number PD2013_033 Publication date 11-Oct-2013 Functional Sub group Corporate Administration - Information and data Corporate Administration

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Third Party Security Compliance Standard for BBC Suppliers

Third Party Security Compliance Standard for BBC Suppliers Third Party Security Compliance Standard for BBC Suppliers BBC Third Party Security Requirements Standard Author Christina Coutts Department ISGC (Policy, Compliance and Risk) Version History Version Date

More information

ISSeG Integrated Site Security for Grids

ISSeG Integrated Site Security for Grids Project No: 06745 ISSeG Integrated Site Security for Grids Specific Support Action Information Society and Media METHODOLOGY FOR SECURITY AUDITING OF NEW SITES EU DELIVERABLE: D3. Document identifier:

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Guideline for Roles & Responsibilities in Information Asset Management

Guideline for Roles & Responsibilities in Information Asset Management ISO 27001 Implementer s Forum Guideline for Roles & Responsibilities in Information Asset Management Document ID ISMS/GL/ 003 Classification Internal Use Only Version Number Initial Owner Issue Date 07-08-2009

More information

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007

More information

This is a free 15 page sample. Access the full version online.

This is a free 15 page sample. Access the full version online. AS/NZS ISO/IEC 17799:2001 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification Technology. It was approved on behalf

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Scotland s Commissioner for Children and Young People Records Management Policy

Scotland s Commissioner for Children and Young People Records Management Policy Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

More information