HHS Enterprise. Information Security Standards and Guidelines EISSG v5.1


HHS Enterprise Information Security Standards and Guidelines EISSG v5.1, March 2013

Table of Contents

Table of Contents ... 2
Document History ... 5
    Revision History ... 5
    Reviews ... 6
Purpose ... 7
    Information Security Policies Scope ... 7
    Information Security Policies Compliance ... 7
    Information Security Policies Ownership ... 7
HHS Information Security Roles and Responsibilities ... 8
HHS Data Classification
Acceptable Use
HHS Information Security Program Policies
    Management Policies
        1. Security Assessment and Authorization (CA)
            1.1 Security Assessments
            1.2 Plan of Action and Milestones
            1.3 Security Authorization
            1.4 Continuous Monitoring
        2. Planning (PL)
            2.1 Exceptions
        3. Program Management (PM)
            3.1 Enterprise Architecture
            3.2 Information Security Resources
        4. Risk Assessment (RA)
            4.1 Vulnerability and Risk Assessment
        5. System Services and Acquisition (SA)
            5.1 Systems Development
    Operational Policies
        6. Awareness and Training (AT)
            6.1 Security Training
        7. Configuration Management (CM)
            7.1 Change Management
        8. Contingency Planning (CP)
            8.1 Back-up and Disaster Recovery
        9. Incident Response (IR)
HHS EISSG v.5.1 Page 2 of 75
            9.1 Incident Management
        10. Maintenance (MA)
            10.1 Controlled Maintenance
        11. Media Protection (MP)
            11.1 Media Access and Storage
            11.2 Removable Media
        12. Physical and Environmental Protection (PE)
            12.1 Physical Access
        13. Personnel Security (PS)
            13.1 Third-Party Personnel Security
        14. System and Information Integrity (SI)
            14.1 Anti-Spam
            14.2 System Configuration Hardening / Patch Management
            14.3 Malicious Code
            14.4 Operating Systems
    Technical Policies
        15. Access Control (AC)
            15.1 Account Management
            15.2 Administrative and Special Access
            15.3 Imaging Devices
            15.4 Network Access
            15.5 Network Configuration
            15.6 Portable/Remote Computing
            15.7 Vendor Access
            15.8 Virtual Private Network (VPN)
            15.9 Wireless Computing
        16. Audit and Accountability (AU)
            16.1 Audit Logging
            16.2 Security Monitoring
        17. Identification and Authentication (IA)
            17.1 Passwords
        18. System and Communications Protection (SC)
            18.1 Electronic File Transfers
            18.2 Intrusion Detection / Prevention
            18.3 Mobile Code
    Privacy Policies
        Privacy Standards
Supporting Security Controls and Procedures
Security Policies Exceptions
Laws, Regulations, and Guidance
    Federal
    State
    Industry
    Organization
Appendices
    Appendix A - HHS Information Systems Security Controls Catalog
    Appendix B - HHS Data Classification
    Appendix C - Recommended Events for Logging
    Appendix D - Exception Request Form (Template)
    Appendix E - Acronyms and Glossary
    Appendix F - Security References

Document History

Revision History:

Numbering convention: Version.Revision as n.xx. Pre-publication drafts are 0.xx; the first published version is 1.00; for minor revisions to a published document, increment the decimal number (ex. 1.01); for major content upgrades to a published document, increment the leading whole number (ex. 2.00).

Revisions (in order):
    Initial document distributed by Enterprise Security Management (ESM).
    Updates based on review by Information Security Officers (ISOs) and Information Resource Managers (IRMs).
    Updates based on management review by the Chief Information Officer (CIO).
    First Published Draft of Security Standards and Guidelines.
    Updates to incorporate Federal Security Requirements, sent for review to ISOs and IRMs.
    Updates to incorporate Federal Security Requirements, sent for review by the CIO.
    Second Published Draft of Security Standards and Guidelines.
    Updates to incorporate changes to physical security and address secure file transfer requirements, sent for review to IM&O, ISOs and IRMs.
    Updates to incorporate changes to physical security, secure file transfer, remote access, and security plan requirements, sent for review to ISOs, IRMs and other agency management.
    Updates to incorporate changes to the Wireless Computing and Privacy sections. Included a section for data classification.
    Updates for addition of the Electronic Transfer section and final review by ISO, IRM, CIO, TARB and EOB.
    Third Published Draft of Security Standards and Guidelines (revisions to numerous sections).
    Minor revision to incorporate changes to Portable/Remote Computing Section 1.23, Removable Media Section 1.25 and Wireless Computing Section 1.33.
    Fourth Published Draft of the Security Standards and Guidelines (revisions to numerous sections based on the Audit of Confidential Data Transfers).
    Minor revision to incorporate changes to Acceptable Use Section 1.1, Incidental Use/Limited Use section.
    Revision to incorporate changes to the Incident Management section.
    Major revision to the EISSG by the HHSC Office of the Chief Information Security Officer (CISO). Identified an agency security program framework that aligns with State, Federal, Local and agency compliance requirements.
    Major revision to the EISSG by the HHSC Office of the CISO to include the HHS Security Controls Catalog (Appendix A), HHS Data Classification Guidelines (Appendix B), etc.

Reviews

To satisfy the requirements of the Information Systems Security Program, a formal review of this document is mandatory annually.

Date      Reviewer      Department                   Job Title
06/28/12  Brian Engle   Information Security Office  Chief Information Security Officer
09/25/12  Brian Engle   Information Security Office  Chief Information Security Officer
03/11/13  Brian Engle   Information Security Office  Chief Information Security Officer

Purpose

Title 1, Texas Administrative Code (TAC), Chapter 202, RULE Security Standards Policy, Item (2), requires that all state agencies have an information security program consistent with the standards defined in TAC 202. The Texas Health and Human Services (HHS) Circular C-021, HHS Enterprise Information Security Policy, establishes an information security program for the health and human services (HHS) enterprise that is consistent with TAC Chapter 202, Information Security Standards.

The HHS CISO is committed to the protection of information and computing assets within the HHS environment and to the fulfillment of the TAC 202 RULE Security Standards Policy requirement and HHS Circular C-021, HHS Enterprise Information Security Policy. This EISSG document incorporates the requirements of public laws and federal, state, and HHSC regulations, as listed in Appendix F. It is also designed to be consistent with, and an enabler of, the Privacy Protection Principles found in the Texas Business and Commerce Code section 521, the Health and Safety Code, and other state data stewardship guidance.

The EISSG establishes a set of comprehensive rules and practices that regulate access to information systems within the HHS environment and the information processed, stored, and transmitted by them. Comprehensive security policies protect not only information and systems, but also the HHS organization as a whole. As such, the EISSG represents the HHS commitment to information systems security.

Information Security Policies Scope

All HHS employees, contractors, and third party users, and all HHS physical, software, and information assets (whether standalone or attached to the HHS local and wide area networks) that store, process, or transmit HHS digital data, as well as all services that support or otherwise handle those physical, software, and information assets, are required to comply with the security policies contained within this document.

Information Security Policies Compliance

Compliance with the security policies contained within this document is mandatory. Reviews to ensure compliance are undertaken at established intervals using authorized methods.

Information Security Policies Ownership

The HHS CISO is the sponsor and issuing authority for this HHS information security document.

HHS Information Security Roles and Responsibilities

Regardless of position or job classification, every employee and contractor that works in the HHS environment plays an important role in safeguarding the confidentiality, integrity, and availability of the systems and the data maintained by HHS. It is important that each individual fully understands his or her role and its associated responsibilities as designated by the HHS information security program and abides by the security policies, security controls, and procedures set forth by the HHS CISO.

Role: HHS Chief Information Security Officer (CISO)
Responsibility: The HHS CISO has the overall responsibility for the implementation of an IS Security Program for the HHS environment. The HHS CISO:
    Provides Enterprise information security protections commensurate with this policy, the HHS information security program and federal regulations;
    Develops Enterprise policies, procedures, and guidelines to ensure the protection of information resources;
    Recommends information security strategies for the HHS Agencies;
    Communicates information regarding the overall state of the HHS Information Security Program and risks to information resources within the HHS Enterprise and overall;
    Ensures that there are appropriate technologies and processes available and implemented to provide the security level required; and
    Ensures that HHS has trained personnel sufficient to assist HHS in complying with the requirements of this policy and related security controls and procedures.

Role: Agency Information Security Officer (ISO)
Responsibility: The agency ISO:
    Administers the agency Information Security Program.
    Develops and recommends agency-specific policies, standards and guidelines where required to ensure the security of information resources within their organization.
    Establishes and recommends procedures and practices to ensure the security of information resources.
    Ensures that security policies, procedures, standards, and guidelines are implemented to protect the agency's information resources.
    Establishes procedures for assessing and ensuring compliance with information security policies through inspections, reviews, and evaluations.
    Develops and implements a comprehensive information security training and awareness program.
    Monitors the effectiveness of defined controls for mission-critical information.
    Reports on the status and effectiveness of information resources security controls.
    Serves as the agency's internal and external point of contact for all information security matters.
    Assists the HHSC Chief Information Security Officer (CISO) in ensuring that the information systems in the HHS environment adhere to federal and state laws, executive orders, directives, regulations, policies, standards, and HHSC information system security program requirements;
    Serves as the primary point of contact in the HHS for information systems security issues;
    Develops, evaluates, and provides information about the HHS Information Security Program implementation within the associated agency, and communicates HHS Information Security Program requirements and concerns to HHSC management and personnel;
    Ensures that the System Security Plan (SSP) is developed, reviewed, implemented, and revised;
    Maintains documentation that establishes systems security level designations for all SSPs within HHS;
    Ensures that information system risk assessments (RA) are developed, reviewed, and implemented for the SSP process;
    Provides leadership and participates in information system incident response and reporting in accordance with reporting procedures developed and implemented by the agency.

Role: System Owner
Responsibility:
    Assesses the risk to the information and information systems for which they have responsibility;
    Ensures through security assessments/audits that the HHS information systems for which they have responsibility are developed, implemented, operated, and documented according to the requirements of this policy;
    Verifies that the HHS information system fully complies with HHS security requirements; and
    Ensures appropriate security measures and supporting documentation are maintained.

Role: Application, Server, Database, Network Administrators
Responsibility:
    Verifies that server, database, and network security requirements are being met;
    Establishes and communicates the security safeguards required for protecting server, database, and network security based on the sensitivity levels of the information; and
    Periodically reviews and verifies that all users of their servers, databases, and network resources are authorized and are using the required systems security safeguards, in compliance with the policies contained within this document and all related security controls and procedures requirements.

Role: System Developers
Responsibility:
    Develops and implements the HHS information security requirements throughout the System Development Life Cycle (SDLC); and
    Plans and implements the on-going maintenance of the information system, including updates, upgrades, and patches, in accordance with the SDLC and the security policies within this document.

Role: Service Providers, Vendors, and Contractor Employees
Responsibility: HHS service providers, vendors, and contract employees have the responsibility to ensure the protection of HHS information (data) and information systems by:
    Complying with the information security requirements maintained in this policy.
    Complying with the HHSC information security policy requirements.

Role: Users
Responsibility: Users have the responsibility to ensure the protection of HHS information (data) and the information system by:
    Complying with the HHSC information security policy requirements.

HHS Data Classification

Data Classification provides a framework for managing data assets based on value and associated risks and for applying the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations. All HHS data, whether electronic or printed, must be classified. The data owner should consult with legal counsel on the classification of data as Confidential, Agency-Sensitive, or Public. Consistent use of data classification reinforces with users the expected level of protection of HHS data assets in accordance with HHS security policies.

The HHS Data Classification Standard applies equally to all individuals who use or handle any HHS Information Resource. HHS data created, sent, printed, received, or stored on systems owned, leased, administered, or authorized by the HHS agency are the property of the HHS agency, and their protection is the responsibility of the HHS owners, designated custodians, and users.

Data shall be classified as follows, from the highest level of sensitivity to the lowest:

1. Restricted, which includes IRS FTI and Verified SSA Data that is subject to specific federal or state regulatory requirements and must a) remain encrypted at all times while at rest, in use or during transmission, b) be comprehensively monitored for access/distribution and c) provide for comprehensive access, distribution and audit controls. For more information on what constitutes Restricted, see Appendix B - HHS Data Classification.
2. Confidential, which includes SPI, PI, PII, PHI or LEA Data that is subject to specific federal or state regulatory requirements and must a) be encrypted during transmission to an outside agent or when stored on a mobile device, b) be monitored and c) provide strong access, distribution and audit controls. For more information on what constitutes Confidential, see Appendix B - HHS Data Classification.
3. Agency Internal, which is data that is not subject to specific regulatory or other external requirements but is considered HHS sensitive. For more information on what constitutes Agency Internal, see Appendix B - HHS Data Classification.
4. Public, which is information intended or required for public release as described in the Texas Public Information Act.

Information owned or under the control of the United States Government must comply with the federal classification authority and federal protection requirements.

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of HHS Information Resources access privileges, and to civil and criminal prosecution. More detailed information on data classification is located in Appendix B - HHS Data Classification.
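The following policy-as-code check applies the Restricted and Confidential handling rules stated above to constructed data-handling records and reports the ones that violate them. It is an added example, not part of the EISSG; the record schema, the data-type tags, the Agency Internal fallback for untagged data, and the sample asset names are assumptions made for illustration.

```python
"""Policy-as-code check for the HHS data classification handling rules.

Added example, not part of the EISSG. Record fields, data-type tags and
sample assets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Classification levels, from the highest sensitivity to the lowest.
LEVELS = ["Restricted", "Confidential", "Agency Internal", "Public"]

# Data types named in the section and the level each one carries.
TYPE_TO_LEVEL = {
    "FTI": "Restricted", "SSA": "Restricted",          # IRS FTI, verified SSA data
    "SPI": "Confidential", "PI": "Confidential", "PII": "Confidential",
    "PHI": "Confidential", "LEA": "Confidential",
}


def classify(data_types: Iterable[str]) -> str:
    """Return the highest level required by any data type in the record.

    The most sensitive element governs the whole record, so PHI mixed with
    FTI is Restricted. Records with no recognised type fall back to Agency
    Internal (an assumption here) rather than Public, because release needs
    an explicit decision by the data owner.
    """
    levels = [TYPE_TO_LEVEL[t] for t in data_types if t in TYPE_TO_LEVEL]
    return min(levels, key=LEVELS.index) if levels else "Agency Internal"


@dataclass
class HandlingRecord:
    """One observation of how an asset is handled (constructed schema)."""
    asset: str
    classification: str
    state: str                        # "at rest", "in use" or "in transit"
    encrypted: bool
    external_recipient: bool = False  # in transit to an outside agent
    mobile_device: bool = False       # stored on a mobile device
    access_monitored: bool = False
    audit_controls: bool = False


def evaluate(rec: HandlingRecord) -> List[str]:
    """Return the findings for one record; an empty list means compliant."""
    findings: List[str] = []
    if rec.classification not in LEVELS:
        return [f"{rec.asset}: unclassified data; all HHS data must be classified"]
    if rec.classification == "Restricted":
        # a) encrypted at all times: at rest, in use and during transmission
        if not rec.encrypted:
            findings.append(f"{rec.asset}: Restricted data must be encrypted {rec.state}")
        # b) comprehensively monitored for access/distribution
        if not rec.access_monitored:
            findings.append(f"{rec.asset}: Restricted data must be monitored for access/distribution")
        # c) comprehensive access, distribution and audit controls
        if not rec.audit_controls:
            findings.append(f"{rec.asset}: Restricted data requires comprehensive audit controls")
    elif rec.classification == "Confidential":
        # a) encrypted when sent to an outside agent or stored on a mobile device
        leaving_hhs = rec.state == "in transit" and rec.external_recipient
        on_mobile = rec.state == "at rest" and rec.mobile_device
        if (leaving_hhs or on_mobile) and not rec.encrypted:
            where = "in transit to an outside agent" if leaving_hhs else "on a mobile device"
            findings.append(f"{rec.asset}: Confidential data must be encrypted {where}")
        # b) monitored and c) strong access, distribution and audit controls
        if not rec.access_monitored:
            findings.append(f"{rec.asset}: Confidential data must be monitored")
        if not rec.audit_controls:
            findings.append(f"{rec.asset}: Confidential data requires strong audit controls")
    # Agency Internal and Public: the section states no mandatory technical control.
    return findings


def audit(records: Iterable[HandlingRecord]) -> Dict[str, List[str]]:
    """Evaluate every record and return only the assets that have findings."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = evaluate(rec)
        if findings:
            result[rec.asset] = findings
    return result


# Constructed sample records; the asset names do not refer to real HHS systems.
SAMPLE_RECORDS = [
    # FTI mixed with PHI is Restricted, so an unencrypted internal transfer fails.
    HandlingRecord("tax-match-export", classify(["PHI", "FTI"]), "in transit",
                   encrypted=False, access_monitored=True, audit_controls=True),
    # PHI at rest on an unencrypted laptop fails the mobile-device rule.
    HandlingRecord("clinic-laptop", classify(["PHI"]), "at rest", encrypted=False,
                   mobile_device=True, access_monitored=True, audit_controls=True),
    # PHI at rest on a monitored, audited server is compliant under this rule.
    HandlingRecord("claims-db", classify(["PII", "PHI"]), "at rest",
                   encrypted=False, access_monitored=True, audit_controls=True),
    HandlingRecord("press-release", "Public", "in transit",
                   encrypted=False, external_recipient=True),
]

if __name__ == "__main__":
    for asset, findings in audit(SAMPLE_RECORDS).items():
        print(asset)
        for finding in findings:
            print("  -", finding)
```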

Acceptable Use

All electronic data, hardware, and software residing on HHS networks are considered state property (assets). All information passing through the HHS networks which has not been specifically identified as the property of other parties will be treated as an HHS asset. Unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of these resources is prohibited. All User activity on HHS IR is subject to logging and review.

Every information system privilege that has not been explicitly authorized is prohibited. Such privileges will not be authorized for any HHS business purpose until approved by the information Owner, or designee, in writing or by electronic acknowledgement. Information entrusted to HHS will be protected in a manner consistent with data classification and in accordance with all applicable standards, agreements, and laws.

Any person or entity granted access to HHS IR, including HHS employees, volunteers, interns, private providers of services, contractors, vendors, and representatives of other agencies of state government, must comply with the standards set forth in this document. For purposes of this document, the term User refers specifically to an HHS IR User.

1. Users may not attempt to access any data, program, or system for which they do not have authorization or explicit consent.
2. Users must not disclose confidential or sensitive data or confidential or sensitive agency system or network information.
3. Any User who becomes aware of or suspects an actual or possible incident of unauthorized access of confidential information must report such to the agency Information Security Officer (ISO) and agency Privacy Officer or designees upon discovery, immediately and no later than 24 hours. Additional documentation may also be required. For example, the agency Privacy Office will have a worksheet for potentially reporting loss of Protected Health Information (PHI) to the Centers for Medicare & Medicaid Services.
4. Upon discovery of a possible unauthorized inspection or disclosure of Internal Revenue Service (IRS) Federal Tax Information (FTI), including breaches and security incidents, the individual making the observation or receiving the information should contact the HHSC IRS Coordinator, at ( ). If you are unable to reach the HHSC IRS Coordinator by phone, send a secure e-mail to HHSC IRS FTI at IRS_FTI_Safeguards@hhsc.state.tx.us. The HHSC IRS Coordinator will report the incident by contacting the office of the appropriate Special Agent-in-Charge, Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards as directed in Section 10.2 of Publication
5. Users must not share their account identifiers, passwords, Personal Identification Numbers (PINs), Security/Access Tokens (e.g., Smartcards), or any other information or device used for identification, authentication, authorization, or access purposes.
6. Any User who becomes aware of or suspects an actual or possible computer security incident, weakness, misuse or violation of any policy related to the security and protection of those resources must report such to the agency Information Security Officer (ISO) or designee upon discovery, immediately and no later than 24 hours.
7. Software installed or run within the HHS systems and/or networks must be approved by the Custodian responsible for that area.
8. Users must not download/operate a peer-to-peer (P2P) file sharing system available to the general public, such as LimeWire, KaZaA, BitTorrent, Morpheus or Gnutella, to transfer files (including music or video files). Risks associated with P2P use include the following:
    a. By running a peer-to-peer (P2P) application, you may be sharing confidential HHS information, consuming excessive network bandwidth, inadvertently sharing personal information and/or making your computer vulnerable.
    b. Viruses and Trojans are easily spread using P2P applications. Many P2P applications include Malware in the download, so you may be unintentionally infecting your HHS computer.
    c. If you copy and distribute copyrighted material without the permission required by law, you may be violating civil or criminal copyright infringement laws. Civil penalties for Federal Copyright infringement range from $750 per song to $150,000 in damages for each willful act. Criminal penalties can run up to five years in prison and $250,000 in fines.
9. Before leaving their computers unattended, Users must either lock access to their workstations or log off.
10. Users of HHS information resources must not engage in any act that would violate the purposes and goals of HHS as specified in its governing documents, rules, regulations, and procedures.
11. Users must not intentionally access, create, store, or transmit any material that may be offensive, indecent, or obscene. Materials required for research projects and explicitly approved by HHS are excluded from this prohibition.
12. A User may not engage in any activity that is harassing, threatening or abusive, degrades the performance of IR, deprives or reduces an authorized User's access to resources, or otherwise circumvents any security measure or policy.
13. A User shall not use any HHS IR to gain personal benefit.
14. Users must use appropriate safeguards to protect IR from damage, loss, or theft.
15. Any User of HHS owned or leased equipment who takes the resource off-site to an environment out of the authority of HHS must follow the same information security policies, standards, and guidelines to protect the resource as required when in use at an HHS location.
16. Any User of HHS owned or leased equipment used in an environment out of the authority of HHS must protect that equipment from theft, use or abuse by non-HHS approved Users.
17. Violation of the data classification policy (located above) may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of HHS Information Resources access privileges, and to civil and criminal prosecution.
18. All users must sign or electronically acknowledge the HHS Enterprise Computer Use Agreement (CUA, Form HR0314) indicating they have read, understand and agree to comply with the rules of behavior, and this must be on file before any access is granted. (See Account Management Section 15.1.)

E-mail Use

The growth of e-mail use and the increase in vulnerabilities related to electronic communications has seen a corresponding increase in the need for policies governing the use of, and protections directed to, those communications. This Standard applies to all Users of HHS e-mail systems.

19. The following activities are prohibited:
    a. Sending e-mail that is intimidating or harassing,
    b. Using e-mail to gain personal benefit,
    c. Using e-mail for purposes of political lobbying or campaigning,
    d. Violating copyright laws by inappropriately distributing protected works,
    e. Posing as anyone other than oneself when sending e-mail, except when authorized to send messages for another when serving in an administrative support role,
    f. The use of unauthorized software,

    g. Sending or forwarding chain letters,
    h. Sending unsolicited messages to large groups except as required to conduct department business,
    i. Sending or forwarding e-mail that is likely to contain malicious code, and
    j. Using stationery in e-mail. These are backgrounds that are available through most commercial software products. They take up excessive disk space, and therefore their use is prohibited on HHS networks.
20. Any data that is classified as Restricted or Confidential must be encrypted or otherwise protected as required by rule, regulation or law. (See Section 18.1, Electronic File Transfers.)
21. All User activity on HHS IR assets is subject to logging and review. HHS Users shall have no expectation of privacy.
22. Users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of any HHS agency or any unit of an HHS agency unless appropriately authorized (explicitly or implicitly) to do so.
23. Individuals must not send, forward, or receive confidential HHS information through non-HHS e-mail accounts, such as Yahoo, Hotmail, or Gmail accounts.
24. Individuals must not send, forward, or store confidential HHS electronic information utilizing non-state owned or leased mobile devices without the prior written permission of the data Owner. These devices include, but are not limited to, laptop/notebook computers, personal data assistants or other hand-held devices, two-way pagers or digital/cellular telephones.
25. Refer to Chapter 4 of the HHS Human Resources Manual for more information about e-mail use.

Incidental Use/Limited Use

Incidental and Limited personal use of HHS IR by Users is permitted.

26. Limited personal use of e-mail and Internet access is allowed for employees and other approved Users only. This use does not extend to visiting friends or relatives of the approved User.
27. Limited use must not result in any additional direct costs to HHS.
28. Limited use must not interfere with the normal performance of the Users' duties.
29. Storage of personal e-mail, voicemail, files, and/or any other document by the approved User must be kept to a minimum.
30. All messages, files, and/or documents located on any HHS IR are owned by HHS and may be accessed by appropriate HHS staff without notice to the User. Such documents may be subject to open records requests. This includes any personal messages, files, and/or documents.
31. Incidental personal use of Internet access is permitted, but must not inhibit or interfere with the use and/or functionality of network resources for business purposes.
32. Incidental use of Instant Messaging (IM), social networking sites such as Facebook, Orkut, MySpace, and Twitter, and video-hosting/sharing sites such as YouTube is prohibited. Exceptions for use of IM or social networking sites for approved HHS business purposes must be approved by the agency IRM, or by the HHS Chief Information Officer (CIO) if there is no designated agency IRM, using the exception process in Section 2.1, Exceptions, of the EISSG. Prior to approval, a business justification is required. The Social Networking Justification and Approval Process document can be found here:

Internet/Intranet/Extranet Use

For the purpose of this standard, the term Internet shall include Intranet and/or Extranet.

33. Software for browsing the Internet is provided to Users for business and research purposes, and is allowed for incidental/limited personal use only.

34. Incidental use must not interfere with the normal performance of an employee's work duties.
35. Incidental use must not result in any direct costs to HHS.
36. All software used to access the Internet must be part of the HHS standard software suite, or approved for use by the appropriate HHS authority.
37. All software used to access the Internet must incorporate vendor provided security patches.
38. All files downloaded from the Internet must be scanned for viruses using the approved current HHS virus detection software.
39. All files downloaded from the Internet must fall within the defined download parameters allowed by the HHS Enterprise Information Security Policy.
40. All software used to access the Internet shall be configured to provide the highest level of protection appropriate to the risk to HHS systems and networks.
41. All content on HHS Internet sites must comply with the HHS Enterprise Acceptable Use Standard and other sets of guidelines and standards developed in the management of Internet content, such as accessibility standards.
42. No offensive or harassing materials may be linked through or posted to any HHS Internet site.
43. Internet access provided by HHS may not be used for personal solicitation or gain.
    a. Confidential HHS data or sensitive personal information, including but not limited to PII, PHI and FTI, transmitted over external network connections must be appropriately encrypted. For more information on HHS Data Classification, reference Appendix B.

Cloud Computing

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. There are three service models:

Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.

Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

Requirements: To utilize a cloud computing model that receives, processes, stores, or transmits HHS data, the agency must meet the following requirements:

1. A service level agreement (SLA) is required that has established security policies and procedures demonstrating how HHS data is stored, handled, and accessed inside the cloud, through a legally binding contract or service level agreement with the third party provider.
2. Data isolation must be in place within the cloud environment so that tenants sharing physical space cannot access their neighbor's physically co-located data and applications.

3. HHS data must be encrypted when in transit and/or at rest within the cloud environment. All mechanisms used to encrypt HHS data must be FIPS compliant and operate utilizing the FIPS compliant module. This requirement must be included in the SLA.
4. Any security control implementation claims made by the cloud providers must be validated through a security plan and security control assessments.

HHS Information Security Program Policies

Management Policies

The Management program class of controls (safeguards or countermeasures) for an information system is focused on the management of risk and the management of information system security.

1. Security Assessment and Authorization (CA)

HHS requires that (i) an initial assessment of the security controls for key information systems is performed to determine if the controls are effective in their application; (ii) controls are monitored on an ongoing basis to ensure their continued effectiveness; (iii) information systems containing potential vulnerabilities due to deficiencies in their controls are documented and acknowledged by the HHS CISO and/or the appointed designee; and (iv) plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities are developed and implemented.

Security Assessments

HHS utilizes the Information System Security Plan template to assess the security controls in an information system as part of: (i) security assessments; (ii) meeting Federal, State, Local and agency requirements for periodic assessments; (iii) continuous monitoring; and (iv) testing/evaluation of the information system as part of the system development life cycle process. HHS:

- Develops a security assessment plan that describes the scope of the assessment, including:
  - Security controls and control enhancements under assessment;
  - Assessment procedures to be used to determine security control effectiveness; and
  - Assessment environment, assessment team, and assessment roles and responsibilities;
- Assesses the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
- Produces a security assessment report that documents the results of the assessment; and
- Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.

Plan of Action and Milestones

The plan of action and milestones (POA&M) is a key document in the security authorization package; HHS will ensure that a POA&M is developed for those key mission critical information systems requiring one. HHS:

- Develops a plan of action and milestones for the information system to document HHS planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
- Updates the existing plan of action and milestones based on findings from security control assessments and continuous monitoring activities.

Security Authorization

Security authorization is the official management decision given by a senior organizational official or executive (i.e., authorizing official) to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, and other organizations, based on the implementation of an agreed-upon set of security controls. HHS:

- Assigns a senior-level executive or manager to the role of authorizing official for the information system;
- Ensures that the authorizing official authorizes the information system for processing before commencing operations;

- Through the employment of a comprehensive continuous monitoring process, the critical information contained in the authorization package shall provide the authorizing official an up-to-date status of the security state of the information system.

Continuous Monitoring

HHS must establish a continuous monitoring program, which allows HHS to maintain the security authorization of key mission critical information systems over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. The program includes:

- Ongoing security control assessments in accordance with the organizational continuous monitoring strategy.

The continuous monitoring program is to provide updates to the security plan, the security assessment report and the plan of action and milestones report.

2. Planning (PL)

HHS requires the development, documentation, periodic update, and implementation of security plans for information systems within the HHS environment. The HHS CISO ensures that those security plans describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Exceptions

It is the intent of HHS Enterprise that all Owners, Custodians, and Users of HHS IR comply with all HHS information security standards. However, there will be situations where the strict application of an information security standard would significantly impair the functionality of a service. The exception standard provides a method for documenting an exception to compliance with a published HHS standard.

- Only temporary exceptions, where immediate compliance would disrupt critical operations, may be granted.
- The security exception template (reference Appendix D) is to be utilized to request an exception.
- If the Owner believes the exception should be granted, the Owner must then submit the exception request to the agency IRM, or to the HHS Chief Information Officer (CIO) if there is no designated agency IRM.
- The HHS CISO may, at his/her discretion, modify the agency IRM's decision in order to align with current HHS information security initiatives.

3. Program Management (PM)

The HHS CISO employs information security requirements that are independent of any particular information system and considered essential for managing the HHS information security program.

Enterprise Architecture

HHS develops an enterprise information security architecture that is aligned with Federal, State, Local and agency data security and privacy requirements. The integration of information security requirements and associated security controls into the HHS enterprise information security architecture helps to ensure that security considerations are addressed by HHS early in the system development life cycle and are directly and explicitly related to HHS mission/business processes.

- HHS develops enterprise security architecture with consideration for information security and the resulting risk to HHS operations, assets, individuals, and other agencies.

Information Security Resources

HHS must provide oversight for the information security-related aspects of the capital planning and investment control process.

- HHS ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;

4. Risk Assessment (RA)

The HHS CISO requires that risks to HHS operations (including its mission, functions, image, or reputation), HHS assets, and individuals, resulting from the operation of HHS information systems and the associated processing, storage, or transmission of HHS information, are assessed.

Vulnerability and Risk Assessment

The HHS Vulnerability Assessment Standard establishes the rules necessary to identify and inventory various exposures to the HHS network(s) while validating compliance with or deviations from the HHS Enterprise Information Security Policy.

- The Agency IRM, or the CIO if no agency IRM exists, shall ensure that internal vulnerability assessments of IR are performed and documented annually.
- Risk assessment should be conducted for the information system based on the agency-defined methodology and documented, including the likelihood and magnitude of harm from the unauthorized access, use, disclosure, modification, or destruction of the information system and the information it processes, stores, or transmits. HHS:
  - Documents risk assessment results in a risk assessment report;
  - Reviews risk assessment results annually; and
  - Updates the risk assessment annually or whenever there are significant changes to HHS information systems or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security or authorization state of the system.
- Vulnerability reports and similar information shall be documented and presented to the agency head, or designated representative, at least once annually.
- Vulnerability assessments that focus on specific areas shall be based on the results of a security risk assessment.
- The inherent risk and frequency of the security risk analysis will be ranked, at a minimum, as either High, Medium, or Low.
- Risk assessments shall identify business owners and custodians and define their respective roles and responsibilities.
- Risk assessments must be updated to account for significant changes in the agency information systems, assets, operations, personnel, and supporting facilities.
- The scope of the inventory of various exposures shall include asset identification and location identification.
- Risk assessment shall include an analysis or evaluation of security controls, corrective actions for each weakness or finding, and a response for each finding or a mitigation strategy for the acceptance of risk.

5. System Services and Acquisition (SA)

HHS (i) requires sufficient allocation of resources to adequately protect HHS information systems; (ii) employs system development life cycle processes that incorporate information security considerations; (iii) employs software usage and installation restrictions; and (iv) ensures that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from HHS.

Systems Development

The purpose of the Systems Development Standard is to ensure that the development and implementation of new software meets the requirements necessary to assure the security of HHS network(s) and systems.

- Systems development projects shall adhere to the Systems Development Life Cycle in force at the beginning of the development process.
- Production systems must have a designated Owner and Custodian.
- Production systems must have an access control system to restrict access to the system as well as restrict the privileges available to Users.
- Confidential data must be protected during SDLC phases.

- A risk assessment must be performed to identify inherent and control risk. It must be signed by the designated Owner to document that management accepts the level of risk identified.
- Application program-based access paths other than the formal User access paths, such as hardcoded backdoors, must be deleted or disabled prior to the software being moved into production.
- Procedures must be established to restrict access to systems and software for purposes of testing and revision to only authorized personnel.
- Development and implementation of new software or systems must include adequate documentation of the information system and its key security components. Information system documentation must be readily available, adequately protected, and only distributed to authorized personnel.
- All high risk systems must undergo an annual Security Risk Assessment using the DIR ISAAC Risk Assessment template. (See Section 4.2 Vulnerability and Risk Assessment.)
- Any IR project that includes a modification, enhancement, new development, or any other changes to systems, interfaces, or batch processes developed as a requirement for the following programs must complete a security plan. (Use either the optional Security Plan template available from the HHSC Office of the CISO or an equivalent.)
  a. Temporary Assistance for Needy Families
  b. Medicaid
  c. Supplemental Nutrition Assistance Program
  d. Any State program administered under a plan approved under title I, X, or XIV, or title XVI of the Social Security Act.
  e. Any IR Project that meets the definition of a Major Information Resource Project under the guidance of the Quality Assurance Team (QAT).
- Data files, system interfaces and batch processes with Confidential HHS material or individuals' names in conjunction with their sensitive PII and PHI must be encrypted or otherwise protected as required by rule, regulation or law during all data transmissions outside of the HHS Local Area Network (LAN). Examples of confidential or sensitive PII or PHI information include: social security numbers, federal tax return information or other medical records.
- When cryptography is employed in the information system, agencies must ensure the information system executes all cryptographic operations using FIPS validated cryptographic modules with approved modes of operation.
- All environments that contain copies of Confidential production data must meet all security control requirements defined in the HHS Enterprise Information Security Standards and Guidelines. Controls must be re-evaluated at least annually as part of the defined risk assessment and risk management processes. As part of the annual risk assessment process, both of the following must be documented:
  - Responsible HHS custodian assertion that the test environment continues to meet all security control requirements in the HHS Enterprise Information Security Standards and Guidelines for the use of the confidential data.
  - Data owner assertion that (a) the use of confidential data in the test environment is still required and (b) all personnel, including, but not limited to, state and independent contractor employees provided access to the test environment, are still authorized to access the confidential data.
  If risk assessment results determine that all control requirements are not met or the identified risks cannot otherwise be mitigated, the confidential data must be declassified or removed from the test environment.
- Non-production functions shall be kept either physically or logically separate from production functions. Non-production environments containing Confidential data (see Appendix B: HHS Data Classification) require that all personnel, including, but not limited to, state and independent contractor employees provided access to those environments, are authorized to access the confidential data. Access will be provided and managed through individually assigned accounts. Data owners must provide explicit authorization for access to confidential data contained within test environments and manage the access in accordance with the HHS Enterprise Information Security Standards and Guidelines.
- If confidential production data is needed for testing purposes in an environment that cannot meet all security control requirements defined in the HHS Enterprise Information Security Standards and Guidelines AND the information cannot be de-classified/de-identified, the use and protection of the confidential production data will be documented, justified, and approved by the HHS data owner and the data custodian. Confidential production data will be removed from the non-production environment immediately upon completion of the required testing.


More information

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9 1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2.

VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2. VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY Version 2., 2012 Revision History Version Date Purpose of Revision 2.0 Base Document 2.1 07/23/2012 Draft 1 Given to ISO for Review 2.2 08/15/2012

More information

Security Self-Assessment Tool

Security Self-Assessment Tool Security Self-Assessment Tool State Agencies Receiving FPLS Information, 7/15/2015 Contents Overview... 2 Access Control (AC)... 3 Awareness and Training (AT)... 8 Audit and Accountability (AU)... 10 Security

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

USE OF INFORMATION TECHNOLOGY FACILITIES

USE OF INFORMATION TECHNOLOGY FACILITIES POLICY CI-03 USE OF INFORMATION TECHNOLOGY FACILITIES Document Control Statement This Policy is maintained by the Information Technology Department. Any printed copy may not be up to date and you are advised

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Appendix A: Rules of Behavior for VA Employees

Appendix A: Rules of Behavior for VA Employees Appendix A: Rules of Behavior for VA Employees Department of Veterans Affairs (VA) National Rules of Behavior 1 Background a) Section 5723(b)(12) of title 38, United States Code, requires the Assistant

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Network and Workstation Acceptable Use Policy

Network and Workstation Acceptable Use Policy CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of

More information

13. Acceptable Use Policy

13. Acceptable Use Policy To view the complete Information and Security Policies and Procedures, log into the Intranet through the IRSC.edu website. Click on the Institutional Technology (IT) Department link, then the Information

More information

Information Technology Acceptable Use Policy

Information Technology Acceptable Use Policy Information Technology Acceptable Use Policy Overview The information technology resources of Providence College are owned and maintained by Providence College. Use of this technology is a privilege, not

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002 Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...

More information

POLICIES AND REGULATIONS Policy #78

POLICIES AND REGULATIONS Policy #78 Peel District School Board POLICIES AND REGULATIONS Policy #78 DIGITAL CITIZENSHIP Digital Citizenship Digital citizenship is defined as the norms of responsible behaviour related to the appropriate use

More information

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Office of the Senior Agency Information Security Officer VERSION HISTORY/CHANGE RECORD Change Number Person Posting Change Change Reason

More information

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy 1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460.

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460. Subject: Authoritative Policy: Procedure Number: Distribution: Purpose: Acceptable Use of Information Technology (former Ad Guide 1460.00) Standard Number 1340.00 Information Technology Information Security

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Marist College. Information Security Policy

Marist College. Information Security Policy Marist College Information Security Policy February 2005 INTRODUCTION... 3 PURPOSE OF INFORMATION SECURITY POLICY... 3 INFORMATION SECURITY - DEFINITION... 4 APPLICABILITY... 4 ROLES AND RESPONSIBILITIES...

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE August 31, 2010 Version 1.1 - FINAL Summary of Changes in SSP

More information

Virginia Commonwealth University Information Security Standard

Virginia Commonwealth University Information Security Standard Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

Revision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014

Revision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014 Information Security Information Technology Policy Identifier: IT-003 Revision Date: October 16, 2014 Effective Date: March 1, 2015 Approved by: BOR Approved on date: October 16, 2014 Table of Contents

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES

APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS (INCLUDING INTERNET & E-MAIL) EMC CORPORATE POLICY COPYRIGHT 2007 EMC CORPORATION. ALL RIGHTS RESERVED. NO PORTION OF THIS MATERIAL MAY BE REPRODUCED,

More information

Appendix I. The City University of New York Policy on Acceptable Use of Computer Resources

Appendix I. The City University of New York Policy on Acceptable Use of Computer Resources Appendix I The City University of New York Policy on Acceptable Use of Computer Resources Introduction CUNY s computer resources are dedicated to the support of the university s mission of education, research

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Information Technology Internal Audit Report

Information Technology Internal Audit Report Information Technology Internal Audit Report Report #2014-05 July 25, 2014 Table of Contents Page Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives... 4 Scope and Testing

More information

Pierce County Policy on Computer Use and Information Systems

Pierce County Policy on Computer Use and Information Systems Pierce County Policy on Computer Use and Information Systems Pierce County provides a variety of information technology resources such as computers, software, printers, scanners, copiers, electronic mail

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information