National Information Systems And Network Security Standards & Guidelines


National Information Systems And Network Security Standards & Guidelines
Version 3.0
Published by National Information Technology Development Agency (NITDA)

January 2013

Table of Contents

Section One
1.1 Preamble
1.2 Authority
1.3 Scope
1.4 Application

Section Two
Part 1: Standards for the Categorization of Information for Security Management
2.1 Purpose
2.2 Information Security Categorization Standards
    Security Objectives
    Data Categorization Tasks
    Data Security Measures
Part 2: Guidelines for the Categorization of Information for Security Management
2.3 Security Categorization Guidelines
2.4 Classification of Potential Impact of Security Breach on Organizations and Individuals
2.5 Security Categorization Applied to Information Types
2.6 Security Categorization Applied to Information Systems

Section Three
Part 1: Minimum Security Requirements for National Information and Information Systems
3.1 Purpose
3.2 Information System Impact Levels
3.3 Minimum Security Requirements
3.4 Security Control Selection
    Actionable Tasks and Policies for the MDAs
    Server Security
    General Server Configuration Guidelines
    Monitoring
    The Acceptable System Use Policy
    The Password Policy
Part 2: Guidelines for Minimum Security Requirements for National Information and Information Systems
    Specifications for Minimum Security Requirements (Metrics of Security)
    General Password Construction Guidelines
    Password Protection Standards

Section Four
Part 1: Standards for Intrusion Detection and Prevention Systems (IDPS)
    Purpose
Part 2: Guidelines for Intrusion Detection and Prevention
    Types of Intrusion Detection and Prevention System (IDPS)
    General Incident Reporting Guideline/Policy

Section Five
Part 1: Standard for Protecting the Confidentiality of Object Identifiable Information (OII)
    Purpose
    Introduction and Identification of OII
    The Potential Impact of Inappropriate Access to OII
    Methods for Protecting the Confidentiality of OII and Factors for Determining OII Confidentiality Impact Levels
        Overview
        Distinguishability
        Aggregation and Data Field Sensitivity
        Obligation to Protect Confidentiality
        Access to and Location of the OII
    General Protection Measures
Part 2: Guidelines for Protecting the Confidentiality of Object Identifiable Information (OII)
    Introduction and Identification of OII
    Examples of OII Data
    OII and Fair Information Practices
    The Potential Impact of Inappropriate Access to OII
    Impact Level Definitions
    Methods for Protecting the Confidentiality of OII and Factors for Determining OII Confidentiality Impact Levels
        Overview
        Distinguishability
        Aggregation and Data Field Sensitivity
        Context of Use
        Obligation to Protect Confidentiality
        Access to and Location of the OII
    OII Confidentiality Impact Level Examples
    Education, Training, and Awareness
    De-Identifying Information
    Anonymous Information
    Security Controls
    Recommendations for Developing an Incident Response Plan for Breaches Involving OII
        Preparation
        Detection and Analysis
        Containment, Eradication, and Recovery
        Post-Incident Activity

Section Six
Part 1: Standards on Securing Public Web Server
    Purpose
    Web Server Policy
    Web Server Risk
    General Configuration Standard
Part 2: Guidelines on Securing Public Web Server
    Guidelines
    Deployment of Public Web Server
    6.6 Web Application Implementation Guidelines
    Application Service Provider Guidelines
    The Internet DMZ Equipment Guidelines
    General Security Concept

Section Seven
Part 1: Standards on Firewalls and Firewall Policy
    Purpose
    The Placement of the Firewalls within the Network Architecture with Multiple Layers of Firewalls
    Policies Based on IP Addresses and Protocols
    IP Addresses and Other IP Characteristics
    TCP and UDP
    IPsec Protocols
    Policies Based on Applications
    Virtual Private Network (VPN) Policy
    Policy
    Malicious Application and Virus Policy and Guidelines
Part 2: Guidelines on Firewalls and Firewall Policy
    General Guidelines and Introduction on Firewalls and Firewall Policy

Section Eight
Part 1: Cyber Forensic Standards
    Purpose
    Overall Action Plan for Implementation of Cyber Forensic
Part 2: Cyber Forensic Guidelines
    General Guidelines and Overview of Cyber Forensic
    The Tool Capabilities and Features
    Handling of Retained Data
    The Data Handover Interface
    The Security Framework
    Data Exchange Techniques
    Backward and Update Compatibility

Guidelines and Policy for Acceptable Encryption
Definition of Terms

Section One

1.1 Preamble

The National Information Technology Development Agency (NITDA) is mandated by the NITDA Act of 2007 to develop Information Technology in Nigeria through regulatory policies, guidelines, standards, and incentives. Part of that mandate is to ensure the safety of the Nigerian cyberspace and a successful implementation of an electronic government program. Many establishments have migrated their businesses to the online environment. Information networks in both the private and public sectors now drive service delivery in the country. These networks have thus become critical information infrastructure which must be safeguarded.

This document provides government-wide Standards and Guidelines on National Information Systems and Network Security. It contains eight sections; sections two to eight are each in two parts. Part 1 contains the Standards while Part 2 contains the Guidelines.

Several international standards documents were reviewed during the development of these Standards and Guidelines, including:
1. ISO/IEC 27001, 27002 and 27005
2. OFCOM Guidance on Network Security
3. EU Network Security Framework
4. Information Technology Security Guidelines (ITSG-38), Canada
5. NIST Guidelines

What has been put together in this document is what stakeholders consider suitable for the Nigerian environment.

1.2 Authority

The National Information Systems and Network Security Standards and Guidelines are issued by the National Information Technology Development Agency (NITDA) in accordance with the NITDA Act. They are specifically issued pursuant to sections 6 and 17 of the National Information Technology Development Agency Act 2007 and are subject to periodic review by NITDA. A breach of the guidelines shall be deemed to be a breach of the Act.

These standards are mandatory for Federal, State and Local Government agencies and institutions as well as private sector organizations which own, use or deploy critical information infrastructure of the Federal Republic of Nigeria. They serve as a reference for systems auditors, network administrators and security personnel, among others. Additional security guidelines may be developed and used at Agency discretion in accordance with these standards. MDAs are mandated to use the reporting documents in the appendix to report compliance to NITDA on a quarterly basis.

1.3 Scope

This document prescribes minimum standards on 7 primary areas of network security and cyber forensics:
1. Categorization of information
2. Minimum security requirements
3. Intrusion detection and protection
4. Protection of OII
5. Securing public web servers
6. System firewalls
7. Cyber forensics

1.4 Application

The standards contained herein shall apply to:
Public sector organizations, including:
- Federal and State Ministries
- Federal and State Departments
- Federal and State Agencies
- Local Governments
Private sector organizations and companies
Non-Governmental Organizations (NGOs)

Section Two

Part 1: Standards for the Categorization of Information for Security Management

2.1 Purpose

This section of the document:
A. Sets minimum standards for the categorization of all information collected, processed and stored using ICT systems, based on the objective of providing the required levels of information security according to risk levels, threat thresholds and impact, in order to guarantee:
- Confidentiality
- Integrity
- Availability, and
- Survivability and continuity of business processes and information systems in Nigeria.
B. Provides guidelines on information security control areas within each category.
C. Prescribes minimum information security requirements for the management, operational, and technical controls for information in each category.

2.2 Information Security Categorization Standards

This document establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.

Security Objectives

The five security objectives of information and information systems specified in these standards are:

1) Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
2) Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
3) Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
4) Survivability: Ensuring that services continue and that business operations survive a security breach. Survivability is lost in the case of a complete disruption of operations and discontinuation of services.
5) Authenticity: The data (source), security level, user, time and location are required to be authenticated.

Data Categorization Tasks

These standards and guidelines apply to all MDA data categories and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). The standards apply regardless of the media on which the data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.). All MDAs are required to maintain data in a secure, accurate, and reliable manner as specified in and be readily available for authorized use. Data security measures must be implemented commensurate with data sensitivity and risk.

I. Data should be classified into one of the following categories:
a. Restricted: data the disclosure of which to any unauthorized person would be unlawful.
b. Public: data to which the general public may be granted access in accordance with the applicable laws.
II. Data in both categories require security measures to the degree to which the loss or corruption of the data would impair the business or service functions of the MDA, result in financial loss, or violate law, standards and guidelines. Security measures for data must be set by the data custodian, working in cooperation with the data stewards, as defined below.

The following roles and responsibilities must be established for enforcing data standards and guidelines:
a. Data Trustee: Data trustees are senior MDA officials (or their designees) who have planning responsibility for data within their functional areas and management responsibility for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire MDA. (Director/CIO)
b. Data Steward: Data stewards must be MDA officials having direct operational-level responsibility for information management, usually Deputy Directors or Assistant Directors. Data stewards are responsible for data access and policy implementation issues.
c. Data Custodian: The Information Technology Services/Department (ITS) is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information. (Chiefs)
d. Data User: Data users are individuals who need and use MDA data as part of their assigned duties or in fulfillment of assigned roles or functions within the organization. Individuals who are given access to sensitive data hold a position of special trust and as such are responsible for protecting the security and integrity of those data.

Data Security Measures

All MDAs are required to adopt measures for data security as stated by the data-classification level. Required measures include the following:
I. Encryption requirements
II. Data protection and access control
III. Documented backup and recovery procedures
IV. Change control and process review
V. Data-retention requirements
VI. Data disposal
VII. Audit controls
VIII. Storage locations

Part 2: Guidelines for the Categorization of Information for Security Management

2.3 Security Categorization Guidelines

The following are the various levels and types of information categorization envisioned in the Standards part for the categorization of information for security management:
i. Information shall be categorized according to its information type. An information type is a specific category of information (e.g., private, confidential, secret) as defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.
ii. Information shall also be categorized according to value, owner, types of access, custodian, retention, user, etc.
iii. Information must also be classified according to the level of impact of adverse effects should the threats materialize (High, Moderate, Low, Not Applicable).
iv. System information (e.g. network routing tables, password files, and cryptographic key management information) must be protected at a level commensurate with the most critical or sensitive user information being processed, stored, or transmitted by the information system, to ensure confidentiality, integrity, availability and survivability.
v. The potential impact value of Not Applicable only applies to the security objective of confidentiality.
vi. System processing functions (i.e., programs in execution within an information system, such as system processes that facilitate the processing, storage, and transmission of information and are necessary for the organization to conduct its essential mission-related functions and operations) shall be subjected to security categorization.
vii. Storage location shall also be subjected to classification.
viii. In general, a security matrix has at least five dimensions:
a. Information Type
b. Sensitiveness: Public, Secret, Confidential
c. Action: Creation, Modification, Keep, Transfer, Purge, Duplicate, Read, Process
d. User: the categories of users of the information system
e. Time: when the data is accessible (nights, holidays?)
f. Location: where the information may be kept or acted on

Note, for example: a chunk of information is at level A, meaning it is top secret. It can be created only by level H staff, carried by level G staff, never duplicated by anybody, and purged only by level G staff. Level G staff cannot read it. Level G staff can keep it for at most 5 hours during the working hours of working days. This web site could only be accessed within governmental premises, etc.

2.4 Classification of Potential Impact of Security Breach on Organizations and Individuals

This publication defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.

The potential impact shall be classified as LOW if: the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means, for instance, that the loss of confidentiality, integrity, or availability might:
(i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
(ii) result in minor damage to organizational assets;
(iii) result in minor financial loss; or
(iv) result in minor harm to individuals.

The potential impact shall be classified as MODERATE if: the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means, for instance, that the loss of confidentiality, integrity, or availability might:
(i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
(ii) result in significant damage to organizational assets;
(iii) result in significant financial loss; or
(iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

The potential impact shall be classified as HIGH if: the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic effect on organizational operations, organizational assets, or individuals. A severe or catastrophic effect means, for instance, that the loss of confidentiality, integrity, or availability might:
(i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
(ii) result in major damage to organizational assets;
(iii) result in major financial loss; or
(iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

2.5 Security Categorization Applied to Information Types

The security category of an information type may be associated with both user information and system information and can be applicable to information in either electronic or non-electronic form. It must also be used as input in considering the required security category (SC) of an information system (see the description of security categories for information systems below). Establishing the required security category of an information type shall be based on the potential impact for each security objective associated with the particular information type.

The format for expressing the security category, SC, of an information type is:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.

EXAMPLE 2.1: An organization managing public information on its web server determines that there is no potential impact from a loss of confidentiality (i.e., confidentiality requirements are not applicable), a moderate potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. The resulting security category, SC, of this information type is expressed as:

SC public information = {(confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, MODERATE)}

EXAMPLE 2.2: A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate. The resulting security category, SC, of this information type is expressed as:

SC investigative information = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}

EXAMPLE 2.3: A financial organization managing routine administrative information (not privacy-related information) determines that the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low. The resulting security category, SC, of this information type shall be expressed as:

SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}

2.6 Security Categorization Applied to Information Systems

In determining the security category of an information system, consideration must be given to the security categories of all information types resident on the information system. For an information system, the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., the high water mark) from among those security categories that have been determined for each type of information resident on the information system.

The format for expressing the security category, SC, of an information system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where the acceptable values for potential impact are LOW, MODERATE, or HIGH.

Under this section the value of Not Applicable cannot be assigned to any security objective in the context of establishing a security category for an information system. This is in recognition that there is a low minimum potential impact (i.e., a low water mark) on the loss of confidentiality, integrity, and availability for an information system, due to the fundamental requirement to protect the system-level processing functions and information critical to the operation of the information system.

EXAMPLE 2.4: An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. If the management within the contracting organization determines that:
(i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and
(ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low,
the resulting security categories, SC, of these information types shall be expressed as:

SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}, and
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.

The resulting security category of the information system is expressed as:

SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},

representing the high water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system.

EXAMPLE 2.5: A power plant contains a SCADA (supervisory control and data acquisition) system controlling the distribution of electric power for a large military installation. The SCADA system contains both real-time sensor data and routine administrative information, and the management at that power plant determines that:
(i) for the sensor data being acquired by the SCADA system, there is no potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability; and
(ii) for the administrative information being processed by the system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability,
the resulting security categories, SC, of these information types shall be expressed as:

SC sensor data = {(confidentiality, NA), (integrity, HIGH), (availability, HIGH)}, and
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.

The resulting security category of the information system is initially expressed as:

SC SCADA system = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)},

representing the high water mark or maximum potential impact values for each security objective from the information types resident on the SCADA system. The management at the power plant chooses to increase the potential impact from a loss of confidentiality from low to moderate, reflecting a more realistic view of the potential impact on the information system should there be a security breach due to the unauthorized disclosure of system-level information or processing functions. The final security category of the information system is expressed as:

SC SCADA system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}.
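The SC notation of 2.5, the high water mark rule of 2.6 (per-objective maximum over the resident information types, floored at LOW because NOT APPLICABLE is never assigned to a system) and the overall impact-level rule stated in section 3.2 are simple enough to encode and check against the document's own examples. The Python below is an added illustration and is not part of the NITDA document. The function names, the Impact enumeration and the management_adjustments parameter are this example's own choices; the parameter models the step in Example 2.5 where management raises confidentiality from low to moderate, and the rejection of a downward adjustment is an inference from the requirement that a system's values be the highest values among its information types, not a rule the text states.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact values, ordered so max() yields the high water mark.
    NOT APPLICABLE is permitted only for the confidentiality objective of an
    information type (guideline 2.3 v) and never for an information system."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def information_type_sc(confidentiality, integrity, availability):
    """Security category (SC) of a single information type, section 2.5."""
    if Impact(integrity) == Impact.NOT_APPLICABLE or Impact(availability) == Impact.NOT_APPLICABLE:
        raise ValueError("NOT APPLICABLE is only allowed for confidentiality")
    return {"confidentiality": Impact(confidentiality),
            "integrity": Impact(integrity),
            "availability": Impact(availability)}


def information_system_sc(resident_types, management_adjustments=None):
    """Security category of an information system, section 2.6.

    resident_types: {name: SC dict} for every information type on the system.
    Each objective takes the high water mark (maximum) over the resident types,
    floored at LOW since a system cannot carry NOT APPLICABLE.
    management_adjustments (this example's name for the optional step shown in
    Example 2.5) may raise an objective above the high water mark; lowering is
    rejected because the standard requires the highest value (an inference).
    """
    if not resident_types:
        raise ValueError("a system must host at least one information type")
    sc = {}
    for objective in OBJECTIVES:
        high_water_mark = max(sc_type[objective] for sc_type in resident_types.values())
        sc[objective] = max(high_water_mark, Impact.LOW)
    for objective, level in (management_adjustments or {}).items():
        if Impact(level) < sc[objective]:
            raise ValueError(f"{objective} cannot be lowered below the high water mark")
        sc[objective] = Impact(level)
    return sc


def system_impact_level(system_sc):
    """Overall impact level per section 3.2 explanatory note (c): low if every
    objective is low, high if any objective is high, otherwise moderate."""
    return max(system_sc.values()).name.lower()


def format_sc(name, sc):
    """Render an SC in the document's notation, e.g.
    SC public information = {(confidentiality, NOT APPLICABLE), ...}."""
    parts = ", ".join(f"({o}, {sc[o].name.replace('_', ' ')})" for o in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


if __name__ == "__main__":
    # Example 2.5 worked through: sensor data and administrative information on
    # a SCADA system, then management raises confidentiality to MODERATE.
    sensor = information_type_sc(Impact.NOT_APPLICABLE, Impact.HIGH, Impact.HIGH)
    admin = information_type_sc(Impact.LOW, Impact.LOW, Impact.LOW)
    resident = {"sensor data": sensor, "administrative information": admin}
    initial = information_system_sc(resident)
    final = information_system_sc(resident, {"confidentiality": Impact.MODERATE})
    print(format_sc("SCADA system (initial)", initial))
    print(format_sc("SCADA system (final)", final))
    print("impact level:", system_impact_level(final))
```

Running the script reproduces the two SCADA lines of Example 2.5 and reports the system as high-impact; the same functions reproduce Examples 2.1 to 2.4, and a system that hosts only NOT APPLICABLE-confidentiality data still comes out at LOW, which is the low water mark the section describes.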

Section Three

Part 1: Minimum Security Requirements for National Information and Information Systems

3.1 Purpose

This section of the document:
a) Prescribes standards on information system impact levels;
b) Provides a list of minimum information security requirements for the management, operational, and technical controls for information in each category;
c) Prescribes actionable and tasked standards on security measures for all MDAs on network, server, system acceptable use, password guidelines, physical location and security policy.

3.2 Information System Impact Levels

Organizations are required to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e., the high water mark) from among the security categories that have been determined for each type of information resident on those information systems. The generalized format for expressing the security category (SC) of an information system shall be:

SC Information System = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are low, moderate, or high.

Explanatory Note:
a) For the purpose of this document, an information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information resources include information and related resources, such as personnel, equipment, funds, and information technology.
b) The high water mark concept is employed in these Standards owing to the significant dependencies among the security objectives of confidentiality, integrity, and availability. In most cases, a compromise in one security objective ultimately affects the other security objectives.
c) Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. Finally, a high-impact system is an information system in which at least one security objective is high.

The determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of required security controls for those information systems.

3.3 Minimum Security Requirements

The minimum security requirements cover the following security-related areas with regard to protecting the confidentiality, integrity, availability and survivability of information systems and the information processed, stored, and transmitted by those systems. The security-related areas include:
i. access control, identification and authentication;
ii. awareness and training;
iii. audit and accountability;
iv. certification, accreditation, and security assessments;
v. configuration management;
vi. contingency planning;
vii. incident response;
viii. maintenance;
ix. media protection;
x. physical and environmental protection;
xi. planning;
xii. personnel security;
xiii. risk assessment;
xiv. systems and services acquisition;
xv. system and communications protection; and
xvi. system and information integrity.

The areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting national information and information systems. Policies and procedures play an important role in the effective implementation of enterprise-wide information security programs within government and private systems and in the success of the resulting security measures employed to protect national information and information systems. Thus, organizations are required to develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation.

3.4 Security Control Selection

Organizations are required to meet the minimum security requirements in this standard by selecting the required security controls and assurance requirements as described in this document. The process of selecting the required security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Security categorization of information and information systems, as required by this publication, is the first step in the risk management process. Subsequent to the security categorization process, organizations must select a required set of security controls for their information systems that satisfies the minimum security requirements set forth in this standard. The selected set of security controls must include one of the three tailored security control baselines in this document that are associated with the designated impact levels of the organizational information systems as determined during the security categorization process.
- For low-impact information systems, organizations must, as a minimum, employ tailored security controls from the low baseline of security controls and must ensure that the minimum assurance requirements associated with the low baseline are satisfied.


More information

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - 45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART

More information

REGION 19 HEAD START. Acceptable Use Policy

REGION 19 HEAD START. Acceptable Use Policy REGION 19 HEAD START Acceptable Use Policy 1.0 Overview Research, Evaluation, Assessment and Information Systems (R.E.A.I.S.) intentions for publishing an Acceptable Use Policy are not to impose restrictions

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

CTR System Report - 2008 FISMA

CTR System Report - 2008 FISMA CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control

More information

How To Use A College Computer System Safely

How To Use A College Computer System Safely 1.0 Overview Keuka College provides access to modern information technology in support of its mission to promote excellence and achievement across its mission areas of instruction, research, and service.

More information

AASTMT Acceptable Use Policy

AASTMT Acceptable Use Policy AASTMT Acceptable Use Policy Classification Information Security Version 1.0 Status Not Active Prepared Department Computer Networks and Data Center Approved Authority AASTMT Presidency Release Date 19/4/2015

More information

Get Confidence in Mission Security with IV&V Information Assurance

Get Confidence in Mission Security with IV&V Information Assurance Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving

More information

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007

More information

Boston University Security Awareness. What you need to know to keep information safe and secure

Boston University Security Awareness. What you need to know to keep information safe and secure What you need to know to keep information safe and secure Introduction Welcome to Boston University s Security Awareness training. Depending on your reading speed, this presentation will take approximately

More information

Cal State Fullerton Account and Password Guidelines

Cal State Fullerton Account and Password Guidelines Cal State Fullerton Account and Password Guidelines Purpose The purpose of this guideline is to establish a standard for account use and creation of strong passwords which adheres to CSU policy and conforms

More information

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA AND PACIFIC OFFICE ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT DRAFT Second Edition June 2010 3.4H - 1 TABLE OF CONTENTS 1.

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

CITY OF BOULDER *** POLICIES AND PROCEDURES

CITY OF BOULDER *** POLICIES AND PROCEDURES CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

THE UNIVERSITY OF IOWA INFORMATION SECURITY PLAN

THE UNIVERSITY OF IOWA INFORMATION SECURITY PLAN THE UNIVERSITY OF IOWA INFORMATION SECURITY PLAN This document is a compilation of resources, policy information and descriptions encompassing the overall (enterprise) information security environment

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Dr. Ron Ross National Institute of Standards and Technology

Dr. Ron Ross National Institute of Standards and Technology Managing Enterprise Risk in Today s World of Sophisticated Threats A Framework for Developing Broad-Based, Cost-Effective Information Security Programs Dr. Ron Ross National Institute of Standards and

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

IT Security Management Risk Analysis and Controls

IT Security Management Risk Analysis and Controls IT Security Management Risk Analysis and Controls Steven Gordon Document No: Revision 770 3 December 2013 1 Introduction This document summarises several steps of an IT security risk analysis and subsequent

More information

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health

More information

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS POLICY FOR THE INFORMATION SECURITY PROGRAM FINAL Version 4.0 August 31, 2010 Document Number: CMS-CIO-POL-SEC02-04.0

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

APHIS INTERNET USE AND SECURITY POLICY

APHIS INTERNET USE AND SECURITY POLICY United States Department of Agriculture Marketing and Regulatory Programs Animal and Plant Health Inspection Service Directive APHIS 3140.3 5/26/2000 APHIS INTERNET USE AND SECURITY POLICY 1. PURPOSE This

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Acceptable Use Policy

Acceptable Use Policy 1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established culture of openness,

More information

Revision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014

Revision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014 Information Security Information Technology Policy Identifier: IT-003 Revision Date: October 16, 2014 Effective Date: March 1, 2015 Approved by: BOR Approved on date: October 16, 2014 Table of Contents

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Information Security Policy. Policy and Procedures

Information Security Policy. Policy and Procedures Information Security Policy Policy and Procedures Issue Date February 2013 Revision Date February 2014 Responsibility/ Main Point of Contact Neil Smedley Approved by/date Associated Documents Acceptable

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

United Tribes Technical College Acceptable Use Policies for United Tribes Computer System

United Tribes Technical College Acceptable Use Policies for United Tribes Computer System United Tribes Technical College Acceptable Use Policies for United Tribes Computer System 1.0 Policy The purpose of this policy is to outline the acceptable use of computer equipment at United Tribes Technical

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Security and Privacy Controls for Federal Information Systems and Organizations

Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication

More information

ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure

ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure MANUAL: Hospital Wide SECTION: Information Technology SUBJECT: Acceptable Use of Information Systems Policy IMPLEMENTATION: 01/2011 CONCURRENCE:

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

HHS Information System Security Controls Catalog V 1.0

HHS Information System Security Controls Catalog V 1.0 Information System Security s Catalog V 1.0 Table of Contents DOCUMENT HISTORY... 3 1. Purpose... 4 2. Security s Scope... 4 3. Security s Compliance... 4 4. Security s Catalog Ownership... 4 5. Security

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

ICT Password Protection Policy

ICT Password Protection Policy SH IG 30 Information Security Suite of Policies ICT Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This document describes the information security

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

DATA SECURITY AGREEMENT. Addendum # to Contract #

DATA SECURITY AGREEMENT. Addendum # to Contract # DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Security Self-Assessment Tool

Security Self-Assessment Tool Security Self-Assessment Tool State Agencies Receiving FPLS Information, 7/15/2015 Contents Overview... 2 Access Control (AC)... 3 Awareness and Training (AT)... 8 Audit and Accountability (AU)... 10 Security

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

DIVISION OF INFORMATION SECURITY (DIS)

DIVISION OF INFORMATION SECURITY (DIS) DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

COORDINATION DRAFT. FISCAM to NIST Special Publication 800-53 Revision 4. Title / Description (Critical Element)

COORDINATION DRAFT. FISCAM to NIST Special Publication 800-53 Revision 4. Title / Description (Critical Element) FISCAM FISCAM 3.1 Security (SM) Critical Element SM-1: Establish a SM-1.1.1 The security management program is adequately An agency/entitywide security management program has been developed, An agency/entitywide

More information

E-mail Policy Of Government of India

E-mail Policy Of Government of India E-mail Policy Of Government of India October 2014 Version 1.0 Department of Electronics and Information Technology Ministry of Communications and Information Technology Government of India New Delhi -

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

PASSWORD MANAGEMENT POLICY OCIO-6012-09 TABLE OF CONTENTS

PASSWORD MANAGEMENT POLICY OCIO-6012-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER PASSWORD MANAGEMENT POLICY OCIO-6012-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy 1. Overview Nicholas Financial Inc. s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Nicholas Financial s established culture

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

