KEYWORDS: PEAS, MACINTOSH, MACS, LAPTOPS, ENCRYPTION, INVENTORY, APPLE, ASSET

Transcription

1 Standards: IT Asset Management Standards for Apple Macintosh Products (EISS- 8d.1) Business Unit: Information Security and Privacy Office Policy Reference: IT Asset Management Policy (EISP-8.1) Effective Date: 08/01/2015 Last Update: N/A KEYWORDS: PEAS, MACINTOSH, MACS, LAPTOPS, ENCRYPTION, INVENTORY, APPLE, ASSET PURPOSE: In accordance with the Enterprise Information Security Program (EISP-5.1), devices are required to comply with all Enterprise Information Security Policies, applicable Enterprise Security Standards, (e.g. Enterprise IT Acquisition, SDLC and Maintenance Standards and Enterprise IT Asset Management Standards) and Enterprise Security Procedures. Partners Enterprise Apple Support (PEAS) is the standard support model for Apple Macintosh devices within the Partners HealthCare community. This standard applies to Partners HealthCare, its institutions, workforce, employees, researchers and contractors of Partners HealthCare or a Partners HealthCare Institution. Key to this program is the ability to facilitate compliance with federal and state regulations, and Partners HealthCare policies. Requirements have been organized for ease of use into the following areas: 1. Standard Use 2. Standard Environment 3. Standard Access Rights 4. Standards for Data Capture These standards were developed in alignment with the NIST Control Families. STANDARDS: 1. Standard Use 1.1. Partners Enterprise Apple Support (PEAS) is the standard for Apple Macintosh devices within the Partners HealthCare community All institutionally-purchased or owned Apple Macintosh devices must be enrolled in PEAS PEAS is available for personally owned Apple Macintosh devices Any Apple Macintosh device used as their primary work device to conduct Partners HealthCare business must be enrolled in PEAS. NOTE: Any personally owned Apple Macintosh product that connects to Partners network resources is required to comply with Enterprise Information Security Policies, Standards and Procedures. By enrolling personally owned Apple Macintosh products in PEAS, individuals can validate their compliance with all applicable Partners HealthCare Information Security Policies, Standards and Procedures in a simple and standard manner. Pub/Rev: 8/1/2015 Sensitivity: Institutional Page 1 of 5

2 2. Standard Environment 2.1. PEAS standard implementation consists of a client-server infrastructure composed of a central inventory and policy server, and an end-user client. 3. Standard Access Rights are provided as follows: 3.1. PEAS Enterprise Administrators: Access to the full administrative console is restricted to members of the PEAS team. These administrators have visibility to all data and may modify policies according to Institutional guidelines, initiative, or policies PEAS Site Administrators: Access to read and update inventory of only their departments Macs. Site Administrators do not have access to other inventory. Site Administrators have the ability to develop policy specific to their department devices. Only PEAS Enterprise Administrators can implement policies Partners HealthCare Information Security Officers: Read-Only access is granted to inventory and reporting features. This group cannot modify policies Partners Enterprise Research Infrastructure and Services (ERIS): Access to a limited subset of data is granted to ERIS technicians for troubleshooting and inventory purposes. This group has access to view and update inventory data. This group cannot modify policies. 4. Standards for Data Inventory. The following list comprises the current state of collection for data capture. Partners HealthCare may update data elements collected in order to address operational or security initiatives. This document will be updated periodically to reflect changes to data collection practices Device Information captured by PEAS functionality: Computer name PEAS Site (for departmental purposes customizable per department) Last inventory update (based on polling of client) Last check-in date (last time the client contacted the server) IP address Software version (client software version) Managed or Unmanaged (for removing retired systems) Last enrollment date MDM capabilities Software computer ID (ID assigned by server) Asset Tag Bluetooth low energy capable Time Machine encryption status Time since boot 4.2. Hardware information captured by PEAS functionality: Make, Model, Model identifier UDID (unique device ID) Serial number Processor type and number of processors Bus speed Cache size Primary and secondary MAC address Total RAM and available RAM slots Pub/Rev: 8/1/2015 Sensitivity: Institutional Page 2 of 5

3 Battery capacity SMC version (System Management Controller) NIC Speed (Network Interface Controller) Optical drive information, Boot ROM 4.3. Operating System information captured by PEAS functionality: Operating System, OS version, and build number Active Directory status (bound to domain or not) Master password set FileVault users 4.4. Ownership information (populated by PPD and Active directory) captured by PEAS functionality: Partners HealthCare ID (Partners username) Full name address Phone number Job title Department Institution Location (building and room number) 4.5. Purchasing information captured by PEAS functionality Purchased or leased (we do not lease) Purchase order number and date Warranty Expiration date (AppleCare end date) AppleCare ID 4.6. Storage and disk encryption information captured by PEAS functionality: Disk model and revision number Disk serial number Disk drive capacity S.M.A.R.T. status (Self-Monitoring, Analysis and Reporting Technology) Number of disk partitions Partition name(s) and size Percentage of disk in use FileVault 2 state Core storage (Core Storage is a layer between the disk partition and the file system) Partition scheme FileVault 2 partition encryption state Individual recovery key validation Institutional recovery key (if individual recovery key is missing) Disk encryption configuration FileVault 2 enabled users 4.7. Extension Attributes (PEAS custom collected data) captured by PEAS functionality: Adobe Flash Player installed and version number Apple Software updates needed Bash vulnerability patched (ShellShock) Cisco AnyConnect version Current AirPort network (Wifi network) Pub/Rev: 8/1/2015 Sensitivity: Institutional Page 3 of 5

4 EnCase installation (Forensic Client Software) Enterprise Vault installed and version iworm botnet detection Java collection: JRE version, Java Web Plugin and version Patch management enabled (beta program) Patch management group (beta program) PEAS terminator (un-enrollment tool) PGP encryption status and percentage Recovery partition presence Screen-saver timeout SSH Last used date Syncplicity installed and version 4.8. Other information captured by PEAS functionality: Applications - Software collects a list of installed applications in order to provide the correct software through self-service Profiles Example: PEAS pushes a Java VPN hotfix to make VPN work Certificate Inventory No other Keychain Access data is collected User Accounts Local accounts listed on the device (UID, Username, Admin, Admin status, and home directory path) ENFORCEMENT Compliance must be met within 90 days of the effective date of this standard. All Partners HealthCare workforce members and Partners HealthCare Information Systems must comply with enterprise information security policies, standards and procedures unless a variance has been granted per the Information Security Program Policy [EISP-5.1] and supporting standards. In the absence of a Partners HealthCare standard, industry best practices are required. Disregard or failure to comply with Enterprise Information Security and Privacy Policies will be investigated in conformance with established entity procedures. Sanctions will be applied in accordance with Human Resources policies or Medical Staff Bylaws, Rules and Regulations and in accordance with the Breaches of Confidentiality and Information Security Sanctions for Employees and Medical Staff PH-116. REFERENCE: These standards are developed to provide actionable requirements that will reflect compliance with the overarching Enterprise IT Asset Management Policy (EISP-8.1). All Enterprise Information Security Policies, Standards and Procedures are published on Trove. The International Standards Organization (ISO) is a network of the national standards institutes of 148 countries with a Central Secretariat in Geneva, Switzerland, that coordinates the system. More information about ISO can be found at National Institute of Standards and Technology (NIST): Advancing the state-of-the-art in IT in such applications as cyber security and biometrics, the National Institute of Standards and Technology accelerates the development and deployment of systems that are reliable, usable, interoperable, and secure; advances measurement science through innovations in mathematics, statistics, and computer science; and conducts research to develop the measurements and standards infrastructure for emerging information technologies and applications. More information about NIST can be found at Pub/Rev: 8/1/2015 Sensitivity: Institutional Page 4 of 5

5 ATTACHMENTS: There are no attachments to these standards. DEVELOPMENT AND CONSULTATION Enterprise Security Policies are drafted and maintained by Partners Information Security Office and in collaboration with stakeholders including Partners executive management, departmental managers, staff and system owners. Reviewed by: Original Review Date: Revision Approval Dates: Information Security Operating Committee 6/23/2015 Brent Richter, Associate Director Enterprise 6/18/2015 Research Infrastructure and Services (ERIS) Jigar Kadakia, CISPO 7/14/2015 Jim Noga, CIO 7/15/2015 Pub/Rev: 8/1/2015 Sensitivity: Institutional Page 5 of 5