Excerpt of Cyber Security Policy/Standard S Information Security Standards

Transcription

1 Excerpt of Cyber Security Policy/Standard S Information Security Standards Issue Date: April 4, 2005 Publication Date: April 4, 2005 Revision Date: March 30, 2007 William F. Pelgrin Director New York State Office of Cyber Security & Critical Infrastructure Coordination 30 South Pearl Street, Floor P2 Albany, N.Y (Defined terms appear in Italics.) V2.0 March 30,

2 CYBER SECURITY STANDARD Reference: S Related Policy Title: Cyber Security Policy P Standard Title: Information Security Standards Replaces & Supersedes: Issued By: William F. Pelgrin, Director, NYS Office of Cyber Security and Critical Infrastructure Coordination Issue Date: April 4, 2005 Publication Date: April 4, 2005 Revision Date: March 30, 2007 (Defined terms appear in Italics.) V2.0 March 30,

3 Table of Contents PART 5. ASSET CLASSIFICATION AND CONTROL POLICY... 4 Asset Classification and Control Policy... 4 Standard... 4 PART 11. SYSTEMS DEVELOPMENT AND MAINTENANCE POLICY... 6 Cryptographic Controls Policy... 6 Standard... 6 Symmetric Cryptosystem Key Management Policy... 7 Standard... 7 DEFINITIONS... 9 CONTACT INFORMATION (Defined terms appear in Italics.) V2.0 March 30,

4 Part 5. Information Classification and Control Policy Information Classification and Control Policy Information, like other assets, must be properly managed from its creation, through authorized use, to proper disposal. As with other assets, not all information has the same use or value, and therefore information requires different levels of protection. All information will be classified and managed based on its confidentiality, integrity and availability characteristics. All information will have an information owner established within the SE s lines of business who will be responsible for assigning the initial information classification, access privileges of users, and daily decisions regarding information management. Periodic high-level risk assessments will be performed on the information to determine its relative value, risk of compromise, etc. Based on the results of the assessment, information will be classified or reclassified into one of the SE s information classifications. Each classification will have a set or range of controls, designed to provide the appropriate level of protection of the information and its associated software commensurate with the value of the information in that classification. If SE information is stored by a third party, the SE information owner is responsible for ensuring third party compliance with this policy and the associated Information Security Standards. Standard The following minimum controls must be met. Unless otherwise indicated, references to personal, private and sensitive information (PPSI) include PPSI on electronic media and in printed form. A. SE executive management will determine the appropriate level of management approval for access to PPSI. Access to PPSI must be periodically reviewed and updated by the appropriate information owner and the SE ISO. B. Any transportation or storage of electronic PPSI, or any transmission of electronic PPSI outside the SE, requires prior approval as determined by SE executive management. All requests must include a description of the information, the SE information owner, the process of transmitting, transporting or storing the information, the intended use of the information, the location of the information and an end date for the use of the information. C. Electronic PPSI shall only be stored on SE approved storage devices or in approved storage facilities where access is limited to authorized individuals. (Defined terms appear in Italics.) V2.0 March 30,

5 D. Any transmission, transportation or storage of electronic PPSI outside of an approved storage facility must be encrypted using a SE approved encryption methodology. Refer to the Cryptographic Controls Standard, Part 11 of this document, for encryption requirements. E. Transportation of electronic PPSI outside of the agency, including between approved storage facilities, requires special handling controls. Devices and/or media containing PPSI must be hand delivered by an SE employee or shipped using a delivery service that provides receipt confirmation (i.e., OGS courier, UPS, FedEx). In either case, a signature from the recipient is required. Devices and/or media must be double-sealed in appropriate, secure media storage containers, with the inner container marked to identify the classification of the information contained within and the distribution limitations. SEs will take measures to maintain a record of the whereabouts of devices and/or media containing PPSI at all times. F. The information owner s SE will maintain an inventory of all PPSI, including the final disposition of the data, and provide it to the SE ISO. G. Storing of electronic PPSI on devices not issued, owned, controlled or, approved in writing by executive management, upon recommendation of the SE ISO, is prohibited. H. If members of the SE workforce, not approved to store electronic PPSI, are in possession of such information they will be required to permanently wipe that information from the device using SE approved methods. I. If members of the SE workforce have access to PPSI and they are not approved or authorized for access to such information, that access must be terminated. J. Loss, theft or unauthorized access of PPSI should be immediately reported to the appropriate SE manager and the SE ISO. When an individual s electronic private information is involved, SEs are required to follow the Cyber Security Citizens Notification Policy, Part 12 of Cyber Security Policy P K. PPSI must be destroyed when no longer needed, as determined by the SE information owner, subject to the SE s records retention requirements. L. Electronic information used to authenticate the identity of an individual or process (i.e., PIN, password, passphrase, etc.) must be encrypted regardless of where the authentication information is stored, transported or transmitted. This does not include the distribution of a one-time-use PIN, password, passphrase, etc. (e.g., network logon forcing a password change). M. The information owner s SE is responsible for third party compliance with these standards. N. Any exemption to this standard must be processed and approved in writing by SE executive management, upon recommendation of the SE ISO. Exemptions must include (Defined terms appear in Italics.) V2.0 March 30,

6 other appropriate mitigating controls. A record of all approved exemptions shall be maintained by the SE ISO. Each exemption will include a timeframe identifying when it will be reviewed by the SE ISO to ensure that the need is still valid and required and the controls in place are appropriate and current. Part 11. Systems Development and Maintenance Policy Cryptographic Controls Policy Encryption is an important security layer that is used to protect the confidentiality of information. It must be used for the protection of PPSI. Encryption is an effective tool in mitigating the threat of unauthorized access to data. However, there are other threats, such as a hacker gaining access to an authorized user account or process, where more stringent controls and/or the use of multiple encryption levels must be considered. Based on a risk assessment, the required level of protection will be identified taking into account the type and quality of the encryption algorithm used and the length of cryptographic keys employed. In deciding what is best for the SE, the benefits of both individual and enterprise encryption solutions must be considered. Consideration must also be given to the regulations and national restrictions (e.g., import/export controls) that may apply to the use of cryptographic techniques in different parts of the world. Standard Only those encryption methodologies and products approved in writing by the SE ISO can be used by the SE and must incorporate the following minimum standards: A. Encryption products must have Federal Information Processing Standard (FIPS) 140 (Security Requirements for Cryptographic Modules) validation or use a National Institute of Standards and Technologies (NIST) approved encryption algorithm. B. For encryption of data at rest, a minimum key length of 168 bits must be used. It is highly recommended that a longer key length be used. C. For encryption of data in transit, a minimum key length of 128 bits must be used. It is highly recommended that a longer key length be used. D. An SE approved method of communication level encryption must be used for remote access to SE internal networks and when transmitting data over SE closed wireless networks. E. The following minimum encryption methods are required for SE approved storage devices, whether or not they reside in approved storage facilities. (Defined terms appear in Italics.) V2.0 March 30,

7 Laptops - All SE issued laptops, including notebooks, are required to have full disk encryption. Desktops It is recommended that all SE issued desktops have full disk encryption. All newly purchased SE issued desktops are required to have full disk encryption. All newly purchased laptops and desktops must have built in Trusted Platform Module (TPM) chips, version 1.2 or later, which provides another layer of security for cryptographic controls. Servers and mainframes All SE owned servers and mainframes that are not housed in an approved storage facility, are required to have full disk, volume level or folder level encryption. Personal Digital Assistants (PDAs) - All SE issued PDAs are required to have full disk, volume level or file level encryption. Removable Storage Devices It is recommended that all SE issued removable storage devices have full disk, volume level, folder level, file level or field level encryption. Full disk encryption products must include pre-boot authentication and must encrypt the entire hard drive, including system, temporary, hidden, swap and hibernation files. SEs must have a method in place for inventorying storage devices and validating that the encryption product has been appropriately installed. F. Public computers (i.e, those used in training labs, presentation laptops, kiosks, etc.), with no access to or storage of PPSI information, may be excluded on a case by case basis as approved by the SE ISO. A record of all public computer exclusions will be maintained by the SE ISO. Symmetric Cryptosystem Key Management Policy A secured environment must be established to protect the cryptographic keys used to encrypt and decrypt information. Access to these keys must be restricted to only those individuals who have a business need to access the keys. Loss of confidentiality of a cryptographic key would cause all information encrypted with that key to be considered unencrypted. Standard A. Unencrypted encryption keys must not be stored with the data that they encrypt. B. Keys will be randomly generated. (Defined terms appear in Italics.) V2.0 March 30,

8 C. If multifactor protection (i.e., smartcards, tokens, biometrics, etc.) is not employed, keys will be protected with a passphrase of at least 30 characters. D. Keys will be securely distributed and stored. E. SE will have a backup and recovery mechanism for encryption keys in place. F. Loss of a key will require that a new key be generated to continue protection of the encrypted information. (Defined terms appear in Italics.) V2.0 March 30,

9 DEFINITIONS Approved Storage Facilities: Office for Technology (OFT) Data Centers, SE physically secured central servers, and other facilities as approved in writing by SE executive management, upon recommendation of the SE ISO. These facilities include their internal data communication networks. Authentication: The process to establish and prove the validity of a claimed identity. Authorization: The granting of rights, which includes the granting of access based on an authenticated identity. Availability: This is the property of being operational, accessible, functional and usable upon demand by an authorized entity, e.g. a system or user Classification: The designation given to information or a document from a defined category on the basis of its sensitivity. Closed Wireless Network A private wireless network that only authorized users are permitted to access. Communication Level Encryption: Protects data by encrypting data on the move. This includes , web sites, ftp and copying over the network (i.e, VPN, HTTPS, SSL, etc.). Computer: All physical, electronic and other components, types and uses of computers, including but not limited to hardware, software, central processing units, electronic communications and systems, databases, memory, Internet service, information systems, laptops, PDAs and accompanying equipment used to support the use of computers, such as printers, fax machines and copiers, and any updates, revisions, upgrades or replacements thereto. Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. Controls: Countermeasures or safeguards that are the devices or mechanisms that are needed to meet the requirements of policy. Critical: A condition, vulnerability or threat that could cause danger to data, a system, network, or a component thereof. Cryptography: A method of storing and transmitting data in a form that only those it is intended for can read and process. Data: Any information created, stored (in temporary or permanent form), filed, produced or reproduced, regardless of the form or media. Data may include, but is not limited to personally identifying information, reports, files, folders, memoranda, statements, examinations, transcripts, images, communications, electronic or hard copy. (Defined terms appear in Italics.) V2.0 March 30,

10 Decryption: The reversal of a corresponding reversible encryption to render information intelligible using the appropriate algorithm and key. Encryption: The cryptographic transformation of data to render it unintelligible through an algorithmic process using a cryptographic key. Field Level Encryption: Protects data by encrypting data in certain fields of a database. File Level Encryption: Protects data by encrypting data on a file by file basis. Folder Level Encryption: Protects data by encrypting data on a folder by folder basis. Full Disk Encryption: Protects data by encrypting the entire drive no matter how many partitions it holds. This can be either hardware or software based. Information: Information is defined as the representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automated means. Information Owner: An individual or a group of individuals that has responsibility for making classification and control decisions regarding use of information. See Part 2 of Cyber Security Policy P03-002, Organizational and Functional Responsibilities. Information Security: The concepts, techniques and measures used to protect information from accidental or intentional unauthorized access, modification, destruction, disclosure or temporary or permanent loss (See Availability). Integrity: The property that data has not been altered or destroyed from its intended form or content in an unintentional or an unauthorized manner. Internet: A system of linked computer networks, international in scope, that facilitate data transmission and exchange, which all use the standard Internet protocol, TCP/IP, to communicate and share data with each other. Intranet: An internal (i.e., non-public) network that uses the same technology and protocols as the Internet. ISO: Information Security Officer. Key Length: A measure of the number of possible keys, specified in bits, which can be used in an encryption algorithm. Multi-User System: Multi-User System refers to computer systems that support two or more simultaneous users. All mainframes, servers and minicomputers are multi-user systems, but most personal computers, laptops and workstations are not. Passphrase A sequence of words or other text used to control access to a computer system, program or data, similar to a password in usage, but generally longer for added security (e.g., betty was smoking tires and playing tuna fish). (Defined terms appear in Italics.) V2.0 March 30,

11 Personal Digital Assistant (PDA): A small portable device, such as a Palm Pilot or Blackberry, that combines computing, telephone/fax, and networking features. Also called palmtop, handheld and pocket computer. Personal, Private and Sensitive Information (PPSI) : 1 Any information where unauthorized access, disclosure, modification, destruction or disruption of access to or use of such information could severely impact the organization, its critical functions, its employees, third party business partners, citizens of New York and/or its customers. This includes but is not limited to: Information concerning a person which, because of name, number, personal mark or other identifier, can be used to identify such person in combination with any one or more of the following data elements: social security number; driver s license number or non-driver identification card number; mother s maiden name; financial services account number or code; savings account number or code; checking account number or code; debit card number or code; automated teller machine number or code; electronic serial number; or any number or code which may be used alone or in conjunction with any other information (i.e., security code, access code, password) to assume the identity of another person or access financial resources or credit of another person. Data that identifies specific structural, operational, or technical information, such as: maps, mechanical or architectural drawings, floor plans, operational plans or procedures, or other detailed information relating to electric, natural gas, steam, water supplies, nuclear or telecommunications systems or infrastructure, including associated facilities; training and security procedures at sensitive facilities and locations as determined by the Office of Homeland Security (OHS); descriptions of technical processes and technical architecture; plans for disaster recovery and business continuity; and reports, logs, surveys, or audits that contain sensitive information. 1 The definition of PPSI incorporates the following: New York State General Business Law, 399-h; New York State Technology Law, 208 as added by Chapters 442 and 491 of the laws of 2005; and January 17,2002 Memorandum from Executive Chamber, State Operations, Subject: Agency Sensitive Information. (Defined terms appear in Italics.) V2.0 March 30,

12 Information used to authenticate the identity of an individual or process (i.e., PIN, password, passphrase, etc.). This does not include the distribution of a one-time-use PIN, password, passphrase, etc.; Other subjects and areas of relevant concern as determined by SE executive management. Private Information: Information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person in combination with any one or more of the following data elements: social security number; or driver s license number or non-driver identification card number; or account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual s financial account. Private information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Procedures: Specific operational steps that individuals must take to achieve goals stated in this policy. Risk Assessment: The process of identifying threats to information or information systems, determining the likelihood of occurrence of the threat, and identifying system vulnerabilities that could be exploited by the threat. SE: State Entity for the purpose of this policy, shall include all state agencies, departments, offices, divisions, boards, bureaus, commissions and other entities over which the Governor has executive power, the State University of New York Central Administration, the City University of New York Central Administration and all public benefit corporations the heads of which are appointed by the Governor. Sensitivity: The measurable, harmful impact resulting from disclosure, modification, or destruction of information. Standard: Sets of rules for implementing policy. Standards make specific mention of technologies, methodologies, implementation procedures and other detail factors. State: The State of New York. State Entity(ies): See SE. Storage Device(s): Device used to record and store data, including, but not limited to servers, mainframes, laptops, desktops, tapes, removable drives of any kind, thumb drives or other USB storage devices, PDAs, CDs, diskettes, etc. (Defined terms appear in Italics.) V2.0 March 30,

13 System(s): An interconnected set of information resources under the same direct management control that shares common functionality. A system may include hardware, software, information, data, applications or communications infrastructure. Third Party: Any non-se employee such as a contractor, vendor, consultant, intern, another SE, etc. Threat: A force, organization or person, which seeks to gain access to, or compromise, information. A threat can be assessed in terms of the probability of an attack. Looking at the nature of the threat, its capability and resources, one can assess it, and then determine the likelihood of occurrence, as in risk assessment. Trusted Platform Module (TPM) Chip: A hardware chip embedded on a PC or laptop s motherboard that offers facilities for secure generation of cryptographic keys, the ability to limit the use of keys (to either signing/verification or encryption/decryption), as well as a hardware random number generator. Unauthorized Access Or Privileges: Insider or outsider who gains access to network or computer resources without permission or without valid authorization. User: Any state entity(ies), federal government entity(ies), political subdivision(s), their employees or third party contractor(s) or business associates, or any other individual(s) who are authorized by such entities to access a system for a legitimate government purpose. Value A measure of worth which can be expressed in monetary terms or in terms of importance to the SE. Volume Level Encryption: Protects data by encrypting the entire partition of a disk, or, in the case of a single partition hard drive, the entire drive. VPN: Virtual Private Network. Internet protocol (IP) virtual private networks (VPNs) are a collection of technologies that ensure the privacy of data over a shared unsecured IP network infrastructure. The two key points as to what constitutes an IP VPN are privacy and an IP network. Vulnerability: A weakness of a system or facility holding information which can be exploited to gain access or violate system integrity. Vulnerability can be assessed in terms of the means by which the attack would be successful. Workforce: State employees, and other persons whose conduct, in the performance of work for the SE, is under direct control of the SE, whether or not they are paid by the SE. CONTACT INFORMATION (Defined terms appear in Italics.) V2.0 March 30,

14 Questions concerning these standards may be directed to the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), (518) (Defined terms appear in Italics.) V2.0 March 30,