Information Security Baseline (minimal measures)

Transcription

1 Information Security Baseline (minimal measures) 1

2 Version management Version September st draft Version September nd draft after review by Erik Adriaens Version October th draft after input from Maritta de Vries Version November th draft after review by information managers and ISSC Version December 2013 Draft after incorporating remarks from Consultation of the Directors of Administration Version February 2014 Adopted by the Board (same as 0.5) 2

3 Executive summary The information security baseline (Minimum Measures) constitutes an elaboration of Leiden University s information security policy and contains measures concerning the organisation and development of information services and the management and maintenance of these services. Additionally, a number of measures are listed that provide a basic level of security for university information systems. With the adoption and introduction of this Baseline, the strategic policy assumptions set forth in the information security policy are given a concrete implementation. Both the information security policy and the baseline concern all individuals, procedures and processes and information and information systems (whether managed by the university or subcontracted). Information systems includes the basic infrastructure (including other networks, workplaces and storage), concern systems (institution-wide systems) and the specific systems of units. The baseline encompasses measures that must be implemented on systems belonging to risk category 3. As for systems belonging to a higher category, such as categories 2 and 1, additional requirements are set, along with supplementary measures. 3

4 Contents 1. Introduction Motivation Vision on security Standards Baseline scope of activity Responsibility for the baseline Baseline objective 6 2. Basic security level The basic security level Supplementary measures 8 3. The baseline (set of minimum measures) 10 4

5 1. Introduction 1.1 Motivation Information security (IS) is a current topic. Every day there are reports in the media concerning things such as botnets, information siphoned off by (foreign) governments, DDoS attacks on banks, educational institutions, viruses that make charges to one s bank account, spam and phishing, etc. This makes it clear that more attention needs to be given to the issue and that countermeasures need to be identified and implemented to ward off such attacks. This Information Security Baseline (Minimal Measures) document constitutes an elaboration of Leiden University s information security policy and contains measures concerning the organisation and development of information services and the management and maintenance thereof. Additionally, a number of measures are listed that provide a basic level of security for university information systems. The adoption and introduction of this Baseline represent the implementation of the strategic policy assumptions established in the information security policy (separate document). 1.2 Vision for security The vision is discussed in the information security policy. In brief, what it boils down to is that Leiden University wants to actively contribute to the security and perceived security of all university employees and students and of all its guests. Not because the environment is currently insecure, but in order to continue to safeguard a secure environment. Security is a precondition for a good academic climate in which those involved can flourish without hindrance. As a research institution, the University also wishes to contribute to the development and improvement of security within society. Summarised in a few points this means: Information security is and will continue to be a responsibility for the line management. The primary assumption for information security continues to be risk management. The classic IS approach, characterised by limiting possibilities, is making way for safe facilitation. The focus is shifting from securing the network to securing data. Responsible and deliberate behaviour on the part of individuals is essential for good information security. Information security requires an integrated approach. 1.3 Standards The framework of standards for the information security policy and the baseline of measures is based on the Information Security Code: NEN 27001:2005 and NEN 27002:

6 1.4 Baseline scope of activity Both the information security policy and the baseline concern all individuals, procedures and processes and information and information systems (whether managed by the university or subcontracted). Information systems includes the basic infrastructure (including other networks, workplaces and storage), concern systems (institution-wide systems) and the specific systems of units. The baseline includes measures that must be implemented on systems belonging to category 3. As for systems belonging to a higher category, such as categories 2 and 1, additional requirements are set, along with supplementary measures. 1.5 Responsibility for the baseline The Executive Board is ultimately responsible for the baseline, and adopted it on [date]. The security manager is responsible for maintaining this baseline. The information or system owner is responsible for applying the baseline. The responsibilities are further elaborated in the information security policy. 1.6 Baseline objective The goal of the baseline is to safeguard the continuity of business operations and to minimise damage by preventing security incidents and minimising possible consequences. 6

7 2. Basic security level 2.1 The basic security level All data in systems to which this information security policy is applicable gets classified. The level of the security measures depends on the category. The category to which information is assigned depends on the data in information systems and is determined on the basis of risk analyses. In this regard the following aspects are significant: a. availability b. integrity c. confidentiality Availability is the degree to which data or functionality is available for users at the appropriate times. Integrity is the degree to which data or functionality are input correctly. Confidentiality is the degree to which access to data or functionality is limited to those who are authorised. Aspects and characteristics of information security and related threats: Aspect Characteristic Threat Examples of threat Availability Timeliness Delay Infrastructure overload Continuity Outage Faulty infrastructure Integrity Correctness Modification Unauthorised changes to data; virus infection; typographical error Completeness Removal Unauthorised deletion of data Addition Unauthorised addition of data Validity Obsolescence Failure to keep data up to date Authenticity Falsification Fraudulent transaction Irrefutability Denial Denying having sent a particular message Confidentiality Exclusivity Disclosure Listening in on the network; hacking Misuse Large-scale private use The basic security level consists of the following: Category Description Measure Level 3 Breach in availability, exclusivity and integrity of the system does not cause a (major) disruption. The system must meet the minimum measures (IS baseline). 7

8 The valuation of the three aspects of IS looks like this: IS aspects Availability Confidentiality Integrity Valuation (Low, Mid, High) L L L The baseline level is the level of basic risk. This means that a risk classification has been carried out and the availability, confidentiality and integrity are at the level of low. For this level, measures have been drawn up which every system must meet. If the system has an increased or high risk, extra (supplementary) measures must be taken. 2.2 Supplementary measures If the data category is designated as level 2 or level 1, a high level of security is necessary. A higher level is needed in situations where, for instance, confidential information is worked with and a higher availability of the system or (high) integrity of information is required. Supplementary measures can also concern protecting privacy. This is the case, for example, when loss or unlawful/careless use of personal information causes additional adverse consequences for the individual involved. The following measures must be taken if the risk analysis makes it apparent that the system has an increased or high risk: IS aspects Availability Confidentiality Integrity Selection from the supplementary measures Redundancy Emergency power supply Fail-over provision Continuous monitoring and follow-up Secure storage of source software Data transport encryption Hard authentication Authorisation according to role Clear desk Monitoring removal Monitoring input Authorisation according to role Training (core) users Licence servers Combating shadow files 8

9 After completion of the risk analysis, the security manager draws up a report with the classification. This report is issued to the system owner so that he/she knows what shape the security of the system is in and what measures should be taken. Recommendations are also made. If the owner deviates from this advice, this must be submitted to the security manager. Each year a check will be made whether any incidents have occurred that call for modifying a risk analysis. 9

10 3. The baseline (set of minimum measures) The standard set of minimum measures below is based on the Information Security Code. The measures are described as an end result that can be tested for. It is the responsibility of either the system owner or the management of the faculty or unit to safeguard the measures. Organisation 1. The various roles as defined in the information security policy are assigned. 2. Nobody in an organisation may have the permissions at operational level to have control over an entire cycle of actions in a critical information system. This is due to the risk that he/she may wrongfully favour him/herself or others, or may inflict damage on the organisations. This applies both to information processing and to management actions. Classification and management of assets 3. An up-to-dated register will be kept of assets (with purpose and owner) that represent an interest for the organisation, such as (collections of) information, software, hardware and services. 4. A responsible line manager will be designated for each business process, application and data collection. 5. Categorisation guidelines have been drawn up for classifying information. 6. All software must be licensed, either by the faculty/unit itself or the ISSC. Illegal software is not allowed. 7. Real Estate is responsible for the blueprints of buildings, with all relevant details. 8. The existence and consequences of the Code of Conduct for ICT facilities and services will be regularly brought to the attention of all users of Leiden University information services, in any case whenever employees are hired and when students begin a degree programme at Leiden University. 9. The system owner will ensure there is an exit procedure whereby access rights to information services can be revoked for staff and students leaving the university/faculty/department. 10. Security measures have been taken concerning (sensitive) equipment and files in a computer area. 10

11 Management of communications and operational processes 11. ISSC has operational procedures that include information about booting up, shutting down, backup and restoration steps, handing errors, managing logs, contact people, emergency procedures and special measures for security. 12. There are logically separate systems for Development, Testing and/or Accepting and Production (DTAP). The systems and applications in these zones do not influence systems and applications in other zones. 13. The ICT services will meet the level of availability agreed upon for the services. 14. Measures have been taken for detection, prevention and restoration to protect against malware (viruses, Trojan horses, spam, etc.) on infrastructure. 15. There is a data backup policy that is defined in service level agreements (SLOs). 16. Back-up media with a storage duration of longer than 1 year will be checked for readability at least once a year. If there are doubts regarding the quality of the media, the media will be duplicated in order to obtain a good-quality copy. 17. At least the monthly backups will be stored off-site. Other backups will be kept in a space that is not located in the vicinity of the computer area(s). 18. When confidential data is exchanged between two systems, whereby a connection is used that is not property of the University, this data must be encrypted prior to being sent. 19. Changes to IT systems will be planned according to ITIL and approved through a change procedure. Access security 20. Formal procedures have been established for registering and deregistering users, for granting and revoking access rights to all information systems and services. 21. Non-employees of the ICT department involved will only be allowed access to server spaces accompanied by an ICT department employee. 22. All default passwords must be replaced with non-default passwords on all systems. Passwords will be stored on a system in unilaterally encrypted form. 23. Networks must be secured against unauthorised access. 24. A password must consist of at least 8 and at most 13 characters, contain at least 1 lower case letter, 1 upper case letter and 1 numeral and be valid for a maximum of 182 days. This part is currently undergoing a change in the new policy. Once the change is determined, this text will be replaced. 25. Encrypted network protocols (HTTPS, IMAPS, POP3S) are always used for the login procedure. 11

12 26. Users will observe good security habits such as not writing down one s passwords, never sharing a password with others, changing one s password if there is a suspicion that it has become known to a third party and locking down one s workspace when absent. 27. There is a policy concerning the use of networks and network services. Users will only be granted access to network services that are necessary for their work. 28. BYOD (or private) devices will only gain access using secured interfaces designed especially for that purpose. 29. If remote access to (critical) applications is granted by the system owner, for (functional) managers this shall take place on the basis of two-factor authentication. 30. Employees mobile devices (such as a handheld computer, tablet, smartphone or laptop) on which business information is stored will be equipped with a password, encryption and anti-malware. Wherever possible, this will be enforced by technical means. Wherever possible, opening business information on mobile devices will take place on the basis of zero footprint (with online access, but with no data on the device). If a zero footprint is not (yet) feasible or is undesirable from a functional standpoint, data will be stored in encrypted form. Upon loss or theft, the relevant passwords will be changed immediately. Development and maintenance of systems 31. All information systems shall have an owner, a functional manager and a technical manager. 32. Before a new information system is introduced, a risk analysis will be used to determine which risk category the information processed by this system belongs to and how this new system impacts the existing environment. The methodology and the three categories basic risk, increased risk and high risk apply here. 33. Systems belonging to the basic risk category must meet the minimum measures. For systems belonging to the increased risk and high risk categories, a supplemental risk analysis will be conducted, which may result in supplemental measures. 34. An information system will only become part of the operational IT environment after being formally approved and accepted by the system owner and the ICT department. 35. For all components in the entire information service a procedure will be put into place that ensures that security updates on systems are applied in a timely and correct fashion. Critical patches (as classified by the software provider such as Microsoft, Oracle (including Sun), etc.) must be installed at least on a monthly basis. Non-critical security patches need to be installed at least on a quarterly basis. 12

13 36. The log files of all workstation, server and network systems will be assembled at a central point and undergo automated checks for irregularities. Irregularities having no clear (innocent) explanation will be designated, registered and investigated as security incidents. All clocks on the network must be synchronised with each other in view of the need to be able to compare the time stamps (log books). 37. Security incidents shall be recorded in a system. A report can be generated upon request that gives an overview of the security incidents. 38. A person has been designated as responsible for the handling these security incidents. 39. There shall be a disaster plan in which activities are described such as preventing the interruption of business activities and protecting critical business processes from the consequences of major disruptions in information systems or disasters and in order to achieve timely restoration. Monitoring and compliance 40. Periodically, at least once per year, the entire ICT (network) environment will be scanned by ISSC to identify weak spots using a vulnerability scanner. The security manager will be informed of the results. 41. The system owner or the security manager can in consultation with the ISSC have penetration tests conducted on the entire ICT (network) environment. 13