Maryland Administrative Office of the Courts Judicial Information Systems Department. Security Policy and Standards


Maryland Administrative Office of the Courts
Judicial Information Systems Department
Security Policy and Standards
Approved: February 2005
Revised: June 28, 2010

TABLE OF CONTENTS

Introduction
1.0 Information Technology Security Policy
  1.1 Definitions
  1.2 Scope
  1.3 Objective
  1.4 Authority
  1.5 Compliance
  1.6 Security Program Maintenance and Review
2.0 Responsibility Standard
  2.1 Technology Oversight Board (TOB)
  2.2 Executive Director - JIS
  2.3 Data Security Administrators
  2.4 Data Center Operations
  2.5 Judicial Branch Members and Their Agents
3.0 Information Technology Security Program Standard
  3.1 Security Policies
  3.2 Risk Management
  3.3 Systems Development Life Cycle Methodology
  3.4 Disaster Recovery/Business Continuity Planning
  3.5 Security Awareness, Training and Education
  3.6 Incident Response Process
  3.7 External Connections Review
  3.8 Contracts
  3.9 Projects
4.0 Nonpublic Information Standard
  4.1 System Sensitivity Designation
5.0 Access Control Standard
  5.1 Authentication
  5.2 Authorization
  5.3 Audit Trail
  5.4 Violation Log Management and Review
  5.5 Separation of Duties
6.0 Network Security Standard
  6.1 Remote Access
  6.2 Banner Text
  6.3 Firewalls & Network Devices
  6.4 Intrusion Detection Systems
  6.5 Service Interface Agreement
  6.6 Teleworking
  6.7 Wireless Networks
Physical Security Standard
  Secured IT Areas
  Storage Media Disposal
  7.3 Media Reuse
  Storage and Marking
  Personnel
Microcomputer/PC/Laptop Security Standard
  General Controls
  Software Licenses and Use
  Laptop Security and Mobile Computing
  Personally Owned Data Processing Equipment
Encryption Standard
Use of Electronic Communication Standard
Appendix A
Appendix B
Appendix C

Revised and Approved by the Maryland Judiciary Technology Oversight Board, June 28,

Introduction

This document provides the policy and supporting standards for information security to protect the information technology assets of the Maryland Judiciary. (Individual security policies are handled under a separate document.) It establishes general requirements and responsibilities for protecting technology systems. The standards establish minimum levels of compliance for current operating platforms. The policy and standards cover such common technologies as computers, data and voice networks, wireless systems, web systems, and many other specialized resources.

The policy is necessitated by the Judiciary's use of information technology to help carry out nearly all of its public services and internal operations. The delivery of critical public services depends on the availability, reliability and integrity of its information technology systems. A common security approach, based on the State's Department of Information Technology IT Security Policy and Standards and COBIT [1], also supports compatible security solutions, yielding a better return on technology investment.

This security policy and standards will evolve and will require annual review. The policy and standards are administered by the Judicial Information Systems, a unit of the Administrative Office of the Courts, subject to the advice and guidance of the Judiciary's Information Technology Oversight Board. Persons with questions or needing further information are encouraged to contact the Director at the Judicial Information Systems ( ).

[1] COBIT stands for Control Objectives for Information and related Technologies, which serves as the basis for the standards used by the IT Governance Institute.

1.0 Information Technology Security Policy

Judicial information technology and the data contained within its various applications are of critical value to the courts and their public and private constituents. This Policy and its supporting standards are established to protect Judiciary technology assets.

1.1 Definitions

Administrative Official: The Chief Deputy Clerks of the appellate and circuit courts; the Chief Clerk and Chief Commissioner, Assistant Chief Clerks and Administrative and County Clerks of the District Court; the State Court Administrator, the Deputy State Court Administrator and directors and deputy directors of the Administrative Office of the Courts; the Director and executive staff of respective units within court-related agencies, as well as offices under the direct authority of the Chief Judge of the Court of Appeals.

Employee: Any person employed by the Judiciary (whether regular, contractual, temporary or a volunteer), except a judge and Clerk of Court.

1.2 Scope

This Policy applies as specified to anyone provided access to judicial technology assets and to all information that is generated, received, stored, printed, filmed, and typed electronically. The policy encompasses:

- All courts, units and departments of the Judicial Branch of the State of Maryland that are part of the Judicial Information Systems network; [2]
- All activities and operations required to ensure data security, including facility design, physical security, disaster recovery and business continuity planning, use of hardware and operating systems or application software, data disposal, and protection of copyrights and other intellectual property rights.

1.3 Objective

This policy seeks to establish a set of electronic security standards for the Judicial Branch that:

- Establish a secure environment for the processing of data;
- Reduce information security risks; and
- Establish responsibilities for the protection of information.

[2] Those courts on county networks shall have a similar policy and standards that demonstrate compliance.

1.4 Authority

The Chief Judge of the Court of Appeals is the establishing authority for this Policy, with the advice and guidance of the Judiciary's Information Technology Oversight Board (TOB), in accordance with the Administrative Order as amended on September 9,

1.5 Compliance

The head of each court, unit or department is responsible for adherence to and enforcement of this policy. Under the direction of the State Court Administrator, JIS shall develop and implement an IT Security Program in support of this policy. Additionally, JIS will develop a security awareness training program. The Security Program shall include a timetable and controls for compliance, subject to the advice and guidance of the TOB. The controls shall include, but not be limited to, the following:

- Maintenance of the confidentiality, integrity, availability, and accountability of all Judiciary information technology applications and services;
- Protection of information according to its sensitivity, criticality and value, regardless of the media on which it is stored, the automated systems that process it, or the methods by which it is distributed;
- Assurance that risks to information security are identified and controls implemented to mitigate those risks;
- Implementation of processes to ensure that all security services meet the minimum requirements set forth in this policy and standards document;
- Assurance that all Judiciary employees, contractors and users understand and comply with this policy and standards, as well as all applicable laws and regulations; and
- Implementation of physical security controls to prevent unauthorized and/or illegal access, misuse, destruction or theft of the Judiciary's information technology assets.

1.6 Security Program Maintenance and Review

The Judicial Information Systems Department shall review and update the IT Security Program annually to conform to changes within the Judiciary or in the State's IT Security Program issued by the State Department of Information Technology. The results of the annual review shall be provided to the State Court Administrator and the TOB. Any changes to the Judiciary's IT Security Program shall be published immediately.

2.0 Responsibility Standard

- Technology Oversight Board
- Executive Director - JIS
- Data Security Administrators (JIS and decentralized security staff, such as):
  - Howard County Police
  - Parole and Probation
  - Montgomery County Sheriff's Office
  - Baltimore City State's Attorney's Office
  - Department of Corrections
  - Baltimore City Police
  - Baltimore County Police, and
  - Office of the Public Defender
- Data Center Operations
- Judicial Branch Members and Agents

2.1 Technology Oversight Board (TOB)

The TOB shall provide advice and guidance to the development and implementation of this security policy and its standards, as well as the IT security program developed by the Judicial Information Systems Department.

2.2 Executive Director - JIS

The Judiciary Executive Director of JIS shall:

- Update and review this policy annually;
- Develop and implement the Security Program;
- Recommend any deviations to IT security requirements;
- Ensure compliance with and enforcement of this policy, including establishing the appropriate measures and remedial actions for non-compliance;
- Present changes and updates to the Security Policy and Security Program to the State Court Administrator and the TOB annually; and
- Update the Business Continuity of Operations Plan annually.

2.3 Data Security Administrators

The duties of the JIS Data Security Administrators include but are not limited to the following:

- Administration and maintenance of the Judiciary Security Program, which includes policies, standards, guidelines, best practices, IT disaster recovery planning guidelines, security awareness training, and an incident response reporting capability;
- Identification of security vulnerabilities in Judiciary systems and recommendation of corrective actions;
- Development and maintenance of a Judiciary Statewide security architecture;
- Provision of the appropriate guidance to assist other Judiciary units and/or departments in establishing an IT Security Program in support of compliance with this IT Security Policy and Standards;
- Assurance that all employees, contractors, auditors, temporary workers and all other users of JIS resources are aware of this Policy;
- Enforcement of the Judiciary's IT Security Policy;
- Management of the program and initiation of measures to assure and demonstrate compliance with security requirements;
- Assurance of the confidentiality, integrity, availability and accountability of all information while it is being processed, stored, and/or transmitted electronically, and of the security of the resources associated with the processing functions;
- Resolution of security and privacy incidents;
- Establishment and maintenance of a process for the classification of information in accordance with the Administrative Order on Public Access, dated February 9, 2004;
- Establishment and maintenance of a configuration/change management process, used in conjunction with the Change Control and Architecture Control Boards to maintain the security of the IT systems;
- Administration of a virus prevention and incident reporting program; and
- Establishment of separation of duties and assignment of appropriate system permissions and responsibilities for system users.

2.4 Data Center Operations

Responsibilities of Data Center Operations include but are not limited to the following:

- Ensures IT Disaster Recovery/Business Continuity plans for critical IT Systems are developed, implemented and maintained, and that plans are exercised at least annually.

2.5 Judicial Branch Members and Their Agents

Responsibilities of Judicial Branch members and their agents include but are not limited to the following:

- Awareness of their responsibilities for protecting IT assets of the Judiciary as specified in this Policy; [3]
- Exercise of due diligence in carrying out the IT Security Policy;
- Accountability for their actions relating to their use of all IT systems;
- Use of IT resources only for the intended purposes as defined by policies, laws and regulations of the State; and
- Compliance with this Policy.

[3] This important information can be found as a link on the JIS web page of CourtNet.

3.0 Information Technology Security Program Standard

The JIS Department is responsible for administering the IT Security Program, which includes protecting the Judiciary's communications systems, computer systems, networks, and data in accordance with this Policy. While not exhaustive, the following serve as the minimum requirements for an IT Security Program:

- Security Policies
- Risk Management
- System Development Life Cycle Methodology
- Disaster Recovery/Business Continuity Planning
- Security Awareness Training
- Incident Response Process
- External Connections Review
- Contracts
- Projects

3.1 Security Policies

The JIS Executive Director shall develop, implement, and maintain the IT Security Program, with standards, policies and procedures for all system platforms, on-line applications and the network topologies. This program and its standards will be incorporated into the Security Policy software administered at JIS.

3.2 Risk Management

A process shall be implemented to assess the acceptable risk to Judiciary IT Systems as part of a risk-based approach used to determine adequate security for the systems. JIS shall analyze threats and vulnerabilities, select appropriate, cost-effective controls to achieve and maintain a level of acceptable risk, and document this process. JIS will define a schedule for on-going risk management reviews and evaluations based on the system sensitivity and data classification of the respective system. Refer to the NIST Special Publication Risk Management Guide for Information Technology at: for guidance.

3.3 Systems Development Life Cycle Methodology

All judicial systems must include IT security as part of the system development life cycle (SDLC) management process. References to the Best Practices in the State of Maryland SDLC Methodology include the following:

- Implement requirements for ensuring authenticity and protecting message integrity in applications;
- Implement input and output data validation checks to ensure data is correct and appropriate;
- Implement processes to control the installation of software on operating systems;
- Implement procedures to select, protect and control test data. Do not use test data in a production environment or use production data in a test environment without careful consideration;
- Limit access to program source code and place source code in a secure environment; and
- Implement change/configuration control procedures to minimize the corruption of information systems through approval of the Change Control and/or Architecture Control boards.

3.4 Disaster Recovery/Business Continuity Planning

The JIS Department shall develop, implement and test its IT Disaster Recovery/Business Continuity plan in conjunction with the Judiciary's Continuity of Operations Plan for each critical IT system to ensure that contingency systems will be available in the event of a disaster or outage of the primary production systems.

3.5 Security Awareness, Training and Education

The JIS Department shall develop and implement a security awareness, training and education program for all employees, contractors and users to ensure that they adhere to the IT Security Policy.

3.6 Incident Response Process

The JIS Department shall develop and implement an IT Incident Response process for the purpose of detecting, tracking, logging and reporting security incidents for each platform.

3.7 External Connections Review

External network connections, non-networked computers and remote connections shall be managed, reviewed annually and documented as prescribed by the IT Security Program. Results will be reported to the State Court Administrator and the TOB as part of the annual IT security assessment.

3.8 Contracts

Contracts shall contain clauses covering the contractor's adherence to Judiciary IT security policies and related controls. Contract contents should also include the level of system access to be provided to the vendor. The contract should be written to protect Judiciary IT assets if data will be transmitted between the contractor and the Judiciary. In such cases, the IT contract design should endeavor to maintain security at every point between sending and receipt.

3.9 Projects

Information Technology projects, especially systems development activities, should be managed to ensure that delivered solutions are consistent with this Policy, Standards, Programs and related controls. Plans for executing IT projects should include a general process for addressing IT security and other system controls. The Project Management Office (PMO) within JIS shall ensure that all projects designated as Major IT Development projects create a Security Plan that addresses the systems development standards within this Policy, and that each plan is submitted to the JIS Security Officer for review and approval.

4.0 Nonpublic Information Standard

The JIS Department shall establish and document a process that protects nonpublic information from disclosure to unauthorized individuals or entities, including other state or federal agencies, in consultation with the Judiciary's Access Rules Advisory Group Committee. The process shall be compliant with the Maryland Rule on Public Access, the Maryland Public Information Act and any applicable federal laws.

4.1 System Sensitivity Designation

The JIS Department shall specify corresponding data security classifications and controls that must be in place for the data within the respective systems. When the IT System is shared between State units and/or between state, federal or local units, the highest level of classification will determine the classification of the data or IT System. For example, one agency may categorize the data at a medium level while the second agency may classify the data at a basic level; therefore, the data at both agencies will be at a medium level. All parties sharing the IT System or data must agree to the initial classification and any change in the classification. An IT System shall clearly identify data that is considered Proprietary and/or Protected Information (PPI), and any electronic exchange of data will clearly state that the information is Proprietary and/or Protected Information.

5.0 Access Control Standard

The JIS Department shall ensure that only authorized persons are granted access to its resources, and that these persons use this privilege for appropriate information access. To help accomplish this, JIS shall establish at a minimum the following:

- A process where update access is granted only with the approval of the appropriate administrative official;
- An authentication process to verify the identity of users prior to initiating a session or transaction on the Judiciary IT system;
- An authorization process that specifically grants access to information, ensuring that access is strictly controlled and audited and that it supports the concepts of "least possible privileges" and "need-to-know";
- An audit trail process to ensure accountability of system and security-related events for critical applications;
- A process for ensuring that security audit logs, incident reports and on-line reports are generated at least one (1) time per business day;
- An investigation process for any unusual or suspicious items that includes reporting and taking necessary actions, if needed;
- An internal assessment process for verifying compliance with this Policy;
- The processes to establish, manage and document user-id and password administration within individual court sites;
- A review process for protecting nonpublic information;
- A process for explicitly authorizing access to nonpublic information;
- A process for documenting and escalating all instances of non-compliance with this Policy;
- A segregation of the functions of system administration and security administration to provide separation of duties;
- Guidelines prohibiting security personnel from initiating, programming, processing or authorizing business transactions; and
- Independent audits of the unit's security administrators' security transactions with senior management oversight.

5.1 Authentication

The following usage requirements shall apply to all users of JIS resources, except those related to public access terminals or inquiry-only applications such as CaseSearch:

- Each user must be uniquely identified;
- Each user is responsible for all activity performed with their USERID;
- Group or shared IDs are prohibited unless they are documented as Functional IDs.

Functional IDs are user accounts associated with a group or role that may be used by multiple individuals (e.g. Emergency Problem/Firecall IDs) or that are associated with a particular job process (e.g. Control-M used by Computer Operations personnel for submitting production jobs). Passwords associated with Functional IDs are exempt from the password restriction on sharing and change requirements as specified by the following Password Construction Rules and Change Requirements (Mainframe and RS/6000 systems only).

5.2 Authorization

The JIS Department must have the following authorization controls implemented:

- A documented process to ensure that access privileges are verified at least annually by each JIS Security Administrator;
- An automated process to ensure that individual Novell user sessions either time out or initiate a password-protected screen saver after a period of thirty (30) minutes of inactivity;
- A documented process to ensure that access rights reflect changes in employment and/or contractor status within twenty-four (24) hours of being notified of the change;
- A documented process to ensure that physical and electronic access is immediately disabled upon a change in employment status, where appropriate and notification is received;
- An automated process to ensure that user-ids are disabled after sixty (60) days of inactivity and deleted after ninety (90) days of inactivity, unless they are extended through the explicit approval of the Data Security Administrator (NOTE: Functional IDs, if justified, may be exempted from this requirement); and
- A process/system to ensure that access privileges are traceable to a unique user-id.
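The inactivity control in Section 5.2 (disable after sixty days, delete after ninety, with the Functional ID and explicit-extension exemptions) is applied to constructed sample accounts by the Python below. It is an added illustration, not part of the Standard or of any JIS system; the Account fields and the treatment of day 60 and day 90 as reaching the threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Inactivity thresholds stated in Section 5.2 of the Standard.
DISABLE_AFTER_DAYS = 60
DELETE_AFTER_DAYS = 90


@dataclass
class Account:
    """Assumed shape of one user-id record; field names are not from the Standard."""
    user_id: str
    last_activity: date
    disabled: bool = False
    functional_id: bool = False              # documented Functional ID (Section 5.1)
    functional_exempt: bool = False          # exemption justified under the 5.2 NOTE
    extension_until: Optional[date] = None   # explicit Data Security Administrator approval


def inactivity_action(acct: Account, today: date) -> str:
    """Return the action Section 5.2 requires for one account as of `today`:
    'none', 'disable' or 'delete'."""
    # Exemptions: a justified Functional ID, or an unexpired explicit extension.
    if acct.functional_id and acct.functional_exempt:
        return "none"
    if acct.extension_until is not None and today <= acct.extension_until:
        return "none"
    idle_days = (today - acct.last_activity).days
    # "after sixty (60) days" / "after ninety (90) days": this code treats the
    # day the gap reaches the threshold as meeting it (an interpretation).
    if idle_days >= DELETE_AFTER_DAYS:
        return "delete"
    if idle_days >= DISABLE_AFTER_DAYS and not acct.disabled:
        return "disable"
    return "none"


def inactivity_report(accounts, today: date) -> dict:
    """Map each user-id to the action due, omitting accounts that need none."""
    report = {}
    for acct in accounts:
        action = inactivity_action(acct, today)
        if action != "none":
            report[acct.user_id] = action
    return report


# Constructed sample accounts (invented user-ids, not Judiciary data).
TODAY = date(2010, 6, 28)
SAMPLE_ACCOUNTS = [
    Account("usr1", date(2010, 6, 1)),                  # 27 days idle: nothing due
    Account("usr2", date(2010, 4, 20)),                 # 69 days idle: disable
    Account("usr3", date(2010, 3, 1)),                  # 119 days idle: delete
    Account("usr4", date(2010, 4, 1), disabled=True),   # 88 days idle, already disabled
    Account("usr5", date(2010, 3, 15), functional_id=True, functional_exempt=True),
    Account("usr6", date(2010, 3, 15), extension_until=date(2010, 7, 31)),  # extended
    Account("usr7", date(2010, 3, 15), extension_until=date(2010, 6, 1)),   # extension lapsed
]

if __name__ == "__main__":
    for user, action in inactivity_report(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {action}")
```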
5.3 Audit Trail

The following minimum set of events/actions shall be logged and kept as required by State and Federal laws/regulations:

- Additions, changes or deletions to data produced by IT systems;
- Identification and authentication processes;
- Actions performed by system operators, system managers, system engineers, technical support, and system administrators; and
- Emergency actions performed by support personnel and highly privileged system and security resources.

The audit trails must include at least the following:

- Date and time of the event;
- Name and type of access;
- Failure of the User-id of the person performing the action;
- Type of event;
- Asset or resource event; and
- Source (terminal, port, location, and so forth) where technically feasible.

In addition, all lapses in audit trails must be immediately investigated and reported upon by the data security administrators and the Data Center Senior Manager, and brought to closure within one (1) week.

5.4 Violation Log Management and Review

The data security administrators shall review all violations within one (1) business day of a discovered occurrence. At a minimum, the following events must be reviewed:

- Three (3) or more failed attempts per system day to access or modify security files, password tables or security devices;
- Disabled logging or attempts to disable logging;
- Three (3) or more failed attempts to access or modify nonpublic information within a week; and
- Any unauthorized attempts to modify software or to disable hardware configurations.

5.5 Separation of Duties

When applied to IT security and control, effective separation of duties should be driven by the activities/tasks of the functional unit and IT staff. There are occasions when the strict separation of duties is not practical to apply to a technical IT unit. In such cases, a compensating control will be established and approved by the Executive Director of the JIS Department to offset the lack of functional unit separation of duties.

The following three (3) separate personnel tiers shall be applied to the administration of data security as minimum requirements to ensure IT security accountability on the mainframe platform:

- An Approver: the appropriate administrative official who gives signed approval for the addition and/or change;
- An Executor: the person actually performing the addition or change; and
- A Reviewer: a separate person who will review both the request for addition/change and the implemented result to ensure the two are correct and provide the requested access/resource.
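The Python below is an added illustration of Sections 5.3 and 5.4 above, not part of the Standard or of any JIS tooling: it holds constructed audit-trail records carrying the minimum fields of Section 5.3 and applies the four Section 5.4 review thresholds to them. The field names, the asset classes used to tell security files and nonpublic information apart, and the sliding seven-day window used for "within a week" are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditRecord:
    """One audit-trail entry; field names are assumed, the fields follow Section 5.3."""
    ts: datetime             # date and time of the event
    user_id: str             # user-id of the person performing the action
    event: str               # type of event: ACCESS, MODIFY or DISABLE
    result: str              # SUCCESS or FAILURE
    asset: str               # asset or resource the event concerned
    asset_class: str         # security, nonpublic, software, hardware, logging, other
    source: str              # terminal, port or location
    authorized: bool = True  # False when the attempt was made without authorization


# Thresholds stated in Section 5.4.
FAILED_SECURITY_PER_DAY = 3
FAILED_NONPUBLIC_PER_WEEK = 3
WEEK = timedelta(days=7)


def review_violations(records):
    """Return the events Section 5.4 requires the data security administrators to
    review, as (rule, user_id, detail) tuples, at most one per user per rule."""
    findings = []
    sec_fail = defaultdict(int)      # (user, system day) -> failed attempts
    nonpub_fail = defaultdict(list)  # user -> timestamps of failed attempts
    for r in sorted(records, key=lambda rec: rec.ts):
        # Rule 2: disabled logging, or any attempt to disable it, is always reviewed.
        if r.asset_class == "logging" and r.event == "DISABLE":
            findings.append(("logging-disabled", r.user_id, f"{r.asset} from {r.source}"))
        # Rule 4: unauthorized attempts to modify software or disable hardware configuration.
        if not r.authorized and (
            (r.event == "MODIFY" and r.asset_class == "software")
            or (r.event == "DISABLE" and r.asset_class == "hardware")
        ):
            findings.append(("unauthorized-change", r.user_id, f"{r.event} {r.asset}"))
        if r.result != "FAILURE" or r.event not in ("ACCESS", "MODIFY"):
            continue
        if r.asset_class == "security":
            sec_fail[(r.user_id, r.ts.date())] += 1
        elif r.asset_class == "nonpublic":
            nonpub_fail[r.user_id].append(r.ts)
    # Rule 1: three or more failures per system day against security files,
    # password tables or security devices.
    for (user, day), n in sec_fail.items():
        if n >= FAILED_SECURITY_PER_DAY:
            findings.append(("security-file-failures", user, f"{n} failures on {day}"))
    # Rule 3: three or more failures against nonpublic information within a week,
    # evaluated over a sliding seven-day window starting at each failure.
    for user, stamps in nonpub_fail.items():
        for i, start in enumerate(stamps):
            window = [t for t in stamps[i:] if t - start < WEEK]
            if len(window) >= FAILED_NONPUBLIC_PER_WEEK:
                findings.append(("nonpublic-failures", user,
                                 f"{len(window)} failures in the week from {start.date()}"))
                break
    return findings


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample records (invented user-ids, assets and terminals, not Judiciary data).
SAMPLE_RECORDS = [
    AuditRecord(_t("2010-06-28T08:01:00"), "usr1", "ACCESS", "FAILURE", "password table", "security", "term12"),
    AuditRecord(_t("2010-06-28T08:02:10"), "usr1", "ACCESS", "FAILURE", "password table", "security", "term12"),
    AuditRecord(_t("2010-06-28T08:03:30"), "usr1", "MODIFY", "FAILURE", "password table", "security", "term12"),
    AuditRecord(_t("2010-06-28T09:00:00"), "usr2", "ACCESS", "FAILURE", "security device", "security", "term07"),
    AuditRecord(_t("2010-06-29T09:00:00"), "usr2", "ACCESS", "FAILURE", "security device", "security", "term07"),
    AuditRecord(_t("2010-06-28T10:15:00"), "usr3", "DISABLE", "SUCCESS", "syslog daemon", "logging", "console"),
    AuditRecord(_t("2010-06-21T11:00:00"), "usr4", "ACCESS", "FAILURE", "sealed case file", "nonpublic", "term03"),
    AuditRecord(_t("2010-06-23T11:00:00"), "usr4", "ACCESS", "FAILURE", "sealed case file", "nonpublic", "term03"),
    AuditRecord(_t("2010-06-26T11:00:00"), "usr4", "ACCESS", "FAILURE", "sealed case file", "nonpublic", "term03"),
    AuditRecord(_t("2010-06-01T11:00:00"), "usr5", "ACCESS", "FAILURE", "juvenile record", "nonpublic", "term09"),
    AuditRecord(_t("2010-06-06T11:00:00"), "usr5", "ACCESS", "FAILURE", "juvenile record", "nonpublic", "term09"),
    AuditRecord(_t("2010-06-12T11:00:00"), "usr5", "ACCESS", "FAILURE", "juvenile record", "nonpublic", "term09"),
    AuditRecord(_t("2010-06-28T14:00:00"), "usr6", "MODIFY", "SUCCESS", "batch scheduler", "software", "term21",
                authorized=False),
    AuditRecord(_t("2010-06-28T14:30:00"), "usr7", "ACCESS", "SUCCESS", "public docket", "other", "term22"),
]

if __name__ == "__main__":
    for rule, user, detail in review_violations(SAMPLE_RECORDS):
        print(f"{rule}: {user} ({detail})")
```

Only usr1, usr3, usr4 and usr6 are reported: usr2's failures fall on two different system days and usr5's three failures span more than a week.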

6.0 Network Security Standard

The JIS Department shall ensure that all data networks are protected from unauthorized access at all entry points. To help accomplish this, JIS must, at a minimum:

- Establish a process to protect from unauthorized remote access;
- Utilize the Judiciary approved banner text (see Section 6.2);
- Establish a process to ensure that all external Internet Protocol (IP) connections are made through a firewall;
- Implement and monitor an Intrusion Detection System (IDS) 24x7x365;
- Establish a process to ensure that all Service Interface Agreements (SIAs) are managed in accordance with this policy;
- Establish a process to ensure that the same level of controls that exist on-site exist for users working remotely;
- Establish a process to prevent unauthorized mobile code from being loaded onto Judiciary IT equipment;
- Establish a process to ensure that wireless network connections do not compromise this policy;
- Network devices shall be configured and maintained so as not to cause network performance degradation and/or excessive, unwarranted traffic flows, and shall be suitably hardened against network security threats;
- Devices that are not the property of the Judiciary and/or not under the administrative control of the Judiciary shall not connect to the Judiciary Network without the approval of the Director (or designee) of Judicial Information Systems. Such approval may be contingent upon an inspection of the device; and
- Procedures for obtaining approval to connect devices to the Judiciary network that are not the property of the Judiciary and/or under the administrative control of the Judiciary are as follows:
  - Requests internal to the Judiciary are to be coordinated through the Administrative Official of the requesting location. The Administrative Official directs the request to the JIS Executive Director for the appropriate action;
  - Requests external to the Judiciary are to be directed to the JIS Executive Director for the appropriate action.

6.1 Remote Access

The following services require prior approval in writing by the Executive Director of the JIS Department:

- Use of any type of remote control product (e.g., PC Anywhere or GoToMyPC);
- Use of RSA (VPN) authentication; and
- Use of any network-monitoring tool.

In addition, the following controls for remote access users must be implemented:

- Access privileges must be prohibited to any applications except those expressly required (i.e., access cannot be granted to the entire network; it must be application specific);
- Annual review of access requirements by the JIS security administrators or designees; and
- Users shall not store data unless the data can be protected from unauthorized access, modification, or destruction.

6.2 Banner Text

The following Banner Text shall be displayed at all system entry points and at all access points to servers, subsystems, etc. where initial user logon occurs:

    Access to this system is restricted to authorized users only and governed by the Judiciary's Policy on Electronic Communications Systems Usage. By using this system, you expressly consent to the monitoring of all activities. Any unauthorized access or use of this system is prohibited and may be subject to criminal and civil penalties.

An automatic pause, slow roll rate, or user acknowledgement is required to ensure that the banner can be read. The banner is:

- Required for all mainframe, midrange, workstation, personal computer, and network systems; and
- Must be used in addition to, and is not a substitute for, any default banners or copyright/proprietary notices.

6.3 Firewalls & Network Devices

Judiciary networks shall be protected by firewalls at identified points of interface as determined by system sensitivity and data classification. Firewalls should be configured to block all services not required and disable unused ports, hide and prevent direct accessing of trusted network addresses from untrusted networks, maintain comprehensive audit trails, fail in a closed state and operate on a dedicated platform (device). All network devices (e.g., servers, routers) shall have all non-needed services disabled and the security for those devices hardened.
All devices shall have updates and patches installed on a timely basis to correct significant security flaws. Default or initial passwords shall be changed upon installation of all firewall and network equipment.

6.4 Intrusion Detection Systems

Judiciary networks shall be monitored by an Intrusion Detection System (IDS) implemented at critical junctures to provide additional system protection. Host-based, network-based, or a combination of both (preferred) may be utilized. IDS must be monitored 24x7x365. JIS shall establish a severity and escalation list based upon anticipated events that includes immediate response capability when appropriate. These plans shall be incorporated into the IT Security Program.

6.5 Service Interface Agreement

External network connections shall be permitted only after all approvals required by State law are obtained and shall be managed in accordance with a Service Interface Agreement (SIA) that is agreed to by the Executive Director of the JIS Department and the non-state entity (business or contractor). These connections are subject to the Maryland Public Information Act and shall not be part of the ordinary process of doing business. An SIA shall include:

- Purpose and duration of the connection as stated in the agreement, lease, or contract;
- Points-of-contact and cognizant officials for both JIS and non-state organizations;
- Roles and responsibilities of points-of-contact and cognizant officials for both JIS and non-state organizations;
- Security measures to be implemented by the non-state organization to protect the JIS's IT assets against unauthorized use or exploitation of the external network connection;
- Requirements for notifying a specified JIS official within a specified period of time of a security incident on the network, with the recommended time being within 4 hours of the incident; and
- A provision allowing JIS to periodically test the ability to penetrate the network through the external network connection or system.

6.6 Teleworking

In a telecommuting environment, the JIS Department shall require the same level of security on the microcomputer used at home or offsite as on the microcomputer used in the workplace. (Refer to the Human Resources Department policy for guidelines and eligibility on CourtNet.)
6.7 Wireless Networks

General Controls

- Maintain a current, documented diagram of the topology of the wireless network;
- Label and keep an inventory of the wireless and handheld devices;
- Perform periodic security testing and assessment of the wireless network;
- Perform ongoing, randomly timed security audits to monitor and track wireless laptop and handheld PDA usage on the network to ensure only authorized users are utilizing the network;
- Implement configuration/change control and management to ensure that equipment has the latest software release, including security enhancements and patches for discovered vulnerabilities;
- Implement standardized configuration to reflect the Wireless Security Plan, to ensure change of default values, and to ensure consistency of operation;
- Implement security training to raise awareness about the threats and vulnerabilities inherent in the use of wireless technology;
- Monitor the wireless industry for changes to standards that enhance security features and for the release of new products;
- Vigilantly monitor wireless technology for new threats and vulnerabilities;
- Wireless networks must implement some form of cryptographic protocol, examples being Secure Shell (SSH), Transport Layer Security (TLS), Internet Protocol Security (IPsec), or a Virtual Private Network (VPN); and
- Additional countermeasures such as strategically locating access points, ensuring firewalling and blocking, and the installation of antivirus software must be implemented.
Wireless Security Plan

The Wireless Security Plan shall address the following:

- Identify who may use the technology;
- Identify whether Internet access is required;
- Describe who can install access points and other wireless equipment;
- Limit the location of access points and provide physical security for them;
- Describe the type of information that may be sent over wireless links;
- Describe the conditions under which wireless devices are allowed;
- Define standard security settings for access points;
- Describe limitations on how the wireless devices may be used;
- Describe the hardware and software configuration of all wireless devices;
- Provide guidelines on reporting losses of wireless devices and security incidents;
- Provide guidelines for the protection of wireless clients to minimize/reduce theft; and
- Define the frequency and scope of security assessments, to include access point discovery.

Access Point Configuration

- All default passwords must be changed to comply with the State of Maryland password policies before production implementation;
- The Service Set Identifier (SSID) must be changed from the factory default before production implementation;
- The beacon interval that announces the existence of a wireless network should be set to its highest value;
- Change default cryptographic keys;
- If SNMP is not required, disable it; and
- Dynamic Host Configuration Protocol (DHCP) should be disabled and static IP addresses should be used on the wireless network, if feasible, and/or utilize access points with integrated firewalls.

Client Authentication

All wireless access points shall require clients to provide encrypted wireless network authentication for access.

6.8 Private Branch Exchange (PBX)

If PBX processors require remote vendor maintenance via remote access, the following controls must be in place:

- A single dedicated telephone line that disables access to the public-switched telephone network;
- An automated audit trail; and
- Access controls.
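An added example, not taken from the policy or from any JIS tool, that turns the Access Point Configuration and Client Authentication items of section 6.7 into an automated compliance check a reviewer could run over exported device settings. The configuration fields, the vendor default values, the beacon-interval maximum and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholders standing in for vendor factory defaults (assumption);
# a real audit would load the defaults for the specific access point model.
DEFAULT_PASSWORDS = {"admin", "password", ""}
DEFAULT_SSIDS = {"default", "wireless-ap"}
DEFAULT_CRYPTO_KEYS = {"0000000000", "default-key"}
MAX_BEACON_INTERVAL = 1000  # assumed upper bound of the device's beacon interval setting


@dataclass
class AccessPointConfig:
    """Hypothetical flattened view of the settings an access point exports."""
    admin_password: str
    ssid: str
    beacon_interval: int
    crypto_key: str
    snmp_enabled: bool
    snmp_required: bool       # documented business need for SNMP ("if SNMP is not required")
    dhcp_enabled: bool
    integrated_firewall: bool
    client_auth: str          # "open" or an encrypted/authenticated mode such as "wpa2-enterprise"


def audit_access_point(cfg: AccessPointConfig) -> list[str]:
    """Return one finding per unmet Access Point Configuration / Client
    Authentication item of section 6.7; an empty list means compliant."""
    findings = []
    if cfg.admin_password in DEFAULT_PASSWORDS:
        findings.append("default password unchanged before production")
    if cfg.ssid in DEFAULT_SSIDS:
        findings.append("SSID still set to the factory default")
    if cfg.beacon_interval < MAX_BEACON_INTERVAL:
        findings.append(
            f"beacon interval {cfg.beacon_interval} is below the maximum {MAX_BEACON_INTERVAL}")
    if cfg.crypto_key in DEFAULT_CRYPTO_KEYS:
        findings.append("default cryptographic key in use")
    if cfg.snmp_enabled and not cfg.snmp_required:
        findings.append("SNMP enabled although not required")
    # The policy lets DHCP stay on where static addressing is infeasible,
    # provided the access point has an integrated firewall.
    if cfg.dhcp_enabled and not cfg.integrated_firewall:
        findings.append("DHCP enabled on an access point without an integrated firewall")
    if cfg.client_auth == "open":
        findings.append("clients are not required to authenticate with an encrypted method")
    return findings


def is_compliant(cfg: AccessPointConfig) -> bool:
    return not audit_access_point(cfg)


# Constructed sample records (not real Judiciary devices).
FACTORY_FRESH = AccessPointConfig(
    admin_password="admin", ssid="default", beacon_interval=100,
    crypto_key="default-key", snmp_enabled=True, snmp_required=False,
    dhcp_enabled=True, integrated_firewall=False, client_auth="open")

HARDENED = AccessPointConfig(
    admin_password="constructed-strong-passphrase", ssid="constructed-ssid-7",
    beacon_interval=MAX_BEACON_INTERVAL, crypto_key="rotated-key-2010-q2",
    snmp_enabled=False, snmp_required=False,
    dhcp_enabled=True, integrated_firewall=True, client_auth="wpa2-enterprise")

if __name__ == "__main__":
    for name, cfg in (("factory-fresh", FACTORY_FRESH), ("hardened", HARDENED)):
        print(f"{name}: {'compliant' if is_compliant(cfg) else 'non-compliant'}")
        for finding in audit_access_point(cfg):
            print("  -", finding)
```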

7.0 Physical Security Standard

Physical access to IT information processing and storage areas, storage devices, and their supporting infrastructure (communications, power, and environmental) must be controlled to prevent, detect, and minimize the effects of unauthorized or unintended access to these areas. JIS must:

- Secure IT areas with controls commensurate to the risk;
- Ensure the secure destruction of storage media;
- Ensure secure media reuse;
- Ensure secure on-site and off-site storage of media; and
- Obtain personnel security clearances where appropriate.

7.1 Secured IT Areas

Physical access controls must be in place for the following:

- Data centers;
- Areas containing servers and associated media;
- Networking cabinets and wiring closets;
- Power and emergency backup equipment; and
- Operations and controlled areas.

Access to data centers and secured areas shall be granted by the Executive Director of the JIS Department for those employees, contractors, technicians and vendors who have legitimate business responsibilities in those areas. Authorization should be:

- Based on frequency of need for access; and
- Approved by the manager responsible for the secured area.

Each court, unit and department shall be responsible for:

- Providing picture ID badges to employees/contractors and ensuring that these badges are openly displayed at all times;
- Ensuring that all portable storage media such as hard drives, diskettes, magnetic tapes, laptops and CDs are physically secured;
- Ensuring that proper environmental and physical controls are established to prevent accidental or unintentional loss of information residing on IT systems; and
- Ensuring that any physical access controls are auditable.

7.2 Storage Media Disposal

When no longer used, all media, such as diskettes, compact disks, and other similar items, shall be destroyed by a NIST-approved method such as shredding, incineration, overwriting, or degaussing. No IT equipment shall be released from the Judiciary's site until the equipment is sanitized and all stored information has been cleared. This requirement applies to all permanent disposal of equipment regardless of the identity of the recipient. This includes equipment transferred to schools, as well as equipment released for maintenance and repair.

7.3 Media Reuse

When no longer required for mission or project completion, all media (such as tapes, disks, hard drives, etc.) to be used by another person within the Judiciary shall be overwritten with software and protected consistent with the data sensitivity at which the IT storage media were previously used. The guidelines shall be documented in the IT System Security Plan.

7.4 Storage and Marking

Information technology systems and electronic media shall be protected and marked in accordance with the data sensitivity. Users shall not store data on electronic media that cannot be adequately secured against unauthorized access.

7.5 Personnel

Security clearances are required for personnel as determined by system sensitivity and data classification designation. The AOC Human Resources Department shall ensure that an appropriate background investigation (e.g., CJIS, State Police) has been completed on personnel as necessary.

8.0 Microcomputer/PC/Laptop Security Standard

The JIS Department shall ensure that all microcomputers, i.e., workstations, desktop computers, laptop computers, PDAs and any other portable devices that process data, are secured against unauthorized access. The level of controls should comport with the Judiciary's Policy on Electronic Communications Systems Usage and be commensurate with the information accessed, stored, or processed on these devices. The JIS Department shall establish at a minimum the following:

- General controls;
- Virus protection;
- Software licensing and use control;
- Laptop security and mobile computing controls; and
- Protection from personally owned microcomputers.

8.1 General Controls

All microcomputers that store and/or access nonpublic information shall implement the following controls:

- User-id and password to control access at logon to legacy platforms;
- Encryption to protect directories, sub-directories, and/or files containing nonpublic information; and
- Virus protection.

Standard virus protection programs shall be installed, updated, and maintained on all microcomputers, LAN servers, and mail servers. These programs shall:

- Be configured to run checks for viruses at startup and operate in memory-resident mode to check for viruses during normal processing;
- Be updated as soon as updates are available from the vendor; and
- Be configured to prevent connection to the network unless the accessing microcomputer has the latest version of the virus product and update installed.

8.2 Software Licenses and Use

The JIS Department shall establish guidelines to ensure compliance with State Copyright Policy, and assure that software installed on the Judiciary IT System is incorporated into the Software Development Lifecycle (SDLC) management process.

Unless specifically approved by the Executive Director of the JIS Department, an employee's personal or a contractor's business IT equipment shall not have State-licensed software installed and shall not be used to process or transmit proprietary and/or protected information (PPI). Only Judiciary-owned and authorized computer software is to be used on employee stand-alone or networked computer equipment. Authorized software packages for employees are those approved by the Executive Director of the JIS Department. Executable modules cannot be downloaded from the Internet unless authorized by the JIS Executive Director and the Judiciary's network administrator. The Legal Affairs Department in the Administrative Office of the Courts shall be designated as the single point of contact for inquiries about copyright violations, pursuant to federal law.

8.3 Laptop Security and Mobile Computing

Employee laptops and mobile computing devices are not authorized to process or store nonpublic information unless approved in writing by the Executive Director of the JIS Department. Laptops and mobile computing devices, which include personal digital assistants, approved for processing PPI cannot be connected to the Judiciary's networks or systems unless the network or system is certified and accredited for that function. In such cases, the IT Security Program will identify the devices that can be used to access the network or the system, the purposes for the access, and the security controls for the connection.

8.4 Personally Owned Data Processing Equipment

Processing or storing PPI on an employee's personal or contractor-owned data processing equipment is prohibited unless approved in writing by the Executive Director of the JIS Department.

9.0 Encryption Standard

The JIS Department shall ensure that encryption is utilized to protect any non-public information when it is stored or transmitted through any environment, as in the case of financial data transmitted to and from the State Treasurer's system and access through the JIS Virtual Private Network (VPN). Judiciary IT Systems employing encryption must comply with all applicable Federal Information Processing Standards (FIPS) publications and guidelines for encryption (references located at ). While default cryptographic keys should not be utilized, such keys may be utilized for emergency recovery, system calibration or vendor certification purposes. In such cases, a documented process describing the storage, maintenance, use and destruction of these keys must be in place.

10.0 Use of Electronic Communication Standard

This standard applies to information technology security and comports with the Judiciary's Policy on Electronic Communications Systems Usage. The use of the internet and other Judiciary computing equipment, networks and communication facilities is provided to Judiciary users as electronic tools to perform their job functions. Information communicated electronically through e-mail, the internet or sharing of electronic documents is subject to laws, regulations, Judiciary policies, and other requirements, as is information communicated in other written forms and formats.

Appendix A

STATE OF MARYLAND JUDICIARY POLICY ON ELECTRONIC COMMUNICATIONS SYSTEMS USAGE

I. PURPOSE

The purpose of this issuance is to establish a policy for the use of the Judiciary's electronic communications systems, including the hardware, software, electronic messaging (e-mail), Internet, and Intranet (collectively, "JIS system(s)"). These systems are provided to facilitate official business of the Judiciary of Maryland. This policy is to guard against uses which are illegal or detrimental to the official business of the Judiciary or adversely affect the users' performance of their duties for the Judiciary, while providing for limited, appropriate personal use.

II. DEFINITIONS

Administrative Official: The Chief Deputy Clerks of the appellate and circuit courts; the Chief Clerk and Chief Commissioner, Assistant Chief Clerks and Administrative and County Clerks of the District Court; the State Court Administrator, the Deputy State Court Administrator and directors and deputy directors of the Administrative Office of the Courts; the Director and executive staff of respective units within court-related agencies as well as offices under the direct authority of the Chief Judge of the Court of Appeals.

Employee: Any person employed by the Judiciary (whether regular, contractual, temporary or a volunteer), except a judge and Clerk of Court.

Personally Identifiable Information: Any piece of information that potentially can be used to uniquely identify, contact or locate an individual.

III. SCOPE

This policy applies to all users of JIS systems. Courts not using JIS-provided systems for their electronic messaging (e-mail), Internet, Intranet, and online applications are required to have a substantially similar written policy on electronic communications systems usage.

IV. POLICY STATEMENT

Electronic communications systems, including the Internet, Intranet, and online applications are intended to increase user productivity in the conduct of their official duties with the Judiciary. Inappropriate use of information systems or electronic communications, as defined below, is prohibited. Users are advised that electronic communications are not subject to personal privacy and may be disclosed pursuant to public disclosure laws and rules of discovery in the event of lawsuits.

V. RESPONSIBILITIES OF USERS

A. Permitted Use

1. Each user of JIS systems must exercise individual responsibility and judgment to assure appropriate use. These systems are designed to afford electronic communications for official judicial business. In using e-mail, users must ensure that all messages are courteous, professional and business-like.

2. Incidental personal use is permissible so long as: (a) it does not consume more than a minimal amount of resources; (b) it does not interfere with user productivity; and (c) it does not preempt any work-related activity. Users should use a non-JIS system account for sending and receiving personal e-mail on a limited basis, due to the risk of malware and/or viruses when downloading a file attachment or opening a web link from personal accounts on a Judiciary desktop PC. Personal messages sent by employees using a JIS system account must be identified as personal in the subject designation, to avoid any confusion with official judicial business.

3. Users should always use care in addressing messages to make sure that messages are not inadvertently sent to unauthorized persons. When using distribution lists, users should confirm that all addresses are appropriate recipients of the information to avoid distribution to unintended or unauthorized recipients.

4. Users should use the Reply to All feature only when necessary for official purposes and after carefully reviewing the list of included addressees. Any user involved in an e-mail dialogue that generates multiple messages should delete previous messages that are not necessary to the next addressees. Users are advised to save valuable disk space on the server and/or personal computer by deleting unnecessary messages.

B. Unauthorized Use

1. Users will not use JIS systems for commercial gain, or for any gaming or gambling purpose. Users will not use these systems to harass, intimidate or otherwise annoy another person. Users will not disclose personal information about another person without that person's permission or other authorization.

2. Users will not use JIS systems for unlawful, unethical or unprofessional purposes or to support or assist such purposes. Examples of these impermissible uses may include, but are not limited to, the transmission or interception of violent, threatening, defrauding, obscene or otherwise illegal or unlawful materials, and the use of JIS systems for purposes related to any public election. Users will not use JIS systems, or any part of JIS systems, for any purpose that:
a. Adversely affects the primary purpose of the JIS systems;
b. Causes harm to the JIS systems or any of its components;
c. Is illegal or detrimental to the official business of the Judiciary;
d. Adversely affects the user's performance of his or her duties for the Judiciary; or
e. Is for any political purpose.

3. Users shall be vigilant in guarding against the improper or malicious disclosure of confidential or personally identifiable information.

4. Users will not use JIS systems to disrupt other users, services or equipment. Disruptions include, but are not limited to, distribution of unsolicited advertising, propagation of computer viruses, and sustained high-volume network traffic which substantially hinders others in their use of JIS systems.

5. Confidential information should never be transmitted or forwarded to individuals or companies not authorized to receive that information. Confidential information may be sent or forwarded to other Maryland Judiciary users only as necessary for official purposes. An employee may not subscribe to services provided by a List Server, which automatically redistributes e-mail to names on a mailing list, unless related to official or professional purposes.


BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN FEBRUARY 2011 TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 INTRODUCTION... 4 SECTION 1: IT Security Policy... 5 SECTION 2: Risk Management

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460.

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460. Subject: Authoritative Policy: Procedure Number: Distribution: Purpose: Acceptable Use of Information Technology (former Ad Guide 1460.00) Standard Number 1340.00 Information Technology Information Security

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL 1 INTRODUCTION The County of Imperial Information & Technical Services (ITS) Security Policy is the foundation of the County's electronic information

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

How To Protect Information Inmaryland

How To Protect Information Inmaryland STATE OF MARYLAND INFORMATION SECURITY POLICY Version 3.1 February 2013 TABLE OF CONTENTS SCOPE... 3 AUTHORITY... 3 RECORD OF REVISIONS... 3 SECTION 1: Preface... 5 SECTION 2: Roles and Responsibilities...

More information

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9 1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless

More information

1B1 SECURITY RESPONSIBILITY

1B1 SECURITY RESPONSIBILITY (ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,

More information

Responsible Use of Technology and Information Resources

Responsible Use of Technology and Information Resources Responsible Use of Technology and Information Resources Introduction: The policies and guidelines outlined in this document apply to the entire Wagner College community: students, faculty, staff, alumni

More information

STATE OF NEW JERSEY Security Controls Assessment Checklist

STATE OF NEW JERSEY Security Controls Assessment Checklist STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response

More information

MCOLES Information and Tracking Network. Security Policy. Version 2.0

MCOLES Information and Tracking Network. Security Policy. Version 2.0 MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on

More information

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011 City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011 Purpose and Intent The City of Boston recognizes the importance

More information

Delaware State University Policy

Delaware State University Policy Delaware State University Policy Title: Delaware State University Acceptable Use Policy Board approval date: TBD Related Policies and Procedures: Delaware State University Acceptable Use Policy A Message

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY

MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY MEMORANDUM TO: FROM: RE: Employee Human Resources MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY Please find attached the above referenced policy that is being issued to each

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

COMPUTER AND NETWORK USAGE POLICY

COMPUTER AND NETWORK USAGE POLICY COMPUTER AND NETWORK USAGE POLICY Respect for intellectual labor and creativity is vital to academic discourse and enterprise. This principle applies to works of all authors and publishers in all media.

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

APHIS INTERNET USE AND SECURITY POLICY

APHIS INTERNET USE AND SECURITY POLICY United States Department of Agriculture Marketing and Regulatory Programs Animal and Plant Health Inspection Service Directive APHIS 3140.3 5/26/2000 APHIS INTERNET USE AND SECURITY POLICY 1. PURPOSE This

More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents Chapter 84 Information Security Rules for Street Hail Livery Technology System Providers Table of Contents 84-01 Scope of the Chapter... 2 84-02 Definitions Specific to this Chapter... 2 83-03 Information

More information

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER REMOTE ACCESS POLICY OCIO-6005-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III.

More information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

All Users of DCRI Computing Equipment and Network Resources

All Users of DCRI Computing Equipment and Network Resources July 21, 2015 MEMORANDUM To: From Subject: All Users of DCRI Computing Equipment and Network Resources Eric Peterson, MD, MPH, Director, DCRI Secure System Usage The purpose of this memorandum is to inform

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

Controls for the Credit Card Environment Edit Date: May 17, 2007

Controls for the Credit Card Environment Edit Date: May 17, 2007 Controls for the Credit Card Environment Edit Date: May 17, 2007 Status: Approved in concept by Executive Staff 5/15/07 This document contains policies, standards, and procedures for securing all credit

More information

Course: Information Security Management in e-governance

Course: Information Security Management in e-governance Course: Information Security Management in e-governance Day 2 Session 2: Security in end user environment Agenda Introduction to IT Infrastructure elements in end user environment Information security

More information

Network and Workstation Acceptable Use Policy

Network and Workstation Acceptable Use Policy CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY Effective December 15, 2008 State of Illinois Department of Central Management Services Bureau

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. - 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must

More information

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Specific observations and recommendations that were discussed with campus management are presented in detail below. CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014 Tenth Judicial Circuit of Florida Information Systems Acceptable Use s Polk, Hardee and Highlands Counties as of January 2014 The following guidelines define the acceptable use of information technology

More information

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

More information

Excerpt of Cyber Security Policy/Standard S05-001. Information Security Standards

Excerpt of Cyber Security Policy/Standard S05-001. Information Security Standards Excerpt of Cyber Security Policy/Standard S05-001 Information Security Standards Issue Date: April 4, 2005 Publication Date: April 4, 2005 Revision Date: March 30, 2007 William F. Pelgrin Director New

More information

Information Technology Security Standards. Effective Date: November 20, 2000 OFM Guidelines for Economic Feasibility Revision Date: January 10, 2008

Information Technology Security Standards. Effective Date: November 20, 2000 OFM Guidelines for Economic Feasibility Revision Date: January 10, 2008 Information Technology Security Standards Adopted by the Information Services Board (ISB) on November 20, 2000 Policy No: Also see: 400-P2, 402-G1 Supersedes No: 401-S2 Auditor's Audit Standards Effective

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Compliance and Industry Regulations

Compliance and Industry Regulations Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy

More information

Table of Contents INTRODUCTION AND PURPOSE 1

Table of Contents INTRODUCTION AND PURPOSE 1 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information