CPIT Aoraki Communications and Operations Management
- Alban Manning
- 10 years ago
This security standard refers to CPIT, which is the current legal name for the new organisation established 1 January 2016 bringing together CPIT and Aoraki Polytechnic. Known as CPIT Aoraki the new organisation will trade under this name until rebranded during

CPIT Aoraki Communications and Operations Management Security Standard
Corporate Policies & Procedures Section 1: General Administration
Document CPP121b
Principles Information Communication Technology Division Security Policy Security Standard, aligned with Security Standards Guidelines and Procedures AS/NZS ISO/IEC 27001: 2006 for Information Security Management

Contents

1 INTRODUCTION
2 ICT OPERATIONAL PRACTICES AND PROCESSES
  2.1 Operational Procedures
  2.2 Change Management Standards
  2.3 Patch Management Standards
  2.4 Capacity Management
  2.5 Security Monitoring Standards
  2.6 Backup and Recovery Standard
3 COMMUNICATION STANDARD AND INFORMATION EXCHANGE
  3.1 Email Standards
  3.2 Internet Standards
4 APPENDIX
  4.1 CPIT Enterprise Data

Communications and Operations Security Standard Page 2 of 14

Communications and Operations Management Security Standard

Purpose: This standard defines the recommended security practices for Communications and Operations Management. This standard's objective is to define the standards to be followed for the correct and secure operation of ICT services. This standard and guideline applies to all ICT assets and services provided across CPIT sites.

Authorised By: ICT Director
Document Owner: Infrastructure Manager
Date of Issue: 15 March 2012
Review date: November 2014
Version: 2.3

References: This document should be read in conjunction with the ICT Security Policy. In addition it should be read in conjunction with the following ICT Security Standards:

1. ICT Asset and Media Management Standard
2. Human Resources ICT Security Standard
3. Physical and Environmental Security Standard
4. Access Control Security Standard
5. Information Systems Acquisition, Development and Maintenance Security Standard

1 INTRODUCTION

ICT equipment supports the academic processes and provides critical functionality to students and staff. It is essential that the ICT assets that provide these services are well managed and protected through the appropriate adoption of security standards and processes that follow recommended ICT best practices.

Standards and processes are required for Information Communication Technology (ICT) to minimise the risk of systems failure, safeguard the integrity of the institution's software and data and maintain the integrity and availability of information services.

The objective of this security standard is to define the recommended process for the ICT division to follow to prevent interruptions to business activities and ensure the correct and secure operation of computer facilities. The standard includes references to IT best practices, including Information Technology Infrastructure Library (ITIL) as this is regarded as the leading best practice for IT operations.

The following standards are detailed within this standard:

Operational Procedures: Standards are to be followed during the preparation of documentation and procedures to ensure the correct and secure operation of ICT secure facilities.
Change Management: Standards for introducing change into the Institution to mitigate any risks impacting production services.
Patch Management: Standards to update ICT services and mitigate the risk of a security vulnerability or change impacting services.
Capacity Management: Standards to follow to prepare the ICT environment and minimise the risk of system overload and services not being available to meet the required performance.
Security Monitoring: Standards to monitor ICT services to reduce the risk of a service failing or a security incident, impacting on the services at CPIT. In addition this includes standards for Security Audits to regularly review the level of security provided to the Institution.
Backup & Recovery: Standards to maintain suitable backup and recovery services to ensure the availability of ICT services at the Institution.
Information Exchange: Acceptable and unacceptable information exchange through email and online services to ensure appropriate standards are followed to safeguard information integrity and confidentiality.
Rules of Use: Standards for accessing and using the Internet including software downloading, inappropriate sites and services that are not permitted when using the Internet.

2 ICT OPERATIONAL PRACTICES AND PROCESSES

It is widely published that a high proportion of security incidents occur due to poor IT practices and administrative errors. It is important that the services and systems within ICT are managed and follow appropriate IT best practices such as those defined within ITIL. ITIL defines the service management processes to maintain a focus on service delivery, availability of ICT services and the integrity of information.

The purpose of this section is to define the key elements of ITIL that the Institution are utilising, for the management of ICT systems and services.

2.1 Operational Procedures

It is essential that ICT staff prepare detailed operating procedures on the secure and safe operation of ICT secure facilities. These procedures need to be maintained, ICT staff made accountable for reviewing and available to ICT staff. The operational procedures recommended are listed in the checklist below:

Ref | Operational Procedure | Accountable for procedure | Review Cycle
1 | ICT Services Start-Up and Close-down | Infrastructure Manager and Information Systems Manager | Annually
2 | Backup and Recovery Processes (See section 2.6) | Infrastructure Manager and Service Desk Manager | 6 monthly
3 | Support Contracts and emergency points of contact | Service Desk Manager / ICT Director | Annually
4 | ICT Services network overview and system dependencies (to be used in the event of a system outage) | Infrastructure Manager and Information Systems Manager | 6 monthly
5 | Patch management Process for releasing and roll-back for patches (See section 2.3) | Infrastructure Manager and Support Centre Manager | Annually

These operational procedures need to be available to all staff and through the change management practice any changes are to be recorded and as appropriate authorised.

2.2 Change Management Standards

ICT systems need to be updated and patched regularly to improve functionality and to address security vulnerabilities.
As ICT services are introduced to support growth and to provide new functionality, these changes need to be tested, reviewed and applied through a Change Management Practice. A Change Management Practice can cover all types of change including: emergency fixes to respond to security vulnerability, changes to current ICT processes, changes to operating procedures or upgrades to new versions of hardware and software.

The objective of the change management process is to ensure that changes are applied correctly and do not compromise the security of an ICT system or result in a service being unavailable. Please refer to the ICT Division Change Management Documentation for further information on the process and standards.

2.3 Patch Management Standards

Patching of software or hardware is an inevitable part of ICT operations. The quantity of systems to patch and maintain has been increasing in response to a growing number of security vulnerabilities and an increase in the number of systems managed by organisations. Patch management is integrated with change management and the approval of updates should be integrated within the Change Management process.

The unfortunate reality about security vulnerabilities is that after you apply a patch today another one will be required tomorrow. To address the threats a Patch Management Practice needs to be defined which details the process to follow to ensure vulnerabilities are addressed, in a timely and controlled manner.

The following standards are to be followed to define the Patch Management Process:

- Automated detection and release of patches when desktop or laptop computers connect to the network and use ICT services. This standard does not apply for those connections that are passed directly through to the internet with no direct access to the institution's ICT services (e.g. non-CPIT laptops that connect directly to the Internet (Guest/Public Access)):
  - When joining the network they must be scanned for missing security patches. This includes computers that are connecting through all communications channels.
  - If patches are missing, which have been approved for distribution, the missing patches are to be installed automatically on CPIT owned equipment. The user should not be allowed to stop or delay the installation of patches. Automated services (like Windows Update Service) can be used to streamline this process.
  - For servers a planned network brown-out period will be necessary for servers to be patched; this will require conformance with the Change Management Standard.
- Monitoring, assessing and incorporating patches within the change management process:
  - If a new patch is released it must be assessed for relevance to the CPIT's ICT services and the severity that the patch addresses.
  - If the patch is deemed critical or urgent then a fast track process through the emergency change management process needs to be followed to test the patch and release it to the production environment.
  - If the patch is deemed important or the severity of the vulnerability is a low risk at the Institution a standard change management process is to be followed.
  - Assessing the patch should include: assess the impact on the production environment (ideally in a test environment that replicates the production environment), a sample set of computers and then follow the release management process.
- To support both processes a roll-back and backup process must be agreed.
- As part of the software selection process the Patch Management Practice should be evaluated and integrated into the current practices.
- The roll back process must be tested regularly to ensure that ICT staff are familiar with the process for removing a security patch.

The Zero Day Attack
Zero day attacks occur when the vulnerability is exploited before the software developer has written the patch. This increases the importance that any urgent or critical vulnerabilities are identified and a robust patch management practice starts immediately. Whilst the zero day attack is a threat delaying urgent patches significantly increases the risk.

- Only authorised system administration staff are permitted to release patches once formal approval (or emergency approval) has been made as part of the Change Management Process.
- ICT staff should register with Security Advisory Services (for example to receive an early indication of security vulnerabilities.

2.4 Capacity Management

The ICT resources should be monitored, tuned and projections made of future capacity requirements to ensure services are available and meet expectations for staff and students. The objective is to complete advance planning and preparation to minimise the risk of a systems failure.

The following standards apply:

- For each new and current ICT service the capacity requirements should be identified. This includes determining if ICT services have the capacity to meet high demands during peaks in user activity, for example: student enrolment.
- ICT services need to be monitored to identify trends in capacity that may impact on system performance at a later date.
- ICT should engage with the institution's appropriate Senior Staff members to identify potential future demands; recommend this activity is completed annually.
- ICT need to prepare technology roadmaps to identify when replacement software and hardware will be available to meet organisational demand for ICT services. Particular attention given to software or hardware that has a long procurement time.
- It is acknowledged that academics are responsible for determining the requirements for IT software used to deliver training and courses.

2.5 Security Monitoring Standards

ICT systems need to be monitored continuously and reviewed to assess performance, reduce the likelihood of system overload and detect potential or actual malicious intrusion. This includes capturing and recording security event details which can be used to detect unauthorised activity or can be used as part of a security incident investigation.

The following standards are recommended for monitoring the security and health of ICT systems:

- Security related event logging should be enabled at all times and protected from deliberate or accidental overwriting.
- A centralised monitoring solution may be used to capture ICT systems performance and security metrics. This system should:
  - Be capable and scaled to retain information long enough to meet legal and regulatory requirements.
  - Be restricted to those individuals who require access and not enabled so security logs can be overwritten (allowing network penetration to be hidden).
  - Report exceptions and plot long term performance or metrics over a period of time. This will allow detection of long running vulnerability scanning, periodic password cracking attempts and report on security attacks and any increases both in general terms and targeting of specific services.
- ICT staff who are responsible for the monitoring or security scanning must be familiar with the process of reviewing and interpreting security logs, either locally on computers or through a centralised system.
- Proactive system monitoring may be conducted by approved ICT staff to assess the current operating environment and identify any security risks. System monitoring activities should include the following checks at the frequency indicated:

Ref | Security Scans | Frequency
1 | Scanning of ICT host systems to assess any known vulnerabilities (commercial and open source tools are available to perform scans automatically). | Bi-monthly
2 | Scanning for unauthorised wireless networks. | 6 months
3 | Scanning the ICT network for unauthorised activity (scanning of services) and unauthorised ICT equipment. | Bi-monthly
4 | Security Information Event Management (SIEM). Detection of unauthorised changes to high risk services through integrity monitoring systems (this is typically implemented on services that are directly facing internet connections or within a security controlled environment like the DMZ). | Implement a standard report and exception report

- Server audits recording user activities, exceptions and information security events need to be configured for ICT services that are critical.
- Other security monitoring and proactive audits should be decided on a case by case basis. This may include:
  - Conducting external penetration testing to review external access and security visibility across the internet.
  - Implementing services like Intrusion Prevention and Intrusion Detection to provide an early warning of a security incident.
- Security audit collection and assessment tools are available to assist with the automation of this process but staff will still need to assess security reports or log files.

2.6 Backup and Recovery Standard

Backup and Recovery standards will ensure that business data and software is recoverable following an unscheduled computer outage or media failure. It is essential that appropriate standards are followed to maintain the availability of ICT services at CPIT. Backup and Recovery falls within the wider business continuity and disaster recovery requirements.

No single standard can be defined to cover all ICT data sources; rather the standard will differ dependent upon the acceptable time to recover data in the event of loss or corruption of the original data. Different standards are required for data that is critical to the operation of CPIT business. Nevertheless, it is essential to maintain the integrity and availability of ICT services that an over arching backup and recovery standard is necessary for taking backup copies of data, timely restoration and protecting the data.

The following standards apply:

Backup Standards

- Backups of essential information and software used must be performed on a regular basis following a defined cycle. This will ensure that information deemed essential to the operation of CPIT is available following a security incident.
- It is important that enterprise data, as defined in Appendix A, is backed up and can be restored within an acceptable timeframe as agreed as part of the Business Continuity and Disaster Recovery Plans.
- Documented standards must be defined and agreed by CPIT staff on which information is to be backed-up, the back-up cycles, agreed periods of reduced backup (e.g. over weekends or statutory holidays) and recovery times as indicated with the Business Service Catalogue.
- If the backup schedule includes incremental backups then a full backup is required weekly.
- In situations where Restricted Data is backed up; the backup should be protected by means of encryption or backups protected through a password.
- Detailed operational procedures must be maintained to ensure ICT staff understand the backup process undertaken and the steps involved to restore information.
- Backup strategies that include a backup to disk should also include a backup to other media to provide a second copy of data and mitigate the reliance on backups kept on disk.
- The Backup strategy should include backups at controlled time intervals, referred to as snap shots or time stamps. If the data is frequently changing and it is deemed unacceptable to the institution to rely on restored information from the previous day more frequent or online backup strategies may be necessary.

Restricted Data?
With reference to the CPIT data governance standards, restricted data is data containing sensitive or confidential information that if compromised could have a material adverse effect on Institutional interests, the operations of CPIT and the privacy to which individuals are entitled. Encrypting this data will incur additional time to perform the backup but is best practice to protect data from unauthorised access.

This will be agreed through the Disaster Recovery process but it is recommended that the approach taken is reviewed annually with the Institution data owners.

- Backups must be verified as part of the backup process (or a sub-set of backups should be verified).
- Backups must be retained for a period of time. Typically this is three generations of backup cycles.

Backup Media

- Backup tapes should be regularly recycled following the manufacturer's recommended shelf life for the media. Also note the disposal of backup media should follow the disposal standards defined within the Asset Management Standard.
- Backup tapes should be stored in a readily accessible location (ideally in a computer media fire proof safe) to enable the restoration process to start quickly. ICT staff must be familiar with the process to find and retrieve backup tapes.
- Backup tapes should also be located in a facility that is environmentally friendly to the media and is restricted to ICT staff.

Test your backups
Backup media deteriorates over time and it is important that ICT staff check that backups are recoverable and the data recovered is readable. Too many times a security incident occurs due to faulty media, poor backup processes being followed or hardware faults.

- Backup copies that are sent off-site must be stored for Disaster Recovery purposes and not the daily backups as this will increase the time to restore data whilst the media is returned onsite.
- Backup tapes that are sent off-site need to be transported in a secure manner to reduce the risk of backup tapes being lost or compromised.
- Backup tapes must be labelled to follow an agreed process and so that they are clearly identifiable.
- Tapes should be protected from accidental overwriting and be subject to the same level of protection as live information.

Backup Restoration and Testing

- Backup data must be regularly tested for readability.
- Restoration procedures should be reviewed quarterly to ensure that they are effective and can be completed within the time allotted in the Business Service Catalogue.
- Recovery of critical business applications should be tested annually, however, operational requests may mitigate this requirement.

3 COMMUNICATION STANDARD AND INFORMATION EXCHANGE

This section of the Security Standard defines the standard on communication and information exchange. The objective is to establish standards to protect the exchange of information through all types of communication facilities.

3.1 Email Standards

Email is now considered a critical mechanism for business communications. CPIT employees are encouraged to exchange information through email where the information exchange or transaction meets the acceptable use defined within the ICT Security Policy.

The following standards apply:

- CPIT employees are encouraged to use email to further the goals and objectives of the Institution.
- The institution follows the address format of [email protected] for all new accounts. This standard applies for all accounts.
- Broadcast emails to all CPIT staff are to be kept to a minimum and are acceptable only for approved business purposes. Individuals authorised to send broadcast emails must be approved by the ICT Director.
- Opening emails from an unknown or un-trusted source is a significant risk. The risks are emails that may contain a virus or contain a link to a website that when accessed will install a virus on the computer. There are also phishing emails which lure users to part with private information. Whilst technology is installed at CPIT to block these emails it is recommended that all users receive training to identify the threat and understand what to do when they receive emails from un-trusted sources.

Phishing Attacks
Phishing attacks are increasing and pose a significant risk to a business. Phishing typically involves an email that tries to lure users to part with their credit card details or username and password. More recently phishing attacks have been focussed on key staff rather than sending a general email. These attacks are referred to as spear phishing and can be very convincing when the attack is personalised and targeted. Besides using technology to block these attacks it is important that users are trained to identify a phishing attack and understand when unsure to contact the help desk.

The ICT Security Policy defines the following policies for using email:

- Email messages within the bounds of CPIT's email service are the property of the institution.
- The permanent re-directing of institution emails to a private account (for example, Yahoo, Hotmail or Gmail), rather than using remote access to email, is unacceptable practice.
- Email access will be terminated when the employee or third party terminates their association with CPIT, unless an extension has been agreed by the line manager.
- Email is not to be used for unsolicited mass mailings, political campaigning, dissemination of chain letters, and use by non-employees sending chain emails, malicious data (viruses), solicitation emails or any offensive material.
- Email accounts are provided for employee's sole use, it is not appropriate to send, reply or modify another employee's email account without the authority of the line Manager.
- Confidential or sensitive messages are not to be sent outside of the institution without authority of the originator or owner of the information contained within the email.
- Permission is required, from the originator of the message, to forward attachments that contain sensitive or confidential material.

3.2 Internet Standards

The ICT Security Policy defines what acceptable and unacceptable practice is when visiting internet sites. The types of activities that are encouraged and considered acceptable practice when using the internet are advised in the ICT Security Policy:

- Access to the internet and browsing web sites is to comply with the Acceptable Use Policy defined in section 2 of the ICT Security Policy.
- CPIT allows limited personal use of the Internet so long as it does not interfere with staff productivity, consume sustained high volume traffic or hinder others in their use of the Internet.
- Employees must not transmit sensitive institution information or information that is classified as restricted (within the data governance standards) through the Internet unless the information is encrypted to reduce the risk of data being compromised.
- The ICT Director has the right to block Internet sites that do not comply with the Acceptable Use Policy in the ICT Security Policy.

The following standards need to be considered to support the ICT Security Policy:

- ICT to ensure that all CPIT staff and students are aware of the ICT Security Policy's requirements and the acceptable use of the internet. It is recommended that the ICT induction process clearly defines what is acceptable and not acceptable when using the internet.
- ICT to provide CPIT with clear guidance on what internet services have been blocked as the use of these services may result in the excessive use of the Internet (whereby use of the Internet hinders others accessing the Internet) or they are considered non-business related sites.
- Make recommendations on internet sites to be blocked to the ICT Director who is authorised to block these sites on a case by case basis.

This is the end of the Communications and Operations Management Standard. This standard is one of six standards that provide advice and guidance on the best practices to follow when using and accessing ICT services. The other standards are available on the CPIT ICT intranet.

4 APPENDIX

4.1 CPIT Enterprise Data

Reference CPIT's data governance architecture.

Enterprise data is the term used when defining business data from a cross-functional process, services, and controls point of view. It focuses on the creation of accurate, consistent and transparent data content. There is emphasis on data precision, granularity and meaning and is concerned with how the content is integrated into business applications as well as how it is passed along from one business process to another. Treating data in this way brings clarity and consistency to system integration projects, data warehouses, service-oriented architectures, and other projects.

CPIT's Enterprise data is held in core databases defined in the table below.

HR + Payroll | Talent2 Alesco | Staff employment and payroll
SMS | Tribal | Student enquiries, Applications and Enrolments, Curriculum, Timetable, Assessment
Finance | Kypera | P&L, GL
Data Warehouse | MS SQLServer | BI, Reporting
Time Tabling | Tribal | Timetable, Room Booking
Asset Management | BEIMS | Assets, Maintenance
LMS | Moodle, Equella, Mahara | Teaching material, Student/Tutor interaction, Student Materials
CMS | CMS | Web Content Management
Programme & Course Repository | Programme documents
Document Management | SharePoint
IT Help Desk Service Level Expectations Revised: 01/09/2012
IT Help Desk Service Level Expectatins Revised: 01/09/2012 Overview The IT Help Desk team cnsists f six (6) full time emplyees and fifteen (15) part time student emplyees. This team prvides supprt fr 25,000+
Implementing an electronic document and records management system using SharePoint 7
Reprt title Agenda item Implementing an electrnic dcument and recrds management system using SharePint 7 Meeting Finance, Prcurement & Prperty Cmmittee 16 June 2008 Date Reprt by Dcument Number Head f
Backups and Backup Strategies
IT Security Office Versin 2.3 02/19/10 Backups and Backup Strategies IT managers need t plan fr backups in terms f time and space required. Hwever, mst mdern backup sftware can cmpress the backup files
State of Wisconsin. File Server Service Service Offering Definition
State f Wiscnsin File Server Service Service Offering Definitin Dcument Revisin Histry Date Versin Creatr Ntes 2/16/2008 1.0 JD Urfer First pass 2/16/2008 2.0 Tm Runge Editing changes 2/19/2009 2.1 Tm
Plus500CY Ltd. Statement on Privacy and Cookie Policy
Plus500CY Ltd. Statement n Privacy and Ckie Plicy Statement n Privacy and Ckie Plicy This website is perated by Plus500CY Ltd. ("we, us r ur"). It is ur plicy t respect the cnfidentiality f infrmatin and
Chief Finance and Operations Officer IfM Education and Consultancy Services (IfM ECS)
Chief Finance and Operatins Officer IfM Educatin and Cnsultancy Services (IfM ECS) Rle Summary IfM ECS disseminates the research and educatin utputs f the University f Cambridge Institute fr Manufacturing
RUTGERS POLICY. Responsible Executive: Vice President for Information Technology and Chief Information Officer
RUTGERS POLICY Sectin: 70.1.1 Sectin Title: Infrmatin Technlgy Plicy Name: Acceptable Use Plicy fr Infrmatin Technlgy Resurces Frmerly Bk: N/A Apprval Authrity: Senir Vice President fr Administratin Respnsible
Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply
Sectin 1 General Infrmatin RFR Number: (Reference BPO Number) Functinal Area (Enter One Only) F50B3400026 7 Infrmatin System Security Labr Categry A single supprt resurce may be engaged fr a perid nt t
Microsoft Certified Database Administrator (MCDBA)
Micrsft Certified Database Administratr (MCDBA) 460 hurs Curse Overview/Descriptin The MCDBA prgram and credential is designed fr individuals wh want t demnstrate that they have the necessary skills t
HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337
HIPAA Cmpliance 101 Imprtant Terms Cvered Entities (CAs) The HIPAA Privacy Rule refers t three specific grups as cvered entities, including health plans, healthcare clearinghuses, and health care prviders
Symantec User Authentication Service Level Agreement
Symantec User Authenticatin Service Level Agreement Overview and Scpe This Symantec User Authenticatin service level agreement ( SLA ) applies t Symantec User Authenticatin prducts/services, such as Managed
Key Steps for Organizations in Responding to Privacy Breaches
Key Steps fr Organizatins in Respnding t Privacy Breaches Purpse The purpse f this dcument is t prvide guidance t private sectr rganizatins, bth small and large, when a privacy breach ccurs. Organizatins
IT CONTROL ENVIRONMENT ASSESSMENT AND RECOMMENDATIONS REPORT
Chairpersn and Subcmmittee Members AUDIT AND RISK SUBCOMMITTEE 6 AUGUST 2015 Meeting Status: Public Purpse f Reprt: Fr Infrmatin IT CONTROL ENVIRONMENT ASSESSMENT AND RECOMMENDATIONS REPORT PURPOSE OF
Cloud Services Frequently Asked Questions FAQ
Clud Services Frequently Asked Questins FAQ Revisin 1.0 6/05/2015 List f Questins Intrductin What is the Caradigm Intelligence Platfrm (CIP) clud? What experience des Caradigm have hsting prducts like
How To Ensure That The Internet Is Safe For A Health Care Worker
POLICY Dc. Cde: IS I5 INTERNET - ACCEPTABLE USE Applicable t: MidCentral DHB Including MidCentral Health & Enable NZ Issued by: Infrmatin Systems Cntact: Manager Service Delivery 1. PURPOSE This plicy
TO: Chief Executive Officers of all National Banks, Department and Division Heads, and all Examining Personnel
AL 96-7 Subject: Credit Card Preapprved Slicitatins TO: Chief Executive Officers f all Natinal Banks, Department and Divisin Heads, and all Examining Persnnel PURPOSE The purpse f this advisry letter is
Data Protection Act Data security breach management
Data Prtectin Act Data security breach management The seventh data prtectin principle requires that rganisatins prcessing persnal data take apprpriate measures against unauthrised r unlawful prcessing
ACTIVITY MONITOR Real Time Monitor Employee Activity Monitor
ACTIVITY MONITOR Real Time Mnitr Emplyee Activity Mnitr This pwerful tl allws yu t track any LAN, giving yu the mst detailed infrmatin n what, hw and when yur netwrk users perfrmed. Whether it is a library
Organisational self-migration guide an overview V1-5 April 2014
Organisatinal self-migratin guide an verview V1-5 April 2014 Cpyright 2013, Health and Scial Care Infrmatin Centre. 1 Self Migratin t NHSmail an verview fr rganisatins Cntents Intrductin 3 1. Initial preparatins
CUSTOMER Information Security Audit Report
CUSTOMER Infrmatin Security Audit Reprt Versin 1.0 Date Wednesday, 18 January 2006 SafeCms Internet: www.safecms.cm Email: mailt:[email protected] 2001 Chartered Square Building. 20 th Fl, 152 Nrth Sathrn
Remote Working (Policy & Procedure)
Remte Wrking (Plicy & Prcedure) Publicatin Scheme Y/N Department f Origin Plicy Hlder Authrs Can be published n Frce Website Prfessinal Standards Department (PSD) Ch Supt Head f PSD IT Security Officer
LINCOLNSHIRE POLICE Policy Document
LINCOLNSHIRE POLICE Plicy Dcument 1. POLICY IDENTIFICATION PAGE POLICY TITLE: ICT CHANGE & RELEASE MANAGEMENT POLICY POLICY REFERENCE NO: PD 186 POLICY OWNERSHIP: ACPO Cmmissining Officer: Prtfli / Business-area
Electronic and Information Resources Accessibility Compliance Plan
Electrnic and Infrmatin Resurces Accessibility Cmpliance Plan Intrductin The University f Nrth Texas at Dallas (UNTD) is cmmitted t prviding a wrk envirnment that affrds equal access and pprtunity t therwise
Risk Management Policy AGL Energy Limited
Risk Management Plicy AGL Energy Limited AUGUST 2014 Table f Cntents 1. Abut this Dcument... 2 2. Plicy Statement... 2 3. Purpse... 2 4. AGL Risk Cntext... 3 5. Scpe... 3 6. Objectives... 3 7. Accuntabilities...
Introduction LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE. 2015 Savision B.V. savision.com All rights reserved.
Rev 7.5.0 Intrductin 2 LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE 2015 Savisin B.V. savisin.cm All rights reserved. This manual, as well as the sftware described in it, is furnished under license and
Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd
Audit Cmmittee Charter St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Versin 2.0, 22 February 2016 Apprver Bard f Directrs St Andrew
Implementing SQL Manage Quick Guide
Implementing SQL Manage Quick Guide The purpse f this dcument is t guide yu thrugh the quick prcess f implementing SQL Manage n SQL Server databases. SQL Manage is a ttal management slutin fr Micrsft SQL
AUDIT AND RISK COMMITTEE TERMS OF REFERENCE
AUDIT AND RISK COMMITTEE TERMS OF REFERENCE 1. TITLE OF COMMITTEE Audit and Risk Cmmittee 2. ESTABLISHMENT The Audit and Risk Cmmittee is established under Part 3 Sectin 19(1) f the Charles Darwin University
Research Report. Abstract: The Emerging Intersection Between Big Data and Security Analytics. November 2012
Research Reprt Abstract: The Emerging Intersectin Between Big Data and Security Analytics By Jn Oltsik, Senir Principal Analyst With Jennifer Gahm Nvember 2012 2012 by The Enterprise Strategy Grup, Inc.
SaaS Listing CA Cloud Service Management
SaaS Listing CA Clud Service Management 1. Intrductin This dcument prvides standards and features that apply t the CA Clud Service Management (CSM) SaaS ffering prvided t the Custmer and defines the parameters
Guidelines on Data Management in Horizon 2020
Guidelines n Data Management in Hrizn 2020 Versin 1.0 11 December 2013 Guidelines n Data Management in Hrizn 2020 Versin 16 December 2013 Intrductin In Hrizn 2020 a limited pilt actin n pen access t research
ensure that all users understand how mobile phones supplied by the council should and should not be used.
Mbile Phne Plicy & Guidance Intrductin This plicy is designed t safeguard bth the cuncil and users f mbile phnes supplied by Angus Cuncil. It aims t ensure that these are used effectively, fr their intended
SAEMA Document No. SDN. 14001
SAEMA Dcument N. SDN. 14001 Issue Date: 6 th Nvember 2012 Guidance dcument n facade access mechanical/ electrical breakdwn, rescue and rescue planning. Specialist Access Engineering and Maintenance Assciatin
CSC IT practix Recommendations
CSC IT practix Recmmendatins CSC Healthcare 28th January 2014 Versin 3 www.csc.cm/glbalhealthcare Cntents 1 Imprtant infrmatin 3 2 IT Specificatins 4 2.1 Wrkstatins... 4 2.2 Minimum Server with 1-5 wrkstatins
Professional Leaders/Specialists
Psitin Prfile Psitin Lcatin Reprting t Jb family Band BI/Infrmatin Manager Wellingtn Prfessinal Leaders/Specialists Band I Date February 2013 1. POSITION PURPOSE The purpse f this psitin is t: Lead and
KIK s GUIDE FOR LAW ENFORCEMENT
Thanks fr checking ut ur law enfrcement guide. Kik takes the safety f ur users very seriusly, and we hpe this guide will be a useful tl fr yu. It includes infrmatin abut ur app; the features and functins
UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES
UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES REFERENCES AND RELATED POLICIES A. UC PPSM 2 -Definitin f Terms B. UC PPSM 12 -Nndiscriminatin in Emplyment C. UC PPSM 14 -Affirmative
Oracle Cloud Enterprise Hosting and Delivery Policies
Oracle Clud Enterprise Hsting and Delivery Plicies Statement f Changes Versin 1.5, 6/01/2015 This dcument utlines changes made t the Oracle Clud Enterprise Hsting and Delivery Plicies dated December 1,
Financial Accountability Handbook
Financial Accuntability Handbk >> Vlume 5 Reprting Systems Infrmatin Sheet 5.2 Preparatin f Financial Statements Intrductin The Financial Accuntability Act 2009 (the Act) and the Financial and Perfrmance
DATE APPROVED March 2011. Version Date Comments / Changes 1.0 March 2011 Initial policy released
Page 1 f 11 APPROVED (S) REVISED / REVIEWED SUMMARY Versin Date Cmments / Changes 1.0 Initial plicy released 1. PURPOSE OF THIS POLICY T define the purpses fr which Crprate Purchase Cards are t be used
Magenta HR in partnership with breath ehr
BREATHEHR ONLINE HR SYSTEM AND PORTAL Magenta HR in partnership with breath ehr Magenta HR Cnsulting Ltd. 24 Canning Street, Edinburgh EH3 8EG Tel. 0131 2272769 www.magentahr.cm [email protected] 6 December
Service Desk Self Service Overview
Tday s Date: 08/28/2008 Effective Date: 09/01/2008 Systems Invlved: Audience: Tpics in this Jb Aid: Backgrund: Service Desk Service Desk Self Service Overview All Service Desk Self Service Overview Service
IT CHANGE MANAGEMENT POLICY
IT CHANGE MANAGEMENT POLICY Effective Date May 19, 2016 Crss-Reference 1. IT Operatins and Maintenance Plicy 2. IT Security Incident Management Plicy Respnsibility Apprver Review Schedule 1. Plicy Statement
Licensing Windows Server 2012 R2 for use with virtualization technologies
Vlume Licensing brief Licensing Windws Server 2012 R2 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 R2 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents
Hillsborough Board of Education Acceptable Use Policy for Using the Hillsborough Township Public Schools Network
2361/Page 1 f 6 Hillsbrugh Bard f Educatin Acceptable Use Plicy fr Using the Hillsbrugh Twnship Public Schls Netwrk It is the gal f the HTPS (Hillsbrugh Twnship Public Schls) Netwrk t prmte educatinal
esupport Quick Start Guide
esupprt Quick Start Guide Last Updated: 5/11/10 Adirndack Slutins, Inc. Helping Yu Reach Yur Peak 908.725.8869 www.adirndackslutins.cm 1 Table f Cntents PURPOSE & INTRODUCTION... 3 HOW TO LOGIN... 3 SUBMITTING
General Records Authority 33. Accredited Training
General Recrds Authrity 33 2012/00579704 Accredited Training February 2013 This is an accurate reprductin f the authrised recrds authrity cntent, created fr accessibility purpses CONTENTS INTRODUCTION
EA-POL-015 Enterprise Architecture - Encryption Policy
Technlgy & Infrmatin Services EA-POL-015 Enterprise ure - Encryptin Plicy Authr: Craig Duglas Date: 17 March 2015 Dcument Security Level: PUBLIC Dcument Versin: 1.0 Dcument Ref: EA-POL-015 Dcument Link:
BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS
BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS SERIES: 1 General Rules RULE: 17.1 Recrd Retentin Scpe: The purpse f this rule is t establish the systematic review, retentin and destructin
Accident Investigation
Accident Investigatin APPLICABLE STANDARD: 1960.29 EMPLOYEES AFFECTED: All emplyees WHAT IS IT? Accident investigatin is the prcess f determining the rt causes f accidents, n-the-jb injuries, prperty damage,
Nuance Healthcare Services Project Delivery Methodology
NUANCE PROFESSIONAL SERVICES Nuance Healthcare Services 2008 Nuance Cmmunicatins, Inc. All rights reserved. Nuance Healthcare Services 1 INTRODUCTION This dcument describes the prject management methdlgy
Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2.
Oracle s Hyperin Data Integratin Management Release 9.2.1 Readme Readme File This file cntains the fllwing sectins: Purpse... 1 Intrductin t Data Integratin Management... 1 Data Integratin Management Adapters...
SBClient and Microsoft Windows Terminal Server (Including Citrix Server)
SBClient and Micrsft Windws Terminal Server (Including Citrix Server) Cntents 1. Intrductin 2. SBClient Cmpatibility Infrmatin 3. SBClient Terminal Server Installatin Instructins 4. Reslving Perfrmance
Change Management Process
Change Management Prcess B1.10 Change Management Prcess 1. Intrductin This plicy utlines [Yur Cmpany] s apprach t managing change within the rganisatin. All changes in strategy, activities and prcesses
Gravesham Borough Council
Classificatin: Part 1 Public Key Decisin: Please specify - N Gravesham Brugh Cuncil Reprt t: Perfrmance and Administratin Cmmittee Date: 12 Nvember 2015 Reprting fficer: Subject: Crprate Perfrmance Manager
DisplayNote Technologies Limited Data Protection Policy July 2014
DisplayNte Technlgies Limited Data Prtectin Plicy July 2014 1. Intrductin This dcument sets ut the bligatins f DisplayNte Technlgies Limited ( the Cmpany ) with regard t data prtectin and the rights f
MaaS360 Cloud Extender
MaaS360 Clud Extender Installatin Guide Cpyright 2012 Fiberlink Cmmunicatins Crpratin. All rights reserved. Infrmatin in this dcument is subject t change withut ntice. The sftware described in this dcument
