National Information Systems And Network Security Standards & Guidelines. Version 3.0. The National Information Technology Development Agency (NITDA)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "National Information Systems And Network Security Standards & Guidelines. Version 3.0. The National Information Technology Development Agency (NITDA)"

Transcription

1 National Information Systems And Network Security Standards & Guidelines Version 3.0 Published by The National Information Technology Development Agency (NITDA) January 2013

2 Table of Contents Section One Preamble Authority Scope Application...7 Section Two:... 8 Part 1:... Standards for the Categorization Of Information for Security Management Purpose Information Security Categorization Standards Security Objectives Data Categorization Tasks Data Security Measures Part 2:... Guidelines for the Categorization of Information for Security Management Security Categorization Guideline Classification of Potential Impact of Security Breach on Organizations and Individuals The potential impact shall be classified as LOW if: The potential impact is HIGH if: Security Categorization Applied to Information Types Security Categorization Applied to Information Systems Section Three Part 1:... Minimum Security Requirements For National Information And Information Systems Purpose Information System Impact Levels Minimum Security Requirements SECURITY CONTROL SELECTION Actionable Tasks and Policies for the MDA s Server Security General server Configuration Guidelines Monitoring The Acceptable System Use Policy The Password Policy: Part 2:... Guidelines for Minimum Security Requirements for National Information and Information Systems

3 3.6 Specifications for Minimum Security Requirements (Metrics of Security) General Password Construction Guidelines Password Protection Standards Section Four: Part 1: Standards for Intrusion Detection And Prevention Systems (IDPS) Purpose Part 2:... Guidelines for Intrusion Detection and Prevention Types of Intrusion Detection and Prevention System (IDPS) General Incident Reporting guideline/policy Section Five: Part 1:... Standard for Protecting the Confidentiality of Object Identifiable Information (OII) Purpose Introduction and Identification of OII The Potential Impact Of Inappropriate Access To OII Methods For Protecting The Confidentiality Of Oii And Factors For Determining Oii Confidentiality Impact Levels Overview Distinguish ability Aggregation and Data Field Sensitivity Obligation to Protect Confidentiality Access to and Location of the OII General Protection Measures Part 2:... Guidelines for Protecting the Confidentiality of Object Identifiable Information (OII) Introduction and Identification of OII Examples of OII Data OII and Fair Information Practices The potential impact of inappropriate access to OII Impact Level Definitions Methods for protecting the confidentiality of OII and Factors for Determining OII Confidentiality Impact Levels Overview Distinguish ability Aggregation and Data Field Sensitivity Context of Use

4 6.0 Obligation to Protect Confidentiality Access to and Location of the OII OII Confidentiality Impact Level Examples Education, Training, and Awareness De-Identifying Information Anonymous Information Security Controls Recommendations for developing an incident response plan for breaches involving OII Preparation Detection and Analysis Containment, Eradication, and Recovery Post-Incident Activity Section Six Part 1:... Standards On Securing Public Web Server Purpose Web Server Policy Web Server Risk General Configuration Standard Part 2:... Guidelines on Securing Public Web Server Guidelines Deployment Of A Public Web Server Organizations must implement required security management practices and controls when maintaining and operating a secure Web server Organizations must ensure that Web server operating systems are deployed, configured, and managed to meet the security requirements of the organization Organizations must ensure that the Web server application is deployed, configured, and managed to meet the security requirements of the organization Organizations must take steps to ensure that only required content is published on a Web site Organizations must ensure that required steps are taken to protect Web content from unauthorized access or modification Organizations must use active content judiciously after balancing the benefits gained against the associated risks Organizations must use authentication and cryptographic technologies as required to protect any sensitive data Organizations must employ their network infrastructure to help protect their public Web servers

5 Organizations must commit to the continuous maintenance of the security of public Web servers to ensure continued security Web Application implementation guideline and policy Application Service Provider guideline The Internet DMZ Equipment Guidelines GENERAL SECURITY CONCEPT Section Seven Part 1:... Standards on Firewalls and Firewall Policy Purpose The Placement of the Firewalls within the Network Architecture with Multiple Layers of Firewalls Policies Based on IP Addresses and Protocols IP Addresses and Other IP Characteristics TCP and UDP IPsec Protocols Policies Based on Applications Virtual Private Network (VPN) Policy Policy Malicious Application and Virus Policy and Guidelines Part 2:... Guidelines on Firewalls and Firewall Policy General Guidelines and introduction on Firewalls and Firewall Policy Create a firewall policy that specifies how firewalls should handle network traffic Identify all requirements that should be considered when determining which firewall to implement Create rulesets that implement the organization s firewall policy while supporting firewall performance Manage firewall architectures, policies, software, and other components throughout the life of the firewall solutions Types of Firewall Host-Based Firewalls and Personal Firewalls Personal Firewall Appliances Distributed Firewalling Function-Specific Firewalls PBX Firewall XML Firewall Firewall Section Eight

6 Part 1:... Cyber Forensic Standards Purpose OVERALL ACTION PLAN FOR IMPLEMENTATION OF CYBER FORENSIC Part 2:... Cyber Forensic Guidelines General Guideline and Overview of Cyber Forensic The Tool Capabilities and Features: Handling of Retained Data The Data Handover Interface The Security framework Data exchange techniques Backward and Update Compatibility Guideline and Policy for Acceptable Encryption

7 Section One 1.1 Preamble The National Information Technology Development Agency (NITDA) is mandated by the NITDA Act of 2007 to develop Information Technology in Nigeria through regulatory policies, guidelines, standards, and incentives. Part of that mandate is to ensure the safety of the Nigerian cyberspace and a successful implementation of an electronic government program. Many establishments have migrated their businesses to the online environment. Information networks in both the private and public sectors now drive service delivery in the country. These networks have thus become critical information infrastructure which must be safeguarded. This document provides: Clear statement of government wide directives concerning National Information Systems and Network Security Standards and Guidelines. Coordination of National Information Systems and Network Security Standards and Guidelines across branches of government. Assist Ministries Departments and Agencies in the development, maintenance and administration of National Information Systems and Network Security Standards and Guidelines. Standards and Guideline to ease the tasks of support personnel Standards and Guidelines for deployment of Information networks that are secured The document contains eight sections, section two to section eight are in two parts. Part 1 contains the Standards while Part 2 contains the Guidelines. 1.2 Authority National Information Systems and Network Security Standards and Guidelines are issued by the National Information Technology Development Agency (NITDA) in accordance with NITDA Act A breach of these standards shall be deemed to be a breach of the Act. These standards are mandatory for Federal, State and Local Government Agencies and institutions as well as private sector organizations which own, use or deploy critical information infrastructure of the Federal Republic of Nigeria. They serve as reference for systems auditors, network administrators and security personnel, among others. Additional security guidelines may be developed and used at Agency discretion in accordance with these standards. 6

8 MDA s are mandated to use the reporting documents in the appendix to report compliance to NITDA on quarterly basis. 1.3 Scope This document prescribes minimum standards on 7 primary areas of network security and cyber forensic: 1. Categorization of information 2. Minimum security requirements 3. Intrusion detection and protection 4. Protection of OII 5. Securing public web server 6. System firewall 7. Cyber forensic It is issued pursuant to sections 6 and 17 of the National Information Technology Development Agency Act 2007 and is subject to periodic review by NITDA. 1.4 Application The standards contained herein shall apply to: Public Sector organizations, including: Federal and State Ministries Federal and State Departments, Federal and State Agencies Local Governments Private Sector Organizations and Companies Non-Governmental Organizations (NGOs) 7

9 Section Two: Part 1: Standards for the Categorization Of Information for Security Management 2.1 Purpose This section of the document: A. Sets minimum standards to be adopted by all organizations that do business in Nigeria for the categorization of all information collected, processed and stored using ICT systems based on the objectives of providing required levels of information security according to risk levels, threat thresholds, and impact in order to guarantee : Confidentiality Integrity Availability, and Survivability and continuity business processes and information systems in Nigeria. B. Provides guidelines on information security control areas within each category. C. Prescribes minimum information security requirements for the management operation, and technical controls for information in each category. 2.2 Information Security Categorization Standards This document establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals Security Objectives The five security objectives of information and information systems specified in these standards are: 1) Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. 8

10 2) Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. 3) Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. 4) Survivability: Ensuring that services continue and those business operations survive a security breach. Survivability is lost in a case of complete disruption of operations and discontinuation of services 5) Authenticity This means that the data (source), security level, user, time and location are required to be authenticated Data Categorization Tasks These standard and guideline applies to all MDA s data categories and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). The standards applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.). All MDA s are required to maintain data in a secure, accurate, and reliable manner as specified in and be readily available for authorized use. Data security measures must be implemented commensurate with data sensitivity and risk. I. Data should be classified into one of the following categories: a. Restricted the disclosure of which to unauthorized persons would be a violation of federal or state laws and contracts. b. Public data to which the general public may be granted access in accordance with the available laws. II. Data in both categories require security measures to the degree of which the loss or corruption of the data would impair the business or service functions of the MDA, result in financial loss, or violate law, standards and guidelines. Security measures for data must be set by the data custodian, working in cooperation with the data stewards, as defined below. The following roles and responsibilities must be established for enforcing data standards and guidelines: a. Data Trustee: Data trustees are senior MDA officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire MDA. 9

11 b. Data Steward: Data stewards must be MDA officials having direct operational-level responsibility for information management - usually department directors. Data stewards are responsible for data access and policy implementation issues. c. Data Custodian: Information Technology Services/Department (ITS) is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information. d. Data User: Data users are individuals who need and use MDA data as part of their assigned duties or in fulfillment of assigned roles or functions within the organization. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data Data Security Measures All MDA s are required to adopt measures for data security as stated by the data-classification level. Required measures includes the following: I. Encryption requirements II. III. IV. Data protection and access control Documented backup and recovery procedures Change control and process review V. Data-retention requirements VI. VII. VIII. Data disposal Audit controls Storage locations 10

12 Part 2: Guidelines for the Categorization of Information for Security Management 2.3 Security Categorization Guideline The following are various levels and types of Information categorization as envisioned in the STANDARD s part for categorization of information for security management: i. Information is categorized according to its information type. An information type is a specific category of information (e.g., private, confidential, secrete) as defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation. ii. Information is also categorized according to value, owner, types of access, custodian, retention, user, and etc. iii. Information must also be classified according to the level of impact of adverse effects should the threats materialize (High, Moderate, Low, Not Applicable) iv. System information (e.g. network routing tables, password files, and cryptographic key management information) must be protected at a level commensurate with the most critical or sensitive user information being processed, stored, or transmitted by the information system to ensure confidentiality, integrity, availability and survivability. v. The potential impact value of not applicable only applies to the security objective of confidentiality. vi. It is recognized that information systems are composed of both programs and information. Programs in execution within an information system (i.e., system processes) facilitate the processing, storage, and transmission of information and are necessary for the organization to conduct its essential mission-related functions and operations. These system processing functions also require protection and are subject to security categorization as well. vii. Location based classification; the same issue is required also for the location. Information is secure when kept in a special location. viii. In general security matrix has at least five dimensions: a. Information Type b. Sensitiveness: Public, Secret, Confidential, c. Action: Creation, Modification, Keep, d. Transfer, Purge, Duplicate, Read, Process e. User: The categories of users of Info. System. f. Time: When the data is accessible, nights, holidays? 11

13 g. Location: Where can I KEEP (Act) on information? Note for Example: A chunk of information is in level A; means it is top secret. It can be created only by level H staff, Carried by level G staff, Never Duplicated by anybody, urged only by level G staff. Level G staff cannot read it. Level G staff can keep it at most for 5 hours during the working hours of working days. This web site could only be accessed within the governmental premises etc. 2.4 Classification of Potential Impact of Security Breach on Organizations and Individuals This Publication defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest The potential impact shall be classified as LOW if: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means for instance that the loss of confidentiality, integrity, or availability might: (i) (ii) (iii) (iv) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; result in minor damage to organizational assets; result in minor financial loss; or result in minor harm to individuals The potential impact is MODERATE if: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means for instance that the loss of confidentiality, integrity, or availability might: (i) (ii) (iii) (iv) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; result in significant damage to organizational assets; result in significant financial loss; or result in significant harm to individuals that does not involve loss of life or serious life threatening injuries. 12

14 2.4.3 The potential impact is HIGH if: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic effect on organizational operations, organizational assets, or individuals. A severe or catastrophic effect means for instance that the loss of confidentiality, integrity, or availability might: (i) (ii) (iii) (iv) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; result in major damage to organizational assets; result in major financial loss; or result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries. 2.5 Security Categorization Applied to Information Types The security category of an information type may be associated with both user information and system information and can be applicable to information in either electronic or non-electronic form. It must also be used as input in considering the required security category (SC) of an information system (see description of security categories for information systems below). Establishing a required security category of an information type shall be based on the potential impact for each security objective associated with the particular information type. The format for expressing the security category, SC, of an information type is: SC information type: {(confidentiality, impact), (integrity, impact), (availability, impact)} where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE. EXAMPLE 2.1: If an organization managing public information on its web server determines that there is no potential impact from a loss of confidentiality (i.e., confidentiality requirements are not applicable), a moderate potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. The resulting security category, SC, of this information type is expressed as: SC public information = {(confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, MODERATE)}. EXAMPLE 2.2: If a law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the 13

15 potential impact from a loss of availability is moderate. The resulting security category, SC, of this information type is expressed as: SC investigative information = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}. EXAMPLE 2.3: If a financial organization managing routine administrative information (not privacy-related information) determines that the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low, the resulting security category, SC, of this information type shall be expressed as: SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}. 2.6 Security Categorization Applied to Information Systems In determining the security category of an information system consideration must be given to the security categories of all information types resident on the information system. For an information system, the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water mark) from among those security categories that have been determined for each type of information resident on the information system. The format for expressing the security category, SC, of an information system is: SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)} where the acceptable values for potential impact are LOW, MODERATE, or HIGH. Under this section the value of not applicable cannot be assigned to any security objective in the context of establishing a security category for an information system. This is in recognition that there is a low minimum potential impact (i.e., low water mark) on the loss of confidentiality, integrity, and availability for an information system due to the fundamental requirement to protect the system-level processing functions and information critical to the operation of the information system. EXAMPLE 2.4: An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information, if the management within the contracting organization determines that: (i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and 14

16 (ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low, the resulting security categories, SC, of these information types shall be expressed as: SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}, and SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}. The resulting security category of the information system is expressed as: SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}, representing the high water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system. EXAMPLE 2.5: Where a power plant contains a SCADA (supervisory control and data acquisition) system controlling the distribution of electric power for a large military installation, where also the SCADA system contains both real-time sensor data and routine administrative information, and where the management at that power plant determines that: (i) (ii) for the sensor data being acquired by the SCADA system, there is no potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability; and for the administrative information being processed by the system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability, the resulting security categories, SC, of these information types shall be expressed as: SC sensor data = {(confidentiality, NA), (integrity, HIGH), (availability, HIGH)}, and SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}. The resulting security category of the information system is initially expressed as: SC SCADA system = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)}, representing the high water mark or maximum potential impact values for each security objective from the information types resident on the SCADA system. The management at the power plant chooses to increase the potential impact from a loss of confidentiality from low to moderate reflecting a more realistic view of the potential 15

17 impact on the information system should there be a security breach due to the unauthorized disclosure of system-level information or processing functions. The final security category of the information system is expressed as: SC SCADA system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}. 16

18 Section Three Part 1: Minimum Security Requirements For National Information And Information Systems 3.1 Purpose This section of the document: a) Provides Standards on information system impact levels; b) Prescribes list of minimum information security requirements for the management, operation, and technical controls for information in each category. c) Provides actionable and tasked standards on security measures for all MDA s on Network, Server, System acceptable use, Password guidelines, Physical Location and Security policy. 3.2 Information System Impact Levels Organizations are required to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e., high water mark) from among the security categories that have been determined for each type of information resident on those information systems. The generalized format for expressing the security category (SC) of an information system shall be: SC Information System = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate, or high. Explanatory Note: a) For the purpose of this document, an information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information resources include information and related resources, such as personnel, equipment, funds, and information technology. b) The high water mark concept is employed in these Standards owing to significant dependencies among the security objectives of confidentiality, integrity, and availability. In most cases, a compromise in one security objective ultimately affects the other security objectives. c) Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. The determination of 17

19 information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of required security controls for those information systems. 3.3 Minimum Security Requirements The minimum security requirements cover the following security-related areas with regard to protecting the confidentiality, integrity, availability and survivability of information systems and the information processed, stored, and transmitted by those systems. The security-related areas include: i. access control, identification and authentication; ii. iii. iv. awareness and training; audit and accountability; certification, accreditation, and security assessments; v. configuration management; vi. vii. viii. ix. contingency planning; incident response; maintenance; media protection; x. physical and environmental protection; xi. xii. xiii. xiv. xv. xvi. planning; personnel security; risk assessment; systems and services acquisition; system and communications protection; and System and information integrity. The areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems. Policies and procedures play an important role in the effective implementation of enterprise-wide information security programs within the government/ private systems and the success of the resulting security measures employed to protect federal information and information systems. Thus, organizations are required to develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation. 18

20 3.4 SECURITY CONTROL SELECTION Organizations are required to meet the minimum security requirements in this standard by selecting the required security controls and assurance requirements as described by NITDA. The process of selecting the required security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Security categorization of information and information systems, as required by NITDA Publication is the first step in the risk management process. Subsequent to the security categorization process, organizations must select required set of security controls for their information systems that satisfy the minimum security requirements set forth in this standard. The selected set of security controls must include one of three tailored security control baselines from NITDA that are associated with the designated impact levels of the organizational information systems as determined during the security categorization process. - For low-impact information systems, organizations must, as a minimum, employ tailored security controls from the low baseline of security controls and must ensure that the minimum assurance requirements associated with the low baseline are satisfied. - For moderate-impact information systems, organizations must, as a minimum, employ tailored security controls from the moderate baseline of security controls defined and must ensure that the minimum assurance requirements associated with the moderate baseline are satisfied. - For high-impact information systems, organizations must, as a minimum, employ tailored security controls from the high baseline of security controls defined and must ensure that the minimum assurance requirements associated with the high baseline are satisfied. Organizations must employ all security controls in the respective security control baselines. Security categorization must be accomplished as an enterprise-wide activity with the involvement of senior-level organizational officials including, but not limited to, chief information officers, senior Organizations information security officers, authorizing officials (a.k.a. accreditation authorities), information system owners, and information owners. To ensure a cost-effective, risk-based approach to achieving adequate security across the organization, security control baseline tailoring activities must be coordinated with and approved by required organizational officials (e.g., chief information officers, senior Organizations information security officers, authorizing officials, or authorizing officials designated representatives). The resulting set of security controls must be documented in the security plan for the information system. 19

21 3.5 Actionable Tasks and Policies for the MDA s Server Security This policy applies to server equipment owned and/or operated by the MDA and to servers registered under any MDA owned internal network domain. This policy is specifically for equipment on the internal MDA network. All internal servers deployed at MDA must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by management. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes reviews. Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact: Server contact(s) and location, and a backup contact Hardware and Operating System/Version Main functions and applications, if applicable Information in the corporate enterprise management system must be kept up-to-date. Configuration changes for production servers must follow the required change management procedures of the organization General server Configuration Guidelines Operating System configuration should be in accordance with approved NITDA guidelines. Services and applications that will not be used must be disabled where practicable. Access to services should be logged and/or protected through access-control methods such as TCP Wrappers. The most recent security patches must be installed on the system as soon as practicable, the only exception being when immediate application would interfere with business requirements. Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do. Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do. If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec). Servers should be physically located in an access-controlled environment. Servers are specifically prohibited from operating from uncontrolled cubicle areas. 20

22 3.5.3 Monitoring All security-related events on critical or sensitive systems must be logged and audit trails saved as follows: i. All security related logs will be kept online for a minimum of 1 week. ii. iii. iv. Daily incremental tape backups will be retained for at least 1 month. Weekly full backups of logs will be retained for at least 1 month. Monthly full backups will be retained for a minimum of 2 years. Security-related events will be reported to Operation group, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to: Port-scan attacks i. Evidence of unauthorized access to privileged accounts ii. Anomalous occurrences that are not related to specific applications on the host The Acceptable System Use Policy The purpose of this standrad is to outline the acceptable use of computer equipment at MDAs. These rules must be put in place to protect the employee and MDA. Inappropriate use exposes MDA to risks including virus attacks, compromise of network systems and services, and legal issues. This policy applies to employees, contractors, consultants, temporaries, and other workers at MDA, including all personnel affiliated with third parties. This policy applies to all General Use and Ownership i. While MDA s network administration desires to provide a reasonable level of privacy, users must be aware that the data they create on the corporate systems remains the property of the MDA. Because of the need to protect MDA s network, management cannot guarantee the confidentiality of information stored on any network device belonging to MDA. ii. Employees must be responsible to exercise good judgment regarding the reasonableness of personal use. Individual departments must responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager iii. NITDA recommends that any information that users consider sensitive or vulnerable be encrypted. 21

23 iv. For security and network maintenance purposes, authorized individuals within MDA should monitor equipment, systems and network traffic at any time. v. MDA reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy Security and Proprietary Information a) The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines. Examples of confidential information include but are not limited to: organization private details, corporate strategies, competitor sensitive details, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information. b) Passwords must be kept secured and not shared. Authorized users must be responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months. c) All PCs, laptops and workstations must be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Win2K users) when the host will be unattended. d) Must use encryption of information in compliance with International standard Acceptable Encryption Use policy. e) Because information contained on portable computers is especially vulnerable, special care must be exercised. Protect laptops in accordance with the Laptop Security Tips. f) Postings by employees from a MDA address to newsgroups must contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of MDA, unless posting is in the course of business duties. 22

24 g) All hosts used by the employees for official business must be connected to the MDA Internet/Intranet/Extranet, whether owned by the employee or MDA, shall be continually executing approved virus-scanning software with a current virus database. h) Employees must use extreme caution when opening attachments received from unknown senders, which may contain viruses, bombs, or Trojan horse code. i) To deter SPAM and Spoofing, MDA s must use any of the three authentication systems: 1. Sender policy framework (SPF) 2. Sender ID 3. Domain Keys Identified Mail (DKIM) Unacceptable Use The following activities are, in general, prohibited. Employees may be exempted from these restrictions: during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances is an employee of MDA authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing MDA-owned resources The Password Policy: Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of MDA s entire corporate network. As such, all MDA employees (including contractors and vendors with access to MDA systems) must be responsible for taking the required steps, as outlined below, to select and secure their passwords. The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any MDA facility, has access to the MDA network, or stores any non-public MDA information Operational Practice a. All system-level passwords (e.g., root, enable, OS admin, application administration accounts, etc.) must be changed on at least a quarterly basis. 23

25 b. All production system-level passwords must be part of the enterprise administered global password management database. c. All user-level passwords (e.g., , web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months. d. User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user. e. Passwords must not be inserted into messages or other forms of electronic communication. f. Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. 24

26 Part 2: Guidelines for Minimum Security Requirements for National Information and Information Systems This section of the document: a. Provides guidelines on information system impact levels; b. Prescribes list of minimum information security requirements for the management, operation, and technical controls for information in each category. c. Provides actionable and tasked policy on security measures for all MDA s on Network, Server, System acceptable use, Password guidelines, Physical Location and Security policy. 3.6 Specifications for Minimum Security Requirements (Metrics of Security) Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. Access Control implementations must include Administrative Safeguards (i.e. Personnel Security (PS) Due care in delegating authority), Technical Safeguards (i.e. Identification and Authentication (IA)) and Physical Safeguards (i.e. Physical and Environmental Protection (PE)): 1. Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. 2. Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 3. Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide required environmental controls in facilities containing 25

27 information systems. 4. Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. 5. Audit and Accountability (AU): Organizations must: (i) store, protect, and retain both content and Non content information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions; (iii) store and keep such audit records in accordance with subsisting legislation; (iv) must ensure that such stored logs are secured and must only be retrieved for analysis upon compelled to do so in the course investigations. 6. Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. 7. Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems. 8. Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. 9. Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to required organizational officials and/or authorities. 10. Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective 26

National Information Systems And Network Security Standards & Guidelines

National Information Systems And Network Security Standards & Guidelines National Information Systems And Network Security Standards & Guidelines Version 3.0 Published by National Information Technology Development Agency (NITDA) January 2013 Table of Contents Section One...

More information

National Information Systems And Network Security Standards & Guidelines

National Information Systems And Network Security Standards & Guidelines National Information Systems And Network Security Standards & Guidelines Version 3.0 Published by National Information Technology Development Agency (NITDA) January 2013 Table of Contents Section One...3

More information

Minimum Security Requirements for Federal Information and Information Systems

Minimum Security Requirements for Federal Information and Information Systems FIPS PUB 200 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Minimum Security Requirements for Federal Information and Information Systems Computer Security Division Information Technology Laboratory

More information

Standards for Security Categorization of Federal Information and Information Systems

Standards for Security Categorization of Federal Information and Information Systems FIPS PUB 199 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Standards for Security Categorization of Federal Information and Information Systems Computer Security Division Information Technology

More information

REGION 19 HEAD START. Acceptable Use Policy

REGION 19 HEAD START. Acceptable Use Policy REGION 19 HEAD START Acceptable Use Policy 1.0 Overview Research, Evaluation, Assessment and Information Systems (R.E.A.I.S.) intentions for publishing an Acceptable Use Policy are not to impose restrictions

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

AASTMT Acceptable Use Policy

AASTMT Acceptable Use Policy AASTMT Acceptable Use Policy Classification Information Security Version 1.0 Status Not Active Prepared Department Computer Networks and Data Center Approved Authority AASTMT Presidency Release Date 19/4/2015

More information

1.0 Overview. 4.0 Policy 4.1 General Use and Ownership

1.0 Overview. 4.0 Policy 4.1 General Use and Ownership 1.0 Overview Keuka College provides access to modern information technology in support of its mission to promote excellence and achievement across its mission areas of instruction, research, and service.

More information

(i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials.

(i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials. 1. Credential Policy General In order to maintain the security of MOD Mission Critical internal databases, access by software programs must be granted only after authentication with credentials. The credentials

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure

ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure MANUAL: Hospital Wide SECTION: Information Technology SUBJECT: Acceptable Use of Information Systems Policy IMPLEMENTATION: 01/2011 CONCURRENCE:

More information

Acceptable Use Policy

Acceptable Use Policy 1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established culture of openness,

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

United Tribes Technical College Acceptable Use Policies for United Tribes Computer System

United Tribes Technical College Acceptable Use Policies for United Tribes Computer System United Tribes Technical College Acceptable Use Policies for United Tribes Computer System 1.0 Policy The purpose of this policy is to outline the acceptable use of computer equipment at United Tribes Technical

More information

Get Confidence in Mission Security with IV&V Information Assurance

Get Confidence in Mission Security with IV&V Information Assurance Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

Dr. Ron Ross National Institute of Standards and Technology

Dr. Ron Ross National Institute of Standards and Technology Managing Enterprise Risk in Today s World of Sophisticated Threats A Framework for Developing Broad-Based, Cost-Effective Information Security Programs Dr. Ron Ross National Institute of Standards and

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy 1. Overview Nicholas Financial Inc. s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Nicholas Financial s established culture

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

DATA SECURITY AGREEMENT. Addendum # to Contract #

DATA SECURITY AGREEMENT. Addendum # to Contract # DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Information Technology Acceptable Use Policy

Information Technology Acceptable Use Policy Information Technology Acceptable Use Policy Overview The information technology resources of Providence College are owned and maintained by Providence College. Use of this technology is a privilege, not

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

CTR System Report - 2008 FISMA

CTR System Report - 2008 FISMA CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

E-mail Policy Of Government of India

E-mail Policy Of Government of India E-mail Policy Of Government of India October 2014 Version 1.0 Department of Electronics and Information Technology Ministry of Communications and Information Technology Government of India New Delhi -

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

IT Security Management Risk Analysis and Controls

IT Security Management Risk Analysis and Controls IT Security Management Risk Analysis and Controls Steven Gordon Document No: Revision 770 3 December 2013 1 Introduction This document summarises several steps of an IT security risk analysis and subsequent

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA AND PACIFIC OFFICE ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT DRAFT Second Edition June 2010 3.4H - 1 TABLE OF CONTENTS 1.

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy

More information

Subject: Computers & Electronic Records. Responsible Party: Part C Coordinator

Subject: Computers & Electronic Records. Responsible Party: Part C Coordinator POLICIES AND PROCEDURES NEW JERSEY EARLY INTERVENTION SYSTEM No: NJEIS-17 Subject: Computers & Electronic Records Effective Date: May 1, 2011 Responsible Party: Part C Coordinator I. Purpose To protect

More information

Recommended Security Controls for Federal Information Systems and Organizations

Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations JOINT TASK FORCE TRANSFORMATION INITIATIVE I N F O R M A T I O N S E C U R I T

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

NIST Special Publication 800-60 Version 2.0 Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories

NIST Special Publication 800-60 Version 2.0 Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories NIST Special Publication 800-60 Version 2.0 Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories William C. Barker I N F O R M A T I O N S E C U R I T Y Computer

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

APHIS INTERNET USE AND SECURITY POLICY

APHIS INTERNET USE AND SECURITY POLICY United States Department of Agriculture Marketing and Regulatory Programs Animal and Plant Health Inspection Service Directive APHIS 3140.3 5/26/2000 APHIS INTERNET USE AND SECURITY POLICY 1. PURPOSE This

More information

Policy on the Security of Informational Assets

Policy on the Security of Informational Assets Policy on the Security of Informational Assets Policy on the Security of Informational Assets 1 1. Context Canam Group Inc. recognizes that it depends on a certain number of strategic information resources

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) Below you will find the following sample policies: Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) *Log in to erisk Hub for

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE: Policy No: TITLE: AP-AA-17.2 Data Classification and Data Security ADMINISTERED BY: Office of Vice President for Academic Affairs PURPOSE EFFECTIVE DATE: CANCELLATION: REVIEW DATE: August 8, 2005 Fall

More information

Network Security Policy

Network Security Policy Network Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED QUESTIONS

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

FSIS DIRECTIVE 1306.3

FSIS DIRECTIVE 1306.3 UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.3 REVISION 1 12/13/12 CONFIGURATION MANAGEMENT (CM) OF SECURITY CONTROLS FOR INFORMATION SYSTEMS

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

Wellesley College Written Information Security Program

Wellesley College Written Information Security Program Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - 45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

Western Oregon University Information Security Manual v1.6

Western Oregon University Information Security Manual v1.6 Table of Contents: 000 Introductory Material 001 Introduction Western Oregon University v1.6 Please direct comments to: Bill Kernan, Chief Information Security Officer 100 Information Security Roles and

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

THE UNIVERSITY OF IOWA INFORMATION SECURITY PLAN

THE UNIVERSITY OF IOWA INFORMATION SECURITY PLAN THE UNIVERSITY OF IOWA INFORMATION SECURITY PLAN This document is a compilation of resources, policy information and descriptions encompassing the overall (enterprise) information security environment

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER REMOTE ACCESS POLICY OCIO-6005-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III.

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Odessa College Use of Computer Resources Policy Policy Date: November 2010 Odessa College Use of Computer Resources Policy Policy Date: November 2010 1.0 Overview Odessa College acquires, develops, and utilizes computer resources as an important part of its physical and educational

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information