Central Agency for Information Technology

Transcription

1 Central Agency for Information Technology Kuwait National IT Governance Framework Information Security

2 Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage security services policy 4 Access management procedure Page 2

3 Objective and scope Objective Establish a basic minimum set of requirements that should be adopted by all Kuwait government ministries to better protect their information assets Scope All IT services being managed by the IT departments of government ministries Page 3

4 Roles and responsibilities Role Senior Management of government ministries Management Forum/Steering Committee Information Security Manager (ISM) Information Security Task Force (ISTF) Audit Committee Human Resource department Responsibility Shall be responsible to ensure that commitment towards best practices and processes are adopted and sustained towards managing the ISMS. Shall be responsible for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS. The committee shall be the owner of this policy. The owner shall be responsible for maintaining and reviewing the applicability of the policy based on a defined review mechanism. Shall be responsible for the initiation, implementation and follow up of all measures related to information security within IT department. ISM shall ensure adherence to this policy within the IT department. ISM shall provide security advice and analyze, review and resolve all issues related to information security. ISM will give direction and manage the processes related to information security management. Shall assist the ISM for the smooth implementation and functioning of the ISMS. Shall be responsible for scheduling and conducting independent internal audits. Independence and confidentiality shall be maintained by auditors irrespective nature of their jobs. Shall be responsible for skill development, and providing training and awareness for end users, IT personnel, vendors and third party employees as per their job requirements. Page 4

5 Information security management system Policy An ISMS policy shall be defined supported and authorized by senior management. Roles and responsibilities shall be defined and communicated to all stakeholders. Page 5

6 Risk management Policy Risk Management shall be performed periodically in high risk areas and risk treatment plan shall be developed. Page 6

7 Risk management (contd) Introduction Risk Management includes task and activities associated with assessing, mitigating and preventing threats to the organization. A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system Approach The Information Security Risk Management comprises of following stages: Risk identification Risk estimation and analysis Risk treatment Risk communication Risk review Page 7

8 Risk management process flow Establish Context Risk Identification Risk Analysis Risk Evaluation Risk Assessment Is Risk Assessment completed? No Yes Risk Monitoring, Review and Communication Risk Reduction Risk Avoidance Risk Transfer No Is Risk Treatment Completed? Yes Risk Accepatance Risk Treatment Page 8

9 Monitor and review ISMS Policy Execute monitoring and reviewing procedures and other control to determine whether the actions taken to resolve a breach of security were effective. Page 9

10 Manage Security Services Protection against malware Manage network and connectivity security Manage endpoint security Manage user identity and logical access Manage physical access to IT assets Manage sensitive documents and output devices Audit logging and monitoring Cryptography and digital signature security Password reset procedure Media handling Page 10

11 Protection against malware Policy Establish protection tools against all form of malware, control their proper function, train users on appropriate behaviour. Procedure Regular system patching of the network devices, servers and all workstations Servers, networks and systems should be installed with anti-virus to detect malicious software and file attachments Real-time scanning to be enabled on all system and servers/workstations and network devices to detect malicious software during non-peak traffic hours Page 11

12 Manage network and connectivity security Policy Design, establish and operate the network in a way that it prohibits unauthorized access and provides the necessary provisions against external attacks. Procedure General Network Security Virtual Private Network Security Network Routing Security Remote Access Security Router, Switch and Firewall Security Mobile Computing Security Page 12

13 General network security The network configuration details should be restricted to authorized personnel only Computers and network devices should be protected by password protected User ID's based on business needs, and role requirements All network services including privileges required for access must be reviewed on a periodic basis A network service job function matrix is maintained in which types of privileges are mapped with the functions of personnel Page 13

14 Virtual private network security All VPN traffic shall be protected using strong encryption and all VPN users will authenticate to the VPN server using their ID and password VPN access should be given to vendors, only after obtaining sufficient approval VPN clients systems should be protected from unauthorized access Page 14

15 Network routing security Access Control Lists (ACL) should be configured to ensure only legitimate inbound and outbound network traffic are enabled and also to prevent unauthorized access of resources Firewall or routers should be used for external routing to hide internal IP addresses Capabilities of Layer3 switch should be used to route traffic between all logical subnet networks Remote access accounts should be reviewed on a monthly basis and disable accounts which are inactive for more than 90 days Page 15

16 Router, switch and firewall security Physical access to network room should be properly restricted Routers, switches and firewalls should be configured to use AAA to control access to these devices Ensure that version of OS/firmware loaded on all devices are latest and stable Network devices should be tested for proper operation after upgrade before being put to production environment Session timeout should be set on all network devices Logs on network devices should be examined on a weekly basis Device software, configuration data, database files, etc., should be backed up frequently Page 16

17 Manage endpoint security Policy Establish the necessary endpoint security on all devices, implement appropriate deployment processes and control effective operation of endpoint security tools. Page 17

18 Manage endpoint security procedure Ensure endpoint security solution is updated for latest definitions Install and configure end-point security solution to enable encryption Ensure strong encryption algorithms are used for encrypting data Page 18

19 Manage user identity and logical access Policy Manage access of all users based on need-to-know principles and control adherence to access control policies. Sub-processes under identity and access management User ID Management Session Time-out User ID Nomenclature User ID Management Privileged User ID maintenance Procedure Information access restriction Secure Log-on Procedures Sensitive system isolation Use of System Utilities Limitation of Connection Time Page 19

20 User ID Management Disable accounts if inactive more than 90 days Issue unique User Id and restrict sharing Revoke user IDs of resigned employees Default accounts must be renamed Temporary user IDs should be disabled after stipulated time Page 20

21 User ID Nomenclature User ID creation shall follow a defined nomenclature Provision to distinguish contractor and temporary user IDs Page 21

22 Privileged user ID maintenance procedure Administrator accounts shall not be used for normal daily activities Privileged user IDs should be restricted Requests for privileged user ID creation and modification shall follow approval process Privileged user ID passwords should be changed every 45 day Page 22

23 Secure log-on procedures Display proper login banner Hide previous logged-on user information All login information must be logged Implement lock-out for more than 3 successive login failures Passwords should not be displayed or transmitted over network Page 23

24 Use of system utilities Segregate system utilities from application software Unnecessary system utilities should be removed Limit number of systems from which system utilities may be run Page 24

25 Manage user identity and logical access Limitation of connection time Users are allowed to connect to sensitive/high risk applications only during certain period User are also forced to re authenticate at certain intervals to prevent users from holding sessions Session time-out An idle session to an information system should be terminated after 10 minutes of user inactivity Password protected screen saver should be activated after 10 minutes of inactivity Page 25

26 Information access restriction Access to system functions restricted via Menu and interface structure design Set up security groups based on user role and access to data Applications should only access production and configuration data Audit log access should be restricted to respective application administrators Page 26

27 Sensitive system isolation Sensitive system should operate in a separate environment from operational systems Page 27

28 Manage physical access to IT assets Policy Put physical controls in place to ensure that access to premises is restricted to the authorized persons, manage access tokens and control and monitor physical access. Procedure Identification Card (ID card) issuance to permanent staff Reissuing Identification Card (ID card) to existing staff/lost card Access card issuance to permanent and temporary staff Reissuing access card to existing staff/lost card Access card issuance to new third party contract staff and service providers Reissuing of access card to existing third party contract staff and service providers staff/lost card Page 28

29 Manage sensitive documents and output devices Policy Establish procedures to identify sensitive documents and media and enforce the application of suitable protection mechanisms to these documents and media. Sub-processes under sensitive document management Information identification, classification, and labelling Handling and storage of information Distribution of information Disposal of information Downgrading/declassification of information Page 29

30 Audit logging and monitoring Policy Deploy the necessary system capabilities to log security events, collect event information and perform proper analysis. Sub-processes under Audit logging & monitoring Audit logging Protection of log information Administrator and operator logs Fault logging Clock synchronization Page 30

31 Audit logging and monitoring (contd) Audit logging Monitoring should be enabled for applications/systems Audit logs and system logs should be reviewed and kept for an agreed period Protection of log information Access to log files should be restricted to authorized users Log files should be backed up regularly and retained for a period of time Page 31

32 Clock synchronization A network time server should be implemented The network time server should be synchronized with a trusted internet time server (e.g., time.windows.com) Page 32

33 Cryptography and digital signature security Use encryption and digital signature where appropriate Policy Protect cryptographic material against unauthorized access and perform any cryptographic functions only in line with legal regulations. Sub-processes under Cryptography & digital signature General cryptography and digital signature Key management Data-in-transit Data-at-rest Asymmetric key lifetime Page 33

34 General cryptography and digital signature Access to encryption software should be given to personnel who handle confidential information Secret information in and password must be encrypted when data is in rest or transmitted over network Must deploy unique digital certificates to transfer information in all internet commerce servers Information systems should support symmetric and asymmetric key encryption Page 34

35 Key management All symmetric cryptographic keys must be randomly generated When symmetric encryption is used, policies will be applied depending on whether the data-in-transit versus data-at-rest Page 35

36 Data-in-transit Master keys must be changed once a year 128-bit encryption standard must be used Key-encrypting keys must be changed once a fortnight Data encrypting keys must be changed per session Page 36

37 Data-at-rest Key-encrypting keys must be changed every six months Master keys must be changed every year Data encrypting keys must be changed every year Master keys for In-active data must be changed every two years Page 37

38 Asymmetric key lifetime Cryptographic keys must be encrypted or stored on security token The lifetime of asymmetric keys dictated by certificate policy document Encryption keys must be strictly protected from unauthorized access Key associated with archived data must be archived Inactive cryptographic keys must be deleted or destroyed Page 38

39 Password policy Ensure that passwords are used securely. Only strong passwords are used and passwords are only known to the respective user Automatic tools are used to the extent possible to enforce usage of strong passwords Page 39

40 Password reset procedure Password reset request initiation Request recording Request acceptance and user verification Request execution Request closure Page 40

41 Password reset procedure (contd) Password reset request initiation The User must initiate the password reset request by contacting the Service Desk via /phone/in person Request recording The Service Desk must record the password reset request and note the requestor details Request acceptance and user verification The Service Desk must verify the details of the user based on user factors like data verification, voice recognition and employee ID validation Page 41

42 Media handling Policy Electronic and paper based information storage media need to be handled according to established procedures. Storage facilities which are intended for this purpose shall be used. Appropriate media disposal procedures need to be followed. Sub-processes under media handling Management of removable media Disposal of media Security of system documentation Page 42

43 Media handling (contd) Management of removal media Removable media should be identified, classified, labelled, stored and handled according to asset management procedure document Disposal of media Media should be disposed safely and securely as per Asset Management Procedure document Security of system documentation System documentation should be classified, labelled, and stored as per Asset Management Procedure document Page 43

44 Access management procedure

45 Objective and scope Objective The objective of this procedure is to establish security requirements to have a controlled access to information resources and access rights granted to users are limited to their business roles Scope Applies to all access granting, monitoring and revoking requests that are applicable to the IT environment Page 45

46 Other key policy statements

47 Other key policy statements Security awareness Basic security awareness training shall be provided to all information system users including third party users and contractors Compliance management Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness. Data protection and privacy of personal information Appropriate measures shall be implemented to protect personal information as per the relevant legislation, regulation, and contractual requirements Page 47

48 Other key policy statements (contd) Human resources security Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations Third party service delivery management Controls must be in place to ensure all third party services shall comply with the agreed service level agreements. Government Ministry shall ensure that all the security controls, service definitions, and delivery levels included in the third party service provider s contracts are implemented, operated, and maintained by the service provider Clear screen and clear desk Screens and desks shall not unveil any confidential information when unattended. It s the users responsibility to prohibit unauthorized persons to look at screens, etc. Page 48

49 Metrics Metrics serve to provide transparency on the compliance with security policies Example metrics are: Number of security related incidents reported, logged, tracked and resolved on timely manner Number of identified vulnerabilities or threats not adequately addressed in the previous risk assessment report Number of internal audit conducted and the results discussed during management review meetings Number of management review meeting executed against planned as per policy Page 49

50 Critical success factors Commitment and support from senior management Adequate financial and human resources for success Distribution of guidance on information security policy and standards to all managers, employees and other parties Roles and responsibilities for ISMS are allocated and clearly communicated Periodic risk assessment carried out as planned and/or prior to any change Implementation of controls in line with risk treatment plan/security plan. Proactive management approach towards security awareness to all end users, employees, third party users, vendors and contractors Page 50

51 Thank you