INFORMATION SYSTEMS. Revised: August 2013

Transcription

1 Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC Information technology - Security techniques - Code of practice for information security management [ISO 27002] as the common security framework baseline to be used by the campuses of the University of North Carolina system to develop their individual institutional information technology security policies. The referenced implementation standards are the NC IT Security Manual, the Control Objectives for Information and related Technology (COBIT), and the National Institute of Standards and Technology (NIST). These standards are recognized nationally and within NC by the NC Office of State Auditors and the NC Office of the CIO. The ITSC will also supplement this crosswalk table with specific UNC campus implementation examples as those are made available to the ITSC by the campus security officer. Each campus is strongly encouraged to consider these implementation standards when developing their specific IT security policies. At UNC Charlotte, these standards apply to all software and hardware systems. ITS is accountable for meeting the established standards for software and hardware under ITS control. Departments, colleges and divisions that independently manage software and hardware outside ITS control are accountable to meet the same standards as ITS. Applicable external policies or procedures: ISO/IEC Information Technology - Security Techniques University policies or procedures: Policy Statement # 302, World Wide Web Policy Statement # 303, Network Security Policy Statement # 304, Electronic Communication Systems Policy Statement # 307, Responsible Use of University Computing and Electronic Communication Resources Policy Statement # 311, Data and Information Access and Security Policy Statement Peer-to-Peer File Sharing Regularion Policy Statement # , Proprietary Software 1

2 05.0 Security Policy Information security Information security policy document policy Review of the information security policy 07.0 Asset Responsibility for Inventory of assets assets Ownership of assets Acceptable use of assets Information Classification guidelines classification Information labeling and handling 08.0 Human Prior to employment Roles and responsibilities Resource Security Screening Terms and conditions of employment 09.0 Physical and Environmental Security During employment Termination or change of employment Secure areas responsibilities Information security awareness, education, and training Disciplinary process Termination responsibilities Return of assets Removal of access rights Physical security perimeter Physical entry controls Securing offices, rooms, and facilities Equipment security Protecting against external and environmental threats Working in secure areas Public access, delivery, and loading areas Equipment siting and protection Supporting utilities Cabling security Equipment maintenance Security of equipment off-premises 10.0 Communications and Operations Operational procedures and responsibilities Third party service delivery management System planning and acceptance Protection against malicious and mobile code Secure disposal or re-use of equipment Removal of property Documented operating procedures Change management Segregation of duties Separation of development, test, and operational facilities Service delivery Monitoring and review of third party Managing changes to third party Capacity management System acceptance Controls against malicious code 1 of 4 Pages

3 IS Chapter Section Protection against Control Applicable to malicious and mobile code Controls against mobile code Back-up Information back-up Network security Network controls management Security of network Media handling of removable media Disposal of media Information handling procedures Security of system documentation Exchange of Information exchange policies and information procedures Exchange agreements Physical media in transit Electronic messaging Business information systems Electronic commerce Electronic commerce On-Line Transactions Publicly available information Monitoring Audit logging Monitoring system use Protection of log information Administrator and operator logs Fault logging Clock synchronization 11.0 Access Control Business requirement Access control policy for access control User access management User responsibilities Network access control User registration Privilege management User password management Review of user access rights Password use Unattended user equipment Clear desk and clear screen policy Policy on use of network User authentication for external connections Equipment identification in networks Operating system access control Application and information access control Remote diagnostic and configuration port protection Segregation in networks Network connection control Network routing control Secure log-on procedures User identification and authentication Password management system Use of system utilities Session time-out Limitation of connection time Information access restriction Sensitive system isolation 2 of 4 Pages

4 11.07 Mobile computing and Mobile computing and teleworking communications Teleworking 12.0 Information Systems Acquisition, Development and Maintenance Security requirements of information systems Correct processing in applications Cryptographic controls Security of system files Security in development and support processes Security requirements analysis and specification Input data validation Control of internal processing Message integrity Output data validation Policy on the use of cryptographic controls Key management Control of operational software Protection of system test data Access control to program source code Change control procedures Technical review of applications after operating system changes Restrictions on changes to software packages Information leakage Outsourced software development Technical Vulnerability Control of technical vulnerabilities 13.0 Information Security Incident 14.0 Business Continuity Reporting information security events and weaknesses of information security incidents and improvements Information security aspects of business continuity management Reporting information security events Reporting security weaknesses Responsibilities and procedures Learning from information security incidents Collection of evidence Including information security in the business continuity management process Business continuity and risk assessment Developing and implementing continuity plans including information security Business continuity planning framework Testing, maintaining and re-assessing business continuity plans 3 of 4 Pages

5 15.0 Compliance Compliance with legal Identification of applicable legislation requirements Intellectual property rights (IPR) Protection of organizational records Data protection and privacy of personal information Prevention of misuse of information processing facilities Regulation of cryptographic controls Compliance with security policies and standards, and technical Information systems audit considerations Compliance with security policies and standards Technical compliance checking Information systems audit controls Protection of information systems audit tools 4 of 4 Pages