Security Compliance Assessment Checklist


ITO Security Services, January 2011, V0.2

Intro

This checklist is used to evaluate project compliance with the Government of Saskatchewan IT Security Standards. Its purpose is to assist project teams in ensuring compliance, and to report on compliance to ministry security officers and ITO management. No score is assigned based on the results; instead, a report on compliance is produced as the output of this checklist.

Usage

All questions are to be answered yes, no, or not applicable. Any question answered no must include details of why compliance was not achieved.

Completion

The checklist is to be completed by the assigned Security Architect.

Table of Contents

Intro
Usage
Completion
6 ORGANIZING INFORMATION SECURITY
6.1 Internal Organization
6.2 External Parties
7 ASSET MANAGEMENT
7.1 Responsibility for Assets
7.2 Information Classification
8 HUMAN RESOURCES SECURITY
8.1 Prior to Employment
8.2 During Employment
8.3 Termination or Change of Employment
9 PHYSICAL AND ENVIRONMENTAL SECURITY
9.1 Secured Areas
9.2 Equipment Security
10 COMMUNICATIONS AND OPERATIONS MANAGEMENT
10.1 Operational Procedures and Responsibilities
10.2 Third Party Service Delivery Management
10.3 System Planning and Acceptance
10.4 Protection against Malicious and Mobile Code
10.5 Back-up
10.6 Network Security Management
10.7 Media Handling
10.8 Exchange of Information
10.9 Electronic Commerce Services
10.10 Monitoring
11 ACCESS CONTROL
11.1 Access Control Policy
11.2 User Access Management
11.3 User responsibilities
11.4 Network Access Control
11.5 Operating System Access Control
11.6 Application and Information Access Control
11.7 Mobile computing and teleworking
12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE
12.1 Security requirements of information systems
12.2 Correct processing in applications
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical vulnerability management
13 INFORMATION SECURITY INCIDENT MANAGEMENT
13.1 Reporting Information Security Events and Weaknesses
14 BUSINESS CONTINUITY MANAGEMENT
14.1 Information Security Aspects of Business Continuity Management
15 COMPLIANCE
15.1 Compliance with Legal Requirements
15.2 Compliance with Security Policies and Standards, and Technical Compliance
15.3 Information System Audit Considerations

6 ORGANIZING INFORMATION SECURITY

6.1 Internal Organization

The Government of Saskatchewan has established a framework to initiate and control the implementation of information security within the organization. The Government of Saskatchewan has approved the information security policies, assigned security roles, and will coordinate and review the implementation of security across the organization. A source of specialist information security advice has been established and made available within the organization. Contacts with external security specialists and groups, including relevant authorities, have been developed to keep up with industry trends, monitor standards and assessment methods, and provide suitable liaison points when handling information security incidents. A multi-disciplinary approach to information security has been encouraged.

- Is the solution being hosted at an approved information processing facility?
- Have confidentiality clauses been included in vendor contracts?

6.2 External Parties

The security of Government of Saskatchewan information and information processing facilities will not be reduced by the introduction of external party products or services. Any access to Government of Saskatchewan information processing facilities, and any processing and communication of information by external parties, will be controlled. Where there is a business need for working with external parties that may require access to the organization's information and information processing facilities, or for obtaining or providing a product or service from or to an external party, a risk assessment will be carried out to determine the security implications and control requirements. Controls will be agreed and defined in a written agreement with the third party.

- Was a risk assessment carried out prior to providing contractor access to government assets or data?
- Does a written agreement exist governing vendor or contractor access to government assets or data?

7 ASSET MANAGEMENT

7.1 Responsibility for Assets

The Government of Saskatchewan ensures all assets are accounted for and have a nominated owner. Owners are identified for all assets and the responsibility for maintaining appropriate controls is assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains responsible for the proper protection of the assets.

- Have the following been defined for the project:
  - All information necessary to recover from a disaster
  - The ownership of the asset (the owner is responsible for asset classification and review)
  - The classification of the information
  - The business value of the asset (or group of related assets)
  - For physical assets, which employee has signed out the asset for use (via an asset sign-out agreement) if it leaves an approved government facility

7.2 Information Classification

Information is classified to indicate the need, priorities, and expected degree of protection when handling it. Information has varying degrees of sensitivity and criticality; some items may require an additional level of protection or special handling. An information classification scheme is used to define an appropriate set of protection levels and to communicate the need for special handling measures.

- Has the data within the solution been classified?
- Do agreements with external parties or organizations that include information sharing include clauses governing the classification of shared information and mapping external classifications to Government of Saskatchewan classifications?

8 HUMAN RESOURCES SECURITY

8.1 Prior to Employment

To reduce the risk of theft, fraud, or misuse of facilities, ministries ensure that employees, contractors, and third party users understand their responsibilities and are suitable for the roles they are assigned. Security responsibilities are identified in job descriptions and in the terms and conditions of employment prior to employment. All candidates for employment, contractors, and third party users are adequately screened, especially for sensitive jobs. Employees, contractors, and third party users of information processing facilities sign an agreement on their security roles and responsibilities.

(Explanation: the word "employment" covers all of the following situations: employment of people (temporary and otherwise), appointment to job roles, change of job roles, assignment of contracts, and the termination of any of these arrangements.)

- Have specific roles for security been defined for the project?
- Have background checks been performed for all project staff with access to government data or assets?
- Have all relevant terms and conditions been included in employment contracts for project staff?

8.2 During Employment

Each ministry's Security Officer ensures that employees, contractors, and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work and to reduce the risk of human error. Management responsibilities are defined to ensure that security is applied throughout an individual's employment within the organization. An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities is provided to all employees, contractors, and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches has been established.

- Have all project staff been provided with a copy of the security policies, standards, and specifications?
- Have all project staff been provided with relevant security training?

8.3 Termination or Change of Employment

Each ministry's Security Officer ensures that employees, contractors, and third party users exit the organization or change employment in an orderly manner. Responsibilities are in place to ensure that the exit of employees, contractors, or third party users from the organization is managed, and that the return of all equipment and the removal of all access rights are completed. A change of responsibilities or employment within the organization is managed as the termination of the previous position or employment in line with this objective (8.3 Termination or Change of Employment), and any new position or employment is managed as described in Objective 8.1 Prior to Employment.

- Have processes been implemented to properly remove project staff access to data and assets?

9 PHYSICAL AND ENVIRONMENTAL SECURITY

9.1 Secured Areas

The Government of Saskatchewan has implemented security measures to prevent unauthorized access, damage, and interference to premises and information. Additionally, critical or sensitive information processing facilities are housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They are physically protected from unauthorized access, damage, and interference. The protection provided is commensurate with the identified risks as determined by a formal security assessment.

- Have physical security measures been implemented to deter access to areas containing sensitive information or physical assets?

9.2 Equipment Security

Equipment is protected from physical and environmental threats. Protection of equipment, including equipment siting and disposal (and including equipment used off-site and the removal of property), is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage. Special controls are required to protect against physical threats and to safeguard information processing facilities, including the electrical supply and cabling infrastructure.

a) Have mobile devices been physically secured?
b) Have project staff been provided with the Mobile Device Policy?
- Is all cabling secured and not routed through publicly accessible areas?
- Have project staff been provided with the Government of Saskatchewan Disposal Guidelines?

10 COMMUNICATIONS AND OPERATIONS MANAGEMENT

10.1 Operational Procedures and Responsibilities

Responsibilities and appropriate operating procedures for the management and operation of all information processing facilities are established. Segregation of duties is implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

- Has access to project operating procedures been restricted to only the required project staff?
- Does the project follow the approved change management process?
- Does the project ensure the separation of duties?
- Does the project ensure the separation of development, testing, and production facilities and data?

10.2 Third Party Service Delivery Management

The Government of Saskatchewan checks the implementation of agreements, monitors compliance with the agreements, and manages changes to ensure that the services delivered meet all requirements agreed with the third party.

- Do third party service delivery agreements include:
  - Security arrangements
  - Service definitions
  - Aspects of service management that relate to business continuity
  - A transition plan to internal delivery (where appropriate)
- Has an owner for third party service delivery management been defined?

10.3 System Planning and Acceptance

As availability is a cornerstone of information security (confidentiality, integrity, availability), the Government of Saskatchewan ensures that advance planning and preparation are carried out to ensure the availability of adequate capacity and resources to deliver the required system performance. In addition, projections of future capacity requirements are made to reduce the risk of system overload. The operational requirements of new systems are established, documented, and tested prior to their acceptance and use.

- Has a plan been developed to monitor utilization and make periodic capacity requirement projections?
- Has appropriate acceptance testing been carried out in accordance with the criteria documented in the operating procedures?

10.4 Protection against Malicious and Mobile Code

The Government of Saskatchewan ensures users are aware of the dangers of malicious code. The Government of Saskatchewan, where appropriate, has introduced controls to prevent, detect, and remove malicious code and to control mobile code.

- Has the project considered actions to protect against malicious code?

10.5 Back-up

The Government of Saskatchewan has established procedures for taking back-up copies of data and rehearsing their timely restoration.

- Has a plan been developed to back up the solution that meets the requirements of the business continuity plan?

10.6 Network Security Management

The Government of Saskatchewan ensures the protection of information in networks and the protection of the supporting infrastructure. To ensure the secure management of networks, which may span organizational boundaries, ITO gives careful consideration to data flow, legal implications, monitoring, and protection. The Government of Saskatchewan provides the additional controls required to protect sensitive information passing over public networks.

a) Has the project implemented logical network zones that organize nodes based on function, data services offered, and ownership of information?
b) Is access restricted based upon defined rules that restrict connections to only the ports and services required to perform the business function?
c) Are all devices connected to the ITO network authorized according to defined procedures?

10.7 Media Handling

The Government of Saskatchewan prevents unauthorized disclosure, modification, removal, or destruction of assets, and interruption to business activities, caused by inappropriate media handling or failure. Media is controlled and physically protected. Appropriate operating procedures are established to protect documents, computer media (e.g. tapes, disks), input/output data, and system documentation from unauthorized disclosure, modification, removal, and destruction.

a) Does the project use any removable media such as backup tapes or USB thumb drives?
b) If removable media is used, does it meet the following requirements:
  - If no longer required, the contents of any re-usable media that are to be removed from the organization must be made unrecoverable
  - Where necessary (as defined by the information classification of the data contained on the media) and practical, authorization must be required for media removed from the organization, and a record of such removals must be kept in order to maintain an audit trail
  - All media must be stored in a safe, secure environment, in accordance with manufacturers' specifications
  - Information stored on media that needs to be available longer than the media lifetime (in accordance with the manufacturers' specifications) should also be stored elsewhere to avoid information loss due to media deterioration
  - Removable media drives should only be enabled if there is a business reason for doing so
  - Removable media drives should not be relied upon for primary storage; they should be used for backup or transport purposes only
  - Sensitive or confidential documents are not to be stored on removable media unless encrypted
- Has media that is no longer required been disposed of in accordance with the SPM Disposal Policy?

10.8 Exchange of Information

The Government of Saskatchewan maintains the security of information and software exchanged within the organization and with any external entity. Exchanges of information and software between organizations are based on a formal exchange policy, carried out in line with exchange agreements, and compliant with any relevant legislation (see also the Compliance chapter). The Government of Saskatchewan has established procedures and standards to protect information, and physical media containing information, in transit.

- Have all electronic exchanges of information been implemented in compliance with the Government of Saskatchewan Information Exchange specifications outlined below:
  - Procedures to protect exchanged information from interception, copying, modification, misrouting, and destruction
  - Use of cryptographic techniques, for example to protect the confidentiality, integrity, and authenticity of information as per objective 12.3 of [ISO27002], Cryptographic controls
  - Controls and restrictions associated with the forwarding of communications facilities (for example, automatic forwarding of electronic mail to external mail addresses)
- Have procedures been implemented to ensure that physical media containing sensitive information is protected against unauthorized access, misuse, or corruption while in transit outside ITO-secured physical boundaries, including:
  - Encryption requirements for electronic data protection
  - Authorized couriers or approved reliable transport methods
  - Confirmation of identification for couriers
  - Where necessary, hand-delivery of packages
  - Sufficiently protective packaging to prevent physical damage
  - Sufficiently protective packaging to detect tampering or, where necessary, physically prevent unauthorized disclosure (locked containers, etc.)
  - In exceptional cases, splitting the consignment into more than one delivery and dispatching by different means
- Have procedures been implemented to ensure that information exchanged with external parties via electronic messaging is appropriately protected, including:
  - Protecting messages from unauthorized access, modification, or denial of service
  - Ensuring correct addressing and transport of the message
  - Obtaining approval prior to using external public services such as instant messaging or file sharing
  - Stronger levels of authentication controlling access from publicly accessible networks

10.9 Electronic Commerce Services

The ministry ensures the security of electronic commerce services and their secure use. The security implications associated with using electronic commerce services, including on-line transactions, and the requirements for controls, should be considered. The integrity and availability of information electronically published through publicly available systems should also be considered.

- Has the project team considered the following security requirements for electronic commerce and addressed them, where applicable, through the application of security controls:
  - The level of confidence required in the identity of each party
  - Authorization processes for price setting and the issuing and signing of key trading documents
  - Fully informing commerce partners of their authorizations and agreed terms of commerce in a documented agreement
  - The level of protection required to maintain the confidentiality and integrity of any order transactions, payment information, delivery address details, confirmation of receipts, and any other sensitive data or information
  - The degree of verification appropriate to check payment information
  - Guarding against fraud with the appropriate form of settlement and payment
  - Avoidance of loss or duplication of transaction information
  - Liability for fraudulent transactions
  - Legal, regulatory, and insurance requirements
  - Resilience of the host(s) to attack
  - The security implications of any network interconnection

- Has the project team ensured electronic commerce services include the following technical security considerations for on-line transactions:
  - Electronic signatures
  - User credential verification
  - Confidentiality
  - Privacy
  - Encryption
  - Secured protocols
  - Information storage medium
  - Physical and logical security of stored transaction information
  - When using a trusted authority, integrating and embedding security throughout the entire process
  - Adopting controls commensurate with the level of risk
  - Legal and regulatory compliance
- Has a plan been developed to test the publicly accessible system for weaknesses and failures prior to the information being made available?

10.10 Monitoring

The Government of Saskatchewan has implemented processes to detect unauthorized information processing activities. Systems are monitored and information security events are recorded. Operator logs and fault logging are used to ensure information system problems are identified. The Government of Saskatchewan complies with all relevant legal and policy requirements applicable to its monitoring and logging activities. System monitoring is used to check the effectiveness of the controls adopted and to verify conformity to an access policy model.

a) Has the project team ensured audit logs recording user activities, exceptions, and information security events are produced for all supported information systems?
b) Has a procedure been implemented to ensure audit logs are retained for the period specified by [SaskArch], and that the audit logging process is reviewed annually?
c) Do audit logs include, where relevant:
  - User IDs
  - Dates, times, and details of key events
  - Terminal identity or location
  - Records of successful and rejected system access attempts
  - Records of successful and rejected data and other resource access attempts
  - Changes to system configuration
  - Use of elevated privileges
  - Use of system utilities and applications
  - Files accessed and the kind of access
  - Network addresses and protocols
  - Alarms raised by the access control system
  - Activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems
d) Audit logs may contain confidential information that would be of value to potential intruders. Have audit logs been inventoried and classified, and has a formal approval process been developed before information in logs is made publicly available?
- Have privacy measures been implemented to protect log file integrity and confidentiality?
- Have procedures for monitoring system use been developed, and have the following criteria been evaluated:
  - Authorized access, including details such as: user ID, date and time of key events, types of events, files accessed, programs or utilities used
  - Privileged operations, such as:
    - Use of privileged accounts (for example: supervisor, root, administrator)
    - System start-up and shut-down
    - I/O device attachment and detachment
  - Unauthorized access attempts, such as:
    - Failed or rejected user actions
    - Failed or rejected actions involving data and other resources
    - Access specification violations and notifications for network gateways and firewalls
    - Alerts from intrusion detection systems
  - System alerts or failures, especially on the monitoring system itself, such as:
    - Console alerts or messages
    - System log exceptions
    - Network management system alarms
    - Alarms raised by the access control system
    - Changes to, or attempts to change, system security settings and controls
- Have procedures been developed to ensure that logging facilities and log information are protected against tampering and unauthorized access?
- Does the project ensure system administrator and system operator activities are logged in a manner consistent with the classification of the computing asset and the data residing on it, with the log at a minimum including:
  - A timestamp showing when an event occurred
  - Information about the event or error
  - Which account and which administrator was involved
  - Which applications were involved
  - Details of what was accessed during a session
  - Details of what was denied during a session
- Has the project ensured, where enabled by the underlying technology, that all information processing systems within the same security domain are synchronized with an agreed accurate time source?
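The log-content and tamper-protection questions in 10.10 can be met in code as well as by procedure. The following is an added illustration, not part of the ITO checklist or of any GOS system, of an audit log whose records carry the 10.10(c) fields (user ID, timestamp, event details, terminal or network address, outcome, privilege use) and are chained with an HMAC so that editing, deleting, or reordering a record is detectable by whoever holds the key. The key, the field names, and the sample events are assumptions.

```python
"""Hash-chained audit log: an added example, not ITO code.

Each record is MACed together with the previous record's tag, so the log is a
chain: changing or removing an earlier record invalidates every tag after it.
The key value and the field names are assumptions for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous tag" of the first record


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the MAC does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []
        self._prev_tag = GENESIS

    def record(self, user_id, event, outcome, source, privileged=False, detail=None, when=None):
        entry = {
            "seq": len(self.entries),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,
            "event": event,          # e.g. "login", "config_change", "file_read"
            "outcome": outcome,      # "success" or "rejected"
            "source": source,        # terminal identity or network address
            "privileged": privileged,
            "detail": detail or {},
            "prev": self._prev_tag,  # links this record to the previous one
        }
        tag = hmac.new(self._key, canonical(entry), hashlib.sha256).hexdigest()
        entry["tag"] = tag
        self.entries.append(entry)
        self._prev_tag = tag
        return entry

    @staticmethod
    def verify(entries, key):
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body.get("prev") != prev or body.get("seq") != i:
                return False, i            # gap, reorder, or deletion
            expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry.get("tag", "")):
                return False, i            # content edited
            prev = entry["tag"]
        return True, -1


def demo():
    key = b"assumed-audit-key-held-by-the-collector"   # assumption: provisioned from a secret store
    log = AuditLog(key)
    # constructed sample events
    log.record("jdoe", "login", "rejected", "10.0.5.17")
    log.record("jdoe", "login", "success", "10.0.5.17")
    log.record("root", "config_change", "success", "console", privileged=True,
               detail={"setting": "sshd.PermitRootLogin", "new": "no"})
    tampered = json.loads(json.dumps(log.entries))
    tampered[0]["outcome"] = "success"          # hide the failed attempt
    deleted = [log.entries[0], log.entries[2]]   # drop the successful login
    return {
        "intact": AuditLog.verify(log.entries, key),
        "tampered": AuditLog.verify(tampered, key),
        "deleted": AuditLog.verify(deleted, key),
    }


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name}: {'chain intact' if ok else f'chain broken at entry {idx}'}")
```

Two limits of the technique are worth noting against the checklist's wording. The chain detects modification and removal of earlier records, but silently truncating the tail is only detectable if the latest tag is also anchored elsewhere (written periodically to a separate system or to write-once storage). And the MAC key must be held by the log collector, not by the administrators whose actions are being logged; otherwise the integrity protection asked for in 10.10 is only nominal.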

11 ACCESS CONTROL

11.1 Access Control Policy

Ministries control access to information and business processes on the basis of business and security requirements. The Government of Saskatchewan controls access to information processing facilities and equipment. Access control rules take into account policies for information dissemination and authorization.

a) Has the project team been provided with the GOS Access Control Specification?
b) Has the project been implemented in compliance with the GOS Access Control Specification?

11.2 User Access Management

Ministries, in cooperation with the ITO, have processes to ensure authorized user access and to prevent unauthorized access to information systems. Ministries, in cooperation with the ITO, have formal procedures in place to control the allocation of access rights to information systems and services. The procedures cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention is given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

- Has the project developed procedures for, or referenced existing procedures for, the registration and de-registration of access privileges for all information systems and services that include:
  - An approval process
  - A unique identity for each user
  - Issuing only the minimal privileges necessary to meet business requirements
  - Authorization and level of access driven by a business purpose
  - A written statement to users describing their access privileges
  - Recording of registration and de-registration actions
- Has the project been implemented in compliance with the GOS Password Specification?
- Has a procedure been developed to review access rights periodically and upon a change in a user's employment status?

11.3 User responsibilities

The Government of Saskatchewan has implemented procedures to prevent unauthorized user access, and the compromise or theft of information and information processing facilities. The co-operation of authorized users is essential for effective security; as such, users are made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment. A clear desk and clear screen policy has been implemented to reduce the risk of unauthorized access to, or damage to, papers, media, and information processing facilities.

a) Does the project ensure that end-users are required to follow the password specification by using technologies that enforce strong passwords?
b) Has the project provided the Service Desk with documented methods to assist GOS staff with password problems in a secure fashion?
- Has the project provided procedures and (where necessary) supporting physical security equipment to ensure that mobile devices and equipment have appropriate protection?
- Have the project team and any third party service providers been advised of the active and approved document that defines the clear desk and clear screen policy?

11.4 Network Access Control

The Government of Saskatchewan prevents unauthorized access to networked services. The Government of Saskatchewan ensures that access to networks and related network services does not compromise the security of the network, by ensuring that appropriate interfaces are in place between the organization's network and networks operated by other organizations and public networks, that authentication mechanisms are applied for users and equipment, and that control of user access to information services is enforced.

- Does the project implement technological controls to ensure only authorized services are provided with access to the network, following the principle of least privilege, and that those services have been specifically authorized for use by the privilege management section of [AccessPol] and/or the firewall change management process?
- Does the project ensure that authentication technology solutions are highly secure, providing reliable confidence in authentication credentials, and at a minimum:
  - Use multi-factor authentication methods for remote users
  - Use secure encryption methods for data passed in the authentication process
a) Has the project identified, by risk assessment, the networks requiring segregation and their associated information assets and services, especially wireless networks?
b) Does the project ensure that network access controls between domains are implemented appropriate to the level of risk, the value of the information assets, and the performance requirements within the domain?

11.5 Operating System Access Control

The Government of Saskatchewan prevents unauthorized access to operating systems. Security facilities are used to restrict operating system access to authorized users. The facilities are capable of the following:
- Authenticating authorized users, in accordance with a defined access control policy
- Recording successful and failed system authentication attempts
- Recording the use of special system privileges
- Issuing alarms when system security policies are breached
- Providing appropriate means for authentication
- Where appropriate, restricting the connection time of users

- Does the project use the provided password management system, or implement a password management system able to enforce specific password standards? The password management system, at a minimum, enforces:
  - Unique IDs for users
  - The ability of users to choose their own password
  - The use of high-quality passwords (determined by length, complexity of the character set used, and resistance to dictionary attacks)
  - Periodic changing of passwords, including the prevention of password re-use for a period of time
  - The storage and transmission of passwords in a protected form (including masking when typed), separated from application system data
- Does the project, where made possible by the technology in use, implement automatic log-out or screen locking for sessions that exceed a reasonable period of inactivity? (Technologies that do not permit session time-outs should be used only where no feasible alternative exists.)
a) Has the project, where made possible by the technology in use, implemented connection time limitations (such as time-of-day and session duration) for sensitive applications in high-risk locations?
b) Has the project formally considered re-authentication at timed intervals for sensitive applications in high-risk locations?
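As an added illustration of the password management requirements listed in 11.5 (this is not ITO code and not the GOS Password Specification, whose actual thresholds are not reproduced here), the following enforces length, character-class complexity, a dictionary check, and a re-use window, and stores only salted PBKDF2 verifiers so that passwords are held in protected form rather than as plaintext. The limits, the word list, and the user IDs are assumptions.

```python
"""Password management controls from 11.5: an added example, not ITO code.

quality_problems() applies the quality rules; PasswordStore refuses re-use of
the last HISTORY_DEPTH passwords and keeps only salted PBKDF2 verifiers.
All thresholds and the word list are assumptions chosen for illustration.
"""
import hashlib
import os
import re
import secrets

MIN_LENGTH = 12            # assumed minimum; the GOS Password Specification sets the real value
MIN_CLASSES = 3            # assumed: at least 3 of lower/upper/digit/symbol
HISTORY_DEPTH = 5          # assumed: previous 5 passwords may not be reused
PBKDF2_ROUNDS = 100_000
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "saskatchewan"}   # constructed sample list
CHARACTER_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def quality_problems(candidate: str, user_id: str) -> list[str]:
    """Return the reasons a candidate fails the quality rules (empty list if it passes)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(1 for cls in CHARACTER_CLASSES if cls.search(candidate)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if user_id.lower() in lowered:
        problems.append("contains the user ID")
    return problems


def derive(candidate: str, salt: bytes) -> bytes:
    """Slow salted hash: the verifier, not the password, is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordStore:
    def __init__(self):
        self._current = {}   # user_id -> (salt, verifier)
        self._history = {}   # user_id -> [(salt, verifier), ...], most recent last

    def _reused(self, user_id, candidate):
        # Re-hash the candidate under each historical salt; no plaintext history is kept.
        return any(secrets.compare_digest(derive(candidate, salt), verifier)
                   for salt, verifier in self._history.get(user_id, []))

    def set_password(self, user_id, candidate):
        """Apply the policy; return [] on success or the list of violations."""
        problems = quality_problems(candidate, user_id)
        if self._reused(user_id, candidate):
            problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        entry = (salt, derive(candidate, salt))
        self._current[user_id] = entry
        history = self._history.setdefault(user_id, [])
        history.append(entry)
        del history[:-HISTORY_DEPTH]          # keep only the re-use window
        return []

    def verify(self, user_id, candidate):
        stored = self._current.get(user_id)
        if stored is None:
            derive(candidate, b"\x00" * 16)   # same cost for unknown IDs, so timing does not reveal valid users
            return False
        salt, verifier = stored
        return secrets.compare_digest(derive(candidate, salt), verifier)
```

The "protected form" requirement is what drives the design: history is checked by re-deriving the candidate under each old salt, so the store never needs to keep an old password in recoverable form, and the complexity check runs on the plaintext only at the moment of change, before it is discarded.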

11.6 Application and Information Access Control

The Government of Saskatchewan prevents unauthorized access to information held in application systems. Security facilities are used to restrict access to authorized users. Application systems:
- Control user access to information and application system functions
- Provide protection from unauthorized access by any utility, operating system software, or malicious software that is capable of overriding or bypassing system or application controls
- Do not compromise other systems with which information resources are shared

- Does the project ensure that methods to bypass access control restrictions are removed or disabled from applications?
- Has the project considered, on a per-asset basis, physically or logically isolating information processing assets that are identified as sensitive?
- Has the project, for environments that must be shared, performed a risk assessment and implemented appropriate controls to reduce the risk to shared environments?

11.7 Mobile computing and teleworking

The Government of Saskatchewan ensures information security when using mobile computing and teleworking facilities. The protection required is commensurate with the risks these specific ways of working cause. When using mobile computing, the risks of working in an unprotected environment are considered and appropriate protection applied. In the case of teleworking, ITO applies protection to the teleworking site and ensures that suitable arrangements are in place for this way of working.

- Has the project developed procedures, authorization processes, and operational documents to support teleworking activities that at a minimum consider:
  - The use of non-ITO equipment such as home networking equipment or computers, including support considerations and insurance
  - Any legislation or other regulations preventing ITO from performing intrusive security assessments on non-ITO equipment
  - Software licensing
  - Business use requirements to determine teleworking access, and revocation of teleworking access when no longer required

12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE

12.1 Security requirements of information systems

The Government of Saskatchewan ensures that security is an integral part of information systems. Information systems include operating systems, infrastructure, business applications, off-the-shelf products, services, and ITO-developed applications. The design and implementation of the information system supporting the business process can be crucial for security. Security requirements are identified and agreed prior to the development and/or implementation of information systems. All security requirements are identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system.

a. Has the project formally assessed the risk and considered additional controls where security requirements cannot be satisfied?

b. Was a formal testing and acquisition process followed, and were security requirements identified prior to purchasing technology products so that they could be included in the contract with the supplier? (Security resources must be consulted throughout the process of any acquisition which may affect the security posture of the organization.)

12.2 Correct processing in applications

The Government of Saskatchewan prevents errors, loss, unauthorized modification or misuse of information in applications. Appropriate controls are designed into applications, including ITO-developed applications, to ensure correct processing. These controls include the validation of input data, internal processing, and output data. The Government of Saskatchewan implements additional controls as required, based on security requirements and risk assessments, for systems that process, or have an impact on, sensitive, valuable, or critical information.

a. Has the project ensured data input validation has been applied to:
- Business transactions
- Standing data
- Parameter tables

b. Has the project formally considered the following data input validation checks:
- Out-of-range values
- Invalid characters or data types in data fields
- Missing or incomplete data
- Exceeding upper and lower data volume limits
- Unauthorized or inconsistent control data
- Error messages that are appropriate for the type of error encountered

c. Has the project, when developing, modifying, or acquiring applications, assessed the business impact of corrupt data when incorporating internal processing controls to minimize the loss of data integrity?

d. Has the project formally considered the following specific areas to minimize processing failures:
- Use of add, modify, and delete functions to change data
- Procedures to ensure programs run at the correct time, to prevent programs running in the wrong order, and to prevent running after failure of prior processing
- Use of appropriate programs to recover from failures
- Protection against buffer overrun/overflow attacks
- Reconciliation of data file balances after transaction updates
- Validation of system-generated input data
- Integrity checks on uploaded/downloaded data and software
- Totals of records and files
- Logging of processing activities

Has the project, when developing, modifying or acquiring applications, conducted assessments of security risks to determine whether protecting message integrity in applications is required, and whether cryptographic techniques (message authentication) or another method should be used? (Message authentication is concerned with protecting the integrity of the message, validating the identity of the originator, and non-repudiation. Note that a symmetric message authentication code, whose key is shared between sender and receiver, provides integrity and origin authentication between those two parties only; non-repudiation toward a third party requires a digital signature under a private key held solely by the originator.)
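The input validation checks listed in 12.2b, the record totals and reconciliation items in 12.2d, and the data-volume limits, worked through in one place as an added example (it is not part of the checklist and not ITO code): a Python validator for a hypothetical funds-transfer batch. The field schema, the volume limits, the control-total envelope and the sample records are all constructed for the example.

```python
import re
from typing import Any, Dict, List

# Hypothetical field schema for a funds-transfer record, constructed for this
# example; the checklist does not define any record layout.
FIELD_RULES: Dict[str, Dict[str, Any]] = {
    "account_id": {"required": True, "type": str, "pattern": r"^[0-9]{8,12}$"},
    "amount": {"required": True, "type": (int, float), "min": 0.01, "max": 1_000_000.00},
    "currency": {"required": True, "type": str, "allowed": {"CAD", "USD"}},
    "memo": {"required": False, "type": str, "pattern": r"^[A-Za-z0-9 .,'-]{0,80}$"},
}
MIN_RECORDS, MAX_RECORDS = 1, 1000   # assumed upper and lower data-volume limits


def validate_transaction(txn: Dict[str, Any]) -> List[str]:
    """Return the list of validation failures for one record (empty means valid).

    Each message names the field and the class of failure but never echoes the
    rejected value, so error text cannot be used to reflect input back to a
    user or to probe the validation rules.
    """
    errors: List[str] = []
    for name, rule in FIELD_RULES.items():
        value = txn.get(name)
        if value is None or value == "":
            if rule["required"]:
                errors.append(f"{name}: missing or incomplete")
            continue
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: invalid data type")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{name}: invalid characters or format")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: value not in permitted set")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum")
    # Fields the schema does not know about are treated as unauthorized control data
    for extra in sorted(set(txn) - set(FIELD_RULES)):
        errors.append(f"{extra}: unauthorized control field")
    return errors


def validate_batch(envelope: Dict[str, Any]) -> Dict[str, Any]:
    """Volume limits, declared record count, per-record checks, then a control
    total reconciliation over the records that passed."""
    records = envelope.get("records", [])
    result: Dict[str, Any] = {"batch_error": None, "accepted": [], "rejected": [], "reconciled": False}
    if not MIN_RECORDS <= len(records) <= MAX_RECORDS:
        result["batch_error"] = "record volume outside limits"
        return result
    if envelope.get("record_count") != len(records):
        result["batch_error"] = "declared record count does not match file"
        return result
    for index, txn in enumerate(records):
        errs = validate_transaction(txn)
        result["rejected" if errs else "accepted"].append({"index": index, "errors": errs})
    total = sum(records[e["index"]]["amount"] for e in result["accepted"])
    # The control total was declared over the whole file, so any rejected record
    # or a mismatched sum means the batch does not reconcile and must be held.
    result["reconciled"] = not result["rejected"] and abs(total - envelope.get("control_total", 0)) < 0.005
    return result


# Constructed sample input: one valid record followed by one failure of each class.
VALID_RECORD = {"account_id": "123456789", "amount": 250.00, "currency": "CAD", "memo": "rent"}
MIXED_BATCH = {"record_count": 6, "control_total": 1500.00, "records": [
    VALID_RECORD,
    {"account_id": "12AB", "amount": 250.00, "currency": "CAD"},                          # invalid characters
    {"account_id": "123456789", "amount": -5, "currency": "CAD"},                         # out-of-range value
    {"account_id": "123456789", "amount": "250", "currency": "CAD"},                      # wrong data type
    {"amount": 250.00, "currency": "CAD"},                                                 # missing field
    {"account_id": "123456789", "amount": 250.00, "currency": "CAD", "is_admin": True},   # unauthorized control data
]}
CLEAN_BATCH = {"record_count": 2, "control_total": 500.00, "records": [VALID_RECORD, VALID_RECORD]}

if __name__ == "__main__":
    for entry in validate_batch(MIXED_BATCH)["rejected"]:
        print(entry)
```

Two design points worth noticing: the schema is an allow-list, so a field the application never asked for (here `is_admin`) is a validation failure rather than something silently passed through to processing; and the error strings identify the field and the failure class only, which satisfies the "appropriate error message" item without reflecting attacker-controlled input into logs or the user interface.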

Has the project, when developing or modifying applications, included the following application data output validation:
- Definition of the responsibilities of all personnel involved in the data output process
- Plausibility checks
- Reconciliation control counts
- Provision of sufficient information for a reader or subsequent processing system to determine the accuracy, completeness, precision, and classification of the information
- Procedures for responding to output validation test failures or errors
- Logging of data output validation activities

12.3 Cryptographic controls

The Government of Saskatchewan protects the confidentiality, authenticity, and integrity of sensitive information by cryptographic means. A policy has been developed on the use of cryptographic controls. Cryptographic key management has been formally considered to support the use of cryptographic techniques.

a. Has the project utilized encryption, and has the key management system been based on an agreed set of standards, procedures, and secure methods for:
- Generating keys for different cryptographic systems and different applications
- Generating and obtaining public key certificates
- Obtaining, revoking, withdrawing, expiring, destroying, and archiving keys
- Rules for key changes and updates
- Distribution, activation, and storage of keys (including physical protection of equipment used to generate, store and archive keys)
- Handling compromised keys
- Recovering lost or corrupted keys
- Logging key management activities
- Giving every key an activation date and an expiration date

b. Has the project used a certification authority to ensure the authenticity of public keys, with liability, reliability of services, and response times addressed in the contract?
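The key lifecycle items in 12.3a (activation and expiration dates, handling compromised keys, destruction, logging of key management activities) together with the message authentication question in 12.2, as an added example that is not part of the checklist and not ITO code: a minimal secret-key store in Python that issues HMAC-SHA256 tags under the current key and refuses tags made with keys that have expired, been destroyed, or been reported compromised. The key identifiers, lifetimes, sample message and fixed clock are assumptions made for the example; a production system would hold the secrets in an HSM or key vault rather than in process memory.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ManagedKey:
    key_id: str
    secret: bytes
    activates_at: datetime
    expires_at: datetime
    state: str = "active"            # active | compromised | destroyed


class KeyManager:
    """Secret-key (HMAC-SHA256) store: every key has activation and expiration
    dates, compromise and destruction are recorded, and every action is logged."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._keys: Dict[str, ManagedKey] = {}
        self.log: List[str] = []

    def _record(self, event: str, key_id: str) -> None:
        self.log.append(f"{self._clock().isoformat()} {event} {key_id}")

    def generate(self, lifetime_days: int) -> str:
        now = self._clock()
        key = ManagedKey("k-" + secrets.token_hex(4), secrets.token_bytes(32),
                         now, now + timedelta(days=lifetime_days))
        self._keys[key.key_id] = key
        self._record("generated", key.key_id)
        return key.key_id

    def mark_compromised(self, key_id: str) -> None:
        self._keys[key_id].state = "compromised"
        self._record("compromised", key_id)

    def destroy(self, key_id: str) -> None:
        key = self._keys[key_id]
        key.secret, key.state = b"", "destroyed"     # drop the secret, keep metadata for audit
        self._record("destroyed", key_id)

    def usable(self, key_id: str) -> bool:
        key = self._keys.get(key_id)
        if key is None or key.state != "active":
            return False
        return key.activates_at <= self._clock() < key.expires_at

    def current_key_id(self) -> Optional[str]:
        # Newest usable key; None means nothing may sign until a key is generated
        live = [k for k in self._keys.values() if self.usable(k.key_id)]
        return max(live, key=lambda k: k.activates_at).key_id if live else None

    def sign(self, message: bytes) -> Tuple[str, str]:
        key_id = self.current_key_id()
        if key_id is None:
            raise RuntimeError("no usable signing key")
        return key_id, hmac.new(self._keys[key_id].secret, message, hashlib.sha256).hexdigest()

    def verify(self, key_id: str, message: bytes, tag: str) -> bool:
        # Reject unknown, not-yet-active, expired, compromised or destroyed keys,
        # then compare tags in constant time
        if not self.usable(key_id):
            return False
        expected = hmac.new(self._keys[key_id].secret, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def run_demo() -> Dict[str, object]:
    """Walk a key through generation, use, expiry, destruction, rotation and compromise."""
    clock = [datetime(2011, 1, 1, tzinfo=timezone.utc)]   # fixed clock, assumed for the demo
    km = KeyManager(lambda: clock[0])
    message = b"transfer 250.00 CAD to 123456789"        # constructed sample message
    results: Dict[str, object] = {}
    k1 = km.generate(lifetime_days=30)
    kid, tag = km.sign(message)
    results["signed_with_k1"] = kid == k1
    results["valid_tag_accepted"] = km.verify(kid, message, tag)
    results["tampered_message_rejected"] = not km.verify(kid, message + b"0", tag)
    clock[0] += timedelta(days=31)                        # k1 is now past its expiration date
    results["expired_key_rejected"] = not km.verify(k1, message, tag)
    km.destroy(k1)
    try:
        km.sign(message)
        results["sign_without_key_fails"] = False
    except RuntimeError:
        results["sign_without_key_fails"] = True
    k2 = km.generate(lifetime_days=30)                    # rotation: the new key becomes current
    results["rotated_to_k2"] = km.current_key_id() == k2
    kid2, tag2 = km.sign(message)
    km.mark_compromised(k2)                               # tags under a compromised key are no longer trusted
    results["compromised_key_rejected"] = not km.verify(kid2, message, tag2)
    results["no_usable_key_after_compromise"] = km.current_key_id() is None
    results["events_logged"] = [line.split()[1] for line in km.log]
    return results
```

Calling `run_demo()` returns a dictionary of outcomes; the point to notice is that `verify` consults key state and dates at verification time, so a tag that was valid yesterday is rejected today once the key has expired or been reported compromised, which is the behaviour the "compromised key" and "activation and expiration date" items in 12.3a require. The log records every lifecycle event with a timestamp and key identifier but never the key material.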

c. Has the project utilized one of the two approved types of cryptographic technique:
- Secret key techniques
- Public key techniques

12.4 Security of system files

The Government of Saskatchewan ensures the security of system files by controlling access to system files and program source code. IT projects and support activities are conducted in a secure manner. Care is taken to avoid exposure of sensitive data in test environments.

a. Has the project followed these guidelines to control the installation of software on operational systems:
- Management will authorize a release manager to coordinate the installation and update of software, applications, and program libraries
- Production systems will not contain development code or compilers
- User acceptance testing will be performed extensively and successfully on a separate system prior to production implementation
- A rollback strategy will be in place and previous versions of application software will be retained
- Old versions of software will be archived, including configuration details and system documentation
- Program library updates will be logged

b. Has the project ensured vendor software will be maintained at a supported level, and that vendor access will be authorized and monitored?

c. Has the project ensured security software patches have been applied as recommended by the vendor?

d. Has the project ensured operating systems will only be upgraded when there is a requirement to do so?

If the project used production data for user acceptance testing, were the following requirements met:
- The data is modified beyond recognition before use
- The production access control procedures are applied in the user acceptance testing environment
- Authorization is required every time data is copied from production to a user acceptance testing environment
- When testing is complete, the data is erased

12.5 Security in development and support processes

The Government of Saskatchewan maintains the security of application system software and information. Project and support environments are strictly controlled. The Government of Saskatchewan managers responsible for application systems are responsible for the security of the project or support environment. They must ensure that all proposed system changes are reviewed to ensure that they do not compromise the security of either the system or the operating environment. Ministry application owners will be notified of security issues.

a. Has the project tested new software (including patches, service packs, and other updates) in an environment that is segregated from the development and production environments? (Automated updates will not be used on critical systems.)

b. Has the project, when introducing new systems and major changes to existing systems, ensured that it:
- Follows a formal process of:
  o Documentation
  o Specification
  o Testing
  o Quality control
  o Approval
  o A formally managed implementation
- Includes:
  o A risk assessment
  o An analysis of the impacts of changes
  o Specifications of security controls
  o Assurance that existing security and control procedures are not compromised
  o Obtaining a formal agreement and approval for any change

a. Has the project implemented a process for technical review of application control and integrity procedures that tests the impact of operating system changes on business-critical applications and, at a minimum, formally considers the following:
- Notification of operating system changes
- Updating business continuity plans to reflect related changes

b. Has the project ensured a specific group or individual has been given responsibility for monitoring vulnerabilities and vendor releases of patches and fixes?

Has the project formally considered the following when outsourcing software development:
- Licensing arrangements
- Code ownership
- Intellectual property rights
- Audit and certification of the quality and accuracy of the development
- Escrow arrangements
- Quality and security contractual requirements
- Testing for malicious code

12.6 Technical vulnerability management

The Government of Saskatchewan reduces the risks resulting from exploitation of published technical vulnerabilities. Technical vulnerability management has been implemented in an effective, systematic, and repeatable way, with measurements taken to confirm its effectiveness. These considerations include operating systems and any other applications in use.

Has the project established and documented effective management procedures for technical vulnerabilities using the following guidelines:
- Define and establish the roles and responsibilities for:
  o Vulnerability monitoring
  o Vulnerability risk assessment
  o Patching
  o Asset tracking
  o Coordination
- Identify the information resources used to identify and maintain awareness of relevant technical vulnerabilities
- Define timelines for reacting to vulnerability notifications
- Identify the associated risks and the actions to be taken for each potential technical vulnerability
- Where possible, follow change management or information security incident response procedures
- Assess the risks associated with installing a patch against the risks associated with leaving the vulnerability in place
- Formally consider these controls:
  o Test and evaluate, then install the patch
  o Turn off affected services or capabilities
  o Adapt or add access controls
  o Increase monitoring
  o Raise awareness
- Log all procedures undertaken
- Regularly monitor and evaluate the technical vulnerability management process
- Address high-risk systems first

13 INFORMATION SECURITY INCIDENT MANAGEMENT

13.1 Reporting Information Security Events and Weaknesses

The Government of Saskatchewan ensures information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. Formal event reporting and escalation procedures are in place. All employees, contractors and third party users are made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets. They are required to report any information security events and weaknesses as quickly as possible to the ITO Service Desk.

Has the project communicated to employees, contractors and third party users of information systems and services that they are required to report any suspicious events to the service desk?

Has the project notified employees, contractors and third party users not to attempt to validate suspected weaknesses without specific management approval?

14 BUSINESS CONTINUITY MANAGEMENT

14.1 Information Security Aspects of Business Continuity Management

Business continuity management includes controls that, in addition to the general risk assessment process, identify and reduce risks in order to limit the consequences of damaging incidents and ensure that information required for business processes is readily available. The Government of Saskatchewan counteracts interruptions to business activities to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process is implemented to minimize the impact on the organization and to recover from the loss of information assets (which may result from, but is not limited to, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls. This process identifies the critical business processes and the information security management requirements of business continuity, along with other continuity requirements relating to areas such as operations, staffing, materials, transport and facilities. The consequences of disasters, security failures, loss of service, and service availability are subject to a business impact analysis. Business continuity plans are developed and implemented to ensure timely resumption of essential operations. Information security is an integral part of the overall business continuity process and of other management processes within the organization.

Has the project provided documentation to identify and provide for the continued availability of:
- Critical systems, applications, assets, employees, documents, and project information
- Other services and assets when warranted and identified by a threat and risk analysis

Has the project provided documentation to support a testing plan for business continuity that:
- Ensures that key personnel understand the documented recovery procedures and have the document available to them
- Educates all members of the recovery teams, and their backups, about their roles in the event of a disaster
- Provides verification of the recovery strategy
- Performs annual testing and review
- Identifies any flaws or lack of documentation in all sections of the plan
- Verifies that critical business functions can be recovered while simulating disaster scenarios
- Updates existing plans to encompass new requirements arising from business, system, network, legal or contractual requirement, or personnel changes
- Tests all components of the plan, including hardware, software, personnel, data, supplier facilities and services, communications, procedures, forms, documentation, and alternate site locations
- Makes modifications based on test results
- If a backup hot site is adopted, performs a parallel test; otherwise completes a simulation test

15 Compliance

15.1 Compliance with Legal Requirements

The design, operation, use, and management of information systems are subject to statutory, regulatory, and contractual security requirements. The Government of Saskatchewan has procedures in place to avoid breaches of any legal, statutory, regulatory, or contractual obligations, and of any security requirements. Advice on specific legal requirements is sought from the Ministry of Justice or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to or through another country (i.e. trans-border data flow).

Has the project received approval from the ministry compliance owner (tasked with defining, documenting, and keeping updated all relevant legal, regulatory, and contractual requirements for each information system identified as critical) that the project meets the following compliance criteria:
- The organizational approach meets all requirements
- The specific controls and individual responsibilities meet all requirements

Has the project classified records and complied with the Records Act (2004), which details the retention period?

Has the project communicated the data protection and privacy specification to all personnel processing personal information?

Has the project ensured all users are made aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use, through the signing of written authorizations?

15.2 Compliance with Security Policies and Standards, and Technical Compliance

The Government of Saskatchewan ensures the compliance of systems with organizational security policies and standards, which are regularly reviewed. Such reviews are performed against the appropriate security policies, and the technical platforms and information systems are audited for compliance with applicable security implementation standards and documented security controls.

Has the project ensured all information processing facilities have been assessed for compliance with appropriate security policies, standards, and any other security requirements, and that ITO Security Services has a record of the assessment?

a. Has the project ensured penetration tests or vulnerability assessments are planned, documented, and repeatable, and that caution is exercised (as such activities can lead to a compromise of the security of the system)?

b. Has the project ensured information gathered from security testing is analyzed and recommendations are made based on the results?


More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11 Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen

More information

Security Controls in Service Management

Security Controls in Service Management Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Security

More information

Information Security Policy version 2.0

Information Security Policy version 2.0 http://kfu.edu.sa KING FAISAL UNIVERSITY Information Security Policy version 2.0 Prepared & Presented by: M. Shahul Hameed, MBA, M.Sc.IT, C\MA, CIA, PMP, CGEIT, CISA, CISM, ITSM(ITIL), ISO27001LA, Head

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

Security and Privacy Controls for Federal Information Systems and Organizations

Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 26, 2012 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6 to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized

More information