Corporate Policy: Acceptable Use
Information Technology Services Division

Introduction
IT resources under the custody and control of the California Lottery (Lottery) are the property and responsibility of the Lottery. Managing the appropriate use of information assets advances the protection of the Lottery, its employees, and partners from illegal or damaging activities.

Policy
This policy establishes the acceptable use of Lottery IT resources. Lottery employees are permitted to use the Lottery's IT resources in the performance of their job-related duties. Minimal incidental personal use of these resources is permitted, but is restricted to Lottery-approved users only. Users must take precautions to ensure that IT resources remain protected at all times, and must take proactive measures to prevent the unauthorized use of their authentication (e.g., login and password) information. The Lottery reserves the right to monitor and log all usage of Lottery IT resources at any time.

Unacceptable Use
The following are examples of unacceptable use of Lottery IT resources:

Any activity that:
- interferes with the normal performance of an employee's work duties
- violates regulations
- is illegal under local, state, federal, or international law
- causes the harassment of others
- creates a hostile workplace

Any activity that results in:
- repeated unwelcome contacts

Personal (non-Lottery) use of IT resources for:
- monetary gain
- political or religious purposes
- unsolicited advertising
- unauthorized fund raising
- activity that results in direct costs to the Lottery

Any incidental use activity that:
- significantly reduces the performance or availability of Lottery information technology resources

Unacceptable Use (continued)
Users must not purposely access, create, display, store, or transmit information containing material that is:
- defamatory
- abusive
- obscene
- pornographic
- indecent
- profane
- sexually oriented
- threatening
- racially offensive
- discriminatory

Applicability
This policy applies to all Lottery employees and IT resources.

Policy Owner / Stakeholder(s)
ITSD is responsible for maintaining this policy. The is a stakeholder.

Definitions
Information Technology (IT) Resource: Any related IT equipment (e.g., computers, servers, network equipment, imaging devices, removable media, peripherals, copiers, printers, mobile or telecommunication devices including telephones and mobile phones) or IT service (e.g., electronic mail, web sites, shared folders, applications, print queues, or operating systems).

Approval: 04/02/2013, Robert T. O'Neill, Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Initial Publication

Corporate Policy: Access Control
Version

Introduction
The purpose of this policy is to provide access control requirements to all authorized users of California Lottery (Lottery) information systems to ensure the confidentiality, integrity and availability of Lottery information assets in accordance with the Lottery Policy.

Policy
It is the Lottery's policy that access to Lottery information systems and resources must be authorized, reviewed, and granted in a controlled manner with the least level of privilege required to carry out responsibilities. The following statements pertain to this policy.
- Access must comply with the principle of separation of duties.
- Access must conform to the Lottery's Data Classification Policy.
- Data Owners must authorize access for which they are responsible. Data Owners may delegate some operational responsibilities, but will retain their accountability.
- Access authorization requests and denials must be documented via the Information Technology Services Division's access request process.
- Application owners must ensure that user access rights are removed when access to the information is no longer required.
- User access accounts must be unique and consist of at least a user ID and password set.
- Access passwords must conform to the Lottery's Password Policy.
- Service accounts must be used only by the intended application or service. Support personnel requiring equivalent access must use their user accounts.
- Privileged access must be restricted, controlled, provided to users only on a need-to-know basis and must be audited on a periodic basis.
- Privileged access must only be used for system administrative purposes and should be kept separate from the standard user account.
- User access must time out after a period of inactivity.
- Access to application and Lottery information systems must be logged. The access logs must be reviewed periodically for unauthorized activities.
- Application and system developers must not be given access to both development and production environments of the systems or applications.
- User access rights must be reviewed periodically by their direct supervisor and recertified by the information system's Data Owners.

Policy (continued)
- User accounts which have been inactive for 60 days or more must be suspended unless otherwise instructed by the Data Owner.
- User accounts which have not been reactivated within a 12-month period must be deleted unless otherwise instructed by the Data Owner.
- Compliance with the Access Control Policy must be monitored.

Applicability
This policy applies to all Lottery information systems and to all persons who perform work for the Lottery and have access to Lottery information resources, including but not limited to:
- rs
- Employees
- Temporary staff
- Contractors, consultants, and third parties

Definitions
Least Level of Privilege: The principle of having each subject granted the most restrictive set of privileges needed for the performance of authorized tasks.
Separation of Duties: The principle of not allowing one person to be responsible for completing or controlling a task, or set of tasks, from beginning to end when the potential for fraud, abuse or other harm exists.
Service Account: An account that is used solely for the purpose of running an application or service. Once configured, service accounts do not require day-to-day human intervention.

Policy Owner / Stakeholders
r As the policy owner, is responsible for the maintenance of, overall compliance with, and enterprise monitoring of this Policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive.

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
- Policy
- Data Classification Policy
- Password Policy

Approval: 5/5/2014, Paula D. LaBrie, Acting Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Applicability; Removed Enforcement Section; References; Final QA; Initial Publication

Corporate Policy: Social Media
Corporate Communications Division

Introduction
Social media is changing the way we work, communicate, and engage with the world. Social media channels, such as Twitter, YouTube, and Facebook, provide unique opportunities for the California Lottery (Lottery) to interact with the public. This policy sets forth guidelines for the use of social media that will help protect both our employees and the Lottery.

Policy
When engaging in social media activities the following information and guidelines are applicable:
- You are not permitted to publish any content or express any opinions on behalf of the Lottery on any social media networks or websites, including but not limited to the Lottery's official social media websites or accounts, without prior written authorization from our Corporate Communications Deputy Director;
- If part of your duties includes communicating through social media on behalf of the Lottery, your communications should be consistent with Lottery policies and standards for professional conduct;
- You are individually responsible for the content you post online, and could be subject to disciplinary action for content or commentary that is confidential or proprietary to the Lottery or its contractors or vendors;
- Never reveal information that is deemed sensitive or confidential by the Lottery; if you are unsure whether information is sensitive or confidential, please refer to the Lottery's Data Privacy and Confidentiality Policy and consult with your manager. If necessary, our Corporate Communications Deputy Director or can provide further direction;
- Please refer any player complaints, including but not limited to those related to player accounts or claims, to the Lottery's Customer Service staff;
- Any questions from the media regarding official Lottery communications or information should be directed to the Lottery's Corporate Communications Division;
- When your connection to the Lottery is apparent but you are not acting with prior authorization on behalf of the Lottery, please make it clear that any information or opinions that you express are your own and do not necessarily reflect the views of the Lottery;
- You are responsible for ensuring that any content you post on behalf of the Lottery is not in violation of law, including intellectual property law and the California Labor Code;
- You are not permitted to discuss competitors, customers/players, and Lottery partners without the prior approval of your manager and our Corporate Communications Deputy Director;
- Nothing in this policy is intended to interfere with your rights as a state employee.

Definitions
Social Media: Websites and applications that enable users to create and share content or to participate in social networking. Examples of social media websites/applications include but are not limited to: Facebook, Twitter, YouTube, Instagram, LinkedIn, Google+, Pinterest, wikis, blogs, message boards, webinars, and content sharing sites.
Social Media/Web Content: Text, visual, audio or experiential content that is published online or across digital devices. These may include, among other things, text, images, sounds, interactive experiences, videos, games, and animations.
Confidential: Information maintained by the Lottery that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. This information is limited to use by defined authorized personnel only and considered critical to ongoing operations. This includes, but is not limited to, personally identifiable information, protected health information, personal financial information/payment card information, gaming system data, electronic player information, and communications subject to attorney-client privilege.

Applicability
This policy applies to all Lottery officers, employees, and contractors.

Policy Owner / Stakeholders
The Corporate Communications Division is responsible for maintaining this policy. Additional stakeholders include Information Technology Services Division and.

References
Lottery Policies:
- Acceptable Use
- Code of Conduct for Responsible Gaming
- Data Privacy and Confidentiality
- Employee Conduct and Appearance
- Incompatible Activities and Ethical Conduct Standards
- Data Classification

Approval: 06/04/2015, Paula D. LaBrie, Acting Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Initial Publication

Corporate Policy: Securing Visible Sensitive and Confidential Information

Introduction
The purpose of this policy is to reduce the risks of unauthorized access to, loss of, or damage to California Lottery (Lottery) information, especially at times when work areas are left unattended.

Policy
It is the Lottery's policy that work environments must be properly maintained to prevent the unauthorized disclosure and/or alteration of sensitive and confidential information. The following statements pertain to this policy:

Secured Desk
- Whenever away from a designated work area, sensitive working documents, digital media such as CD-ROM, DVD, or USB drives, and portable computing devices should be stored in a secure manner.
- Avoid writing sensitive information such as user IDs, passwords, account numbers, etc. on Post-It or other handwritten notes.
- Use the shredding bins for sensitive documents when they are no longer needed, in accordance with Lottery Records Retention policies.

Common Areas
- Special attention should be given to reception desks and reception areas since they can be particularly vulnerable to visitors. These areas must be kept clear and must not allow visitors to reach or have sight of sensitive documents, media, and devices.
- Printed and faxed documents with sensitive information should be cleared as soon as they are printed. Where possible, apply a PIN when printing restricted information.
- Incoming and outgoing mail collection should be protected so that letters cannot be stolen or lost.

Policy (continued)

Secured Screen
- Ensure that the password-protected screen saver is enabled on your computer and that it activates when the computer is not in use for a short period of time. Contact the ITSD Service Desk if this setting is not enabled.
- Always activate the password-protected screen lock or completely log off from your computer when leaving the computer unattended.
- Computer screens should be protected from unauthorized viewing. If necessary, position screens away from direct view or use a privacy screen filter.
- When visitors are present and a computer screen is in direct view, activate the password-protected screen lock.

Applicability
This policy applies to all Lottery information systems and to all persons who perform work for the Lottery and have access to Lottery information resources, including, but not limited to:
- Employees
- Temporary staff
- Contractors, consultants, and third parties.

Policy Owner / Stakeholders
r As the policy owner, is responsible for maintaining, monitoring, and overall compliance with this policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Public.

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
- Policy

Approval: 5/9/2014, Paula D. LaBrie, Acting Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Initial Publication

Corporate Policy: Physical and Environmental Security

Introduction
The purpose of this policy is to provide Physical and Environmental Security requirements in order to ensure the confidentiality, integrity and availability of California Lottery (Lottery) information assets.

Policy
It is the Lottery's policy that information resource facilities must be physically protected from loss, destruction, and damage, and that access to such facilities must be controlled, monitored and protected against unauthorized and unlawful access. The following statements pertain to this policy:

Access Control
- All Lottery physical locations must have the appropriate level of controls to protect against unauthorized access.
- Physical access to all information processing facilities must be controlled. Doors must be locked at all times and access can be provided after gaining the required approval.
- Physical locations that are designated Restricted Access Area must be protected with an additional layer of protection against compromise of the primary security control.
- Delivery and loading areas must be adequately separated from information processing facilities.

Environmental Protection
- Power protection must be provided to support both personnel safety and to ensure the availability of critical information systems.
- All servers, computer equipment and other critical hardware must be housed in an environment equipped to control, detect, prevent, and suppress environmental hazards including fire, water, temperature and humidity.
- Uninterruptible Power Supplies (UPS) must be used on equipment supporting critical business operations to allow turning off of the systems in an orderly fashion or to allow systems to continue running.

Policy (continued)

Monitoring

General
- A formal inventory of information processing assets (hardware, software and applications) must be maintained. A review of the inventory must be performed on an annual basis.
- Rooms containing wiring or communications equipment (wiring closets, PBX rooms, etc.) must be locked at all times with access restricted to authorized personnel only.
- Wiring closets and equipment rooms must not have signage which identifies the room as containing such equipment.
- Any Lottery information processing equipment that is to be disposed of, or reused, must undergo a cleansing process before its disposal or reuse.

Definitions
Restricted Access Area: Physical location that has been designated by the Deputy Director of SLED as critical to the operation of the Lottery.

Applicability
This policy applies to all Lottery facilities including but not limited to the Lottery Headquarters, District s, Distribution Centers, Backup Facilities and Off-Site Storage Facilities.

Policy Owner / Stakeholders
r As the policy owner, they are responsible for the maintenance, overall compliance with, and enterprise monitoring of this corporate policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
- Policy
- Information Media Protection and Destruction Policy
- Access Control Badge Changes, Contractor, Issuance, Operational Recovery, Recovered, Separations
- Access to Employee Work Locations

Approval: 5/5/2014, Paula D. LaBrie, Acting Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Initial Publication

Corporate Policy: Password
Version

Introduction
The purpose of this policy is to provide the password requirements for all California Lottery (Lottery) information systems and users to ensure the confidentiality, integrity, and availability of Lottery information assets.

Policy
It is the Lottery's policy that passwords used to authenticate to Lottery information systems must be protected from unauthorized access and must comply with the following:

Password Storage
- Passwords are restricted information and must not be shared with anyone (including system administrators).
- Passwords must not be written down.
- Where technology permits, passwords must not be stored in clear text. The highest possible encryption must be given to stored passwords.

Password Controls
- Passwords must not be transmitted in clear text over networks, including internal networks. The highest possible encryption must be given to all passwords transmitted. Irreversible encryption/hashing techniques are recommended.
- Passwords must be changed at least every 60 calendar days.
- Reuse of 12 previous passwords is not allowed.
- The user account must lock out after 8 unsuccessful password attempts.
- Passwords must contain at least 8 characters.
- Passwords must not contain the username or user ID.
- Passwords must contain any three of the four following classes of characters in any order:
  - Uppercase letters
  - Lowercase letters
  - Numerals
  - Non-alphanumeric special characters

Service Accounts
- Service accounts cannot be used for vendor access to Lottery systems.
- Service accounts must be used only by the intended application or service. Support personnel requiring equivalent access must use their user credentials.

Policy (continued)

General
Service accounts must also implement the following controls to mitigate the risk of account compromise:
- Use a complex password that has a minimum of 12 characters.
- Limit access to the service account password to only those personnel who have an operational need.
- Change the password when a person who knows the password leaves their position or when it is suspected that the password has been compromised.
- Set up the account as a local server account rather than a global domain account.
- Give the account the least amount of access needed to run the service or process. This includes User Rights and File and Share permissions.

Compliance with the Password Policy will be monitored.

Definitions
Service Account: Account that is used solely for the purpose of running an application or service. Service accounts, once configured, do not require day-to-day human intervention.
Authenticate: To verify the identity of a user or the authenticity of an application or service.

Applicability
This policy applies to all Lottery information systems, applications, operating systems, network devices, and any other entity that uses passwords. This also applies to all persons who perform work for the Lottery and have access to Lottery information resources, including, but not limited to:
- rs
- Employees
- Temporary staff
- Contractors, consultants, and third parties.

Policy Owner / Stakeholders
r As the policy owner, is responsible for the maintenance, overall compliance with, and enterprise monitoring of this information security policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
- Policy
- Access Control Policy
- Encryption Policy

Approval: 5/5/2014, Paula D. LaBrie, Acting Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Applicability; Authority changed to Policy Owner/Stakeholders; Removed Enforcement Section; Final QA; Initial Publication

Corporate Policy: Operating System Security

Introduction
The purpose of this policy is to provide operating system requirements to ensure the confidentiality, integrity, and availability of California Lottery (Lottery) applications and information assets.

Policy
It is the Lottery's policy that operating systems must be protected and configured to prevent unauthorized access. The following statements pertain to this policy:

User Access
- Operating system users must be authenticated before access is allowed.
- All users must have a unique user ID. User IDs must not be shared.
- Operating systems must display a standard message approved by the Lottery Legal upon log on.
- The user ID of the last individual logged on must not be displayed to the next user that attempts to log on.
- Operating systems must store and send passwords in encrypted form.
- Non-essential user IDs must be deleted.
- Temporary user IDs must be deleted immediately after use.

Password Management
- Operating systems must conform to the Lottery's Password Policy.

Auditing, Logging and Monitoring
- Logging must be enabled for user ID management, log on, log off, privilege changes and system activities.
- All log files must be kept in a secure manner.
- Logs must be reviewed periodically.

File System Access and Management
- All permissions to folder and file shares must be based on need-to-know and least level privilege principles.
- All access to restricted files must be logged and monitored.
- Operating systems must use the most secured file system applicable.

Policy (continued)

Services and Networking
- Secure alternatives for unsecured services must be used wherever possible.
- All services or programs that are not essential for the functioning of the system must be disabled.

Security Tools and Updates
- Access control lists must be used to protect business-critical systems.
- Wherever possible, all updates must be tested on a non-production environment before being deployed to production.

Documentation
- Security settings for each operating system must be documented in respective operating system procedures.

General
- Application owners must include operating system secure configuration documents as part of application installation and configuration documentation.
- Compliance with the Lottery's Operating System Security Policy will be monitored.

Definitions
Authenticate: To verify the identity of a user or the authenticity of an application or service.
Least Level Privilege: The principle of having each subject granted the most restrictive set of privileges needed for the performance of authorized tasks.
Need To Know: The determination by an authorized holder of sensitive information that access to the information is required by another appropriately cleared individual to perform official duties.

Applicability
This policy applies to all Lottery information systems and operating systems. This also applies to all persons who perform work for the Lottery and have access to Lottery information resources, including, but not limited to:
- rs
- Employees
- Temporary staff
- Contractors, consultants, and third parties.

Policy Owner / Stakeholders
r As the policy owner, is responsible for the maintenance, overall compliance with, and enterprise monitoring of this information security policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
- Policy
- Access Control Policy
- Password Policy
- Application Security Policy

Approval: 5/5/2014, Paula D. LaBrie, Acting Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Initial Publication

Corporate Policy TITLE: POLICY TITLE
Version

Introduction
This policy supports the California Lottery's commitment to:
- Protect the confidentiality, integrity and availability of its information assets.
- Comply with regulatory and legal requirements related to.

Policy
California Lottery (Lottery) information and applications must be protected in a manner commensurate with their sensitivity, value, and criticality. It is the Lottery's policy that information security management must be used to systematically integrate information security into management and work practices at all levels so that missions are accomplished while appropriately protecting Lottery information and applications.

Users of Lottery Information System:
- Must review the Lottery's Acceptable Use Policy annually and attest to compliance with its terms and provisions.
- Must adhere to all applicable legal, statutory, regulatory and contractual requirements.
- Must adhere to security and privacy policies and procedures.
- Must report information security incidents to the upon discovery.

Lottery information system refers to an integrated set of information technology components that is used by the Lottery to collect, store and to process data that are used to deliver information, knowledge, and digital products.

Infrastructure: The Lottery information system and network infrastructure must be designed and implemented to protect Lottery information and third party information for which the Lottery is responsible.

Computer Hardware, Software, and Equipment: Only authorized hardware, software, and supporting equipment is allowed for use on Lottery systems. Authorized hardware, software, and supporting equipment purchased or obtained by the Lottery must be used only in accordance with the Lottery Acceptable Use Policy.

Awareness: Communications will be issued periodically to the organization to enhance information security awareness. Such communications will address both best practices and unsafe practices, and reinforce information security policies, procedures, and information system user responsibilities.

Applicability
This policy applies to all persons that perform any work for the Lottery and have access to Lottery information resources, including, but not limited to:
- rs
- Employees
- Temporary staff
- Contractors, consultants, and third parties

Each individual will be required to sign an annual statement, confirming that they have read and understood the Acceptable Use Policy and the Lottery's Incompatible Activities and Ethical Conduct Standards.

Policy Owner / Stakeholders
r As the policy owner, the is responsible for the maintenance, overall compliance with, and enterprise monitoring of this corporate policy.
Division Deputy Directors: As the Data Owners, Deputy Directors are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
- Acceptable Use Policy
- Incompatible Activities and Ethical Conduct Standards
- Data Classification Policy
- Privacy and Confidentiality Policy

Approval: Paula D. LaBrie, Acting Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Policy; Authority changed to Policy Owner/Stakeholders; Removed Enforcement Section; 5/5/ Final QA; Initial Publication

Corporate Policy: Compliance Review

Introduction
This policy sets forth compliance review requirements for the California Lottery's (Lottery) information security policies in order to ensure the confidentiality, integrity, and availability of Lottery information assets.

Policy
It is the Lottery's policy that continued compliance with information security policies must be ensured.

General
- The Lottery's operating environment, including but not limited to information technology security, physical and environmental security, and human resources security, will be subject to continued and periodic reviews and assessments to ensure compliance with Lottery security policies.
- The (ISO) will periodically conduct information security policy compliance checks.
- Information security compliance checks must be properly planned and executed. This includes but is not limited to the following:
  - Communicating the activities, objectives, and scope to management.
  - Identification of proper resources and skills for support.
  - Documentation of all activities, findings made, and recommendations suggested.

Applicability
This policy applies to Lottery information systems and to all persons who perform work for the Lottery and have access to Lottery information resources, including but not limited to:
- rs
- Employees
- Temporary staff
- Contractors, consultants, and third parties.

Policy Owner / Stakeholders
r As the policy owner, is responsible for the maintenance, overall compliance with, and enterprise monitoring of this information security policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
- Policy

Approval: 5/7/2014, Paula D. LaBrie, Acting Director

Revisions (Review Date / Action Date / Action / Section(s) Revised / Effective Date / Approval): Initial Publication

Corporate Policy
Policy Title: Information Media Protection and Destruction

Introduction
The purpose of this policy is to provide information media protection and destruction requirements in order to ensure the confidentiality, integrity, and availability of California Lottery (Lottery) information assets.

Policy
It is the Lottery's policy that information media and the sensitive data contained therein must be protected through the application of security controls and proper handling procedures. The following statements pertain to this policy:

Data Classification
- Data Owners are responsible for labeling and classifying their information assets based on the Lottery's Data Classification Policy.
- Information media must be secured in a manner commensurate with the level of sensitivity of the information.

Access to Media
- Information media that is classified as confidential, restricted, or private must be stored securely, e.g. in locked drawers, cabinets, or rooms specifically designated for that purpose and accessible only by authorized personnel.
- Recipients of the information media must have the need to know as verified by the Data Owner.
- Information classified as confidential, restricted, private, or sensitive must not be read or discussed in public places.
- Media handlers must not take non-public media out of the country without prior written authorization from the Data Owner.

Media Duplication
- Duplication of non-public information must not take place without advance written permission by the Data Owner.
- Information media must only be duplicated to the extent necessary to support business operations.
- Printers and fax machines must not be left unattended if non-public information is being printed or faxed.

Third Party
- A signed non-disclosure agreement (NDA) must be in place before sending any non-public information to a third party.
- Trusted courier or traceable mail must be used to deliver non-public hardcopy information and other non-public media.
- Intended recipients must provide acknowledgment of the delivery of non-public information.
- Faxing restricted or private information must be avoided. In the event that faxing is the only practical alternative, the sender must confirm with the recipient that the receiving fax machine is in a secured location.

Third-party Contracts and Agreements
- Third-party contracts must address Lottery confidentiality and NDA requirements.
- Third-party contracts must include a Right to Audit clause.

Encryption
- All confidential, restricted, or private information must have controls such as encryption, restricted physical access, and secure storage in place to protect the information while in transit and at rest.
- All confidential, restricted, or private information must be encrypted at rest.
- All non-public information must be encrypted when it is outside the Lottery environment.

Logging
- Access to non-public media must be logged and traceable to an individual.
- Logs must be maintained in a manner that prevents modification, erasure, or destruction by unauthorized personnel.
- Information protection controls must be audited on a regular basis to ensure effectiveness.
- Compliance with this policy must be monitored.

Media Destruction
- Lottery information media that may contain non-public information must be destroyed or securely erased before any reuse, transfer, disposal, or surplus occurs.
- Data Owners must determine the retention and destruction schedule for information media based on business needs and applicable law and regulations.
- Information media must not be retained beyond the retention requirements as determined by the Data Owner.
- Destruction or erasure of information media must occur when the media is obsolete, has exceeded the required retention schedule, or cannot be repaired and must be replaced.
- Electronic information media that contain non-public information must be erased or destroyed by degaussing, by overwriting all addressable locations sufficiently to preclude recognition or reconstruction of the non-public information, or by physical destruction by companies that have contracted with the Lottery to provide secured destruction services.
- Hardcopy information media that may contain non-public information must be destroyed by crosscut shredding, mutilated to preclude recognition or reconstruction of the non-public information, or deposited in locked containers from companies that have contracted with the Lottery to provide secured destruction services.

Training
Data Owners must ensure that personnel assigned as media handlers or custodians of records are adequately trained in proper handling and destruction procedures.

Definitions
Non-public: Information that is classified as confidential, restricted, private, or sensitive as defined in the Lottery's Data Classification Guidelines.
Third-party: Someone who may be indirectly involved but is not a principal party to an arrangement, contract, or transaction.

Applicability
This policy applies to all Lottery information media. Information media includes, but is not limited to, hardcopy and removable electronic media and devices such as , electronic files, floppy disks, Compact Discs, DVDs, optical drives, ZIP and USB drives, memory tokens/sticks, magnetic tapes and cartridges, embedded memory systems, mobile devices, PDAs, BlackBerrys, tablets, smart cards, key fobs, and hard drives within laptops, desktops, and servers.

This policy also applies to all persons who perform work for the Lottery and have access to Lottery information resources, including, but not limited to:
- rs
- Employees
- Temporary staff
- Contractors, consultants, and third parties.

Policy Owner / Stakeholders
Information Security Officer: As the policy owner, is responsible for the maintenance, overall compliance with, and enterprise monitoring of this corporate policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
Policy:
- Data Classification Guidelines
- Encryption Policy
- Clean Desk and Clear Screen Policy

Approval: Paula D. LaBrie, Acting Director

Revisions
Review Date | Action Date | Action | Section(s) Revised | Effective Date | Approval
 | | | Applicability; Authority changed to Policy Owner/Stakeholders; Removed Enforcement Section | 5/5/ | 
 | | Final QA | | |
 | | Initial Publication | | |

Corporate Policy
Policy Title: Information Backup

Introduction
The purpose of this policy is to safeguard Lottery information and services from loss.

Policy
A backup and recovery strategy must be established to ensure information and services can be recovered in the event of an equipment failure or interruption, intentional or inadvertent destruction of data, a malware attack, or physical disaster.

Storage
- The backups should be stored in a secure off-site location, at a sufficient distance to escape any damage from a disaster at the main site;
- Backup locations should be given an appropriate level of physical and environmental protection as stated in the Lottery's Physical and Environmental Security Policy;
- The retention period for backups should adhere to the Lottery's Record Retention Schedule and Retention Policy.

Backups
- Backup plans and procedures should identify the extent (e.g. full, incremental, or differential backup) and frequency of backups, identify the applications and data dependencies, and reflect the business requirements of the organization;
- Where technology permits, backups must be protected by means of encryption;
- Accurate records of the backup copies must be maintained;
- Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups.

Recovery
- Recovery plans and procedures should identify enough information (e.g., the amount of data loss that can be tolerated, how long it takes to become operational, data synchronization, and order of recovery) to meet business operational requirements;
- As part of recovery planning, Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) must be established;
- Recovery plans must be tested periodically and restoration procedures must be checked against the established RPO and RTO;
- Restoration of backups must require specific and appropriate authorization; and
- Reliability of backup media must be regularly tested to ensure recovery is possible.

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

Applicability
This policy applies to all Lottery information systems and to all persons who perform work for the Lottery and have access to Lottery information resources, including, but not limited to:
- rs
- Employees
- Temporary staff
- Contractors, consultants, and third parties.

Policy Owner / Stakeholders
Information Security Officer: As the policy custodian, is responsible for maintenance, overall compliance guidelines, and enterprise monitoring of this information security policy.
Information Technology Services Division Deputy Director: As the implementer of this policy, is responsible for ensuring compliance with this policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy.

Distribution Clearance: Sensitive

Approval: 5/5/2014, Paula D. LaBrie, Acting Director

Revisions
Review Date | Action Date | Action | Section(s) Revised | Effective Date | Approval
 | | Initial Publication | | |

Corporate Policy
Policy Title: Incident Management

Introduction
The purpose of this policy is to provide Incident Management direction and requirements for identifying, reporting, and responding to information security related incidents, in order to ensure the confidentiality, integrity, and availability of Lottery information assets. Information security incidents involve loss, damage, misuse, or unauthorized use of information assets, and improper dissemination of information.

Policy
It is the Lottery's policy that information security incidents must be reported promptly to the IT Service Desk. When deemed appropriate, the may, in coordination with the affected Division, direct the incident response. The Director and Information Security Officer, or the Deputy Director of the Security and Law Enforcement Division, have the authority to take any action deemed appropriate to mitigate the risk posed by any information security incident.

Applicability
This policy applies to Lottery information systems and to all persons who perform any work for the Lottery and have access to Lottery information resources.

Policy Owner / Stakeholders
Information Security Officer: As the policy owner, they are responsible for the maintenance, overall compliance with, and enterprise monitoring of this information security policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
Policy:
- Data Classification Policy

Approval: 5/5/2014, Paula D. LaBrie, Acting Director

Revisions
Review Date | Action Date | Action | Section(s) Revised | Effective Date | Approval
 | | Initial Publication | | |

Corporate Policy
Policy Title: Encryption

Introduction
The purpose of this policy is to specify the encryption requirements for California Lottery (Lottery) information, while at rest or in transit, in order to ensure the confidentiality, integrity, and availability of the Lottery information.

Policy
It is the Lottery's policy that all cryptographic technologies used for the transmission or storage of electronic data conform to those that have been reviewed and authorized for use by the Lottery.

Encryption
- The Lottery's Information Security Officer (ISO) sets the minimum encryption requirements for Lottery data. The ISO establishes the Encryption Standard document.
- The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved as described under Exceptions.
- When technology permits, confidential, restricted, or private data (including passwords) must be encrypted at rest and in transit.
- Web servers processing confidential, restricted, or private information must use the Secure Sockets Layer (SSL) protocol.
- Encryption must be used, regardless of classification of data, in a communication environment where any of the following conditions exist:
  - Integrity of the communication is required (wherein no data may be arbitrarily added, deleted, or modified);
  - The requested service is granted only to authenticated users;
  - Non-repudiation of communication is required (in which the sender of data and the receiver cannot deny having processed the data); and
  - Encryption is required by regulation.

Key Management
- Appropriate key management must be implemented to ensure secure key generation, use, storage, and destruction.
- Key management must be fully automated.
- Keys in storage and in transit must be encrypted.
- Authentication (including but not limited to passwords, tokens, etc.) must be required in order to gain access to keys.
- Access to keys must be restricted to authorized personnel only.
- Separation of duties and least privilege must be enforced in the management of keys.
- Considerations must be made to support the recovery of encrypted data if a key is inadvertently disclosed, destroyed, or becomes unavailable.
- Keys must be physically secured and backed up.

Definitions
Key: Unless otherwise noted, refers to a non-public cryptographic key.
Least Privilege: The principle of having each subject granted the most restrictive set of privileges needed for the performance of authorized tasks.
Separation of Duties: The principle of not allowing one person to be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.

Applicability
This policy applies to all Lottery information systems and to all persons who perform work for the Lottery and have access to Lottery information resources, including, but not limited to:
- rs
- Employees
- Temporary staff
- Contractors, consultants, and third parties

Policy Owner / Stakeholders
Information Security Officer: As the policy owner, is responsible for the maintenance, overall compliance with, and enterprise monitoring of this information security policy.
Division Deputy Directors: As the Data Owners, are responsible for enforcing and ensuring compliance with this policy within their respective divisions.

Distribution Clearance: Sensitive

Exceptions
Exceptions to this policy must be requested through a Risk Assessment as detailed in the Risk Assessment procedure and approved by the appropriate level of management.

References
Policy:
- Data Classification Policy
- Information Media Protection and Destruction

Approval: 5/5/2014, Paula D. LaBrie, Acting Director

Revisions
Review Date | Action Date | Action | Section(s) Revised | Effective Date | Approval
 | | | Policy; Applicability; Authority changed to Policy Owner/Stakeholders; Removed Enforcement Section | | 
 | | Final QA | | |
 | | Initial Publication | | |

Corporate Policy
Policy Title: Data Privacy and Confidentiality

Introduction
To further its mission, the Lottery accesses, creates, and collects confidential and private information regarding players, retailers, and third parties. As an employer, the Lottery also maintains confidential and private information regarding its employees. This policy presents the organization's standards governing the collection, access, use, and treatment of confidential and private information.

Policy
The Lottery handles personally identifiable information of individuals, which in many cases is confidential and protected by privacy laws. The Lottery also handles sensitive commercial information about its retailers and business partners. This information may also be confidential and subject to protection by the Lottery. The Lottery has established appropriate policies and procedures to protect confidential and private information.

Lottery Workforce
The disclosure of confidential and private information regarding players, retailers, and employees must be prevented. The information should:
- Be collected only when such collection is permitted by law and necessary to accomplish the intended purpose.
- Only be released to authorized persons, and then its disclosure must be limited to only the information required to accomplish the intended purpose.

Handling Player, Retailer, Employee, and Third Party Restricted/Private Information

Data Destruction
As soon as reasonably practicable and in a manner consistent with the Lottery's record retention schedule, confidential and private information must be destroyed unless there is a legitimate purpose for retaining such information or retention of the information is required by law. Data sets that are used on a limited basis must be destroyed or returned to the Data Owner when projects for which they are obtained are completed.

Use of Data Linked Information
If confidential or private information is used for data linkage, the linked data set must be stripped of personal identifiers and all identifiers must be destroyed unless there is a legitimate, authorized purpose for retaining such identifiers.


More information

Policy for the Acceptable Use of Information Technology Resources

Policy for the Acceptable Use of Information Technology Resources Policy for the Acceptable Use of Information Technology Resources Purpose... 1 Scope... 1 Definitions... 1 Compliance... 2 Limitations... 2 User Accounts... 3 Ownership... 3 Privacy... 3 Data Security...

More information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law

More information

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents Chapter 84 Information Security Rules for Street Hail Livery Technology System Providers Table of Contents 84-01 Scope of the Chapter... 2 84-02 Definitions Specific to this Chapter... 2 83-03 Information

More information

Western Oregon University Information Security Manual v1.6

Western Oregon University Information Security Manual v1.6 Table of Contents: 000 Introductory Material 001 Introduction Western Oregon University v1.6 Please direct comments to: Bill Kernan, Chief Information Security Officer 100 Information Security Roles and

More information

The Contractor's Responsibility - Preventing Improper Information Process

The Contractor's Responsibility - Preventing Improper Information Process BRIGHT HORIZONS BASELINE THIRD PARTY SECURITY REQUIREMENTS Version 1.0 (updated March 2015) Contents SECTION 1:... 3 REQUIREMENTS INTRODUCTION AND BACKGROUND... 3 1. SUMMARY... 3 2. DEFINITIONS... 3 3.

More information

Information Security Policy

Information Security Policy Information Security Policy Contents Version: 1 Contents... 1 Introduction... 2 Anti-Virus Software... 3 Media Classification... 4 Media Handling... 5 Media Retention... 6 Media Disposal... 7 Service Providers...

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

Responsible Access and Use of Information Technology Resources and Services Policy

Responsible Access and Use of Information Technology Resources and Services Policy Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

a) Access any information composed, created, received, downloaded, retrieved, stored, or sent using department computers.

a) Access any information composed, created, received, downloaded, retrieved, stored, or sent using department computers. CAYUGA COUNTY POLICY MANUAL Section 11 Subject: Electronic messaging and internet 1 Effective Date: 5/25/10; Res. 255-10 Supersedes Policy of: November 28, 2000 Name of Policy: County Computer Hardware-Software

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

Information Security Policy Manual

Information Security Policy Manual Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE

More information

HIPAA Security Training Manual

HIPAA Security Training Manual HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,

More information

MARIN COUNTY OFFICE OF EDUCATION. EDUCATIONAL INTERNET ACCOUNT Acceptable Use Agreement TERMS AND CONDITIONS

MARIN COUNTY OFFICE OF EDUCATION. EDUCATIONAL INTERNET ACCOUNT Acceptable Use Agreement TERMS AND CONDITIONS MARIN COUNTY OFFICE OF EDUCATION EDUCATIONAL INTERNET ACCOUNT Acceptable Use Agreement TERMS AND CONDITIONS Please read the following carefully before signing this document. INTERNET access is coordinated

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Approved By: Agency Name Management

Approved By: Agency Name Management Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Media Protection Policy Every 2 years or as needed Purpose: The intent of the Media Protection Policy is to ensure the

More information

INFORMATION SYSTEM GENERAL USAGE POLICY

INFORMATION SYSTEM GENERAL USAGE POLICY PURPOSE The Information System General Usage Policy ("Policy") establishes appropriate uses of Devon s Information Systems. Devon provides secure Information Systems in accordance with the Information

More information

Forrestville Valley School District #221

Forrestville Valley School District #221 Forrestville Valley School District #221 Student Acknowledgment of Receipt of Administrative Procedures for Acceptable Use of the Electronic Network 2015-2016 All use of electronic networks shall be consistent

More information

Acceptable Usage Guidelines. e-governance

Acceptable Usage Guidelines. e-governance Acceptable Usage Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

SECURITY POLICIES AND PROCEDURES

SECURITY POLICIES AND PROCEDURES 2014 WorldEscrow N.V./S.A. SECURITY POLICIES AND PROCEDURES This document describes internal security rules within the WorldEscrow N.V./S.A. organization. Content 1) Employee Responsibilities... 1 2) Use

More information

Delaware State University Policy

Delaware State University Policy Delaware State University Policy Title: Delaware State University Acceptable Use Policy Board approval date: TBD Related Policies and Procedures: Delaware State University Acceptable Use Policy A Message

More information

Information Security It s Everyone s Responsibility

Information Security It s Everyone s Responsibility Information Security It s Everyone s Responsibility Developed By The University of Texas at Dallas (ISO) Purpose of Training As an employee, you are often the first line of defense protecting valuable

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 AUDIENCE... 4 COMPLIANCE & ENFORCEMENT... 4 POLICY STATEMENTS... 5 1. General... 5 2. Authorized Users... 5 3. Loss and Theft... 5 4. Illegal

More information

Network and Workstation Acceptable Use Policy

Network and Workstation Acceptable Use Policy CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE

HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE This plan describes the standards for the security of all data contained in the Philadelphia Continuum of Care Homeless Management Information System

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

Federal Trade Commission Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment Federal Trade Commission Privacy Impact Assessment for the: W120023 ONLINE FAX SERVICE December 2012 1 System Overview The Federal Trade Commission (FTC, Commission or the agency) is an independent federal

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

Information Technology Services Guidelines

Information Technology Services Guidelines Page 1 of 10 Table of Contents 1. Purpose... 2 2. Entities Affected by This Guideline... 2 3. Definitions... 2 4. Guidelines... 3 4.1 Requesting Data Center or... 3 4.2 Requirements for Data Center or...

More information

City of Venice Information Technology Usage Policy

City of Venice Information Technology Usage Policy City of Venice Information Technology Usage Policy The City of Venice considers information technology (IT) resources to be city resources. It shall be the policy of the city to maintain these resources

More information

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific

More information

13. Acceptable Use Policy

13. Acceptable Use Policy To view the complete Information and Security Policies and Procedures, log into the Intranet through the IRSC.edu website. Click on the Institutional Technology (IT) Department link, then the Information

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Other terms are defined in the Providence Privacy and Security Glossary

Other terms are defined in the Providence Privacy and Security Glossary Subject: Device and Media Controls Department: Enterprise Security Executive Sponsor: EVP/COO Approved by: Rod Hochman, MD - President/CEO Policy Number: New Date: Revised 10/11/2013 Reviewed Policy Owner:

More information

Chronic Disease Management

Chronic Disease Management RESOURCE AND PATIENT MANAGEMENT SYSTEM Chronic Disease Management (BCDM) Version 1.0 Office of Information Technology (OIT) Division of Information Resource Management Albuquerque, New Mexico Table of

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

All Users of DCRI Computing Equipment and Network Resources

All Users of DCRI Computing Equipment and Network Resources July 21, 2015 MEMORANDUM To: From Subject: All Users of DCRI Computing Equipment and Network Resources Eric Peterson, MD, MPH, Director, DCRI Secure System Usage The purpose of this memorandum is to inform

More information

5. Users of ITS are the persons described above under Policy Application of the diocese of Springfield in Illinois.

5. Users of ITS are the persons described above under Policy Application of the diocese of Springfield in Illinois. Diocese of Springfield in Illinois Section I General Statement 1. Information Technology Systems (ITS), when properly used, provide timely communication and technological support to help fulfill the mission

More information

Town of Essex Comprehensive Public Records and Technology Policy

Town of Essex Comprehensive Public Records and Technology Policy Town of Essex Comprehensive Public Records and Technology Policy Introduction: Public records and the use of technology are inextricably linked in our modern age. As such, this policy covers both topics,

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

PHI- Protected Health Information

PHI- Protected Health Information HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson

More information

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Human Resources Policy and Procedure Manual

Human Resources Policy and Procedure Manual Procedure: maintains a computer network and either purchases software for use in the network or develops proprietary software systems for Company use. Company employees are generally authorized to use

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information