Ohio Supercomputer Center



Similar documents
Ohio Supercomputer Center

Ohio Supercomputer Center

HIPAA Security Alert

This policy applies to all DRC employees, contractors, volunteers, interns and other agents of the state.

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

State of Ohio IT Policy

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

UF IT Risk Assessment Standard

Information Security Program Management Standard

Responsible Access and Use of Information Technology Resources and Services Policy

FINAL May Guideline on Security Systems for Safeguarding Customer Information

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Newcastle University Information Security Procedures Version 3

ADM:49 DPS POLICY MANUAL Page 1 of 5

Information Security and Electronic Communications Acceptable Use Policy (AUP)

INFORMATION TECHNOLOGY SECURITY STANDARDS

Supplier Information Security Addendum for GE Restricted Data

Miami University. Payment Card Data Security Policy

Information Resources Security Guidelines

Information Technology Branch Access Control Technical Standard

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Central Agency for Information Technology

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

Estate Agents Authority

Supplier Security Assessment Questionnaire

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

Information Technology Security Procedures

PCI Data Security and Classification Standards Summary

State of South Carolina Policy Guidance and Training

System Security Plan University of Texas Health Science Center School of Public Health

ISO Controls and Objectives

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Client Security Risk Assessment Questionnaire

Draft Information Technology Policy

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Course: Information Security Management in e-governance

Information Security Plan effective March 1, 2010

Cyber Self Assessment

Montclair State University. HIPAA Security Policy

Rule 4-004G Payment Card Industry (PCI) Remote and Mobile Access Security (proposed)

PII Compliance Guidelines

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

MOBILE DEVICE SECURITY POLICY

How To Protect Decd Information From Harm

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Ixion Group Policy & Procedure. Remote Working

ICANWK406A Install, configure and test network security

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

MCOLES Information and Tracking Network. Security Policy. Version 2.0

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

PCI DSS Requirements - Security Controls and Processes

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

University of Cincinnati Limited HIPAA Glossary

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Network Security Policy

Data Management Policies. Sage ERP Online

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

LSE PCI-DSS Cardholder Data Environments Information Security Policy

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

STATE OF OHIO I. AUTHORITY

University of Cincinnati HIPAA Administrative, Physical and Technical Safeguards

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

Payment Card Industry Compliance

HIPAA Security Training Manual

R345, Information Technology Resource Security 1

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Music Recording Studio Security Program Security Assessment Version 1.1

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

DHHS Information Technology (IT) Access Control Standard

1B1 SECURITY RESPONSIBILITY

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Procedure Title: TennDent HIPAA Security Awareness and Training

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

Transcription:

Ohio Supercomputer Center Portable Security Computing No: Effective: OSC-09 05/27/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication Date: TBD 1. Purpose This policy addresses information technology (IT) security concerns with portable computing devices and provides direction for their use, management and control. This policy includes security concerns with the physical device itself, as well as its applications and data. 2. Scope Pursuant to Ohio IT Policy ITP-A.1, Authority of the State Chief Information Officer to Establish Policy Regarding the Acquisition and Use of Computer and Telecommunications Products and Services, this policy applies to all systems under the control of the Ohio Supercomputer Center. The scope of this information technology policy includes OSC computer and telecommunications systems and the employees, contractors, temporary personnel and other agents of the state who use and administer such systems. 3. Background A deliberate decision needs to be made on whether or not portable computing devices should be allowed and, if so, to what degree the devices would be supported. It is essential to address the use and maintenance of state-owned and privately-owned portable devices, protection of sensitive data, adherence to legal requirements, and the safeguarding of system assets. Portable computing devices are increasingly becoming an integral tool for government agencies and businesses. Through the use of portable computing devices, users are able to access university computer and telecommunications systems so that they can work remotely outside of traditional business hours and while traveling. One consequence of this ability has been the co-mingling of business and personal computing assets, particularly portable computing devices such as notebook computers and personal digital assistants. Government agencies need to ensure that the appropriate

safeguards are in place to protect against the intentional or inadvertent corruption or destruction of system assets. 4. References This Policy is based on the following State of Ohio Policies: 4.1. Ohio IT Policy ITP-A.1, Authority of the State Chief Information Officer to Establish Policy Regarding the Acquisition and Use of Computer and Telecommunications Products and Services, defines the authority of the state chief information officer to establish State of Ohio IT policies as they relate to state agencies acquisition and use of information technology, including, but not limited to, hardware, software, technology services and security. 4.2. Ohio IT Policy ITP-B.1, Information Security Framework, is the overarching security policy for state information and services. Ohio IT Policy ITP-B.9, Portable Computing Security, is one of several subpolicies. These security policies should be considered collectively rather than as separate or unrelated policies. Attachment 1 illustrates the interrelationship of state technology security policies. 4.3. Ohio IT Policy ITP-B.2, Boundary Security, requires that state agencies implement and operate a robust network perimeter defense capability. Users of state electronic services must be provided with secure and reliable access to resources and communications. Unauthorized users must be detected and denied access. 4.4. Ohio IT Policy ITP-B.3, Password and Personal Identification Number Security, establishes minimum requirements regarding the proper selection, use and management of passwords and personal identification numbers. 4.5. Ohio IT Policy ITP-B.4, Malicious Code, requires state agencies to implement and operate a malicious code security program. The program should help to ensure that adequate protective measures are in place against introduction of malicious code into state-controlled information systems and that computer system users are able to maintain a high degree of malicious code awareness. 4.6. Ohio IT Policy ITP-B.5, Remote Access, requires state agencies to implement and operate security measures wherever a remote access capability is provided to state systems so that inherent vulnerabilities in such services may be compensated. 4.7. Ohio IT Policy ITP-B.6, Internet Security, requires agencies to implement and operate security protections for Internet, extranet and intranet use, and provide Internet security awareness training to employees, contractors, temporary personnel and other agents of the state. 4.8. Ohio IT Policy ITP-B.8, Security Education and Awareness, requires state agencies to provide information technology security education and awareness to employees and other agents of the state. OSC-9 Page 2 of 9

4.9. Ohio IT Policy ITP-E.1, Disposal, Servicing and Transfer of IT Equipment, establishes agency requirements for the disposal, servicing or transfer of state agency IT equipment with regard to state data, licensed software and intellectual property, and rechargeable batteries and other hazardous materials. 4.10. Ohio IT Bulletin ITB-2007.02, Data Encryption and Securing Sensitive Data, effective July 25, 2007, outlines the requirements for the encryption of sensitive data as well as requirements for securing portable devices and media, backups, sensitive data in transmission, and sensitive data at rest. The bulletin also outlines restrictions for sensitive data, physical security considerations, public servant acknowledgement requirements, and incident response. 5. Policy This policy is not intended to address the use of portable devices by the general population to access electronic OSC services. In addition to state-owned portable computing devices, the policy shall address privatelyowned and contractor-owned portable computing devices authorized for university use by the agency or as an agent of the university. OSC policy shall address the following: 5.1. Physical Security. OSC and users shall protect university-owned and universityauthorized portable computing devices, removable storage components and removable computer media from unauthorized access. Physical security measures shall incorporate at a minimum the practices listed below in 5.1.1 through 5.1.4. 5.1.1. Portable computing devices, computer media and removable components, such as disk drives and network cards, shall be stored in a secure environment. Devices shall not be left unattended without employing adequate safeguards, such as cable locks, restricted access environments or lockable cabinets. 5.1.2. When possible, portable computing devices, computer media and removable components shall remain under visual control while traveling. If visual control cannot be maintained, then necessary safeguards shall be employed to protect the physical device, computer media and removable components. 5.1.3. Safeguards shall be taken in public or common areas to avoid unauthorized viewing of sensitive or confidential data. 5.1.4. OSC will maintain an inventory for all university, privately-owned and contractorowned portable devices authorized for work use with university systems. The inventory shall include the device make, model, serial number, date introduced into service and party responsible for the device. 5.2. Operation and Maintenance. OSC shall establishes and implements IT security procedures for the secure operation and maintenance of portable computing devices. OSC-9 Page 3 of 9

5.2.1. Anti-virus software. Portable computing devices shall be equipped with anti-virus software in accordance with OSC Policy OSC-4, Malicious Code Security. 5.2.2. System configuration. Mandatory system configurations, settings and software for either university-owned or authorized non-university owned devices shall not be modified without prior authorization by designated OSC personnel. Device operating systems shall be maintained with appropriate vendor security patches and updates. 5.2.3. Portable computing devices shall not be equipped with remote system or application administrator privileges unless authorized. Portable computing devices equipped with remote system administrator capabilities shall be assigned higher levels of security in accordance with the increased risk of an IT security breach or loss of the device, pursuant to OSC Policy OSC-3, Information Security Framework. 5.2.4. OSC or university data, applications and other system resources stored on portable computing devices shall be secured in accordance with the OSC risk assessment as defined in OSC Policy OSC-3, Information Security Framework. Methods for securing information maintained on portable devices may include as applicable, but not be limited to: Personal firewalls BIOS passwords Data/application encryption Hard drive encryption Screen locking Screen timeout Security tokens 5.2.5. The transmission of university data via infrared, bluetooth, 802.11x or other wireless technologies shall be in compliance with OSC Policy OSC-5, Remote Access Security. 5.2.6. Regular system and data back-ups will be preformed as frequently as needed based on the risk assessment of the information maintained on the portable device, in accordance with OSC Policy OSC-3, Information Security Framework. Backups shall be safeguarded and retained for a period commensurate with the value and criticality of the information. 5.2.7. University-owned Devices. OSC will provide designated personnel a computer to assist in the completion of their duties. At the end of their employment or association with OSC, or no longer need the equipment to carry out their duty, all equipment will be returned to the supervisor or designate. 5.2.8. Personal software and data is allowed on the computer system, as long as the software or data is legally owned or controlled by the user. OSC-9 Page 4 of 9

5.2.9. When a device is removed from service, OSC shall sanitize the IT equipment to remove information. 5.2.10. Privately-owned Devices. All OSC owned or licensed data or software on a personal owned or contractor-owned portable computing devices shall be removed, or recovered when no longer used or when the user s employment or contract terminates or when the portable computing device is no longer authorized for official OSC business. 5.2.11. Data Synchronization (Syncing). OSC has no legal liability for the loss of non- OSC data or the confidentially of data synchronized (synced) to university-owned or operated devices. 5.3. Identification and Authentication (I&A) Control. Portable computing devices shall accommodate I&A controls in accordance with OSC Policy OSC-8, Password and PIN. If available, I&A controls shall be used to prevent unauthorized modifications of system settings. 5.4. Internet Connectivity. Portable computing devices connected to the Internet shall be in compliance with Ohio IT Policy ITP-B.6, Internet Security, and OSC Policy, OSC-5, Remote Access Security. At a minimum, users shall not establish a separate Internet connection while simultaneously connected to an agency network through the use of multiple network cards, modems or other access techniques. 5.5. Inventory and Audit. OSC shall conduct inventory and security audits of portable computing devices on a regular and random basis. 5.6. Lost and Stolen Devices. In the event of a lost or stolen device, the person responsible for the equipment, including contractor and personal owned equipment with state software or data, shall notify their immediate supervisor or contract manager, and the OSC IT security contact within 1 business day. Information required in the report includes: 5.6.1. Date of loss, OSC data on the device and its sensitivity level, security on the device (encrpption levels) and other details relevant to the loss. 5.7. Privately-Owned and Contractor-Owned Portable Computing Devices. Privately-owned or contractor-owned devices are authorized for official university use. A privately-owned or contractor-owned portable computing device is used, the device shall meet the following additional requirements: 5.7.1. The device owner or contractor is responsible for obtaining, installing and maintaining malicious code security software in compliance with OSC Policy, OSC - 4, Malicious Code Security. 5.7.2. The device owner or contractor is responsible for obtaining, installing and maintaining personal firewalls in compliance with Ohio IT Policy ITP-B.2, Boundary Security. OSC-9 Page 5 of 9

5.7.3. OSC accepts no liability for the safeguarding or maintenance of nonuniversity or non-osc data on portable computing devices used in support of official OSC business or while acting as an agent of OSC. The users of privatelyowned devices used for OSC work shall not have any expectation of personal privacy regarding the device and that such devices may be confiscated as evidence in civil or criminal proceedings. 5.7.4. No network access certification is needed. 6. References 6.1. Ohio IT Policy ITP-A.1, Authority of the State Chief Information Officer to Establish Policy Regarding the Acquisition and Use of Computer and Telecommunications Products and Services, defines the authority of the state chief information officer to establish State of Ohio IT policies as they relate to state agencies acquisition and use of information technology, including, but not limited to, hardware, software, technology services and security. 6.2. Ohio IT Policy ITP-B.1, Information Security Framework, is the overarching security policy for state information and services. Ohio IT Policy ITP-B.9, Portable Computing Security, is one of several subpolicies. These security policies should be considered collectively rather than as separate or unrelated policies. Attachment 1 illustrates the interrelationship of state technology security policies. 6.3. Ohio IT Policy ITP-B.2, Boundary Security, requires that state agencies implement and operate a robust network perimeter defense capability. Users of state electronic services must be provided with secure and reliable access to resources and communications. Unauthorized users must be detected and denied access. 6.4. Ohio IT Policy ITP-B.3, Password and Personal Identification Number Security, establishes minimum requirements regarding the proper selection, use and management of passwords and personal identification numbers. 6.5. Ohio IT Policy ITP-B.4, Malicious Code, requires state agencies to implement and operate a malicious code security program. The program should help to ensure that adequate protective measures are in place against introduction of malicious code into state-controlled information systems and that computer system users are able to maintain a high degree of malicious code awareness. 6.6. Ohio IT Policy ITP-B.5, Remote Access, requires state agencies to implement and operate security measures wherever a remote access capability is provided to state systems so that inherent vulnerabilities in such services may be compensated. 6.7. Ohio IT Policy ITP-B.6, Internet Security, requires agencies to implement and operate security protections for Internet, extranet and intranet use, and provide Internet security awareness training to employees, contractors, temporary personnel and other agents of the state. OSC-9 Page 6 of 9

6.8. Ohio IT Policy ITP-B.8, Security Education and Awareness, requires state agencies to provide information technology security education and awareness to employees and other agents of the state. 6.9. Ohio IT Policy ITP-E.1, Disposal, Servicing and Transfer of IT Equipment, establishes agency requirements for the disposal, servicing or transfer of state agency IT equipment with regard to state data, licensed software and intellectual property, and rechargeable batteries and other hazardous materials. 6.10. Ohio IT Bulletin ITB-2007.02, Data Encryption and Securing Sensitive Data, effective July 25, 2007, outlines the requirements for the encryption of sensitive data as well as requirements for securing portable devices and media, backups, sensitive data in transmission, and sensitive data at rest. The bulletin also outlines restrictions for sensitive data, physical security considerations, public servant acknowledgement requirements, and incident response. 7. Procedures None. 8. Implementation This policy is effective immediately. 9. Revision History 10. Definitions Date Description of Change 6/1/2009 Original policy. Administrator Privileges. Ability to modify computer system settings, including access permissions associated with computer resources and data. Computer Media. Computer readable or writeable permanent or temporary storage, such as CDs, DVDs, flash memory cards and diskettes. Data. Coded representation of quantities, objects and actions. The word, data, is often used interchangeably with the word, information, in common usage and in this policy. Data Synchronization (Syncing). The practice of updating data on two systems so that the data sets are identical. Disk Drives. Magnetic and optical devices used by a computer to store and obtain data. Examples include hard drives, floppy disks, diskettes, CDs and DVDs. OSC-9 Page 7 of 9

Firewall. Either software or a combination of hardware and software, that implements security policy governing traffic between two or more networks or network segments. Firewalls are used to protect internal networks, servers and workstations from unauthorized users or processes. Firewalls have various configurations, from standalone servers to software on a notebook computer, and must be configured properly to enable protection. Identification and Authentication (I&A). The verification of the identity of a requesting entity (a person, computer, system or process). Once it is determined who may have access to a system, the identification and authentication (I&A) process helps to enforce access control to the system by verifying the identity of the requesting entity. Systems may use a variety of techniques or combinations of techniques, such as user ID, password, personal identification number, digital certificates, security tokens or biometrics, to enforce I&A, depending upon the level of access control required to protect a particular system. Internet. A worldwide system of computer networks a network of networks in which computer users can get information and access services from other computers. The Internet is generally considered to be public, untrusted and outside the boundary of the state of Ohio enterprise network. Portable Computing Device. Computer or device designed for mobile use. Examples include laptops, personal digital assistants and mobile data collection devices. Screen Locking. Mechanism to hide data on a visual display while the computer continues to operate. A screen lock requires authentication to access the data. Screen locks can be activated manually or in response to rules. Screen Timeout. Mechanism to turn off a device or end a session when the device has not been used for a specified time period. Security Tokens. A portable, physical device that enables pre-approved access to data or systems. An example is a security-enabled key fob. Service Level Agreement. De f i n e s t h e s e r v i c e s t o b e d e l i v e r e d, t e c h n i c a l s u p p o r t a n d o t h e r p a r a m e t e r s t h a t, b y c o n t r a c t, a b u s i n e s s o r s u p p o r t i n g a c t i v i t y i s r e q u i r e d t o d e l i v e r. T h e s e r v i c e l e v e l a g r e e m e n t s h o u l d d e s c r i b e p e r f o r m a n c e m e a s u r e s a s w e l l a s p e n a l t i e s f o r f a i l u r e t o p e r f o r m i n OSC-9 Page 8 of 9

a c c o r d a n c e w i t h t h e s e r v i c e l e v e l a g r e e m e n t. System Assets. Information, hardware, software and services required to support the business of the agency, and identified during the risk assessment process as assets that need to be protected in accordance with Ohio IT Policy ITP-B.1, Information Security Framework. Terms and Conditions. Language included in a contract that describes limits and expectations related to performance under the contract. Users. For the purposes of this policy, users are defined as employees, contractors, temporary personnel and other agents of the state who administer or use privatelyowned (if authorized) or state-owned computer and telecommunication systems on behalf of the state. Wireless. Use of various electromagnetic spectrum frequencies, such as radio and infrared, to communicate services, such as data and voice, without relying on a hardwired connection, such as twisted pair, coaxial or fiber optic cable. 11. Related Resources 12. Inquiries Direct inquiries about this policy to: Director of Supercomputer Operations 1224 Kinnear Rd. Columbus, OH 43212 Telephone: 614-292-9248 OSC IT Policies can be found on the Internet at: www.osc.edu/policies OSC-9 Page 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information