CMS Operational Policy for Separation of Duties for System Security Administration and Auditing



Similar documents
CMS Operational Policy for Infrastructure Router Security

CMS Operational Policy for Firewall Administration

CMS Operational Policy for VPN Access to 3-Zone Admin and Development /Validation Segments

DFW Backup Software. Whitepaper DFW Backup Agent

Zoner Online Backup. Whitepaper Zoner Backup Agent

Ahsay Backup Software. Whitepaper Ahsay Backup Agent

Blaze Vault Online Backup. Whitepaper Blaze Vault Online Backup Agent

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

CMS REPORTING PROCEDURE FOR INFORMATION SECURITY (IS) ASSESSMENTS

DataTrust Backup Software. Whitepaper DataTrust Backup Agent. Version 6.3

CMS Policy for Capability Maturity Model Integration (CMMI)

BKDconnect Security Overview

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Teleran PCI Customer Case Study

Module 5 Introduction to Processes and Controls

CMS Operational Policy for Data Access Management

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

DAS ETS Policy Option Packages - Support Base IT Operations

Cybersecurity Health Check At A Glance

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Security Audit Principles and Practices. Configuring Logging. Overview

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

CYBER SECURITY POLICY For Managers of Drinking Water Systems

How IT Can Aid Sarbanes Oxley Compliance

CMS INFORMATION SECURITY (IS) CERTIFICATION & ACCREDITATION (C&A) PACKAGE GUIDE

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Axos BackUp Pro Secure online backup for businesses with a 1 million data restoration guarantee

Practical Guidance for Auditing IT General Controls. September 2, 2009

INFORMATION SYSTEMS. Revised: August 2013

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

How To Audit The Mint'S Information Technology

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

CMS Policy for Configuration Management

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Guideline on Auditing and Log Management

HP Security Assessment Services

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Managing internet security

AVALANCHE MC 5.3 AND DATABASE MANAGEMENT SYSTEMS

State of Wisconsin Database Hosting Services Roles and Responsibilities

IBM QRadar Security Intelligence April 2013

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

Standard: Event Monitoring

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

The IDG 9074 Remote Access Controller

Australian Computer Society ANZSCO ICT Code descriptions v Further updates will be issued in

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

Introduction to Change

Network Infrastructure - General Support System (NI-GSS) Privacy Impact Assessment (PIA)

Test du CISM. Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais.

Using Debug Commands

Enterprise PrivaProtector 9.0

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access

Four Top Emagined Security Services

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

Event Log Management & Compliance Best Practices: For Government & Healthcare Industry Sectors. By Ipswitch, Inc. Network Managment Division

TOSM Server Backup Service

IRONSHORE SPECIALTY INSURANCE COMPANY 75 Federal St. Boston, MA Toll Free: (877) IRON411

DOT.Comm Oversight Committee Policy

REASON FOR LOG RETENTION MANAGEMENT

Page 1 of 5

Looking at the SANS 20 Critical Security Controls

Enforcive /Cross-Platform Audit

Log Management Best Practices: The Benefits of Automated Log Management

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

Database Security and Auditing

Circular to All Licensed Corporations on Information Technology Management

How To Write An Ets Request For Proposal (Rfp)

Transcription:

Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS Operational Policy for Separation of Duties for System Security Administration and Auditing March 2006 Document Number: CMS-CIO-POL-INF07-01

TABLE OF CONTENTS 1. PURPOSE...1 2. BACKGROUND...1 3. SCOPE...1 4. OPERATIONAL POLICY...2 5. ROLES AND RESPONSIBILITIES...2 5.A. IT INFRASTRUCTURE SYSTEM ADMINISTRATORS... 2 5.B. IT INFRASTRUCTURE SECURITY ADMINISTRATORS... 3 5.C. CMS SECURITY AUDITORS... 3 6. APPLICABLE LAWS/GUIDANCE...3 7. EFFECTIVE DATES...4 8. INFORMATION AND ASSISTANCE...4 9. APPROVED...4 10. ATTACHMENTS...4 i

1. PURPOSE This document establishes an operational policy for the separation of duties among the personnel responsible for security administration, system administration, database administration, system operation, and auditing of CMS security management infrastructure. 2. BACKGROUND CMS operates and maintains a complex, distributed security management infrastructure. The security management infrastructure encompasses mainframe security (e.g., z/os), server security (e.g., Windows and UNIX), database security (e.g., Oracle, DB2, and SQL), firewall security, router security, and other security devices maintained within the CMS and the Medicare Data Communication Network (MDCN) infrastructures. The control and management of CMS security management infrastructure necessitates a separation of duties among the key administrative components, such as: System administration of the physical devices (including the operating systems and all components running under the operating systems); Database administration of development, test, and production database systems; Security administration of distributed security management devices; and Auditing of security management devices and administrative activities. Separation of job duties and responsibilities ensures that no one person has the authority and the ability to circumvent normal checks and balances. Separation of duties can help prevent malicious actions from occurring and help catch those that do occur. For example, the separation of administrative duties from auditing functions is necessary in order to prevent possible tampering of critical system log files. 3. SCOPE This operational policy applies to all CMS infrastructure devices, systems, and databases controlled and operated by CMS or its designated IT Infrastructure Implementation Agent(s) or Contractor(s) at all Central and Regional Office locations (includes CMS Single Site, Lord Baltimore, Building 7111, Enterprise Data Centers, and other offsite facilities). This policy also applies to system security devices controlled and maintained by the MDCN Contractor (i.e., Ashburn, Koll, and other MDCN Contractor and Subcontractor sites that support the Medicare network). Security devices, systems, and databases controlled and operated by other CMS contractors not previously designated are not covered by this policy. 1

4. OPERATIONAL POLICY Separate and distinct responsibilities and privileges must be associated with distinct securityrelevant operations. Security personnel must, however, work closely with all system and database administration personnel to maximize system performance and security. Security administration is an independent responsibility and shall not be assigned to a system/ application programmer, database administrator, system administrator, system operator, or security auditor. Functions performed by security administrators shall be entirely separated from the functions performed by system/application programmers, database administrators, system administrators, system operators, and security auditors. Functions performed by security administrators shall be separated from the functions performed by personnel charged with auditing the security of CMS infrastructure, systems, and databases to reduce the likelihood of fraudulent actions being taken, not detected, and/or not reported. Security auditors shall have full administrative control over all security audit and log files. These personnel, however, will not have data altering capability for security devices, security management devices, audit and security logs, or CMS infrastructure devices. 5. ROLES AND RESPONSIBILITIES The following entities have responsibilities related to the implementation of this operational policy: 5.A. IT Infrastructure System Administrators IT Infrastructure System Administrators are responsible for the following activities: Daily operation of the CMS data and security systems, including administration of infrastructure operating systems; Designing, testing, installing, maintaining, and upgrading CMS infrastructure devices (hardware and software); Performing setup and configuration of audit system and security log files; On a daily basis, ensuring that the system job that collects security and system log audit data from all CMS system devices are transferred to one of the following central collection points: Kiwi Syslog Server, Net Forensic Server, or other defined collection point); Maintaining and generating reports and journals on all audit reviews; Configuring and scheduling daily audit log runs, including the backup of all security log data based on the current backup and archiving strategy; 2

Restoring security audit data at the request of the Office of Information Services (OIS) / Technology Management Group (TMG) Information System Security Officer (ISSO) or other security entities; and Reviewing system log and security audit files for anomalies on a daily basis, and reporting all identified anomalies as appropriate. 5.B. IT Infrastructure Security Administrators IT Infrastructure Security Administrators are responsible for the following activities: Managing all CMS distributed security management devices; Reviewing system logs and security audit files for anomalies on a daily basis, and reporting all identified anomalies as appropriate; and Maintaining and generating reports and journals on all audit reviews. 5.C. CMS Security Auditors CMS Security Auditors are responsible for the following activities: Defining and maintaining procedures for auditing infrastructure and contractormaintained systems and security management log and audit files; Performing continuous in-depth security audits and penetration tests on all CMS systems and infrastructure devices; Controlling access to all CMS security audit and log file systems and devices; Reviewing security audit logs on an ongoing basis to ensure that security processes are followed and security anomalies are identified, reported, and corrected; Ensuring that security log data are properly retained and archived; Maintaining and generating reports and journals on all audit reviews; Researching all identified security anomalies or vulnerabilities, and generating associated CAPs as appropriate; and Recording all security audit findings and maintaining their associated CAPs in the CISS Database. 6. APPLICABLE LAWS/GUIDANCE The following laws and guidance are applicable to this operational policy: Office of Management and Budget (OMB) Circular A-130 CMS Policy for the Information Security Program, May 2005 3

7. EFFECTIVE DATES This operational policy becomes effective on the date that CMS Chief Information Officer (CIO) signs it and remains in effect until officially superseded or cancelled by the CIO. 8. INFORMATION AND ASSISTANCE Contact the Director of the Technology Management Group (TMG) within the Office of Information Services (OIS) for further information regarding this operational policy. 9. APPROVED /s/ 3/31/06 D. Dean Mesterharm Date of Issuance CMS Chief Information Officer and Director, Office of Information Services 10. ATTACHMENTS There are no documents that currently augment this operational policy. 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information