State of South Carolina Policy Guidance and Training

Similar documents
Information Technology Branch Access Control Technical Standard

State of South Carolina Policy Guidance and Training

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

DIVISION OF INFORMATION SECURITY (DIS)

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Estate Agents Authority

Introduction. PCI DSS Overview

Central Agency for Information Technology

Information Systems Access Policy

DHHS Information Technology (IT) Access Control Standard

Supplier Information Security Addendum for GE Restricted Data

POSTAL REGULATORY COMMISSION

March

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Automate PCI Compliance Monitoring, Investigation & Reporting

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

The City of New York

GE Measurement & Control. Cyber Security for NEI 08-09

Information Technology General Controls And Best Practices

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt 31/03/ L Wyatt Update to procedure

05.0 Application Development

e-governance Password Management Guidelines Draft 0.1

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Security Control Standards Catalog

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

Access Control Policy

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT FIVE. Microsoft Windows Security.

Corporate and Payment Card Industry (PCI) compliance

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

MUSC Information Security Policy Compliance Checklist for System Owners Instructions

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

SonicWALL PCI 1.1 Implementation Guide

Standard: Network Security

Security Self-Assessment Tool

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

IT ACCESS CONTROL POLICY

Identification and Authentication on FCC Computer Systems

FileCloud Security FAQ

mbank Introduces Personal Security Image MFA* for Consumer on-line banking *Multi-Factor Authentication

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Newcastle University Information Security Procedures Version 3

Information Technology Security Procedures

Data Management Policies. Sage ERP Online

GFI White Paper PCI-DSS compliance and GFI Software products

Security Controls for the Autodesk 360 Managed Services

Vendor Questionnaire

Intel Enhanced Data Security Assessment Form

Procedure Title: TennDent HIPAA Security Awareness and Training

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

OWA/2-Factor Authentication VPN FAQ. Outlook Web Access (OWA) QUESTIONS

Hang Seng HSBCnet Security. May 2016

ICT Password Protection Policy

How To Manage Security On A Networked Computer System

User Management Guide

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Windows Operating Systems. Basic Security

Catapult PCI Compliance

Client Security Risk Assessment Questionnaire

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Account Management Standards

Appendix A CMSR High Impact Level Data

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Objectives. At the end of this chapter students should be able to:

Mac OS X Security Checklist:

E Security Assurance Framework:

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Columbia University Web Security Standards and Practices. Objective and Scope

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Controls and Safeguards

Information Technology Internal Controls Part 2

Network and Security Controls

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Consensus Policy Resource Community. Lab Security Policy

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Implementing HIPAA Compliance with ScriptLogic

NERC CIP VERSION 5 COMPLIANCE

Section 12 MUST BE COMPLETED BY: 4/22

Transcription:

State of South Carolina Policy Guidance and Training Policy Workshop All Agency Access Control Policy April 2014

Agenda Questions & Follow-Up Policy Overview: Access Control Policy Risk Assessment Framework & Access Control Policy Next Steps 2

Questions & Follow-Up For Discussion Purposes Only

Policy Workshop Q&As The following questions were raised during the Data Protection and Privacy policy workshop for All Agencies: Question #1: Does each Agency need to develop an internal Master Policy? Or, are the Agencies to utilize the current State Master Policy and develop internal procedures to align with this policy? Answer #1: DIS does not require agencies to develop a "Master Policy." As previously stated: Agencies may choose any method which documents and implements secure processes that align with DIS Policies. This should include the review of current process documentation for inclusion of security provisions, and potentially creation of additional process documentation where secure processes are not otherwise described. Replication of the entire DIS Policy framework at the agency level is not required. Question #2: When will the Data Inventory tool be provided by DIS? Can additional training be provided to agencies in scope? Answer #2: Data inventory tool will be ready by April 18, 2014. Additional training (open to all State Agencies) will be provided in late April-early May. Training dates and invitations will be communicated by DIS. 4

Policy Workshop Q&As (Cont d) The following questions were raised during the Data Protection and Privacy policy workshop for All Agencies: Question #3 Would it be possible to get the draft procedures from the data inventory training before the inventory tool is finalized? Answer #3: Procedures will be finalized by April 18, 2014 and communicated to the Agencies by DIS. 5

Policy Overview: Access Control Policy

Access Control: Key Requirements Access Management - Account Management Agency shall establish, document and implement access control policy and related controls. Agency shall require that business/data owners Approve user access requests Perform periodic user access review of user accounts Agency shall identify account types (e.g., individual, group, system, application, guest/anonymous, and temporary) and establish group membership requirements. 7

Access Control: Key Requirements Access Management - Account Management (Cont d) Agency s relevant personnel (e.g. system administrators) shall remove/deactivate access due to transfer, termination or access rights changes. Agency shall review information system accounts every 180 days and require annual certification. Agency privileged accounts shall be issued based on business need, approved by information security officer, controlled, monitored and reported periodically. 8

Access Control: Key Requirements Access Management - Account Management (Cont d) Agency shall define system access security requirements for vendors, contractors and partners. Agency shall implement access authorization controls to ensure separation of duties (e.g. divide information system testing and production functions). Agency shall ensure that authorized individuals have strictly controlled, audited access in accordance with the concept of least privilege. Access Enforcement Agency systems shall enforce a limit of unsuccessful logon commensurate with type of data hosted, processed or transferred. attempts 10

Access Control: Access Management START Create Account Types Agency establishes account types (e.g., individual, group, etc.) and establishes group membership requirements Business / data owner makes system access request for User END Notify manager of the removal of access for deprovisioned employee Access Deprovisioning Business/data owners initiate process to revoke a User s access System administrators revoke access based on the request Access Management Lifecycle Access Request Access is requested by user or manager via access request form Access Review Review access on a periodic basis defined by the Agency Access Approval Business or Data owner approves access request Make access modifications based on review Retain access request documentation, including approvals Permissions System administrator sets access rights based on business needs and roles/responsibilities identified on access request form 10

Access Control: Key Requirements Access Management - Session Lock Agency shall time out sessions or require re-authentication process after (30) minutes of inactivity System Use Notification Agency shall display a warning message before granting system access.. 11

Access Control: Key Requirements Network Access Management - Remote Access Agency shall document allowed methods, monitor access to the network and information systems. and control remote Agency shall use Virtual Private Network (VPN) or equivalent encryption technology to establish remote connections. For Restricted Data and/or system admins: Agency shall ensure employees and authorized third parties use two-factor authentication (2FA) technology for remote access. Users VPN Tunnel Two Factor Proxy Internal Network 12 For Restricted Data

Access Control: Key Requirements Network Access Management - Wireless Access Agency shall establish usage restrictions, configuration / connection requirements, and implementation guidance for wireless access. Agency shall only use wireless networking technology that enforces user authentication. Agency shall not allow wireless access points to be installed independently by users. Use of External Information Systems Agency shall establish terms and conditions for use of the authorized external information systems 13

Access Control: Key Requirements Network Access Management - Boundary Protection Agency shall physically or logically segregate critical publicly available networks. information from Agency shall minimize the network access points. Boundary Protection External Users Inbound / Outbound Communications Internal Network Firewall 14

Access Control: Key Requirements Identity Management - Identification and Authentication Agency shall implement unique user IDs for all employees regardless of role. Agency shall allow group IDs for business or operational reasons only. If group IDs are permitted, Agency must have user authenticate using their unique user account before using the group ID. Agency shall minimize the use of a system, application and service accounts Document, approve and designate an owner for each account used within the Agency. Verify identification and location of each authorized user. 15

Access Control: Key Requirements Authentication Agency shall use multifactor authentication for external / remote, vendor, VPN, and administrative access. Agency shall track unsuccessful and failed login attempts. Agency shall define and implement the following elements: Maximum number of invalid attempts Disable users exceeding the number of invalid attempts allowed Keep user locked out for predetermined amount of time 16

Access Control: Key Requirements Emergency Access Agency shall implement the following emergency procedures: Only authorized personnel can receive access to the system and data All actions are explicitly documented / recorded Emergency action is reported and reviewed by management Access granted shall be terminated within 24 hours. 17

Access Control: Key Requirements Password Policy Agency shall implement password-based authentication for the following: All users shall change passwords every ninety (90) days; sixty (60) days if the user handles restricted data or is a system administrator; one hundred eighty (180) days for system accounts. Password complexity shall consist of at least eight (8) alphanumeric (i.e., upper and lowercase letters and numbers) and/or special characters. A minimum number of character shall be enforced when changing passwords (for restricted data, a minimum of four (4) characters is suggested). Passwords shall not be the same as the last six (6) generations. For FTI data, change or refresh authenticators every 90 days; 60 days for privileged users 18

Access Control: Password Management Policy Enforce Password History Maximum Password Age Minimum Password Age Minimum Password Length Complexity Account Lockout Threshold Reset Account Lockout Counter After Password Requirements Policy Setting 6 passwords remembered 60 days administrator accounts 90 days user accounts 180 days service/system accounts 1 days 8 characters Enabled - (i.e., upper and lowercase letters, and numbers) and/or special characters) Agency Dependent (i.e., 3 failed logon attempts) Agency Dependent (i.e., 30 minutes) 20

Access Control: Key Requirements Password Policy Agency users shall not share passwords. Agency shall not allow use of common words as passwords. Agency shall change system passwords immediately upon termination and resignation of a privileged user. Agency shall suspend user accounts after a specified number of days of inactivity. 20

Access Control: Key Requirements Password Administration Agency users shall sign an acknowledgement of understanding password requirements and responsibilities prior to allowing access to network or information systems. Agency shall establish a process to assign unique user IDs and enforce authentication for non-agency users (e.g., vendors, third parties, and contractors. Agency shall establish a procedure to manage new or removed privileged account passwords. 21

Access Control: Key Requirements Password Administration Agency shall set first-time passwords to a unique value per user and changed immediately after first use. Agency shall not allow default passwords for network and remote applications. Agency shall obscure feedback of authentication information to protect exploitation and unauthorized access. 22

Risk Assessment Framework & Access Control Policy

Risk Assessment Framework The Risk Assessment Framework, based on the National Institute of Standards and Technology (NIST 800-53), was used as the basis to assess risk across the State Agencies using the fifteen (15) security domains (noted below): 24

Access Control Policy: Risks & Remediation Strategies Risk assessments conducted with State Agencies uncovered a number of risks in environments with inadequately implemented Access Control Policy and procedures. Remediation strategies were created to help Agencies address gaps and implement necessary safeguards. Examples Overall Risks Identified Gaps Remediation Strategies Misuse of IT resources Loss of reputation/ public image Lack of accountability with improper access provisioning Agencies lack the presence of a twofactor authentication solution for remote access Group administrative accounts have been established for administrator groups Periodic user access reviews are not performed Many Agencies have not established a Role Based Access Control (RBAC) framework Deploy a two-factor authentication for users authenticating through the Virtual Private Network (VPN) Establish individual user accounts for administrator access Define and implement a procedure to perform periodic user access reviews Develop an RBAC framework to be used for user provisioning 25

Access Control Policy: Risks & Remediation Strategies (Cont d) Risk assessments conducted with State Agencies uncovered a number of risks in environments with inadequately implemented Access Control Policy and procedures. Remediation strategies were created to help Agencies address gaps and implement necessary safeguards. Examples Overall Risks Identified Gaps Remediation Strategies Absence of Segregation of Duties to prevent fraud or error Lack of remote access controls (e.g. VPN, 2FA, etc.) Agencies have not established privileged access policy and procedures Agencies have not established a formal process around the lifecycle management of privileged access Agencies do not undertake Segregation of Duties (SoD) reviews or assessments for critical applications Develop formalized privileged access policy and procedures for assigning privileged access rights. Define a process for the lifecycle management of privileged access Implement a review and assessment process around SoD for critical applications and systems 26

Access Control Policy: Challenges & Remediation Strategies for All Agencies Sample Challenges Examples Potential Solutions Access level assignment and approval Managing access for transferred employees within Agency 27 Implement a process for system access request and approval within the Agency Utilize the data inventory tool to identify critical business processes, critical systems and business/data owners Implement a Role Based Access Control (RBAC) framework Manager will assign and approve proper application/information system/data level of access to employees, vendors, partners utilizing the System administrator grant access following authorization from the manager If necessary, assign read-only access to confidential or restricted data Establish process for access removal for the employee/contractor Obtain necessary approvals from employee s manager to remove application/system access Obtain new access request and approvals from the employee s new manager Determine if access removal is immediate and affects all application/systems If necessary, perform data wiping and sanitization on employee s equipment

Access Control Policy: Challenges & Remediation Strategies for All Agencies (Cont d) Sample Challenges Managing file shared drives Controls over Remote Users Examples Potential Solutions Document the data inventory tool showcasing critical business processes, business process owners and critical data residing within applications, systems and files Scan the file shared drive and keep an inventory of sensitive data residing in that location Determine whether data should remain on the shared drive Determine if access should be altered to restrict users and assign appropriate users and levels of access Provide awareness and training to employees for what can be uploaded and how to maintain proper levels of security around confidential or restricted data. Establish remote access policies and procedures Provide guidance to managers and employees on remote access requirements Deploy tools (i.e. VPN, 2FA) to protect inbound and outbound flow of sensitive data Train personnel on proper usage of remote access to the Agency s network and information systems (e.g. avoid saving critical information locally (i.e. personal PC), unless remotely accessing the desktop) Limit remote access to users based on business need 28

Next Steps For Discussion Purposes Only

Next Steps 1. Develop or update Agency s InfoSec policies to align with published State policies 2. Conduct Policy Gap Analysis 3. Develop Policy Implementation Plan of Action 4. Develop processes to enable the implementation of InfoSec Policies 5. Promote Agency-wide InfoSec policies awareness 6. Coordinate with DIS on training and guidance 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information