BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04



Similar documents
Information Security Program Management Standard

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

INFORMATION SECURITY Humboldt State University

INFORMATION SECURITY California Maritime Academy

Data Management Policies. Sage ERP Online

Specific observations and recommendations that were discussed with campus management are presented in detail below.

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Responsible Access and Use of Information Technology Resources and Services Policy

Data Security Incident Response Plan. [Insert Organization Name]

UTMB INFORMATION RESOURCES PRACTICE STANDARD

Information Resources Security Guidelines

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Hengtian Information Security White Paper

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

DATA SECURITY AGREEMENT. Addendum # to Contract #

ELECTRONIC INFORMATION SECURITY A.R.

Information Security and Electronic Communications Acceptable Use Policy (AUP)

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Enterprise K12 Network Security Policy

Marist College. Information Security Policy

Network Security Policy

Department of Homeland Security Management Directives System MD Number: Issue Date: 03/01/2003 DHS USAGE

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

Information Technology Acceptable Use Policy

Excerpt of Cyber Security Policy/Standard S Information Security Standards

APHIS INTERNET USE AND SECURITY POLICY

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

How To Use A College Computer System Safely

Information Security Policy

United Tribes Technical College Acceptable Use Policies for United Tribes Computer System

B. Privacy. Users have no expectation of privacy in their use of the CPS Network and Computer Resources.

Information Security Plan May 24, 2011

Ohio Supercomputer Center

R345, Information Technology Resource Security 1

REGION 19 HEAD START. Acceptable Use Policy

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Information Security Program

INFORMATION SYSTEM GENERAL USAGE POLICY

INFORMATION TECHNOLOGY ENGINEER V

Guide to Vulnerability Management for Small Companies

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

Encryption Security Standard

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Information Technology Cyber Security Policy

Draft Information Technology Policy

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

The Protection Mission a constant endeavor

Acceptable Use Policy

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Delaware State University Policy

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

Data Loss Prevention Program

HIPAA Security COMPLIANCE Checklist For Employers

Computer Use Policy Approved by the Ohio Wesleyan University Faculty: March 24, 2014

INFORMATION TECHNOLOGY SECURITY POLICY

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE

The Internet and 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Information Security for Managers

ICANWK406A Install, configure and test network security

Acceptable Use Policy

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Cisco Advanced Services for Network Security

HHS Information System Security Controls Catalog V 1.0

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

University of Pittsburgh Security Assessment Questionnaire (v1.5)

California State University, Sacramento INFORMATION SECURITY PROGRAM

FRESNO COUNTY EMPLOYEES' RETIREMENT ASSOCIATION INTERNET AND USAGE POLICY

Information Security Policy Manual

CHIS, Inc. Privacy General Guidelines

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

System and Network Security Policy Internet User Guidelines and Policy. North Coast Council West Canal Road Valley View, Ohio 44125

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Stellenbosch University. Information Security Regulations

Transcription:

BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES: TO: Agency Secretaries Department Directors Departmental Budget Officers Departmental Chief Information Officers Departmental Information Security Officers Department of Finance Budget Staff FROM: DEPARTMENT OF FINANCE Note: Budget Officers are requested to forward a copy of this Budget Letter (BL) to your department s Information Security Officers (ISOs) and department s Chief Information Officers (CIOs) even though the Finance State ISO Office will also distribute it separately to the ISOs and CIOs on the current contact list. BACKGROUND The Department of Finance (Finance) is responsible for establishing the framework for the state s information technology (IT) security policies and activities and for IT security oversight. This BL creates new policy regarding the practice of peer-to-peer file sharing to implement the Governor s Executive Order S-16-04. When the word "agency" is used in the peer-to-peer policy and within this BL, the meaning is consistent with the definition in the State Administrative Manual (SAM) Section 4819.2: "When used lower case, (agency) refers to any office, department, board, bureau, commission or other organizational entity within state government." POLICY The following policy and definition are effective immediately. The changes will appear in the next revision of SAM. You may refer to Attachment I, Advance Copy of Changes to SAM Sections 4840.4 and 4841.2 to see the context of this policy change. Definition: Peer-To-Peer File Sharing Program. Computer software, or protocol, other than computer and network operating systems, that has as its primary function the capability to allow the computer on which the software is used to designate files available for transmission to another computer using the software; to transmit files directly to another computer using the software, and to request the transmission of files from another computer using the software. Policy: Each agency must establish a policy to ensure that the use of peer-to-peer technology for any non-business purpose is prohibited. This includes, but is not limited to, transfer of music, movies, software, and other intellectual property. Business use of peer-to-peer technologies must be approved by the agency CIO and ISO. STATE OF CALIFORNIA

The head of each agency is responsible for compliance with the policy described in this section. (See SAM Section 4841.1.) DISCUSSION OF PEER-TO-PEER TECHNOLOGY -2- The technologies associated with peer-to-peer file sharing are varied and continuously evolving. While there are certain specific legitimate business applications for the use of peer-to-peer technologies for the state, it is acknowledged that this same technology is used for a variety of inappropriate or illegal uses such as exchange of copyrighted music. Hence, it is prudent for state organizations to institute reasonable measures to use peer-to-peer technologies appropriately and to prevent inappropriate uses. An agency policy to restrict peer-to-peer file sharing will generally consist of multiple components, and the policy must be regularly reevaluated to ensure its continued effectiveness. In general, policies implemented to restrict peer-to-peer file sharing to legitimate business purposes will include at least some of the following components. Assessment to determine existing legitimate and authorized uses of peer-to-peer technology, if any, within an organization. Configuration of existing operating system, network, and security and application systems to block or restrict unauthorized peer-to-peer activities. Implementation of special-purpose software and hardware products designed to control the use of peer-to-peer technology. Controlling the installation and use of peer-to-peer software and other unauthorized software on workstations and servers. Educating staff and contractors on state and department policy regarding peer-to-peer technology. Careful evaluation, implementation and monitoring of legitimate peer-to-peer applications and systems to ensure that they do not enable illegitimate uses of those capabilities. Regular testing and monitoring activities to ensure that the peer-to-peer restrictions continue to operate effectively. Legitimate use of peer-to-peer technology is typically limited to: A technical data transfer component built into some business applications. A process used by authorized technical staff to transfer business data from one server or mainframe computer to another. Precautions for those departments that use peer-to-peer technology: Know who is using it and for what purpose. Monitor the approved uses for adherence to policy and standards. Watch for evidence of unauthorized use, including: o unusual network traffic o traffic on ports that your department does not typically use o presence of unauthorized software o presence of large and unauthorized files on servers and desktops If unauthorized peer-to-peer activity is detected, take immediate action to stop the activity and perform necessary system checks. Watch for configuration problems, illegal/unapproved software and intellectual property, spyware, and worms and viruses.

-3- CONTACTS AND QUESTIONS You may call the State ISO Office at (916) 445-5239 if you have questions about this BL. /s/ Greg Rogers Greg Rogers Assistant Program Budget Manager Attachment

Advance Copy of Changes to State Administrative Manual Sections 4840.4 and 4841.2 New text is in italics; nothing was deleted. 4840.4 DEFINITIONS BL 05-03 Attachment I Confidential Information. Information maintained by state agencies that is exempt from disclosure under the provisions of the California Public Records Act (Government Code Sections 6250-6265) or other applicable state or federal laws. See SAM Section 4841.3. Critical Application. An application that is so important to the agency that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of the public or state workers; on the fiscal or legal integrity of state operations; or on the continuation of essential agency programs. Custodian of Information. An employee or organizational unit (such as a data center or information processing facility) acting as a caretaker or an automated file or data base. Disaster. A condition in which an information asset is unavailable, as a result of a natural or man-made occurrence, that is of sufficient duration to cause significant disruption in the accomplishment of agency program objectives, as determined by agency management. Hardening. A defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls. Information Assets. (1) All categories of automated information, including (but not limited to) records, files, and data bases; and (2) information technology facilities, equipment (including personal computer systems), and software owned or leased by state agencies. Information Integrity. The condition in which information or programs are preserved for their intended purpose; including the accuracy and completeness of information systems and the data maintained within those systems. Information Security. The protection of automated information from unauthorized access (accidental or intentional), modification, destruction, or disclosure. Owner of Information. An organizational unit having responsibility for making classification and control decisions regarding an automated file or data base. Peer-To-Peer File Sharing Program. Computer software or protocol, other than computer and network operating systems, that has as its primary function the capability to allow the computer on which the software is used to designate files available for transmission to another computer using the software, to transmit files directly to another computer using the software, and to request the transmission of files from another computer using the software. Physical Security. The protection of information processing equipment from damage, destruction or theft; information processing facilities from damage, destruction or unauthorized entry; and personnel from potentially harmful situations.

Advance Copy of Changes to State Administrative Manual Sections 4840.4 and 4841.2 BL 05-03 Attachment I Privacy. The right of individuals and organizations to control the collection, storage, and dissemination of information about themselves. Public Information. Any information prepared, owned, used, or retained by a state agency and not specifically exempt from the disclosure requirements of the California Public Records Act (Government Code Sections 6250-6265) or other applicable state or federal laws. Risk. The likelihood or probability that a loss of information assets or breach of security will occur. Risk Analysis. The process of evaluating: (a) the vulnerability of information assets to various threats, (b) the costs or impact of potential losses, and (c) the alternative means of removing or limiting risks. Risk Management. The process of taking actions to avoid risk or reduce risk to acceptable levels. Sensitive Information. Information maintained by state agencies that requires special precautions to protect it from unauthorized modification, or deletion. See SAM Section 4841.3. Sensitive information may be either public or confidential (as defined above). User of Information. An individual having specific limited authority from the owner of information to view, change, add to, disseminate or delete such information. 4841.2 INFORMATION INTEGRITY AND SECURITY Each agency must provide for the integrity and security of its information assets by: Identifying all automated files and data bases for which the agency has ownership responsibility (see SAM Section 4841.4); Ensuring that responsibility for each automated file or data base is defined with respect to: a. The designated owner of the information within the agency, b. Custodians of information, and c. Users of the information; d. Ensuring that each automated file or database is identified as to its information class (SAM Section 4841.3) in accordance with law and administrative policy; e. Establishing appropriate policies and procedures for preserving the integrity and security of each automated file or data base including: 1. Identifying computing systems that allow dial-up communication or Internet access to sensitive or confidential information and information necessary for the support of agency critical applications; 2. Periodically changing dial-up access telephone numbers, and

Advance Copy of Changes to State Administrative Manual Sections 4840.4 and 4841.2 3. Responding to losses, misuse, or improper dissemination of information. 2. Establishing appropriate departmental policies and procedures to protect and secure IT infrastructure, including: BL 05-03 Attachment I a. Technology upgrade policy, which includes, but is not limited to, operating system upgrades on servers, routers, and firewalls. The policy must address appropriate planning and testing of upgrades, in addition to departmental criteria for deciding which upgrades to apply. b. Security patches and security upgrade policy, which includes, but is not limited to, servers, routers, and firewalls. The policy must address application and testing of the patches and/or security upgrades, in addition to departmental criteria for deciding which patches and security upgrades must be applied, and how quickly. c. Firewall configuration policy, which must require creation and documentation of a baseline configuration for each firewall, updates of the documentation for all authorized changes, and periodic verification of the configuration to ensure that it has not changed during software modifications or rebooting of the equipment. d. Server configuration policy, which must clearly address all servers that have any interaction with Internet, extranet, or intranet traffic. The policy must require creation and documentation of a baseline configuration for each server, updates of the documentation for all authorized changes, and periodic checking of the configuration to ensure that it has not changed during software modifications or rebooting of the equipment. e. Server hardening policy, which must cover all servers throughout the department, not only those that fall within the jurisdiction of the department's IT area. The policy must include the process for making changes based on newly published vulnerability information as it becomes available. Further, the policy must address, and be consistent with, the department's policy for making security upgrades and security patches. f. Policy to ensure that the practice of peer-to-peer file sharing for any use not related to state business is prohibited and does not take place within the agency. This includes, but is not limited to, transfer of music, movies, software, and other intellectual property. Business use of peer-to-peer file sharing programs must be approved by the agency CIO and ISO. The head of each agency is responsible for compliance with the policy described in this section. (See SAM Section 4841.1.) Each state data center must carry out these responsibilities for those automated files and databases for which it has ownership responsibility. See SAM Sections 4841.4 and 4841.5. Oversight responsibility at the agency level for ensuring the integrity and security of information assets, including automated files and databases, must be vested in the agency Information Security Officer.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information