HHS Information System Security Controls Catalog V 1.0


Table of Contents
DOCUMENT HISTORY ... 3
1. Purpose ... 4
2. Security Controls Scope ... 4
3. Security Controls Compliance ... 4
4. Security Controls Catalog Ownership ... 4
5. Security Framework ... 5
   Security Class Areas ... 5
   Core Principles of Information Security ... 8
   Defining Potential Impact on Organizations and Individuals ... 8
6. Security Controls ... 9
   6.1 Management Controls ... 11
      6.1.1 (CA) Security Assessment and Authorization Policy and Its Controls ... 11
      6.1.2 (PL) Planning Policy and Its Controls ... 14
      6.1.3 (PM) Program Management Policy and Its Controls ... 17
      6.1.4 (RA) Risk Assessment Policy and Its Controls ... 19
      6.1.5 (SA) System and Services Acquisition Policy and Its Controls ... 21
   6.2 Operational Controls ... 26
      6.2.1 (AT) Awareness and Training Policy and Its Controls ... 26
      6.2.2 (CM) Configuration Management Policy and Its Controls ... 27
      6.2.3 (CP) Contingency Planning Policy and Its Controls ... 30
      6.2.4 (IR) Incident Response Policy and Its Controls ... 34
      6.2.5 (MA) Maintenance Policy and Its Controls ... 37
      6.2.6 (MP) Media Protection Policy and Its Controls ... 39
      6.2.7 (PE) Physical and Environmental Protection Policy and Its Controls ... 41
      6.2.8 (PS) Personnel Security Policy and Its Controls ... 44
      6.2.9 (SI) System and Information Integrity Policy and Its Controls ... 46
   6.3 Technical Controls ... 50
      6.3.1 (AC) Access Control Policy and Its Controls ... 50
      6.3.2 (AU) Audit and Accountability Policy and Its Controls ... 60
      6.3.3 (IA) Identification and Authentication Policy and Its Controls ... 64
      6.3.4 (SC) System and Communications Protection Policy and Its Controls ... 68
   6.4 Privacy Controls ... 75
      6.4.1 (AP) Authority and Purpose Policy and Its Controls ... 75
      6.4.2 (AR) Accountability, Audit, and Risk Management Policy and Its Controls ... 76
      6.4.3 (DI) Data Quality and Integrity Policy and Its Controls ... 78
      6.4.4 (DM) Data Minimization and Retention Policy and Its Controls ... 79
      6.4.5 (IP) Individual Participation and Redress Policy and Its Controls ... 80
      6.4.6 (SE) Security Policy and Its Controls ... 81
      6.4.7 (TR) Transparency Policy and Its Controls ... 82
      6.4.8 (UL) Use Limitation Policy and Its Controls ... 83
7. Security Controls Catalog Exceptions ... 84

Appendix A - Information Systems Security Controls Catalog, Last Revision Date: 03/11/13, Page 2 of 84

DOCUMENT HISTORY

Revision History
Numbering convention: Version.Revision as n.xx. Pre-publication drafts are 0.xx; the first published version is 1.00; for minor revisions to a published document, increment the decimal number (e.g. 1.01); for major content upgrades to a published document, increment the leading whole number (e.g. 2.00).

Revision | Date | Description
1.0 | 03-2013 | First published version of the document, distributed by the Office of the Chief Information Security Officer (CISO).

1. Purpose
The Security Controls contained in this document are the safeguards or countermeasures that, when implemented and enforced, will satisfy the information security requirements defined in the Enterprise Information Security Standards and Guidelines (EISSG v5.1) document. A comprehensive set of security controls protects not only information and systems, but also individual employees and C as a whole. As such, these security controls represent the organization's strong commitment to information systems security.

2. Security Controls Scope
All employees, contractors, and third party users, and all physical, software, and information assets (whether standalone or attached to the local and wide area networks) that store, process, or transmit data, as well as all services that support or otherwise handle those physical, software, and information assets, are required to comply with the information systems security controls contained within this document.

3. Security Controls Compliance
Compliance with the security controls contained within this security controls catalog document is mandatory. Reviews to ensure compliance are undertaken at established intervals using authorized methods. Noncompliance is managed according to published security controls.

4. Security Controls Catalog Ownership
The CISO is the sponsor and issuing authority for this Information Systems Security Controls Catalog document.

5. Security Framework

Security Class Areas
The security program makes extensive use of the information security guidance found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and the Appendix J document. This guidance has been adapted to the unique environment and provides the fundamental security principles on which this security control framework is built. The security program framework is divided into four program class areas: Management, Operational, Technical, and Privacy. Each program class area is further divided into a set of security control families. There are a total of 26 control families, each producing a high level security policy. Each family has a two letter identifier that is the prefix of each control identifier; see the column labeled Family in Table 1 on page 5.

Management Class Area: Focuses on policies that relate to the management of risk and the management of the security program. This class consists of five security policies: Security Assessment and Authorization, Planning, Program Management, Risk Assessment, and System Services and Acquisition.

Operational Class Area: Focuses on policies that are primarily implemented and executed by people, rather than by the information system. This class consists of nine security policies: Awareness and Training, Configuration Management, Contingency Planning, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Personnel Security, and System and Information Integrity.

Technical Class Area: Focuses on policies that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. This class consists of four security policies: Access Control, Audit and Accountability, Identification and Authentication, and System and Communications Protection.

Privacy Class Area: Focuses on policies that define the administrative, technical, and physical safeguards employed to protect Restricted and Confidential Information.

Each one of the security policies has a number of supporting security controls that, when implemented and enforced, will satisfy the requirements of the security policy. There are a total of 197 controls, including the Security and Privacy controls.

Table 1: Organization of Policies and Controls

Class Area | Item Number | Family | Policy Family | Number of Security Controls
Management | 1 | CA | Security Assessment and Authorization (formerly Certification, Accreditation, and Security Assessment) | 6
Management | 2 | PL | Planning | 5
Management | 3 | PM | Program Management | 11
Management | 4 | RA | Risk Assessment | 4
Management | 5 | SA | System Services and Acquisitions | 11
Operational | 6 | AT | Awareness and Training | 4
Operational | 7 | CM | Configuration Management | 9
Operational | 8 | CP | Contingency Planning | 9
Operational | 9 | IR | Incident Response | 8
Operational | 10 | MA | Maintenance | 6
Operational | 11 | MP | Media Protection | 6
Operational | 12 | PE | Physical and Environmental Protection | 18
Operational | 13 | PS | Personnel Security | 8
Operational | 14 | SI | System and Information Integrity | 11
Technical | 15 | AC | Access Control | 16
Technical | 16 | AU | Audit and Accountability | 13
Technical | 17 | IA | Identification and Authentication | 8
Technical | 18 | SC | System and Communications Protection | 21
Privacy | 19 | AP | Authority and Purpose | 2
Privacy | 20 | AR | Accountability, Audit, and Risk Management | 6
Privacy | 21 | DI | Data Quality and Integrity | 2
Privacy | 22 | DM | Data Minimization and Retention | 2
Privacy | 23 | IP | Individual Participation and Redress | 4
Privacy | 24 | SE | Security | 2
Privacy | 25 | TR | Transparency | 2
Privacy | 26 | UL | Use Limitation | 3
TOTAL | | | | 197

Table 1 lists the four program class areas, the security policy families, and the number of controls in each family.

Figure 1 is a graphical representation of the information in Table 1.

[Figure 1: Security Framework. The figure arranges the four class areas (Management, Operational, Technical, Privacy) as columns, each listing its policies with the number of controls per family, exactly as given in Table 1.]

For the definition of each security control, see Section 5 on page 4.

Core Principles of Information Security
The selection and employment of appropriate security controls for an information system are important tasks that can have major implications for the operations and assets of an organization. Security controls are designed to prevent a breach of security by protecting the core principles of information security: confidentiality, integrity, and availability of the system and its information.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C., Sec. 3542]. A loss of confidentiality is the unauthorized disclosure of information.

Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity [44 U.S.C., Sec. 3542]. A loss of integrity is the unauthorized modification or destruction of information.

Availability: Ensuring timely and reliable access to and use of information [44 U.S.C., Sec. 3542]. A loss of availability is the disruption of access to or use of information or an information system.

Defining Potential Impact on Organizations and Individuals
FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (a loss of confidentiality, integrity, or availability). The application of these definitions takes place within the context of each organization and the overall national interest. The potential impact is:

Low: When the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Moderate: When the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

High: When the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The security program team, working with the Chief Information Security Officer (CISO), has determined that the information systems operating within the environment are assigned a Security Category of Moderate Impact. The controls defined in this document are the minimum set of controls required to secure moderate impact information systems and are identified as Minimum Baseline Security Controls for the moderate impact information systems within.

6. Security Controls
Section 5 lists all of the security controls that could be used to protect the information systems that process, store, or transmit data. A subsection contains the controls for each of the program class areas: 6.1 Management, 6.2 Operational, 6.3 Technical, and 6.4 Privacy. Table 2 is an example of a controls table. Table 3 explains the information in the controls tables.

Table 2: Example of a Controls Table

Control: CM-7 (1)
Control Name: Least Functionality
Description of Control:
The organization configures the information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.
(1) Reviews information systems within annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.
{i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security plan; all others are disabled. Any functions installed by default that are not required by the information systems are disabled. Services and/or software that are not needed should not be present on the server.

Table 3: How to Read the Controls Tables

Column | Name | Definition | Example from Table 2
1 | Control (composed of AA, -#, and (#)) | AA: two letter family identifier that specifies the policy the control belongs to. -#: arbitrary sequential number that makes each control unique. (#): one or more control enhancements that are defined in the Description of Control column. | CM-7 (1)
2 | Control Name | A unique descriptive name for each specific control. | Least Functionality
3 | Priority code | P1 through P3; see Table 30. | Not applicable
4 | Description of Control | The specific criteria for the control that are testable and auditable and that, when implemented and enforced, mitigate the risks and threats to the information system. (#): a control enhancement that adds extra security control criteria to make the control more robust. Additional Criteria: instructions from authoritative sources to the control owner on how to implement the control. [i]: criteria from IRS Publication 1075; the criteria are preceded by [ and a Roman numeral and followed by ]. {i}: criteria from the Centers for Medicare and Medicaid Services (CMS); the criteria are preceded by { and a Roman numeral and followed by }. | The CM-7 (1) text in Table 2: the base requirement, the (1) enhancement (annual review to identify and eliminate unnecessary functions, ports, protocols, and/or services), and the {i} additional criteria (documented list of needed services, ports, and protocols in the system security plan; all others disabled).
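The CM-7 (1) criteria above amount to a repeatable check: compare what is actually listening on a system with the services, ports, and protocols documented in the system security plan, and treat everything else as a finding to disable or to document. The Python below is an added example, not part of the catalog; the SSP allowlist and the inventory lines (shaped like `ss -lntupH` output) are constructed for illustration.

```python
"""CM-7 (Least Functionality) check: compare observed listeners with the
services, ports and protocols documented in the system security plan (SSP).

Added example, not part of the controls catalog. The SSP allowlist and the
inventory lines (shaped like `ss -lntupH` output) are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int
    name: str   # process that owns the listening socket


# Constructed SSP allowlist: the specifically needed services (CM-7 {i}).
SSP_ALLOWLIST = {
    Service("tcp", 22, "sshd"),
    Service("tcp", 443, "nginx"),
    Service("udp", 123, "chronyd"),
}

# Constructed inventory in the shape of `ss -lntupH` (Netid State Recv-Q
# Send-Q Local:Port Peer:Port Process). Two of the five listeners are not
# documented in the SSP above.
SAMPLE_INVENTORY = """\
tcp LISTEN 0 128 0.0.0.0:22  0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
tcp LISTEN 0 128 0.0.0.0:23  0.0.0.0:* users:(("telnetd",pid=1402,fd=4))
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("python3",pid=2210,fd=5))
udp UNCONN 0 0   0.0.0.0:123 0.0.0.0:* users:(("chronyd",pid=640,fd=2))
"""


def parse_inventory(text: str) -> set[Service]:
    """Parse ss-style lines into Service records; malformed lines are skipped."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        # The process column looks like users:(("sshd",pid=812,fd=3)); it is
        # absent when the caller lacks privileges to see other users' sockets.
        name = "unknown"
        if len(fields) > 6 and '"' in fields[6]:
            name = fields[6].split('"')[1]
        found.add(Service(proto, port, name))
    return found


def _order(svc: Service):
    return (svc.proto, svc.port, svc.name)


def assess(observed: set[Service], allowlist: set[Service]) -> dict[str, list[Service]]:
    """Classify listeners against the SSP allowlist.

    allowed             proto/port/process exactly as documented
    unexpected_process  documented port, but served by an undocumented process
    undocumented        listener absent from the SSP (CM-7 finding: disable it)
    missing             documented service not listening (stale SSP or a
                        service that is down; either way the plan needs review)
    """
    documented_ports = {(s.proto, s.port) for s in allowlist}
    result: dict[str, list[Service]] = {
        "allowed": [], "unexpected_process": [], "undocumented": [], "missing": []}
    for svc in sorted(observed, key=_order):
        if svc in allowlist:
            result["allowed"].append(svc)
        elif (svc.proto, svc.port) in documented_ports:
            result["unexpected_process"].append(svc)
        else:
            result["undocumented"].append(svc)
    for svc in sorted(allowlist, key=_order):
        if svc not in observed:
            result["missing"].append(svc)
    return result


def report_lines(result: dict[str, list[Service]]) -> list[str]:
    """Render findings as lines suitable for an assessment report or POA&M."""
    lines = []
    for category in ("undocumented", "unexpected_process", "missing"):
        for svc in result[category]:
            lines.append(f"CM-7 finding [{category}]: {svc.proto}/{svc.port} ({svc.name})")
    lines.append(f"{len(result['allowed'])} listener(s) match the SSP allowlist")
    return lines


if __name__ == "__main__":
    for line in report_lines(assess(parse_inventory(SAMPLE_INVENTORY), SSP_ALLOWLIST)):
        print(line)
```

Run against the constructed sample, the check flags telnetd on tcp/23 as undocumented and an unexpected python3 process on the documented tcp/443, while the three SSP-listed services match.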

6.1 Management Controls
The Management program class of controls (safeguards or countermeasures) for an information system is focused on the management of risk and the management of information system security. This class has five control families: Security Assessment and Authorization (CA), Planning (PL), Program Management (PM), Risk Assessment (RA), and System and Services Acquisition (SA).

6.1.1 (CA) Security Assessment and Authorization Policy and Its Controls
Policy: The organization requires that (i) an initial assessment of the security controls for key information systems is performed to determine if the controls are effective in their application; (ii) controls are monitored on an ongoing basis to ensure their continued effectiveness; (iii) information systems containing potential vulnerabilities due to deficiencies in their controls are documented and acknowledged by the CISO and/or his designee; and (iv) plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities are developed and implemented. Table 4 lists the Security Assessment and Authorization (CA) controls for moderate impact systems.

Table 4: Security Assessment and Authorization Controls (Policy 6.1.1)

CA-1 Security Assessment and Authorization Policies and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.

CA-2 (1) Security Assessments
a. Develops a security assessment plan that describes the scope of the assessment, including:
   - Security controls and control enhancements under assessment;
   - Assessment procedures to be used to determine security control effectiveness;
   - Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in information systems annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment in writing to the authorizing official, who is responsible for reviewing the assessment documentation.
(1) Employs an independent assessor or assessment team to conduct an assessment of the security controls in the information systems.
{i} A security assessment of all security controls must be conducted for all newly implemented systems.
{ii} The system owner notifies the appropriate personnel, as defined within the applicable business requirement document and change requests, whenever updates are made to system security authorization artifacts or significant role changes occur (e.g. system developer/maintainer, information system security analyst).

CA-3 Information System Connections
a. Authorizes connections from the information systems to other information systems outside of the authorization boundary through the use of Data Sharing Agreements;
b. Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Monitors the component connections on an ongoing basis, verifying enforcement of security requirements.
{i} Record each system interconnection in the Information Systems Security Plan document and the Information Systems Security Risk Assessment document for the component that is connected to the remote location.

CA-5 Plan of Action and Milestones
a. Develops a plan of action and milestones (POA&M) for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates and submits the existing POA&M on a monthly basis until all the findings are resolved, based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.

CA-6 Security Authorization
a. Identifies the CISO, Agency IRM, and Agency ISOs as the approving officials for the environment;
b. Ensures that the approving official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization:
   - At least annually for high risk assets;
   - When substantial changes are made to the system;
   - When changes in requirements result in the need to process data of a higher sensitivity;
   - When changes occur to authorizing legislation or federal/state requirements;
   - After the occurrence of a serious security violation which raises questions about the validity of an earlier security authorization; and
   - Prior to expiration of a previous security authorization.

CA-7 Continuous Monitoring
The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for and its constituent components;
b. A determination of the security impact of changes to information systems and the environment of operation;
c. Ongoing security control assessments in accordance with the continuous monitoring strategy; and
d. Reporting the security state of the information systems to appropriate organizational officials within annually.

6.1.2 (PL) Planning Policy and Its Controls
Policy: The organization requires the development, documentation, periodic update, and implementation of security plans for information systems within the environment. The organization requires that those security plans describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems. Table 5 lists the Planning (PL) controls for moderate impact systems.

Table 5: Planning Controls (Policy 6.1.2)

PL-1 Security Planning Policy and Procedures
The organization develops, disseminates, and reviews/updates within annually:
a. A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

PL-2 System Security Plan
a. Develops security plans for information systems that:
   - Are consistent with s enterprise architecture;
   - Explicitly define the authorization boundary for the information systems;
   - Describe the operational context of the information systems in terms of missions and business processes;
   - Provide the security categorization of the information systems, including supporting rationale;
   - Describe the operational environment for the information systems;
   - Describe relationships with or connections to other information systems;
   - Provide an overview of the security requirements for ;
   - Describe the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions; and
   - Are reviewed and approved by the authorizing official or a designated representative prior to plan implementation.
b. Reviews the security plan for information systems within annually; and
c. Updates the plan, minimally every three (3) years, to address current conditions or whenever:
   - There are significant changes to the information system/environment of operation that affect security;
   - Problems are identified during plan implementation or security control assessments;
   - The data sensitivity level increases;
   - A serious security violation occurs due to changes in the threat environment; or
   - The previous security authorization is about to expire.
{iii} (For IRS FTI only) Develop and submit a Safeguard Procedures Report (SPR) that describes the procedures established and used by the organization for ensuring the confidentiality of the information received from the IRS. This report is provided every six years or when significant changes occur in the safeguard program. A Safeguard Activity Report (SAR) advises the IRS of minor changes to the procedures or safeguards described in the SPR. It also advises the IRS of future actions that will affect 's current efforts to ensure the confidentiality of IRS FTI, and finally certifies that is protecting IRS FTI pursuant to IRC Section 6103(p)(4) and 's own security requirements. This report is provided annually by September 30th. (Reference: IRS Publication 1075, sections 7 & 8.)

PL-4 Rules of Behavior
a. Establishes and makes readily available to all users the rules that describe their responsibilities and expected behavior with regard to information, the information system, and network use (Reference: Acceptable Use Policy (AUP)); and
b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to information and the information system (Reference: Computer Use Agreement (CUA)).

PL-5 Privacy Impact Assessment (P3)
The organization conducts a privacy impact assessment on information systems in accordance with OMB Memorandum 03-22.

PL-6 Security-Related Activity Planning (P3)
The organization plans and coordinates security-related activities affecting the information systems before conducting such activities, in order to reduce the impact on operations (e.g. its mission, functions, image, and reputation), assets, and individuals.

6.1.3 (PM) Program Management Policy and Its Controls

Policy: The organization employs information security requirements that are independent of any particular information system and considered essential for managing the security program. Table 6 lists the Program Management (PM) controls for moderate impact systems.

Table 6 Program Management Controls (Policy 6.1.3)

PM-1 Information Security Program Plan
a. Develops and disseminates an organization-wide information system security program plan that:
i. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
ii. Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations, either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended.
iii. Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
iv. Is approved by the CISO, Agency IRM, and ISO with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals.
b. Reviews the -wide information security program plan annually; and
c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.

PM-2 Senior Information Security Officer
The organization appoints a Chief Information Security Officer (CISO) with the mission and resources to coordinate, develop, implement, and maintain a -wide information security program.

PM-3 Information Security Resources
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program, and documents all exceptions to this requirement;
b. Employs a business case and/or Exhibit 300/Exhibit 53 to record the resources required (Ref: SA-2); and
c. Ensures that information security resources are available for expenditure as planned.

PM-4 Plan of Action and Milestones Process
The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained, and documents the remedial information security actions to mitigate risk to organizational operations, assets, and individuals.

PM-5 Information System Inventory
The organization develops and maintains inventories of Agency information systems.

PM-6 Information Security Measures of Performance
The organization develops, monitors, and reports on the results of information security measures of performance.

PM-7 Enterprise Architecture
The organization develops enterprise architecture with consideration for information security and the resulting risk to operations, assets, and individuals.

PM-8 Critical Infrastructure Plan
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

PM-9 Risk Management Strategy
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, and individuals associated with the operation and use of information systems; and
b. Implements that strategy consistently across the organization.

PM-10 Security Authorization Process
a. Manages (i.e., documents, tracks, and reports) the security state of information systems through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into the -wide risk management program.

PM-11 Mission/Business Process Definition
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, and individuals; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
[i] (For Federal Tax Information (FTI) only) Organizations are not allowed to make further disclosures of FTI to their agents or to a contractor unless authorized by statute. (See IRS Publication 1075, Section 11.1.)

6.1.4 (RA) Risk Assessment Policy and Its Controls

Policy: The organization requires that risks to operations (including its mission, functions, image, or reputation), assets, and individuals, resulting from the operation of information systems and the associated processing, storage, or transmission of information, are assessed. Table 7 lists the Risk Assessment (RA) controls for moderate impact systems.

Table 7 Risk Assessment Controls (Policy 6.1.4)

RA-1 Risk Assessment Policy and Procedures
The organization develops, disseminates, and reviews/updates within annually:
a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

RA-2 Security Categorization
a. Categorizes information and information systems in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the system security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the approving official or a designated representative.

RA-3 Risk Assessment
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information systems and the information they process, store, or transmit;
b. Documents risk assessment results in a risk assessment report;
c. Reviews risk assessment results annually; and
d. Updates the risk assessment annually or whenever there are significant changes to information systems or the environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security or authorization state of the system.
[i] Risk assessment should be conducted for the information system based on the Agency-defined methodology that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, modification, or destruction of the information system and the information it processes, stores, or transmits.

RA-5 (1) Vulnerability Scanning
a. Scans for vulnerabilities in environment within every ninety (90) days and when new vulnerabilities potentially affecting the components are identified and reported;
b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
- Enumerating platforms, software flaws, and improper configurations;
- Formatting and making transparent checklists and test procedures;
- Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities based on the Agency-defined risk prioritization in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization on a "need to know" basis to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
(1) Employs vulnerability scanning tools that include the capability to readily update the list of component vulnerabilities scanned.

6.1.5 (SA) System and Services Acquisition Policy and Its Controls

Policy: The organization (i) requires sufficient allocation of resources to adequately protect information systems; (ii) employs system development life cycle processes that incorporate information security considerations; (iii) employs software usage and installation restrictions; and (iv) requires that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from . Table 8 lists the System and Services Acquisition (SA) controls for moderate impact systems.

Table 8 System and Services Acquisition Controls (Policy 6.1.5)

SA-1 System and Services Acquisition Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

SA-2 Allocation of Resources
a. Includes a determination of information security requirements for the information systems in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information systems as part of its capital planning and investment control process; and
c. Establishes a discrete line item in programming and budgeting documentation for the implementation and management of information systems security.

SA-3 Life Cycle Support
a. Manages the information systems using a system development life cycle methodology that includes information security considerations;
b. Defines and documents component security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having component security roles and responsibilities.

SA-4 (1) (4) Acquisitions
The organization includes the following requirements and/or specifications, explicitly or by reference, in component acquisition contracts based on an assessment of risk and in accordance with applicable federal/state laws, executive orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
(1) Requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
(4) Ensures that each component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
{i} Each contract and Statement of Work (SOW) that requires development or access to information includes language requiring adherence to security policies and standards, defines security roles and responsibilities, and receives approval from the CISO, Agency IRM, and Agency ISOs.

SA-5 (1) (3) Information System Documentation (P3)
a. Obtains, protects as required, and makes available to authorized personnel administrator documentation for the information system that describes:
- Secure configuration, installation, and operation of the information system;
- Effective use and maintenance of security features/functions; and
- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains, protects as required, and makes available to authorized personnel user documentation for the information systems that describes:
- User-accessible security features/functions and how to effectively use those security features/functions;
- Methods for user interaction with the information system, which enable individuals to use the system in a more secure manner; and
- User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain component documentation when such documentation is either unavailable or nonexistent.
(1) Obtains, protects as required, and makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within information systems with sufficient detail to permit analysis and testing.
(3) Obtains, protects as required, and makes available to authorized personnel vendor/manufacturer documentation that describes the high-level design of the information systems in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
{i} Develop and update system documentation as necessary to describe the system and to specify the purpose, technical operation, access, maintenance, and required training for administrators and users.
{ii} Update documentation when system functions and processes change, and include the date and version number on all formal system documentation.
{iii} (For Protected Health Information (PHI) only) Retain documentation of policies and procedures relating to HIPAA 164.306 for six (6) years from the date of its creation or the date when it was last in effect, whichever is later. (See: HIPAA 164.316(b) and SP 800-66.)
{iv} (For Federal Tax Information (FTI) only) When FTI is incorporated into a data warehouse, apply the controls described in IRS Publication 1075, Exhibit 7, in addition to those specified in other controls.

SA-6 Software Usage Restrictions
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

SA-7 User-Installed Software
Enforces explicit rules governing the installation of software by users.
{i} Prohibits users from downloading or installing software unless explicitly authorized, in writing, by the Agency IRM, ISO, or the CISO or his/her designated representative. If authorized, explicit rules govern the installation of software by users.
{ii} If user-installed software is authorized, enforce the documented authorizations and prohibitions.

SA-8 Security Engineering Principles
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the networking, operating system, and database components.
[i] A documented set of security design principles and coding standards exists and shall be followed by developers.
[ii] The documented set of security design principles shall be consistent with NIST SP 800-27.
[iii] The design documentation covers many aspects of the design but also documents the minimal security requirements for FTI, external interfaces, roles, access for the roles defined, and any unique security requirements.

SA-9 External Information System Services
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.
{i} Prohibits service providers from outsourcing any system function outside the U.S. or its territories for Medicaid data.
{ii} (For Protected Health Information (PHI) only) A covered entity under HIPAA may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with HIPAA regulations. Such assurances must be documented and meet the requirements set forth in HIPAA regulations. (See HIPAA 164.308(b) and 164.314(a).)

SA-10 Developer Configuration Management
The organization requires that developers/integrators:
a. Perform configuration management during information system design, development, implementation, and operation;
b. Manage and control changes to information systems;
c. Implement only organization-approved changes;
d. Document approved changes to information systems; and
e. Track security flaws and flaw resolution.

SA-11 Developer Security Testing
The organization requires that information system component developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan in accordance with, but not limited to, the current procedures;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.
[i] Information systems should be tested for security flaws on a periodic basis using automated vulnerability scanning methods, manual control testing, or a combination of both.
[ii] Test results are documented, and security flaws found during the test should be entered into a tracking system and monitored for mitigation.
[iii] Agency systems/applications should be tested for security flaws prior to release into production using manual or automated techniques or a combination of both.

6.2 Operational Controls

The Operational program class of controls (safeguards or countermeasures) for an information system consists primarily of controls that are implemented and executed by people, as opposed to systems. This class has nine control families: Awareness and Training (AT), Configuration Management (CM), Contingency Planning (CP), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical and Environmental Protection (PE), and System and Information Integrity (SI).

6.2.1 (AT) Awareness and Training Policy and Its Controls

Policy: The organization (i) requires that users of information systems are made aware of the security risks associated with their activities and of the applicable laws, executive orders, directives, policies, standards, instructions, regulations, or procedures related to the security of information systems; and (ii) requires that personnel comply with Agency security awareness training requirements. Table 9 lists the Awareness and Training (AT) controls for moderate impact systems.

Table 9 Awareness and Training Controls (Policy 6.2.1)

AT-1 Security Awareness and Training Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

AT-2 Security Awareness
The organization verifies that users (including managers, senior executives, and contractors) receive basic security awareness training provided by C as part of initial training for new users prior to accessing any system's information, when required by system changes, and annually thereafter.

AT-3 Security Training
The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) as refresher training annually thereafter.

AT-4 Security Training Records
The organization:
a. Documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training; and
b. Retains individual training records for three (3) years.

6.2.2 (CM) Configuration Management Policy and Its Controls

Policy: The organization (i) establishes and maintains baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establishes and enforces security configuration settings for information technology products employed in information systems. Table 10 lists the Configuration Management (CM) controls for moderate impact systems.

Table 10 Configuration Management Controls (Policy 6.2.2)

CM-1 Configuration Management Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

CM-2 (1) (3) (4) Baseline Configuration
a. Develops, documents, and maintains under configuration control a current baseline configuration of the information systems.
(1) Reviews and updates the baseline configuration of information systems: (a) at least once annually; (b) when required due to major system changes/upgrades; and (c) as an integral part of component installations and upgrades.
(3) Retains older versions of baseline configurations as deemed necessary to support rollback.
(4) (a) Develops and maintains an Agency-defined list of software programs not authorized (black list) to execute on the information system. (b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on information security components.

CM-3 (2) Configuration Change Control
a. Determines the types of changes to the information systems that are configuration controlled;
b. Approves configuration-controlled changes to with explicit consideration for security impact analyses;
c. Documents approved configuration-controlled changes to the system;
d. Retains and reviews records of configuration-controlled changes to the system;
e. Audits activities associated with configuration-controlled changes to the system; and
f. Coordinates and provides oversight for configuration change control activities through a change control board that convenes at least monthly or as needed.
(2) The organization tests, validates, and documents changes to before implementing the changes on the operational system.

CM-4 Security Impact Analysis (P3)
The organization analyzes changes to the information system components to determine potential security impacts prior to change implementation.

CM-5 Access Restrictions for Change
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to .
[i] The configuration management repository access permissions are reviewed at least every three months.
[ii] Records reflecting all such changes are generated, reviewed, and retained.

CM-6 (3) Configuration Settings
a. Establishes and documents mandatory configuration settings for information technology products employed within the information systems using the latest security configuration guidelines, the Data Center Services (DCS) Master System Security Plan (MSSP) technical specification document;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within information systems based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with policies and procedures.
(3) Incorporates detection of unauthorized, security-relevant configuration changes into the incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
[i] The Agency establishes and documents mandatory security configuration settings for information systems.

CM-7 (1) Least Functionality
a. Configures the information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.
(1) Reviews information systems within annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.
{i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security plan; all others are disabled. Any functions installed by default that are not required by the information systems are disabled. Services and/or software that are not needed should not be present on the server.

CM-8 (1) (5) Information System Component Inventory
The organization develops, documents, and maintains an inventory of information systems that:
a. Accurately reflects current information system components (e.g., desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, voice-over-IP telephones, etc. The inventory of information system components includes detail such as make, model, OS, type, serial number, physical location, owner, and machine name);
b. Is consistent with the authorization boundary of the organization;
c. Is at the level of granularity deemed necessary for tracking and reporting;
d. Includes manufacturer, model/type, serial number, version number, location (i.e., physical location and logical position within the architecture), and ownership; and
e. Is available for review and audit by designated officials.
(1) Updates the inventory of information systems as an integral part of component installations, removals, and updates.
(5) Verifies that all components within the authorization boundary of the organization are either inventoried as a part of the system or recognized by another system as a component within that system.
[i] The inventory should be kept current through periodic manual inventory checks, or a network monitoring tool automatically maintains the inventory.
[ii] The network should be monitored for deviations from the expected inventory of assets on the network, and security and/or operations personnel are alerted when deviations or unauthorized hosts are discovered.

CM-9 Configuration Management Plan
The organization develops, documents, and implements a configuration management plan for the information systems that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Defines the configuration items for and when in the system development life cycle the configuration items are placed under configuration management; and
c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
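Added example, not part of the catalog: a Python check that reconciles an observed network scan against the CM-8 component inventory and the CM-7 {i} per-system list of needed ports, producing the CM-8 [ii] deviation alerts (unauthorized host, OS drift, undocumented open port, inventoried component not seen). All inventory records, hosts and ports are constructed sample data, and the severity labels are an assumption of this example.

```python
"""CM-7/CM-8 deviation check (added example; all sample data is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    """One CM-8 inventory entry with the detail the control asks for (make, model,
    OS, serial number, physical location, owner, machine name) plus, for CM-7 {i},
    the ports documented as needed in the system security plan (SSP)."""
    machine_name: str
    ip: str
    make: str
    model: str
    os: str
    serial: str
    location: str
    owner: str
    allowed_ports: frozenset


@dataclass(frozen=True)
class ObservedHost:
    """What a network monitoring or discovery tool reports for one live host."""
    ip: str
    machine_name: str
    os: str
    open_ports: frozenset


# Constructed sample inventory (assumed values, not a real system).
SAMPLE_INVENTORY = [
    InventoryRecord("web01", "10.0.1.10", "Dell", "R640", "RHEL 7", "SN-0001",
                    "DC1 rack 4", "Web Team", frozenset({22, 80, 443})),
    InventoryRecord("db01", "10.0.1.20", "HP", "DL380", "Windows Server 2012",
                    "SN-0002", "DC1 rack 5", "DBA Team", frozenset({1433, 3389})),
    InventoryRecord("prn01", "10.0.1.30", "Xerox", "WC7845", "Printer FW 1.2",
                    "SN-0003", "Floor 2", "Facilities", frozenset({631, 9100})),
]

# Constructed sample scan: web01 was upgraded without an inventory update, db01
# exposes a port the SSP does not list, and an unknown laptop is on the network.
SAMPLE_OBSERVED = [
    ObservedHost("10.0.1.10", "web01", "RHEL 8", frozenset({22, 80, 443})),
    ObservedHost("10.0.1.20", "db01", "Windows Server 2012", frozenset({21, 1433, 3389})),
    ObservedHost("10.0.1.99", "unknown-laptop", "Windows 10", frozenset({445})),
]


def reconcile(inventory, observed):
    """Compare observed hosts with the authorized inventory.

    Returns a list of (severity, ip, message) tuples, one per deviation, in scan
    order followed by inventoried components that were not observed.
    """
    findings = []
    by_ip = {rec.ip: rec for rec in inventory}
    seen = set()
    for host in observed:
        rec = by_ip.get(host.ip)
        if rec is None:
            # CM-8 [ii]: unauthorized host; alert security/operations personnel.
            findings.append(("high", host.ip,
                             f"unauthorized host {host.machine_name!r} not in CM-8 inventory"))
            continue
        seen.add(host.ip)
        if host.machine_name != rec.machine_name:
            findings.append(("medium", host.ip,
                             f"name drift: inventory {rec.machine_name!r}, observed {host.machine_name!r}"))
        if host.os != rec.os:
            # CM-8 (1): the inventory must be updated as part of upgrades; drift means it was not.
            findings.append(("medium", host.ip,
                             f"OS drift: inventory {rec.os!r}, observed {host.os!r}"))
        extra = sorted(host.open_ports - rec.allowed_ports)
        if extra:
            # CM-7 {i}: only SSP-documented ports may be open; all others are disabled.
            findings.append(("high", host.ip, f"ports not documented in SSP: {extra}"))
    for ip, rec in by_ip.items():
        if ip not in seen:
            # Not a security event by itself, but CM-8 (1) requires removals to be recorded.
            findings.append(("low", ip,
                             f"inventoried component {rec.machine_name!r} not observed"))
    return findings


def sample_findings():
    """Run the check over the constructed sample data."""
    return reconcile(SAMPLE_INVENTORY, SAMPLE_OBSERVED)


if __name__ == "__main__":
    for severity, ip, message in sample_findings():
        print(f"[{severity:<6}] {ip:<12} {message}")
```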

6.2.3 (CP) Contingency Planning Policy and Its Controls

Policy: The organization establishes, maintains, and effectively implements plans for emergency response, backup operations, and post-disaster recovery for information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. Table 11 lists the Contingency Planning (CP) controls for moderate impact systems.

Table 11 Contingency Planning Controls (Policy 6.2.3)

CP-1 Contingency Planning Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

CP-2 (1) Contingency Plan / Continuity of Operations Plan
a. Develops a contingency plan (CP) or Continuity of Operations Plan (COOP) for information systems that:
- Identifies essential missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, and assigned individuals with contact information;
- Addresses maintaining essential missions and business functions despite a disruption, compromise, or failure;
- Addresses eventual, full restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the COOP to key contingency personnel (identified by name and/or by role) and organizational elements;
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the COOP for the information systems annually;
e. Revises the COOP to address changes to the organization, information systems, or environment of operation and problems encountered during COOP implementation, execution, or testing; and
f. Communicates COOP changes to key contingency personnel (identified by name and/or by role) and others as defined in the COOP.
(1) Coordinates contingency plan development with elements responsible for related plans.

CP-3 Contingency Training (P3)
The organization trains operational and support personnel (including managers and users of ) in their contingency roles and responsibilities with respect to the information systems and provides refresher training within annually.

Table 11 Contingency Planning Controls (Policy 6.2.3), continued

CP-4 (1) Contingency Plan Testing and Exercises
a. Tests and/or exercises the contingency plan for the mission critical information systems annually using defined tests and/or exercises, such as a tabletop test, in accordance with the current COOP procedure to determine the plan's effectiveness and the organization's readiness to execute the plan; and
b. Documents and reviews the contingency plan test/exercise results and initiates reasonable and appropriate corrective actions to close or reduce the impact of contingency plan failures and deficiencies.
(1) Coordinates contingency plan testing and/or exercises with elements responsible for related plans.

CP-6 (1) (3) Alternate Storage Site
a. Establishes an alternate storage site, including necessary agreements to permit the storage and recovery of backup information.
(1) Identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.
(3) Identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 (1) (2) (3) (5) Alternate Processing Site
a. Establishes an alternate processing site, including necessary agreements to permit the resumption of operations for essential missions and business functions within an Agency-defined period consistent with the recovery time objective when the primary processing capabilities are unavailable; and
b. Ensures that equipment and supplies required to resume operations are available at the alternate site, or that contracts are in place to support delivery to the site in time to support the Agency-defined time period for restoration of service.
(1) Identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.
(2) Identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
(3) Develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
(5) Ensures that the alternate processing site provides information security measures equivalent to those of the primary site.

Table 11 Contingency Planning Controls (Policy 6.2.3), continued

CP-8 (1) (2) Telecommunications Services
The organization establishes alternate telecommunications services, including necessary agreements, to permit the resumption of information systems operations for essential organization missions and business functions within an Agency-defined time period when the primary telecommunications capabilities are unavailable.
(1) (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements; and
(b) Requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
(2) Obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.

CP-9 (1) Information System Backup (Priority P3)
a. Conducts backups of user-level information contained in information systems: full backups weekly, incremental or differential backups daily;
b. Conducts backups of system-level information contained in information systems: full backups weekly, incremental or differential backups daily;
c. Conducts backups of documentation, including security-related documentation: full backups weekly, incremental or differential backups daily; and
d. Protects the confidentiality and integrity of backup information at the storage location.
(1) Tests backup information following each backup to verify media reliability and information integrity.
{i} Backups include user-level and system-level information (including system state information). Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site. Log off-site and on-site backups with name, date, time, and action.
{ii} (For Restricted and Confidential Information only) Ensure that a current, retrievable copy of Restricted and Confidential Information is available before movement of servers.
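The CP-9 schedule, the CP-9(1) verification step and the three-generation retention in {i}, shown as working code. This is an added example written for this page, not a procedure from the catalog or from any HHS system: it takes a weekly full and a daily incremental backup of a directory into a tar archive, records a SHA-256 manifest at backup time, re-reads the archive afterwards and compares the restored files against that manifest (media reliability and information integrity), writes a log record with name, date and action, and keeps only the newest three generations, each full together with the incrementals that depend on it. The directory layout, operator name, dates and file contents in demo() are constructed for the demonstration. The archive is written unencrypted, so item d (confidentiality at the storage location) still has to be met separately.

```python
"""CP-9 style backup with post-backup integrity verification and generation retention.

Added example for this page (not catalog or HHS code). Paths, dates, operator
name and file contents in demo() are constructed for the demonstration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root: the state a restore must reproduce."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, store: Path, kind: str, previous: Optional[Dict[str, str]],
                when: str, operator: str) -> dict:
    """Write one archive and return its log record (name, date, action, hashes).
    'full' takes every file; 'incremental' takes only files whose hash differs from
    the previous backup's manifest, i.e. files added or modified since that backup."""
    current = snapshot(src)
    previous = previous or {}
    selected = current if kind == "full" else {r: h for r, h in current.items() if previous.get(r) != h}
    archive = store / f"{when}-{kind}.tar"
    with tarfile.open(str(archive), "w") as tar:
        for rel in selected:
            tar.add(str(src / rel), arcname=rel)
    return {"when": when, "kind": kind, "operator": operator, "archive": str(archive),
            "manifest": current,            # full state at backup time (basis for the next incremental)
            "contents": selected,           # what this archive must restore
            "archive_sha256": sha256_file(archive)}


def verify_backup(record: dict) -> bool:
    """CP-9(1): re-read the archive from the store (media reliability) and restore it to
    scratch space, comparing every restored file against the manifest taken at backup
    time (information integrity). Any mismatch fails the backup."""
    archive = Path(record["archive"])
    if sha256_file(archive) != record["archive_sha256"]:
        return False
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(str(archive)) as tar:
        tar.extractall(scratch)   # archive was written above with relative, in-tree names only
        return snapshot(Path(scratch)) == record["contents"]


def generations(log: List[dict]) -> List[List[dict]]:
    """A generation is one full backup plus the incrementals that depend on it."""
    gens: List[List[dict]] = []
    for rec in log:
        if rec["kind"] == "full":
            gens.append([rec])
        elif gens:
            gens[-1].append(rec)
    return gens


def prune(log: List[dict], keep: int = 3) -> List[dict]:
    """Keep the newest `keep` generations; an incremental is never kept without its full."""
    return [rec for gen in generations(log)[-keep:] for rec in gen]


def demo() -> dict:
    """Constructed run: full, a change, incremental, verification, a simulated media fault, pruning."""
    with tempfile.TemporaryDirectory() as tmp:
        src, store = Path(tmp, "data"), Path(tmp, "offsite")
        (src / "system").mkdir(parents=True)
        store.mkdir()
        (src / "users.db").write_bytes(b"user-level information")
        (src / "system" / "state.cfg").write_text("system state information")
        log = [make_backup(src, store, "full", None, "2013-03-04", "ops-oncall")]
        (src / "users.db").write_bytes(b"user-level information, updated")
        log.append(make_backup(src, store, "incremental", log[-1]["manifest"], "2013-03-05", "ops-oncall"))
        results = {"full_ok": verify_backup(log[0]), "incremental_ok": verify_backup(log[1]),
                   "incremental_contents": sorted(log[1]["contents"])}
        damaged = Path(log[1]["archive"])          # simulate unreliable media: flip one byte
        data = bytearray(damaged.read_bytes())
        data[0] ^= 0xFF
        damaged.write_bytes(data)
        results["after_fault_ok"] = verify_backup(log[1])
    # retention on a synthetic five-week log: three generations survive, each with its incremental
    weeks = [rec for i in range(1, 6) for rec in
             ({"when": f"2013-w{i}", "kind": "full"}, {"when": f"2013-w{i}-d1", "kind": "incremental"})]
    results["pruned"] = [(r["when"], r["kind"]) for r in prune(weeks)]
    return results
```

The verification deliberately restores to scratch space and rehashes rather than trusting the archive's own listing: a backup that opens cleanly but restores altered content is exactly the failure CP-9(1) is meant to catch, and the flipped byte in demo() shows that case returning False.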

Table 11 Contingency Planning Controls (Policy 6.2.3), continued

CP-10 (2) (3) Information System Recovery and Reconstitution
a. Provides for the recovery and reconstitution of information systems to a known state after a disruption, compromise, or failure.
(2) Information systems implement transaction recovery for systems that are transaction-based.
(3) The organization provides compensating security controls to address circumstances that inhibit recovery and reconstitution to a known state.
{i} Recovery and reconstitution for information systems includes, but is not limited to:
(a) Resetting all system parameters (either default or organization-established);
(b) Reinstalling patches;
(c) Reestablishing configuration settings;
(d) Reinstalling application and system software; and
(e) Testing the system fully.

6.2.4 (IR) Incident Response Policy and Its Controls

Policy: The organization (i) establishes an operational incident handling capability for information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) tracks, documents, and reports incidents to appropriate and C officials and/or authorities. Table 12 lists the Incident Response (IR) controls for moderate impact systems.

Table 12 Incident Response Controls (Policy 6.2.4)

IR-1 Incident Response Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

IR-2 Incident Response Training
a. Trains personnel in their incident response roles and responsibilities with respect to information systems; and
b. Provides refresher training annually.

IR-3 Incident Response Testing and Exercises
The organization tests and/or exercises the incident response capability for the information systems annually using reviews, analyses, and simulations to determine the incident response effectiveness, and documents the results.
[i] The Agency defines incident response tests/exercises that contain procedures for the following:
- Detecting unauthorized FTI access;
- Reporting unauthorized FTI access to the IRS, TIGTA, and the internal Agency incident response team.
[ii] The Agency tests/exercises the incident response capability for FTI-related security violations (e.g., simulated successful unauthorized access to FTI) at least annually. Note: The incident response tests/exercises should be different from any testing activities performed as part of Disaster Recovery or Contingency Planning.
[iii] The Agency documents the results of incident response tests/exercises.

Table 12 Incident Response Controls (Policy 6.2.4), continued

IR-4 (1) Incident Handling
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
(1) Employs automated mechanisms to support the incident handling process.
{i} Document relevant information related to a security incident as outlined in the Security Incident Management Plan.
{ii} Identify the vulnerability exploited during a security incident, and implement security safeguards to reduce the risk and the exposure to further exploitation of that vulnerability.

IR-5 Incident Monitoring
The organization tracks and documents security incidents for information systems.

IR-6 (1) Incident Reporting
a. Requires personnel to report suspected security incidents to the organizational incident response capability within the timeframe established in the Security Incident Management Plan; and
b. Reports security incident information to designated authorities.
(1) Employs automated mechanisms to assist in the reporting of security incidents.

IR-7 (1) Incident Response Assistance (Priority P3)
The organization provides an incident response support resource, integral to the organizational incident response capability, which offers advice and assistance to users of the information systems for the handling and reporting of security incidents.
(1) Employs automated mechanisms to increase the availability of incident response-related information and support.

Table 12 Incident Response Controls (Policy 6.2.4), continued

IR-8 Incident Response Plan
a. Develops an incident response plan that:
- Creates a defined list of incident response personnel (identified by name and/or by role) and elements;
- Provides the organization with a roadmap for implementing its incident response capability;
- Describes the structure and organization of the incident response capability;
- Provides a high-level approach for how the incident response capability fits into the overall organization;
- Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- Defines reportable incidents;
- Provides metrics for measuring the incident response capability within the organization;
- Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the incident response plan to incident response personnel and organizational elements;
c. Reviews the incident response plan annually;
d. Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
e. Communicates incident response plan changes to incident response personnel and organizational elements.

6.2.5 (MA) Maintenance Policy and Its Controls

Policy: The organization requires that (i) periodic and timely maintenance on information systems occur; and (ii) effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance are in place. Table 13 lists the Maintenance (MA) controls for moderate impact systems.

Table 13 Maintenance Controls (Policy 6.2.5)

MA-1 System Maintenance Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented information systems maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls for information systems.

MA-2 (1) Controlled Maintenance
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information systems in accordance with manufacturer or vendor specifications and/or organization requirements;
b. Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that a designated official explicitly approve the removal of information systems from facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from facilities for off-site maintenance or repairs; and
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
(1) Maintains maintenance records for the information system that include:
(a) Date and time of maintenance;
(b) Name of the individual performing the maintenance;
(c) Name of escort, if necessary;
(d) Description of the maintenance performed; and
(e) List of equipment removed or replaced (including identification numbers, if applicable).

MA-3 (1) (2) Maintenance Tools
The organization approves, controls, monitors the use of, and maintains on an ongoing basis the maintenance tools for information systems.
(1) Inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
(2) Checks all media containing diagnostic and test programs for malicious code before the media are used in information systems.

Table 13 Maintenance Controls (Policy 6.2.5), continued

MA-4 (1) (2) Non-Local Maintenance
a. Authorizes, monitors, and controls non-local maintenance and diagnostic activities;
b. Allows the use of non-local maintenance and diagnostic tools only as consistent with policy and documented in the specific system security plan;
c. Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
d. Maintains records for non-local maintenance and diagnostic activities; and
e. Terminates all sessions and network connections when non-local maintenance is completed.
(1) Audits non-local maintenance and diagnostic sessions, and designated personnel review the maintenance records of the sessions.
(2) Documents the installation and use of non-local maintenance and diagnostic connections in the system security plan.

MA-5 Maintenance Personnel
a. Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and
b. Ensures that personnel performing maintenance on the information systems have the required access authorizations, or designates personnel with the required access authorizations and technical competence deemed necessary to supervise maintenance when maintenance personnel do not possess the required access authorizations.

MA-6 Timely Maintenance (Priority P3)
The organization obtains maintenance support and/or spare parts for information systems according to contracted SLAs with Agency-approved vendors.

6.2.6 (MP) Media Protection Policy and Its Controls

Policy: The organization (i) requires the protection of digital and non-digital information system media; (ii) limits access to information on information system media to authorized users; and (iii) sanitizes or destroys information system media before disposal or release for reuse. Table 14 lists the Media Protection (MP) controls for moderate impact systems.

Table 14 Media Protection Controls (Policy 6.2.6)

MP-1 Media Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.
[i] Conduct semi-annual inventories of magnetic tapes, account for any missing tapes, and document them in the Security Incident Management Plan.

MP-2 (1) Media Access
The organization restricts access to Restricted, Confidential, or Agency Internal media to authorized individuals using automated mechanisms to control access to media storage areas.
(1) Employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.

MP-3 Media Marking
a. Marks, in accordance with policies and procedures, removable media and output for information systems to indicate the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts specific types of media or hardware components, if any, from marking, as specified in writing by the CISO or his/her designated representative, as long as the exempted items remain within a secure environment.

MP-4 Media Storage
a. Physically controls and securely stores media within controlled areas using safeguards prescribed for the highest system security level of the information ever recorded on it; and
b. Protects media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
1. Desktops, laptops, hard drives, and portable computing devices must be encrypted using cryptographic modules validated to Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules. (FIPS 140-2 validation applies to the cryptographic module, so the requirement is met by a validated module, not merely by use of an approved algorithm.)

Table 14 Media Protection Controls (Policy 6.2.6), continued

MP-5 (2) (4) Media Transport
a. Protects and controls media containing Restricted, Confidential, or Agency Internal information during transport outside of controlled areas using cryptography and tamper-evident packaging, and (i) if hand carried, using a securable container (e.g., a locked briefcase) via authorized personnel, or (ii) if shipped, using a commercial carrier so that the media can be tracked with receipt;
b. Maintains accountability for media during transport outside of controlled areas; and
c. Restricts the activities associated with transport of such media to authorized personnel.
(2) Documents activities associated with the transport of media.
(4) Employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on media during transport outside of controlled areas.
{i} Protect and control Restricted, Confidential, or Agency Internal media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel. Such media must be in locked cabinets or sealed packing cartons while in transit.

MP-6 Media Sanitization
a. Sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse; and
b. Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
{i} (For IRS Federal Tax Information (FTI) only) FTI must never be disclosed to an Agency's agents or contractors during disposal unless authorized by the Internal Revenue Code. Generally, destruction should be witnessed by an Agency employee.
{ii} (For Confidential or Agency Internal information) Authorized employees of the receiving entity must be responsible for securing magnetic tapes/cartridges before, during, and after processing, and they must ensure that the proper acknowledgment form is signed and returned. Inventory records must be maintained for purposes of control and accountability. Tapes containing Restricted and Confidential Information, or any file resulting from the processing of such a tape, are recorded in a log that identifies:
(a) Date received;
(b) Reel/cartridge control number and contents;
(c) Number of records, if available;
(d) Movement; and
(e) If disposed of, the date and method of disposition.

6.2.7 (PE) Physical and Environmental Protection Policy and Its Controls

Policy: The organization coordinates with the Texas Facilities Commission (TFC) and/or other owning facility management organizations to (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. Table 15 lists the Physical and Environmental (PE) controls for moderate impact systems.

Table 15 Physical and Environmental Protection Controls (Policy 6.2.7)

PE-1 Physical and Environmental Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

PE-2 Physical Access Authorizations
a. Develops and keeps current a list of personnel with authorized access to the facility where information systems reside (except for those areas within the facility officially designated as publicly accessible);
b. Issues authorization credentials; and
c. Reviews and approves the access list and authorization credentials at least once every one hundred eighty (180) days, removing personnel no longer requiring access from the list.

PE-3 Physical Access Control
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where information systems reside, excluding those areas within the facility officially designated as publicly accessible;
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to the facility containing information systems using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f. Inventories physical access devices annually; and
g. Changes combinations and keys annually, or whenever keys are lost, combinations are compromised, or individuals who had access to combinations and/or keys are transferred or terminated.
Additional Criteria
{i} Require two barriers to access IRS FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container. Protected information must be containerized in areas where persons other than authorized employees may have access after hours.

Table 15 Physical and Environmental Protection Controls (Policy 6.2.7), continued

PE-4 Access Control for Transmission Medium
The organization controls physical access to component distribution and transmission lines within organizational facilities.
Additional Criteria
{i} Permit access to telephone closets and component distribution and transmission lines within facilities only to authorized personnel.
{ii} Disable any physical ports (e.g., in wiring closets, patch panels, etc.) not in use.

PE-5 Access Control for Output Devices
The organization controls physical access to component output devices to prevent unauthorized individuals from obtaining the output.

PE-6 (1) Monitoring Physical Access
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs once a month; and
c. Coordinates results of reviews and investigations with the organization's incident response capability.
(1) Monitors real-time physical intrusion alarms and surveillance equipment.

PE-7 (1) Visitor Control
The organization controls physical access to the information systems by authenticating visitors before authorizing access to the facility where information systems reside, other than areas designated as publicly accessible.
(1) Escorts visitors and monitors visitor activity, when required.

Priority P3 applies to four of the five controls PE-8 through PE-12.

PE-8 Access Records
a. Maintains visitor access records to the facility where the information systems reside (except for those areas within the facility officially designated as publicly accessible); and
b. Reviews and closes visitor access records monthly.

PE-9 Power Equipment and Power Cabling
The organization protects power equipment and power cabling for information systems from damage and destruction.
Additional Criteria
{i} Permit only authorized maintenance personnel to access infrastructure assets, including power generators, HVAC systems, cabling, and wiring closets.

PE-10 Emergency Shutoff
a. Provides the capability of shutting off power to information systems in emergency situations;
b. Places emergency shutoff switches or devices in a location that does not require personnel to approach the equipment, to facilitate safe and easy access for personnel; and
c. Protects the emergency power shutoff capability from unauthorized activation.

PE-11 Emergency Power
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of information systems in the event of a primary power source loss.

PE-12 Emergency Lighting
The organization employs and maintains automatic emergency lighting for information systems that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.

Table 15 Physical and Environmental Protection Controls (Policy 6.2.7), continued

Priority P3 applies to three of the six controls PE-13 through PE-18.

PE-13 (1) (2) (3) Fire Protection
The organization employs and maintains fire suppression and detection devices/systems for information systems that are supported by an independent energy source.
(1) Employs fire detection devices/systems for information systems that activate automatically and notify appropriate personnel and emergency responders in the event of a fire.
(2) Employs fire suppression devices/systems for information systems that provide automatic notification of any activation to appropriate personnel and emergency responders.
(3) Employs an automatic fire suppression capability for information systems when the facility is not staffed on a continuous basis.

PE-14 Temperature and Humidity Controls
a. Maintains temperature and humidity levels in the facility where information systems reside within acceptable vendor-recommended levels; and
b. Monitors temperature and humidity levels on a daily basis.
Additional Criteria
{i} Evaluate the level of alert and follow prescribed guidelines for that alert level.
{ii} Alert component management of possible loss of service and/or media.
{iii} Report damage and provide remedial action.
{iv} Implement the contingency plan (COOP), if necessary.

PE-15 Water Damage Protection
The organization protects information systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

PE-16 Delivery and Removal
The organization authorizes, monitors, and controls IT information system components entering and exiting the facility and maintains records of those items.

PE-17 Alternate Work Site
a. Employs appropriate security controls at alternate work sites that include, but are not limited to, laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems;
b. Assesses, as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

PE-18 Location of Information System Components
The organization positions information systems within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

6.2.8 (PS) Personnel Security Policy and Its Controls

Policy: The organization works with C human resources to (i) ensure that individuals occupying positions of responsibility within the organization (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with security policies and procedures. Table 16 lists the Personnel Security (PS) controls for moderate impact systems.

Table 16 Personnel Security Controls (Policy 6.2.8)

PS-1 Personnel Security Policy and Procedures
The organization develops, disseminates, reviews, and updates annually:
a. A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.

PS-2 Position Categorization
a. Assigns a risk designation to all positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and revises position risk designations annually.

PS-3 Personnel Screening
a. Screens individuals prior to authorizing access to information systems; and
b. Rescreens individuals annually, consistent with the criticality/sensitivity rating of the position.

PS-4 Personnel Termination
The organization, upon termination of individual employment:
a. Terminates information system access;
b. Conducts exit interviews;
c. Retrieves all security-related information system-related property;
d. Retains access to information and information systems formerly controlled by the terminated individual; and
e. Immediately escorts employees terminated for cause out of the organization.

PS-5 Personnel Transfer (Priority P3)
The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization.
Additional Criteria
{i} Initiate the following transfer or reassignment actions during the formal transfer process:
- Re-issue appropriate property (e.g., keys, identification cards, building passes);
- Close obsolete accounts and establish new accounts; and
- Revoke all system access privileges (if applicable).

Table 16 Personnel Security Controls (Policy 6.2.8), continued

PS-6 Access Agreements (Priority P3)
a. Ensures that individuals requiring access to information and information systems sign appropriate access agreements prior to being granted access; and
b. Reviews/updates the access agreements as part of the system security authorization or when a contract is renewed or extended.

PS-7 Third-Party Personnel Security
a. Establishes personnel security requirements, including security roles and responsibilities, for third-party providers;
b. Documents personnel security requirements; and
c. Monitors provider compliance.
[i] Regulate the access provided to contractors and define security requirements for contractors. Contractors must be provided with minimal system and physical access, and must agree to and support the information security requirements.

PS-8 Personnel Sanctions (Priority P3)
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.

6.2.9 (SI) System and Information Integrity Policy and Its Controls

Policy: The organization provides oversight to ensure (i) the identification, reporting, and correction of information system flaws in a timely manner; (ii) protection from malicious code at appropriate locations within information systems; and (iii) the monitoring of information system security alerts and advisories, and execution of appropriate actions. Table 17 lists the System and Information Integrity (SI) controls for moderate impact systems.

Table 17 System and Information Integrity Controls (Policy 6.2.9)

SI-1 System and Information Integrity Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

SI-2 (2) Flaw Remediation
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software updates related to flaw remediation for effectiveness and potential side effects on information systems before installation; and
c. Incorporates flaw remediation into the configuration management process monthly.
(2) Employs automated mechanisms to determine the state of information systems with regard to flaw remediation.
{i} Remediate identified flaws on production equipment in a timeframe based on the National Vulnerability Database (NVD, http://nvd.nist.gov/) vulnerability severity rating of the flaw: flaws rated as high severity within seven (7) calendar days; medium severity within fifteen (15) calendar days; and all others within thirty (30) calendar days.
(a) Evaluate system security patches, service packs, and hot fixes in a test bed environment to determine the effectiveness and potential side effects of such changes; and
(b) Manage the flaw remediation process centrally.
[ii] Procedures are documented for the testing of all patches and upgrades that is required as part of the HHS configuration management process.
[iii] A test plan and procedures are created and updated for each production release.
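The SI-2 {i} timeframes are easy to state and easy to miss in practice, because a scan report carries a CVSS score, not a due date. The following is an added example (not part of the HHS catalog or any HHS tooling) that turns each finding into a deadline and a status the configuration management process can act on. It assumes findings arrive as host, CVE id, CVSS base score and detection date; severity is derived from the score using the NVD CVSS v2 qualitative ranges (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0). The host names and CVE ids in the sample data are placeholders, and the catalog's revision date is used as "today".

```python
"""SI-2 flaw remediation deadline tracker (added example, not HHS code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# SI-2 {i}: calendar days allowed from detection to remediation, by NVD rating.
REMEDIATION_DAYS = {"HIGH": 7, "MEDIUM": 15, "LOW": 30}


def nvd_severity(cvss_score: float) -> str:
    """Map a CVSS v2 base score to the NVD qualitative rating (assumed v2 ranges)."""
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_score}")
    if cvss_score >= 7.0:
        return "HIGH"
    if cvss_score >= 4.0:
        return "MEDIUM"
    return "LOW"


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                        # placeholder ids in the sample data below
    cvss_score: float
    detected: date
    remediated: Optional[date] = None

    @property
    def severity(self) -> str:
        return nvd_severity(self.cvss_score)

    @property
    def due(self) -> date:
        """Last calendar day on which remediation is still on time."""
        return self.detected + timedelta(days=REMEDIATION_DAYS[self.severity])

    def status(self, today: date) -> str:
        """'closed' or 'late' once remediated; 'open' or 'overdue' otherwise."""
        if self.remediated is not None:
            return "closed" if self.remediated <= self.due else "late"
        return "overdue" if today > self.due else "open"


def remediation_report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group host:cve labels by status so overdue flaws feed the CM process."""
    report: Dict[str, List[str]] = {"open": [], "overdue": [], "closed": [], "late": []}
    for f in findings:
        report[f.status(today)].append(f"{f.host}:{f.cve}")
    return report


# Constructed sample findings (not real scan output; CVE ids are placeholders).
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-0000-0001", 9.3, date(2013, 3, 1)),                     # HIGH: due 03-08
    Finding("web01", "CVE-0000-0002", 5.0, date(2013, 3, 1), date(2013, 3, 10)),  # MEDIUM: due 03-16, fixed on time
    Finding("db01", "CVE-0000-0003", 2.1, date(2013, 2, 1), date(2013, 3, 5)),    # LOW: due 03-03, fixed late
    Finding("db01", "CVE-0000-0004", 7.0, date(2013, 3, 9)),                      # HIGH: due 03-16, still open
]
AS_OF = date(2013, 3, 11)  # the catalog's revision date, used as "today" for the demo


def sample_report() -> Dict[str, List[str]]:
    return remediation_report(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for status, items in sample_report().items():
        print(f"{status:8s} {', '.join(items) or '-'}")
```

The "late" bucket is what an assessor looks for: a flaw closed after its deadline still counts as a missed SI-2 {i} timeframe, so the tracker keeps the remediation date rather than just dropping closed items.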

SI-3 (1) (2) (3) Malicious Code Protection
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
- Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
- Inserted through the exploitation of vulnerabilities;
b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available, in accordance with configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
- Perform periodic scans of the information systems every twenty-four (24) hours and during system reboot, and real-time scans of files from external sources as the files are downloaded, opened, or executed, in accordance with security policy; and
- Block, quarantine, and send alerts to administrators on an ongoing basis in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
(1) Centrally manages malicious code protection mechanisms.
(2) HHS information systems automatically update malicious code protection mechanisms (including signature definitions).
(3) HHS information systems prevent non-privileged users from circumventing malicious code protection capabilities.
[i] Virus-protection program signature definitions are updated at least every 14 days (<= 14 days).
[ii] Servers, workstations, and laptops should not be configured to autorun removable media.
[iii] Servers, workstations, and laptops should be configured to automatically scan removable media for malware when inserted.

SI-4 (2) (4) (5) (6) Information System Monitoring
The organization:
a. Monitors events on information systems in accordance with Agency-defined Security Operations Procedures and detects attacks;
b. Identifies unauthorized use of information systems;
c. Deploys monitoring devices: (i) strategically within HHS to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Heightens the level of component monitoring activity whenever there is an indication of increased risk to operations, assets, and individuals based on law enforcement information, intelligence information, or other credible sources of information; and
e. Obtains legal opinion with regard to monitoring activities in accordance with applicable federal/state laws, executive orders, directives, policies, or regulations.
(2) Employs automated tools to support near real-time analysis of events.
(4) HHS information systems monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
(5) HHS information systems provide near real-time alerts when the following indications of compromise or potential compromise occur: (a) presence of malicious code; (b) unauthorized export of information; (c) signaling to an external information system; or (d) potential intrusions.
(6) HHS information systems prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
[i] Perimeter monitoring devices should be deployed to monitor traffic on Internet and extranet DMZ systems and networks, and on network segments with FTI, that look for unusual attack mechanisms and detect compromise of these systems.
[ii] The IDS should be configured to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet.
SI-5 Security Alerts, Advisories, and Directives
The organization:
a. Receives security alerts, advisories, and directives from designated external organizations on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to appropriate personnel; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

SI-7 (1) Software and Information Integrity
HHS information systems detect unauthorized changes to software and information.
(1) Reassesses the integrity of software and information by performing daily integrity scans of information systems.

SI-8 Spam Protection
The organization:
a. Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
b. Updates spam protection mechanisms (including signature definitions) when new releases are available, in accordance with configuration management policy and procedures.

SI-9 Information Input Restrictions (P3)
The organization restricts the capability to input information to information systems to authorized personnel.
[i] Employ restrictions on personnel authorized to input information to information systems, including limitations based on specific operational/project responsibilities.
[ii] Documented approval procedures should exist to validate input data before entering the system.

SI-10 Information Input Validation
For HHS information systems, the organization checks the validity of information inputs.
{i} Use automated mechanisms to check the validity of information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible.

SI-11 Error Handling (P3)
HHS information systems:
a. Identify potential security-relevant error conditions;
b. Generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited by adversaries; and
c. Reveal error messages only to authorized personnel.
SI-12 Information Output Handling and Retention (P3)
The organization handles and retains both information within and output from information systems in accordance with applicable federal/state laws, executive orders, directives, policies, regulations, standards, and operational requirements.
[i] Access to reports is restricted to those users with a legitimate business need for the information.
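SI-7 (1) calls for a daily integrity scan that detects unauthorized changes to software and information. The following is an added example (not the catalog's own tooling) of the mechanism behind such a scan: it records a SHA-256 baseline of every regular file under a directory and, on a later scan, reports files that were added, removed or modified. The demo builds a throwaway tree in a temporary directory, takes the baseline, alters the tree and rescans; the file names and contents are constructed. In production the baseline must be stored where the scanned host cannot rewrite it (see AU-9), otherwise an unauthorized change could update the baseline along with the files.

```python
"""SI-7 (1) file integrity baseline and rescan (added example, not HHS code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue   # skip symlinks and special files; hash only real content
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed since the baseline; all three lists empty means integrity held."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree, change it, rescan, and return the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "server").write_bytes(b"#!/bin/sh\necho serving\n")
        (root / "config.ini").write_text("debug=0\n")
        store = Path(tmp) / "baseline.json"   # kept outside the scanned tree
        save_baseline(build_baseline(root), store)

        # Changes between scans that the daily run must surface:
        # an edited program, a file that appeared, and a deleted configuration file.
        (root / "bin" / "server").write_bytes(b"#!/bin/sh\necho serving --extra\n")
        (root / "bin" / "helper").write_bytes(b"\x00\x01")
        (root / "config.ini").unlink()
        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty report is the SI-7 detection event; what follows it (alerting under SI-4 (5), review under AU-6) is policy, not something this scanner decides.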

6.3 Technical Controls

The Technical program class of controls for an information system consists primarily of controls that are implemented and executed through mechanisms contained in the hardware, software, or firmware components of the information system. This class has four families: Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), and System and Communication Protection (SC).

6.3.1 (AC) Access Control Policy and Its Controls

Policy: The organization requires limited access to applications, servers, databases, and network devices in the HHS environment. Access is limited to authorized users, processes acting on behalf of authorized users, or devices. Authorized users are further limited to the types of transactions and functions that they are permitted to exercise. Table 18 lists the Access Controls (AC) for moderate impact systems.

Table 18 Access Controls (Policy 6.3.1)

AC-1 Access Control Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

AC-2 (1) (2) (3) (4) Account Management
The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by HHS or associated missions/business functions; and
j. Reviewing accounts every six months.
(1) Employs automated mechanisms to support the management of accounts.
(2) HHS information systems automatically terminate emergency accounts within 24 hours and temporary accounts with a fixed duration not to exceed 12 months.
(3) HHS information systems disable inactive privileged accounts after sixty (60) days and inactive non-privileged accounts after ninety (90) days.
(4) HHS information systems automatically audit account creation, modification, disabling, and termination actions and notify appropriate individuals, as required.
{i} Regulate the access provided to contractors and define security requirements for contractors.
[ii] Accounts do not have the same user or account name.
[iii] Accounts have not been assigned the same uid.
[iv] Accounts are locked after 90 days of inactivity.
[v] Unused default accounts will be disabled.
{vi} Implement centralized control of user access administrator functions.
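Several AC-2 requirements are mechanical enough to check automatically at the six-month review (or daily): duplicate names and uids ([ii], [iii]), inactive privileged and non-privileged accounts ((3)), expired temporary and emergency accounts ((2)), and enabled default accounts that nobody uses ([v]). The following is an added example (not HHS tooling) that runs those checks over a constructed account inventory. The record layout, the reading of "12 months" as 365 days, the set of vendor default account names, and the review date are assumptions; a real run would pull the records from the directory or /etc/passwd and last-login data.

```python
"""AC-2 account review checks (added example, not HHS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# AC-2 (3): inactivity limits keyed by whether the account is privileged.
INACTIVE_LIMIT = {True: timedelta(days=60), False: timedelta(days=90)}
TEMPORARY_MAX_AGE = timedelta(days=365)   # AC-2 (2): fixed duration not to exceed 12 months (assumed 365 days)
EMERGENCY_MAX_AGE = timedelta(hours=24)   # AC-2 (2): emergency accounts terminated within 24 hours
DEFAULT_ACCOUNT_NAMES = {"guest", "admin", "test"}  # assumed vendor defaults for the demo


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    kind: str               # individual | temporary | emergency | system | guest
    privileged: bool
    enabled: bool
    created: datetime
    last_login: Optional[datetime]


def review_accounts(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Return sorted (account name, reason) pairs that need account-manager action."""
    findings: List[Tuple[str, str]] = []

    seen_names, seen_uids = set(), set()
    for a in accounts:                       # [ii] and [iii] apply to every record, enabled or not
        if a.name in seen_names:
            findings.append((a.name, "duplicate-name"))
        if a.uid in seen_uids:
            findings.append((a.name, "duplicate-uid"))
        seen_names.add(a.name)
        seen_uids.add(a.uid)

    for a in accounts:
        if not a.enabled:
            continue                         # already disabled: nothing to do
        age = now - a.created
        idle = now - (a.last_login or a.created)
        if a.kind == "emergency" and age > EMERGENCY_MAX_AGE:
            findings.append((a.name, "emergency-expired"))
        elif a.kind == "temporary" and age > TEMPORARY_MAX_AGE:
            findings.append((a.name, "temporary-expired"))
        elif idle > INACTIVE_LIMIT[a.privileged]:
            findings.append((a.name, "inactive-" + ("privileged" if a.privileged else "non-privileged")))
        elif a.name in DEFAULT_ACCOUNT_NAMES and a.last_login is None:
            findings.append((a.name, "unused-default"))   # [v]
    return sorted(findings)


# Constructed inventory (not real accounts). Review date: the catalog's revision date.
NOW = datetime(2013, 3, 11)
SAMPLE_ACCOUNTS = [
    Account("alice", 1001, "individual", False, True, datetime(2012, 1, 1), datetime(2013, 3, 1)),
    Account("bob", 1002, "individual", True, True, datetime(2012, 1, 1), datetime(2013, 1, 1)),        # 69 days idle, privileged
    Account("carol", 1003, "individual", False, True, datetime(2012, 1, 1), datetime(2013, 1, 1)),     # 69 days idle, under the 90-day limit
    Account("svc-backup", 1003, "system", False, True, datetime(2012, 6, 1), datetime(2013, 3, 10)),   # reuses carol's uid
    Account("alice", 1004, "individual", False, True, datetime(2013, 2, 1), datetime(2013, 3, 10)),    # duplicate user name
    Account("tmp-contractor", 1005, "temporary", False, True, datetime(2012, 2, 1), datetime(2013, 3, 5)),  # older than 12 months
    Account("break-glass", 1006, "emergency", True, True, datetime(2013, 3, 9), datetime(2013, 3, 9)),  # 48 hours old
    Account("guest", 1007, "guest", False, True, datetime(2013, 3, 1), None),                          # default, never used
    Account("dave", 1008, "individual", True, False, datetime(2012, 1, 1), None),                      # disabled: skipped
]


def sample_review() -> List[Tuple[str, str]]:
    return review_accounts(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for name, reason in sample_review():
        print(f"{name:15s} {reason}")
```

Note that carol and bob have the same idle time; only bob is flagged, because the privileged limit in AC-2 (3) is 60 days and the non-privileged limit is 90.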

AC-3 Access Enforcement
The organization enforces approved authorizations for logical access to the system in accordance with applicable policy.
{i} If encryption is used as an access control mechanism, it must meet approved (FIPS 140-2 compliant and a NIST-validated module) encryption standards (see SC-13).
{ii} Configure operating system controls to disable public "read" and "write" access to files, objects, and directories that may directly impact system functionality and/or performance, or that contain sensitive information (such as FTI or Privacy Act protected information).
{iii} Data stored in the information system must be protected with system access controls.

AC-4 Information Flow Enforcement
The organization enforces approved authorizations for controlling the flow of information within the information systems and between interconnected systems in accordance with applicable policy.

AC-5 Separation of Duties
The organization:
a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned component access authorizations.
Additional Criteria:
{i} Ensure that audit functions are not performed by security personnel responsible for administering access control.
{ii} Ensure that testing functions (i.e., user acceptance, quality assurance, information security) and production functions are divided among separate individuals or groups.
{iii} Ensure that an independent entity, not the business owner, system developers/maintainers, or system administrators responsible for the information system, conducts information security testing of the information system.

AC-6 (1) (2) Least Privilege
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with missions and business functions.
(1) Explicitly authorizes access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information; such access is restricted to explicitly authorized individuals.
(2) Requires that users of information system accounts, or roles, with access to security functions or security-relevant information use non-privileged accounts, or roles, when accessing other system functions, and, if feasible, audits any use of privileged accounts, or roles, for such functions.
{i} Disable all file system access not explicitly required for system, application, and administrator functionality.
{ii} Contractors must be provided with minimal system and physical access, and must agree to and support the security requirements.

AC-7 Unsuccessful Login Attempts
HHS information systems:
For Restricted data:
a. Enforce a limit of three (3) consecutive invalid access attempts by a user within a fifteen (15) minute period; and
b. Automatically lock the account/node for one (1) hour or until released by an account administrator.
The control applies regardless of whether the login occurs via a local or network connection.
For other classified systems, enforce the following:
a. Account lockout duration of 30 minutes;
b. Account lockout threshold after 5 invalid logon attempts; and
c. Reset account lockout counter after 30 minutes of lockout.
[i] The login delay between login prompts after a failed login is set to more than four seconds.
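AC-7 gives two parameter sets, and the difference between a "consecutive attempts within a window" rule and a plain counter matters when implementing it. The following is an added example (not HHS code) of a login guard that enforces both sets as a sliding-window counter: for Restricted data, three invalid attempts within fifteen minutes lock the account for one hour or until an administrator releases it; for other systems, five invalid attempts lock for thirty minutes and the attempt counter resets after thirty minutes. A locked account refuses even a correct password until the lock expires or is released. The user names, timestamps and attempt sequences in the simulate_* functions are constructed; the prompt delay is recorded as policy data only, since the demo does not sleep.

```python
"""AC-7 unsuccessful login attempt lockout (added example, not HHS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int            # invalid attempts that trigger a lock
    window: timedelta         # attempts older than this no longer count toward the threshold
    lock_duration: timedelta  # how long the account/node stays locked
    prompt_delay: timedelta = timedelta(seconds=5)  # AC-7 [i]: more than four seconds between prompts


RESTRICTED_DATA = LockoutPolicy(3, timedelta(minutes=15), timedelta(hours=1))
OTHER_SYSTEMS = LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30))


@dataclass
class LoginGuard:
    policy: LockoutPolicy
    _failures: Dict[str, List[datetime]] = field(default_factory=dict)
    _locked_until: Dict[str, datetime] = field(default_factory=dict)

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[user]   # lock has expired on its own
        return False

    def attempt(self, user: str, credentials_ok: bool, now: datetime) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account rejects even valid credentials."""
        if self.is_locked(user, now):
            return "locked"
        if credentials_ok:
            self._failures.pop(user, None)   # a success ends the consecutive-failure run
            return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t < self.policy.window]
        recent.append(now)
        if len(recent) >= self.policy.threshold:
            self._locked_until[user] = now + self.policy.lock_duration
            self._failures.pop(user, None)
            return "locked"
        self._failures[user] = recent
        return "denied"

    def admin_release(self, user: str) -> None:
        """An account administrator releases the lock before it expires."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


def simulate_restricted() -> List[str]:
    """Three failures lock for an hour; a correct password inside the hour is still refused."""
    guard = LoginGuard(RESTRICTED_DATA)
    t0 = datetime(2013, 3, 11, 9, 0)
    steps = [(0, False), (1, False), (2, False), (30, True), (63, True)]   # minutes after t0
    return [guard.attempt("alice", ok, t0 + timedelta(minutes=m)) for m, ok in steps]


def simulate_other() -> List[str]:
    """Failures older than 30 minutes drop out of the count; admin release ends a lock early."""
    guard = LoginGuard(OTHER_SYSTEMS)
    t0 = datetime(2013, 3, 11, 9, 0)
    results = [guard.attempt("bob", False, t0 + timedelta(minutes=m)) for m in (0, 10, 20, 31, 32, 33)]
    guard.admin_release("bob")
    results.append(guard.attempt("bob", True, t0 + timedelta(minutes=34)))
    return results


if __name__ == "__main__":
    print("restricted:", simulate_restricted())
    print("other:     ", simulate_other())
```

In simulate_other the fourth failure at minute 31 does not lock the account, because the failure at minute 0 has aged out of the 30-minute window; the fifth failure inside the window (minute 33) does.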

AC-8 System Use Notification
a. HHS information systems will display an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable Federal and Texas laws, executive orders, directives, policies, regulations, Health and Human Services Commission (HHSC) standards, and guidance, and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.
The recommended banner for IRS FTI information resources is:

WARNING
This system may contain U.S. Government information, which is restricted to authorized users ONLY. Unauthorized access, use, misuse, or modification of this computer system or of the data contained herein or in transit to/from this system constitutes a violation of Title 18, United States Code, Section 1030, and may subject the individual to Criminal and Civil penalties pursuant to Title 26, United States Code, Sections 7213, 7213A (the Taxpayer Browsing Protection Act), and 7431. This system and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals possible evidence of criminal activity, such evidence may be provided to Law Enforcement Personnel. ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING

b. Retain the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
i. Display the system use information when appropriate, before granting further access;
ii. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
iii. Include a description of the authorized uses of the system in the notice given to public users of the information system.
[i] The system contains US government information;
[ii] users' actions are monitored and audited;
[iii] unauthorized use of the system is prohibited;
[iv] unauthorized use of the system is subject to criminal and civil penalties.

AC-10 Concurrent Session Control (P3)
The organization limits the number of concurrent sessions for each system account to one (1) session.
{i} The number of concurrent sessions is limited and enforced to the number of sessions expressly required for the performance of job duties, and any requirement for more than one (1) concurrent session is documented in the system security plan.

AC-11 Session Lock
HHS information systems:
a. Prevent further access to the system by initiating a session lock after fifteen (15) minutes of inactivity or at the request of the user; and
b. Retain the session lock until the user reestablishes access using established identification and authentication procedures.
[i] Ensure a password-protected screen lock mechanism is used.

AC-14 (1) Permitted Actions Without Identification or Authentication (P3)
The organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the specific system security plan for the information system for user actions not requiring identification and authentication.
(1) Permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.
[i] Services that allow interaction without authentication or via anonymous authentication are documented, justified to the CISO, and properly secured and segregated from other systems that contain services that explicitly require authentication and identity verification.

AC-17 (1) (2) (3) (4) (5) (7) (8) Remote Access
The organization:
a. Requires that the allowed methods of remote access to information systems are GoToMyPC, VPN, and Outlook Web Access; remote access requires two-factor authentication;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access;
d. Authorizes remote access prior to connection; and
e. Enforces requirements for remote connections.
(1) HHS information systems employ automated mechanisms to facilitate the monitoring and control of remote access methods.
(2) The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
(3) HHS information systems route all remote accesses through a limited number of managed access control points.
(4) The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access and use of commands in the specific system security plan for the information system.
(5) The organization monitors for unauthorized remote connections to information systems at least quarterly and takes appropriate action if an unauthorized connection is discovered.
(7) The organization requires that remote sessions used for remote administration employ additional security measures (e.g., Secure Shell [SSH], Virtual Private Networking [VPN] with blocking mode enabled) (see SC-13) and that the sessions are audited.
(8) The organization disables networking protocols deemed to be nonsecure (such as Bluetooth, peer-to-peer networking) except for explicitly identified components in support of specific operational requirements.
[i] No unauthorized remote sessions are allowed.
[ii] The administrative password is not passed over a network in clear text form.

AC-18 (1) Wireless Access
The organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to information systems;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to information systems.
(1) HHS information systems protect wireless access using authentication and encryption.
When deploying wireless access points, the following minimum standards shall apply:
1. File sharing on wireless clients shall be disabled.
2. Client NIC and Access Point firmware shall be upgradeable so that security patches may be deployed as they become available.
3. Access Points shall be turned off when they are not in use (e.g., after hours and on weekends).
4. The Access Point's Service Set Identifier (SSID) shall be changed from the default setting to an ID that does not reflect the identity of the Agency, department, or the nature of the work of the physical location where it is installed, and the SSID broadcast shall be disabled.
5. All non-secure and nonessential management protocols on Access Points shall be disabled.
6. All security features of the WLAN product, including the cryptographic authentication feature, shall be enabled.
7. The Wi-Fi Protected Access (WPA) security standard or greater shall be implemented.
8. Access Points shall have strong passwords, which shall be changed regularly.
9. User authentication shall use an RFC-compliant method, such as RADIUS, TACACS, etc.
10. Authentication mechanisms for the management interfaces of the Access Point shall be enabled, and management traffic destined for Access Points shall be on a dedicated wired subnet.
11. SNMP settings on Access Points shall be disabled or set for least privilege (i.e., read only), with SNMPv3 or an equivalent cryptographically protected protocol in use.
12. Installers shall ensure that new WLAN installations do not interfere with other existing equipment.
13. Physical and remote access to the Access Point reset function shall be restricted to authorized administrators only.
14. The default cryptographic key shall be changed from the factory default and shall be changed on a regular basis.

AC-19 (1) (2) (3) Access Control for Mobile Devices
The organization:
a. Establishes usage restrictions and implementation guidance for HHS-controlled mobile devices;
b. Authorizes connection of mobile devices meeting usage restrictions and implementation guidance to information systems;
c. Monitors for unauthorized connections of mobile devices to information systems;
d. Enforces requirements for the connection of mobile devices to information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations deemed to be of significant risk in accordance with policies and procedures; and
g. Examines the device for signs of physical tampering and purges/reimages the hard disk drive of mobile devices returning from locations that the organization deems to be of significant risk, in accordance with organizational policies and procedures.
(1) Restricts the use of writable, removable media in information systems.
(2) Prohibits the use of personally owned, removable media in information systems.
(3) Prohibits the use of removable media in information systems when the media has no identifiable owner.

AC-20 (1) (2) Use of External Information Systems (P3)
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.
(1) Permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when HHS: (a) can verify the implementation of required security controls on the external system as specified in the information security policy and the specific system security plan; or (b) has approved information system connection or processing agreements with the entity hosting the external information system, including assessment of third-party controls.
(2) Limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

AC-22 Publicly Accessible Content (P3)
The organization:
a. Designates individuals authorized to post information on a component that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting on information systems;
d. Reviews the content on the publicly accessible information systems for nonpublic information on a monthly basis; and
e. Removes nonpublic information from the publicly accessible information systems, if discovered.

6.3.2 (AU) Audit and Accountability Policy and Its Controls

Policy: The organization (i) requires the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) requires that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. Table 19 lists the Audit and Accountability (AU) controls for moderate impact systems.

Table 19 Audit and Accountability Controls (Policy 6.3.2)

AU-1 Audit and Accountability Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

AU-2 (3) (4) Auditable Events
The organization:
a. Determines, based on a risk assessment and mission/business needs, that information systems must be capable of auditing the events described in "Appendix C Recommended Events for Logging";
b. Coordinates the security audit function with other entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Ensures that the list of auditable events is deemed adequate to support after-the-fact investigations of security incidents based on current threat information and ongoing assessment of risk; and
d. Determines, based on current threat information and ongoing assessment of risk, that the events specified in AU-2a are to be audited at the frequencies specified in the system security plan.
(3) Reviews and updates the list of auditable events annually.
(4) Includes execution of privileged functions in the list of events to be audited by the information system, including administrator and user account activities, failed and successful log-ons, security policy modifications, use of administrator privileges, system shutdowns, reboots, errors, and access authorizations.

AU-3 (1) Content of Audit Records
HHS information systems shall produce audit records that contain sufficient information to, at a minimum, establish what type of event occurred, the date and time the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
(1) Include the capability to provide more detailed information for audit events identified by type, location, or subject.
{i} Record disclosures of sensitive information, including protected health and financial information. Log information type, date, time, receiving party, and releasing party. Verify within every ninety (90) days for each extract that the data is erased or its use is still required.

Table 19 Audit and Accountability Controls (Policy 6.3.2)

AU-4 Audit Storage Capacity
The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of that capacity being exceeded.

AU-5 Response to Audit Processing Failures
Information systems:
a. Alert designated officials in the event of an audit processing failure; and
b. Take the following additional actions in response to an audit failure or audit storage capacity issue:
- Shut down the information system/applications;
- Stop generating audit records; or
- Overwrite the oldest records, in the case that storage media is unavailable.

AU-6 Audit Review, Analysis, and Reporting
The organization:
a. Reviews and analyzes audit records for defined key information systems on a daily basis for indications of inappropriate or unusual activity, and reports findings to designated officials. Indicators include:
- Excessive logon attempt failures by single or multiple users
- Logons at unusual/non-duty hours
- Failed attempts to access restricted system or data files, indicating a possible pattern of deliberate browsing
- Unusual or unauthorized activity by system administrators
- Activities (e.g., command-line activity) by a user who should not have that capability
- System failures or errors.
b. Adjusts the level of audit review, analysis, and reporting within the information systems when there is a change in risk to operations, assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.
{i} Review system records for initialization sequences, log-ons and errors; system processes and performance; and system resource utilization to determine anomalies on demand, but no less than once within a twenty-four (24) hour period. Generate alert notifications for technical personnel review and assessment.
{ii} Review network traffic, bandwidth utilization rates, alert notifications, and border defense devices to determine anomalies on demand, but no less than once within a twenty-four (24) hour period. Generate alerts for technical personnel review and assessment.
{iii} Use automated utilities to review audit records at least once every seven (7) days for unusual, unexpected, or suspicious behavior.
{iv} Inspect administrator groups on demand, but at least once every fourteen (14) days, to ensure unauthorized administrator accounts have not been created.
{v} Perform manual reviews of system audit records randomly on demand, but at least once every thirty (30) days.
{vi} All requests for return information, including receipt and/or disposal of returns or return information, are maintained in a log. (See IRS Pub. 1075, Section 6.3.1.)
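The AU-6 a. indicator list above can be run mechanically over records carrying the AU-3 minimum content. The following is an added example, not part of the catalog: the pipe-delimited record layout, the numeric thresholds, the duty-hours window, the privileged-user roster, the restricted path prefix and the sample lines are all constructed assumptions, since the page names the indicators but sets no numbers for them.

```python
"""Daily audit review (AU-6 a.) run over AU-3-style audit records.

Added example, not part of the catalog. Layout, thresholds, duty hours,
privileged-user roster, restricted prefix and sample lines are assumptions.
"""
from collections import Counter
from datetime import datetime
from typing import List, NamedTuple, Tuple

LOGON_FAILURE_THRESHOLD = 5        # assumed: "excessive" logon failures per user
RESTRICTED_FAILURE_THRESHOLD = 3   # assumed: a "pattern of deliberate browsing"
DUTY_HOURS = range(7, 19)          # assumed: 07:00-18:59 is duty time
PRIVILEGED_USERS = {"admin1"}      # assumed: users allowed command-line/admin activity
RESTRICTED_PREFIX = "/data/fti/"   # assumed: tree holding restricted data


class AuditRecord(NamedTuple):
    # The AU-3 minimum content: type, date/time, where, source, outcome, user,
    # plus a free-text detail field (file path, command, error text).
    when: datetime
    event: str
    where: str
    source: str
    outcome: str
    user: str
    detail: str


def parse_record(line: str) -> AuditRecord:
    """Parse one pipe-delimited record (assumed layout, seven fields)."""
    when, event, where, source, outcome, user, detail = line.split("|", 6)
    return AuditRecord(datetime.fromisoformat(when), event, where, source, outcome, user, detail)


def review(records: List[AuditRecord]) -> List[Tuple[str, str]]:
    """Return (indicator, message) findings for the AU-6 a. indicator list."""
    findings = []
    logon_failures = Counter()
    restricted_failures = Counter()
    for r in records:
        if r.event == "logon" and r.outcome == "failure":
            logon_failures[r.user] += 1
        if r.event == "logon" and r.outcome == "success" and r.when.hour not in DUTY_HOURS:
            findings.append(("off-hours-logon",
                             f"{r.user} logged on to {r.where} at {r.when.isoformat()}"))
        if r.event == "file_access" and r.outcome == "failure" and r.detail.startswith(RESTRICTED_PREFIX):
            restricted_failures[r.user] += 1
        if r.event in ("command_line", "privilege_use") and r.user not in PRIVILEGED_USERS:
            findings.append(("unauthorized-capability",
                             f"{r.user} performed {r.event} on {r.where}: {r.detail}"))
        if r.event == "system_error":
            findings.append(("system-error", f"{r.where}: {r.detail}"))
    # Count-based indicators are decided once the whole day's records are seen.
    for user, n in logon_failures.items():
        if n >= LOGON_FAILURE_THRESHOLD:
            findings.append(("excessive-logon-failures", f"{user}: {n} failed logons"))
    for user, n in restricted_failures.items():
        if n >= RESTRICTED_FAILURE_THRESHOLD:
            findings.append(("restricted-file-browsing",
                             f"{user}: {n} failed accesses under {RESTRICTED_PREFIX}"))
    return findings


# Constructed sample records, not real log data.
SAMPLE_LINES = [
    "2013-03-11T08:02:11|logon|srv-app01|10.0.5.21|success|jdoe|",
    "2013-03-11T08:05:40|logon|srv-app01|10.0.5.88|failure|mroe|bad password",
    "2013-03-11T08:05:52|logon|srv-app01|10.0.5.88|failure|mroe|bad password",
    "2013-03-11T08:06:03|logon|srv-app01|10.0.5.88|failure|mroe|bad password",
    "2013-03-11T08:06:15|logon|srv-app01|10.0.5.88|failure|mroe|bad password",
    "2013-03-11T08:06:27|logon|srv-app01|10.0.5.88|failure|mroe|bad password",
    "2013-03-11T02:14:05|logon|srv-db01|10.0.9.3|success|bsmith|",
    "2013-03-11T09:10:00|file_access|srv-db01|10.0.5.21|failure|jdoe|/data/fti/returns_2012.dat",
    "2013-03-11T09:10:30|file_access|srv-db01|10.0.5.21|failure|jdoe|/data/fti/returns_2011.dat",
    "2013-03-11T09:11:02|file_access|srv-db01|10.0.5.21|failure|jdoe|/data/fti/index.db",
    "2013-03-11T10:00:00|command_line|srv-app01|10.0.5.21|success|jdoe|cmd.exe started interactively",
    "2013-03-11T10:05:00|command_line|srv-app01|10.0.9.1|success|admin1|scheduled backup script",
    "2013-03-11T11:30:00|system_error|srv-app01|localhost|failure|SYSTEM|audit service restarted unexpectedly",
]


def review_sample() -> List[Tuple[str, str]]:
    """Run the daily review over the constructed sample."""
    return review([parse_record(line) for line in SAMPLE_LINES])


if __name__ == "__main__":
    for indicator, message in review_sample():
        print(f"{indicator:26} {message}")
```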

AU-7 (1) Audit Reduction and Report Generation
Information systems provide an audit reduction and report generation capability.
(1) Information systems provide the capability to automatically process audit records for events of interest based on selectable event criteria.

AU-8 (1) Time Stamps
Information systems use internal system clocks to generate time stamps for audit records.
(1) The organization synchronizes internal information system clocks daily and at system boot with either the US Naval Observatory NTP servers or the NIST Internet Time Service.

AU-9 Protection of Audit Information
Information systems protect audit information and audit tools from unauthorized access, modification, and deletion.
[i] System audit logs are not readable by unauthorized users.
[ii] Audit logs are rotated daily.
[iii] Log files have appropriate permissions assigned, and permissions are not excessive.

AU-10 Non-repudiation (P3)
Information systems protect against an individual falsely denying having performed a particular action.

AU-11 Audit Record Retention
The organization retains audit records for ninety (90) days and archives old records for one (1) year to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
{i} (For Confidential data only) Audit inspection reports, including a record of corrective actions, shall be retained by the organization for a minimum of three (3) years from the date the inspection was completed.
[ii] To support the audit of IRS FTI activities, all organizations must ensure that audit information is archived for six (6) years to enable the recreation of computer-related access to both the operating system and to the application where FTI is stored.

AU-12 Audit Generation
Information systems:
a. Provide audit record generation capability for the list of auditable events defined in AU-2a for the information systems;
b. Allow designated personnel to select which auditable events are to be audited by specific components of the system; and
c. Generate audit records for the list of audited events defined in AU-2a with the content as defined in AU-3.
Audited events include:
- All successful and unsuccessful authorization attempts.
- All changes to logical access control authorities (for example, rights, permissions).
- All system changes with the potential to compromise the integrity of audit policy configurations, security policy configurations, and audit record generation services.
- The audit trail captures the enabling or disabling of audit report generation services.
- The audit trail captures command-line changes, batch file changes, and queries made to the system (for example, operating system, application, and database).

AU-14 Session Audit
For information systems, ensure they have the capability to:
a. Capture/record and log key content related to a user session; and
b. Remotely view/hear all content related to an established user session in real time.

6.3.3 (IA) Identification and Authentication Policy and Its Controls

Policy: The organization requires the identification of information system users, processes acting on behalf of users, or devices, and authenticates (or verifies) the identities of those users, processes, or devices as a prerequisite to allowing access to information systems. Table 20 lists the Identification and Authentication (IA) controls for moderate impact systems.

Table 20 Identification and Authentication Controls (Policy 6.3.3)

IA-1 Identification and Authentication Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

IA-2 (1) (8) Identification and Authentication (Organizational Users)
The information systems:
a. Uniquely identify and authenticate users (or processes acting on behalf of users).
(1) Use multifactor authentication for access to privileged accounts for Restricted data.
(8) Use replay-resistant authentication mechanisms for network access to privileged accounts according to specific system security plan requirements.
[i] All user accounts are unique; there are no duplicate user accounts.
[ii] The new (duplicate) user account creation fails. Information systems provide a mechanism to ensure duplicate user account names are not created, e.g., using operating system functions to manage user accounts.
[iii] The new user account creation fails without a password; a password is required to create an account.
[iv] The logon attempt fails without a password; a password is required for identification and authentication to the application.

IA-3 Device Identification and Authentication
For information systems, the information system uniquely identifies and authenticates an Agency-defined list of specific and/or types of devices before establishing a connection.
[i] Information systems that are required to authenticate or otherwise identify themselves use IP, MAC, RADIUS, or other well-known authentication and identification methods.

IA-4 Identifier Management
The organization manages information system identifiers for users and devices by:
a. Receiving authorization from a designated official to assign a user or device identifier;
b. Selecting an identifier that uniquely identifies an individual or device;
c. Assigning the user identifier to the intended party or the device identifier to the intended device;
d. Preventing reuse of user or device identifiers until all previous access authorizations are removed from the system, including all file accesses for that identifier, but not before a period of at least a year has expired; and
e. Disabling the user identifier after ninety (90) days of inactivity.

IA-5 (1) (2) (3) Authenticator Management
The organization manages the component authenticators for users and devices by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators upon information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g. Changing/refreshing authenticators in accordance with the criteria for Enhancement (1) below;
h. Protecting authenticator content from unauthorized disclosure and modification; and
i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
(1) Password-based authentication for information systems:
(a) Enforces minimum password complexity. Each password must contain a minimum of eight (8) and a maximum of sixteen (16) characters with at least one (1) from each of the following categories:
- upper case alpha (ABC)
- lower case alpha (abc)
- number (0 to 9)
- special character (@#$%^%*()_+ ~-=\ {}[]: ; <>/)
Dictionary names or words are prohibited.
(b) Enforces a minimum of four (4) changed characters when a new password is created;
(c) Encrypts passwords in storage and in transmission;
(d) Enforces password lifetime restrictions with a minimum of two (2) days and a maximum of sixty (60) days for privileged accounts and ninety (90) days for non-privileged accounts;
(e) Prohibits password reuse for six (6) generations;
(f) Limits password changes to once every fifteen (15) days;
(g) Forces the user to change the default password at first logon;
(h) Disables the password after ninety (90) days of inactivity;
(i) Prompts the user to change the password before expiration; the prompt period is set to fourteen (14) days or more.
(2) PKI-based authentication for information systems:
(a) Validates certificates by constructing a certification path with status information to an accepted trust anchor;
(b) Enforces authorized access to the corresponding private key; and
(c) Maps the authenticated identity to the user account.
(3) Requires that the registration process to receive Agency-defined types of and/or specific authenticators (e.g., hardware tokens) be verified in person by a designated official (e.g., a supervisor).
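The password rules in IA-5 (1)(a), (b), (c) and (e) are concrete enough to enforce in code. The following is an added example, not part of the catalog: the length, complexity, changed-character and reuse thresholds come from the text above, the special-character set is taken as printed in (1)(a), and the dictionary word list, the PBKDF2 parameters and the "positions that differ" reading of (1)(b) are assumptions.

```python
"""Password checks for the IA-5 (1) rules on this page.

Added example, not part of the catalog. Thresholds come from IA-5 (1)(a),
(b) and (e); the dictionary list and the changed-character metric are assumptions.
"""
import hashlib
import os
from typing import List, Optional, Tuple

MIN_LEN, MAX_LEN = 8, 16        # IA-5 (1)(a)
MIN_CHANGED = 4                 # IA-5 (1)(b)
HISTORY_GENERATIONS = 6         # IA-5 (1)(e)
SPECIALS = set("@#$%^*()_+~-=\\{}[]:;<>/")   # as printed in (1)(a)
DICTIONARY = {"password", "welcome", "summer", "letmein", "agency"}  # constructed stand-in


def _derive(password: str, salt: bytes) -> bytes:
    # IA-5 (1)(c): only salted PBKDF2 digests are kept, never the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Newest-first list of (salt, digest) pairs for an account's past passwords."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, bytes]] = []

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, _derive(password, salt)))

    def reused(self, candidate: str) -> bool:
        # Only the most recent HISTORY_GENERATIONS entries count, per (1)(e).
        return any(_derive(candidate, salt) == digest
                   for salt, digest in self.entries[:HISTORY_GENERATIONS])


def changed_characters(old: str, new: str) -> int:
    """Positions that differ plus any length difference: one reading of (1)(b)."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_password(new: str, current: Optional[str], history: PasswordHistory) -> List[str]:
    """Return the IA-5 (1) rules the candidate violates; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(new) <= MAX_LEN:
        problems.append("length: must be 8 to 16 characters")
    if not any(c.isupper() for c in new):
        problems.append("complexity: no upper-case letter")
    if not any(c.islower() for c in new):
        problems.append("complexity: no lower-case letter")
    if not any(c.isdigit() for c in new):
        problems.append("complexity: no digit")
    if not any(c in SPECIALS for c in new):
        problems.append("complexity: no special character")
    if new.lower() in DICTIONARY:   # whole-word match only; a real check also catches embedded words
        problems.append("dictionary word prohibited")
    if current is not None and changed_characters(current, new) < MIN_CHANGED:
        problems.append("fewer than 4 characters changed")
    if history.reused(new):
        problems.append("reused within the last 6 generations")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.add("Tr0ub4d#r")
    for candidate in ("Password", "Tr0ub4d#x", "Tr0ub4d#r", "Qz7=Lumen^4"):
        print(candidate, "->", check_password(candidate, "Tr0ub4d#r", hist) or "accepted")
```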

IA-6 Authenticator Feedback
Information systems obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
[i] The password is not displayed in clear text; it is masked with placeholder characters, e.g., asterisks.

IA-7 Cryptographic Module Authentication
Information systems use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal/state laws, executive orders, directives, policies, regulations, standards, and guidance for such authentication.
[i] The authentication mechanism uses a FIPS 140-2 compliant encryption module.

IA-8 Identification and Authentication (Non-Organizational Users)
Information systems uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

6.3.4 (SC) System and Communications Protection Policy and Its Controls

Policy: The organization (i) requires the monitoring, control, and protection of communications (information transmitted or received by information systems) at the external and key internal boundaries of the information systems; and (ii) employs architectural designs, software development techniques, and systems engineering principles that promote effective information security within information systems. Table 21 lists the System and Communications Protection (SC) controls for moderate impact systems.

Table 21 System and Communications Protection Controls (Policy 6.3.4)

SC-1 System and Communications Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates annually:
a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

SC-2 Application Partitioning
Information systems:
a. Separate user functionality (including user interface services; for example, web services) from management functionality (e.g., database management systems).
[i] Separation is accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, combinations of these methods, or other methods. Note: A separate physical machine is not required but is recommended.
[ii] The information system separates user functionality (including user interface services) from information system management functionality.

SC-4 Information in Shared Resources (P3)
Information systems prevent unauthorized and unintended information transfer via shared system resources.
{i} Ensure that users of shared system resources cannot intentionally or unintentionally access information remnants, including encrypted representations of information, produced by the actions of a prior user or a system process acting on behalf of a prior user.
{ii} Ensure that system resources shared between two (2) or more users are released back to the system and are protected from accidental or purposeful disclosure.

SC-5 Denial of Service Protection
Information systems protect against or limit the effects of distributed denial of service (DDoS) attacks.
[i] Deployment personnel are registered to receive updates for all components, e.g., web servers, application servers, and database servers. If update notifications are provided for any custom-developed software, deployment personnel should also register for those updates. Ref: Security Incident Management Plan.

SC-7 (1) Boundary Protection
Information systems:
a. Monitor and control communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connect to external networks or information systems only through managed interfaces consisting of automated boundary protection devices arranged in accordance with the security architecture.
(1) The organization physically allocates publicly accessible information systems to separate sub-networks with separate physical network interfaces.
[i] Publicly accessible components reside in a screened subnet (DMZ) architecture to provide boundary protection.
[ii] Segmentation limits traffic to systems that receive, process, store, or transmit FTI to only the services needed for business use and to authorized personnel.
[iii] The network segment holding the systems that receive, store, process, and transmit FTI is protected with a firewall to control the traffic into that network. There are multiple layers of protection (defense-in-depth).
[iv] DMZ systems do not contain FTI, and internal systems with FTI are not directly accessible from the Internet.
[v] No services (e.g., TCP or UDP) are allowed except for the documented services.
{vi} Ensure that access to all proxies is denied, except for those hosts, ports, and services that are explicitly required.
{vii} Utilize stateful inspection/application firewall hardware and software.
{viii} Utilize firewalls from at least two (2) different vendors at the various levels within the network to reduce the possibility of compromising the entire network.

SC-7 (2) Boundary Protection
Information systems prevent public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.

SC-7 (3) Boundary Protection
The organization limits the number of access points to the information systems (e.g., prohibiting desktop modems) to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.

SC-7 (4) Boundary Protection
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and the duration of that need;
(e) Reviews exceptions to the traffic flow policy as specified in the system security plan; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.

SC-7 (5) Boundary Protection
At managed interfaces, information systems deny network traffic by default and allow network traffic by exception (i.e., deny all, permit by exception).

SC-7 (7) Boundary Protection
Information systems prevent remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.

SC-8 (1) Transmission Integrity
Information systems protect the integrity of transmitted information.
(1) The organization employs cryptographic mechanisms (e.g., digital signatures, cryptographic hashes) as required by the system security plan to recognize changes to information during transmission unless otherwise protected by alternative physical measures. The application uses integrity checks (e.g., hash algorithms, checksums) to detect errors in data streams of the application data transmitted over the network. The application supports integrity checking mechanisms for file transmissions.
[i] Transmissions are encrypted using a key no less than 128 bits in length, or FIPS 140-2 compliant, whichever is stronger.
[ii] If encryption is not used to transmit data over the WAN, unencrypted cable circuits of copper or fiber optics are an acceptable means of transmitting FTI. If encryption is not used to transmit data over the LAN, the Agency must use other compensating mechanisms (e.g., switched VLAN technology, fiber optic medium, etc.).

SC-9 (1) Transmission Confidentiality
Information systems must protect the confidentiality of transmitted information.
(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
[i] FTI should not be transmitted or used on the Agency's internal e-mail systems. FTI should not be transmitted outside of the Agency, either in the body of an e-mail or as an attachment.
[ii] If transmittal of IRS FTI within the Agency's internal e-mail system is necessary, the following guidelines must be met to protect FTI sent via e-mail:
- Do not send IRS FTI unencrypted in any e-mail messages;
- The file containing IRS FTI must be attached and encrypted;
- Ensure that all messages sent are to the proper address.
[iii] If IRS FTI is transmitted over a LAN or WAN, it is encrypted with FIPS 140-2 validated encryption, using at least a 128-bit encryption key.
{iv} When sending or receiving faxes containing Restricted, Confidential, or Agency Internal data:
- Fax machines must be located in a locked room with a trusted staff member having custodial coverage over outgoing and incoming transmissions, or fax machines must be located in a secured area;
- Accurate broadcast lists and other preset numbers of frequent fax recipients must be maintained; and
- A cover sheet must be used that explicitly provides guidance to the recipient, including a notification of the sensitivity of the data and the need for protection, and a notice to unintended recipients to telephone the sender (collect if necessary) to report the disclosure and confirm destruction of the information.

SC-10 Network Disconnect
Information systems automatically terminate the network connection associated with a communications session at the end of the session, or:
{i} Forcibly de-allocate communications session Dynamic Host Configuration Protocol (DHCP) leases after seven (7) days; and
{ii} Forcibly disconnect inactive VPN connections after thirty (30) minutes of inactivity.

SC-11 Trusted Path
Information systems establish a trusted communications path between the user and, at a minimum, the authentication and re-authentication security functions.
{i} Defined and approved security functions are listed in the system security plan.

SC-12 Cryptographic Key Establishment and Management
The organization establishes and manages cryptographic keys for required cryptography employed within information systems.

SC-13 Use of Cryptography
Information systems implement required cryptographic protections using cryptographic modules that comply with applicable federal/state laws, executive orders, directives, policies, regulations, standards, and guidance.
(i) Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, should be used to specify the security requirements within a security system.
[i] Use Secure Socket Layer (SSL) v2 and SSL v3.
[ii] SSH is not using v1 compatibility; only v2 connections are accepted.

SC-14 Public Access Protections
Information systems protect the integrity and availability of publicly available information and applications.
{i} Ensure that network access controls, operating system file permissions, and application configurations protect the integrity of information stored, processed, and transmitted by publicly accessible systems, as well as the integrity of publicly accessible applications.

SC-15 Collaborative Computing Devices (P3)
Information systems:
a. Prohibit remote activation of collaborative computing devices, for example, networked white boards, cameras, and microphones; and
b. Provide an explicit indication of use to users physically present at the devices. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.
[i] The information system prohibits remote activation of collaborative computing devices unless specific Agency exceptions are in place to allow remote activation.
[ii] Procedures are in place that state the process for prohibiting remote activation of collaborative computing devices.
[iii] The information system has collaborative computing mechanisms but prohibits remote activation of those mechanisms and provides an explicit indication of use to the local users.

SC-17 Public Key Infrastructure Certificates
The organization issues public key certificates under an Agency-defined certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.

SC-18 Mobile Code
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies. Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within information systems.
[i] Mobile code is obtained from a trusted source and is designated as trusted. The mobile code is digitally signed, and the digital signature is properly validated by the client runtime environment prior to execution.
[ii] Unsigned mobile code operating in a constrained environment has no access to local operating system resources and does not attempt to establish network connections to servers other than the application server.

SC-19 Voice over Internet Protocol
The organization, if authorized:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information systems if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within information systems.
{i} The organization prohibits the use of Voice over Internet Protocol (VoIP) technologies unless explicitly authorized, in writing, by the CISO or his/her designated representative.

SC-20 (1) Secure Name/Address Resolution Service (Authoritative Source) (P3)
Information systems provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
(1) Information systems, when operating as part of a distributed, hierarchical namespace, provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.

SC-22 Architecture and Provisioning for Name/Address Resolution Service (P3)
Information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

SC-23 Session Authenticity (P3)
Information systems provide mechanisms to protect the authenticity of communications sessions.
Additional criteria:
[i] The information system provides a capability to protect the authenticity of communications sessions.
[ii] Any service requiring security of communications sessions is secured with the appropriate security technology (e.g., VPN, TLS, SSH).

SC-28 Protection of Information at Rest (P3)
Information systems protect the confidentiality and integrity of information at rest.

SC-32 Information System Partitioning
The organization partitions the information systems into components residing in separate physical domains (or environments) as deemed necessary.

6.4 Privacy Controls

The Privacy program class of controls for an information system provides administrative, technical, and physical safeguards within an organization to protect Personally Identifiable Information (Restricted and Confidential Information). This class consists of eight security policies: Authority and Purpose (AP), Accountability, Audit, and Risk Management (AR), Data Quality and Integrity (DI), Data Minimization and Retention (DM), Individual Participation and Redress (IP), Security (SE), Transparency (TR), and Use Limitation (UL).

6.4.1 (AP) Authority and Purpose Policy and Its Controls

Policy: The organization requires that it (i) identify the legal basis that authorizes a particular Restricted and Confidential Information collection or activity that impacts privacy; and (ii) specify the purposes for which it collects Restricted and Confidential Information in its privacy notices. Table 22 lists the Authority and Purpose (AP) controls for moderate impact systems.

Table 22 Authority and Purpose Controls

AP-1 Authority to Collect
The organization determines the legal authority that permits the collection, use, maintenance, and sharing of Restricted and Confidential information in support of a specific program or information system need.

AP-2 Purpose Specification
The organization describes the purposes for which Restricted and Confidential information is collected, used, maintained, and shared in its privacy notices.

6.4.2 (AR) Accountability, Audit, and Risk Management Policy and Its Controls

Policy: The organization requires compliance with all applicable privacy protection requirements and minimization of its overall privacy risk. This policy is intended to enhance public confidence through effective governance controls, monitoring controls, risk management, and assessment controls. Table 23 lists the Accountability, Audit, and Risk Management controls for moderate impact systems.

Table 23 Accountability, Audit, and Risk Management Controls

AR-1 Governance and Privacy Program
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an Agency-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of Restricted and Confidential information by programs and information systems;
b. Allocates an Agency-defined allocation of budget and staffing resources to implement and operate the organization-wide privacy program;
c. Develops, disseminates, and implements privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving Restricted and Confidential Information;
d. Develops a privacy plan for implementing applicable privacy controls, policies, and procedures; and
e. Updates the privacy plan, policies, and procedures as defined by the Agency.

AR-2 Privacy Impact and Risk Assessment
The organization:
a. Establishes a privacy risk assessment process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, and use of personally identifiable information;
b. Conducts a Privacy Impact Assessment (PIA) for information systems and programs in accordance with Office of Management and Budget (OMB) policy and any existing organizational policies and procedures; and
c. Follows a documented, repeatable process for conducting, reviewing, and approving Privacy Impact Assessments.

AR-3 Privacy Requirements for Contractors and Service Providers
The organization:
a. Establishes and monitors compliance with privacy requirements, including privacy roles and responsibilities, for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents.

AR-4 Privacy Monitoring and Auditing
The organization monitors and audits privacy controls, federal privacy laws and policy, and internal privacy policy at an Agency-defined frequency to ensure effective implementation.

AR-5 Privacy Awareness and Training
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; and
b. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements.

AR-6 Privacy Reporting (P3)
The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB) and Congress to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

6.4.3 (DI) Data Quality and Integrity Policy and Its Controls

Policy: The organization requires compliance with Section 552a(e)(2) of the Privacy Act of 1974 and enhances public confidence that any Restricted and Confidential Information collected and maintained by the organization is accurate, relevant, timely, and complete for the purpose for which it is to be used, as specified in the public notice. Table 24 lists the Data Quality and Integrity controls for moderate impact systems.

Table 24 Data Quality and Integrity Controls

DI-1 Data Quality (P3)
The organization:
a. Confirms, to the extent feasible upon collection or creation of Restricted and Confidential information, the accuracy, relevance, timeliness, and completeness of that Restricted and Confidential and Agency Internal information;
b. Collects Restricted and Confidential information directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated Restricted and Confidential information used by its programs or systems; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.
(1) Where feasible, the organization's systems are configured to record the date Restricted and Confidential Information is collected, created, or updated and when Restricted and Confidential and Agency Internal information is to be deleted or archived under an approved record retention schedule.

DI-2 Data Integrity (P3)
The organization:
a. Documents processes to ensure the integrity of Restricted and Confidential Information through existing security controls; and
b. Establishes a Data Integrity Board, when appropriate, to oversee organizational computer matching agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act.

6.4.4 (DM) Data Minimization and Retention Policy and Its Controls

Policy: The organization implements the data minimization and retention elements of the Privacy Act, which require organizations to collect, use, and retain only Restricted and Confidential Information that is relevant and necessary for the specified purpose for which it was originally collected. The organization retains Restricted and Confidential Information for only as long as necessary to fulfill the specified purposes and in accordance with a National Archives and Records Administration (NARA)-approved record retention schedule.

Table 25 lists the Data Minimization and Retention controls for moderate impact systems.

Table 25 Data Minimization and Retention Controls

DM-1 Minimization of Personally Identifiable Information
  a. Identifies the minimum Restricted and Confidential and Agency Internal information elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
  b. Limits the collection and retention of Restricted and Confidential Information to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
  c. Conducts an initial evaluation and performs periodic evaluations of its holdings of Restricted and Confidential Information to ensure that only the Restricted and Confidential and Agency Internal information identified in the notice is collected and retained, and that the Restricted and Confidential Information continues to be necessary to accomplish the legally authorized purpose.
  (1) Where feasible and within the limits of technology, the organization locates and removes or redacts specified Restricted and Confidential Information and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.

DM-2 Data Retention and Disposal
  a. Retains Restricted and Confidential Information for only as long as is necessary to fulfill the purpose(s) identified in the notice or as required by law;
  b. Appropriately disposes of Restricted and Confidential Information when it is no longer necessary to retain it;
  c. Systematically destroys, erases, and/or anonymizes the Restricted and Confidential Information regardless of the method of storage (e.g., electronic, optical media, or paper-based) in accordance with a National Archives and Records Administration (NARA)-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
  d. Uses audits and appropriate technology to ensure secure deletion or destruction of Restricted and Confidential Information (including originals, copies, and archived records).
  1. Audit trails of Restricted Data should be archived for six (6) years.
  2. Confidential log data should be archived for six (6) years.

6.4.5 (IP) Individual Participation and Redress Policy and Its Controls

Policy: The organization requires that individuals be active participants in the decision-making process regarding the collection and use of their Restricted and Confidential Information, as required by the Privacy Act. The controls in this family enhance public confidence in Agency decisions that are based on Restricted and Confidential Information by providing individuals with access to their Restricted and Confidential Information and the ability to have it corrected or amended, as appropriate.

Table 26 lists the Individual Participation and Redress controls for moderate impact systems.

Table 26 Individual Participation and Redress Controls

IP-1 Consent (Priority P3)
  a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintenance, and sharing of Restricted and Confidential Information prior to its collection;
  b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of Restricted and Confidential Information; and
  c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected Restricted and Confidential Information.
  (1) Implements mechanisms to support itemized or tiered consent for specific uses of data.

IP-2 Access (Priority P3)
  The organization provides individuals the ability to have access to their Restricted and Confidential Information maintained in its systems of records in order to determine whether to have the Restricted and Confidential Information corrected or amended, as appropriate.

IP-3 Redress (Priority P3)
  a. Provides a process for individuals to have inaccurate Restricted and Confidential Information maintained by the organization corrected or amended, as appropriate; and
  b. Establishes a process for disseminating corrections or amendments of the Restricted and Confidential Information to other authorized users of the Restricted and Confidential Information, such as external information sharing partners, and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.

IP-4 Complaint Management
  The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.

6.4.6 (SE) Security Policy and Its Controls

Policy: The organization requires that administrative, technical, and physical measures are in place to protect Restricted and Confidential Information collected or maintained by agencies against loss, unauthorized access, or disclosure, as required by the Privacy Act, and requires that Agency planning and responses to privacy incidents comply with OMB policies and guidance. The controls in this family are implemented in coordination with information security personnel using the existing NIST Risk Management Framework.

Table 27 lists the Security controls for moderate impact systems.

Table 27 Security Controls

SE-1 Inventory of Personally Identifiable Information
  a. Establishes, maintains, and regularly updates a Restricted and Confidential Information inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing Restricted and Confidential Information; and
  b. Provides each update of the Restricted and Confidential Information inventory to the CIO or other information security officials to support the establishment of appropriate information security requirements for all new or modified information systems containing Restricted and Confidential Information.

SE-2 Privacy Incident Response
  a. Develops and implements a Privacy Incident Response Plan; and
  b. Provides an organized and effective response to incidents of unauthorized exposure of Agency-controlled Restricted and Confidential Information, in accordance with the Agency Privacy Incident Response Plan.

6.4.7 (TR) Transparency Policy and Its Controls

Policy: The organization requires that agencies implement Sections 552a(e)(3) and (e)(4) of the Privacy Act and Section 208 of the E-Government Act, which require public notice of an Agency's information practices and the privacy impact of government programs and activities.

Table 28 lists the Transparency controls for moderate impact systems.

Table 28 Transparency Controls

TR-1 Privacy Notice
  a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of Restricted and Confidential Information; (ii) authority for collecting Restricted and Confidential Information; and (iii) the choices, if any, individuals may have regarding how the organization uses Restricted and Confidential Information and the consequences of exercising or not exercising those choices;
  b. Describes: (i) the Restricted and Confidential Information the organization collects and the purposes for which it collects that information; (ii) how the organization uses Restricted and Confidential Information internally; (iii) whether the organization shares Restricted and Confidential Information with external entities and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of Restricted and Confidential Information and how to exercise any such consent; (v) how individuals may obtain access to Restricted and Confidential Information for the purpose of having it amended or corrected, where appropriate; and (vi) how the Restricted and Confidential Information will be protected;
  c. Revises its public notices to reflect changes in practice or policy that affect Restricted and Confidential Information or changes in its activities that impact privacy; and
  d. Ensures (e.g., through updated public notice) that individuals are aware of and, where feasible, consent to all uses of Restricted and Confidential Information not initially described in the public notice that was in effect at the time the organization collected the Restricted and Confidential Information.
  (1) Each Agency provides real-time (i.e., at the point of collection) notice when it collects Restricted and Confidential Information.

TR-2 Dissemination of Privacy Program Information
  a. Ensures that the public has access to information about its privacy activities and is able to communicate with its privacy officials; and
  b. Ensures that its privacy practices are published in Privacy Impact Assessments (PIAs) and System of Records Notices (SORNs) and that all publicly available privacy reports and newsletters are made available either through organizational Web sites or otherwise.

6.4.8 (UL) Use Limitation Policy and Its Controls

Policy: The organization requires that agencies comply with the Privacy Act, which prohibits uses of Restricted and Confidential Information that are either not specified in notices, incompatible with the specified purposes, or not otherwise permitted by law. Implementation of the controls in this family requires that the scope of Restricted and Confidential Information use be limited accordingly.

Table 29 lists the Use Limitation controls for moderate impact systems.

Table 29 Use Limitation Controls

UL-1 Use Limitation
  The organization uses Restricted and Confidential Information internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.

UL-2 Information Sharing
  a. Shares Restricted and Confidential Information with third parties, including other public and private sector entities, only for the authorized purposes identified in the Privacy Act and/or described in its notices or in a manner compatible with those purposes;
  b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements with third parties that specifically enumerate the purposes for which Restricted and Confidential Information may be used;
  c. Monitors, audits, and trains its staff on the authorized uses and sharing of Restricted and Confidential Information with third parties; and
  d. Establishes and implements a process for evaluating any proposed new instances of sharing Restricted and Confidential Information with third parties to assess whether they are authorized and whether additional or new public notice is required.

UL-3 System Design and Development (Priority P3)
  The organization designs information systems to collect, use, maintain, and share Restricted and Confidential Information only for the authorized purposes specified in the Privacy Act and/or organizational public notice(s) or for uses compatible with those purposes.

7. Security Controls Catalog Exceptions

Exceptions will be reported to the Deputy Executive Commissioner, Information Technology (DEC-IT).