State of South Carolina Policy Guidance and Training

Similar documents
State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training

DIVISION OF INFORMATION SECURITY (DIS)

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

State of South Carolina Policy Guidance and Training

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Risk Management Guide for Information Technology Systems. NIST SP Overview

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

State of Oregon. State of Oregon 1

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

FedRAMP Standard Contract Language

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Information Security for Managers

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

Data Management Policies. Sage ERP Online

How To Manage A Vulnerability Management Program

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

PHASE 5: DESIGN PHASE

Patch Management. Module VMware Inc. All rights reserved

Standard: Web Application Development

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Cybersecurity and internal audit. August 15, 2014

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Infrastructure Information Security Assurance (ISA) Process

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PII Compliance Guidelines

Information Security. Incident Management Program. What is an Incident Management Program? Why is it needed?

Audit of the Department of State Information Security Program

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Patch Management Procedure. Andrew Marriott PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1

Integrated Governance, Risk and Compliance (igrc) Approach

External Penetration Assessment and Database Access Review

FSIS DIRECTIVE

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Building a Security Program that Protects an Organizations Most Critical Assets

How To Implement An Enterprise Resource Planning Program

Publication 805-A Revision: Certification and Accreditation

VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Development, Acquisition, Implementation, and Maintenance of Application Systems

Office of Inspector General

From Chaos to Clarity: Embedding Security into the SDLC

BSM for IT Governance, Risk and Compliance: NERC CIP

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

FISMA Compliance: Making the Grade

Submitted by: Christopher Mead, Director, Department of Information Technology

Vulnerability Audit: Why a Vulnerability Scan Isn t Enough. White Paper

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

CTR System Report FISMA

John Essner, CISO Office of Information Technology State of New Jersey

FINAL Version 1.0 June 25, 2014

Information Blue Valley Schools FEBRUARY 2015

Strategic Plan On-Demand Services April 2, 2015

CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Critical Controls for Cyber Security.

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Attachment A. Identification of Risks/Cybersecurity Governance

SMITHSONIAN INSTITUTION

Security Testing and Vulnerability Management Process. e-governance

CITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard

CMS Information Security Risk Assessment (RA) Methodology

THE BLUENOSE SECURITY FRAMEWORK

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Services Providers. Ivan Soto

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

IT Risk & Security Specialist Position Description

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

The Value of Vulnerability Management*

STATE OF ARIZONA Department of Revenue

Domain 1 The Process of Auditing Information Systems

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

FREQUENTLY ASKED QUESTIONS

Information Technology General Controls And Best Practices

SIEM Implementation Approach Discussion. April 2012

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Click to edit Master title style. How To Choose The Right MSSP

WHO WE ARE 3/31/2016. Philip Chukwuma, CTO, Securely Yours LLC Jayne Suess, Senior Security Analyst, Erie Insurance

Information Technology Strategic Plan /23/2013

SANS Top 20 Critical Controls for Effective Cyber Defense

SACM Vulnerability Assessment Scenario IETF 94 11/05/2015

Patch and Vulnerability Management Program

NERC CIP VERSION 5 COMPLIANCE

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

CISM ITEM DEVELOPMENT GUIDE

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Transcription:

DRAFT For Discussion Purposes Only State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Information Systems (IS) Acquisitions, Development, and Maintenance Policy April/May 2014

DRAFT For Discussion Purposes Only Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy Overview: IS Acquisitions, Maintenance, and Development Policy Risk Assessment Framework & IS Acquisitions, Maintenance, and Development Policy Next Steps 2

Questions & Follow-Up DRAFT For Discussion Purposes Only

DRAFT For Discussion Purposes Only Policy Workshop Q&As The following questions were raised during the Access Control policy workshop for all Agencies: Question #1 For third party hosted systems, does the third party need to be certified (e.g., SSAE 16) or provide reporting back to the Agency? Are there any mandatory requirements from DIS? Answer #1: IS Acquisitions, Maintenance and Development and IT Risk Management policies provide guidance that Agencies need to monitor the third parties on an ongoing basis to ensure compliance with security requirements. Method and approach used is left up to the Agencies discretion. Question #2: Will DIS be recommending an asset management software? Answer #2: DIS has no current recommendations on the asset management software. 4

DRAFT For Discussion Purposes Only Policy Workshop Q&As (continued) The following questions were raised during the Access Control policy workshop for all Agencies: Question #3 When will the DIS InfoSec policies become final? Answer #3: Policy comment period has closed. InfoSec policies are being finalized by the DIS. Agencies should not refrain from making progress as no major or substantial changes will be made based on feedback received. All policies have been posted on the DIS website under the Policies tab (http://dis.sc.gov/policies/pages/default.aspx). Question #4 When will the training materials be posted on DIS website? Answer #4: The training materials and schedules are uploaded on the DIS website under the Resources tab (http://dis.sc.gov/policies/pages/default.aspx). 5

DRAFT For Discussion Purposes Only Policy Workshops Overview & Timeline

Activities Agencies TO DOs DRAFT For Discussion Purposes Only Policy Workshop: Timeline Objective: Conduct bi-weekly policy workshops with selected agencies to review information security policies, address implementation challenges, risks and assist on gap analysis and action plans with the Agency-designated policy champions. March April May June July August Policy: Policies: Policies: Policies: Policies: Policy: Asset Management Data Protection & Privacy Access Control Information System Acquisition, Development, Maintenance Threat and Vulnerability Management Business Continuity Management IT Risk Strategy Mobile Security HR & Security Awareness Physical & Environmental Security Facilitate bi-weekly Agency group workshops Review statewide policies Address key policy implementation challenges Conduct mini-gap analysis Discuss policy implementation plans Review Statewide policies and conduct mini-gap analysis Actively participate in breakout groups to discuss gaps and implementation challenges Identify remediation strategies and policy implementation plans 7

DRAFT For Discussion Purposes Only Policy Overview: IS Acquisitions, Development, and Maintenance Policy

DRAFT For Discussion Purposes Only IS Acquisitions Development and Maintenance: Key Requirements Change Management Configuration Change Control Agency shall incorporate the following recommendations for the change control process: Determine the impact on the system and its functionality through change requests; Implement a process to categorize, prioritize and authorize changes to the information system; Formally manage changes to production environment Review and test information systems after major changes to operating systems Obtain management approvals Perform post-implementation reviews 9

DRAFT For Discussion Purposes Only IS Acquisitions Development and Maintenance: Configuration Change Control The process below provides a graphic representation of Configuration Change Control Change Requested through change request process Postimplementation review conducted Change categorized, prioritized & authorized Change initiated Obtain management approval for change Change reviewed & tested 10

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only Configuration Management Baseline Configuration Agency shall manage changes to baseline configurations prior to implementing changes through: Identification Review Security impact analysis Testing Approval. Agency shall establish and maintain a central repository of all baseline configurations and restrict access to prevent unauthorized changes. Agency shall retain older versions of baseline configurations. Agency shall review and update baseline configurations periodically. 11

DRAFT For Discussion Purposes Only IS Acquisitions Development and Maintenance: Baseline Configuration Management The process below provides a graphic representation of a Baseline Configuration Management Formally Approve Baseline Configurations Manage Changes to Baseline Configurations Maintain Central Repository of All Baseline Configurations Retain Older Versions of Baseline Configurations Review and Update Baseline Configurations 12

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only System Development and Maintenance System Security Plan (SSP) Agency shall ONLY document SSPs for: 1) Mission Critical enterprise information systems, or 2) Systems under development An SSP shall describe the controls for the system life cycle: development, testing, review, approval, etc. (NIST template can be accessed at http://csrc.nist.gov/publications/nistpubs/800-18-rev1/sp800-18-rev1- final.pdf) If a qualifying system is modified, the documentation shall be updated accordingly. Vulnerability Scanning Agency shall perform vulnerability assessments on information systems undergoing significant changes prior to being moved into production. 13

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only System Development and Maintenance Vulnerability Scanning (cont d) Agency shall establish remediation measures to address the findings of vulnerability assessments. Agency shall assess, monitor and address information system-related vulnerability notifications from vendors System and Services Acquisition Policy and Procedures Agency shall ensure that all IT procurement contracts interest. protect State s System Development Life Cycle Agency shall implement security controls at all stages of the information system development life cycle. 14

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only System Development and Maintenance External Information System Services Agency shall monitor outsourced (i.e. third party) software development. Developer Security Testing and Evaluation Agency shall establish separate development, environments. testing, and production Agency shall only use sanitized production data for testing purposes. When production data is temporarily used in testing Agency shall: Obtain management approval Remove post-test data Document related activities environment, the 15

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only System Development and Maintenance Flaw Remediation Agency shall ensure correct processing of user-developed applications and information systems data. Agency shall apply software patches to remove or reduce security weaknesses. Security Alerts, Advisories, and Directives Agency shall collect patch alerts, advisories, and directives on an ongoing basis (frequency will be determined by the Agency). Agency shall designate personnel to monitor vulnerabilities and vendors patches and fixes. 16

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only System Development and Maintenance Software, Firmware, and Information Integrity Agency s upgrades to information systems due to new releases shall be based on: Business requirements for the change; Security of the release (e.g., the number and severity of security problems affecting this version). Agency shall test critical operating system (OS) changes and updates in the test environment ONLY. Information Input Validation Agency shall test the validity of information inputs and outputs. Agency shall detect information system processing errors and inadvertent or deliberate activities. 17

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only System Development and Maintenance Session Authenticity Agency shall identify controls to: Ensure session authenticity; Protect message integrity in applications; and Protect information transmission to and from information systems. Release Management Allocation of Resources Agency shall ensure that production-ready release packages have been deployed using the release management lifecycle. 18

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only Release Management Allocation of Resources Agency s release planning process shall include: Resources required to deploy release; Pass / fail criteria; Build and test plans prior to implementation; Pilot and deployment plans; and Develop requirements for the release. Deploy Test Pilot Plan Release Management Cycle Build Prepare 19

IS Acquisitions Development and Maintenance: Key Requirements (Cont d) DRAFT For Discussion Purposes Only Release Management Information System Documentation Agency shall document processes for management of IT release lifecycle and release prioritization. Agency shall ensure that release designs are aligned with the requirements and identifying risks and potential issues. Security Engineering Principles Agency shall use the change request process to deploy releases into production. 20

Risk Assessment Framework & IS Acquisitions, Maintenance, and Development Policy DRAFT For Discussion Purposes Only

DRAFT For Discussion Purposes Only Risk Assessment Framework The Risk Assessment Framework, based on the National Institute of Standards and Technology (NIST 800-53), was used as the basis to assess risk across the State Agencies using the fifteen (15) security domains (noted below): 22

DRAFT For Discussion Purposes Only IS Acquisitions, Development, and Maintenance Policy: Risks & Remediation Strategies Risk assessments conducted with State Agencies uncovered a number of risks in environments with inadequately implemented Access Control Policy and procedures. Remediation strategies were created to help Agencies address gaps and implement necessary safeguards. Examples Overall Risks Identified Gaps Remediation Strategies Sensitive data exposure during code testing Technical risk to security posture of Agency Lack of developer training leads to sub-standard code development 23 Agencies do not conduct code reviews and peer reviews prior to making changes to the production environment Agencies have not established an enterprise-wide Systems Develop Life Cycle (SDLC) Production data is copied into development environments without proper security considerations Developers are not provided information security trainings such as secure coding practices or secure development standards Establish code review and peer review procedures in the system development life cycle Establish a enterprise-wide SDLC Establish three environments - production, test and development to conduct code testing Provide code developers with training related to industry best practices related to secure coding practices and development standards

DRAFT For Discussion Purposes Only IS Acquisitions, Development, and Maintenance Policy: Challenges & Remediation Strategies for all Agencies Sample Challenges Examples Potential Solutions Collecting Performance Metrics Lack of a structured communications process Develop a process to collect software metrics and which is approved by management Request end-user participation in the collection of metrics Establish a structured communication process to solicit inputs from end users Encourage period debriefs between the developer community and the end user. Segregation of Duties Establish separate roles for code development and code review Securing code post approval, however, prior to implementation in the production environment Emergency changes to production software Code ready for production could be secured in a test server prior to its release to production Access to this server can be restricted only to authorized personnel Develop an emergency change management process involving only the required number of authorized personnel. Ensure all such changes are reviewed and approved by a member of the security team (i.e., information security officer or equivalent) and approved by an authorized individual (i.e., IT director or equivalent) 24

Next Steps DRAFT For Discussion Purposes Only

DRAFT For Discussion Purposes Only Next Steps 1. Develop or update Agency s InfoSec policies to align with published State policies 2. Conduct Policy Gap Analysis 3. Develop Policy Implementation Plan of Action 4. Develop processes to enable the implementation of InfoSec Policies 5. Promote Agency-wide InfoSec policies awareness 6. Coordinate with DIS on training and guidance 26

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information