Information Technology Policy

Dollarlabs, an alias of LESLETECH VENTURES PRIVATE LIMITED

Information Technology Policy — Policy No: 1

Policy Name:
Information Security
Updated:
Issued By:
Dollarlabs
Owner:
Abel Lesle

1.0 Purpose and Benefits

This policy defines the mandatory minimum information security requirements for the entity as defined below in Section 3.0 Scope. Any entity may, based on its individual business needs and specific legal and federal requirements, exceed the security requirements put forth in this document, but must, at a minimum, achieve the security levels required by this policy.

This policy acts as an umbrella document to all other security policies and associated standards. This policy defines the responsibility to:

  • protect and maintain the confidentiality, integrity and availability of information and related infrastructure assets;
  • manage the risk of security exposure or compromise;
  • assure a secure and stable information technology (IT) environment;
  • identify and respond to events involving information asset misuse, loss or unauthorized disclosure;
  • monitor systems for anomalies that might indicate compromise; and
  • promote and increase the awareness of information security.

Failure to secure and protect the confidentiality, integrity and availability of information assets in today's highly networked environment can damage or shut down systems that operate critical infrastructure, financial and business transactions and vital government functions; compromise data; and result in legal and regulatory non-compliance.

This policy benefits entities by defining a framework that will assure appropriate measures are in place to protect the confidentiality, integrity and availability of data; and assure staff and all other affiliates understand their role and responsibilities, have adequate knowledge of security policy, procedures and practices and know how to protect information.

2.0 Authority

Organization Information

Company Name:
LESLETECH VENTURES PRIVATE LIMITED
Trading As:
Dollarlabs™
Registered Address:
227 LAKSHMI NAGAR COIMBATORE NORTH SARAVANAMPATTI
COIMBATORE-641035
TAMILNADU, INDIA
Contact Email:
hi@dollarlabs.io

3.0 Scope

This policy encompasses all systems, automated and manual, for which the entity has administrative responsibility, including systems managed or hosted by third parties on behalf of the entity. It addresses all information, regardless of the form or format, which is created or used in support of business activities.

4.0 Information Statement

Organizational Security

Information security requires both an information risk management function and an information technology security function. Depending on the structure of the entity, an individual or group can serve in both roles, or a separate individual or group can be designated for each role. It is recommended that these functions be performed by a high-level executive or a group that includes high-level executives.

Each entity must designate an individual or group to be responsible for the risk management function assuring that:

  • risk-related considerations for information assets and individual information systems, including authorization decisions, are viewed from an enterprise-wide perspective with regard to the overall strategic goals and objectives of carrying out its core missions and business functions; and
  • the management of information assets and information system-related security risks is consistent, reflects the entity's risk tolerance, and is considered along with other types of risks, to ensure mission/business success.

Each entity must designate an individual or group to be responsible for the technical information security function. For purposes of clarity and readability, this policy will refer to the individual, or group, designated as the Information Security Officer (ISO)/designated security representative. This function will be responsible for evaluating and advising on information security risks.

Information security risk decisions must be made through consultation with both functional areas described above.

Although the technical information security function may be outsourced to third parties, each entity retains overall responsibility for the security of the information that it owns.

Functional Responsibilities

Executive management is responsible for:

  • evaluating and accepting risk on behalf of the entity;
  • identifying information security responsibilities and goals and integrating them into relevant processes;
  • supporting the consistent implementation of information security policies and standards;
  • supporting security through clear direction and demonstrated commitment of appropriate resources;
  • promoting awareness of information security best practices through the regular dissemination of materials provided by the ISO/designated security representative;
  • implementing the process for determining information classification and categorization, based on industry recommended practices, organization directives, and legal and regulatory requirements, to determine the appropriate levels of protection for that information;
  • implementing the process for information asset identification, handling, use, transmission, and disposal based on information classification and categorization;
  • determining who will be assigned and serve as information owners while maintaining ultimate responsibility for the confidentiality, integrity, and availability of the data;
  • participating in the response to security incidents;
  • complying with notification requirements in the event of a breach of private information;
  • adhering to specific legal and regulatory requirements related to information security;
  • communicating legal and regulatory requirements to the ISO/designated security representative; and
  • communicating requirements of this policy and the associated standards, including the consequences of non-compliance, to the workforce and third parties, and addressing adherence in third party agreements.

The ISO/designated security representative is responsible for:

  • maintaining familiarity with business functions and requirements;
  • maintaining an adequate level of current knowledge and proficiency in information security through annual Continuing Professional Education (CPE) credits directly related to information security;
  • assessing compliance with information security policies and legal and regulatory information security requirements;
  • evaluating and understanding information security risks and how to appropriately manage those risks;
  • representing and assuring security architecture considerations are addressed;
  • advising on security issues related to procurement of products and services;
  • escalating security concerns that are not being adequately addressed according to the applicable reporting and escalation procedures;
  • disseminating threat information to appropriate parties;
  • participating in the response to potential security incidents;
  • participating in the development of enterprise policies and standards that consider the entity's needs; and
  • promoting information security awareness.

IT management is responsible for:

  • supporting security by providing clear direction and consideration of security controls in the data processing infrastructure and computing network(s) which support the information owners;
  • providing resources needed to maintain a level of information security control consistent with this policy;
  • identifying and implementing all processes, policies and controls relative to security requirements defined by the business and this policy;
  • implementing the proper controls for information owned based on the classification designations;
  • providing training to appropriate technical staff on secure operations (e.g., secure coding, secure configuration);
  • fostering the participation of information security and technical staff in protecting information assets, and in identifying, selecting and implementing appropriate and cost-effective security controls and procedures; and
  • implementing business continuity and disaster recovery plans.

The workforce is responsible for:

  • understanding the baseline information security controls necessary to protect the confidentiality, integrity and availability of information entrusted to them;
  • protecting information and resources from unauthorized use or disclosure;
  • protecting personal, private, sensitive information from unauthorized use or disclosure;
  • abiding by the Acceptable Use of Information Technology Resources Policy; and
  • reporting suspected information security incidents or weaknesses to the appropriate manager and ISO/designated security representative.

The CISO is responsible for:

  • providing in-house expertise as security consultants as needed;
  • developing the security program and strategy, including measures of effectiveness;
  • establishing and maintaining enterprise information security policy and standards;
  • assessing compliance with security policies and standards;
  • advising on secure system engineering;
  • providing incident response coordination and expertise;
  • monitoring networks for anomalies;
  • monitoring external sources for indications of data breaches, defacements, etc.;
  • maintaining ongoing contact with security groups/associations and relevant authorities;
  • providing timely notification of current threats and vulnerabilities; and
  • providing awareness materials and training resources.

Separation of Duties

To reduce the risk of accidental or deliberate system misuse, separation of duties and areas of responsibility must be implemented where appropriate.

Whenever separation of duties is not technically feasible, other compensatory controls must be implemented, such as monitoring of activities, audit trails and management supervision.

The audit and approval of security controls must always remain independent and segregated from the implementation of security controls.

Information Risk Management

Any system or process that supports business functions must be appropriately managed for information risk and undergo information risk assessments, at a minimum annually, as part of a secure system development life cycle.

Information security risk assessments are required for new projects, implementations of new technologies, significant changes to the operating environment, or in response to the discovery of a significant vulnerability.

Entities are responsible for selecting the risk assessment approach they will use based on their needs and any applicable laws, regulations, and policies.

Risk assessment results, and the decisions made based on these results, must be documented.

Associated Standard: Information Security Risk Management Standard; Secure System Development Lifecycle (SSDLC) Standard

Information Classification and Handling

  • All information, which is created, acquired or used in support of business activities, must only be used for its intended business purpose.
  • All information assets must have an information owner established within the lines of business.
  • Information must be properly managed from its creation, through authorized use, to proper disposal.
  • All information must be classified on an ongoing basis based on its confidentiality, integrity and availability characteristics.
  • An information asset must be classified based on the highest level necessitated by its individual data elements.
  • If the entity is unable to determine the confidentiality classification of information, or the information is personally identifying information (PII), the information must have a high confidentiality classification and, therefore, is subject to high confidentiality controls.
  • Merging of information which creates a new information asset or situations that create the potential for merging (e.g., backup tape with multiple files) must be evaluated to determine if a new classification of the merged data is warranted.
  • All reproductions of information in its entirety must carry the same confidentiality classification as the original. Partial reproductions need to be evaluated to determine if a new classification is warranted.
  • Each classification has an approved set of baseline controls designed to protect these classifications and these controls must be followed.
  • The entity must communicate the requirements for secure handling of information to its workforce.
  • A written or electronic inventory of all information assets must be maintained.
  • Content made available to the general public must be reviewed according to a process that will be defined and approved by the entity. The process must include the review and approval of updates to publicly available content and must consider the type and classification of information posted.
  • PII must not be made available without appropriate safeguards approved by the entity.
  • For non-public information to be released outside the entity or shared between other entities, a process must be established that, at a minimum:
    • evaluates and documents the sensitivity of the information to be released or shared;
    • identifies the responsibilities of each party for protecting the information;
    • defines the minimum controls required to transmit and use the information;
    • records the measures that each party has in place to protect the information;
    • defines a method for compliance measurement;
    • provides a signoff procedure for each party to accept responsibilities; and
    • establishes a schedule and procedure for reviewing the controls.

Associated Standards: Information Classification Standard; Sanitization/Secure Disposal Standard

IT Asset Management

  • All IT hardware and software assets must be assigned to a designated business unit or individual.
  • Entities are required to maintain an inventory of hardware and software assets, including all system components (e.g., network address, machine name, software version) at a level of granularity deemed necessary for tracking and reporting. This inventory must be automated where technically feasible.
  • Processes, including regular scanning, must be implemented to identify unauthorized hardware and/or software and notify appropriate staff when discovered.

Associated Standard: Secure Configuration Standard

Personnel Security

  • The workforce must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire. Additional training on specific security procedures, if required, must be completed before access is provided to specific entity sensitive information not covered in the general security training. All security training must be reinforced at least annually and must be tracked by the entity.
  • An entity must require its workforce to abide by the Acceptable Use of Information Technology Resources Policy, and an auditable process must be in place for users to acknowledge that they agree to abide by the policy's requirements.
  • All job positions must be evaluated by the entity to determine whether they require access to sensitive information and/or sensitive information technology assets.
  • For those job positions requiring access to sensitive information and sensitive information technology assets, entities must conduct workforce suitability determinations, unless prohibited from doing so by law, regulation or contract. Depending on the risk level, suitability determinations may include, as appropriate and permissible, evaluation of criminal history record information or other reports from federal, state and private sources that maintain public and non-public records. The suitability determination must provide reasonable grounds for the entity to conclude that an individual will likely be able to perform the required duties and responsibilities of the subject position without undue risk to the entity.
  • A process must be established within the entity to repeat or review suitability determinations periodically and upon change of job duties or position.
  • Entities are responsible for ensuring all issued property is returned prior to an employee's separation and accounts are disabled and access is removed immediately upon separation.

Associated Standard: Account Management/Access Control Standard

Cyber Incident Management

  • Entities must have an incident response plan, consistent with applicable standards, to effectively respond to security incidents.
  • All observed or suspected information security incidents or weaknesses are to be reported to appropriate management and the ISO/designated security representative as quickly as possible. If a member of the workforce feels that cyber security concerns are not being appropriately addressed, they may confidentially contact the Security Operations Center directly.
  • The Security Operations Center must be notified of any cyber incident which may have a significant or severe impact on operations or security, or which involves digital forensics, to follow proper incident response procedures and guarantee coordination and oversight.

Associated Standard: Cyber Incident Response Standard

Physical and Environmental Security

  • Information processing and storage facilities must have a defined security perimeter and appropriate security barriers and access controls.
  • A periodic risk assessment must be performed for information processing and storage facilities to determine whether existing controls are operating correctly and if additional physical security measures are necessary. These measures must be implemented to mitigate the risks.
  • Information technology equipment must be physically protected from security threats and environmental hazards. Special controls may also be necessary to protect supporting infrastructure and facilities such as electrical supply and cabling infrastructure.
  • All information technology equipment and information media must be secured to prevent compromise of confidentiality, integrity, or availability in accordance with the classification of information contained therein.
  • Visitors to information processing and storage facilities, including maintenance personnel, must be escorted at all times.

Associated Standard: Information Security Risk Management Standard

Account Management and Access Control

  • All accounts must have an individual employee or group assigned to be responsible for account management. This may be a combination of the business unit and information technology (IT).
  • Except as described in the Account Management/Access Control Standard, access to systems must be provided through the use of individually assigned unique identifiers, known as user-IDs.
  • Associated with each user-ID is an authentication token (e.g., password, key fob, biometric) which must be used to authenticate the identity of the person or system requesting access.
  • Automated techniques and controls must be implemented to lock a session and require authentication or re-authentication after a period of inactivity for any system where authentication is required. Information on the screen must be replaced with publicly viewable information (e.g., screen saver, blank screen, clock) during the session lock.
  • Automated techniques and controls must be implemented to terminate a session after specific conditions are met as defined in the Account Management/Access Control Standard.
  • Tokens used to authenticate a person or process must be treated as confidential and protected appropriately.
  • Tokens must not be stored on paper, or in an electronic file, hand-held device or browser, unless they can be stored securely and the method of storing (e.g., password vault) has been approved by the ISO/designated security representative.
  • Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.).
  • Access privileges will be granted in accordance with the user's job responsibilities and will be limited only to those necessary to accomplish assigned tasks in accordance with entity missions and business functions (i.e., least privilege).
  • Users of privileged accounts must use a separate, non-privileged account when performing normal business transactions (e.g., accessing the Internet, e-mail).
  • Logon banners must be implemented on all systems where that feature exists to inform all users that the system is for business or other approved use consistent with policy, and that user activities may be monitored and the user should have no expectation of privacy.
  • Advance approval for any remote access connection must be provided by the entity. An assessment must be performed and documented to determine the scope and method of access, the technical and business risks involved and the contractual, process and technical controls required for such connection to take place.
  • All remote connections must be made through managed points-of-entry reviewed by the ISO/designated security representative.
  • Working from a remote location must be authorized by management and practices which assure the appropriate protection of data in remote environments must be shared with the individual prior to the individual being granted remote access.

Associated Standards: Account Management/Access Control Standard; Authentication Tokens Standard; Remote Access Standard; Security Logging Standard

Systems Security

Systems include but are not limited to servers, platforms, networks, communications, databases and software applications.

  • An individual or group must be assigned responsibility for maintenance and administration of any system deployed on behalf of the entity. A list of assigned individuals or groups must be centrally maintained.
  • Security must be considered at system inception and documented as part of the decision to create or modify a system.
  • All systems must be developed, maintained and decommissioned in accordance with a secure system development lifecycle (SSDLC).
  • Each system must have a set of controls commensurate with the classification of any data that is stored on or passes through the system.
  • All system clocks must synchronize to a centralized reference time source set to UTC (Coordinated Universal Time) which is itself synchronized to at least three synchronized time sources.
  • Environments and test plans must be established to validate the system works as intended prior to deployment in production.
  • Separation of environments (e.g., development, test, quality assurance, production) is required, either logically or physically, including separate environmental identifications (e.g., desktop background, labels).
  • Formal change control procedures for all systems must be developed, implemented and enforced. At a minimum, any change that may affect the production environment and/or production data must be included.

Databases and Software (including in-house or third-party developed software and commercial off-the-shelf (COTS) software):

  • All software written for or deployed on systems must incorporate secure coding practices, to avoid the occurrence of common coding vulnerabilities and to be resilient to high-risk threats, before being deployed in production.
  • Once test data is developed, it must be protected and controlled for the life of the testing in accordance with the classification of the data.
  • Production data may be used for testing only if a business case is documented and approved in writing by the information owner and the following controls are applied:
    • All security measures, including but not limited to access controls, system configurations and logging requirements for the production data are applied to the test environment and the data is deleted as soon as the testing is completed; or
    • sensitive data is masked or overwritten with fictional information.
  • Where technically feasible, development software and tools must not be maintained on production systems.
  • Where technically feasible, source code used to generate an application or software must not be stored on the production system running that application or software.
  • Scripts must be removed from production systems, except those required for the operation and maintenance of the system.
  • Privileged access to production systems by development staff must be restricted.
  • Migration processes must be documented and implemented to govern the transfer of software from the development environment up through the production environment.

Network Systems:

  • Connections between systems must be authorized by the executive management of all relevant entities and protected by the implementation of appropriate controls.
  • All connections and their configurations must be documented and the documentation must be reviewed by the information owner and the ISO/designated security representative annually, at a minimum, to assure:
    • the business case for the connection is still valid and the connection is still required; and
    • the security controls in place (filters, rules, access control lists, etc.) are appropriate and functioning correctly.
  • A network architecture must be maintained that includes, at a minimum, tiered network segmentation between:
    • Internet accessible systems and internal systems;
    • systems with high security categorizations (e.g., mission critical, systems containing PII) and other systems; and
    • user and server segments.
  • Network management must be performed from a secure, dedicated network.
  • Authentication is required for all users connecting to internal systems.
  • Network authentication is required for all devices connecting to internal networks.
  • Only authorized individuals or business units may capture or monitor network traffic.
  • A risk assessment must be performed in consultation with the ISO/designated security representative before the initiation of, or significant change to, any network technology or project, including but not limited to wireless technology.

Associated Standards: Secure System Development Lifecycle Standard; Secure Coding Standard; Security Logging Standard; Secure Configuration Management Standard

Collaborative Computing Devices

Collaborative computing devices must:

  • prohibit remote activation; and
  • provide users physically present at the devices with an explicit indication of use.

Entities must provide simple methods to physically disconnect collaborative computing devices.

Vulnerability Management

  • All systems must be scanned for vulnerabilities before being installed in production and periodically thereafter.
  • All systems are subject to periodic penetration testing.
  • Penetration tests are required periodically for all critical environments/systems.
  • Where the entity has outsourced a system to another entity or a third party, vulnerability scanning/penetration testing must be coordinated.
  • Scanning/testing and mitigation must be included in third party agreements.
  • The output of the scans/penetration tests will be reviewed in a timely manner by the system owner. Copies of the scan report/penetration test must be shared with the ISO/designated security representative for evaluation of risk.
  • Appropriate action, such as patching or updating the system, must be taken to address discovered vulnerabilities. For any discovered vulnerability, a plan of action and milestones must be created, and updated accordingly, to document the planned remedial actions to mitigate vulnerabilities.
  • Any vulnerability scanning/penetration testing must be conducted by individuals who are authorized by the ISO/designated security representative. The CISO must be notified in advance of any such tests. Any other attempts to perform such vulnerability scanning/penetration testing will be deemed an unauthorized access attempt.
  • Anyone authorized to perform vulnerability scanning/penetration testing must have a formal process defined, tested and followed at all times to minimize the possibility of disruption.

Associated Standards: Patch Management Standard; Vulnerability Scanning Standard

Operations Security

  • All systems and the physical facilities in which they are stored must have documented operating instructions, management processes and formal incident management procedures related to information security matters which define roles and responsibilities of affected individuals who operate or use them.
  • System configurations must follow approved configuration standards.
  • Advance planning and preparation must be performed to ensure the availability of adequate capacity and resources. System capacity must be monitored on an ongoing basis.
  • Where the entity provides a server, application or network service to another entity, operational and management responsibilities must be coordinated by all impacted entities.
  • Host-based firewalls must be installed and enabled on all workstations to protect from threats and to restrict access to only that which is needed.
  • Controls must be implemented (e.g., anti-virus, software integrity checkers, web filtering) across systems where technically feasible to prevent and detect the introduction of malicious code or other threats.
  • Controls must be implemented to disable automatic execution of content from removable media.
  • Controls must be implemented to limit storage of information to authorized locations.
  • Controls must be in place to allow only approved software to run on a system and prevent execution of all other software.
  • All systems must be maintained at a vendor-supported level to ensure accuracy and integrity.
  • All security patches must be reviewed, evaluated and appropriately applied in a timely manner. This process must be automated, where technically possible.
  • Systems which can no longer be supported or patched to current versions must be removed.
  • Systems and applications must be monitored and analyzed to detect deviation from the access control requirements outlined in this policy and the Security Logging Standard, and record events to provide evidence and to reconstruct lost or damaged data.
  • Audit logs recording exceptions and other security-relevant events must be produced, protected and kept consistent with record retention schedules and requirements.
  • Monitoring systems must be deployed (e.g., intrusion detection/prevention systems) at strategic locations to monitor inbound, outbound and internal network traffic.
  • Monitoring systems must be configured to alert incident response personnel to indications of compromise or potential compromise.
  • Contingency plans (e.g., business continuity plans, disaster recovery plans, continuity of operations plans) must be established and tested regularly. At a minimum, the plans must include:
    • an evaluation of the criticality of systems used in information processing (including but not limited to software and operating systems, firewalls, switches, routers and other communication equipment); and
    • Recovery Time Objectives (RTO)/Recovery Point Objectives (RPO) for all critical systems.
  • Backup copies of entity information, software, and system images must be taken regularly in accordance with the entity's defined requirements.
  • Backups and restoration must be tested regularly. Separation of duties must be applied to these functions.
  • Procedures must be established to maintain information security during an adverse event. For those controls that cannot be maintained, compensatory controls must be in place.

Associated Standards: Secure Configuration Management Standard; Security Logging Standard; Cyber Incident Response Standard; Account Management/Access Control Standard

5.0 Compliance

This policy shall take effect upon publication. Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time; compliance with amended policies and standards is expected.

If compliance with this policy is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Chief Information Security Officer's exception process.

6.0 Definitions of Key Terms

Term
Definition

7.0 Contact Information

Submit all inquiries and requests for future enhancements to the policy owner at:
LESLETECH VENTURES PRIVATE LIMITED
227 LAKSHMI NAGAR COIMBATORE NORTH SARAVANAMPATTI
COIMBATORE-641035
TAMILNADU

8.0 Revision History

This policy shall be subject to periodic review to ensure relevancy.

Date | Description of Change | Reviewer
     | First push            | Abel Lesle