5 Security Domain
Introduction
Components
ITDQC Principles
Recommended Best Practices

5.1 Security Management Component
Introduction and Background
Design Principles
Standards
Technology Watch
Products
Review Cycle
Appendix - Component Configurations (Buy List)

5.2 Systems Access Control Component
Purpose
Introduction and Background
Design Principles
Review Cycle
Identification and Authentication Subcomponent
Access Control Subcomponent
Availability Subcomponent
Confidentiality Subcomponent
Data Integrity Subcomponent
Non-Repudiation Subcomponent
Appendix - Component Configurations (Buy List)

5.3 Personnel and Site Security Component
Purpose
Introduction and Background
Design Principles
Review Cycle
Physical Site Security Subcomponent
Personnel Security Subcomponent
Appendix - Component Configurations (Buy List)

5.4 Communications and Operations Management Component
Purpose
Introduction and Background
Design Principles
Review Cycle
Operational Procedures and Responsibilities Subcomponent
System Planning and Acceptance Subcomponent
Protection against Malicious Software Subcomponent
Housekeeping Subcomponent
Network Management Subcomponent
Media Handling Security Subcomponent
Exchanges of Information and Software Subcomponent
Appendix - Component Configurations (Buy List)

5.5 Systems Development and Maintenance Component
Purpose
Introduction and Background
Design Principles
Review Cycle
Application Systems Security Subcomponent
Cryptographic Controls Subcomponent
Systems Files Security Subcomponent
Development and Support Processes Subcomponent
Appendix - Component Configurations (Buy List)

5.6 Business Continuity Component
Purpose
Introduction and Background
Design Principles
Standards
Technology Watch
Products
Review Cycle
Appendix - Component Configurations (Buy List)

5.7 Asset Classification and Control Component
Purpose
Introduction and Background
Design Principles
Review Cycle
Inventory of Information Subcomponent
Information Classification Subcomponent
Labeling and Handling Subcomponent
Appendix - Component Configurations (Buy List)

Annex A BS 7799-1:1999 British Standard
Annex B Comparison of British Standard 7799-1:1999 with Architecture Security Domain

5 Security Domain

The Security Architecture manages and controls access to the enterprise infrastructure, applications and data. Security is a set of services that ensures enterprise data is protected from unauthorized access and remains available to authorized users. Enterprise security consists of technical architecture, standards, products, policies, processes, education and monitoring. The Security Domain identifies the technical architecture, products and many of the standards for enterprise security. It encompasses all information technology (IT) security-related services in the enterprise.

Security has been given a domain of its own because the security audits the organization has undergone have pointed out many deficiencies. The most recent of these, conducted by IBM, was based on the internationally accepted British Standard BS 7799. The standard was last updated in May 1999, and that update reflects the current security concerns and requirements for information technology. This domain is built on that standard.

Introduction

Information is an important business asset: it has value to the enterprise and needs to be suitably protected. Information security protects information from as many threats as is economically feasible, in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities within government and in the management of the organization's programs. Information security, confidentiality and adherence to privacy laws are essential.

Information exists in many forms, printed or written on paper, stored electronically, transmitted by mail or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it must always be appropriately protected.

The goals of information security are to achieve confidentiality, integrity and availability of information; BS 7799 characterizes information security as the preservation of these three properties.

Information security is achieved by implementing a set of controls, which are a combination of policies, practices, procedures, organizational structures and software functions. These controls need to be established and enforced to ensure that the specific security objectives of the organization are met.

Increasingly, organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated.

Increasing dependence on information systems and services means the enterprise is more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving absolute access control. The trend toward distributed computing has increased information security vulnerabilities.

In the past many information systems have not been designed to be secure. Security was installed as an afterthought. The security that can be achieved through technical means is limited, and must be supported by appropriate management and procedures. Security needs, as a minimum, participation by all employees in the organization. It may also require participation from suppliers, customers and other stakeholders.

Information security controls are more efficient and effective if incorporated throughout the systems development life cycle, especially at the requirements specification and design stage, rather than retrofitted after implementation.

Security expenditure needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful. There are certain risks that are easily identified and applicable to this enterprise as well as others.

The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.

It is important to carry out periodic reviews of security risks and implemented controls to:

Risk assessments are carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.

Once risks have been identified, controls must be selected and implemented to ensure risks are reduced to an acceptable level. The controls in this document are based on the British Standard BS 7799-1:1999. This standard is internationally recognized, has recently been revised and is used by many large international organizations.

New controls that are unique to the enterprise will be documented in this and subsequent revisions of the Security Domain of this architecture.

Controls must be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation need to be taken into account.

From a legislative point of view, security controls must recognize:

Controls unique to this enterprise include:

It must be noted that although all controls in this document are important, the relevance of any control must be determined in the light of the specific risks an enterprise is facing. This does not replace selection of additional controls based on a risk assessment.

Experience has shown that the following factors are often critical to the successful implementation of information security:

Components

Security Management Component

The Security Management Component is based specifically on three of the British Standard (BS7799) control areas, as well as the management aspects of the other seven. The three BS7799 control areas are:

  • security policy;
  • security organization; and,
  • compliance.

Systems Access Control

Systems Access Control consists of those areas of access control necessary for:

  • controlling access to business information;
  • preventing unauthorized computer access;
  • preventing unauthorized access to information held in computer systems;
  • detecting unauthorized activities; and,
  • protecting networked services.

Systems Access Control is made up of the following subcomponents:

  • Identification and Authentication Subcomponent;
  • Access Control Subcomponent;
  • Availability Subcomponent;
  • Confidentiality Subcomponent;
  • Data Integrity Subcomponent; and,
  • Non-Repudiation Subcomponent.

 

Personnel and Site Security

Personnel and Site Security controls consist of both physical (environmental) security controls and personnel (individual staff) security controls.

Personnel and Site Security Controls are made up of the following subcomponents:

  • Physical Site Security Subcomponent
  • Personnel Security Subcomponent

Communications and Operations Management Component

To ensure the correct and secure operation of information processing facilities.

The component is made up of the following subcomponents:

  • Operational Procedures and Responsibilities Subcomponent
  • Systems Planning and Acceptance Subcomponent
  • Protection Against Malicious Software Subcomponent
  • Housekeeping Subcomponent
  • Network Management Subcomponent
  • Media Handling Security Subcomponent
  • Exchange of Information and Software Security Subcomponent

Systems Development and Maintenance

To ensure that security is considered and built into all the organization's information systems.

The component is made up of the following subcomponents:

  • Security Requirements in Systems Subcomponent
  • Security in Application Systems Subcomponent
  • Cryptographic Controls Subcomponent
  • Security of System Files Subcomponent
  • Security in Development and Support Processes Subcomponent

Business Continuity

To ensure the correct and secure operation of information processing facilities after a major disruption in service. Included in this component is a requirement for developing and testing a comprehensive recovery plan.

Asset Classification and Control

To maintain appropriate protection of the organization's assets.

 

ITDQC Principles

A principle is a method, or rule, adopted as the basis for action or conduct that has been set down and agreed upon by the ITDQC.

 

The organization will protect its information assets from loss and unauthorized access, use, modification, destruction and disclosure.

  • The Information Security Office is responsible for the organization's Information Security Program, which includes development and maintenance of: enterprise information security policies and direction, an Information Security Awareness program, and the organization's Risk Management Program.

     

    Technology implementers (ITB and DIT) are responsible for implementing technology in accordance with the organization’s Information Security Program.

  • Security (including information) is the responsibility of every employee. Trained and knowledgeable staff can prevent security incidents from happening, and detect and mitigate such incidents when they do occur.

     

    Managers specify and monitor the integrity and security of information assets and the use of those assets within their areas of program responsibility. Also, they ensure that program staff and other users of the information are informed of and carry out information security responsibilities.

    Recommended Best Practices

    Best practices are approaches, recommended by META Group’s Enterprise Architecture Service and further developed by the Architecture team, used to demonstrate and support the ITDQC principles.

     

    Management must provide and direct security focus and support.

    Rationale:

    • Employees are provided enterprise security direction.

     

    Ensure that the organization's security policies are written and universally applied and enforced across the enterprise.

    Rationale:

    • Security awareness reduces security risk.
     

    Utilize a widely accepted standard as the basis for this Domain.

    Rationale:

    • Reduces time to develop the standard.
    • Standard is broadly accepted.
     

    Based on risk management, protect information assets to the proper level for the risk.

    Rationale:

    • Total security costs more than the enterprise can justify.
    • Security is applied at the granularity the risk requires.
     

    Security audits should not be obtrusive or perceived as adversarial but as a planned part of business.

    Rationale:

    • Ensure enterprise wide application of security.
     

    Manage IT security centrally within the enterprise.

    Rationale:

    • Ensure all access can be audited.
    • Ensure enterprise wide application of security.
     

    Support a tested Business Continuity Plan that allows resumption of critical processes while protecting critical business processes from the effects of major failures or disasters.

    Rationale:

    • Enables the Department to continue doing its job.
    • Make participants more aware of potential problems.
    • Works out many resumption problems ahead of need.
    • Provide business continuity.
     

    Utilize security solutions consistently across the enterprise.

    Rationale:

    • Eliminates the need for application unique security solutions.
    • Reduces the number of security solutions.
    • Allows progress toward single sign-on.
     

    Protect the privacy and confidentiality of customers' and partners' data, as required.

    Rationale:

    • Conform to the legal requirements for personal and business information.
     

    Provide secure transmission of confidential and sensitive information.

    Rationale:

    • Allows access to confidential and private data.
    • Enables the organization to do E-commerce to exchange data with customers.
     

    Promote a high level of security awareness to employees and partners, ensuring that users are aware of information security threats, concerns, consequences and are equipped to support organizational security policy in the course of their normal work.

    Rationale:

    • Make all employees aware of adverse consequences of not following good practices.
    • Reduce number and severity of security incidents.
     

    Maintain the security of organizational information processing facilities and information assets accessed by third parties or outsourced.

    Rationale:

    • Work is done by third parties as required by the organization.
    • Contractual obligations are met.
     

    Reduce or eliminate the risks of human error, theft, fraud or misuse of facilities.

    Rationale:

    • Less opportunity for accidental or intentional damage to information assets.
     

    Minimize the damage from security incidents, monitor and learn from such incidents.

    Rationale:

    • Learn from mistakes.
     

    Prevent unauthorized access, theft, damage and interference to business processes, policies and information assets, so as to prevent loss, damage or compromise of assets and interruption to business activities. At the same time, ensure the correct and secure operation of information processing facilities, minimize the risk of systems failures and protect the integrity of software and information (including hardware, software and data in any form).

    Rationale:

    • Ensure business continuity.
    • Prevent unauthorized use of information assets.
    • Protect information assets.
     

    Maintain the integrity and availability of information processing and communication services while protecting the supporting infrastructure.

    Rationale:

    • Meet the customer's processing need.
    • Continued processing is possible.
     

    Minimize loss, modification or misuse of information exchanged.

    Rationale:

    • The organization depends on accurate information.
     

    Detect unauthorized activities.

    Rationale:

    • Determines who is accessing data inappropriately.
     

    Protect the organization's information assets regardless of location (e.g. teleworking) by making teleworkers and mobile computer users aware of the vulnerabilities of theft, loss, misuse or physical damage.

    Rationale:

    • Organization assets need protection regardless of locations.
    • Staff is aware of consequences of working "offsite".
     

    Ensure that security is designed and built into information systems at the early stages of development.

    Rationale:

    • Security requirements are less expensive and more comprehensive if designed early in the life cycle.
     

    Prevent loss, modification or misuse of information assets while protecting the confidentiality and authenticity and integrity of the information.

    Rationale:

    • Data is an enterprise resource required for on-going business.
     

    Ensure compliance with organizational security policies and standards.

    Rationale:

    • Assures that staff will follow the rules.

    5.1 Security Management Component

    Introduction and Background

    The Security Management Component is based specifically on three of the British Standard (BS7799) control areas, as well as the management aspects of the other seven. The three BS7799 control areas and their objectives are:

  • Security policy: to provide management direction and support for information security.
  • Security organization: to manage information security within the organization, and to maintain the security of organizational IT facilities and information assets accessed by third parties.
  • Compliance: to detect breaches of any statutory, criminal or civil obligations and of any security requirements, and to ensure compliance of systems with organizational security policies.

    Design Principles

    Management must set a clear policy direction and demonstrate support for, and commitment to, information security through the issuance and maintenance of an information security policy for the enterprise.

     

    A management framework must be established to initiate and control the implementation of information security within the organization.

     

    Suitable management, with management leadership must be established to approve the information security policy, assign security roles and coordinate the implementation of security across the organization.

     

    Contacts with external security specialists must be developed to keep up with industrial trends, monitor standards and assessment methods and provide suitable liaison points when dealing with security incidents.

     

    A multi-disciplinary approach to information security must be encouraged; e.g., involving the cooperation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance and risk management.

     

    Access to the organization's information processing facilities by (non-organizational) third parties must be controlled.

     

    Where there is a business need for third party access, a risk assessment must be carried out to determine security implications and control requirements.

     

    Controls must be agreed to and defined in a contract with the third party. Contracts conferring third party access must include allowance for designation of other eligible participants and conditions for their access.

     

    Arrangements must address the risks, security controls and procedures for information systems (and associated data), networks and/or desk top environments in the contract between the parties.

     

    The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements.

     

    Advice on specific legal requirements must be sought from the organization's legal advisers, or suitably qualified legal practitioners.

     

    The security of information systems must be regularly reviewed and audited for compliance with the appropriate security policies and implementation standards, covering the technical platforms as well as the information systems themselves. Operational systems and audit tools must be safeguarded during system audits.

     

    Protection is also required to safeguard the integrity and prevent misuse of audit tools.

     

    A compliance process must be implemented to ensure adherence to the organization's security policies and standards.

     

    The security of IT systems and IT system development efforts must be reviewed and approved by appropriate management and disciplines, such as audit.

     

    Noncompliance with security policies and standards will incur adverse consequences.

     

    When incidents are identified and reported, an appropriate evidence trail will be secured and retained.

     

    IT system development and maintenance must incorporate processes to ensure compliance with security policies, as well as auditability.

     

    Standards

    Component: Security Management. Each description heading below is followed by the standards that apply to it.

    Compliance - Legal Requirements

    The specific controls and individual responsibilities to meet relevant statutory, regulatory and contractual requirements will be explicitly defined and documented for each information system.

       

    Appropriate procedures will be implemented to ensure compliance with legal restrictions on the use of material such as proprietary software products, copyright, and design rights or trade marks.

     

    Compliance - Organizational Records

    Records of an organization will be protected from loss, destruction and falsification.

       

    Data storage systems will accommodate, where necessary, required data retrieval formats that are acceptable to a court of law.

       

    Procedures will ensure data protection and privacy of personal information.

       

    Any use of information processing facilities for non-business or unauthorized purposes, without management approval, will be regarded as improper use of the facilities.

       

    If improper use of the facilities is identified, it will be brought to the attention of the manager for appropriate disciplinary action.

     

    Compliance - Cryptographic Controls

    When applicable, legal advice will be sought to ensure compliance with cryptographic law.

     

    Compliance - Evidence Collection

    Evidential material must be secured, maintained and retained according to the published standard or code of practice for the production, availability, and integrity of admissible evidence.

       

    Records of who found the evidence, where it was found, when it was found and who witnessed the discovery will be documented, and untampered originals will be preserved.
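As an added example (not part of the architecture document), the following Go program shows one way to record the facts the evidence-collection standard calls for and to prove later that a retained original has not been tampered with: the item is hashed with SHA-256 the moment it is secured, every handling event (who, where, when, witness) is appended to a custody log, and any copy produced afterwards is checked against the recorded hash. The evidence bytes, names and locations are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// CustodyEntry records one handling event for an item of evidence: who handled
// it, who witnessed the handling, where and when. The first entry is the
// discovery itself.
type CustodyEntry struct {
	Action    string // "collected", "transferred", "examined", ...
	Handler   string
	Witness   string
	Location  string
	Timestamp time.Time
}

// Evidence is an item together with its custody log and the hash of the
// original taken at the moment it was secured.
type Evidence struct {
	ID           string
	OriginalHash string // SHA-256 (hex) of the item as found
	Log          []CustodyEntry
}

func hashBytes(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Collect secures an item: the original is hashed immediately and the
// discovery (who, where, when, witness) becomes the first custody entry.
func Collect(id string, data []byte, finder, witness, location string, at time.Time) Evidence {
	return Evidence{
		ID:           id,
		OriginalHash: hashBytes(data),
		Log: []CustodyEntry{{
			Action: "collected", Handler: finder, Witness: witness,
			Location: location, Timestamp: at,
		}},
	}
}

// Record appends a later handling event, so every transfer or examination of
// the item is accounted for.
func (e *Evidence) Record(action, handler, witness, location string, at time.Time) {
	e.Log = append(e.Log, CustodyEntry{action, handler, witness, location, at})
}

// Verify reports whether the copy presented now is byte-for-byte the original
// that was secured: its hash must equal the one recorded at collection.
func (e Evidence) Verify(data []byte) bool {
	return hashBytes(data) == e.OriginalHash
}

func main() {
	// Constructed sample evidence: one line of a recovered server log (not real data).
	original := []byte("2000-03-01 02:14:07 login failure user=jsmith src=10.0.0.7\n")
	found := time.Date(2000, 3, 1, 9, 30, 0, 0, time.UTC)

	ev := Collect("EV-0001", original, "A. Analyst", "B. Witness", "server room 2, host fs01", found)
	ev.Record("transferred", "A. Analyst", "C. Custodian", "evidence locker", found.Add(2*time.Hour))

	fmt.Printf("%s sha256=%s\n", ev.ID, ev.OriginalHash)
	for _, c := range ev.Log {
		fmt.Printf("  %-11s by %-12s witness %-12s at %s (%s)\n",
			c.Action, c.Handler, c.Witness, c.Location, c.Timestamp.Format(time.RFC3339))
	}

	// An untouched copy verifies; a copy with one word changed does not.
	altered := []byte("2000-03-01 02:14:07 login success user=jsmith src=10.0.0.7\n")
	fmt.Println("original verifies:", ev.Verify(original))
	fmt.Println("altered verifies: ", ev.Verify(altered))
}
```

The hash is taken before anything else is done with the item and is itself written into the custody record, so the record and the original can be checked against each other when the evidence is produced.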

     

    Compliance

    Managers and staff will ensure that all security procedures within their area of responsibility are carried out correctly.

       

    Audit requirements and operational systems review activities will be adequately authorized and, to minimize disruptions to business processes, carefully planned as follows.

  • Appropriate management will authorize audit requirements.
  • The audit scope will be authorized and controlled.
  • Audits will be limited to read-only access to software and data except for isolated copies of system files, which will be erased when the audit is completed.
  • IT resources required for performing the audits will be identified and made available.
  • Requirements for special or additional audit steps will be identified and authorized.
  • All access will be monitored and logged to produce a reference trail.
  • All procedures, requirements and responsibilities will be documented.

    As part of the system development life cycle, auditability and compliance will be considered.

    System audit will be proactively considered during system development.

    Security Policies

    Enterprise information security policies will be issued across the organization.

       

    Coordinate information security measures through a cross-functional forum.

       

    The risks associated with access to organizational IT facilities by third parties must be assessed and appropriate security controls implemented.

       

    Contracts with third parties involving access to organizational IT facilities must specify security conditions.

       

    A written policy document must be available to all employees responsible for information security.

     

    Management Framework

    A management framework will be established to initiate and control the implementation of information security within the organization.

       

    Responsibilities and procedures for the management and operation of all computers and networks must be established.

     

    Information Owner

    Designate an owner for all information assets (SAM 4841.2 requires a data owner and custodian for all data files and databases).

     

    Information Custodian

    Designate a custodian for all information assets (SAM 4841.2 requires a custodian for all data files and databases).

     

    Security Classification (refer to Asset Classification and Control Component)

    Information owners define access, security and integrity controls based on security classification and risk assessment.

       

    Designated owner classifies information in accordance with law and administrative policy (SAM 4841.3).

       

    Designated owner classifies information in accordance with the need to control access to information, security and integrity (SAM 4841.5).

       

    Designated owner classifies information as described in the Organization's External Customer Access Policy.

     

    Employee/User

    Security must be addressed during an employee's entire employment period, or contractor's engagement.

       

    Responsibilities for the protection of individual assets and for carrying out specific security processes must be explicitly defined.

       

    Users must be trained in security procedures and the correct use of IT facilities.

       

    Users should be formally notified in writing of the scope of their access rights and restrictions.

       

    Use information assets only for State approved purposes.

       

    Comply with applicable laws and with Administrative, Departmental and Program policies, procedures, and standards.

     

    Security Incidents

    Incidents affecting security must be reported immediately upon detection to management and to the Information Security Office (ISO).

       

    IT assets will be monitored for potential or actual security incidents or breaches.

       

    When security incidents or breaches occur, appropriate/corrective actions will be taken as soon as possible.

     

    Monitoring, Logging and Audit Mechanism:

    The security of IT systems must be regularly audited.

       

    IT systems must have controls to safeguard operational systems and audit trails to assist during system audits.

       

    Monitoring, logging and auditing must be accounted for in the design stages of the system.

       

    Appropriate log archives as identified in the security requirements must be collected and maintained for a period of time consistent with the legal and business needs of the organization.

       

    Monitor logs and alerts regularly for deviations from the norm and take appropriate action.

       

    To detect unauthorized activities, systems must be monitored to ensure conformity to access policy.
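The following Go program is an added example, not code from the document, of the monitoring the standards above call for: it runs a batch of constructed audit-log lines against an access policy and reports two kinds of deviation, a successful access to a resource outside the user's authorization (non-conformity to access policy) and repeated login failures for one user (a deviation from the norm that merits an alert). The log format, user IDs, resource names and the failure threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy maps a user ID to the set of resources that user is authorized to access.
type Policy map[string]map[string]bool

// Event is one parsed audit-log record.
type Event struct {
	Time, User, Action, Resource, Result string
}

// parseLine parses the constructed key=value log format used in sampleLog.
// It returns ok=false for lines that lack the fields every record must carry.
func parseLine(line string) (Event, bool) {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if kv := strings.SplitN(tok, "=", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	ev := Event{fields["ts"], fields["user"], fields["action"], fields["res"], fields["result"]}
	return ev, ev.User != "" && ev.Action != "" && ev.Result != ""
}

// Findings collects the deviations found in one batch of log lines.
type Findings struct {
	Unauthorized []string // successful access to a resource the user is not authorized for
	BruteForce   []string // users whose failed logins reached the threshold
}

// Review checks every record against the policy and counts failed logins per
// user. Access that the system itself denied is not reported: the control worked.
func Review(lines []string, policy Policy, failThreshold int) Findings {
	var f Findings
	failures := map[string]int{}
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		switch ev.Action {
		case "login":
			if ev.Result == "failure" {
				failures[ev.User]++
				if failures[ev.User] == failThreshold { // report once, when the threshold is reached
					f.BruteForce = append(f.BruteForce, ev.User)
				}
			}
		case "read", "write":
			// A user missing from the policy yields a nil map, and a nil map yields false.
			if ev.Result == "success" && !policy[ev.User][ev.Resource] {
				f.Unauthorized = append(f.Unauthorized,
					fmt.Sprintf("%s %s %s %s", ev.Time, ev.User, ev.Action, ev.Resource))
			}
		}
	}
	return f
}

// samplePolicy and sampleLog are constructed for this example (assumed user IDs,
// resource names and log format; not taken from any real system).
var samplePolicy = Policy{
	"jsmith": {"payroll": true},
	"mlee":   {"hr_records": true},
}

var sampleLog = []string{
	"ts=2000-03-01T08:00:01Z user=jsmith action=login result=success",
	"ts=2000-03-01T08:00:05Z user=jsmith action=read res=payroll result=success",
	"ts=2000-03-01T08:02:10Z user=jsmith action=read res=hr_records result=success", // outside policy
	"ts=2000-03-01T08:05:00Z user=mlee action=login result=failure",
	"ts=2000-03-01T08:05:03Z user=mlee action=login result=failure",
	"ts=2000-03-01T08:05:07Z user=mlee action=login result=failure", // third failure: threshold
	"ts=2000-03-01T08:05:20Z user=mlee action=login result=failure",
	"ts=2000-03-01T08:10:00Z user=mlee action=read res=payroll result=denied", // denied by the system
	"garbage line without fields",
}

func main() {
	f := Review(sampleLog, samplePolicy, 3)
	for _, u := range f.Unauthorized {
		fmt.Println("ACCESS OUTSIDE POLICY:", u)
	}
	for _, u := range f.BruteForce {
		fmt.Println("REPEATED LOGIN FAILURES:", u)
	}
}
```

The first finding is the important one for the standard: the access succeeded, so the system's own control did not match the written policy and the discrepancy must be investigated, not just the user.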

    Technology Watch

    BS7799

    DOIT Policies

    Federal and State Privacy Legislation

    Products

    Review Cycle

    Initial review after 6 months; subsequent reviews in conjunction with the ISO policies or every 12 months, whichever occurs first.

    Appendix - Component Configurations (Buy List)

    5.2 Systems Access Control Component

    Purpose

    Introduction and Background

    Systems Access Control consists of those areas of access control necessary for:

  • controlling access to business information;
  • preventing unauthorized computer access;
  • preventing unauthorized access to information held in computer systems;
  • detecting unauthorized activities; and,
  • protecting networked services.

    Systems Access Control is made up of the following subcomponents:

  • Identification and Authentication Subcomponent: verifies the identity of people, applications and systems seeking to use an information system, network or application.
  • Access Control Subcomponent: defines and describes the kind and degree of access authorized to the people, applications and systems that are granted access to a system resource, including data.
  • Availability Subcomponent: answers the question "Can the people, applications and systems get to the data?"
  • Confidentiality Subcomponent: the protection of information assets from disclosure to unauthorized people.
  • Data Integrity Subcomponent: the data is uncorrupted.
  • Non-Repudiation Subcomponent: provides evidence that information was sent and received, so that neither party can later deny the exchange; this includes a means of guaranteeing that the transmitted information was unmodified from the time sent to the time received.

    Design Principles

    Identification and Authentication

     

    Ensure that password rules are sufficiently strong and enforced to protect the information and system.

     

    Ensure that the authentication mechanisms are properly administered.

     

    Restrict and control the use of special privileges.

    Prevent proliferation of User IDs and passwords.

    Control and secure the allocation of user passwords.

    Ensure that users follow good security practices in the selection and use of passwords.

     

    Ensure that management processes for networked computers spanning organizational boundaries are addressed.

     

    There will be a formal user registration and de-registration procedure for access to all multi-user IT services.

     

    Connections by remote users via public (or non-organization) networks to the enterprise networks will be authenticated.
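As an added example (not the document's own code or rules), the following Go program implements the kind of password rule enforcement the principles above require: a minimum length, a minimum number of character classes, a denylist of common passwords and a check that the password does not contain the user ID. The numeric limits and the denylist contents are assumptions for illustration; the document does not specify values.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// PasswordPolicy holds the rules a new password must satisfy.
type PasswordPolicy struct {
	MinLength  int
	MinClasses int             // distinct character classes required (lower, upper, digit, other)
	Denylist   map[string]bool // common or previously compromised passwords, lower-cased
}

// Check returns every rule the candidate violates; an empty result means accepted.
// All rules are evaluated so the user can be told everything that is wrong at once.
func (p PasswordPolicy) Check(userID, password string) []string {
	var violations []string

	if len([]rune(password)) < p.MinLength {
		violations = append(violations, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}

	var lower, upper, digit, other bool
	for _, r := range password {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default: // punctuation, symbols and spaces all count as one class
			other = true
		}
	}
	classes := 0
	for _, present := range []bool{lower, upper, digit, other} {
		if present {
			classes++
		}
	}
	if classes < p.MinClasses {
		violations = append(violations,
			fmt.Sprintf("uses %d character classes, policy requires %d", classes, p.MinClasses))
	}

	lowered := strings.ToLower(password)
	if p.Denylist[lowered] {
		violations = append(violations, "appears on the common-password denylist")
	}
	// A password that embeds the user ID is guessable from the login name alone.
	if userID != "" && strings.Contains(lowered, strings.ToLower(userID)) {
		violations = append(violations, "contains the user ID")
	}
	return violations
}

// examplePolicy uses assumed values for illustration; the document sets no figures.
var examplePolicy = PasswordPolicy{
	MinLength:  12,
	MinClasses: 3,
	Denylist:   map[string]bool{"password": true, "password1": true, "welcome1": true, "letmein": true},
}

func main() {
	for _, candidate := range []string{"Welcome1", "jsmith-2000-ok!", "correct horse battery 42"} {
		v := examplePolicy.Check("jsmith", candidate)
		if len(v) == 0 {
			fmt.Printf("%-26q accepted\n", candidate)
			continue
		}
		fmt.Printf("%-26q rejected: %s\n", candidate, strings.Join(v, "; "))
	}
}
```

The denylist check matters more than the character-class count: "Welcome1" satisfies three classes yet is one of the first guesses an attacker tries, which is why the rule set rejects it on that ground as well as on length.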

    Access Control Subcomponent

     

    Ensure the safeguarding of information in networks and protection of the supporting infrastructure.

     

    Secure all enterprise IT resources and data through access controls.

     

    Define and maintain employee access controls for each job function.

    Trace computer activities to individuals.

     

    Access to computer services and data is controlled on the basis of business requirements.

     

    Access to computer facilities is controlled.

     

    Systems are monitored to ensure conformity to access policy and standards.

     

    Access to IT services must be via an effective, secure logon process.

    Availability Subcomponent

     

    Control and physically protect computer media.

     

    Perform risk assessment and identify the critical processes.

     

    Connections to networked services are monitored.

     

    Administer internal networks with security policies designed for the information they carry.

     

    Segregate internal networks so that a network with one set of security needs does not create exposure for networks with different needs.

     

    Limit the number of publicly accessible servers, and place them on a separate network.

     

    Ensure that alternative processing facilities are available to handle situations requiring the activation of the enterprise’s business continuity plans.

     

    Control connections to the organization's computing and network services.

    Confidentiality Subcomponent

     

    Use logical access controls to control access to application systems and data.

     

    Develop procedures for the allocation of access rights to IT services.

     

    Safeguard all private data and data communications.

    Data Integrity Subcomponent

     

    Ensure special measures are in place to protect sensitive information over the public networks.

     

    Record and change data only under business application control.

     

    Manage all enterprise data for back-up and fast recovery.

    Non-Repudiation Subcomponent

     

    Non-repudiation services must be used where it might be necessary to resolve disputes about occurrence or non-occurrence of an event or action; e.g., a dispute involving use of a digital signature on an electronic contract or payment.


    Review Cycle

    Initial review 6 months, subsequent reviews in conjunction with the ISO policies or 12 months, whichever occurs first.

     

    Identification and Authentication Subcomponent

    Identification and Authentication (I&A) verifies the identity of people, applications and systems seeking to use an information system, network, or application. I&A establishes a user's identity (User ID) based on one or more of the following:

    Introduction

    Traditional password mechanisms require error-free administration and due diligence to be effective. Persistent passwords are a reasonable means of authenticating users before access is granted to any enterprise resource. Authentication is the first line of defense and is mandatory for effective compliance measures. Because the enterprise's networks and systems are interconnected with implied trust between all systems, a person who bypasses or subverts the authentication mechanism on any one system can probably reach confidential or critical information elsewhere in the enterprise without being detected. Most external intrusion attacks first attempt to exploit failures in traditional password mechanisms.

    Authentication mechanisms are not the same for all systems and applications. In the organization, Authentication and Identification Standards are different for internal customers (employees, partners and contractors) and external customers (employers and clients). Although legacy systems may not comply with all of these new standards, new systems and applications must comply with the following standards.

    Standards

    Sub-component

    Description

    Standard

    Identification & Authentication -Internal Customer

    User IDs

    No shared accounts

    No guest accounts

    The user should have the same User ID for all systems. The systems administrators will resolve conflicts.

    Disable the User ID after failed (enter number) logon attempts.

    User IDs will:
    - be up to 8 characters long
    - be formed from the first initial and last name, with a numeric qualifier in the eighth position if necessary to make the User ID unique.

    User IDs will be based on (from high to low desirability) enterprise NT User ID, EMC2 ID and Office Vision (PROFS) ID.

    Revoke/cancel User IDs and collect ID cards, keys and electronic access devices when an employee leaves their cost center on their last working day.

    Service account User IDs are prefixed with #

    Training account User IDs are prefixed with !

    Special User IDs will have limited authorized accesses.

    Passwords

    Strong Passwords are required:

    Keep password confidential - do not loan, share or borrow passwords.

    Do not write down your password.

    Change compromised passwords immediately.

    Do not include passwords in any programmed logon process (e.g. stored in a macro or function key, etc.).

    Passwords not changed after 90 days will be disabled.

    Passwords must be a combination of alphabetic and numeric or special characters.

    Passwords must be six (6) characters minimum.

    Passwords will be disabled after 45 days of inactivity.

    New passwords must be different than the prior six passwords.

    Temporary passwords are good only for one use.

    Allow password changes no more than once daily.

    Do not display passwords.

    Encrypt stored passwords and password files.

    Enforce password standards for remote access devices.

    A trusted third party authentication infrastructure with strictly enforced password rules must be provided for users who typically require access to more than one system for "normal" business activities.

    Verify the identity of staff before resetting or providing a temporary password.

    Access requestor

    Verify the identity and authority of the requester before granting new or revoking existing access.

    Logoff

    Terminate active sessions when leaving your work area or when finished unless an appropriate lock (i.e. screen saver password) or time-out features can secure the session.

    Audit trails

    System must be set to log all denied access attempts.

    Track up to six passwords not allowing use of any of the prior five.

    Administration

    It is the manager's responsibility to ensure the user has a Confidentiality Statement (DE7410) on file before granting access to information classified as confidential or sensitive.

    Authentication

    Applications that do not access sensitive or confidential information do not require authentication.

    Logging on to a network will require, at a minimum, a user ID and password combination.

    Connections by remote computer systems will be authenticated.
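    The internal-customer standards above, applied in code. This is an added illustration, not the organization's own provisioning code: it derives a User ID with the eighth-position qualifier, checks the password standard, stores only a salted PBKDF2 hash (never the password itself), disables accounts after 90 days without a change or 45 days without a logon, locks out after a number of failed logons (the document leaves that number blank, so 5 is an assumption), allows one change per day, refuses the current and prior six passwords, and treats a help-desk temporary password as good for a single use. The names, the reference date and the account data are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_LOGONS = 5        # the document leaves the count blank; 5 is an assumption
PBKDF2_ROUNDS = 100_000      # "encrypt stored passwords": keep a salted PBKDF2 hash, never the password
HISTORY_DEPTH = 6            # "different than the prior six passwords"
T0 = datetime(2000, 1, 1)    # constructed reference time for the usage below


def days(n: int) -> timedelta:
    return timedelta(days=n)


def derive_user_id(first: str, last: str, taken: set[str]) -> str:
    """First initial plus last name, at most 8 characters. If that ID is taken,
    a digit in the last position makes it unique (jsmith -> jsmith1). Beyond
    nine collisions the administrator resolves it by hand, as the standard says."""
    base = "".join(c for c in (first[:1] + last).lower() if c.isalnum())[:8]
    if base not in taken:
        return base
    stem = base[:7]
    for qualifier in range(1, 10):
        candidate = f"{stem}{qualifier}"
        if candidate not in taken:
            return candidate
    raise ValueError(f"no free qualifier for {base}; administrator must resolve")


def password_meets_standard(pw: str) -> bool:
    """Six characters minimum, letters combined with digits or special characters."""
    return (len(pw) >= 6
            and any(c.isalpha() for c in pw)
            and any(not c.isalpha() for c in pw))


def hash_password(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    last_logon: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # prior (salt, digest) pairs
    failed_logons: int = 0
    disabled: bool = False
    temporary: bool = False      # help-desk issued, good for one use only
    must_change: bool = False


def new_account(user_id: str, pw: str, now: datetime, temporary: bool = False) -> Account:
    if not password_meets_standard(pw):
        raise ValueError("initial password does not meet the standard")
    salt, digest = hash_password(pw)
    return Account(user_id, salt, digest, changed_at=now, last_logon=now, temporary=temporary)


def logon(acct: Account, pw: str, now: datetime) -> bool:
    """True on success. Accounts past 90 days without a change or 45 days
    without a logon are disabled, as are accounts over the failed-attempt limit."""
    if acct.disabled:
        return False
    if now - acct.changed_at > days(90) or now - acct.last_logon > days(45):
        acct.disabled = True
        return False
    _, presented = hash_password(pw, acct.salt)
    if not hmac.compare_digest(presented, acct.digest):
        acct.failed_logons += 1
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            acct.disabled = True
        return False
    acct.failed_logons = 0
    acct.last_logon = now
    if acct.temporary:                # one use: invalidate it and force a change
        acct.temporary = False
        acct.digest = b""
        acct.must_change = True
    return True


def change_password(acct: Account, new_pw: str, now: datetime) -> bool:
    """Enforces the standard, the once-a-day limit and the six-password history."""
    if acct.disabled or not password_meets_standard(new_pw):
        return False
    if not acct.must_change and now - acct.changed_at < days(1):
        return False
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        _, candidate = hash_password(new_pw, salt)
        if hmac.compare_digest(candidate, digest):
            return False          # reuse of the current or a prior password
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
    acct.salt, acct.digest = hash_password(new_pw)
    acct.changed_at = now
    acct.must_change = False
    return True
```

    The history check rehashes the candidate under each stored salt, so the prior passwords themselves never need to be kept; the comparison uses a constant-time digest compare, and a consumed temporary password is replaced by an empty digest that no input can match.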

    Identification & Authentication -External Customer

    Security requirements from the organization's External Customer Access Policy:

    Public Information

    Identification and Authentication are not required for access to public information.

    Sensitive Information

    Access to "sensitive" information is not allowed.

    Confidential Information

    The system must uniquely identify the requester and establish the authority to grant access.

    The system must provide a method for the verification of the individual accessing the system by using a Personal Identification Number (PIN), smart card or biometrics.

    Identification Standards

    Ensure a unique identifier is used for each constituent group and no duplicate identifier exists between any two groups. (How does this reconcile with the first standard? Question for ITDQC.)

    Technology Watch

    Public-key infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet

    Smart tokens, biometrics

    Directory Services

    Single Sign-On

    Products

    RACF - Mainframe access

    NT Domain - LAN Access

    Access Control Subcomponent

    Purpose Statement

    Access control is defined and described by the kind and degree of access authorized to people, applications and systems that are granted access to a system resource, including data. Access controls define what users can access and specify what type of access each user is permitted for a particular resource. Types of permitted access include, for example, create, read, update, delete (CRUD) and execute. Security labels classify resources according to an organization's security policy definitions, such as "proprietary", "unclassified", etc. To gain access to a resource, the user's authority must match the security label of the particular resource.

    Introduction

    The organization's environment must be administered with access controls consistent with the level of information contained within it. Other computing environments outside the organization that are evaluated as having controls that are not sufficiently strong based on the organization’s requirements, must be isolated by access control mechanisms maintained by the organization. Individuals who require access to the organization from these other environments must use identification and authentication mechanisms deemed appropriate by the organization before access is granted.

    The organization's strategy includes extending its reach and making the organization much more accessible to off-site employees, to remote government agencies and to citizens. One important aspect of this strategy is the exploitation of the Internet. Because the Internet is simply a transmission medium whose sole function is to deliver packets to their intended destination, security is the responsibility of users and service providers. The Internet does not provide the security services defined in this document.

    Standards

    Subcomponent

    Description

    Standard

    Access Control

    Firewalls

    Mechanisms such as firewalls must be used for all external connections to/from the organization and the Internet, to/from systems belonging to other organizations, and on both sides of any Web servers that are connected to both the organization's network and the Internet.

       

    Implement only necessary services on the firewall.

       

    Firewalls will be used to protect the intranet from the Internet and from access by other organizations.

       

    All unnecessary network services will be disabled (e.g. FTP or news).

       

    All security related TCP/IP stack patches will be installed upon identification and testing of those patches.

       

    The firewall must block IP address spoofing, i.e. faking the sending address of a transmission in order to gain illegal entry into a secure system; packets arriving on an external interface with an internal source address must be dropped.

       

    Firewall must log all relevant data.

       

    Firewall must generate an alert if there is a sign of a security breach or an attempted breach.

       

    Limit and monitor the amount and type of traffic passing through the firewall in either direction.

     

    Firewall Policy

    A network protection policy (i.e. firewall policy) must be defined and periodically reviewed.

       

    Audit firewall against firewall policy.

       

    The firewall policy audit must check:

    • List of permitted services
    • Configuration of the firewall against that list
    • All security patches applied and unnecessary services disabled
    • Scan of the firewall for active services
    • Probe of the hosts that the firewall should protect
    • Maintenance procedures and who checks the daily logs
       

    Firewalls and possibly physical separation must be used to segregate the organization's internal networks into subnets that can be administered with security policies designed for the information they carry without exposing other domains that might have different needs.

       

    Limit the number of public accessible servers, placing them in an independent network subnet.

       

    TCP/IP hosts will be protected on isolated subnets.

       

    Any network traffic that is not specifically allowed is forbidden.

       

    Where appropriate, separate services on different computers or in a DMZ so that a successful attack on a service will not result in total access.

     

    Subnets

    Network domains containing confidential organization information must be isolated from all inbound traffic initiated from other network domains.
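    The firewall and subnet standards above as a small default-deny packet filter, added here as an illustration rather than the organization's ruleset or any product's configuration: a fixed permit list where everything unlisted is forbidden, an anti-spoofing check that drops packets whose source address does not belong to the interface they arrived on (and raises an alert), isolation of the confidential domain from inbound connections initiated elsewhere, logging of every deny, and a pre-load audit that rejects permit rules which would let Internet traffic terminate anywhere but the DMZ or let any other domain into the confidential subnet. The zones, addresses (documentation ranges) and the permitted-service list are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed address plan (not the organization's): each zone is one subnet
# behind its own firewall interface; anything unlisted is the Internet.
ZONES = {
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],          # public-accessible servers
    "internal": [ipaddress.ip_network("10.0.0.0/16")],
    "confidential": [ipaddress.ip_network("10.1.0.0/16")],  # confidential information domain
}

# Permitted services as (source zone, destination zone, protocol, port).
# "Any network traffic that is not specifically allowed is forbidden."
PERMITTED = {
    ("internet", "dmz", "tcp", 443),
    ("internet", "dmz", "tcp", 80),
    ("dmz", "internal", "tcp", 1521),     # hypothetical web-tier to database path
    ("internal", "dmz", "tcp", 443),
    ("internal", "internet", "tcp", 443),
}

LOG: list[str] = []   # every deny is logged; spoofing also produces an ALERT line


@dataclass(frozen=True)
class Packet:
    ingress: str   # zone of the interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "internet"


def audit_permitted(rules: set[tuple[str, str, str, int]] = PERMITTED) -> list[str]:
    """Check a permit list against the fixed standards before loading it: the
    confidential domain accepts no inbound from other domains, and Internet
    traffic terminates only in the DMZ (firewalls on both sides of the Web
    servers). Returns the offending rules."""
    findings = []
    for src, dst, proto, port in sorted(rules):
        if dst == "confidential" and src != "confidential":
            findings.append(f"{src}->{dst} {proto}/{port}: confidential domain must not accept inbound traffic")
        if src == "internet" and dst != "dmz":
            findings.append(f"{src}->{dst} {proto}/{port}: Internet traffic may terminate only in the DMZ")
    return findings


def evaluate(pkt: Packet) -> str:
    """Returns 'permit' or 'deny' for a new connection."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone != pkt.ingress:
        # Anti-spoofing: the source address must belong to the zone it arrived from.
        LOG.append(f"ALERT spoof: {pkt.src} claims {src_zone} but arrived on {pkt.ingress} -> {pkt.dst}")
        return "deny"
    if dst_zone == "confidential" and src_zone != "confidential":
        LOG.append(f"DENY isolation: {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return "deny"
    if (src_zone, dst_zone, pkt.proto, pkt.dport) in PERMITTED:
        return "permit"
    LOG.append(f"DENY default: {src_zone}->{dst_zone} {pkt.proto}/{pkt.dport} {pkt.src}->{pkt.dst}")
    return "deny"


def alerts() -> list[str]:
    return [line for line in LOG if line.startswith("ALERT")]
```

    Note the order of the checks: the spoofing test runs before the permit list is consulted, so a forged internal source address never benefits from a rule written for the internal zone, and the confidential-domain isolation cannot be undone by adding a permit rule.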

     

    Access

    Access to computer services and data must be controlled on the basis of business requirements.

       

    Access control mechanisms must default to disallow all unauthorized users from any access rights to organization information.

       

    A logon banner must exist to warn the user that the system is for official use only and an unauthorized user may be subject to prosecution.

     

    Remote Access

    Remote access is restricted to approved access paths only (i.e. RAS, through the Internet, or WAN).

       

    All external connections to/from the organization are untrusted and must be allowed only through organization-approved controls.

       

    Untrusted internal network domains must be isolated from the organization's trusted internal network domains using organization-approved controls.

     

    Physical location

    IT resources (systems, network components, peripheral devices and media) supporting the organization's confidential business information must be housed in secure areas with access limited to authorized personnel.

       

    No workstation or multi-user system must allow access to its information by any unauthorized person.

       

    The use of special privileges must be restricted and controlled.

       

    Business requirements for access control will be defined and documented.

       

    The route from the user terminal to the computer service needs to be controlled (access closets).

     

    Other

    Access to diagnostic ports will be securely controlled.

       

    Shared networks require individual network routing and access controls.

       

    Inactive terminals in high risk locations, or serving high risk systems, will be set to time out, to prevent access by unauthorized users.

       

    Restrictions on access or connection times (e.g. to business hours) are required to limit the window available to attackers.

       

    Access to system utilities will be securely controlled and will not be accessible by the general staff.

       

    Access to all libraries will be restricted to a need for access.

       

    Sensitive systems and data require a dedicated (isolated) computing environment.

       

    All security-related releases of network operating systems will be kept up to date to ensure that the latest security issues have been addressed.

    Electronic Commerce

    Controls for electronic commerce must be applied to protect the access and interchange of information between business partners, customers, and other enterprise users to protect from unauthorized access, disclosure or modification of information.

     

    Assigning access rights

    Establish formal procedures to control allocation of access rights to systems and data through all stages in the life cycle.

     

    Mobile Computing

    When using mobile computing or teleworking, special precautions must be taken to minimize the risk of unauthorized access and use.

       

    Dial up users will be subject to strong password use.

       

    Sensitive local data on the hard drive will be protected (e.g. by encryption) so that, if the computer is stolen, the information is useless to the thief.

       

    The designated owner authorizes access to the organization’s informational resources based on information classification and business need (SAM 4841.5) .

       

    Phone numbers and procedures for mobile computing access must be treated as sensitive.

    Technology Watch

    Products

    Availability Subcomponent

    Introduction

    Availability simply means, "Can the enterprise get to the data?" Secure data is of little value if it is unavailable when customers and employees need it. When it is not, users and customers alike are left empty-handed, business operations come to a halt and dramatic losses of productivity start adding up: lost business opportunities and transactions, maintenance costs, data integrity check-point costs, not to mention the impact on the customer's impression of the enterprise.

    For customer service and many other areas, computer downtime is no longer acceptable.

    For the success and survival of the enterprise, the information system must ensure that equipment, data and applications are available, all the time, with no loss or corruption, for the benefit of staff and customers alike. Availability solutions mean business continuity, reducing downtime to a few minutes a year, with virtual invisibility to users. This is achieved through the right mix of planning, software, hardware and services, integrated together to deliver best-in-class solutions.

    Availability of any component of the system is affected by:

    A system should be decomposed to components and an evaluation of each of those components should occur based on the system requirements for availability.

    Criticality (or risk) of any system component failure is directly linked to:

    Determination of risk remediation depends on balancing the degree of risk, the value of the resources and the cost of the remediation.

    Any system deemed to be critical should have a set of procedures indicating how to keep the data flowing.

    Standards

    Subcomponent

    Description

    Standard

    Availability

    Data

    Enterprise data must be recoverable within the timeframes set by Service Level Agreements (SLAs) and the procedures established in the Business Continuity Plan.

    Enterprise critical or confidential data must be stored on a production environment network server.

    Backup of essential business data and software must be taken regularly.

    Recovery must be tested regularly.

    If a production system or software version installation fails, the appropriate data for the prior version must be available.

     

    Planning

    Business continuity plans must be available to protect critical business processes from the effects of major failures or disasters.

       

    The business continuity plan and processes in place will be regularly tested and updated where appropriate.

       

    New versions of software must have a complete, tested back-out recovery plan prior to installation.

     

    Equipment

    The design of all equipment components of the physical system must take into account the availability and confidentiality of the data and the visibility of failure (degree of risk).

     

    Network

    Large networks must be divided into separate sub-networks or segments to ensure controllability, security and recoverability.

       

    Highly critical circuits must have a degree of redundancy that is in accordance with the criticality of the data carried on that circuit.

       

    The risks associated with the use of network services will be established.

     

    Software

    Software versions must be recoverable, e.g., if a version of software installed in production fails, the prior version must be recoverable.

       

    Software fixes, for both off-the-shelf applications and operating systems, must be installed expeditiously.

       

    Software must be fully tested and operational before being implemented.

    Technology Watch

    Because the Availability Subcomponent of the Systems Access Control Component of the Security Domain is integrated into the entire Architecture, there are no specific technology watch items for this subcomponent.

    Products

    TBD

     

    Confidentiality Subcomponent

    Introduction

    Confidentiality is the protection of information assets from disclosure to unauthorized people. Access controls can provide confidentiality in trusted and controlled environments. In an untrusted network environment, access controls are not effective against interception attacks such as wiretapping. In this situation, the best data confidentiality service would be encryption. Encryption services can provide protection of information in both the data storage and transmission functions.

    All of the organization's confidential information should be protected at all times from unauthorized disclosure, alteration or destruction. Encryption should be used to protect confidential information whenever that information is transported, backed up or stored on a machine that is physically or logically accessible to individuals not specifically authorized to access the classified information on it.

    Information owners must determine the sensitivity of their information in terms of the organization's business requirements. In some cases, such as Electronic Data Interchange (EDI) or Electronic Funds Transfers (EFT), the primary protection required might be to ensure that the information in the transaction does not change (integrity). Protection of that information from disclosure (confidentiality) might not be required.

    If a system that stores confidential information is sufficiently well protected by access control mechanisms (physical and logical), then the confidential information would only need the added protection of encryption when it was removed from the "trusted" environment. If the confidential information is being transported over a public network, it should be encrypted. If the new location is not sufficiently trusted or the network does not have an encryption service, then the application should encrypt the confidential information before transmitting it. To do this, the application should use confidentiality and data integrity services provided by the underlying operating system or application development platform. Encryption is a highly specialized area. The effective protection of enciphered data depends completely on the control of cryptographic objects such as keys. Reference should be made to the Cryptographic Controls Subcomponent of the Systems Development Component.
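    The encryption step described above, for confidential data that leaves the trusted environment (a laptop disk, a backup tape at the recovery site, a file crossing a public network). This is an added example, not the organization's code and not a vetted cipher: it uses only the Python standard library, with an HMAC-SHA256 counter-mode keystream for confidentiality and a second HMAC over nonce and ciphertext for integrity, keyed separately from one master key. In practice an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a vetted library should be used; the structure shown (key separation, a fresh nonce per file, encrypt-then-MAC, constant-time tag check before any decryption, refusal to return partial plaintext) is the part to keep. The master key and the sample record are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master: bytes) -> tuple[bytes, bytes]:
    """Separate keys for confidentiality and integrity, derived from one master key."""
    enc_key = hmac.new(master, b"confidentiality", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode with HMAC-SHA256 as the pseudorandom function."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. The nonce is fresh per call, so equal
    plaintexts give different ciphertexts; the tag covers nonce and ciphertext."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(master: bytes, blob: bytes) -> bytes | None:
    """Verify the tag first (constant-time) and only then decrypt. Returns None
    for a truncated, modified or wrong-key blob rather than partial plaintext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


# Constructed sample: a backup record that will sit on a tape at the recovery site.
MASTER_KEY = os.urandom(32)   # from the key-management process; never stored beside the tape
RECORD = b"client=00412 ssn=***-**-6789 balance=1042.17 note=confidential\n"
```

    The tag is checked over the ciphertext, not the plaintext, so a modified or truncated tape is rejected before any decryption happens; as the Cryptographic Controls Subcomponent notes, the protection is only as good as the handling of MASTER_KEY, which is why it is derived into two purpose-specific keys and kept away from the media.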

    Standards

    Subcomponent

    Description

    Standard

    Confidentiality

    Data Storage

    Confidential organization data stored on media in an area which is not trusted must be encrypted based on the risk management plan (e.g. data stored on laptops, back-up files stored at disaster recovery sites, etc.).

    Enterprise critical or confidential data must be stored in a secure production environment.

    Computers containing sensitive or confidential information must not be accessible to unauthorized people, applications and systems.

    Data Transmission

    Movement of confidential organization data on a public network must be protected by encryption mechanisms.

     

    Data Destruction

    Sensitive or confidential data must be destroyed in a timely and appropriate manner. This includes data stored on hard drives, tapes, floppy disks, CD-ROMs, and hardcopy printouts.

       

    Within a "trusted" environment, movement of confidential organization data must be protected by appropriate access control mechanisms.

     

    Transit Points

    Telephone and data closets must not be accessible to other than authorized staff or contractors.

     

    Computers

    Access to network enabled computers will require proper identification and authorization.

     

    Technology Watch

    As the department integrates the Confidentiality Subcomponent of the Systems Access Control Component of the Security Domain into the entire Architecture, the specific technology watch items for this subcomponent are:

    SSL (Secure Sockets Layer) – developed by Netscape to provide security and privacy over the Internet. Supports server and client authentication and protects the confidentiality and integrity of the transmission channel. Sits between TCP and the application and mimics the sockets library, which makes it application independent. Encrypts the entire communication channel; it does not provide digital signatures at the message level.

    Products

    To Be Determined

     

    Data Integrity Subcomponent

    Introduction

    Data integrity means that the data accessed is uncorrupted: the data entered yesterday has not been modified by accident or by unauthorized persons or programs.

    As access to information proliferates, the risks of data corruption and contamination increase. Contamination can be accidental or malicious. Accidental modification occurs when a staff member, an organization or a hardware device updates the wrong information in a file, or runs a job that updates the wrong data file or table. Malicious modification takes two basic forms, which this document calls passive and active. In the passive form, an entity introduces a program intended to attack the computer system; these programs go by various names (virus, worm, Trojan horse, logic bomb, etc.) and, once on the system, may leave a message, change the content of one or more files or erase all the information on the system. At the time of this writing there are approximately 50,000 virus variants, and the number grows daily. In the active form, an entity attempts to "crack" the system's access methods, using a password-guessing program or "social engineering" (e.g., knowing family or pet names or a favorite football team) to guess passwords. Once in, the entity tries to deface or destroy information, or to steal it for other uses.

    Although there are several ways to stop an attack before damage has been done, only the interception and recovery methods are discussed here. For preventive measures, see the Identification/Authentication subcomponent.

    The methods for intercepting and recovering from an attack are:

    Maintain some form of continuous virus checking.

    Standards

    Subcomponent

    Description

    Standard

    Data Integrity

    Data

    Data defined as enterprise data will be backed-up on a regular basis.

    Data integrity should be checked using concepts such as checksums.

    A plan to backup and recover data must be developed and tested for all critical data.

    Enterprise data is always stored on a network server.

    Data will be stored "off-site" for those systems deemed critical.

    Off-site storage will be in a secure area.

    Recovery of data must be tested.

    Limit the number of access paths (ports) to data and monitor those access ports.

    Implement controls to prevent and detect introduction of unauthorized and malicious software.

    Only authorized modifications may be made to systems, public or private.

    Special care should be taken on publicly available systems to ensure the integrity of electronic information to prevent unauthorized modification that may harm the reputation of the organization.

    Update virus definitions monthly across all platforms or more often as needed from a reliable source.

       

    Virus attacks will be reported upon detection to the Information Security Office (ISO).

       

    Detection of hacking attempts will be reported immediately to the ISO.

       

    Take immediate action to notify, contain, cleanse and protect affected and at risk computing platforms and data.
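    The checksum standard above, carried through as a backup manifest. This is an added example, not the organization's procedure or a product: a manifest of per-file digests is taken when the backup is written and stored apart from the media, then checked at restore time. It also shows why a plain checksum is only a guard against accidental corruption: an intruder who modifies a file can regenerate an unkeyed manifest, whereas a keyed HMAC manifest cannot be reproduced without the key. The backup set and the key are constructed.

```python
from __future__ import annotations

import hashlib
import hmac


def file_digest(data: bytes, key: bytes | None = None) -> str:
    """Plain SHA-256 detects accidental corruption. With a key, HMAC-SHA256 also
    detects deliberate modification: whoever alters a file cannot recompute a
    matching value without the key, which is kept off the backup media."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(files: dict[str, bytes], key: bytes | None = None) -> dict[str, str]:
    """Taken when the backup is written; store it separately from the media."""
    return {path: file_digest(data, key) for path, data in sorted(files.items())}


def verify_manifest(manifest: dict[str, str], files: dict[str, bytes],
                    key: bytes | None = None) -> dict[str, list[str]]:
    """Run at restore time and during the regular recovery test. Reports files
    whose content changed, files that vanished and files nobody recorded."""
    report: dict[str, list[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in files:
            report["missing"].append(path)
        elif not hmac.compare_digest(expected, file_digest(files[path], key)):
            report["modified"].append(path)
    report["unexpected"] = sorted(set(files) - set(manifest))
    return report


def intact(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


# Constructed backup set (not real data).
BACKUP = {
    "payroll/2000-01.dat": b"emp=1001 net=2310.55\nemp=1002 net=1987.10\n",
    "gl/journal.dat": b"2000-01-15 4100 CR 500.00\n",
    "bin/nightly.sh": b"#!/bin/sh\n/opt/app/run --mode batch\n",
}
MANIFEST_KEY = b"kept-by-the-ISO-not-on-the-tape"   # constructed; in practice from key management
```

    For critical systems the manifest belongs with the off-site copy, and a failed check is what triggers the notify-contain-cleanse steps in the standard above rather than a silent restore.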

    Technology Watch

    Because the Data Integrity Subcomponent of the Systems Access Control Component of the Security Domain is integrated into the entire Architecture, there are no specific technology watch items for this subcomponent.

    Products

    RAID (disk redundancy; not a substitute for file backup)

    Norton Anti-Virus

    Inter-Scan Virus Wall - protects Exchange Servers

    Non-Repudiation Subcomponent

    Introduction

    For electronic commerce applications, non-repudiation services are used to "guarantee" that transmitted information was unmodified from the time it was "signed" and stored to the time it was received and subsequently used for some business transaction. Using public key technology, the originator cannot deny "signing" the document nor can the recipient deny having received the original, unmodified contents. Non-repudiation services address various electronic message risks, including:

    Techniques used to sign messages may be forged if the essential components of the process (private keys, certificates and the signing software) are not themselves secured.

    By using non-repudiation services, the recipient of data is provided proof of the origin of data, which protects against attempts by a sender to falsely deny sending the data or its contents. The sender is provided with proof of delivery of the data and is protected against attempts by the recipient to falsely deny receiving the data or its contents.

    Non-repudiation services depend upon cryptography and keys to ensure authenticity, confidentiality and integrity of messages and data. A common mechanism used for electronic non-repudiation is a digital signature, which is constructed using a high-strength public key cryptographic algorithm; the binding of a signing key to its owner is attested by a public key certificate issued by a certification authority. This technology enables the enterprise, when doing electronic commerce applications, to positively identify the user associated with each electronic transaction.

    The legal presumptions involved in relying on a properly verified digital signature are that the message is presumed not to have been altered since sent, and that the signature is presumed to be that of the named signer. Furthermore, a digitally signed electronic message meets all "in writing" and signature formalities, and is considered to be the original.

    Standards

    Component

    Description

    Standard

    Non-Repudiation

    Recipient

    Ensure the authenticity and integrity of the electronically sent document; i.e., the ability to verify the identity of the sender, as well as the ability to verify that a document has not been altered since it was sent by using PKI.

    Control interactive access to the electronic sending system via a user authentication process.

    Generate a positive acknowledgment to the sender indicating that the document has been received.

    Employ cryptographic techniques to generate unique digital signatures that can be verified to prove the origin of a message.

    Sender

    If appropriate, ensure that digital signatures are appended to messages received from another party, whether requests or responses.

    Submit in a designated electronic file format and retain in the electronic format in which submitted.

    Include the identity of the receiver and the date and time of the document's receipt (as part of the positive acknowledgment), and assign a document reference number.

    For applications requiring non-repudiation, digital signature will be used. Encryption methodology and key management will depend on the hardware and software solution selected.

    Digital Signatures - California Code of Regulations

    Digital Signatures are acceptable for the organization's purposes as per California Code of Regulations §22001 through §22003.

    Uniform Electronic Transactions Act (effective Jan 1, 2000).

    The signer of electronic messages must protect their private key from compromise.

    Upon separation from the organization, the signer's certificate must be revoked.

    The Certificate Authority (CA) must revoke a certificate and place it on a Certificate Revocation List (CRL) upon notification that the corresponding private key has been compromised.

    Relying parties must actually verify the digital signature and check the certificate's validity against the current CRL maintained by the online repository.
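    The relying party's side of the standards above, as an added example that is neither the organization's code nor a real PKI: the certificate is a plain dictionary standing in for an X.509 certificate, the CRL is a set of revoked serial numbers, and the signature is textbook RSA over a SHA-256 digest with keys generated on the fly. Textbook RSA without padding is shown only to keep the example self-contained; production systems use RSA-PSS or ECDSA from a vetted library, real certificates whose CA signature is also checked, and a CRL or OCSP response fetched from the CA's repository. The subject, serial, document and timeline are constructed.

```python
from __future__ import annotations

import hashlib
import random
from datetime import datetime


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full-length and odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024) -> tuple[tuple[int, int], tuple[int, int]]:
    """Returns (public, private) as (n, e) and (n, d). Illustration only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def message_digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key: tuple[int, int], message: bytes) -> int:
    n, d = private_key
    return pow(message_digest(message), d, n)      # textbook RSA, no padding


def signature_valid(public_key: tuple[int, int], message: bytes, signature: int) -> bool:
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == message_digest(message)


def issue_certificate(serial: int, subject: str, public_key: tuple[int, int],
                      not_before: datetime, not_after: datetime) -> dict:
    """Stand-in for an X.509 certificate issued by the organization's CA."""
    return {"serial": serial, "subject": subject, "public_key": public_key,
            "not_before": not_before, "not_after": not_after}


def verify_signed_document(cert: dict, crl: set[int], document: bytes,
                           signature: int, now: datetime) -> tuple[bool, str]:
    """The relying party's checks: validity period, current CRL, then the signature."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate outside its validity period"
    if cert["serial"] in crl:
        return False, "certificate revoked: listed on the current CRL"
    if not signature_valid(cert["public_key"], document, signature):
        return False, "signature does not verify: altered document or different signer"
    return True, f"signed by {cert['subject']}"


# Constructed timeline for the usage below.
NOT_BEFORE, NOT_AFTER = datetime(2000, 1, 1), datetime(2001, 12, 31)
T_VALID, T_EXPIRED = datetime(2000, 6, 15), datetime(2002, 3, 1)
```

    The point of the three-step check is that a mathematically valid signature is not enough: the same signature over a document amended after signing fails, and a signature made with a key whose certificate is on the CRL or past its validity period is refused even though the arithmetic still works.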

     

    Technology Watch

    DOIT Task Force on E-commerce

    Senate Bill 820: Electronic transfers

    Assembly Bill 374: Insurance: digital signatures

    California Secretary of State regulations

    Federal and State Legislation affecting e-commerce and non-repudiation

    Products

    United States Postal Service

    Veri-sign

    Intrusion detection

    GTE

    DES and RSA algorithms

    Pretty Good Privacy (PGP)

     

    Appendix - Component Configurations (Buy List)

    Identification and Authentication

    RACF - Mainframe access

    NT Domain - LAN Access

    Access Control Subcomponent

    Global Security

    RACF

    Availability Subcomponent

    TBD

    Confidentiality Subcomponent

    RACF - Mainframe access

    Data Integrity Subcomponent

    Symantec Norton Antivirus 5.0

    Non-Repudiation Subcomponent

    TBD

    5.3 Personnel and Site Security Component

    Purpose

    Introduction and Background

    Personnel and Site Security controls consist of both physical or environmental security and personnel or individual staff security controls.

    Personnel and Site Security Controls are made up of the following subcomponents:

    IT facilities supporting critical or sensitive business activities should be housed in secure areas.

    IT Security should be addressed at the recruitment stage, including in job descriptions, contracts and proposals, and monitored during an individual's employment.

    Design Principles

    • Security incidents will be reported to management on a periodic basis.
    • Management will participate in the resolution of security incident patterns.

    Physical Security Subcomponent

    • Management will ensure that equipment is secured.
    • Sensitive and confidential documents will be safeguarded.
    • Management will ensure that staff are apprised of current physical security policies.
    • Management will ensure that staff are apprised of changes to existing physical security policies in a timely fashion.
    • Secure facility areas will have controlled access.

    Personnel Security Subcomponent

    • Recruitment announcements and contract Requests for Proposals will state security requirements, and references will be checked.
    • Employees will be familiarized with security requirements.
    • Users must be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.
    • All employees and contractors will be made aware of the procedures for reporting the different types of incident (security breach, threat, weakness or malfunction) that might have an impact on the security of organizational assets.
    • All employees and contractors will be required to report any observed or suspected incidents as quickly as possible to the designated point of contact.
    • All employees will be expected to participate in initial and ongoing security programs.
    • All employees and contractors will comply with security-related laws, policies and guidelines.
    • Managers and supervisors will address reported incidents.
    • Security breaches will be referred to HRSD under established, well-communicated disciplinary processes.
    • Instances of security breaches will be dealt with by established, well-communicated disciplinary processes.

    Review Cycle

    Initial review after 6 months; subsequent reviews in conjunction with the ISO policies or every 12 months, whichever occurs first.

    Physical Site Security Subcomponent

    Definition

    Physical security, as used in this architecture, is the protection of information processing equipment from damage, destruction or theft; of information processing facilities from damage, destruction or unauthorized entry; and of personnel from potentially harmful situations.

    Introduction

    Physical security at the organization encompasses all aspects of the physical environment. Sensitive and confidential information, whether in electronic or other form, must be physically protected from damage; physical security provides this function. Because information can take various forms, electronic or otherwise, physical security ensures these media are protected from damage or violation. Electronic media include mainframes, mid-range servers, PCs, laptops, PDAs and the rooms where these items reside. Physical security also ensures that documents, microfiche, microfilm and phone information are protected. Anywhere data can be seen or stored should be physically secured.

    Physical security is the responsibility of everyone in the organization. All organization staff need to be constantly aware of the classification of the information they are using and of its proper handling and storage requirements.

    Standards

    Sub-component: Physical Security

    Description: Equipment

    • Equipment will be physically protected from security threats and environmental hazards.
    • IT infrastructure supporting critical or sensitive business activities will be housed in a secure area and manner.
    • Secure areas will be protected by appropriate entry controls.
    • Critical systems will be designed to survive power interruptions and failures.
    • Power and telecommunication cabling used by the organization will be protected from interception or damage.
    • Data will be permanently erased from equipment prior to disposal.
    • The organization's equipment will be secured when it is outside the work site.

    Description: Clear Desk Policy

    • Confidential and sensitive information will be secured when unattended.

    Description: Facilities

    • IT facilities supporting critical or sensitive business activities must be housed in secure areas.

    Technology Watch

    Products

     

    Personnel Security Subcomponent

    Purpose Statement

    Personnel Security is an important aspect of an effective information protection program and is crucial for assuring the integrity, availability and confidentiality of the organization’s information assets. Developing, implementing and maintaining personnel security controls, whether legislatively mandated or managerially required, are essential to the management of these assets.

    Introduction

    Personnel security failures, or "incidents", must be reported through management channels as quickly as possible and tracked, both to minimize the damage and to learn from such incidents and malfunctions. If it is determined that staff are responsible for a security breach, a disciplinary process should be established, communicated and implemented. In addition to personnel security failures, suspected security weaknesses and software malfunctions should be reported.

    Standards

    Sub-component: Personnel Security

    Description: Recruitment

    • Job descriptions and/or Requests for Proposal (RFP) will define security roles and responsibilities.
    • Applications for employment will be screened, to the extent allowed by the organization's human resources policies and regulations, if the job involves access to the organization's sensitive information.

    Description: Workforce

    • Organization staff will sign a confidentiality agreement.
    • Staff will be trained in security procedures and the correct use of the organization's IT systems and facilities.
    • Staff will be trained in information security threats and the consequences of not following policy or procedure.
    • Staff and contractors will be trained in security procedures and the correct use of the organization's IT systems and facilities.
    • Staff will be given adequate security education and technical training.

    Description: Reporting (Incidents)

    • Incidents affecting security will be reported through management channels as quickly as possible.
    • Security incidents will be investigated and, if possible, responsibility identified.
    • Suspected security weaknesses will be reported.
    • Security failures will be investigated as a top priority.

    Description: Enforcement

    • An established, well-communicated disciplinary process will be implemented for dealing with security breaches.
    • Staff responsible for security breaches will be disciplined.

    Technology Watch

    Products

    TBD

     

    Appendix - Component Configurations (Buy List)

    Physical Security Subcomponent

    TBD

    Personnel Security Subcomponent

    TBD

    5.4 Communications and Operations Management Component

    Purpose

    To ensure the correct and secure operation of information processing facilities.

    Introduction and Background

    This component is made up of the following subcomponents:

    • Operational Procedures and Responsibilities Subcomponent
    • Systems Planning and Acceptance Subcomponent
    • Protection Against Malicious Software Subcomponent
    • Housekeeping Subcomponent
    • Network Management Subcomponent
    • Media Handling Security Subcomponent
    • Exchange of Information and Software Security Subcomponent

    Design Principles

    Operational Procedures and Responsibilities Subcomponent

    • Responsibilities and procedures for the management and operation of all information processing facilities must be established, including the development of appropriate operating instructions and incident response procedures.
    • Segregation of duties must be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

    Systems Planning and Acceptance Subcomponent

    • Advance planning and preparation are required to ensure the availability of adequate computing and storage capacity and resources.
    • Projections of future capacity requirements must be made to reduce the risk of system overload and potential failure.
    • The operational requirements of new systems must be established, documented and tested prior to their acceptance and use.

    Protection against Malicious Software Subcomponent

    • Software should be obtained from a trusted source.
    • Software should be checked for validity periodically to guard against unauthorized modification.

    Housekeeping Subcomponent

    • Routine procedures must be established for carrying out the agreed back-up strategy: taking back-up copies of data and rehearsing their timely restoration, logging events and faults, and, where appropriate, monitoring the equipment environment.

    Network Management Subcomponent

    • Additional controls are required to protect sensitive data passing over public networks.
    • Network access points (remote access or dial-up) will enforce access controls at least equivalent to those applied to a person accessing the computer from within the network boundary.
    • Firewalls will be used to detect and report unauthorized intruders on the network.

    Media Handling Security Subcomponent

    • Appropriate operating procedures must be established to protect documents, computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft and unauthorized access.

    Exchange of Information and Software Security Subcomponent

    • Exchanges of information and software between organizations must be controlled and must comply with any relevant legislation, state policy and regulations.
    • Procedures and standards to protect information and media in transit must be established.
    • The business and security implications of electronic data interchange, electronic commerce and electronic mail, and the controls they require, must be addressed.
    • Exchanges must be carried out on the basis of formal written agreements.

    Review Cycle

    Initial review after 6 months; subsequent reviews in conjunction with the ISO policies or every 12 months, whichever occurs first.

     

    Operational Procedures and Responsibilities Subcomponent

    Introduction

    Documented operating procedures

    The operating procedures identified by the security architecture and policy should be documented and maintained. Operating procedures should be treated as formal documents and changes authorized by management.

    Operational change control

    Changes to information processing facilities and systems should be controlled. Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes to equipment, software or procedures. Operational programs should be subject to strict change control. When programs are changed, an audit log containing all relevant information should be retained. Changes to the operational environment can affect applications. Wherever practicable, operational and application change control procedures should be integrated.

    Incident management procedures

    Incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents.

    Segregation of duties

    Segregation of duties is a method for reducing the risk of accidental or deliberate system misuse. Separating the management or execution of certain duties or areas of responsibility, in order to reduce opportunities for unauthorized modification or misuse of information or services, should be considered.

    Separation of development and operational facilities

    Separating development, test and operational facilities is important to achieve segregation of the roles involved. Rules for the transfer of software from development to operational status should be defined and documented.

    Development and test activities can cause serious problems; e.g., unwanted modification of files or of the system environment, or system failure. The level of separation between operational, test and development environments that is necessary to prevent operational problems should be considered. A similar separation should also be implemented between development and test functions. In this case, there is a need to maintain a known and stable environment in which to perform meaningful testing and to prevent inappropriate developer access.

    Where development and test staff have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems this capability could be misused to commit fraud, or to introduce untested or malicious code. Untested or malicious code can cause serious operational problems. Developers and testers also pose a threat to the confidentiality of operational information. Development and testing activities may cause unintended changes to software and information if they share the same computing environment. Separating development, test and operational facilities is therefore desirable to reduce the risk of accidental change or unauthorized access to operational software and business data.

    External facilities management

    The use of an external contractor to manage information-processing facilities may introduce potential security exposures, such as the possibility of compromise, damage, or loss of data at the contractor's site. These risks should be identified in advance, and appropriate controls agreed with the contractor and incorporated into the contract.

    Standards

    Sub-component: Operational procedures and responsibilities

    Description: General

    • The operating procedures identified by the security policy must be documented and maintained.
    • Operating procedures must be treated as formal documents and changes authorized by management.
    • The procedures must specify the instructions for the detailed execution of each job.
    • Documented procedures must also be prepared for system housekeeping activities associated with information processing and communication facilities, such as computer start-up and shutdown procedures, back-up, equipment maintenance, computer room and mail handling management, and safety.

    Description: Operational change control

    • Changes to information processing facilities and systems must be controlled.
    • Formal management responsibilities and procedures must be in place to ensure satisfactory control of all changes to equipment, software or procedures.
    • Operational programs must be subject to strict change control.
    • When programs are changed, an audit log containing all relevant information must be retained.
    • Changes to the operational environment can affect applications. Wherever practicable, operational and application change control procedures must be integrated.

    Description: Incident management procedures

    • Incident management responsibilities and procedures must be established to ensure a quick, effective and orderly response to security incidents.
    • Procedures must be established to cover all potential types of security incident.
    • Audit trails and similar evidence must be collected and secured, as appropriate.
    • Action to recover from security breaches and correct system failures must be carefully and formally controlled.

    Description: Segregation of duties

    • Separate the management or execution of certain duties or areas of responsibility, in order to reduce opportunities for unauthorized modification or misuse of information or services.
    • Whenever it is difficult to segregate duties, other controls such as monitoring of activities, audit trails and management supervision will be considered.
    • Security audit will remain independent.
    • Ensure that no single person can perpetrate fraud in areas of single responsibility without being detected.
    • The initiation of an event must be separated from its authorization.

    Description: Separation of development and operational facilities

    • Separating development, test and operational facilities is required to achieve segregation of the roles involved.
    • Rules for the transfer of software from development to operational status must be defined and documented.
    • All code will be tested prior to implementation.
    • Development and testing activities will be separated from the production environment.
    • Only authorized staff have access to testing, development and production environments.
    • Development and operational software will run on different computer processors, or in different domains or directories.
    • Development and testing activities must be separated.
    • Compilers, editors and other system utilities must not be accessible from operational systems.
    • Different log-on procedures must be used for operational and test systems.
    • Development staff must only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems. Controls must ensure that such passwords are changed after use.

    Description: External facilities management

    • Risks associated with the use of an external contractor must be identified in advance, and appropriate controls agreed with the contractor and incorporated into the contract.
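    The segregation-of-duties standards above (initiation separated from authorization, no single person able to act undetected, and audit trails where full segregation is impractical) are easiest to see as a concrete control. The Go program below is an added illustration, not part of this document or of any system it describes: a constructed request workflow in which a request can be authorized only by a second person holding the approver duty, and every decision, including refusals, is written to an audit trail for later independent review. The user names, duty assignments and request text are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Request is something that needs a second person's authorization before it takes effect.
type Request struct {
	ID          int
	Description string
	InitiatedBy string
	ApprovedBy  string // empty until authorized
}

// Workflow holds a constructed directory of duties and the audit trail the standard asks for.
type Workflow struct {
	initiators map[string]bool // who may initiate
	approvers  map[string]bool // who may authorize
	audit      []string
	requests   []*Request
}

func NewWorkflow(initiators, approvers []string) *Workflow {
	w := &Workflow{initiators: map[string]bool{}, approvers: map[string]bool{}}
	for _, u := range initiators {
		w.initiators[u] = true
	}
	for _, u := range approvers {
		w.approvers[u] = true
	}
	return w
}

func (w *Workflow) record(format string, args ...any) {
	w.audit = append(w.audit, fmt.Sprintf(format, args...))
}

// Initiate creates a pending request; only holders of the initiator duty may do so.
func (w *Workflow) Initiate(user, description string) (*Request, error) {
	if !w.initiators[user] {
		w.record("DENY initiate by %s: not an initiator", user)
		return nil, errors.New("user may not initiate requests")
	}
	r := &Request{ID: len(w.requests) + 1, Description: description, InitiatedBy: user}
	w.requests = append(w.requests, r)
	w.record("INITIATE #%d by %s: %s", r.ID, user, description)
	return r, nil
}

// Approve authoriz a pending request. The self-approval check is the control
// that keeps initiation and authorization in different hands even when one
// person holds both duties.
func (w *Workflow) Approve(r *Request, user string) error {
	var reason string
	switch {
	case !w.approvers[user]:
		reason = "not an approver"
	case user == r.InitiatedBy:
		reason = "initiator may not authorize own request"
	case r.ApprovedBy != "":
		reason = "already authorized by " + r.ApprovedBy
	}
	if reason != "" {
		w.record("DENY approve #%d by %s: %s", r.ID, user, reason)
		return errors.New(reason)
	}
	r.ApprovedBy = user
	w.record("APPROVE #%d by %s", r.ID, user)
	return nil
}

// Audit returns the trail for the independent review the standard requires
// where segregation alone is not enough.
func (w *Workflow) Audit() []string { return w.audit }

func main() {
	// alice holds both duties, as happens in small teams; the control still
	// prevents her from authorizing what she initiated.
	w := NewWorkflow([]string{"alice", "carol"}, []string{"alice", "bob"})
	r, _ := w.Initiate("alice", "vendor payment, constructed invoice 1042")
	fmt.Println(w.Approve(r, "alice")) // refused: self-approval
	fmt.Println(w.Approve(r, "carol")) // refused: not an approver
	fmt.Println(w.Approve(r, "bob"))   // <nil>: authorized by a second person
	for _, line := range w.Audit() {
		fmt.Println(line)
	}
}
```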

    Technology Watch

    Products

     

    System Planning and Acceptance Subcomponent

    Introduction

    Capacity planning

    Capacity demands should be monitored and projections of future capacity requirements made to ensure that adequate processing power and storage are available. These projections should take account of new business and system requirements and current and projected trends in the organization's information processing.

    Mainframe computers require particular attention, because of the much greater cost and lead time for procurement of new capacity. Managers of mainframe services should monitor the utilization of key system resources, including processors, main storage, file storage, printers and other output devices, and communications systems. They should identify trends in usage, particularly in relation to business applications or management information system tools.

    Internet web and application servers also require particular attention where levels of access are either unknown or of high or increasing volume. Additional servers may become necessary on a relatively short timeframe.

    Managers should use this information to identify and avoid potential bottlenecks that might present a threat to system security or user services, and to plan appropriate remedial action.

    System acceptance

    Acceptance criteria for new information systems, upgrades and new versions should be established and suitable tests of the system carried out prior to acceptance. Managers should ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented and tested.

    Standards

    Sub-component: System planning and acceptance

    Description: General

    • All new systems will be monitored during startup.
    • All critical systems will be monitored on an ongoing basis and will be subject to an SLA.
    • All network devices, circuits and segments will be monitored.
    • All new systems will be monitored during acceptance testing to establish system-wide operational requirements.

    Description: Capacity planning

    • Capacity demands must be monitored and projections of future capacity requirements made.
    • Mainframe services must monitor the utilization of key system resources, including processors, main storage, file storage, printers and other output devices, and communications systems, and identify trends in usage.
    • Capacity information will be used to identify and avoid potential bottlenecks that might present a threat to system security or user services.
    • Plan appropriate remedial action to resolve capacity issues.

    Description: System acceptance

    • Acceptance criteria for new information systems, upgrades and new versions must be established and suitable tests of the system carried out prior to acceptance.
    • Requirements and criteria for acceptance of new systems will be clearly defined, agreed, documented and tested.
    • The operations organization and users must be consulted at all stages in the development process to ensure the operational efficiency of the proposed system design.
    • Appropriate tests must be carried out to confirm that all acceptance criteria are fully satisfied.

    Technology Watch

    Products

     

    Protection against Malicious Software Subcomponent

    Purpose Statement

    Introduction

    Controls against malicious software

    Detection and prevention controls to protect against malicious software and appropriate user awareness procedures should be implemented. Protection against malicious software should be based on security awareness, appropriate system access and change management controls.

    Standards

    Subcomponent: Protection against malicious software

    Description: Controls against malicious software

    • Implement detection and prevention controls to protect against malicious software.
    • Implement appropriate user awareness procedures regarding malicious software.
    • Base protection against malicious software on security awareness, appropriate system access and change management controls.
    • Comply with software licenses and prohibit the use of unauthorized software.
    • Determine what protective measures must be taken for software from non-traditional sources.
    • Install and regularly update anti-virus detection and repair software to scan computers and media on a routine basis.
    • Conduct reviews of the software and data content of systems supporting critical business processes for unauthorized changes.
    • Report and formally investigate any unapproved files or unauthorized amendments as a security incident.
    • Check any files on electronic media of uncertain or unauthorized origin, or files received over untrusted networks, for viruses before use.
    • Check any electronic mail attachments and downloads for malicious software before use.
    • Develop management procedures and responsibilities to deal with virus protection on systems, training in its use, and reporting and recovering from virus attacks.
    • Develop appropriate business continuity plans for recovering from virus attacks, including all necessary data and software back-up and recovery arrangements.
    • Develop procedures to verify all information relating to malicious software, and ensure that warning bulletins are accurate and informative.
    • Ensure that qualified sources (e.g., reputable journals, reliable Internet sites or anti-virus software suppliers) are used to differentiate between hoaxes and real viruses, and to determine what to do on receipt of them.
    • Staff must be made aware of the problem of hoaxes.
    • Staff must be made aware of virus infections and their remediation as early as possible.
    • Anti-virus software must be upgraded as new viruses appear.
    • Viruses must be reported upon detection.
    • Periodic anti-virus updates from a reliable source must be applied.
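    Two of the controls in this component, the design principle that software be checked periodically for validity and the standard above that the software and data content of critical systems be reviewed for unauthorized changes, are usually implemented as a file-integrity review against a baseline taken when the system was accepted. The Go program below is an added illustration, not part of this document or of any product it lists: it hashes a constructed directory tree into a baseline manifest, takes a second snapshot after a patched binary, an unapproved extra file and a deleted library, and reports exactly the differences that the standard says are to be reported and investigated as a security incident. The file names and contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot walks root and returns a manifest of relative path -> SHA-256 of contents; one taken at acceptance is the baseline.
func Snapshot(root string) (map[string]string, error) {
	manifest := map[string]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path)
		sum := sha256.Sum256(data)
		manifest[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return manifest, err
}

// Report lists every deviation from the baseline; per the standard, each one is a security incident to report and investigate.
type Report struct {
	Modified, Added, Removed []string
}

func (r Report) Clean() bool { return len(r.Modified)+len(r.Added)+len(r.Removed) == 0 }

// Compare is the review itself: the baseline manifest against the current one.
func Compare(baseline, current map[string]string) Report {
	var r Report
	for path, want := range baseline {
		got, ok := current[path]
		switch {
		case !ok:
			r.Removed = append(r.Removed, path)
		case got != want:
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			r.Added = append(r.Added, path)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	return r
}

// runDemo builds a constructed "critical system" tree in a temp dir, baselines it, then makes the three kinds of change a review must catch.
func runDemo() (Report, error) {
	root, err := os.MkdirTemp("", "integrity-demo")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(root)
	write := func(name, content string) { // constructed sample files, not real system files
		p := filepath.Join(root, name)
		_ = os.MkdirAll(filepath.Dir(p), 0o755)
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			panic(err)
		}
	}
	write("bin/payroll", "v1 binary")
	write("etc/payroll.conf", "db=prod")
	write("lib/report.so", "v1 lib")
	baseline, err := Snapshot(root)
	if err != nil {
		return Report{}, err
	}
	write("bin/payroll", "v1 binary with extra code") // patched binary
	write("bin/.helper", "unknown")                   // file that was never approved
	if err := os.Remove(filepath.Join(root, "lib/report.so")); err != nil { // library deleted
		return Report{}, err
	}
	current, err := Snapshot(root)
	if err != nil {
		return Report{}, err
	}
	return Compare(baseline, current), nil
}

func main() {
	r, err := runDemo()
	fmt.Printf("err=%v modified=%v added=%v removed=%v clean=%v\n", err, r.Modified, r.Added, r.Removed, r.Clean())
}
```

    In practice the baseline manifest is stored, and signed or hashed, somewhere the reviewed system cannot write to; a baseline kept on the same host is only as trustworthy as the host being reviewed.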

    Technology Watch

    Products

     

    Housekeeping Subcomponent

    Introduction

    Information back-up

    Back-up copies of essential business information and software should be taken regularly. Adequate back-up facilities should be provided to ensure that all essential business information and software can be recovered following a disaster or media failure. Back-up arrangements for individual systems should be regularly tested to ensure that they meet the requirements of business continuity plans.

    Operator logs

    Operator logs are used to track processes that occur on a daily basis and are used to reconstruct any security incident that may occur.

    Fault logging

    Any report of an exception or a fault reported by users can be useful in developing a complete picture and assist in refining any reports of security-related incidents.

    Standards

    Subcomponent: Housekeeping

    Description: Information back-up

    • Back-up copies of essential business information and software must be taken regularly.
    • Adequate back-up facilities must be provided to ensure that all essential business information and software can be recovered following a disaster or media failure.
    • Back-up arrangements for individual systems must be regularly tested to ensure that they meet the requirements of business continuity plans.
    • A minimum level of back-up information, together with accurate and complete records of the back-up copies and documented restoration procedures, must be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.
    • Maintain at least three generations or cycles of back-up information for important business applications.
    • Back-up information must be given an appropriate level of physical and environmental protection consistent with the standards applied at the main site.
    • The security controls applied to media at the main site must be extended to cover the back-up site.
    • Back-up media must be regularly tested, where practicable, to ensure that they can be relied upon for emergency use when necessary.
    • Restoration procedures must be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery.
    • The retention period for essential business information, and also any requirement for archive copies to be permanently retained, must be determined.

    Description: Operator logs

    • Operational staff must maintain a log of their activities.
    • Logs must include, as a minimum:
        • system starting and finishing times;
        • system errors and corrective action taken;
        • confirmation of the correct handling of data files and computer output;
        • the name of the person making the log entry.
    • Operator logs must be subject to regular, independent checks against operating procedures.

    Description: Fault logging

    • Faults must be reported and corrective action taken.
    • Faults reported by users regarding problems with information processing or communications systems must be logged.
    • There must be clear rules for handling reported faults.
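    The operator-log standard above fixes the minimum content of each entry and requires regular, independent checks of the log against operating procedures. The Go program below is an added illustration, not part of this document: it parses a constructed operator log (the line format, field names, system names and operator names are invented for the example) and produces one finding for each entry with no operator name, each system started but never finished, each finish with no preceding start, and each error with no corrective action logged, which is the kind of check an independent reviewer would run over a day's log.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Entry is one operator log record. The line format is constructed for this
// example (not the organization's real format):
//   <timestamp> <EVENT> system=<name> by=<operator> [note=<text>]
// where EVENT is START, FINISH, ERROR, ACTION (corrective action) or OUTPUT
// (confirmation that output was handled correctly).
type Entry struct {
	Line                          int
	Time, Event, System, By, Note string
}

func parseEntry(n int, line string) (Entry, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Entry{}, fmt.Errorf("line %d: malformed entry", n)
	}
	e := Entry{Line: n, Time: fields[0], Event: fields[1]}
	for _, kv := range fields[2:] {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "system":
			e.System = v
		case "by":
			e.By = v
		case "note":
			e.Note = v
		}
	}
	return e, nil
}

// Check is the independent review. It returns one finding per deviation from the
// minimum log content: a missing operator name, a START with no FINISH for that
// system, a FINISH with no START, or an ERROR with no corrective ACTION after it.
func Check(log string) []string {
	var findings []string
	started := map[string]int{}   // system -> line of its unmatched START
	unhandled := map[string]int{} // system -> line of an ERROR with no ACTION yet
	for i, raw := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := parseEntry(i+1, raw)
		if err != nil {
			findings = append(findings, err.Error())
			continue
		}
		if e.By == "" {
			findings = append(findings, fmt.Sprintf("line %d: no operator name", e.Line))
		}
		switch e.Event {
		case "START":
			started[e.System] = e.Line
		case "FINISH":
			if _, ok := started[e.System]; !ok {
				findings = append(findings, fmt.Sprintf("line %d: FINISH for %s without START", e.Line, e.System))
			}
			delete(started, e.System)
		case "ERROR":
			unhandled[e.System] = e.Line
		case "ACTION":
			delete(unhandled, e.System)
		}
	}
	for sys, line := range started {
		findings = append(findings, fmt.Sprintf("line %d: START of %s never finished", line, sys))
	}
	for sys, line := range unhandled {
		findings = append(findings, fmt.Sprintf("line %d: ERROR on %s has no corrective action logged", line, sys))
	}
	sort.Strings(findings) // map iteration order is random; sorted output is reproducible
	return findings
}

// sampleLog is constructed: a clean payroll run, then a billing run with two gaps
// and a stray FINISH for a system that was never started.
const sampleLog = `
2024-03-01T06:00Z START system=payroll by=jsmith
2024-03-01T06:05Z ERROR system=payroll by=jsmith note=tape-read-failure
2024-03-01T06:10Z ACTION system=payroll by=jsmith note=retried-with-second-tape
2024-03-01T06:40Z OUTPUT system=payroll by=jsmith note=checks-printed-and-counted
2024-03-01T06:45Z FINISH system=payroll by=jsmith
2024-03-01T07:00Z START system=billing by=akhan
2024-03-01T07:20Z ERROR system=billing
2024-03-01T08:00Z FINISH system=ledger by=akhan
`

func main() {
	for _, f := range Check(sampleLog) {
		fmt.Println(f)
	}
}
```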

    Technology Watch

    Products

     

    Network Management Subcomponent

    Introduction

    Network controls

    A range of controls is required to achieve and maintain security in computer networks. Network managers should implement controls to ensure the security of data in networks, and the protection of connected services from unauthorized access.

    Standards

    Subcomponent: Network controls

    • Network managers must implement controls to ensure the security of data in networks, and the protection of connected services from unauthorized access.
    • Operational responsibility for networks must be separated from computer operations where appropriate.
    • Responsibilities and procedures for the management of remote equipment, including equipment in user areas, must be established.
    • Controls must be established to safeguard the confidentiality and integrity of data passing over public networks, and to protect the connected systems.
    • Special controls will also be required to maintain the availability of the network services and computers connected to the network.
    • Ensure that controls are consistently applied across the information-processing infrastructure to optimize the service to the business.
    • Controls at the access points of the network must be established and enforced.
    • All network devices connected to the infrastructure must be fully tested prior to implementation on the production network.

    Description: Publicly Accessible Servers

    • Publicly accessible servers must be carefully monitored and controlled to ensure their content is appropriate and authorized.
    • Public access server data content will be separated from operational data content.
    • Protect all data on the private network from public access.

     

    Technology Watch

    Products

     

    Media Handling Security Subcomponent

    Introduction

    Management of removable computer media

    There should be procedures for the management of removable computer media, such as tapes, disks, cassettes and printed reports.

    Disposal of media

    Media should be disposed of securely and safely when no longer required. Sensitive information could be leaked to outside persons through careless disposal of media. Formal procedures for the secure disposal of media should be established to minimize this risk.

    Information handling procedures

    Procedures for the handling and storage of information should be established in order to protect such information from unauthorized disclosure or misuse. Procedures should be drawn up for handling information consistent with its classification in documents, computing systems, networks, mobile computing, mobile communications, mail, voice mail, voice communications in general, multimedia, postal services/facilities, use of fax machines and any other sensitive items; e.g., blank checks, invoices.

    Security of system documentation

    System documentation may contain a range of sensitive information; e.g., descriptions of applications processes, procedures, data structures, authorization processes.

    Standards

    Subcomponent

    Description

    Standard

    Media handling and security

    Management of removable computer media

    Establish procedures for the management of removable computer media, such as tapes, disks, cassettes and printed reports.

    The previous contents of any reusable media that are to be removed from the organization must be erased.

    Authorization must be required for all media removed from the organization and a record of all such removals to maintain an audit trail must be kept.

    All media must be stored in a safe, secure environment, in accordance with manufacturers' specifications.

       

    All procedures and authorization levels must be clearly documented.

     

    Disposal of media

    Dispose of media securely and safely when no longer required.

    Media must be emptied of data before use by another application within the organization.

    Establish formal procedures for the secure disposal of media to minimize the risk of misuse of sensitive information.

    Media containing sensitive information must be stored and disposed of securely and safely; e.g., by incineration or shredding, or

    A contractor offering collection and disposal services must have adequate controls and experience.

    Disposal of sensitive items must be logged in order to maintain an audit trail.

    Dispose of media often, a large quantity of unclassified information contains sensitive information, often more than a small quantity of classified information.

     

    Information handling procedures

    Establish procedures for the handling and storage of information in order to protect such information from unauthorized disclosure or misuse.

    Develop procedures for handling information consistent with its classification in documents, computing systems, networks, mobile computing, mobile communications, mail, voice mail, voice communications in general, multimedia, postal services/facilities, use of fax machines and any other sensitive items; e.g., blank checks, invoices.

     

    Security of system documentation

    System documentation must be stored securely.

    The access list for system documentation must be kept to a minimum and authorized by the application owner.

    System documentation held on a public network, or supplied via a public network, must be appropriately protected.

    Computer media should be controlled and physically protected.

    Technology Watch

    Products

     

    Exchanges of Information and Software Subcomponent

    Introduction

    Information and software exchange agreements

    Agreements, some of which may be formal, including software escrow agreements when appropriate, should be established for the exchange of information and software (whether electronic or manual) between organizations. The security content of such an agreement should reflect the sensitivity of the business information involved.

    Security of media in transit

    Information can be vulnerable to unauthorized access, misuse or corruption during physical transport; e.g., when sending media via the postal service or via courier.

    Electronic commerce security

    Electronic commerce can involve the use of electronic data interchange (EDI), electronic mail and on-line transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats, which may result in fraudulent activity, contract dispute and disclosure, or modification of information. Controls should be applied to protect electronic commerce from such threats.

    Security of electronic mail

    Security risks

    Electronic mail is being used for business communications, replacing traditional forms of communication such as telex and letters. Electronic mail differs from traditional forms of business communications by, for example, its speed, message structure, degree of informality and vulnerability to unauthorized actions. Consideration should be given to the need for controls to reduce security risks created by electronic mail.

    Policy on electronic mail

    Organizations should have a clear policy regarding the use of electronic mail.

    Security of electronic office systems

    Policies and guidelines should be prepared and implemented to control the business and security risks associated with electronic office systems. These provide opportunities for faster dissemination and sharing of business information using a combination of: documents, computers, mobile computing, mobile communications, mail, voice mail, voice communications in general, multimedia, postal services/facilities and fax machines.

    Publicly available systems

    Care should be taken to protect the integrity of electronically published information to prevent unauthorized modification that could harm the reputation of the publishing organization. Information on a publicly available system; e.g., information on a Web server accessible via the Internet, now needs to comply with laws, rules and regulations in the jurisdiction in which the system is located or where trade is taking place.

    Other forms of information exchange

    Procedures and controls should be in place to protect the exchange of information through the use of voice, facsimile and video communications facilities. Information could be compromised due to lack of awareness, policy or procedures on the use of such facilities; e.g., being overheard on a mobile phone in a public place, answering machines being overheard, unauthorized access to dial-in voice-mail systems or accidentally sending facsimiles to the wrong person using facsimile equipment. Information could also be compromised if unauthorized users gain access to these facilities.

    Standards

    Subcomponent

    Description

    Standard

    Exchanges of information and software

    Information and software exchange agreements

    Develop formal software escrow agreements when appropriate. Establish formal agreements for the exchange of information and software (whether electronic or manual) between organizations.

    Agreements must reflect the sensitivity of the business information involved.

     

    Security of media in transit

    Use reliable transport.

    Develop a list of authorized couriers.

    Develop and implement a procedure to check the identification of couriers.

    Packaging must be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with manufacturers' specifications.

    Special controls must be adopted, where necessary, to protect sensitive information from unauthorized disclosure or modification.

     

    Electronic commerce security

    Develop electronic commerce agreements between trading partners that commit both parties to the agreed terms of trading, including details of authorization, authentication and non-repudiation.

     

    Security of electronic mail

    Security risks

    Develop controls to reduce security risks created by electronic mail.

     

    Policy on electronic mail

    Organizations must draw up a clear policy regarding the use of electronic mail.

     

    Security of electronic office systems

    Develop and implement policies and guidelines to control the business and security risks associated with electronic office systems.

     

    Publicly available systems

    Develop processes and procedures to protect the integrity of electronically published information, preventing unauthorized modification that could harm the reputation of the publishing organization. Comply with laws, rules and regulations in the jurisdiction in which the system is located or where trade is taking place.

    Have a formal authorization process before information is made publicly available.

    Protect, by appropriate mechanisms, software, data and other information that require a high level of integrity and/or are made available on a publicly available system.

    Electronic publishing systems, especially those that permit feedback and direct entering of information, must be carefully controlled.

     

    Other forms of information exchange

    Develop and implement a policy statement of the procedures staff are expected to follow in using voice, facsimile and video communications.

       

    Develop and implement security controls and policies that staff will be expected to follow prior to the public dissemination of any information.

    Technology Watch

    Products

     

    Appendix - Component Configurations (Buy List)

    Operational Procedures and Responsibilities Subcomponent

    Systems Planning and Acceptance Subcomponent

    Protection against Malicious Software Subcomponent

    Housekeeping Subcomponent

    Network Management Subcomponent

    Media Handling Security Subcomponent

    5.5 Systems Development and Maintenance Component

    Purpose

    The purpose of the Systems Development and Maintenance component is to ensure that security is considered and built into all of the organization's information systems, and that, through the proper change process, all application and system changes are appropriately considered and tested so that they do not introduce unreasonable risks to the organization's information assets.

    Introduction and Background

    A key security objective of the Systems Development and Maintenance component is to ensure that security issues are properly addressed at all appropriate times in the systems development life cycle. With today's increasing use of client/server and web-based technologies, it is imperative that security be considered up front and designed into the application at the beginning of the development cycle.

    Both the computing platforms and the tools used to develop software have changed significantly over the past five years. The organization is no longer a mainframe-centric organization. Network solutions are increasingly using the Internet as a communications medium. With this comes much greater risk and exposure to vulnerabilities. It is essential that applications be developed or procured with security requirements defined early in the process, to ensure they are implemented with security in place.

    The other key objective is to ensure that all changes to the organization's systems, whether application or systems software, are evaluated and validated so that these changes do not put the organization's information assets at a risk that could jeopardize their availability, integrity or confidentiality.

    The component is made up of the following subcomponents:

    Design Principles

    Security Requirements in Systems Subcomponent

    • Application and network systems include all infrastructure, business applications and user-developed applications required to operate that system.
    • All security requirements, including the need for fallback arrangements, must be identified at the requirements phase of a project and justified, agreed to, and documented as part of the overall business case for an information system.
    • The design and implementation of the business processes supporting the application or service can be crucial for security.
    • Security requirements must be identified and agreed to prior to the development of information systems.
    • The design and implementation of security administration processes are crucial to ensuring application security.
    • Any security requirement for new login processes must be integrated into existing processes.

    Security in Application Systems Subcomponent

    • Appropriate controls and audit trails or activity logs must be designed into application systems, including user-written applications.
    • Include the validation of input data, internal processing and output data to ensure data integrity.
    • Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical organizational assets, based on risk to those assets.
    • Controls must be determined on the basis of security requirements and risk assessment.

    Cryptographic Controls Subcomponent

    • Cryptographic systems and techniques must be used for the protection of information that is considered at risk and for which no other controls would provide adequate protection.
    • Cryptographic controls must be applied for sensitive and personal data transferred through the Internet.
    • Cryptographic data storage should be used for the most sensitive data, such as storage of individuals' personal identification numbers (PINs).

    Security of System Files Subcomponent

    • Access to system files must be controlled.
    • Maintaining system integrity must be the responsibility of the business owner or development group to whom the application system or software belongs.

    Security in Development and Support Processes Subcomponent

    • Project and support environments must be strictly controlled.
    • Managers responsible for application systems must also be responsible for the security of the project or support environment, ensuring that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.

    Review Cycle

    Initial review after 6 months; subsequent reviews in conjunction with the ISO policies or every 12 months, whichever occurs first.

     

    Application Systems Security Subcomponent

    Introduction

    Input Data Validation

    Data input to application systems should be validated to ensure that it has integrity (i.e., is correct and appropriate). Checks should be applied to the input of business transactions, standing data (names and addresses, credit limits, customer reference numbers) and parameter tables (sales prices, currency conversion rates, tax rates).

    Control of Internal Processing

    Data that has been correctly entered can be corrupted by processing errors or through deliberate acts. Validation checks should be incorporated into systems to detect such corruption. The design of applications should ensure that restrictions are implemented to minimize the risk of processing failures leading to a loss of data integrity.

    Message Authentication

    Message authentication is a technique used to detect unauthorized changes to, or corruption of, the contents of a transmitted electronic message. It can be implemented in hardware (a physical message authentication device) or in software (a software algorithm).

    Message authentication should be considered for applications where there is a security requirement to protect the integrity of the message content; e.g., electronic funds transfers or other similar electronic data exchanges. An assessment of security risks should be carried out to determine if message authentication is required and to identify the most appropriate method of implementation.

    Message authentication is not designed to protect the contents of a message from unauthorized disclosure. Cryptographic techniques can be used as an appropriate means of implementing message authentication.
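    The following Python code is an added illustration of the message authentication technique described above; it is not part of this standard and is not code from any product on the buy list. It uses an HMAC (a keyed hash, one of the cryptographic techniques the text refers to) over a constructed funds-transfer instruction with a constructed shared key. It shows that a genuine message verifies, that a corrupted message, a message checked with the wrong key or a message with no authentication code is rejected, and that the message content is readable without the key, which is why message authentication is an integrity control and not a confidentiality control.

```python
import hmac
import hashlib

# Constructed shared secret for this example only. In practice the key comes
# from the key management process described in the Cryptographic Controls
# subcomponent and is never embedded in application code.
SHARED_KEY = b"example-shared-secret-for-illustration-only"
SEPARATOR = b"|mac="


def compute_mac(key, message):
    """Message authentication code over the message content (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def frame(key, message):
    """Sender side: append the MAC to the message. The message itself travels
    in the clear; the MAC protects integrity, not confidentiality."""
    return message + SEPARATOR + compute_mac(key, message).hex().encode()


def parse_frame(data):
    """Split a received frame into (message, mac). No key is needed to read
    the message, which is why this is not a confidentiality control."""
    message, sep, mac_hex = data.rpartition(SEPARATOR)
    if not sep:
        raise ValueError("frame carries no MAC")
    return message, bytes.fromhex(mac_hex.decode())


def verify(key, data):
    """Receiver side: recompute the MAC and compare in constant time."""
    try:
        message, received_mac = parse_frame(data)
    except ValueError:
        return False
    return hmac.compare_digest(compute_mac(key, message), received_mac)


def demo():
    """Constructed exchange; returns one boolean per property demonstrated."""
    instruction = b"TRANSFER 1000.00 FROM 10000001 TO 10000002"
    wire = frame(SHARED_KEY, instruction)
    # The amount is changed after the MAC was computed (a transmission error
    # or an unauthorized edit); the MAC no longer matches the content.
    corrupted = wire.replace(b"1000.00", b"9000.00")
    return {
        "readable_without_key": parse_frame(wire)[0] == instruction,
        "genuine_accepted": verify(SHARED_KEY, wire),
        "corrupted_rejected": not verify(SHARED_KEY, corrupted),
        "wrong_key_rejected": not verify(b"some-other-key", wire),
        "missing_mac_rejected": not verify(SHARED_KEY, instruction),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

    Constant-time comparison (hmac.compare_digest) is used on the receiving side so that verification time does not depend on how many leading bytes of the received code are correct.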

    Output Data Validation

    Data output from an application system should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. Typically, systems are constructed on the premise that having undertaken appropriate validation, verification and testing the output will always be correct. This is not always the case.

    Standards

    Subcomponent

    Description

    Standard

    Application Systems Security

    Input data validation

    Check input to detect the following errors:

    • out-of-range values;
    • invalid characters in data fields;
    • missing or incomplete data;
    • exceeding upper and lower data value and volume limits;
    • unauthorized or inconsistent control data;
    • wrong input data file utilized.

    Review the content of key fields or data files to confirm their validity and integrity.

    Inspect hardcopy input documents for any unauthorized changes to input data (all changes to input documents should be authorized).

    Establish procedures for responding to validation errors.

    Establish procedures for testing the plausibility of the input data.

    Test all procedures using mockup data, prior to testing with real data.

    Define the responsibilities of all personnel involved in the data input process.
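    As an added example of the input data validation standard above (example code written for this page, not part of this standard or of any product), the following Python validates a constructed batch of payment instructions. Each record is checked for missing fields, invalid characters, and out-of-range amounts, and the file is checked for volume limits and for consistency of the control data carried in the batch header (record count and control total). The record layout, field rules and limits are constructed assumptions chosen for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Field rules for a constructed "payment instruction" record (example values).
ACCOUNT_RE = re.compile(r"^[0-9]{8}$")      # eight digits, no other characters
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")     # three upper-case letters
REQUIRED_FIELDS = ("account", "amount", "currency")
AMOUNT_MIN = Decimal("0.01")
AMOUNT_MAX = Decimal("50000.00")
MAX_BATCH_RECORDS = 1000                    # volume limit for one input file


def parse_amount(value):
    """Return a Decimal, or None when the value is not a well-formed number."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None


def validate_record(rec):
    """Return a list of error codes for one record; an empty list means valid."""
    errors = []
    for name in REQUIRED_FIELDS:                      # missing or incomplete data
        if rec.get(name) in (None, ""):
            errors.append("missing:" + name)
    if "missing:account" not in errors and not ACCOUNT_RE.match(str(rec["account"])):
        errors.append("invalid_chars:account")        # invalid characters in data fields
    if "missing:currency" not in errors and not CURRENCY_RE.match(str(rec["currency"])):
        errors.append("invalid_chars:currency")
    if "missing:amount" not in errors:
        amount = parse_amount(rec["amount"])
        if amount is None or not amount.is_finite():  # "NaN"/"Infinity" parse but are not amounts
            errors.append("invalid:amount")
        elif not (AMOUNT_MIN <= amount <= AMOUNT_MAX):
            errors.append("out_of_range:amount")      # out-of-range values
    return errors


def validate_batch(header, records):
    """Check the file-level control data first, then every record."""
    batch_errors = []
    if len(records) > MAX_BATCH_RECORDS:              # volume limit
        batch_errors.append("volume:too_many_records")
    if header.get("record_count") != len(records):    # inconsistent control data
        batch_errors.append("control:record_count_mismatch")
    amounts = [parse_amount(r.get("amount")) for r in records]
    total = sum(a for a in amounts if a is not None and a.is_finite())
    if parse_amount(header.get("control_total")) != total:
        batch_errors.append("control:total_mismatch")
    record_errors = {}
    for index, rec in enumerate(records):
        errs = validate_record(rec)
        if errs:
            record_errors[index] = errs
    return {
        "batch_errors": batch_errors,
        "record_errors": record_errors,
        "accepted": not batch_errors and not record_errors,
    }


# Constructed sample input: two good records and one with several defects.
SAMPLE_HEADER = {"record_count": 3, "control_total": "1245.50"}
SAMPLE_RECORDS = [
    {"account": "12345678", "amount": "1000.00", "currency": "USD"},
    {"account": "87654321", "amount": "250.50", "currency": "EUR"},
    {"account": "1234-567", "amount": "-5.00", "currency": "usd"},
]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS))
```

    The result separates file-level control failures from per-record failures so that the procedure for responding to validation errors can reject a whole file (control data wrong) or only individual records, and so that the rejection reason is recorded for the audit trail.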

    Control of internal processing

    Establish session or batch controls to reconcile data file balances after transaction updates.

    Use balancing controls to check opening balances against previous closing balances, namely:

    • run-to-run controls;
    • file update totals;
    • program-to-program controls.

    Validate the integrity of data or software downloaded, or uploaded, between central and remote computers.

    Create and use hash totals of records and files, as appropriate.

    Validate that application programs are run at the correct time and in the correct order using correct files.

    Ensure that processing is halted if a program terminates because of a failure, until the problem is resolved.

    Output data validation

    Output validation includes:

    • plausibility checks to test whether the output data is reasonable;
    • reconciliation control counts to ensure processing of all data;
    • providing sufficient information for a reader or subsequent processing system to determine the accuracy, completeness, precision and classification of the information;
    • procedures for responding to output validation tests;
    • defining the responsibilities of all personnel involved in the data output process;
    • arrival of key information from different processes.
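    The following Python code is an added example covering both the control of internal processing standard (run-to-run controls, record counts, hash totals, validation of a transferred file, halting on failure) and the output data validation standard (plausibility checks on the results). It is written for this page and is not part of this standard or of any product. The account balances, transaction file and trailer record are constructed; the trailer layout, the use of SHA-256 as the file digest and the balance ceiling are assumptions made for the example.

```python
import hashlib
from decimal import Decimal

BALANCE_CEILING = Decimal("1000000.00")   # plausibility limit for any closing balance


def hash_total(records, field):
    """Arithmetic hash total: the sum of a field that has no business meaning
    (account numbers here). A dropped or duplicated record changes it."""
    return sum(int(r[field]) for r in records)


def file_digest(records):
    """Cryptographic digest over a canonical serialization, used to validate a
    file downloaded or uploaded between central and remote computers."""
    h = hashlib.sha256()
    for r in records:
        h.update(f"{r['account']}|{r['amount']}\n".encode())
    return h.hexdigest()


def make_trailer(records):
    """Control record written by the producing program and carried with the file."""
    return {
        "record_count": len(records),
        "hash_total": hash_total(records, "account"),
        "sha256": file_digest(records),
    }


def apply_transactions(opening, transactions):
    """The file update step: post every transaction to its account."""
    closing = dict(opening)
    for t in transactions:
        closing[t["account"]] = closing.get(t["account"], Decimal("0")) + Decimal(t["amount"])
    return closing


def reconcile(previous_closing, opening, transactions, trailer):
    """Run the batch controls. 'halt' is set when any control fails, so the
    next program in the run does not start on corrupted data."""
    closing = apply_transactions(opening, transactions)
    checks = {
        # run-to-run control: last run's closing balances are this run's opening balances
        "run_to_run": previous_closing == opening,
        "record_count": trailer["record_count"] == len(transactions),
        "hash_total": trailer["hash_total"] == hash_total(transactions, "account"),
        "file_digest": trailer["sha256"] == file_digest(transactions),
        # output plausibility: no negative or absurdly large closing balance
        "output_plausible": all(Decimal("0") <= b <= BALANCE_CEILING for b in closing.values()),
    }
    return {"closing": closing, "checks": checks, "halt": not all(checks.values())}


# Constructed sample data.
PREVIOUS_CLOSING = {"10000001": Decimal("500.00"), "10000002": Decimal("75.25")}
TRANSACTIONS = [
    {"account": "10000001", "amount": "-120.00"},
    {"account": "10000002", "amount": "30.00"},
    {"account": "10000001", "amount": "15.50"},
]
TRAILER = make_trailer(TRANSACTIONS)


def demo():
    good = reconcile(PREVIOUS_CLOSING, dict(PREVIOUS_CLOSING), TRANSACTIONS, TRAILER)
    # One amount altered after the trailer was written: count and hash total still
    # agree (accounts unchanged) but the digest and plausibility checks catch it.
    altered = [dict(TRANSACTIONS[0], amount="-1200.00")] + TRANSACTIONS[1:]
    tampered = reconcile(PREVIOUS_CLOSING, dict(PREVIOUS_CLOSING), altered, TRAILER)
    # A record lost in transit: the record count and hash total disagree.
    dropped = reconcile(PREVIOUS_CLOSING, dict(PREVIOUS_CLOSING), TRANSACTIONS[:2], TRAILER)
    return {"good": good, "altered": tampered, "dropped": dropped}


if __name__ == "__main__":
    for name, run in demo().items():
        print(name, run["checks"], "halt" if run["halt"] else "continue")
```

    The example shows why an arithmetic hash total and a cryptographic digest are complementary: the hash total over account numbers detects lost or duplicated records cheaply, while only the digest detects a changed amount in a record that is still present.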

    Technology Watch

    Products

     

    Cryptographic Controls Subcomponent

    Introduction

    Cryptography – the art and science of creating messages that have some combination of being private, signed, unmodified, with non-repudiation. The conversion of data into a secret code for transmission over a public network. The original text, or plain text, is converted into a coded equivalent called cipher text via an encryption algorithm. The cipher text is decoded (decrypted) at the receiving end and turned back into plain text.

    Purpose Statement

    Determining if a cryptographic solution is appropriate is part of a wider process of assessing risks and selecting controls. This assessment should be used to determine whether a cryptographic control is appropriate, what type of control should be applied and for what purpose and business processes.

    Specialist advice should be sought to identify the appropriate level of protection, to select suitable products that will provide the required protection, and to implement a secure system of key management. In addition, legal advice should be sought regarding the laws and regulations that might apply to the organization's intended use of encryption.

    Encryption

    Encryption is a cryptographic technique that can be used to protect the confidentiality of information. It should be considered for the protection of sensitive or critical information.

    Digital signatures

    Digital signatures provide a means of protecting the authenticity and integrity of electronic documents. For example, they can be used in electronic commerce where there is a need to verify who signed an electronic document and check whether the contents of the signed document have been changed.

    Digital signatures can be applied to any form of document being processed electronically; e.g., they can be used to sign electronic payments, funds transfers, contracts and agreements. Digital signatures can be implemented using a cryptographic technique based on a uniquely related pair of keys where one key is used to create a signature (the private key) and the other to check the signature (the public key).

    Non-repudiation services

    Non-repudiation services should be used where it might be necessary to resolve disputes about occurrence or non-occurrence of an event or action; e.g., a dispute involving the use of a digital signature on an electronic contract or payment. They can help establish evidence to substantiate whether a particular event or action has taken place; e.g., denial of sending a digitally signed instruction using electronic mail. These services are based on the use of encryption and digital signature techniques.

    Key management

    The management of cryptographic keys is essential to the effective use of cryptographic techniques. Any compromise or loss of cryptographic keys may lead to a serious compromise of the confidentiality, authenticity and/or integrity of the organization's information.

     

    Standards

    Subcomponent

    Description

    Standard

    Cryptographic Controls

    Policy on the use of cryptographic controls

    Develop a policy on the use of cryptographic controls for the protection of the organization's information. The cryptographic control policy must consider:

    • the management approach towards the use of cryptographic controls across the organization, including the general principles under which business information should be protected;
    • the approach to management of keys, including methods to deal with the recovery of encrypted information in the case of lost, compromised or damaged keys;
    • roles and responsibilities; e.g., who is responsible for:
    1. the implementation of the policy;
    2. the management of keys;
    • how the appropriate level of cryptographic protection is to be determined;
    • the standards to be adopted for the effective implementation throughout the organization (which solution is used for which business processes).

    Encryption

    Identify the required level of protection, taking into account the type and quality of the encryption algorithm used and the length of cryptographic keys to be used.

     

    Digital signatures

    Protect the confidentiality of private keys.

    Provide public key security by the use of a public key certificate.

    Cryptographic keys used for digital signatures must be different from those used for encryption.

    Designers must be knowledgeable about legislation that describes the conditions under which a digital signature is legally binding.

    It may be necessary to have binding contracts or other agreements to support the use of digital signatures.

    Legal advice should be sought regarding the laws and regulations that might apply to the organization's intended use of digital signatures.

     

    Non-repudiation services

    Non-repudiation services must be used where it might be necessary to resolve disputes about occurrence or non-occurrence of an event or action; e.g., a dispute involving use of a digital signature on an electronic contract or payment.

     

    Protection of cryptographic keys

    All keys should be protected against modification and destruction.

    Secret and private keys need protection against unauthorized disclosure.

    Physical protection should be used to protect equipment used to generate, store and archive keys.

     

    Key Management

    Base the key management system on an agreed set of standards, procedures and secure methods for:

    • generating keys for different cryptographic systems and different applications;
    • generating and obtaining public key certificates;
    • distributing keys to intended users, including how keys should be activated when received;
    • storing keys, including how authorized users obtain access to keys;
    • changing or updating keys including rules on when keys should be changed and how this will be done;
    • dealing with compromised keys;
    • revoking keys including how keys should be withdrawn or deactivated; e.g., when keys have been compromised or when a user leaves an organization (in which case keys should also be archived);
    • recovering keys that are lost or corrupted as part of business continuity management; e.g., for recovery of encrypted information;
    • archiving keys; e.g., for information archived or backed up;
    • destroying keys;
    • logging and auditing of key management related activities.
     

    Standards, procedures and methods

    Keys must have defined activation and deactivation dates so they can only be used for a limited period of time.

    Procedures need to be considered for handling legal requests for access to cryptographic keys; e.g., the encrypted information may need to be made available in an unencrypted form as evidence in a court case.

    Public keys must be protected by the use of a public key certificate. Use certificates that uniquely bind information related to the owner of the public/private key pair to the public key.

    The contents of service level agreements or contracts with external suppliers of cryptographic services; e.g., with a certification authority, will cover issues of liability, reliability of services and response times for the provision of services.
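    The following Python code is an added example, written for this page and not part of this standard or of any product, of a key management registry that enforces several of the standards above: separate keys for digital signatures and for encryption (a key may only be released for the purpose it was generated for), defined activation and deactivation dates, withdrawal of keys that are reported compromised, archiving of a departing user's keys, destruction of key material, and a log of every key management activity. Key identifiers, owners, actors, dates and the random placeholder used as key material are constructed; a production system would hold the material in an HSM or key vault and perform the cryptographic operation there rather than releasing the key.

```python
import secrets
from datetime import datetime, timedelta, timezone
from enum import Enum


class Purpose(Enum):
    SIGNING = "signing"          # digital signature keys
    ENCRYPTION = "encryption"    # confidentiality keys; never the same key as signing


class State(Enum):
    PENDING = "pending"          # generated, activation date not yet reached
    ACTIVE = "active"
    DEACTIVATED = "deactivated"  # deactivation date passed; kept to verify or decrypt old data
    COMPROMISED = "compromised"
    ARCHIVED = "archived"        # owner left; retained for archived information
    DESTROYED = "destroyed"


class ManagedKey:
    def __init__(self, key_id, purpose, owner, activate_at, deactivate_at):
        self.key_id, self.purpose, self.owner = key_id, purpose, owner
        self.activate_at, self.deactivate_at = activate_at, deactivate_at
        self.material = secrets.token_bytes(32)  # constructed placeholder for real key material
        self.flag = None  # COMPROMISED, ARCHIVED or DESTROYED; overrides the date-derived state


class KeyRegistry:
    def __init__(self):
        self.keys = {}
        self.audit_log = []  # every key management activity is recorded here

    def _log(self, now, event, key_id, actor):
        self.audit_log.append({"time": now.isoformat(), "event": event, "key": key_id, "actor": actor})

    def generate(self, key_id, purpose, owner, actor, now, lifetime_days, activate_at=None):
        """Generate a key with explicit activation and deactivation dates."""
        activate_at = activate_at or now
        key = ManagedKey(key_id, purpose, owner, activate_at, activate_at + timedelta(days=lifetime_days))
        self.keys[key_id] = key
        self._log(now, "generate", key_id, actor)
        return key

    def state(self, key_id, now):
        key = self.keys[key_id]
        if key.flag is not None:
            return key.flag
        if now < key.activate_at:
            return State.PENDING
        if now >= key.deactivate_at:
            return State.DEACTIVATED
        return State.ACTIVE

    def checkout(self, key_id, purpose, actor, now):
        """Release material only for an ACTIVE key used for its own purpose."""
        key = self.keys[key_id]
        if key.purpose is not purpose:
            self._log(now, "refused:purpose_mismatch", key_id, actor)
            raise PermissionError(f"{key_id} is a {key.purpose.value} key, not {purpose.value}")
        current = self.state(key_id, now)
        if current is not State.ACTIVE:
            self._log(now, "refused:" + current.value, key_id, actor)
            raise PermissionError(f"{key_id} is {current.value}")
        self._log(now, "use", key_id, actor)
        return key.material

    def can_checkout(self, key_id, purpose, actor, now):
        try:
            self.checkout(key_id, purpose, actor, now)
            return True
        except PermissionError:
            return False

    def report_compromise(self, key_id, actor, now):
        self.keys[key_id].flag = State.COMPROMISED
        self._log(now, "compromised", key_id, actor)

    def owner_left(self, owner, actor, now):
        """Withdraw every key of a departing user; archive rather than destroy."""
        for key in self.keys.values():
            if key.owner == owner and key.flag is None:
                key.flag = State.ARCHIVED
                self._log(now, "archived:owner_left", key.key_id, actor)

    def destroy(self, key_id, actor, now):
        key = self.keys[key_id]
        key.material = None
        key.flag = State.DESTROYED
        self._log(now, "destroyed", key_id, actor)
```

    Refusals are logged as well as successful uses, so that an attempt to use a signing key for encryption, or to use a key outside its validity period, is visible in the audit trail.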

    Technology Watch

    Cryptographic Management System

    Products

    Systems Files Security Subcomponent

    Introduction

    System files are those files necessary to operate a program, or that contain information that controls a program; e.g., processing date, validation ranges, reusable called modules or the files that actually make up the program.

    Control of operational software

    Control should be provided for the implementation of software and software upgrades and changes on operational systems.

    Protection of system test data

    System and acceptance testing usually requires substantial volumes of test data that are as close as possible to operational data.

    Access control to program source library

    In order to reduce the potential for corruption of computer programs, strict control should be maintained over access to program source libraries.

    Standards

    Subcomponent

    Description

    Standard

    Systems Files Security

    Control of operational software

    The updating of the operational program libraries must only be performed by the nominated librarian upon appropriate management authorization.

    Operational systems must only hold executable code.

    Executable code must not be implemented on an operational system until evidence of successful testing and user acceptance is obtained, and the corresponding program source libraries have been updated.

    An audit log must be maintained of all updates to operational program libraries.

    Previous versions of software must be retained as a contingency measure.

    Vendor supplied software used in operational systems must be maintained at a level supported by the supplier.

    Any decision to upgrade to a new release should take into account the security of the release; i.e., the introduction of new security functionality or the number and severity of security problems affecting this version.

    Software patches must be applied when they can help to remove or reduce security weaknesses.

    Physical or logical access will be given to suppliers for support purposes when necessary, and with management approval.

    Suppliers' activities should be monitored.

    Protection of system test data

    Test data will be protected and controlled.

    Operational databases containing personal information should not be used as test data.

    Depersonalize test data before use.

    The following controls should be applied to protect operational data, when used for testing purposes.

    • The access control procedures, which apply to operational application systems, will also apply to test application systems.
    • There will be separate authorization each time operational information is copied to a test application system.
    • Operational information will be erased from a test application system immediately after the testing is complete.
    • The copying and use of operational information will be logged to provide an audit trail.
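    For the control "depersonalize test data before use", the following Python is an added example written for this page (not part of this standard or of any product). It turns constructed operational customer records into test data by replacing direct identifiers with keyed, deterministic pseudonyms (so that records belonging to one customer still join up in the test system), generalizing dates of birth to a year, dropping free-text fields that cannot be cleaned reliably, and keeping operational values such as balances unchanged. The secret, the record layout and the customer data are constructed; the check at the end confirms that no original identifying value survives in the output.

```python
import hmac
import hashlib

# Constructed pseudonymization secret. It stays with the owner of the
# operational data and is never copied to the test environment, so the
# tokens cannot be mapped back to real customers there.
PSEUDONYM_SECRET = b"example-test-data-secret-not-for-real-use"

DIRECT_IDENTIFIERS = ("customer_id", "email")
FREE_TEXT_FIELDS = ("notes",)


def pseudonym(value, length=12):
    """Keyed, deterministic token: one real value always gives one token, so
    records that refer to the same customer still match in the test system."""
    return hmac.new(PSEUDONYM_SECRET, str(value).encode(), hashlib.sha256).hexdigest()[:length]


def depersonalize(record):
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(value)
        elif field == "name":
            out[field] = "Customer " + pseudonym(record["customer_id"], 6)
        elif field == "date_of_birth":
            out["birth_year"] = int(value[:4])     # generalize to the year only
        elif field in FREE_TEXT_FIELDS:
            continue                               # drop: free text cannot be cleaned reliably
        else:
            out[field] = value                     # operational values keep their shape
    return out


def depersonalize_dataset(records):
    return [depersonalize(r) for r in records]


def leaks_original_values(originals, outputs):
    """True if any original identifying value survives anywhere in the output."""
    sensitive = {r[f] for r in originals for f in DIRECT_IDENTIFIERS + ("name",) if f in r}
    flat = " ".join(str(v) for r in outputs for v in r.values())
    return any(s in flat for s in sensitive)


# Constructed operational records (not real people).
SAMPLE_CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Jane Smith", "email": "jane.smith@example.com",
     "date_of_birth": "1985-04-12", "balance": "1500.00", "notes": "Called about card; address 12 High St"},
    {"customer_id": "C-1001", "name": "Jane Smith", "email": "jane.smith@example.com",
     "date_of_birth": "1985-04-12", "balance": "320.75", "notes": "Second account"},
    {"customer_id": "C-1002", "name": "John Doe", "email": "john.doe@example.com",
     "date_of_birth": "1972-11-03", "balance": "95.10", "notes": "VIP"},
]

if __name__ == "__main__":
    for row in depersonalize_dataset(SAMPLE_CUSTOMERS):
        print(row)
```

    Because the tokens are keyed, the copy of the secret (and the logged copying of operational information) is what must be protected; the depersonalized file itself can be handled under the test system's own access controls.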

    Access control to program source library

    Program source libraries will not be held in operational systems, but in secure libraries which protect that code.

    A program librarian will be appointed for each application.

    IT support staff will not have unrestricted access to program source libraries.

    Programs under development or maintenance will not be held in operational program source libraries.

    The updating of program source libraries and the issuing of program sources to programmers will only be performed by the librarian upon authorization from the IT support manager for the application.

    Program listings will be treated as containing sensitive information.

    An audit log will be maintained of all accesses to program source libraries.

    Old versions of source programs will be archived, with a clear indication of the precise dates and times when they were operational, together with all supporting software, job control, data definitions and procedures.

    Maintenance and copying of program source libraries will be subject to strict change control procedures.

    Technology Watch

    Products

     

    Development and Support Processes Subcomponent

    Introduction

    Change control procedures

    In order to minimize the corruption of information systems, there should be strict control over the implementation of changes. Using formal change control procedures ensures that security and control procedures are not compromised. Changing application software can impact the operational environment. Wherever practicable, application and operational change control procedures should be integrated.

    Technical review of operating system changes

    Periodically it is necessary to change the operating system; e.g., to install a newly supplied software release or patches. When changes occur, the application systems should be reviewed and tested to ensure that there is no adverse impact on operation or security.

    Restrictions on changes to software packages

    Modifications to vendor software packages should be discouraged. As far as possible, and practicable, vendor-supplied software packages should be used without modification. Generally, if modifications are made, the vendor is reluctant to support that code.

    Prevention of Covert channels and Trojan code

    A covert channel (back door) can expose information by some indirect and obscure means. It may be activated by changing a parameter accessible by both secure and insecure elements of a computing system, or by embedding information into a data stream. Trojan code is designed to affect a system in a way that is not authorized and not readily noticed and not required by the recipient or user of the program. Covert channels and Trojan code rarely occur by accident.

    Outsourced software development

    Where software development is outsourced, the following points should be considered:

    Standards

    Subcomponent

    Description

    Standard

    Development and Support Processes

    Change control procedures

    Maintain a record of agreed authorization levels.

    Ensure changes are submitted by authorized users.

    Review controls and integrity procedures to ensure that they will not be compromised by the changes.

    Identify all computer software, information, database entities and hardware that require amendment.

    Obtain formal approval for detailed proposals before work commences.

    Ensure that the authorized user accepts changes prior to any implementation.

    Ensure that implementation is carried out to minimize business disruption.

    Ensure that the system documentation set is updated on the completion of each change and that old documentation is archived.

    Maintain a version control for all software updates.

    Maintain an audit trail of all change requests.

    Ensure that operating documentation and user procedures are changed as necessary to remain appropriate.

    Ensure that the implementation of changes takes place at the right time and does not disturb the business processes involved.

    Maintain an environment in which users test new software, segregated from development and production environments.

    Technical review of operating system changes

    Review application control and integrity procedures to ensure that they have not been compromised by the operating system changes.

    The annual support plan and budget will cover reviews and system testing resulting from operating system changes.

    Allow time for appropriate reviews to take place before implementation.

    Make changes to the business continuity plan as needed, on a timely basis.

    Restrictions on changes to vendor software packages

    The original software must be retained and the changes applied to a clearly identified copy.

    All changes must be fully tested and documented, so that they can be reapplied if necessary to future software upgrades.

    Prevention of Covert channels and Trojan code

    Buy programs only from a reputable source.

    Buy programs in source code so the code may be verified.

    Use evaluated products.

    Inspect all source code before operational use.

    Control access to, and modification of, code once installed.

    Use staff of proven trust to work on key systems.

    Outsourced software development

    Contract only with a reputable source.

    Source code must be furnished so the code may be verified.

    Use highly recommended vendors.

    Inspect all source code before operational use.

    Control access to, and modification of, code once installed.

    Verify references of any vendor.


    Systems Development

    Security requirements (including security controls and audit trails) must be identified and agreed to during systems requirements development.


    Designers for applications must include the appropriate level of security as defined by the security requirements of the system.


    Access to system test files, project and control environments, must be designed into the system requirements.


    The design, operation and use of IT systems (both internal and external) and data is subject to statutory and contractual security requirements.


    Project and support environments must be strictly controlled.


    Technology Watch


    Products

    Appendix - Component Configurations (Buy List)

    Security Requirements in Systems Subcomponent

    Security in Application Systems Subcomponent

    Cryptographic Controls Subcomponent

    Security of System Files Subcomponent

    Security in Development and Support Processes Subcomponent

    5.6 Business Continuity Component

    Purpose

    All information resources determined by enterprise management to be essential to the enterprise critical mission and functions, the loss of which would have an unacceptable impact, require a Business Continuity process that will provide for the prompt and effective continuation of critical enterprise missions in the event of a disaster.

    The purpose of providing Business Continuity is to provide a road map of predetermined actions which will reduce decision-making during recovery operations, resume critical services quickly, and enable resumption of normal service at the earliest possible time in the most cost-effective manner. Good planning will reduce the number and magnitude of decisions that must be made during the period when exposure to error is at a peak. A plan will establish, organize, and document risk assessments, responsibilities, policies and procedures, and agreements and understandings for internal and external entities.

    Introduction and Background

    The Business Continuity process enables the enterprise to identify maximum acceptable downtimes, which can be incurred in the performance of each of its mission-related functions, and to identify recovery actions accordingly.

    Functions and/or services which must be restored within a short time frame require significantly different recovery actions than those which can be delayed a number of weeks. As an example, plans requiring 24-48 hour recovery must include some type of alternate site already equipped to meet the processing requirements of the agency. This can be done either through reciprocal agreements with other agencies or through contracted hot site services with a commercial provider.

    Recovery plans for processing requirements which can tolerate downtime in excess of some number of weeks (one to many) can probably be centered on the use of other facilities.

    Requirements within the enterprise strategic plan will be the cornerstone for its overall service resumption planning requirements. Similarly, for information systems, an enterprise can identify critical assets by analyzing how automation is used strategically in service delivery and administration.

    Risk Management Cycle

    Risk analysis is used to assess potential service disruptions and to determine the levels of protection necessary to reinstate vital services; it comprises risk assessment and risk management through control and security measures.

    Recent emphasis in the contingency planning discipline in the automated resource environment has shifted toward assuming a worst-case scenario. Traditional contingency planning establishes the statistical probability of one source of disruption versus another. The move toward distributed system architectures requires a more global assessment of risk that takes into account single point and worst case scenarios. As a result, contingency planning will require a definition that encompasses both the logical and physical configuration of the automated resources and that identifies potential single points of failure and step-by-step scripts for any of the possible occurrences.

    Plans should be designed for use whenever necessary, not just in the event of total disaster. The public sector's mission is to provide vital services; the value of those services should be assessed during this planning phase.

    Performance measures for the enterprise may provide information about the cost of services provided and the opportunity cost associated with the possible loss of those services. These values may be used to assist in setting priorities for service resumption.

    Contingency planning for service resumption suggests appropriate policies and priorities to govern responses if services are disrupted. Risk management guidelines issued by the Department of Information Technology (DOIT) will be used to assist in this activity.

    Risk Assessment

    Risk assessment is the comprehensive study of potential disruptions to service continuity, assignment of an occurrence probability, determination of probable effects, and definition of controls that could minimize or eliminate the disruption. There are two components to risk identification: knowing the organization's assets and identifying possible risks to them.

    Risk Management

    Risk management balances the potential service disruption against the costs of reducing or eliminating vulnerability, to provide effective coverage for services at a reasonable cost. Risk evaluation can be extensive or cursory. Consider:

    Establish Controls

    A contingency plan contains prevention policies and procedures to control risk. Determining which risks to control is a complex task. Each organization within the enterprise must determine a reasonable cost for controlling risks. Risk management is a dynamic process, since risks and vital assets change frequently. Risk analysis and risk controls should be reviewed annually. In establishing risk exposures, consider:

    Review Security Measures

    Security effectiveness must be reviewed for all major aspects of information resources. Risk analysis data should be reviewed. Potential measures to improve security should be associated with each defined risk.

    Resources and costs associated with the security measures and the risk reduction potential are required to provide a valid perspective of the role improved security measures should play in the risk management program. Costs associated with establishing security include:

    The plan must establish the optimal level of services to restore at an acceptable level of risk while keeping within cost constraints. Establishing this acceptable level of risk is a policy decision, not a technical one.

    Risk Mitigation Cycle

    There are several risk control options, or ways in which to respond to risk:

    Establish System Profiles

    Automated applications should be reviewed in relation to risk. A list of system priorities will aid the Risk Analysis process since information resources are vital assets. Critical applications are determined by ranking potential financial or operational loss if an application were unavailable. Availability of necessary input to the system should be considered while establishing priorities. System priorities should be classified; for example:

    Using these classifications, systems should be examined with the users. Systems identified as absolutely necessary to perform required functions supporting the enterprise mission should be labeled as Class 1 systems.

    Class 1 systems should be ranked from most critical to least critical, repeating the process for other applications. Analysis of the relative criticality of each system should be conveyed to users for consensus concerning the status. The Service Resumption Plan should direct recovery operations toward immediately restoring all Class 1 systems. Class 2 systems and Class 3 systems should resume operations, in order, as full recovery is achieved.

    The ranked list of Class 1 systems defines the emergency production schedule.

    Each area in the enterprise needs an improved awareness of how it uses and depends on information resources technology. Active participation by all users of each application is required to determine systems priorities for service resumption. Each system should be reviewed for its impact on the enterprise mission. Each major user or user group should be consulted. If processing for a critical application depends on another, development of recovery procedures must be coordinated with the other enterprise.
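As an added example (not part of this standard), the following Python turns the Class 1/2/3 ranking, the 72-hour recovery period and the rule that dependent applications' recovery must be coordinated into a checked emergency production schedule; the inventory, system names, downtimes and dependencies are constructed for illustration.

```python
"""Emergency production schedule for service resumption planning.

Added example, not part of the source standard. A constructed inventory of
hypothetical systems is ranked into the document's Class 1/2/3 criticality
classes; the code reports the planning findings the standard asks to be
coordinated and orders recovery so that a system is never scheduled before
the systems its processing depends on. System names, downtimes and
dependencies are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

RECOVERY_PERIOD_HOURS = 72   # the Business Continuity Plan's recovery period


@dataclass(frozen=True)
class System:
    name: str
    criticality_class: int             # 1 = absolutely necessary to the mission, then 2, 3
    rank: int                          # position within its class, 1 = most critical
    max_downtime_hours: int            # maximum acceptable downtime agreed with the users
    depends_on: tuple[str, ...] = ()   # systems whose processing this one needs


# Constructed inventory (hypothetical systems)
INVENTORY = [
    System("payments",  1, 1, 24, ("ledger", "identity")),
    System("ledger",    1, 2, 48, ("identity",)),
    System("identity",  1, 3, 24),
    System("portal",    1, 4, 48, ("reporting",)),   # Class 1 resting on a Class 2 system
    System("reporting", 2, 1, 168, ("ledger",)),
    System("archive",   3, 1, 720),
]


def planning_findings(inventory: list[System]) -> list[str]:
    """Findings to resolve before the plan is approved.

    A system that must be back in less than the 72-hour period needs a
    pre-equipped alternate site (reciprocal agreement or contracted hot site);
    a system that depends on a less critical one needs that dependency
    re-ranked or its recovery coordinated.
    """
    by_name = {s.name: s for s in inventory}
    findings = []
    for s in sorted(inventory, key=lambda s: (s.criticality_class, s.rank)):
        if s.max_downtime_hours < RECOVERY_PERIOD_HOURS:
            findings.append(
                f"{s.name}: acceptable downtime {s.max_downtime_hours}h is shorter than the "
                f"{RECOVERY_PERIOD_HOURS}h plan period; needs a pre-equipped alternate site")
        for dep_name in s.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(f"{s.name}: depends on '{dep_name}', which is not in the inventory")
            elif dep.criticality_class > s.criticality_class:
                findings.append(
                    f"{s.name} (Class {s.criticality_class}) depends on {dep_name} "
                    f"(Class {dep.criticality_class}); re-rank it or coordinate its recovery")
    return findings


def emergency_schedule(inventory: list[System]) -> list[str]:
    """Recovery order: most critical first, but never before its dependencies.

    Kahn's algorithm over the dependency graph; among the systems whose
    dependencies are already restored, the lowest (class, rank) goes next.
    """
    by_name = {s.name: s for s in inventory}
    waiting = {s.name: {d for d in s.depends_on if d in by_name} for s in inventory}
    order: list[str] = []
    while waiting:
        ready = [n for n, deps in waiting.items() if not deps]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(waiting)))
        nxt = min(ready, key=lambda n: (by_name[n].criticality_class, by_name[n].rank, n))
        order.append(nxt)
        del waiting[nxt]
        for deps in waiting.values():
            deps.discard(nxt)
    return order


if __name__ == "__main__":
    for finding in planning_findings(INVENTORY):
        print("FINDING:", finding)
    by_name = {s.name: s for s in INVENTORY}
    for position, name in enumerate(emergency_schedule(INVENTORY), start=1):
        print(f"{position}. {name} (Class {by_name[name].criticality_class})")
```

In the constructed inventory the Class 1 portal ends up scheduled after the Class 2 reporting system it depends on, which is exactly the inconsistency the findings list asks the planners to resolve.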

    Analyze and Define Requirements for Recovery

    Once critical applications are identified and ranked, the resources necessary to resume processing should be identified and quantified. Alternate needs range from full redundancy to the capability for interim processing of critical systems for one or two days. Service resumption requirements may encompass:

    Contingency Plans Cycle

    A contingency plan for service resumption describes how an agency intends to respond to events that disrupt its normal operations. Disruptions may be minor or may include instances where normal government functions and services cannot be performed and may not be performed for an extended period of time. Service resumption planning minimizes the impact of disruption while maximizing resources available to resume normal operations.

    Design the Program for Recovery Operations

    Pre-planned processes and trained personnel will significantly reduce the cost and time necessary to achieve full recovery and resume normal service operations.

    Recovery Teams

    A full-scale recovery requires distribution of responsibilities to several teams, the exact number of which will vary by agency size and structure. Teams will have a leader and address specific responsibilities. An overall recovery director, a recovery command center and a recovery coordinator are suggested to manage several teams.

    Recovery Procedures

    At this point in the business resumption planning process, most data collection is complete and risk management programs have been addressed. The service resumption process should now be defined. Step-by-step, definitive procedures for each team should provide guidance and responsibilities for recovery.

    Normally, the recovery teams will develop these procedures. In developing procedures, highlight the differences between normal and recovery operations. Incomplete information will deter a smooth recovery.

    The Recovery Process

    When a disruption occurs, the level and extent of the disruption must be immediately determined and appropriate steps taken to safeguard lives and prevent further destruction or escalation of the problem. When the condition is stabilized, a preliminary damage assessment should be conducted and the situation evaluated.

    Depending on the level of disruption and the results of the initial damage assessment, the affected activities and management should be notified. Based on the situation, it may be appropriate to alert the Recovery Team(s) and have the recovery team conduct a full damage assessment. Following that action, the Recovery Team Lead may elect to activate the Command Center and assemble the Recovery Team(s) for the necessary briefings.

    Once the damage report has been completed, specific assessments will be made. The Lead will initiate recovery processes appropriate to the level of disaster experienced. In a full or partial recovery operation, the objective is to return to normal operation at the earliest possible time.

    By stepping through and describing the recovery process for the multitude of possible variations, many of the details which must be addressed will surface and can be reviewed as a part of the planning process. The thought process involved in developing this disaster recovery operations process will aid in identifying the necessary teams, responsibilities, team composition, recovery organization, command center and the procedures necessary to effect a recovery following a disaster.

    Conduct Service Resumption Training

    Successful execution of a Business Resumption Plan will largely depend on how well participants accept the importance of the plan, the credibility of the plan, and the degree and quality of the training provided.

    Once management approval of the program is obtained, use an awareness program to initiate staff training efforts. Effective cross-training programs greatly assist in restoring vital functions if key personnel are unavailable. Refresher training should be conducted as changes occur in personnel or technology.

    Job descriptions should include business resumption duties.

    All information resources personnel should understand the overall plan and be trained to perform their roles in service resumption processes. Specific team members should receive detailed training regarding special duties.

    Design Principles

    Business Continuity Component

    A business continuity management process must be implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.

    Plans must be maintained and practiced to become an integral part of all other management processes.

    The consequences of disasters, security failures and loss of service must be analyzed.

    Business continuity management must include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.

    Contingency plans must be developed, implemented, and tested to ensure that business processes can be restored within the required time-scales.

    Standards

    Component

    Description

    Standard

    Business Continuity

    The organization's Business Continuity Plan will be based on a 72-hour recovery period.

    Implement a business continuity management process.

    Analyze the consequences of disasters, security failures and loss of service.

    Develop and implement contingency plans. Plans will be maintained and practiced.

    Plans will include:

    • Controls to identify and reduce risks;
    • Controls to limit the consequences of damaging incidents;
    • Controls to ensure the timely resumption of essential operations.

    Business continuity management process

    There will be a managed process in place for developing and maintaining business continuity.

    Responsibility for coordinating the plan will be assigned at an appropriate level within the organization.


    Business continuity and impact analysis

    The plan will:

    • Identify events that can cause interruptions to business processes.
    • Determine the impact of those interruptions in terms of damage scale and recovery period.
    • Involve owners of business resources and processes.
    • Assess all business processes (not limited to the information processing facilities).
    • Be developed to determine the overall approach to business continuity.
    • Be endorsed by management.

    Writing and implementing continuity plans

    Develop plans to maintain or restore business operations in the required time scales following interruption to, or failure of, critical business processes.

    The planning process will focus on the required business objectives; e.g., restoring of specific services to customers in an acceptable amount of time.

    The services and resources that will enable this to occur will be considered, including staffing and non-information processing resources, as well as fallback arrangements for information processing facilities.

    Business continuity planning framework

    A single framework of business continuity plans will be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance.

    Each business continuity plan will specify clearly the conditions for its activation, as well as the individuals responsible for executing each component of the plan.

    When new requirements are identified, established emergency procedures (e.g., evacuation plans or any existing fallback arrangements) will be amended as appropriate.

    Each plan will have a specific owner.

    Emergency procedures, manual fallback plans and resumption plans will be within the responsibility of the owners of the appropriate business resources or processes involved.

    Fallback arrangements for alternative technical services, such as information processing and communications facilities, will usually be the responsibility of the service providers.


    Testing and maintaining business continuity plans

    Business continuity plans will be tested regularly to ensure that they are up to date and effective.

    Schedule the frequency depending on the success of the prior tests.

    Never exceed a 12-month period between tests.

    Tests will also ensure that all members of the recovery team and other relevant staff are aware of the plans.

    The test schedule for business continuity plan(s) will indicate how and when each element of the plan will be tested.

    Test the individual components of the plan(s) frequently.


    Maintaining and re-assessing the plans

    Business continuity plans will be maintained by regular reviews and updates to ensure their continuing effectiveness.

    Procedures will be included within the organization's change management program to ensure that business continuity matters are appropriately addressed.

    Responsibility will be assigned for regular reviews of each business continuity plan; the identification of changes in business arrangements not yet reflected in the business continuity plans will be followed by an appropriate update of the plan.

    This formal change control process will ensure that the updated plans are distributed and reinforced by regular reviews of the complete plan.

    Business continuity plans must be developed via a managed process to ensure the operation and recovery of critical business processes from the effects of major failures or disasters.

    Fully implement the Department's mission and the DOIT Mission Critical definitions. Reference: Department of Information Technology memorandum dated June 11, 1999, subject "Definition of Mission Critical".

    Enterprise prioritization of critical business processes must be included in the recovery plan.

    Technology Watch

    Products

    The organization's Business Resumption Plan

    Review Cycle

    Initial review after 6 months; subsequent reviews in conjunction with the ISO policies or every 12 months, whichever occurs first.

    Appendix - Component Configurations (Buy List)

    5.7 Asset Classification and Control Component

    Purpose

    To assure that the enterprise information assets receive an appropriate level of protection.

    Introduction and Background

    Information is a major asset of the enterprise; when its value to others and the cost to collect, update and maintain it are considered, it may be the single most valuable asset of the organization. All major information assets should be identified, accounted for and have a nominated owner who is accountable for that asset. Assigning accountability for all major assets helps to ensure that appropriate protection is maintained and that appropriate controls are assigned and enforced. Responsibility for implementing controls may be delegated, but accountability should remain with the nominated owner of the asset.

    Design Principles

    Asset classification and Control Component

    The State’s automated files and databases are an essential public resource that must be given appropriate protection from loss, inappropriate disclosure, and unauthorized modification (SAM 4841.3).

    Not all information requires the same level of protection.

    All information has a designated owner.

    Enterprise information remains the property of the enterprise even if it has been distributed to other individuals or organizations.

    Inventory of information Subcomponent

    The organization's information, regardless of form, should be inventoried.

    Information Classification Subcomponent

    The organization's information, regardless of form, should be classified into at least the three categories defined in the organization's External Customer Access Policy:

    • public information,
    • sensitive information, and
    • confidential information.

    Information classification is an element of risk assessments.


    Collections of information are a greater security risk than single instances.

    Labeling and Handling Subcomponent


    Staff handling information should be aware of the classification of that information.

    Review Cycle

    Initial review after 6 months; subsequent reviews in conjunction with the ISO policies or every 12 months, whichever occurs first.


    Inventory of information Subcomponent

    Purpose

    Inventories of assets help ensure that effective asset protection takes place, and may also be required for other business purposes, such as health and safety, insurance or financial (asset management) reasons.

    Introduction

    The process of compiling an inventory of assets is an important aspect of risk management. An organization needs to be able to identify its assets and the relative value and importance of these assets. Based on this information an organization can provide levels of protection commensurate with the value and importance of the assets. An inventory should be drawn up and maintained of the important assets associated with each information system.

    Standards

    Subcomponent

    Description

    Standard

    Inventory of information

    Ownership

    Each asset must be clearly identified.

    Designate an owner for each information asset.

    Each asset's current location (important when attempting to recover from loss or damage) must be determined.


    Types

    Assets must include:

    • Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, archived information;
    • Software assets: application software, system software, development tools and utilities;
    • Physical assets: computer equipment (processors, monitors, laptops, modems), communications equipment (routers, PABXs, fax machines, answering machines), magnetic media (tapes and disks), other technical equipment (power supplies, air conditioning units), furniture, accommodation;
    • Services: computing and communications services, general utilities; e.g., heating, lighting, power, air-conditioning.

    Technology Watch

    Products


    Information Classification Subcomponent

    Purpose

    To ensure that information assets receive an appropriate level of protection.

    Introduction

    Information should be classified to indicate the need, priorities and degree of protection. Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification system should be used in conjunction with a risk assessment to define an appropriate set of protection levels, and communicate the need for special handling measures.

    Classification guidelines

    Classifications and associated protective controls for information should take account of business needs for sharing or restricting information, and the business impacts associated with such needs; e.g., unauthorized access or damage to the information. In general, the classification given to information is a shorthand way of determining how this information is to be handled and protected. Information and outputs from systems handling classified data should be labeled in terms of its value and sensitivity to the organization. It may also be appropriate to label information in terms of how critical it is to the organization; e.g., in terms of its integrity and availability.

    Information often ceases to be sensitive or critical after a certain period of time, for example, when the information has been made public. These aspects should be taken into account, as over-classification can lead to an unnecessary additional business expense. Classification guidelines should anticipate and allow for the fact that the classification of any given item of information is not necessarily fixed for all time, and may change in accordance with some predetermined policy.

    Consideration should be given to the number of classification categories and the benefits to be gained from their use. Overly complex schemes may become cumbersome and economically infeasible to use or prove impractical. Care should be taken in interpreting classification labels on documents from other organizations that may have different definitions for the same or similarly named labels. The information owner is responsible for classifying an item of information; e.g., for a document, data record, data file or diskette, and for periodically reviewing that classification.

    The organization's Classification

    | Category | Tier | Classification | Example | Complexity and cost |
    |---|---|---|---|---|
    | Public | 1 | Public information. | Information found in the lobby of an enterprise office, pregnancy duration and qualifications. | Negligible |
    | Sensitive | 2 | Sensitive information. | Policies and procedures. | Control by hand |
    | Confidential | 3 | Confidential information to a person about themselves. | When their check was mailed. | Simple |
    | Confidential | 4 | Confidential record about a person. | The employment history for the individual. | Simple |
    | Confidential | 5 | Confidential record about a person, for update. | The employment history for the individual. | Complex |
    | Confidential | 6 | A group of confidential records. | The employment history files for one organization. | Highly complex |
    | Confidential | 7 | A group of confidential records to be updated. | The employment history file for multiple organizations. | Highly complex |
    | Confidential | 8 | A group of files containing confidential information. | The personnel system. | Very highly complex |

    Figure 1. Example classification of data

    Standards

    Subcomponent

    Description

    Standard

    Information Classification

    Labeling of assets

    Classifications and associated protective controls for information will take account of business needs for sharing or restricting information, and the business impacts associated with such needs.

    Information and outputs from systems handling classified data will be labeled in terms of its value and sensitivity to the organization.

    Label information in terms of how critical it is to the organization.

    Asset Security Life

    Information made public is no longer classified.

    Classification guidelines will anticipate and allow for the fact that the classification of any given item of information is not necessarily fixed for all time, and may change in accordance with some predetermined policy.

    Responsibility

    Classification categories will be limited in number. Overly complex schemes become cumbersome and uneconomic to use or prove impractical.

    Care will be taken in interpreting classification labels on documents from other organizations that may have different definitions for the same or similarly named labels.

    The responsibility for defining the classification of an item of information (e.g., a document, data record, data file or diskette), and for periodically reviewing that classification, will remain with the originator or nominated owner of the information.

    Information Owner

    Designate an owner and custodian for all information assets (SAM 4841.2 requires a data owner and custodian for all data files and databases).


    Information Custodian

    Designate a custodian for all information assets (SAM 4841.2 requires a custodian for all data files and databases).


    Security Classification

    Information owners define access, security and integrity controls based on security classification and risk assessment.

    Designated owner classifies information in accordance with law and administrative policy (SAM 4841.3).

    Designated owner classifies information in accordance with the need to control access to information, security and integrity (SAM 4841.5).

    Designated owner classifies information as described in the organization's External Customer Access Policy.

    Technology Watch

    Products


    Labeling and Handling Subcomponent

    Purpose

    Once an asset is classified, it is necessary to have a label of some type that allows the correct handling of the asset.

    Introduction

    It is important that an appropriate set of procedures is defined for information labeling and handling in accordance with the classification scheme adopted by the organization. These procedures need to cover information assets in physical and electronic formats. For each classification, handling procedures should be defined to cover the following types of information processing activity:

    Output from systems containing information that is classified as sensitive or confidential should carry an appropriate classification label (in the output). The labeling should reflect the classification according to the rules established in the classification system. Items for consideration include printed reports, screen displays, recorded media (tapes, disks, CDs, cassettes), electronic messages and file transfers. Physical labels are generally the most appropriate form of labeling. However, some information assets, such as documents in electronic form, cannot be physically labeled, and electronic means of labeling need to be used.

    Standards

    Subcomponent

    Description

    Standard

    Labeling and Handling

    Output from systems containing information that is classified as sensitive or confidential will carry an appropriate classification label (in the output).

    The labeling will reflect the classification according to the rules established in the organization's External Customer Access Policy.

    Physical labels will be used if appropriate.

    Information assets in electronic form, such as documents, will use electronic means of labeling.
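As an added example that is not part of this standard, the following Python applies the Figure 1 tiers of the Information Classification Subcomponent and the Labeling and Handling standard above to system output: the output takes the tier of what it aggregates, and an egress check refuses sensitive or confidential output that does not carry its label in the output. The record fields, the label format and the sample records are assumptions made for the example.

```python
"""Classification labeling of system output.

Added example, not part of the source standard. It applies the tiers of
Figure 1 (public = tier 1, sensitive = tier 2, confidential = tiers 3 to 7,
rising as the output covers more people and organizations or allows update)
and the labeling standard: output holding sensitive or confidential
information must carry its classification label. Tier 8 (a whole group of
files) is a system-level classification and is not derived here. Record
fields, the label format and the sample records are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

CATEGORY_RANK = {"public": 0, "sensitive": 1, "confidential": 2}


@dataclass(frozen=True)
class Record:
    category: str                  # public | sensitive | confidential
    subject: Optional[str]         # person the record is about, if any
    organization: Optional[str]    # organization the record belongs to
    payload: dict


def tier_for(records: list[Record], requester: Optional[str] = None, for_update: bool = False) -> int:
    """Derive the Figure 1 tier of an output assembled from `records`.

    The output takes the highest category among its records; confidential
    outputs climb the tiers as they aggregate records about more people and
    more organizations (collections are a greater risk than single instances).
    """
    if not records:
        raise ValueError("an output must contain at least one record")
    top = max(CATEGORY_RANK[r.category] for r in records)
    if top == 0:
        return 1                                   # public information
    if top == 1:
        return 2                                   # sensitive information
    confidential = [r for r in records if r.category == "confidential"]
    subjects = {r.subject for r in confidential}
    organizations = {r.organization for r in confidential}
    if len(confidential) == 1:
        if requester is not None and subjects == {requester}:
            return 3                               # a person reading their own record
        return 5 if for_update else 4              # a record about another person
    if len(organizations) > 1 or for_update:
        return 7                                   # group of records: several organizations, or updated
    return 6                                       # group of records from one organization


def label_for(tier: int) -> Optional[str]:
    """Label text for a tier; public (tier 1) output carries no label."""
    if tier == 1:
        return None
    category = "SENSITIVE" if tier == 2 else "CONFIDENTIAL"
    return f"{category} - TIER {tier}"


def render_output(records: list[Record], requester: Optional[str] = None, for_update: bool = False) -> str:
    """Serialize the records with the classification label at head and foot of the output."""
    label = label_for(tier_for(records, requester, for_update))
    body = json.dumps([r.payload for r in records], sort_keys=True)
    if label is None:
        return body
    return f"[{label}]\n{body}\n[{label}]"


def release_allowed(text: str, records: list[Record], requester: Optional[str] = None,
                    for_update: bool = False) -> bool:
    """Egress check: sensitive or confidential output must carry its label in the output."""
    label = label_for(tier_for(records, requester, for_update))
    return label is None or f"[{label}]" in text


# Constructed sample records (hypothetical people and organizations)
OWN_HISTORY = Record("confidential", "alice", "org-a", {"employee": "alice", "hired": "2015"})
OTHER_HISTORY = Record("confidential", "bob", "org-a", {"employee": "bob", "hired": "2018"})
OTHER_ORG = Record("confidential", "carol", "org-b", {"employee": "carol", "hired": "2020"})
POLICY = Record("sensitive", None, "org-a", {"policy": "leave-approval"})
LOBBY = Record("public", None, None, {"office-hours": "8-5"})

if __name__ == "__main__":
    print(render_output([OWN_HISTORY], requester="alice"))               # tier 3: own record
    print(render_output([OWN_HISTORY, OTHER_HISTORY], requester="alice"))  # tier 6: a group
    print(release_allowed("unlabeled dump", [OTHER_HISTORY], "alice"))     # False
```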

    Technology Watch

    Products


    Appendix - Component Configurations (Buy List)

    Inventory of information Subcomponent

    Information Classification Subcomponent

    Labeling and Handling Subcomponent

    Annex A BS 7799-1:1999 BRITISH STANDARD

    Information Security Management-

    Part 1: Code of practice for information security management

    Title

    Objective

    Rationale

    1 Scope

    2 Terms and definitions

    2.1 Information security

    2.2 Risk assessment

    2.3 Risk management

    3 Security policy

    3.1 Information security policy

    To provide management direction and support for information security.

    Management should set a clear policy direction and demonstrate support for, and commitment to, information security by issuing and maintaining an information security policy throughout the organization.

    4 Security organization

    4.1 Information security infrastructure

    To manage information security within the organization.

    A management framework should be established to initiate and control the implementation of information security within the organization. Suitable management forums, with management leadership, should be established to approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization. If necessary, a source of specialist information security advice should be established and made available within the organization. Contacts with external security specialists should be developed to keep up with industry trends, monitor standards and assessment methods and provide suitable liaison points when dealing with security incidents. A multi-disciplinary approach to information security should be encouraged, e.g. involving the co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance and risk management.

    4.2 Security of third party access

    To maintain the security of organizational information processing facilities and information assets accessed by third parties.

    Access to the organization's information processing facilities by third parties should be controlled. Where there is a business need for such third party access, a risk assessment should be carried out to determine security implications and control requirements. Controls should be agreed and defined in a contract with the third party. Third party access may also involve other participants. Contracts conferring third party access should include allowance for designation of other eligible participants and conditions for their access. This standard could be used as a basis for such contracts and when considering the outsourcing of information processing.

    4.3 Outsourcing

    To maintain the security of information when the responsibility for information processing has been outsourced to another organization.

    Outsourcing arrangements should address the risks, security controls and procedures for information systems, networks and/or desktop environments in the contract between the parties.

    5 Asset classification and control

    5.1 Accountability for assets

    To maintain appropriate protection of organizational assets.

    All major information assets should be accounted for and have a nominated owner. Accountability for assets helps to ensure that appropriate protection is maintained. Owners should be identified for all major assets and the responsibility for the maintenance of appropriate controls should be assigned. Responsibility for implementing controls may be delegated. Accountability should remain with the nominated owner of the asset.

    5.2 Information classification

    To ensure that information assets receive an appropriate level of protection.

    Information should be classified to indicate the need, priorities and degree of protection. Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification system should be used to define an appropriate set of protection levels, and communicate the need for special handling measures.

    6 Personnel security

    6.1 Security in job definition and resourcing

    To reduce the risks of human error, theft, fraud or misuse of facilities.

    Security responsibilities should be addressed at the recruitment stage, included in contracts, and monitored during an individual's employment. Potential recruits should be adequately screened (see 6.1.2), especially for sensitive jobs. All employees and third party users of information processing facilities should sign a confidentiality (non-disclosure) agreement.

    6.2 User training

    To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.

    Users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.

    6.3 Responding to security incidents and malfunctions

    To minimize the damage from security incidents and malfunctions, and to monitor and learn from such incidents.

    Incidents affecting security should be reported through appropriate management channels as quickly as possible. All employees and contractors should be made aware of the procedures for reporting the different types of incident (security breach, threat, weakness or malfunction) that might have an impact on the security of organizational assets. They should be required to report any observed or suspected incidents as quickly as possible to the designated point of contact. The organization should establish a formal disciplinary process for dealing with employees who commit security breaches. To be able to address incidents properly it might be necessary to collect evidence as soon as possible after the occurrence (see 12.1.7).

    7 Physical and environmental security

    7.1 Secure areas

    To prevent unauthorized access, damage and interference to business premises and information.

    Critical or sensitive business information processing facilities should be housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage and interference. The protection provided should be commensurate with the identified risks. A clear desk and clear screen policy is recommended to reduce the risk of unauthorized access or damage to papers, media and information processing facilities.

    7.2 Equipment security

    To prevent loss, damage or compromise of assets and interruption to business activities.

    Equipment should be physically protected from security threats and environmental hazards. Protection of equipment (including that used off-site) is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage. This should also consider equipment siting and disposal. Special controls may be required to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.

    7.3 General controls

    To prevent compromise or theft of information and information processing facilities.

    Information and information processing facilities should be protected from disclosure to, modification of or theft by unauthorized persons, and controls should be in place to minimize loss or damage. Handling and storage procedures are considered in 8.6.3.

    8 Communications and operations management

    8.1 Operational procedures and responsibilities

    To ensure the correct and secure operation of information processing facilities.

    Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating instructions and incident response procedures. Segregation of duties (see 8.1.4) should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

    8.2 System planning and acceptance

    To minimize the risk of systems failures. Advance planning and preparation are required to ensure the availability of adequate capacity and resources.

    Projections of future capacity requirements should be made, to reduce the risk of system overload. The operational requirements of new systems should be established, documented and tested prior to their acceptance and use.

    8.3 Protection against malicious software

    To protect the integrity of software and information.

    Precautions are required to prevent and detect the introduction of malicious software. Software and information processing facilities are vulnerable to the introduction of malicious software, such as computer viruses, network worms, Trojan horses (see also 10.5.4) and logic bombs. Users should be made aware of the dangers of unauthorized or malicious software, and managers should, where appropriate, introduce special controls to detect or prevent its introduction. In particular, it is essential that precautions be taken to detect and prevent computer viruses on personal computers.

    8.4 Housekeeping

    To maintain the integrity and availability of information processing and communication services.

    Routine procedures should be established for carrying out the agreed back-up strategy (see 11.1): taking back-up copies of data and rehearsing their timely restoration, logging events and faults and, where appropriate, monitoring the equipment environment.

    8.5 Network management

    To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

    The security management of networks that may span organizational boundaries requires attention. Additional controls may also be required to protect sensitive data passing over public networks.

    8.6 Media handling and security

    To prevent damage to assets and interruptions to business activities. Media should be controlled and physically protected.

    Appropriate operating procedures should be established to protect documents, computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft and unauthorized access.

    8.7 Exchanges of information and software

    To prevent loss, modification or misuse of information exchanged between organizations.

    Exchanges of information and software between organizations should be controlled, and should be compliant with any relevant legislation (see 12). Exchanges should be carried out on the basis of agreements. Procedures and standards to protect information and media in transit should be established. The business and security implications associated with electronic data interchange, electronic commerce and electronic mail and the requirements for controls should be considered.

    9 Access control

    9.1 Business requirement for access control

    To control access to information. Access to information, and business processes should be controlled on the basis of business and security requirements.

    This should take account of policies for information dissemination and authorization.

    9.2 User access management

    To prevent unauthorized access to information systems.

    Formal procedures should be in place to control the allocation of access rights to information systems and services. The procedures should cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

    9.3 User responsibilities

    To prevent unauthorized user access. The cooperation of authorized users is essential for effective security.

    Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.

    9.4 Network access control

    Protection of networked services. Access to both internal and external networked services should be controlled.

    This is necessary to ensure that users who have access to networks and network services do not compromise the security of those services, by providing:

    • appropriate interfaces between the organization's network and networks owned by other organizations, or public networks;
    • appropriate authentication mechanisms for users and equipment;
    • control of user access to information services.

    9.5 Operating system access control

    To prevent unauthorized computer access.

    Security facilities at the operating system level should be used to restrict access to computer resources. These facilities should be capable of the following:

    • identifying and verifying the identity, and if necessary the terminal or location of each authorized user;
    • recording successful and failed system accesses;
    • providing appropriate means for authentication; if a password management system is used, it should ensure quality passwords [see 9.3.1 d)];
    • where appropriate, restricting the connection times of users.

    Other access control methods, such as challenge-response, are available if these are justified on the basis of business risk.

    9.6 Application access control

    To prevent unauthorized access to information held in information systems. Security facilities should be used to restrict access within application systems.

    Logical access to software and information should be restricted to authorized users. Application systems should:

    • control user access to information and application system functions, in accordance with a defined business access control policy;
    • provide protection from unauthorized access for any utility and operating system software that is capable of overriding system or application controls;
    • not compromise the security of other systems with which information resources are shared;
    • be able to provide access to information to the owner only, other nominated authorized individuals, or defined groups of users.

    9.7 Monitoring system access and use

    To detect unauthorized activities. Systems should be monitored to detect deviation from access control policy and record monitorable events to provide evidence in case of security incidents.

    System monitoring allows the effectiveness of controls adopted to be checked and conformity to an access policy model (see 9.1) to be verified.

    9.8 Mobile computing and teleworking

    To ensure information security when using mobile computing and teleworking facilities.

    The protection required should be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied. In the case of teleworking the organization should apply protection to the teleworking site and ensure that suitable arrangements are in place for this way of working.

    10 Systems development and maintenance

    10.1 Security requirements of systems

    To ensure that security is built into information systems.

    This will include infrastructure, business applications and user-developed applications. The design and implementation of the business process supporting the application or service can be crucial for security. Security requirements should be identified and agreed prior to the development of information systems. All security requirements, including the need for fallback arrangements, should be identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for an information system.

    10.2 Security in application systems

    To prevent loss, modification or misuse of user data in application systems.

    Appropriate controls and audit trails or activity logs should be designed into application systems, including user written applications. These should include the validation of input data, internal processing and output data. Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical organizational assets. Such controls should be determined on the basis of security requirements and risk assessment.

    10.3 Cryptographic controls

    To protect the confidentiality, authenticity or integrity of information.

    Cryptographic systems and techniques should be used for the protection of information that is considered at risk and for which other controls do not provide adequate protection.

    10.4 Security of system files

    To ensure that IT projects and support activities are conducted in a secure manner.

    Access to system files should be controlled. Maintaining system integrity should be the responsibility of the user function or development group to whom the application system or software belongs.

    10.5 Security in development and support processes

    To maintain the security of application system software and information.

    Project and support environments should be strictly controlled. Managers responsible for application systems should also be responsible for the security of the project or support environment. They should ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.

    11 Business continuity management

    11.1 Aspects of business continuity management

    To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

    A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures and deliberate actions) to an acceptable level through a combination of preventive and recovery controls. The consequences of disasters, security failures and loss of service should be analyzed. Contingency plans should be developed and implemented to ensure that business processes can be restored within the required time-scales. Such plans should be maintained and practiced so that they become an integral part of all other management processes. Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.

    12 Compliance

    12.1 Compliance with legal requirements

    To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

    The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements. Advice on specific legal requirements should be sought from the organization's legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and for information created in one country that is transmitted to another country (i.e. trans-border data flow).

    12.2 Reviews of security policy and technical compliance

    To ensure compliance of systems with organizational security policies and standards.

    The security of information systems should be regularly reviewed. Such reviews should be performed against the appropriate security policies and the technical platforms and information systems should be audited for compliance with security implementation standards.

    12.3 System audit considerations

    To maximize the effectiveness of and to minimize interference to/from the system audit process.

    There should be controls to safeguard operational systems and audit tools during system audits. Protection is also required to safeguard the integrity and prevent misuse of audit tools.

    Annex B Comparison of British Standard 7799-1:1999 with Architecture Security Domain

    Architecture Section (page)    BS 7799-1:1999 (1999 edition)
    -                              Introduction
    -                              1 Scope
    -                              2 Terms and definitions
    5.1 (5)                        3 Security policy
    5.1 (5)                        3.1 Information security policy
    5.1 (5)                        4 Security organization
    5.1 (5)                        4.1 Information security infrastructure
    5.2 (13)                       4.2 Security of third party access
    5.2 (13)                       4.3 Outsourcing
    5.7 (78)                       5 Asset classification and control
    5.1 (9)                        5.1 Accountability for assets
    5.7 (78)                       5.2 Information classification
    5.3 (34)                       6 Personnel security
    5.3 (34)                       6.1 Security in job definition and resourcing
    5.1 (9)                        6.2 User training
    5.3 (34)                       6.3 Responding to security incidents and malfunctions
    5.3 (33)                       7 Physical and environmental security
    5.3 (33)                       7.1 Secure areas
    5.3 (33)                       7.2 Equipment security
    5.3 (33)                       7.3 General controls
    5.4 (37)                       8 Communications and operations management
    5.4 (39)                       8.1 Operational procedures and responsibilities
    5.4 (42)                       8.2 System planning and acceptance
    5.4 (42)                       8.3 Protection against malicious software
    5.4 (46)                       8.4 Housekeeping
    5.4 (48)                       8.5 Network management
    5.4 (49)                       8.6 Media handling and security
    5.4 (51)                       8.7 Exchanges of information and software
    5.2 (13)                       9 Access control
    5.2 (13)                       9.1 Business requirement for access control
    5.2 (13)                       9.2 User access management
    5.2 (13)                       9.3 User responsibilities
    5.2 (13)                       9.4 Network access control
    5.2 (13)                       9.5 Operating system access control
    5.2 (13)                       9.6 Application access control
    5.2 (13)                       9.7 Monitoring system access and use
    5.2 (13)                       9.8 Mobile computing and teleworking
    5.5 (55)                       10 Systems development and maintenance
    5.5                            10.1 Security requirements of systems
    5.5 (57)                       10.2 Security in application systems
    5.5 (60)                       10.3 Cryptographic controls
    5.5 (64)                       10.4 Security of system files
    5.5 (66)                       10.5 Security in development and support processes
    5.6 (69)                       11 Business continuity management
    5.6 (69)                       11.1 Aspects of business continuity management
    5.1 (8)                        12 Compliance
    5.1 (8)                        12.1 Compliance with legal requirements
    5.1 (8)                        12.2 Reviews of security policy and technical compliance
    5.1 (8)                        12.3 System audit considerations