Information Security User Policy Training Business Applications Department October 2009.


1 Information Security User Policy Training Business Applications Department October 2009

2 Purpose
- Provide acceptable information security principles and practices for all MRC employees and contractors
- Protect and safeguard information residing within the MRC environment

3 Aligned with COV and State Policies
- COV ITRM Policy SEC519-00, Information Technology Security Policy
- COV ITRM Standard SEC501-01, Information Technology Security Standard
- DHRM Policy 1.75, Use of Internet and Electronic Communication Systems
- MRC Information Security Program and Continuity of Operations Plan (COOP)

4 Scope
- All MRC employees and contractors have the responsibility to safeguard information
- All software and hardware used to process electronic information should be protected from unauthorized use, destruction or theft

5 Definitions
- "PC" refers to networked, standalone and file server workstations and the data stored on those workstations or on computer media
- IT system users are MRC personnel or contractors that require access to and use of PC resources managed for the Commission

6 Guiding Principles
Commonwealth of Virginia (COV) data is:
- A critical asset that shall be protected by the concept of least privilege
- Restricted to authorized personnel for official use

7 Guiding Principles
Information security must be:
- A cornerstone of maintaining public trust
- Managed to address both business and technology requirements
- Risk-based and cost-effective
- The responsibility of all users of COV IT systems and data

8 Key IT Security Roles and Responsibilities
- Steve Bowman, Commissioner, Agency Head: responsible for the security of the Agency's IT systems and data
- Erik Barth, Information Security Officer (ISO): develops and manages the Agency's IT security program
- Linda Farris, Backup Information Security Officer: assists in implementation of the Agency's IT security program
- Jane McCroskey, Privacy Officer: provides guidance on the requirements of state and federal privacy laws

9 Key IT Security Roles and Responsibilities
- Agency Division Heads, Data Owners: responsible for the policy and decisions regarding data
- Erik Barth, System Owner/System Administrator: assists in the day-to-day administration of systems and implements security controls and other requirements
- Debbie Sparks, Agency Inventory Coordinator: responsible for maintaining accurate records for transfers and returns of hardware and software assets and off-site authorizations

10 Key IT Security Roles and Responsibilities
- John Bull, FOIA Coordinator: coordinates Freedom of Information Act information requests
- Rick Lauderman, COOP Coordinator: coordinates Continuity of Operations Planning (Disaster Recovery)
- Brandy Battle, Records Retention Manager: maintains records retention policies and/or procedures

11 Key IT Security Roles and Responsibilities
Data Custodians are individuals in physical or logical possession of data for Data Owners:
- Terri Short, CFLS, Administrative Accounting Systems
- Tony Watkinson, HMPTS
- Ben Stagg, OGLS, CAD and GIS
- Warner Rhodes, LEDS
- Joe Grist, FDS
- Lewis Gillingham, SWFT
- Linda Hancock, HR
- Todd Sperling, Agency Web Site

12 Key IT Security Roles and Responsibilities
System users include all employees and contractors that have access to Agency PC resources. System users' responsibilities include the following:
- Read and comply with the User Security Policy
- Report breaches of IT security, actual or suspected, to agency management and/or the ISO
- Take reasonable and prudent steps to protect the security of IT systems and data to which they have access

13 Supervisors
- All supervisors shall conduct an annual position review of employees with IT roles and responsibilities
- This annual review should be conducted in alignment with the annual review of all Employee Work Profiles (EWP) in October
- Security-related roles must be described in employee EWPs

14 Risk Management
- Protects COV IT systems and data based on sensitivity and risk
- Allows each Agency to determine how these factors apply to IT systems, including system availability needs
- Formal system risk assessments will be conducted at MRC as necessary, but at least every three years

15 Risk Management
- System users must report to their supervisor any activity they perceive may pose a risk to the security of information managed and accessed by agency PC systems
- Supervisors shall report in writing any credible risks to the Data Custodian of the affected system and the ISO

16 IT Contingency Planning
- Defines processes and procedures that plan for and execute recovery and restoration of IT systems and data
- MRC Contingency Planning documents:
  - MRC IT Business Impact Analysis, Risk Assessment, Contingency Management, and Disaster Recovery Plan
  - MRC Continuity of Operations Plan (COOP)

17 IT Contingency Planning
System users that have been assigned a role in contingency planning must do the following:
- Read and comply with requirements described by applicable Agency contingency plans
- Treat contingency plans as sensitive data
- Store contingency plans at a secure off-site location

18 Continuity of Operations and Disaster Recovery Planning Team
The agency's COOP Coordinator will focus on the following activities:
- Updating the COOP Report
- Determining the COOP/DRP team members
- Testing the COOP Plan on an annual basis

19 IT Systems Security
- Defines the necessary steps for effective protection of Agency IT systems
- Ensures security in the following areas:
  - System Hardening
  - IT Systems Interoperability Security
  - Malicious Code Protection
  - IT Systems Development Life Cycle Security

20 IT Systems Security
System users or contractors should know and comply with the following standards:
- Use systems for state business purposes
- Use virus and malware protection/detection software
- Ensure that anti-virus and anti-malware software is properly functioning and using up-to-date signature files
- Prevent the use of computer games on all state-owned PC resources
- Delete, or ask for assistance in deleting, computer game software on newly purchased PC workstations

21 IT Systems Security
All IT system users are prohibited from the following:
- Intentionally developing or experimenting with malicious programs (e.g., viruses, worms, spyware, keystroke loggers, phishing software, Trojan horses, etc.)
- Knowingly propagating malicious programs, including opening email attachments from unknown sources

22 IT Systems Security
Any employee or contractor involved in systems development or systems installation for the Commission must do the following:
- Read and comply with the security requirements for the systems development life cycle in the MRC Information Security Program

23 Logical Access Control
- Defines the steps necessary to protect the confidentiality, integrity, and availability of COV IT systems and data against compromise
- Defines requirements in the areas of account management, password management, and remote access

24 Logical Access Control
Commission employees and contractors are prohibited from the following:
- Accessing data or systems for which they have not been granted authorization
- Using guest and shared accounts: please report any existing guest or shared accounts to the Agency ISO

25 Logical Access Control
IT system users are required to do the following:
- Obtain formal authorization and a unique user ID and password prior to using the Agency systems, including Citrix remote access capabilities
- Prevent unauthorized use of unattended PC workstations when confidential information is accessible
- Use screen saver passwords or automatic Windows workstation locking (the lock timeout should not exceed ten minutes)

26 Logical Access Control
IT system users are required to keep all passwords confidential:
- Passwords should not be posted, displayed or stored
- Passwords are not to be included in any type of script, batch login file or procedure
- Passwords shall not be transmitted electronically without use of industry-accepted encryption standards
- Immediately change passwords and notify the ISO if they suspect their passwords have been compromised

27 Logical Access Control
All employees and contractors requesting system access accounts should do the following:
- Complete the Employee System Access form for the creation, modification or deletion of system accounts at the following link: http://www.mrc.virginia.gov/hr/
- Provide the following signatures on the form: employee, supervisor, and system owner
- The IT department will maintain all system access information

28 Logical Access Control
Sensitive Systems (CFLS; FSS/FTS; SMS):
- All employees and contractors that request access to agency sensitive systems must fill out the non-disclosure form at: http://www.mrc.virginia.gov/hr/
- This form requires the following signatures: Employee, Data Custodian, and ISO

29 Logical Access Control: Granting Sensitive or Non-Sensitive System Access for External Users
The Data Custodian for each sensitive/non-sensitive system will do the following:
- Grant access for external users
- Provide a signed copy of all non-disclosure forms to the ISO Office (as applicable to the sensitive system), or, if the system is self-registering, users will electronically accept the terms of usage, including non-disclosure of sensitive information
- Conduct an annual review, verify and keep on file a listing of active external users requiring access to the sensitive system

30 Data Protection
- Provides security safeguards for the processing and storing of data
- Includes requirements in the areas of Media Protection and Encryption

31 Data Protection
- Dataset Creators or Data Custodians are responsible for protecting and identifying stored sensitive data
- CFLS, FTS/FSS and SMS are the agency systems currently identified as sensitive
- Sensitive data may not be stored on mobile data storage media, local desktop or laptop computers UNLESS properly encrypted, physically and logically secured in a reasonable manner, and authorized in writing by the Agency Head

32 Data Protection
- Pickup, receipt, transfer, and delivery of all data storage media containing sensitive data is restricted to authorized personnel only
- Sensitive data may not be transmitted without proper encryption

33 Data Protection
Data Custodians shall be responsible for submitting the following authorizations to the ISO:
- Transporting sensitive data in hardcopy or on mobile storage media
- Storing sensitive data on a local desktop or laptop computer
- Authorizations should include names and a brief description of the business need
- The ISO shall request written authorization from the agency head and maintain authorization records

34 Data Protection
- Data storage media must be sanitized prior to disposal or reuse
- All data destruction shall be done in accordance with ITRM Removal of Commonwealth Data from Surplus Computer Hard Drives and Electronic Media Standard (ITRM Standard SEC2003-02.1)

35 Data Protection
- Data Custodians shall be responsible for requesting in writing from the ISO the destruction or sanitization of data storage media with sensitive data
- The ISO or his designee shall be responsible for data destruction or sanitization and the documentation of such

36 Data Protection
All personnel with access to sensitive data systems must sign a non-disclosure and security agreement:
- The agreement makes clear that unauthorized disclosure of any sensitive data is prohibited
- For all VITA-NG personnel and contractors, the agency will accept non-disclosure and security agreements signed as a condition of their employment with VITA-NG

37 Data Protection
IT system users are required to perform the following data protection measures:
- Regularly back up data files stored on local drives
- Store backup copies of critical non-network data files offsite
- Be aware that data files stored on network directories will be backed up by the Business Application Department each business day
- Store magnetic media (diskettes, tapes, CD-ROM) in a secure container away from extreme temperature

38 Facilities Security
Requires planning and application of facilities security practices to provide a first line of defense for IT systems against the following:
- Damage, theft, and unauthorized disclosure of data
- Loss of control over system integrity
- Interruption of computer services

39 Facilities Security
All employees are instructed to:
- Maintain an office environment that employs practical, cost-efficient safeguards to protect against human, natural and environmental risks to Agency information resources
- Report immediately any suspicious situations or problems related to facilities such as heating, cooling, water, electrical, fire suppression, security access systems and door locks

40 Facilities Security
- Employees must accompany visitors to areas of the Agency that house sensitive data, particularly the First Floor Network Room
- If visitors are not accompanied by agency personnel, they must have proper authorization by the ISO or VITA-NG to be working in those areas

41 Facilities Security
Employees and contractors should perform the following steps to protect equipment and data:
- Lock office areas when departing from an unattended main office suite or field office
- Keep vaulted rooms locked when not in use to protect sensitive data
- Lock vehicles, and remove equipment and data from vehicles, boats, or planes when not in use

42 Personnel Security
- Reduces risk to COV IT systems and data
- Specifies access determination and control requirements for individuals who require sensitive data and systems as part of their job duties
- Includes Security Awareness and Training requirements to provide all IT system users with an appropriate understanding of policies

43 Personnel Security
All personnel and contractors shall:
- Complete agency security training at least annually, or as soon as practical after starting work for the Commission
- Adhere to DHRM Policy 1.75 – Use of Internet and Electronic Communication Systems
- Have no expectation of privacy: the Agency and COV reserve the right (with or without cause) to monitor, access, and disclose all data on COV systems

44 Personnel Security
Background checks:
- All new Business Application Systems employees of the Agency, VITA-NG staff, and contractors are required to undergo pre-employment background checks and at least every two years after the initial hire date
- Individual Agency divisions shall determine the need for background checks of personnel within their area of responsibility who have access to sensitive systems

45 Personnel Security
- It shall be the responsibility of the Human Resources Officer to report, in writing, to the ISO all permanent and temporary employee terminations
- Agency supervisors shall report, in writing, transfers and request modifications of user access rights
- The ISO shall maintain a file documenting terminations and the associated removal of physical and logical access rights

46 Threat Management
- Addresses protection of COV IT systems and data by preparing for and responding to IT security incidents
- Includes Threat Detection, Incident Handling, and IT Security Monitoring and Logging

47 Threat Management
- All system users must report immediately to their supervisors any unauthorized disclosure of data or incidents that potentially could compromise data
- Users are required to immediately log off and shut down their computers
- Supervisors must report such incidents immediately to the ISO

48 Threat Management: Security Incident Handling and Reporting
- The agency ISO will report all events that have a real impact on the Commission to the CISO and VITA within 24 hours, using the following form: https://www.vita.virginia.gov/security/incident/secureCompIncidentForm/threatReporting.cfm
- The agency ISO will keep all documented materials in the IT files

49 IT Asset Management
- Concerns protection of the components that comprise COV IT systems by managing them in a planned, organized, and secure fashion
- Includes IT Asset Control, Software License Management, Configuration Management, and Change Control

50 IT Asset Management
- Installation of software on Agency IT systems is prohibited until approved by the Information Security Officer (ISO) or VITA-NG
- Unauthorized installation, duplication and/or violation of the software license agreement of copyrighted software is illegal and subject to a Group II Offense under the State Employee Standards of Conduct: "Unauthorized Use or Misuse of State Property or Records"

51 IT Asset Management
- Only authorized personnel in the Business Applications Department or VITA-NG may procure or dispose of agency hardware and software assets
- Appropriate property transfer documents containing information on the returns of surplus hardware and software assets should be made to the ISO or, when appropriate, to VITA-NG personnel
- All returns (upon employee termination) and transfers of hardware and software assets must be made with the appropriate property transfer documentation and thereby coordinated with the Agency Inventory Coordinator

52 IT Asset Management
- Personal IT assets, including hardware like laptops and media like personal flash drives or USB hard drives, are prohibited on Agency facilities
- Removing assets from the agency:
  - Static COV IT assets (desktop PCs and printers) must have written authorization by each employee's supervisor, with notification to the Agency Inventory Coordinator
  - Mobile COV IT assets (laptops, PDAs, and portable printers) are intended to be used off Agency premises and shall not require any additional authorization when assigned to an individual employee or contractor

53 IT Asset Management
- The Agency Inventory Coordinator shall maintain the records of all returns, transfers and off-site authorizations
- Annually, the Agency Inventory Coordinator shall conduct a paper inventory audit of all IT assets, supplemented with a random physical audit to ascertain the location of all COV IT assets

54 Records Retention
- The Agency Records Retention Manager shall maintain records retention policies and/or procedures
- Updated MRC Record Retention Procedures can be obtained from Brandy Battle, Records Retention Manager, 757-247-2260; Brandy.Battle@mrc.virginia.gov
- Additional information can be obtained from the Library of Virginia at: http://www.lva.lib.va.us/whatwedo/records/

55 Thanks!
Thanks for going through the training today. Information security is critical at work and at home. We appreciate you taking the time to learn the contents of this training and highly encourage you to take some time regularly to read up on security topics – you can click on the security link at the bottom of our MRC web pages to visit the VITA-NG security web site at any time. Please contact Erik Barth (x72262), Linda Farris (x72280) or your supervisor if you have any questions about this training or information security topics in general.

