Maryland Cybersecurity Program Policy
Last Updated: 01/31/2017
Contents
1.0 Introduction (page 3)
2.0 Document and Review History (page 3)
3.0 Applicability and Audience (page 3)
4.0 Policy (page 3)
  4.1 DoIT Cybersecurity Program (page 4)
  4.2 Cybersecurity Roles and Responsibilities (page 4)
  4.3 Cybersecurity Requirements and Policy (page 4)
  4.4 Cybersecurity Program Plan (page 5)
  4.5 Workforce (page 6)
  4.6 Key Performance Indicators (page 7)
  4.7 Security Program Budget (page 7)
5.0 Exemptions (page 8)
6.0 Policy Mandate and References (page 8)
7.0 Definitions (page 8)
8.0 Enforcement (page 8)
Appendix A: Policy List (page 10)
Appendix B: Policy Map (page 13)
State of Maryland Cybersecurity Program and Policies Signature Page (page 14)
1.0 Introduction
The Maryland Department of Information Technology (DoIT) is responsible for, and committed
to, managing the confidentiality, integrity, and availability of Information Technology (IT)
networks, systems, and applications for the Executive Branch of Maryland State Government.
This document establishes the DoIT Cybersecurity Program by implementing information
security policy initiatives across all IT Systems supported by, or under the policy authority of,
DoIT as directed within the scope of its authority under the 2013 Maryland Code §§ 3A-303 and
3A-305. Pursuant to its authority, DoIT will ensure the information security of State IT resources
by enacting this policy, which serves as the foundation for this program by establishing the
minimum requirements to be observed by all reporting agencies.
See the State of Maryland Cybersecurity Program and Policies Signature Page, located on the last
page of this document, for the official signature page authorizing the adoption and implementation of
the Cybersecurity Program and supporting policies by the Maryland Secretary of Information
Technology.
2.0 Document and Review History
This policy and supporting policies supersede the State of Maryland Information Security Policy
(version 3.1, Feb 2013). This document will be reviewed annually and is subject to revision.
Date        Version  Policy Updates       Approved By
01/31/2017  v1.0     Initial Publication  Maryland CISO
3.0 Applicability and Audience
This policy and all supporting policies are enacted and enforced by the Secretary of Information
Technology or any individuals delegated to act on the Secretary’s behalf. This policy applies to
all agencies (defined in MD Human Svs Code § 7-101(g) (2015) as ‘Units of State
Government’) in the Executive Branch of the Maryland State Government, employees of such
agencies, contractors, and vendors supporting such agencies, and any entities or individuals
using resources belonging to such agencies. This policy also applies to all networks, systems and
applications (IT Systems) owned and/or operated by such agencies.
Non-Executive Branch agencies may use the Cybersecurity Program Policy and supporting
policies as information security best practices and adopt them as needed.
4.0 Policy
The following sub-sections establish the overall policy requirements covered by the
Cybersecurity Program. This policy sets the standard for supporting policy implementations
encompassing more specific areas of interest approved by the Secretary of Information
Technology.
4.1 DoIT Cybersecurity Program
The Department of Information Technology is authorized to establish the Cybersecurity Program
for Executive Branch agencies. This policy protects the confidentiality, integrity, and availability
of State government resources and will adhere to the standards established by the National
Institute of Standards and Technology (NIST) documented under the Special Publication (SP)
800 series, including the Federal Information Processing Standards (FIPS) requirements. When
applicable, other laws, regulations, directives, executive orders, internationally recognized
standard methodologies and best practices may augment this guidance within the Cybersecurity
Program, such as those dictated by the Health Insurance Portability and Accountability Act of
1996 (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
All agencies under the purview of DoIT will comply with the Cybersecurity Program Policy as
directed by the Secretary of Information Technology. Any failure of an agency or entity to
comply with this policy and the supporting cybersecurity policies will be treated as a security
violation and subject to the consequences dictated by this program and indicated under the
relevant policy area of interest.
4.2 Cybersecurity Roles and Responsibilities
The State of Maryland, through the authority of the Secretary of Information Technology, will
establish the Director of Cybersecurity position within DoIT. This position will include the
following requirements:
A. Primary Responsibility: Is responsible for coordinating, developing, implementing and maintaining the Cybersecurity Program and policies for DoIT and all Executive State Agencies within the scope of DoIT’s authority.
B. Advisory Role: Will serve as the Chief Information Security Officer (CISO) for the State and primary cybersecurity advisor to the Secretary of Information Technology.
C. Hiring Responsibility: The Secretary of Information Technology will be responsible for hiring a qualified individual to fill this position.
D. Alternate / Backup: If this position is not staffed by a full-time employee, then the Secretary of Information Technology must either directly fulfill the responsibilities of the position, or appoint an interim Director of Cybersecurity until a new individual is hired.
4.3 Cybersecurity Requirements and Policy
The Director of Cybersecurity will establish cybersecurity requirements for DoIT and Maryland
Executive Agencies, and will promulgate those requirements into formal Cybersecurity Policies.
These policies will meet the following requirements:
A. Standards-based: Policies will be based upon reference material made available by the National Institute of Standards and Technology, specifically:
  - Federal Information Processing Standards (FIPS)
  - NIST Special Publications (SP)
  In addition, these policies:
  - Will effectively mandate a set of controls that represent a “tailored baseline” per the guidelines in NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
  - Will address all control families within SP 800-53
B. Final Executive Approval: Policies will be approved and signed by the Secretary of Information Technology and the Director of Cybersecurity.
C. Update Cadence: Policies will be formally reviewed and updated:
  - Annually
  - Upon any major change or realignment in the organization of State IT programs
  - As required by authoritative audit findings
D. Policy List: Established supporting policies will include all from the list in Appendix A.
E. Availability: Policies will be:
  - Made readily available to all constituent agencies, including IT staff and all employees
  - Available for download as a single document, or where feasible, in discrete sub-sections that address specific topics
4.4 Cybersecurity Program Plan
DoIT shall develop and maintain a Cybersecurity Program Plan. This document will meet the
following requirements:
A. Establish Cybersecurity Program: This plan will be the authoritative plan of the Cybersecurity Program within the Department of Information Technology.
B. Strategy: This plan will formally document the cybersecurity strategy for DoIT and constituent agencies.
C. Program Responsibilities: This plan will identify the major responsibilities of the Cybersecurity Program.
D. Organizational Structure: The plan will identify the organizational structure of the Cybersecurity Program to include:
  - Sub-programs and areas of responsibility for each sub-program
  - Staff member titles, roles and responsibilities, and org chart
  - Explicit identification of the approval chain/authorities for major decisions
  - Identification of positions outside of the Cybersecurity Program that perform key security functions, and identification of their roles and responsibilities
  - A current list of all Cybersecurity Program staff members, including their names and job titles
E. DoIT Partner Organizations: The plan will include identification of the other DoIT organizations/programs that work and/or share responsibility with the Cybersecurity Program, and:
  - Identify the nature of those relationships
  - Identify points of contact by title and name
  - Establish delineations of authority and roles and responsibilities where responsibilities for a function are shared
F. Constituent Agencies: The plan will include a current list of all constituent agencies and organizations, including:
  - A current list of security services being provided to each agency or organization
  - Identification of IT and IT Security staff members within those agencies, and their roles and responsibilities with respect to cybersecurity
  - Identification of physical and personnel security staff members within those agencies, and a delineation of roles and responsibilities
G. Executive Approval: The plan will be approved and signed by the Secretary of Information Technology and the Director of Cybersecurity.
H. Update Cadence: The plan will be formally reviewed and updated:
  - Annually;
  - Upon any major change or realignment in the organization of State IT programs; or
  - Within 6 months of the hiring of a new Secretary of IT or Director of Cybersecurity/CISO.
I. Plan of Action and Milestones (POA&M): This plan will include a process for ensuring that plans of action and milestones for the security program and associated information systems are developed and maintained.
J. Risk Management Approach: This plan will embody a Risk Management approach to cybersecurity, to include:
  - Formal measurement of risk
  - Explicit usage of risk measurements within security decision-making processes
  - An authorization process that uses risk assessments to determine whether or not an information system may be allowed to operate within DoIT-managed environments
4.5 Workforce
The State and DoIT will provide for hiring and/or contracting of a cybersecurity workforce
within the Cybersecurity Program as necessary to execute all policy requirements and will
establish a development and improvement program for that workforce:
A. Workforce Size and Quality: Workforce will be of a sufficient size and quality to execute policy requirements in accordance with the Cybersecurity Program Plan. If sufficient funding is unavailable, a formal report shall be provided to the Secretary of IT outlining the resulting security shortfalls and the interim mitigation efforts by the agency.
B. Development & Improvement: Mechanisms will be put in place to ensure that cybersecurity staff are able to develop and improve skillsets in order to keep up with changes in the field.
4.6 Key Performance Indicators
The Cybersecurity Program will establish Key Performance Indicators (KPIs) as a means to
measure the effectiveness of the program:
A. Overall: KPIs will be developed to measure the overall success of the Cybersecurity Program.
B. Per Sub-Program*: KPIs will be developed to measure each sub-program or major subdivision of the Cybersecurity Program. Sub-programs will begin measuring KPIs within six months of inception or enrollment to the sub-program.
C. Per Project: Security team projects will report standard project management KPIs during the run of each project. This reporting will begin within one month of the launch of a new project.
D. Operational KPIs*: KPIs will be developed that measure operational factors.
E. Monitoring of KPIs: KPIs will be monitored and measured on a monthly basis.
F. Reporting Cadence: KPIs will be reported to the Director of Cybersecurity on a monthly basis.
*Insofar as security operations is a sub-division of the overall Cybersecurity Program, KPIs developed to satisfy requirement 4.6(B) may also satisfy requirement 4.6(D).
4.7 Security Program Budget
The Department of Information Technology will explicitly establish a Cybersecurity Program
Budget, which will include and address cybersecurity concerns during its normal budgeting
processes. This will include the following requirements:
A. Cybersecurity Program Budget: DoIT will establish a budget for the Cybersecurity Program.
B. Responsibility for Security Program Budget Requests: The Director of Cybersecurity will be responsible for establishing and communicating formal budget requests to DoIT for the Cybersecurity Program, on an annual basis, or ad hoc as needed based upon newly identified concerns.
C. Mapping of Budget Requests to Risk: Beginning with FY2018, the Cybersecurity Program will identify specific risks that are intended to be remediated by each major cybersecurity budget line item or line item group.
D. Annual Consideration: DoIT will formally consider budget requests from the Director of Cybersecurity during its annual budget allocation process.
E. Acute Consideration: DoIT will formally consider budget requests from the Director of Cybersecurity that emerge from:
  - Audit findings that indicate required controls and associated expenditures beyond the baseline budget for the given fiscal year; or
  - Lessons learned from a cybersecurity incident.
5.0 Exemptions
The Cybersecurity Program Policy establishes the Cybersecurity Program within DoIT; there are
no exemptions to this policy.
6.0 Policy Mandate and References
The Department of Information Technology (DoIT) has the authority to set policy and provide
guidance and oversight for the security of all IT systems within Executive Branch agencies in
accordance with Maryland Code §3A-303 and §3A-305.
7.0 Definitions
Cybersecurity: The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. (Ref: https://niccs.us-cert.gov/glossary)
Due Care: Using reasonable care to protect the interests of an organization. Developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures that are implemented through an organization’s infrastructure.
Due Diligence: Practicing the activities that maintain the due care effort. The continued investigation and application of security into the existing infrastructure of an organization.
IT Systems: Collection of Maryland State Information Technology (IT) networks, systems, and applications used as IT resources for the Executive Branch of the State of Maryland.
Unit of State Government: A department, agency, office, commission, council, or other unit in the Executive Branch of the State government (MD Human Svs Code § 7-101(g) (2015)).
8.0 Enforcement
The Maryland Department of Information Technology is responsible for enforcing policies for
Enterprise onboarded agencies. The DoIT Cybersecurity Program identifies the minimum
requirements necessary to comply with the information security standards and guidelines
provided within the Cybersecurity Program Policy and its supporting policies. Agencies not directly
managed by DoIT must exercise due diligence and due care to comply with the minimum
standards identified by the relevant DoIT policies.
If DoIT determines that an agency is not compliant with this policy or any supporting policy, the
non-compliant agency will be given a sixty (60) day notice to become compliant or at least
provide DoIT a detailed plan to meet compliance within a reasonable time before the issue is
reported to the Secretary of Information Technology. After that report, the Secretary of Information
Technology, or a designated authority, may extend a non-compliant agency’s window of
resolution or authorize a DoIT representative to limit or restrict an agency’s access to external
and internal communications (effectively shutting down connectivity) until such time as the agency
becomes compliant.
Any attempt by personnel to circumvent or otherwise bypass this policy or any supporting policy
will be treated as a security violation and subject to investigation. The results of the investigation
may entail written reprimand, suspension, termination, and possibly criminal and/or civil
penalties.
Appendix A: Policy List
The following policies and policy groups will be established. Entries described as a policy group
or policy sub-group (highlighted rows in the original table) represent policy groupings, not
individual policies.
Note: For a graphical Policy Map, see Appendix B.
1 Cybersecurity Program Policy: This policy will define the requirements for the Cybersecurity Program for the DoIT and all agencies for which it provides IT services.
2 General Policies: Policy group that includes individual policies not included with other groupings.
2.1 Acceptable Use Policy: This policy will define the requirements for acceptable use of computer systems as well as a description of different types of accounts and their associated responsibilities, including an acceptable use form that users must sign annually.
2.2 Configuration Management: This policy will define the requirements for baseline security configuration of endpoints, devices and common applications, as well as the management and application of those configurations, and change control for all configurations. It will also define security requirements for the lifecycle associated with the development and acquisition of new IT systems, products or capabilities.
  Topics Covered: Systems Development Lifecycle.
2.3 Physical and Environmental Protection: This policy will define the requirements for physical and environmental security.
3 Assessment and Authorization: Policy group that provides for the application of security assessments, and subsequent authority to operate (or withholding of authority).
3.1 Security Assessment: This policy will define:
  - the requirements for the assessment of risk within the Enterprise. Will mandate periodic, organization-wide assessments to determine overall risk including identification of threats, vulnerabilities, likelihood of occurrence, potential impact, etc.;
  - the requirements for the safe and proper conduct of vulnerability assessments and penetration tests; and
  - the requirements for the assessment of security with vendors that provide IT-related services or products, prior to those services or products being used by DoIT and Enterprise agencies, or in order to continue operation.
  Topics Covered: Risk Assessment, Vulnerability Assessment, Penetration Testing, and Vendor Assessment.
3.2 Third Party Interconnection: This policy will define the requirements for the assessment of 3rd parties (non-vendors) prior to interconnection with the State, or in order to continue interconnection.
3.3 Authority to Operate: This policy will define the requirements for the assessment of specific systems/environments to establish authority to operate (or requirements for an ATO).
4 Proactive Security: Policy group that provides for the application of proactive security controls.
4.1 Endpoint and Application Security: Policy sub-group, included within the Proactive Security group, which provides for the application of security controls for endpoints and applications.
4.1.1 Endpoint Protection: This policy will define the requirements for additional security mechanisms for endpoints, including integrity monitoring, host-based intrusion detection, malware protection and other related instrumentation.
4.1.2 E-mail Security: This policy will define the requirements for security of e-mail systems both at the endpoint and server.
4.1.3 Patch Management: This policy will define the requirements for management and remediation of flaws and vulnerabilities.
4.1.4 Cloud Services Security: This policy will define the requirements for the secure configuration of hosted applications, including the hosting application (such as Web and application servers), and the applications themselves.
4.1.5 Data Security (File & Database): This policy will define the requirements for the security of files and databases.
4.2 Network Access and Security: Policy sub-group, included within the Proactive Security group, which provides for the application of security controls for network access, borders and general architecture.
4.2.1 Network Documentation and Access: This policy will define the requirements for secure design of enterprise network and application architectures including required network documentation and requirements for network access.
4.2.2 Boundary Protection and Internet Access: This policy will define the requirements for application of security controls at both internal network borders, and borders between State networks and the Internet.
4.2.3 Wireless Security: This policy will define the security requirements for the security of wireless networks within the State, and access to those networks.
4.2.4 Remote Access: This policy will define the security requirements for remote access into State networks from third party networks or the Internet.
4.2.5 Mobile Devices Security: This policy will define the security requirements for the usage of mobile devices on State networks.
4.3 Account Security and Access: Policy sub-group, included within the Proactive Security group, which provides for the application of security controls for the management of user and machine accounts, including identification, authentication and subsequent granting of access for those accounts, as well as the security of directory services in which those accounts are managed.
4.3.1 Account Management: This policy will define the requirements for the establishment and management of accounts and authentication to those accounts, and will define the requirements for training and security awareness throughout the State.
  Note: Some additional, topic-specific training requirements may exist in other policies as well.
  Topics Covered: Training
4.3.2 Official Use of Social Media: This policy will define the requirements for the official use of social media by State personnel authorized to post communications on behalf of an Agency.
4.4 Other: Policy sub-group, included within the Proactive Security group, which provides for the application of security controls for areas outside of endpoint, application, network or accounts.
4.4.1 Virtualization: This policy will define the requirements for the secure application of virtualization within the organization.
4.4.2 Media Protection: This policy will define the requirements for secure configuration, and management of storage media.
4.4.3 Asset Inventory: This policy will define the security requirements for the maintenance of asset inventories, and the contents of those inventories.
5 Monitoring and Response: Policy group that defines how the organization will monitor for security events, respond to security incidents and recover from disruptions.
5.1 Continuous Monitoring: This policy will define the requirements for:
  - Continuous monitoring of security-related logs and alerts, as well as requirements for the triage processes for potential security events;
  - Assessing and documenting the threat environment; and
  - Auditing of events considered potentially pertinent to cybersecurity, as well as log and alert contents, retention periods, etc.
  Topics Covered: Security Event Auditing and Logging and Threat Intelligence.
5.2 Cybersecurity Incident Response: This policy will define the requirements for the response to security incidents, and support for internal investigations.
5.3 Contingency Planning: This policy will define the security requirements for the response to and recovery from IT disruptions.
6 Compliance Policies: Policy group that defines how the organization will comply with various laws and regulations that mandate protections for specific data types and processes.
6.1 Public and Confidential Information: This policy will define the requirements for use, distribution, storage, and disposal of public and confidential information within the State.
6.2 HIPAA Security Rule: This policy will define the requirements for the security of health-related information.
6.3 PCI DSS Compliance: This policy will define the requirements for the security of payment card information.
6.4 Auditing and Compliance: This policy will define the requirements for conducting internal audits and enforcement of the Cybersecurity Program and supporting policies throughout the Enterprise and State.
Appendix B: Policy Map
This appendix includes a map of the cybersecurity policies, and the groups in which they will be
contained.
Cybersecurity Program Policy
- General Policies
  - Acceptable Use
    - Privileged Accounts
    - Acceptable Use Agreements
  - Configuration Management
    - System Development Lifecycle
  - Physical & Environmental Protection
- Assessment & Authorization
  - Security Assessment
    - Risk Assessment
    - Vulnerability Assessment
    - Penetration Testing
    - Vendor Assessment
  - Third Party Interconnection
  - Authority to Operate
- Proactive Security
  - Endpoint and Application Security
    - Endpoint Protection
    - E-mail Security
    - Patch Management
    - Cloud Services Security
    - Data Security
  - Network Security
    - Network Documentation and Access
      - Network Documentation
      - Network Access
    - Boundary Protection & Internet Access
    - Wireless Access
    - Remote Access
    - Mobile Device Security
  - Account Security and Access
    - Account Management
      - Awareness and Training
    - Official Use of Social Media
  - Other
    - Virtualization
    - Media Protection
    - Asset Management
- Monitoring and Response
  - Continuous Monitoring
    - Security Event Auditing and Logging
    - Threat Intelligence
  - Cybersecurity Incident Response
    - Breach Response Guide
  - Contingency Planning
    - Disaster Recovery
- Compliance
  - Public and Confidential Information
  - HIPAA Security Rule
  - PCI DSS Compliance
  - Auditing and Compliance