MCSD Sigurnosni pan
-
Upload
vedran-vukelic -
Category
Documents
-
view
218 -
download
0
Transcript of MCSD Sigurnosni pan
-
8/12/2019 MCSD Sigurnosni pan
1/15
MCSD IT Plan Document Information
Title: MCSD IT Security Plan
Type: MCSD Procedural Plan
Audience: MCSD IT Employees and Management
Approval Authority: Assistant Superintendent for Technology & Personnel
Contact: mail to:baatsm!marlboroschools"org
Status:Proposed: #anuary $% '($(
Appro)ed: T*A
MARLBORO CENTRAL SCHOOL DISTRICTInformation Technology Security Plan
#anuary $%th '($(
mailto:[email protected]:[email protected] -
8/12/2019 MCSD Sigurnosni pan
2/15
Table of ContentsIntroduction"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +
Information Technology Security Safeguards""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" ,
Physical Security""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" -
Personnel Security""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" -
Data Communications Security""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" -
Phone System Security"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" -
System Access Security"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .
/egal Safeguards""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" %
0et1or 2sage Policy""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 3
Ensuring System Integrity""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 3
Security 4erification""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5
Security /ogs"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5
Security 4erification Team""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" $(
6andling 0on7compliance"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" $(
Security A1areness and Training""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" $$
Appendi8 A" 9indo1s Client for 0et1are Configuration 2tility
Settings"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" $'
Appendi8 *" Standard 0o)ell 0et1are ."- Security
Settings"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" $'
Appendi8 C" Standard ;ire1all TI?ATE7+$(*@
Settings"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" $+
Appendi8 D" /ist of staff 1ho ha)e access
to the 0et1or =perations Center""""""""""""""""""""""""""""""""""""""""""""""""""""""" $,
Appendi8 E" Security 4erification Team""""""""""""""""""""""""""""""""""""""""""""" $,
'
-
8/12/2019 MCSD Sigurnosni pan
3/15
Introduction
The Marlboro Central School District is referred to throughout this document as MCSDB" Theobecti)es of the MSCD IT Security Plan are the follo1ing:
Acuaint employees 1ith the security procedures reuired to ensure protection of
information technology systems at MCSD" Clarify employee responsibilities and duties 1ith respect to the protection of information
resources"
Enable managers and other 1orers to mae decisions about information security 1hich
are in eeping 1ith standard policies and procedures and 1hich are responsi)e to
pre)ailing local conditions"
Coordinate the efforts of different groups 1ithin MCSD so that information resources are
properly and consistently protected regardless of their location form or supportingtechnologies"
Pro)ide guidance for the performance of information system security audits and re)ie1s" Demonstrate upper management support for a strong information security program at
MCSD"
Establish a basis for disciplinary actions 1hen reuired to protect MCSD information
assets"MCSD is taing appropriate steps to ensure its information systems are properly protected fromall security threats" All MCSD information systems shall be protected regardless of storage or
transmission medium"
Three ey concepts form the bacbone of the security program at MCSD:
$" The Districts commitment to protecting )ital and confidential electronic files"
'" All information access is granted consistent 1ith the staff technology acceptable
use policy and other applicable *oard of Education policies and administrati)eregulations"
+" Information security is the responsibility of all computer system users"
All security procedures in this document are 1ritten 1ith these three concepts in mind"
MCSD Information Security Officer
Information Security Officer. The District maintains personnel 1ho ser)e as primary
Information Security =fficers" The Assistant Superintendent of Technology and Personnel ser)es
as the primary Information Technology Security =fficer" The Assistant Superintendent of
Technology and Personnel and the Technology Ser)ices Staff ser)e to implement and maintain
security of electronic information" The Assistant Superintendent of Technology and Personnel
+
-
8/12/2019 MCSD Sigurnosni pan
4/15
and the 0et1or Administrator are responsible for assessing the security riss and e8ternal
threats recommending actions to minimiFe those riss and conducting program re)ie1s to
assess the adeuacy of internal controls structures and business processes to protect school
information and technology resources"
The MCSD Information Security =fficer and 0et1or Administrator ha)e been assigned thefollo1ing responsibilities:
Maintain and )erify net1or and host security for all business systems"
De)elop and maintain formal security policies and procedures"
Maintain and )erify user ID and data set security databases"
Maintain and )erify 0o)ell 0et1are ."- group and user ID security databases"
4erify and re)ie1 0et1or Share /e)el access rights" 4erify /ocal Area 0et1or s1itchGrouter security settings"
Collaborate 1ith =rangeG2lster *=CES and the Mid 6udson >egional Information
Center on information security planning and maintenance"
De)elop and maintain a formal security a1areness and training program"
Information Technology Security Safeguards
This security plan reuires that good management practices be follo1ed to implement
information technology security safeguards based on the MCSD IT >is Assessment" Thefollo1ing is a list of reuirements for all information systems maintained at MCSD"
Physical Security
All net1or ser)ers shall be in a loced room or secured in a loced enclosure"
All net1or ser)er rooms shall ha)e C='based fire e8tinguishers located 1ithin the
room" 0et1or Technicians shall be a1are of the location of the closest fire alarm" The
net1or ser)er room shall ha)e a smoe detector installed in the room"
The net1or ser)er room should be monitored for temperature and humidity"
All net1or ser)ers shall be run on an uninterruptible po1er supply
-
8/12/2019 MCSD Sigurnosni pan
5/15
-
8/12/2019 MCSD Sigurnosni pan
6/15
System Access Security
Authentication
The identity of each indi)idual 1ho accesses business information must be )erified before gi)enaccess to the information" This identification process is normally performed using the userIDGpass1ord process" The user ID determines 1ho the user is claiming to be" The submission of
a correct pass1ord is taen to mean that the person is actually 1ho the user ID claims them to be"
2se of shared user IDs shall be limited to 1orstations allo1ing only single function use
-
8/12/2019 MCSD Sigurnosni pan
7/15
All )endor default pass1ords must be changed upon system installation"
If a suspected disclosure of pass1ords has occurred all in)ol)ed pass1ords shall be
immediately changed"
Proof of identity is reuired to obtain a reset pass1ord"
All users 1ill be forced to change their pass1ords at least e)ery 5( days or their accounts1ill be automatically disabled"
0e1 pass1ords 1ill be issued in a state that reuires immediately changing the first time
the user logs on"
Data Claification
All sensiti)e information shall be labeled either confidentialJ or internal use onlyJ in thedocument containing the sensiti)e information" At least once per uarter the MCSD Security
Engineer 1ill search the MCSD net1or to ensure that confidential and internal use only
documents are not accessible to the general public"
All personal data shall be treated as confidential information"
All storage medium shall be classified to highest le)el of information they may contain"
All storage medium must be destroyed or securely 1iped before disposal
Acce Right
=nce a user is authenticated they are only gi)en access to information necessary to completetheir ob function" All data shall be controlled to limit access to indi)iduals 1ho need access to
the information"
Dormant user IDs shall be remo)ed e)ery $' months"
A list of access rights to net1or resources shall be generated and re)ie1ed by
management yearly"
Legal Safeguards
Licening
MCSD must ha)e documentation pro)ing compliance 1ith soft1are license agreements"
If an end user loads personal soft1are on their PC they must pro)ide the MCSD help
des 1ith a copy of soft1are license and proof of purchase or a statement saying that the
user has in their possession a legal license for this soft1are"
MCSD is committed to obeying intellectual property la1s such as the 2"S" copyright la1as it relates to electronic information and copyrights"
The MCSD security officer 1ill perform a periodic re)ie1 of soft1are licensing to
ensure that MCSD is in compliance its soft1are license agreements"
Pri#acy
%
-
8/12/2019 MCSD Sigurnosni pan
8/15
MCSD shall attempt to ensure pri)acy of communications o)er its telephone and data
net1ors" 6o1e)er it should be noted that messages sent o)er MCSD internal electronic
mail systems are not subect to the pri)acy pro)isions of the Electronic andCommunications Pri)acy Act of $53. and therefore may legally be read by MCSD
management and system administrators if deemed necessary to meet business
reuirements" All MCSD information systems consisting of the euipment and information stored in
MCSD information systems are considered MCSDs property and as such may accessed
mo)ed read etc" as needed to meet MCSD business reuirements"
Statistical information deri)ed from business information systems may be disclosed to
parties outside the business only if the indi)iduals can not be identified by the
information released"
Legal Diclaimer
/egal disclaimer shall be placed on all net1or access points" Disclaimers shall be set up as a
logon banner upon net1or logon and as a lin at the bottom of all MCSD 1eb pages"
Logon Banner$
*y using this computer you implicitly agree to the terms of the MCSD Information Technology
Acceptable 2se Policy
%e& Diclaimer
Information may be posted and maintained on Indi)idual sites by MCSD personnel
-
8/12/2019 MCSD Sigurnosni pan
9/15
Ensuring System Integrity
'iru Protection
It is the responsibility of each indi)idual to scan their documents for )iruses before
sharing them 1ith other people both inside and outside of MCSD"
A )irus protection system shall be set up to automatically update all business )irus
scanners as ne1 )irus images are released"
It is the responsibility of each indi)idual to immediately notify the MCSD help des
upon finding a )irus"
All fire1alls used at MCSD shall filter out incoming Acti)eL and #a)a control )iruses at
fire1all"
The )irus protection system implemented at MCSD shall scan attached files 1hile in the
MS E8change inbo8"
The )irus protection system shall scan files immediately upon their being sa)ing to a file
ser)er or 1orstation"
Re"un"ancy an" Ta(e Bac)u( **
All business data shall be stored in at least t1o separate locations"
9here possible the MCSD net1or shall be set up to limit the number of single points
of failure in the system"
Monthly full tape bacup sets shall be stored for a minimum of si8 months"
As ser)er dis become full 1ith archi)ed data migration of the archi)ed data to aStorage Area 0et1or
-
8/12/2019 MCSD Sigurnosni pan
10/15
A method of automatic cloc synchroniFation shall be set up on the MCSD net1or in
order to insure accurate time information in the security logs"
All security related logs shall be re)ie1ed on a consistent basis to ensure that MCSD
security is not being compromised"
Administrators shall not ha)e rights to clear or alter security logs in order to insure that
the MCSD Security Engineer has accurate security information in the security log
Security Verification eam
A security team shall be set up to test the security of the net1or using no1n techniues used
by people 1ho try to gain access to net1ors" This security team shall be identified in 1riting to
the Central =ffice 1hen testing of the MCSD net1or is about to tae place" 0o testing of
net1or security 1ill tae place 1ithout the authoriFation from Central =ffice" 2pon completionof the security testing full documentation as to the methods used and the results of the test shall
be deli)ered to the Central =ffice"
Handling Non-compliance
Information Security Incident Management:
a. Definition" An information security incident includes but is not limited to one of the
follo1ing e)ents:
Attempts esponsible information technology staff 1ill initiate timely correcti)e action
document the incident and record lessons learned to pre)ent similar incidents from occurring in
$(
-
8/12/2019 MCSD Sigurnosni pan
11/15
the future" The Technology Ser)ices Staff retain documentation related to all information
security incidents"
d. Eceptions.If indi)iduals belie)e they ha)e a circumstance that reuires eceptionto the
MCSD IT Security Plan upon agreement 1ith the MCSD Information Security =fficer they 1ill
be allo1ed access or a temporary o)erride account" The MCSD Information Security =fficer
and Technology Ser)ices staff 1ill pro)ide ongoing monitoring of such instances"
!t is mandatory t"at all employees of #$SD report all s%spected sec%rity incidents to t"e #$SD
!nformation Sec%rity &fficer" They may do so by calling the MCSD help des or calling theMCSD Information Security =fficer directly" All reported security incidents must be
in)estigated"
Security Aareness and Training
All indi)iduals in)ol)ed in the management operation programming maintenance or use ofinformation technology must be a1are of their security responsibilities and no1 ho1 to fulfill
them" To this end MCSD has set up the MCSD Security A1areness and Training program" All
indi)iduals in)ol)ed 1ith information technology at MCSD shall recei)e an informationtechnology security a1areness briefing or be pro)ided 1ith appropriate information" In additionemployees 1ill be pro)ided 1ith refresher a1areness material or briefings as needed"
Indi)iduals assigned responsibilities for information technology security shall be pro)ided 1ithin7depth training regarding security techniues methodologies for e)aluating threats and
)ulnerabilities that affect specific information technology systems and applications and selection
and implementation of controls and safeguards"
The MCSD Information Security =fficer shall be responsible for documenting and maintaining
security training records"
$$
-
8/12/2019 MCSD Sigurnosni pan
12/15
Appendi! A" #ocal $indos Client for Netare Configuration %tilitySettings
2se the follo1ing procedure to ensure security of 9indo1s 1orstations"
/ocal Security at each 1orstation:
>estrict the >unB section of the registry" This prohibits the intrusion of spy1are
mal1are and other malicious programs that reuire utiliFation of this resource to operate"
>estrictions are in place for the follo1ing 1orstation components: My computer
net1or places control panel screen sa)ers bacground settings and destop"
Appendi! &" Standard No'ell Netare (")* Security Settings
Stan"ar" +rou( mem&erhi(
Right to file an" "irectorie
Right to (rinter
Right to the regitry
Account Policie
Right lite" &y ,er an" +rou(
Trut relationhi(
$'
-
8/12/2019 MCSD Sigurnosni pan
13/15
Au"it Setting for Account- .ile- Printer- an" the Regitry
E#ent log etting
The No#ell Client ue /01
Appendi! C" +ireall ,olicy
The Marlboro Central School District is protected by the ;ortigate7+$(*N ;ire1all" The same
fire1all used by =rangeG2lster *=CES for net1or monitoring and protection of the *=CES
net1or"
This de)ice allo1s MCSD the access and protection it needs 1hile utiliFing ser)ices such as
9eb access file transfer protocols anging from the ;orti?ate7+( series for small offices to the ;orti?ate7-((( series for largeenterprises ser)ice pro)iders and carriers the ;orti?ate line combines the ;orti=S security
operating system 1ith ;ortiASIC processors and other hard1are to pro)ide a comprehensi)e and
high7performance array of security and net1oring functions including:
;ire1all 4P0 and Traffic Shaping
Intrusion Pre)ention System
-
8/12/2019 MCSD Sigurnosni pan
14/15
/ayer 'G+ routing
Multiple 9A0 interface options
;orti?ate appliances pro)ide cost7effecti)e comprehensi)e protection against net1or content
and application7le)el threats 7 including comple8 attacs fa)ored by cybercriminals 7 1ithoutdegrading net1or a)ailability and uptime" ;orti?ate platforms incorporate sophisticated
net1oring features such as high a)ailability
-
8/12/2019 MCSD Sigurnosni pan
15/15
$heeler. 3ic Netor Administrator
0ace. 0edd Orange7%lster &OC6S 89)":8;"9;
$-