MCSD Security Plan


  • 8/12/2019 MCSD Security Plan


    MCSD IT Plan Document Information

    Title: MCSD IT Security Plan

    Type: MCSD Procedural Plan

    Audience: MCSD IT Employees and Management

    Approval Authority: Assistant Superintendent for Technology & Personnel

    Contact: mail to:baatsm!marlboroschools"org

    Status: Proposed: January 17, 2010

    Approved: TBA

    MARLBORO CENTRAL SCHOOL DISTRICT

    Information Technology Security Plan

    January 17th, 2010


    Table of Contents

    Introduction

    Information Technology Security Safeguards

    Physical Security

    Personnel Security

    Data Communications Security

    Phone System Security

    System Access Security

    Legal Safeguards

    Network Usage Policy

    Ensuring System Integrity

    Security Verification

    Security Logs

    Security Verification Team

    Handling Non-compliance

    Security Awareness and Training

    Appendix A. Windows Client for Netware Configuration Utility Settings

    Appendix B. Standard Novell Netware 6.5 Security Settings

    Appendix C. Standard Firewall FORTIGATE-310B Settings

    Appendix D. List of staff who have access to the Network Operations Center

    Appendix E. Security Verification Team


    Introduction

    The Marlboro Central School District is referred to throughout this document as "MCSD". The objectives of the MCSD IT Security Plan are the following:

    Acquaint employees with the security procedures required to ensure protection of information technology systems at MCSD.

    Clarify employee responsibilities and duties with respect to the protection of information resources.

    Enable managers and other workers to make decisions about information security which are in keeping with standard policies and procedures and which are responsive to prevailing local conditions.

    Coordinate the efforts of different groups within MCSD so that information resources are properly and consistently protected regardless of their location, form, or supporting technologies.

    Provide guidance for the performance of information system security audits and reviews.

    Demonstrate upper management support for a strong information security program at MCSD.

    Establish a basis for disciplinary actions when required to protect MCSD information assets.

    MCSD is taking appropriate steps to ensure its information systems are properly protected from all security threats. All MCSD information systems shall be protected regardless of storage or transmission medium.

    Three key concepts form the backbone of the security program at MCSD:

    1. The District's commitment to protecting vital and confidential electronic files.

    2. All information access is granted consistent with the staff technology acceptable use policy and other applicable Board of Education policies and administrative regulations.

    3. Information security is the responsibility of all computer system users.

    All security procedures in this document are written with these three concepts in mind.

    MCSD Information Security Officer

    Information Security Officer. The District maintains personnel who serve as primary Information Security Officers. The Assistant Superintendent of Technology and Personnel serves as the primary Information Technology Security Officer. The Assistant Superintendent of Technology and Personnel and the Technology Services Staff serve to implement and maintain security of electronic information. The Assistant Superintendent of Technology and Personnel and the Network Administrator are responsible for assessing the security risks and external threats, recommending actions to minimize those risks, and conducting program reviews to assess the adequacy of internal controls, structures, and business processes to protect school information and technology resources.

    The MCSD Information Security Officer and Network Administrator have been assigned the following responsibilities:

    Maintain and verify network and host security for all business systems.

    Develop and maintain formal security policies and procedures.

    Maintain and verify user ID and data set security databases.

    Maintain and verify Novell Netware 6.5 group and user ID security databases.

    Verify and review Network Share Level access rights.

    Verify Local Area Network switch/router security settings.

    Collaborate with Orange/Ulster BOCES and the Mid Hudson Regional Information Center on information security planning and maintenance.

    Develop and maintain a formal security awareness and training program.

    Information Technology Security Safeguards

    This security plan requires that good management practices be followed to implement information technology security safeguards based on the MCSD IT Risk Assessment. The following is a list of requirements for all information systems maintained at MCSD.

    Physical Security

    All network servers shall be in a locked room or secured in a locked enclosure.

    All network server rooms shall have CO2 based fire extinguishers located within the room. Network Technicians shall be aware of the location of the closest fire alarm. The network server room shall have a smoke detector installed in the room.

    The network server room should be monitored for temperature and humidity.

    All network servers shall be run on an uninterruptible power supply


    System Access Security

    Authentication

    The identity of each individual who accesses business information must be verified before given access to the information. This identification process is normally performed using the user ID/password process. The user ID determines who the user is claiming to be. The submission of a correct password is taken to mean that the person is actually who the user ID claims them to be.

    Use of shared user IDs shall be limited to workstations allowing only single function use

    All vendor default passwords must be changed upon system installation.

    If a suspected disclosure of passwords has occurred, all involved passwords shall be immediately changed.

    Proof of identity is required to obtain a reset password.

    All users will be forced to change their passwords at least every 90 days or their accounts will be automatically disabled.

    New passwords will be issued in a state that requires immediately changing the first time the user logs on.

    Data Classification

    All sensitive information shall be labeled either "confidential" or "internal use only" in the document containing the sensitive information. At least once per quarter the MCSD Security Engineer will search the MCSD network to ensure that confidential and internal use only documents are not accessible to the general public.

    All personal data shall be treated as confidential information.

    All storage media shall be classified to the highest level of information they may contain.

    All storage media must be destroyed or securely wiped before disposal

    Access Rights

    Once a user is authenticated, they are only given access to information necessary to complete their job function. All data shall be controlled to limit access to individuals who need access to the information.

    Dormant user IDs shall be removed every 12 months.

    A list of access rights to network resources shall be generated and reviewed by management yearly.

    Legal Safeguards

    Licensing

    MCSD must have documentation proving compliance with software license agreements.

    If an end user loads personal software on their PC, they must provide the MCSD help desk with a copy of software license and proof of purchase or a statement saying that the user has in their possession a legal license for this software.

    MCSD is committed to obeying intellectual property laws such as the U.S. copyright law as it relates to electronic information and copyrights.

    The MCSD security officer will perform a periodic review of software licensing to ensure that MCSD is in compliance with its software license agreements.

    Privacy

    MCSD shall attempt to ensure privacy of communications over its telephone and data networks. However, it should be noted that messages sent over MCSD internal electronic mail systems are not subject to the privacy provisions of the Electronic and Communications Privacy Act of 1986 and therefore may legally be read by MCSD management and system administrators if deemed necessary to meet business requirements.

    All MCSD information systems, consisting of the equipment and information stored in MCSD information systems, are considered MCSD's property and as such may be accessed, moved, read, etc. as needed to meet MCSD business requirements.

    Statistical information derived from business information systems may be disclosed to parties outside the business only if the individuals can not be identified by the information released.

    Legal Disclaimer

    Legal disclaimer shall be placed on all network access points. Disclaimers shall be set up as a logon banner upon network logon and as a link at the bottom of all MCSD web pages.

    Logon Banner:

    By using this computer you implicitly agree to the terms of the MCSD Information Technology Acceptable Use Policy

    Web Disclaimer

    Information may be posted and maintained on Individual sites by MCSD personnel


    Ensuring System Integrity

    Virus Protection

    It is the responsibility of each individual to scan their documents for viruses before sharing them with other people both inside and outside of MCSD.

    A virus protection system shall be set up to automatically update all business virus scanners as new virus images are released.

    It is the responsibility of each individual to immediately notify the MCSD help desk upon finding a virus.

    All firewalls used at MCSD shall filter out incoming ActiveX and Java control viruses at the firewall.

    The virus protection system implemented at MCSD shall scan attached files while in the MS Exchange inbox.

    The virus protection system shall scan files immediately upon their being saved to a file server or workstation.

    Redundancy and Tape Backup

    All business data shall be stored in at least two separate locations.

    Where possible, the MCSD network shall be set up to limit the number of single points of failure in the system.

    Monthly full tape backup sets shall be stored for a minimum of six months.

    As server disks become full with archived data, migration of the archived data to a Storage Area Network


    A method of automatic clock synchronization shall be set up on the MCSD network in order to ensure accurate time information in the security logs.

    All security related logs shall be reviewed on a consistent basis to ensure that MCSD security is not being compromised.

    Administrators shall not have rights to clear or alter security logs in order to ensure that the MCSD Security Engineer has accurate security information in the security log

    Security Verification Team

    A security team shall be set up to test the security of the network using known techniques used by people who try to gain access to networks. This security team shall be identified in writing to the Central Office when testing of the MCSD network is about to take place. No testing of network security will take place without the authorization from Central Office. Upon completion of the security testing, full documentation as to the methods used and the results of the test shall be delivered to the Central Office.

    Handling Non-compliance

    Information Security Incident Management:

    a. Definition. An information security incident includes, but is not limited to, one of the following events:

    Attempts

    Responsible information technology staff will initiate timely corrective action, document the incident, and record lessons learned to prevent similar incidents from occurring in the future. The Technology Services Staff retain documentation related to all information security incidents.

    d. Exceptions. If individuals believe they have a circumstance that requires exception to the MCSD IT Security Plan, upon agreement with the MCSD Information Security Officer, they will be allowed access or a temporary override account. The MCSD Information Security Officer and Technology Services staff will provide ongoing monitoring of such instances.

    It is mandatory that all employees of MCSD report all suspected security incidents to the MCSD Information Security Officer. They may do so by calling the MCSD help desk or calling the MCSD Information Security Officer directly. All reported security incidents must be investigated.

    Security Awareness and Training

    All individuals involved in the management, operation, programming, maintenance, or use of information technology must be aware of their security responsibilities and know how to fulfill them. To this end, MCSD has set up the MCSD Security Awareness and Training program. All individuals involved with information technology at MCSD shall receive an information technology security awareness briefing or be provided with appropriate information. In addition, employees will be provided with refresher awareness material or briefings as needed.

    Individuals assigned responsibilities for information technology security shall be provided with in-depth training regarding security techniques, methodologies for evaluating threats and vulnerabilities that affect specific information technology systems and applications, and selection and implementation of controls and safeguards.

    The MCSD Information Security Officer shall be responsible for documenting and maintaining security training records.


    Appendix A. Local Windows Client for Netware Configuration Utility Settings

    Use the following procedure to ensure security of Windows workstations.

    Local Security at each workstation:

    Restrict the "Run" section of the registry. This prohibits the intrusion of spyware, malware, and other malicious programs that require utilization of this resource to operate.

    Restrictions are in place for the following workstation components: My computer, network places, control panel, screen savers, background settings, and desktop.

    Appendix B. Standard Novell Netware 6.5 Security Settings

    Standard Group membership

    Rights to files and directories

    Rights to printers

    Rights to the registry

    Account Policies

    Rights listed by User and Group

    Trust relationships


    Audit Settings for Accounts, Files, Printers, and the Registry

    Event log settings

    The No#ell Client ue /01

    Appendix C. Firewall Policy

    The Marlboro Central School District is protected by the Fortigate-310B Firewall, the same firewall used by Orange/Ulster BOCES for network monitoring and protection of the BOCES network.

    This device allows MCSD the access and protection it needs while utilizing services such as Web access, file transfer protocols

    Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS security operating system with FortiASIC processors and other hardware to provide a comprehensive and high-performance array of security and networking functions including:

    Firewall, VPN, and Traffic Shaping

    Intrusion Prevention System

    Layer 2/3 routing

    Multiple WAN interface options

    FortiGate appliances provide cost-effective, comprehensive protection against network, content and application-level threats - including complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated networking features, such as high availability


    $heeler. 3ic Netor Administrator

    0ace. 0edd Orange7%lster &OC6S 89)":8;"9;
