
SLEEPYHEAD INSTRUCTION MANUAL

© Lateral Thinking 2008

2008 – EDITION

Sleepyhead Information Manual Information Security Program Standards Manual v1.0 2008

Table of Contents

Introduction
    Background
    Sleepyhead Security Program Manual Objective & Intent
    Sleepyhead Security Program Standards Applicability & Scope
        SCO Information and Information Technologies
        SCO Facilities and Physical Property
    The Principles of Due Care & Due Diligence
    Manual Alignment with Information Security Best Practices
    Manual Maintenance

Information Security Standards
    Roles and Responsibilities
        Standards for Information Asset Users
            100 User Compliance
            101 User Activity Monitoring Notice
            102 User Security Acknowledgement
            103 User Information Security Incident Reporting
            104 Physical Access / ID Badges
            105 Prohibited Activities
            106 Personally Owned Equipment and Software
            107 Laptop / Portable Information Storage Device Use
            108 User Authentication Credential Security
            109 Password Use
            110 User Password Rules
        Standards for Owners of Information Assets
            120 Owner Compliance
            121 Information Asset Classification
            122 Risk Assessment
            123 Security Management
            124 Owner Acceptable Use Policy
            125 Owner Authorization Approval
            126 Access Authorization Reviews
            127 Access and Use Agreements
        Standards for Custodians of Information
            130 Security Compliance
    Management Security Standards
        200 Information Classification
        201 Critical Application Classification
        202 Security and Privacy Assessment
        203 Project System Security Plans
        204 Security Certification and Accreditation
        205 Security Vulnerability Scanning
        206 System Interconnectivity / Information Sharing
        207 System Inventory
        208 Information Security Standard Violation Disciplinary Action
    Operational Security Standards
        300 Pre-Employment Screening
        301 Separation of Duties
        302 Least Privilege
        303 Security Education and Awareness
        304 Personnel Separation
        305 Physical Security
        306 Physical Access Control
        307 Visitors to SCO Facilities
        308 Information Protection in the Work Area
        309 Sanitization and Disposal of Information
        310 Information Exchange via Portable Information Storage Devices
        311 Information Asset Transport / Shipping
        312 Workstations
        313 Laptops and Portable Computing Devices
        314 Backup Data
        315 Business Continuity Planning
        316 Disaster Recovery Planning
        317 Information Security Incident Reporting
    Technical Security Standards
        400 Access Control
        401 User Identification
        402 User Authentication Techniques
        403 Password Standards
        404 Automatic Session Timeout
        405 Use Warning Banner
        406 Audit Trails
        407 Secure Communications
        408 Secure Storage
        409 Encryption Standard
        410 Network Boundary Security
        411 Firewall Standard
        412 Controlled Pathways (Gateways)
        413 Malicious Code Protection
        414 Remote Access
        415 Product Assurance (System Hardening)
        416 Patch Management
        417 System-to-System Interconnection (Node Authentication)
        418 Wireless Local Area Network Security Standard
    Privacy Standards
        500 Privacy Standards

Glossary of Terms

Appendix A: Information Security Incident Categories and Reporting Timeframes


Introduction

Background

Sleepyhead™ [1] is the trademark encryption system created by Lateral Thinking in 1976. Sleepyhead™ is based on the replacement of alphabet letters with jungle sounds. Each sound is coupled to a letter or group of letters according to the animal, the pitch and the background noise. This manual aims to provide minimum organizational standards for the use of Sleepyhead and to provide some of the keys for decryption.

Main encryption keys

Sleepyhead™ is a pitch-and-sound based encryption system. Each pitch and sound corresponds to a consonant or group of consonants, or to a vowel or group of vowels.

Gibbon sounds identify the alphabet to be used. A red-tailed gibbon, as in the example, identifies the standard Latin alphabet.

A laughing kookaburra, when in low pitch, identifies the number of letters contained in the word: one laugh per letter.

Elephant sounds cancel the previous instructions and inform the encrypter that the sequence will be started anew in a different order, to prevent decryption.

[1] Garbanjo in Spain and South America, Burdisso in Argentina, Pasculli in Italy, Dschungelverschlüsselung in Germany and Austria, Mützi in Switzerland.


Uurgh sounds correspond to consonants.

Low pitch uurgh sounds correspond to dental consonants such as /t/, /d/ and /n/.

High pitch uurgh sounds correspond to labial consonants such as /b/ and /v/.

Through the specialised training, the decrypter will learn how to identify the consonants. French Guiana has been chosen as the main training camp due to the richness of its jungles.

Gnawrl sounds correspond to vowels.

Low pitch gnawrl sounds correspond to “a” and “e”. Through the specialised training, the decrypter will learn how to tell an “a” from an “e”.
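A model of the encoding rules described above, added here as a worked example; it is not Lateral Thinking's implementation, and the token spellings (gibbon-red-tailed, kookaburra-low-xN, uurgh-low, uurgh-high, gnawrl-low, elephant) are assumptions made for the example. It encodes a message into the sound classes the manual names and then enumerates every plaintext consistent with the result. Because /t/, /d/ and /n/ all become the same low-pitch uurgh, and "a" and "e" the same low-pitch gnawrl, the sound stream by itself is not uniquely decodable; the manual's training in telling an "a" from an "e" is what carries the remaining information.

```python
"""Sleepyhead sound-stream model (illustrative; not Lateral Thinking's code).

Rules taken from the manual: a gibbon call selects the alphabet, a low-pitch
kookaburra laughs once per letter of the coming word, uurgh sounds are
consonants (low pitch = dental t/d/n, high pitch = labial b/v), gnawrl sounds
are vowels (low pitch = a/e), and an elephant call cancels everything before
it. The token spellings below are assumptions made for this example.
"""
from itertools import product

# Letter -> sound class (assumed encoding of the classes the manual names;
# letters the manual does not assign a sound to are deliberately absent).
SOUND_OF = {
    "t": "uurgh-low", "d": "uurgh-low", "n": "uurgh-low",
    "b": "uurgh-high", "v": "uurgh-high",
    "a": "gnawrl-low", "e": "gnawrl-low",
}

# Inverse map: every sound class stands for several letters.
LETTERS_OF = {}
for _letter, _sound in SOUND_OF.items():
    LETTERS_OF.setdefault(_sound, []).append(_letter)


def encode(plaintext):
    """Turn a message into the sound sequence the manual describes."""
    tokens = ["gibbon-red-tailed"]          # selects the standard Latin alphabet
    for word in plaintext.lower().split():
        missing = [c for c in word if c not in SOUND_OF]
        if missing:
            raise ValueError("no sound defined for letters: " + "".join(missing))
        tokens.append("kookaburra-low-x%d" % len(word))   # one laugh per letter
        tokens.extend(SOUND_OF[c] for c in word)
    return tokens


def decode_candidates(tokens):
    """Expand a sound sequence into every plaintext it could have come from.

    Returns one list of candidate spellings per word. An elephant call
    discards everything decoded so far, as the manual specifies.
    """
    words = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "elephant":
            words = []                          # cancel previous instructions
            i += 1
        elif tok.startswith("gibbon-"):
            i += 1                              # only the Latin alphabet is modelled
        elif tok.startswith("kookaburra-low-x"):
            n = int(tok.rsplit("x", 1)[1])
            sounds = tokens[i + 1:i + 1 + n]
            if len(sounds) != n:
                raise ValueError("truncated word: expected %d sounds" % n)
            choices = [LETTERS_OF[s] for s in sounds]
            words.append(["".join(p) for p in product(*choices)])
            i += 1 + n
        else:
            raise ValueError("sound %r appears outside a word" % tok)
    return words


def ambiguity(tokens):
    """Number of distinct plaintexts consistent with the sound stream."""
    total = 1
    for candidates in decode_candidates(tokens):
        total *= len(candidates)
    return total


if __name__ == "__main__":
    stream = encode("bet ten")
    print(stream)
    print(decode_candidates(stream))
    print("plaintexts consistent with the stream:", ambiguity(stream))  # 216
```

The word-length announcement from the kookaburra and the fixed letter-to-class mapping are both visible in the stream, so a listener who has not had the training still learns word boundaries and consonant classes; as with any substitution scheme, frequency structure is not hidden, only the exact letter within each class.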

The following paragraphs shall detail the minimum security measures to be adopted when using the SleepyheadTM encryption system outside of Lateral Thinking designated areas.

Sleepyhead Security Program Manual Objective & Intent

The objective of the Sleepyhead Security Program Standards Manual is to establish minimal organizational information security standards for the Sleepyhead Controller’s Office (SCO) that specify how information assets are safeguarded. Information security standards facilitate SCO compliance with applicable state and federal government statutes, regulations, and directives (policies). These standards assist the SCO in classifying its information and technology appropriately, implementing appropriate security controls, and taking the recommended business security actions and operational measures needed to protect SCO information assets. The SCO is committed to creating and maintaining an environment that protects SCO information assets from accidental or intentional unauthorized use, modification, disclosure, destruction, or theft. Adherence to information security standards will safeguard the confidentiality, integrity, and availability of SCO information assets and will protect the interests of the SCO, its personnel and contractors, business partners, and the general public.

This manual’s intent is to create and implement an environment that:

1. Protects information and technologies critical to the SCO.

2. Protects information as mandated by state and federal statutes, regulations, and administrative requirements.

3. Protects confidential and sensitive information.

4. Reinforces SCO’s reputation as an institution deserving of trust.

5. Complies with due diligence standards for the protection of information and technologies.


6. Assigns responsibilities to relevant SCO officers, executives, managers, personnel, contractors, and business partners.

7. Protects SCO physical resources and those physical resources entrusted to the SCO.


Sleepyhead Security Program Standards Applicability & Scope

SCO Information and Information Technologies

The standards contained in this manual are applicable to all SCO information, in any form, related to SCO business activities, personnel, contractors, business partners and customers that is created, acquired, or disseminated using SCO owned or leased resources or funding. This manual is applicable to all information technologies associated with the creation, collection, processing, storage, transmission, analysis, and disposal of SCO information. This manual is applicable to all facilities, information media, information systems, infrastructure, applications, products, services, telecommunications networks, computer-controlled mail or print processing equipment, and related resources, which are sponsored by, leased or owned by, operated on behalf of, or developed for the benefit of, the SCO.

For the purposes of this manual, technologies and the information they contain are collectively known as information assets.

SCO Facilities and Physical Property

This manual’s contents are applicable to all SCO owned or leased facilities and physical property entrusted to the SCO.

The Principles of Due Care & Due Diligence

The need for the SCO to keep pace with the ever-changing statutory landscape and technology environment is essential to maintaining information security and business viability. Due care and due diligence practices must be ingrained in the SCO’s culture in order to facilitate the constant self re-evaluation and assessment necessary to validate compliance with statutory requirements and technology industry best practices, to initiate necessary changes, and to seek enhancement opportunities.

The terms “due care” and “due diligence” are used in the fields of finance, securities, and law. These terms describe the “reasonable and prudent person” rule. A prudent person takes due care to ensure that everything necessary is done to operate the business according to sound business principles and in a legal and ethical manner. A prudent person is also diligent (i.e., mindful, attentive, and ongoing) in their due care of the business. In the business world, stockholders, customers, business partners, and government regulators have the expectation that corporate officers will run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. In the public sector, constituents and political leaders hold the same expectations of government agency officers. In addition to these expectations being a motivating force for officers, Federal Sentencing Guidelines and State Statutes now make it possible to hold both private and public sector organization officers liable for failing to exercise due care and due diligence in the management of their information privacy/security practices.

The importance of demonstrating “due care” and “due diligence” cannot be overstated in government. “Due care” and “due diligence” activities are the foundation for establishing and maintaining the trust of constituents. Aligning the content of the SCO Sleepyhead Security Program Standards Manual with industry standards, and complying with statutory and administrative requirements, are themselves “due care” and “due diligence” activities.

Manual Alignment with Information Security Best Practices

The SCO Sleepyhead Security Program Standards Manual is constructed to align with the intent and spirit of the following public and private sector best practices for information security controls and management:

International Organization for Standardization and International Electrotechnical Commission (ISO/IEC®) 27002: International Standards for Information Technology – Security Techniques – Code of practice for Information Security Management

Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) Special Publications

Manual Maintenance

The SCO Sleepyhead Security Program Standards Manual reflects the framework and objectives of the SCO Sleepyhead Security Program. Standard changes or updates should be submitted to the SCO Chief Information Security Officer. Standards will be reviewed annually by the SCO Information Security Office to ensure continued relevance in assuring information security and SCO business objectives.

Information Security Standards

Roles and Responsibilities

Standards for Information Asset Users

These standards are applicable to all SCO functional organizations and personnel, including SCO employees, contractors, and vendors authorized to use SCO information assets.

For the purposes of these standards, the above entities are collectively known as Information Asset Users. This definition of “information asset user” excludes the general public whose only access is through publicly available services, such as the public websites of the SCO.

100 User Compliance: Users shall abide by California Sleepyhead Controller’s Office (SCO), State, and Federal (when applicable) policies, laws, rules, regulations, standards, and procedures pertaining to information security, confidentiality, and privacy when handling information assets owned by or entrusted to the SCO. Users shall comply with the defined business use criteria established by the owner of information for each information asset they utilize. Additionally, users shall comply with SCO standards when utilizing SCO information assets.

101 User Activity Monitoring Notice: The SCO reserves the right to monitor and filter the use of its information assets. Users shall have no expectation of privacy unless expressly granted by SCO executive management.

102 User Security Acknowledgement: Users shall annually, or when beginning employment, read, acknowledge, and sign the SCO Information Security Acknowledgement form (ISO-004).


103 User Information Security Incident Reporting: Users shall report any reportable suspected or actual information security incidents to the SCO Information Security Office, owner of information, and custodian of information. (See Operational Security Standard 317 and Appendix A: Information Security Incident Categories and Reporting Timeframes.)

104 Physical Access / ID Badges: SCO employees and contractors shall wear physical access / ID badges issued by the SCO ISO at all times when within a facility owned or leased by the SCO.

a. Physical access / ID badges shall be worn in such a manner as to be readily visible.

b. Physical access / ID badges assigned to individuals shall not be shared or loaned to another person.

c. The loss or theft of a physical access / ID badge shall be immediately reported to the applicable Division Physical Security Representative and SCO Information Security Office.

105 Prohibited Activities: Users shall not disable, remove, install with intent to bypass, or otherwise alter SCO systems, networks, or security and administrative settings or components designed to protect or administer the SCO’s information assets.

a. Users shall not download or install unapproved software on SCO information assets (e.g., PCs, IT systems, or networks).

b. Users shall not connect unapproved hardware to SCO information assets (e.g., PCs, IT systems, or networks).

(The SCO Information Systems Division maintains the approved software and hardware lists. See SCO PC Hardware and Software Standards; and Enterprise Architecture Standards.)

106 Personally Owned Equipment and Software: The use of personally owned or non-SCO equipment and software to process, access, or store SCO confidential or sensitive information is prohibited. Personally owned or non-SCO equipment and software includes, but is not limited to, personal computers and related equipment and software, Internet service providers, personal e-mail providers (e.g., Yahoo, Hotmail), personal library resources, handheld and Personal Digital Assistant (PDA) devices, cellular phones, cameras, facsimile machines, wireless systems, and photocopiers. Such personally owned equipment and software shall not be used to process, access, or store SCO confidential or sensitive information, or be connected to SCO systems or networks, without written authorization from the appropriate SCO owner and custodian of information and the SCO Chief Information Security Officer.

107 Laptop / Portable Information Storage Device Use: Users shall not store any information classified as confidential or sensitive on laptop computers or other portable information storage devices (e.g., USB/flash drives, PDAs, CD-ROMs, DVDs, tape, etc.) unless:

a. The device is owned or leased by the SCO.

b. The device is password/PIN protected.


c. The information is secured using an approved encryption technology.

d. The user is authorized to have access to the confidential or sensitive information by the applicable owner. Access to information must be for business purposes only.

108 User Authentication Credential Security: Users shall be continuously aware that all credentials (e.g., the combination of User IDs, passwords, and/or access tokens) that allow access to SCO information assets are explicitly the property of the SCO. SCO credentials are classified as confidential information and must be handled and protected as such.

Each user is responsible for protecting the credentials assigned to them and shall not share these credentials with anyone else. If credentials are compromised, lost, or stolen, the user shall immediately report this to a supervisor and to the appropriate authentication system administrator to avoid unauthorized access or misuse. Credentials may be shared with system maintainers, but the password must be changed immediately after maintenance or repair is complete.

Note: An information security best practice for protecting a password is to avoid writing passwords down or storing them electronically unless they are password protected and encrypted. Passwords should not be inserted into email messages or other forms of electronic communication without password protection and encryption. Conveying a password in a telephone call should only be done when the receiving party is positively identified. Mobile phones should not be used to convey a password. Commit passwords to memory!

109 Password Use: Users may use the same password on internal systems, network devices, or applications, but shall not use their internal password for external systems, such as for accounts on an external web site, as these web sites may not protect passwords in an acceptable manner.

110 User Password Rules: Users shall compose their own passwords. Users shall abide by the following standards when composing their password:

a. Passwords shall consist of a minimum of eight (8) characters.

b. Passwords shall consist of a combination of upper- and lower-case alphabetic characters and at least one (1) numeric or special character. The only special characters that should be utilized are @, #, or $.

Note: When composing a password, do not use dictionary words or obvious combinations of letters and numbers. Obvious combinations of letters and numbers include first names, last names, initials, pet names, user accounts spelled backwards, repeating characters, consecutive numbers, consecutive letters, and other predictable combinations and permutations.

c. Passwords shall be changed, at a maximum, every ninety (90) days.

d. Users shall not re-use any of their last six (6) passwords.
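A checker for the composition, predictability and re-use rules of standard 110, added here as a worked example; it is not an SCO tool and the manual prescribes no implementation. The dictionary stand-in, the first/last name fields and the salted-hash history format are assumptions made for the example.

```python
"""Checker for standard 110 password rules (illustrative; not an SCO tool).

The word list, the name fields and the salted-hash history format are
assumptions made for this example; the manual prescribes none of them.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8                     # 110.a
ALLOWED_SPECIAL = set("@#$")       # 110.b: the only special characters permitted
HISTORY_DEPTH = 6                  # 110.d: last six passwords may not be re-used

# Constructed stand-in for a real dictionary list.
DICTIONARY = {"password", "welcome", "summer", "jungle", "sleepyhead"}


def _is_run(s, step):
    """True when every adjacent pair in s differs by step
    (0 = repeated character, 1 = ascending run, -1 = descending run)."""
    return all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def _has_run(pw, length=3):
    """Any window of `length` characters that repeats or runs consecutively."""
    return any(
        _is_run(pw[i:i + length], step)
        for i in range(len(pw) - length + 1)
        for step in (0, 1, -1)
    )


def composition_errors(pw):
    """110.a and 110.b: length, character classes, permitted specials."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        errors.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() or c in ALLOWED_SPECIAL for c in pw):
        errors.append("needs at least one digit or one of @ # $")
    bad = sorted({c for c in pw if not (c.isalnum() or c in ALLOWED_SPECIAL)})
    if bad:
        errors.append("disallowed characters: " + "".join(bad))
    return errors


def predictability_errors(pw, user_id, first_name="", last_name=""):
    """The note under 110.b: names, user ID (also reversed), dictionary
    words, repeated and consecutive characters."""
    errors = []
    low = pw.lower()
    personal = [w.lower() for w in (user_id, first_name, last_name) if w]
    personal += [w[::-1] for w in personal]          # "user accounts spelled backwards"
    for w in personal:
        if len(w) >= 2 and w in low:
            errors.append("contains personal identifier %r" % w)
    for w in sorted(DICTIONARY):
        if w in low:
            errors.append("contains dictionary word %r" % w)
    if _has_run(low):
        errors.append("contains repeated or consecutive characters")
    return errors


def _hash(pw, salt):
    # Salted PBKDF2 so the history never holds old passwords in clear (assumed format).
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def remember(history, pw):
    """Append a salted hash of pw to history and keep only the last six."""
    salt = os.urandom(16)
    history.append((salt, _hash(pw, salt)))
    del history[:-HISTORY_DEPTH]
    return history


def reused(history, pw):
    """110.d: does pw match any retained previous password hash?"""
    return any(hmac.compare_digest(_hash(pw, salt), digest) for salt, digest in history)


def check_password(pw, user_id, history=(), first_name="", last_name=""):
    """Run every rule-110 check; returns the list of violations (empty = OK)."""
    errors = composition_errors(pw) + predictability_errors(pw, user_id, first_name, last_name)
    if reused(list(history), pw):
        errors.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return errors


if __name__ == "__main__":
    past = remember([], "Gn4wrl#Tk")
    print(check_password("Gn4wrl#Tk", "jsmith", past))   # re-use violation only
    print(check_password("Gn4wrl#Tj", "jsmith", past))   # []
```

The composition check enforces the manual as written: restricting special characters to @, # and $ leaves an alphabet of 65 symbols, so an eight-character password under this rule is weaker than one drawn from the full printable set, and the 90-day rotation in 110.c does not compensate for that. The history is kept as per-entry salted hashes so the re-use check never needs the previous passwords in clear.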


Standards for Owners of Information Assets

SCO Divisions are owners of the information assets they utilize to conduct the business of the SCO. Owners of information have the following responsibilities.

120 Owner Compliance: SCO Division management shall abide by, and ensure their staff comply with, SCO, State, and Federal (when applicable) policies, laws, rules, regulations, standards, and procedures pertaining to information security, confidentiality, and privacy when handling information assets owned by or entrusted to the SCO.

121 Information Asset Classification: SCO Divisions shall ensure the SCO information and applications for which they are responsible are appropriately classified. (Reference: Management Security Standards 200 and 201.)

122 Risk Assessment: SCO Divisions shall determine, in coordination with the SCO Information Security Office and custodian(s) of information, appropriate security controls (i.e., safeguards or countermeasures) for the information assets for which they are responsible and shall identify the resources needed to implement those controls. (Reference: Management Security Standard 202.)

123 Security Management: SCO Divisions shall ensure information security is planned for, documented, and integrated into the system life cycle (SLC) for all information technology projects that involve the processing, transport, or retention of information that is classified as confidential or sensitive, and for business critical applications and processes. (Reference: Management Security Standards 203 and 204.)

124 Owner Acceptable Use Policy: SCO Divisions shall develop information user “acceptable use” and “rules of behavior” for information assets for which they are responsible.

125 Owner Authorization Approval: SCO Divisions shall authorize access to, and use of, the information assets and facilities for which they are responsible.

126 Access Authorization Reviews: SCO Divisions shall conduct annual reviews of user accounts to validate the continued need for access to and use of the information assets for which they are responsible.

127 Access and Use Agreements: SCO Divisions shall establish and manage agreements with non-SCO state entities and non-state entities for which the division has authorized access to, or use of, an SCO information asset for which they are responsible. Agreements with non-SCO state entities and non-state entities shall, at a minimum, cover:

a. Appropriate levels of confidentiality and privacy for the information based on classification.

b. Standards for transmission and storage of the information, if applicable.

c. Agreements to comply with all divisional requirements, SCO ISPM standards, and state and federal laws regarding the security and use of the information asset.

d. The use of signed confidentiality and non-disclosure user statements.

e. Requirements for the non-SCO state entities and non-state entities to apply security patches and upgrades and to keep virus software up-to-date on all systems on which the information asset may be accessed from or used on.

f. A requirement to notify promptly the division and the SCO Information Security Office if an information security incident involving the information asset occurs.

Standards for Custodians of Information

The SCO Information Systems Division, Division IT Support staff, and any other system/network administrators are custodians of the information assets they manage for an SCO owner of information. Custodians of information have the following responsibilities.

130 Security Compliance: Custodians of information shall ensure owner of information security requirements are implemented and enforced. Custodians of information shall continuously monitor security control (i.e., safeguards or countermeasures) operations and effectiveness and immediately report any problems or deficiencies to the appropriate owner of information and the SCO Information Security Office. Custodians of information shall ensure the information security posture of the SCO network and information assets is maintained during all network or information asset maintenance, monitoring activities, installations or upgrades, and throughout day-to-day operations.

Management Security Standards

These standards specify security controls (i.e., safeguards or countermeasures) for information assets that focus on the management of information security risk and the management of the information asset.


200 Information Classification: Owners of information shall classify all information under their control. The criteria set forth in State Administrative Manual (SAM) Section 5320.5 shall be utilized to classify SCO information.

201 Critical Application Classification: For disaster recovery and business continuity planning purposes, owners of information shall determine which information technologies they utilize are critical applications. A critical application is defined as an information technology so important to the SCO’s mission and business that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information or service provided by the application would have a significant negative impact on the health and safety of the public or state workers; on the business, fiscal or legal integrity of SCO or state operations; or on the continuation of essential SCO programs.

202 Security and Privacy Assessment: For all information technology projects that involve the processing of information classified as confidential or sensitive, or result in the development of a critical application, a security assessment must be conducted by the SCO Information Security Office to determine the information security impact level of the project. As part of the assessment, the ISO will provide recommended appropriate information security controls (i.e., safeguards or countermeasures) for inclusion in the Project’s System Security Plan (SSP) to ensure security objectives (e.g., privacy, confidentiality, integrity, and availability).

203 Project System Security Plans: For all information technology projects that involve the processing of information classified as confidential or sensitive, or results in the development of a critical application, the project shall develop and document a System Security Plan (SSP). A SSP provides an overview of the security requirements, approved by the owner of information, for the information system and describes the security controls in place or planned for meeting those requirements. Updates to SSPs should occur once every three years or when significant changes occur to the system.

204 Security Certification and Accreditation: For all information technology projects that involve the processing of information classified as confidential or sensitive, or result in the development of a critical application, the SCO ISO shall conduct a security certification. A security certification is an evaluation of the security control features (i.e., safeguards or countermeasures) of a system. The ISO shall provide the appropriate owner of information with a security certification report for owner production accreditation purposes. Any significant changes occurring to a system or to its physical environment, users, etc., or deviations from SSP specifications, shall require a review of the impact on the security of the system and shall require re-accreditation. All systems will be re-accredited every three years at a minimum or when a major change occurs.

205 Security Vulnerability Scanning: All SCO web systems and applications, and servers shall undergo quarterly vulnerability scanning or when significant changes are made to the system, application, or server.

206 System Interconnectivity / Information Sharing: Written authorization from the applicable owner of information shall be obtained prior to connecting an information asset with other systems and/or sharing confidential or sensitive information.

207 System Inventory: Owners of information, supported by custodians, shall develop and maintain an inventory of all systems that process confidential or sensitive information, or are critical applications, under their control. Inventories shall be updated annually or when significant changes occur to the system. Copies of the inventory shall be made available to the SCO Information Security Office and Information Systems Division for risk and enterprise management purposes and documentation.

208 Information Security Standard Violation Disciplinary Action: The appropriate appointing authority is responsible for conducting any disciplinary or adverse actions against SCO contractors or personnel who violate SCO ISPM standards.


Operational Security Standards

These standards specify security controls (i.e., safeguards or countermeasures) for information assets that are primarily implemented and executed by people (as opposed to information technologies).

300 Pre-Employment Screening: The prior employment history for potential SCO personnel shall be carefully reviewed to ensure the individual has no privacy or security violation history (i.e., check references and consult previous supervisors). Additionally, if permissible and/or appropriate for the duties and responsibilities of the position in question, criminal and/or financial history checks should also be performed.

301 Separation of Duties: Owners and custodians of information shall ensure the principle of “separation of duties” is enforced in security control (i.e., safeguards or countermeasures) and business operations. Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple users and chains of command.

Segregation of duties in security controls ensures no single individual or organization is given too much responsibility -- no entity should be in a position to both perpetrate and conceal irregularities.

Two general categories of security control operations that must be separated are:

authorization vs. authentication administrative functions

user vs. administrator functions

302 Least Privilege: Owners and custodians of information shall ensure the principle of “least privilege” is enforced in security control (i.e., safeguards or countermeasures) and business operations. A user, process, or application shall only be allowed to access and use those information assets necessary to conduct authorized business activities.

303 Security Education and Awareness: The SCO Information Security Office (ISO) shall ensure information security is given a high priority in all current and future SCO activities and initiatives. The ISO shall provide regular and relevant information privacy and security education and awareness training to all SCO personnel by various means, which includes but is not limited to the ISO’s S.A.F.E. (Security Awareness for Employees) program. The S.A.F.E. program will consist of the following elements:

a. New SCO personnel’s initial information security presentation at new employee orientation. (This orientation should be received as soon as possible upon hiring but no later than three months after assuming duties.)


b. Electronic notices, briefings, pamphlets, and newsletter postings on the SCO Intranet (i.e., COIN) or delivered via email.

c. Information security awareness tools to enhance awareness and educate personnel on information resource privacy and security threats and the appropriate safeguards.

d. All SCO personnel shall receive annual (refresher) training in security education and awareness as part of the annual SCO Information Security Acknowledgement (ISO-004) process.

304 Personnel Separation: Upon termination or other departure of an employee or contractor, SCO Human Resources, the appropriate SCO manager/supervisor, or the contract manager shall ensure all access and privileges to SCO systems, networks, and facilities are immediately revoked. Physical access badges shall be returned to the SCO Information Security Office immediately.

305 Physical Security: All rooms, work areas/spaces, and facilities leased or owned by the SCO shall implement physical protection measures.

The SCO Information Security Office shall manage all physical protection systems implemented. Physical protection systems include, but are not limited to:

a. Card-controlled gates and doors (administered by the SCO Information Security Office’s C*CURE system).

b. Video cameras, motion detectors, and other intrusion security systems (administered by the SCO Information Security Office’s C*CURE system).

c. Equipping all doors and openings on a security perimeter with alarms as well as devices that close and lock the doors/openings automatically (administered by the SCO Information Security Office’s C*CURE system).

d. Automated alarm notification (from the Information Security Office’s C*CURE system) directly to assigned Information Security Office personnel and appropriate law enforcement agencies, or to a monitoring service who will immediately alert assigned Information Security Office personnel and appropriate law enforcement agencies.

Selection and implementation of physical security protections shall be coordinated among the SCO Information Security Office, Divisions, the Business Services Office, and applicable facility owners. (SCO Division Chiefs shall designate Physical Security Representatives to act on their behalf to plan and implement physical security protections.)

306 Physical Access Control: SCO divisions are responsible for authorizing access into the rooms, work areas/spaces, and facilities they utilize. SCO Division Chiefs shall designate Physical Security Representatives to act on their behalf to authorize physical access to employees, authorized contractors and facilities support staff by submitting a Physical Access Request form (ISO-002) to the Information Security Office. Individuals should be authorized the minimum access necessary to allow them to effectively accomplish their jobs.

a. SCO Division Physical Security Representatives shall annually review access authorizations granted.

b. SCO Division Physical Security Representatives shall immediately notify the ISO when an employee or contractor is terminated or departs, or when an employee’s job duties change, so that access authorization can be revoked or changed appropriately.

c. SCO Division Physical Security Representatives are responsible for returning access badges to the SCO Information Security Office.


307 Visitors to SCO Facilities: SCO divisions shall restrict and control visitor access at all times to rooms, work areas/spaces, and facilities under their control. The division shall maintain records that contain visitor access information.

Visitors shall be escorted and supervised by division or SCO designated employees while within SCO controlled access rooms, work areas/spaces, and facilities.

Unless authorized by the SCO division management, visitors shall not utilize any image, audio, or electronic information recording device within an SCO controlled access room, work area/space, or facility.

308 Information Protection in the Work Area: All electronic, photographic, and hard copy media (e.g., flash drives, disk drives, diskettes, external hard drives, portable devices, photos, microfiche, tapes, and paper documents) containing confidential or sensitive information shall be physically protected from unauthorized use, loss, and theft. All media containing confidential or sensitive information must be secured (e.g., kept in a locked room, drawer, cabinet, or safe) when not in use or unattended. To the extent possible, media containing confidential or sensitive information shall be turned over or shall be put out of sight when visitors or individuals not authorized access to it are present.

309 Sanitization and Disposal of Information: Owners and custodians of information shall ensure sanitization and disposal methods utilized for electronic, photographic, and hard copy media, and other information technology resources (e.g., servers, routers, bizhubs, printers, etc.) render the confidential or sensitive information contained on the media or resource un-readable and un-recoverable. Media sanitization activities shall comply with the recommendations stated in NIST Special Publication 800-88: Guidelines for Media Sanitization.

310 Information Exchange via Portable Information Storage Devices: SCO confidential or sensitive information exchanged or transferred through portable information storage devices (e.g., USB/flash drives, PDAs, CD-ROMs, DVDs, tape, etc.) shall be protected by password/PIN access control and encryption when transported outside an SCO facility.


311 Information Asset Transport / Shipping: All information assets containing confidential or sensitive information that are transported / shipped to a non-SCO entity or to a destination outside an SCO facility shall, at a minimum, be securely packaged in a double-sealed conveyance (e.g., envelope, box, container, etc.). The second seal should be appropriately marked with the “unauthorized use” notice and the classification of the information contained on the asset. The receipt and delivery of the asset shall be monitored and accounted for to ensure the asset is not lost and the information has not been compromised while in transit.

Information assets being transported / shipped for repair, replacement, or disposal shall have all SCO information sanitized from them prior to leaving an SCO facility. (Reference: Operational Security Standard 309.)

312 Workstations: All SCO workstations, laptops, and portable computing devices (e.g., PDAs), if technically feasible, shall implement an inactivity time-out mechanism (e.g., password protected screen saver) that hides the information displayed and locks use until the authorized user re-authenticates. The period of inactivity shall be a maximum of 15 minutes.

If the workstation, laptop, or portable computing device cannot technically support an inactivity time-out mechanism, users shall log off or manually lock the device before leaving it unattended.

313 Laptops and Portable Computing Devices: All SCO laptops and portable computing devices (e.g., PDAs) containing confidential or sensitive information shall have access control (e.g., userID & password protection) and a disk encryption protection mechanism. If technically feasible laptops and portable computing devices shall include firewall and malicious code safeguards.

314 Backup Data: Owners and custodians of information shall implement and enforce proper backup procedures for all system and network information based on the business needs. Backup information shall be stored a safe distance from the primary system and shall not share the same environmental conditions and disruption risks as the primary system.

315 Business Continuity Planning: The SCO Information Security Office (ISO) has primary leadership responsibility for the SCO Business Continuity and Incident Management Plans. SCO Division Chiefs shall designate Business Continuity Coordinators (BCC) to act on behalf of their divisions to collaboratively work with the Information Security Office to ensure that division critical business services and operations are sustained following a disaster or adverse event.

316 Disaster Recovery Planning: The SCO Information Systems Division (ISD) has primary leadership responsibility for the SCO Disaster Recovery Plan (DRP). The DRP identifies, prioritizes, and documents disaster recovery planning requirements and tasks necessary to recover all SCO Division identified critical systems, networks, applications, and other information technology resources. SCO Divisions shall collaboratively work with ISD to ensure that division critical information technologies and the information they contain are recovered and/or restored following a disruption of service, disaster, or adverse event.


317 Information Security Incident Reporting: Information security incidents (as defined in Appendix A: Information Security Incident Categories and Reporting Timeframes) shall be reported to the SCO Information Security Office within the incident category specified timeframe. The SCO Information Security Incident Report form (ISO-10) shall be utilized to document all reportable information security incidents.

Where immediate notification is the incident category specified timeframe, SCO personnel shall report incidents to the SCO ISO by one of the following means:

Contacting the ISO’s Help Desk

Using the ISO’s email account

Contacting a member of the ISO staff directly.

After immediate reporting, an ISO-10 shall be submitted as follow-up within two business days.

The SCO Information Security Office, after consultation with Executive Management, shall determine what, if any, outside authorities need to be contacted in regard to confirmed information security incidents in accordance with applicable State and federal laws and procedures.

Information concerning information security incidents is considered confidential. All SCO personnel and contractors contacted directly by the media should inform reporters that it is departmental procedure for all media inquiries and requests to be directed to the SCO Communications Office. All SCO personnel and contractors shall comply with the provisions of SCO Information Memorandum 07-07.

SCO personnel shall report equipment thefts to the SCO Information Security Office if the theft occurs within a SCO facility. If the theft occurs outside a facility owned or leased by the SCO, local law enforcement should be contacted first and then the SCO Information Security Office.


Technical Security Standards

These standards specify security controls (i.e., safeguards or countermeasures) for information assets that are primarily implemented and executed by the information asset custodian through mechanisms contained in the hardware, software, or firmware components of the asset.

400 Access Control: Users shall be provided access to SCO confidential or sensitive information, networks, and systems in accordance with a defined standard of access control such as:

Discretionary access control.

Mandatory access control.

Role-based access control.

The SCO default for access is role-based access control.

Access rights of users in the form of read, write, and execute shall be controlled appropriately, and the outputs of those rights shall be seen only by authorized individuals.

401 User Identification: To establish individual accountability for access and use of systems and networks, UserIDs shall be unique to each authorized production environment user.

402 User Authentication Techniques: Authentication techniques for all SCO systems and networks shall be commensurate with the authentication assurance level established by the owner of information based on risk and sensitivity of the system, network, and the information classification. (Reference: NIST Special Publication 800-63: Electronic Authentication Guideline.)

The use of password based authentication (Authentication Assurance Level 2) is the default for the SCO.

403 Password Standards: Passwords used for user authentication shall be system enforced to comply with the following criteria:

a. Passwords shall be a minimum length of eight (8) characters in a combination of case sensitive alphabetic characters and either numeric or special characters. The only special characters that should be utilized are @, #, and $.

b. Password changes for standard and privileged users shall be systematically enforced where possible.

c. Passwords shall be changed every ninety (90) days, at a maximum, for standard user accounts to reduce the risk of compromise through guessing, password cracking, or other attack & penetration methods.


d. Passwords shall be changed every sixty (60) days, at a maximum, for privileged user accounts to reduce the risk of compromise through guessing, password cracking, or other attack and penetration methods.

e. Users shall be prohibited from changing their passwords for at least fifteen (15) days after a recent change. In other words, the minimum password age shall be fifteen (15) days from the most recent password change.

f. Privileged users shall be able to override the minimum password age limit for users when necessary to perform required job functions.

g. The authentication system shall routinely prompt users to change their passwords within five to fourteen (5-14) days before such password expires.

h. Passwords shall be systematically disabled after a period of inactivity determined by business requirements or ninety (90) days to reduce the risk of compromise through guessing, password cracking, or other attack and penetration methods.

i. Users shall be prohibited from using, at a minimum, their last six (6) passwords to deter reuse of the same password.

j. A user account lockout feature shall disable the user account after five (5) unsuccessful consecutive login attempts. Account lockout duration shall be permanent until an authorized authentication system administrator reinstates the user account.

k. Clear-text representation of passwords shall be suppressed (blotted out) when entered at the login screen.
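As an added illustration that is not part of the manual or of any SCO system, the following Python models criteria (a) through (j) of Standard 403 as the state of one account: composition checks, the 15-day minimum age with the privileged override, the six-password history, the 90/60-day maximum age with an expiry prompt, the 90-day inactivity disable, and the five-failure lockout. Assumptions made here: “case sensitive alphabetic characters” is read as requiring both upper- and lower-case letters, the history is stored as salted PBKDF2 digests (the manual prescribes no storage format), prompting starts 14 days before expiry (the top of the 5-14 day window), and the account, dates and passwords in the scenario are constructed.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8                        # (a)
ALLOWED_SPECIAL = set("@#$")          # (a) only @, # and $ are permitted
HISTORY_DEPTH = 6                     # (i) the last six passwords may not be reused
MIN_AGE_DAYS = 15                     # (e) minimum password age
MAX_AGE_DAYS = {False: 90, True: 60}  # (c)/(d) keyed by Account.privileged
PROMPT_DAYS = 14                      # (g) prompting starts 14 days before expiry
INACTIVITY_DAYS = 90                  # (h) disable after 90 days without a login
LOCKOUT_THRESHOLD = 5                 # (j) consecutive failures before lockout

def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 is this example's choice; the manual prescribes no storage format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    privileged: bool = False
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    last_changed: date = None
    last_login: date = None
    failed_attempts: int = 0
    locked: bool = False

def composition_errors(password: str) -> list:
    """Criterion (a): length and character-class rules."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    # "case sensitive alphabetic characters" is read here as both upper and lower case
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        errors.append("needs both upper- and lower-case letters")
    specials = {c for c in password if not c.isalnum()}
    if not any(c.isdigit() for c in password) and not specials:
        errors.append("needs a numeric or special character")
    if specials - ALLOWED_SPECIAL:
        errors.append("special characters limited to @, # and $")
    return errors

def change_errors(account, new_password, today, admin_override=False) -> list:
    """Every reason a change would be refused: (a), (e)/(f) and (i)."""
    errors = composition_errors(new_password)
    if (account.last_changed and not admin_override     # (f) privileged override
            and (today - account.last_changed).days < MIN_AGE_DAYS):
        errors.append(f"changed less than {MIN_AGE_DAYS} days ago")
    if any(_digest(new_password, s) == d for s, d in account.history[-HISTORY_DEPTH:]):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return errors

def change_password(account, new_password, today, admin_override=False) -> list:
    errors = change_errors(account, new_password, today, admin_override)
    if not errors:                    # apply only when every criterion is satisfied
        salt = os.urandom(16)
        account.history.append((salt, _digest(new_password, salt)))
        del account.history[:-HISTORY_DEPTH]  # keep only the six most recent
        account.last_changed = today
    return errors

def password_status(account, today) -> str:
    """Decision at login time: (c), (d), (g), (h) and (j)."""
    if account.locked:
        return "locked"
    if account.last_login and (today - account.last_login).days > INACTIVITY_DAYS:
        return "disabled-inactive"
    remaining = MAX_AGE_DAYS[account.privileged] - (today - account.last_changed).days
    return "expired" if remaining < 0 else "prompt-change" if remaining <= PROMPT_DAYS else "ok"

def record_login_attempt(account, success, today) -> str:
    """(j): five consecutive failures lock the account until an administrator resets it."""
    if account.locked:
        return "locked"
    if success:
        account.failed_attempts, account.last_login = 0, today
        return "ok"
    account.failed_attempts += 1
    account.locked = account.failed_attempts >= LOCKOUT_THRESHOLD
    return "locked" if account.locked else "failed"

def run_scenario() -> dict:
    """Constructed walk-through for a privileged account; returns each decision."""
    d0, acct = date(2008, 6, 2), Account(privileged=True)
    out = {"first": change_password(acct, "Spring@08", d0)}
    out["same_day"] = change_errors(acct, "Summer#08", d0)
    out["override"] = change_errors(acct, "Summer#08", d0, admin_override=True)
    out["reuse"] = change_errors(acct, "Spring@08", d0 + timedelta(days=20))
    day = d0
    for i in range(HISTORY_DEPTH):  # six rotations, 16 days apart
        day += timedelta(days=16)
        change_password(acct, f"Rotate${i}", day)
    out["reuse_after_six"] = change_errors(acct, "Spring@08", day + timedelta(days=16))
    out["day_50"] = password_status(acct, day + timedelta(days=50))
    out["day_61"] = password_status(acct, day + timedelta(days=61))
    for _ in range(LOCKOUT_THRESHOLD - 1): record_login_attempt(acct, False, day)
    out["success_resets"] = record_login_attempt(acct, True, day)
    out["inactive"] = password_status(acct, day + timedelta(days=91))
    for _ in range(LOCKOUT_THRESHOLD): out["fifth_failure"] = record_login_attempt(acct, False, day)
    out["while_locked"] = password_status(acct, day)
    return out
```

Running `run_scenario()` walks one privileged account through a first change, a same-day retry, the history window rolling past the original password, the 60-day expiry, the inactivity disable, and the lockout.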

404 Automatic Session Timeout: Where technically feasible, all SCO applications shall establish and implement limits on the time a session is allowed to remain idle before it is automatically timed out and terminated. The default time-out length is fifteen (15) minutes, but can be configured to meet business needs.

405 Use Warning Banner: All SCO systems and networks shall display the following log-on warning banner at all system access points:

"This is a State of California, Office of the State Controller computer system, which may be accessed and used only for official Government business by authorized personnel.  Unauthorized access or use of the computer system may subject violators to criminal, civil, and/or administrative action.  All information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations.  Access or use of this computer system by any person whether authorized or unauthorized constitutes consent to these terms."

406 Audit Trails: Based on business requirements, SCO systems and networks shall generate audit logs that show, at a minimum, addition, modification, and/or deletion of confidential or sensitive information.


Audit trails shall establish accountability for activities conducted by users or systems. Audit logs must be protected from unauthorized modification, access, or destruction. Audit trail retention shall be based on business and legal requirements.

407 Secure Communications: An end-to-end encrypted tunnel shall protect SCO confidential or sensitive information communicated through public or shared networks not under the direct control of the SCO. The encryption methodology utilized shall comply with SCO Technical Security Standard 409: Encryption Standard.

408 Secure Storage: SCO confidential or sensitive information shall be encrypted while at rest (stored) within a DMZ or when directly accessible from a public or shared network not under the direct control of the SCO. The encryption methodology utilized shall comply with SCO Technical Security Standard 409: Encryption Standard.

409 Encryption Standard: Encryption technologies utilized by the SCO shall comply with Federal Information Processing Standards (FIPS) and National Institute for Standards and Technology (NIST) guidelines. At a minimum, encryption algorithms shall be at least 128-bit.

410 Network Boundary Security: Interfaces between SCO systems and networks and public or shared networks not under the direct control of the SCO shall be protected utilizing the following controls:

a. Port based restrictions on traffic flow.

b. Physical and/or logical segregation by the use of a DMZ (De-Militarized Zone) or Virtual Local Area Network (V-LAN) architecture configuration.

c. Network Address Translation (NAT). (If technically feasible the use of Port Address Translation (PAT) is recommended.)

411 Firewall Standard: All incoming and outgoing connections from SCO systems and networks to public or shared networks not under the direct control of the SCO shall be made through a packet filtering firewall.

412 Controlled Pathways (Gateways): All incoming and outgoing TCP/IP SCO network Application Layer communications shall be conducted via centrally designated gateways.

413 Malicious Code Protection: Malicious code protection software shall be installed, maintained, and utilized on all SCO systems and network components (where technically feasible).

414 Remote Access: Remote user access to SCO network internal systems shall be protected, at a minimum, in the following manner:

a. User systems connecting remotely to SCO network internal systems shall be managed (owned or leased) by the SCO.


b. User systems connecting remotely to SCO network internal systems must have antivirus software installed.

c. User systems connecting remotely to SCO network internal systems shall have the latest operating system and application patches installed.

d. Access to user or internal system diagnostic ports (especially dial-up diagnostic ports) shall be securely controlled and enabled only when needed for authorized diagnostic access.

e. All SCO users and user systems establishing a remote connection to a SCO network internal system shall be authenticated.

f. Inbound and outbound network traffic shall be controlled and limited to only that necessary to accomplish the business need.

g. Inbound and outbound traffic shall be encrypted.

h. Split-tunneling or dual homing shall be prohibited.

415 Product Assurance (System Hardening): All SCO information technologies shall be configured to meet business needs and reduce information security risk. At a minimum, all unnecessary software, services, ports, and drivers shall be disabled, removed, or closed; and default account credentials shall be changed. Additionally, based on business or security requirements, file protections and audit logging shall be enabled.

416 Patch Management: Manufacturer/vendor security patches shall be applied to all SCO systems and networks in a manner that ensures maximum protection against security vulnerabilities and minimum impact on SCO business operations. Custodians of information are responsible for implementing a patch management procedure that contains a systematic process of identifying, prioritizing, acquiring, implementing, testing, and validating security patches necessary for each system or network. A risk-based decision must be documented if security patches are not applied to a system or network.

417 System-to-System Interconnection (Node Authentication): Where non-SCO systems or applications connect to a SCO system or application, or where SCO systems or applications connect to SCO systems or applications via public or shared networks not under the direct control of the SCO, node authentication is required.

418 Wireless Local Area Network Security Standard: Wireless local area network (LAN) technology shall only be deployed if it is not technically or physically feasible to deploy a wired LAN architecture. (Reference: NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks.)

a. Wireless LANs shall be segregated from SCO networks and systems via a firewall.

b. Wireless LAN access points (AP) shall be physically secured.


c. The Wireless LAN Service Set Identifier (SSID) shall be changed from the default value. The SSID shall not contain characters that indicate the location of the wireless LAN (WLAN) access point, the name of the SCO, or any other identifying name. The SSID broadcast function shall be disabled, except where technology does not permit.

d. All access points shall require a password to access their administrative features. This password shall be stored and transmitted in an encrypted format.

e. The ad hoc mode for IEEE 802.11, also referred to as peer-to-peer mode or Independent Basic Service Set (IBSS), shall be disabled.

f. Wireless LAN communications shall be encrypted. At a minimum, 802.11i (WPA2) compliant Advanced Encryption Standard (AES) 128 bit encryption shall be utilized.


Privacy Standards

These standards outline the requirements of the SCO pertaining to the collection, maintenance, and dissemination of personally identifiable information.

500 Privacy Standards

a. Personal information may only be obtained through lawful means.

b. Subjects providing personal information must be informed of the title, business address, telephone number, and electronic mail address, if applicable, of the SCO official responsible for record requests.

c. All personal information may be collected only after specifying at or prior to the time of collection the purposes for which the information is to be used. Any subsequent use of the information shall be limited to, and consistent with, the fulfillment of those purposes previously specified.

d. Any personal information collected or maintained by the SCO may not be disclosed, made available or otherwise used for a purpose other than those specified, except with the written consent of the subject of the information, or as required by law or regulation. Written consent must be obtained not more than 30 days before the anticipated disclosure or in the time limit agreed to in the written consent. To this end, the subject of personal information should always be notified that the SCO might use their private information to contact them for the purposes of receiving their written consent.

e. Personal information shall only be collected for purposes that are relevant to which it is needed.

f. To the greatest extent practicable, personal information shall be obtained directly from the individual who is the subject of the information rather than from another source.

g. The general means by which personal information is protected against loss, unauthorized access, use, modification, or disclosure shall be posted, unless the disclosure of the general means would compromise legitimate SCO security objectives or law enforcement purposes.

REMINDER: All hardcopy and electronic documentation regarding SCO production systems and information related to the implementation and configuration of information security controls and safeguards, and vulnerability information (including security incident information), is classified as “confidential”, and should not be disclosed.

h. Subjects providing personal information should be reminded that any information they submit may become a public record once submitted, and it may be subjected to public inspection and copying if not otherwise protected by federal or state law.


i. Personal information shall never be distributed or sold to any third party without the permission of the subject providing such information except as prescribed by law.

j. Access to personal information by individuals or systems must be limited to those customers, business partners, contractors, or entities specifically authorized by the Division Chief or their designated Information Security Coordinator to access that information in accordance with all relevant statutes and requirements.

Additional special privacy protections for minors:

k. Personal information shall never be requested from or accepted from a minor without the written consent of a parent or guardian.

l. Minors (people under the age of 18) are not eligible to use any SCO service that requires the submission of private information without their parent’s or guardian’s consent.

m. Personal information pertaining to minors will never be provided to third parties.

n. Minors should be advised to seek the consent of their parents or guardians for guidance on this matter.


Glossary of Terms

– A –

Accreditation: Accreditation is the official management decision given by a Division Chief to authorize operation of an information system and to explicitly accept the risk to SCO operations (including mission, functions, image, or reputation), information assets, or individuals, based on the implementation of an agreed upon set of security controls.

– B –

Backup: A process by which information is copied in some form so as to be available and used if the original information from which it originated is lost, destroyed, or corrupted.

Business Continuity Plan (BCP): A plan that documents arrangements and procedures to enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical business functions after an interruption.

– C –

Confidential Information: Information maintained by the SCO that is exempt from disclosure under the provisions of the California Public Records Act (Government Code Sections 6250-6265) or other applicable state or federal laws. See SAM Section 5320.5.

Critical Application: An application so important to the SCO that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of the public or state workers; on the fiscal or legal integrity of SCO and/or state operations; or on the continuation of essential SCO programs.

Custodian of Information: An employee or organizational unit (such as the SCO’s Information Systems Division and the Department of Technology Services) acting as a caretaker of an automated file or data base.

– D –

Disaster Recovery Plan (DRP): The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort.

– H –

Hardening: A defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls.

– I –

Information Assets: (1) All categories of hard copy and automated information, including (but not limited to) documents, images, records, files, and data bases; and (2) information technology facilities, equipment (including personal computer systems), and software owned or leased by the SCO.

– N –

Non-State Entity: A business, organization, or individual that is not a State entity, but requires access to SCO information assets in conducting business with the SCO. (This definition includes, but is not limited to, contractors, researchers, vendors, consultants, and their employees and entities associated with federal and local government and other states.)


– O –Owner of Information: The SCO Division that prepares, collects, or utilizes an information asset to conduct the business of the SCO.

– R –Risk Assessment: The process of identifying the vulnerabilities and threats to an organization by assessing the critical functions necessary for an organization to continue business operations, and defining the controls in place to reduce organization exposure and evaluating the cost for such controls.

– S –

Sensitive Information: Information maintained by the SCO that requires special precautions to protect it from unauthorized modification or deletion. See SAM Section 5320.5.


Appendix A: Information Security Incident Categories and Reporting Timeframes

Each entry below gives the Category and Name, followed by its Description and its Reporting Timeframe Criteria.

CAT 1 – Unauthorized Disclosure of Confidential or Sensitive Information
Description: An unauthorized deliberate or inadvertent disclosure of information classified as “confidential or sensitive.”
Reporting Timeframe Criteria: Immediately upon discovery / detection.

CAT 2 – Unauthorized Information Resource Access
Description: A person gains logical and / or physical access without permission to an SCO network, system, application, or other information resource.
Reporting Timeframe Criteria: Immediately upon discovery / detection.

CAT 3 – Denial of Service
Description: An attack that prevents or impairs the authorized use of SCO networks, systems, or applications by exhausting resources.
Reporting Timeframe Criteria: Within one hour of discovery / detection if the successful attack is still ongoing and the SCO or DTS (Department of Technology Services) is unable to successfully mitigate the activity.

CAT 4 – Malicious Code
Description: A virus, worm, Trojan horse, or other code-based malicious entity that infects a host.
Reporting Timeframe Criteria: Immediately upon discovery / detection if the attack leads to a CAT 1, 2, or 3 incident; or within one hour if the attack is ongoing and spreading throughout the SCO enterprise and the SCO or DTS (Department of Technology Services) is unable to successfully mitigate the activity.

CAT 5 – Unauthorized Access to an SCO Facility or Work Area
Description: A person who is not authorized by the appropriate division enters a secure work area or facility.
Reporting Timeframe Criteria: Immediately upon discovery / detection.

CAT 6 – Theft or Loss of an SCO Information Resource
Description: The theft or loss of an SCO information resource (e.g., PC, laptop, PDA, server, microfiche, CD-ROM, USB drive).
Reporting Timeframe Criteria: Immediately upon discovery / detection if the loss leads to a CAT 1 or 2 incident; otherwise within one day of discovery / detection.

CAT 7 – Violation of an SCO Sleepyhead Security Program Standard
Description: A person violates any SCO Sleepyhead Security Program Standard without having been granted an exception by an authorized entity.
Reporting Timeframe Criteria: Immediately upon discovery / detection if the violation leads to a CAT 1, 2, or 3 incident; otherwise within one day of discovery / detection.

CAT 8 – Inappropriate Usage
Description: A person violates SCO and / or SCO Divisional acceptable information and / or information resource use policies.
Reporting Timeframe Criteria: Immediately upon discovery / detection if the violation leads to a CAT 1, 2, or 3 incident; otherwise within one day of discovery / detection.

CAT 9 – Probes and Reconnaissance Scans
Description: Any activity that seeks to access or identify an SCO information resource, open ports, protocols, services, or any combination of these for later exploitation. This activity does not directly result in a compromise or denial of service.
Reporting Timeframe Criteria: Monthly; if the information resource stores confidential information or is classified as business critical, report within one hour of discovery.

CAT 10 – Investigation
Description: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
Reporting Timeframe Criteria: Not Applicable; this category is for SCO use to categorize a potential incident that is currently being investigated.
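The Appendix A criteria encoded as a triage function that a ticketing or SOC workflow could call to compute the reporting deadline. This is an added example, not the manual's or the SCO's own tooling; the incident attributes it models (leads_to, ongoing, mitigated, spreading, confidential_or_critical) are assumed, and a contained CAT 3 or CAT 4, for which Appendix A states no timeframe, is routed to manual review by assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

# Reporting timeframe criteria as worded in Appendix A.
IMMEDIATE = "Immediately upon discovery / detection"
ONE_HOUR = "Within one hour of discovery / detection"
ONE_DAY = "Within one day of discovery / detection"
MONTHLY = "Monthly"
NOT_APPLICABLE = "Not Applicable"
# Appendix A gives no timeframe for a CAT 3 or CAT 4 that has been contained;
# routing such cases to an analyst is this example's assumption, not a rule.
MANUAL_REVIEW = "Manual review (no criterion in Appendix A)"

CLOCK_WINDOWS = {IMMEDIATE: timedelta(0), ONE_HOUR: timedelta(hours=1),
                 ONE_DAY: timedelta(days=1)}

@dataclass(frozen=True)
class Incident:                              # attribute names are assumed
    category: int                            # CAT 1 .. CAT 10
    leads_to: FrozenSet[int] = frozenset()   # categories this incident caused
    ongoing: bool = False                    # CAT 3/4: attack still in progress
    mitigated: bool = True                   # CAT 3/4: SCO or DTS contained it
    spreading: bool = False                  # CAT 4: spreading across the enterprise
    confidential_or_critical: bool = False   # CAT 9: confidential data or business critical

def reporting_timeframe(inc: Incident) -> str:
    # Return the Appendix A criterion that applies, escalating on secondary impact.
    cat, led = inc.category, inc.leads_to
    if cat in (1, 2, 5):
        return IMMEDIATE
    if cat == 3:
        return ONE_HOUR if inc.ongoing and not inc.mitigated else MANUAL_REVIEW
    if cat == 4:
        if led & {1, 2, 3}:
            return IMMEDIATE
        if inc.ongoing and inc.spreading and not inc.mitigated:
            return ONE_HOUR
        return MANUAL_REVIEW
    if cat == 6:
        return IMMEDIATE if led & {1, 2} else ONE_DAY
    if cat in (7, 8):
        return IMMEDIATE if led & {1, 2, 3} else ONE_DAY
    if cat == 9:
        return ONE_HOUR if inc.confidential_or_critical else MONTHLY
    if cat == 10:
        return NOT_APPLICABLE
    raise ValueError(f"unknown category CAT {cat}")

def reporting_deadline(inc: Incident, detected_at: datetime) -> Optional[datetime]:
    # Absolute deadline for clock-based criteria; None for Monthly, N/A or review.
    window = CLOCK_WINDOWS.get(reporting_timeframe(inc))
    return None if window is None else detected_at + window
```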