© California State Controller’s Office, Information Security Office 2008

California State Controller’s Office

Information Security Program Standards Manual v1.0 2008

Table of Contents

Introduction

Background

Information Security Program Manual Objective & Intent

Information Security Program Standards Applicability & Scope

SCO Information and Information Technologies

SCO Facilities and Physical Property

The Principles of Due Care & Due Diligence

Manual Alignment with Information Security Best Practices

Manual Maintenance

Information Security Standards

Roles and Responsibilities

Standards for Information Asset Users

100 User Compliance

101 User Activity Monitoring Notice

102 User Security Acknowledgement

103 User Information Security Incident Reporting

104 Physical Access / ID Badges

105 Prohibited Activities

106 Personally Owned Equipment and Software

107 Laptop / Portable Information Storage Device Use

108 User Authentication Credential Security

109 Password Use

110 User Password Rules

Standards for Owners of Information Assets

120 Owner Compliance

121 Information Asset Classification

122 Risk Assessment

123 Security Management

124 Owner Acceptable Use Policy

125 Owner Authorization Approval

126 Access Authorization Reviews

127 Access and Use Agreements

Standards for Custodians of Information

130 Security Compliance

Management Security Standards

200 Information Classification

201 Critical Application Classification

202 Security and Privacy Assessment

203 Project System Security Plans

204 Security Certification and Accreditation

205 Security Vulnerability Scanning

206 System Interconnectivity / Information Sharing

207 System Inventory

208 Information Security Standard Violation Disciplinary Action

Operational Security Standards

300 Pre-Employment Screening

301 Separation of Duties

302 Least Privilege

303 Security Education and Awareness

304 Personnel Separation

305 Physical Security

306 Physical Access Control

307 Visitors to SCO Facilities

308 Information Protection in the Work Area

309 Sanitization and Disposal of Information

310 Information Exchange via Portable Information Storage Devices

311 Information Asset Transport / Shipping

312 Workstations

313 Laptops and Portable Computing Devices

314 Backup Data

315 Business Continuity Planning

316 Disaster Recovery Planning

317 Information Security Incident Reporting

Technical Security Standards

400 Access Control

401 User Identification

402 User Authentication Techniques

403 Password Standards

404 Automatic Session Timeout

405 Use Warning Banner

406 Audit Trails

407 Secure Communications

408 Secure Storage

409 Encryption Standard

410 Network Boundary Security

411 Firewall Standard

412 Controlled Pathways (Gateways)

413 Malicious Code Protection

414 Remote Access

415 Product Assurance (System Hardening)

416 Patch Management

417 System-to-System Interconnection (Node Authentication)

418 Wireless Local Area Network Security Standard

Privacy Standards

500 Privacy Standards

Glossary of Terms

Appendix A: Information Security Incident Categories and Reporting Timeframes

Introduction

Background

The State Controller is the Chief Fiscal Officer of California, the eighth largest economy in the world. As the state’s independent fiscal watchdog, the Controller provides sound fiscal control over more than $100 billion in annual receipts and disbursements of public funds. The Controller uses audit authority to uncover fraud and abuse of taxpayer dollars and provides fiscal guidance to local governments. The Controller helps administer $400 billion in state pension funds. Among many other duties, the Controller serves on 76 state boards and commissions, with responsibilities ranging from protecting the California coastline to helping build new hospitals. In support of these responsibilities, the Controller’s Office administers numerous programs that handle information and physical property, which must be protected.

Information Security Program Manual Objective & Intent

The Information Security Program Standards Manual’s objective is to establish minimal organizational information security standards for the State Controller’s Office (SCO) that specify how information assets are safeguarded. Information security standards facilitate SCO compliance with applicable state and federal government statutes, regulations, and directives (policies). These standards assist the SCO in appropriately classifying information and its technology, implementing appropriate security controls, and taking the recommended business security actions and operational measures to protect SCO information assets. The SCO is committed to creating and maintaining an environment that protects SCO information assets from accidental or intentional unauthorized use, modification, disclosure, destruction, or theft. Adherence to information security standards will safeguard the confidentiality, integrity, and availability of SCO information assets and will protect the interests of the SCO, its personnel and contractors, business partners, and the general public.

This manual’s intent is to create and implement an environment that:

  1. Protects information and technologies critical to the SCO.
  2. Protects information as mandated by state and federal statutes, regulations, and administrative requirements.
  3. Protects confidential and sensitive information.
  4. Reinforces SCO’s reputation as an institution deserving of trust.
  5. Complies with due diligence standards for the protection of information and technologies.
  6. Assigns responsibilities to relevant SCO officers, executives, managers, personnel, contractors, and business partners.
  7. Protects SCO physical resources and those physical resources entrusted to the SCO.

Information Security Program Standards Applicability & Scope

SCO Information and Information Technologies

The standards contained in this manual are applicable to all SCO information, in any form, related to SCO business activities, personnel, contractors, business partners and customers that are created, acquired, or disseminated using SCO owned or leased resources or funding. This manual is applicable to all information technologies associated with the creation, collection, processing, storage, transmission, analysis, and disposal of SCO information. This manual is applicable to all facilities, information media, information systems, infrastructure, applications, products, services, telecommunications networks, computer-controlled mail or print processing equipment, and related resources, which are sponsored by, leased or owned by, operated on behalf of, or developed for the benefit of, the SCO.

For the purposes of this manual, technologies and the information they contain are collectively known as information assets.

SCO Facilities and Physical Property

This manual’s contents are applicable to all SCO owned or leased facilities and physical property entrusted to the SCO.

The Principles of Due Care & Due Diligence

The need for the SCO to keep pace with the ever-changing statutory landscape and technology environment is essential to maintaining information security and business viability. Due care and due diligence practices must be ingrained into the SCO’s culture in order to facilitate the constant self-re-evaluation and assessment necessary to validate compliance with statutes and technology industry best practices, to initiate necessary changes, and to seek enhancement opportunities.

The terms “due care” and “due diligence” are used in the fields of finance, securities, and law. These terms describe the “reasonable and prudent person” rule. A prudent person takes due care to ensure that everything necessary is done to operate the business by sound business principles and in a legal and ethical manner. A prudent person is also diligent (i.e., mindful, attentive, and ongoing) in their due care of the business. In the business world, stockholders, customers, business partners, and government regulators have the expectation that corporate officers will run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. In the public sector, constituents and political leaders hold the same expectations of government agency officers. In addition to these expectations being a motivating force for officers, Federal Sentencing Guidelines and State Statutes now make it possible to hold both private and public sector organization officers liable for failing to exercise due care and due diligence in the management of their information privacy/security practices.

The importance of demonstrating “due care” and “due diligence” cannot be expressed enough in government. “Due care” and “due diligence” activities are the foundation for establishing and maintaining the trust of constituents. Ensuring that the SCO Information Security Program Standards Manual’s content aligns with industry standards and complies with statutory and administrative requirements is itself a “due care” and “due diligence” activity.

Manual Alignment with Information Security Best Practices

The SCO Information Security Program Standards Manual is constructed to align with the intent and spirit of the following information security public and private sector best practices for information security controls and management:

  • International Organization for Standardization and International Electrotechnical Commission (ISO/IEC®) 27002: International Standards for Information Technology – Security Techniques – Code of practice for Information Security Management
  • Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) Special Publications

Manual Maintenance

The SCO Information Security Program Standards Manual reflects the framework and objectives of the SCO Information Security Program. Standard changes or updates should be submitted to the SCO Chief Information Security Officer. Standards will be reviewed annually by the SCO Information Security Office to ensure continued relevance in assuring information security and SCO business objectives.

Information Security Standards

Roles and Responsibilities

Standards for Information Asset Users

These standards are applicable to all SCO functional organizations and personnel, including SCO employees, contractors, and vendors authorized to use SCO information assets.

For the purposes of these standards, the above entities are collectively known as Information Asset Users. This definition of “information asset user” excludes the general public whose only access is through publicly available services, such as the public websites of the SCO.

100 User Compliance: Users shall abide by California State Controller’s Office (SCO), State, and Federal (when applicable) policies, laws, rules, regulations, standards, and procedures pertaining to information security, confidentiality, and privacy when handling information assets owned by or entrusted to the SCO. Users shall comply with defined business use criteria established by the owner of information for each information asset they utilize. Additionally, users shall comply with SCO Administrative Policy Section 3.300-Incompatible Activities and the Internet/E-mail Policy when utilizing SCO information assets.

101 User Activity Monitoring Notice: As stated in the SCO Internet/E-mail Policy, the SCO reserves the right to monitor and filter the use of its information assets. Users shall have no expectation of privacy unless expressly granted by SCO executive management.

102 User Security Acknowledgement: Users shall annually, or when beginning employment, read, acknowledge, and sign the SCO Information Security Acknowledgement form (ISO-004).

103 User Information Security Incident Reporting: Users shall report any reportable suspected or actual information security incidents to the SCO Information Security Office, owner of information, and custodian of information. (See Operational Security Standard 317 and Appendix A: Information Security Incident Categories and Reporting Timeframes.)

104 Physical Access / ID Badges: SCO employees and contractors shall wear physical access / ID badges issued by the SCO ISO at all times when within a facility owned or leased by the SCO.

  1. Physical access / ID badges shall be worn in such a manner as to be readily visible.
  2. Physical access / ID badges assigned to individuals shall not be shared or loaned to another person.
  3. The loss or theft of a physical access / ID badge shall be immediately reported to the applicable Division Physical Security Representative and the SCO Information Security Office.

105 Prohibited Activities: Users shall not disable, remove, install with intent to bypass, or otherwise alter SCO systems, networks, or security and administrative settings or components designed to protect or administer the SCO’s information assets.

  a. Users shall not download or install unapproved software on SCO information assets (e.g., PCs, IT systems, or networks).
  b. Users shall not connect unapproved hardware to SCO information assets (e.g., PCs, IT systems, or networks).

(The SCO Information Systems Division maintains the approved software and hardware lists. See SCO PC Hardware and Software Standards; and Enterprise Architecture Standards.)

106 Personally Owned Equipment and Software: The use of personally owned or non-SCO equipment and software to process, access, or store SCO confidential or sensitive information is prohibited. Personally owned or non-SCO equipment and software includes, but is not limited to, personal computers and related equipment and software, Internet service providers, personal e-mail providers (e.g., Yahoo, Hotmail), personal library resources, handheld and Personal Digital Assistant (PDA) devices, cellular phones, cameras, facsimile machines, wireless systems, and photocopiers. Such personally owned equipment and software shall not be used to process, access, or store SCO confidential or sensitive information, or be connected to SCO systems or networks, without the written authorization from the appropriate SCO owner and custodian of information and the SCO Chief Information Security Officer.

107 Laptop / Portable Information Storage Device Use: Users shall not store any information classified as confidential or sensitive on laptop computers or other portable information storage devices (e.g., USB/Flash Drives, PDAs, CD-ROMs, DVDs, Tape, etc.) unless:

  1. The device is owned or leased by the SCO.
  2. The device is password/PIN protected.
  3. The information is secured using an approved encryption technology.
  4. The user is authorized to have access to the confidential or sensitive information by the applicable owner. Access to information must be for business purposes only.

108 User Authentication Credential Security: Users shall be continuously aware that all credentials (e.g., the combination of User IDs, passwords, and/or access tokens) that allow access to SCO information assets are explicitly the property of the SCO. SCO credentials are classified as confidential information and must be handled and protected as such.

Each user is responsible for protecting the credentials assigned to them and shall not share these credentials with anyone else. If credentials are compromised, lost, or stolen, the user shall immediately report this to a supervisor and to the appropriate authentication system administrator to avoid unauthorized access or misuse. Credentials may be shared with system maintainers but the password must be immediately changed after maintenance or repair is complete.

Note: An information security best practice for protecting a password is to avoid writing passwords down or storing them electronically unless they are password protected and encrypted. Passwords should not be inserted into e-mail messages or other forms of electronic communication without password protection and encryption of the information. Conveying a password in a telephone call should only be done when the receiving party is positively identified. No mobile phones should be utilized to convey a password. Commit passwords to memory!

109 Password Use: Users may use the same password on internal systems, network devices, or applications, but shall not use their internal password for external systems, such as for accounts on an external web site, as these web sites may not protect passwords in an acceptable manner.

110 User Password Rules: Users shall compose their own passwords. Users shall abide by the following standards when composing their password:

  1. Passwords shall consist of a minimum of eight (8) characters.
  2. Passwords shall consist of a combination of case-sensitive alphabetic characters and either one (1) numeric character or one (1) special character. The only special characters that should be utilized are @, #, or $.

Note: When composing a password, do not use dictionary words or obvious combinations of letters and numbers in passwords. Obvious combinations of letters and numbers include first names, last names, initials, pet names, user accounts spelled backwards, repeating characters, consecutive numbers, consecutive letters, and other predictable combinations and permutations.

  3. Passwords shall be changed, at a maximum, every ninety (90) days.
  4. Users shall not re-use their last six (6) passwords.
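As an added example (not part of the manual or of any SCO system), the following Python check enforces the Standard 110 composition, obvious-pattern, age, and reuse rules as one would implement them in a password-change service. It assumes that “case sensitive alphabetic characters” means both upper- and lower-case letters are required, uses a constructed four-word stand-in for a real dictionary list, and keeps the six-password history as salted PBKDF2 digests rather than plaintext.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8      # Standard 110, rule 1
MAX_AGE_DAYS = 90   # rule 3
HISTORY_DEPTH = 6   # rule 4; the allowed special characters (@ # $) are in the regexes below

# Constructed stand-in for a dictionary-word list; a real deployment loads a full
# word list plus the user's own name fields (see the Note under rule 2).
BANNED_WORDS = {"password", "welcome", "controller", "sacramento"}


def _has_run(s, length=3):
    """True if s has `length` adjacent characters that repeat or step by +1/-1."""
    s = s.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {0}:                               # repeating characters
            return True
        if steps in ({1}, {-1}) and chunk.isalnum():   # consecutive letters/numbers
            return True
    return False


def hash_password(password, salt=b""):
    """Salted PBKDF2 digest so the password history never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_password(password, user_id, history):
    """Return the Standard 110 rules a candidate violates (empty list = acceptable).
    history: (salt, digest) pairs from hash_password, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"[0-9@#$]", password):
        problems.append("needs a numeric character or one of @ # $")
    if re.search(r"[^A-Za-z0-9@#$]", password):
        problems.append("contains a special character other than @ # $")
    low, uid = password.lower(), user_id.lower()
    if any(w in low for w in BANNED_WORDS) or (uid and (uid in low or uid[::-1] in low)):
        problems.append("dictionary word, user ID, or user ID spelled backwards")
    if _has_run(password):
        problems.append("repeating or consecutive characters")
    for salt, digest in history[-HISTORY_DEPTH:]:     # only the last six count
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def password_expired(last_changed, today):
    """Rule 3: a password older than 90 days must be changed."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```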

Standards for Owners of Information Assets

SCO Divisions are owners of the information assets they utilize to conduct the business of the SCO. Owners of information have the following responsibilities.

120 Owner Compliance: SCO Division management shall abide by, and ensure their staff comply with, SCO, State, and Federal (when applicable) policies, laws, rules, regulations, standards, and procedures pertaining to information security, confidentiality, and privacy when handling information assets owned by or entrusted to the SCO.

121 Information Asset Classification: SCO Divisions shall ensure the SCO information and applications for which they are responsible are appropriately classified. (Reference: Management Security Standards 200 and 201.)

122 Risk Assessment: SCO Divisions shall determine, in coordination with the SCO Information Security Office and custodian(s) of information, appropriate security controls (i.e., safeguards or countermeasures) for the information assets for which they are responsible and shall identify the resources needed to implement those controls. (Reference: Management Security Standard 202.)

123 Security Management: SCO Divisions shall ensure information security is planned for, documented, and integrated into the system life cycle (SLC) for all information technology projects that involve the processing, transport, or retention of information that is classified as confidential or sensitive, and for business critical applications and processes. (Reference: Management Security Standards 203 and 204.)

124 Owner Acceptable Use Policy: SCO Divisions shall develop information user “acceptable use” and “rules of behavior” for information assets for which they are responsible.

125 Owner Authorization Approval: SCO Divisions shall authorize access to, and use of, the information assets and facilities for which they are responsible.

126 Access Authorization Reviews: SCO Divisions shall conduct annual reviews of user accounts to validate the continued need for access to and use of the information assets for which they are responsible.

127 Access and Use Agreements: SCO Divisions shall establish and manage agreements with non-SCO state entities and non-state entities for which the division has authorized access to, or use of, an SCO information asset for which they are responsible. Agreements with non-SCO state entities and non-state entities shall, at a minimum, cover:

  1. Appropriate levels of confidentiality and privacy for the information based on classification.
  2. Standards for transmission and storage of the information, if applicable.
  3. Agreements to comply with all divisional requirements, SCO ISPM standards, and state and federal laws regarding the security and use of the information asset.
  4. The use of signed confidentiality and non-disclosure user statements.
  5. Requirements for the non-SCO state entities and non-state entities to apply security patches and upgrades and to keep anti-virus software up-to-date on all systems from which the information asset may be accessed or on which it may be used.
  6. A requirement to promptly notify the division and the SCO Information Security Office if an information security incident involving the information asset occurs.

Standards for Custodians of Information

The SCO Information Systems Division, Division IT Support staff, and any other system/network administrators are custodians of information assets they manage for an SCO owner of information. Custodians of information have the following responsibilities.