DPA Office of Administrative Courts

System Security Plan

DPA Office of Administrative Courts

LegalFiles

May 2013

CONFIDENTIAL

For Official Use Only - Portions of this information may be exempt from disclosureunder the Colorado Open Records Act. Colorado Revised Statute 24-72-204(2)(a)(VIII)(A).

Contents

System Record of Changes

System Security Plan

Introduction

System Identification

Security Team Roles and Responsibilities

Business System Owner

System Data Owner

Agency IT Director

Agency Information Security Officer

System Subject Matter Expert / Administrator

Authorizing Security Official

General System Design Description

System Environment – Architecture

Technical Specifications

Security Controls

System Record of Changes

Modifications made to this plan, since the last printing, should be documented here for audit and process management purposes

Date / Item / Description / Author / Version
January 2013 / Original / J. Buffington / 1.0
April 2013 / Security Controls
Contact Info / Added
Updated / J. Buffington / 1.1
May 2013 / Security Controls / Updated / J. Buffington / 1.2

System Security Plan

Introduction

The purpose of a System Security Plan (SSP) is

To document the security requirements of the system and describe the controls planned or in place to meet the requirements.

To delineate responsibilities and expected behavior of all individuals who access the system.

To establish and document the security controls, and form the basis for the authorization of individuals to perform security related activities in the system, supplemented by the assessment report and the Plan Of Actions and Milestones (POAM).

The objectives of this SSP are

To improve protection of information system resources.

To document the protection of the system security.

To respond to Internal and External system security Audits.

To demonstrate documented compliance to state and federal mandates.

This is a living document subject to annual review and regular updates as needed.

System Identification

LegalFiles– case management system for the Office of Administrative Courts.

Security Team Roles and Responsibilities

Business System Owner

The Business System Ownerhas sufficient knowledge of the system to be able to provide additional information or points of contact regarding the security plan and the system, as needed. They are the decision making authority as to budgetary and operation function of the system or solution.

Name: / Matt Azer / Address: / 633 17th St., Denver, CO
Title: / Director, Office of Admin Courts / Phone / 303-866-2452
Agency: / DPA / E-mail /

System Data Owner

The Data Owner is the designated individual who is ultimately responsible for the Confidentiality, Integrity and Availability (CIA) of the data owned by the System Owner. This individual typically determines how data is accessed, who the data is accessed by, its distribution and security. This individual has a clear understanding of all state, national, federal or international laws and regulations governing the security and access of the data.

Name: / Matt Azer / Address: / 633 17th St., Denver, CO
Title: / Director, Office of Admin Courts / Phone / 303-866-2452
Agency: / DPA / E-mail /

Agency IT Director

The Agency IT Director is the designated OIT representative responsible for the general management of the IT system or solution utilized by a system owner or agency. This individual is the decision making authority over budgetary requirements, project design, disaster recovery and ongoing maintenance and support of the system or solution for the system owner or agency.

Name: / Address:
Title: / IT Director / Phone
Agency: / OIT / E-mail

Agency Information Security Officer

The Information Security Officer (ISO) isresponsible for the security of the system and has been assigned responsibility in writing to ensure that the application has adequate security and is knowledgeable of the management, operational, and technical controls used to protect the system.

Name: / Mohamed Malki / Address: / 601 E. 18th Ave., Denver, CO
Title: / ISO / Phone / 303-764-7763
Agency: / OIT / E-mail /

System Subject Matter Expert / Administrator

The Subject Matter Expert (SME) is the individual responsible for the overall business management and administration of the system. This individual is involved in all operational discussions for the system to include user access control, documentation, applications, data, design and disaster recovery requirements for the system and is the primary business contact for all security events affecting the system.

Name: / Donna Childers / Address: / 633 17th St., Denver, CO
Title: / OAC Operations Manager / Phone / 303-866-5338
Agency: / DPA / E-mail /

Authorizing Security Official

The Colorado Chief Information Security Officer (CISO) after review of each System Security Plan (SSP) is the individual responsible for sponsoring and approving the operation or denying operation of state computing systems and solutions for the state of Colorado.

Name: / Jonathan Trull / Address: / 601 W. 18th Ave., Denver, CO
Title: / State of Colorado CISO / Phone / 303-764-7752
Agency: / OIT / E-mail /

General System Design Description

LegalFiles is a commercial system from the vendor of the same name for managing judicial cases. The Office of Administrative Courts uses LegalFiles to manage case documents, schedule hearings, track compliance with court orders, and coordinate office operations.

System Environment – Architecture

Infrastructure Diagram

Technical Specifications

System Attributes / Description
Architecture &Operating Environment / See Infrastructure Diagram above.
LegalFiles, Inc. provides a commercial software package called LegalFiles that is a case management solution that currently has many State and local government customers. The application is heavily oriented around Microsoft technologies. In this deployment, we installed a new web based user interface for LegalFiles, on 3 MS Windows 2008 R2 servers (IIS web server, SQL Server, file server). Application security is managed within the application.
Software / The version numbers for relevant software used are listed below:

• LegalFiles version 8.4.2
• MS Internet Explorer – v8.x and 9.x (certified supported web browser)
• .NET Framework 3.5/4.0
• MS Windows 2008 R2
• MS SQL Server- 2008/R2
• IIS 7
• Apache Tomcat 7.0.29

Physical Environment / Physical Location: OIT hosted at GGCC
Interfaces / Incorporating a connection with the “eFiling” online forms submission process developed by Vertiba. Planning go-live in July 2013.

Security Controls

Security Requirement / Existing Controls / Planned Controls
1. Identify unique requirements for protecting the application or system and system information in the case of disaster recovery operations. / LegalFiles is hosted on the new virtual server infrastructure at GGCC.
All virtual servers are backed up as a “snapshot” once weekly. Full server could be restored from this backup in under 4 hours.
Nightly backups capture incremental file changes. Individual files can be restored uponrequest within 4 hours.
All backups are “hot” for a two week cycle, then move to virtual tape.
2. Describe the application or system's user authentication requirements. / User accounts are managed by the System Subject Matter Expert / Administrator in OAC (see contact list above).
System login via the browser transport is secured via SSL with 2048 bit Encryption Certificate from the public certificate authority Entrust.
3. Describe the application or system’s system integrity requirements. / The system ensures system and data integrity from a number of perspectives:

• Authentication – all users must provide valid credentials to enter the LegalFiles application
• All communication and data transmission is encrypted at the transport level using SSL (HTTPS)
• Each user is assigned specific roles or privileges in LegalFiles
• LegalFileshas built in data validation to ensure proper integrity of data from a format, and context perspective. For example, ensuring that dates are formatted properly and related information makes sense in context such as end dates always coming after associated start dates.

4. For electronic commerce systems involving financial transactions, describe how you are ensuring that the parties in a transaction cannot deny that the transaction took place. / Not Applicable
5. Describe the application or system access controls and their rules for all levels of the system and/or application. / LegalFiles application roles are defined within the system. Group roles are used.
Security in LegalFiles is managed through system security configuration. Roles can be customized to allow or deny access at the module/screen level, as well as to allow or deny specific functionality within a module.
6. Describe the audit trails that will be captured and the details included in the audit trail for tracking administrative actions that impact access or change to critical data. / Within LegalFiles there are logs that record field/data, user change and date of change which can be accessed by administrators only.
7. Security Control selection (how did we select the controls) / LegalFiles provides administrative tools for security configuration in the application.
8. Physical barriers around the area where the system resides / Standard controls in place at GGCC: alarms, security code entry, security cameras and locked racks.
9. Workstation security / Workstations are managed by OIT and secured in the OAC offices.
10. Backup Frequency / Backups are performed and managed by Hosted Services team within OIT Service Operations.
All virtual servers are backed up as a “snapshot” once weekly. Full server could be restored from this backup in under 4 hours.
Nightly backups capture incremental file changes. Individual files can be restored upon request within 4 hours.
All backups are “hot” for a two week cycle, then move to virtual tape.
11. Backup Plan / Backups are performed and managed by Hosted Services team within OIT Service Operations.
All virtual servers are backed up as a “snapshot” once weekly. Full server could be restored from this backup in under 4 hours.
Nightly backups capture incremental file changes. Individual files can be restored upon request within 4 hours.
All backups are “hot” for a two week cycle, then move to virtual tape.
12. Disaster Recovery Plan / See “Security Controls #1” above
13. System Review / LegalFiles, Inc. developers verified the system architecture and configuration prior to go live. / Update System Security Plans once every year or when significant changes occur to the system.
14. Policy Waiver / Obtain written authorization from the DPA ISO if compliance with state Information Security Program Policy is not feasible or technically possible, or if there is a need to deviate from a policy to support its mission or business function.
Variance Requests will be submitted to the DPA Information Security Officer in the event that software, hardware, or network configuration requirements deviate from established DPA and OITS standards.
LegalFiles, Inc. will have 60 days to file a waiver or become compliant with the policy in question. All Policy waivers must be recorded and maintained for inspection by the DPA ISO.
15. Describe the process to define user access rights based on the individual's need to view and manipulate data within the application or system. / DPA OAC management identifies users responsible to complete job assignments and assigns the appropriate roles.
The security administrator (SA) is designated for the system. All requests for access to the system-level resources must be submitted to the SA for review and approval, using the OACApplication Access Request form. Time-limited access is provided on approval. / The Business Process Analyst for DPA will provide business guidance at the statewide level to guide staff in achieving inter-office consistency regarding security needs in the local offices.
16. Describe procedures for requesting, establishing, issuing, and closing user accounts in the system or application. These procedures must include the process for reviewing and confirming access rights on a specified schedule. / Computer access request forms are submitted via email to the OAC Security Administrator who grants or revokes user access and security template assignments.
In addition, the LegalFiles Security Administrator will also review existing access rights periodically for security changes necessary due to staff turnover or role assignment changes. / Monthly reports will be run and access will be denied for any user who has not logged into the system for 6 months.
17. Describe the procedures for identifying and reporting security violations. / OAC system administrators are responsible for reviewing failed authentication reports. Additionally, system usage reports are reviewed for identifying unusual system activity. In the event that a security violation is detected, the Security Administrator is informed, who then initiates DPA security violation incident handling procedure through notification to the OITService Desk. / Develop a plan to monitor authentication reports and unusual system activity and report to OAC and OIT in the event a security violation is detected.
18. Vulnerability/Penetration testing documents available? / Vulnerability/penetration test results documents will only be available to state personnel as provisioned by the DPA Information Security Officer.
19. Interface Security (transmission security, access control) / The LegalFiles interface uses 2048 bit SSL. All sessions require credential validation.
20. Vendor Access / LegalFiles support staff may be granted application and data access to the extent required to carry out end user application support according to the annual maintenance contract.
21. User Access / Login tracking and application activity logging is achieved through the application, and is stored in the back-end supporting database. / Application configurations must be enhanced to enforce strong password settings including length, complexity, and expiration
22. Server patch installs/upgrades / OIT Service Operations provides operating system maintenance including services such as patch management, server monitoring, upgrades, and anti-virus.
23. Application patch installs/upgrades / LegalFiles, Inc. typically does 2 major system upgrades per year with minor maintenance releases and patches as necessary. Notifications are provided along with release notes informing customers of the new releases, their timing, and their content.
24. Change Management / Any changes to LegalFiles that will impact OAC users will follow the OIT Change Management process.
25. System Admin Procedures and Responsibilities / OAC management designates the system administrator(s) for LegalFiles.
System admins receive additional training from LegalFiles support staff for properly configuring and maintaining the application.
26. Server Access Control / OIT application support staff is approved for RDP access to servers for installing and configuring LegalFiles software and supporting components on the web and database servers.

CONFIDENTIAL