Information Security Standards 2016 Update IIPS Security Standards Committee Roderick Brower - Chair.

IT Standards Committee Officers
- Roderick B. Brower, Chair (Ch. 1 - Classifying Data & Legal Requirements)
- Deborah Joyner (Ch. 2 - Securing the End User)
- Jeff Drake (Ch. 3 - Securing the Network)
- Chuck Hauser (Ch. 4 - Securing Systems)
- Karen Sasser (Ch. 5 - Physical Security)
- Bambi Edwards (Ch. 6 - Cyber Security Incident Response)
- Jodi Dyson (Ch. 7 - Business Continuity & Risk Management)

How Did We Get Here (Again)?
- New State Information Security Manual (SISM) released by the Enterprise Security & Risk Management Office (ESRMO) in December 2015
- Extensive review by the IT Standards Team started immediately
- Submitted a first pass at cleaning up the IIPS Standards and got feedback from Michael McCray in January 2016
- Will submit to ESRMO (post IIPS Conference) for approval
- Yearly review of the IIPS Standards by the IIPS Committee, based on releases from the ESRMO

CIOs
- The local College CIO plays an important role (060202)
- Manages and implements at the local level
- First point of contact on issues of concern (conduit to ESRMO)
- Works closely with the Business & Finance area on PCI compliance

Passwords: Managing Passwords
- All typical user passwords (e.g., UNIX, Windows, personal computing, RACF, applications, etc.) shall be changed at least every ninety (90) days. This includes College employee and contractor passwords (e.g., Web and calendar) used to access systems and applications.
- Passwords shall not be reused until six additional passwords have been created.

Multi-factor Authentication: Controlling Remote User Access
- All users wishing to establish a remote connection via the Internet to the college's internal network must first authenticate at a firewall or security device.
- It is recommended that all other remote access to systems, specifically those holding confidential data, use multi-factor authentication (MFA) technologies.

Offsite Hosting/Vendors: Contracting with External Suppliers/Other Service Providers
- Properly executed contracts and confidentiality agreements are required. These contracts must specify conditions of use and security requirements, and the access, roles and responsibilities of the third party, before access is granted.
- Colleges are required to ensure that vendors providing offsite hosting or cloud services provide the College, on an annual basis, with a risk assessment report validating compliance with College security requirements.

020303 User: Information Security Training
- Mandatory information security awareness training for new staff as part of job orientation.
- Formal information security training appropriate to work responsibilities, on an annual basis.
- Insider threat training covering how to prevent, detect, and respond to an insider threat.
- Training in information security threats and safeguards, with technical details reflecting each staff member's responsibility for configuring and maintaining information security.
**Needs to be a Continuous Cycle**

030501 Using Encryption Techniques
- Industry standards (PCI DSS, NIST, ISO/IEC 27001) should always be used if at all possible.
- Confidential data shall not be transmitted unencrypted across wireless or public networks, including by FTP and electronic mail.
- Secure transmission of confidential data shall use the most current encryption protocol version and must be FIPS compliant.
- If a College is not using the most current encryption protocol version, it must have a mitigation plan in place. (Meeting the higher standard is always best.)
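What the 030501 wording looks like in an actual client configuration, as an added example (this is not code from the IIPS slides or from the SISM): a TLS client context that sets a protocol floor and restricts the TLS 1.2 suites to (EC)DHE with AES-GCM, next to a legacy context with no floor, and an audit function that reports the gap for the mitigation plan. The version floor, the cipher string and the list of non-FIPS suite markers are this example's assumptions, not text from the standard.

```python
"""Added example (not IIPS or SISM code): hardened vs. legacy TLS client
configuration and an audit of each against the 030501 rule.  The protocol
floor, cipher string and NON_FIPS_MARKERS list are assumptions of this example."""
import ssl

# Suite-name fragments that are not FIPS 140 approved or are known-broken
# (assumed list; a FIPS-validated OpenSSL provider enforces the real one).
NON_FIPS_MARKERS = ("CHACHA20", "RC4", "3DES", "DES-CBC3", "MD5", "NULL",
                    "EXPORT", "RC2", "IDEA", "SEED", "CAMELLIA", "ARIA")


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2 floor, certificate validation on, (EC)DHE + AES-GCM only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() applies to TLS 1.2 and below.  TLS 1.3 suites are fixed by
    # the OpenSSL configuration (or its FIPS provider); Python cannot set them.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The configuration that needs a mitigation plan: no protocol floor at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report whether a context meets the protocol floor and which suites fail.

    TLS 1.3 suites that match a marker are listed separately, because they can
    only be removed through OpenSSL configuration, not through this context."""
    weak, tls13_review = [], []
    for suite in ctx.get_ciphers():
        name = suite["name"].upper()
        if any(marker in name for marker in NON_FIPS_MARKERS):
            bucket = tls13_review if suite["protocol"] == "TLSv1.3" else weak
            bucket.append(suite["name"])
    return {
        "protocol_floor_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "minimum_version": ctx.minimum_version.name,
        "weak_suites": weak,
        "tls13_suites_to_remove_via_openssl_config": tls13_review,
    }


if __name__ == "__main__":
    for label, builder in (("hardened", hardened_client_context),
                           ("legacy", legacy_client_context)):
        print(label, audit_context(builder()))
```

The audit tells you what to write into the mitigation plan; it does not make the system FIPS compliant. FIPS compliance is a property of the cryptographic module (for example OpenSSL running its validated FIPS provider, or an operating system in FIPS mode), so cipher selection in application code is necessary but not sufficient.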

System Configuration: Manual Systems Documentation
- Colleges should develop and maintain additional documentation that details hardware and software placement and configuration, provides flowcharts, etc.
- Documentation should include:
  - Vendor name, address, and contact information
  - License number and version
  - Update information
  - Configuration reports and listings for operating system and server software
  - BIOS revision information
  - Port listing

041004 Using Mobile Communication Devices
- A minimum 4-digit numeric, user-defined personal identification number (PIN) that is changed every 90 days.
- An inactivity time-out of 10 minutes or less.
- If technically possible, the ability to remotely erase the contents of the device, at the user's request, at management's request via a help desk service request, or by the user's own action.
- Colleges shall make end users aware that they are accepting the risk of personal data being lost.
- Users shall report lost or stolen mobile communication devices to the College's service desk or to college management within 24 hours of confirmation.

Passwords: Managing User Access (020102)
- User credentials that are inactive for a maximum of ninety (90) days must be disabled, except as specifically exempted by the security administrator.
Passwords Defined (020106)
- At least eight characters in length
- Strong passwords for High Security Systems
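The password rules on these slides (the 90-day change interval and six-password history from Managing Passwords, the 90-day inactivity disable with administrator exemption from 020102, and the eight-character minimum from 020106) turned into checks that can be run over an account export, as an added example that is not code from the IIPS slides. The account records, the fixed "today" date and the PBKDF2 work factor are constructed for this example; the rules themselves are taken from the slide text.

```python
"""Added example (not IIPS code): checks that operationalize the password rules
on the slides.  Account records, TODAY and PBKDF2_ROUNDS are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # "changed at least every ninety (90) days"
MAX_INACTIVE_DAYS = 90       # "inactive for a maximum of ninety (90) days must be disabled"
MIN_PASSWORD_LENGTH = 8      # "at least eight characters in length"
HISTORY_DEPTH = 6            # "not be reused until six additional passwords have been created"
PBKDF2_ROUNDS = 20_000       # assumed work factor for the history store
TODAY = date(2016, 3, 15)    # fixed review date so the sample data is reproducible


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the history keeps hashes, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    last_password_change: date
    last_login: date
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest first
    inactivity_exempt: bool = False                # security administrator exemption (020102)


def password_change_problems(account: Account, new_password: str) -> list[str]:
    """Reasons a proposed new password must be rejected (empty list = acceptable)."""
    problems = []
    if len(new_password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    for salt, digest in account.history[:HISTORY_DEPTH]:
        _, candidate = hash_password(new_password, salt)
        if hmac.compare_digest(candidate, digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def record_password_change(account: Account, new_password: str, when: date) -> None:
    """Store an accepted password and drop anything older than the history window."""
    account.history.insert(0, hash_password(new_password))
    del account.history[HISTORY_DEPTH:]
    account.last_password_change = when


def audit_account(account: Account, today: date = TODAY) -> list[str]:
    """Findings for the periodic review: expired password, stale credential."""
    findings = []
    age = (today - account.last_password_change).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password is {age} days old; must be changed")
    idle = (today - account.last_login).days
    if idle > MAX_INACTIVE_DAYS and not account.inactivity_exempt:
        findings.append(f"no login for {idle} days; disable the credential")
    return findings


def build_sample_accounts() -> dict[str, Account]:
    """Constructed sample data, not real College records."""
    user = Account("jdoe", last_password_change=date(2016, 1, 20), last_login=date(2016, 3, 14))
    # Seven successive passwords; only the six most recent stay in the history.
    for n in range(1, 8):
        record_password_change(user, f"Spring2016!{n}", date(2016, 1, 20))
    contractor = Account("contractor", last_password_change=date(2015, 11, 1),
                         last_login=date(2015, 12, 1))
    service = Account("svc-backup", last_password_change=date(2016, 2, 1),
                      last_login=date(2015, 10, 1), inactivity_exempt=True)
    return {"jdoe": user, "contractor": contractor, "svc-backup": service}


if __name__ == "__main__":
    accounts = build_sample_accounts()
    for name, acct in accounts.items():
        print(name, audit_account(acct))
    print("reuse newest:", password_change_problems(accounts["jdoe"], "Spring2016!7"))
    print("reuse oldest:", password_change_problems(accounts["jdoe"], "Spring2016!1"))
```

The history window is the subtle part: "six additional passwords" means the seventh-oldest password becomes usable again, which is why the sample account's first password is accepted while its second is still refused. Note that NIST SP 800-63B (2017) later moved away from mandatory periodic rotation; the checks here implement the 2016 IIPS wording as stated.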

Chapter 7 - Business Continuity and Risk Management
- Lifecycle: Initiation, Development, Implementation, Assessment
- Who is responsible at your school?
- Revisit the plan constantly; constant improvement.

Conducting Security/Risk Assessments
- Due diligence
- Revisit this subject yearly, or more often if needed
- Results should be used in budget planning
- All critical systems should be included in the planning

Local Implementation
- You do NOT have to re-write these standards at your local institution.
- This manual should be referenced in your local Administrative Procedures Manual.
- The statement should reflect that all standards included in the NCCC Information Security Manual are followed locally.
- Any deviation from the manual needs to be documented locally, and the college needs to be prepared to justify the deviation.

Looking Forward (Items of Interest)
- Administrative rights to PCs on your local campuses (labs vs. office PCs) *only mentioned in the guidance area
- FIPS compliance requirements
- Other questions? (via )

Q&A
- Once approved by ESRMO, the official document will be placed on the IIPS website (About IIPS tab).