VITA [Virginia Information Technologies Agency]


VITA [Virginia Information Technologies Agency]
IT Security Policy
IT Security Standard
IT Security Audit Standard
Summer 2008 VITA publications

Information Technology Resource Management
Information Technology Security Policy (SEC500-02)
http://www.vita.virginia.gov/uploadedFiles/Library/ITRMSEC500-02ITSecPolicy.pdf (07/019/2007) Revision 4

Scope
Applicable to the Commonwealth's executive, legislative, and judicial branches, and to independent agencies and institutions of higher education. However, academic "instruction or research" systems are exempt, provided they are not subject to a State or Federal law/act mandating security due diligence. The policy is offered only as guidance to local government entities.

Purpose of IT Security Policy
To protect the Commonwealth's information technology assets and the information they process, by defining the minimum information technology security program for agencies of the Commonwealth of Virginia (COV).

1.2 Guiding Principles
COV data is:
- A critical asset that shall be protected;
- Restricted to authorized personnel for official use.
IT security must be:
1. A cornerstone of maintaining public trust;
2. Managed to address both business and technology requirements;
3. Risk-based and cost-effective;
4. Aligned with COV priorities, industry-prudent practices, and government requirements;
5. Directed by policy but implemented by business owners;
6. The responsibility of all users of COV IT systems and data.

1.3 Statement of Policy
Each Agency Head is responsible for the security of the Agency's data and for taking appropriate steps to secure Agency IT systems and data by developing an Agency IT security program. This policy and its standards provide the minimum requirements, to be implemented in a framework relative to information risk. Agency Heads may establish more restrictive IT security programs and related policies. If, in the judgment of the Agency Head, the Agency cannot meet the minimum requirements, a request for an exception shall be made in writing to the Chief Information Security Officer (CISO).

Policy Summary
The function of this policy is to protect IT systems and data from credible threats, internal or external, deliberate or accidental. Agencies must use all reasonable IT security control measures to:
a. Protect data against unauthorized access and use;
b. Maintain integrity of data;
c. Meet requirements for availability of data;
d. Meet federal, state and other regulatory and legislative requirements.

2. Roles and Responsibilities (1)
Each agency must maintain an organization chart that depicts the reporting structure of employees with specific responsibilities for the security of IT systems and data, and their specific IT security roles and responsibilities.
Chief Information Officer of the Commonwealth (CIO): directs development of policies, procedures and standards for assessing risks, determines appropriate measures, and performs audits of government electronic information.

Roles and Responsibilities (2)
Chief Information Security Officer (CISO): responsible for development and coordination of the IT Security Program, and:
a. Administers the Program and assesses whether it is implemented in accordance with Policies and Standards.
b. Reviews requested exceptions.
c. Provides solutions, guidance, and expertise.
d. Maintains awareness of the status of sensitive systems.
e. Facilitates effective implementation of the IT Security Program by:
   i. Preparing, disseminating, and maintaining security policies, etc.;
   ii. Collecting data on the state of IT security;
   iii. Consulting on balancing security with business needs.
f. Provides networking and liaison opportunities to ISOs.

Roles and Responsibilities (3)
Agency Head: responsible for the security of the Agency's IT systems and data. Must:
a. Designate an ISO via e-mail and provide the name, etc. to VITA biennially (encouraged to add a backup).
b. Determine the best location of the IT security function in the Agency hierarchy.
c. Maintain a documented Agency IT security program.
d. Review and approve the Agency's Business Impact Analyses, Risk Assessment, and Continuity of Operations Plan, including Disaster Recovery.
e. Review the IT System Security Plan for each sensitive agency IT system, and disapprove those that do not mitigate risks.
f. Maintain compliance with the IT Security Audit Standard by:
   • Developing and implementing the Agency plan for IT security audits, and sending it to the CISO;
   • Requiring that planned IT security audits are conducted; receiving reports of results; requiring development of Corrective Action Plans to address findings; and reporting to the CISO the findings and the progress in implementing corrections.
g. Facilitate the communication process between DP staff and other areas.
h. Establish a program of IT security safeguards.
i. Establish an IT security awareness and training program.
j. Provide the resources to enable employees to secure systems and data.

Roles and Responsibilities (4)
Information Security Officer (ISO): must
- Develop and manage the Agency IT security program to meet the requirements of IT security policies and standards, commensurate with risk.
- Verify and validate that all agency IT systems and data are classified for sensitivity.
- Develop and maintain an IT security awareness and training program for Agency staff, including contractors and IT service providers.
- Coordinate and provide IT security information to the CISO.
- Implement and maintain a balance of protective, detective and corrective controls for agency IT systems, commensurate with data sensitivity, risk and criticality.
- Mitigate and report all IT security incidents and take actions to prevent recurrence.
- Maintain liaison with the CISO.
Privacy Officer: an Agency must have one if required by law or regulation, such as HIPAA; otherwise these responsibilities are carried out by the ISO. Responsibilities include:
a. The requirements of state and federal privacy laws.
b. Disclosure of and access to sensitive data.
c. Security and protection requirements in conjunction with IT systems where sensitivity, disclosure, privacy, and security issues overlap.

Roles and Responsibilities (5)
System Owner: the manager responsible for operation and maintenance of an Agency IT system. Must:
a. Require users to complete IT security awareness and training activities, refreshed annually.
b. Manage system risk and develop additional IT security policies and procedures.
c. Maintain compliance with IT security policies and standards.
d. Maintain compliance with the requirements specified by Data Owners for handling data.
e. Designate a System Administrator for the system.
Data Owner: the Agency manager responsible for data policy and practice decisions. The Data Owner:
a. Evaluates and classifies the sensitivity of the data.
b. Defines protection requirements based on sensitivity of data, legal or regulatory requirements, and business needs.
c. Communicates data protection requirements to the System Owner.
d. Defines requirements for access to the data.

Roles and Responsibilities (6)
System Administrator: implements, manages, and/or operates systems at the direction of the System Owner, Data Owner, and/or Data Custodian; assists Agency management in the day-to-day administration of IT systems; and implements security controls and other requirements on the IT systems for which they are assigned responsibility.
Data Custodian: an individual or organization holding data for Data Owners. They:
a. Protect data from unauthorized access, alteration, destruction, or usage.
b. Establish, monitor, and operate IT systems per IT security policies and standards.
c. Provide Data Owners with reports, as needed.
IT System Users, including contractors, must:
a. Read and comply with Agency IT security program requirements.
b. Report breaches of IT security to agency management and/or the CISO.
c. Take steps to protect the security of IT systems and data.

Risk Assessment and Management
Business Impact Analysis (BIA): identify the business functions that are essential or involve sensitive data and are dependent on IT, and decide the appropriate level of IT protection.
Document and characterize the types of data and classify the sensitivity of Agency IT systems and data (availability, confidentiality and integrity) for use in the RA process. Then define and determine ownership of all IT systems classified as sensitive so that IT security roles can be assigned.
The posting of sensitive data on a public web site is prohibited, unless a written exception is approved by the Agency Head identifying the business case, risks, mitigating logical and physical controls, and any residual risk.

Risk Assessment and Management, cont.
Make a periodic formal RA of all IT systems classified as sensitive. [Agencies should conduct an informal risk analysis on those IT systems and data not classified as sensitive, and apply appropriate additional IT security controls.] The RA process assesses the threats to systems and data, their probabilities of occurrence, and the IT security controls necessary to reduce these risks to an acceptable level.
After controls have been applied based on the RA results, require periodic, independent IT Security Audits to determine whether the overall protection is adequate and effective. IT Security Audits may identify additional required mitigating controls for sensitive Agency IT systems in order to protect the systems and the data they handle. The Agency Head or designee then formally accepts any residual risk to the operation of sensitive IT systems.

IT Contingency Planning
IT Contingency Planning defines the processes and procedures that plan for and execute the recovery and restoration of IT systems and data that support essential business functions. It includes:
Continuity of Operations Planning: provides a business continuation strategy for essential Agency business functions [which may or may not be dependent on IT resources]. The Virginia Department of Emergency Management provides guidance on Agency Continuity of Operations Plans.
Disaster Recovery Planning: defines specific processes and procedures for restoring IT systems and data that support essential business functions.
IT System Backup and Restoration: defines plans and restoration schedules that meet Agency mission requirements for backup and restoration of data.

Security Plans
IT Systems Security: defines the steps that provide protection for IT systems in the areas of IT System Hardening, IT Systems Interoperability Security, Malicious Code Protection, and IT Systems Development Life Cycle Security. Agency IT systems may require further security controls based on sensitivity and risk, including availability needs, identified through Risk Management policies, processes, and procedures. This Plan must be reviewed and approved by the Agency Head or ISO.
Logical Access Control: defines the steps necessary to protect the confidentiality, integrity, and availability of IT systems and data. The requirements identify the measures to verify that all IT system users are who they say they are and that they are permitted to use the systems and data they are attempting to access. This covers Account Management, Password Management, and Remote Access.

Protection and Safeguards, etc.
Data Protection: provides security safeguards for the processing and storing of data, outlining the methods used to safeguard the data. It includes Media Protection and Encryption. Storing any data classified as sensitive on any mobile device, including laptops and non-network drives but excluding backup media, is prohibited unless the data is encrypted and there is a written exception approved by the Agency Head identifying the business case, risks, etc.
Facilities Security: these safeguards require planning and application of facilities security practices to provide a first line of defense against damage, theft, unauthorized disclosure of data, loss of control over system integrity, and interruption to computer services.

Protection and Safeguards, cont.
Personnel Security: these controls reduce risk by specifying Access Determination and Control requirements that restrict access to those individuals who require such access as part of their job duties. Also includes Security Awareness and Training requirements.
Threat Management: addresses preparing for and responding to IT security incidents. This includes Threat Detection, Incident Handling, and Monitoring and Logging. When unencrypted personally identifiable information is subject to a breach in security resulting in unauthorized disclosure, the data-owning agency shall provide notice to the affected individuals. This should occur without unreasonable delay as soon as the breach is verified, consistent with the investigative needs of COV CIRT and law enforcement entities.
IT Asset Management: involves protection of the components of systems by managing them in a planned, organized, and secure fashion. It includes IT Asset Control, Software License Management, and Configuration Management and Change Control.

Compliance and Monitoring
COV measures compliance through processes that include: inspections, reviews, and evaluations; monitoring; audits; and confiscation and removal of IT systems and data.
General Monitoring Activities: used to improve IT security, to assess use of resources, and to protect from attack. Use of IT resources constitutes permission to monitor that use. There is no expectation of privacy when utilizing COV IT resources. COV may review data and activities, act on information discovered, and disclose it to law enforcement, etc.
User Agreement to Monitoring: use of a system is implied consent to monitoring activities, whether or not a warning banner is displayed. Users acknowledge that any misuse may be subject to disciplinary action and legal prosecution.

Compliance and Monitoring, cont.
Internet Privacy: Code of Virginia § 2.2-3803 (B). Every public body with an Internet website must develop an Internet privacy policy statement.
User Monitoring Notification: provided to users, when possible, by a warning banner stating that systems may be monitored and viewed by authorized personnel.
What is Monitored? Network traffic; application and data access; keystrokes; e-mail and Internet usage; and message and data content.
Requesting and Authorizing Monitoring: the CISO or ISO must authorize monitoring or scanning activities for network traffic, application and data access, keystrokes, user commands, and e-mail and Internet usage (message and content) for COV IT systems and data.
Infrastructure Monitoring: Agency IT personnel are responsible for maintaining security in their environment by monitoring for security and policy compliance and notifying the CISO and Agency ISO of any detected or suspected incidents. Installing or using unauthorized monitoring devices is strictly prohibited.

IT SECURITY AUDITS
The CIO must direct the development of policies, procedures and standards for performing security audits of state electronic information (Code of Virginia § 2.2-2009).
Performance of IT Security Audits: conducted by CISO personnel, Agency Internal Auditors, the Auditor of Public Accounts, or staff of a private firm that, in the judgment of the Agency, has the experience and expertise required to perform IT security audits. Each Agency must annually develop and submit to the CISO an audit plan for Agency electronic information, which includes all components of any COV IT system in which it resides. The audits must measure compliance with the security policy. IT Security Auditors should also use standards that measure compliance with any other federal and COV regulations.

IT SECURITY AUDITS, cont.
Documentation and Reporting of IT Security Audits: after conducting the audit, the auditor shall report the audit results to the Agency Head, who then requires the development of a Corrective Action Plan. At least once each quarter, each Agency Head must submit to the CISO a report containing a record of all IT Security Audits conducted during the quarter. The report must include all findings and state whether the Agency concurs or does not concur with each. The report must also include the status of outstanding corrective actions from previous audits.

PROTECTION OF IT RESOURCES
The CISO (with the Agency Head, via the ISO or other Administration authority) may authorize the confiscation and removal of any IT resource suspected to be the object of inappropriate use or of a violation of COV IT security laws or policies, in order to preserve evidence that might be utilized in forensic analysis of a security incident.

REQUESTING EXCEPTION TO IT SECURITY POLICY
If an Agency Head determines that compliance would result in an adverse impact to the Agency, the Head may request approval to deviate from the requirement by submitting an exception request to the CISO. Each request must be in writing and include the reasons for the exception and the compensating controls. Requests shall be evaluated and decided by the CISO, and the requesting party informed of the action. Denied exception requests may be appealed to the CIO through the CISO.