Information Security Compliance System Owner Training
Module 3 Supplement: Analysis of Policy Compliance Checklist Issues
Richard Gadsden, Information Security Office
Office of the CIO – Information Services, +1-843-792-8307
[email protected]

Upload: nigel-blankenship

Post on 17-Jan-2018




Compliance Checklist Issues

➲ Assume you have a score < 3 for a given compliance requirement

➲ The fact that you're not meeting that requirement is a compliance issue

➲ Document each compliance issue, and your recommended approach to its remediation, in the Risk Analysis Worksheet

● Compliance issue => Security Issue
● Remediation approach => Recommended Controls


Issue #1 (Risk Management)

➲ Issue: Risk assessments have not been performed (or documented) at appropriate points in the System's life cycle.

➲ Ideas for Recommended Controls:
● Assemble a qualified risk assessment team.
● Conduct a risk assessment for the system in its current life cycle stage.
● Document the risk analysis and the recommended security controls in the Risk Analysis Worksheet.


Issue #2 (Risk Management)

➲ Issue: Significant risks to the System have not been identified, and/or are not being managed.

➲ Ideas for Recommended Controls:
● From the Risk Analysis Worksheet, develop a Security Plan, and get it approved.
● Execute the Security Plan.
● Develop and implement evaluation procedures (see Issue #3).


Issue #3 (Evaluation)

➲ Issue: The effectiveness of the System’s security measures is not being monitored and evaluated.

➲ Ideas for Recommended Controls:
● For each documented and implemented security procedure or other control, make sure someone is designated as being responsible for monitoring and evaluating its effectiveness.
● Require each responsible person to develop an evaluation plan, and provide periodic reports.


Issue #4 (Workforce Security)

➲ Issue: The System lacks procedures for ensuring that no workforce member is granted access to protected information without authorization.

➲ Control Ideas:
● Develop, document, and implement procedures for establishing user accounts and access levels.
● Define who has authority for granting access, and who has responsibility for provisioning access. There should be a separation of duties between the two.


Issue #5 (Workforce Security)

➲ Issue: The System lacks procedures for ensuring that workforce members’ access is terminated when their authorization is revoked.

➲ Recommended Control Ideas:
● Develop, document, and implement procedures for terminating user accounts in a timely manner when their access is no longer authorized.
● Communication of changes in users' role / authorization status to system administrators is a key issue here.


Issue #6 (Awareness and Training)

➲ Issue: Users do not have access to appropriate System-specific training resources and materials.

➲ Recommended Control Ideas:
● Develop training and/or documentation that explains users’ security responsibilities.
● Ensure that all users are trained / aware.


Issue #7 (Incident Response)

➲ Issue: Emergency contacts have not been identified, or are not known by the CSIRT.

➲ Control Ideas:
● Identify the key people who should be contacted if a security incident occurs. Depending on the System's criticality and sensitivity, set up on-call duty / rotation.
● Register emergency contact information in the MUSC System Registry.


Issue #8 (Contingency Plan)

➲ Issue: A contingency plan for the System is not being maintained.

➲ Control Ideas:
● If a contingency plan has never been developed, then assign someone with the responsibility for overseeing the development and maintenance of a plan.
● Note: The depth and breadth of the plan should be determined by the System’s criticality.


Issue #9 (Contingency Plan)

➲ Issue: The System’s contingency plan is not being periodically tested.

➲ Control Ideas:
● Assign responsibility for developing and maintaining an appropriate test plan.
● Establish a means of verifying that the test plan is being executed, and that test results are being used to improve the contingency plan itself.


Issue #10 (Contingency Plan)

➲ Issue: The System's contingency plan is not being revised as needed.

➲ Control Ideas:
● Establish responsibility for monitoring the conditions (environmental, operational, policy or regulatory changes) that should trigger a review of the contingency plan, and its modification if appropriate.


Issue #11 (Workstation Security)

➲ Issue: The list of authorized applications is not evident to prospective users of the workstations within the System's boundaries.

➲ Control Ideas:
● Include this information in the documentation / training that is provided to the System's users (see Issue #6).
● Restrict user privileges on the System's workstations to the minimum set of privileges required to run the authorized applications.
● Note: If there are no workstations within your System's boundaries, then the Workstation Security policy, and Issues #11-14, do not apply to your System.


Issue #12 (Workstation Security)

➲ Issue: The users of the System's workstations do not have, or do not follow, appropriate procedures for initiating, terminating, and suspending their sessions.

➲ Control Ideas:
● Define and document these procedures (see Issue #6).
● Discipline workforce members who disregard procedures.
● Implement workstation session time-outs, as a last line of defense against user carelessness.


Issue #13 (Workstation Security)

➲ Issue: Physical access to the System's workstations is not restricted to authorized users.

➲ Control Ideas:
● To the extent possible, use physical security measures (e.g. locked doors) to restrict access.
● Address the need to protect the physical security of workstations in user documentation / training. E.g., users should be trained to recognize and report suspected unauthorized access.


Issue #14 (Workstation Security)

➲ Issue: Visual access to workstation displays is not being restricted to authorized users.

➲ Control Ideas:
● Orient workstations in a way that minimizes opportunities for “shoulder surfing” by unauthorized users.
● Use directional display filters where appropriate, e.g. if workstations must be used in high traffic areas.


Issue #15 (Device and Media Controls)

➲ Issue: Protected information is not being erased from the System’s media prior to disposal or re-use.

➲ Control Ideas:
● Document appropriate procedures, and assign responsibilities clearly.
● Note: Procedures should address all electronic or digital media used or produced by the system: disks, tapes, CD-ROMs, etc. Examples:
  ● Surplus disks: Use secure disk wiping procedure, or otherwise render any stored data unrecoverable.
  ● Tapes: Use degausser (OCIO-IS Operations).


Issue #16 (Device and Media Controls)

➲ Issue: The physical security of the System’s devices and media is not being maintained during movement and storage.

➲ Control Ideas:
● Develop, document, and implement procedures for maintaining physical security of all devices and media.
● Notes:
  ● Mobile devices and media, such as laptops, PDAs, and portable disks/memory devices, require special attention. Consider encryption (see Issue #23).
  ● Backup tapes rotated off-site require appropriate tracking and control of all tapes in inventory.


Issue #17 (Device and Media Controls)

➲ Issue: Hardware maintenance contracts do not address confidentiality requirements.

➲ Control Ideas:
● Review all hardware maintenance contracts to see if confidentiality of device/media contents is protected.
● At contract renewal time, negotiate protections for confidentiality of device/media contents.
● Note: For new systems, address this requirement up front (before any contracts signed or P.O.'s issued).


Issue #18 (Access Control)

➲ Issue: The System lacks adequate access control procedures.

➲ Control Ideas:
● Develop, document, and implement access control procedures to protect against all reasonably anticipated threats.
● Note: Access control is a very broad protection category. Most systems are exposed to a wide range of threats. Make sure that both the threats and the vulnerabilities that could create opportunities for unauthorized access to your System are understood by your risk assessment team, and that the access controls that are selected and implemented are reasonable and appropriate.


Issue #19 (Access Control)

➲ Issue: Users of the System are not assigned unique identifiers to enable tracking of access.

➲ Control Ideas:
● Develop, document, and implement procedures for assigning unique identifiers and access credentials (e.g. passwords) to each authorized user.
● Note: Audit Controls (Issues #25-28) are a necessary, complementary control to enable tracking of access.


Issue #20 (Access Control)

➲ Issue: Users are capable of managing their passwords or other access credentials.

➲ Control Ideas:
● Document procedures for user management of passwords or other credentials.
● Ensure that all users are trained / aware of their responsibilities, including maintaining the confidentiality of their passwords, and reporting any apparent discrepancies in the use of their accounts.


Good Password Practices (Issues #19-20)

➲ Passwords should be conveyed to new users in a controlled manner. Positive identification should be required.

➲ Procedures for resetting forgotten passwords must provide for positive identification of the person requesting the password reset.

➲ No user should ever be required to reveal his password in order to obtain technical support. Users should be trained to recognize any such request as a possible social engineering attack.


More Good Password Practices (Issues #19-20)

➲ Users should be required to choose a password that cannot be easily guessed by an attacker.

➲ Users should be instructed not to choose a password that they have ever been assigned previously.

➲ Users should be instructed not to choose a password that they have ever used or been assigned on any non-MUSC system.

➲ Users should be required to change their assigned password upon their first login.

➲ Users should be required to change their passwords at reasonable intervals.
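The following is an added worked example, not part of the training module, showing how the practices on the two password slides translate into enforcement logic an application could run at login and at password change: a forced change of an administrator-assigned password on first login, a maximum password age, a check against every password previously used or assigned on the account, and a simple guessability check. The account model, the 12-character minimum, the 90-day age limit and the short list of common passwords are all assumptions chosen for illustration; the module itself leaves "easily guessed" and "reasonable intervals" to the System owner's judgement. Password history is kept only as salted PBKDF2 digests, so the reuse check never requires storing an old password in the clear.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Policy parameters are assumptions for this example; the module leaves
# "reasonable intervals" and "easily guessed" to the System owner's judgement.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123"}   # constructed sample list


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history never stores a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime
    assigned: bool          # True if issued by an administrator, False if chosen by the user


@dataclass
class UserAccount:
    username: str
    history: List[PasswordRecord] = field(default_factory=list)   # every password ever set, newest last

    @property
    def current(self) -> PasswordRecord:
        return self.history[-1]


def must_change_at_login(account: UserAccount, now: datetime) -> Optional[str]:
    """Why the user must change the password at this login, or None if no change is due."""
    cur = account.current
    if cur.assigned:
        return "assigned password must be changed on first login"
    if now - cur.set_at > MAX_AGE:
        return "password is older than the maximum age"
    return None


def check_new_password(account: UserAccount, candidate: str) -> List[str]:
    """List of policy violations for a proposed password; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS or account.username.lower() in candidate.lower():
        problems.append("easily guessed (common password or contains the username)")
    # Reject anything previously used or assigned on this account, whoever set it.
    for rec in account.history:
        if hmac.compare_digest(_hash_password(candidate, rec.salt), rec.digest):
            problems.append("previously used or assigned on this account")
            break
    return problems


def _record(password: str, now: datetime, assigned: bool) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, _hash_password(password, salt), now, assigned)


def new_account(username: str, initial_password: str, now: datetime) -> UserAccount:
    """Create an account whose first password was assigned by an administrator."""
    return UserAccount(username, [_record(initial_password, now, assigned=True)])


def set_password(account: UserAccount, new_password: str, now: datetime) -> None:
    """Record a user-chosen password once it passes the policy check."""
    problems = check_new_password(account, new_password)
    if problems:
        raise ValueError("; ".join(problems))
    account.history.append(_record(new_password, now, assigned=False))


if __name__ == "__main__":
    t0 = datetime(2018, 1, 17)
    acct = new_account("jsmith", "Temp-Start-4321", t0)
    print(must_change_at_login(acct, t0))                 # forced change on first login
    print(check_new_password(acct, "Temp-Start-4321"))    # reuse of the assigned password is refused
    set_password(acct, "Correct-Horse-Battery", t0)
    print(must_change_at_login(acct, t0 + timedelta(days=100)))   # rotation interval exceeded
```

The practice of never choosing a password used on a non-MUSC system cannot be enforced by this kind of check, since the System has no record of those passwords; it remains a training point, which is why the slide phrases it as an instruction to users rather than a requirement on the System.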


Issue #21 (Access Control)

➲ Issue: User sessions that provide access to protected information do not time out.

➲ Control Ideas:
● Implement application session time-outs if feasible.
● If infeasible, document why, and implement and document appropriate workarounds (e.g., workstation time-outs, user training, reminders, monitoring, enforcement...).
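As an added example of the application-level time-out the first control idea calls for (this is illustrative code, not part of the module or of any MUSC system), the session table below enforces two limits: an idle limit that each authenticated request renews, and an absolute limit that activity cannot extend. The 15-minute and 8-hour values are assumptions; the module leaves the interval to the System owner. An expired session is removed the moment it is seen, so a token captured from an abandoned workstation stops working rather than lingering in the table.

```python
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional

# Both limits are assumptions for this example; the module leaves the interval to the System owner.
IDLE_TIMEOUT = timedelta(minutes=15)     # inactivity limit, renewed by each authenticated request
ABSOLUTE_TIMEOUT = timedelta(hours=8)    # hard ceiling that activity cannot extend


class Session:
    def __init__(self, username: str, now: datetime) -> None:
        self.username = username
        self.created_at = now
        self.last_seen = now

    def is_expired(self, now: datetime) -> bool:
        idle_too_long = now - self.last_seen > IDLE_TIMEOUT
        too_old = now - self.created_at > ABSOLUTE_TIMEOUT
        return idle_too_long or too_old


class SessionStore:
    """In-memory session table keyed by an unguessable token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, username: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(username, now)
        return token

    def validate(self, token: str, now: datetime) -> Optional[str]:
        """Return the username for a live session and refresh its idle timer; None otherwise.
        Expired sessions are dropped on sight so a stale token cannot be replayed later."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.is_expired(now):
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.username

    def terminate(self, token: str) -> None:
        """Explicit logout: the token stops working immediately."""
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2018, 1, 17, 9, 0)
    token = store.create("jsmith", t0)
    print(store.validate(token, t0 + timedelta(minutes=10)))   # jsmith: still within the idle limit
    print(store.validate(token, t0 + timedelta(minutes=40)))   # None: 30 minutes idle since last request
```

Passing the clock in as a parameter rather than reading it inside the store is what makes the time-out behaviour testable without waiting; in production the caller supplies the current time on every request.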


Issue #22 (Access Control)

➲ Issue: There is no (documented) procedure to allow users to obtain access to the System in an emergency.

➲ Control Ideas:
● In the System's contingency plan (see Issue #8), document any emergency scenarios in which users would need to be able to obtain access.
● Develop, document, and implement emergency access procedures, if and as appropriate.


Issue #23 (Access Control)

➲ Issue: Encryption of the System's data is not being used when reasonable and appropriate.

➲ Control Ideas:
● Through the risk analysis process, identify any critical points, either within the System or in interfaces between the System and other systems, where data that is being stored or transmitted should be encrypted to protect it from unauthorized access.
● If and as needed, develop, document and implement appropriate encryption and key management procedures (see Issues #31-32).


When to Encrypt? Assess the Risks (Issue #23)

➲ Examples (often considered “high risk”):
● Sensitive data stored on a device that is at a non-negligible risk of loss or theft. Examples include portable devices such as laptops, PDAs, thumb drives, etc.
● Data transmitted over any network where there is a non-negligible risk of interception or eavesdropping. Examples include wireless transmission, and transmission over the Internet.
● Any stored and/or transmitted data that is especially sensitive, such as passwords and encryption keys.


Issue #24 (Network Access)

➲ Issue: One or more of the System's networked components is not being kept hardened in accordance with MUSC standards.

➲ Control Ideas:
● Develop and maintain an inventory of all networked system components.
● Identify who is responsible for configuring and maintaining each device in accordance with MUSC's security and networking standards.


Issue #25 (Audit Controls)

➲ Issue: There are no (documented) procedures for collecting and maintaining appropriate records of System activity.

➲ Control Ideas:
● Guided by the risk analysis process, identify what types of System event records should be collected.
● Document any gaps in the System's capability to collect the event records of interest.
● Develop, document and implement procedures for collecting and maintaining the event records of interest, to the extent possible and feasible.


Issue #26 (Audit Controls)

➲ Issue: An appropriate retention schedule for System activity records has not been established, has not been documented, or is not being followed.

➲ Control Ideas:
● Guided by the risk analysis process, determine an appropriate retention schedule for the System's event records, and document it.
● Implement the documented retention schedule.
● Re-visit / revise as needed, and during the System's normal risk management cycle.


Issue #27 (Audit Controls)

➲ Issue: System activity records are not being regularly reviewed and analyzed.

➲ Control Ideas:
● Assign responsibility for regular review and analysis of the System's event logs.
● If and as warranted by assessed risks, implement procedures for automated analysis of event records, and timely generation of security alerts, routed to the appropriate personnel.
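To make the second control idea concrete, here is an added example (not the module's own material, and not a real MUSC log format) of automated analysis over a small set of constructed event records. Two rules run over the records: a burst of authentication failures for one account inside a sliding window, routed to an on-call security contact, and any activity by an account that has already been deprovisioned (the situation Issue #5 is meant to prevent), routed to the system administrator. Lines that do not parse are reported separately, since an unparseable record is exactly the kind of collection gap Issue #25 asks the System owner to document. The record format, the threshold of 5 failures in 10 minutes, the deprovisioned-account list and the routing names are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed sample event records in a hypothetical key=value format; not output of any real system.
SAMPLE_LOG = """\
2018-01-17T08:58:10 host=app01 user=jsmith event=LOGIN_SUCCESS src=10.20.1.15
2018-01-17T09:00:01 host=app01 user=rlee event=LOGIN_FAILURE src=10.20.1.77
2018-01-17T09:00:04 host=app01 user=rlee event=LOGIN_FAILURE src=10.20.1.77
2018-01-17T09:00:09 host=app01 user=rlee event=LOGIN_FAILURE src=10.20.1.77
2018-01-17T09:00:15 host=app01 user=rlee event=LOGIN_FAILURE src=10.20.1.77
2018-01-17T09:00:21 host=app01 user=rlee event=LOGIN_FAILURE src=10.20.1.77
this line is not a well-formed event record
2018-01-17T09:12:40 host=app01 user=mgarcia event=RECORD_VIEW src=10.20.3.4
2018-01-17T09:30:00 host=app01 user=jsmith event=LOGIN_FAILURE src=10.20.1.15
2018-01-17T09:45:00 host=app01 user=jsmith event=LOGIN_FAILURE src=10.20.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Rule parameters are assumptions chosen for illustration.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)
DEPROVISIONED = {"mgarcia"}   # constructed: accounts whose authorization has been revoked (see Issue #5)


def parse(line: str) -> Optional[Dict]:
    """Parse one record; None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(log_text: str) -> Dict[str, List]:
    """Run both rules over the records; returns the alerts plus the unparseable lines."""
    alerts: List[Dict] = []
    unparsed: List[str] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)

    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            unparsed.append(line)   # a collection gap worth documenting (see Issue #25)
            continue
        user, ts = rec["user"], rec["ts"]

        # Rule 1: any activity by an account whose access should already be terminated.
        if user in DEPROVISIONED:
            alerts.append({"rule": "deprovisioned-account-activity", "user": user,
                           "at": ts, "route_to": "system-administrator"})

        # Rule 2: a burst of authentication failures inside a sliding window.
        if rec["event"] == "LOGIN_FAILURE":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append({"rule": "repeated-login-failure", "user": user, "count": len(window),
                               "src": rec["src"], "at": ts, "route_to": "security-on-call"})
                window.clear()   # one alert per burst, not one per additional failure

    return {"alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print("unparsed lines:", len(result["unparsed"]))
```

On the sample data the two jsmith failures at 09:30 and 09:45 do not raise an alert because they fall outside the 10-minute window of each other; the window and threshold are where the risk analysis process feeds into the rule, and both should be recorded alongside the rule so reviewers know why an alert did or did not fire.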


Issue #28 (Audit Controls)

➲ Issue: Procedures have not been established for making System activity records available for external review.

➲ Control Ideas:
● Determine who will be responsible for making logs and other event records available to authorized personnel during incident response and compliance investigations.
● If any special procedures need to be observed in these situations, document them.


Issue #29 (Person or Entity Authentication)

➲ Issue: Appropriate procedures and other controls are not being used to authenticate each person or entity seeking access to the System's protected information.

➲ Control Ideas:
● Develop, document and implement appropriate procedures for authenticating users, recipients, etc.
● Develop, document and implement appropriate procedures for authenticating other entities (e.g., interfaces with other systems).


Issue #30 (Data Integrity)

➲ Issue: The System's data is not being appropriately protected against improper alteration or loss during storage, processing or transmission.

➲ Control Ideas:
● Guided by the risk analysis process, determine any critical points in processing, storage and/or transmission where data requires special integrity protection.
● Develop, document and implement appropriate procedures and controls to protect data integrity at each of these critical points.


Issue #31 (Encryption)

➲ Issue: Appropriate encryption procedures are not being used.

➲ Control Ideas:
● For each critical point where encryption is needed (see Issue #23), develop, document and implement appropriate encryption procedures.
● Notes: Good encryption = good algorithms + good implementation + good configuration. It is easy to do encryption badly. Done badly, it can do more harm than good, so it's important to get it right.


Issue #32 (Encryption)

➲ Issue: Appropriate (documented) procedures are not being used to manage encryption keys.

➲ Control Ideas:
● Address key management during the development, documentation and implementation of the System's encryption procedures.
● Notes: The processing power of computers makes encryption (relatively) easy, but key management remains a fundamentally hard problem. It takes work to do it right.
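The following added example (illustrative code, not a procedure from the module or from MUSC) serves two of the slides above. For Issue #30 it shows the simplest cryptographic integrity control: each stored record carries an HMAC-SHA256 tag over a canonical serialization, so any alteration is detected on read. For Issue #32 it shows the part of key management that the note calls hard even when the cryptography is easy: tags name the key they were made with, a keyring can rotate to a new key while older keys stay available for verification, and a record is only re-tagged under the new key after it has verified under the old one, so rotation never launders a tampered record. The key identifier scheme and the sample record are assumptions. An HMAC provides integrity only, not confidentiality; where the risk analysis calls for encryption (Issue #23), this control complements it rather than replacing it.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict


class IntegrityKeyring:
    """Keeps integrity keys by identifier. Only the newest key tags new records;
    older keys stay available for verification until their records are re-tagged
    and the key is retired."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._current = ""
        self.rotate()

    def rotate(self) -> str:
        key_id = f"k{len(self._keys) + 1:03d}"   # hypothetical naming scheme for this example
        self._keys[key_id] = secrets.token_bytes(32)
        self._current = key_id
        return key_id

    def retire(self, key_id: str) -> None:
        if key_id == self._current:
            raise ValueError("cannot retire the key currently used for tagging")
        del self._keys[key_id]

    def current_id(self) -> str:
        return self._current

    def key(self, key_id: str) -> bytes:
        return self._keys[key_id]          # KeyError for unknown or retired identifiers


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(keyring: IntegrityKeyring, record: dict) -> dict:
    """Wrap a record with an HMAC-SHA256 tag under the current key."""
    key_id = keyring.current_id()
    tag = hmac.new(keyring.key(key_id), canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "key_id": key_id, "tag": tag}


def verify(keyring: IntegrityKeyring, envelope: dict) -> bool:
    """True only if the tag matches under the key named in the envelope."""
    try:
        key = keyring.key(envelope["key_id"])
    except KeyError:
        return False   # unknown or retired key: the record's integrity cannot be vouched for
    expected = hmac.new(key, canonical(envelope["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def retag(keyring: IntegrityKeyring, envelope: dict) -> dict:
    """Re-protect a verified record under the current key, the step that makes rotation safe."""
    if not verify(keyring, envelope):
        raise ValueError("record failed its integrity check; refusing to re-tag")
    return protect(keyring, envelope["data"])


if __name__ == "__main__":
    keyring = IntegrityKeyring()
    stored = protect(keyring, {"record_id": 1042, "status": "approved"})   # constructed sample record
    print(verify(keyring, stored))                                         # True
    altered = dict(stored, data={"record_id": 1042, "status": "denied"})
    print(verify(keyring, altered))                                        # False: data changed, tag did not
    keyring.rotate()
    stored = retag(keyring, stored)                                        # carried forward under the new key
    print(stored["key_id"], verify(keyring, stored))
```

The documented procedure a System owner would write around this code is the part the slide is really about: who may call rotate, how long a retired key's records are allowed to remain un-retagged, and where the key bytes themselves live, none of which the code decides for you.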


Issue #33 (Documentation)

➲ Issue: The System's processes for security management and operations are not being documented.

➲ Control Ideas:
● Assign clear responsibility for documenting each of the System's security management processes (including risk assessment, security planning, and monitoring and evaluation of the effectiveness of operational procedures).
● Assign clear responsibility for documenting each of the System's operational security procedures.


Issue #34 (Documentation)

➲ Issue: The System's security documentation is not available, reviewed, updated, or retained as required.

➲ Control Ideas:
● Assign clear responsibilities for:
  ● Making operational documentation available to all authorized personnel who need access to it.
  ● Reviewing and updating all documentation as needed.
● Use red binder for tracking changes, and for ensuring that all retention requirements are met.