Information Security Standards


Operational Security Standards



These standards specify security controls (i.e., safeguards or countermeasures) for information assets that are primarily implemented and executed by people (as opposed to information technologies).

  1. Pre-Employment Screening: The prior employment history for potential SCO personnel shall be carefully reviewed to ensure the individual has no privacy or security violation history (i.e., check references and with previous supervisors). Additionally, if permissible and/or appropriate for the duties and responsibilities of the position in question, criminal and/or financial history checks should also be performed.

  2. Separation of Duties: Owners and custodians of information shall ensure the principle of “separation of duties” is enforced in security control (i.e., safeguards or countermeasures) and business operations. Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple users and chains of command.

Segregation of duties in security controls ensures no single individual or organization is given too much responsibility -- no entity should be in a position to both perpetrate and conceal irregularities.

Two general categories of security control operations that must be separated are:

        • authorization vs. authentication administrative functions

        • user vs. administrator functions

  3. Least Privilege: Owners and custodians of information shall ensure the principle of “least privilege” is enforced in security control (i.e., safeguards or countermeasures) and business operations. A user, process, or application shall only be allowed to access and use those information assets necessary to conduct authorized business activities.

  4. Security Education and Awareness: The SCO Information Security Office (ISO) shall ensure information security is given a high priority in all current and future SCO activities and initiatives. The ISO shall provide regular and relevant information privacy and security education and awareness training to all SCO personnel by various means, which includes but is not limited to the ISO’s S.A.F.E. (Security Awareness for Employees) program. The S.A.F.E. program will consist of the following elements:

        1. New SCO personnel’s initial information security presentation at new employee orientation. (This orientation should be received as soon as possible upon hiring but no later than three months after assuming duties.)

        2. Electronic notices, briefings, pamphlets, and newsletter postings on the SCO Intranet (i.e., COIN) or delivered via email.

        3. Information security awareness tools to enhance awareness and educate personnel on information resource privacy and security threats and the appropriate safeguards.

        4. All SCO personnel shall receive annual (refresher) training in security education and awareness as part of the annual SCO Information Security Acknowledgement (ISO-004) process.

  5. Personnel Separation: Upon termination or other departure of an employee or contractor, SCO Human Resources, the appropriate SCO manager/supervisor, or the contract manager shall ensure all access and privileges to SCO systems, networks, and facilities are immediately revoked. Physical access badges shall be returned to the SCO Information Security Office immediately.

  6. Physical Security: All rooms, work areas/spaces, and facilities leased or owned by the SCO shall implement physical protection measures.

The SCO Information Security Office shall manage all physical protection systems implemented. Physical protection systems include, but are not limited to:

        1. Card-controlled gates and doors (administered by the SCO Information Security Office’s C*CURE system).

        2. Video cameras, motion detectors, and other intrusion security systems (administered by the SCO Information Security Office’s C*CURE system).

        3. Equipping all doors and openings on a security perimeter with alarms as well as devices that close and lock the doors/openings automatically (administered by the SCO Information Security Office’s C*CURE system).

        4. Automated alarm notification (from the Information Security Office’s C*CURE system) directly to assigned Information Security Office personnel and appropriate law enforcement agencies, or to a monitoring service that will immediately alert assigned Information Security Office personnel and appropriate law enforcement agencies.

Selection and implementation of physical security protections shall be coordinated among the SCO Information Security Office, Divisions, the Business Services Office, and applicable facility owners. (SCO Division Chiefs shall designate Physical Security Representatives to act on their behalf to plan and implement physical security protections.)

  7. Physical Access Control: SCO divisions are responsible for authorizing access into the rooms, work areas/spaces, and facilities they utilize. SCO Division Chiefs shall designate Physical Security Representatives to act on their behalf to authorize physical access to employees, authorized contractors, and facilities support staff by submitting a Physical Access Request form (ISO-002) to the Information Security Office. Individuals should be authorized the minimum access necessary to allow them to effectively accomplish their jobs.

        1. SCO Division Physical Security Representatives shall annually review access authorizations granted.

        2. SCO Division Physical Security Representatives shall immediately notify the ISO when an employee or contractor is terminated or departs, or when an employee’s job duties change, so that access authorization can be revoked or changed appropriately.

        3. SCO Division Physical Security Representatives are responsible for returning access badges to the SCO Information Security Office.

  8. Visitors to SCO Facilities: SCO divisions shall restrict and control visitor access at all times to rooms, work areas/spaces, and facilities under their control. The division shall maintain records that contain visitor access information.

Visitors shall be escorted and supervised by division or SCO designated employees while within SCO controlled access rooms, work areas/spaces, and facilities.

Unless authorized by the SCO division management, visitors shall not utilize any image, audio, or electronic information recording device within an SCO controlled access room, work area/space, or facility.

  9. Information Protection in the Work Area: All electronic, photographic, and hard copy media (e.g., flash drives, disk drives, diskettes, external hard drives, portable devices, photos, microfiche, tapes, and paper documents) containing confidential or sensitive information shall be physically protected from unauthorized use, loss, and theft. All media containing confidential or sensitive information must be secured (e.g., kept in a locked room, drawer, cabinet, or safe) when not in use or unattended. To the extent possible, media containing confidential or sensitive information shall be turned over or put out of sight when visitors or individuals not authorized to access it are present.

  10. Sanitization and Disposal of Information: Owners and custodians of information shall ensure the sanitization and disposal methods utilized for electronic, photographic, and hard copy media, and other information technology resources (e.g., servers, routers, bizhubs, printers, etc.), render the confidential or sensitive information contained on the media or resource unreadable and unrecoverable. Media sanitization activities shall comply with the recommendations stated in NIST Special Publication 800-88: Guidelines for Media Sanitization.

  11. Information Exchange via Portable Information Storage Devices: SCO confidential or sensitive information exchanged or transferred through portable information storage devices (e.g., USB/flash drives, PDAs, CD-ROMs, DVDs, tape, etc.) shall be protected by password/PIN access control and encryption when transported outside an SCO facility.

  12. Information Asset Transport / Shipping: All information assets containing confidential or sensitive information that are transported / shipped to a non-SCO entity or to a destination outside an SCO facility shall, at a minimum, be securely packaged in a double-sealed conveyance (e.g., envelope, box, container, etc.). The second seal should be appropriately marked with the “unauthorized use” notice and the classification of the information contained on the asset. The receipt and delivery of the asset shall be monitored and accounted for to ensure the asset is not lost and the information has not been compromised while in transit.

Information assets being transported / shipped for repair, replacement, or disposal shall have all SCO information sanitized from them prior to leaving an SCO facility. (Reference: Operational Security Standard 309.)

  13. Workstations: All SCO workstations, laptops, and portable computing devices (e.g., PDAs), if technically feasible, shall implement an inactivity time-out mechanism (e.g., password protected screen saver) that hides the information displayed and locks use until the authorized user re-authenticates. The period of inactivity shall be a maximum of 15 minutes.

If the workstation, laptop, or portable computing device cannot technically support an inactivity time-out mechanism, users shall log off or manually lock the device before leaving it unattended.

  14. Laptops and Portable Computing Devices: All SCO laptops and portable computing devices (e.g., PDAs) containing confidential or sensitive information shall have access control (e.g., userID & password protection) and a disk encryption protection mechanism. If technically feasible, laptops and portable computing devices shall include firewall and malicious code safeguards.

  15. Backup Data: Owners and custodians of information shall implement and enforce proper backup procedures for all system and network information based on the business needs. Backup information shall be stored a safe distance from the primary system and shall not share the same environmental conditions and disruption risks as the primary system.

  16. Business Continuity Planning: The SCO Information Security Office (ISO) has primary leadership responsibility for the SCO Business Continuity and Incident Management Plans. SCO Division Chiefs shall designate Business Continuity Coordinators (BCC) to act on behalf of their divisions to collaboratively work with the Information Security Office to ensure that division critical business services and operations are sustained following a disaster or adverse event.

  17. Disaster Recovery Planning: The SCO Information Systems Division (ISD) has primary leadership responsibility for the SCO Disaster Recovery Plan (DRP). The DRP identifies, prioritizes, and documents disaster recovery planning requirements and tasks necessary to recover all SCO Division identified critical systems, networks, applications, and other information technology resources. SCO Divisions shall collaboratively work with ISD to ensure that division critical information technologies and the information they contain are recovered and/or restored following a disruption of service, disaster, or adverse event.

  18. Information Security Incident Reporting: Information security incidents (as defined in Appendix A: Information Security Incident Categories and Reporting Timeframes) shall be reported to the SCO Information Security Office within the timeframe specified for the incident category. The SCO Information Security Incident Report form (ISO-10) shall be utilized to document all reportable information security incidents.

Where immediate notification is the timeframe specified for the incident category, SCO personnel shall report incidents to the SCO ISO by one of the following means:

        • Contacting the ISO’s Help Desk at 916-322-8094.

        • Using the ISO’s email account: infosec@sco.ca.gov.

        • Contacting a member of the ISO staff directly.

After immediate reporting, an ISO-10 shall be submitted as follow-up within two business days.

The SCO Information Security Office, after consultation with Executive Management, shall determine what, if any, outside authorities need to be contacted in regard to confirmed information security incidents, in accordance with applicable State and federal laws and procedures.

Information concerning information security incidents is considered confidential. All SCO personnel and contractors contacted directly by the media should inform reporters that it is departmental procedure for all media inquiries and requests to be directed to the SCO Communications Office. All SCO personnel and contractors shall comply with the provisions of SCO Information Memorandum 07-07.

SCO personnel shall report equipment thefts to the SCO Information Security Office if the theft occurs within an SCO facility. If the theft occurs outside a facility owned or leased by the SCO, local law enforcement should be contacted first and then the SCO Information Security Office.
