Information Security Standards


Technical Security Standards




These standards specify security controls (i.e., safeguards or countermeasures) for information assets that are primarily implemented and executed by the information asset custodian through mechanisms contained in the hardware, software, or firmware components of the asset.

  1. Access Control: Users shall be provided access to SCO confidential or sensitive information, networks, and systems in accordance with a defined standard of access control such as:

        • Discretionary access control.

        • Mandatory access control.

        • Role-based access control.

The SCO default for access is role-based access control.

Access rights of users in the form of read, write, and execute shall be controlled appropriately, and the outputs of those rights shall be seen only by authorized individuals.



  1. User Identification: To establish individual accountability for access and use of systems and networks, UserIDs shall be unique to each authorized production environment user.

  2. User Authentication Techniques: Authentication techniques for all SCO systems and networks shall be commensurate with the authentication assurance level established by the owner of information based on risk and sensitivity of the system, network, and the information classification. (Reference: NIST Special Publication 800-63: Electronic Authentication Guideline.)

The use of password-based authentication (Authentication Assurance Level 2) is the default for the SCO.

  1. Password Standards: Passwords used for user authentication shall be system enforced to comply with the following criteria:

        1. Passwords shall be a minimum length of eight (8) characters in a combination of case sensitive alphabetic characters and either numeric or special characters. The only special characters that should be utilized are @, #, and $.

        2. Password changes for standard and privileged users shall be systematically enforced where possible.

        3. Passwords shall be changed every ninety (90) days, at a maximum, for standard user accounts to reduce the risk of compromise through guessing, password cracking, or other attack and penetration methods.

        4. Passwords shall be changed every sixty (60) days, at a maximum, for privileged user accounts to reduce the risk of compromise through guessing, password cracking, or other attack and penetration methods.

        5. Users shall be prohibited from changing their passwords for at least fifteen (15) days after a recent change; that is, the minimum password age shall be fifteen (15) days.

        6. Privileged users shall be able to override the minimum password age limit for users when necessary to perform required job functions.

        7. The authentication system shall routinely prompt users to change their passwords within five to fourteen (5-14) days before such password expires.

        8. Passwords shall be systematically disabled after a period of inactivity determined by business requirements or ninety (90) days to reduce the risk of compromise through guessing, password cracking, or other attack and penetration methods.

        9. Users shall be prohibited from using, at a minimum, their last six (6) passwords to deter reuse of the same password.

        10. A user account lockout feature shall disable the user account after five (5) unsuccessful consecutive login attempts. Account lockout duration shall be permanent until an authorized authentication system administrator reinstates the user account.

        11. Clear-text representation of passwords shall be suppressed (blotted out) when entered at the login screen.
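An added example, not part of the SCO standard: a small Python model of the password criteria above (composition, minimum and maximum age, history of six, lockout after five failures), useful for checking that a system's enforcement matches the written rules. The class and function names, the PBKDF2 storage of history entries, the 14-day start of the expiry warning, and the reading of the composition rule (at least one letter plus a digit or one of @, #, $) are assumptions.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field
from datetime import date

MAX_AGE = {"standard": 90, "privileged": 60}    # days between forced changes
MIN_AGE, WARN_DAYS, HISTORY, MAX_FAILS = 15, 14, 6, 5
RULES = [  # assumed reading of the composition criterion
    (r".{8,}", "shorter than 8 characters"),
    (r"[A-Za-z0-9@#$]*", "character outside letters, digits, @ # $"),
    (r".*[A-Za-z].*", "no alphabetic character"),
    (r".*[0-9@#$].*", "no numeric or special character")]

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def composition_errors(pw):
    return [msg for rx, msg in RULES if not re.fullmatch(rx, pw, re.S)]

@dataclass
class Account:
    role: str = "standard"
    changed: date = date(2024, 1, 1)             # constructed sample date
    history: list = field(default_factory=list)  # [(salt, hash)], newest last
    fails: int = 0
    locked: bool = False

    def change_password(self, pw, today, admin_override=False):
        errs = composition_errors(pw)
        if self.history and not admin_override and (today - self.changed).days < MIN_AGE:
            errs.append("minimum password age of 15 days not reached")
        if any(hmac.compare_digest(_hash(pw, s), h) for s, h in self.history[-HISTORY:]):
            errs.append("matches one of the last 6 passwords")
        if not errs:
            salt = os.urandom(16)
            self.history = (self.history + [(salt, _hash(pw, salt))])[-HISTORY:]
            self.changed, self.fails = today, 0
        return errs

    def status(self, today):
        left = MAX_AGE[self.role] - (today - self.changed).days
        return "expired" if left <= 0 else "warn" if left <= WARN_DAYS else "ok"

    def login(self, pw):
        if self.locked or not self.history:
            return False
        salt, h = self.history[-1]
        ok = hmac.compare_digest(_hash(pw, salt), h)
        self.fails = 0 if ok else self.fails + 1
        self.locked = self.fails >= MAX_FAILS     # stays locked until an admin resets it
        return ok
```

Only salted hashes of the last six passwords are kept, so the reuse check never needs the clear-text history.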

  1. Automatic Session Timeout: Where technically feasible, all SCO applications shall establish and implement limits of time a session is allowed to remain idle before it is automatically timed out and terminated. The default time-out length is fifteen (15) minutes, but can be configured to meet business needs.

  2. Use Warning Banner: All SCO systems and networks shall display the following log-on warning banner at all system access points:

"This is a State of California, Office of the State Controller computer system, which may be accessed and used only for official Government business by authorized personnel.  Unauthorized access or use of the computer system may subject violators to criminal, civil, and/or administrative action.  All information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations.  Access or use of this computer system by any person whether authorized or unauthorized constitutes consent to these terms."

  1. Audit Trails: Based on business requirements, SCO systems and networks shall generate audit logs that show, at a minimum, addition, modification, and/or deletion of confidential or sensitive information.

Audit trails shall establish accountability for activities conducted by users or systems. Audit logs must be protected from unauthorized modification, access, or destruction. Audit trail retention shall be based on business and legal requirements.

  1. Secure Communications: An end-to-end encrypted tunnel shall protect SCO confidential or sensitive information communicated through public or shared networks not under the direct control of the SCO. The encryption methodology utilized shall comply with SCO Technical Security Standard 409: Encryption Standard.

  2. Secure Storage: SCO confidential or sensitive information shall be encrypted while at rest (stored) within a DMZ or when directly accessible from a public or shared network not under the direct control of the SCO. The encryption methodology utilized shall comply with SCO Technical Security Standard 409: Encryption Standard.

  3. Encryption Standard: Encryption technologies utilized by the SCO shall comply with Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) guidelines. At a minimum, encryption algorithms shall be at least 128-bit. (References: NIST Special Publications 800-29: A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2; 800-53: Recommended Security Controls for Federal Information Systems; 800-111: Guide to Storage Encryption Technologies for End User Devices.)

  4. Network Boundary Security: Interfaces between SCO systems and networks and public or shared networks not under the direct control of the SCO shall be protected utilizing the following controls:

        1. Port-based restrictions on traffic flow.

        2. Physical and/or logical segregation by the use of a DMZ (De-Militarized Zone) or Virtual Local Area Network (V-LAN) architecture configuration.

        3. Network Address Translation (NAT). (If technically feasible, the use of Port Address Translation (PAT) is recommended.)

  1. Firewall Standard: All incoming and outgoing connections from SCO systems and networks to public or shared networks not under the direct control of the SCO shall be made through a packet filtering firewall.

  2. Controlled Pathways (Gateways): All incoming and outgoing TCP/IP SCO network Application Layer communications shall be conducted via centrally designated gateways.

  3. Malicious Code Protection: Malicious code protection software shall be installed, maintained, and utilized on all SCO systems and network components (where technically feasible).

  4. Remote Access: Remote user access to SCO network internal systems shall be protected, at a minimum, in the following manner:

        1. User systems connecting remotely to SCO network internal systems shall be managed (owned or leased) by the SCO.

        2. User systems connecting remotely to SCO network internal systems must have antivirus software installed.

        3. User systems connecting remotely to SCO network internal systems shall have the latest operating system and application patches installed.

        4. Access to user or internal system diagnostic ports (especially dial-up diagnostic ports) shall be securely controlled and enabled only when needed for authorized diagnostic access.

        5. All SCO users and user systems establishing a remote connection to a SCO network internal system shall be authenticated.

        6. Inbound and outbound network traffic shall be controlled and limited to only that necessary to accomplish the business need.

        7. Inbound and outbound traffic shall be encrypted.

        8. Split-tunneling or dual homing shall be prohibited.

  1. Product Assurance (System Hardening): All SCO information technologies shall be configured to meet business needs and reduce information security risk. At a minimum, all unnecessary software, services, ports, and drivers shall be disabled, removed, or closed; and default account credentials shall be changed. Additionally, based on business or security requirements, file protections and audit logging shall be enabled.

  2. Patch Management: Manufacturer/vendor security patches shall be applied to all SCO systems and networks in a manner that ensures maximum protection against security vulnerabilities and minimum impact on SCO business operations. Custodians of information are responsible for implementing a patch management procedure that contains a systematic process of identifying, prioritizing, acquiring, implementing, testing, and validating security patches necessary for each system or network. A risk-based decision must be documented if security patches are not applied to a system or network.

  3. System-to-System Interconnection (Node Authentication): Where non-SCO systems or applications connect to a SCO system or application, or where SCO systems or applications connect to SCO systems or applications via public or shared networks not under the direct control of the SCO, node authentication is required.

  4. Wireless Local Area Network Security Standard: Wireless local area network (LAN) technology shall only be deployed if it is not technically or physically feasible to deploy a wired LAN architecture. (Reference: NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks.)

        1. Wireless LANs shall be segregated from SCO networks and systems via a firewall.

        2. Wireless LAN access points (AP) shall be physically secured.

        3. The Wireless LAN Service Set Identifier (SSID) shall be changed from the default value. The SSID shall not contain characters that indicate the location of the wireless LAN (WLAN) access point, the name of the SCO, or any other identifying name. The SSID broadcast function shall be disabled, except where technology does not permit.

        4. All access points shall require a password to access their administrative features. This password shall be stored and transmitted in an encrypted format.

        5. The ad hoc mode for IEEE 802.11, also referred to as peer-to-peer mode or Independent Basic Service Set (IBSS), shall be disabled.

        6. Wireless LAN communications shall be encrypted. At a minimum, 802.11i (WPA2) compliant Advanced Encryption Standard (AES) 128-bit encryption shall be utilized.


