Information Security Standards



Manual Maintenance


The SCO Information Security Program Standards Manual reflects the framework and objectives of the SCO Information Security Program. Standard changes or updates should be submitted to the SCO Chief Information Security Officer. Standards will be reviewed annually by the SCO Information Security Office to ensure continued relevance in assuring information security and SCO business objectives.

Information Security Standards

Roles and Responsibilities

Standards for Information Asset Users


These standards are applicable to all SCO functional organizations and personnel, including SCO employees, contractors, and vendors authorized to use SCO information assets.

For the purposes of these standards, the above entities are collectively known as Information Asset Users. This definition of “information asset user” excludes the general public whose only access is through publicly available services, such as the public websites of the SCO.




  1. User Compliance: Users shall abide by California State Controller’s Office (SCO), State, and Federal (when applicable) policies, laws, rules, regulations, standards, and procedures pertaining to information security, confidentiality, and privacy when handling information assets by or entrusted to the SCO. Users shall comply with defined business use criteria established by the owner of information for each information asset they utilize. Additionally, users shall comply with SCO Administrative Policy Section 3.300-Incompatible Activities and Internet/E-mail Policy when utilizing SCO information assets.

  2. User Activity Monitoring Notice: As stated in the SCO Internet/E-mail Policy, the SCO reserves the right to monitor and filter the use of its information assets. Users shall have no expectation of privacy unless expressly granted by SCO executive management.

  3. User Security Acknowledgement: Users shall annually, or when beginning employment, read, acknowledge, and sign the SCO Information Security Acknowledgement form (ISO-004).



  4. User Information Security Incident Reporting: Users shall report any suspected or actual information security incident that falls within the reportable categories to the SCO Information Security Office, the owner of information, and the custodian of information. (See Operational Security Standard 317 and Appendix A: Information Security Incident Categories and Reporting Timeframes.)

  5. Physical Access / ID Badges: SCO employees and contractors shall wear physical access / ID badges issued by the SCO ISO at all times when within a facility owned or leased by the SCO.

      a. Physical access / ID badges shall be worn in such a manner as to be readily visible.

      b. Physical access / ID badges assigned to individuals shall not be shared or loaned to another person.

      c. The loss or theft of a physical access / ID badge shall be immediately reported to the applicable Division Physical Security Representative and the SCO Information Security Office.

  6. Prohibited Activities: Users shall not disable, remove, install with intent to bypass, or otherwise alter SCO systems, networks, or security and administrative settings or components designed to protect or administer the SCO’s information assets.

      a. Users shall not download or install unapproved software on SCO information assets (e.g., PCs, IT systems, or networks).

      b. Users shall not connect unapproved hardware to SCO information assets (e.g., PCs, IT systems, or networks).

(The SCO Information Systems Division maintains the approved software and hardware lists. See SCO PC Hardware and Software Standards; and Enterprise Architecture Standards.)

  7. Personally Owned Equipment and Software: The use of personally owned or non-SCO equipment and software to process, access, or store SCO confidential or sensitive information is prohibited. Personally owned or non-SCO equipment and software include, but are not limited to, personal computers and related equipment and software, Internet service providers, personal e-mail providers (e.g., Yahoo, Hotmail), personal library resources, handheld and Personal Digital Assistant (PDA) devices, cellular phones, cameras, facsimile machines, wireless systems, and photocopiers. Such personally owned equipment and software shall not be used to process, access, or store SCO confidential or sensitive information, or be connected to SCO systems or networks, without written authorization from the appropriate SCO owner and custodian of information and the SCO Chief Information Security Officer.

  8. Laptop / Portable Information Storage Device Use: Users shall not store any information classified as confidential or sensitive on laptop computers or other portable information storage devices (e.g., USB/flash drives, PDAs, CD-ROMs, DVDs, tape, etc.) unless:

      a. The device is owned or leased by the SCO.

      b. The device is password/PIN protected.

      c. The information is secured using an approved encryption technology.

      d. The user is authorized by the applicable owner to have access to the confidential or sensitive information. Access to information must be for business purposes only.

  9. User Authentication Credential Security: Users shall be continuously aware that all credentials (e.g., the combination of User IDs, passwords, and/or access tokens) that allow access to SCO information assets are explicitly the property of the SCO. SCO credentials are classified as confidential information and must be handled and protected as such.

Each user is responsible for protecting the credentials assigned to them and shall not share these credentials with anyone else. If credentials are compromised, lost, or stolen, the user shall immediately report this to a supervisor and to the appropriate authentication system administrator to avoid unauthorized access or misuse. Credentials may be shared with system maintainers, but the password must be changed immediately after maintenance or repair is complete.

Note: An information security best practice for protecting a password is to avoid writing passwords down or storing them electronically unless they are password protected and encrypted. Passwords should not be inserted into e-mail messages or other forms of electronic communication without password protection and encryption of the information. Conveying a password in a telephone call should only be done when the receiving party is positively identified. Mobile phones should not be used to convey a password. Commit passwords to memory!

  10. Password Use: Users may use the same password on internal systems, network devices, or applications, but shall not use their internal password for external systems, such as for accounts on an external web site, as these web sites may not protect passwords in an acceptable manner.

  11. User Password Rules: Users shall compose their own passwords. Users shall abide by the following standards when composing their password:

      a. Passwords shall consist of a minimum of eight (8) characters.

      b. Passwords shall consist of a combination of case-sensitive alphabetic characters and one (1) numeric or special character. The only special characters that should be utilized are @, #, or $.

Note: When composing a password, do not use dictionary words or obvious combinations of letters and numbers. Obvious combinations of letters and numbers include first names, last names, initials, pet names, user accounts spelled backwards, repeating characters, consecutive numbers, consecutive letters, and other predictable combinations and permutations.

      c. Passwords shall be changed, at a maximum, every ninety (90) days.

      d. Users shall not re-use their last six (6) passwords.
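The following is an added example, not part of the SCO manual, showing how the composition, "obvious combination", history, and 90-day rules above can be enforced at password-change time. It assumes "case-sensitive alphabetic characters" means both upper- and lower-case letters are required, treats any run of three identical or consecutive characters as "repeating" or "consecutive", and uses a constructed word list and a constructed per-user salt; the function names are hypothetical.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a dictionary word list; a real deployment uses a full list.
DICTIONARY = {"password", "welcome", "controller", "summer"}
ALLOWED_SPECIALS = "@#$"  # the only special characters the standard permits


def pw_hash(pw, salt):
    """Salted PBKDF2 hash used for the last-six password history comparison."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


def _has_run(s, n=3):
    """True if s contains n identical, ascending, or descending consecutive characters (assumption: n=3)."""
    for i in range(len(s) - n + 1):
        codes = [ord(c) for c in s[i:i + n]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, username, history_hashes, salt, first_name="", last_name=""):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() or c in ALLOWED_SPECIALS for c in pw):
        problems.append("needs a numeric or one of the special characters @ # $")
    if any(not c.isalnum() and c not in ALLOWED_SPECIALS for c in pw):
        problems.append("only @, # and $ are permitted as special characters")
    for label, word in (("user account", username), ("first name", first_name), ("last name", last_name)):
        w = word.lower()
        if w and (w in low or w[::-1] in low):  # forwards or spelled backwards
            problems.append(f"contains the {label} (forwards or backwards)")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if _has_run(low):
        problems.append("contains repeated or consecutive characters")
    if pw_hash(pw, salt) in history_hashes[-6:]:  # rule d: last six passwords
        problems.append("matches one of the last six passwords")
    return problems


def password_expired(last_changed, today=None, max_age_days=90):
    """True if the password is older than the 90-day maximum (rule c)."""
    today = today or date.today()
    return today - last_changed > timedelta(days=max_age_days)
```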



