Operations Security Plan Document Name: New Hampshire Lottery Operations Security Plan Date: January 2014


Operations Security Plan
Prepared for the
Document Name: New Hampshire Lottery Operations Security Plan
Date: January 2014

Table of Contents

Section: Introduction; Purpose; Objective
Section: Introduction; Risk and Vulnerability Assessment; Security Coordination; Information Security Responsibilities; Authorization Process; Independent Review; Third Party Access Assessment
Section: Introduction; Formulating Strategy; Strategic Areas
Section: Recruiting and Resource Security; Job Descriptions; General Manager; Operations Manager; Business Analyst; Operations Security Manager; Physical Security Manager; Marketing Manager; Customer Service Manager; Recruitment Screening; Confidentiality Agreement; User Training; Incident Reporting; Security Weakness; Software Malfunction; Disciplinary Action; Control of Personnel
Section: Secure Areas; Physical Security Perimeter; Physical Entry Controls; Operations; Delivery and Loading Area Security; Clear Desk Policy; Removal of Property; Equipment Security; Equipment Protection; Power Supply; Cabling Security; Equipment Maintenance; Off-Site Equipment Security; Equipment Disposal
Section: Malicious Software Protection; Virus Controls; Housekeeping; Data Back-up; Operator Logs; Fault Logging; Environmental Monitoring; Media Handling and Security; Removable Computer Data Media Management; Data Handling Procedures; System Documentation Security; Media Disposal; Application Access Control; Information Access Restriction; System Utilities Use; Data and Software Exchange; Data and Software Exchange Agreements; Media in Transit Security; Electronic Mail Security; Electronic Office Systems Security; Development and Support Environments Controls; Change Control Procedure; Operating System Change Technical Review; System Planning and Acceptance; Capacity Planning; System Acceptance; Fallback Planning; Change Control
Section: System Security Requirements; Security Requirements and Specifications; Operational Procedures Documentation; Incident Management Procedures; Segregation of Duties; Separation of Development and Operational Facilities; External Contractor Management; Monitoring System Access and Use; Event Logging; System Use Monitoring; Clock Synchronization; Application Access Control; Information Access Restriction; System Utilities Use
Section: Business Requirement for Network Security; Access Control Policy; User Access Management; User Registration; Privilege Management; User Password Management; User Access Rights Review; User Responsibilities; Password Use; Unattended User Equipment; Network Access Control; Limited Services; Enforced Path; User Authentication; Node Authentication; Remote Diagnostic Port Protection; Network Connection Control; Network Routing Control; Network Management; Network Security Controls; Monitoring Network System Access and Use; Event Logging; Network System Use Monitoring; Clock Synchronization
Section: Retailer Terminal Access Control; Automatic Terminal Identification; Terminal Logon Procedures; User Identifiers; Terminal Time-out
Section: Access Security; Applications and Data Security; Input Data Validation; Internal Processing Validation; Data Encryption; Message Authentication; Application Access Control; Information Access Restriction; Database Files Security; Database Control; Test Database Protection
Section: Controlling Patches; Change Control
Section: Introduction; Procedures for Responding; Incident Management Procedures; Key Personnel; New Hampshire Lottery; New Hampshire State Agencies; INTRALOT
Section: Compliance with Legal Requirements; Control of Proprietary Software Copying; Safeguarding Organizational Records; Data Protection; Misuse of Facilities Prevention; Clear Desk Policy; Removal of Property; Program Source Library Access Control; Sensitive System Isolation; Media Handling and Security; Removable Computer Media Management; Data Handling Procedures; System Documentation Security; Media Disposal
Section: Overview; Evaluation Process; Ensuring Security Policy Compliance; Evaluation Procedure
Section: Introduction; User Responsibilities; User Training; Control of Personnel; Clear Desk Policy; User Password Management; Data Handling Procedures; Incident Reporting; Confidentiality Agreement; Disciplinary Action; Training
Section: Introduction; Audit Security Review; Audit Controls; System Audit Tools Protection

Section 1 Business Impact Analysis

Introduction

The availability, integrity and confidentiality of information, systems and networks that support business assets are essential to maintain legal compliance and a respected organizational image. Information security management enables information to be shared, while ensuring the protection of information and computing assets. The day-to-day business operation of the New Hampshire Lottery and the resulting beneficiaries of its success depend on this security and the public trust. Information security is essential to protect the integrity of the total system which processes gaming transactions, and its importance cannot be overstated. It has three basic components:

- Confidentiality, which is protecting sensitive information from unauthorized disclosure or intelligible interception.
- Integrity, which is safeguarding the accuracy and completeness of information and computer software.
- Availability, which is ensuring that information and vital services are available to users when required.

Purpose

The purpose of the Operations Security Plan (OSP) is to ensure business continuity and minimize the impact of security incidents.

Objective

Information takes many forms. It can be stored on computers, transmitted across networks, printed out or written down on paper, and spoken in conversations. The objective of the OSP is to apply appropriate protection to all forms of information, including papers, databases, files, tapes, materials, and any other methods used to convey knowledge and ideas. Additionally, the Operations Security Plan specifies actions to be taken in the event of a security breach to maximize containment and prevent, as much as possible, any impact on operations.

The key to a fully functional Operations Security Plan is to have the processes, procedures, and safeguards in place to avoid compromise. This plan makes every effort to provide a means of accomplishing this goal. Since the operation of the New Hampshire Lottery and INTRALOT alike will evolve over the period of our partnership, the OSP must also evolve in order to provide directives that are current, promote maximum efficiencies, and incorporate the latest tools and techniques. Timelines and procedures for scheduled audits and updates can be found in Section 14 Plan Evaluation of this document.

VT Operations Security Plan APR 2010 (DRAFT) CONFIDENTIAL Page 1 of 80

Section 2 Risk, Threat and Vulnerability Analysis

Introduction

A Risk Assessment is performed in order to determine how best to manage information security within the organization. A management framework is established to initiate and control the implementation of the Operations Security Plan within the organization. Management forums are established to approve operations security policy, to assign security roles, and to coordinate the implementation of security across the organization.

Designated Lottery staff such as the Director, currently Mr. Charles McIntyre, the Security Director, Auditing, and agents of the New Hampshire State Troopers, along with INTRALOT New Hampshire Project and Corporate security personnel, will form the core of the forum committee. Multi-disciplined approaches to information security are encouraged, such as auditors, users and administrators working together to address security issues effectively. Typically the forum undertakes the following:

- review and approve information security policies and overall responsibilities;
- monitor exposure to major threats to information assets;
- review and monitor security incidents;
- approve major initiatives to enhance information security.

Risk and Vulnerability Assessment

Risk analysis techniques are applied to complete information systems and facilities. Assessment of risks involves systematic consideration of the following items:

- the business harm likely to result from a significant breach of security, taking into account the potential consequences of failures of information confidentiality, integrity, and availability;
- the realistic likelihood of such a breach occurring in the light of prevailing threats and controls.

The results of this assessment will help to guide and determine the appropriate management action and priorities for managing information security risks and for implementing the controls.

Security Coordination

Information security measures are coordinated through a cross-functional forum. This forum, made up of INTRALOT and Lottery management, is necessary to coordinate the implementation of information security measures. Security professionals from the New Hampshire Lottery should attend as required due to the regulations imposed by any state agency on behalf of the Lottery and the pass-through connectivity between the gaming system and State of New Hampshire networks. Consult the New Hampshire ITSD agency for security guidelines to include, but not limited to:

- Remote Access
- Virtual Private Network
- Computer Incident Reporting
- Online Privacy Policy
- New Hampshire Lottery Online System Request for Proposal
- INTRALOT Proposal to Online System Request for Proposal

Typically, such a forum:

- agrees to specific roles and responsibilities for information security across both organizations;
- agrees to specific methodologies and processes for information security, such as risk assessment and a security classification system;
- agrees and supports organization-wide security initiatives, such as a security awareness program;
- ensures that security is part of the information planning process;
- coordinates the implementation of specific information security measures for new systems or services;
- promotes the visibility of business support for information security throughout both organizations.

Information Security Responsibilities

The security of the On-line Gaming System (LOTOS) is the responsibility of INTRALOT. INTRALOT management may delegate security authority to individual user managers or service providers. Nevertheless, we remain ultimately accountable for protecting the security of the system. The areas for which individual managers are responsible include:

- The various assets and security processes associated with each individual system.
- The responsibility for each asset or security process.
- The assignment of authorization levels.

Authorization Process

Two levels of authorization are implemented, as follows:

(a) Business approval. Each site (primary Data Center and Backup Site) will have appropriate user management approval, authorizing its purpose and use. Approval is maintained for the system security environment, to ensure that it conforms to all relevant security policies and requirements.

(b) Technical approval. Where necessary, all devices connected to the communication network or maintained by a particular service provider will be of an approved device type.

Independent Review

The Operations Security Plan sets out responsibilities and policy for information security. It is reviewed both internally, by the Lottery, and by an independent audit. The actual practice of information security is reviewed to provide assurance that organizational practices properly reflect the Plan, and that it is feasible and effective.

Third Party Access Assessment

Where there is a business need to connect to the system from a third party, a risk analysis is carried out to identify any requirements for specific security measures. The analysis will take into account the type of access required, the value of the information, the security measures employed by the third party and the implications of the access for the security of the organization system infrastructure. Access to organizational facilities will not be provided until the appropriate measures have been implemented and a contract has been signed defining the terms for the connection.


Section 3 Security Strategy

Introduction

Security encompasses the overall operation of the New Hampshire gaming system environment and cannot be concerned only with a limited scope such as the data centers themselves. Every system, facility, and asset associated with the operation must be considered. For this reason, our strategy must consider a broad focus entailing:

- physical security
- electronic security
- intellectual property/copyrighted material security
- communications security

Formulating Strategy

As stated in Section 2 Risk, Threat, and Vulnerability Assessment, key players have the shared responsibility to continuously reshape the OSP so that it best achieves its goal. We must maintain a constant and coordinated vigil due to the evolving mission of the Lottery/INTRALOT partnership, the size and scope of operations, and the steady emergence of new threats.

Strategic Areas

This plan lays out specific strategic areas of concern and deals with the unique circumstances on an individual basis. The areas have been broken down into:

- Personnel Security Practices: minimizing risks due to the quality, knowledge, and restrictions placed on our personnel resources
- Physical Security: safeguards in place to harden, control access to/from, and monitor physical facilities
- Data Security: control of sensitive data through least privileged access, encryption measures, and archive/destruction procedures
- Systems Security: controlling access to and the hardening of the gaming system to minimize exposure
- Telecommunications Operational and Physical Security: controlling and hardening of communications and physical security
- Terminal Security: protection of the terminal from malicious intent and unauthorized access
- Telecommunications Access Security
- Applications and Data Security: controlling access to and the hardening of system applications and data
- Patch Management: processes for testing and implementation of patches to hardware and software
- Incident Response: procedures for recognition training, reporting, and escalation
- Protection of Software and Other Copyrighted Materials: safeguarding valuable soft assets through least privileged access, proper storage, and effective backup plans
- Plan Evaluation
- Security Awareness and Training
- Plan Maintenance

Section 4 Personnel Security Practices

Recruiting and Resource Security

Security roles and responsibilities are included in job descriptions, where appropriate. These include any general responsibilities for implementing or maintaining security policy, as well as any specific responsibilities for the protection of particular assets, or for the execution of particular security processes or activities.

Job Descriptions

General Manager
The General Manager is responsible for all activity at the Primary Data Center and the Backup Data Center.

Operations Manager
The Operations Manager is responsible for all activity in the Operations and Hotline department, including computer and network operations. The Operations Manager is also responsible for overseeing data storage procedures.

Business Analyst
The Business Analyst is responsible for all activity associated with testing software and hardware.

Operations Security Manager
The Operations Security Manager is responsible for the system security of the Primary Data Center and the Backup Data Center.

Physical Security Manager
The Security Manager is responsible for the physical security of the Primary Data Center and the Backup Data Center.

Marketing Manager
The Marketing Manager is a liaison with the Lottery to assist with sales and marketing strategy, and is responsible for all terminal training activity.

Customer Service Manager
The Customer Service Manager is responsible for all terminal maintenance and repair activity and for managing all warehouse activity.

Recruitment Screening

Applications for employment are screened for all positions within the INTRALOT organization. The following checks are made for each application under consideration for a position:

- at least four (4) satisfactory character references, two business and two personal;
- a check for completeness and accuracy of the applicant's job application;
- confirmation of academic and professional qualifications;
- identification verification (e.g., driver's license, passport);
- a credit check;
- a background check.

Confidentiality Agreement

All employees of INTRALOT are required to sign a confidentiality (nondisclosure) agreement at the time they are hired. This is part of the condition of employment. Subcontractors that are not covered by an existing contract are also required to sign a confidentiality agreement prior to providing services to INTRALOT.

User Training

Users are trained in security procedures and the correct use of the system. Users are also formally authorized in writing of the scope of their access to system security rights and restrictions. Training ensures that the users are aware of information security threats and concerns, and are equipped to support organization security policy in the course of their normal work. Security training is provided at the time of hire and includes security policies and procedures, system training, and roles and responsibilities.

Incident Reporting

All employees and subcontractors are made aware of the procedure for reporting the different types of incidents (security breach, threat, weakness or malfunction) that might have an impact on the security of the organizational assets. They are required to report any observed or suspected incidents as quickly as possible.

Security Weakness

System users are required to note and report any observed or suspected security weakness in, or threats to, systems or services. Users should report these matters to their first-line manager or directly to their department manager. Users should not, under any circumstances, attempt to prove a suspected weakness.

Software Malfunction

Users are required to note any software that does not appear to be functioning correctly (i.e., according to specification) and to report the matter to their first-line supervisor. Should the malfunction be a result of a suspected virus, then immediate action should be taken as follows:

1. Note the symptoms and any message appearing on the screen.
2. Stop using the computer and isolate it if possible.
3. Inform the Operations Department immediately.
4. If the equipment is to be examined, disconnect it from any organizational networks before re-powering it.

Read/Writable electronic media should not be transferred to other computers. Users should not, under any circumstances, attempt to remove the suspected software. Recovery is carried out by appropriately trained and experienced staff.

Disciplinary Action

There is a formal disciplinary process for employees who have allegedly violated security policies and procedures. Depending upon the extent of the violation, the employee will receive appropriate disciplinary action up to and including immediate termination and may also be subject to criminal prosecution.

Control of Personnel

All personnel associated with and known to the operation will have the proper identification credentials and corresponding access permissions. In the event that the employment status or job function changes for an individual, appropriate changes in access are made immediately. Facilitating this action in a timely manner requires that the New Hampshire Lottery and INTRALOT advise each other immediately should such an action be necessary. Coordination between the Operations and Human Resources representatives of both entities is essential to this effort.

Section 5 Physical Security

Secure Areas

The objective of a secure area is to prevent unauthorized access to, damage to, and interference with system services. To this end, the Operations department, which supports critical and sensitive business activities, is housed in a secure area within the Data Center and the Backup Site. The departments are protected from unauthorized access, damage and interference, and are also physically protected. They each have a defined security perimeter with entry controls and security barriers.

Physical Security Perimeter

Physical security protection is based on defined perimeters and achieved through a series of strategically located barriers throughout the building. Each level of physical protection has a defined perimeter, around which a consistent level of security protection is maintained. The following guidelines were followed for establishing the security perimeter:

- The security perimeter is consistent with the value of the assets or services under its protection.
- The perimeter is clearly defined.
- Support functions and equipment, such as fax machines and photocopiers, are placed to minimize the risks of unauthorized access to secure areas or compromise of sensitive information.
- Physical barriers are extended from floor to ceiling, as necessary, to prevent unauthorized entry and environmental contamination.
- Unauthorized personnel are not permitted inside the secure area.
- The Gaming Systems and ICS Systems are housed in dedicated areas separate from each other.
- When vacated, secure areas are physically locked and periodically checked.
- Personnel maintaining support services are granted access to secure areas only when required and authorized. When appropriate, their activities are restricted and monitored.
- Photography, recording or video equipment is not allowed within security perimeters, unless previously authorized.

Physical Entry Controls

Secure areas are protected with appropriate entry controls to ensure that only authorized personnel are allowed access. The Physical Security Manager retains access to those controls and provides authorized personnel with approved access. On a monthly basis, the Security Committee will review the access report to ensure proper distribution of access has been granted. Entry controls include:

- All employees must use key-cards and type a 5-digit PIN to enter secure areas.
- Interior and exterior doors are self-locking.
- ITVS cameras are mounted around the exterior perimeter of the building and in security-sensitive areas such as Operations.
- ITVS cameras are mounted around the exterior and interior of the live ticket stock room.
- Security monitors are manned 365/24/7.
- Visitors must sign in and out, and are supervised when in secure areas.
- Employees must wear visible identification at all times.
- Access rights are revoked immediately for staff that leaves employment.

Operations

The operations room and communications room are designed to take into account the possibility of damage from fire, flood, explosions, civil unrest and other forms of natural and man-made disasters. Consideration has also been given to any security threats by neighboring accommodations. The following measures have been considered:

- Key facilities are situated away from areas of public access or direct approach by public vehicles.
- The building is unobtrusive and gives little or no indication of its purpose, with no obvious signs, outside or inside the building, identifying the presence of computing activities.
- Hazardous and combustible materials are stored securely at a safe distance from the site. Computer supplies are not stored within the operations room until required.
- Backup media is stored in a secure vault at the Ohio Data Center and Vermont Lottery, which is a safe distance from the primary Data Center.
- Appropriate safety equipment is installed, including fire alarms, smoke detectors, fire suppression systems, fire extinguishing equipment, and fire escapes. Safety equipment is checked regularly in accordance with manufacturers' instructions.
- Emergency procedures are documented in the Business Continuity Plan and regularly tested.

Delivery and Loading Area Security

The shipping and receiving area for the warehouse and repair depot is isolated from public visibility and protected with security access measures. The following guidelines were applied:

- Access to the warehouse and depot area from outside of the building is restricted to identified, authorized personnel.
- The holding area is designed so that supplies can be unloaded without gaining access to other parts of the building.
- Sensitive items (ticket stock, repair parts, etc.) are stored in a locked storage area within the warehouse.
- Incoming material is inspected for potential hazards before it is moved from the holding area to the point of use.

Clear Desk Policy

INTRALOT has a Clear Desk Policy for sensitive papers, CDs and diskettes in order to reduce the risks of unauthorized access to, loss of, or damage to information outside normal working hours. The following guidelines are applied, where appropriate:

- Papers and storage media should be stored in cabinets or drawers when not in use.
- Sensitive or critical business information should be locked away when not required, especially when the office is vacated.
- Personal computers and computer terminals should be password protected and logged off when not in use.

Removal of Property

Employees are prohibited from removing equipment, data or software off-site without management authorization and approval.

Equipment Security

The protection of IT equipment (including that used off-site) is necessary in order to reduce the risk of unauthorized access to data and to safeguard against loss or damage. Special measures are enforced to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.

Equipment Protection

Computer equipment is sited and protected in such a way as to reduce the risks from environmental hazards and opportunities for unauthorized access. The following guidelines were followed to ensure equipment security:

- Where possible, equipment is sited to minimize unnecessary access into work areas.
- Workstations handling sensitive data should be positioned to reduce the risk of exposing the information on the screen to others.
- The following checklist should be used to identify potential hazards: fire; smoke; water; dust; vibration; chemical effects; electrical supply interference; electromagnetic radiation.
- Smoking is prohibited in the building.

Power Supply

Equipment is protected from power failure or other electrical anomalies. These protections include an uninterruptible power supply (UPS) unit for the computer room and for all Operations room computers. A backup generator is also used and will automatically power on when power anomalies are detected. The backup power supply equipment is tested regularly in accordance with the manufacturer's recommendation and in compliance with the Business Continuity Plan policy and procedures.

Cabling Security

Power and telecommunication cabling carrying data or supporting IT services within the Data Center and Backup Site is protected from interception or damage through the following measures:

- Power and telecommunication lines into the facilities are underground.
- Network cabling is encased in conduit to protect it from unauthorized interception or damage.
- All system data is encrypted and a redundant pair of firewalls is installed to prevent unauthorized access.
- Inspection and termination points are either in a locked room or encased in armored conduit.

Equipment Maintenance

IT equipment is maintained to ensure its continued availability and integrity. The following guidelines are observed:

- Equipment is maintained in accordance with the supplier's recommended service intervals and specifications.
- Repairs and servicing of equipment will only be carried out by authorized personnel.
- A record of any faults or suspected faults is kept, along with all maintenance records.

Off-Site Equipment Security

Any computer equipment, regardless of ownership, used outside the facility to support business activity is subject to management authorization and a degree of security protection equivalent to that of on-site equipment. The following guidelines will apply:

- Personal computers will not be used at home for business activities if virus controls are not in place.
- When traveling, equipment and media will not be left unattended in public places. Portable computers are carried as hand luggage when traveling.
- Portable computers are vulnerable to theft, loss or unauthorized access when traveling. They are provided with appropriate access protection (passwords or encryption) to prevent unauthorized access to their contents.
- Manufacturers' instructions regarding the protection of equipment should be observed at all times, such as protecting the equipment against exposure to strong electromagnetic fields.
- Security risks, such as damage, theft, and eavesdropping, may vary considerably between locations and should be taken into account in determining the most appropriate security measures.

Equipment Disposal

An organization's data can be compromised through careless disposal of equipment. All items of equipment containing storage media, including hard drives, must be checked to ensure that any sensitive data and licensed software are removed or overwritten prior to disposal. Damaged storage devices containing very sensitive data will require risk assessment to determine if items should be destroyed, repaired or discarded.

25 Section 6 Data Security Malicious Software Protection Precautions are required to prevent and detect the introduction of malicious software to safeguard the integrity of data. A range of malicious techniques has been developed to exploit the vulnerability of computer software to unauthorized or unknown modifications, with names such as computer viruses, network worms, Trojan horses and logic bombs. Managers of IT facilities must be alert to the dangers of malicious software, and should, where appropriate, introduce special measures to prevent or detect the introduction of malicious software. In particular, it is essential that precautions are taken to prevent and detect computer viruses on personal computers. Virus Controls Virus detection and prevention measures and appropriate user awareness procedures must be implemented. Users are reminded that prevention is better than cure. The basis of protection against viruses is founded on good security awareness, appropriate system access controls and the following specific guidelines: (a) INTRALOT has established a formal policy requiring compliance with software licenses and prohibiting the use of unauthorized software. (b) Anti-virus software developed by a reputable supplier is used as follows: virus-specific detection software (which is regularly updated) is used to scan computers and media for know viruses, either as a precautionary measure or on a routine basis; virus repair software is used with caution and only in cases where virus characteristics are fully understood and the correct repair is certain. (c) Regular reviews of the software and data content of systems supporting critical business processes is conducted. The presence of any spurious files or unauthorized amendments is formally investigated. (d) Any external storage media of uncertain or unauthorized origin is checked for viruses before use. VT Operations Security Plan April 2010(DRAFT)CONFIDENTIAL Page 19 of 80

(e) Management procedures and responsibilities have been established for reporting and recovering from virus attacks.

Housekeeping

Housekeeping measures are required to maintain the integrity and availability of data. Routine procedures are established for generating back-up copies of data, logging events and faults and, where appropriate, monitoring the equipment environment.

Data Back-up

Back-up copies of essential business data are taken daily. An adequate offsite backup facility is provided to ensure that all essential data and software can be recovered following a computer disaster or media failure. The following guidelines will apply:

- A minimum level of back-up information is stored in a secure vault at the Ohio Data Center and Vermont Lottery Headquarters. This location is geographically diverse and a sufficient distance to escape any damage from a disaster at the Primary Data Center.
- Back-up data is given an appropriate level of physical and environmental protections. The controls applied to the media at the primary site are extended to cover the Backup Site.
- Back-up data is regularly tested, where practical, to ensure that the data can be relied upon for emergency use when necessary.
- Data is retained for no less than 365 days and archived copies of documents, files, application software are retained indefinitely, or until they are replaced with tested, approved and authorized updated copies.

Operator Logs

Computer operators will maintain logs of all work carried out, including completed checklists of daily, weekly, and monthly procedures. Operator logs will include, but not be limited to:

- system start and finish times;
- process start and finish times;
- system errors and corrective action taken;
- confirmation of the correct handling of data files and computer output.

Operator logs are subject to regular, independent checks against operating procedures.

Fault Logging

Faults are reported and corrective action taken. Faults reported by users regarding problems with computer or communications systems are logged. Rules for the handling of reported faults will include the following:

- review of fault logs to ensure that faults have been satisfactorily resolved;
- review of corrective measures to ensure that security controls have not been compromised, that the action taken is fully authorized, and data has not been maliciously modified and/or corrupted.

Environmental Monitoring

Computer environments, including temperature, humidity and power supply quality, are monitored where necessary to identify conditions that might adversely affect the operation of computer equipment or data contents, and to enable any corrective action to be taken prior to the loss of data.

Media Handling and Security

Computer media is controlled and physically protected to prevent damage to assets and interruptions to business activities. Appropriate operating procedures are established to protect computer media, input/output data and system documentation from damage, theft and unauthorized access.

Removable Computer Data Media Management

Procedures are in place for the management of removable computer media. The following controls apply in the operational environment:

- A data storage system is used that avoids the use of descriptive labels so that data cannot be identified from its label.
- If no longer required by the organization, the previous contents of any re-usable media are erased or destroyed.
- A written authorization is required for all media removed from the organization and a record is kept of all such removals to maintain an audit trail.
- All media is to be stored in a safe, secure environment.

Data Handling Procedures

Procedures for handling sensitive data have been established in order to protect such data from unauthorized disclosure or misuse. Procedures have been drawn up for the secure handling of all sensitive input/output media, such as documents, computer media, reports, and any other sensitive items. The following items have been covered:

- handling and labeling input/output media;
- maintenance of a formal record of the authorized recipients of data;
- ensuring that input data are complete;
- confirmation of receipt of transmitted media, where appropriate;
- keeping the distribution of data to a minimum;
- clear marking of all copies of data for the attention of the authorized recipient;
- review of distribution lists and lists of authorized recipients at regular intervals.

System Documentation Security

System documentation may contain a range of sensitive information, such as descriptions of applications processes, procedures, data structures and authorization processes. The following controls have been applied to protect system documentation from unauthorized access:

- The distribution list for system documentation is kept to a minimum and authorized by the application owner;
- Computer generated documentation is stored separately from other application files, and assigned an appropriate level of access protection.

Media Disposal

Computer media is disposed of securely and safely when no longer required. Sensitive information may be leaked to outside persons through careless disposal of computer media. Clear procedures for the secure disposal of media have been established to minimize this risk. The following guidelines have been applied:

(a) Media containing sensitive information is disposed of securely and safely by incineration or shredding, or emptied of data for use by another application within the organization.

(b) The following check-list is to be used to identify items that might require security disposal:
- input documents, such as faxes;
- magnetic tapes;
- removable computer media;
- program listings;
- test data;
- system documentation.
(c) Should a collection and disposal service be employed for the disposal of papers, equipment and media, care is to be taken in selecting a suitable contractor with adequate security controls and experience.
(d) Disposal of sensitive items is logged, where possible, for future reference and to maintain an audit trail.

Application Access Control

Logical access controls are used to control access to applications and data to prevent unauthorized access to information held in computer systems. Logical access is restricted to authorized users. Application systems will:

- control user access to data and application system functions, in accordance with the business access control policy;
- provide protection from unauthorized access for any utility software that is capable of overriding system or application controls;
- not compromise the security of other systems with which IT resources are shared.

Information Access Restriction

Users of application systems, including support staff, are provided with access to data and application system functions in accordance with a defined access policy, based on individual business application requirements and consistent with organizational information access policy. Application of the following controls has been considered in order to support access policy requirements:

- providing menus to control access to application system functions;

- restricting users' knowledge of data or application system functions that they are not authorized to access, with appropriate editing of user documentation;
- controlling the access capabilities of users (e.g., read, write, delete, execute);
- ensuring that application outputs from systems handling sensitive data contain only the data that are relevant to the use of the output and are sent only to authorized terminals and locations, including periodic review of such outputs to ensure that redundant data are removed.

System Utilities Use

Use of system utility programs that might be capable of overriding system and application data must be restricted and tightly controlled. The following controls have been applied:

- password protection for system utilities;
- segregation of system utilities from application software;
- limitation of the use of system utilities to the minimum practical number of authorized users;
- authorization for other ad hoc use of system utilities;
- limitation of the availability of system utilities;
- logging of all use of system utilities;
- defining and documenting authorization levels for system utilities;
- removal of all unnecessary utility and system software.

Data and Software Exchange

Exchanges of data and software between organizations are controlled to prevent loss, modification or misuse of data. Exchanges are carried out on the basis of formal agreement. Procedures and standards to protect media in transit are established.

Data and Software Exchange Agreements

Formal agreements, including software escrow agreements when appropriate, are established for exchange of data and software (whether electronic or manual) between INTRALOT and the New Hampshire Lottery. The security content of such an agreement will reflect the sensitivity of the business information involved. The agreements will specify appropriate security conditions including:

- management responsibilities for controlling and notifying transmission, dispatch and receipt;
- procedures for notifying transmission, dispatch and receipt;
- minimum technical standards for packaging and transmission;
- courier identification standards;
- responsibilities and liabilities in the event of loss of data;
- data and software ownership and responsibilities for data protection, software copyright compliance and similar consideration;
- technical standards for recording and reading data and software;
- any special measures required to protect very sensitive items, such as encryption keys.

Media in Transit Security

Computer media can be vulnerable to unauthorized access, misuse or corruption during transportation. The following controls are applied to safeguard computer media being transported between sites:

(a) Reliable transport or couriers are used. A list of authorized couriers is agreed upon with management and a procedure to check the identification of couriers implemented.
(b) Packaging is sufficient to protect the contents from any physical damage likely to arise during transit.
(c) Special measures are adopted, where necessary, to protect sensitive information from unauthorized disclosure or modification. Examples include:
- use of locked containers;
- delivery by hand;
- tamper-proof packaging (which reveals any attempt to gain access);
- in exceptional cases, splitting of the consignment into more than one delivery and dispatch by different routes.

Electronic Mail Security

Controls are to be applied, where necessary, to reduce the business and security risks associated with electronic mail. Electronic mail (E-mail) is increasingly being used for business communications, replacing traditional forms of communications, such as letters and faxes. Consideration must be given to the need for controls to reduce any business or security risks that may be presented by the introduction of E-mail containing sensitive data. Issues that are addressed include:

- the vulnerability of messages to unauthorized interception or modification;
- the vulnerability to error, such as incorrect addressing or misdirection, and the general reliability and availability of the service;
- the impact of a change of communication media on business process, such as the effect of increased speed of dispatch or a change from company-to-company or person-to-person addressing;
- legal considerations, such as the potential need for proof of origin, dispatch, delivery and acceptance;
- the need for security measures to control remote user access to accounts.

INTRALOT has implemented clear policies regarding the status and use of E-mail.

Electronic Office Systems Security

Clear policies and guidelines are required to control the business and security risks associated with electronic office systems. Electronic office systems provide opportunities for faster dissemination and sharing of business information. Consideration has been given to the security and business implications of such facilities, and the need for appropriate policies and guidelines.

Requirements and issues include the following:

- the possible need to exclude any categories of sensitive business information if the system security does not provide an appropriate level of security protections;
- the need for a clear policy and controls to manage information sharing, such as the use of corporate electronic bulletin boards;
- the suitability of the system to support business applications, such as communicating orders and authorizations;
- the categories of staff and of contractors or business partners, that are allowed to use the system and the locations from which it may be accessed;
- the possible need to restrict selected facilities to specific categories of user;
- the possible need to indicate the status of user, such as employees or contractors, in directories for the benefit of other users;
- the policy regarding retention and back-up of information held on the system;

- the requirements and arrangements for fallback.

Development and Support Environments Controls

Project and support environments are strictly controlled to maintain the security of application system software and data. Managers who are responsible for application systems will also be responsible for the security of the project or support environment. They will ensure that all proposed system changes are reviewed to make certain that the security of either the system or the operating environment is not compromised.

Change Control Procedure

In order to minimize the corruption of information systems and the data they contain, there is strict control over the implementation of changes. Formal change control procedures are therefore necessary. The procedures ensure that security and control are not compromised, that support programmers are given access only to those parts of the system that are necessary for their work, and that formal interdisciplinary agreement and approval for any change are obtained. The process will include:

(a) maintaining a record of agreed authorization levels, including:
- support team focal point for change requests;
- user authority for submission of change requests;
- user authority levels for acceptance of detailed proposals;
- user authority for the acceptance of completed changes;
(b) only accepting changes submitted by authorized users;
(c) reviewing security controls and integrity procedures to ensure that they will not be compromised by the changes;
(d) identifying all computer software, data files, database entities and hardware that require amendment;
(e) obtaining approval for detailed proposals/specifications before work commences;
(f) ensuring that changes are accepted by the authorized user before implementation;
(g) ensuring that the system documentation set is updated upon completion of each change and that old documentation is archived or disposed of;

(h) maintaining a version control for all software updates;
(i) maintaining an audit log of all change requests.

Operating System Change Technical Review

Periodically, it may be necessary to change the operating system, such as installing a new release. When changes occur, the application system is reviewed to ensure that there is no adverse impact on data security. This process will include:

- reviewing application control and integrity procedures to ensure that they have not been compromised by the operating system changes;
- ensuring that the annual support plan and budget will cover reviews and system testing resulting from operating system changes;
- ensuring that notification of operating system changes is provided in time to allow appropriate reviews to take place before implementation.

System Planning and Acceptance

Advance planning and preparation are required to ensure the availability of adequate capacity and resource, and to minimize the risk of systems failures or data loss. Future capacity requirements projections are made to reduce the risk of system overload and resulting corruption and/or loss of data. The operational requirements of new systems are established, documented and tested prior to their acceptance. Fallback requirements for services supporting multiple applications are coordinated and regularly reviewed.

Capacity Planning

Capacity requirements are monitored to avoid failures due to inadequate capacity. Projections of future computer capacity requirements are made to ensure that adequate processing power and storage remain available. These projections take into account new system requirements as well as current and projected trends in computer and network use. Computer and network managers use this information to identify and avoid potential bottlenecks that might present a threat to system security or data services, and plan appropriate remedial action.

System Acceptance

Acceptance criteria are established and suitable tests carried out prior to acceptance. Computer managers will ensure that the requirements and criteria


More information

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE Information Technology Services Administrative Regulation ITS-AR-1506 INFORMATION SECURITY-SECURITY INCIDENT RESPONSE 1.0 Purpose and Scope The purpose of the Security Response Administrative Regulation

More information

Afilias DNSSEC Practice Statement (DPS) Version

Afilias DNSSEC Practice Statement (DPS) Version Afilias DNSSEC Practice Statement (DPS) Version 1.07 2018-02-26 Page 1 of 8 1. INTRODUCTION 1.1. Overview This document was created using the template provided under the current practicing documentation.

More information

IT CONTINUITY, BACKUP AND RECOVERY POLICY

IT CONTINUITY, BACKUP AND RECOVERY POLICY IT CONTINUITY, BACKUP AND RECOVERY POLICY IT CONTINUITY, BACKUP AND RECOVERY POLICY Effective Date May 20, 2016 Cross- Reference 1. Emergency Response and Policy Holder Director, Information Business Resumption

More information

Computer Security Policy

Computer Security Policy Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

Information Security Management Criteria for Our Business Partners

Information Security Management Criteria for Our Business Partners Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents

More information

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule Legal Disclaimer: This overview is not intended as legal advice and should not be taken as such. We recommend that you consult legal

More information

Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)

Applications/Data To Include in Survey (include applications that meet one or more of the following criteria) Objective of Survey The purpose of this survey is to identify and understand 1) the nature of critical and sensitive campus-wide applications and/or data, 2) where the data is located, 3) how the data

More information

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

PCA Staff guide: Information Security Code of Practice (ISCoP)

PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Information Risk and Privacy Version 2015.1.0 December 2014 PCA Information Risk and Privacy Page 1 Introduction Prudential Corporation

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management INTERNATIONAL STANDARD ISO/IEC 17799 Second edition 2005-06-15 Information technology Security techniques Code of practice for information security management Technologies de l'information Techniques de

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

PS 176 Removable Media Policy

PS 176 Removable Media Policy PS 176 Removable Media Policy December 2013 Version 2.0 Statement of legislative compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010; Data

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

ISO/IEC Information technology Security techniques Code of practice for information security management

ISO/IEC Information technology Security techniques Code of practice for information security management This is a preview - click here to buy the full publication INTERNATIONAL STANDARD ISO/IEC 17799 Second edition 2005-06-15 Information technology Security techniques Code of practice for information security

More information

Regulation P & GLBA Training

Regulation P & GLBA Training Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed

More information

Corporate Policy. Revision Change Date Originator Description Rev Erick Edstrom Initial

Corporate Policy. Revision Change Date Originator Description Rev Erick Edstrom Initial Corporate Policy Information Systems Acceptable Use Document No: ISY-090-10 Effective Date: 2014-06-10 Page 1 of 5 Rev. No: 0 Issuing Policy: Information Systems Department Policy Originator: Erick Edstrom

More information

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Oracle Data Cloud ( ODC ) Inbound Security Policies

Oracle Data Cloud ( ODC ) Inbound Security Policies Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security

More information

GDPR Draft: Data Access Control and Password Policy

GDPR Draft: Data Access Control and Password Policy wea.org.uk GDPR Draft: Data Access Control and Password Policy Version Number Date of Issue Department Owner 1.2 21/01/2018 ICT Mark Latham-Hall Version 1.2 last updated 27/04/2018 Page 1 Contents GDPR

More information

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer Data Sharing Agreement Between Integral Occupational Health Ltd and the Customer 1. Definitions a. Customer means any person, organisation, group or entity accepted as a customer of IOH to access OH services

More information

GM Information Security Controls

GM Information Security Controls : Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5

More information

SDR Guide to Complete the SDR

SDR Guide to Complete the SDR I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock

More information

Writer Corporation. Data Protection Policy

Writer Corporation. Data Protection Policy Writer Corporation Data Protection Policy 1. Introduction The Data Protection Policy (DPP) lays a solid foundation for the development and implementation of secure practices within Writer Corporation (the

More information

WORKSHARE SECURITY OVERVIEW

WORKSHARE SECURITY OVERVIEW WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625

More information

Internal Audit Report DATA CENTER LOGICAL SECURITY

Internal Audit Report DATA CENTER LOGICAL SECURITY Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory

More information

Advent IM Ltd ISO/IEC 27001:2013 vs

Advent IM Ltd ISO/IEC 27001:2013 vs Advent IM Ltd ISO/IEC 27001:2013 vs 2005 www.advent-im.co.uk 0121 559 6699 bestpractice@advent-im.co.uk Key Findings ISO/IEC 27001:2013 vs. 2005 Controls 1) PDCA as a main driver is now gone with greater

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an

More information

IT ACCEPTABLE USE POLICY

IT ACCEPTABLE USE POLICY CIO Signature Approval & Date: IT ACCEPTABLE USE POLICY 1.0 PURPOSE The purpose of this policy is to define the acceptable and appropriate use of ModusLink s computing resources. This policy exists to

More information

Cyber Criminal Methods & Prevention Techniques. By

Cyber Criminal Methods & Prevention Techniques. By Cyber Criminal Methods & Prevention Techniques By Larry.Boettger@Berbee.com Meeting Agenda Trends Attacker Motives and Methods Areas of Concern Typical Assessment Findings ISO-17799 & NIST Typical Remediation

More information

Data Processing Agreement

Data Processing Agreement In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal

More information

Version 1/2018. GDPR Processor Security Controls

Version 1/2018. GDPR Processor Security Controls Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in

More information

Mobile Working Policy

Mobile Working Policy Mobile Working Policy Date completed: Responsible Director: Approved by/ date: Ben Westmancott, Director of Compliance Author: Ealing CCG Governing Body 15 th January 2014 Ben Westmancott, Director of

More information

HIPAA Federal Security Rule H I P A A

HIPAA Federal Security Rule H I P A A H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created

More information

General Data Protection Regulation

General Data Protection Regulation General Data Protection Regulation Workshare Ltd ( Workshare ) is a service provider with customers in many countries and takes the protection of customers data very seriously. In order to provide an enhanced

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

Data protection. 3 April 2018

Data protection. 3 April 2018 Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

Company Policy Documents. Information Security Incident Management Policy

Company Policy Documents. Information Security Incident Management Policy Information Security Incident Management Policy Information Security Incident Management Policy Propeller Studios Ltd is responsible for the security and integrity of all data it holds. Propeller Studios

More information

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures RAPID7 INFORMATION SECURITY An Overview of Rapid7 s Internal Security Practices and Procedures 060418 TABLE OF CONTENTS Overview...3 Compliance...4 Organizational...6 Infrastructure & Endpoint Security...8

More information

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010 Data Protection. Plugging the gap Gary Comiskey 26 February 2010 Data Protection Trends in Financial Services Financial services firms are deploying data protection solutions across their enterprise at

More information

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018 DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL June 14, 2018 A. Overriding Objective 1.1 This Directive establishes the rules and instructions for Bank Personnel with respect to Information

More information

PHYSICAL AND ENVIRONMENTAL SECURITY

PHYSICAL AND ENVIRONMENTAL SECURITY PHYSICAL AND ENVIRONMENTAL SECURITY 1.0 STANDARD FOR PHYSICAL AND ENVIRONMENTAL SECURITY - EQUIPMENT 1.1 PURPOSE The purpose of this standard is to establish baseline controls to prevent loss, damage,

More information