Custod. July 30, 20100

Transcription

1 AgriLife Infrmatin Technlgy Custd dian Prcedures and Best Practices July 30, 20100

2 TABLE OF CONTENTS Intrductin.. 3 Custdian Requirements Appendix A - Definitins Appendix B - IT Security & Management Prgram Calendar f Events Appendix C - Terms f Use Appendix D - AgriLife IT Cntact Infrmatin 16 Appendix E - Related Statutes, Plicies and Prcedures Page 2

3 INTRODUCTION What is the bjective f this dcument? Ensure AgriLife and Cllege f Agriculture and Life Sciences IT staff are aware f the requirements t prperly administer University and Agency resurces in accrdance with State, University, and AgriLife Agency rules, regulatins and prcedures. Wh is the audience fr this dcument? University r Agency emplyees that are respnsible fr supprting IT services within an Academic Department, AgriLife Research r AgriLife Extensin Service area f peratin. These staff are als knwn as System administratrs r custdians. Wh/What is a custdian? A custdian is typically an IT manager/resurce respnsible fr implementing wner defined cntrls and access t an infrmatin resurce. Custdians may include state emplyees, vendrs and any third party acting as an agent f, r therwise n behalf f the state entity. Page 3

4 CUSTODIAN REQUIREMENTS Custdians are required t perfrm the fllwing within their assigned areas f peratin. If these requirements are nt fulfilled by the custdian, the department r unit head shall be respnsible fr identifying alternative resurces t fulfill these duties. These requirements apply t all cmputing and infrmatin resurces lcated within Texas A&M University facilities and Texas AgriLife Research r Extensin Service lcatins regardless f funding surce r wner f the system. A. Ensure that all apprpriate persnnel are aware f and cmply with these prcedures. It is recmmended that the custdian assist the unit head in cmmunicating an annual reminder fr cmputer resurce use prcedures. Distribute the AgriLife Best Practices Guideline dcument t emplyees annually. Unit heads shuld guarantee custdians are familiar with and practice all the fllwing requirements t maintain University r Agency based cmputing resurces. B. Create and maintain apprpriate perfrmance standards, cntrl practices, and prcedures designed t prvide reasnable assurance that all emplyees bserve these prcedures. Prcesses and prcedures that shuld be implemented include: A dcumented lgn ID creatin prcess that ensures accunts are authrized befre being issued. Ensuring cntrls are in place t verify accunt and passwrd regulatins are in cmpliance. Emplyee exit prcedures that ensure cmputing lgn IDs and access cntrls are disabled at the time f emplyee departure/terminatin. Implement regular mnitring f lgn IDs t ensure that accunts that have nt been used in mre than 45 days are deactivated and eventually remved. A verificatin prcess t ensure that perating system and applicatin patches are applied t all IT resurces at the earliest pssible cnvenience. Perfrm regular scans f servers and wrkstatins t identify and prtect all cnfidential and sensitive data. Page 4

5 Nte: It is suggested that randm wrkstatin scans be cnducted at quarterly intervals. This requirement is mre restrictive than the annual scanning requirement impsed by the University SAPs. All wrkstatins that are used by persnnel supprting accunting r HR functins shuld be scanned at quarterly intervals. Cnfidential data that is identified must either be remved r encrypted. Scanning tls can be btained frm the fllwing surces: Identity Finder: O/Identity_Finder.php Crnell Spider Spider Utilize the Sphs "Data Cntrl Events" reprt t mnitr mvement f Cnfidential infrmatin t prtable cmputing devices. The reprt is available thrugh the Sphs enterprise cnsle. Please cntact AgriLife IT if yu need assistance in utilizing Sphs Data Cntrl Event functinality. C. Schedule risk and vulnerability assessments at required frequency by the imprtance f the data prcessed. All custdians will participate in either the University r AIT facilitated ISSAC assessment prcess. Utilize the vulnerability scanning resurces available via mysecurity.tamu.edu t ensure all sftware vulnerabilities are identified and remediated Nte: Risk assessments must be perfrmed at least annually n all systems, but we recmmend systems with missin critical r cnfidential data be assessed at a minimum twice per year. D. Prvide technical, physical and prcedural safeguards fr the infrmatin resurces. Technical: Cnduct timely patch management f cmputing systems. Nte: AIT Recmmends a mnthly review f all patches fr servers and wrkstatins and that critical patches be applied as sn as pssible. It is highly recmmended that yu dcument the review f patches as well as dcument the applicatin f these patches (date, systems patched). Auditrs typically request this infrmatin during system IT audits. Physical: Assure cmputing systems are secure (physically and lgically) and that backup media (nsite and ffsite) are prperly secured. Prcedural: Establish and dcument unit based accunt and data management prcedures. (i.e. hw wrkstatins hard drive data is remved r destryed befre surplus r re-issue) E. Assist wners in evaluating the cst-effectiveness f cntrls and mnitring. Custdian and data wner must determine the value f the data and implement apprpriate, cst effective, security safeguards t ensure the prtectin f the data. Page 5

6 F. Cnduct reviews f physical security implementatins and develp/update emergency prcedures fr physical security f IT resurces Annually review physical security implementatins and develp r update emergency prcedures fr physical security f IT resurces. Nte: These prcedures shuld be written and include what steps t take and wh t cntact in an emergency (see Sectin H fr training requirements). G. Review access permissins and remve access fr individuals wh are n lnger emplyed r n lnger require access t IT resurces. At a minimum f twice annually, custdians must review access permissins and remve access fr individuals wh are n lnger emplyed r n lnger require access t IT resurces. Nte: AIT strngly suggests that yu develp a wrkflw prcess that disables and remves accunts as emplyees n lnger require access. H. Ensure infrmatin resurces are prtected frm envirnmental hazards. Designated emplyees must be trained t mnitr envirnmental cntrl prcedures and equipment. Designated emplyees must als be trained in desired respnse prcedures in case f emergencies, equipment r facilities prblems. Recmmended training prcedures include: Actin plans/prcedures fr pwer lss r disruptin. At a minimum, dcumentin shuld be prvided t the department r unit head detailing the level f availability, cmputing resurces will prvide, in the event f pwer lss. Actin plans/prcedures fr envirnmental hazards such as fire, r fld/water incursin. At a minimum, ff site strage f missin critical infrmatin data shuld be prvided. This includes regular testing and recvery prcedures fr this data. Actin plans/prcedures fr disruptins in envirnmental cntrls such as cling. At a minimum, a dcument shuld be prvided t the department r unit head stating what level f availability will be fr cmputer resurces in the event f disrupted cling. I. Implement a written disaster recvery plan fr infrmatin resurces. Custdians are required t dcument a Disaster Recvery plan (fr all IT resurces) with AgriLife IT and update the plan each August. (Link: AIT Disaster Recvery Dcumentatin Applicatin) Perfrm tests f Disaster Recvery prcedures at annual intervals. Dcumentatin must als be kept f these test events and their results (i.e. enhancements, changes, r issues nted). Where applicable, dcumentatin shuld be revised t detail required changes identified frm the testing prcedures. J. Implement system identificatin and lgn banners in accrdance with state requirements fr all infrmatin resurces (Windws, Mac, Linux, etc.). Registry mdificatin files fr Windws systems and instructins fr implementing banners n Mac systems are available at the AIT Security page at - Page 6

7 Required banner cntent MUST include: This cmputer system and all data herein are fficial State f Texas resurces and as such are available nly fr authrized purpses by authrized users. Use fr any ther purpse may result in administrative r disciplinary actins r criminal prsecutin against the user. Usage is subject t mnitring and security testing. The user shuld have n expectatin f privacy except as therwise prvided by applicable privacy laws. K. Implement the mnitring techniques and prcedures fr detecting, reprting, and investigating incidents. Incidents must be reprted t securityhelp@ag.tamu.edu r via the web frm at Fr Departments/Centers using Sphs, yur Anti-Virus / MalWare reprts will be autmatically rlled int the ISO mnthly DIR reprt. Departments nt yet utilizing Sphs are required t submit a Mnthly Anti-Virus / Malware reprt t the AIT Infrmatin Security Officer. All ther security incidents shuld be reprted t the ISO using the and web site link abve. L. Perfrm a review f system lgs at regular intervals fr infrmatin resurces perfrming missin critical r cnfidential peratins. Utilize lg scanning utilities t review system lgs husing cnfidential infrmatin r perfrming missin critical peratins. Server lgs shuld be rutinely mnitred and reviewed fr bth peratinal quality assurance purprses as well as security. AIT recmmends either a weekly r mnthly scheduled prcedure t perfrm this activity. M. Verify that User security guidelines are distributed t all emplyees, understd by emplyees and are fllwed. AIT recmmends distributin f the frmal user guidelines t all staff at annual intervals. Annual distributin f the User Best Practices dcument t all staff. N. Cnfirm that emplyees attaching persnal systems t AgriLife (University r System) netwrks are fllwing the same guidelines required fr state wned systems. These include the fllwing: Current and wrking Anti-virus/Anti-malware prduct installed Page 7

8 Operating system and applicatin patches are current. N peer-t-peer file sharing applicatins are installed that culd be prviding unlicensed cpyrighted cntent. Nte: Cllege: Peer-t-Peer file sharing applicatins are currently still apprved by University prcedures Agencies: Peer-t-Peer file sharing applicatins have been prhibited withut frmal apprval as f Feb 2010 (See Agency Cmputer Use Guidelines fr details) Cnfidential and r persnally identifiable infrmatin is identified and prperly prtected All user accunts have passwrds that meet recmmended passwrd guidelines and are nt set t aut-lgin Files and Flders n prtable devices cntaining agency missin critical r cnfidential infrmatin are encrypted O. Implement Management Cntrls described belw. The paragraphs belw ffer high level descriptins f management cntrl strategies yu shuld be aware f and implement. The titles f each are links t mre specific infrmatin. In additin t the University SAP reference, specific AgriLife restrictins r guidelines may exist. Please refer t Appendix C fr references t the applicable agency prcedures. If additinal clarificatin is needed, please cntact the AgriLife Infrmatin Security Officer at Securityhelp@ag.tamu.edu PHYSICAL SECURITY It is plicy t prtect cmputer hardware, sftware, data, and dcumentatin frm misuse, theft, unauthrized access, and envirnmental hazards. ACCOUNTS AND PASSWORDS The cnfidentiality and integrity f data stred n cmputer systems must be prtected by access cntrls t ensure that nly authrized users have access. This access must be restricted t nly thse capabilities that are apprpriate t each user's jb duties. INTERNET AND A variety f University SAPs and Agency prcedures describe plicies and cntrls that shuld be in place and administered regarding the use f Internet and services. This access shuld be primarily restricted t thse activities that are apprpriate fr each user's jb duties. Page 8

9 COMPUTER VIRUS PROTECTION and WORKSTATION SECURITY/INTEGRITY Cmputer viruses, trjans, wrms, spyware, and ther such malicius applicatins are prgrams designed t make unauthrized changes t prgrams and data, and therefre, can cause destructin r disclsure f agency resurces. Sphs is the frmally supprted and funded anti-virus, and data-leakage tl in Texas A&M AgriLife and the Cllege f Agriculture and Life Sciences and is prvided at n cst t all emplyees. BACKUP AND RECOVERY All electrnic infrmatin cnsidered f institutinal value must be cpied nt backup strage media n a regular basis (i.e., backed up) fr disaster recvery and business cntinuity purpses. This sectin utlines the minimum requirements fr the creatin and retentin f backups. Special backup needs, identified thrugh risk analysis, which exceed these requirements shuld be implemented n an individual basis. DATA CLASSIFICATION/PROTECTION In accrdance with the definitins applied t Cnfidential and Sensitive data in the Definitins sectin f this dcument (Appendix A), security cntrls must be implemented t prtect data apprpriate t data value r risk (f access/use by anther party). CHANGE MANAGEMENT Change management prcedure describes the requirements fr managing changes in a ratinal and predictable manner s that staff and clients can plan accrdingly. Changes require serius frethught, careful mnitring, and fllw-up evaluatin t reduce negative impact t the user cmmunity and t increase the value f infrmatin resurces. INCIDENT MANAGEMENT This prcedure describes the requirements fr dealing with cmputer security incidents. INTRUSION DETECTION Intrusin detectin plays an imprtant rle in implementing and enfrcing an rganizatinal security plicy. Intrusin detectin prvides tw imprtant functins in prtecting infrmatin resurces: AgriLife IT recmmends that a weekly r mnthly review be perfrmed n all cmputing platfrms if autmated tls are nt in use. All servers and wrkstatins shuld have audit lgging enabled fr the purpse f creating and maintaining an activity lg. All suspected and/r cnfirmed instances f successful intrusins shuld be reprted t the AgriLife IT Infrmatin Security fficer. Page 9

10 NETWORK CONFIGURATION The netwrk cnfiguratin prcedures establish a prcess fr any expansin and use f the netwrk infrastructure. AgriLife netwrk infrastructure is prvided by Texas A&M University and TTVN. It is imprtant that the infrastructure, which includes cabling and the assciated 'active equipment', cntinues t develp with sufficient flexibility t meet demands while remaining capable f expliting develpments in high speed netwrking. This apprach allws fr implementatin f enhanced user services. Nte: Cllege: All netwrking planning and updates shuld be crdinated with Texas A&M University CIS netwrking team in accrdance with CIS plicies and service regulatins. Agencies: As f July 2010, all netwrking planning and updates shuld be crdinated with the AgriLife IT Netwrk Engineer. This includes all changes t firewall, netwrk switch, wireless access pints, and ruters. PORTABLE COMPUTING The purpse f AgriLife prtable cmputing security prcedures is t establish the prcess fr the use f mbile cmputing devices and their cnnectin t the netwrk.prtable cmputing devices (laptp cmputers, phnes, remvable strage devices) are becming increasingly pwerful and affrdable. Their small size and functinality are making these devices mre desirable as replacements fr desktp devices. Hwever, the prtability ffered by these devices increases the security expsure. Nte: All prtable cmputing devices shuld be encrypted when handling cnfidential infrmatin. Prtable devices pssessing cnfidential infrmatin must be prtected by a passwrd lgin. All unattended prtable devices cntaining cnfidential infrmatin must be physically secured. SECURITY MONITORING Security Mnitring is used t cnfirm the security practices and cntrls in place are are effective. Mnitring cnsists f activities such as the review f: user accunt lgs, applicatin lgs, data backup recvery lgs, autmated intrusin detectin system lgs, etc. The purpse f the security mnitring plicy is t ensure that infrmatin resurce security cntrls are in place, are effective, and are nt being bypassed. One f the benefits f security mnitring is the early identificatin f wrngding r new security vulnerabilities. The security mnitring prcedure applies t all individuals that are respnsible fr the installatin f new infrmatin resurces, the peratins f existing infrmatin resurces, and individuals charged with infrmatin resurces security. Page 10

11 PLATFORM HARDENING Servers are relied upn t stre and deliver data in a secure, reliable fashin. There must be assurance that data cnfidentiality, integrity and availability are maintained. One f the required steps is t ensure that the servers are installed and maintained t prevent unauthrized access, unauthrized use, and disruptins in service. The purpse f server hardening prcedures is t describe the requirements fr installing a new server in a secure fashin and maintaining the integrity f server. Dcumentatin n server hardening is available at - SYSTEMS DEVELOPMENT AND ACQUISITION The purpse f the system develpment prcedure is t describe the requirements fr develping and/r implementing new applicatin sftware. This prcedure is designed accrding t Texas Administrative Cde Rule Infrmatin Resurces Security Safeguards, sectin Security Plicies. NOTE: Any third-party cntractrs r in-huse sftware develpers are required t meet all security plicies when develping sftware fr public access n State f Texas infrmatin resurces. These plicies and standards must be maintained n a regular basis. It is recmmended that apprpriate budget and resurce plans be established fr all custm web based sftware implementatins. Inability t regularly maintain r meet these standards culd result in an immediate "take-dwn" request frm Texas A&M System r AgriLife IT administratin. VENDOR ACCESS Vendrs play an imprtant rle in the supprt f custmer peratins, hardware and sftware management. Vendrs can remtely view, cpy and mdify data and audit lgs, crrect sftware and perating systems prblems, mnitr and fine tune system perfrmance, mnitr hardware perfrmance and errrs, mdify envirnmental systems, and reset alarm threshlds. Setting limits and cntrls n what can be seen, cpied, mdified, and cntrlled by vendrs will eliminate r reduce the risk f lss f revenue, liability, lss f trust, and embarrassment t AgriLife. The purpse f vendr access prcedures is t establish the prcess fr vendr access t AgriLife infrmatin resurces and supprt services (A/C, UPS, PDU, fire suppressin, etc.), vendr respnsibilities, and prtectin f infrmatin. The vendr access prcedure applies t all individuals wh are respnsible fr the installatin f new infrmatin resurces assets, and the peratins and maintenance f existing infrmatin resurces and wh d r may allw vendr access fr maintenance, mnitring and trubleshting purpses. TRAINING AND ACKNOWLEDGEMENT New emplyees will receive training n infrmatin security measures and requirements and be required t acknwledge receptin and acceptance f the prvisins f this rule, by signing AgriLife Frm AG-415, Emplyee Acknwledgment. All emplyees are expected t review and acknwledge the prvisins f this rule every tw years, and will d s thrugh classes ffered in HRCnnect, the TAMUS Human Resurces ffice s nline training venue. Nn-emplyee users f infrmatin resurces will be issued a Page 11

12 cpy f these infrmatin security guidelines and required t sign an acknwledgment frm prir t being granted access. ADMINISTRATOR / SPECIAL ACCESS Technical supprt staff, security administratrs, custdians and thers may have special access requirements.. The granting, cntrlling and mnitring f these accunts is imprtant t an verall security prgram. The purpse f the administratr/special access management prcedure is t establish the prcess fr the creatin, use, mnitring, cntrl and remval f accunts with special access privilege. PRIVACY Privacy plicies are used t establish the respnsibilities and limits fr custdians and users in prviding AgriLife and TAMU infrmatin resurces privacy. Authrized AgriLife IT staff have the right t examine infrmatin n infrmatin resurces under the cntrl r custdy f any AgriLife agency r Cllege f Agriculture and Life Sciences The general right t privacy is extended t the electrnic envirnment as far as pssible. Hwever, there shuld be n expectatin f privacy beynd that which is expressly prvided by applicable privacy laws. Privacy is limited by the Texas Public Infrmatin Act, administrative review, custdians, and audits. Page 12

13 Appendix A - Definitins A. Owner f an Infrmatin Resurce - A persn respnsible fr a business functin and fr determining cntrls and access t infrmatin resurces supprting that business functin. Fr example, the wner is typically the Unit head, Directr r their designee. B. Custdian f an Infrmatin Resurce - A persn respnsible fr implementing wner defined cntrls and access t an infrmatin resurce. Custdians may include state emplyees, vendrs, and any third party acting as an agent f, r therwise n behalf f the state entity. Fr example, the custdian is typically an IT manager r resurce. C. User f an Infrmatin Resurce - An individual r autmated applicatin authrized t access an infrmatin resurce in accrdance with the wner defined cntrls and access rules. D. Cnfidential data - data that is excluded frm disclsure under requirements frm federal r state law. This can include but is nt limited t: persnnel recrds, health recrds, financial recrds, address infrmatin, student educatin recrds, credit card, scial security, r drivers license numbers. E. Sensitive data - Sensitive data may be subject t disclsure r release under the Texas Public Infrmatin Act, hwever AgriLife r the data wner has decided that the data must have the same r equivalent level f prtectin as Cnfidential data. Examples f sensitive data include: Operatinal infrmatin, persnnel recrds, infrmatin security prcedures, internal cmmunicatin. F. Missin critical - data which if access t was unavailable, an essential missin f the University, agency r department wuld nt be able t be cntinued, and r wuld cause a significant financial lss t be incurred, wuld cause institutinal embarrassment t take place, wuld cause an inability t cmply with federal regulatins r legal bligatin, r culd cause a pssible clsure f a agency r University department. G. Prtable Cmputing Device Any device ther than a desktp cmputer that can stre data, access the Internet r AgriLife netwrks, systems r applicatins. Examples include ntebk cmputers, internet enabled phnes, net bk cmputers, and prtable memry devices such as USB drives and memry sticks Page 13

14 Appendix B - IT Security and Management Prgram Calend dar f Events Page 14

15 Appendix C - Terms f use Electrnic files created, sent, received, r stred n Infrmatin Resurces wned, leased, administered, r therwise under the custdy and cntrl f AgriLife are the prperty f the agency. Vilatin f these prcedures may result in disciplinary actin up t and including terminatin fr emplyees and tempraries; a terminatin f emplyment relatins in the case f cntractrs r cnsultants; r dismissal fr interns and vlunteers. Additinally, individuals are subject t lss f access privileges fr AgriLife Infrmatin Resurces, and ptentially civil, r criminal prsecutin. Page 15

16 Appendix D - Cntact Infrmatin AgriLife Infrmatin Technlgy Cntacts Chuck Braden Infrmatin Security Officer jcbraden@ag.tamu.edu Phne: Tm Lyster IT Crdinatr - Cllege f Agriculture and Life Sciences, AgriLife Research tlyster@tamu.edu Phne: Jim Segers IT Crdinatr - Texas AgriLife Extensin Service j-segers@tamu.edu Phne: Alan Kurk IT Directr - Texas A&M AgriLife akurk@tamu.edu Phne: Page 16

17 Appendix E - Related Statutes, Plicies, r Requirements Texas Admin. Cde Ch. 202, Infrmatin Security Standards Texas Admin. Cde Ch. 206, State Web Sites Texas Admin. Cde Ch. 213, Electrnic and Infrmatin Resurces System Plicy 29.01, Infrmatin Resurces System Regulatin , Electrnic Infrmatin Services Access and Security Texas AgriLife Research - Infrmatin Security, Cmputer Use, and Sftware Installatin/Use (Rev ) Texas AgriLife Extensin Service - Infrmatin Security, Cmputer Use, and Sftware Installatin/Use (Rev ) Page 17