
You are the CISO of your company. Your primary responsibility is assessment, management, and implementation of InfoSec in your organization. Your organization has set up new servers to hold the personally identifiable information (PII) of the clients in your company. The CIO of your organization is advising you on strategic security assessment, management, and implementation using the CNSS security model.

I have uploaded some documents with respect to InfoSec procedures, policies, and guidelines. Consider the definition of Information Security with respect to the CNSS security model. Focus on the C.I.A. triad. What technologies and InfoSec procedures would you choose, and how would you consider management and implementation of security measures with respect to InfoSec? This is in relation to Storage, Processing, and Transmission, considering incorporation of Policies, Education, and Technologies.

Version 1.5 Revised December 2017 | Office of Management and Enterprise Services | Information Services

State of Oklahoma

Information Security Policy, Procedures, Guidelines

Information Security Policies, Procedures, Guidelines

Revised December 2017 Page 2 of 94

TABLE OF CONTENTS

PREFACE ………………………………………………………………………………………………………………………………….. 6

INFORMATION SECURITY POLICY………………………………………………………………………………………… 7

1.0 INTRODUCTION …………………………………………………………………………………………………………….. 9

1.1 BACKGROUND……………………………………………………………………………………………………………….. 9

1.2 POLICY, PROCEDURES, GUIDELINES ………………………………………………………………………….. 9

1.3 AUDIENCE ……………………………………………………………………………………………………………………. 10

2.0 INFORMATION ……………………………………………………………………………………………………………… 11

2.1 INFORMATION CONFIDENTIALITY ……………………………………………………………………………… 11

2.2 INFORMATION CONTENT ……………………………………………………………………………………………. 12

2.3 INFORMATION ACCESS ………………………………………………………………………………………………. 12

2.4 INFORMATION SECURITY …………………………………………………………………………………………… 13

2.5 INFORMATION AVAILABILITY ……………………………………………………………………………………… 13

3.0 SECURITY PROGRAM MANAGEMENT ………………………………………………………………………… 14

3.1 CENTRAL SECURITY PROGRAM…………………………………………………………………………………. 14

3.2 HOSTING AGENCY SECURITY …………………………………………………………………………………….. 15

3.3 AGENCY SECURITY …………………………………………………………………………………………………….. 15

3.4 INCIDENT MANAGEMENT ……………………………………………………………………………………………. 15

3.5 EVENT LOGGING AND MONITORING ………………………………………………………………………….. 16

4.0 RISK MANAGEMENT …………………………………………………………………………………………………. 18

4.1 RISK ASSESSMENT …………………………………………………………………………………………………… 18

4.2 RISK MITIGATION ………………………………………………………………………………………………………… 19

5.0 PERSONNEL/USER ISSUES ………………………………………………………………………………………… 20

5.1 STAFFING …………………………………………………………………………………………………………………….. 20

5.2 AWARENESS/TRAINING ………………………………………………………………………………………………. 20

5.3 PERSONAL COMPUTER USAGE …………………………………………………………………………………. 21

5.4 EMAIL USAGE ………………………………………………………………………………………………………………. 22

5.5 INTERNET/INTRANET SECURITY ………………………………………………………………………………… 23

6.0 HELP DESK MANAGEMENT …………………………………………………………………………………………. 26


6.1 SUPPORT CALLS …………………………………………………………………………………………………………. 26

6.2 PASSWORD RESETS …………………………………………………………………………………………………… 27

6.3 VOICE MAIL SECURITY ……………………………………………………………………………………………….. 27

7.0 PHYSICAL AND ENVIRONMENTAL SECURITY ……………………………………………………………. 29

7.1 OPERATIONS CENTER ……………………………………………………………………………………………….. 29

7.2 OPERATIONS MONITORING ………………………………………………………………………………………… 29

7.3 BACK-UP OF INFORMATION ………………………………………………………………………………………… 30

7.4 ACCESS CONTROL ……………………………………………………………………………………………………… 31

7.5 NETWORK ……………………………………………………………………………………………………………………. 31

7.6 ELECTRONIC COMMERCE SECURITY ……………………………………………………………………….. 34

7.7 MOBILE COMPUTING …………………………………………………………………………………………………… 35

7.8 REMOTE COMPUTING …………………………………………………………………………………………………. 36

7.9 EXTERNAL FACILITIES ……………………………………………………………………………………………….. 37

7.10 ENCRYPTION ………………………………………………………………………………………………………………. 37

8.0 BUSINESS CONTINUITY ………………………………………………………………………………………………. 39

8.2 DISASTER RECOVERY PLAN ………………………………………………………………………………………. 43

8.3 BUSINESS RECOVERY STRATEGY ……………………………………………………………………………….. 45

9.0 DATA CENTER MANAGEMENT ……………………………………………………………………………………. 47

9.1 OPERATING PROCEDURES ………………………………………………………………………………………… 47

9.2 OPERATIONAL CHANGE CONTROL ……………………………………………………………………………. 47

9.3 SEGREGATION OF DUTIES …………………………………………………………………………………………. 48

9.4 SEPARATION OF DEVELOPMENT AND OPERATIONAL FACILITIES ………………………….. 48

9.5 SYSTEMS PLANNING AND ACCEPTANCE ………………………………………………………………….. 49

9.6 CAPACITY PLANNING ………………………………………………………………………………………………….. 50

9.7 SYSTEMS ACCEPTANCE…………………………………………………………………………………………… 50

9.8 OPERATIONS AND FAULT LOGGING ………………………………………………………………………….. 51

9.9 MANAGEMENT OF REMOVABLE COMPUTER MEDIA …………………………………………………. 51

9.10 DISPOSAL OF MEDIA …………………………………………………………………………………………………… 51

9.11 EXCHANGES OF INFORMATION AND SOFTWARE ……………………………………………………… 52

9.12 PUBLICLY AVAILABLE SYSTEMS ………………………………………………………………………………… 52

9.13 USE OF SYSTEM UTILITIES …………………………………………………………………………………………. 53


9.14 MONITORING SYSTEMS ACCESS AND USE ……………………………………………………………….. 53

9.15 CONTROL OF OPERATIONAL SOFTWARE …………………………………………………………………. 55

9.16 ACCESS CONTROL TO SOURCE LIBRARY ………………………………………………………………… 55

9.17 CHANGE CONTROL PROCEDURES ……………………………………………………………………………. 56

9.18 RESTRICTIONS ON CHANGES TO SOFTWARE ………………………………………………………….. 56

9.19 INTRUSION DETECTION SYSTEMS (IDS) ……………………………………………………………………. 57

9.20 CONTROLS ON MALICIOUS SOFTWARE …………………………………………………………………….. 57

9.21 FIREWALLS ………………………………………………………………………………………………………………….. 58

9.22 EXTERNAL FACILITIES MANAGEMENT ……………………………………………………………………….. 58

10.0 LEGAL REQUIREMENTS ………………………………………………………………………………………………. 60

10.1 SOFTWARE COPYRIGHT …………………………………………………………………………………………….. 60

10.2 PROTECTION OF INFORMATION ………………………………………………………………………………… 60

10.3 PRIVACY OF PERSONAL INFORMATION …………………………………………………………………. 61

11.0 COMPLIANCE WITH SECURITY POLICY ……………………………………………………………………… 62

APPENDIX A: GLOSSARY ……………………………………………………………………………………………………… 63

APPENDIX B: SAMPLE CRISIS TEAM ORGANIZATION …………………………………………………………. 66

APPENDIX C: RESPONSIBILITY GRID …………………………………………………………………………………… 67

APPENDIX D: CONTINGENCY PLAN CONSIDERATIONS ……………………………………………………… 69

APPENDIX E: PROCEDURES AND ACCEPTABLE USE …………………………………………………………. 70

APPENDIX E, SECTION 1. COMPUTER (CYBER) INCIDENT REPORTING PROCEDURES …… 70

NOTIFICATION ………………………………………………………………………………………………………………………. 71

RESPONSE ACTIONS ………………………………………………………………………………………………………………. 71

AGENCY RESPONSIBILITIES……………………………………………………………………………………………………… 71

INCIDENT REPORTING FORM ……………………………………………………………………………………………………. 73

APPENDIX E, SECTION 2. INCIDENT MANAGEMENT PROCEDURE………………………………………… 74

OVERVIEW ……………………………………………………………………………………………………………………………. 74

INCIDENT RESPONSE TEAM ORGANIZATION ……………………………………………………………………………….. 75

INCIDENT RESPONSE PROCEDURES ………………………………………………………………………………………… 77

APPENDIX E, SECTION 3. MEDIA SANITIZATION PROCEDURES FOR THE DESTRUCTION OR DISPOSAL OF ELECTRONIC STORAGE MEDIA ………………………………………………………………. 82

INTRODUCTION ………………………………………………………………………………………………………………….. 82


POLICY …………………………………………………………………………………………………………………………………. 82

PROCEDURES …………………………………………………………………………………………………………………… 82

APPROVED DESTRUCTION OR DISPOSAL METHODS ……………………………………………………… 83

BACKGROUND AND GUIDELINES …………………………………………………………………………………………….. 85

APPENDIX E SECTION 4. REMOVABLE MEDIA: ACCEPTABLE USE POLICY ……………………… 87

SOFTWARE ENCRYPTION ALTERNATIVES (MOBILE COMPUTING AND REMOVABLE MEDIA) ……….. 88

HARDWARE ENCRYPTION ALTERNATIVES (USB FLASH DRIVES—OTHERS MAY BE ADDED IF APPROVED) – CURRENT APPROVED AND VETTED LIST OF DEVICES …………………………………………… 89

APPENDIX E, SECTION 5. MOBILE COMPUTING DEVICES: ACCEPTABLE USE POLICY ……………………… 92


PREFACE

The contents of this document include the minimum Information Security Policy, as well as procedures, guidelines and best practices for the protection of the information assets of the State of Oklahoma (hereafter referred to as the State). The Policy, as well as the procedures, guidelines and best practices apply to all state agencies. As such, they apply equally to all State employees, contractors or any entity that deals with State information.

The Office of Management and Enterprise Services Information Services (OMES IS) will communicate the Policy, procedures, guidelines and best practices to all state agencies. In turn, all agencies are required to review the Policy and make all staff members aware of their responsibility in protecting the information assets of the State. Those agencies that require additional controls should expand on the content included in this document, but not compromise the standards set forth.

The Policy and those procedures prefaced by "must" are mandatory as the system involved will be classified as insecure without adherence. Guidelines and best practices are generally prefaced with "should" and are considered as mandatory unless limited by functional or environmental considerations.

It is recognized that some agencies have their own proprietary systems that may not conform to the Policy, procedures, guidelines and best practices indicated in this document. A plan for resolution of these system limitations should be created. Any exceptions are to be documented and be available on request. Other non-system related standards that do not require system modification should be instituted as soon as possible.

Revisions to this document are maintained collectively in Appendix E: Revisions, which includes a "Revision Table" describing each addition, change or deletion and the date it was implemented. All revisions are referenced using this procedure. The original document will remain intact.


STATE OF OKLAHOMA

INFORMATION SECURITY POLICY

Information is a critical State asset. Information is comparable with other assets in that there is a cost in obtaining it and a value in using it. However, unlike many other assets, the value of reliable and accurate information appreciates over time as opposed to depreciating. Shared information is a powerful tool and loss or misuse can be costly, if not illegal. The intent of this Security Policy is to protect the information assets of the State. This Security Policy governs all aspects of hardware, software, communications and information. It covers all State Agencies as well as contractors or other entities who may be given permission to log in, view or access State information. Definitions:

■ Information includes any data or knowledge collected, processed, stored, managed, transferred or disseminated by any method.

■ The Owner of the information is the State Agency responsible for producing, collecting and maintaining the authenticity, integrity and accuracy of information.

■ The Hosting State Agency has physical and operational control of the hardware, software, communications and databases (files) of the owning Agency. The Hosting Agency can also be an Owner.

The confidentiality of all information created or hosted by a State Agency is the responsibility of that State Agency. Disclosure is governed by legislation, regulatory protections and rules as well as policies and procedures of the owning State Agency. The highest of ethical standards are required to prevent the inappropriate transfer of sensitive or confidential information.

All information content is owned by the State Agency responsible for collecting and maintaining the authenticity, integrity and accuracy of the information. The objective of the owning State Agency is to protect the information from inadvertent or intentional damage, unauthorized disclosure or use according to the owning Agency's defined classification standards and procedural guidelines.

Information access is subject to legal restrictions and to the appropriate approval processes of the owning State Agency. The owning State Agency is responsible for maintaining current and accurate access authorities and communicating these in an agreed upon manner to the security function at the State Agency hosting the information. The hosting State Agency has the responsibility to adhere to procedures and put into effect all authorized changes received from the owning State Agencies in a timely manner.

Information security – The State Agency Director, whose Agency collects and maintains (owns) the information, is responsible for interpreting confidentiality restrictions imposed by laws and statutes, establishing information classification and approving information access. The hosting State Agency will staff a security function whose responsibility will be operational control and timely implementation of access privileges. This will include access authorization, termination of access privileges, monitoring of usage and audit of incidents. The State Agencies that access the systems have the responsibility to protect the confidentiality of information which they use in the course of their assigned duties.

Information availability is the responsibility of the hosting State Agency. Access to information will be granted as needed to all State Agencies to support their required processes, functions and timelines. Proven backup and recovery procedures for all data elements to cover the possible loss or corruption of system information are the responsibility of the hosting State Agency.

The hosting State Agency is responsible for securing strategic and operational control of its hardware, software and telecommunication facilities. Included in this mandate is the implementation of effective safeguards and firewalls to prevent unauthorized access to system processes and computing / telecommunication operational centers. Recovery plans are mandatory and will be periodically tested to ensure the continued availability of services in the event of loss to any of the facilities.

Development, control and communication of Information Security Policy, Procedures and Guidelines for the State of Oklahoma are the responsibility of OMES IS. This Policy represents the minimum requirements for information security at all State Agencies. Individual agency standards for information security may be more specific than these state-wide requirements but shall in no case be less than the minimum requirements.


1.0 INTRODUCTION

1. This document states the Policy and outlines procedures, guidelines and best practices required for creating and maintaining a secure environment for the storage and dissemination of information.

2. It is critical that all agencies and their staff are fully aware of the Policy, procedures, guidelines and best practices and commit to protecting the information of the State. Common sense and high ethical standards are required to complement the security guidelines.

3. The Policy, procedures, guidelines and best practices outlined represent the minimum security levels required and must be used as a guide in developing a detailed security plan and additional policies (if required).

1.1 BACKGROUND

1. The information Policy, procedures, guidelines and best practices apply to all agencies and are inclusive of their hardware facilities, software installations, communication networks / facilities as well as information.

1.2 POLICY, PROCEDURES, GUIDELINES

1. OMES IS has, among other responsibilities, the mandate to establish minimum mandatory standards for information security and internal controls as well as contingency planning and disaster recovery (reference: Oklahoma Statute, Title 62. Section 34.12(A)(3) Duties of Information Services).

2. In reference to the responsibilities stated above, the Statute reads as follows:

"Such standards shall, upon adoption, be the minimum requirements applicable to all agencies. These standards shall be compatible with the standards established for the Oklahoma Government Telecommunications Network. Individual agency standards may be more specific than statewide requirements but shall in no case be less than the minimum mandatory standards. Where standards required of an individual agency of the state by agencies of the federal government are stricter than the state minimum standards, such federal requirements shall be applicable."


1.3 AUDIENCE

1. The Policy, procedures, guidelines and best practices are for distribution to all State agencies through their respective Security Representative who will then be responsible for communicating the details to State employees as well as contractors or other entities whose position responsibilities include the creation, maintenance, or access of State information residing on any computer system or platform. Appendix C assigns the primary responsibility of the procedures, guidelines and best practices to the User, Owning Agency, or Hosting Agency.


2.0 INFORMATION

1. Management of information requires a working set of procedures, guidelines and best practices that provide guidance and direction with regards to security. The primary focus is on the confidentiality and integrity of the information required for delivering information throughout the State.

2.1 INFORMATION CONFIDENTIALITY

1. The overriding premise is that all information hosted or created by a State Agency is property of the State. As such, this information will be used solely for performance of position related duties. Any transfers or disclosures are governed by this rule.

2. The confidentiality of all information created or hosted by a State Agency is the responsibility of all State Agencies. Disclosure is governed by legislation, regulatory protections, rules as well as policies and procedures of the State and of the owning State Agency. The highest of ethical standards are required to prevent the inappropriate transfer of sensitive or confidential information.

3. Release of information is strictly for job related functions. Confidentiality is compromised when knowingly or inadvertently, information crosses the boundaries of job related activities.

4. Users must be required to follow good security practices in the selection and use of passwords. Passwords provide a means of validating a user's identity and thereby establish access rights to information processing facilities or services. All agency staff must be advised to:

(A) keep passwords confidential,

(B) avoid keeping a paper record of passwords, unless this can be stored securely,

(C) change passwords whenever there is any indication of possible system or password compromise,

(D) select quality passwords with a minimum length of eight characters which are:

(i) easy to remember,

(ii) not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers and dates of birth etc.,

(iii) free of consecutive identical characters or all-numeric or all-alphabetical groups,

(E) change passwords at regular intervals (passwords for privileged accounts should be changed more frequently than normal passwords),

(F) avoid reusing or cycling old passwords,

(G) change temporary passwords at the first log-on,

(H) not include passwords in any automated log-on process, e.g. stored in a macro or function key, and

(I) not share individual user passwords.
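Clauses (D) and (F) above are the parts of this password guidance that a system can enforce at password-change time. As an added example (not taken from the Oklahoma policy or any state system), the following Python routine tests a candidate password against those clauses and reports which ones it violates; the user details, the previous password and the SHA-256 history digest are constructed for illustration.

```python
import hashlib
import re
from typing import Iterable, List, Sequence

# Password rules from section 2.1, item 4 of the Oklahoma policy:
#   (D)      minimum length of eight characters
#   (D)(ii)  not based on person related information (names, phone numbers, dates of birth)
#   (D)(iii) free of consecutive identical characters, all-numeric or all-alphabetic groups
#   (F)      no reuse of old passwords
# Clause (D)(i), "easy to remember", cannot be checked mechanically and is left to training.
MIN_LENGTH = 8


def password_digest(password: str) -> str:
    """Digest compared against the stored history for rule (F)."""
    # SHA-256 keeps this example dependency-free; a real password history
    # should be stored with a slow, salted password hash instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def personal_tokens(personal_info: Iterable[str]) -> set:
    """Lower-cased fragments (3+ chars) of the user's data, e.g. 'Jane Doe' -> {'jane', 'doe', 'janedoe'}."""
    tokens = set()
    for item in personal_info:
        parts = [p for p in re.split(r"[^a-z0-9]+", item.lower()) if p]
        tokens.update(p for p in parts if len(p) >= 3)
        joined = "".join(parts)          # compact form, e.g. '19850312' for a date of birth
        if len(joined) >= 3:
            tokens.add(joined)
    return tokens


def check_password(candidate: str,
                   personal_info: Iterable[str] = (),
                   previous_digests: Sequence[str] = ()) -> List[str]:
    """Return the policy clauses the candidate violates; an empty list means compliant."""
    violations = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append("D: shorter than eight characters")
    if any(tok in lowered for tok in personal_tokens(personal_info)):
        violations.append("D(ii): derived from person related information")
    if re.search(r"(.)\1", candidate):
        violations.append("D(iii): contains consecutive identical characters")
    if candidate.isdigit():
        violations.append("D(iii): all-numeric")
    if candidate.isalpha():
        violations.append("D(iii): all-alphabetic")
    if password_digest(candidate) in set(previous_digests):
        violations.append("F: reuses a previous password")
    return violations


# Constructed sample data for a fictional user (555-01xx is a reserved fictional phone range).
PERSONAL_INFO = ["Jane Doe", "405-555-0100", "1985-03-12"]
PREVIOUS_DIGESTS = [password_digest("Tr0ub4dor&3")]

if __name__ == "__main__":
    for pw in ["janedoe85!", "19850312", "aabbcc", "Tr0ub4dor&3", "Mv8#kq2Lp"]:
        print(f"{pw!r:16} -> {check_password(pw, PERSONAL_INFO, PREVIOUS_DIGESTS) or 'compliant'}")
```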

2.2 INFORMATION CONTENT

1. All information content hosted by a state agency is owned by and is the primary responsibility of the Agency responsible for collecting and maintaining the authenticity, integrity and accuracy of information. The objective of the owning State Agency is to protect the information from inadvertent or intentional damage as well as unauthorized disclosure or use according to the classification standards and procedural guidelines of the owning State Agency.

2. The following procedures must be followed by all State Agencies:

(A) All information content must reflect the actual state of affairs of the respective Agency.

(B) Changes in the status of personnel who have system access are entered in the system immediately and the appropriate authorization / change form sent to the hosting agency's Security Administration.

(C) In the event of a dismissal, the respective Agency is to call and notify the hosting agency's Security Administration immediately.