Information Security Standards
2015 Update
IIPS Security Standards Committee
Roderick Brower - Chair
IT Standards Committee Officers
• Roderick B. Brower, Chair (Ch. 1 - Classifying Data & Legal Requirements)
• Deborah Joyner (Ch. 2 - Securing the End User)
• Jeff Drake (Ch. 3 - Securing the Network)
• Chuck Hauser (Ch. 4 - Securing Systems)
• Karen Sasser (Ch. 5 - Physical Security)
• Bambi Edwards (Ch. 6 - Cyber Security Incident Response)
• Jodi Dyson (Ch. 7 - Business Continuity & Risk Management)
How Did We Get Here?
• New document released from SCIO (January 2015)
• Extensive review by IT Standards Team started in July
• Will submit to SCIO (post IIPS Conference)
• Seek approval from SCIO
• Yearly review of the IIPS Standards by the IIPS Committee, based on releases from the SCIO
Highlights
• Manual has been reduced from 15 to 7 chapters
• Consolidation
• Reduction of redundancy
• Document getting better
CIOs
• Local College CIO is defined (Introduction Section)
• To manage and implement at local level
• First point of contact on issues of concern (conduit to State CIO)
• Work closely with Business & Finance area on PCI Compliance
Data Owners and Custodians
010101 Classifying Information
• Responsible for data
• Responsible for data procedures (software development requests, testing, patch approvals)
• These individuals should be clearly defined and documented by title in college manuals
User Re-Certification
020101 Managing Access Control Standards
• User rights shall be reviewed and approved by data owners at six (6)-month intervals.
• Yearly?????
030107 Time-Out Facility
• For some higher-risk information systems, such as systems that process student or employee data, tax data, or credit card information, the requirement for a session idle timeout shall be 15 minutes or less, as determined by law or industry standards. The local college CIO should make the determination as to which system(s) should meet this timeout requirement.
System Configuration Manual
040407 Systems Documentation
Colleges should develop and maintain additional documentation that details hardware and software placement and configuration, provides flowcharts, etc.
• Documentation should include:
• Vendor name, address, and contact information
• License number and version
• Update information
• Configuration reports and listings for operating system and server software
• BIOS revision information
• Port listing
Passwords
• Managing User Access (020102)
• User credentials that are inactive for a maximum of ninety (90) days must be disabled, except as specifically exempted by the security administrator.
• Passwords defined (020106)
• At least eight characters in length
• Strong passwords for High Security Systems
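The access-control thresholds quoted on these slides (six-month user re-certification under 020101, the 90-day inactivity limit and eight-character minimum under 020102/020106, and the 15-minute idle timeout for higher-risk systems under 030107) are the kind of rules a local CIO has to verify against directory exports and system configurations. The following is an added illustration of such a compliance check, not code from the IIPS manual or the committee; the account and system records are constructed sample data, and the field names, the `exempt_from_inactivity` flag and the 183-day approximation of "six months" are assumptions made for the example.

```python
"""Compliance check for the IIPS access-control thresholds (added example).

Assumptions (not from the manual): account records carry a last-login date,
a last-recertification date, the reported password length (never the password
itself), and an exemption flag set by the security administrator; "six months"
is approximated as 183 days.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RECERT_INTERVAL_DAYS = 183   # 020101: six (6)-month review interval (assumed 183 days)
INACTIVITY_LIMIT_DAYS = 90   # 020102: inactive for a maximum of 90 days -> disable
MIN_PASSWORD_LENGTH = 8      # 020106: at least eight characters
MAX_IDLE_TIMEOUT_MIN = 15    # 030107: 15 minutes or less on higher-risk systems


@dataclass
class Account:
    username: str
    last_login: Optional[date]          # None = never logged in
    last_recertified: Optional[date]    # None = data owner has never reviewed rights
    password_length: int                # length reported by the directory, not the secret
    exempt_from_inactivity: bool = False  # granted by the security administrator
    enabled: bool = True


@dataclass
class SystemConfig:
    name: str
    high_risk: bool                     # student/employee/tax/card data, per local CIO
    idle_timeout_minutes: Optional[int] # None = no idle timeout configured


def account_findings(acct: Account, today: date) -> List[str]:
    """Return the standards an enabled account fails on the given date."""
    findings: List[str] = []
    if acct.enabled and not acct.exempt_from_inactivity:
        # A never-used credential counts as inactive; the stricter reading of
        # "maximum of ninety days" is used, so day 90 itself triggers disablement.
        if acct.last_login is None or (today - acct.last_login).days >= INACTIVITY_LIMIT_DAYS:
            findings.append("020102: inactive 90+ days, credential must be disabled")
    if acct.last_recertified is None or (today - acct.last_recertified).days > RECERT_INTERVAL_DAYS:
        findings.append("020101: access rights not re-certified by data owner within six months")
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append("020106: password shorter than eight characters")
    return findings


def system_findings(cfg: SystemConfig) -> List[str]:
    """Only systems the local CIO designated as higher risk are held to 030107."""
    if not cfg.high_risk:
        return []
    if cfg.idle_timeout_minutes is None or cfg.idle_timeout_minutes > MAX_IDLE_TIMEOUT_MIN:
        return ["030107: idle timeout missing or longer than 15 minutes on higher-risk system"]
    return []


def audit(accounts: List[Account], systems: List[SystemConfig], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant account or system name to its list of findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        hits = account_findings(acct, today)
        if hits:
            report[acct.username] = hits
    for cfg in systems:
        hits = system_findings(cfg)
        if hits:
            report[cfg.name] = hits
    return report


# Constructed sample data (not real college records); audit date 2015-10-01.
SAMPLE_TODAY = date(2015, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith", date(2015, 9, 20), date(2015, 6, 1), 12),
    Account("svc_backup", date(2015, 4, 1), date(2015, 5, 1), 16, exempt_from_inactivity=True),
    Account("oldstudent", date(2015, 5, 15), date(2015, 1, 10), 6),
    Account("newhire", date(2015, 9, 28), None, 8),
]
SAMPLE_SYSTEMS = [
    SystemConfig("sis", high_risk=True, idle_timeout_minutes=30),
    SystemConfig("library-catalog", high_risk=False, idle_timeout_minutes=None),
    SystemConfig("payroll", high_risk=True, idle_timeout_minutes=10),
]


def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_ACCOUNTS, SAMPLE_SYSTEMS, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

On the sample data the exempt service account produces no finding even though it has not logged in for 183 days, the non-high-risk catalog system is not held to the timeout rule, and the account that was never re-certified is flagged even though it is active and has a compliant password length.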
Highlights
041002 Using Laptop/Portable Computers
• Must adhere to College Acceptable Use Policy
• Training to raise user awareness of the additional risks that accompany mobile computing and the controls with which users must comply
• If not protected by encryption software, the BIOS password on such devices must be enabled if technically possible.
• Training to raise user awareness of the additional risks that accompany mobile computing and the controls that should be implemented.
Highlights
Chapter 7 – Business Continuity and Risk Management
• Initiation
• Development
• Implementation
• Assessment
Constant revisiting of the plan, constant improvement.
Incidents
060201 Reporting Information Security Incidents
• Incident Response Reporting
• Local CIO is first point of contact and handles reporting of incidents
• ITS is notified by local CIO
Local Implementation
• You do NOT have to re-write these standards at your local institution
• This manual should be referenced in your local Administrative Procedures Manual
• Statement should reflect that all standards included in the NCCC Information Security manual are followed locally
• Any deviation from the manual needs to be documented locally, and the college needs to be prepared to justify the deviation
Looking Forward
• Living document (This document is not perfect)
• Manual will be updated as Statewide Manual is updated
• Edits will be sent out, reviewed, and adopted at the “upcoming” IIPS Conference (as needed)
Q&A
Once approved by SCIO, the official document will be placed on the IIPS website: http://www.nciips.org/ (About IIPS tab)