Information Security User Policy Training Business Applications Department October 2009

Page 1: Information Security User Policy Training

Business Applications Department

October 2009

Page 2: Purpose

Provide acceptable information security principles and practices for all MRC employees and contractors

Protect and safeguard information residing within the MRC environment

Page 3: Aligned with COV and State Policies

COV ITRM Policy SEC519-00, Information Technology Security Policy

COV ITRM Standard SEC501-01, Information Technology Security Standard

DHRM Policy 1.75, Use of Internet and Electronic Communication Systems

MRC Information Security Program and Continuity of Operations Plan (COOP)

Page 4: Scope

All MRC employees and contractors have the responsibility to safeguard information

All software and hardware used to process electronic information should be protected from unauthorized use, destruction or theft

Page 5: Definitions

“PC” refers to both networked, standalone and file server workstations and the data stored on those workstations or computer media

IT system users are MRC personnel or contractors that require access to and use of PC resources managed for the Commission

Page 6: Guiding Principles

Commonwealth of Virginia (COV) Data is:

A critical asset that shall be protected by the concept of least privilege

Restricted to authorized personnel for official use

Page 7: Guiding Principles

Information security must be:

A cornerstone of maintaining public trust

Managed to address both business and technology requirements

Risk-based and cost-effective

The responsibility of all users of COV IT systems and data

Page 8: Key IT Security Roles and Responsibilities

Steve Bowman, Commissioner, Agency Head: responsible for the security of the Agency's IT systems and data

Erik Barth, Information Security Officer (ISO): develops and manages the Agency’s IT security program

Linda Farris, Backup Information Security Officer: assists in implementation of the Agency’s IT security program

Jane McCroskey, Privacy Officer: provides guidance on the requirements of state and federal Privacy laws

Page 9: Key IT Security Roles and Responsibilities

Agency Division Heads, Data Owners: responsible for the policy and decisions regarding data

Erik Barth, System Owner/System Administrator: assists in the day-to-day administration of systems and implements security controls and other requirements

Debbie Sparks, Agency Inventory Coordinator: responsible for maintaining accurate records for transfers and returns of hardware and software assets and off-site authorizations

Page 10: Key IT Security Roles and Responsibilities

John Bull, FOIA Coordinator: coordinates Freedom of Information Act information requests

Rick Lauderman, COOP Coordinator: coordinates Continuity of Operations Planning (Disaster Recovery)

Brandy Battle, Records Retention Manager: maintains records retention policies and/or procedures

Page 11: Key IT Security Roles and Responsibilities

Data Custodians are individuals in physical or logical possession of data for Data Owners:

Terri Short, CFLS, Administrative Accounting Systems

Tony Watkinson, HMPTS

Ben Stagg, OGLS, CAD and GIS

Warner Rhodes, LEDS

Joe Grist, FDS

Lewis Gillingham, SWFT

Linda Hancock, HR

Todd Sperling, Agency Web Site

Page 12: Key IT Security Roles and Responsibilities

System users include all employees and contractors that have access to Agency PC resources

System users’ responsibilities include the following:

Read and comply with the User Security Policy

Report breaches of IT security, actual or suspected, to agency management and/or the ISO

Take reasonable and prudent steps to protect the security of IT systems and data to which they have access

Page 13: Supervisors

All supervisors shall conduct an annual position review of employees with IT roles and responsibilities

This annual review should be conducted in alignment with the annual review of all Employee Work Profiles (EWP) in October

Security related roles must be described in employee EWPs

Page 14: Risk Management

Protects COV IT systems and data based on sensitivity and risk

Allows each Agency to determine how these factors apply to IT systems including system availability needs

Formal system risk assessments will be conducted at MRC as necessary, but at least every three years

Page 15: Risk Management

System users must report to their supervisor any activity they perceive may pose a risk to the security of information managed and accessed by agency PC systems

Supervisors shall report in writing any credible risks to the Data Custodian of the affected system and the ISO

Page 16: IT Contingency Planning

Defines processes and procedures that plan for and execute recovery and restoration of IT systems and data

MRC Contingency Planning documents:

MRC IT Business Impact Analysis, Risk Assessment, Contingency Management, and Disaster Recovery Plan

MRC Continuity of Operations Plan (COOP)

Page 17: IT Contingency Planning

System users that have been assigned a role in contingency planning must do the following:

Read and comply with requirements described by applicable Agency contingency plans

Treat contingency plans as sensitive data

Store contingency plans at a secure off-site location

Page 18: Continuity of Operations and Disaster Recovery Planning Team

The agency’s COOP Coordinator will focus on the following activities:

Updating the COOP Report

Determining the COOP/DRP team members

Testing the COOP Plan on an annual basis

Page 19: IT Systems Security

Defines the necessary steps for effective protection of Agency IT systems

Ensures security in the following areas:

System Hardening

IT Systems Interoperability Security

Malicious Code Protection

IT Systems Development Life Cycle Security

Page 20: IT Systems Security

Systems users or contractors should know and comply with the following standards:

Use systems for state business purposes

Use virus and malware protection/detection software

Ensure that anti-virus and anti-malware software is properly functioning and using up to date signature files

Prevent the use of computer games on all state owned PC resources

Delete or ask for assistance in deleting computer game software on newly purchased PC workstations

Page 21: IT Systems Security

All IT system users are prohibited from the following:

Intentionally developing or experimenting with malicious programs (e.g., viruses, worms, spyware, keystroke loggers, phishing software, Trojan horses, etc.)

Knowingly propagating malicious programs, including opening email attachments from unknown sources

Page 22: IT Systems Security

Any employee or contractor involved in systems development or systems installation for the Commission must do the following:

Read and comply with the security requirements for the systems development life cycle in the MRC Information Security Program

Page 23: Logical Access Control

Defines the steps necessary to protect the confidentiality, integrity, and availability of COV IT systems and data against compromise

Defines requirements in the areas of account management, password management, and remote access

Page 24: Logical Access Control

Commission employees and contractors are prohibited from the following:

Accessing data or systems for which they have not been granted authorization to access

Using guest and shared accounts: please report any existing guest or shared accounts to the Agency ISO

Page 25: Logical Access Control

IT system users are required to do the following:

Obtain formal authorization and a unique user ID and password prior to using the Agency systems, including Citrix remote access capabilities

Prevent unauthorized use of unattended PC workstations when confidential information is accessible

Use screen saver passwords or automatic Windows workstation locking (the timeout should not exceed ten minutes)

Page 26: Logical Access Control

IT system users are required to keep all passwords confidential:

Passwords should not be posted, displayed or stored

Passwords are not to be included in any type of script, batch login file or procedure

Passwords shall not be transmitted electronically without use of industry accepted encryption standards

Immediately change passwords and notify the ISO if they suspect their passwords have been compromised

Page 27: Logical Access Control

All employees and contractors requesting system access accounts should do the following:

Complete the Employee System Access form for the creation, modification or deletion of system accounts at the following link: http://www.mrc.virginia.gov/hr/

Provide the following signatures on the form: employee, supervisor, and system owner

The IT department will maintain all system access information

Page 28: Logical Access Control

Sensitive Systems (CFLS; FSS/FTS; SMS):

All employees and contractors that request access to agency sensitive systems must fill out the non-disclosure form at: http://www.mrc.virginia.gov/hr/

**This form requires the following signatures: Employee, Data Custodian, and ISO

Page 29: Logical Access Control

Granting Sensitive or Non-Sensitive System Access for External Users

The Data Custodian for each sensitive/non-sensitive system will do the following:

Grant access for external users

Provide a signed copy of all non-disclosure forms to the ISO Office (as applicable to the sensitive system), or if the system is self-registering, users will electronically accept the terms of usage, including non-disclosure of sensitive information

Conduct an annual review, verify and keep on file a listing of active external users requiring access to the sensitive system

Page 30: Data Protection

Provides security safeguards for the processing and storing of data

Includes requirements in the areas of Media Protection and Encryption

Page 31: Data Protection

Dataset Creators or Data Custodians are responsible for protecting and identifying stored sensitive data

CFLS, FTS/FSS and SMS are the agency systems currently identified as sensitive

Sensitive data may not be stored on mobile data storage media, local desktop or laptop computers UNLESS properly encrypted and physically and logically secured in a reasonable manner and authorized in writing by the Agency Head

Page 32: Data Protection

Pickup, receipt, transfer, and delivery of all data storage media containing sensitive data is restricted to authorized personnel only

Sensitive data may not be transmitted without proper encryption

Page 33: Data Protection

Data Custodians shall be responsible for submitting the following authorizations to the ISO:

Transporting sensitive data in hardcopy or on mobile storage media

Storing sensitive data on local desktop or laptop computers

Authorizations should include names and a brief description of the business need

The ISO shall request written authorization from the agency head and maintain authorization records

Page 34: Data Protection

Data storage media must be sanitized prior to disposal or reuse

All data destruction shall be done in accordance with the ITRM Removal of Commonwealth Data from Surplus Computer Hard Drives and Electronic Media Standard (ITRM Standard SEC2003-02.1)

Page 35: Data Protection

Data Custodians shall be responsible for requesting in writing from the ISO the destruction or sanitization of data storage media with sensitive data

The ISO or his designee shall be responsible for data destruction or sanitization and the documentation of such

Page 36: Data Protection

All personnel with access to sensitive data systems must sign a non-disclosure and security agreement:

The agreement makes clear that unauthorized disclosure of any sensitive data is prohibited

For all VITA-NG personnel and contractors the agency will accept non-disclosure and security agreements signed as a condition of their employment with VITA-NG

Page 37: Data Protection

IT system users are required to perform the following data protection measures:

Regularly back up data files stored on local drives

Store backup copies of critical non-network data files offsite

Be aware that data files stored on network directories will be backed up by the Business Application Department each business day

Store magnetic media (diskettes, tapes, CD-ROM) in a secure container away from extreme temperature

Page 38: Facilities Security

Requires planning and application of facilities security practices to provide a first line of defense for IT systems against the following:

Damage, theft, and unauthorized disclosure of data

Loss of control over system integrity

Interruption of computer services

Page 39: Facilities Security

All employees are instructed to:

Maintain an office environment that employs practical, cost efficient safeguards to protect against human, natural and environmental risks to Agency information resources

Report immediately any suspicious situations or problems related to facilities such as heating, cooling, water, electrical, fire suppression, security access systems and door locks

Page 40: Facilities Security

Employees must accompany visitors to areas of the Agency that house sensitive data, particularly the First Floor Network Room

If visitors are not accompanied by agency personnel they must have proper authorization by the ISO or VITA-NG to be working in those areas

Page 41: Facilities Security

Employees and contractors should perform the following steps to protect equipment and data:

Lock office areas when departing from an unattended main office suite or field office

Keep vaulted rooms locked when not in use to protect sensitive data

Lock vehicles, and remove equipment and data from vehicles, boats, or planes when not in use

Page 42: Personnel Security

Reduces risk to COV IT systems and data

Specifies access determination and control requirements for individuals who require sensitive data and systems as part of their job duties

Includes Security Awareness and Training requirements to provide all IT system users with an appropriate understanding of policies

Page 43: Personnel Security

All personnel and contractors shall:

Complete agency security training at least annually or as soon as practical after starting work for the Commission

Adhere to DHRM Policy 1.75 – Use of Internet and Electronic Communication Systems

Have no expectation of privacy: the Agency and COV reserve the right (with or without cause) to monitor, access, and disclose all data on COV systems


Personnel Security

Background checks:

All new Business Application Systems employees of the Agency, VITA-NG staff, and contractors are required to undergo background checks before employment and at least every two years after the initial hire date

Individual Agency divisions shall determine the need for background checks of personnel within their area of responsibility who have access to sensitive systems


Personnel Security

It shall be the responsibility of the Human Resources Officer to report, in writing, to the ISO all permanent and temporary employee terminations

Agency supervisors shall report, in writing, transfers and request modifications of user access rights

The ISO shall maintain a file documenting terminations and associated removal of physical and logical access rights


Threat Management

Addresses protection of COV IT systems and data by preparing for and responding to IT security incidents

Includes Threat Detection, Incident Handling, and IT Security Monitoring and Logging


Threat Management

All system users must report immediately to their supervisors any unauthorized disclosure of data or incidents that potentially could compromise data

Users are required to immediately log off and shut down their computers

Supervisors must report such incidents immediately to the ISO


Threat Management

Security Incident Handling and Reporting

The agency ISO will report, within 24 hours, all events that have a real impact on the Commission to the CISO and VITA using the following form:

https://www.vita.virginia.gov/security/incident/secureCompIncidentForm/threatReporting.cfm

The agency ISO will keep all documented materials in the IT files


IT Asset Management

Concerns protection of the components that comprise COV IT systems by managing them in a planned, organized, and secure fashion

Includes IT Asset Control, Software License Management, Configuration Management, and Change Control


IT Asset Management

Installation of software on Agency IT systems is prohibited until approved by the Information Security Officer (ISO) or VITA-NG

Unauthorized installation, duplication and/or violation of the software license agreement of copyrighted software is illegal and subject to a Group II Offense under the State Employee Standards of Conduct: "Unauthorized Use or Misuse of State Property or Records"


IT Asset Management

Only authorized personnel in the Business Applications Department or VITA-NG may procure or dispose of agency hardware and software assets

Appropriate property transfer documents containing information on the returns of surplus hardware and software assets should be submitted to the ISO or, when appropriate, to VITA-NG personnel

All returns (upon employee termination) and transfers of hardware and software assets must be made with the appropriate property transfer documentation and thereby coordinated with the Agency Inventory Coordinator


IT Asset Management

Personal IT assets, including hardware like laptops and media like personal flash drives or USB hard drives, are prohibited on Agency facilities

Removing assets from the agency:

Static COV IT assets (desktop PCs and printers) must have written authorization from each employee's supervisor, with notification to the Agency Inventory Coordinator

Mobile COV IT assets (laptops, PDAs, and portable printers) are intended to be used off Agency premises and shall not require any additional authorization when assigned to an individual employee or contractor


IT Asset Management

The Agency Inventory Coordinator shall maintain the records of all returns, transfers and off-site authorizations

Annually, the Agency Inventory Coordinator shall conduct a paper inventory audit of all IT assets, supplemented with a random physical audit to ascertain the location of all COV IT assets


Records Retention

The Agency Records Retention Manager shall maintain records retention policies and/or procedures

Updated MRC Record Retention Procedures can be obtained from Brandy Battle, Records Retention Manager, 757-247-2260; [email protected]

Additional information can be obtained from the Library of Virginia at: http://www.lva.lib.va.us/whatwedo/records/


Thanks!

Thanks for going through the training today.

Information Security is critical at work and at home. We appreciate you taking the time to learn the contents of this training and highly encourage you to take some time regularly to read up on security topics – you can click on the security link at the bottom of our MRC web pages to visit the VITA-NG security web site at any time.

Please contact Erik Barth (x72262), Linda Farris (x72280) or your supervisor if you have any questions about this training or information security topics in general.