
ODE Security Plan (DRAFT)


Page 1: ODE Security Plan (DRAFT)

Oregon Department of Education

Information Security Plan

August 2015

Revision Control

Document Title: ODE Information Security Plan (DRAFT)

Author: Richard Woodford, ISO, CISSP

Draft: August 2012

Table of Contents

(To be completed on final version)

Introduction

ODE is entrusted with a wide range of confidential and sensitive information pertaining to students, faculty, staff, and other members of the community (e.g. partners). We take seriously our obligation to be stewards of that trust. We are obligated by law and institutional policy to take all reasonable and appropriate steps to protect the confidentiality, availability, privacy, and integrity of information in our custody. This obligation is broad and applies to information in both electronic and material form. Our practices are designed both to prevent the inappropriate disclosure of information and to preserve vital information in case of intentional or accidental loss.

This document outlines the guiding principles, roles and responsibilities, compliance requirements, and controls used to achieve this mandate. It also recommends security improvements for fiscal year 2015-17 (these improvements are highlighted in this document).

Guiding Principles

The department's strategy is multi-faceted and must continue to evolve to meet ever-changing threats. At the core, the plan is designed to uphold the following principles:

The department must protect the privacy of student, employee, and partner records by ensuring the security and protection of confidential and sensitive information in its custody.

The department must maintain proper organizational structures and strategies to assure adequate controls and other measures necessary to protect its information systems. Risk assessments are important to validate the effectiveness of these measures. Risk is inherent for any organization that must maintain the confidentiality of information, whether it is online or consists of paper files. Risk management must include analysis to avoid unnecessary efforts and expenses. Risk is managed on an ongoing basis, as the environment changes, new technology is released, user requirements evolve, or cost-risk factors are further analyzed. Adequate controls not only help mitigate risk but also generally correspond to best business practice in assuring transparency and consistency of business processes and effectiveness and availability of underlying technologies.

Align our standards, practices, and controls with industry standards and applicable laws, regulations, and policies. The controls in this plan are based on the SANS Top 20 Critical Security Controls (CSC) which align with NIST and other standards and best practices. Other primary regulatory drivers include FERPA, the Oregon Identity Theft Protection Act, Oregon statewide policy, and the Oregon statewide standards.

The continuing education and awareness of the partners and staff on information security issues is a critical factor in minimizing information security risk overall. In particular, as the department refines its guidelines and procedures for maintaining the confidentiality of information that is deemed highly sensitive, employees who handle this data need to be provided appropriate and periodic training on approved procedures.

Scope of the Information Security Plan

This Information Security Plan applies to all information that is acquired, transmitted, processed, stored, and/or maintained by ODE or any ODE auxiliary organization, whether in digital or paper format. It encompasses all locations in which ODE information resides including the main office, remote work areas, and hosted environments. It applies to all ODE employees, consultants, contractors, partners, and any person having access to ODE information in any form or format.

Information Security plays a leading role in safeguarding the department's protected data and related systems. However, information security planning and assurance cannot be successfully accomplished solely within the IT division; therefore, the plan outlines the responsibilities of ODE organizational units and the intersecting responsibilities of other ODE departments and individuals.

About this Document

This document summarizes ODE's current plan to maintain the security of its information assets. It conveys both long-term strategies and near-term activities we are pursuing to improve our overall information security posture. The plan is presented in five sections:

Roles and Responsibilities

Information Security Policies, Compliance, and Standards

Risk Assessment and Mitigation

Security Controls

Priorities for Improvement (2015-2017)

The document includes a glossary of common information security terms.

Roles and Responsibilities

The department assumes a coordinated approach to the protection of information resources and repositories of confidential information that are under its custody by establishing appropriate and reasonable administrative, technical and physical safeguards that include all individuals, related units, and others that administer, install, maintain, or make use of ODE’s computing resources and other repositories of information.

At ODE, that coordinated approach includes the following administrative structures and responsibilities:

The Chief Information Officer (CIO) is responsible for the development and implementation of policies and practices that maintain ODE’s information security and ensuring a periodic review of institutional risks and vulnerabilities. The CIO discusses information security findings and required actions with Department leadership, including an annual review of the Information Security Plan (Plan) with the Department Superintendents and Directors.

The Information Security Officer (ISO) is responsible for:

The development, maintenance, and periodic update of the Information Security Plan.

The integration, coordination and interpretation of ODE Information Security policies and standards, and the development and implementation of more specific guidelines and procedures to support those policies and standards within the particular context of ODE.

Recommend new guidelines, tools, and practices to enhance ODE’s Information Security posture.

Coordinate the department IS Risk Assessment.

Keep current with relevant threats against the department.

Deliver targeted Awareness Training seminars in addition to ensuring staff, contractors, and other applicable individuals complete the online Awareness Training.

Facilitate information security planning that promotes secure practices and decreases risk to information and data systems.

Maintain department procedures, standards, and guidelines in adherence with ODE information security policies.

Identify and coordinate mitigation of weaknesses in ODE’s infrastructure, data systems, and applications.

Update the incident response plan and run the CSIRT (see definition below).

The Computer Security Incident Response Team (CSIRT) responds to serious ODE Information Security incidents, works with the CIO and ISO to identify incident mitigation plans, and makes recommendations to the department head on how to reduce future risk and strengthen ODE’s security posture. ODE will develop an Incident Response plan to supplement this plan.

Managers including Superintendent, Assistant Superintendent, Directors, and Managers also play an important role in the overall information security strategy. They are responsible for understanding the importance of managing information security risks both within their organizations and across the department as a whole, and are ultimately responsible for the protection and use of data/information within their organization. They set an example and establish a tone in their organizations that stresses the importance of information protection, compliance, and awareness. They are responsible for classifying data, defining security compliance requirements, authorizing access, monitoring compliance with ODE/department security policies and standards, and managing risks associated with information assets under their protection. Finally, they are responsible for working with the ISO to mitigate vulnerabilities in their areas and to collaboratively implement good information security practices.

Department technical staff, both within the IT division and other ODE divisions, are responsible for the maintenance and protection of systems and applications used to transact or store department data. The duties include, but are not limited to, adhering to department security standards, such as those that pertain to system hardening, data sanitization, log/event management, patch management, and password/access controls. All staff have the responsibility to remain aware of information security risks, be attentive to sound practices, and report any potential disclosure or loss of information to their directors, managers, supervisors, the Information Security Officer, or other responsible parties.

Information Security Policies, Compliance, and Standards

This section introduces the reader to the major information security legal requirements that ODE is bound to uphold and the policies the Department has adopted to facilitate compliance. Detailed information on compliance requirements and policies can be found on the State of Oregon website.

ODE’s information security practices must comply with a variety of federal and state laws as well as its own internal policies. These laws and policies are generally designed to protect individuals and organizations against the unauthorized disclosure of information that could compromise their identity or privacy. "Level 3 (restricted) protected data" as defined by the Oregon Data Classification guidelines covers a variety of types including personally identifiable information (e.g., social security numbers), personal financial information (e.g., credit card numbers), health information, and other confidential information.

Among the laws and regulations that mandate baseline privacy and information security controls, the most notable include the following:

Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. S1232g; 34 CFR Part 99) - Protects the privacy of student education records and gives parents certain rights with respect to their children’s education records.

The State of Oregon Identity Theft Protection Act (ORS 646A.600)

State of Oregon Information Security Policies – 107-004-051, 107-004-052, 107-004-053, 107-004-100, 107-004-110, 107-004-120

Additional laws and regulations apply in the wake of unauthorized disclosure of individuals' data, requiring the Department to take specific actions if any protected data may have been disclosed either accidentally or maliciously to unauthorized parties. A detailed list of regulations and compliance requirements is included in Appendix B. Individuals who handle protected data are encouraged to speak with their managers or the Information Security Officer (ISO) to better familiarize themselves with relevant laws and regulations.

Another set of standards that provides an information security framework is ISO 27001 and 27002. All of the components of those standards are covered in this plan; the standards simply present them in a different layout.

Department Information Security Policy and Standards

The department has a body of information security policies that prescribe methods of compliance with relevant laws and regulations as well as generally accepted current best practices. Our policies take the further step of establishing practices to safeguard not only information protected by law, but also information that ODE leadership has deemed to be of a sufficiently confidential nature that it should be treated as legally protected data. Detailed information on Department security policies and other information can be found at: http://www.ode.state.or.us/search/page/?id=3554

Risk Assessment and Mitigation

Our information security plan is further enabled by four core practices:

Risk assessment and vulnerability management

Implementation of SANS Top 20 Critical Controls (see Appendix A), which are designed to reduce risk

Incident response (needs updating)

Employee education and training on information security risks and appropriate responses

These practices enable us to proactively identify risks, continuously improve our strategy, and direct our response in case of an information security incident.

Information Security Risk Assessment and Vulnerability Management

In accordance with department policy, ODE performs periodic assessments of its information security risks and vulnerabilities. Risk assessments may focus on particular types of information, areas of the organization, or technologies. Each year the ISO, in consultation with the CIO and the Management Team, identifies a set of priorities for information security risk assessments. The results of risk assessments are shared with the CIO and the Management Team, together with a plan for implementing specific actions to address risks and vulnerabilities. The ISO is responsible for monitoring the implementation of agreed upon actions and reporting their completion to Department leadership.

Security Controls

Security controls are measures taken to reduce risk by detecting or preventing malicious or unwanted actions and by mitigating the effects of an attack. Controls employed should align with the SANS Top 20 and provide automated notices or responses when applicable. While most security functions can be performed manually, most security violations, compromises, and incidents happen very quickly, so near-real-time detection is critical (as opposed to log analysis, which should be a post-incident task). Examples of such tools include Intrusion Detection Systems, monitoring and logging solutions, change detection tools, vulnerability detection, and data access monitoring.

Managing Compromises or Breaches of Information Security – Incident Response

Planning for incident response involves organizing an Incident Response Team that is responsible for problem identification and resolution. The primary functions of an Incident Response team are to:

Quickly recognize an incident

Establish automated and manual responses

Know reporting responsibilities

Provide an Incident Management function for security incidents

Certify actions for later review or law enforcement purposes

A security incident begins when a security related event is reported to the ODE IT division. When an alert involves personally identifiable information, a cross-functional team of members from different areas of the Department will analyze and recommend the best course of action. Current members of the Computer Security Incident Response Team (CSIRT) include:

Information Security Officer

CIO

Director of Infrastructure

Director of Data Management

Help Desk Team Lead

Risk Management Staff


The general steps for incident response are also NIST/SANS based. When an incident occurs, responders should follow these general concepts to mitigate the attack and reduce its impact:

Detect the incident and determine its intent and risk

Identify the type of incident, risks posed, and assets threatened

Protect vulnerable assets

Respond to contain the incident

Recover systems to normal operation

Notify all relevant and affected individuals

Perform a Post-Incident Review and provide recommendations to improve defenses

Employee Education and Training – Security Awareness

Security Awareness is another example of a security control. The entire Department Community needs to understand and support the information security objectives of availability, confidentiality and integrity, and what tradeoffs may be necessary for effective control of the information infrastructure’s vulnerabilities. The State of Oregon has established an online information security program to serve all departments that will promote an ongoing dialogue about information security risks and recommended practices. ODE has a multi-pronged approach to training and awareness. Current strategies include the following:

A privacy and confidentiality agreement signed by all newly hired staff.

A brief overview of key information security awareness topics as part of all new employee orientations

An online ODE Information Security Awareness Training course for all staff, faculty, and student staff

An information security website that serves as a repository of information for ODE information security standards and guidelines, educational materials, as well as information about current issues/alerts, policies and practices

Periodic communiqués to the Department community, or targeted audience(s), alerting ODE employees of specific vulnerabilities

Presentations and discussions with management

Securing the ODE Technical Infrastructure

This section identifies some of the specific strategies in place to secure the core technology infrastructure (e.g., network, hardware, data center) of the Department. It describes some of the information security concerns unique to specific technology areas and highlights the measures employed to secure ODE infrastructure.

Assurance of service, spam rejection, fraudulent email/phishing-scam processing, copyright protection, appropriate authorization for the use of resources, privacy/confidentiality, protection against unauthorized network access, protecting web sites from typical attacks (e.g. defacement, protected information theft), and maintaining auditable documentation of plans and procedures

Internet and Data Center Firewalls, Traffic Monitoring, Intrusion Detection/Prevention Systems

Virtual Private Network (VPN) and Secure Access Gateways

Desktop Management Systems with Policy Enforcement tools

Application and Server Security Certificates

Enterprise Anti-virus/malware and Patch-management systems

Server, Network, and Application-level Vulnerability Scanning Tools

Physical and Logical Access Controls to Servers and other Protected Resources

Confidential network zone to logically separate and protect confidential data systems

Encryption for systems that store/access confidential data and are transported outside the secure environment of the ODE network or facilities

Organization of staff to respond to the range of security issues

Enterprise Server Environment

Two IT-managed department data center facilities protect department servers and storage from unauthorized physical access and assure appropriate logging, data protection and monitoring/alerting. Operational procedures allow physical and logical access only to authorized users and help ensure that all other staff access servers only to the degree appropriate to their job roles.

Identity and Access Management

ODE's identity management and authentication and authorization system (AD) ensures appropriate access to all department computing resources. Network, application, and server access is logged by individual logins to facilitate investigation of possible intrusions or misuse of resources. For applications, only the minimum set of privileges allowed for a user to accomplish his/her objective is granted.

Priorities for Improvement (2015-2017)

ODE’s Information Security priorities center on tasks associated with addressing ODE’s greatest risk areas. 2015 – 2017 Goals:

Have business risk assessment (ISBRA) performed by ETS

Clean up and standardize our Active Directory (AD) environment

Implement an Intrusion Detection System (IDS)

Implement a tool that can identify existing or new security problems

Implement measures to detect data access that fall outside “need to know”

Implement a tool to monitor for malicious activity – particularly internet activity

Update ODE security policies

Begin a basic data classification project

Improve our security awareness program

One of the recommendations made by the Inspector General’s audit of ODE was to have a risk assessment performed by an outside entity. The state CIO/ESO office has a risk assessment offering referred to as ISBRA. ODE has requested to have that done this year. Cost: Free.

Cleaning up and standardizing our Active Directory environment is crucial to making access management simpler and more secure. The ISO recommends ODE purchase a tool (Varonis) that will make this job much easier and more thorough. In general, some tasks can be done manually, but automated tools are an obvious improvement. For example, compare using an Intrusion Detection System to watch for signs of attacks with having a person watch the network traffic. Obviously, the IDS would be far more effective. For access management, a tool like Varonis is far more effective than attempting to clean up access manually. Varonis also detects excessive access that may have been granted unintentionally. Cost: $20,000.

ODE has a proof-of-concept version of Suricata (open-source IDS) running. That should be moved into production. Cost: $1000.

Varonis also offers a tool that is a huge improvement in monitoring data access. ODE currently has almost no way to tell when a person or process reads a file. Varonis monitors reads, writes, and changes. Not only does this provide an audit trail and detect unauthorized access, it can also alert to a malicious program that is reading data without the knowledge of the end-user. Cost: $40,000.
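As an added illustration of the two detections the plan wants from data-access monitoring (reads outside "need to know", and a program sweeping files without the user's knowledge), the following Python is example code written for this plan, not ODE's or Varonis's own; the audit lines, share names, accounts, group map and service-account allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample file-server audit lines (not ODE data):
# timestamp  account  process  operation  UNC-path (sample paths contain no spaces).
SAMPLE_LOG = r"""
2015-08-03T09:01:12 jdoe       excel.exe    READ  \\fs1\StudentRecords\2015\grades.xlsx
2015-08-03T09:01:40 jdoe       excel.exe    WRITE \\fs1\StudentRecords\2015\grades.xlsx
2015-08-03T09:02:05 bsmith     word.exe     READ  \\fs1\Finance\budget.docx
2015-08-03T09:02:30 bsmith     explorer.exe READ  \\fs1\StudentRecords\2015\iep_list.xlsx
2015-08-03T09:05:00 jdoe       updater.exe  READ  \\fs1\StudentRecords\2015\a.xlsx
2015-08-03T09:05:02 jdoe       updater.exe  READ  \\fs1\StudentRecords\2015\b.xlsx
2015-08-03T09:05:04 jdoe       updater.exe  READ  \\fs1\StudentRecords\2015\c.xlsx
2015-08-03T09:05:06 jdoe       updater.exe  READ  \\fs1\StudentRecords\2015\d.xlsx
2015-08-03T22:00:00 svc_backup backup.exe   READ  \\fs1\Finance\budget.docx
2015-08-03T22:00:01 svc_backup backup.exe   READ  \\fs1\StudentRecords\2015\grades.xlsx
"""

# Hypothetical need-to-know map (in practice derived from AD group membership):
# which groups own each share, and which groups each account belongs to.
SHARE_OWNERS = {"StudentRecords": {"Assessment", "DataMgmt"}, "Finance": {"Finance"}}
USER_GROUPS = {"jdoe": {"Assessment"}, "bsmith": {"Finance"}}
# Backup service accounts legitimately read every share; they are exempt here
# and need their own control (e.g. alerting on writes or interactive logons).
SERVICE_ACCOUNTS = {"svc_backup"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(READ|WRITE|DELETE)\s+(\S+)$")


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    process: str
    op: str
    path: str


def share_of(path: str) -> str:
    r"""\\server\Share\sub\file.ext -> 'Share' ('' if not a UNC path)."""
    parts = path.strip("\\").split("\\")
    return parts[1] if len(parts) > 1 else ""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than crash the monitor
        ts, user, proc, op, path = m.groups()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, proc, op, path))
    return events


def check_need_to_know(events) -> list:
    """Flag accesses by accounts holding no group that owns the share.
    An unknown share has no owners, so access to it is flagged too."""
    alerts = []
    for ev in events:
        if ev.user in SERVICE_ACCOUNTS:
            continue
        if USER_GROUPS.get(ev.user, set()) & SHARE_OWNERS.get(share_of(ev.path), set()):
            continue  # at least one of the user's groups owns the share
        alerts.append({"user": ev.user, "process": ev.process,
                       "share": share_of(ev.path), "path": ev.path, "when": ev.when})
    return alerts


def detect_read_bursts(events, max_files=3, window_seconds=60) -> list:
    """Flag a (user, process) pair that reads more than max_files distinct files
    inside a sliding window: the signature of a program sweeping data without
    the user's knowledge. One alert per pair, raised at the first exceedance."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev.op == "READ" and ev.user not in SERVICE_ACCOUNTS:
            by_pair[(ev.user, ev.process)].append(ev)
    alerts = []
    for (user, proc), evs in by_pair.items():
        window = deque()
        for ev in sorted(evs, key=lambda e: e.when):
            window.append(ev)
            while (ev.when - window[0].when).total_seconds() > window_seconds:
                window.popleft()
            distinct = {e.path for e in window}
            if len(distinct) > max_files:
                alerts.append({"user": user, "process": proc,
                               "files": len(distinct), "when": ev.when})
                break
    return alerts


def analyze(text: str) -> dict:
    """Run both checks over a block of audit lines."""
    events = parse_log(text)
    return {"need_to_know": check_need_to_know(events), "bursts": detect_read_bursts(events)}
```

On the constructed sample, `analyze(SAMPLE_LOG)` reports bsmith (Finance group only) reading a StudentRecords file, and jdoe's updater.exe reading four distinct files in six seconds, while the exempt backup account raises nothing.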

ODE currently has Websense to monitor web activity. However, we only have the license that blocks pornography and other offensive content. Another license blocks websites that are known sources of malware. The ISO recommends the purchase of this license to reduce malware infections from the web (currently the number one source of malware infections). Cost: $20,000.

ODE has good but outdated security policies. Some of them are several years old and need updating. The ISO recommends reviewing/updating all ODE information security policies. Cost: 400 hours.

The state of Oregon mandates that all agencies classify their data. ODE currently does not have an initiative to do this. To meet this mandate, we should (at least) implement some basic guidelines. The ISO recommends a policy that states:

Data that is intentionally published to the public is by default level 1 (published) information.

Data that is not published is by default level 2 (limited).

Data that is level 3 (restricted) because it contains personally identifiable or other sensitive data should be labeled as such.

The agency does not have any level 4 (critical) data.

See Appendix B for a matrix of recommended safeguards based on data classification. Cost: 100 hours.

And finally, the ISO recommends updating and improving our security awareness program. There are several approaches to doing this. Cost will vary.

Glossary of Terms

Access - The ability to read or write data


Active Directory (AD) - Microsoft’s system to control authentication, authorization, and access

Authentication - Verification of identity (e.g. a username and password)

Authorization - To allow access based on authentication

Availability - Having systems or information available for use (in security terms, not interrupted by a malicious act or event)

Awareness - The knowledge and attitude members of an organization possess regarding the protection of sensitive systems and information

Breach – The exploit of a vulnerability to gain access to protected information or assets

Change Detection - A system that detects changes to a system or to data

Confidentiality - Ensuring that information is accessible only to those authorized to have access

Controls (security) - Safeguards or measures to avoid, detect, counteract, or minimize risks to physical property, information, computer systems, or other assets

CSIRT - Computer Security Incident Response Team

Data (assets) - Information that is necessary for the business to meet its mission

Data Classification – An information security process whereby the confidentiality, sensitivity, availability, and integrity of information are rated to determine the level of protection required (see matrix below)

Data Sanitization – A process that assures data is completely and irreversibly erased from media before it is repurposed or surplused

Defacement – The unwanted modification of a public website by malicious hackers

Disclosure – The unintentional release of sensitive data

Encryption – Making data un-readable except by those possessing an authorized key

Exploit – The use of a vulnerability to gain access to a system

FERPA – Family Educational Rights and Privacy Act

Firewall – A device that only allows specified addresses and services between networks (e.g. the internal network and the internet)

Guidelines – A general, non-mandatory set of rules or requirements that determine overall direction

Hackers (malicious) – A malicious actor who aims to attack your information systems and jeopardize your security for a variety of economic or political reasons

Hosted – Having all or part of your network infrastructure housed in an offsite facility operated by a service provider.

Incident (security) – An unwanted event that has the potential to cause substantial harm to department security

Integrity – Assurance that information is authentic and has not been tampered with.


Intrusion Detection (Protection) System – A system that detects abnormal network activity and takes prescribed actions to mitigate it

ISBRA – An Information Security Business Risk Assessment performed by DAS ESO.

ISO 27001 & 27002 - International Organization for Standardization. An independent, non-governmental organization that specifies high-level security practices

Log (event) Management – Collecting and correlating logs from multiple systems in order to identify any anomalous activity.

Mitigate – Reduce the risk

“Need to know” – A security concept that specifies that, no matter the person, information is only accessed by people who need to access (read) it

NIST – National Institute of Standards and Technology, a body who sets national standards for technology that most information system standards are based on directly or indirectly

Oregon Identity Theft Protection Act – A set of laws that govern how organizations are to handle improper information disclosures of personal and sensitive information

Oregon statewide (security) standards – A basic set of security standards put together by DAS ESO to assist agencies in best practices

Patch Management – Making sure all systems are up-to-date with current patches from the manufacturer

Phishing – The attempt to lure individual(s) into disclosing sensitive information through Social Engineering

Physical – Direct physical access to the system hardware or networks that can lead to a security breach

Privacy – The protection of personally identifiable or other sensitive information

Risk - Potential of losing something of value

Risk Assessment - The determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat

Safeguards – A measure or measures put into place to reduce risk

SANS – A U.S. Company recognized as a premier source of information and training related to information security

Secure Access Gateway – A device that allows valid external users to access internal resources securely

Security – Protection of information from loss of confidentiality, integrity, or availability

Social Engineering – A non-technical manipulation of a person to breach the security of an organization

SPAM – Unwanted or unsolicited email either malicious or a waste of resources

SANS Top 20 Critical Controls (CSC) – A condensed set of NIST controls into the top 20 most critical


Sensitive – Information that needs extra protection from security breaches

System Hardening – Configuring a system so that vulnerabilities are minimized

Threat – A potential that can result in a security incident

Virtual Private Network (VPN) – Encrypted communication from point to point over the public internet

Vulnerability – A weakness or flaw in a system that can be leveraged to breach a system

Appendix A (Relevant Policies, Regulations, and Controls)

State Policy

Policy Number   Policy Title                                         Effective Date
107-004-050     Information Asset Classification                     1/31/2008
107-004-051     Controlling Portable and Removable Storage Devices   7/30/2007
107-004-052     Information Security                                 7/30/2007
107-004-053     Employee Security                                    7/30/2007
107-004-100     Transporting Information Assets                      1/31/2008
107-004-110     Acceptable Use of State Information Assets           10/16/2007
107-004-120     Information Security Incident Response               11/10/2008

SANS 20 Critical Controls (referenced)

SANS 20 Critical Security Controls (Consensus Audit Guidelines)/NIST 800-53/FISMA   12/1/2011

FERPA gives parents access to their child's education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records. With several exceptions, schools must have a student's consent prior to the disclosure of education records after that student is 18 years old. The law applies only to educational agencies and institutions that receive funding under a program administered by the U.S. Department of Education. Other regulations under this act, effective starting January 3, 2012, allow for greater disclosures of personal and directory student identifying information and regulate student IDs and e-mail addresses.[2]

Examples of situations affected by FERPA include school employees divulging information to anyone other than the student about the student's grades or behavior, and schoolwork posted on a bulletin board with a grade. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record.


This privacy policy also governs how state agencies transmit testing data to federal agencies. For example, see Education Data Network.

This U.S. federal law also gave students 18 years of age or older, or students of any age if enrolled in any postsecondary educational institution, the right of privacy regarding grades, enrollment, and even billing information, unless the school has specific permission from the student to share that specific type of information. https://nces.ed.gov/pubs97/web/97859.asp

SANS Top 20 Critical Controls

Columns: Control | Description and Relevance | Current State

Critical Control 1: Inventory of Authorized and Unauthorized Devices
Description and relevance: Know what devices are on your network and where they are located (physically and logically), what they do, and who is responsible for them. This protects against malicious devices entering the environment and assists with incident response. Use a good hardware database along with network access control and/or a scanner (e.g. NESSUS) to prevent or detect rogue devices.
Current state: Significant improvements underway

Critical Control 2: Inventory of Authorized and Unauthorized Software
Description and relevance: Allow only authorized software on systems to protect against "trojan horse" programs and illicit or unwanted activity, and to guard against copyright violations. Perform a regular inventory.
Current state: Significant improvements made in 2015

Critical Control 3: Secure Configurations for Hardware and Software
Description and relevance: Have a base configuration that is known to be secure and supportable, and detect changes that create vulnerabilities or support problems. Set up tools or techniques to detect unwanted changes to your environment.
Current state: Needs work

Critical Control 4: Continuous Vulnerability Assessment and Mitigation
Description and relevance: Continuously monitor the network and systems for vulnerabilities and mitigate as much as possible. Active scanners like NESSUS and Nexpose help identify vulnerabilities; regular updates and patches help mitigate them.
Current state: Significant improvements made in 2015

Critical Control 5: Malware Defenses
Description and relevance: Have multiple layers to detect malicious software and keep them up to date. Make sure support staff and end-users know how to respond to potential malware.
Current state: Significant improvements made in 2015

Critical Control 6: Application Software Security
Description and relevance: Use an application security scanner (e.g. Nexpose) to scan for vulnerabilities in applications (especially public-facing applications).
Current state: Need to restart the program

Critical Control 7: Wireless Device Control
Description and relevance: Use strong access control and encryption on wireless networks. Make wireless networks a separate, less secure network zone that provides internet access and minimal internal access through secure ports.
Current state: Significant improvements made in 2014

Critical Control 8: Data Recovery Capability
Description and relevance: Ensure that all critical data is recoverable in the event of a minor or major system failure or loss.
Current state: Significant improvement project underway

Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
Description and relevance: Make sure technical staff and end-users have appropriate security training.
Current state: Training continuing at acceptable (but not optimal) level

Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Description and relevance: Physically secure and apply secure configurations to firewalls and other network devices. Make sure default passwords are changed and minimize the number of persons with access to network infrastructure.
Current state: Needs constant review

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Description and relevance: Use network and host-based firewalls to permit only required ports, protocols, and services to run on the network (use next-gen firewall or host-based firewall technology).
Current state: Needs improvement

Critical Control 12: Controlled Use of Administrative Privileges
Description and relevance: Limit the number of administrative privileges and limit the scope of each account to what is needed. Only use administrative access when required to perform job duties. Never share admin passwords. Log all use of admin privileges. Do not use administrative credentials unless performing a task that requires them.
Current state: Good practices in place, but improvements needed

Critical Control 13: Boundary Defense
Description and relevance: Invest in defenses at the ingress and egress points of your network. These are choke points where malicious activity can be detected and/or blocked using advanced firewalls, web filters, email filters, and controls on any other vector.
Current state: Firewall and web filter need updating

Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
Description and relevance: Implement a tool to store and analyze security and audit logs, both to alert on active malicious activity and to refer back to during incident investigation.
Current state: Need to implement a log management and analysis tool

Critical Control 15: Controlled Access Based on the Need to Know
Description and relevance: Grant all individuals access only to the data and systems they need to perform their job functions.
Current state: Part of Active Directory cleanup

Critical Control 16: Account Monitoring and Control
Description and relevance: Monitor all accounts for unusual activity and alert on or automatically mitigate potentially malicious behavior. Products such as Varonis DataVantage provide this type of functionality.
Current state: Need Varonis DataVantage or similar tool!

Critical Control 17: Data Loss Prevention
Description and relevance: Set up tools or techniques to detect data leaving the premises. Varonis DataVantage and other DLP tools can help, but a policy against physically transporting data out of the business should also be implemented and enforced.
Current state: Need Varonis DataVantage or similar tool!

Critical Control 18: Incident Response Capability
Description and relevance: Develop an incident response plan and an incident response team, and make sure they retain the needed skills. Have a "cheat sheet" of critical information, actions, and tools that can be reached quickly even if internal systems are not accessible.
Current state: Needs updating

Critical Control 19: Secure Network Engineering
Description and relevance: Design security into networks at the engineering phase rather than trying to retrofit security controls onto a production system.
Current state: Ongoing

Critical Control 20: Penetration Tests and Red Team Exercises
Description and relevance: Have an external party (or designated internal staff) try to penetrate the network from a hacker's perspective to test defenses and staff responses.
Current state: None planned


Appendix B (Data Classification Matrix)

Columns: Security Control Item | Level 1 Data (published) | Level 2 Data (limited) | Level 3 Data (restricted) | Level 4 Data (critical)

Data Integrity
  Level 1: Access controls
  Level 2: Access controls
  Level 3: Access controls and auditing
  Level 4: Access controls and auditing

Logging
  Level 1: Basic logging
  Level 2: Basic logging
  Level 3: Enhanced logging
  Level 4: Advanced logging

Network Traffic
  Level 1: None
  Level 2: None
  Level 3: Segregation of internal network traffic
  Level 4: Segregation of internal network traffic

Physical Security
  Level 1: Basic physical security
  Level 2: Basic physical security
  Level 3: Enhanced physical security
  Level 4: Enhanced physical security

System Configuration and Vulnerability Detection
  Level 1: Secure system configurations; regular vulnerability scans
  Level 2: Secure system configurations; regular vulnerability scans
  Level 3: Secure system configurations; regular vulnerability scans and third-party assessments
  Level 4: Secure system configurations; regular vulnerability scans and third-party assessments

Confidentiality
  Level 1: None
  Level 2: Restricted by policy
  Level 3: Restricted by policy
  Level 4: Restricted by policy

Servers and Workstations with Access
  Level 1: Restricted access to systems with the ability to change data, i.e. locked keyboard or server cabinet
  Level 2: Restricted access to systems with the ability to read or change data, i.e. locked keyboard or server cabinet
  Level 3: Restricted access to systems with the ability to read or change data, i.e. locked keyboard or server cabinet
  Level 4: Restricted access to systems with the ability to read or change data, i.e. locked keyboard or server cabinet

Authentication
  Level 1: None to read; single-factor authentication to modify
  Level 2: Single-factor authentication required, i.e. password; authentication logged
  Level 3: Single-factor authentication required, i.e. password; authentication logged
  Level 4: Dual-factor authentication required, i.e. biometrics, PIN, token; authentication and user actions logged

Access Control
  Level 1: "Read Only" for public and "Read/Write" for business
  Level 2: Role based
  Level 3: Role based
  Level 4: "Need to Know" based for named individual

Data in Transit
  Level 1: None
  Level 2: Encryption across public networks; none for private networks
  Level 3: Encryption across public networks; none for private networks
  Level 4: Encryption across public and private networks unless transmission is contained within a secure facility or network

Disposal
  Level 1: Reformat
  Level 2: Single-pass data wipe
  Level 3: DOD-5220 data wipe
  Level 4: Physical destruction

Staff Requirements
  Level 1: Nondisclosure agreement and background check
  Level 2: Nondisclosure agreement and background check
  Level 3: Nondisclosure agreement and background check
  Level 4: Nondisclosure agreement and background check

Additional Control
  Level 1: None
  Level 2: Based on risk
  Level 3: One of the following: data resides within a secure facility with two sets of locked doors and physical access logs; encryption
  Level 4: One of the following: data only resides within a secure facility with two sets of locked doors and physical access logs; encryption; additional detective control (e.g. surveillance cameras, security guards, positive ID and sign-in)
