Attachment 17-A Data Security

DCC_Attachment 17-A_DataSecurity_v2.0_022406 to post

STATE OF TEXAS

Department of Information Resources

Data Center Computing and Facilities Consolidation

REQUEST FOR OFFER

ATTACHMENT 17-A

DATA SECURITY PROCEDURES

FEBRUARY 24, 2006

This document contains confidential and proprietary information of State of Texas - DIR. It is furnished for evaluation purposes only. Except with the express prior written permission of State of Texas - DIR, this document and the information contained herein

may not be published, disclosed, or used for any other purpose.

Attach 17-A – Page 1 of 22

State of Texas – DIR Confidential DRAFT – Dated 02/24/0


Service Provider Guidelines

This Attachment to an Exhibit of the RFO contains specific information supplied by State of Texas - DIR for the Service Provider’s use when responding to the RFO.

Service Provider Instructions

1. The Service Provider will not modify or change anything contained within this Attachment.

2. The Service Provider’s response to the RFO should reflect and comply with the information contained in this Attachment.

3. If the Service Provider wishes to suggest changes to any of State of Texas - DIR’s content or requirements contained in this Attachment, these suggestions should be summarized and submitted separately to State of Texas - DIR in the Service Provider Confirmation Document, as described in the RFO Instructions – Part 4, Proposal Documents Created by Service Provider. Any notation of objections or issues associated with the Attachment content does not eliminate or modify the requirements of this Attachment or this RFO, and the Service Provider’s proposal must not assume any incorporation of the Service Provider’s suggested changes.




TABLE OF CONTENTS 1.0 INTRODUCTION........................................................................................................................... 6 2.0 SYSTEM SECURITY OVERVIEW............................................................................................. 7 3.0 SYSTEM SECURITY POLICIES ................................................................................................ 8

3.1 Computer Systems Access ............................................................................................................ 8 3.2 Annual Awareness and Risk Assessment ..................................................................................... 8 3.3 SUDO Access ............................................................................................................................... 9 3.4 SETUID/SETGID Executables..................................................................................................... 9 3.5 System Hardening ......................................................................................................................... 9

4.0 DISTRIBUTED SYSTEM NORMAL OPERATIONS ............................................................. 10 5.0 PASSWORD SECURITY ............................................................................................................ 10

5.1 Password Content........................................................................................................................ 11 5.2 Password Cycle ........................................................................................................................... 11 5.3 Password Request ....................................................................................................................... 11 5.4 Forgotten Passwords/Reset Password ......................................................................................... 11

6.0 COMPUTER SOFTWARE SECURITY.................................................................................... 12 6.1 Software List ............................................................................................................................... 12 6.2 Protective Policy and Procedures................................................................................................ 12

7.0 PROTECTION OF BACKUP MEDIA....................................................................................... 13 7.1 Tape Media Protection ................................................................................................................ 13 7.2 Angelo Archive and Storage ....................................................................................................... 13

8.0 IRS (SECURITY OF CLASSIFIED INFORMATION) ........................................................... 13 8.1 IRS Media Handling ................................................................................................................... 13 8.2 Proper Disposal of IRS Data....................................................................................................... 13

9.0 NETWORK SECURITY.............................................................................................................. 13 9.1 Access to Information Resources................................................................................................ 14 9.2 Confidentiality of Data and Systems .......................................................................................... 14 9.3 Identification / Authentification.................................................................................................. 14 9.4 Encryption................................................................................................................................... 14 9.5 Auditing ...................................................................................................................................... 14 9.6 Security Incidents........................................................................................................................ 14 9.7 Systems Development, Acquisition and Testing ........................................................................ 14




9.8 Security Policies Internet / Intranet Use...................................................................................... 14 9.9 Intrusion Detection...................................................................................................................... 14 9.10 Network Access .......................................................................................................................... 15 9.11 Network Configuration ............................................................................................................... 15 9.12 Portable Computing .................................................................................................................... 15 9.13 Security Monitoring .................................................................................................................... 15 9.14 Perimeter Security Controls ........................................................................................................ 15

9.14.1 DMZ (Demilitarized Zone) ................................................................................................. 15 9.14.2 Firewall ............................................................................................................................... 15 9.14.3 Intrusion Detection System................................................................................................. 15 9.14.4 Router Security ................................................................................................................... 16 9.14.5 System Identification / Logon Banner ................................................................................ 16

10.0 DIR MONTHLY INCIDENT REPORTING INSTRUCTIONS.............................................. 16 10.1 Introduction................................................................................................................................. 16 10.2 Reporting Requirements ............................................................................................................. 16 10.3 Logging In................................................................................................................................... 17 10.4 Passwords.................................................................................................................................... 17 10.5 Getting Started ............................................................................................................................ 17 10.6 Submit Function.......................................................................................................................... 17 10.7 Reset Function ............................................................................................................................ 17 10.8 Error Messages............................................................................................................................ 17 10.9 Miscellaneous Items.................................................................................................................... 17 10.10 Completed Report ................................................................................................................... 18 10.11 Printouts .................................................................................................................................. 18 10.12 Profile Information.................................................................................................................. 18 10.13 Monthly Incident Report......................................................................................................... 18 10.14 Report Status........................................................................................................................... 18 10.15 Viruses/Worms ....................................................................................................................... 19 10.16 Incident Types......................................................................................................................... 20 10.17 Incident Profiles: ..................................................................................................................... 21 10.18 Systems Affected by Incidents................................................................................................ 21 10.19 Response Activities and General Information: ....................................................................... 21 10.20 Impacts .................................................................................................................................... 22




10.21 Comments to be Shared .......................................................................................................... 22




1.0 INTRODUCTION

This Attachment describes State of Texas - DIR’s current procedures related to Data Security. The Service Provider will adhere to all procedures as part of providing the Services.




2.0 SYSTEM SECURITY OVERVIEW

Security of Computing Systems at the State Data Centers is managed through controlled access to the computer systems and servers, but excludes those agencies who operate in the Mainframe Environment (Currently, agencies operating in the Mainframe environment are responsible for their own systems security).

In taking steps to protect data on Service Provider managed servers, workstations, and networks, the following ideals are considered:

• Confidentiality – ensuring that private data stays private

• Integrity – ensuring that data and systems have not been altered in an unauthorized manner

• Availability – insuring that system and data are available when needed

• Accountability – all actions are traceable

• Assurance – insuring that all of the above mentioned elements are in place

The tools and methods that the State Data Centers i uses to enforce the basic ideal of system security are constantly evolving. As computer attack methods become more sophisticated, so do the tools that we use to defend systems and networks. The Service Provider will use a comprehensive Computer Security (COMPUSEC) program which involves the protection of computing resources from unauthorized local and network access, and from Denial of Service/Distributed Denial of Service attacks (DoS/DDoS) from outside sources. Broadly stated, the base policies of the data centers are:

• User access request forms

• “Hardened” system and network installations

• Application of vendor recommended system updates and security patches (clusters, fixes, efixes, APARs, PTFs, etc)

• Application of “best recommended practice” configurations, from recognized computer security leaders (CERT, CIAC, SANS, etc) on systems and servers

• Enhanced audit logging

• Periodic review of user accounts

• Periodic review of security logs

Both the Data Center Manager and the Systems Security Administrator must review all changes to the Security Procedures for approval.

All Service Provider employees have completed an extensive security screening process prior to employment within the TXSDC facility. The Service provider will establish standards and policies for code of ethics for its employees. Failure to comply with these standards and policies are grounds for termination.




3.0 SYSTEM SECURITY POLICIES

The Security Policies are those principles that guide effective access control of the TXSDC Computer Systems.

3.1 Computer Systems Access

Computer Systems access is only granted on an individual account basis. Group accounts are restricted to special circumstances, and each request for a group account will have to be thoroughly justified to the Systems Security Administrator and Technical Services Manager/Data center Manager.

For non-Service Provider personnel:

• Completing and submitting the Systems Access Request Form (TXSDC)

• Approval from an authorized agency approval authority

• Approval from the Systems Security Administrator

For Service Provider personnel:

• Completing and submitting the Systems Access Request Form (TXSDC)

• Approval from the Systems Security Administrator

• Approval from the Technical Services Manager or Data center Manager

Computer accounts will not be granted without completing all of these steps, regardless of the circumstances. Individual accounts represent personal accountability for each user, and user-ids and passwords will be restricted to the individual granted access. Sharing your user-id and password with any other individual is prohibited, and constitutes grounds for termination of your system account on all Service Provider managed systems. When an account is created, the user will be provided with a temporary password to access their account with. This password will be given only to the individual requesting access. The temporary password expires as soon as the user attempts login, and the system will prompt the user for a new password. Service Provider administrators, helpdesk personnel, or other employees will never ask a user for their password. If there is a problem accessing an account, a new temporary password will be issued. For this reason, users are warned never to give their password to anyone, over the phone or via e-mail, regardless of whom this person represents themselves as.

3.2 Annual Awareness and Risk Assessment

All Service Provider employees are required to attend annual Security Awareness Training. The State of Texas-DIR reserves the right to administer the Security Awareness Training as often as necessary in order to relay all security policy changes. Risk assessments will be performed on an annual basis and will include all aspects of the TXSDC systems security requirements.




3.3 SUDO Access

“SUDO” is a command that allows root level privileges, on a command specific, or system wide basis, without having to distribute the system root password to multiple people. This allows certain individuals to execute privileged commands without knowing the root password. This command can allow a more distributed allocation of responsibilities, but it can also be very dangerous. Access to the sudo command will be considered on a case-by-case basis, as promiscuous use of this command could compromise system security.

3.4 SETUID/SETGID Executables

SetUID/SetGID executable files and scripts have had a history of problems, and will be limited to the absolute minimum number of processes necessary to run the system. As a rule, no new SetUID/SetGID executables will be introduced into the environment, unless specifically authorized by the Systems Security Administrator and the Technical Services Manager/Data center Manager.

3.5 System Hardening

All servers and workstations managed by the Service provider are “hardened” against unauthorized local and network access. Steps common to all servers includes:

• Installation of latest Operating System patches, APARs, PTFs, and efixes to secure system. NOTE: Patches will only be obtained from a verifiable vendor source!

• Installation of MD5 (used to verify the digital signatures of downloaded patches)

• Disable any unnecessary network services

• Install TCP Wrappers

• On Unix systems, remove /etc/hosts.equiv

• On Unix systems, remove unnecessary $HOME/.rhosts files

• Disable the uucp account

• Disable the rexd service

• Set default umask to 022

• Install and regular checks of Tiger and Tripwire

• For systems logging in from unprotected networks, Secure Shell (ssh) will be used (vice telnet, rsh, rlogin, ftp, etc.)

• Set password length to a minimum of 8 characters, with one numeric character required

• On servers which require ftp services, install WU-FTPD

• For Windows, rename the Administrator account

• For Windows, install and update antivirus software

• For Windows, secure the Emergency Recovery Diskettes (ERDs)




More specific information can be found in the TXSDC documents “AIX System and Security Setup”, “Solaris System and Security Setup”, and “Windows System and Security Setup”. System and security administrators will consult the appropriate document when installing or upgrading these systems.

4.0 DISTRIBUTED SYSTEM NORMAL OPERATIONS

System security is highly dependant on monitoring system activities and logs. On a daily basis, Service Provider Security administrators and/or Operations personnel will perform the following system checks:

• Review system security logs

• Review system access logs

• Review network access logs

• Review reports located at the Computer Emergency Response Team (CERT) center http://www.cert.org

• Review reports located at the Computer Incident Advisory Capability (CIAC) center http://www.ciac.org

On a quarterly basis, the following additional checks will be performed:

• System patch review

• User account review

• System audit log configuration review

On a yearly basis, the following additional check will be performed:

• Operating System upgrade review

If a security problem is discovered, the individual performing the review will initiate a Change Ticket, using the Service Provider Change Management Procedures, to address the security problem. Any fixes, patches, or workarounds, will be documented in the Change Ticket.

In any event, should the individual performing the review notice any unusual activity or obvious system compromise, the appropriate technical team lead will be notified, along with the Technical Services Manager and Data Center Manager, for appropriate further action.

5.0 PASSWORD SECURITY

Password security within the TXSDC varies by customer as their requirements differ based upon data and/or State requirements. These policies are used to govern the Service Provider and as a base for those customers that do not care to establish their own set of rules and regulations. It is the responsibility of each customer to communicate their requirement for implementation by Service Provider on their behalf. Some typical password security measures, which are used by TXSDC customers, are included in this Section.



http://www.cert.org/

http://www.ciac.org/


5.1 Password Content

Passwords should have a minimum of 8 characters.

No dictionary words are allowed.

Passwords cannot contain more than 2 characters that are identical.

Passwords should include 2 of the 4 following characteristics:

• Upper-case alphabetic

• Lower-case alphabetic

• Numeric

• Special characters

When changing your password, the new password must have at least 3 characters different form the old password.

5.2 Password Cycle

Number of failed logins before account is locked: 3

Number of Days to warn user before password expires: 10

Number of passwords before reuse: 8

Weeks before password reuse: 26

Weeks between password expiration and lockout: 1

Password minimum age is 4 weeks.

Passwords will expire every 90 days at a minimum. Customer Agency practices may dictate a shorter expiration period. This requirement is also dictated by the IRS.

5.3 Password Request

Passwords requested must be accompanied by Mother’s maiden name and the last four digits of the user’s social security number.

5.4 Forgotten Passwords/Reset Password

Requests for forgotten passwords and/or resetting passwords will be honored only when the Mother’s maiden name and last four digits of the user’s social security number are provided.




6.0 COMPUTER SOFTWARE SECURITY

6.1 Software List

Includes all software required to satisfy contract requirements. This list of software is maintained by our local and regional procurement personnel.

6.2 Protective Policy and Procedures

A “role” is a specific data processing function that a user performs. Examples include terminal operator, application developer, database administrator, etc. Users normally slip from one role to another naturally without being aware of the change. Security relevant roles require a more structured approach.

The Systems Administrators/Systems Programmers are responsible for operating system security, layered product security, system users with system administration responsibilities. The Systems Administrator/Systems Programmer is also responsible for the central software security administration of the facility. The duties include the following:

• Establishing and enforcing the security administration procedures,

• Administering the software security components of the operating system,

• Administering the security interfaces between applications and the security package,

• Maintaining user accounts,

• Processes and review audit logs covering any system information for which they are responsible,

• Ensures all users receive the security requirements and directives,

• Reports security related problems to Project Manager and SIMS Project Manager

• Requests implementation of access control authorizations,

• Reports any identified system vulnerabilities,

• Monitors to ensure correct implementation of access controls,

• Maintains a library of applicable security publications

• Provides necessary assistance to obtain connectivity capability for users.

• Software installations of security applications and interfaces,

• System maintenance and configuration/change control,

• Maintains operating systems integrity, and

• Installs appropriate security controls

• Creating and modifying software security databases,

Administering specific networking related security issues.




7.0 PROTECTION OF BACKUP MEDIA

7.1 Tape Media Protection

Tape media is strategically placed in automated tape Silos with minimal access to hardware equipment. Only authorized Service Provider employees have access into these Silo environments. As backups are made to existing application data there are requirements to send offsite for Disaster Recovery efforts. These tapes are logged, gathered and stored into hard cases for shipment to and from offsite storage.

These cases are physically secured to keep from having attempts to gain access from individuals outside Service Provider employment.

7.2 Angelo Archive and Storage

Angelo Archive is an independently owned and operator local business that provides secured offsite storage for local business. They have been in the business for over 20 years and are licensed and bonded. These individuals understand the nature of the data they store for the State of Texas and other business and can provide further descriptions of their procedures as required.

8.0 IRS (SECURITY OF CLASSIFIED INFORMATION)

8.1 IRS Media Handling

There are two distinct, secured, IRS tape storage containers at our facility. Both storage containers are located within a secured, key card controlled area (computer floor) and both types of storage containers use key locks. Key access controls are in place to account for keys to these containers.

Currently there are 300 Red (IRS) 3490 tapes that should be kept in the OAG silos at all times. (Unless instructed otherwise by an OAG approver)

The second IRS storage container is a fire rated safe that stores any IRS magnetic tapes that were created by outside entities and shipped to TxSDC for processing.

8.2 Proper Disposal of IRS Data

If the CSD, or TXSDC receives magnetic tapes directly from the IRS or SSA that contain IRS tax information and the tapes have served their purpose, the magnetic tapes must not be released for destruction without first being subjected to electromagnetic erasing. This electromagnetic erasing is known as tape degaussing. Once the tape has been properly degaussed the tape can be destroyed by cutting the tape into lengths of 18 inches or less or by burning the tape to effect complete incineration.

9.0 NETWORK SECURITY

Network security involves the following responsibilities by TXSDC network engineering personnel and other Service provider staff.




9.1 Access to Information Resources

Cisco Pix firewalls deny all access to information resources except to that which has been explicitly authorized. [TAC202.7(a)]

9.2 Confidentiality of Data and Systems

Cisco Pix firewalls are used to secure and segment data and systems. Information resources assigned from one agency to another must be authorized by the providing agency. Access to these information resources will not be granted if the result will cause exposure to either agency. [TAC202.7(b)(2)]

9.3 Identification / Authentification

Virtual Private Network (VPN) connections, for authorized users, are password protected using the current industry best practices. [TAC202.7(c)]

9.4 Encryption

3DES, a 168-bit encryption algorithm, is used to encode data transmissions. [TAC202.7(d)]

9.5 Auditing

All changes to information resources require a change approval that is documented and stored on a secure server. Changes to network devices are also logged to a syslog server that maintains records for 45 days. [TAC202.7(e)]

9.6 Security Incidents

All security incidents are thoroughly investigated and documented. Any affected agency will be promptly notified upon initial detection of incident. All necessary procedures will be followed until containment of the security breach. [TAC202.7(f)]

9.7 Systems Development, Acquisition and Testing

All development, acquisition, and test systems will be treated and secured like a production environment, unless specified by the requesting agency. [TAC202.7(g)]

9.8 Security Policies Internet / Intranet Use

Internet Access is a privilege given to TXSDC personnel and is monitored to ensure prudent use. [TAC202.7(h)(8)]

9.9 Intrusion Detection

An intrusion detection system is in place that logs attempts to bypass security mechanisms. This system is audited weekly and maintains logs for 45 days. [TAC202.7(h)(9)]




9.10 Network Access

Cisco Pix firewalls prevent all network access except to that which has been explicitly authorized. A TACACS+ server authenticates and logs connections to all network devices. [TAC202.7(h)(10)]

9.11 Network Configuration

TXSDC follows the guidelines and best practices for configuring and securing the network as set forth by both Cisco Systems, Inc. and the National Security Agency (NSA). [TAC202.7(h)(11)]

9.12 Portable Computing

Mobile computing devices must be authenticated to the network using either EAP or MAC Authentication. These devices will be encrypted using the Wireless Encryption Protocol (WEP). [TAC202.7(h)(14)]

9.13 Security Monitoring

A TACACS+ server authenticates and logs connections to all network devices. [TAC202.7(h)(16)]

9.14 Perimeter Security Controls

The following procedures will be applied to address Network Perimeter Security Controls.

9.14.1 DMZ (Demilitarized Zone)

DMZs are secured using a combination of Cisco Pix firewalls and access-lists applied to the routers. [TAC202.7(i)(1)]

9.14.2 Firewall

Cisco Pix firewalls are used to secure and segment data and systems. Information resources assigned from one agency to another must be authorized by the providing agency. Access to these information resources will not be granted if the result will cause exposure to either agency. Cisco IOS firewalls are also implemented on some routers to provide another level of security. [TAC202.7(i)(2)]

9.14.3 Intrusion Detection System

An intrusion detection system is in place that records syslog information for all network devices and stores the logs for 45 days. Alerts are sent to a 24-hour monitor and can alert network personnel if deemed necessary. [TAC202.7(i)(3)]




9.14.4 Router Security

Routers are secured at the perimeter by access-lists. A TACACS+ server authenticates all users requesting access into the routers. [TAC202.7(i)(4)]

9.14.5 System Identification / Logon Banner

The following banner is displayed on TXSDC network devices:

• “Unauthorized Access is Prohibited by Law”

• “Your ip has been logged in an IDS DEVICE” [TAC202.7(j)]

10.0 DIR MONTHLY INCIDENT REPORTING INSTRUCTIONS

10.1 Introduction

TAC 202.7 (f)(3) states “Each agency shall provide summary reports to the Department (Department of Information Resources) that contains information concerning violations of security policy of which the agency has become aware. An agency shall not be required to report security incidents unless it reasonably believes such incidents may involve criminal activity under Texas Penal Code Chapters 33 (Computer Crimes) or 33A (Telecommunications Crimes).” “Reports must be sent to the Department on a monthly basis no later than the fifth (5th) working day after the end of the month.” (http://www.dir.state.tx.us/security/policies/index.htm)

Security incidents which have a substantial likelihood of being propagated to other systems beyond the control of the agency should be reported to DIR within 24 hours (In addition to being included in the monthly report). [TAC 202.7 (f)(1)]. The DIR Emergency Pager Number is 1 (800) 490-6311 or local number (512) 305-1667.

Incident Reporting System Security

Several steps have been taken to ensure the security of the information provided. The application development team has worked in conjunction with the Security Office at DIR to provide as secure a system as possible. DIR has taken every reasonable step to secure the system, and the information provided by agencies.

10.2 Reporting Requirements

The TAC 202.7 (f) requires that agencies and universities report by the 5th working day of the month. Based on this requirement, the Incident Reporting system will remind the agency incident reporter, the IRM and DIR if an agency has not reported by the eighth day of the month. This will give the agency an opportunity to report the monthly incidents. Agencies will receive an email that the report has been successfully completed at the end of the reporting period. This will allow agencies to make changes up to the last reporting date. If an agency does not report after the required date, the agency will then be required to include the information in the next month’s report.




10.3 Logging In

To keep the Security Incident Reporting system secure, the link is not available on the DIR Security Office web site. The site can only be accessed by typing in the URL: https://sirs.dir.state.tx.us/login.html. Please bookmark it for convenience.

10.4 Passwords

The first login creates a prompt to change the password. Please follow instruction on the password page for the required password format. Also, passwords can be changed at any time by clicking on the “Change Password” link on the Navigation Bar.

If you forget your password, please call Security Office Contact at 512-936-2652.

Incident Reporting System Help Function

The Incident Reporting system provides “help” features throughout the system. Click on the blue help links for windows with additional information.

10.5 Getting Started

Each section is listed on the as a link Navigation Bar. Moving from one section to another automatically saves the previous section. If the required information is complete, a check (√) will appear next to the section on the Navigation Bar.

10.6 Submit Function

The Submit function saves the section you have just completed. If you go to the next section without clicking the Submit button, your data will not be saved. You may come back at a later time, before the cutoff date, to complete the report. Please make sure that the check marks (√) appear on the sections you complete, otherwise there could be an error.

10.7 Reset Function

The Reset function is used to reset the section to your previous entries. It will reset the entries only if you have saved them by using the Submit function. It will not clear the entries.

10.8 Error Messages

If there is an error within the section, an error message will appear at the top of the page once the Submit button is clicked If the error has been corrected and the section is complete, a check (√) will appear next to the section on the Navigation Bar.

10.9 Miscellaneous Items

Do not attempt to refresh your screen while in the system. Also, do not use the Back button on your tool bar. Use the section names on the Navigation Bar to move from one section to the next. If the Back button is used, the entries will not be saved.



https://sirs.dir.state.tx.us/login.html


Please use the Log Out function on the tool bar when leaving the system. Be sure and click on the Submit button in order to save your entries before you log out.

10.10 Completed Report

When the report is completed, and all the required sections have a check mark (√) by them on the Navigation Bar, simply click on the Log Out link on the Navigation Bar. The Incident Report can be re-entered and changes made up until the cut off date.

Once the due date has passed, the system cannot be accessed for that month. After the 5th working day of the month, the system will be reset for the next month. If you have additional information, please include it in the next month’s incident report.

10.11 Printouts

Please print each section if you want a print out. DIR is in the first phase of this system design. The second phase will include agency requested reports.

10.12 Profile Information

Profile information is mutually exclusive from the Monthly Incident Report. Each agency is required to complete profile information the first time the online system is used. The form can be updated throughout the year.

This form will be used by DIR to create email groups based on an agency’s configuration. Alerts will be sent to agencies and universities based on the type of incident and the agency’s configuration. This will also assist DIR in determining the type of training needed. Click on the Submit button when completed.

The IDS Management section on the Navigation Bar is part of the Profile Information. Be sure and complete this section as well and include the exact made and model of your IDS and firewall(s). This section does not have a Submit button. When you click on the Add button, the information will be saved.

10.13 Monthly Incident Report

10.14 Report Status

This section identifies your agency information and is automatically filled in when the user logs in. In order to add or change this information, the agency/university Information Resource Manager will need to contact DIR either through a letter or email. Send the email to: Security [email protected] or send a letter to:

Security Coordinator

P.O. Box 13564

Austin, TX 78711-3564

If your agency or university encountered no incidents for the month:



mailto:Security [email protected]

mailto:Security [email protected]


• check the “No incidents were detected during this reporting period” box,

• click on the Submit button,

• click on “Log Out” on the Navigation Bar.

If you have incidents:

• leave the “No incidents were detected during this reporting period” blank,

• click on the Submit button,

• proceed with the reporting by clicking on the section link on the left Navigation Bar.

10.15 Viruses/Worms

Click the Navigation Bar link for “Virus/Worms” and enter the names of the top 10 viruses/worms that you detected for the current month. Please use the “Symantec’s Virus Page” or McAfee’s Virus Page links on the page, and cut and paste the exact virus name into the name field of the Viruses/Worms section. This will ensure consistency of virus names when compiling the top 10 viruses for the state.

Indicate the source of the viruses as either External or Internal by entering the appropriate number in each field. You may have both internal and external entries for the same virus. For example, assume you had a total of 100 virus incidents for a particular virus. You might have 15 virus infections which occurred because an employee brought in an infected disk and shared it with others. That would be reported under “Internal”. You might also have 85 infections for the same virus which came through an email attachment. That would be reported as “External”. If you only have 1 incident for a particular virus, enter it in the appropriate field, either internal or external, and enter a 0 in the field left blank, otherwise you will receive an error message.

If you have more than 10 virus types for the month, enter Other as the virus name and put the totals in External and/or Internal cells. Virus totals will be calculated automatically and included in (A), Malicious Code section, #1 Viruses/Worms. This section does not have a Submit button, the add button saves the entry.

Malicious Code: Malicious Code can be attacks by programs typically written to masquerade their presence and are often difficult to detect. They include:

• Viruses and worms

• Back Door and Trojan horse programs, and;

• Other. Other is not limited to but can include scripts used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs. It also includes all remaining viruses other than the top 10 reported under the Viruses/Worms section.

(A) Malicious Code: Logic Bombs and Back Doors should be listed separately from viruses in the fields provided.

(B) Actual Infections: These fields indicate the number of actual infections of hard disks and servers. Totals will be calculated automatically and will populate Incident Types section, #1, Actual Infections.




When completed, click on the Submit button.

10.16 Incident Types

This section is a breakdown of the types of incidents that have occurred.

1. Actual Infections

• (A)Malicious Code section,

• (B), Actual Infections.

2. This pertains to someone gaining unauthorized access to perhaps your computer room, to a computer itself, or a communications closet.

3. Unauthorized Information Access An example might be a user leaving their computer logged on and another user accesses the computer and subsequently information they are not authorized for.

4. Web Site Defacement

5. Theft of Equipment

6. Theft of Information

7. Unauthorized Use

Access to a user's account to perpetrate an attack is not absolutely necessary. Unauthorized use includes:

• using the network file system (NFS) to mount the file system of a remote server machine

• using the VMS file access listener to transfer files without authorization

• using inter-domain access mechanisms in Windows NT to access files and directories in another organization's domain

8. Unauthorized Misuse

Misuse can be intentional or unintentional. Misuse incidents and response are based on agency risk assessment and defined by agency policy. Misuse includes:

• use of a computing system for other than official purposes

• changes made to system hardware, firmware, or software characteristics without the agency's knowledge, instruction, or consent.

9. Accidental or Planned Disruption

A disruption in computer services that is either planned or happens by accident. Scheduled maintenance which temporarily disrupts business operations is a planned disruption. An accidental disruption can be a power outage, a virus infection, a server malfunction or anything that can affect the flow of the business operation or a loss of data.

10. Disruption or Denial of Service

Disruptions to network and computing services include:




• erasing a critical program

• spamming (flooding accounts with email)

11. Others

Anything that does not fit any of the above categories. Hoaxes would fall into the “Others” category. Hoaxes spread false information about incidents or vulnerabilities. Many of these are spread via email chain letters. For example, information on the Good Times Virus spread rapidly across the Internet, but it never existed.


10.17 Incident Profiles:

Of those detected with IDS and/or log reviews, indicate the number caused from internal and the number caused from external sources.


10.18 Systems Affected by Incidents

Server Types

Indicate the number of incidents which affected by each server type. Under “Other Types: Identify if appropriate” indicate any other type of server affected in the text box below and the number of incidents in the field to the right.


10.19 Response Activities and General Information:

This section gathers information regarding the effects of the incident.

If question number five, “How many reported incidents resulted in damage to agency/university information resources assets?” is one or higher, question 5. a should also be answered.

If question seven, “How many incidents resulted in implementation of new security measures?” is one or higher, then at least one of the sub-set questions, 7. a,b,c or d must be answered. All may be answered if appropriate.

If question eight, “How many reported incidents resulted in proliferation (if known)?” is one or higher, then at least one of the subset questions, 8. a or b must be answered. Both may be answered if appropriate.





10.20 Impacts

It is very important that this section be filled out as accurately as possible. This aggregate information helps to give an overall picture of the security posture of the state and is correlated to previous months and years to measure improvement.

When reporting partial hours, please round to the nearest hour. If it is one to sixty minutes, round to 1 hour. When completed, click on the Submit button.

10.21 Comments to be Shared

This section is optional. Enter any information you think would be helpful to other agencies and universities regarding your incident response experiences/solutions. The information should be generic, (i.e., no identifying information) since the information may be sent via the IRAPC list to others.




Technology

Attachment 17-A Data Security