Information Security Policy, Procedures, Guidelines


State of Oklahoma
Information Security Policy, Procedures, Guidelines
Version 1.5
Revised December 2017
Office of Management and Enterprise Services Information Services

Information Security Policies, Procedures, Guidelines

TABLE OF CONTENTS

PREFACE ... 6
INFORMATION SECURITY POLICY ... 7
1.0 INTRODUCTION ... 9
1.1 BACKGROUND ... 9
1.2 POLICY, PROCEDURES, GUIDELINES ... 9
1.3 AUDIENCE ... 10
2.0 INFORMATION ... 11
2.1 INFORMATION CONFIDENTIALITY ... 11
2.2 INFORMATION CONTENT ... 12
2.3 INFORMATION ACCESS ... 12
2.4 INFORMATION SECURITY ... 13
2.5 INFORMATION AVAILABILITY ... 13
3.0 SECURITY PROGRAM MANAGEMENT ... 14
3.1 CENTRAL SECURITY PROGRAM ... 14
3.2 HOSTING AGENCY SECURITY ... 15
3.3 AGENCY SECURITY ... 15
3.4 INCIDENT MANAGEMENT ... 15
3.5 EVENT LOGGING AND MONITORING ... 16
4.0 RISK MANAGEMENT ... 18
4.1 RISK ASSESSMENT ... 18
4.2 RISK MITIGATION ... 19
5.0 PERSONNEL/USER ISSUES ... 20
5.1 STAFFING ... 20
5.2 AWARENESS/TRAINING ... 20
5.3 PERSONAL COMPUTER USAGE ... 21
5.4 EMAIL USAGE ... 22
5.5 INTERNET/INTRANET SECURITY ... 23
6.0 HELP DESK MANAGEMENT ... 26
6.1 SUPPORT CALLS ... 26
6.2 PASSWORD RESETS ... 27
6.3 VOICE MAIL SECURITY ... 27
7.0 PHYSICAL AND ENVIRONMENTAL SECURITY ... 29
7.1 OPERATIONS CENTER ... 29
7.2 OPERATIONS MONITORING ... 29
7.3 BACK-UP OF INFORMATION ... 30
7.4 ACCESS CONTROL ... 31
7.5 NETWORK ... 31
7.6 ELECTRONIC COMMERCE SECURITY ... 34
7.7 MOBILE COMPUTING ... 35
7.8 REMOTE COMPUTING ... 36
7.9 EXTERNAL FACILITIES ... 37
7.10 ENCRYPTION ... 37
8.0 BUSINESS CONTINUITY ... 39
8.2 DISASTER RECOVERY PLAN ... 43
8.3 BUSINESS RECOVERY STRATEGY ... 45
9.0 DATA CENTER MANAGEMENT ... 47
9.1 OPERATING PROCEDURES ... 47
9.2 OPERATIONAL CHANGE CONTROL ... 47
9.3 SEGREGATION OF DUTIES ... 48
9.4 SEPARATION OF DEVELOPMENT AND OPERATIONAL FACILITIES ... 48
9.5 SYSTEMS PLANNING AND ACCEPTANCE ... 49
9.6 CAPACITY PLANNING ... 50
9.7 SYSTEMS ACCEPTANCE ... 50
9.8 OPERATIONS AND FAULT LOGGING ... 51
9.9 MANAGEMENT OF REMOVABLE COMPUTER MEDIA ... 51
9.10 DISPOSAL OF MEDIA ... 51
9.11 EXCHANGES OF INFORMATION AND SOFTWARE ... 52
9.12 PUBLICLY AVAILABLE SYSTEMS ... 52
9.13 USE OF SYSTEM UTILITIES ... 53
9.14 MONITORING SYSTEMS ACCESS AND USE ... 53
9.15 CONTROL OF OPERATIONAL SOFTWARE ... 55
9.16 ACCESS CONTROL TO SOURCE LIBRARY ... 55
9.17 CHANGE CONTROL PROCEDURES ... 56
9.18 RESTRICTIONS ON CHANGES TO SOFTWARE ... 56
9.19 INTRUSION DETECTION SYSTEMS (IDS) ... 57
9.20 CONTROLS ON MALICIOUS SOFTWARE ... 57
9.21 FIREWALLS ... 58
9.22 EXTERNAL FACILITIES MANAGEMENT ... 58
10.0 LEGAL REQUIREMENTS ... 60
10.1 SOFTWARE COPYRIGHT ... 60
10.2 PROTECTION OF INFORMATION ... 60
10.3 PRIVACY OF PERSONAL INFORMATION ... 61
11.0 COMPLIANCE WITH SECURITY POLICY ... 62
APPENDIX A: GLOSSARY ... 63
APPENDIX B: SAMPLE CRISIS TEAM ORGANIZATION ... 66
APPENDIX C: RESPONSIBILITY GRID ... 67
APPENDIX D: CONTINGENCY PLAN CONSIDERATIONS ... 69
APPENDIX E: PROCEDURES AND ACCEPTABLE USE ... 70
APPENDIX E, SECTION 1. COMPUTER (CYBER) INCIDENT REPORTING PROCEDURES ... 70
    NOTIFICATION ... 71
    RESPONSE ACTIONS ... 71
    AGENCY RESPONSIBILITIES ... 71
    INCIDENT REPORTING FORM ... 73
APPENDIX E, SECTION 2. INCIDENT MANAGEMENT PROCEDURE ... 74
    OVERVIEW ... 74
    INCIDENT RESPONSE TEAM ORGANIZATION ... 75
    INCIDENT RESPONSE PROCEDURES ... 77
APPENDIX E, SECTION 3. MEDIA SANITIZATION PROCEDURES FOR THE DESTRUCTION OR DISPOSAL OF ELECTRONIC STORAGE MEDIA ... 82
    INTRODUCTION ... 82
    POLICY ... 82
    PROCEDURES ... 82
    APPROVED DESTRUCTION OR DISPOSAL METHODS ... 83
    BACKGROUND AND GUIDELINES ... 85
APPENDIX E, SECTION 4. REMOVABLE MEDIA: ACCEPTABLE USE POLICY ... 87
    SOFTWARE ENCRYPTION ALTERNATIVES (MOBILE COMPUTING AND REMOVABLE MEDIA) ... 88
    HARDWARE ENCRYPTION ALTERNATIVES (USB FLASH DRIVES—OTHERS MAY BE ADDED IF APPROVED) - CURRENT APPROVED AND VETTED LIST OF DEVICES ... 89
APPENDIX E, SECTION 5. MOBILE COMPUTING DEVICES: ACCEPTABLE USE POLICY ... 92

Revised December 2017 Page 2 of 94

PREFACE

The contents of this document include the minimum Information Security Policy, as well as procedures, guidelines and best practices for the protection of the information assets of the State of Oklahoma (hereafter referred to as the State). The Policy, as well as the procedures, guidelines and best practices, apply to all state agencies. As such, they apply equally to all State employees, contractors or any entity that deals with State information.

The Office of Management and Enterprise Services Information Services (OMES IS) will communicate the Policy, procedures, guidelines and best practices to all state agencies. In turn, all agencies are required to review the Policy and make all staff members aware of their responsibility in protecting the information assets of the State. Those agencies that require additional controls should expand on the content included in this document, but not compromise the standards set forth.

The Policy and those procedures prefaced by "must" are mandatory, as the system involved will be classified as insecure without adherence. Guidelines and best practices are generally prefaced with "should" and are considered mandatory unless limited by functional or environmental considerations.

It is recognized that some agencies have their own proprietary systems that may not conform to the Policy, procedures, guidelines and best practices indicated in this document. A plan for resolution of these system limitations should be created. Any exceptions are to be documented and be available on request. Other non-system related standards that do not require system modification should be instituted as soon as possible.

Revisions to this document are maintained collectively in Appendix E: Revisions, which includes a "Revision Table" describing each addition, change or deletion and the date it was implemented. All revisions are referenced using this procedure. The original document will remain intact.

STATE OF OKLAHOMA INFORMATION SECURITY POLICY

Information is a critical State asset. Information is comparable with other assets in that there is a cost in obtaining it and a value in using it. However, unlike many other assets, the value of reliable and accurate information appreciates over time as opposed to depreciating. Shared information is a powerful tool and loss or misuse can be costly, if not illegal. The intent of this Security Policy is to protect the information assets of the State.

This Security Policy governs all aspects of hardware, software, communications and information. It covers all State Agencies as well as contractors or other entities who may be given permission to log in, view or access State information.

Definitions:
- Information includes any data or knowledge collected, processed, stored, managed, transferred or disseminated by any method.
- The Owner of the information is the State Agency responsible for producing, collecting and maintaining the authenticity, integrity and accuracy of information.
- The Hosting State Agency has physical and operational control of the hardware, software, communications and data bases (files) of the owning Agency. The Hosting Agency can also be an Owner.

The confidentiality of all information created or hosted by a State Agency is the responsibility of that State Agency. Disclosure is governed by legislation, regulatory protections and rules as well as policies and procedures of the owning State Agency. The highest of ethical standards are required to prevent the inappropriate transfer of sensitive or confidential information.

All information content is owned by the State Agency responsible for collecting and maintaining the authenticity, integrity and accuracy of the information. The objective of the owning State Agency is to protect the information from inadvertent or intentional damage, unauthorized disclosure or use according to the owning Agency's defined classification standards and procedural guidelines.

Information access is subject to legal restrictions and to the appropriate approval processes of the owning State Agency. The owning State Agency is responsible for maintaining current and accurate access authorities and communicating these in an agreed upon manner to the security function at the State Agency hosting the information. The hosting State Agency has the responsibility to adhere to procedures and put into effect all authorized changes received from the owning State Agencies in a timely manner.

Information security – The State Agency Director, whose Agency collects and maintains (owns) the information, is responsible for interpreting confidentiality restrictions imposed by laws and statutes, establishing information classification and approving information access. The hosting State Agency will staff a security function whose responsibility will be operational control and timely implementation of access privileges. This will include access authorization, termination of access privileges, monitoring of usage and audit of incidents. The State Agencies that access the systems have the responsibility to protect the confidentiality of information which they use in the course of their assigned duties.

Information availability is the responsibility of the hosting State Agency. Access to information will be granted as needed to all State Agencies to support their required processes, functions and timelines. Proven backup and recovery procedures for all data elements to cover the possible loss or corruption of system information are the responsibility of the hosting State Agency.

The hosting State Agency is responsible for securing strategic and operational control of its hardware, software and telecommunication facilities. Included in this mandate is the implementation of effective safeguards and firewalls to prevent unauthorized access to system processes and computing / telecommunication operational centers. Recovery plans are mandatory and will be periodically tested to ensure the continued availability of services in the event of loss to any of the facilities.

Development, control and communication of Information Security Policy, Procedures and Guidelines for the State of Oklahoma are the responsibility of OMES IS. This Policy represents the minimum requirements for information security at all State Agencies. Individual agency standards for information security may be more specific than these state-wide requirements but shall in no case be less than the minimum requirements.


security guidelines.

3. The Policy, procedures, guidelines and best practices outlined represent the minimum security levels required and must be used as a guide in developing a detailed security plan and additional policies (if required).

1.1 BACKGROUND

1. The information Policy, procedures, guidelines and best practices apply to all
