Reference #: ITD-SEC-13.1
Issue #: 1
Issue Date: March 18, 2013
This policy articulates requirements that assist management in defining a framework that establishes secure agency Information Technology (IT) environments.
This policy requires the development, adoption and implementation of detailed operating procedures that support the principles of least privilege and separation of duties to facilitate secure operation of information processing facilities.
It is the responsibility of Agency Heads to have controls in place and in effect that provide reasonable assurance that the three guiding security principles, confidentiality, integrity and availability, are met. The Agency Head has the responsibility to exercise due diligence in the adoption of this framework. Agencies must achieve compliance with the overall information security goals of the Commonwealth including compliance with laws, regulations, policies and standards to which their technology resources and data, including but not limited to personal information, are subject.
All agencies and entities governed by the overarching Enterprise Information Security Policy must adhere to requirements of this supporting policy.
- Executive Department Agencies, in addition to any agency or third party that connects to the Commonwealth’s wide area network (MAGNet), must comply with this policy.
- Executive Department Agencies are required to ensure compliance by any business partner that accesses Executive Department IT Resources or shared environments, e.g. MAGNet; and
- Executive Department Agencies are required to ensure compliance by third parties in any aspect of the process of providing goods and services to their agency. These include, but are not limited to, electronic data collection, storage, processing, disposal, dissemination and maintenance. Third parties that interact in any way with Executive Department Commonwealth IT Resources, e.g. MAGNet, are required to comply with this policy.
Other Commonwealth entities are encouraged to adopt, at a minimum, security requirements in accordance with this Enterprise Communications & Operations Management Policy or a more stringent agency policy that addresses agency specific and business related directives, laws, and regulations.
Agencies are required to develop and implement policies and formal procedures including relevant documentation to secure the operations, availability, and maintenance of IT Resources and information assets including network infrastructure and communications from unauthorized access, destruction, corruption, and misuse.
Such policy and procedures must address the need for development, test, and production environments to be separated in order to reduce the risk of unauthorized access or inadvertent changes to the production environment.
It is necessary to identify the degree of separation needed to prevent operational problems or security incidents prior to identifying and implementing appropriate controls and security hardening.
Agencies are required to implement procedures for managing system activities associated with access to information and information systems, modes of communication, and information processing by implementing:
1. Controls for securing removable/portable media: Agencies are required to develop and enforce policy and procedures regarding storage of information classified as having high sensitivity on portable devices.
Implementation of required protective measures to safeguard the confidentiality and integrity of the data in the event of theft or loss of the portable device may include encryption or physical protection for access to the IT Resource.
Policy and procedure must be established for controlled management of removable media which includes at a minimum, the following controls:
1.1. Implement logging and audit trails of media removal from or relocations within the organization's premises and maintain as appropriate to the data classification level.
1.2. Require prior management approval and authorization for storage of data as appropriate to the data classification level on removable media including removal or relocation of the media.
1.3. Impose restrictions on the type(s) of media, and usages thereof, where necessary for adequate security.
1.4. Restrict agency users from storing high sensitivity data, including but not limited to personal information, on removable media (e.g., USB thumb drives, flash drives, compact discs, tapes) unless specifically directed to do so as part of their job function and authorized by agency management.
1.5. Encrypt all data on mobile and remote computers/devices (e.g. laptops and/or desktops) that are used from outside an agency location to access or store high sensitivity data in support of normal business operations.
1.6. Ensure that high sensitivity data maintained on peripheral devices (e.g., USB enabled portable storage devices, DVD, and/or CD-ROM) is secured through the use of encryption technologies or other security measures.
1.7. Restrict remote access to high sensitivity information, including but not limited to PII, to authorized remote access services as identified in the Enterprise Access Control Security Policy and the Enterprise Information Security Standards: Data Classification.
1.8. Use a “time-out” or automatic log out function for remote access and mobile devices requiring user re-authentication after a specific, agency defined period of inactivity.
1.9. Track remote or mobile access to high sensitivity information and have procedures to ensure saved or downloaded information is securely deleted when it is no longer required for business purposes.
1.10. Securely dispose of media when it is no longer required. High sensitivity data must be thoroughly erased from the removable media, or the media itself destroyed.
1.11. Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
2. Data backup procedures: Agencies are required to develop and implement backup procedures to ensure that backup of systems and data and verification testing are performed, schedules and backup documentation are written, and storage locations chosen, in accordance with industry best practices and agency security requirements.
Sufficient backup procedures will prevent loss of vital information and achieve backup, recovery and continuous operation consistent with the agency’s business and core functions. Such procedures must be followed to protect all agency mission critical IT Resources and include at a minimum:
2.1. Backup copies of agency IT systems information including a list of servers and associated volumes and/or devices and software must be completed, tested and retained to ensure the systems are fully recoverable in accordance with this policy.
2.2. Backup media containing backup information must be safeguarded according to its applicable data classification. When utilizing third party resources for off-site storage the media must be physically secured and/or encrypted to guard against loss or theft.
2.3. Backup media (a minimum of one fully recoverable version) must be regularly stored offsite at a secure alternate agency location or through an approved third-party data archive firm.
2.4. The frequency of backups must be determined by the volatility of the data; the retention period for backup copies should be determined by the criticality of the data and must be, at a minimum, thirty days.
2.5. Backup schedules must be accessible only to authorized IT personnel. Such schedules may be modified only by authorized senior IT personnel.
2.6. Changes to the backup schedules must be requested and managed through a change control procedure/process including appropriate modifications to the associated documentation.
2.7. Backup media must be stored in multiple locations dependent upon the criticality of the data resident on the media. Appropriate redundancy of the storage is dependent upon the risks to the medium and the retention period for the data; redundancy is particularly important where storage retention requirements exceed the rated life of the medium.
2.8. All critical agency data accessed from desktops, laptops or other portable devices must be stored on secured networked file server storage devices to allow for regular backup.
2.9. Backup documentation must be maintained, up to date and include identification of all critical data, programs, storage documentation and support items necessary to perform essential recovery tasks to fully recover from either single or multiple system/application failures.
2.10. Backup and recovery documentation must be reviewed, tested and updated regularly to account for new technology, business driver changes, and application migration to other platforms.
3. Separation of Duties: Separation or segregation of duties is a method for reducing risk of accidental or deliberate system misuse by segregating an individual staff member’s (including but not limited to employee, contractor, etc.) sphere of influence and control, and must be applied to the extent possible and practicable to all IT systems particularly those that collect, handle, store, process, dispose, or disseminate high sensitivity data.
4. Data collection and secure disposal of data/media: Data must be secured and retained for the period in which its use was intended, taking into consideration the data record retention laws and regulations to which it may be subject. Upon determination that the data is no longer required, it and the media on which it is stored must be disposed of in a secure manner.
Proper management of data requires agencies to perform periodic reviews of data and assess their classifications and controls, with adherence to the Enterprise Information Security Standards: Data Classification.
Agencies are required to develop and implement formal procedures for data handling, storage and secure disposal of the data and media to protect data from unauthorized disclosure or misuse. The procedures must include at a minimum the following controls:
4.1. Physical and technical access restrictions appropriate to the enterprise data classification standards level.
4.2. Handling and labeling of all media according to its indicated enterprise data classification standards level (high sensitivity).
4.3. Maintenance of formal records of data transfers, including logging and audit trails for data classified as high sensitivity.
4.4. Review at appropriate intervals of the distribution and authorized recipient lists.
4.5. Use of generally-accepted secure disposal methods for media that contain or might contain high sensitivity data.
4.6. Implement and monitor logging and audit trails of disposal operations where appropriate to the sensitivity of the data.
5. Monitoring system use: Procedures must be established and implemented to appropriately monitor IT system usage and to review the results of monitoring regularly, including at a minimum the following controls:
5.1. Configure event tracking and recording as needed per classification of the IT system. The level of monitoring should coincide with the criticality of the system and the results of the risk/vulnerability assessment.
5.2. Monitor and review data as determined by the criticality of the application/system or information involved, past experience with information security incidents, and general risk assessment.
6. Audit logging: Audit logs which record exceptions, user activities, and other information security related events must be produced, and retained for a predetermined time period agreed to by agency management and business application owners, to assist in future investigations and access control monitoring including at a minimum the following controls:
6.1. Record system events as needed and with consideration for impact on system performance and capacity, including at a minimum the following key events:
6.1.1. System identity;
6.1.2. Date/time and details of the event;
6.1.3. The user-ID associated with the event;
6.1.4. Terminal identity and/or location;
6.1.5. Network addresses and protocols;
6.1.6. Records of successful and unsuccessful system accesses or other resource accesses;
6.1.7. Changes to system configurations;
6.1.8. Use of privileged accounts; and
6.1.9. Use of system utilities and applications, files accessed and the kinds of access, alarms raised by the access control or any other protection system.
6.2. Monitor and review system administrator and system operator activities on a regular basis.
6.3. Implement appropriate combination of security protections (technical, physical and administrative) to ensure integrity and availability of audit logs.
6.4. Restrictions on access to logs must be enforced by protecting the logs from unauthorized access that could result in recorded information being altered or deleted. System administrators must be prevented from erasing or deactivating logs of their own activity.
7. Protection of log information (administrator and operator logs): Logging facilities and log information must be protected against tampering and unauthorized access.
7.1. System administrator and system operator activities must be appropriately logged, as part of the general audit trail process and procedure.
7.2. The logs must be checked regularly to ensure that the correct procedures are being followed.
8. Protection of system documentation: System documentation must be protected against unauthorized access including at a minimum the following controls:
8.1. Secure storage (e.g., locked file cabinets or offices) of documentation, in hard copy or electronic format; and
8.2. Implement authentication and access control measures, where appropriate to the sensitivity of the documentation.
9. Fault logging: Faults must be logged, analyzed and necessary actions taken to remediate wherever possible.
9.1. Faults reported by users regarding problems with agency IT processing or communication systems must be logged, assigned and managed by the Help Desk from inception through resolution to the greatest extent possible.
9.2. Fault logs must be reviewed regularly by system administrators to ensure that unnecessary or unforeseen risks are not being introduced.
9.3. When faults indicate that a risk has been introduced, a security incident must be opened with the Enterprise Security Office per the Enterprise IT Security Incident Response Policy.
10. Antivirus: All agencies are required to deploy and maintain antivirus software and regularly update the virus definition files to protect IT systems from constant threats including malware, viruses, worms, and Trojan horses.
10.1. All IT systems vulnerable to electronic viruses must be appropriately safeguarded against infection and retransmission.
10.2. Agency wide automated updates of virus definitions must be employed where practicable to ensure that the most up-to-date definitions are in effect.
11. Network controls: Agency networks must be appropriately managed and controlled in order to be protected from threats and to maintain security for the systems and applications using MAGNet, including information in transit, by implementing at a minimum the following controls:
11.1. Separation of operational responsibilities for networks from those for computer systems and operations, where appropriate;
11.2. Implementation of appropriate controls to assure the availability of network services and information services using the network;
11.3. Establishment of responsibilities and procedures for management of equipment on the network, including equipment in user areas;
11.4. Special controls to safeguard the confidentiality and integrity of sensitive data passing over the organization's network and to/from public networks;
11.5. Appropriate logging and monitoring of network activities, including security-relevant actions;
11.6. Implementation of management processes to ensure coordination of and consistency in the elements of the network infrastructure;
11.7. Electronic transfers of high sensitivity data (including personal information) require strong encryption using industry-standard encryption software, as well as secure file transfer mechanisms.
11.8. All hosts must be security hardened to required levels including all current operating system and network software security updates and patches;
11.9. Securely store documentation of the network architecture including configuration settings of all hardware and software components that make up the network. The components should be managed and maintained in an asset register.
12. Clock synchronization: The system clocks of all relevant agency information processing systems within the organization or security domain must be appropriately synchronized with an agreed-upon time source to ensure the accuracy of all system audit logs in the event they are required for an incident investigation.
12.1. Time and frequency services are significant elements of network infrastructure and are critical to emerging applications; they must therefore be protected from compromise through implementation of sufficient security mechanisms.
12.2. Selection and implementation of such security mechanisms must take into consideration the potential performance impact to the designated time source.
13. Network management controls and services: Agencies are required to ensure the protection of information in networks including protection of the supporting network infrastructure.
13.1. Security features, service levels and management requirements for all network services must be identified in reasonable detail, and included in a network services agreement, whether those services are provided in-house or outsourced.
13.2. Controls must include specification and implementation of:
13.2.1. Technologies applied for security of network services, such as authentication, encryption and connection controls;
13.2.2. Technical parameters and rules for secured connection with the network;
13.2.3. Procedures and processes to control/restrict network access; and
13.2.4. Adequate monitoring, logging, and assurance mechanisms, including the monitoring of security events, faults, security device (e.g., firewalls, intrusion detection/prevention, etc.) usage and network health, are required to verify that security safeguards and controls are in place and in effect.
14. Exchange of information: Agencies are required to maintain the security of information and software exchanged within an organization and with any external entity.
14.1. Exchanges of information and software between organizations must be based on a formal exchange agreement, and should be compliant with any relevant legislation.
14.2. Controls must include implementation of:
14.2.1. Procedures and standards established to protect information and physical media containing information in transit;
14.2.2. Agreements to control the exchange of software between organizations;
14.2.3. Procedures in place to protect the exchange of information through the use of all types of communications facilities including wireless communications and electronic communications, voice, facsimile, and video;
14.2.4. Procedures for the detection of and protection against malicious code that may be transmitted through the use of electronic communications;
14.2.5. Cryptographic techniques to protect the confidentiality, integrity and authenticity of information;
14.2.6. Retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations and contracts to which the agency is a party; and
14.2.7. A set of protocols to ensure sensitive information or data is shared with the correct audience (e.g., the Traffic Light Protocol (TLP)).
15. Electronic Commerce: In order to ensure the security of electronic commerce services and their secure use, agencies who offer these services must have controls in place to protect public networks from fraudulent activity, contract dispute and unauthorized disclosure and modification.
All Commonwealth entities that process, transmit, or store credit card payment data (internally or through a third-party processor) through ANY means (lockbox, mail, cashier window, point-of-sale (POS) swipe or keypad device, telephone, interactive voice response (IVR) systems, or web application) must certify and attest annually that the department is PCI compliant. Security considerations for electronic commerce should include the following:
15.1. Controls must include implementation of:
15.1.1. Protection of online transactions;
15.1.2. Protection against contract disputes;
15.1.3. Protection of the confidentiality and integrity of order information;
15.1.4. Use of cryptographic techniques to protect ecommerce activities;
15.1.5. Provisions to ensure ecommerce hosting service providers reduce vulnerability to network attacks;
15.1.6. Procedures in place to ensure that information in the system cannot be accessed by persons without appropriate authorization; and
15.1.7. Controls to protect electronic signatures.
All agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy. The roles and responsibilities associated with implementation and compliance with this policy follow:
Assistant Secretary for Information Technology
- Develop mandatory standards and procedures for agencies to follow before entering into contracts that will provide third parties with access to electronic high sensitivity information including but not limited to personal information or IT systems containing such information.
- The Assistant Secretary for Information Technology is responsible for the approval and adoption of the Enterprise Communications & Operations Management Policy and its revisions.
Secretariat Chief Information Officer (SCIO) and Agency Head
- SCIOs and Agency heads are responsible for exercising due diligence in adhering to the requirements contained in this policy.
- Provide communication, training and enforcement of this policy that support the security goals of the Secretariat, its agencies and the Commonwealth.
Secretariat or Agency Information Security Officer (ISO)
- Ensure that the goals and requirements of the Enterprise Communications & Operations Management Policy are implemented and met.
Enterprise Security Board (ESB)
- Recommend revisions and updates to this policy and related standards.
The Executive Office of Technology Services and Security (EOTSS)
- After review of any related recommendations of the Enterprise Security Board, issue revisions and updates to this policy and related standards.
- Required to comply with agency implementation of this policy at a minimum or a more stringent agency specific policy including:
- Attestation and certification that third parties have read Executive Order 504 and this policy.
- Review and compliance with all information security programs, plans, guidelines, standards and policies that apply to the work they will be performing for their contracting agency.
- Communication of such provisions to, and enforcement of them against, their subcontractors, and implementation and maintenance of any other reasonable and appropriate security procedures and practices necessary to protect high sensitivity information, including but not limited to personal information, to which they are given access as part of the contract from unauthorized access, destruction, use, modification, disclosure or loss.
Primary references that were used in development of this policy include:
Executive Order 504
Additional information referenced includes:
M.G.L., Ch 93H
M.G.L., Ch 93I
M.G.L., Ch 66A
HIPAA Security Rule
Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the EOTSS web site where a full glossary of Commonwealth Specific Terms is maintained.
No terms specific to this policy have been included.
| Date | Action | Effective Date | Next Review Date |
|---|---|---|---|
| | Accessibility remediation - no content changes | | |