
June 22, 2011


Purpose

This document provides the minimum requirements to establish, maintain, and terminate interconnections with the shared state IT infrastructure or to IT systems outside state government.


Overview

The State of Iowa maintains a variety of data in its IT systems, including confidential and sensitive customer information. Connecting agency IT systems to networks outside of their agency increases the risk of unauthorized access to information and disruption of service. Protection of data and systems will be enhanced by ensuring that agencies follow standards when connecting to the shared state IT infrastructure or to IT systems outside state government.


Scope

For the purpose of this standard, security is defined as the ability to protect the confidentiality, integrity, and availability of information processed, stored and transmitted by agencies. Information technology assets covered by this policy include those that process, store, transmit or monitor digital information. This document presents minimum standards which must be met by agencies wishing to connect to the shared State IT infrastructure and IT systems outside state government.

This standard applies to all agencies as defined by Iowa Code Chapter 8A, Section 101. Non-participating agencies are encouraged to follow the guidelines in this and other enterprise level policies, standards, guidelines, processes and procedures.


Definitions

Selected terms used in the Enterprise Interconnectivity Standard are defined below:

  • Anti-virus Software: A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
  • Compromise: Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.
  • Interconnection or interconnectivity: The direct connection of two or more IT systems for the purpose of sharing data and other information resources. This includes connections to other agencies; trading partners; third party service providers; and the Internet.
  • Penetration Test: Security test in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network.
  • Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
  • Security Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
  • Vulnerability Assessment: Formal description and evaluation of the vulnerabilities in an information system.

Updates

This standard will be reviewed at least every two years and updated as needed.


Elements of the Standard

The following elements apply to agencies connecting to the shared State IT infrastructure or IT systems outside state government.

  1. Logging: Agencies shall maintain and review logs for all servers and network devices. Agencies shall:
    1. Develop a log review policy including:
      1. Length of time for log retention (Log retention must be at least 90 days)
      2. Individual(s) responsible for log review
      3. Log review frequency
      4. Log review procedures
    2. Develop baseline behavior for normal activity
    3. Derivation of Time: Devices will synchronize their time with an NTP server. Daylight saving time will be adjusted.
  2. Encryption: Agencies must use a minimum of 256-bit encryption for: remote connections; administration tasks; and file transfers containing confidential data.
  3. Firewalls: Agencies shall install and maintain firewalls at all interconnections to their agency. This includes connections to other agencies; trading partners; third party service providers; and the Internet. The following requirements must be met for firewalls:
    1. Default passwords are changed before installation
    2. Software and/or integrated operating systems of hardware firewalls are up to date. Updates must be tested before going into production.
    3. SNMP community strings are changed from the default setting
    4. Firewalls shall perform ingress and egress filtering
    5. Firewalls shall block all traffic by default. An exception list shall be established to identify authorized ports, services and addresses. Ports with no activity for over a year shall be closed.
    6. Critical systems are segregated into logical zones
    7. Firewalls must fail in a closed state
    8. Firewall configurations are reviewed and updated quarterly by network administrators
  4. Logical Access Controls: Agencies shall use Access Control Lists (ACL) and access rules to specify the access for authorized personnel (or agencies if they are using a site-to-site VPN) to networked devices (servers, routers, switches and firewalls). ACLs shall include the level of access and the types of transactions and functions that are permitted (e.g., read, write, execute, delete, create, and search).
    1. ACLs shall be:
      1. Configured offline
      2. Versioned in a repository
      3. Distributed to the appropriate control device
    2. Agencies shall grant appropriate access privileges:
      1. Based on roles or job functions
      2. Based on the principle of least privilege
    3. Only system administrators with a business need have access to the controls
  5. Banner: Log-on screens used for entry into an agency’s network shall have a warning banner. The agency's legal counsel shall approve the banner, which shall notify users that:
    1. Users are entering a State of Iowa system
    2. Access is limited to authorized use only
    3. Users consent to monitoring
  6. Identification and Authentication: Agencies shall identify and authenticate users to ensure that they are authorized to access the interconnection:
    1. At a minimum passwords and user IDs will be used. Passwords shall be:
      1. At least eight characters and administrator passwords shall be at least 10 characters
      2. A mixture of numbers, upper- and lower-case letters
      3. Include at least one special character
      4. Changed at least every sixty days
    2. Master password files shall be encrypted and protected from unauthorized access.
    3. Emergency administrator passwords shall be stored securely.
    4. The following may be used in addition to strong passwords:
      1. Digital certificates
      2. Authentication tokens
      3. Biometrics
      4. Smart cards
  7. Virus Scanning: Agencies shall install anti-virus software on all servers and computers, except for mainframe computers. The following requirements must be met:
    1. Data transferred to the agency from an external source is scanned
    2. Anti-virus software automatically checks for updates at least daily
    3. Administrators are notified via email, text message or pager if the anti-virus software cannot automatically clean a detected virus
    4. Users are instructed on how to report a suspected virus
  8. System Updates: Agencies shall apply system updates and security patches to their systems in a timely manner. Agencies shall:
    1. Establish a patch methodology
    2. Test patches/updates prior to installation
    3. Install critical patches for active exploits within five (5) business days of release
    4. Non-critical patches shall be applied per a schedule established by the agency
  9. Physical Security: Agencies shall provide appropriate physical security for their information technology systems to prevent unauthorized access.
    1. Servers, routers, switches and other network equipment shall be stored securely in a locked cabinet or room
  10. Security Incidents: Agencies shall notify the Information Security Office of security incidents that involve the disclosure of confidential information, unauthorized access to systems or that may affect other agencies.
    1. Agencies shall develop procedures for incident response and identify an incident response team
    2. Agencies shall isolate and respond to incidents originating from their systems
    3. Law enforcement shall be notified when appropriate
    4. DAS-ISO shall notify appropriate agency personnel of security incidents affecting their agency.
  11. Security Awareness and Training: Agencies shall:
    1. Provide and track security awareness training for new users upon hire and refresher training for all users on an annual basis
    2. Provide and track technical security training annually for staff responsible for managing agency interconnections
    3. Provide training on Enterprise Security Standards
    4. Establish an acceptable use policy and distribute it to all users
  12. Security Reviews: Each agency shall review their security controls at least annually, or when significant change occurs. Agency security reviews shall cover all agency systems and include the following:
    1. Annual vulnerability assessment
    2. Annual external penetration test including all external connections to the agency
    3. Documentation of security problems
    4. Develop a remediation plan to address security problems

The Information Security Office shall conduct annual security reviews of state systems.

  13. Communication: Agencies shall maintain communication with the Information Security Office. Agencies shall provide the Information Security Office with:
    1. The name and phone number for the:
      1. Primary security personnel
      2. Primary technical personnel
    2. A list of new, restored or terminated interconnections
    3. A network diagram and list of internal and external IP addresses
  14. Disconnection: Agencies are subject to emergency disconnection from the shared State IT infrastructure. Agencies may be disconnected if any of the following occur:
    1. An agency system is infected by malware and remediation is unavailable
    2. An agency system is infected by malware and there is a high risk of infecting other systems
    3. An agency system is compromised
    4. Confidential information is at risk of disclosure
    5. An agency system is accessed by an unauthorized user

    Prior to disconnection agencies shall be:

    a. Given the opportunity to isolate and investigate the incident
    b. Notified by telephone and receive e-mail confirmation of the notification
    c. Provided details on when and under what conditions the interconnection shall be restored
    d. If an agency cannot be reached and an emergency exists, item “b” may be omitted
  15. Modems: Agencies shall prohibit unauthorized dial-in modem access. Modems shall:
    1. Require management approval
    2. Disconnect from the phone line when not in use
    3. Use a callback feature where possible
    4. Disable the modem answering capability if not needed
  16. Intrusion Detection System: Agencies shall implement and monitor an intrusion detection system (IDS). All traffic to/from agency interconnections shall be monitored.
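As an added example (not part of the standard or any State of Iowa tooling), the following Python checks implement several of the measurable requirements above: the password composition and sixty-day change rules of element 6, the five-business-day deadline for critical patches in element 8, and the one-year inactivity rule for firewall exceptions in element 3. The business-day calculation counts Monday to Friday only and does not model state holidays, which is an assumption.

```python
"""Checks for quantitative requirements of the Interconnectivity Standard.
Constructed example; not the State of Iowa's own tooling."""
from datetime import date, timedelta
import string

SPECIALS = set(string.punctuation)


def password_failures(password: str, admin: bool = False) -> list:
    """Element 6.1: return the rules the password fails (empty list = compliant).
    Administrator passwords need 10 characters, all others 8."""
    minimum = 10 if admin else 8
    failures = []
    if len(password) < minimum:
        failures.append("shorter than %d characters" % minimum)
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("not a mix of upper- and lower-case letters")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def password_expired(last_changed: date, today: date) -> bool:
    """Element 6.1.4: passwords are changed at least every sixty days."""
    return (today - last_changed).days > 60


def critical_patch_deadline(released: date) -> date:
    """Element 8.3: critical patches for active exploits are installed within
    five business days of release. Business days are Mon-Fri; state holidays
    are not modelled (assumption)."""
    remaining, day = 5, released
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return day


def stale_exceptions(exceptions, today: date) -> list:
    """Element 3.5: firewall exception-list ports with no activity for over a
    year must be closed. exceptions: iterable of (port, last_activity or None);
    a port that has never been seen active is reported as stale too."""
    return [port for port, last in exceptions
            if last is None or (today - last).days > 365]
```

Feeding the agency's password policy, patch tracker and firewall exception list through these functions gives a repeatable pre-audit check against elements 3, 6 and 8.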

Effective Date

Agencies must be fully compliant with this standard on or before June 22, 2011.


Enforcement

This standard will be enforced pursuant to Iowa Administrative Code 11—25.11(8A).


Variance

Iowa Administrative Code 11 - 25.11(2) provides for variances from security standards. Requests for a variance from any of the requirements of this policy will be submitted in writing to the Chief Information Security Officer prior to implementation.
