SunSpot Credit Union

Computer Incident Response Team—Access & Authorization Policy

1.0       Policy Statement

This policy applies to SunSpot Credit Union employees, temporary workers, contractors, and consultants who use or access SunSpot Credit Union information systems and computers.

2.0       Purpose/Objectives

Definitions for this policy are as follows:

• SunSpot Credit Union: (SCU).
• Incident Response Team: (IRT). Personnel designated to respond to security incidents.
• Incident Response Policy: (IRP). Establishes Incident Response (IR) procedures for dealing with incidents related to technology and information risk.
• Graham-Leach-Bliley Act: (GLBA).
• Chief Information Office: (CIO).
• Information Security Officer: (ISO).

This document establishes IRT membership, roles, responsibilities, and authority. IRT members and their authority are as follows:

• Information Security Officer (ISO): IRT team leader with authority over all SCU information systems in the event of a security incident. The ISO has the authority to perform any legal action necessary to protect SCU resources and private information, and customer personal and financial information.
• Senior System Administrator: overall responsible for monitoring internal systems and configurations. Designated by the ISO authority to change configurations and take actions as required to protect SCU information resources and customer private and financial information in the event of a security incident. Has the authority to represent and communicate with law enforcement.
• Network Administrator. Works closely with the Senior Systems Administrator. Granted the authority to take networks and systems offline if required to protect SCU information systems, and customer private and financial information.
• Human Resources Director: Granted the authority manage staff regulation and law related matters that may result from a security incident.
• Public Relations Director: Granted the authority to communicate with news and other public entities, stockholders, and other non-legal entities as dictated by the ISO.
• Law Firm: The authority to conduct legal matters related to security incidents per direction of the ISO. Has the authority to represent and communicate with law enforcement.

3.0       Scope

This policy applies to all SCU security domain areas to include computers and devices, SCU system users, security detection systems, firewalls, remote access VPN software and hardware, and applications, that are controlled and operated by SCU staff or its designated IT Infrastructure Implementation Agents, contractors, and vendors, throughout at all branches of SCU, SCU Enterprise Cloud, Web, and Data Center providers, and other offsite facilities.

4.0       Standards

Require compliance with section 501(b) of the Gramm-Leach-Bliley Act (GLB Act).4 and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).5 The Security Guidelines establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information. Specific standards are as follows:

• Develop and maintain an effective information security program.
• Ensure the security of customer information at all times.
• Procedures for notifying customers of confirmed or suspected private information exposure.

5.0       Procedures

Responsible IRT members must consider GLBA standards when responding to incidents. The ISO is responsible for overseeing the development, implementation, and maintenance of this policy. The CIO is responsible for enforcing this policy. The SCU incident response model is as follows:

1. Incident detection. The Senior System Administrator and Network Administrator are responsible for monitoring Intrusion Detection and Prevention Systems (IDS/IDPS), system logs, and maintain communications with the help desk in order to detect possible security incidents. If a possible incident is detected, they will notify the ISO who will determine if the IRT needs to be activated.
2. The ISO will direct team members to implement additional control configurations to stop an attack, secure systems, and begin collecting evidence. Per SCU IRP, the ISO will issue evidence bags, make available electronic collection media, and chain of custody forms. All evidence will be collected and chain of custody maintained per the SCU IRP standards. The ISO and CSU law firm will monitor evidence collection procedures.
3. After evidence collection is complete or to a point where normal operations will not interfere with collection, the ISO will direct team member to recover systems per SCU IRP, Business Continuity Plans (BIA)’s, and other applicable SCU technical and administrative publications and policies.
4. Conduct analysis and debrief. At the ISO direction, the IRT will meet to discuss, evaluate, and make recommendations to prevent future incidents.
5. The ISO will be responsible for constructing and disseminating an incident report based on the IRT analysis of the incident. The report is to be used by HR, the Public Relations Director, and retained law firm for communicating details of the incident and make decisions on possible disciplinary or legal action.
6. Process improvement. Policy updates and additional training as required are to be implemented per the SCU IRP and training policy.

6.0       Guidelines

In the course of business it is inevitable that situations will arise that policy does not specifically address. Guidelines for these issues are as follows:

• Unforeseen security events or conflicts in procedures are to be referred to the ISO for guidance. In the event that the ISO is unavailable, the Senior System Administrator or CIO, dependent on the most senior present, will fulfill the ISO duties.

7.0       Policy Enforcement and Violations

Violations of this policy will be addressed in accordance relevant SCU information security and human resource policies. The appropriate level of disciplinary action will be determined on an individual case basis by the appropriate executive or designee, with sanctions up to or including termination depending upon the severity of the offense. The ISO is responsible for official interpretation of this policy. Questions regarding the application of this policy should be directed to the SCU Information Technology department.

Disclaimer

The post Security Policy Example – IRT Access & Authorization Policy appeared first on .

SunSpot Health Care Provider

Remote Access Policy for Remote Workers & Medical Clinics

1.0       Policy Statement

• It is SunSpot Health Care Provider (SHCP) policy to protect Information Resources based on risk against accidental or unauthorized disclosure, modification, or destruction, and assure the Confidentiality, Integrity, and Availability (CIA) of clinic and patient data.
• Apply appropriate physical and technical safeguards in a manner intended to reduce obstacles to conducting clinic business.
• Comply with applicable state and federal laws, and other clinic governing policies.

2.0       Purpose/Objectives

This Policy serves as the foundation for the security of remote access to clinic information system resources, and provides the Information Security Officer the authority to implement policies, standards, procedures, and guidelines, deemed necessary to protect clinic and patient data. Definitions found in this policy are as follows:

• Information Security Office: (ISO)
• Health Insurance Portability and Accountability Act: (HIPAA)
• Virtual Private Network: (VPN). A technology that allows the creation of a secure connection to a private network, or between private networks, over public networks such as the Internet.
• Secure Socket Layer: (SSL). A standard security technology for establishing an encrypted link between a web server and a browser.
• Electronic Private Health Information (ePHI).

3.0       Scope

This policy applies to all SHCP Local Area Network (LAN) to Wide-area Network (WAN) devices and security detection systems, firewalls, remote access VPN software and hardware, and remote access users, that are controlled and operated by SHCP staff or its designated IT Infrastructure Implementation Agents, contractors, and vendors, throughout at all branches of SHCP, SHCP Enterprise Cloud, Web, and Data Center providers, and other offsite facilities.

4.0       Standards

SHCP security policies are guided by HIPAA which defines data protection controls necessary to comply with the HIPAA standards. These standards are mandatory requirements, and establish an effective baseline of appropriate system, administrative, and physical controls. All policies must be designed to ensure that SHCP conforms to the following HIPAA standards:

• Two-factor authentication, example; unique user name and password
• Proper remote user access privilege approval system.
• Time-outs on inactive portals or VPN sessions.
• Restrictions on downloading of ePHI to remote host devices.
• ePHI in transit or at rest must be encrypted on host and server systems.
• Ensure remote access users are trained on policies and remote access use.
• All computers that use or store ePHI must use anti-malware software.
• Use Intrusion Detection/Intrusion Detection Prevention (IDS/IDPS).
• Conduct regular system scans and audits.

5.0       Procedures

Responsible administrators and managers must consider HIPAA standards when performing maintenance and configuration of information systems. They must implement processes and control procedures that meet HIPAA standards to include effective oversight of activities and transactions. The ISO will establish the requirement for a remote access policy and is responsible for the design, implementation, and management of the clinics security program.

• Authentication and granting remote access privileges. Individual department heads are responsible for requesting remote access privileges for their employees to include specifying the desired level of access. The department head will initiate a remote access request form that must be approved by the ISO, and then routed to the system administrator. The system administrator will create a unique account requiring a complex password for each remote user. Accounts created will be logged and tracked.
• The system administrator will be responsible for configuring a twenty (20) minute inactivity time-out on all VPN connections.
• Downloading ePHI on unprotected non-clinic devices is prohibited. The system administrator will configure mechanisms that will prevent remote hosts from downloading information.
• Users transmitting data outside of SHCP systems are required to encrypt the data using SSL certificates and digital signatures. All physical storage media must be encrypted using proven industry standard algorithms. The ISO is responsible for approving all SSL certificates. The system administrator is responsible for the creation, configuration, and tracking of SSL certificates.
• The ISO is responsible for overseeing and monitoring security and remote access user training. Department heads are responsible for ensuring employee compliance.
• The system administrator will install, update, and monitor anti-malware software on all SHCP computers and servers. The ISO will regularly audit patch and update policy compliance, and review scan logs monthly.
• The system administrator will review IDS/IDPS scan logs daily. The ISO will audit system logs monthly.

6.0       Guidelines

In the course of business it is inevitable that situations will arise that policy does not specifically address. Guidelines for these issues are as follows:

• Unforeseen security events or conflicts in procedures are to be referred to the ISO for guidance. In the event that the ISO is unavailable, the system administrator fulfills ISO duties.

7.0       Policy Enforcement and Violations

Violations of this policy will be addressed in accordance relevant SHCP information security and human resource policies. The appropriate level of disciplinary action will be determined on an individual case basis by the appropriate executive or designee, with sanctions up to or including termination depending upon the severity of the offense. The ISO is responsible for official interpretation of this policy. Questions regarding the application of this policy should be directed to the SHCP Information Technology department.

Disclaimer

The post Security Policy Example – Remote Access appeared first on .

The SANS Reading Room article; Security Policy for the use of handheld devices in corporate environments, provides a security policy template for Governing the use of hand-held devices in a corporate environment. Standard template elements are as follows:

• Introduction
• Purpose
• Scope of application and obligation
• Roles and Responsibilities
• Target Readership
• How to use the policy template
• Definitions
• References

The actual security policy contains the following elements:

• General policy requirements which discuss a wide range of elements to include roles and responsibilities of users, inventory of mobile devices, authorized and forbidden services, and user awareness training.
• Physical security. This policy includes, physical security as it relates to theft or loss of a mobile device, device safety, password requirements, ownership, remote blocking and wiping, availability and business continuity, and camera use.
• Operating System (OS) security. Items covered include firmware and OS update and patching, hardening, signed and unsigned application use, firewalls and anti-virus, and defining a security model for the device itself.
• Personal Area Network (PAN) security. Items covered here include, the use of Bluetooth, PINS and pairing, Bluetooth device security, file transfer over PAN, audits, and unauthorized use.
• Data security. A few items covered here include, information classification, restrictions, data security as it relates handling information, and encryption.
• Corporate network access security. Some items listed are. Access control to the network, remote access to corporate resources, internal access to resources, and wireless support.
• Over-the-air provisioning security. This policy covers device management, provision security, and communications security
• Internet security. Includes acceptable use, general email security, and attachment restrictions,
• Forbidden services
• Unauthorized actions

Overall, the template generally falls in line with other commonly used policy frameworks. It covers all the general elements with the exception of legal or industry general requirements.

References

Guerin, N., & Wanner, R. (2008, May 29). Security Policy for the use of handheld devices in corporate environments. Retrieved September 19, 2017, from https://www.sans.org/reading-room/whitepapers/pda/security-policy-handheld-devices-corporate-environments-32823.

Johnson, R. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones & Bartlett Learning.

The post Security Policy Template for Hand-Held Devices appeared first on .

Typical business areas commonly involved with policy framework include; development, maintenance, and compliance. Some of the common roles associated with policy framework include; Chief Information Security Officer (CISO), Information Resources Manager, and Security Manager.

The SANS Reading Room publication; Information Security Policy – A Development Guide for Large and Small Companies, describes a guideline rather than specific roles.  The guideline describes a two-part structure consisting of primary involvement members, and secondary involvement members.

Primary Involvement:

• Information Security Team. The team or parts of the team should be assigned overall responsibility for developing framework, and policies. Overall control is normally given to a designated member with others in supporting roles as needed. The primary team guides policy framework and policy from development through to revision as the cycle dictates.
• Technical Writers(s). Many companies have technical writers on staff. Even though they probably will not take an active role in development, they can be an invaluable resource when it comes to planning and structure of the project.

Secondary Involvement:

• Technical Staff: In addition to security staff, it is probable that expertise from other areas will be needed. Staff from these areas will have in-depth knowledge of day-to-day operations, and knowledgeable of technical issues in their areas.
• Legal Counsel should review policy documents when complete. They can also provide guidance on industry regulations such as the Health Information Portability and Accountability Act (HIPAA), and Sarbanes Oxley (SOX).
• Human Resources (HR) should also review all policies to ensure they comply with company HR policies.
• Audit and Compliance. Departments responsible for internal audits will likely be involved in monitoring policies. They should be involved in the development of frameworks and policies to ensure that they are enforceable.
• User Groups. During revision stages users can provide a good indication on how successful a policy has been, and what parts might need revision. They often notice where improvements can be made in style, layout, and wording.

References

Diver, S. (06, July 12). Information Security Policy – A Development Guide for Large and Small Companies. Retrieved September 7, 2017, from https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331.

The post IT & Security Framework and Policy Development Team appeared first on .

The SANS Reading Room article, SANS Survey on Mobility/BYOD Security Policies and Practices found that 61% of organizations allowed personal devices to connect to protected company systems, but only 9% of organizations were truly aware of the particular devices that were connecting to protected systems, and what resources they were accessing. Of all the organizations polled, 60% responded that they have a risk program in place, but 50% of those did not have BYOD Acceptable Use Policies in place even though 95% of those surveyed stated they understood the importance of having a robust policy in place.

The SANS survey specifically mentioned that respondents listed that the most critical practices to implement included; data protection and encryption, secure access to corporate resources, knowing what sensitive data that personal devices can access, and requiring end point protection such as anti-malware, mandatory updates and patches, data loss prevention, and secure web browsing. Other practices not commonly mentioned in the survey included mandatory user education, application white and black listing, and secure distribution of applications, example; corporate app store, keeping an inventory of installed apps, and mandatory “sandboxing”.

In addition to standard end-point controls, organizations should also practice secure network control, example; Virtual Private Networks (VPN), authentication to access data, and encrypting data in motion and at rest.

In conclusion, research shows that most organizations currently rely on traditional tried and true security controls when dealing with BYOD connections to protected systems. What was of note is that control over access can often be inconsistent and decentralized. Often the fall back or backup control was policies that did not specifically address BYOD. Often organizations do not have an organized and centralized way to secure BYOD access. Fortunately, many organizations are starting to respond to BYOD security concerns by implementing stronger policies and mobile-focused controls.

References

Johnson, K., DeLaGrange, T., & Filkins, B. (2012, October). SANS Survey on Mobility/BYOD Security Policies and Practices. Retrieved September 3, 2017, from https://www.sans.org/webcasts/survey-results-byod-security-policies-practices-95940/.

Johnson, R. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones & Bartlett Learning.

The post Bring Your Own Device (BYOD) Policies and Practices appeared first on .

• Clearly define ownership of a system
• Define exact components of a system
• Make clear that these components are for business use only
• Use specific cases and situational analysis of “what if” scenarios illustrating how the policy works
• Clearly describe what non-acceptable use is for example; prohibiting harassment, illegal activity, pornography, and offensive comments or behavior
• Specify repercussions for non-compliance

Why is an AUP important?

According to a survey by International Data Corp (IDC), 30 to 40% of Internet access is spent on non-work related browsing, and 60% of all online purchases are made during working hours. Other findings include the following::

• 70% of all web traffic to Internet pornography sites occurs during the work hours of 9am-5pm.
• 58% of industrial espionage is perpetrated by current or former employees.
• 80% of computer crime is committed by “insiders”. They manage to steal $100 million by some estimates;
  $1 billion by others.
• 48% of large companies blame their worst security breaches on employees.
• 64% of employees say they use the Internet for personal interest during working hours.
• 70% of all Internet porn traffic occurs during the nine-to-five work day.
• 37% of workers say they surf the web constantly at work.
• 90% of employees feel the Internet can be addictive, and 41 percent admit to personal surfing at work for
  more than three hours per week.
• 25% of corporate Internet traffic is considered to be “unrelated to work”.
• 30-40% of lost productivity is accounted for by cyber-slacking.
• 32.6% of workers surf the net with no specific objective; men are twice as likely as women.
• 27% of Fortune 500 organizations have defended themselves against claims of sexual harassment stemming from inappropriate email.
• 90% of respondents (primarily large corporations and government agencies) detected computer security breaches within the previous 12 months, 80% acknowledged financial losses due to computer breaches,
• 44% were willing and/or able to quantify their losses, at more than $455 million.

References

GFI White Paper – The importance of an Acceptable Use Policy

Click to access acceptable_use_policy.pdf

Kostadinov, D. (2014, September 23). The Essentials of an Acceptable Use Policy. Retrieved August 29, 2017, from http://resources.infosecinstitute.com/essentials-acceptable-use-policy/#gref.

The post Information System Acceptable Use Policy (AUP) appeared first on .

In flat organizations, there are less layers between management and employees so decisions and problem solving generally happens faster and at a lower level. Smaller organizations tend to be flat and often exhibit looser or more relaxed relationships between managers and employees since they overall work more closely together making decisions and running their area of the organization. This often results in a decentralized management structure where employees might have more leeway in their behavior and the application of policies might be more relaxed. Application of policies is more direct with the decision on how policies are applied and enforced is done on a lower level.

With flat organizations, managers are much closer to lower levels which tends to give them an increased span of responsibility, and oversight of a wider area of the organization. With this wide span of responsibility, it becomes difficult to escalate every issue to higher management for resolution, which forces managers to make quicker, and sometimes inconsistent decisions.  This inconsistency can be a problem with information security, for example, conflicting statements and enforcement between front-line and high level managers. This is why clearly defining security policies in a flat organization is of paramount importance

Hierarchical structures are usually a necessity in large organizations. Senior leadership is more detached from lower level employees by several layers of management which results in a different dynamic than is found in flat organizations. The application of policies is more abstract with lower level employees seeing policy decisions as coming from on high. Application and enforcement of policies is more formalized throughout the structure with policies being constructed by high level managers, and enforced throughout lower levels. This often results in employees following policies more out obligation and with a sometime sense of apathy, rather than a sense of belonging found in smaller work units

Hierarchal organizations have the challenge of enforcing policies consistently because of the disconnect between lower and higher levels of the organization which can result in a reduced sense of accountability. High level managers responsible for constructing policies must take a proactive approach and lead by example to emphasize the importance of following policies. Additionally, there is a greater number of touch points and personalities that must be engaged when implementing policy. As the number of touch points increases, the more complex the relationship matrix becomes.

Other considerations include employee apathy which often manifests through an attitude of just going through the motions, or by just doing the minimum to get by. Well-defined security policies recognize that there will always be a certain level of apathy and non-compliance towards policies, and seeks strategies to reduce apathy and compliance issues. The following are strategies to overcome apathy towards security policies:

• Engaged communication. Leaders should make a conscious effort to listen and understand reason for worker apathy. Policy should be adjusted as a way to demonstrate that workers concerns are important.
• Ongoing awareness. The message of value and importance of information security should be continually reinforced. Awareness can be an effective measure against apathy.
• Set expectations. Monitor compliance and enforce accountability.
• Create layers of redundancy. Avoid reliance on single points of failure such as one person or one technology.
• Reward compliance. Recognize individuals and groups who model desired behavior. Something as simple as public recognition from an executive can be effective.

Coy, C. (2013, March 17). Office Hierarchies – Which One Is Best for Your Business? Retrieved September 4, 2017, from https://www.cornerstoneondemand.com/rework/office-hierarchies.

Elmy-liddiard, M. (2002). SANS Institute InfoSec Reading Room. Building and Implementing an Information Security Policy. https://www.sans.org/reading-room/whitepapers/policyissues/building-implementing-information-security-policy-509.

The post Implementing Security Policies in Flat and Hierarchical Management Structures appeared first on .