Handbook for Trustworthy Information Systems: Section 9
Criteria Group 2: Security measures
Questions to Ask
- Who can invoke change mechanisms for object, process, and user security levels?
- Who (creator, current owner, system administrator, etc.) can grant access permissions to a record after the record is created?
- Is there a help desk or group that offers advice and can respond to security incidents in a timely manner?
- Is system performance monitoring used to analyze system performance logs in real time to look for availability problems, including active attacks, and system and network slowdowns and crashes?
- Is there a list of all internal and external user groups and the types of data created and/or accessed?
- Have all positions been reviewed with respect to appropriate security levels?
- What are the procedures for the destruction of controlled-access hard copies?
- How is information purged from the system?
- How is reuse of hardware, software, and storage media prevented?
Criteria Group 2: System administrators should establish, document, and implement security measures.
2A. User Identification / Authorization
1. User identification and access procedures should be established and documented. Users should be authenticated prior to being granted access.
Did You Know:
- “Agencies shall limit access to computerized information resources and computer systems to authorized users.”
- "Agencies shall identify and control each point of access to computerized information or computer systems by an appropriate security method.”
- “Agencies shall establish and use appropriate authentication methods to ensure each user is identified prior to granting access to computerized information resources.”
(Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography
2. Each user should be assigned a unique identifier and password. Identifiers and passwords should not be used more than once within a system. Use of access scripts with embedded passwords should be limited and controlled.
Did You Know:
- “Authorized users of computerized information resources shall not disclose their means of authentication.” (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography
- Upon successful log-in, users should be notified of the date and time of their last successful log-in, the location of that log-in, and each unsuccessful log-in attempt made on their user identifier since that last successful entry.
Where identification codes in human-readable form are considered too great a security liability, other forms, such as encoded security cards or biometric devices, should be employed.
3. Password rules should include standard practices such as minimum password length, expiration dates, and a limited number of log-on attempts. System administrators should determine what level and frequency of log-on errors constitutes a misuse problem and, in turn, triggers notification of security personnel.
4. Users should be restricted to only the level of access necessary to perform their job duties.
5. Permission to alter disposition/retention codes, and/or to create, modify, and delete records should be granted only to authorized users with proper clearance. Modification of record identifiers is not allowed.
6. Access to private keys for digital signatures should be limited to authorized individuals.
Did You Know:
- “Each agency that chooses to use digital signature technology must establish a digital signature implementation and use policy.”
- “An individual must protect and not disclose or make available his or her digital signature private key or password to other persons, including fellow state employees, managers, and supervisors.”
- “When conducting State business, an employee must only use a digital signature key pair and certificate purchased with state funds. Employees must not use a State digital signature key pair for personal business.”
- “The agency must revoke the ex officio digital signature key pair whenever there is a change in the person occupying the office.”
(Minnesota Department of Administration, Office of Technology, Minnesota State Agency Digital Signature Implementation and Use Standard. IRM Standard 18, Version 1. 19 November 1999.) Refer to Bibliography
7. Lists of all current and past authorized users along with their privileges and responsibilities should be maintained. The current list should be reviewed on a regular schedule to ensure the timely removal of authorizations for former employees, and the adjustment of clearances for workers with new job duties.
8. Personnel duties and access restrictions should be arranged such that no individual with an interest in record content will be responsible for administering system security, quality controls, audits, or integrity-testing functions. No individual should have the ability to single-handedly compromise the system’s security and operations.
2B. Internal System Security
1. Access to system documentation should be controlled and monitored.
2. Access to output and storage devices should be controlled and monitored.
3. Controls should be in place to ensure proper security levels of data when archiving, purging, or moving from system to system. Controls should be in place for the transportation or mailing of media or printed output.
4. Procedures should be implemented to ensure the complete sanitization and secure disposal of hardware, software, and storage media when outdated or supplanted by newer versions, units, etc. Documentation should include date, equipment identifiers, methods, and personnel names.
5. Mechanisms for detecting security failures and intrusions should monitor the system continuously. Failsafes, and processes that limit the effect of a failure of the primary security measures, should be in place at all times.
6. Security procedures and rules should be reviewed on a routine basis to maintain currency.
7. Measures should be in place to guard the system’s physical security. Items to consider include:
a. access to rooms with terminals, servers, wiring, backup media
b. data interception
c. mobile/portable units such as laptops
d. structural integrity of building
e. fire safety
f. supporting services such as electricity, heat, air conditioning, water, sewage, etc.
8. Security administration personnel should undergo training to ensure full understanding of the security system’s operation.
2C. External System Security
1. In cases of remote access to the system, especially through public telephone lines, additional security measures should be employed. Possible measures include input device checks, caller identification (caller ID) checks, call-backs, and security cards. Caller identification on its own is a weak control, since the presented number can be spoofed; a call-back to a number on record does not depend on what the caller presents.
2. For records originating outside the system, the system should be capable of verifying their origin and integrity. At a minimum, the system should:
a. verify the identity of the sender or source
b. verify the integrity of, or detect errors in, the transmission or informational content of the record
c. detect changes in the record since the time of its creation or the application of a digital signature
d. detect any viruses or worms present
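The first three checks in 2C.2 (identity of the source, integrity of the transmitted content, and changes since the digital signature was applied) are distinct checks that a receiving system has to perform in a particular order. The Go program below is an added illustration, not code from the handbook or from any state system; it assumes a simple envelope format in which the sender computes a SHA-256 digest of the record and signs the sender identifier together with that digest with an Ed25519 key, and a receiver-side directory that maps trusted sender identifiers to public keys. Sender names and record contents are constructed. Virus detection (2C.2d) is a separate scanning step and is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is an assumed wire format for a record arriving from outside the system.
// The signature covers the sender identifier and the digest, so it is bound to the
// content only through the digest.
type Envelope struct {
	Sender    string // identifier of the originating agency or person (2C.2a)
	Content   []byte // the record itself
	Digest    string // hex SHA-256 of Content, computed by the sender (2C.2b)
	Signature []byte // Ed25519 signature over Sender and Digest (2C.2c)
}

// Directory maps the sender identifiers this system trusts to their public keys.
// A real deployment would populate it from the agency's certificate infrastructure.
type Directory map[string]ed25519.PublicKey

var (
	ErrUnknownSender = errors.New("sender identity not in directory")
	ErrCorrupted     = errors.New("digest mismatch: content damaged or altered in transit")
	ErrTampered      = errors.New("signature invalid: record changed since signing, or not signed by the claimed sender")
)

func signedBytes(sender, digest string) []byte {
	return []byte(sender + "\n" + digest)
}

func contentDigest(content []byte) string {
	d := sha256.Sum256(content)
	return hex.EncodeToString(d[:])
}

// Seal is the sender's side: digest the content and sign (sender, digest).
func Seal(sender string, priv ed25519.PrivateKey, content []byte) Envelope {
	digest := contentDigest(content)
	return Envelope{
		Sender:    sender,
		Content:   content,
		Digest:    digest,
		Signature: ed25519.Sign(priv, signedBytes(sender, digest)),
	}
}

// Verify is the receiving system's side, in the order of the handbook's minimum checks:
// identity of the sender, integrity of the content, then changes since signing.
func Verify(dir Directory, env Envelope) error {
	pub, known := dir[env.Sender]
	if !known {
		return ErrUnknownSender
	}
	// The signature covers the digest, not the content, so this comparison is what binds
	// the content to the signature. Skipping it would let altered content through.
	if contentDigest(env.Content) != env.Digest {
		return ErrCorrupted
	}
	if !ed25519.Verify(pub, signedBytes(env.Sender, env.Digest), env.Signature) {
		return ErrTampered
	}
	return nil
}

// Scenarios runs four constructed cases and returns their outcomes in order: genuine record,
// content damaged in transit, content altered with the digest recomputed, record from a
// sender not in the directory.
func Scenarios() []error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := Directory{"dvs-renewals": pub}                // constructed sender identifier
	content := []byte("record=12345;type=renewal;fee=35.00") // constructed record

	good := Seal("dvs-renewals", priv, content)

	damaged := good
	damaged.Content = append([]byte(nil), good.Content...)
	damaged.Content[0] ^= 0x01 // a single flipped bit, as from a transmission error

	altered := good
	altered.Content = []byte("record=12345;type=renewal;fee=0.00")
	altered.Digest = contentDigest(altered.Content) // attacker fixes the digest but cannot re-sign

	stranger := Seal("unlisted-sender", priv, content) // validly signed, but the identity is unknown here

	return []error{Verify(dir, good), Verify(dir, damaged), Verify(dir, altered), Verify(dir, stranger)}
}

func main() {
	for i, err := range Scenarios() {
		fmt.Printf("scenario %d: %v\n", i, err)
	}
}
```

Because the sender identifier is part of the signed bytes, relabelling a genuine envelope with a different trusted sender's name fails the signature check rather than the directory lookup. The order of checks also matters for what the receiver learns: a digest mismatch with a valid signature over the original digest points at transmission damage, while a recomputed digest with a stale signature points at deliberate alteration after signing.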
Did You Know:
- “Organizations conducting business over the Internet need robust security controls to ensure data integrity, data confidentiality, and system availability. Data integrity controls help protect the accuracy and completeness of data, both in storage and while in transit. Confidentiality controls help ensure that sensitive data, such as credit card numbers, cannot be seen by unauthorized individuals. Finally, system availability controls help minimize the amount of time when citizens cannot use the system to conduct business.” (Office of the Legislative Auditor, Financial-Related Audit: Department of Public Safety, Web-Based Motor Vehicle Registration Renewal System as of April 2001. August 2001, Report No. 01-43.)
- “It is a sad reality that unscrupulous individuals discover new security exploits daily and use that knowledge to penetrate organizations with many layers of preventative defenses. This inherent security administration problem is why every organization must vigilantly monitor its systems for signs of attack. Since time is of the essence when under attack, every organization must also have decisive incident response procedures. Those that do not may fail to discover that they are completely unsecured until extensive damage has been done.” (Office of the Legislative Auditor, Financial-Related Audit: Department of Public Safety, Web-Based Motor Vehicle Registration Renewal System as of April 2001. August 2001, Report No. 01-43.)
- “Agencies shall take appropriate preventative actions to protect their computer information from corruption by viruses.” (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography
- “Agencies shall monitor and evaluate, on an ongoing basis, the effectiveness of security tools and virus protection being used within their agency. Security tools and virus protection systems which are not found to be effective shall be updated in a timely manner.” (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography
TIS Handbook last updated July 2002, Version 4.