Maryland Cybersecurity Program Policy
Source: doit.maryland.gov/Lists/DoIT Policies/Attachments/32/cybersecurity...
Last Updated: 01/31/2017

Contents

1.0 Introduction
2.0 Document and Review History
3.0 Applicability and Audience
4.0 Policy
  4.1 DoIT Cybersecurity Program
  4.2 Cybersecurity Roles and Responsibilities
  4.3 Cybersecurity Requirements and Policy
  4.4 Cybersecurity Program Plan
  4.5 Workforce
  4.6 Key Performance Indicators
  4.7 Security Program Budget
5.0 Exemptions
6.0 Policy Mandate and References
7.0 Definitions
8.0 Enforcement
Appendix A: Policy List
Appendix B: Policy Map
State of Maryland Cybersecurity Program and Policies Signature Page


1.0 Introduction

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of Information Technology (IT) networks, systems, and applications for the Executive Branch of Maryland State Government. This document establishes the DoIT Cybersecurity Program by implementing information security policy initiatives across all IT Systems supported by, or under the policy authority of, DoIT, as directed within the scope of its authority under the 2013 Maryland Code §§ 3A-303 and 3A-305. Pursuant to that authority, DoIT will ensure the information security of State IT resources by enacting this policy, which serves as the foundation for the program by establishing the minimum requirements to be observed by all reporting agencies.

See the State of Maryland Cybersecurity Program and Policies Signature Page, located on the last page of this document, for the official signature page authorizing the adoption and implementation of the Cybersecurity Program and supporting policies by the Maryland Secretary of Information Technology.

2.0 Document and Review History

This policy and its supporting policies supersede the State of Maryland Information Security Policy (version 3.1, Feb 2013). This document will be reviewed annually and is subject to revision.

Date        Version  Policy Updates       Approved By
01/31/2017  v1.0     Initial Publication  Maryland CISO

3.0 Applicability and Audience

This policy and all supporting policies are enacted and enforced by the Secretary of Information Technology or any individuals delegated to act on the Secretary's behalf. This policy applies to all agencies (defined in MD Human Svs Code § 7-101(g) (2015) as "Units of State Government") in the Executive Branch of the Maryland State Government, employees of such agencies, contractors and vendors supporting such agencies, and any entities or individuals using resources belonging to such agencies. This policy also applies to all networks, systems and applications (IT Systems) owned and/or operated by such agencies.

Non-Executive Branch agencies may use the Cybersecurity Program Policy and supporting policies as information security best practices and adopt them as needed.

4.0 Policy

The following sub-sections establish the overall policy requirements covered by the Cybersecurity Program. This policy sets the standard for supporting policy implementations encompassing more specific areas of interest approved by the Secretary of Information Technology.


4.1 DoIT Cybersecurity Program

The Department of Information Technology is authorized to establish the Cybersecurity Program for Executive Branch agencies. This policy protects the confidentiality, integrity, and availability of State government resources and will adhere to the standards established by the National Institute of Standards and Technology (NIST), as documented in the Special Publication (SP) 800 series and the Federal Information Processing Standards (FIPS). When applicable, other laws, regulations, directives, executive orders, internationally recognized standard methodologies and best practices may augment this guidance within the Cybersecurity Program, such as those dictated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

All agencies under the purview of DoIT will comply with the Cybersecurity Program Policy as directed by the Secretary of Information Technology. Any failure of an agency or entity to comply with the policy and supporting cybersecurity policies will be treated as a security violation and subject to the consequences dictated by this program and indicated under the relevant policy area of interest.

4.2 Cybersecurity Roles and Responsibilities

The State of Maryland, through the authority of the Secretary of Information Technology, will establish the Director of Cybersecurity position within DoIT. This position will include the following requirements:

A. Primary Responsibility: Is responsible for coordinating, developing, implementing and maintaining the Cybersecurity Program and policies for DoIT and all Executive State Agencies within the scope of DoIT's authority.

B. Advisory Role: Will serve as the Chief Information Security Officer (CISO) for the State and primary cybersecurity advisor to the Secretary of Information Technology.

C. Hiring Responsibility: The Secretary of Information Technology will be responsible for hiring a qualified individual to fill this position.

D. Alternate / Backup: If this position is not staffed by a full-time employee, then the Secretary of Information Technology must either directly fulfill the responsibilities of the position, or appoint an interim Director of Cybersecurity until a new individual is hired.

4.3 Cybersecurity Requirements and Policy

The Director of Cybersecurity will establish cybersecurity requirements for DoIT and Maryland Executive Agencies, and will promulgate those requirements into formal Cybersecurity Policies. These policies will meet the following requirements:

A. Standards-based: Policies will be based upon reference material made available by the National Institute of Standards and Technology, specifically:
   - Federal Information Processing Standards (FIPS)
   - NIST Special Publications (SP)
   In addition, these policies:
   - Will effectively mandate a set of controls that represent a "tailored baseline" per the guidelines in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
   - Will address all control families within SP 800-53

B. Final Executive Approval: Policies will be approved and signed by the Secretary of Information Technology and the Director of Cybersecurity.

C. Update Cadence: Policies will be formally reviewed and updated:
   - Annually
   - Upon any major change or realignment in the organization of State IT programs
   - As required by authoritative audit findings

D. Policy List: Established supporting policies will include all policies from the list in Appendix A.

E. Availability: Policies will be:
   - Made readily available to all constituent agencies, including IT staff and all employees
   - Available for download as a single document or, where feasible, in discrete sub-sections that address specific topics

4.4 Cybersecurity Program Plan

DoIT shall develop and maintain a Cybersecurity Program Plan. This document will meet the following requirements:

A. Establish Cybersecurity Program: This plan will be the authoritative plan of the Cybersecurity Program within the Department of Information Technology.

B. Strategy: This plan will formally document the cybersecurity strategy for DoIT and constituent agencies.

C. Program Responsibilities: This plan will identify the major responsibilities of the Cybersecurity Program.

D. Organizational Structure: The plan will identify the organizational structure of the Cybersecurity Program, to include:
   - Sub-programs and areas of responsibility for each sub-program
   - Staff member titles, roles and responsibilities, and org chart
   - Explicit identification of the approval chain/authorities for major decisions
   - Identification of positions outside of the Cybersecurity Program that perform key security functions, and identification of their roles and responsibilities
   - A current list of all Cybersecurity Program staff members, including their names and job titles

E. DoIT Partner Organizations: The plan will include identification of the other DoIT organizations/programs that work and/or share responsibility with the Cybersecurity Program, and will:
   - Identify the nature of those relationships
   - Identify points of contact by title and name
   - Establish delineations of authority and roles and responsibilities where responsibility for a function is shared

F. Constituent Agencies: The plan will include a current list of all constituent agencies and organizations, including:
   - A current list of security services being provided to each agency or organization
   - Identification of IT and IT Security staff members within those agencies, and their roles and responsibilities with respect to cybersecurity
   - Identification of physical and personnel security staff members within those agencies, and a delineation of roles and responsibilities

G. Executive Approval: The plan will be approved and signed by the Secretary of Information Technology and the Director of Cybersecurity.

H. Update Cadence: The plan will be formally reviewed and updated:
   - Annually;
   - Upon any major change or realignment in the organization of State IT programs; or
   - Within 6 months of the hiring of a new Secretary of IT or Director of Cybersecurity/CISO.

I. Plan of Action and Milestones (POA&M): This plan will include a process for ensuring that plans of action and milestones for the security program and associated information systems are developed and maintained.

J. Risk Management Approach: This plan will embody a Risk Management approach to cybersecurity, to include:
   - Formal measurement of risk
   - Explicit usage of risk measurements within security decision-making processes
   - An authorization process that uses risk assessments to determine whether or not an information system may be allowed to operate within DoIT-managed environments

4.5 Workforce

The State and DoIT will provide for hiring and/or contracting of a cybersecurity workforce within the Cybersecurity Program as necessary to execute all policy requirements, and will establish a development and improvement program for that workforce:

A. Workforce Size and Quality: The workforce will be of a sufficient size and quality to execute policy requirements in accordance with the Cybersecurity Program Plan. If sufficient funding is unavailable, a formal report shall be provided to the Secretary of IT outlining the resulting security shortfalls and the interim mitigation efforts by the agency.

B. Development & Improvement: Mechanisms will be put in place to ensure that cybersecurity staff are able to develop and improve skillsets in order to keep up with changes in the field.


4.6 Key Performance Indicators

The Cybersecurity Program will establish Key Performance Indicators (KPIs) as a means to measure the effectiveness of the program:

A. Overall: KPIs will be developed to measure the overall success of the Cybersecurity Program.

B. Per Sub-Program*: KPIs will be developed to measure each sub-program or major subdivision of the Cybersecurity Program. Sub-programs will begin measuring KPIs within six months of inception or enrollment to the sub-program.

C. Per Project: Security team projects will report standard project management KPIs during the run of each project. This reporting will begin within one month of the launch of a new project.

D. Operational KPIs*: KPIs will be developed that measure operational factors.

E. Monitoring of KPIs: KPIs will be monitored and measured on a monthly basis.

F. Reporting Cadence: KPIs will be reported to the Director of Cybersecurity on a monthly basis.

* Insofar as security operations is a sub-division of the overall Cybersecurity Program, KPIs developed to satisfy requirement 4.6(B) may also satisfy requirement 4.6(D).

4.7 Security Program Budget

The Department of Information Technology will explicitly establish a Cybersecurity Program Budget, and will include and address cybersecurity concerns during its normal budgeting processes. This will include the following requirements:

A. Cybersecurity Program Budget: DoIT will establish a budget for the Cybersecurity Program.

B. Responsibility for Security Program Budget Requests: The Director of Cybersecurity will be responsible for establishing and communicating formal budget requests to DoIT for the Cybersecurity Program, on an annual basis, or ad hoc as needed based upon newly identified concerns.

C. Mapping of Budget Requests to Risk: Beginning with FY2018, the Cybersecurity Program will identify the specific risks that are intended to be remediated by each major cybersecurity budget line item or line item group.

D. Annual Consideration: DoIT will formally consider budget requests from the Director of Cybersecurity during its annual budget allocation process.

E. Acute Consideration: DoIT will formally consider budget requests from the Director of Cybersecurity that emerge from:
   - Audit findings that indicate required controls and associated expenditures beyond the baseline budget for the given fiscal year; or
   - Lessons learned from a cybersecurity incident.


5.0 Exemptions

The Cybersecurity Program Policy establishes the Cybersecurity Program within DoIT; there are no exemptions to this policy.

6.0 Policy Mandate and References

The Department of Information Technology (DoIT) has the authority to set policy and provide guidance and oversight for the security of all IT systems within Executive Branch agencies in accordance with Maryland Code §3A-303 and §3A-305.

7.0 Definitions

Cybersecurity: The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. (Ref: https://niccs.us-cert.gov/glossary)

Due Care: Using reasonable care to protect the interests of an organization. Developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures that are implemented through an organization's infrastructure.

Due Diligence: Practicing the activities that maintain the due care effort. The continued investigation and application of security into the existing infrastructure of an organization.

IT Systems: Collection of Maryland State Information Technology (IT) networks, systems, and applications used as IT resources for the Executive Branch of the State of Maryland.

Unit of State Government: A department, agency, office, commission, council, or other unit in the Executive Branch of the State government (MD Human Svs Code § 7-101(g) (2015)).

8.0 Enforcement

The Maryland Department of Information Technology is responsible for enforcing policies for Enterprise onboarded agencies. The DoIT Cybersecurity Program identifies the minimum requirements necessary to comply with the information security standards and guidelines provided within the Cybersecurity Program Policy and its supporting policies. Agencies not directly managed by DoIT must exercise due diligence and due care to comply with the minimum standards identified by the relevant DoIT policies.

If DoIT determines that an agency is not compliant with this policy or any supporting policy, the non-compliant agency will be given sixty (60) days' notice to become compliant, or at least to provide DoIT a detailed plan to meet compliance within a reasonable time, before the issue is reported to the Secretary of Information Technology. The Secretary of Information Technology, or a designated authority, may then extend the non-compliant agency's window of resolution, or authorize a DoIT representative to limit or restrict the agency's access to external and internal communications (effectively shutting down connectivity) until such time as the agency becomes compliant.

Any attempt by personnel to circumvent or otherwise bypass this policy or any supporting policy will be treated as a security violation and subject to investigation. The results of the investigation may entail written reprimand, suspension, termination, and possibly criminal and/or civil penalties.


Appendix A: Policy List

The following policies and policy groups will be established. Entries whose description begins "Policy group" or "Policy sub-group" represent policy groupings, not individual policies.

Note: For a graphical Policy Map, see Appendix B.

1 Cybersecurity Program Policy: This policy will define the requirements for the Cybersecurity Program for DoIT and all agencies for which it provides IT services.

2 General Policies: Policy group that includes individual policies not included with other groupings.

2.1 Acceptable Use Policy: This policy will define the requirements for acceptable use of computer systems as well as a description of different types of accounts and their associated responsibilities, including an acceptable use form that users must sign annually.

2.2 Configuration Management: This policy will define the requirements for baseline security configuration of endpoints, devices and common applications, as well as the management and application of those configurations, and change control for all configurations. It will also define security requirements for the lifecycle associated with the development and acquisition of new IT systems, products or capabilities.
   Topics Covered: Systems Development Lifecycle.

2.3 Physical and Environmental Protection: This policy will define the requirements for physical and environmental security.

3 Assessment and Authorization: Policy group that provides for the application of security assessments, and subsequent authority to operate (or withholding of authority).

3.1 Security Assessment: This policy will define:
   - the requirements for the assessment of risk within the Enterprise. It will mandate periodic, organization-wide assessments to determine overall risk, including identification of threats, vulnerabilities, likelihood of occurrence, potential impact, etc.;
   - the requirements for the safe and proper conduct of vulnerability assessments and penetration tests; and
   - the requirements for the assessment of security with vendors that provide IT-related services or products, prior to those services or products being used by DoIT and Enterprise agencies, or in order to continue operation.
   Topics Covered: Risk Assessment, Vulnerability Assessment, Penetration Testing, and Vendor Assessment.

3.2 Third Party Interconnection: This policy will define the requirements for the assessment of third parties (non-vendors) prior to interconnection with the State, or in order to continue interconnection.

3.3 Authority to Operate: This policy will define the requirements for the assessment of specific systems/environments to establish authority to operate (or requirements for an ATO).

4 Proactive Security: Policy group that provides for the application of proactive security controls.

4.1 Endpoint and Application Security: Policy sub-group, included within the Proactive Security group, which provides for the application of security controls for endpoints and applications.

4.1.1 Endpoint Protection: This policy will define the requirements for additional security mechanisms for endpoints, including integrity monitoring, host-based intrusion detection, malware protection and other related instrumentation.

4.1.2 E-mail Security: This policy will define the requirements for security of e-mail systems at both the endpoint and the server.

4.1.3 Patch Management: This policy will define the requirements for management and remediation of flaws and vulnerabilities.

4.1.4 Cloud Services Security: This policy will define the requirements for the secure configuration of hosted applications, including the hosting application (such as Web and application servers) and the applications themselves.

4.1.5 Data Security (File & Database): This policy will define the requirements for the security of files and databases.

4.2 Network Access and Security: Policy sub-group, included within the Proactive Security group, which provides for the application of security controls for network access, borders and general architecture.

4.2.1 Network Documentation and Access: This policy will define the requirements for secure design of enterprise network and application architectures, including required network documentation and requirements for network access.

4.2.2 Boundary Protection and Internet Access: This policy will define the requirements for application of security controls at both internal network borders and borders between State networks and the Internet.

4.2.3 Wireless Security: This policy will define the security requirements for wireless networks within the State, and access to those networks.

4.2.4 Remote Access: This policy will define the security requirements for remote access into State networks from third party networks or the Internet.

4.2.5 Mobile Devices Security: This policy will define the security requirements for the usage of mobile devices on State networks.

4.3 Account Security and Access: Policy sub-group, included within the Proactive Security group, which provides for the application of security controls for the management of user and machine accounts, including identification, authentication and subsequent granting of access for those accounts, as well as the security of directory services in which those accounts are managed.

4.3.1 Account Management: This policy will define the requirements for the establishment and management of accounts and authentication to those accounts, and will define the requirements for training and security awareness throughout the State.
   Note: Some additional, topic-specific training requirements may exist in other policies as well.
   Topics Covered: Training.

4.3.2 Official Use of Social Media: This policy will define the requirements for the official use of social media by State personnel authorized to post communications on behalf of an Agency.

4.4 Other: Policy sub-group, included within the Proactive Security group, which provides for the application of security controls for areas outside of endpoint, application, network or accounts.

4.4.1 Virtualization: This policy will define the requirements for the secure application of virtualization within the organization.

4.4.2 Media Protection: This policy will define the requirements for secure configuration and management of storage media.

4.4.3 Asset Inventory: This policy will define the security requirements for the maintenance of asset inventories, and the contents of those inventories.

5 Monitoring and Response: Policy group that defines how the organization will monitor for security events, respond to security incidents and recover from disruptions.

5.1 Continuous Monitoring: This policy will define the requirements for:
   - Continuous monitoring of security-related logs and alerts, as well as requirements for the triage processes for potential security events;
   - Assessing and documenting the threat environment; and
   - Auditing of events considered potentially pertinent to cybersecurity, as well as log and alert contents, retention periods, etc.
   Topics Covered: Security Event Auditing and Logging, and Threat Intelligence.

5.2 Cybersecurity Incident Response: This policy will define the requirements for the response to security incidents, and support for internal investigations.

5.3 Contingency Planning: This policy will define the security requirements for the response to and recovery from IT disruptions.

6 Compliance Policies: Policy group that defines how the organization will comply with various laws and regulations that mandate protections for specific data types and processes.

6.1 Public and Confidential Information: This policy will define the requirements for use, distribution, storage, and disposal of public and confidential information within the State.

6.2 HIPAA Security Rule: This policy will define the requirements for the security of health-related information.

6.3 PCI DSS Compliance: This policy will define the requirements for the security of payment card information.

6.4 Auditing and Compliance: This policy will define the requirements for conducting internal audits and enforcement of the Cybersecurity Program and supporting policies throughout the Enterprise and State.


Appendix B: Policy Map

This appendix includes a map of the cybersecurity policies, and the groups in which they will be contained. The original is a diagram; its structure is reproduced here as an outline, using the labels that appear on the map (indented items beneath a policy are the topics that policy covers).

Cybersecurity Program Policy
- General Policies
  - Acceptable Use
    - Privileged Accounts
    - Acceptable Use Agreements
  - Configuration Management
    - System Development Lifecycle
  - Physical & Environmental Protection
- Assessment & Authorization
  - Security Assessment
    - Risk Assessment
    - Vulnerability Assessment
    - Penetration Testing
    - Vendor Assessment
  - Third Party Interconnection
  - Authority to Operate
- Proactive Security
  - Endpoint and Application Security
    - Endpoint Protection
    - E-mail Security
    - Patch Management
    - Cloud Services Security
    - Data Security
  - Network Security
    - Network Documentation and Access
      - Network Documentation
      - Network Access
    - Boundary Protection & Internet Access
    - Wireless Access
    - Remote Access
    - Mobile Device Security
  - Account Security and Access
    - Account Management
      - Awareness and Training
    - Official Use of Social Media
  - Other
    - Virtualization
    - Media Protection
    - Asset Management
- Monitoring and Response
  - Continuous Monitoring
    - Security Event Auditing and Logging
    - Threat Intelligence
  - Cybersecurity Incident Response
    - Breach Response Guide
  - Contingency Planning
    - Disaster Recovery
- Compliance
  - Public and Confidential Information
  - HIPAA Security Rule
  - PCI DSS Compliance
  - Auditing and Compliance
