Secretary of State Information Technology Security Policies and … · 2017-07-05 · Information...


Secretary of State Information Technology Security Policies and Standards FOR EXTERNAL USERS

The enclosed Information Technology Security Policies have been developed to protect The Illinois Secretary of State’s critical operations, partners, assets, staff and customers. Compliance with these policies is mandatory. If you have any questions regarding any of the policies or your responsibilities in implementing them, please contact the Department of Information Technology Security Administrator.

Proprietary Information

The enclosed policies and procedures are proprietary to The Illinois Secretary of State. The material may only be copied or re-distributed for compliance purposes. Otherwise the permission of The Illinois Secretary of State’s Office is required.

Property of The Illinois Secretary of State Version 1.0 September 2014 Page 1 of 15

Page 2: Secretary of State Information Technology Security Policies and … · 2017-07-05 · Information Security Policies define a concise set of behaviors that provide a secure and ever

TABLE OF CONTENTS

Executive Summary .......... 3
  Vision and Philosophy .......... 3
  Information Security Directive .......... 3
  Security Environment .......... 3
  Roles and Responsibilities .......... 4
  Sanctions for Policy Violations .......... 4
  Policy Administration .......... 4

Information Security Policies and Standards .......... 5
  Purpose .......... 5
  Policy Statement .......... 5
  Standards for Risk Assessment .......... 5
  Standards for Risk Management and Security Controls Measures .......... 7

Information Classification, Handling, and Disposal Policy & Standards .......... 8
  Purpose .......... 8
  Policy Statement .......... 8
  Standards .......... 8

Incident Response Policy & Standards .......... 10
  Purpose .......... 10
  Policy Statement .......... 10
  Scope .......... 10
  Standards .......... 10

Acceptable Use Policy & Standards .......... 12
  Purpose .......... 12
  Policy Statement .......... 12
  Applicability .......... 12
  Standards .......... 12


Executive Summary

Vision and Philosophy

It is the obligation of all users of The Illinois Secretary of State's computer systems to protect the technology and information assets of The Illinois Secretary of State's office. The computer systems and networks of The Illinois Secretary of State (IL SOS) perform a valuable service to the people of this state and contain confidential information about the citizens of the state and the state’s business. This information must be protected from unauthorized access, theft, and destruction. Because of the tremendous amount of information we collect, store, process, and share with our partners, the IL SOS has made protecting this critical information a high priority. The foundation of an effective information security program is strong Information Security Policies that are in balance with IL SOS operations. Information Security Policies define a concise set of behaviors that provide a secure and enabling environment in which the IL SOS will use and manage its information resources with protection from data loss, service disruption, misuse or unauthorized access. The IL SOS’ Information Security Policies represent the combined efforts of the Deputy Secretary of State/Chief of Staff, the Department of Information Technology, Personnel, Legal, Internal Audit, the Security Policy Committee (SPC), and user communities.

Information Security Directive

The management of the IL SOS is committed to refining and maintaining appropriate policies and procedures that ensure integration of information systems policies in line with the IL SOS’ mission, overall business operations, and risk posture in accordance with regulatory guidelines. This will be accomplished by active management oversight, effectively managing and monitoring information security risks, delineating clear accountability, and setting appropriate review processes to ensure that the infrastructures necessary to identify, monitor, and control information security risks are continuously addressed.

Security Environment

The IL SOS utilizes customer data to deliver products and services to our customers. We collect, process, store and share sensitive information that enables us to maintain and perform our mission. Accordingly, all customer information, as well as other sensitive “need to know” information, will be protected by all staff, contractors, partners, and service providers in accordance with well-defined policies and procedures. It should be noted that no customer payment card information is processed or stored within any IL SOS application/system. All customer payment card data is processed by a third-party provider. No payment card processing is performed by the IL SOS Offices.

The management and staff of the IL SOS, along with any External Users, shall operate on the security principle that “that which is not explicitly allowed is explicitly denied”. Attempts by anyone to access, monitor, use or share information that is not explicitly allowed to them will be considered a security violation. The IL SOS will also operate on the principle of “Defense in Depth”. The security of the IL SOS’ information will not rely on a single means of protection when multiple means of protection are justified by our risk assessment. The IL SOS will deploy systems, processes, policies, procedures and training to protect the IL SOS’ mission-critical data assets and the IL SOS’ operations. Most importantly, the IL SOS will monitor and enforce compliance with established policies. To this end, the IL SOS’ Information Technology Security Policies and Standards for External Users address IL SOS systems and data to ensure the continued confidentiality, integrity and availability of data and critical systems. This particular area of our policies focuses on the needs of External Users.


Roles and Responsibilities

The Executive Office of IL SOS is ultimately responsible for the oversight of IT and sensitive data. Oversight is provided by designated management-level representatives from each functional area of the IL SOS’ Office who comprise the Security Policy Committee (SPC). Assignments are based upon technical and/or managerial competency in relation to the complexity of the products or services. The SPC will periodically provide reports to guide program adjustments. The Director of Information Technology will provide oversight of the Security Administrator (SA) who, along with the SPC, is responsible for carefully considering the impact of any policy or procedural changes in current products and services which may affect both the security of information and the functionality of products. All External Users must maintain the individual responsibilities outlined in the End User Acceptable Use Policy & Standards – External Users contained in subsequent sections of this document. External Users are required to acknowledge their acceptance of those responsibilities in writing. The guiding principles for External Users include:

o Limit access to users on a “need to know” basis.
o Deploy information security safeguards in a “Defense in Depth” strategy to limit single points of potential vulnerabilities.
o Enforce accountability to the IL SOS security policies.
o Remain vigilant for new threats that may cause damage to the IL SOS, or our customer data, stored or written, and adjust the external security program to control such risks.

External Users are required to comply with these policies and standards established by IL SOS. All External Users accessing any IL SOS systems or information will execute a confidentiality and non-disclosure agreement.

Sanctions for Policy Violations

Failure to comply with our Information Security Policies and Standards may result in sanctions by IL SOS. Any sanctions will correspond to the type and severity of the violation, including whether it causes any liability or loss and whether there are repeated violations. Each situation will be judged on a case-by-case basis. Sanctions may include referral for criminal or civil prosecution, depending upon the severity of the violation. This policy constitutes advance notice that appropriate sanctions shall be imposed for violations. Sanctions may also include termination of the access agreement between the External User and IL SOS.

Policy Administration

The SA will have the responsibility for reviewing and updating the Information Security Policies. Security policies will be reviewed by the SPC and approved by the Executive Office of the IL SOS for implementation. All policies will be reviewed annually and updated when there are changes to the environment. All policies are subject to review by Internal Audit, External Auditors as well as Information Technology. All information security policies will include the following elements:

o Purpose
o Policy Statement
o Applicability
o Standards


INFORMATION SECURITY POLICIES & STANDARDS – EXTERNAL USERS

Purpose

Protecting the confidentiality, integrity, and availability of customer and sensitive financial information, records and transactions is critical to the IL SOS. All customers’ personally identifying information is confidential, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed. All External Users share in the responsibility to ensure that the appropriate procedures and controls are implemented and that information security remains a constant priority. This policy is to be used in conjunction with sound risk analysis and good judgment. The primary objective of this policy is to ensure that the appropriate protection is placed on all IL SOS customer information, records and transactions transmitted by computer and data communication systems owned by or administered for the IL SOS and accessed by External Users.

Policy Statement

All information collected, processed, stored on or transmitted in and throughout the IL SOS’ computer systems and networks will be treated as IL SOS assets. It is the policy of the IL SOS to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse or theft of all information assets. All External Users shall maintain information security programs to control risks associated with access, use, storage, sharing, and destruction of sensitive customer and financial information. These programs document minimum standards of behavior for External Users and include clear guidance for operations. At a minimum, these programs include:

o Risk Assessment
o Risk Mitigation and Management
o Monitoring and Reporting
o Audit
o IT Oversight and Program Adjustment
o Vendor Management

Standards for Risk Assessment

For each critical process deployed, the External User shall undertake a comprehensive risk assessment to identify critical information assets, threats to those assets, and the effectiveness of risk controls. The risk assessment shall review risks to the entire process and not be limited to specific IT systems. The risk assessment shall be performed on an annual basis and the results shall be sent to the SA. The SA, in conjunction with the SPC, shall decide to what degree potential issues will be mitigated to reduce risk to the IL SOS’ customers. For each system, service, or activity offered by or through the IL SOS, a risk assessment shall be performed following the guidelines published in the National Institute of Standards & Technology (NIST) SP 800-30 Rev. 1. At a minimum, an External User storing any IL SOS information/data shall include the activities outlined in the diagram below:


RISK ASSESSMENT ACTIVITIES: Input, Activity, Output
(Steps 1–4 apply to External Users with inquiry-only access; Steps 1–9 apply to External Users who store or collect IL SOS data.)

Step 1: SYSTEM CHARACTERIZATION (Inquiry; Storage/Collection)
  Input: Hardware; Software; System Interfaces; Data and Information; People; System Mission
  Output: System Boundary; System Functions; System and Data Criticality; System and Data Sensitivity

Step 2: THREAT IDENTIFICATION (Inquiry; Storage/Collection)
  Input: History of System Attack; Data from Other (outside) Sources
  Output: Threat Statement

Step 3: VULNERABILITY IDENTIFICATION (Inquiry; Storage/Collection)
  Input: Reports from Prior Risk Assessments; Any Audit Comments; Security Requirements; Security Test Results
  Output: List of Potential Vulnerabilities

Step 4: CONTROL ANALYSIS (Inquiry; Storage/Collection)
  Input: Current Controls; Planned Controls
  Output: List of Current and Planned Controls

Step 5: LIKELIHOOD DETERMINATION (Storage/Collection)
  Input: Threat-Source Motivation; Threat Capability; Nature of Vulnerability
  Output: Likelihood Rating

Step 6: IMPACT ANALYSIS – Loss of Integrity; Loss of Availability; Loss of Confidentiality (Storage/Collection)
  Input: Mission Impact Analysis; Asset Criticality Assessment; Data Criticality
  Output: Likelihood Rating

Step 7: RISK DETERMINATION (Storage/Collection)
  Input: Likelihood of Threat Exploitation; Magnitude of Impact; Adequacy of Planned or Current Controls
  Output: Risks and Associated Risk Levels

Step 8: CONTROL RECOMMENDATIONS (Storage/Collection)
  Input: Coordination with CRO
  Output: Recommended Controls

Step 9: RESULTS DOCUMENTATION (Storage/Collection)
  Output: Risk Assessment Report


Standards for Risk Management and Security Control Measures

All information systems require effective and reliable controls to maintain data confidentiality, assure availability and integrity, ensure customer privacy, and protect the IL SOS’ computer and telecommunication systems from unauthorized intrusions and access, misuse, or fraud. Based upon the justification detailed in the risk assessment, External Users shall be required to implement controls that support the following principles.

POLICY DEVELOPMENT

External Users shall leverage best practices, including ISO 27001 and 27002 or comparable standards approved by IL SOS, to develop policies and document security procedures to meet operational risk mitigation objectives as well as compliance with protections and other regulatory requirements. This includes the federal Driver’s Privacy Protection Act, 18 USC § 2721 et seq., the Illinois Vehicle Code, 625 ILCS 5/2-123, the Personal Information Protection Act, 815 ILCS 530 et seq., and Title 92 Illinois Administrative Code, Part 1002.

ACCESS CONTROLS

All IL SOS computers and telecommunications systems limit access to External Users who have a proven “need-to-know”. Access to Confidential/Restricted information is granted at the minimum level of access necessary to perform assigned responsibilities and in compliance with the Access Control Policy. Access controls will implement the following safeguards:

1. Logical access restrictions: Information Technology will provide an infrastructure to validate unique user identification through central authentication systems and will implement user log-in monitoring to verify that only users granted access to sensitive data are allowed access to IL SOS sensitive systems and data.

2. Access restrictions on physical locations containing customer information: Access to the data center, server areas, and record storage areas containing confidential information, applications and systems shall be limited to authorized personnel.

PHYSICAL SECURITY

All critical, confidential, and sensitive information and information processing systems must be physically protected from unauthorized access, damage, and service disruption.

ENCRYPTION

Any system or service requiring the transmission or storage of information such as Social Security Numbers (SSNs), passwords, client/customer account information, or non-public personal financial information will use an approved method of encryption as a means of protecting data.

MONITORING SYSTEMS

External Users will monitor the critical systems that access IL SOS information and evaluate whether the controls are functioning effectively and whether any security breaches have occurred. At a minimum, established standards will address the following:

1. Exception reports for security policy violations will be immediately reported to the SA and the IL SOS External User’s Liaison.

2. Vulnerability assessments, penetration tests, access monitoring and other events will be periodically performed. Industry standard security tools will be used to verify that vulnerabilities are mitigated immediately and well within 30 days of receiving vulnerability notices. Results will be analyzed and policies/controls modified as needed to prevent, detect, and respond to possible security breaches.

INFORMATION SECURITY INCIDENT RESPONSE

Information security incident response is an important component of the IL SOS’ information technology program. Appropriate responses to information security incidents are defined in the Incident Response Policy.


INFORMATION CLASSIFICATION, HANDLING, AND DISPOSAL POLICY & STANDARDS – EXTERNAL USERS

Purpose

Unauthorized access to sensitive information, including but not limited to customer data, could introduce fraud, identity theft, damage to the IL SOS reputation, or other risks to the organization. Since our sensitive information is stored, processed and shared in both electronic and paper form, safeguards are required to address data classification, handling, storage, and disposal.

Policy Statement

External Users will protect the information they access or hold in their custody based on the nature of the information and the risk exposure from inappropriate or undesired access, disclosure, or destruction. The degree of protection provided correlates directly with the risk exposure given the information’s media. The degree of protection afforded information shall be consistently applied during creation, handling, processing, storage, and disposal.

The External User must ensure that information on all media is classified, handled and disposed of in a secure manner. The External User is responsible for all procedures and guidelines to protect information while it is being processed or stored in either electronic or paper form. The IL SOS encourages minimal use and storage of its confidential data to reduce the risk of data compromise.

This principle must be rigorously observed in the treatment of all IL SOS data processed by the External User. Transactional data shall not be stored longer than permitted by law.

Standards

External Users shall enforce the following standards when handling and disposing of sensitive information.

DOCUMENT IDENTIFICATION AND CLASSIFICATION

Document control is critical to maintain staff and customer privacy as well as to protect valuable information assets of the IL SOS. The first step in the process is to classify documents as Public, Internal Use Only, Confidential, or Restricted. The classification values and examples are:

Classification: Public
Value: Distribution of this material is not limited. Information includes marketing programs, forms and other information cleared for release to the public.

Classification: Internal Use Only
Value: Disclosure of this information is intended for internal distribution only. Public release could cause measurable damage to this organization or its customers. Information marked for “Internal Use Only” or higher will be restricted to authorized staff and other participants who have executed an approved Non-Disclosure Agreement. This information includes internal processing procedures, employee schedules and other information required to function within the IL SOS’ Office but too sensitive to release to the public.

Classification: Confidential/Restricted
Value: Disclosure of this information could cause serious damage to IL SOS and IL SOS customers and could result in criminal/civil penalties. Information such as company financials, highly restricted personal information (including but not limited to name, address, social security number, medical information, driver’s license number and state identification card number), customer/client financial data and “privileged” legal documents must be carefully restricted to employees with a strict “business need-to-know.” Information classified as “private” must always bear handling instructions that include confidentiality and legal warnings. Proprietary knowledge, intellectual property, product research and development, and other similar documents will be restricted. Access shall only be granted on a strict “business need-to-know” basis.


DOCUMENT AND MEDIA INVENTORY

All External Users shall maintain a list of all documents and media types containing IL SOS data with the appropriate classification, such as Confidential/Restricted.

HANDLING OF PHYSICAL MEDIA

External Users must physically secure all paper and electronic media that contains IL SOS data, including but not limited to Confidential/Restricted information. Transportation of media containing Confidential/Restricted information, whether in hardcopy or electronic form, will be secured through use of a secured courier or a delivery mechanism that can be accurately tracked.

INFORMATION DISPOSAL

Confidential/Restricted and Internal Use Only materials shall be discarded through shredding, either by a local shredder or by placing them in a paper and hard copy media collection point (shred bin). The shred bin shall be secure to protect documents prior to final disposal. External Users shall shred all documents and dispose of them according to the confidential handling requirements in their access agreement and in accordance with the Personal Information Protection Act, 815 ILCS 530. All data on sensitive systems must be cleared of all classified data before disposal. No sensitive systems may be sold as “working systems”, and the hard drives or other storage media must be removed prior to disposal. When disposing of electronic media that previously contained confidential information, the External User is responsible for ensuring that all media is electronically disabled through magnetic destruction or other means. All disk drives used for organizational business shall be removed from systems prior to systems recycling or resale. All disks and tape media shall be physically destroyed and not sold.

DOCUMENT HANDLING

Paper material with any Internal Use Only or Confidential/Restricted information shall be carefully handled to protect both classified organization or business information and customer information. All Confidential/Restricted documents stored and unattended shall be secured. The External User shall maintain paper and hard copy media collection points (shred bins) or local shredders at each facility to collect and protect Confidential/Restricted and Internal Use Only material until it can be properly destroyed. If the External User is unsure of the sensitivity of information on a document, the External User should contact the IL SOS External User Liaison. Any information classified as Internal Use Only or Confidential/Restricted is not intended for public consumption. As such, special steps must be taken when sharing these documents with external entities. Sharing of any documents and information not classified as Public will require formal approval from the IL SOS External User Liaison.


INCIDENT RESPONSE POLICY & STANDARDS – EXTERNAL USERS

Purpose

Information collection, processing, storage and sharing are essential for IL SOS to deliver services to its customers. However, that information is also valuable to those who would misuse it to cause damage to the IL SOS or defraud its customers. Authorized External Users and the IL SOS shall deploy administrative, technical, and physical controls to protect confidential IL SOS information as well as customer privacy. However, if controls fail to protect sensitive data, IL SOS and External Users must have an Incident Response Plan to mitigate damage, investigate the cause, and recover services or data. The purpose of this section of the policy is to establish guidelines for the response to unauthorized network intrusions or other significant information security incidents.

Policy Statement

Incident Response is the final stage in a process that escalates events through an operation review process to determine if an event or intrusion observed on a production system could have caused a breach of the system or compromise of sensitive data.

Scope

All employees and External Users must report any and all suspicious actions, activities, incidents and breaches to the IL SOS External User Liaison. External Users shall report in accordance with the terms of the Access Agreement.

Standards

External Users shall maintain an Incident Response Plan that will enable the IL SOS to respond immediately to a system breach. All External Users will maintain an Incident Response Plan to be used in the event of system compromise. The plan will address specific incident response procedures, data backup processes, roles and responsibilities, and communication and contact strategies. The intent of the External User Incident Response Plan is to mitigate risk, and ensure the IL SOS will be able to respond to incidents according to the following priorities:

o Human life and safety;
o Sensitive or mission-critical systems and data;
o Other systems and data;
o Damage to systems and data; and
o Disruption to access or services.
o Reduce potential direct and indirect financial loss from network intrusions
o Mitigate operational impact from cyber incidents
o Comply with regulatory requirements for information security
o Meet industry best practices as published by the FBI and National Infrastructure Protection Center (NIPC)

IL SOS characterizes cyber incidents as any unwanted, or in some instances, unexplained network or system behavior. IL SOS segments these incidents into the following categories, consistent with definitions published by the National Infrastructure Protection Center (NIPC):

o Increased or unauthorized access to informational assets
o Unauthorized disclosure of information
o Corruption of information
o Denial of Service
o Theft of IT resources

The External Users’ plan includes:

o Roles, responsibilities, and communication strategies in the event of a compromise.
o Coverage and responses for all critical system components.
o A formal process to report incidents and track response activities.


o Guide response in the following phases:
  • Containment
  • Eradication
  • Recovery
  • Follow-up
o Defined escalation processes.
o Procedures to conduct a post event review to determine the cause and guide control enhancements.
o Procedures for notification, such as credit card associations and Acquirers.
o A strategy for business continuity post compromise.
o Reference or inclusion of incident response procedures from card associations.
o Adherence to legal requirements for reporting compromises as required by State Privacy laws.

External Users will ensure:

o Integrated event escalation procedures to identify incidents that require declaration of an incident.

o Notice will be provided to VISA, the Secret Service, FBI and other authorities if cardholder data is compromised.

o 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.

o Specific personnel are designated to be available on a 24/7 basis to respond to compromise alerts.

o Appropriate training to staff with security breach response responsibilities.

o Establish a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.


ACCEPTABLE USE POLICY & STANDARDS – EXTERNAL USERS

Purpose
Information systems provide access to both data and processes required to support most IL SOS functions. They have contributed to substantial improvements in both productivity and customer service. However, the use of information systems to access customer or financial data, electronic mail (Email), the Internet, and remote access to IL SOS systems introduces risk. The purpose of this policy is to define end user acceptable use criteria for organizational systems.

Policy Statement
Computers and networks can provide access to information resources both internal and external to the IL SOS networks. To ensure this information is handled responsibly, users are to respect the rights of other users, protect the confidentiality and integrity of the systems and related physical resources, and observe all relevant laws, requirements and regulations. Failure to comply or act in accordance with this policy will result in sanctions, up to and including termination of access or use privileges. Specific guidance for end user acceptable use may be found in the standards established for this policy. A formal signed acknowledgement and understanding of the IL SOS acceptable use policies and standards will be a mandatory requirement for all External Users prior to obtaining access to IL SOS data assets.

Applicability
This policy applies to all External Users who, pursuant to an access agreement, are granted access to the network for business or governmental purposes.

Standards
The following standards are provided to establish the acceptable use of IL SOS technology for all External Users who are granted access to the network for business purposes. These standards will include but not be limited to:

o Obtaining Access
o Security
o Acceptable Use Standards for:
  • IL SOS Systems and Networks
  • Email
  • Internet Access
  • Remote Access
  • Telephone and Modem Access

OBTAINING ACCESS
To be granted access to the network for business purposes of the IL SOS, External Users authorized by management may access the IL SOS systems by first obtaining permission to access those systems. Authorized access may occur only after the External User signs and submits an Access Agreement to the External User’s Liaison. Access to the IL SOS systems and data is dependent upon the External User’s job requirements. External Users will be limited to only the minimum amount of access required to perform assigned duties. The limitation of access is defined in the Access Agreement. Since Remote Access to systems introduces a higher level of risk, only the IL SOS Information Technology Technical Services designees may grant remote access to External Users who are granted access to the network for business or governmental purposes according to the following standards:

o Computer systems may be monitored or audited by the IL SOS or Auditor General.
o All information (including personal or confidential information) placed on or sent over this system may be examined, recorded, copied, used or disclosed by the IL SOS for authorized purposes.


o All information collected during monitoring may be used for purposes of any administrative, civil or criminal action or proceeding.

SECURITY
External Users are responsible for safeguarding systems and the confidentiality, integrity, and availability of information within their control. Before leaving the area of a workstation where an External User is logged in, the External User will remove the smartcard or, in cases where a smartcard is not used, lock or log off the workstation.

External Users will report any unexpected system behavior or irregularities in information to the SA and to the External User’s Liaison immediately. The SA will report any suspected or actual system intrusion, hack, virus, or other computer security incident to the Technical Service Section of Information Technology immediately. External Users shall report any and all breaches and intrusions to the Office of the Inspector General and the Office of the General Counsel as per the access agreement.

ACCEPTABLE USE
All use of the IL SOS systems must be in accordance with the restrictions set forth in this policy.

IL SOS Systems Acceptable Use Standards

As specified in the Information Security Policies and Standards Policy, access to our systems up to and including network systems access and remote access will be granted only after explicit approval to use such access is obtained.

IL SOS requires the following:

o All device use is authenticated with smartcard, PIN or username and password or other authentication item (e.g., token). All External Users will maintain a list of devices and personnel authorized for access.

o All copyright or other protections must be observed.
o All External Users will be responsible for the confidentiality, integrity, and security of their files. Any changes made to their files without their consent are to be reported to the SA and the External User’s Liaison immediately.

o IL SOS reserves the right to revoke the system privileges of any External User at any time. Conduct that interferes with the normal and proper operation of our information systems, which adversely affects the ability of others to use these information systems, or which is harmful or offensive to others will not be permitted.

o All messages or data created, stored, transmitted, or retrieved over IL SOS systems or through IL SOS Internet access are the property of the IL SOS. The IL SOS reserves the right to access the contents of any messages or data sent over its computer network and use that information to enforce its policies. If the content violates regulations or laws, the IL SOS reserves the right to submit the information to law enforcement for potential prosecution.

o External Users have no expectation of privacy or confidentiality in any of their system usage. System usage will be monitored for policy, security, and/or network management reasons from time to time and is subject to inspection at any time. Any personal information placed on the IL SOS information system resources becomes the property of the IL SOS.

o All External Users shall report any irregularities found in information or information systems in accordance with the terms of the access agreement.

o A smartcard, User-ID and password or Username and password is considered equivalent to a user signature. Shared accounts or passwords are strictly prohibited.

o Password security for all systems is to be maintained by not sharing smartcards, not revealing PINs, and not revealing usernames and passwords to anyone.

o External Users will remove their smartcard or logoff of all IL SOS systems when they leave their workstation.

o The privacy and confidentiality of all sensitive IL SOS data and customer information is to be protected. It is understood that unauthorized disclosure of any sensitive information could be an invasion of privacy and may result in disciplinary, civil, and/or criminal actions against an individual. Any unauthorized publication of social security numbers, computer software source codes, computer/network access codes, details of IL SOS network architecture, and business relationships is prohibited.

o External Users must respect the rights of other users, respect the integrity of the systems and related physical resources, and observe all relevant laws, regulations, and contractual obligations. Through its legal representation, the IL SOS will cooperate with law enforcement authorities regarding information security and related incidents.

o External Users agree to cooperate with IL SOS and/or any regulatory agency conducting an authorized, reasonable internal security investigation.

o External Users shall not monitor, change, delete or tamper with IL SOS data.
o External Users are responsible to protect the availability of sensitive IL SOS data.
o External Users shall utilize virus protection software.
o External Users shall not knowingly introduce malicious software into the IL SOS systems.

IL SOS Systems Unacceptable Use

Although this is not an all-inclusive list, External Users are prohibited from the following unacceptable uses of the IL SOS systems:

o Use of IL SOS Systems including Email to communicate sexual, discriminatory or other harassing messages.

o Any attempt to negate or circumvent the IL SOS security controls, policies and procedures (e.g., disabling virus protection or tunneling a protocol through a firewall) is strictly prohibited.

o Unauthorized use, destruction, modification, and distribution of IL SOS information or information systems are prohibited. Release of IL SOS information must be in accordance with the IL SOS policies or access agreements.

o Sabotage, destruction, misuse, or unauthorized system repairs are prohibited on IL SOS information systems and on systems accessing IL SOS data. All repairs must be authorized.

o IL SOS prohibits the use of personal computing systems or test devices within IL SOS or on IL SOS networks or on systems accessing IL SOS data unless authorized in writing by the Department of Information Technology. Any business conducted on personally owned devices is subject to the policies herein.

o Removal of any IL SOS supplied hardware/software is not allowed unless prior approval has been obtained. Removal of any equipment or software from the IL SOS for personal use is not allowed.

o IL SOS Information systems will not be used to solicit for religious or political causes.
o Use of tools that compromise security (e.g., password crackers and network sniffers) is prohibited except as used by the Information Technology staff as part of an ongoing security program.

o Intentional interference with the normal operation of the network, including the propagation of computer viruses and sustained high volume network traffic, which substantially hinders others in their use of the network is prohibited.

o Theft of the IL SOS resources including sensitive information is prohibited. Use that violates local, state or federal laws is strictly prohibited.

Remote Access Acceptable Use Standards
Access to IL SOS systems will be available for authorized External Users through the Internet via our secure Virtual Private Network (VPN) connection. Remote access to the IL SOS network shall be permitted in accordance with the following standards:

o Only the Director of Information Technology or SPC may authorize individuals for remote and VPN/MS Terminal Services access privileges. Each External User must provide documented justification for remote privileges. This documentation will be stored as part of the user’s access request documentation.

o Remote or VPN access is only provided through the use of a licensed copy of software that allows such access to occur.

o External Users may obtain remote access only through the IL SOS approved firewalls, modems and telecommunications front-end equipment.

o External Users must not type any remote access passwords while someone is watching.
o External Users must not permanently store passwords on a PC and/or mobile device. This includes permanent storage for use in automatic login.


o External Users must not leave the PC and/or mobile device unattended and remotely logged on to the IL SOS network.

o External Users must not share dynamic password token cards, smart cards, fixed passwords, or any other access devices or access parameters with any other person.

o Devices used to remotely connect to the IL SOS networks must employ encrypted volumes to protect the remote storage of any classified information.

o The IL SOS Information Technology department must approve the configuration of all remotely connected systems.

o If the client software provides a logging capability, a log must be produced.
o External Users will be limited to the minimum amount of access required to perform the necessary duties while the session is active. All other access and privileges will be limited to the specific function performed by each External User.

o The remote or VPN session must be terminated as soon as the External User has finished his or her work.

o Remote access to any IL SOS system containing customer data or access to systems that contain customer data will require two factor authentication and use of a secure connection between the host and the remote device.
