SNA to IP Network Migration

ISAC Guidelines

1/15/13


Scope

The purpose of this guideline is to clarify the network security controls referenced in the CSU “Business Process Guide SNA to IP (Systems Network Architecture to Internet Protocol)” and to provide additional risk mitigation strategies.

The ISAC guidelines are in agreement with the CSU Information Security Policy and the CSU Information Security Standards for the protection of Level 1 information, and may exceed the minimum security requirements specified in the “Decentralized Customer Information Security Statement of Understanding & Compliance Validation” from the California State Controller’s Office.

Campuses should conduct a risk assessment and implement appropriate compensating controls to protect Level 1 information and minimize the risks of exposure of, or access to, the SCO systems, in accordance with ICSUAM 8020.

Security Controls Guidelines

1. Network Access Controls

These controls are directed to the network and firewall administrators.

The “Business Process Guide SNA to IP” indicates (Figure 2 and Appendix B) that the CSU approved model for SNA to IP requires that the workstations used to connect to the SCO be located in a “Contained VLAN”. Because of the payroll/HR content, this requirement is consistent with the NTA Route Switch Baseline Standard Design V1.0, which requires this VLAN to be inside a security zone. The California State Controller’s Office Decentralized Customer Information Security Statement of Understanding & Compliance Validation questionnaire E1 provides remote access network standards.

The risk assessment for access to large amounts of protected Level 1 information, the documents listed above, and the implementation example documented in the “Business Process Guide SNA to IP” lead to the following guidelines:

1. The workstations must reside in a VLAN/subnet specifically for the SNA to IP users. Static IP addresses should be assigned to each workstation to facilitate monitoring and logging.

2. The VLAN/subnet must be behind a firewall set to allow egress (outbound) traffic to SCO (myvssy5.teale.ca.gov) only.

3. No ingress (inbound) traffic to the contained VLAN/subnet should be allowed except for the management and administration of the workstations.

4. Intranet firewall egress (outbound) rules may allow access to authentication servers, DNS, and other services for administration and management only.

5. All egress and ingress traffic must be logged, and the logs must be retained according to campus and CSU retention policy.
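The five guidelines above can be checked mechanically against a firewall's ordered rule list before a network scan confirms them. The following is an added example, not part of the ISAC guideline or of any CSU tooling: a vendor-neutral Python check over a constructed rule list, where the contained VLAN (10.50.7.0/24) and the management subnet (10.1.1.0/24) are assumed values and the SCO host name is the one given in guideline 2.

```python
import ipaddress

# Constructed example values. The SCO host name comes from guideline 2;
# the contained VLAN and the management subnet are assumptions.
CONTAINED_VLAN = ipaddress.ip_network("10.50.7.0/24")
MGMT_SUBNET = ipaddress.ip_network("10.1.1.0/24")
SCO_HOSTS = {"myvssy5.teale.ca.gov"}

def check_policy(rules):
    """Return the guideline violations found in an ordered firewall policy.

    Each rule is a dict with: direction ('egress'|'ingress'), action
    ('allow'|'deny'), src, dst (CIDR or host name), purpose and log (bool).
    """
    violations = []
    for i, r in enumerate(rules):
        if not r["log"]:  # guideline 5: every rule, allow or deny, is logged
            violations.append(f"rule {i}: not logged")
        if r["action"] != "allow":
            continue
        if r["direction"] == "egress":
            # guidelines 2 and 4: from the VLAN, only to SCO or management services
            src_ok = ipaddress.ip_network(r["src"]).subnet_of(CONTAINED_VLAN)
            dst_ok = r["dst"] in SCO_HOSTS or r["purpose"] == "management"
            if not (src_ok and dst_ok):
                violations.append(f"rule {i}: egress {r['src']} -> {r['dst']} not permitted")
        else:
            # guideline 3: inbound only from the management subnet, for management
            src_ok = ipaddress.ip_network(r["src"]).subnet_of(MGMT_SUBNET)
            if not (src_ok and r["purpose"] == "management"):
                violations.append(f"rule {i}: ingress from {r['src']} not permitted")
    # the policy must close with a logged default deny in both directions
    for d in ("egress", "ingress"):
        last = [r for r in rules if r["direction"] == d][-1:]
        if not last or last[0]["action"] != "deny":
            violations.append(f"{d}: no final default deny")
    return violations

# Constructed sample policy; rule 3 breaks guidelines 2 and 5.
SAMPLE_POLICY = [
    {"direction": "egress", "action": "allow", "src": "10.50.7.0/24", "dst": "myvssy5.teale.ca.gov", "purpose": "sco", "log": True},
    {"direction": "egress", "action": "allow", "src": "10.50.7.0/24", "dst": "10.1.1.53/32", "purpose": "management", "log": True},
    {"direction": "ingress", "action": "allow", "src": "10.1.1.0/24", "dst": "10.50.7.0/24", "purpose": "management", "log": True},
    {"direction": "egress", "action": "allow", "src": "10.50.7.0/24", "dst": "0.0.0.0/0", "purpose": "web", "log": False},
    {"direction": "ingress", "action": "deny", "src": "0.0.0.0/0", "dst": "10.50.7.0/24", "purpose": "default", "log": True},
    {"direction": "egress", "action": "deny", "src": "10.50.7.0/24", "dst": "0.0.0.0/0", "purpose": "default", "log": True},
]
```

Running `check_policy(SAMPLE_POLICY)` reports the unlogged catch-all egress rule twice (once per guideline it breaks); removing that rule yields an empty list.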


2. SCO Information Security Assessment

These controls are directed at the managers responsible for completing the SCO Decentralized Department Information Security Assessment and Requirements Checklists. For each checklist question below, the security control requirement needed to indicate “Yes” with compliance follows the question.

A. Organizational and Management Practices

1. Confidentiality & Non-Disclosure Agreements

SCO question: Does the department implement confidentiality or non-disclosure agreements with employees, contractors, and external entities to ensure the department’s needs for protection of HRMS and other classified information are met?

Control requirement: An approved system-wide confidentiality/disclosure agreement signed by each user/vendor must be on file.

2. Configuration Change Control

SCO question: Are changes made to HRMS related information systems controlled and documented? Are changes reviewed and approved by the department’s Information Security Officer?

Control requirement: All changes to the virtual and physical SCO environment, aside from routine maintenance (OS patches, anti-virus agent updates, etc.), must be documented, reviewed and approved according to the campus change control procedures, including approval by the ISO.

3. Vulnerability Scanning

SCO question: Does the department perform regularly occurring (e.g., bi-annual, quarterly, monthly) vulnerability scanning in order to evaluate the configuration, patch status, and services of department information systems for known vulnerabilities?

Control requirement: Patch management, anti-virus, firewall and other maintenance reports/logs should be reviewed regularly to detect vulnerabilities. Network scans should be performed to affirm that the firewall rules are configured properly (i.e. the scans should reveal that inbound connections are not allowed).

B. Physical Security Practices

1. Physical Access Control

SCO question: To protect HRMS information from unauthorized access, theft, and malicious activity, does the department control physical access to facilities or work areas containing equipment used for HRMS access or information processing?

Control requirement: The doors to the SCO workstations must be locked to unauthorized users. Other perimeter security measures: card access or guard.

Visitors/guests must be escorted, or the department must have a visitor log with sign in/out for vendors, guests and visiting staff (name, dept/vendor name, purpose of visit, date, time in and out, signature in and out).

Confidential information must be locked up daily (clean desk).

Ensure control and privacy of verbalized or viewable confidential information within the work area.

Output devices, such as printers, must be secured to prevent unauthorized individuals from gaining access to the output.

The appropriate Director (HR/Payroll/Accounts Payroll) should approve all key/card access to the physically restricted SCO area. Access should be reviewed by the Director at least once a year to confirm only authorized personnel have access.

C. Data Security Practices

1. Access Controls

If HRMS access and use is facilitated through the department’s Local (or Wide) Area Network resources, please address the following access control questions:

a. SCO question: Do department authentication controls require, at a minimum, each individual to have a unique UserID and a user-selected confidential password?

Control requirement: Users must log on with a unique UserID and a password meeting the “password requirements”. Other acceptable authentication methods for login to the workstation would be:

- Biometrics (such as palm or fingerprint scan) can be used to log in to the machine.

- Two factor authentication (token plus password, with a shorter PIN allowed).


b. SCO question: Are users allowed more than five (5)* consecutive unsuccessful login attempts before the user account is locked and must be administratively reset?

*SCO recommends three (3) attempts.

Control requirement: Users must be locked out after 3 consecutive unsuccessful login attempts and be administratively reset.



c. SCO question: Are users required to manually enter a password; is the use of programmed function keys (PF keys) and stored passwords prohibited?

Control requirement: Users must enter a password manually for the application login; the use of any PF keys is not allowed. Stored passwords are prohibited.

d. SCO question: Does the department enforce “strong” password rules similar to the following?

- Passwords are required to be six (6) or more characters.

- Passwords are required to consist of both alpha and numeric characters.

- Passwords are required to expire in ninety (90) days or less.

- Users are prevented from re-using a password within six (6) password history iterations.

Control requirement: Password policy requirements must be in place, or stronger acceptable access controls to minimize risk.

Passwords should be 10 characters or more for user accounts and 12 characters or more for administrative passwords.

Passwords should consist of 3 of the following 4 character sets:

1. lower case letters

2. upper case letters

3. numbers

4. printable characters

Passwords should expire in six months or less.

Users should be prevented from re-using a password.
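As an added example that is not part of the guideline, the lockout rule from item b and the password rules from item d above are expressed here as Python checks an application or provisioning script could apply. The thresholds are the guideline's own; reading the fourth character set, “printable characters”, as printable non-alphanumerics is an assumption.

```python
import string

# Thresholds from the guideline above. The fourth character set, "printable
# characters", is taken here to mean printable non-alphanumerics (assumption).
MIN_LENGTH = {"user": 10, "admin": 12}
MAX_FAILED_LOGINS = 3
CHARSETS = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def password_problems(password, role="user", history=()):
    """Return the guideline rules a candidate password fails (empty list = OK).

    `history` holds the account's previous passwords; a real deployment would
    compare salted hashes rather than plaintext (constructed simplification).
    """
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters ({role} account)")
    if sum(any(c in cs for c in password) for cs in CHARSETS) < 3:
        problems.append("uses fewer than 3 of the 4 character sets")
    if password in history:
        problems.append("re-uses a previous password")
    return problems

class LoginLockout:
    """Lock an account after MAX_FAILED_LOGINS consecutive failures; only an
    administrator reset clears the lock, as the guideline requires."""

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password_ok):
        if user in self.locked:
            return "locked"          # even a correct password is refused
        if password_ok:
            self.failures[user] = 0  # a success resets the consecutive count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_LOGINS:
            self.locked.add(user)
            return "locked"
        return "failed"

    def admin_reset(self, user):
        self.locked.discard(user)
        self.failures[user] = 0
```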

2. Data Storage and Portable Media Protection

SCO question: Does the department have policies and procedures in place to protect data on electronic storage media, including CDs, USB drives, and tapes? Policy should include requirements to utilize encryption and access control on data storage and portable media that retain any information classified as confidential. Procedures should include labels on media to show sensitivity levels and handling requirements, rotation, retention and archival schedules, and appropriate destruction/disposal of media and data.

Control requirement: Protected Level 1 data must not be stored on external media or devices.

If protected Level 1 data is stored on external media or devices, policies and procedures to protect the data must be in place: encrypt and/or password protect, lock up, label the device, inventory regularly, retain only as long as needed, destroy/overwrite securely.



D. Personal Computer Security Practices

Personal computing devices include desktops, laptops, notebooks, and tablets.

Note: The use of any device where access to HRMS is achieved remotely (i.e., telework) is prohibited by the SCO. All personal computers shall access HRMS from department business facilities only.

Control requirement: Personal devices are strictly prohibited for use with HRMS.

1. Inactivity Lockout

SCO question: Does the department enforce the use of a password protected screen saver that is activated after a predetermined inactivity time period* on all personal computing devices (i.e. issued workstations) utilized for access to HRMS?

*The SCO recommends that the screen saver session be activated after a maximum of 15 to 20 minutes.

Control requirement: A password protected screen saver should be activated at a minimum of 15 minutes of inactivity.

2. Malicious Code Protection

SCO question: Does the department maintain up-to-date malicious code protection software on all personal computing devices and systems utilized in conjunction with access to HRMS?

Control requirement: Updated malicious code protection software must be utilized.

Updates should be pushed automatically as released by the vendor. Updates must be pushed at least daily.

E. Remote Access & Wireless LAN Use

1. Remote Access

SCO question: Access to HRMS via remote access (i.e., telework) or remote control technologies is prohibited. Does the department prohibit the use of remote access or remote control facilitating methodologies and technologies in conjunction with HRMS?

Control requirement: Procedures must be in place that prohibit access to HRMS from a remote device: telework or a place outside of the department area.

For example: do not enable any VPN access to the “contained VLAN/segment”, and do not allow remote terminal access through the HRMS workstations to SCO.

2. Wireless LAN Use

SCO question: Access to HRMS via Wireless LAN technologies is prohibited. Does the department prohibit the use of Wireless LAN technologies in conjunction with HRMS?

Control requirement: Procedures must be in place that prohibit access to the “contained VLAN/segment” from wireless networks and devices.

Procedures must be in place to detect and disable any rogue wireless access points that attempt to connect to the “contained VLAN/segment”.

F. Incident Response Practices

1. Incident Response

SCO question: Does the department have incident response policies and procedures consistent with applicable laws and state policies in place? These include but are not limited to identification of roles and responsibilities, investigation, containment and escalation procedures, documentation and preservation of evidence, communication protocols, lessons learned, and immediate reporting to the SCO Decentralization Security Administrator and Information Security Office.

Control requirement: Written information security incident response procedures must be in place identifying roles and responsibilities, investigation, containment and escalation procedures, documentation and preservation of evidence, communication protocols, lessons learned, and immediate reporting to the SCO Decentralization Security Administrator and Information Security Office, as well as coordinating with the CSU CISO and HR.