ITPROSEC Information Security Policy and Standards

This document defines the general information security policy for the protection of the integrity, confidentiality and availability of the IT Profession Security’s (ITPROSEC) networks, computer systems and information. This document is one in a series that defines information security policy that are applicable to people, processes and technology at the ITPROSEC.

This documented is aligned with five sections of ISO/IEC 27002:2013 “Information technology – Security techniques – Code of practice for information security controls”:

  • Section 9:  Access Control
    • Section 10: Physical and environment security
    • Section 12: Operations Security
    • Section 13: Communications Security
    • Section 18: Compliance

Table of Contents

Document Control 1

Document Review.. 1

Document Approval 2

Document Note. 2

Table of Contents. 3

1.         Introduction. 5

2.         Scope. 5

3.         Target audience. 6

4.         Terms. 6

5.         Technical specification. 6

6.         Access control 7

6.1     Business requirements for access control 7

6.1.1.         Access Control procedures. 7

6.1.2.         Access to networks and network services. 7

6.2 User Management 8

6.2.1.         Password management 8

6.2.2.         Password requirements. 9

6.2.3.         Password use, change and maintenance. 9

6.3 System and Application Access Control 10

7.1. 10

6.3.1 Information access restriction. 10

7.2.         Secure Logon procedures. 10

7.3.         Access control systems. 11

7.4.         Use of Privileged utility programs. 11

7.5.         Access to program Source code. 12

7.         Operational security. 13

7.1     Operational procedures and responsibilities 13

7.1.1.         Use of Privileged utility programs (Tools) 13

7.1.2.         Operational Change Management 13

7.1.3.         Capacity management 14

7.2.         Protection against unauthorize Software and Malware/Spyware. 15

7.2.1.         Unauthorized Software installation and use. 15

7.3.         New System Configuration requirement 16

7.3.1.         Server Configuration. 16

7.4.         Backup. 17

7.4.1.         Information backup. 17

7.5.         Logging and Monitoring. 18

7.6.         Control of Operational software. 19

7.7.         Information Systems Audit 20

7.8.         Technical Vulnerability Management 20

8.         Communications. 22

8.1.         Network security. 22

8.1.1.         Network security management 22

8.1.2.         Security of Network services. 22

8.1.3.         Segregation in Networks. 23

8.2.         Information transfer 23

8.2.1.         Information exchange Policies and Procedures. 23

8.2.2.         Agreements on information transfer 24

8.2.3.         Security of Media in transit 24

8.2.4.         Electronic Messaging. 24

8.2.5.         Confidentiality or Non-disclosure agreements 25

9.         Compliance. 27

9.1.         Internal compliance. 27

9.2.         External compliance. 27

9.2.1      Compliance with Legal requirements 27

9.3.         Information Security reviews. 28

9.3.1.         Independent review of Information Security. 29

10.     Physical and Environmental Security. 31

10.1.      Secure Areas. 31

10.2.      Information Technology Equipment 32

Appendix A – Terms and definitions. 33

Appendix B – References. 35

This document defines the general information security policy for the protection of the integrity, confidentiality and availability of the IT Profession Security’s (ITPROSEC) networks, computer systems and information. This document is one in a series that defines information security policy that are applicable to people, processes and technology at the ITPROSEC.

This documented is aligned with five sections of ISO/IEC 27002:2013 “Information technology – Security techniques – Code of practice for information security controls”:

  • Section 9:  Access Control
    • Section 10: Physical and environment security
    • Section 12: Operations Security
    • Section 13: Communications Security
    • Section 18: Compliance

This document is also aligned with the Government of Galaxy IT Standards (GO-ITS).  The requirements outlined in this document must be implemented unless business or functional requirements preclude doing so. In cases where the requirements can’t be met, security exemptions must be raised and approved.

This information security policy document is intended to outline the security controls that should be in place to protect the integrity, confidentiality and availability of ITPROSEC networks, computer systems and information.

All information security policy documents will be reviewed on an ongoing basis to account for the changing threat landscape and the evolution of security and other related technologies and processes.

The requirements outlined in this document must be followed and other additional requirements may arise from any or all the following:

  • Security assessments;
    • Security testing and evaluations (e.g. vulnerability assessments, penetration testing, static code analysis, etc.); and
    • Provincial and federal privacy laws.
    • Galaxy Government Directives
    • ITPROSEC policy and/or process changes

          The target audience for this document includes, but is not limited to:

  • Information security personnel
    • Internal auditors
    • Application or developer personnel
    • Inforamtion System department personnel
    • Help desk personnel
    • User account management staff
    • Data Center management staff
    • Project managers
    • Record and Inforamtion staff

This document follows specific wording conventions. The following terms have specific obligations associated with them:

Must: this word, or the terms “required”, means it is a mandatory requirement.

Should: this word “should”, or the terms “recommended”, indicates there may be a valid reason or best for the business functionality and security.

In this document, the technical specification comprised or mapped from Industry Standard Framework ISO 27002:2013/2015 are as below.

  • Section 3: Access Control (maps to Section 9 of ISO 27002:2013)
    • Section 4:  Operations Security (maps to section 12 of ISO 27002:2013)
    • Section 5:  Communications Security (maps to section 13 of ISO 27002:2015)
    • Section 6:  Compliance (maps to section 18 of ISO 27002:2015)
    • Section 7: Physical and Environment (maps to section 10 of ISO 27002:2015)
Objective:  To limit access to information and information processing facilities.  
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
    1.  

User access and privilege management procedures must be conducted in a comprehensive manner.  Information and/or systems owners (or their approved delegate) should formally approve requests for access.

The following requirements must be addressed with access control procedures:

  1. The principles of segregation of duties and least privilege should be implemented to reduce the risk of an external intrusion or unintentional or deliberate misuse of systems or information within the ITPROSEC;
  2. The need-to-know principle must be applied and only users who require access to sensitive or confidential information as part of their job duties should be granted access;
  3. Access must only be provided after formal authorization is granted, via unique authentication credentials with a formal record documenting the provision of access;
  4. The use of generic or shared accounts must not be used;
  5. If there is a business requirement for the use of a generic or shared account, these accounts must be documented, tracked, and removed when no longer required;
  6. Generic or shared accounts must be subject to the same password expiration and change requirements as individually assigned accounts issued to regular users;
  7. Elevated privilege accounts (e.g., administrator/root) should not be used for normal business tasks which includes, but is not limited to, web browsing, accessing e-mail and other documents;
  8. Requirements for the expiry of privileged access rights should be defined; and
  9. Comprehensive user access and privilege reviews must be conducted on a regular basis to ensure that end users and IT personnel have formally approved and appropriate access to ITPROSEC data and services.

Users should only be provided with access to the networks and network services they have been specifically authorized to use.

Unauthorized and insecure connections to network services can affect the whole organization. Users should only be granted access to services they require and are authorized to use.

All remote access by ITPROSEC staff into the ITPROSEC network must be through a secure channel such as a VPN. The following security controls must be in place for VPN connections or for wireless access:

  1. Two-factor authentication is required for all remote access to the ITPROSEC network.  The authentication should be comprised of something you know (e.g. username and password) and something you have (e.g. a hardware or software token or a smart card);
  2. Session information should be protected using the Advanced Encryption Standard (AES) with a minimum key size of 128-bits (256 bit or greater should be used when possible or recommended);
  3. Any communication between a remote access server (RAS) device and an authentication server needs to be made via a secure channel; and
  4. The use of network services such as wireless or remote access must be monitored.

Unauthorized and insecure connections to network services can put the ITPROSEC at risk. This control is particularly important for network connections to applications housing sensitive information and for users in high-risk locations (e.g. public or external locations outside of the ITPROSEC’s control).

6.2 User Management

Objective:  To ensure authorized user access and to prevent unauthorized access to systems and services.  

Passwords are the most common type of credentials deployed within the ITPROSEC’s access control systems. The following password management requirements must be addressed by access control systems intended to protect ITPROSEC Information Assets:

  1. Passwords are highly sensitive and must be protected appropriately (i.e. encrypted/hashed in both in storage and transmission);
  2. Users are required to maintain their own passwords. Any secure temporary passwords must be randomly generated and changed at first login;
  3. Managers must assist in efforts to revoke user credentials when they are no longer required;
  4. Passwords should never be stored on computer systems in an unprotected form (e.g. stored in a text, word or excel file or in memory);
  5. A mechanism must be in place to ensure that password values are not reused by the same user with a span of twelve consecutive months;
  6. Accounts must be locked out after the fifth consecutive incorrect password entry and users must contact the help desk to enable further attempts or to reset the account password after validating the user/requestor;
  7. Administrators with access to Information Service assets and infrastructure must not share the job function of user password maintenance;
  8. Controls must be in place to ensure that emergency passwords are changed after use, with details regarding use of emergency accounts/passwords reviewed by appropriate personnel;
  9. Passwords must not be hard coded into applications, automated login processes, scripts, macros, or function keys; and
  10. Access control systems that cannot meet the defined “password management” controls defined in this section of the standard should be as a security exception and reviewed and approved by the business owner of the system or application and Information Security.
  11. Any default user account must be changed, or a Guest account should be removed / disabled.

Users must be aware of their responsibilities and the risks to I&IT assets and adhere to the following password requirements:

  1. System and user passwords must be a minimum of eight (8) characters in length;
  2. Mobile device passwords must be a minimum of six (6) characters in length;
  3. Passwords for service accounts must be a minimum of twenty (20) characters in length;
  4. Passwords must be complex and contain at least one of the following categories:
    1. Uppercase characters
    1. Lowercase characters
    1. Numeric number 10 digits (0 through 9)
    1. Non-alphanumeric characters: [email protected]#$%^&*_-+=’|\()[]:;”’<>,.>/
  5. Users must change their passwords at least once every 45 days;
  6. Passwords must be unique for twelve (12) iterations to prevent risks associated with password re-use;
  7. Users must change their password whenever there is any indication of possible compromise;
  8. Apple devices must lock after 5 minutes of inactivity, with 10 consecutive password failures causing the device to be disabled and wiped of information
  9. Default vendor passwords should be altered following installation of systems or software;
  10. User passwords must not be constructed of information that is easily deduced (e.g. names of pets, birthdays, addresses, hobbies, etc.);
  11. Users must not use the same password for business and non-business purposes and unique passwords must be selected for remote access and for access to different platforms; and
  12. Where possible passphrases should be used instead of shorter password values.
  13. Access control systems that cannot meet the defined “password requirement” controls defined in this section of the standard should be as a security exception and reviewed and approved by the business owner of the application or system and Information Security.

Users must adhere to the following password use requirements:

  1. Users must not divulge their passwords to anyone, including IT support staff or other people in authoritative roles;
  2. User must contact the ITPROSEC help desk or user account manager for assistance with their password, and should report any suspected or confirmed breach/leakage or disclosure of a password to the Chief Information Officer (CIO) and Information Security Office (ISO); and
  3. Users must promptly change any password they suspect has been shared or disclosed to an unauthorized party.

6.3 System and Application Access Control

Objective:  To prevent unauthorized access to systems and applications.  
  • 7.1.              

6.3.1 Information access restriction

Access to information and application system functions by end users and support personnel should be restricted in accordance with the defined access control policy.

Information owners (or in some cases system owners) of applications and the information held within the application should manage access rights and rules for applications, in accordance with the business requirements and the established access control policy/procedure. (refer to section 6.3.3)

The following capabilities should be considered to support access restriction requirements:

  1. Menus to control access to application system functions should be provided;
  2. The access rights of users should be granted as per business requirements and approvals;
  3. If a user changes roles and/or department their existing access should be removed, and new access should be provisioned as required;
  4. Access rights should be removed immediately on all platforms when a user separates, retires or otherwise terminates employment;
  5. Access rights should also be removed immediately if access is no longer required or if an account has been inactive for 90 days.

Access to Operating Systems and Applications should be controlled by a secure log-on procedure.

A log-on process should disclose a minimal amount of information about the operating system, service or application the user is trying to access, in order to prevent an unauthorized user with unnecessary information.  Log-on procedures should comply with the following requirements:

  1. Display a warning banner that indicates the system should only be accessed by authorized users. The ITPROSEC approved Standard Banner as below:

“This system is the property of the ITPROSEC and access to this system is for authorized ITPROSEC users only. Individual use of this computer system and/or network without ITPROSEC authorization, is strictly prohibited. Monitoring of transmissions or transactional information may be conducted to ensure the proper functioning and security of electronic communication resources. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible criminal activity or policy violation, system personnel may provide the evidence to law enforcement or to other senior officials for disciplinary action. 

  • No password transmits in clear text;
  • Suppress displaying the password being entered or hide the password with characters or symbols;
  • The number of log on attempts must limited to 5 times
  • The Account lock down must be setup after the number of threat hold reach
  • Audit trail must be enabled for both successful and un-successful logon attempts;
  • Logging and Alert must be enabled.

The following operational requirements must be addressed by access control systems:

  1. Access control systems must be centrally deployed and managed;
  2. The design and operation of centralized access control systems must include resiliency and redundancy;
  3. Access rights of users who have left the ITPROSEC or have changed job roles must be blocked or removed in a timely manner unless a valid business reason exists;
  4. Elevated privileges must be assigned on an “as needed” basis, such that these privileges are not provided for an unnecessary duration;
  5. The use of elevated privilege accounts must be logged, and monitored on a frequent basis to assist in detecting unauthorized access or misuse;
  6. Where possible, privileged access accounts should use two-factor authentication;
  7. Prior to being granted access to any systems, users should sign an acceptable use agreement; and
  8. Systems that house confidential or sensitive information should terminate a user session after 20 minutes of inactivity.

The use of utility programs that might be capable to overriding system and application controls should be restricted and tightly controlled.

System utilities that provide administrative capabilities for systems should be tightly controlled as the misuse of these tools could present a threat to the security controls of an operating system or application.

In order to manage risk associated with system utilities, the following controls should be in place:

  1. Where possible these utilities should use identification, authentication and authorization procedures;
  2. System utilities should be segregated from application software;
  3. The use of system utilities should be restricted to a limited number of administrators who require access to these tools for systems management;
  4. Logging should be in place to track the usage of system utilities; and
  5. Unnecessary software-based utilities and system software must be removed or disabled.

Access to program source code should be restricted.

Access to program source code and associated technical documents (such as designs, specifications, verification plans and validation plans) should be tightly controlled to prevent the introduction of unauthorized functionality, to avoid unintentional changes as well as to maintain the confidentiality of intellectual property. Source code, specifically should be stored in a central source code library. The following elements should be considered to protect program source libraries:

  1. Where possible, program source libraries should not be held in production systems;
  2. Program source code and program source code libraries should be managed according to established procedures;
  3. Granular access control policies should be put in place to manage access to source code repositories;
  4. An audit log should be maintained of all access to program source libraries;
  5. Maintenance and copying of program source libraries should follow change control procedures. (refer to section 7.1.2)
Objective:  To ensure correct and secure operations of information processing facilities.  
  •  

System operating procedures should be documented, maintained and made available to all users who need them.

Operating procedures should be treated as formal documents that must be reviewed and approved by management. The procedures should include system operations instructions for the following:

  1. Processing and handling of information;
  2. System backup procedures;
  3. Scheduling requirements, including, interdependencies with other systems, mandatory start/stop times for system work, maintenance windows, or changes, if applicable;
  4. Instructions for handling errors or other exception conditions, which might arise during job execution, including restrictions on the use of system utilities;
  5. Support and escalation contacts in the event of unexpected operational or technical difficulties;
  6. System contingency, restart and recovery procedures for use in the event of a system failure; and
  7. Special output and media handling instructions, such as the management of confidential output, including procedures for secure disposal of equipment and/or data.

Changes to business processes, information processing facilities, systems and applications must be controlled. Unauthorized or uncontrolled changes to systems can cause major disruptions to the availability of information systems, business processes or security controls. Formal management responsibilities, policies, and procedures should be in place to ensure satisfactory control of all changes to systems, applications or procedures.

The following change related controls must be in place:

  1. A Change Control record must be submitted for any changes to the production in the computing environment;
  2. Change control records must be reviewed and approved by the appropriate ITPROSEC personnel (IT Service, ISO or top management), prior to changes being implemented;
  3. Changes must be planned, tested and documented the test result where possible, prior to being implemented in production;
  4. The potential impacts of changes must be considered, including security risk, impacts, prior to the implementation of the change;
  5. Details of planned or proposed changes must be communicated to all relevant persons prior to the implementation of the change;
  6. Change procedures must tested to confirm that the change was successful, and that the security posture of the environment has not been weakened;
  7. Roll back procedures must exist for reversing unsuccessful changes.

As the demand for data center processing continues to increase, the ITPROSEC needs to maintain the ability to meet this demand from a facilities, personnel and technology perspective. The risks associated with capacity management can be reduced by taking the following measures:

  1. System tuning;
  2. Monitoring the use of resources (e.g. storage, CPU, memory, etc.)
  3. Input from the user base; and
  4. Projecting future requirements.

For each new system, capacity requirements should be identified.  Where possible detective controls should be implemented to automatically notify ITPROSEC or third-party vendor personnel of capacity related issues.

  • Separation of development, testing and operational environments for Application / Software

Development and testing facilities must be physically and/or logically separated to reduce the risk associated with unauthorized access or changes to production systems. Operational (production) systems require the highest level of availability and integrity. Using the same equipment and software to develop and test new systems makes production systems vulnerable to potential failures of integrity and loss of availability.

If development or test personnel have access to production systems, they may be able to introduce unauthorized and untested code or alter production data.  Depending on the nature of the systems, this capability could be used to commit fraud, introduce untested code, or malware.

          The following controls should be implemented:

  1. Development, test and production software should be run in physically or logically separated environments;
  2. Rules for the promotion of code or transfer of software from develop to production should be defined and formally documented;
  3. Development and testing activities should be separated from production operations and physical or logical segregation must be employed;
  4. Users should use different user profiles for production and testing systems; and
  5. Sensitive data should not be copied into the testing environment unless equivalent security controls are provided for the testing system.
  1. 1.  
  2. 2.  
  3. 3.  
  4. 4.  
  5. 5.  
  6. 6.  
  7. 7.  
    1.  
Objective:  To ensure that information and sensitive information are protected against malware.  

Software controls are required to prevent the introduction of malware and unknown to the ITPROSEC environment.

Software and information processing facilities are vulnerable to the introduction of malware. Users should be made aware of the dangers of unauthorized software or malware.

The principle of least privilege must be applied to govern the control on the end user machine.  Identify what types of software installation are permitted (if any) by end users and what types of installations are prohibited.

  1. Installing and use of non-ITPROSEC unauthorized software is prohibited;
  2. Appropriate control will be in implemented to prevent or detect the use of unauthorized software (e.g. application whitelisting or administrative lock down);
  3. Implementing controls that prevent users from accessing suspected or known malicious websites (e.g. blacklisting or block URL);
  4. Formal procedures to protect against risks associated with obtaining files and software either from or via external networks;
  5. Perimeter firewall devices must manage and limit incoming and outgoing network connections to a pre-defined spectrum of approved connections, services and applications.
  • Protection against Malware/Spyware

Malware could potentially be present as executable or interpretable scripts, shell code, or program commands in files, e-mail or web content and as such these files should be scanned. Vendor updates to malware signature files should be monitored and updated daily. In addition:

  1. Anti-malware/Antivirus software must be installed, operated, and signature/definition file must be updated regularly on all ITPROSEC owned Laptop/Desktop (Windows/Mac) and Servers (Windows, Linux, other supported system)
  2. Malware signature updates must only be downloaded from trusted sites;
  3. Regular scanning any files on electronic media or uncertain or unauthorized origin, or files received over unknown networks;
  4. Scanning any electronic mail attachments for malware prior to use; and
  5. Appropriate business continuity plans for recovering from malware related incidents, including all necessary data and software backup and recovery arrangements.

When a new system is creating or deploying, a minimum basic security configuration must be established before putting in the production or handing over to a user.

  • The server has a minimal operating system configuration.
  • The server does not provide more than one service for specific application or purpose.
  • The server has been scanned with CIS-CAT Lite open source tool (CIS Configuration Assessment Tool) and has been secured appropriately according to scanning results.  https://learn.cisecurity.org/cis-cat-landing-page
  • The server has been scanned with a vulnerability scanner and has been secured appropriately accordingly to the scanning results and ITPROSEC IT Vulnerability Action guide.
  • The server is protected with a host-based firewall.
  • The server is protected with a network firewall at the appropriate edge of network segment.
  • All firewall rules are whitelist based.
  • If possible, group-based device policies are employed for firewall rules.
  • Firewall rules and configurations are backed up.
  • Remote administration access is secured with appropriate network encryption protocols.
  • Remote access is disabled for built-in privileged system accounts such as root and Administrator.
  • Additional software components added above and beyond the base OS install are documented properly.
  • Only software necessary for the server’s primary function has been installed and enabled on the server.
  • Superfluous services provided with the base OS install have been removed or disabled.
  • Any compilers or development environments that were installed in order to install software have been removed.
  • The server uses the proper NTP servers.
  • OS and software patching will be performed according to the vendor’s patch release schedule.
  • A server Data is properly backed up to another system or location. Also make sure restore process tested or function accordingly.
  • Server Security Monitoring and Protection should be enabled
  • Server logging should be enabled, logs are collected and monitored for security related events.
  • If centralize log repository in place, Logs should be forwarding to centralized log repository.
  • Audit trails of security related events are enabled and retained.
  • A security related events are reported to the Information Security Office
  • Access to the server should be limited where possible to files, data and applications and should follow a role-based model.
  • Unneeded user accounts have been removed from the system.
  • Elevated privileges are not granted to non-administrative accounts.
  • Tools such as sudo or runas may be used to temporarily elevate privileges of user accounts.
  • Where possible administrative accounts are linked to a single individual.
  • Shared administrative accounts have their passwords and use restricted and protected fully possible.
  • Passwords adhere to the UBIT password policy.
  • The default Windows Administrator account has been disabled and a new administrator account may be created.
  • Default passwords for built-in accounts have been disabled.
  • Where possible automatic idle time-out log-off of administrative users sessions must be set to 10 minutes.
  • Direct server login capability has been disabled for accounts that do not require it.
  • Logon banners have been implemented for interactive logins, explaining appropriate system use and that user activities could be monitored. – refer section “6.3.2 Secure Logon Procedure
  • The number of failed login attempts to the server is limited to five. Upon five failed login attempts, the account is locked out of the system for at least one hour.
    • All hosts (Laptops, Workstations, Mobile devices)
  • Secure with an initial password-protected log-on and authorization.
  • A disk encryption is recommended on Laptop/desktop workstations.
  • Whole disk encryption required on portable devices (iPhone, mobile)
  • Set screen saver or idle time out to lock the screen automatically when a user inactivity for 10 minutes
  • A minimum of the Endpoint Security (Anti-virus /Malware) must be installed and if supported DLP, Encryption client software with the most up-to-date malware database (definition) should be updated.
  • Separate local admin and user accounts for each of account apply.
  • Up to date VPN software if a user requires VPN connection.
  • Regular, timely Operating System and other software updates.
Objective: To protect against loss of data.  

Backup copies of essential business information and software must be taken regularly. Comprehensive backup capabilities should be provided to ensure that all essential business information and software can be recovered following a disaster, system or media failure. The following controls should be considered:

  1. The extent and frequency of backups should reflect the business requirements of the ITPROSEC;
  2. Backups should be stored in a remote location, far enough away to escape any damage from a disaster at the primary site;
  3. Backup information should be given an appropriate level of physical and environmental protection consistent with the standards applied at the main site.  The controls applied to media at the main site should be extended to cover the backup site;
  4. Restoration procedures should be regularly checked, tested or verified to ensure that they are effective, they can be completed within the time allotted in the operational procedures for recovery;
  5. A retention period for backup media should be determined;
  6. Information from systems storing highly sensitive information (as determined by a security assessment) must be encrypted using approved methods; and
  7. Backups must be managed in accordance with records retention schedules.

The frequency of backups must be based upon availability requirements, as defined by a business impact assessment and/or the initial requirements established during the business case for the system.  Backups must be stored in a secure off-site facility and system restoration processes must be tested at a minimum annually.

Objective:  To record events and generate evidence.  
  •  
    •  
    •  
    •  
    •  
    •  
      • Event logging

Events on systems must be logged and archived for the purpose of system monitoring and audit.  Operator, system, and audit/event logs must be stored on a centralized log server.  These logs must include at a minimum, where relevant, the following:

  1. User IDs;
  2. System start and halt times;
  3. Dates, times and details of key events, e.g. log-on and log-off;
  4. System activities, error and any corrective action taken in response;
  5. Records of successful and failed system access attempts;
  6. Records of successful and unsuccessful data and other resource access attempts;
  7. Changes to system configuration;
  8. Use of privileges;
  9. Files access and the kind of access (e.g. read, write);
  10. Activation and de-activation of protection systems, such as anti-virus systems; and
  11. A timestamp indicating when the log entry was generated by the system, with system time synchronized to a redundant and validated reference time source.

As event logs can contain sensitive data such as personally identifiable data, appropriate privacy protection measures should be taken.

  • Protection of Log information

Logging facilities, log files must be protected against unauthorized access and tampering to maintain file integrity. Controls related to protecting log file information provide the following capabilities:

  1. Prevent log files being edited or deleted;
  2. Modifications to the type of information being recorded in logs; and
  3. Adequate storage capacity to ensure minimum 90 days of logs can be maintained.

The security control must be implemented to protect log files and functioning a log file to support the ITPROSEC’s established Incident Response Program (IRP) v1.2, troubleshooting technical issues and may be required as evidence should an investigation be initiated.

  • Administrator and User Logs

The activities of administrators and User must be logged, and the logs protected and reviewed regularly.

All administrative activities must have a clear audit trail.  These logs are important for providing assurance of the integrity of computer operations.  The logs must be retained for minimum 90 days and should be reviewed regularly.

  • Clock synchronization

The clocks of information processing systems within the ITPROSEC must be synchronized with accurate time source such as NTP server from reliable source.

Proper time synchronization is important to ensure that system logs are time and date stamped accurately.  These time and date stamps serve as an audit trail for transactions between end users.  An atomic time source should be used to ensure that time is kept synchronized.

Objective:  To ensure the integrity of operational (production) systems.  
  •  Installation of software on Operational Systems

The Operating systems can be vulnerable to the installation of unauthorized software and unauthorized changes to operating system software can result in the loss of data integrity. To minimize risk to operational systems the following controls must be in place:

  1. The Operating systems and Applications should only be updated by the trained administrators and upon Change Management approval;
  2. Production systems must only hold approved executable code and not development software;
  3. Extensive testing must be conducted prior to implementing the operational software (e.g. security testing, usability testing, and performance testing);
  4. Where possible a configuration management solution must be adopted to help control implemented software as well as system documentation;
  5. Previous versions of application software should be retained as a contingency measure; and
  6. Old versions of software should be archived, together with all required information and parameters, procedures, configuration details and supporting software for as long as the data are retained in archive.
  7. Vendor provided production software used in the Operational Systems must be maintained at a level supported by the vendor.
Objective:  To minimize the impact of audit activities on operational systems.  
  • 7.6.  
    • Information Systems Audit

Audit requirements and activities involve on the production systems must be carefully planned and agreed upon to minimize disruptions to business processes.

The following principles must be followed:

  1. Prior to any audit activity commencing, the proposed scope must be reviewed and agreed to by appropriate ITPROSEC management personnel;
  2. The scope of technical audit tests must be agreed and controlled;
  3. Audit checks must be limited to read-only access to software and data;
  4. Any tools used in an audit must be thoroughly tested in a development environment before they are used in a production environment;
  5. All access during the audit must be monitored and logged to produce a reference trail; and
  6. The person(s) conducting the audit must be independent of the systems or activities being audited.
Objective:  To reduce risks resulting from exploitation of published technical vulnerabilities.  
  • 7.7.  
    • Management of Technical vulnerabilities

Information about technical vulnerabilities of information systems being used at the ITPROSEC should be obtained in a timely manner. The ITPROSEC’s exposure to such vulnerabilities should be evaluated and appropriate measures taken to address risk.

Many attacks against organizations’ information systems are based on the exploitation of published technical vulnerabilities. The time between a vulnerability being discovered and an exploit being published continues to be shortened.

Refer vulnerability management process “I.T. Vulnerability Management Policy_Standards_Procedures V 1.3” for the details.

The following capabilities should be in place:

  1. Roles and responsibilities associated with technical vulnerability management should be defined, including functions such as monitoring, vulnerability scanning, risk assessment and patching;
  2. A timeline should be established for reacting to notifications about potentially relevant vulnerabilities;
  3. Once a potential technical vulnerability has been identified, the ITPROSEC should identify associated risks and actions to be taken. Actions could involve patching of a vulnerable system or applying other compensating controls;
  4. Depending on how urgently a technical vulnerability needs to be addressed, the action should be carried out according to the controls related to change management (refer to section 6.1.2) or by following established incident response procedures;
  5. If a patch is available, the risks associated with installing the patch should be assessed (the risk of not applying the patch should also be assessed);
  6. Patches should be tested in a development or testing environment before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated;
  7.  If no patch or workaround is available, actions such as turning off services related to the vulnerability, modifying or adding access controls (e.g. firewalls or filtering on routers), and raising awareness about the vulnerability should be considered;
  8. Vulnerabilities on systems that are considered high risk should be addressed first; and
  9. The technical vulnerability management program should be monitored and regularly evaluated to ensure it is operating effectively.
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  • 8.  
  •  
Objective:  To ensure the protection of information in networks and supporting information processing facilities.  
  •  
    •  

Network managers must implement controls to ensure the security of data in networks, and protection of connected services from unauthorized access. Specifically, the following controls must be implemented:

  1. Responsibilities and procedures for the management of networking equipment should be established;
  2. Encryption should be used to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks to protection the connected systems and applications;
  3. Logging and monitoring capabilities should be applied to enable recording and detection of actions that may affect, or are relevant to information security; and
  4. Management activities should be closely coordinated both to optimize the service to the business and ensure that controls are consistently applied across the infrastructure.

Security features, service levels, and management requirements of all network services should be identified and included in any network services agreements, whether these services are provided in-house or outsourced.

The use of third parties to supply network services to the ITPROSEC could potentially expose the ITPROSEC to unauthorized access attempts by other parties.  This could in turn lead to a breach of confidentiality and loss of integrity if the third-party services are not sufficiently secure. Availability is another key attribute that should be reviewed when assessing a third party’s capability. It is important to review the resilience of a supplier’s operations, including their facilities, geographic dispersion of personnel and their fallback plans to address network or equipment failures.

Security features, service levels, and management requirements should be identified for particular services. The ITPROSEC must ensure that network service providers implement these measures and a right to audit clause should be included in contracts where appropriate.

Network services include the managed security solutions such as firewalls or intrusion detection systems as well as the provision of network links and network management services.

Groups of information services, users, and information systems shall be segregated on networks.

Networks are vulnerable to unauthorized access attempts and this can potentially result in breaches of confidentiality and loss of integrity or availability for the network or systems attached to the network.  The following capabilities should be in place:

  1. Production, staging/test, and development zones should be established and logically separated by firewalls;
  2. Network zones must be implemented and managed in a manner that respects this separation of environments. For example, development hosts should never be used in a zone created for production systems;
  3. Development staff should not be provided with access to the production zone with the exception of temporary access that is granted in case of emergency;
  4. Privileged access granted to developers is to be revoked by the Technical Services team as soon as the emergency is over; and
  5. Applications should not go live in the production environment until they have been approved through established change management procedures (refer to section 6.1.2).
  6. 9.  
  7. 10.  
  8. 11.  
  9. 12.  
  10. 13.  
  11. 14.  
  12. 15.  
  13. 16.  
    1. 16.1.  
Objective:  To maintain the security of information transferred within the ITPROSEC and with any external entity.  

The exchange of information using electronic communication facilities, such as networks, cloud services, cell phones, and email carry a risk for to ITPROSEC information. The following security controls should be implemented:

  1. High classified or sensitive information must be encrypted to protect the confidentiality, integrity and authenticity of the information;
  2. High classified or sensitive information transferred out of the ITPROSEC must be encrypted.  This includes information transferred via FTP and email;
  3. Established data retention and disposal guidelines should be followed for all business correspondence, including email, in accordance with provincial and federal laws;
  4. High classified or sensitive information should not be left on printers or copiers as they may be accessed by unauthorized personnel;
  5. ITPROSEC employees should use caution when communicating with others in public places to ensure they do not disclose high classified or sensitive information; and
  6. ITPROSEC employees need to be mindful when entering personal or demographic information on the Internet to avoid collection for unauthorized use.

Agreements should address the secure transfer of business information between the ITPROSEC and external parties.

When the ITPROSEC provides information to another organization there is always a risk that it may not be looked after with the level of care we desire. This could potentially lead to unauthorized exposure of the information resulting in a breach of confidentiality.

The following controls, where practical, should be included in exchange agreements:

  1. Classify the information according to “Data Classification and Control process” for transmission, dispatch and receipt;
  2. Minimum classification standards for packing and transmission;
  3. Procedures to ensure a proper audit trail is generated;
  4. Responsibilities should be identified in regards to handling security incidents such a loss of data;
  5. Where practical an agreed upon labeling system for sensitive or critical information should be agreed upon; and
  6. Any special controls that may be required to protect sensitive information such as sealed or encryption measures.

Protection of data must consider current legislation, which may prohibit certain uses, or require specific data handling measures.

Media containing information should be protected against unauthorized access, misuse or corruption during transportation beyond the ITPROSEC’s physical boundaries.

Potential vulnerabilities to the transportation of information include loss, unauthorized access and misuse.  These vulnerabilities present risk to the confidentiality, integrity and availability of the information or software on the media that is transferred.  Where applicable, the following steps should be taken when transporting media:

  1. Reliable transport or couriers should be used;
  2. Procedures need to be in place to check the identification of couriers when shipping or receiving items to the ITPROSEC data center;
  3. Where appropriate, controls should be adopted to protect sensitive information from unauthorized disclosure such as:
    1. Lockable containers
    1. Tamper proof packaging
    1. Hand delivery

All shipments should be recorded and where appropriate authorized.

Information involved in electronic messaging should be appropriately protected.

Email poses a number of risks to the ITPROSEC such as being used inappropriately by a user or being a vector for viruses or other malicious software. Security measures must be taken to minimize the risks associated with the use of email.

The following technical controls should be implemented to help mitigate the risks associated with email:

  1. All email clients (desktops and laptops) and email servers must run anti-virus software and virus signatures must be updated regularly;
  2. All email transmitting should be classified (e.g. high, medium, low or public) in subject line according to “ITPROSEC Data Classification and Control process
  3. Mail gateways must inspect all inbound and outbound email for viruses, spam and other malicious software;
  4. Mail gateways must provide a proper audit trail (e.g. complete SMTP header information, time & date) of inbound and outbound email messages;
  5. Protection against abuse such as the unauthorized use of a SMTP relay or user enumeration; and
  6. Access to ITPROSEC email from publicly accessible networks requires two-factor authentication or at least very secure connectivity.

All electronic communications using the ITPROSEC’s equipment are considered to be in the possession, custody and control of the Commission.

The communication of confidential information with third parties should not take place in the absence of some form of confidentiality or non-disclosure agreement. Requirements for confidentiality or non-disclosure agreements reflecting the ITPROSEC’s needs for the protection of information should be identified and classified regularly according to Data Classification and Control process.

Confidentiality or non-disclosure agreements must address the requirement to protect confidential information using legally enforceable terms and conditions. The following elements should be considered for inclusion in confidentiality agreements:

  1. A definition of the information to be protected (e.g. High, Medium Low or Public);
  2. Expected duration of the agreement, including cases where confidentiality might need to be maintained indefinitely;
  3. Actions required when an agreement is terminated;
  4. Responsibilities and actions of signatories to avoid unauthorized information disclosure, including encryption requirements and requirements relating to the location and storage of data (e.g. data storage in Canada);
  5. A right to audit clause should be included to allow the monitoring of activities that involve confidential information;
  6. A process for notification and reporting of unauthorized disclosure or confidential information leakage;
  7. Expected actions to be taken in case of a breach of the agreement; and
  8. Terms for information to be returned or destroyed at the end of an agreement.

Based on the nature of the agreement, the ITPROSEC may have other elements that need to be included in a confidentiality or non-disclosure agreement. In considering whether a confidentiality or non-disclosure agreement is required, staff should consult with the ITPROSEC’s General Counsel’s Office (GCO) and Information Security office (ISO) for ITPROSEC Data Classification and Control process. All confidentiality and non-disclosure agreements should be drafted by GCO or protected by ISO policies, if prepared by a third party, reviewed by GCO.

  •  
Objective:  To avoid breaches of legal and contractual requirements.  

Managers or ISO must ensure that all security operations within their area of responsibility are carried out properly and in a manner that meets identified security policy requirements.

The owners of information systems, programs, and/or data should support regular review of their compliance with relevant policies, standards and procedures to ensure that information security policy have been properly addressed, and safeguards are appropriately deployed.

Objective:  To avoid breaches of legal and contractual requirements.  

Several areas of external compliance requirements exist.  ITPROSEC assets must be managed in compliance with these requirements. 

The design, operation, and management of information systems are subject to statutory, regulatory, and contractual requirements that may influence security considerations. Advice on specific legal issues should be sought in instances where security techniques may contravene legal requirements (i.e., system monitoring).

  •   Intellectual Property and Copyright

Procedures should be implemented to ensure compliance with restrictions on the use of software and copyrighted materials. Failure to comply with requirements can lead to fines or legal action.

In particular, the following safeguards should be implemented:

  1. Use existing procurement and vendor of record channels to obtain software and media;
  2. Maintain awareness among staff regarding acquisition of software products;
  3. Maintain asset inventory, including proof of license ownership, master copies, etc.;
  4. Maintain controls to ensure that fixed seat licenses are not inadvertently exceeded;
  5. Monitor the installation of acquired software packages and control inappropriate installation;
  6. Ensure all contracts are reviewed by the ITPROSEC’s General Counsel Office (GCO)
  •  
  •  
    •  
    •  
      •  
      •  
      • Organizational Records

ITPROSEC records must be protected from loss, unauthorized release, falsification and destruction. Some Commission records may need to be securely retained to meet legal and regulatory requirements, as well as to support essential business activities.

Records should be classified, with storage requirements and retention periods clearly defined for each record type used within the ITPROSEC.  Archival procedures should be considered for various types of records to ensure they are protected. Refer to the ITPROSEC Records Retention Schedules for addition details.  Technological changes and integrity protection should be considered when choosing a medium for electronic records to ensure they can be accessed but not modified.  The ITPROSEC’s Information and Records Management Policy should be referred to for specific details.

  •    Data protection and privacy of personal information

The ITPROSEC is bound by legislative requirements at both the provincial and federal level regarding the protection of personal privacy. Security techniques and methods must comply with all relevant provincial and federal privacy legislation.

If personal information is subject to disclosure due to a security breach, Government of Galaxy privacy breach procedures, or those outlined within any relevant legislation or ITPROSEC policy/process must be undertaken. Privacy breaches should be reported immediately to the ITPROSEC’s General Counsel’s Office (GCO), Chief Information Officer (CIO) and Information Security office (ISO).

  • Cryptography

Controls must be in place to ensure compliance with Canadian and international agreements, laws, regulations related to the use, import, and export of cryptographic software and devices. Required review may include:

  1. Determination of import/export status for cryptographic hardware and software;
  2. Determination of import/export status for items to which cryptography is to be added; and
  3. Determination of use of any cryptography in any jurisdiction where not sanctioned.

Cryptography deployed as a technical safeguard within an access control system (e.g., to pass credentials and/or provide for integrity assurance), or to provide for communications security, must meet the requirements details in the ITPROSEC policy “Information security policy for the use of Cryptography”.

Objective:  To ensure that information security is implemented and operated in accordance with the ITPROSEC’s security policies and procedures.  

The ITPROSEC’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently by the third party at planned intervals or when significant changes to the security implementation occur.

The ITPROSEC’s approach to information security and its implementation should be reviewed periodically (e.g. annually) to ensure that controls in place are suitable and operating properly. The results of the independent review should be reported to management.

Reviews should be carried out by an individual independent of the area under review.  Results of independent reviews should be recorded, and corrective actions taken.

If an external party is engaged to conduct an independent review, no information should be provided until a contract or agreement is in place that outlines terms and conditions for the review.

  • Internal Compliance

Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements.

Managers should review the information security policy in defined ITPROSEC policies and standards to ensure they are met.  Where feasible, automatic measurement and reporting tools should be used to provide efficient and regular review capabilities.

If any non-compliance is found as a result of the review, managers should:

  1. Identify the causes of non-compliance;
  2. Evaluate the need for actions to achieve compliance;
  3. Implement appropriate corrective action; and
  4. Review corrective action taken to verify its effectiveness and identify any deficiencies or weaknesses.
  5. Report the non-compliance to the CIO, GCO, ISO.

Results of reviews and corrective actions taken by managers should be recorded and records should be maintained.

  • Technical Compliance with policies and standards

Information Security Office should be regularly reviewed for compliance with the ITPROSEC’s information security policies and standards.

Technical compliance, where possible, should be assessed with the assistance of automated tools with the output reviewed by a technical specialist.  Alternatively, manual reviews should be conducted by an experienced technical specialist should be performed.

Any technical compliance reviews should be conducted by competent, authorized personnel and should be supervised by the appropriate personnel from the ITPROSEC.

  1.  
Objective:  To ensure that information system facilities are secured and protected.  

  1. Data Center

The data centers are the critical to ITPROSEC’s day to day business operation. The changes become increasingly dynamic, accommodating rapid application changes and on-the-fly deployments, physical security has remained relatively static, based on perimeter appliances like firewalls, router or other network chokepoint devices that leave the insides of the data center vulnerable.

Refer “ITPROSEC Information Security Physical Control Policy v1.0” for more information of physical control and roles and responsibilities.

Some of Physical control standard for the data center are as follows:

  • The data center should be a physically separated from all other ITPROSEC offices.
  • Data Server rooms must be locked down to prevent attacks, equipped with riot doors, fire doors, and other doors resistant to forcible entry.
  • The server room should have limited access to those employees that require access for job duties only.
  • Access to the server/data rooms must be logged either electronically or on log sheets.
  • The person getting access must be required to log in and log out (log book) in place where authentication devices or data storage facilities exist must require access logs records to be maintained.
  • The data center or server room contain mission critical equipment, therefore, should be in the middle of the facility (not against the wall, not in the basement, ground or top floor).
  • Fire-rated walls surrounding data facilities must be non-combustible and resistant to fire for at least one hour. All openings to these walls (doors, ventilation ducts, etc.) should be self-closing and likewise rated at least one hour.
  • Periodically assessed to ensure that physical security controls are in place to physically protect the information stored or processed in that data centre.
    • Environment control
  • A Fire detection or sensor must be installed to detect and protect from the facility.
  • A Fire Extinguishers must be in place in case of fire with appropriate extinguishers such as- for class A, common combustibles fires, soda acid or water is used to eliminate fire. Class B, liquid fires, need carbon monoxide, halon or halon substitutes, and soda acid is used to contain these fires. Class C, electrical fires, must have carbon monoxide or halon or halon substitutes used for fire elimination. Class D, metal fires, should have dry power suppressants used for fire removal.
  • A motion detector, CCTV or an intrusion alarm monitor should be implemented in order to prevent or deterrent from the unauthorized access.
  • The data center or server room must be designed to controlling the environment including the climate such as heating, ventilation and air-conditioning (HVAC) system must be monitored to the humidity and should be range between 40 and 60 percent to control static electricity.
  • Water flooding and leakage prevention or water sensor should be implemented. Water flooding and leakage can cause substantial damage to electronics and anything using electricity, especially in use and electrocution may occur because of it.
Objective:  To ensure that information system equipments are reliable, operational, protected and redundancy to ensure business can continue and operational as needed.  

Defending against accidental or malicious misuse, loss or theft of Servers, laptops, desktops are crucial to protect from sensitive information leakage, theft or loss.

Additionally, proper protection for the cabling used to transmit information from various location (e.g. data center, service provider, internal local network or internet connection etc.) to support ITPROSEC’s day to day business operation.

  1. Technological Equipment Control

The below are some of physical control requirements in regard to Information Technology equipment safety.

  • All the business-critical server must be residing in the Data Center and lockdown the door.
  • All the business-critical network or network related devices – firewall, switches, routers, cables must be in the protected rack and properly secure inside the data center.
  • Laptops must be secured by proper security cable including the docking station.
  • Desktop must also be secured by proper security cable.
  • Printer and Scanner should be positioned properly to ensure removing and stealing is difficult and recommended to secure by the security cable.
  • Laptop and mobile devices not leaving in vehicles or not leaving unattended in public places.

Appendix A – Terms and definitions

Term Definition
Access Entry to an electronic network provided by the ITPROSEC to employees and other authorized individuals on our outside of the ITPROSEC premises.
Access controls Procedures/devices designed to restrict entry to a physical area (physical access controls) or to limit use of a computer/communications system or stored data (logical access control)
Authentication To establish the validity of a claimed identity of a user prior to gaining access (e.g. passwords, access cards).
Authorization To grant permission to access resources according to a predefined approval scheme.
Availability The degree of readiness expected of information systems and IT resources to deliver an appropriate and timely level of service, regardless of circumstances.
Confidentiality Ensuring that information is accessible only to those authorized to have access.  Unauthorized disclosure of the information constitutes a loss of confidentiality.  The protection of confidentiality must be consistent with the sensitivity of the information and legislative requirements (e.g. FIPPA)
Cryptography The art of protecting information by transforming it (encrypting it) into an unreadable format, called cipher text.  Only those who possess a secret key can decipher (or decrypt) the message into plain text.
Data Any formalized representation of facts, concepts or instructions suitable for communication, interpretation or processing by a person or by automatic means.
Elevated privileges Enhanced rights and/or administrative control, assigned to a user, over a specific I&IT resource or group of resources.
Information The meaning derived from or assigned to facts or data, within a specific context.
Integrity The authenticity, accuracy and completeness of data that can be affected by unauthorized or accidental additions, changes and/or deletions.
Non-repudiation A method of guaranteeing message transmission between parties via digital signature and/or encryption. 
Risk A potential opportunity or threat that may have an impact on the ITPROSEC’s ability to meet its business objectives.
Risk assessment Process of risk analysis and risk evaluation including a study of vulnerabilities, threats, likelihood, loss and impact.
Safeguard A protective and precautionary measure to prevent a security threat from happening.
Service account An account which is generally used for application-to-application authentication or web service authentication.
Two-factor authentication Requires the user to physically possess something (i.e. smartcard or token) in addition to something the user knows (i.e. a password or a PIN).  The physical component (i.e. smartcard, token) is independently separate from the desktop or laptop used to conduct the authentication process.

Appendix B – References

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: