Government of Ontario IT Standard (GO ITS) GO-ITS Number 25.0 General Security Requirements Version # : 1.2 Status: Approved Prepared under the delegated authority of the Management Board of Cabinet UNCLASSIFIED © Queen's Printer for Ontario, 2012 Last Review Date: 2012-11-15 Sensitivity: Unclassified Approved Version #: 1.2 Copyright & Disclaimer Government of Ontario reserves the right to make changes in the information contained in this publication without prior notice. The reader should in all cases consult the Document History to determine whether any such changes have been made. 2012 Government of Ontario. All rights reserved. Other product or brand names are trademarks or registered trademarks of their respective holders. This document contains proprietary information of Government of Ontario, disclosure or reproduction is prohibited without the prior express written permission from Government of Ontario. Template Info Template Name Template # Template Version No. GO ITS Template 12.02.10 2.4 Template Author Template Completion Date Design: PMCoE 2012-06-12 Boilerplate: SPPB/ICS Document History Date Summary 2003-01-14 Created: GO-ITS 25.0 DRAFT v0.1 2008-01-07 New draft number changed to version 1.1 2008-02-19 Aligned with ISO 27002:2005, Input from 2007-2008 review process incorporated 2008-02-20 Approved by IT Standards Council 2008-04-09 Minor corrections and changes to more closely align with ISO 27002:2005, Adjustment to include access control and monitoring sections as per consultations with Ontario Internal Audit Division 2008-04-17 Approved by Architecture Review Board 2012-04-14 Organizational updates, updated hyperlinks and references, minor adjustment and errata 2012-04-19 GO-ITS 25.19 content has been merged 2012-06-12 Document format updated, minor adjustments 2012-11-15 Minor updates approved by Information Technology Executive Leadership Council (ITELC). Approved document version number set to 1.2 GO-ITS 25.0 General Security Requirements Page 2 of 40 Sensitivity: Unclassified Approved Version #: 1.2 Table of Contents 1. 2. FOREWORD .........................................................................................................................................................................................................5 INTRODUCTION..................................................................................................................................................................................................6 2.1. Background and Rationale............................................................................................................................................................................6 2.2. Target Audience................................................................................................................................................................................................6 2.3. Scope ...................................................................................................................................................................................................................7 2.3.1. In Scope ............................................................................................................................ 7 2.3.2. Out of Scope ..................................................................................................................... 7 2.4. Applicability Statements...................................................................................................................................................................................7 2.4.1. Organization ...................................................................................................................... 7 2.4.2. Other Applicability ............................................................................................................. 7 2.4.3. Terms ................................................................................................................................ 8 2.5. Roles and Responsibilities..............................................................................................................................................................................8 2.5.1. Contact Information........................................................................................................... 8 3. TECHNICAL SPECIFICATION......................................................................................................................................................................9 3.1. Operational procedures and responsibilities .............................................................................................................................................9 3.1.1. Access control procedures................................................................................................ 9 3.1.2. Access control systems .................................................................................................... 9 3.1.3. Documented operating procedures ................................................................................ 10 3.1.4. Operational change control ............................................................................................. 11 3.1.5. Incident management procedures .................................................................................. 12 3.1.6. Segregation of duties ...................................................................................................... 14 3.1.7. Separation of development and operational facilities ..................................................... 15 3.1.8. External facilities management ....................................................................................... 16 3.2. System planning and acceptance............................................................................................................................................................17 3.2.1. Capacity planning ........................................................................................................... 17 3.2.2. System acceptance ......................................................................................................... 18 3.3. Protection against malicious software......................................................................................................................................................19 3.3.1. Controls against malicious software ............................................................................... 19 3.4. System administration ..................................................................................................................................................................................20 3.4.1. Information back-up ........................................................................................................ 20 3.4.2. Activity logging ................................................................................................................ 21 3.4.3. Fault logging ................................................................................................................... 21 3.5. Network management.................................................................................................................................................................................22 3.5.1. Management: .................................................................................................................. 22 3.5.2. Identification and authentication ..................................................................................... 23 3.5.3. Privileges and parameters .............................................................................................. 23 3.5.4. Confidentiality, integrity, availability, and non-repudiation .............................................. 23 3.5.5. Monitoring, response, recovery, and review ................................................................... 23 3.5.6. Planning, implementation, management, review and audit ............................................ 24 3.6. Media handling and security.......................................................................................................................................................................24 3.6.1. Management of removable computer media .................................................................. 24 3.6.2. Information handling procedures .................................................................................... 25 3.6.3. Security of system documentation .................................................................................. 26 3.7. Exchanges of information and software..................................................................................................................................................26 3.7.1. Information and software exchange agreements ........................................................... 26 3.7.2. Security of media in transit.............................................................................................. 28 3.7.3. Electronic commerce security ......................................................................................... 28 3.7.4. Security of electronic mail ............................................................................................... 28 3.7.4.1. Security risks ............................................................................................................... 28 3.7.4.2. Procedures for electronic mail ..................................................................................... 29 3.7.5. Security of electronic office systems ............................................................................... 29 GO-ITS 25.0 General Security Requirements Page 3 of 40 Sensitivity: Unclassified Approved Version #: 1.2 3.7.6. Publicly available systems .............................................................................................. 30 3.7.7. Other forms of information exchange ............................................................................. 31 4. RELATED STANDARDS..............................................................................................................................................................................32 4.1. Impacts to Existing Standards....................................................................................................................................................................32 4.2. Impacts to Existing Environment...............................................................................................................................................................32 5. COMPLIANCE REQUIREMENTS............................................................................................................................................................32 5.1. Internal compliance........................................................................................................................................................................................32 5.1.1. Access to accounts and information ............................................................................... 32 5.2. External compliance......................................................................................................................................................................................33 5.2.1. Compliance with legal requirements ............................................................................... 33 5.2.2. Intellectual property and copyright .................................................................................. 33 5.2.3. Organizational records .................................................................................................... 34 5.2.4. Data protection and privacy of personal information ...................................................... 34 5.2.5. Cryptography .................................................................................................................. 34 5.3. Audit....................................................................................................................................................................................................................34 5.3.1. Impact ............................................................................................................................. 35 5.3.2. Monitoring ....................................................................................................................... 35 5.4. Implementation and Metrics........................................................................................................................................................................35 6. ACKNOWLEDGEMENTS............................................................................................................................................................................36 7. RECOMMENDED VERSIONING AND/OR CHANGE MANAGEMENT.................................................................................37 7.1. Publication Details..........................................................................................................................................................................................37 7.1. Requirements Levels....................................................................................................................................................................................38 8. APPENDICES ....................................................................................................................................................................................................38 8.1. Normative References.................................................................................................................................................................................38 8.2. Informative References................................................................................................................................................................................38 9. GLOSSARY ........................................................................................................................................................................................................39 GO-ITS 25.0 General Security Requirements Page 4 of 40 Sensitivity: Unclassified Approved Version #: 1.2 1. Foreword Government of Ontario Information Technology Standards (GO ITS) are the official publications on the IT standards adopted by the Ministry of Government Services for use across the government’s IT infrastructure. These publications support the responsibilities of the Ministry of Government Services (MGS) for coordinating standardization of Information & Information Technology (I&IT) in the Government of Ontario. In particular, GO ITS describe where the application of a standard is mandatory and specify any qualifications governing the implementation of standards. All GO-ITS 25 Standards are based on the work of recognized global authorities in information and operational security, both in government and industry. Copies of cited GO-ITS standards may be obtained as follows: Intranet: http://intra.collaboration.gov.on.ca/mgs/occio/occto/our-services/technology-adoption/technicalstandards-1/approved-go-its-standards/ Internet: http://www.ontario.ca/itstandards/ GO-ITS 25.0 General Security Requirements Page 5 of 40 Sensitivity: Unclassified Approved Version #: 1.2 2. Introduction This document defines general security requirements for the protection of the integrity, confidentiality and availability of Government of Ontario networks and computer systems. This document is one in a series, which define platform-independent technical security requirements. This document references the following four sections from ISO/IEC 27002:2005 “Information technology Security techniques - Code of practice for information security management”: Communications and operations management Access control Information systems acquisition, development and maintenance Compliance Security requirements are determined by both government and industry, and are published both internally and to the public. The requirements in this document may reflect advances in knowledge since the publication of the ISO/IEC code of practice, and must be implemented unless exigent business or functional requirements preclude doing so, and exemptions are approved. 2.1. Background and Rationale The GO-ITS 25 Security Standards describe parameters, features, or configurations that define the context-specific requirements. The implementing business unit may choose the appropriate method to satisfy the standard, as long as the security objective of the standard is met or exceeded. The GO-ITS 25 documents will be reviewed on an ongoing basis to take into account the evolution of security and other related technologies. Changes or additions to the GO-ITS 25 Security Standards will be established in writing and communicated to all appropriate personnel. It is intended that context-specific, step-by-step implementation procedures will be derived from the GO-ITS 25 Security Standards by business units. These specific procedures may be influenced by requirements arising from any or all of the following: Threat and Risk Assessments (TRA); Privacy Impact Assessments (PIA); Security Testing and Evaluation (STE) (Vulnerability Assessments [VA], Penetration Testing, Code Review, etc.); Provincial Privacy laws. (FIPPA, MFIPPA, PHIPA); and Federal Privacy laws. (Privacy Act, PIPEDA). 2.2. Target Audience The target audience for this document includes, but is not limited to: TRA and PIA analysts Internal auditors Developers Technical implementers Procurement staff Program managers GO-ITS 25.0 General Security Requirements Page 6 of 40 Sensitivity: Unclassified Approved Version #: 1.2 2.3. Scope 2.3.1.In Scope GO-ITS 25 Security requirements apply to all vendors, ministries, former Schedule I and IV agencies, and third parties (including any information technology system or network that processes ministry and agency information) under contract to the Ontario government unless exempted in a Memorandum of Understanding. The scope of this document is to provide a working set of general requirements that provide guidance and direction with regards to information security. Its primary focus is on the integrity of the infrastructure and processes required for delivering applications and services throughout the various Ontario government networks and environments. Additional documents in this series will cover more specific themes and requirements, and it is recommended that they be consulted for more specific guidance. 2.3.2.Out of Scope This document has no specific out of scope requirements associated with it. It is intended as a baseline for all Government of Ontario I&IT projects and services. 2.4. Applicability Statements 2.4.1.Organization All ministries and clusters are subject to Government of Ontario IT Standards. All adjudicative and advisory agencies are subject to Government of Ontario IT Standards. All other agencies that are using OPS information and information technology products or services are required to comply with Government of Ontario IT standards if they are subject to the Management and Use of I&IT Directive OR Government of Ontario IT Standards by Memorandum of Understanding. As new GO IT standards are approved, they are deemed mandatory on a go-forward basis (Go-forward basis means at the next available project development or procurement opportunity). When implementing or adopting any Government of Ontario IT standards or IT standards updates, ministries, I&IT Clusters and applicable agencies must follow their organization's pre-approved policies and practices for ensuring that adequate change control, change management and risk mitigation mechanisms are in place and employed. For the purposes of this document, any reference to ministries or the Government includes applicable agencies. 2.4.2.Other Applicability Interconnected computer systems and networks are necessary for Government operations, and the actions of one organizational element can influence the security of another. Changes to a computer-based environment in one ministry or cluster may affect the environment in another ministry or cluster. Therefore the measurement of risk must be based on an “enterprise-wide” evaluation, and include input and representation from a number of sources. These considerations make it mandatory that every Ontario public service employee complies with security requirements. Details on responsibilities for members of the Ontario Public Service are outlined in the Corporate Policy on Information and Information Technology (I&IT) Security and the Information and the Acceptable Use of I&IT Resources Policy. Additionally, given the existence of Alternative Service Delivery (ASD) methods, security requirements and procedures must also form part of any contract or agreement affecting the GO-ITS 25.0 General Security Requirements Page 7 of 40 Sensitivity: Unclassified Approved Version #: 1.2 computer-based environments of the Ontario government, and will apply with equal force to third party contractors (and sub-contractors) as to Ontario government employees. 2.4.3.Terms Within this document, certain wording conventions are followed. There are precise requirements and obligations associated with the following terms: Must Should The requirement is mandatory. Without it, the system is not considered secure. The requirement ought to be adhered to, unless exigent business needs dictate otherwise and the full implications of non-compliance are understood. All exceptions are to be documented and approved in writing by management, identifying the rationale for the exception to standard practice. 2.5. Roles and Responsibilities 2.5.1.Contact Information Provide the following information: Accountable Role (Standard Owner) Definition The individual or committee ultimately accountable for the process of developing this standard. Where a committee owns the standard, the committee Chair is accountable for developing the standard including future updates. There must be exactly one accountable role identified. The accountable person also signs off as the initial approver of the proposed standard before it is submitted for formal endorsement to Architecture Review Board (ARB) and approval by ITELC. (Note: in the OPS this role is normally at the IT executive or manager level). Accountable Role: Title: Manager, Security Policy and Administration Ministry/Cluster: MGS Division: OCCIO Responsible Role Definition The organization(s) responsible for the development of this standard. There may be more than one responsible organization identified if it is a partnership/joint effort. (Note: the responsible organization(s) provides the resource(s) to develop the standard). Responsible Organization(s): Ministry/Cluster: Ministry of Government Services Division: OCCIO Branch: Corporate Security Branch Support Role Definition The support role is the resource(s) to whom the responsibility for actually completing the work and developing the standard has been assigned. If there is more than one support role, the first role identified should be that of the editor – the resource responsible for coordinating the overall effort. Support Role (Editor): Ministry/Cluster: Ministry of Government Services Division: OCCIO Branch: Corporate Security Branch Section: Policy and Administration GO-ITS 25.0 General Security Requirements Page 8 of 40 Sensitivity: Unclassified Approved Version #: 1.2 Job Title: Senior Security Policy Advisor Name: Tim Dafoe Phone: (416) 327-1260 Email: tim.dafoe@ontario.ca The above individual will be contacted by the Innovation Controllership and Strategy (ICS) division, once a year, or as required, to discuss and determine potential changes and/or updates to the standard (including version upgrades and/or whether the standard is still relevant and current). 3. Technical Specification The following requirements apply to all I&IT assets and operations within the scope of the Management and Use of Information & Information Technology (I&IT) Directive. 3.1. Operational procedures and responsibilities Responsibilities and procedures for the management and operation of all information systems should be established. This includes the development of appropriate operating instructions and incident response procedures. 3.1.1.Access control procedures Management of user access and privileges must be conducted in a comprehensive manner to ensure that only those users and operations staff with formal authorization from system owners can access associated data and services. The following requirements must be addressed within access control procedures: a) Segregation of duties and least privilege principles must be implemented to reduce the risk of external intrusion and negligent or deliberate system misuse within the organization; b) System roles and duties must be assigned to individual and accountable users, and the use of shared or role accounts for any purpose must be avoided; c) Access must only be provided after formal authorization is granted, via unique identifiers and credentials, with formal records documenting the provision of access; d) Access assignment and revocation must be formally documented, with procedures for periodic validation (e.g., frequent and routine searches for redundant or duplicate entries in access control databases) to ensure only authorized users maintain access to the system, and to ensure access will be revoked if the duties of the associated user change such that access is no longer required; e) Elevated privileges (i.e., those typically used for system administration, user account administration, or content management) must be assigned to accounts not used for routine access, granted on a strict least privilege basis, with assignment subject to more frequent routine review (to ensure only authorized users are granted such privileges due to an ongoing business requirement); and f) Management of user access and privileges must be conducted in a comprehensive manner to ensure that only those users and operations staff with formal authorization from system owners can access associated data and services. 3.1.2.Access control systems The following operational requirements must be addressed by access control systems: GO-ITS 25.0 General Security Requirements Page 9 of 40 Sensitivity: Unclassified Approved Version #: 1.2 a) Access control systems must be centrally deployed and managed; b) The design and operation of centralized access control systems must include resilience and redundancy to reduce impact if failures occur; c) Access must be granted only after authorization and authentication procedures are complete, and a successful result has been returned for the credentials presented and/or the initiated session; d) Access control systems must support documented business and security requirements (e.g., the rationale for deploying the access control system); e) Access control systems must be managed such that all authorized users of the system (and the roles, rules and/or privileges associated with their accounts or credentials) are individually authorized by the relevant, responsible program manager (with documentation); f) Access control systems must be managed such that authorized user accounts or credentials that are no longer in use, or no longer required (e.g., due to a change in employee role) are identified and removed with 24 hours of notification; g) Expired entries in access control databases must not be assigned to new users (to prevent expired privileges being provided to users who do not require them); h) In instances where passwords are assigned, password management techniques must be consistent with the direction described in GO-ITS 25.15 Security Requirements for Password Management and Use; i) Elevated privileges must be assigned on a “need for use” basis (or per event), such that these privileges are not provided for an unnecessary duration; j) Log and audit information associated with elevated privileges must be subject to more frequent review; k) The robustness (e.g., the degree of identity assurance associated with credentials, and/or the number of authentication factors required as credentials) for a given access control system should be increased if sensitive information is to be processed or stored; l) Access control systems should be managed in a manner that requires authorized users to be provided with a written statement of the access rights and responsibilities for the system; and m) Access control systems should be managed in a manner that requires authorized users to sign a use agreement that indicates their acceptance of disclosed access rights and responsibilities. Additional, situation-specific access control guidance is provided throughout this document. Other GO-ITS 25 standards should be also consulted for technology-specific advice. 3.1.3.Documented operating procedures System operating procedures should be documented and maintained. Operating procedures should be treated as formal documents. Revisions to operating procedures must be reviewed and approved by management. The procedures should specify all system operation instructions including the following: a) Processing and handling of information; b) Scheduling requirements, including interdependencies with other systems, and mandatory start/stop times for system work, maintenance windows, or changes, if applicable; GO-ITS 25.0 General Security Requirements Page 10 of 40 Sensitivity: Unclassified Approved Version #: 1.2 c) Instructions for handling errors or other exceptional conditions including restrictions on the use of system privileges and utilities; d) Support contacts in the event of unexpected operational or technical difficulties; e) Special output handling instructions, such as the use of special stationery or the management of confidential output, including procedures for secure disposal of equipment and/or data; and f) System contingency, restart and recovery procedures for use in the event of system failure. Documented procedures should also be prepared for system administration activities associated with information processing and communication facilities, such as boot and halt procedures, back-up, equipment maintenance, data centre procedures, and mail handling management/safety. 3.1.4.Operational change control Changes to information processing facilities and systems must be controlled. Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Formal management responsibilities, policies, and procedures should be in place to ensure satisfactory control of all changes to equipment, software or procedures. Operational programs should be subject to strict change control. When programs are changed, an audit log containing all relevant information should be retained. Changes to the operational environment can impact applications. Wherever possible, operational and application change control procedures should be integrated; these procedures should address all requirements described in GO-ITS 35 OPS Enterprise Change Management. All changes, however minimal, have a measurable impact on both the systems being changed, and adjacent systems that interact or share resources with the system being changed. Change control processes are intended to reflect this reality, and must manage the lifecycle of a system, from planning, through implementation and management, to removal and disposal. The administrator of the system must be responsible for ensuring that change control records are accurately and promptly filed. Change control must detail system changes, and how changes affect the enforcement of security policy. Changes must be reviewed to ensure that the security posture of the changed environment has not been reduced in robustness or effect. Changes may increase the relative complexity of an environment, and increase the demands on security components. To ensure security, the following must be detailed during change control: a) b) c) d) e) f) g) h) i) System composition and configuration (hardware, software, etc.); Practices and procedures; Confidentiality, availability, and integrity requirements of existing systems and data; Identification and authentication mechanisms, assigned privileges, and credentials; Monitoring of, response to, and recovery from events, and review of related procedures; Planning, implementation, management, review and audit of systems and procedures; Resource utilisation, particularly as it affects adjacent systems; Required changes to existing Service Level Agreements (SLAs); and Required changes to agreements, contracts, or licences. GO-ITS 25.0 General Security Requirements Page 11 of 40 Sensitivity: Unclassified Approved Version #: 1.2 The change approval procedure must include security oversight, as well as approvals from managers of both the systems requesting change, and systems affected by the change. Security Testing and Evaluation (STE), such as a vulnerability assessment (VA) and/or penetration test, should be performed against production environments prior to being returned to operations to verify that any changes made have not compromised the intended level of security. This holds true especially in the event of a significant change to hardware, software, or configuration. Procedures must exist for retroactively documenting an unscheduled, but unavoidable change (e.g., in response to an emergency discovery of vulnerability, or patch release). These procedures must include a definition of what constitutes a reasonable exception to the proactive change control procedures. For significant changes (e.g., replacement, removal, or addition of a system) a vulnerability assessment and/or penetration test must be performed to re-validate the security of the system, prior to that system returning to production use. Changes must be tested to confirm that the change was successful, and that the security posture of the environment was not weakened. Roll back procedures must exist for reversing unsuccessful changes. 3.1.5.Incident management procedures Incident management responsibilities and procedures must be established to ensure a quick, effective and orderly response to security incidents. Incident response and management must comply with the requirements described in GO-ITS 37 Incident Management. To prepare for security events and incidents, the following controls must be implemented: a) Procedures should be established to cover all potential types of security incidents, including: 1) Information system failures or critical errors; 2) Denial of service, or other loss of availability; 3) Errors resulting from incomplete or inaccurate business data; 4) Breaches of confidentiality; and 5) Unauthorized use, access, change, or other loss of integrity. b) In addition to normal contingency plans (designed to recover systems or services as quickly as possible) the procedures should also cover: 1) Analysis and identification of the cause of the incident; 2) Planning and implementation of remedies to prevent recurrence, if necessary; 3) Collection of audit trails and similar evidence, with documented chain of custody; 4) Communication with those affected by or involved with recovery from the incident; and 5) Reporting the action to the appropriate authority. c) Audit trails and similar evidence should be collected and secured by qualified professionals, as appropriate, for: 1) Internal problem analysis; 2) Use as evidence in relation to a potential breach of contract, breach of regulatory requirement or in the event of civil or criminal proceedings; and 3) Negotiating for compensation from software and service suppliers. GO-ITS 25.0 General Security Requirements Page 12 of 40 Sensitivity: Unclassified Approved Version #: 1.2 d) Action taken to recover from security breaches and correct system failures should be carefully and formally controlled. The procedures should ensure that: 1) Only clearly identified and authorized staff are allowed access to live systems and data; 2) All emergency and/or forensic actions taken are documented in detail; 3) Emergency action is reported to management and reviewed in an orderly manner; and 4) The integrity of business systems and controls is confirmed with minimal delay. A document detailing responses to anomalous events, with response measures corresponding to the frequency or severity of the event must exist. Response measures must be practiced and the results of such exercises reviewed to evaluate the effectiveness of the measures. Examples of events with security implications that must be detailed include but are not limited to the following: a) Denied connection or transaction attempts based on incorrect data or conditions, including: 1. User ID or password failure; 2. Client certificate; 3. Challenge/response; 4. Time of day; 5. Source/client location; and 6. Violation of connection rules. b) Patterns of activity which may not have been denied, but which are suspicious: 1. Anomalous connection behaviour with multiple invalid user IDs; 2. Anomalous connection behaviour with a valid user ID (frequency, concurrency, time and date, widely varying location, multiple access from disparate locations and/or hardware IDs, etc.); and 3. Sequential or random anonymous connection attempts (port/service, network address, etc.). Responses to suspected intrusions, or persistent intrusion attempts, must include an attempt to determine whether a compromise has occurred, and help to deter future intrusion attempts. These measures must include, but are not limited to, the following (as appropriate): a) Limiting or denying access, based on source or location of connection attempts; b) Changing network connection mechanisms, telephone numbers, or other means of access; c) Locking accounts; d) Auditing accounts for: 1. Inactivity; 2. Unauthorized creation; 3. Weak passwords; 4. Inappropriate permissions; 5. Administrative privilege activity; and 6. Expired or revoked access. GO-ITS 25.0 General Security Requirements Page 13 of 40 Sensitivity: Unclassified Approved Version #: 1.2 Systems involved in a security incident must be removed from the network if it is determined that they are adversely affecting, propagating problems of some type to, or jeopardizing the security of, other systems or data. Systems involved in incidents must not be turned off without consultation with the responsible security authority for the group and/or Ministry involved. If they have been shut down, for whatever reason, they must not be started again, and administration of the system must be turned over to the relevant security operations group and/or appropriate CSB analysts. Security administrators and forensic analysts may power the system on under controlled circumstances to capture and record system state information. Precautions must be taken to safeguard any sensitive information on devices under forensic review. Incident response procedures for incidents involving specific systems should include the following: a) Limiting or denying access, based on source or location of connection attempts; b) A single point of contact to co-ordinate handling of the incident, and a backup in case they cannot be reached; c) A contact escalation chain, with milestones or times at which an event must be escalated; d) Backup contacts for each point in the escalation chain; e) A response checklist with room for comments; and f) Post-event review and revision of procedures, based on exceptions to the prepared plan. There must also be procedures for secure handling, and preservation, of an evidence trail (with documented chain of custody) for: a) b) c) d) Client activity or requests (both allowed and denied); Server configuration changes and/or administrator login and use of privilege; System activity; and Interpreted events as reported by Intrusion Detection/Prevention Systems. 3.1.6.Segregation of duties Duties and areas of responsibility must be segregated in order to reduce opportunities for unauthorized access, modification, or other misuse of information or services. Small organizations may find this method of control difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision must be implemented. It is important that security audit remains independent. The initiation of an event should be separated from its authorization. If the ability of a single individual to perpetrate theft or fraud in their area of responsibility without being detected is controlled, collusion is forced. An audit mechanism should be used to detect collusion attempts. The following controls must be implemented: a) Roles or duties required to enable unauthorized access, theft, or fraud must be segregated; GO-ITS 25.0 General Security Requirements Page 14 of 40 Sensitivity: Unclassified Approved Version #: 1.2 b) Basic separation of duties requires a minimum of two roles (e.g., separate actors for raising a purchase order and verifying that the goods have been received, or authorizing cheques and having physical access to cheque printing equipment); and c) If there is a documented high danger of theft or fraud, and a high impact associated with successful collusion, processes and controls must be devised such that three or more actors need be involved to satisfy unique roles. To satisfy the requirement that the duties of administration and configuration be separated, there should be segregation between the administrator of the operation of the system, the administrator of the configuration of the system (if the system supports such a distinction), and all administrators of external support applications (e.g., PKI, IDS, IPS, firewalls, etc.). Different staff members must hold these accounts. Applications running persistently (i.e., as services) must be configured to run under their own accounts and privileges, where possible. Permissions on application accounts must be at least as restrictive as those on user accounts, denying access by default, and allowing file or resource access only as required. 3.1.7.Separation of development and operational facilities Development and testing facilities must be physically (not logically or virtually) separated from operational facilities when data confidentiality is at a high sensitivity level, or due to other estimated criticality factors (e.g., documented integrity or availability concerns, or due to reasons of sensitive data aggregation). Other sensitivity levels must provide logical isolation as a minimum requirement. Rules for the transfer of software from development to operational status should be defined and documented. Development and test activities can cause serious problems, including unwanted modification of files or the system environment, disclosure of confidential information, or system failure. A strong degree of separation is necessary between operational, test and development environments to prevent operational problems. A similar separation should also be implemented between development and test functions, to maintain a stable control environment in which to perform meaningful tests and to prevent inappropriate developer access during testing. Mutual separation of development, test and operational facilities will reduce the risk of accidental change, unauthorized access to operational software and business data, and interference with the quality of testing. If development or test staff have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems this capability could be misused to commit fraud, or introduce untested or malicious code. Untested and/or malicious code can result in serious security and operational problems. Developers and testers can pose potential threat to the confidentiality of operational information. Development and testing activities may cause unintended changes to software and information if they share the same computing environment. The following controls should be implemented: a) Development, test, and operational software should be run on different computer equipment (e.g., separate memory, processor, bus, etc.), and must be, in the case of high sensitivity data or requirements for a high degree of integrity or availability. A virtual environment (one employing logical components to enforce separation) does not fully meet these criteria; GO-ITS 25.0 General Security Requirements Page 15 of 40 Sensitivity: Unclassified Approved Version #: 1.2 b) Development and testing activities should be reliably separated from production operations, and physical segregation (not logical or virtual) must be employed in instances of high sensitivity data processing and/or storage; c) Compilers, source code, editors and other system utilities should not be accessible from operational systems when not required; d) Different authentication procedures and credentials should be used for operational and test systems, to reduce the risk of error and/or loss of credentials. Users must use different passwords for these systems, and menus should display appropriate identification messages; and e) Development staff must only have access to operational passwords where required for support purposes. Controls should ensure that such passwords are changed after use or when such support is no longer required. Changes to systems must be validated in a test environment with the same services as those in production. Changes must be tested against existing services, existing security mechanisms, and current server and client connection mechanisms. Testing must be done within isolated networks, using anonymous and depersonalized data taken from the production environment or random information. If data cannot be effectively made anonymous and depersonalized, the test environment must be protected using the same measures as are used to protect the production environment. In general, personal information should not be introduced to any test or development environment. Isolated network environments must be within a physically secure location to prevent against observation of, or interference with, test systems. Clients or systems accessing the test environment must not be able to access a production environment, so as to avoid potentially damaging communication (be it intentional or otherwise) between test and production environments, or operator confusion during administration. Test systems must have all data securely removed before being relinquished for other use. The data must be securely removed as described in the Operating Procedures for Disposal, Loss and Incident Reporting of Computerized Devices. Systems must not be migrated directly from development to production environments. Production components must be “built from scratch”, based on the system assembly instructions compiled in the test environment (e.g., the “build book”). 3.1.8.External facilities management The use of an external contractor to manage information systems may introduce potential security exposures, such as the possibility of compromise, damage, or loss of data at the contractor’s site. Prior to using external facilities management services, the risks must be identified and appropriate controls agreed to with the contractor, and incorporated into any agreements. Particular issues that should be addressed include: a) b) c) d) e) Identifying sensitive or critical applications better retained in-house; Obtaining the approval of business application owners; Identifying implications for business continuity plans; Specifying security standards, and the process for measuring compliance; Allocation of specific responsibilities and procedures to monitor all relevant security activities in an effective manner; GO-ITS 25.0 General Security Requirements Page 16 of 40 Sensitivity: Unclassified Approved Version #: 1.2 f) Definition and documentation of responsibilities and procedures for reporting and handling security incidents; g) Protecting personal information and sensitive data from unauthorized access; and h) Privacy breach notification according to Government of Ontario direction and/or requirements. External parties who are managing facilities on behalf of the Government of Ontario must agree to: a) Be bound by the principles, requirements, and best practices under which the Government of Ontario operates, including GO-ITS and Information Security and Privacy Classification (ISPC) Policy requirements; b) Periodically audited by a third party, one approved by the Government of Ontario, to confirm adherence to those principles, requirements, and best practices; and c) Oblige other customers and business partners via agreements to adhere to practices that are as, or more, secure than Government of Ontario’s in circumstances where they may influence the security of Government of Ontario I&IT operations. Liabilities and recourse due to failure to comply with these requirements must be specified in advance. Circumstances under which mutual obligations must be stipulated include, but are not limited to: a) b) c) d) e) 3.2. Service outage; Perimeter breach and/or unauthorized release of sensitive data; Privacy breach and/or unauthorized disclosure of personal information; Failure to follow documented procedures; and Third-party certification of external facilities, with respect to agreed service levels. System planning and acceptance Advance planning and preparation are required to ensure the availability of adequate capacity and resources to minimize the risk of systems failure. The operational, functional, and non-functional requirements of new systems should be established, documented and tested prior to their acceptance and use. 3.2.1.Capacity planning Capacity demands must be monitored and projections of future capacity requirements made to ensure that resources such as adequate processing power, network capacity, and storage are available. These projections should take account of new business and system requirements and current and projected trends in the organization’s information processing needs. Mainframe computers require particular attention because of the much greater cost and lead time required for procurement of new capacity. Managers of mainframe services should monitor the utilisation of key system resources, including processors, main storage, file storage, printers and other output devices, and communications systems. Trends in system use should be identified. Managers should use trend information to identify and avoid potential bottlenecks that might present a threat to system security or user services, and plan appropriate remedial action. GO-ITS 25.0 General Security Requirements Page 17 of 40 Sensitivity: Unclassified Approved Version #: 1.2 Capacity planning must take into account the demands of providing functionality, and the requirement to maintain accurate activity records, under both typical and peak loads. To ensure security is enforced in capacity planning, all specified access control systems must: a) Fail over to a high security or access denied state in the event of critical resource (e.g., CPU, bandwidth, etc.) shortage; b) Record authorization and/or authentication events, both failed and successful; and c) Properly manage the authentication of users throughout the performance of functions such as stateful or stateless session management. Consideration must be given to the length of time required to acquire additional components as per vendor availability. Larger and more complex systems generally incur an increased lead-time for resource procurement. Enough lead-time should be taken to acquire additional resources, if projections indicate an increase in traffic volume. Business and mission critical systems must not be deployed such that they represent a single point of failure. Fail-over capacity must be designed into these systems, minimally providing an ‘N+1’ architecture (where ‘N+1’ dictates that there must always be one more than the bare minimum number of components necessary to deliver a functional system). 3.2.2.System acceptance Acceptance criteria for new information systems, upgrades and new versions must be established and suitable tests of the system carried out prior to acceptance. System owners and program managers should ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented and tested. The following controls should be considered when planning an acceptance strategy: a) b) c) d) e) f) g) Performance and computing capacity requirements; Error recovery and restart procedures, and contingency plans; Preparation and testing of routine operating procedures to defined standards; Agreed set of security controls in place; Effective manual procedures; Business continuity arrangements, as required; Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end; h) Evidence that consideration has been given to the effect the new system has on the overall security of the organization; and i) Training in the operation or use of new systems. For major projects, the operations function and users should be consulted at all stages in the development process to ensure the operational efficiency of the proposed system design. Appropriate tests should be carried out to confirm that all acceptance criteria are fully satisfied. Prior to deployment, new systems must be evaluated to ensure that business and security requirements have been met. Systems must be subject to Security Testing and Evaluation (STE) methods geared to the sensitivity level of processing prior to being accepted for production use. In critical instances, systems should be subjected to external assessment via a third-party expert group in Security Testing and Evaluation prior to initial deployment, and whenever major changes have been made to the system configuration or composition. GO-ITS 25.0 General Security Requirements Page 18 of 40 Sensitivity: Unclassified Approved Version #: 1.2 3.3. Protection against malicious software Controls are required to prevent and detect the introduction of malicious software to the environment. Software and information processing facilities are vulnerable to the introduction of malicious software. Users should be made aware of the dangers of unauthorized or malicious software, and managers should, where appropriate, introduce special controls to detect or prevent its introduction. 3.3.1.Controls against malicious software Detection and prevention controls to protect against malicious software and appropriate user awareness procedures must be implemented. Protection against malicious software should be based on security awareness, appropriate system access and change management controls. All systems must employ controls to protect against malicious code. The following controls should be considered when planning a strategy for malicious code control: a) Formal procedures requiring compliance with software licenses and prohibiting the use of unauthorized software; b) Formal procedures to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken; c) Installation and regular update of anti-virus detection and repair software to scan computers and media either as a precautionary control or on a routine basis for certain types of malicious code; d) Conducting regular software review for systems supporting critical business processes. The presence of any unapproved files or unauthorized software should be formally investigated; e) Checking any files on electronic media of uncertain or unauthorized origin, or files received over unknown networks, for malicious software, prior to use; f) Checking any electronic mail attachments and downloads for malicious software before use. This check may be carried out at different places (e.g., at electronic mail servers, desktop computers or when joining the network of the organization); g) Management procedures and responsibilities to deal with virus protection on systems, training in their use, reporting and recovering from attacks; h) Appropriate business continuity plans for recovering from attacks, including all necessary data and software back-up and recovery arrangements; and i) Procedures to verify all information relating to malicious software, and ensure that warning bulletins are accurate and informative. Managers should ensure that qualified sources of information are used to differentiate between hoaxes and real incidents. Staff should be made aware of the problem of hoaxes and what to do on receipt of them. In addition all users should be made familiar with their obligations under the published Guidelines for Acceptable Use of I&IT Resources Policy. Malicious code may be present as executable or interpretable scripts, shell code, or program commands in files, e-mail or web content. All of these should be checked and verified against known signatures of malicious code. Attack signatures must be monitored on a daily basis and updated immediately upon release for detection functions to remain effective. In addition: a) The installation of software must be restricted to administrative staff; GO-ITS 25.0 General Security Requirements Page 19 of 40 Sensitivity: Unclassified Approved Version #: 1.2 b) Anti-virus software must be installed, operated, and updated regularly for both clients and servers, as appropriate; and c) Firewall devices or software must manage and limit both incoming and outgoing network connections to a pre-defined spectrum of approved connections, services and applications. Software updates must only be downloaded from authoritative sites; cryptographic signatures or certificates of origin for the software must be provided by the vendor, and must be confirmed to be accurate prior to installation. Patch management operations must comply with the requirements described in GO-ITS 42 Operating Procedure for Patch Management. 3.4. System administration Routine procedures should be established for carrying out an approved back-up strategy, taking back-up copies of data and rehearsing their timely restoration, logging events and faults and, where appropriate, monitoring the equipment environment to maintain the integrity and availability of information processing and communication services. 3.4.1.Information back-up Back-up copies of essential business information and software must be taken regularly. Adequate back-up facilities should be provided to ensure that all essential business information and software could be recovered following a disaster or media failure. Back-up arrangements for individual systems should be regularly tested to ensure that they meet the requirements of business continuity plans. The following controls should be considered: a) A minimum level of back-up information, together with accurate and complete records of the back-up copies and documented restoration procedures, should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. At least three generations or cycles of back-up information should be retained for critical business applications; b) Back-up information should be given an appropriate level of physical and environmental protection consistent with the standards applied at the main site. The controls applied to media at the main site should be extended to cover the back-up site; c) Back-up media should be regularly tested, where practicable, to ensure that they can be relied upon for emergency use when necessary; d) Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery; e) The retention period for the back-up media should be determined; and f) Information from systems processing high sensitivity information, or data sets that by nature of inherent confidentiality or aggregation constitute high sensitivity information (as defined by the ISPC Policy), must be encrypted using approved methods for the purposes of back-up. The frequency of data backups must be based upon availability requirements, as defined by the business case for the system. Storage must take place in a secure off-site facility, and system restoration procedures must be tested regularly. Configuration of systems must be stored offline, such that they may not be viewed, copied, or modified by unauthorized staff. GO-ITS 25.0 General Security Requirements Page 20 of 40 Sensitivity: Unclassified Approved Version #: 1.2 3.4.2.Activity logging The activities and events on a system must be logged and archived for the purpose of routine monitoring and audit. Operator, system, and audit logs must be stored on a centralized, secure log server. These logs must include, as a minimum requirement: a) b) c) d) e) f) g) h) i) System start and halt times; System errors and any corrective action taken in response; Confirmation of the correct boot procedure, and handling of data and output; The identity of the individual invoking commands or functions resulting in a log entry; The timestamps associated with the beginning and end of any user or operator session; The issuance and use of privilege if granted; Errors and related messages associated with user or operator activities; Connections and session initiations related to user or operator access to the system; The origin of user or operator sessions, be this an indication of node, terminal, client, or other mode of specifying session origin, if the session is not conducted from the system console; j) Changes to system mode, run level, or security context where applicable; and k) A timestamp indicating when the log entry was generated by the system, with system time synchronized to a redundant and validated time source. System logs must also be generated to capture output resulting from automated processes. Specific details of files accessed or modified should be recorded in the audit logs, where applicable and given the configuration of the system. 3.4.3.Fault logging Faults must be reported and corrective action taken. Faults reported by users regarding problems with information processing or communications systems should be logged. There should be clear rules for handling reported faults including: a) Review of fault logs to ensure that faults have been satisfactorily resolved; and b) Review of corrective measures to ensure that controls have not been compromised, and that the action taken is fully authorized. The following measures should be taken, depending on the frequency and nature of the faults, once detected: a) Monitoring of all network interfaces should increase in detail; b) Monitoring of servers and services should increase in detail; and c) Escalate the event and notify support/security staff, as dictated by relevant incident response procedures. In the event of a critical system fault, the administrative contact for the system must be notified, and provided with the following information: a) b) c) d) User or system ID associated with the fault; Operator name; Date and time fault occurred; Description of fault; GO-ITS 25.0 General Security Requirements Page 21 of 40 Sensitivity: Unclassified Approved Version #: 1.2 e) Description of actions that caused fault (if possible); and f) Description of responsive action taken (if any). If it is determined that the fault is security related, the incident must be escalated to the security contact for the system. Escalation and incident response processes should reference the requirements expressed in GO-ITS 37 Incident Management. Fault logs are intended to track systems errors that occur during normal system operation. They may also indicate an attack on the system, the network, or adjacent systems. Logging must include, but is not limited to, the following events: a) b) c) d) e) f) g) Device errors and status messages; File or other resource access failures; Licensing activities; Authentication failures; Session duration; New device detection; Network connection activities (e.g., host up/down, connectivity problems, changes involving network interfaces, or the system hardware/network addresses, etc.); h) Operator activities (e.g., backups, restores, rollback, etc.); i) Remote connections to/from the system; j) Any security alerts not captured by operator, system, or audit logs); k) System or application error messages; l) Use of privileged commands, and/or attempts to invoke a privileged mode or alter system mode, security context, or run level; and m) User logons. 3.5. Network management The security management of networks that span organizational boundaries requires attention. Additional controls should be implemented to protect sensitive data passing over public networks and the supporting infrastructure. Network managers must implement controls to ensure the security of data in networks, and the protection of connected services from unauthorized access. In particular, the following controls should be implemented: 3.5.1.Management: a) Operational responsibility for networks should be separated from computer operations where appropriate; b) Responsibilities and procedures for the management of remote equipment, including equipment in user areas, should be established; c) If necessary, special controls should be established to safeguard the confidentiality and integrity of data passing over public networks, and to protect the connected systems. Special controls may also be required to maintain the availability of the network services and computers connected; d) Management activities should be closely co-ordinated both to optimize the service to the business and to ensure that controls are consistently applied across the infrastructure; GO-ITS 25.0 General Security Requirements Page 22 of 40 Sensitivity: Unclassified Approved Version #: 1.2 e) Logical or virtual network segmentation must not be used as a primary safeguard in environments where high sensitivity processing is performed and/or threats have been identified via a TRA; f) Security Zones must be employed to separate operations on the network, such as the components or layers of an application. The boundaries between such zones must be physical and robust in nature (discrete hardware instances, not logically or virtually enforced): 1) Where high sensitivity data is processed or stored; 2) Where a TRA identified a requirement for high levels of integrity and/or availability; and 3) Where the boundary is considered to be an external perimeter; g) Discrete hardware implementations of Security Zones should leverage multiple platforms to increase the technical difficulty of subverting defence in depth controls; and h) All hardware network components of logically or virtually enforced implementations of Security Zones must be managed as security or policy enforcement devices, with a commensurate degree of rigour in operation and change control. 3.5.2.Identification and authentication a) Authentication requests must be denied by default, and permitted only upon presentation of the proper combination of password and/or credentials, and user ID. 3.5.3.Privileges and parameters a) Assignment of access rights must be limited, based on use cases, and granted according to the principle of least privilege. 3.5.4.Confidentiality, integrity, availability, and non-repudiation a) Sensitive communications must be protected from malicious observation or modification; b) System technologies from different vendors must integrate so as to not cause an aggregate reduction in the efficacy of combined security features; c) Operating systems of clients and servers must be hardened, as per approved Corporate Security recommendations and relevant build books; d) All access must default to ‘prohibited’, and all ports must default to ‘closed’, upon poweron or warm reset of network equipment; e) Firewalls that employ enterprise-grade stateful layer three designs for control must be used to enforce network policy by forwarding only pre-approved connections; f) Systems must be placed between firewalls (as described above) in a DMZ network segment, to protect them from internal and external threats; and g) Networks with physical media that cannot be effectively managed, or is public, must employ additional confidentiality and integrity safeguards. 3.5.5.Monitoring, response, recovery, and review a) Network traffic must be monitored and analysed by an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS); b) Incident response procedures must exist, and be practised, in anticipation of hostile network events; c) Business Continuity Management must be exercised, to ensure that network resources are available during, and restored as quickly as possible after, a hostile event; GO-ITS 25.0 General Security Requirements Page 23 of 40 Sensitivity: Unclassified Approved Version #: 1.2 d) Processes and procedures for dealing with hostile events must be reviewed after practice or exercise, and must be updated to reflect lessons learned; and e) Interactive network activity from client systems must be reliably associated with a specific user account at any given time. 3.5.6.Planning, implementation, management, review and audit a) Proposed systems must have their security measures validated via testing and evaluation, prior to implementation in a production environment; b) Changes may not be made to proposed plans during implementation, without approval of the project owner and the security team; c) Documentation must be updated to include exceptions made during implementation to proposed designs; d) Remote access to systems must be securely managed as described in relevant GO-ITS 25 series documents; e) A change control process must manage requests for a change in, or granting of, access; f) Users must be educated as to what security mechanisms exist, the reasons for their use, and the requirements for compliance with those mechanisms; and g) Security mechanisms must periodically be reviewed, to validate the sufficiency of their protection in the context of current intrusion techniques and technology. Security mechanisms must periodically be audited to ensure that they are functioning as designed, as safeguard efficacy is required if they are to reduce risk. 3.6. Media handling and security The management of removable computer media, such as tapes, disks, cassettes and printed reports must be controlled and physically protected to prevent damage to assets and interruption of business activities. Media must be disposed of securely and safely in accordance with ISPC Policy requirements when no longer required. Sensitive information may be inadvertently disclosed to unauthorized persons through careless disposal of media, causing harm to the Government or citizens. 3.6.1.Management of removable computer media Appropriate operating procedures must be established to protect documents, computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft and unauthorized access. a) If no longer required, the previous contents of any re-usable media that are to be removed from the organization should be erased permanently and completely using secure methods; b) Authorization should be required for all media removed from the organization and a record of all such removals to maintain an audit trail should be kept; c) All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications; and d) All procedures and authorization levels should be clearly documented. Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) components should not be equipped with removable media devices. If a removable media device is required as part of installation, it should be removed (if possible) once the installation is complete. This reduces the GO-ITS 25.0 General Security Requirements Page 24 of 40 Sensitivity: Unclassified Approved Version #: 1.2 possibility that the system could be easily booted via removable media (floppy, CD, etc.) and compromised. This also reduces the likelihood that staff with physical access to systems will remove data without authorization. Removable media must be stored according to the environmental requirements of the media, and must be stored such that only staff authorized to perform backup and recovery of data have access to the media. Accountability for media must be enforced before, during, and after use. 3.6.2.Information handling procedures All Government of Ontario information must be classified and handled according to ISPC Policy requirements, to protect I&IT assets from unauthorized disclosure or misuse. Processes for handling data related to documents, computing systems, networks, mobile computing, mobile communications, mail, voice mail, voice communications, multimedia, postal services or facilities, use of fax machines and any other sensitive items (e.g. blank cheques, blank card stock, or invoices) must be consistent with asset classification and adhere to ISPC policy. The following controls must be implemented: a) b) c) d) Labelling of all media, in accordance with ISPC Policy requirements; Access restrictions, badge procedure, etc. to identify unauthorized personnel; Maintenance of a formal record of the authorized recipients of high sensitivity data; Ensuring that input data is complete, that processing is properly completed and that output validation is applied; e) Protection of spooled data awaiting output to a level consistent with its identified sensitivity; f) Storage of media in an environment which accords with manufacturer specifications; g) Keeping the distribution of data to a minimum in accordance with the principle of least privilege; h) Clear marking of all copies of data for the attention of the authorized recipient; and i) Review of distribution lists and lists of authorized recipients at regular intervals. When handling sensitive data such as configuration files and passwords, the following precautions must be taken: a) Transmitted and stored information that has been classified as high sensitivity data must be protected through use of encryption of a type and strength identified by Corporate Security as sufficient to withstand attack, as documented in GO-ITS 25.12 Use of Cryptography; b) Unencrypted password or credential information must not be cached, and must be encrypted when in transport or during session initiations (e.g., over a network); and c) Access to backup media must be limited to authorized personnel. GO-ITS 25.0 General Security Requirements Page 25 of 40 Sensitivity: Unclassified Approved Version #: 1.2 3.6.3.Security of system documentation System documentation may contain a range of sensitive information (e.g., descriptions of applications processes, procedures, data structures, and authorization processes). As such, system documentation must be protected from unauthorized access, and kept current. The following controls should be implemented: a) System documentation should be classified, labelled, and stored securely; b) The access list for system documentation should be kept to a minimum and authorized by the application owner; and c) System documentation held on a public network, or supplied via a public network, should be appropriately protected. Access to documentation, whether in printed format or online, must be restricted to authorized staff. Online documentation must be protected through application of: a) Access rights; b) User and group ownership (i.e., unauthenticated or unauthorized users must not have access to information); and c) Approved encryption (for documentation dealing with security configuration settings). In addition, online documentation must not be copied, transmitted, or modified without permission. Printed documentation must be protected through the following restrictions: a) All documentation must be retrieved from printers as soon as printing is complete, or the security feature available on some printers must be used (a code, once entered, prints the job while the user is present at the printer); b) All documentation must be secured when not in use; c) Security documentation must not be left unattended; d) Security documentation must not be removed from secure areas; and e) Security documentation must not be copied without permission. Third party maintenance personnel who require access to system documentation must sign a Non-Disclosure Agreement. In addition, third party personnel must not be permitted to remove system documentation. 3.7. Exchanges of information and software Exchanges of information and software between organizations must be controlled, and must be compliant with both ISPC Policy and any relevant legal requirements (e.g., privacy legislation). Exchanges must be carried out on the basis of agreements. Procedures and standards to protect information and media in transit must be established. The business and security implications associated with electronic data interchange, electronic commerce, electronic mail and the requirements for controls must be considered. 3.7.1.Information and software exchange agreements Agreements must be established for the electronic or manual exchange of information and software between organizations. GO-ITS 25.0 General Security Requirements Page 26 of 40 Sensitivity: Unclassified Approved Version #: 1.2 The security provisions present in such an agreement should reflect the sensitivity of the business information involved. Agreements on security provisions should include: a) Management responsibilities for controlling and notifying transmission, dispatch and receipt; b) Procedures for notifying sender, transmission, dispatch and receipt; c) Minimum technical standards for packaging and transmission; d) Courier identification standards; e) Responsibilities and liabilities in the event of loss of data; f) Use of labels according to ISPC Policy requirements, to ensure the meaning of the labels is immediately understood throughout the OPS, and that the information can be appropriately protected; g) Information and software ownership and responsibilities for data protection, software copyright compliance and similar considerations; h) Technical standards for recording and reading information and software; and i) Any special controls that may be required to protect sensitive items, such as cryptographic measures. Agreements as to the use, protection, duplication, and re-transmission of shared information and software must exist and be agreed to prior to any transmission of data between organizations. High sensitivity information must not be distributed without written permission from the relevant program manager (or a delegated authority). These agreements must specify intent and usage parameters for all shared data. Remedies must be specified to enforce agreed-upon usage and protection standards, and to provide recourse for failure to adhere to those standards. Where ongoing measures must be taken, both parties must have an agreement regarding the type of service that must be provided, how the provision of that service may be verified, and penalties for failure to provide the agreed upon level of service. Measures for the control of data must be defined both while in transmission, and in storage at the recipient’s location. Security provisions must include: a) Protection from unintended use, sharing, or duplication; and b) Means by which the operation of data protection mechanisms may be verified. Protection of data must take into account current legislation, which may prohibit certain uses, or require specific data handling measures. External data sharing partners must: a) b) c) d) Follow practices that meet or exceed Government of Ontario internal security practices; Submit to regular Government of Ontario and/or external audit of those practices; Agree to penalties for failure to adhere to all agreements; and Agree to be held liable for all repercussions arising from a failure to adhere to all agreements. GO-ITS 25.0 General Security Requirements Page 27 of 40 Sensitivity: Unclassified Approved Version #: 1.2 3.7.2.Security of media in transit Information can be vulnerable to unauthorized access, misuse or corruption during physical transport, for instance when sending media via the postal service or via courier. As such, media being transported must be protected from unauthorized access, misuse or corruption. For example: a) Reliable transport or couriers should be used. A list of authorized couriers should be agreed with management and a procedure to check the identification of couriers implemented; b) Packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with manufacturers’ specifications; and c) Special security provisions should be adopted, where necessary, to protect sensitive information from unauthorized disclosure, modification, or removal. Examples include: 1) Use of locked containers; 2) Use of item / cargo / document manifests and records of receipt; 3) Delivery by hand; 4) Tamper-evident packaging (which reveals attempt to gain access); 5) In exceptional cases, splitting of the consignment into more than one delivery and dispatch by different routes; and 6) Use of digital signatures and approved cryptography at a level and of a type that meets GO-ITS 25.12 and ISPC Policy requirements. 3.7.3.Electronic commerce security Electronic commerce can involve the use of electronic data interchange (EDI), electronic mail and online transactions. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract dispute and disclosure or modification of information, and must be protected against these threats. Consideration should be given to the resilience to attack of the host used for electronic commerce, and the security implications of any network interconnection required for its implementation. Software used for electronic commerce systems must also be subject to STE practices, such as a vulnerability assessment, before initial deployment. 3.7.4.Security of electronic mail Electronic mail differs from traditional forms of business communications due to its speed, message structure, degree of informality and vulnerability to unauthorized actions. Consideration should be given to the need for controls to reduce security risks created by electronic mail. 3.7.4.1. Security risks The following security risks should be addressed: a) Vulnerability of messages to unauthorized access/interception, modification, or denial of service; b) Vulnerability to error (e.g., incorrect addressing or misdirection, and the general reliability and availability of the service); c) Impact of a change of communication media on business processes (e.g., the effect of increased speed of dispatch or the effect of sending formal messages from person to person rather than company to company); GO-ITS 25.0 General Security Requirements Page 28 of 40 Sensitivity: Unclassified Approved Version #: 1.2 d) Legal considerations, such as the potential need for proof of origin, dispatch, delivery and acceptance; e) Implications of publishing e-mail distribution lists that reach internal addresses or many staff; and f) Controlling remote user access to electronic mail accounts. 3.7.4.2. Procedures for electronic mail Procedures for the use of electronic mail must be developed and controls put in place to reduce security risks created by electronic mail. These controls should address the following: a) Attacks on electronic mail (e.g., malicious attachments, social engineering, viruses, interception); b) Protection of electronic mail attachments; c) Guidelines on when not to use electronic mail; d) Employee education regarding inappropriate use (e.g., sending defamatory electronic mail, use for harassment, or unauthorized purchasing); e) Use of approved cryptographic techniques to protect the confidentiality and integrity of electronic messages, such as GO-PKI; and f) Additional controls for vetting messaging that cannot be authenticated. If e-mail is used to provide alerts or other communications to analysts within IDS or IPS operating environments, these mail messages must be protected from observation or modification if they will travel over a non-private network. E-mail messages must be sent at appropriate intervals so as not to overwhelm the end user’s channel of communications. If available on mail servers, the following features must be configured and enabled: a) b) c) d) Scanning of SMTP traffic for illegal commands; Scanning of traffic for hostile executable and/or malicious content; Removal of executable and/or otherwise malicious content; and Control over abuse, such as the unauthorized use of SMTP relay or user enumeration. 3.7.5.Security of electronic office systems Procedures and guidelines must be prepared and implemented to control the business and security risks associated with electronic office systems. Consideration given to the security and business implications of interconnecting such systems should include: a) Vulnerabilities of information in office systems (e.g., recording phone calls or conference calls, confidentiality of calls, storage of faxes, opening mail, distribution of mail, increasing complexity of multi-function office devices with network interfaces, remote management, and local storage); b) Procedures and appropriate controls to manage information sharing (e.g., the use of corporate electronic bulletin boards); c) Excluding categories of sensitive business information if the system does not provide an appropriate level of protection; GO-ITS 25.0 General Security Requirements Page 29 of 40 Sensitivity: Unclassified Approved Version #: 1.2 d) The suitability, or otherwise, of the system to support business applications such as communicating orders or authorizations; e) Categories of staff, contractors or business partners allowed to use the system and the locations from which it may be accessed; f) Restricting selected access to specific categories of user (e.g., restricting access to sensitive project information by limiting collaboration materials to the staff working on that project); g) Identifying the status of users (e.g., employees of the organization or contractors in directories for the benefit of other users); h) Retention and back-up of information held on the system; and i) Fallback requirements and arrangements. Communication between interconnected components, and other network policy enforcement systems, must adhere to the activity logging requirements described in section 2.4 of this document. 3.7.6.Publicly available systems Care must be taken to protect the integrity of electronically published information and publicly accessible information systems, to prevent unauthorized modification that could jeopardize transactions and/or harm the reputation of the publishing organization. Information on a publicly available system (e.g., information on a Web server accessible via the Internet), may need to comply with laws, rules and regulations in the jurisdiction in which the system is located or where trade is taking place. In addition, publicly available Web servers must abide by GO-ITS 23 Web Standard and ISPC Policy requirements. There must be a formal authorization process before information is made publicly available, and the integrity of such information must be protected to prevent unauthorized modification. Software, data and other information requiring a high level of integrity, made available on a publicly accessible system, should be protected by appropriate mechanisms (e.g., cryptography, digital signatures, etc.). Electronic publishing systems, especially those that permit feedback and direct entering of information, should be carefully controlled so that: a) Information is obtained in compliance with any data protection legislation; b) Information input to, and processed by, the publishing system will be processed completely and accurately in a timely manner; c) Sensitive information will be protected during the collection process and when stored; and d) Access to the publishing system does not allow unintended access to networks to which it is connected. Measures taken to ensure the confidentiality, integrity, availability, and authenticity of publicly observable systems, and their communications, must periodically be reviewed to ensure their adequacy given current intrusion techniques and technology. These measures must include, but are not limited to: a) Systems that are publicly available (e.g., a public web server) must have security controls in place to ensure that the integrity of the data is protected; b) Services that require public access for functionality (e.g., a public web server would require public access to HTTP and HTTPS services) should be the only services that are enabled on the system, in keeping with the principle of least privilege; GO-ITS 25.0 General Security Requirements Page 30 of 40 Sensitivity: Unclassified Approved Version #: 1.2 c) All services that do not require public access must be disabled and/or removed after review of technical and functional requirements (for example, a public web server would have TCP/UDP small servers disabled, and services such as networked file systems, SMTP, POP, and TELNET disabled and removed, if supported); d) Backups must be performed daily on public systems (at least incrementally) to ensure minimal loss of data; e) If a public system is used for processing transactions, a secure transport protocol must be used along with server certificates; f) Sensitive or personal information (e.g., names, credit card numbers, etc.) must not be stored on publicly accessible components of a transaction processing system any longer than required for the completion of a transaction; g) Sensitive or personal information stored on a system for the purpose of completing a transaction must be isolated such that it cannot be interpreted or modified by the system (e.g., secure application design); h) Transactions must be monitored (inbound and outbound). Traffic data must not include potentially harmful or sensitive content, for example: 1. System structure or configuration information; 2. Networking configuration; 3. System account information; 4. Executable or interpretable code, unless required; and 5. Non-alphanumeric characters, unless required; and i) Input or output content must be subject to inspection techniques such as bounds checking, and must not exceed identified acceptable values. Data confidentiality and integrity must be maintained via a cryptographic system, when sharing data or performing transactions between servers, via public networks. Cryptographic systems deployed within the Government of Ontario must be evaluated (ideally by a third party and/or via a recognized evaluation scheme) for suitability against current attack techniques and technology. The strength of deployed cryptography must be appropriate given the sensitivity of transmitted data, and compliant with GO-ITS 25.12. The MGS Corporate Security Branch is the cryptographic authority for the Government of Ontario; algorithms, implementations, effective key length, and other factors must meet Corporate Security requirements. 3.7.7.Other forms of information exchange Verbal discussion of security mechanisms, system configuration, access controls, credentials, user accounts, use of cryptography, or other similar sensitive information should not be conducted in public areas, before personnel who lack appropriate administrative authorization (or whose authorization is unknown), or before staff who have not been subject to personnel screening and signed an NDA or relevant Government of Ontario security documentation. GO-ITS 25.0 General Security Requirements Page 31 of 40 Sensitivity: Unclassified Approved Version #: 1.2 4. Related Standards 4.1. Impacts to Existing Standards Identify any Standards that reference or are referenced by this Standard and describe the impact. GO-IT Standard All GO-ITS 25 standards Impact All standards in this series refer to this document; this document is considered a normative reference for the entire series. Recommended Action Update only, no impact. Compliance with all standards is mandatory. 4.2. Impacts to Existing Environment Impacted Infrastructure Impact Recommended Action 5. Compliance Requirements 5.1. Internal compliance Managers must ensure that all security operations within their area of responsibility are carried out correctly and in a manner that meets security requirements. All areas within the organization must be subject to regular review to ensure compliance with the information technology requirements and additional standards outlined in this document. Owners of information systems, programs, and/or data should support regular review of their compliance with all relevant directives, policies, standards, and procedures to ensure that security requirements have been properly addressed, and safeguards are appropriately deployed. 5.1.1.Access to accounts and information For computing environments and access control systems within the scope of this document, program managers must not be permitted to request the following: Access to a user’s credential or identity as assigned by an access control system; Access to data, files, etc. stored by a user whereby access to such information is managed by an access control system; and/or Information encrypted by a user through the use of a key or cryptographic process controlled by an access control system, even if desired for recovery purposes. Program managers must ensure that employees use central repositories, shared folders, or other mechanisms such that any critical work products remain accessible to relevant staff. In such GO-ITS 25.0 General Security Requirements Page 32 of 40 Sensitivity: Unclassified Approved Version #: 1.2 instances, effective management of project information is the primary means by which access to such information should be safeguarded. Program managers must act to protect the integrity of credentials granted to users. This must include the following: Ensuring appropriate handling of user credentials; Ensuring appropriate education for users regarding the use and security of their credentials, and any related access control system or identity service (e.g., GO-PKI); and Ensuring that inappropriate requests that could harm the integrity of user accounts, assigned credentials, or electronic identities are not accepted. It is incumbent on staff with Director-level authority (or greater) to diligently review and authorize requests for the recovery of the information described above. 5.2. External compliance Several areas of external compliance requirements exist. Government of Ontario I&IT assets must be managed appropriately to comply with these requirements. All external vendors and service operators must be subject to regular review to ensure compliance with the information technology requirements and additional standards outlined in this document. 5.2.1.Compliance with legal requirements The design, operation, and management of information systems are subject to statutory, regulatory, and contractual requirements that may influence security considerations. Advice on specific legal issues should be sought in instances where security techniques may contravene legal requirements (i.e., system monitoring) or when these techniques must be used in other jurisdictions. 5.2.2.Intellectual property and copyright Procedures should be implemented to ensure compliance with legal restrictions on the use of software and copyrighted intellectual property. Failure to comply with requirements can lead to legal action and financial consequences. Legislative, regulatory, and/or contractual requirements may exist that place restrictions on the kinds of reproduction or transmission permitted for proprietary materials or materials in respect of which there may be an intellectual property right. Legal advice should be sought in instances where these limits are not clear. In particular, the following safeguards should be implemented: a) b) c) d) e) f) Use existing procurement and vendor of record channels to obtain software and media; Maintain awareness among staff regarding acquisition of software products; Maintain asset inventory, including proof of license ownership, master copies, etc.; Maintain controls to ensure fixed seat licenses are not inadvertently exceeded; Monitor the installation of acquired packages and control inappropriate installation; and Maintain license conditions and remove software where license status is unknown. GO-ITS 25.0 General Security Requirements Page 33 of 40 Sensitivity: Unclassified Approved Version #: 1.2 5.2.3.Organizational records Records must be protected from loss, destruction, and falsification. Some types of organizational records may need to be securely retained to meet statutory or regulatory requirements, as well as to support essential business activities (such as those records which confirm financial status). Records should be categorized, with retention periods and storage requirements made clear for each type of record that is identified for the program area. Consideration should be given to the archival procedure used for the storage of records to ensure they are protected. Technology change and integrity protection should be factors in the choice of medium for electronic records, to ensure they can be accessed, and cannot be modified. 5.2.4.Data protection and privacy of personal information The Government of Ontario is bound by legislative requirements at both the provincial and federal level regarding the protection of personal privacy (as outlined in the Introduction of this document). Security techniques and methods must fully comply with ISPC Policy requirements and all relevant federal and provincial privacy legislation. Processes such as Privacy Impact Assessments should be employed to identify areas of privacy risk, and legal advice should be obtained where uncertainty exists regarding privacy impact, particularly when data is being archived, aggregated, transferred to third parties, or transmitted to other jurisdictions. If personal information is subject to disclosure due to a breach, any duties under Government of Ontario privacy breach procedures, or those outlined within any relevant legislation, must be undertaken. 5.2.1.Cryptography Controls must be in place to ensure compliance with national and international agreements, laws, regulations, and/or other instruments regarding use, import, and export of cryptographic software and devices. The cryptographic mechanisms described or implied in this document are robust and may not be legal for use or import/export in all jurisdictions. Required review may include: a) b) c) d) Determination of import/export status for cryptographic hardware and software; Determination of import/export status for items to which cryptography is to be added; Determination of use of any cryptography in any jurisdiction where not sanctioned; and Lawful access requirements of other jurisdictions. Cryptography deployed as a technical safeguard within an access control system (e.g., to pass credentials and/or provide for integrity assurance), or to provide for communications security, must meet the requirements described in GO-ITS 25.12 Use of Cryptography. Legal advice should be obtained to ensure compliance with all relevant requirements, particularly if any solution employing cryptographic methods is to be located in another jurisdiction. 5.3. Audit Periodic audit is required to ensure that security practices and safeguards meet the minimum requirements expressed in this document and that the operation of a given project or environment is sound. GO-ITS 25.0 General Security Requirements Page 34 of 40 Sensitivity: Unclassified Approved Version #: 1.2 5.3.1.Impact To reduce the potential impact or risk of such audit on operational systems: a) b) c) d) e) Audit scope and requirements should be discussed and controlled prior to audit activities; Audit activity should be conducted without write/modify privileges where possible; Access provided during audit activities should be monitored and supervised; All relevant procedures required to conduct the audit should be provided in advance; and Audit tools should be protected from unauthorized use or modification. 5.3.2.Monitoring Systems must be monitored on an ongoing basis, in accordance with any legal (e.g., privacy or regulatory) requirements, to detect failure or subversion of safeguards and controls. Operator, system, audit, activity and fault logs must be routinely monitored (by staff trained to identify relevant events) for this purpose; the extent of monitoring should be commensurate with the operational criticality of the system, the extent of system interconnection, nature of any prior incidents, and data sensitivity (as determined by ISPC Policy). Appropriate separation of duties must be maintained during monitoring activity, and the integrity of log information must be protected against both deliberate acts and automated alteration due to overwriting or other action of a process or service. As maintenance of an evidentiary trail requires consistent business practices and safeguards, the following measures must be followed as a part of normal daily activities: a) Log data must be forwarded to a log host. The log host must be a dedicated, purposebuilt, and hardened system on a separately managed network, whose only function is to receive and store activity data; stored data must be protected against modification or overwriting; b) Data for the log host should be encrypted while in transit, and the log host should generate an alert if a monitored device fails to send data for a given period of time; c) Timestamps for messages from all monitored systems and other log-generating devices (firewalls, routers, servers, etc.) must be synchronized to a redundant and validated time source; and d) Consider sending the activity logs to a dedicated printer in a secure room in situations where such logging is absolutely essential (e.g., preserving evidentiary data in an ongoing investigation). 5.4. Implementation and Metrics The intention of the OCCIO is to advertise and promote this standard as being a mandatory component throughout government. However, in order to effectively manage its implementation, ministries, clusters and applicable agencies are expected to adopt and monitor compliance to this standard. GO-ITS 25.0 General Security Requirements Page 35 of 40 Sensitivity: Unclassified Approved Version #: 1.2 6. Acknowledgements Consulted Please indicate who was consulted as part of the development of this standard. Include individuals (by role and organization) and committees, councils and/or working groups. (Note: consulted means those whose opinions are sought, generally characterized by two-way communications such as workshops): Organization Consulted (Ministry/Cluster) CSB Internal Consultation Ontario Internal Audit Division OCIPO (now IPA) Division Branch Date MGS OCCIO Finance OCIPO / IPA CSB OIAD Privacy Jan./Feb. 2008 Mar. 2008 Jan./Feb. 2008 Committee/Working Group Consulted SADWG Date Jan./Feb. 2008 Informed Please indicate who was informed during the development of this standard. Include individuals (by role and organization) and committees, councils and/or working groups. (Note: informed means those who are kept up-to-date on progress, generally characterized by one-way communication such as presentations): Organization Informed (Ministry/Cluster) Division Committee/Working Group Informed IT Standards Council (Dissolved) (For Information) GO-ITS 25.0 General Security Requirements Branch Date Date Feb. 2008 Page 36 of 40 Sensitivity: Unclassified Approved Version #: 1.2 7. Recommended Versioning and/or Change Management Changes (i.e., all revisions, updates, versioning) to the standard require authorization from the “responsible” organization(s). Once a determination has been made by the responsible organization to proceed with changes, ICS as custodians of the I&IT Rules Refresh Plan will coordinate and provide assistance with respect to the approvals process. The approval process for changes to standards will be determined based on the degree and impact of the change. The degree and impact of changes fall into one of two categories: Minor updates - require confirmation from ARB, and communication to stakeholders and ITELC. Changes are noted in the “Document History” section of the standard. Minor updates generally consist of: Editorial corrections (spelling, grammar, references, etc.) made with the intention to eliminate confusion and produce consistent, accurate, and complete work. Formatting changes (due to template updates or to improve readability of document). Documented organizational changes e.g., renaming of committees, approved transition of committee responsibilities, approved reporting relationship changes. Standard revisions - require consultation with stakeholders, ARB endorsement, and ITELC approval. Standard revisions consist of any updates to the I&IT Rules Refresh Plan that are not considered minor and may: represent new standard or significant revision to an existing standard represent a major version change to one or more specifications impact procurement require configuration changes to current solutions impact other standards respond to legislative, policy or procurement changes 7.1. Publication Details All approved Government of Ontario IT Standards (GO ITS) are published on the OCCIO Intranet web site. Please indicate with a checkmark below if this standard is also to be published on the public, GO ITS Internet Site. Standard to be published on both the OPS Intranet and the GO ITS Internet web site (available to the public, vendors etc.) GO-ITS 25.0 General Security Requirements Page 37 of 40 Sensitivity: Unclassified Approved Version #: 1.2 7.1. Requirements Levels Within this document, certain wording conventions are followed. There are precise requirements and obligations associated with the following terms: Must This word, or the terms "REQUIRED" or "SHALL", means that the statement is an absolute requirement. Should This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore the recommendation, but the full implications (e.g., business functionality, security, cost) must be understood and carefully weighed before choosing a different course. 8. Appendices 8.1. Normative References Management and Use of Information & Information Technology (I&IT) Directive: http://intra.ops.myops.gov.on.ca/cms/tiles.nsf/(vwReadResourcesByRefId_Content)/cpd2008.04.11.0 9.46.33.J6N_res/$File/ManagementOfITDir.pdf Corporate Policy on Information and Information Technology (I&IT) Security: http://intra.ops.myops.gov.on.ca/cms/tiles.nsf/(vwReadResourcesByRefId_Content)/cpd2011.08.09.1 0.22.28.JV4_res/$File/corporatePolicyIandITSecurity.pdf Information Security & Privacy Classification Policy http://intra.ops.myops.gov.on.ca/cms/tiles.nsf/(vwReadResourcesByRefId_Content)/cpd2008.08.18.1 4.34.52.PSU_res/$File/InformationSecurity&PrivacyClassificationPolicy-Aug05.pdf 8.2. Informative References ISO/IEC Standards: http://www.iso.org GO-ITS 25.0 General Security Requirements Page 38 of 40 Sensitivity: Unclassified Approved Version #: 1.2 9. Glossary Access: Entry to an electronic network provided by the government to its employees and other authorized individuals on or outside government premises, including telework situations. Access controls: Procedures/devices designed to restrict entry to a physical area (physical access controls) or to limit use of a computer/communications system or stored data (logical access controls). Accountability: The obligation to answer for results and the manner in which responsibilities are discharged. Accountability cannot be delegated. Authentication: To establish the validity of a claimed identity of a user prior to gaining access (e.g., passwords, access cards). Authorization: To grant permission to access resources according to a predefined approval scheme. Availability: The degree of readiness expected of information systems and IT resources to deliver an appropriate and timely level of service, regardless of circumstances. Confidentiality: Ensuring that information is accessible only to those authorized to have access. Unauthorized disclosure of the information constitutes a loss of confidentiality. The protection of confidentiality must be consistent with the sensitivity of information and legislative requirements (e.g., FIPPA, PHIPA). Credentials: Evidence provided to prove the claimed identification (e.g., presenting related contextual information or tokens in order to access electronic resources). Cryptography: The transformation of data into a form unreadable by anyone (encryption) without the correct decryption key, ensuring confidentiality by keeping the information hidden from anyone for whom it was not intended, including those who can see the encrypted data. Data: Any formalized representation of facts, concepts or instructions suitable for communication, interpretation or processing by a person or by automatic means. Elevated privileges: Enhanced rights and/or administrative control, assigned to a user, over a particular I&IT resource or class of resources. Information: The meaning derived from or assigned to facts or data, within a specified context. Information Technology assets: Those resources (hardware, software, data etc.) associated with the creation, storage, processing and communication of information in the form of data, text, image and voice. Integrity: The authenticity, accuracy and completeness of data that can be affected by unauthorized or accidental additions, changes and/or deletions. Network: IT systems that can be made of one or both of the following components: Local Area Network (LAN) - Network of Information technology systems wholly situated at one geographical address; Wide Area Network (WAN) - located over more than one geographical site. Non-repudiation: The quality embodied by services where transaction and identity assurance are managed to the degree that receipt of information or completion of transactions cannot reasonably be denied by participants. Password: A string of characters (letters, numbers and other symbols) that are used to authenticate an identity or to verify access authorization. Privacy: The ability of an individual or group to control personal information and prevent it from being used by people or for purposes other than those they consented to when they provided the information. Organizations must have controls to restrict the collection, use and/or disclosure of personal information to that authorized by the individual or group. In the case of Government organizations, legislative GO-ITS 25.0 General Security Requirements Page 39 of 40 Sensitivity: Unclassified Approved Version #: 1.2 authority is required to collect and use the personal information needed for the delivery of a specific program or service. Program: A specific program or service within a Ministry. Program Manager: The person responsible for the continued development, operational control, implementation, monitoring, etc. of a specific program or service within a Ministry. Responsibility: The obligation to perform a given task or tasks associated with a specific role. Risk: A potential opportunity or threat that may impact on an organization’s ability to meet its business objectives. Safeguard: A protective and precautionary measure to prevent a security threat from happening. Security Testing and Evaluation (STE): Any collection of processes or assessment models whereby the functional capabilities and security assurance of a given safeguard or system is examined (e.g., vulnerability assessment, penetration testing, code review). STE can be conducted according to formal methodologies, or performed informally for a basic degree of validation (e.g., the security portion of a generic acceptance testing procedure). In the case of physical facilities, STE activities may include audits of physical design, facility construction, access control systems, and compliance with minimum standards. Threat risk assessment (TRA): A tool to assist Program Managers in fulfilling their responsibilities for security risk management and the development of security plans. A Threat Risk Assessment (TRA) is used to: Assess the sensitivity of program assets and information; Identify and analyse potential threats and vulnerabilities; Assess the level of risk taking into consideration the effectiveness of current security measures; and Recommend appropriate measures to protect assets and information from loss, theft, destruction, modification, or misuse. User: A person authorized to access and use Information and Information Technology resources. GO-ITS 25.0 General Security Requirements Page 40 of 40
© Copyright 2024