Information Security Framework for Education Birth-12

Drafted by the Education Information Security Committee, Information Security Framework Workgroup

Workgroup Members: Rick Wahlstrom (NWRESD, chair), Amy McLaughlin (ODE), Nick Lapp (IMESD), Benjamin Tate (Salem-Keizer SD), John Goucher (Hillsboro SD), Lance Queen (Crook County SD)

Release date: August 15, 2012

Security Components

I. Risk Management

Risk Management is the process of identifying, assessing, and taking steps to reduce risk to an acceptable level for information systems and data. Risk management is critical for <district name> to successfully implement and maintain a secure environment.

Risk assessments identify, quantify, and prioritize risks against the criteria the district has established for risk acceptance and its objectives. Assessment results guide and determine appropriate district action and priorities for managing information security risks and for implementing the controls needed to protect information assets.

Risk assessments (RAs) can be conducted on any entity within the district or on any outside entity that has signed a third party agreement with an outside company. RAs can be conducted on any information system, including applications, servers, and networks, and on any process or procedure by which these systems are administered and/or maintained.

The role of Information Security Officer (ISO) can be designated as a separate position, or its responsibilities can be assigned to an existing individual. The ISO is responsible for leading and/or facilitating the Information Security Risk Assessment Team. Identifying information security risks and notifying the ISO is the responsibility of all district personnel. The execution, development, and implementation of remediation programs are the joint responsibility of the ISO and the department responsible for the process or systems with the identified risk. District staff are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Staff are further expected to work with the Information Security Risk Assessment Team in the development of a remediation plan.

Risk management can include the following steps as part of a risk assessment:

1. Identify the risks
   a. Identify agency assets and the associated information owners
   b. Identify the threats to those assets
   c. Identify the vulnerabilities that might be exploited by the threats
   d. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets
2. Analyze and evaluate the risks
   a. Assess the business impacts on the district that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of those assets
   b. Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these assets, and the controls currently implemented
   c. Estimate the level of the risks
   d. Determine whether the risks are acceptable
3. Identify and evaluate options for the treatment of risk
   a. Apply appropriate controls
   b. Accept the risks
   c. Avoid the risks
   d. Transfer the associated business risks to other parties (students, personnel, etc.)
4. Select control objectives and controls for the treatment of risks

II. Security Policy

The objective of an information security policy is to provide management direction and support for information security in accordance with <district name> business requirements and governing laws and regulations. Information security administrative rules supporting the overarching information security policy will be approved by the district, published, and communicated to all employees, students, and external parties as appropriate. These rules will set <district name>’s approach to managing information security and will align with relevant federal and state regulations and laws.
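As an added worked example (not part of the framework document), the following Python models the risk assessment steps in section I as a small risk register: each row records the asset, owner, threat, vulnerability and CIA impacts (step 1), the register scores likelihood against impact and checks the result against an acceptance threshold (step 2), and each risk is assigned one of the four treatment options (step 3). The 1-3 scales, the threshold of 4, the order in which treatments are tried, and the sample rows are assumptions constructed for this example, not values from the framework.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed district criterion (step 2d): a risk score above this must be treated.
RISK_ACCEPTANCE_THRESHOLD = 4


@dataclass
class Risk:
    """One row of the risk register, covering steps 1a-1d of section I."""
    asset: str                  # 1a: the information asset
    owner: str                  # 1a: its information owner
    threat: str                 # 1b: threat to the asset
    vulnerability: str          # 1c: weakness the threat could exploit
    likelihood: int             # 2b: 1 = rare, 2 = possible, 3 = likely, given current controls
    impact_c: int               # 1d/2a: impact of a loss of confidentiality, 1..3
    impact_i: int               # 1d/2a: impact of a loss of integrity, 1..3
    impact_a: int               # 1d/2a: impact of a loss of availability, 1..3
    current_controls: list[str] = field(default_factory=list)
    avoidable: bool = False     # 3c: the activity creating the risk can be stopped
    transferable: bool = False  # 3d: a contract or other party can carry the risk

    def impact(self) -> int:
        """2a: the worst of the three CIA impacts sets the business impact."""
        return max(self.impact_c, self.impact_i, self.impact_a)

    def score(self) -> int:
        """2c: estimate the level of risk as likelihood x impact (1..9)."""
        return self.likelihood * self.impact()

    def acceptable(self, threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> bool:
        """2d: decide whether the risk is within the district's acceptance criterion."""
        return self.score() <= threshold


def choose_treatment(risk: Risk) -> str:
    """Step 3: pick one of the framework's four treatment options.

    The order tried here (accept, avoid, transfer, otherwise apply controls) is an
    assumed district rule; section I lists the options without ranking them.
    """
    if risk.acceptable():
        return "accept"
    if risk.avoidable:
        return "avoid"
    if risk.transferable:
        return "transfer"
    return "apply controls"


def assess(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Steps 2-3 over the whole register: (asset, score, treatment), highest risk first."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), choose_treatment(r)) for r in ranked]


# Constructed sample register for a fictional district (not data from the document).
SAMPLE_REGISTER = [
    Risk("Student information system database", "Registrar",
         "Credential theft via phishing", "Remote access without a second factor",
         likelihood=3, impact_c=3, impact_i=2, impact_a=1,
         current_controls=["password complexity policy"]),
    Risk("Front office workstation", "Office manager",
         "Visitor reads an unattended screen", "Screen not locked when unattended",
         likelihood=2, impact_c=2, impact_i=1, impact_a=1,
         current_controls=["clear screen rule", "auto-lock after 10 minutes"]),
    Risk("Hosted assessment platform", "Curriculum director",
         "Vendor outage during a testing window", "No contractual availability commitment",
         likelihood=2, impact_c=1, impact_i=1, impact_a=3,
         transferable=True),
]

if __name__ == "__main__":
    for asset, score, treatment in assess(SAMPLE_REGISTER):
        print(f"{score}  {treatment:15}  {asset}")
```

The register prints highest risk first, so the output doubles as the prioritized list that step 4 (selecting control objectives and controls) starts from.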
Information security rules will be reviewed at planned intervals (annually, or whenever significant changes occur) to ensure their continuing suitability, adequacy, and effectiveness. Reviews will include assessing opportunities for improvement of <district name>’s information security policies and approach to managing information security in response to changes in <district name>’s environment, new threats and risks, business circumstances, legal and policy implications, and the technical environment.

III. Organization of Information Security and Privacy

Information security is proactively managed at <district name>. Management approves information security procedures, assigns security roles, and coordinates and reviews the implementation of security across the (school/district/ESD).

Information security requires coordination and communication throughout the district. This includes ensuring staff and teachers fully understand their roles and responsibilities in maintaining information security and privacy standards. Information security responsibilities must be clearly defined and communicated to staff through easy to locate <procedures/training/administrative rules>.

Key responsibilities in information security and privacy are identified and assigned to specific personnel. In most cases, these responsibilities are a part of an individual’s position, not a separate position. Key responsibilities include:
● Primary point of contact for Information Security (Information Security Officer)
● Primary point of contact for FERPA Privacy Compliance
● Primary point of contact for Information Security Incident Response
● Primary point of contact for security administration

IV. Asset Management

Asset Management is the process of tracking and reporting the value and ownership of information assets. Information asset management is essential in order to provide reliable and secure services.
Information assets include:
● Information - the data itself, whether stored on paper or electronically
● Databases
● Paper filing systems
● Information technology systems used to store and process valued information

Districts have an obligation to maximize the security and efficiency of asset tracking and utilization. An accurate inventory of information and information systems allows districts to better define and control the components of the infrastructure and the services provided. Asset tracking also enables districts to leverage configuration management tools and practices, as well as plan for future asset needs by determining the availability of equipment.

Accuracy is a key goal in all aspects of Asset Management. As a baseline effort, districts should establish an asset management database. All assets, as defined below, should be tracked in the asset management database; processes should be put in place to maintain the validity and accuracy of the data, and annual reviews should be conducted to verify the data.

Once the baseline has been established, districts should undertake process development as part of their next steps. Processes can cover a variety of areas, but should at least establish steps for the following areas:
1. Asset Ordering
2. Asset Receiving and Check-in
3. Asset Requests
4. Asset QA
5. Asset Decommission
6. Asset Surplus/Trade-In

Additionally, standards should be developed for the following areas:
1. Asset Shipping and Receiving
2. Asset Storage
3. Asset Tagging
4. Asset Tracking
5. Asset Reporting

V. Human Resources Security

All employees, volunteers, contractors, and third party users of <district name> information and information assets will understand their responsibilities and will be deemed suitable for the roles they are considered for, to reduce the risk of theft, fraud, or misuse of information.
Security responsibilities will be addressed prior to employment in position descriptions and in any associated terms and conditions of employment. Where appropriate, all candidates for employment, volunteer work, contractors, and third party users will be adequately screened, especially for roles that require access to sensitive information. Management is responsible for ensuring security is considered during hiring and throughout the individual’s employment with the district.

The district intends to ensure that persons employed by or contracting with the district have not engaged in any criminal behavior that is incompatible with their duties and responsibilities with regard to access to and handling of protected information, and the mission of the agency. To achieve this goal, the district includes notice in hiring announcements that a background check will be conducted on potential candidates. As a condition of employment, applicants applying for positions must sign an authorization form allowing the district to conduct a criminal background check. The district conducts criminal background checks on all prospective employees, direct hire temporary appointments, and external transfer employees. The Human Resources department will ensure that external contractors have completed criminal background checks on all contractor staff assigned to work at the district.

Information security requirements are included in the position description of the Information Security Officer. All new employees and temporary employees receive training on the district’s Information Security program and are required to sign the relevant security documents. All employees and contractors participate in security awareness training annually, at which time they also sign all applicable security policies.
Security training includes, but is not limited to, training on security policies and procedures, FERPA and HIPAA, individual preventative security steps, and information on IT security that educates the user about the dangers at work and at home.

Procedures will be implemented to ensure that the exit of an employee, volunteer, contractor, or third party from the district is managed, and that the return of all equipment and the removal of all access rights are completed.

VI. Physical and Environmental Security

The purpose of physical and environmental security is to prevent unauthorized physical access, damage, theft, compromise, and interference to <district name> information and facilities. Locations housing critical or sensitive information or information assets will be secured with appropriate security barriers and entry controls. They will be physically protected from unauthorized access, damage, and interference. Secure areas will be protected by appropriate security entry controls to ensure that only authorized personnel are allowed access. All equipment containing storage media will be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

For more information on physical and environmental security please see the following sample documents:
● Building Security Policy
● Visitor Policy
● Workstation Security Policy (http://www.sans.org/securityresources/policies/200802_002.doc)
● MDF/IDF Security Policy
  ○ Authorized personnel only
  ○ Key lock at minimum, keypad with logging recommended
● Sustainable Acquisition and Disposal of Electronic Equipment – Statewide Policy 107009-0050 (http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-0050.pdf?ga=t)
● MDF/IDF Environment Guidelines
  ○ Water/fire avoidance
  ○ Windowless rooms
  ○ Temperature controlled rooms
  ○ Steady power supply with UPS devices in place
● Data Backup Policy
  ○ Backup frequency
  ○ Offsite backups

VII. Communications and Operations Management

To ensure the correct and secure operation of information processing facilities, responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures. Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

OPERATIONAL PROCEDURES AND RESPONSIBILITIES
● Documented operating procedures
● Change management
● Segregation of duties
● Separation of development, test, and operational facilities

THIRD PARTY SERVICE DELIVERY MANAGEMENT
● Service delivery
● Monitoring and review of third party services
● Managing changes to third party services

SYSTEM PLANNING AND ACCEPTANCE
● Capacity management
● System acceptance

PROTECTION AGAINST MALICIOUS AND MOBILE CODE
● Controls against malicious code
● Controls against mobile code

BACK-UP
● Information back-up

NETWORK SECURITY MANAGEMENT
● Network controls
● Security of network services

MEDIA HANDLING
● Management of removable media
● Disposal of media
● Information handling procedures
● Security of system documentation

EXCHANGE OF INFORMATION
● Information exchange policies and procedures
● Exchange agreements
● Physical media in transit
● Electronic messaging
● Business information systems

ELECTRONIC COMMERCE SERVICES
● Electronic commerce
● On-line transactions
● Publicly available information

MONITORING
● Audit logging
● Monitoring system use
● Protection of log information
● Administrator and operator logs
● Fault logging
● Clock synchronization

VIII. Access Control

Access to information, information systems, information processing facilities, and business processes will be controlled on the basis of business and security requirements. Formal procedures will be developed and implemented to control access rights to information, information systems, and services to prevent unauthorized access.
Users will be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords. The district system access rules enforce the expectation that users have individually assigned user names, and users understand that they are held accountable for actions taken with their user name and password. Users will be made aware of their responsibilities to ensure unattended equipment has appropriate protection. A clear desk rule for papers and removable storage devices and a clear screen rule are strongly recommended, especially in work areas accessible by students, parents, or the public.

Steps will be taken to restrict access to operating systems to authorized users. Protection commensurate with the risks will be required when using mobile computing and teleworking facilities. <district name> ensures appropriate password policies, auto-locking of systems, and other PC security settings through the district’s Directory Group Policy; only the district’s domain administrators have the ability to change group policy.

The procedures for access to systems vary depending on the type of access and how that access is facilitated. Any user requiring local administrator access to server systems must fill out an <insert your form name here>. All employees will receive training on the use of passwords, when systems are to be locked or timed out, how the different levels of information security determine how information assets are handled, and when and how information will be transported and disposed of. All users requiring remote access to the district’s network to work remotely are required to fill out and submit for management approval.

The district’s System Development Lifecycle (SDLC) and its End-User Development standards define responsibilities for ensuring appropriate controls are programmed according to business needs and information security requirements.

IX. Information System Acquisition, Development, and Maintenance

In order to ensure data and software integrity, confidentiality, and availability, all new systems (off-the-shelf or custom built) must be designed with security in mind. This is most effective when security is planned and implemented throughout the entire life cycle. Access to system files and program source code will be controlled, and information technology projects and support activities will be conducted in a secure manner. Technical vulnerability management will be implemented, with measurements taken to confirm effectiveness.

Districts should undertake the following initiatives as a baseline to secure information system acquisition, maintenance, and development.

Encryption - Encryption should be used, where appropriate, to protect sensitive information at rest and in transit. All remote access should be encrypted and secured (e.g., a VPN tunnel). Remote access should only be granted when an established business need exists.

Network and System Monitoring - Procedures should be in place to monitor and review network and information technology systems. District Network and Security teams should maintain and review various security and access reports regularly to ensure the security of network and information technology systems. Some of the systems districts can employ to verify and maintain IT security include SNORT, NESSUS, Tracking System Access (TSA), and Nagios. These systems can be used to determine whether inappropriate access has been attempted and to prevent unauthorized access to systems and data. Any controls deployed should be based on a risk analysis.

Data Access Review - Access to data should also be reviewed. A system like TSA should be used to capture employee access to sensitive data. The system provides processes that can be used by multiple applications to store tracking activity data. Additionally, this system provides a process to archive the data.
Information System Acquisition and Development - Where a district is involved in the purchase of applications, or in the custom development or adoption of applications to support its business processes, it is strongly recommended that the district adhere to the project management procedures identified in the Project Management Body of Knowledge (PMBOK) and include information security throughout the development and/or procurement cycle, from requirements gathering through implementation. Each information system has an identified owner, and each information system acquisition or development project has an identified sponsor. Each system that is developed should have clearly defined access needs, user authorization needs, separation of duties, and accountability controls.

Maintenance of Information Systems - Information systems require ongoing maintenance to remain both operational and secure. Maintenance changes to applications, middleware, and hardware should be reviewed and approved to ensure all risk and impact (both to the application and to all downstream resources) are fully understood.

Once the baseline concepts have been established in the software development life-cycle, additional goals should be established. These goals should occur at each stage of the lifecycle. Specific goals for each stage should be:

Project Initiation
● Define sensitivity of information involved
● Define criticality of system
● Define security risks
● Define level of protection needed
● Define regulatory/legal/privacy issues

Functional Design
● Determine acceptable level of risk
● Identify security requirements and controls

Design Specification
● Design security controls
● Review designs

Software Development
● Document security issues and controls
● Test code as it develops

Release and Maintain
● Review tests
● Certify system
● Constantly assess security position

X. Information Security Incident Management

An information security or privacy incident is a single, or series of, unwanted or unexpected information security events that result in harm, or pose a significant threat of harm, to information assets, protected student data, or the organization’s infrastructure. Examples of information security or privacy incidents include:
● Any incident relevant to the Oregon Identity Theft Protection Act
● Any incident relevant to FERPA
● Any incident relevant to the Health Insurance Portability and Accountability Act (HIPAA)
● Lost or stolen documents containing sensitive information
● Conversation containing sensitive information overheard by an unauthorized person who discloses the information to the public
● A virus or worm has become widespread
● A keystroke logger has infected a workstation used to enter sensitive information
● Web site defaced
● Unauthorized access to information was gained
● Any kind of sabotage that affects information
● Denial of service attacks

The district will identify and document capabilities to respond to information security and privacy incidents involving information in any form, whether electronic data, paper, or verbal. At a minimum, a basic incident response plan includes:
● Primary point of contact and backup for an information security incident
● Identification of additional resources (district personnel, ESD personnel, ODE personnel)
● Process for reporting and responding to an information security incident
● Police department contact if the incident is criminal in nature
● Primary point of contact for information security and privacy incidents
● Backup point of contact for information security and privacy incidents
● Other information security and privacy incident resources

The following is a basic process for identifying and responding to an information security or privacy incident:
1. Identify the event
2. Has protected data been lost, exposed, or disclosed? If yes, what type?
   a. FERPA protected student data
   b. Personally Identifiable Information as defined in the Oregon Identity Theft Protection Act
3. Is the organization at risk of continuing to lose data?
4. Identify, document and execute steps to remediate the problem
5. Contact any of the following as necessary:
   a. Oregon Department of Education
   b. Police
   c. Oregon Department of Consumer and Business Services (for losses involving data protected under the Oregon Identity Theft Protection Act)
   d. Other schools, districts, ESDs that may be experiencing the same issue
   e. Others as necessary
6. Once the incident is resolved, conduct a lessons learned exercise to prevent repetition

XI. Business Continuity Management

The purpose of business continuity management is to counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption. A business continuity management process will be established to minimize the impact on the district and to recover from loss of information assets to an acceptable level through a combination of preventive and recovery controls. A managed process will be developed and maintained for business continuity throughout the agency that addresses the information security requirements needed for the district’s business continuity.

Templates and examples of how to develop a district business continuity plan are available at http://www.oregon.gov/DAS/EISPD/BCP/Forms_Examples.shtml

For more information about the district’s business continuity plan (BCP) please contact the district superintendent’s office.

XII. Compliance

The design, operation, use, and management of information and information assets are subject to statutory, regulatory, and contractual security requirements.
Compliance with legal requirements is necessary to avoid breaches of law and of statutory, regulatory or contractual obligations, and of any security requirements. Legal requirements include, but are not limited to: state statutes, federal statutes and regulations, contractual agreements, intellectual property rights, copyrights, and protection and privacy of personal information. The following federal and state statutes and regulations apply:

Federal Regulations
● FERPA
● CIPA
● COPPA
● HIPAA

Oregon Revised Statutes (ORS) References
● ORS 326.565 Standards for student records; rules
● ORS 326.575 Records when student transfers or is placed elsewhere; notice to parents; amendments to records; rules
● ORS 336.187 When school authorized to disclose information about student; immunity of recipient
● ORS 343.045 Criteria for development and operation of special programs; rules
● ORS 343.155 Procedures to protect rights of child with disability; rules; content of rules

Oregon Administrative Rules (OAR) References
● 581-021-0250 An Educational Agency or Institution's Policy Regarding Student Education Records
● 581-021-0265 Confidentiality of Student Education Records
● 581-021-0270 Rights of Inspection and Review of Education Records
● 581-021-0330 Prior Consent to Disclose Information
● 581-021-0340 Exceptions to Prior Consent
● 581-021-0360 Conditions for the Disclosure of Information to Other Educational Agencies or Institutions
● 581-021-0370 Conditions for the Disclosure of Information for Federal or State Program Purposes
● 581-021-0371 Conditions for Disclosure of Information to Comply with Judicial Order or Subpoena
● 581-021-0372 Conditions for the Disclosure of Information When Legal Action Initiated
● 581-021-0380 Conditions for the Disclosure of Information in Health and Safety Emergencies
● 581-021-0390 Conditions for the Disclosure of Directory Information
● 581-021-0391 Conditions for the Disclosure of Information to Juvenile Justice Agencies
● 581-021-0400 Recordkeeping Requirements
● 581-021-0430 The Distribution of Rules Relating to Student Records

Reference (links to web pages)
● Communications and Operations Management: ISO_IEC_27002-2005.pdf
● Workstation Security Policy (http://www.sans.org/securityresources/policies/200802_002.doc)
● Sustainable Acquisition and Disposal of Electronic Equipment – Statewide Policy 107009-0050 (http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-0050.pdf?ga=t)
● Business Continuity Plans, http://www.oregon.gov/DAS/EISPD/BCP/Forms_Examples.shtml
● District Policies – to be developed in separate document
● District Administrative Rules – to be developed in separate document

Definitions

Asset - Any resource that could contribute to the delivery of a service that is tracked via an asset tag and reported on annually for value.

Entity - Any business unit, department, group, or third party, internal or external to the district, responsible for maintaining district assets.

Risk - Those factors that could affect the confidentiality, availability, and integrity of the district's key information assets and systems.

InfoSec - Responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.

Roles and Responsibilities (to be developed)