Information Security Standards 2015 Update IIPS Security Standards Committee Roderick Brower - Chair
Posted on 19-Jan-2016

Page 1: Information Security Standards 2015 Update IIPS Security Standards Committee Roderick Brower - Chair

Information Security Standards

2015 Update

IIPS Security Standards Committee

Roderick Brower - Chair

Page 2

IT Standards Committee Officers

• Roderick B. Brower, Chair (Ch. 1 - Classifying Data & Legal Requirements)
• Deborah Joyner (Ch. 2 - Securing the End User)
• Jeff Drake (Ch. 3 - Securing the Network)
• Chuck Hauser (Ch. 4 - Securing Systems)
• Karen Sasser (Ch. 5 - Physical Security)
• Bambi Edwards (Ch. 6 - Cyber Security Incident Response)
• Jodi Dyson (Ch. 7 - Business Continuity & Risk Management)

Page 3

How Did We Get Here?

• New document released from SCIO (January 2015)
• Extensive review by IT Standards Team started in July
• Will submit to SCIO (post IIPS Conference)
• Seek approval from SCIO
• Yearly review of the IIPS Standards by IIPS Committee and based on releases from the SCIO

Page 4

Highlights

• Manual has been reduced from 15 to 7 chapters
• Consolidation
• Reduction of redundancy
• Document getting better

Page 5

CIOs

• Local College CIO is defined (Introduction Section)
• To manage and implement at local level
• First point of contact on issues of concern (conduit to State CIO)
• Work closely with Business & Finance area on PCI Compliance

Page 6

Data Owners and Custodians

010101 Classifying Information

• Responsible for data
• Responsible for data procedures (software development requests, testing, patch approvals)
• These individuals should be clearly defined and documented by title in college manuals

Page 7

User Re-Certification

020101 Managing Access Control Standards

• User rights shall be reviewed and approved by data owners at six (6)-month intervals.

• Yearly?????

Page 8

030107 Time-Out Facility

• For some higher risk information systems, such as systems that process student or employee data, tax data, or credit card information, the requirement for a session idle timeout shall be 15 minutes or less, as determined by law or industry standards. The local college CIO should make the determination as to which system(s) should meet this timeout requirement.

Page 9

System Configuration Manual

040407 Systems Documentation

Colleges should develop and maintain additional documentation that details hardware and software placement and configuration, provides flowcharts, etc.

• Documentation should include:
  • Vendor name, address, and contact information
  • License number and version
  • Update information
  • Configuration reports and listing for operating system and server software
  • BIOS rev information
  • Port listing

Page 10

Passwords

• Managing User Access (020102)
  • User credentials that are inactive for a maximum of ninety (90) days must be disabled, except as specifically exempted by the security administrator.
• Passwords defined (020106)
  • At least eight characters in length
  • Strong passwords for High Security Systems

Page 11

Highlights

041002 Using Laptop/Portable Computers

• Must adhere to College Acceptable Use Policy
• Training to raise user awareness of the additional risks that accompany mobile computing and the controls with which users must comply
• If not protected by encryption software, the BIOS password on such devices must be enabled if technically possible.
• Training to raise user awareness of the additional risks that accompany mobile computing and the controls that should be implemented.

Page 12

Highlights

Chapter 7 – Business Continuity and Risk Management

• Initiation
• Development
• Implementation
• Assessment

Constant revisiting of the plan, constant improvement.

Page 13

Incidents

060201 Reporting Information Security Incidents

• Incident Response Reporting
  • Local CIO is first point of contact and handles reporting of incidents
  • ITS is notified by local CIO

Page 14

Local Implementation

• You do NOT have to re-write these standards at your local institution
• This manual should be referenced in your local Administrative Procedures Manual
• Statement should reflect that all standards included in the NCCC Information Security manual are followed locally
• Any deviation from the manual needs to be documented locally and the college needs to be prepared to justify the deviation

Page 15

Looking Forward

• Living document (This document is not perfect)

• Manual will be updated as Statewide Manual is updated

• Edits will be sent out, reviewed, and adopted at the “upcoming” IIPS Conference (as needed)

Page 16

Q&A

Once approved by SCIO, the official document will be placed on the IIPS website: http://www.nciips.org/ (About IIPS Tab)