
OM 9.1.2 - Information Security Standards

Effective Date: January 2023
Last Updated: April 24, 2023
Responsible University Office: Office of Information Technology
Responsible University Administrator: Chief Information Officer


Policy Contact:

Office of Information Technology
helpdesk@clarkson.edu

1 Purpose

The Information Security Steering Committee of Clarkson University has adopted these information security Standards, which define the appropriate administrative, technical, and physical safeguards over sensitive information. These standards are designed to:

● Ensure that the safeguards adequately address the legal, regulatory, and mandatory requirements for information security;

● Provide adequate coverage of the recommended best practices spanning the eighteen NIST control families; and

● Give a general assurance level that the confidentiality, integrity, and availability of the University's assets will be upheld.

These Standards are based upon NIST 800-53 rev4 and represent the "What" elements of information security that are specific to the University. Clarkson University will update these standards as the need arises and will continue to review them annually. As these standards are not policy, updates do not require Board approval, but they will be reviewed and formally approved by the Information Security Steering Committee at least annually.

In addition to the Standards defined here, Clarkson University also maintains a set of procedures, plans, and processes that define the "How", "When", and "Who" elements of information security, and that set out the behavior expected of personnel as they carry out the Standards in an approved manner.

2 Scope

These standards are applicable to all information in the possession of the University, including its affiliates and its agents, which may be stored, processed, or transmitted by any means. This includes electronic information, information on paper, and information shared orally or visually (e.g., telephone and video conferencing). Also included is any information in storage or in electronic or physical transmission outside of the University's facilities (e.g., service providers).

3 Roles & Responsibilities

Ultimate accountability for the Information Security controls rests with the Director of Network Services and Information Security. The control owners are accountable for ensuring that the controls assigned to them are in place and effective throughout the scope of the organization to which the controls apply.

● For administrative controls, the control owner will most likely oversee the execution of the controls and may be their implementor as well.

● For technical controls, the control owner is accountable, and may or may not choose to have IT implement the controls on their behalf.

● For physical controls, there will be a division of labor between the control owner and the facilities team.

4 Information Security Standards

4.1 Access Control Policy and Procedures

4.1.1 Standard Owner: Board, Senior Management, Information Technology

4.1.2 Standard References

NIST: AC-1

GLBA: Effective

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)

PCI-DSS: 12.1, 12.1.1

4.1.3 Standard

The organization will:

  • Develop, document, and disseminate standards that address purpose, scope, roles and responsibilities for managing access management activities;
  • Develop and document the roles and responsibilities for individuals who have access to information systems;
  • Document supporting procedures;
  • Disseminate the information to ensure coordination among the organization's entities; and
  • Policy and procedure are approved and reviewed every
  • Review the standards

4.2 Access Control Policy and Procedures

4.2.1 Standard Owner: Information Technology

4.2.2 Standard References

NIST: AC-1

GLBA:

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)

PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.2

4.2.3 Standard

A formal, documented emergency access procedure (for systems and facilities) will be maintained for enabling authorized workforce members to obtain access during an emergency.

4.3 Account Management

4.3.1 Standard Owner: Information Technology

4.3.2 Standard References

NIST: AC-2

GLBA:

GDPR:

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6

HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.2

4.3.3 Standard

All user access to systems must be granted based on (1) valid access authorization, including business justification, by [Whom], (2) intended system usage, and (3) other attributes as required by the organization or the associated mission/business functions.

4.4 Account Management

4.4.1 Standard Owner: Information Technology

4.4.2 Standard References

NIST: AC-2

GLBA: Effective

GDPR:

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6

HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS: 7.1, 7.1.2, 7.2

4.4.3 Standard

Accounts with special privileges will only be used for those tasks that require them, not for day-to-day usage.

4.5 Account Management | Access Enforcement | Least Privilege

4.5.1 Standard Owner: Information Technology

4.5.2 Standard References

NIST: AC-2, AC-3, AC-6

GLBA: Effective

GDPR:

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.1.4, 7.2, 7.2.1, 7.2.3, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 10.1

4.5.3 Standard

A formal, documented process for granting appropriate access to organization information systems will be maintained. Only the most minimal access will be provisioned, on a need-to-know basis. All revisions to the access rights of organization workforce members and software programs will be tracked and logged. Security groups and ACLs will be used to provide limited, role-based access to shared resources. For systems not relying on domain accounts, the account creation/removal process will also be documented. At a minimum, tracking and logging of all access requests will record the following information:

  • Date and time of revision
  • Identification of the workforce member or software program whose access is being revised
  • Brief description of the revised access right(s)
  • Approval by system owner/stewards or their chosen delegate
  • Reason for revision

This information will be securely maintained.

4.6 Access Enforcement

4.6.1 Standard Owner: Information Technology

4.6.2 Standard References

NIST: AC-3

GLBA: Effective

GDPR:

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 1.2.1, 7.2.3

4.6.3 Standard

Access to internal, non-public-facing systems from untrusted sites will, by default, be blocked at the organization perimeter firewall.

4.7 Access Enforcement | Least Privilege

4.7.1 Standard Owner: Information Technology

4.7.2 Standard References

NIST: AC-3, AC-6

GLBA: Draft

GDPR:

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3, A.9.2.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1.1, 7.1.3, 8.1.4

4.7.3 Standard

All organization workforce members will have their information system privileges automatically disabled after their user ID or access method has had 90 days of inactivity. All privileges disabled in this manner will be reviewed to ensure that the inactivity is not due to termination of employment. If termination is the reason for the inactivity, the situation will be reviewed to ensure that all access to CONFIDENTIAL INFORMATION (or the ability to physically access information) has been eliminated.

4.8 Access Enforcement | Least Privilege

4.8.1 Standard Owner: Information Technology

4.8.2 Standard References

NIST: AC-3, AC-6

GLBA: Draft

GDPR:

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3, A.9.2.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1.2, 7.1.3

4.8.3 Standard

Access reviews for privileged and non-privileged accounts on systems storing restricted information will be conducted annually.

4.9 Information Flow Enforcement

4.9.1 Standard Owner: Information Technology

4.9.2 Standard References

NIST: AC-4

GLBA: On Hold

GDPR:

ISO27001: A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.310(b)

PCI-DSS:

4.9.3 Standard

The organization will define a Security Architecture Plan that addresses:

  • The flow of information between interconnected systems; and
  • Defined security rules by network

4.10 Separation of Duties

4.10.1 Standard Owner: Information Technology

4.10.2 Standard References

NIST: AC-5

GLBA: Effective

GDPR:

ISO27001: A.6.1.2

HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)

PCI-DSS:

4.10.3 Standard

Where possible, software developers will not utilize elevated access to production systems.

4.11 Least Privilege

4.11.1 Standard Owner: Information Technology

4.11.2 Standard References

NIST: AC-6

GLBA: Effective

GDPR:

ISO27001: A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5

HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)

PCI-DSS: 7.1.2, 7.1.3

4.11.3 Standard

Only the most minimal access will be provisioned, on a need-to-know basis.

4.12 Unsuccessful Logon Attempts

4.12.1 Standard Owner: Information Technology

4.12.2 Standard References

NIST: AC-7

GLBA: Effective

GDPR:

ISO27001: A.9.4.2

HIPAA:

PCI-DSS:

4.12.3 Standard

Organization workforce members shall not attempt to gain access to organization information systems containing restricted information for which they have not been given proper authorization.

4.13 Unsuccessful Logon Attempts

4.13.1 Standard Owner: Information Technology

4.13.2 Standard References

NIST: AC-7

GLBA: Effective

GDPR:

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2, 2.2.4, 8.1.6, 8.1.7

4.13.3 Standard

Systems will lock accounts after no more than 5 failed login attempts.

4.14 System Use Notification

4.14.1 Standard Owner: Information Technology

4.14.2 Standard References

NIST: AC-8

GLBA: On Hold

GDPR:

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2.4

4.14.3 Standard

The organization displays an approved system use notification message or banner before granting access to the system. The banner provides privacy and security notices consistent with applicable laws, directives, policies, regulations, standards, and guidance, and states that:

  • users are accessing organizational information systems;
  • system usage may be monitored, recorded, and subject to audit;
  • unauthorized use of the system is prohibited and subject to disciplinary action; and
  • use of the system indicates consent to monitoring and

4.15 Previous Logon (Access) Notification

4.15.1 Standard Owner: Information Technology

4.15.2 Standard References

NIST: AC-9

GLBA: On Hold

GDPR:

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2.4

4.15.3 Standard

Workstation, laptop, and server logon systems will suppress and/or not display the username of the previously logged on user.

4.16 Concurrent Session Control

4.16.1 Standard Owner: Information Technology

4.16.2 Standard References

NIST: AC-10

GLBA: On Hold

GDPR:

ISO27001: --

HIPAA:

PCI-DSS:

4.16.3 Standard

Critical applications will be configured to limit the number of concurrent sessions for each account and/or account type.

4.17 Session Lock

4.17.1 Standard Owner: Information Technology

4.17.2 Standard References

NIST: AC-11

GLBA: Effective

GDPR:

ISO27001: A.11.2.8, A.11.2.9

HIPAA: 164.310(b), 164.312(a)(2)(iii)

PCI-DSS: 2.2, 2.2.4, 8.1.8, 12.3.8

4.17.3 Standard

Endpoints must prevent further access to information assets by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user. In addition, systems must retain the session lock until the user reestablishes access using established identification and authentication procedures.

4.18 Session Termination

4.18.1 Standard Owner: Information Technology

4.18.2 Standard References

NIST: AC-12

GLBA: On Hold

GDPR:

ISO27001: --

HIPAA: 164.310(b), 164.312(a)(2)(iii)

PCI-DSS: 2.2, 2.2.4, 8.1.8, 12.3.8

4.18.3 Standard

Systems will disconnect application and remote access sessions after 240 minutes of idle time.

4.19 Remote Access

4.19.1 Standard Owner: Information Technology

4.19.2 Standard References

NIST: AC-17

GLBA: Effective

GDPR:

ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2

HIPAA: 164.310(b)

PCI-DSS: 8.1.5

4.19.3 Standard

Applications accessed through external-facing web servers without appropriate SSL encryption will only be accessed via an approved VPN.

4.20 Remote Access

4.20.1 Standard Owner: Information Technology

4.20.2 Standard References

NIST: AC-17

GLBA: Effective

GDPR:

ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2

HIPAA: 164.310(b)

PCI-DSS: 8.1.5, 12.3.9, 12.3.10

4.20.3 Standard

Remote access technologies for vendors will only be enabled when needed, with immediate deactivation after use.

4.21 Wireless Access

4.21.1 Standard Owner: Information Technology

4.21.2 Standard References

NIST: AC-18

GLBA: Effective

GDPR:

ISO27001: A.6.2.1, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 4.1, 4.1.1, 11.1

4.21.3 Standard

Public wireless networks will be considered open, insecure networks.

4.22 Wireless Access

4.22.1 Standard Owner: Information Technology

4.22.2 Standard References

NIST: AC-18

GLBA: Effective

GDPR:

ISO27001: A.6.2.1, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.2.3, 2.1.1, 4.1, 9.1.3, 11.1, 11.1.1, 11.1.2, 12.3

4.22.3 Standard

Without prior authorization, departments or personnel will not set up their own wireless access points or networks.

4.23 Use of External Information Systems

4.23.1 Standard Owner: Information Technology

4.23.2 Standard References

NIST: AC-20

GLBA: On Hold

GDPR:

ISO27001: A.11.2.6, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.3.5

4.23.3 Standard

All connections between organization Information Systems and external systems will be approved and documented.

4.24 Use of External Information Systems

4.24.1 Standard Owner: Information Technology

4.24.2 Standard References

NIST: AC-20

GLBA: Effective

GDPR:

ISO27001: A.11.2.6, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.3.5

4.24.3 Standard

The Director of Network Services & Information Security will approve any system which interfaces with systems that store or process information classified as 'Clarkson-Restricted'.

4.25 Publicly Accessible Content

4.25.1 Standard Owner: Information Technology | Compliance

4.25.2 Standard References

NIST: AC-22

GLBA: Effective

GDPR:

ISO27001: --

HIPAA:

PCI-DSS:

4.25.3 Standard

Information classified as Clarkson-Restricted will not be posted on the organization's publicly available website.

4.26 Access Control Decisions

4.26.1 Standard Owner: Information Technology

4.26.2 Standard References

NIST: AC-24

GLBA: Effective

GDPR:

ISO27001: A.9.4.1*

HIPAA:

PCI-DSS:

4.26.3 Standard

All access requests will go through a managerial approval process prior to access enforcement.

4.27 Audit and Accountability Policy and Procedures

4.27.1 Standard Owner: IT

4.27.2 Standard References

NIST: AU-1

GLBA: Effective

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.312(b)

PCI-DSS: 12.1, 12.1.1

4.27.3 Standard

The organization will:

  • Develop, document, and disseminate audit and accountability standards that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
  • Develop procedures to facilitate the implementation of these
  • Review and update these standards and associated procedures, at a minimum,

4.28 Audit Events | Non-repudiation

4.28.1 Standard Owner: IT

4.28.2 Standard References

NIST: AU-2, AU-10

GLBA: Effective

GDPR:

ISO27001: --

HIPAA: 164.308(a)(5)(ii)(C), 164.312(b)

PCI-DSS: 8.1.5, 10.1, 10.2, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6.1

4.28.3 Standard

Security events for Active Directory, firewalls, servers, applications, and databases will be defined. This includes:

  • Permission Altered Alerts (accounts/groups created, group membership modified, VPN groups modified)
  • Inappropriate Use & Login for Administrators (successful/failed logon attempts, application/operating system/network device administrator accounts, service accounts, accounts used to provision access, local administrator accounts)
  • Inappropriate Use for Workforce (successful/failed logon attempts, multiple account locks/disabled/deleted)
  • System Events (logs cleared, virus/malware detected, NTP time change, rogue wireless devices)
  • System Health (Active Directory groups created/removed, application restarts/shutdowns, taxing Active Directory queries)
  • File Integrity (critical/sensitive file changes)
  • Network Intrusion Attempts
  • Application & Database (failed logon attempts, accounts created/modified)
  • Event types, date and time, origination of event, identity or name of affected data, system component, or resource

4.29 Content of Audit Records

4.29.1 Standard Owner: IT

4.29.2 Standard References

NIST: AU-3

GLBA: Effective

GDPR:

ISO27001: A.12.4.1*

HIPAA: 164.312(b)

PCI-DSS: 10.5.3, 10.7

4.29.3 Standard

Logs from Active Directory, firewalls (both internal and external), servers, and DNS will be sent to the central logging server.

4.30 Audit Storage Capacity

4.30.1 Standard Owner: IT

4.30.2 Standard References

NIST: AU-4

GLBA: Effective

GDPR:

ISO27001: A.12.1.3

HIPAA: 164.312(b)

PCI-DSS: 10.5.3, 10.7

4.30.3 Standard

Logs will be moved to a centralized logging system within 24 hours of being recorded.

4.31 Response to Audit Processing Failures

4.31.1 Standard Owner: IT

4.31.2 Standard References

NIST: AU-5

GLBA: Effective

GDPR:

ISO27001: --

HIPAA:

PCI-DSS:

4.31.3 Standard

The central logging server will be monitored for system disk capacity, availability, and the running of the syslog process.

4.32 Audit Review, Analysis, and Reporting

4.32.1 Standard Owner: IT

4.32.2 Standard References

NIST: AU-6

GLBA: On Hold

GDPR:

ISO27001: A.12.4.1, A.16.1.2, A.16.1.4

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.312(b)

PCI-DSS:

4.32.3 Standard

Metrics reports for security events will be created and monitored on a periodic basis, based on the criticality of the logs. An alerting process will also be used.

4.33 Time Stamps

4.33.1 Standard Owner: IT

4.33.2 Standard References

NIST: AU-8

GLBA: Effective

GDPR:

ISO27001: A.12.4.4

HIPAA:

PCI-DSS: 2.2, 2.2.4, 10.3.3, 10.4, 10.4.1, 10.4.2, 10.4.3

4.33.3 Standard

All workstations and servers will receive their time via NTP from industry-accepted time sources.

4.34 Protection of Audit Information

4.34.1 Standard Owner: IT

4.34.2 Standard References

NIST: AU-9

GLBA: Effective

GDPR:

ISO27001: A.12.4.2, A.12.4.3, A.18.1.3

HIPAA:

PCI-DSS: 10.5, 10.5.1, 10.5.2

4.34.3 Standard

Audit logs will be secured so that they cannot be altered:

  • Access limited to those with job-related needs
  • Protected via access control mechanisms and physical segregation

4.35 Audit Record Retention

4.35.1 Standard Owner: IT

4.35.2 Standard References

NIST: AU-11

GLBA: Draft

GDPR:

ISO27001: A.12.4.1, A.16.1.7

HIPAA:

PCI-DSS: 10.5.3, 10.5.4, 10.5.5

4.35.3 Standard

Logs will be sent to a central log server and retained for a minimum of 3 months online and 9 months offline (a total of 1 year available). Log files will be monitored for change.

4.36 Monitoring for Information Disclosure

4.36.1 Standard Owner: IT

4.36.2 Standard References

NIST: AU-13

GLBA: On Hold

GDPR:

ISO27001: --

HIPAA:

PCI-DSS: 10.6, 10.6.1, 10.6.2, 10.6.3

4.36.3 Standard

Logs will be monitored and security events investigated, at a minimum, daily. If a security incident has occurred, the incident response procedures will be executed and followed.
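The event categories defined in 4.28.3 and the daily log review required by 4.36.3 are easier to operate when each category is an explicit rule over the central log. The following is an added example, not the University's tooling: it classifies constructed log lines (an assumed key=value format with invented hosts and users) into the 4.28.3 categories, raising one alert when an administrator or service account reaches three failed logons, when an account is locked three times, when a log is cleared, or when NTP time changes.

```python
"""Map log lines to the security-event categories of standard 4.28.3.

Added example, not Clarkson University code. The line format
(ISO timestamp followed by key=value pairs) and the account naming
convention (administrator accounts prefixed 'admin.' or 'svc.') are
assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample log lines; every host, user and address is invented.
SAMPLE_LOGS = """\
2023-04-20T08:01:12Z host=dc01 event=logon_failed user=admin.jdoe src=10.0.5.23
2023-04-20T08:01:20Z host=dc01 event=logon_failed user=admin.jdoe src=10.0.5.23
2023-04-20T08:01:31Z host=dc01 event=logon_failed user=admin.jdoe src=10.0.5.23
2023-04-20T08:02:05Z host=dc01 event=group_member_added group="Domain Admins" user=svc.backup actor=admin.jdoe
2023-04-20T08:05:44Z host=dc01 event=account_locked user=student42
2023-04-20T08:05:50Z host=dc01 event=account_locked user=student42
2023-04-20T08:05:58Z host=dc01 event=account_locked user=student42
2023-04-20T09:10:00Z host=web01 event=log_cleared log=Security actor=svc.backup
2023-04-20T09:12:13Z host=fw01 event=ntp_time_changed offset_s=3600
2023-04-20T09:15:00Z host=web01 event=logon_success user=student17 src=10.0.9.8
"""

# key=value pairs; the value may be quoted to allow spaces (group="Domain Admins").
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
ADMIN_PREFIXES = ("admin.", "svc.")       # assumed naming convention
FAILED_LOGON_THRESHOLD = 3                # assumed alert thresholds
LOCKOUT_THRESHOLD = 3

# Category names follow the bullet list in 4.28.3.
PERMISSION = "Permission Altered"
ADMIN_USE = "Inappropriate Use & Login for Administrators"
WORKFORCE_USE = "Inappropriate Use for Workforce"
SYSTEM_EVENT = "System Events"

PERMISSION_EVENTS = {"group_member_added", "account_created", "group_created"}
SYSTEM_EVENTS = {"log_cleared", "ntp_time_changed", "malware_detected"}


def parse_line(line):
    """Split one log line into a dict of fields (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def classify(lines):
    """Return a list of (category, detail) alerts for the given log lines."""
    alerts = []
    failed_admin = Counter()   # failed logons per privileged account
    locks = Counter()          # lockouts per account
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        kind = ev.get("event")
        user = ev.get("user", "")
        host = ev.get("host", "?")
        if kind in PERMISSION_EVENTS:
            target = ev.get("group", user)
            alerts.append((PERMISSION, f"{ev.get('actor')} changed {target!r} on {host}"))
        elif kind == "logon_failed" and user.startswith(ADMIN_PREFIXES):
            failed_admin[user] += 1
            if failed_admin[user] == FAILED_LOGON_THRESHOLD:
                alerts.append((ADMIN_USE, f"{FAILED_LOGON_THRESHOLD} failed logons for "
                                          f"{user} from {ev.get('src')} on {host}"))
        elif kind == "account_locked":
            locks[user] += 1
            if locks[user] == LOCKOUT_THRESHOLD:
                alerts.append((WORKFORCE_USE, f"{user} locked {LOCKOUT_THRESHOLD} times on {host}"))
        elif kind in SYSTEM_EVENTS:
            alerts.append((SYSTEM_EVENT, f"{kind} on {host} at {ev['ts']}"))
    return alerts


def summarize(alerts):
    """Count alerts per 4.28.3 category, the shape a daily metrics report (4.32.3) needs."""
    return dict(Counter(category for category, _ in alerts))


if __name__ == "__main__":
    found = classify(SAMPLE_LOGS.splitlines())
    for category, detail in found:
        print(f"[{category}] {detail}")
    print(summarize(found))
```

Successful workforce logons generate no alert on their own; the thresholds and the set of event names are the parts a site would tune against its own log sources.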

4.37 Security Awareness and Training Policy and Procedures

4.37.1 Standard Owner: Information Security

4.37.2 Standard References

NIST: AT-1

GLBA: Effective

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 12.6, 12.6.1

4.37.3 Standard

The organization will:

  • Develop, document, and disseminate security awareness and training standards that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
  • Develop procedures to facilitate the implementation of the
  • Review and update Policies every year
  • Review and update the standards and associated procedures, as

4.38 Security Awareness Program

4.38.1 Standard Owner: Information Security

4.38.2 Standard References

NIST: AT-1

GLBA: Effective

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 12.6, 12.6.1

4.38.3 Standard

The organization will develop, implement, and regularly review a formal, documented program for providing appropriate security training and awareness to workforce members, at a minimum on hire and annually thereafter.

4.39 Security Awareness Training

4.39.1 Standard Owner: Information Security

4.39.2 Standard References

NIST: AT-2

GLBA: Effective

GDPR:

ISO27001: A.7.2.2, A.12.2.1

HIPAA: 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B)

PCI-DSS: 3.7, 4.3, 8.4, 12.6, 12.6.1

4.39.3 Standard

Employee training and security reminder communications will, at a minimum, address:

  • The importance of creating, using, and safeguarding authentication credentials
  • Ensuring that organization workforce members understand that all activities involving their user identification and password will be attributed to
  • Security policies, procedures, and standards for protecting the confidentiality, integrity, and availability of information and systems
  • Significant risks to organization information systems and data
  • Information security legal and business responsibilities
  • How, and to whom, an incident shall be reported
  • How to identify, report, and avoid malicious software, other forms of suspicious electronic communication, and social engineering attempts

4.40 Role-Based Security Training

4.40.1 Standard Owner: Information Security

4.40.2 Standard References

NIST: AT-3

GLBA: Effective

GDPR:

ISO27001: A.7.2.2*

HIPAA: 164.308(a)(5)(i)

PCI-DSS:

4.40.3 Standard

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

  • before authorizing access to the information system or performing assigned duties;
  • when required by information system changes; and
  • annually

4.41 Role-Based Security Training

4.41.1 Standard Owner: Information Security | Finance* | Compliance*

4.41.2 Standard References

NIST: AT-3

GLBA: Effective

GDPR:

ISO27001: A.7.2.2*

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 3.7, 4.3, 8.4, 9.9, 9.9.3, 12.6, 12.6.1

4.41.3 Standard

Employees who access, store, process, or protect credit cardholder data will receive training on appropriate procedures for safeguarding credit cardholder data, at a minimum on hire and annually thereafter.

4.42 Security Training Records

4.42.1 Standard Owner: Information Security

4.42.2 Standard References

NIST: AT-4

GLBA: Effective

GDPR:

ISO27001: --

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 12.6.1, 12.6.2

4.42.3 Standard

After training has been conducted, each organization workforce member will verify that he or she has received the training, understood the material presented, and agrees to comply with it.

4.43 Configuration Management Policy and Procedures

4.43.1 Standard Owner: IT

4.43.2 Standard References

NIST: CM-1

GLBA: Effective

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA:

PCI-DSS: 12.1, 12.1.1

4.43.3 Standard

The organization will:

  • Develop, document, and disseminate configuration management standards that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
  • Develop procedures to facilitate the implementation of these
  • Review and update these standards and associated procedures, at a minimum,

4.44 Baseline Configuration

4.44.1 Standard Owner: IT

4.44.2 Standard References

NIST: CM-2

GLBA: Draft

GDPR:

ISO27001: --

HIPAA:

PCI-DSS: 1.1.1, 1.1.5, 1.1.6, 1.2.2, 1.5, 2.2, 2.2.2, 2.2.4, 2.2.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 10.4.3, 12.1, 12.1.1, 12.3

4.44.3 Standard

Management procedures will be created that address:

  • The documentation of Hardening Configuration Standards, by operating system. These configuration controls will be based on industry-accepted standards (e.g., Center for Internet Security, or CIS).
  • System account configurations
  • Groups, roles, and responsibilities for management of network components
  • Documented business justification for all ports and protocols allowed/disallowed, and any security features implemented for those protocols considered insecure
  • For routers, securing and synchronization of configuration files
  • Documentation of security parameters that prevent misuse
  • Secure coding techniques in the software development lifecycle
  • Synchronization with industry-accepted time sources

4.45 Baseline Configuration

4.45.1 Standard Owner: IT

4.45.2 Standard References

NIST: CM-2, CM-6

GLBA: Effective

GDPR:

ISO27001: --

HIPAA:

PCI-DSS: 1.4, 2.2

4.45.3 Standard

Organization-owned laptops and employee-owned user devices are prohibited from storing, processing, or transmitting credit cardholder data. Desktops and mobile devices (e.g., tablets, smartphones) may be used to process cardholder transactions only if they are equipped with P2PE-compliant devices and are authorized by IT.

4.46 Baseline Configuration

4.46.1 Standard Owner: IT

4.46.2 Standard References

NIST: CM-2, CM-6

GLBA: Draft

GDPR:

ISO27001: --

HIPAA:

PCI-DSS: 2.2, 2.2.4

4.46.3 Standard

All systems that access, store, process, or transmit non-Public Information will be configured to:

  • Not display information system or application identifying information until the log-in process has been successfully completed
  • Where supported, display a logon banner
  • Not provide help messages during the log-in procedure that would assist an unauthorized user. If an error arises during authentication, the system will not indicate which part of the data is correct or incorrect
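The last bullet of 4.46.3 (no hint about which part of the login data was wrong) and the lockout in 4.13.3 (no more than 5 failed attempts) are both properties of the login handler rather than of the surrounding system. The following is an added example, not the University's code: it shows a non-compliant handler beside a compliant one. The user store, hash parameters, account names and message text are constructed for the example; a production system would use per-user random salts and a persistent lockout store.

```python
"""Login handling that satisfies 4.46.3 (no identifying information before
login, no hint about which field failed) and 4.13.3 (lock after 5 failures).

Added example, not Clarkson University code. User records, salt, iteration
count and message wording are assumptions made for this example.
"""
import hashlib
import hmac
import os
from collections import defaultdict

_SALT = b"constructed-salt-for-example"   # constructed; real systems use a per-user random salt
_ITERATIONS = 50_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed user store: invented names and passwords.
USERS = {"jdoe": _hash("correct horse"), "asmith": _hash("battery staple")}

# Compared against when the username is unknown, so an unknown name costs the
# same work as a known one and response time does not reveal which field failed.
_DUMMY_HASH = _hash(os.urandom(16).hex())

LOCKOUT_AFTER = 5                         # 4.13.3: lock after no more than 5 failures
GENERIC_FAILURE = "Login failed. Check your username and password."
_failed_attempts = defaultdict(int)       # in-memory for the example; persist in practice


def pre_login_prompt() -> str:
    """Text shown before authentication: a use notification only (4.14.3), with no
    product name, version or host name (4.46.3, first bullet)."""
    return "Authorized users only. Use of this system may be monitored and recorded."


def verbose_login(username: str, password: str):
    """Non-compliant handler kept for contrast: the message reveals whether the
    username exists, which is exactly the hint 4.46.3 prohibits."""
    if username not in USERS:
        return False, "Unknown username"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return False, "Incorrect password"
    return True, "Welcome"


def compliant_login(username: str, password: str):
    """Compliant handler: one message and one amount of work for every failure,
    and the account stops accepting logins after LOCKOUT_AFTER failures."""
    stored = USERS.get(username, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash(password))   # always computed
    if username not in USERS or _failed_attempts[username] >= LOCKOUT_AFTER:
        return False, GENERIC_FAILURE
    if not password_ok:
        _failed_attempts[username] += 1
        return False, GENERIC_FAILURE
    _failed_attempts[username] = 0
    return True, "Welcome"


def unlock(username: str) -> None:
    """Administrative reset of the failure counter."""
    _failed_attempts.pop(username, None)


if __name__ == "__main__":
    print(pre_login_prompt())
    print(verbose_login("nobody", "x"), verbose_login("jdoe", "wrong"))       # differ: leaks
    print(compliant_login("nobody", "x"), compliant_login("jdoe", "wrong"))   # identical
```

A locked account receives the same generic message as a wrong password, so the lockout itself does not tell a caller whether the name was valid; the counter is reset by an administrator through `unlock`.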

4.47 Configuration Change Control | Security Impact Analysis

4.47.1                    Standard Owner: IT

4.47.2                    Standard References

NIST: CM-3 CM-4

GLBA: Effective

GDPR:

ISO27001: A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 A.14.2.3

HIPAA:

PCI-DSS: 1.5,2.2.4, 2.5, 3.7, 4.3, 5.4, 6.3.1, 6.3.2, 6.4, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, 6.7,

7.3, 8.8, 9.10, 10.8, 11.6

4.47.3                    Standard

The organization will develop, document, implement, and maintain a change management process for managing changes to production systems containing Clarkson-Restricted data.

This process will address:

  • Documentation of security impact analysis, functionality testing, back out procedures
  • The documentation and retention of change records
  • Review and authorization of changes with explicit consideration for security impact analyses
  • Coordination and communication of changes
  • Oversight for proposed configuration-controlled changes
  • If a new application or changed application that stores non-Public Information, the system will store evidence of a vulnerability scan
  • The removal of development, test and/or custom application accounts, user IDs, and passwords before the application become active or are released into production
  • The removal of custom code prior to production release
  • Where possible, separate development, test, and production systems
  • Separation of duties between development/test and production systems
  • Confirmation that credit cardholder data is not being stored
  • Removal of test data

4.48 Access Restrictions for Change

4.48.1                    Standard Owner: IT

4.48.2                    Standard References

NIST: CM-5

GLBA: Effective

GDPR:

ISO27001: A.9.2.3, A.9.4.5, A.12.1.2, A.12.1.4, A.12.5.1

HIPAA:

PCI-DSS: 2.2.4

4.48.3                    Standard

IT administrators or authorized vendors will be the only groups who have administrator access to servers.

4.49 Configuration Settings

4.49.1                    Standard Owner: IT

4.49.2                    Standard References

NIST: CM-6

GLBA: Draft

GDPR:

ISO27001: --

HIPAA:

PCI-DSS: 2.2,2.2.4, 8.1.8

4.49.3                    Standard

Where technically feasible, computing devices will be electronically locked when they are no longer in use:

  • Servers: 10 minutes
  • Laptops and Desktops: 15 minutes
  • Mobile Devices (smart phones, tablets): 3 minutes
  • Network Devices: 10 minutes

Exceptions to this standard may be granted and must be approved by the Director of Network Services and Information Security.

4.50 Configuration Settings

4.50.1                    Standard Owner: IT

4.50.2                    Standard References

NIST: CM-6

GLBA: On Hold

GDPR:

ISO27001: --

HIPAA:

PCI-DSS:

4.50.3                    Standard

Configuration-controlled computing devices will be sampled and scanned every 6 months to identify, document, implement, and approve any deviations to the configuration settings in accordance with the Hardening Configuration Standards.

4.51            Least Functionality

4.51.1                    Standard Owner: IT

4.51.2                    Standard References

NIST: CM-7

GLBA: Effective

GDPR:

ISO27001: A.12.5.1*

HIPAA:

PCI-DSS: 2.2.1

4.51.3                    Standard

Where economically feasible, only one primary function can be assigned to a production server to prevent functions that require different security levels from co-existing on the same server (For example, web servers, database servers, and DNS will be implemented on separate servers). This includes one primary function per virtualized system instance.

4.52 Information System Component Inventory

4.52.1                    Standard Owner: IT

4.52.2                    Standard References

NIST: CM-8

GLBA: On Hold

GDPR:

ISO27001: A.8.1.1, A.8.1.2

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii)

PCI-DSS: 2.2.4,2.4, 7.2.1, 9.7.1, 9.9.1, 11.1.1, 12.2

4.52.3                    Standard

In order to maintain an inventory of all information systems, approved technologies, and electronic media, and to ensure computing assets comply with configuration standards, the Change Management process will identify and update asset inventories.

4.53 Software Usage Restrictions

4.53.1                    Standard Owner: IT

4.53.2                    Standard References

NIST: CM-10

GLBA: Effective

GDPR:

ISO27001: A.18.1.2

HIPAA:

PCI-DSS:

4.53.3                    Standard

All software usage will be tracked and controlled in accordance with contract requirements and copyright laws.

4.54            Software Usage Restrictions

4.54.1                    Standard Owner: IT

4.54.2                    Standard References

NIST: CM-10

GLBA: Effective

GDPR:

ISO27001: A.18.1.2

HIPAA:

PCI-DSS:

4.54.3                    Standard

Peer to Peer software is prohibited.

4.55            User-Installed Software

4.55.1                    Standard Owner: IT

4.55.2                    Standard References

NIST: CM-11

GLBA: Effective

GDPR:

ISO27001: A.12.5.1, A.12.6.2

HIPAA:

PCI-DSS: 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7

4.55.3                    Standard

Software programs will not be installed on workstations or servers without prior authorizations. Only approved software will be installed on organizational assets.

4.56            Contingency Planning Policy and Procedures

4.56.1                    Standard Owner: Operations

4.56.2                    Standard References

NIST: CP-1

GLBA: Effective

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(7)(i)

PCI-DSS: 12.1, 12.1.1

4.56.3                    Standard

The organization will:

  • Develop, document, and disseminate standards and an emergency operations center (EOC) contingency plan that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
  • Develop procedures to facilitate the implementation of the
  • Review and update the standards and the EOC contingency plan and associated procedures, at a minimum,
  • Ensure that contingency plans have adequately addressed safeguarding critical information during a serious outage or

4.57            Contingency Plan

4.57.1                    Standard Owner: Operations

4.57.2                    Standard References

NIST: CP-2

GLBA: Effective

GDPR:

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.57.3                    Standard

The organization develops and maintains a Business Impact Assessment process to identify and regularly analyze the criticality of organization information systems.

4.58            Contingency Plan

4.58.1                    Standard Owner: Operations

4.58.2                    Standard References

NIST: CP-2

GLBA: Effective

GDPR:

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.58.3                    Standard

The organization will have a Continuity Plan for both preparing for and effectively responding to emergencies and disasters that may damage the confidentiality, integrity, or availability of its information systems. At a minimum, the plan will address:

  • Identification of significant processes and controls that protect the confidentiality, integrity, and availability of Non-Public Information on organization information
  • Identification and prioritization of emergencies that may impact organization information systems containing Non-Public Information.
  • Documenting procedures for how organization will respond to specific emergencies that impact information systems containing Non-Public
  • Define procedures for how organization, during and immediately after a crisis situation, will maintain the processes and controls that ensure the availability, integrity and confidentiality of Non-Public Information on organization information systems.
  • Define a procedure that ensures that authorized employees can enter organization facilities to enable continuation of processes and controls that protect Non-Public Information while organization is operating in emergency
  • Return to normal procedures

4.59            Contingency Plan

4.59.1                    Standard Owner: Operations

4.59.2                    Standard References

NIST: CP-2

GLBA: Effective

GDPR:

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.59.3                    Standard

IT will create and document a disaster recovery plan to support the BCP. The plan will be reviewed regularly and revised as necessary. At a minimum, the recovery plan will include:

  • The conditions for activating the
  • Identification and definition of organization workforce member
  • Resumption procedures (manual and automated) which describe the actions to be taken to return organization information systems to normal operations within required time
  • Notification and reporting
  • Procedure(s) for allowing appropriate employees physical access to organization facilities so that they can implement recovery procedures in the event of a

4.60            Contingency Plan

4.60.1                    Standard Owner: Operations

4.60.2                    Standard References

NIST: CP-2

GLBA: Effective

GDPR:

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.60.3                    Standard

Authorized organization workforce members will have access to the current BCP and DR plans and an appropriate number of current copies of the plan will be kept off-site.

4.61            Contingency Plan

4.61.1                    Standard Owner: Operations

4.61.2                    Standard References

NIST: CP-2

GLBA: Effective

GDPR:

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.61.3                    Standard

The organization’s contingency plans will be kept current. Examples of events that will result in an update of the plan include, but are not limited to:

  • Change in disaster recovery
  • Change in contact information for disaster recovery
  • Significant change(s) to organization’s technical or physical
  • Change in key suppliers or
  • Significant change in threats to organization facilities or information

4.62            Contingency Training

4.62.1                    Standard Owner: Operations

4.62.2                    Standard References

NIST: CP-3

GLBA: On Hold

GDPR:

ISO27001: A.7.2.2*

HIPAA: 164.308(a)(7)(ii)(D)

PCI-DSS:

4.62.3                    Standard

Organization workforce members will receive training and awareness on organization's disaster preparation and disaster and emergency response processes.

4.63            Contingency Plan Testing

4.63.1                    Standard Owner: IT

4.63.2                    Standard References

NIST: CP-4

GLBA: Effective

GDPR:

ISO27001: A.17.1.3

HIPAA: 164.308(a)(7)(ii)(D)

PCI-DSS:

4.63.3                    Standard

The Disaster Recovery plan will be tested for select systems, at a minimum, annually.

4.64            Contingency Plan Testing

4.64.1                    Standard Owner: IT

4.64.2                    Standard References

NIST: CP-4

GLBA: Effective

GDPR:

ISO27001: A.17.1.3

HIPAA: 164.308(a)(7)(ii)(D)

PCI-DSS:

4.64.3                    Standard

Backup & Recovery Procedure will be tested at least annually.

4.65            Contingency Plan Testing

4.65.1                    Standard Owner: IT

4.65.2                    Standard References

NIST: CP-4

GLBA: On Hold

GDPR:

ISO27001: A.17.1.4

HIPAA: 164.308(a)(7)(ii)(D)

PCI-DSS:

4.65.3                    Standard

The results of the DRP test will be formally documented and presented to appropriate organization management. The contingency plan will be revised as necessary to address issues or gaps identified in the testing process.

4.66            Alternate Storage Site

4.66.1                    Standard Owner: IT

4.66.2                    Standard References

NIST: CP-6

GLBA: Effective

GDPR:

ISO27001: A.11.1.4, A.17.1.2, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i)

PCI-DSS: 9.5.1

4.66.3                    Standard

Backup copies of Clarkson-Restricted Information will be stored at a secure, remote location at a minimum of 100 miles from the system of record for which the backups were made.

4.67            Alternate Processing Site

4.67.1                    Standard Owner: IT

4.67.2                    Standard References

NIST: CP-7

GLBA: Effective

GDPR:

ISO27001: A.11.1.4, A.17.1.2, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i)

PCI-DSS:

4.67.3                    Standard

The organization and/or its cloud-based vendors will provide at least one alternative processing site should the primary site become unavailable.

4.68            Information System Backup

4.68.1                    Standard Owner: IT

4.68.2                    Standard References

NIST: CP-9

GLBA: Effective

GDPR:

ISO27001: A.12.3.1, A.17.1.2, A.18.1.3

HIPAA: 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.310(d)(2)(iv)

PCI-DSS:

4.68.3                    Standard

The organization will have a formal, documented backup plan for its information systems. At a minimum, the plan will:

  • Identify information systems and electronic media to be backed
  • Provide a backup
  • Identify where backup media are stored and who may access
  • Outline restoration
  • Identify who is responsible for ensuring the backup of information systems and electronic media

4.69            Information System Backup

4.69.1                    Standard Owner: IT

4.69.2                    Standard References

NIST: CP-9

GLBA: Effective

GDPR:

ISO27001: A.12.3.1, A.17.1.2, A.18.1.4

HIPAA: 164.308(a)(7)(ii)(B)

PCI-DSS:

4.69.3                    Standard

Backup copies of all non-Clarkson-Public Information on organization electronic media and information systems will be made regularly. This includes both Non-Public Information received by organization and created within organization.

4.70            Identification and Authentication Policy and Procedures

4.70.1                    Standard Owner: Tech Services

4.70.2                    Standard References

NIST: IA-1

GLBA: Effective

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA:

PCI-DSS: 12.1, 12.1.1

4.70.3                    Standard

The organization will:

  • Develop, document, and disseminate identification and authentication standards that address the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
  • Develop procedures to facilitate the implementation of these
  • Review and update these standards and associated procedures, at a minimum,

4.71            Identification and Authentication (Organizational Users)

4.71.1                    Standard Owner: HR

4.71.2                    Standard References

NIST: IA-2

GLBA: Draft

GDPR:

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.8,12.6,12.6.1

4.71.3                    Standard

All new organization employees will receive appropriate security training before being provided with account credentials that would allow access to organizational information systems.

4.72            Identification and Authentication (Organizational Users)

4.72.1                    Standard Owner: HR

4.72.2                    Standard References

NIST: IA-2

GLBA: Effective

GDPR:

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.1.1, 8.2, 8.5,12.5.3

4.72.3                    Standard

Each user and system account will have a unique user ID. Every account will be required to have a password. Shared accounts are prohibited. All exceptions must be approved by the Director of Network Services and Information Security.

4.73            Identification and Authentication (Organizational Users)

4.73.1                    Standard Owner: Tech Services

4.73.2                    Standard References

NIST: IA-2

GLBA: On Hold

GDPR:

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.5,12.5.3

4.73.3                    Standard

Group accounts will not be used. All exceptions must be approved by the CSO.

4.74            Identification and Authentication (Organizational Users)

4.74.1                    Standard Owner: Tech Services

4.74.2                    Standard References

NIST: IA-2

GLBA: Effective

GDPR:

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.2.6

4.74.3                    Standard

To the extent practicable, all new user accounts will have a randomly generated first time password.

4.75            Identification and Authentication (Organizational Users)

4.75.1                    Standard Owner: HR

4.75.2                    Standard References

NIST: IA-2

GLBA: Effective

GDPR:

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.5.1,12.5.3

4.75.3                    Standard

Authentication credentials and methods will not be shared or revealed to others. Sharing an authentication method means the authorized user assumes responsibility for actions that another party takes with the disclosed method.

4.76            Identifier Management

4.76.1                    Standard Owner: Tech Services

4.76.2                    Standard References

NIST: IA-4

GLBA: Effective

GDPR:

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 12.5.3

4.76.3                    Standard

User IDs will be unique to individuals.

4.77            Authenticator Management

4.77.1                    Standard Owner: Tech Services

4.77.2                    Standard References

NIST: IA-5

GLBA: Effective

GDPR:

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.6

4.77.3                    Standard

Where practicable, a password reset will be required on the initial use of an account. For this password reset, the user will be authenticated by a combination of unique information provided by the individual and information provided by Clarkson University.

4.78            Authenticator Management

4.78.1                    Standard Owner: Tech Services

4.78.2                    Standard References

NIST: IA-5

GLBA: Effective

GDPR:

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS:

4.78.3                    Standard

User IDs and passwords will never be distributed in the same communication.

4.79            Authenticator Management

4.79.1                    Standard Owner: Tech Services

4.79.2                    Standard References

NIST: IA-5

GLBA: Effective

GDPR:

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.2

4.79.3                    Standard

A formal, documented process for authenticating identities will exist for users needing a password reset.

4.80            Authenticator Management

4.80.1                    Standard Owner: Tech Services

4.80.2                    Standard References

NIST: IA-5

GLBA: On Hold

GDPR:

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.4

4.80.3                    Standard

Passwords will be changed every 180 days. Passwords on accounts used to process, transmit, or store credit cardholder data will be changed every 60 days.

4.81            Authenticator Management

4.81.1                    Standard Owner: Tech Services

4.81.2                    Standard References

NIST: IA-5

GLBA: Draft

GDPR:

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.5

4.81.3                    Standard

A password may not be reused if it matches any of the previous 20 passwords used on the account prior to the password reset.

4.82            Authenticator Management

4.82.1                    Standard Owner: Tech Services

4.82.2                    Standard References

NIST: IA-5

GLBA: Effective

GDPR:

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.3

4.82.3                    Standard

Passwords will conform to a minimal complexity standard. That standard mandates a mix of numeric, alphabetical, and special characters. Passwords will be a minimum length of 10 characters.

4.83            Authenticator Management

4.83.1                    Standard Owner: Tech Services

4.83.2                    Standard References

NIST: IA-5

GLBA: Effective

GDPR:

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.3

4.83.3                    Standard

Passwords will not be based on something that can be easily guessed or obtained using personal information (e.g., names, favorite sports team, etc.).

4.84            Authenticator Feedback

4.84.1                    Standard Owner: Tech Services

4.84.2                    Standard References

NIST: IA-6

GLBA: Effective

GDPR:

ISO27001: A.9.4.2

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS:

4.84.3                    Standard

All password and PIN based authentication systems will be masked, suppressed, or otherwise obscured so that unauthorized persons are not able to observe them.

4.85            Cryptographic Module Authentication

4.85.1                    Standard Owner: Tech Services

4.85.2                    Standard References

NIST: IA-7

GLBA: Effective

GDPR:

ISO27001: A.18.1.5

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.1

4.85.3                    Standard

Passwords will be protected in storage using a one-way encryption (hashing) algorithm, so that the plaintext password cannot be recovered from what is stored.
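As an added example (not part of the University's standards or its tooling), the password acceptance check below applies 4.81 (no reuse of the previous 20 passwords), 4.82 (10-character minimum with numeric, alphabetic and special characters), 4.83 (no personal information) and 4.85 (stored only as a one-way digest). The `AccountPasswords` class, PBKDF2-HMAC-SHA256 with the chosen iteration count, and the sample personal terms and passwords are assumptions of this example; the standards name no algorithm.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Parameters taken from the standards above.
HISTORY_DEPTH = 20   # 4.81: none of the previous 20 passwords may be reused
MIN_LENGTH = 10      # 4.82: minimum length of 10 characters
# 4.85 requires a one-way algorithm for stored passwords. PBKDF2-HMAC-SHA256
# with a per-password random salt is an assumption of this example; the
# standard names no algorithm or iteration count.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); the plaintext itself is never stored (4.85)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest for a candidate and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity_problems(password: str, personal_terms: list) -> list:
    """Return the 4.82 and 4.83 rules the candidate violates (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # 4.83: reject passwords built from personal information. The terms
    # (name, username, ...) are supplied by the caller; matching is
    # case-insensitive and ignores terms too short to be meaningful.
    lowered = password.lower()
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        problems.append("contains personal information")
    return problems


class AccountPasswords:
    """Password history for one account, kept only as salted one-way digests."""

    def __init__(self, personal_terms: list):
        self.personal_terms = personal_terms
        self.history = []   # list of (salt, digest), oldest first

    def set_password(self, candidate: str) -> list:
        """Apply 4.81 to 4.83 to the candidate; on success store it and return []."""
        problems = complexity_problems(candidate, self.personal_terms)
        recent = self.history[-HISTORY_DEPTH:]
        if any(verify_password(candidate, s, d) for s, d in recent):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history.append(hash_password(candidate))
        return []


if __name__ == "__main__":
    # Constructed sample: an account whose holder's name and username are
    # known to the checker so that 4.83 can be enforced.
    acct = AccountPasswords(["Alice", "aexample"])
    for pw in ["Winter2023!x", "Winter2023!x", "alice-2023!!", "abcdefghijk"]:
        print(repr(pw), acct.set_password(pw) or "accepted")
```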

4.86            Identification and Authentication (Non- Organizational Users)

4.86.1                    Standard Owner: Tech Services

4.86.2                    Standard References

NIST: IA-8

GLBA: Effective

GDPR:

ISO27001: A.9.2.1

HIPAA:

PCI-DSS: 8.2.1

4.86.3                    Standard

Methods (e.g., password or PIN) for authentication to organization information systems will not be built into logon scripts.

4.87            Identification and Authentication (Non- Organizational Users)

4.87.1                    Standard Owner: Tech Services

4.87.2                    Standard References

NIST: IA-8

GLBA: Effective

GDPR:

ISO27001: A.9.2.1

HIPAA:

PCI-DSS: 2.1, 2.5

4.87.3                    Standard

Vendor-provided default accounts will be changed.

4.88            Identification and Authentication (Non- Organizational Users)

4.88.1                    Standard Owner: Tech Services

4.88.2                    Standard References

NIST: IA-8

GLBA: Effective

GDPR:

ISO27001: A.9.2.1

HIPAA:

PCI-DSS: 8.1.5

4.88.3                    Standard

Guest access will be limited to minimal functions to bridge the need for a secure environment with the need to provide courtesy services to visitors.

4.89            Identification and Authentication (Non- Organizational Users)

4.89.1                    Standard Owner: Tech Services

4.89.2                    Standard References

NIST: IA-8

GLBA: Effective

GDPR:

ISO27001: A.9.2.1

HIPAA:

PCI-DSS: 8.1.5, 12.5.3

4.89.3                    Standard

Where possible, guest accounts will not be created.

4.90            Service Identification and Authentication

4.90.1                    Standard Owner: Tech Services

4.90.2                    Standard References

NIST: IA-9

GLBA: Effective

GDPR:

ISO27001: --

HIPAA:

PCI-DSS:

4.90.3                    Standard

Service accounts will be requested and provisioned via the Access Control Procedure.

4.91            Adaptive Identification and Authentication

4.91.1                    Standard Owner: Tech Services

4.91.2                    Standard References

NIST: IA-10

GLBA: Validate

GDPR:

ISO27001: --

HIPAA:

PCI-DSS: 8.1.5, 8.3

4.91.3                    Standard

Two-factor authentication is required for:

  • Where supported by the system, all Privileged User access
  • All use of the VPN
  • All remote access to systems processing credit card information (PCI-DSS Requirement)

4.92            Policy & Procedures

4.92.1                    Standard Owner: Information Security

4.92.2                    Standard References

NIST: IR-1

GLBA: Effective

GDPR:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(6)(i)

PCI-DSS: 11.1.2, 12.1, 12.1.1, 12.5.3, 12.10.1

4.92.3                    Standard

The organization will:

  • Develop, document, and disseminate incident response standards and an incident response plan that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
  • Develop and document a process for escalating reported incidents (e.g., automated, non-automated, service providers) in accordance with the Incident Response Plan
  • Develop procedures to facilitate the implementation of these
  • Review and update this policy and associated procedures, at a minimum,

4.93            Information Security

4.93.1                    Standard Owner: Information Security

4.93.2                    Standard References

NIST: IR-2

GLBA: On Hold

GDPR:

ISO27001: A.7.2.2*

HIPAA: 164.308(a)(6)(i)

PCI-DSS: 12.10.4

4.93.3                    Standard

Regular training and awareness will be provided for organization workforce members who have been assigned a role in the Incident Response Plan or Incident Response Procedures.

4.94            Incident Response Plan Testing

4.94.1                    Standard Owner: Information Security

4.94.2                    Standard References

NIST: IR-3

GLBA: Effective

GDPR:

ISO27001: --

HIPAA: 164.308(a)(6)(i)

PCI-DSS: 12.10.2

4.94.3                    Standard

The Incident Response Plan and Incident Response Procedures will be tested annually.

4.95            SIRT: authority to operate

4.95.1                    Standard Owner: Information Security

4.95.2                    Standard References

NIST: IR-4

GLBA: Effective

GDPR:

ISO27001: A.16.1.4, A.16.1.5, A.16.1.6

HIPAA: 164.308(a)(6)(ii)

PCI-DSS: 11.1.2

4.95.3                    Standard

When responding to an incident, the Security Incident Response Team (SIRT) will take all appropriate actions to ensure that the confidentiality, integrity, and availability of organization information systems have not been compromised. Such actions can include, but are not limited to, temporarily removing an information system from the organization network, blocking access to the building in which the incident occurred, requesting access to an information system, or viewing data.

4.96            Monitoring & tracking incidents

4.96.1                    Standard Owner: Information Security

4.96.2                    Standard References

NIST: IR-5

GLBA: Effective

GDPR:

ISO27001: --

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)

PCI-DSS: 12.10.6

4.96.3                    Standard

The organization will have mechanisms for quantifying and monitoring the types, volumes and costs of security incidents. This information should be used to identify the need for improved or additional security controls.

4.97            Security event escalation

4.97.1