OM 9.1.2 - Information Security Standards
Effective Date: January 2023
Policy Contact: Office of Information Technology
1 Purpose
The Information Security Steering Committee of Clarkson University has adopted these information security Standards, which define the appropriate administrative, technical, and physical safeguards over sensitive information. These standards are designed to:
● Ensure that the safeguards adequately address the legal, regulatory, and mandatory requirements for information security;
● Provide adequate coverage of the recommended best practices spanning the eighteen NIST Control Families; and
● Give a general assurance level that the confidentiality, integrity, and availability of the University's assets will be upheld.
These Standards are based upon NIST 800-53 rev4 and they represent the What elements of information security that are specific to the University. Clarkson University will update these standards as need arises and will continue to review them annually. As these standards are not policy, updates shall not require Board approval, but will be reviewed and formally approved by the Information Security Steering Committee at least annually.
In addition to the Standards defined here, Clarkson University also maintains a set of procedures, plans and processes that define the How, When, and Who elements of information security and the expected behavior of personnel as they carry out these Standards in an approved manner.
2 Scope
These standards are applicable to all information in the possession of the University, including its affiliates and its agents, which may be stored, processed, or transmitted by any means. This includes electronic information, information on paper, and information shared orally or visually (e.g., telephone and video conferencing). Also included is any information in storage or in electronic or physical transmission outside of the University's facilities (e.g., service providers).
3 Roles & Responsibilities
Ultimate accountability for the Information Security controls rests with the Director of Network Services and Information Security. The control owners are accountable for ensuring that the controls assigned to them are in place and effective throughout the scope of the organization to which the controls apply.
● For administrative controls, the control owner will most likely oversee the execution of controls and possibly will be the implementor of the controls as well.
● For technical controls, the control owner is accountable, and may or may not choose to have IT implement the controls on their behalf.
● For physical controls, there will be a division of labor between the control owner and the facilities team.
4 Information Security Standards
4.1 Access Control Policy and Procedures
4.1.1 Standard Owner: Board, Senior Management, Information Technology
4.1.2 Standard References
NIST: AC-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)
PCI-DSS: 12.1, 12.1.1
4.1.3 Standard
The organization will:
- Develop, document, and disseminate standards that address purpose, scope, roles and responsibilities for managing access management activities;
- Develop and document the roles and responsibilities for individuals who have access to information systems;
- Document supporting procedures;
- Disseminate the information to ensure coordination among the organization’s entities; and
- Policy and procedure are approved and reviewed every
- Review the standards
4.2 Access Control Policy and Procedures
4.2.1 Standard Owner: Information Technology
4.2.2 Standard References
NIST: AC-1
GLBA:
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)
PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.2
4.2.3 Standard
The organization will maintain a formal, documented emergency access procedure (for systems and facilities) for enabling access by authorized workforce members during an emergency.
4.3 Account Management
4.3.1 Standard Owner: Information Technology
4.3.2 Standard References
NIST: AC-2
GLBA:
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.2
4.3.3 Standard
All user access to systems must be granted based on (1) valid access authorization, including business justification, by [Whom], (2) intended system usage, and (3) other attributes as required by the organization or associated mission’s/business functions.
4.4 Account Management
4.4.1 Standard Owner: Information Technology
4.4.2 Standard References
NIST: AC-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS: 7.1, 7.1.2, 7.2
4.4.3 Standard
Accounts with special privileges will only be used for those tasks requiring it, not for day-to-day usage.
4.5 Account Management | Access Enforcement | Least Privilege
4.5.1 Standard Owner: Information Technology
4.5.2 Standard References
NIST: AC-2, AC-3, AC-6
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.1.4, 7.2, 7.2.1, 7.2.3, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 10.1
4.5.3 Standard
A formal process for granting appropriate access to organization information systems will be documented. Only the most minimal access will be provisioned, on a need-to-know basis. All revisions to the access rights of organization workforce members and software programs will be tracked and logged. Security groups and ACLs will be used to provide limited, role-based access to shared resources. For systems not relying on domain accounts, the account creation/removal process will also be documented. At a minimum, tracking and logging of all access requests will require the following information:
- Date and time of revision
- Identification of workforce member or software program whose access is being revised
- Brief description of revised access right(s)
- Approval by system owner/stewards or their chosen delegate
- Reason for revision
This information will be securely maintained.
4.6 Access Enforcement
4.6.1 Standard Owner: Information Technology
4.6.2 Standard References
NIST: AC-3
GLBA: Effective
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 1.2.1, 7.2.3
4.6.3 Standard
Access to internal, nonpublic-facing systems from untrusted sites, by default, will be blocked at the organization perimeter firewall.
4.7 Access Enforcement | Least Privilege
4.7.1 Standard Owner: Information Technology
4.7.2 Standard References
NIST: AC-3, AC-6
GLBA: Draft
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3, A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1.1, 7.1.3, 8.1.4
4.7.3 Standard
All organization workforce members will have their information system privileges automatically disabled after their user ID or access method has had 90 days of inactivity. All privileges disabled in this manner will be reviewed to ensure that the inactivity is not due to termination of employment. If termination is the reason for the inactivity, the situation will be reviewed to ensure that all access to CONFIDENTIAL INFORMATION (or the ability to physically access information) has been eliminated.
4.8 Access Enforcement | Least Privilege
4.8.1 Standard Owner: Information Technology
4.8.2 Standard References
NIST: AC-3, AC-6
GLBA: Draft
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3, A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1.2, 7.1.3
4.8.3 Standard
Access reviews for privileged and non-privileged accounts on systems storing restricted information will be conducted annually.
4.9 Information Flow Enforcement
4.9.1 Standard Owner: Information Technology
4.9.2 Standard References
NIST: AC-4
GLBA: On Hold
GDPR:
ISO27001: A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.310(b)
PCI-DSS:
4.9.3 Standard
The organization will define a Security Architecture Plan that addresses:
- The flow of information between inter-connected systems; and
- Defined security rules by network
4.10 Separation of Duties
4.10.1 Standard Owner: Information Technology
4.10.2 Standard References
NIST: AC-5
GLBA: Effective
GDPR:
ISO27001: A.6.1.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)
PCI-DSS:
4.10.3 Standard
Where possible, software developers will not utilize elevated access to production systems.
4.11 Least Privilege
4.11.1 Standard Owner: Information Technology
4.11.2 Standard References
NIST: AC-6
GLBA: Effective
GDPR:
ISO27001: A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)
PCI-DSS: 7.1.2, 7.1.3
4.11.3 Standard
Only the most minimal access will be provisioned based on a need-to-know basis.
4.12 Unsuccessful Logon Attempts
4.12.1 Standard Owner: Information Technology
4.12.2 Standard References
NIST: AC-7
GLBA: Effective
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS:
4.12.3 Standard
Organization workforce members shall not attempt to gain access to organization information systems containing restricted information for which they have not been given proper authorization.
4.13 Unsuccessful Logon Attempts
4.13.1 Standard Owner: Information Technology
4.13.2 Standard References
NIST: AC-7
GLBA: Effective
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2, 2.2.4, 8.1.6, 8.1.7
4.13.3 Standard
Systems will lock accounts after no more than 5 failed login attempts.
4.14 System Use Notification
4.14.1 Standard Owner: Information Technology
4.14.2 Standard References
NIST: AC-8
GLBA: On Hold
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2.4
4.14.3 Standard
The organization displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable laws, directives, policies, regulations, standards, and guidance and states that:
- users are accessing organizational information systems;
- system usage may be monitored, recorded, and subject to audit;
4.15 Previous Logon (Access) Notification
4.15.1 Standard Owner: Information Technology
4.15.2 Standard References
NIST: AC-9
GLBA: On Hold
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2.4
4.15.3 Standard
Workstation, laptop, and server logon systems will suppress and/or not display the username of the previously logged on user.
4.16 Concurrent Session Control
4.16.1 Standard Owner: Information Technology
4.16.2 Standard References
NIST: AC-10
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.16.3 Standard
Critical applications will be configured to limit the number of concurrent sessions for each account and/or account type.
4.17 Session Lock
4.17.1 Standard Owner: Information Technology
4.17.2 Standard References
NIST: AC-11
GLBA: Effective
GDPR:
ISO27001: A.11.2.8, A.11.2.9
HIPAA: 164.310(b), 164.312(a)(2)(iii)
PCI-DSS: 2.2, 2.2.4, 8.1.8, 12.3.8
4.17.3 Standard
Endpoints must prevent further access to the information assets by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user. In addition, systems must retain the session lock until the user reestablishes access using established identification and authentication procedures.
4.18 Session Termination
4.18.1 Standard Owner: Information Technology
4.18.2 Standard References
NIST: AC-12
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA: 164.310(b), 164.312(a)(2)(iii)
PCI-DSS: 2.2, 2.2.4, 8.1.8, 12.3.8
4.18.3 Standard
Systems will disconnect application and remote access sessions after 240 minutes of idle time.
4.19 Remote Access
4.19.1 Standard Owner: Information Technology
4.19.2 Standard References
NIST: AC-17
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2
HIPAA: 164.310(b)
PCI-DSS: 8.1.5
4.19.3 Standard
Applications accessed through external facing webservers without appropriate SSL encryption will only be accessed via approved VPN.
4.20 Remote Access
4.20.1 Standard Owner: Information Technology
4.20.2 Standard References
NIST: AC-17
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2
HIPAA: 164.310(b)
PCI-DSS: 8.1.5, 12.3.9, 12.3.10
4.20.3 Standard
Remote access technologies for vendors will only be enabled when needed, with immediate deactivation after use.
4.21 Wireless Access
4.21.1 Standard Owner: Information Technology
4.21.2 Standard References
NIST: AC-18
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 4.1, 4.1.1, 11.1
4.21.3 Standard
Public wireless networks will be considered open, insecure networks.
4.22 Wireless Access
4.22.1 Standard Owner: Information Technology
4.22.2 Standard References
NIST: AC-18
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.2.3, 2.1.1, 4.1, 9.1.3, 11.1, 11.1.1, 11.1.2, 12.3
4.22.3 Standard
4.23 Use of External Information Systems
4.23.1 Standard Owner: Information Technology
4.23.2 Standard References
NIST: AC-20
GLBA: On Hold
GDPR:
ISO27001: A.11.2.6, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.3.5
4.23.3 Standard
All connections between organization Information Systems and external systems will be approved and documented.
4.24 Use of External Information Systems
4.24.1 Standard Owner: Information Technology
4.24.2 Standard References
NIST: AC-20
GLBA: Effective
GDPR:
ISO27001: A.11.2.6, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.3.5
4.24.3 Standard
The Director of Network Services & Information Security will approve any system which interfaces with systems that store or process information classified as 'Clarkson-Restricted'.