OM 9.1.2 - Information Security Standards
|
Effective Date: January 2023 |
Policy Contact: Office of Information Technology |
1 Purpose
The Information Security Steering Committee of Clarkson University has adopted these information security Standards, which define the appropriate administrative, technical, and physical safeguards over sensitive information. These standards are designed to:
● Ensure that the safeguards adequately address the legal, regulatory, and mandatory requirements for information security;
● Provide adequate coverage of the recommended best practices spanning in the eighteen NIST Control Families; and
● Give a general assurance level that the confidentiality, integrity, and availability of the University's assets will be upheld.
These Standards are based upon NIST 800-53 rev4 and they represent the What elements of information security that are specific to the University. Clarkson University will update these standards as need arises and will continue to review them annually. As these standards are not policy, updates shall not require Board approval, but will be reviewed and formally approved by the Information Security Steering Committee at least annually.
In addition to the Standards defined here, Clarkson University also maintains a set of procedures, plans and processes that define the How, When, and Who elements of information security and the expected behavior of personnel as they work to carry out the Standards in an approved manner that upholds these Standards.
2 Scope
These standards are applicable to all information in the possession of the University, including its affiliates and its agents, which may be stored, processed, or transmitted by any means. This includes electronic information, information on paper, and information shared orally or visually (e.g., telephone and video conferencing). Also included is any information in storage or in electronic or physical transmission outside of the University's facilities (e.g., service providers).
3 Roles & Responsibilities
Ultimate accountability for the Information Security controls rests with the Director of Network Services and Information Security. The control owners are accountable to ensure that the controls assigned to them are in-place and effective throughout the scope of the organization for which the controls apply.
● For administrative controls, the control owner will most likely oversee the execution of controls and possibly will be the implementor of the controls as well.
● For technical controls, the control owner is accountable, and may or may not choose to have IT implement the controls on their behalf.
● For physical controls, there will be a division of labor between the control owner and the facilities team.
4 Information Security Standards
4.1 Access Control Policy and Procedures
4.1.1 Standard Owner: Board, Senior Management, Information Technology
4.1.2 Standard References
NIST: AC-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)
PCI-DSS: 12.1, 12.1.1
4.1.3 Standard
The organization will:
- Develop, document, and disseminate standards that address purpose, scope, roles and responsibilities for managing access management activities;
- Develop and document the roles and responsibilities for individuals who have access to information systems;
- Document supporting procedures;
- Disseminate the information to ensure coordination among the organization’s entities; and
- Policy and procedure are approved and reviewed every
- Review the standards
4.2 Access Control Policy and Procedures
4.2.1 Standard Owner: Information Technology
4.2.2 Standard References
NIST: AC-1
GLBA:
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)
PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.2
4.2.3 Standard
A formal, documented emergency access procedure (for system and facilities) for enabling authorized workforce members during an emergency.
4.3 Account Management
4.3.1 Standard Owner: Information Technology
4.3.2 Standard References
NIST: AC-2
GLBA:
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.2
4.3.3 Standard
All user access to systems must be granted based on (1) valid access authorization, including business justification, by [Whom], (2) intended system usage, and (3) other attributes as required by the organization or associated mission’s/business functions.
4.4 Account Management
4.4.1 Standard Owner: Information Technology
4.4.2 Standard References
NIST: AC-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS: 7.1, 7.1.2, 7.2
4.4.3 Standard
Accounts with special privileges will only be used for those tasks requiring it, not for day-to-day usage.
4.5 Account Management | Access Enforcement | Least Privilege
4.5.1 Standard Owner: Information Technology
4.5.2 Standard References
NIST: AC-2 AC-3 AC-6
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6 A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C),
164.308(a)(5)(ii)(C), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.1.4, 7.2, 7.2.1, 7.2.3, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 10.1
4.5.3 Standard
A formal, documented process for granting appropriate access to organization information systems will be documented. Only the most minimal access will be provisioned based on a need-to-know basis. All revisions to organization workforce member and software program access rights will be tracked and logged. Security groups and ACLs will be used to provide limited, role-based access to shared resources. For systems not relying on domain accounts, the account creation/removal process will also be documented. At a minimum, tracking and logging of all access requests will require the following information:
- Data and time of revision
- Identification of workforce member or software program whose access is being revised
- Brief description of revised access right(s)
- Approval by system owner/stewards or their chosen delegate
- Reason for revision
This information will be securely maintained.
4.6 Access Enforcement
4.6.1 Standard Owner: Information Technology
4.6.2 Standard References
NIST: AC-3
GLBA: Effective
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 1.2.1 7.2.3
4.6.3 Standard
Access to internal, nonpublic-facing systems from untrusted sites, by default, will be blocked at the organization perimeter firewall.
4.7 Access Enforcement | Least Privilege
4.7.1 Standard Owner: Information Technology
4.7.2 Standard References
NIST: AC-3 AC-6
GLBA: Draft
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1.1, 7.1.3, 8.1.4
4.7.3 Standard
All organization workforce members will have their information system privileges automatically disabled after their user ID or access method has had 90 days of inactivity. All such privileges that are disabled in this manner will be reviewed to ensure that the inactivity is not due to termination of employment. If termination is the reason for inactivity, there will be review of situation to ensure that all access to CONFIDENTIAL INFORMATION (or ability to physical access information) has been eliminated.
4.8 Access Enforcement | Least Privilege
4.8.1 Standard Owner: Information Technology
4.8.2 Standard References
NIST: AC-3 AC-6
GLBA: Draft
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1.2, 7.1.3
4.8.3 Standard
Access reviews for privileged and non-privileged accounts on systems storing restricted information will be conducted annually.
4.9 Information Flow Enforcement
4.9.1 Standard Owner: Information Technology
4.9.2 Standard References
NIST: AC-4
GLBA: On Hold
GDPR:
ISO27001: A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.310(b)
PCI-DSS:
4.9.3 Standard
The organization will define a Security Architecture Plan that addresses:
- The flow of information between inter-connected systems; and
- Defined security rules by network
4.10 Separation of Duties
4.10.1 Standard Owner: Information Technology
4.10.2 Standard References
NIST: AC-5
GLBA: Effective
GDPR:
ISO27001: A.6.1.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)
PCI-DSS:
4.10.3 Standard
Where possible, software developers will not utilize elevated access to production systems.
4.11 Least Privilege
4.11.1 Standard Owner: Information Technology
4.11.2 Standard References
NIST: AC-6
GLBA: Effective
GDPR:
ISO27001: A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)
PCI-DSS: 7.1.2, 7.1.3
4.11.3 Standard
Only the most minimal access will be provisioned based on a need-to-know basis.
4.12 Unsuccessful Logon Attempts
4.12.1 Standard Owner: Information Technology
4.12.2 Standard References
NIST: AC-7
GLBA: Effective
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS:
4.12.3 Standard
Organization workforce members shall not attempt to gain access to organization information systems containing restricted information for which they have not been given proper authorization.
4.13 Unsuccessful Logon Attempts
4.13.1 Standard Owner: Information Technology
4.13.2 Standard References
NIST: AC-7
GLBA: Effective
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2,2.2.4, 8.1.6, 8.1.7
4.13.3 Standard
Systems will lock accounts after no more than 5 failed login attempts.
4.14 System Use Notification
4.14.1 Standard Owner: Information Technology
4.14.2 Standard References
NIST: AC-8
GLBA: On Hold
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2.4
4.14.3 Standard
The organization displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable laws, directives, policies, regulations, standards, and guidance and states that:
- users are accessing organizational information systems;
- system usage may be monitored, recorded, and subject to audit;
4.15 Previous Logon (Access) Notification
4.15.1 Standard Owner: Information Technology
4.15.2 Standard References
NIST: AC-9
GLBA: On Hold
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2.4
4.15.3 Standard
Workstation, laptop, and server logon systems will suppress and/or not display the username of the previously logged on user.
4.16 Concurrent Session Control
4.16.1 Standard Owner: Information Technology
4.16.2 Standard References
NIST: AC-10
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.16.3 Standard
Critical applications will be configured to limit the number of concurrent sessions for each account and/or account type.
4.17 Session Lock
4.17.1 Standard Owner: Information Technology
4.17.2 Standard References
NIST: AC-11
GLBA: Effective
GDPR:
ISO27001: A.11.2.8, A.11.2.9
HIPAA: 164.310(b), 164.312(a)(2)(iii)
PCI-DSS: 2.2,2.2.4, 8.1.8, 12.3.8
4.17.3 Standard
Endpoints must prevent further access to the information assets by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user. In addition, systems must retain the session lock until the user reestablishes access using established identification and authentication procedures.
4.18 Session Termination
4.18.1 Standard Owner: Information Technology
4.18.2 Standard References
NIST: AC-12
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA: 164.310(b), 164.312(a)(2)(iii)
PCI-DSS: 2.2,2.2.4, 8.1.8, 12.3.8
4.18.3 Standard
Systems will disconnect application and remote access sessions after 240 minutes of idle time.
4.19 Remote Access
4.19.1 Standard Owner: Information Technology
4.19.2 Standard References
NIST: AC-17
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2
HIPAA: 164.310(b)
PCI-DSS: 8.1.5
4.19.3 Standard
Applications accessed through external facing webservers without appropriate SSL encryption will only be accessed via approved VPN.
4.20 Remote Access
4.20.1 Standard Owner: Information Technology
4.20.2 Standard References
NIST: AC-17
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2
HIPAA: 164.310(b)
PCI-DSS: 8.1.5,12.3.9,12.3.10
4.20.3 Standard
Remote access technologies for vendors will only be enabled when needed, with immediate deactivation after use.
4.21 Wireless Access
4.21.1 Standard Owner: Information Technology
4.21.2 Standard References
NIST: AC-18
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 4.1, 4.1.1, 11.1
4.21.3 Standard
Public wireless networks will be considered open, insecure networks.
4.22 Wireless Access
4.22.1 Standard Owner: Information Technology
4.22.2 Standard References
NIST: AC-18
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.2.3, 2.1.1, 4.1, 9.1.3, 11.1, 11.1.1, 11.1.2, 12.3
4.22.3 Standard
4.23 Use of External Information Systems
4.23.1 Standard Owner: Information Technology
4.23.2 Standard References
NIST: AC-20
GLBA: On Hold
GDPR:
ISO27001: A.11.2.6, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.3.5
4.23.3 Standard
All connections between organization Information Systems and external systems will be approved and documented.
4.24 Use of External Information Systems
4.24.1 Standard Owner: Information Technology
4.24.2 Standard References
NIST: AC-20
GLBA: Effective
GDPR:
ISO27001: A.11.2.6, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.3.5
4.24.3 Standard
The Director of Network Services & Information Security will approve any system which interfaces with systems that store or process information classified as 'Clarkson-Restricted'.
4.25 Publicly Accessible Content
4.25.1 Standard Owner: Information Technology, | Compliance
4.25.2 Standard References
NIST: AC-22
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.25.3 Standard
Information classified as Clarkson-Restricted will not be posted on the organization's publicly available website.
4.26 Access Control Decisions
4.26.1 Standard Owner: Information Technology
4.26.2 Standard References
NIST: AC-24
GLBA: Effective
GDPR:
ISO27001: A.9.4.1*
HIPAA:
PCI-DSS:
4.26.3 Standard
All access requests will go through a managerial approval process prior to access enforcement.
4.27 Audit and Accountability Policy and Procedures
4.27.1 Standard Owner: IT
4.27.2 Standard References
NIST: AU-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.312(b)
PCI-DSS: 12.1, 12.1.1
4.27.3 Standard
The organization will:
- Develop, document, and disseminate audit and accountability standards that addresses purpose, scope, roles, responsibilities, and management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.28 Audit Events | Non-repudiation
4.28.1 Standard Owner: IT
4.28.2 Standard References
NIST: AU-2 AU-10
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(5)(ii)(C), 164.312(b)
PCI-DSS: 8.1.5, 10.1, 10.2, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4,
10.6.1
4.28.3 Standard
Security events for Active Directory, firewalls, servers, applications, and databases will be defined. This includes:
- Permission Altered Alerts (accounts/groups created, group membership modified, VPN groups modified)
- Inappropriate Use & Login for Administrators (successful/failed logon attempts, application/operating system/network devices administrator accounts, service accounts, accounts used to provision access, local administrator accounts)
- Inappropriate Use for Workforce (successful/failed logon attempts, multiple account locks/disabled/deleted)
- System Events (logs cleared, virus/malware detected, NTP time change, rogue wireless devices)
- System Health (active directory groups created/removed, application restarts/shutdowns, taxing active directory queries)
- File Integrity (critical/sensitive file changes)
- Network Intrusion Attempts
- Application & Database (failed logon attempts, accounts created/modified)
- Event types, date and time, origination of event, identity or name of affected data, system component, or resource
4.29 Content of Audit Records
4.29.1 Standard Owner: IT
4.29.2 Standard References
NIST: AU-3
GLBA: Effective
GDPR:
ISO27001: A.12.4.1* HIPAA: 164.312(b) PCI-DSS: 10.5.3, 10.7
4.29.3 Standard
Logs from Active Directory, firewalls (both internal and external), servers, and DNS will be sent to the central logging server.
4.30 Audit Storage Capacity
4.30.1 Standard Owner: IT
4.30.2 Standard References
NIST: AU-4
GLBA: Effective
GDPR:
ISO27001: A.12.1.3 HIPAA: 164.312(b) PCI-DSS: 10.5.3, 10.7
4.30.3 Standard
Logs will be moved to a centralized logging system within 24 hours of being recorded.
4.31 Response to Audit Processing Failures
4.31.1 Standard Owner: IT
4.31.2 Standard References
NIST: AU-5
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.31.3 Standard
The central logging server will be monitored for system disk capacity, availability, and running of the syslog process
4.32 Audit Review, Analysis, and Reporting
4.32.1 Standard Owner: IT
4.32.2 Standard References
NIST: AU-6
GLBA: On Hold
GDPR:
ISO27001: A.12.4.1, A.16.1.2, A.16.1.4
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.312(b)
PCI-DSS:
4.32.3 Standard
Metrics reports for security events will be created and monitored on a periodic basis, based on the criticality of the logs. As well, an alerting process will be used.
4.33 Time Stamps
4.33.1 Standard Owner: IT
4.33.2 Standard References
NIST: AU-8
GLBA: Effective
GDPR:
ISO27001: A.12.4.4
HIPAA:
PCI-DSS: 2.2,2.2.4, 10.3.3, 10.4, 10.4.1, 10.4.2, 10.4.3
4.33.3 Standard
All workstations and servers will receive their time via NTP from industry accepted time sources.
4.34 Protection of Audit Information
4.34.1 Standard Owner: IT
4.34.2 Standard References
NIST: AU-9
GLBA: Effective
GDPR:
ISO27001: A.12.4.2, A.12.4.3, A.18.1.3
HIPAA:
PCI-DSS: 10.5, 10.5.1, 10.5.2
4.34.3 Standard
Audit logs will be secured so that cannot be altered:
- Access limited to those with job-related needs
- Protected via access control mechanisms, physical segregations
4.35 Audit Record Retention
4.35.1 Standard Owner: IT
4.35.2 Standard References
NIST: AU-11
GLBA: Draft
GDPR:
ISO27001: A.12.4.1, A.16.1.7
HIPAA:
PCI-DSS: 10.5.3, 10.5.4, 10.5.5
4.35.3 Standard
Logs will be sent to a central log server and retained for a minimum of 3 months online, 9 months offline (total of 1 year available). Log files will be monitored for change.
4.36 Monitoring for Information Disclosure
4.36.1 Standard Owner: IT
4.36.2 Standard References
NIST: AU-13
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 10.6, 10.6.1, 10.6.2, 10.6.3
4.36.3 Standard
Logs will be monitored and security events investigated, at a minimum, daily. If a security incident has occurred, the incident response procedures will be executed and followed.
4.37 Security Awareness and Training Policy and Procedures
4.37.1 Standard Owner: Information Security
4.37.2 Standard References
NIST: AT-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(5)(i)
PCI-DSS: 12.6, 12.6.1
4.37.3 Standard
The organization will:
- Develop, document, and disseminate security awareness and training standards that addresses purpose, scope, roles, responsibilities, and management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of the
- Review and update Policies every year
- Review and update the standards and associated procedures, as
4.38 Security Awareness Program
4.38.1 Standard Owner: Information Security
4.38.2 Standard References
NIST: AT-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(5)(i)
PCI-DSS: 12.6, 12.6.1
4.38.3 Standard
The organization will develop, implement, and regularly review a formal, documented program for providing, at a minimum on-hire and thereafter annually, appropriate security training and awareness to workforce members
4.39 Security Awareness Training
4.39.1 Standard Owner: Information Security
4.39.2 Standard References
NIST: AT-2
GLBA: Effective
GDPR:
ISO27001: A.7.2.2, A.12.2.1
HIPAA: 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B)
PCI-DSS: 3.7, 4.3, 8.4, 12.6, 12.6.1
4.39.3 Standard
Employees training and security reminder communications, at a minimum, will address:
- The importance of keeping creating, using, and safeguarding authentication credentials
- Ensuring that organization workforce members understand that all activities involving their user identification and password will be attributed to
- Security policies, procedures, and standards for protecting the confidentiality, integrity, and availability of information and systems
- Significant risks to organization information systems and data
- Information security legal and business responsibilities
- How, and to whom an incident shall be reported
- How to identify, report, and avoid malicious software, other forms of suspicious electronic communication and social engineering attempts
4.40 Role-Based Security Training
4.40.1 Standard Owner: Information Security
4.40.2 Standard References
NIST: AT-3
GLBA: Effective
GDPR:
ISO27001: A.7.2.2* HIPAA: 164.308(a)(5)(i) PCI-DSS:
4.40.3 Standard
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
4.41 Role-Based Security Training
4.41.1 Standard Owner: Information Security | Finance* | Compliance*
4.41.2 Standard References
NIST: AT-3
GLBA: Effective
GDPR:
ISO27001: A.7.2.2*
HIPAA: 164.308(a)(5)(i)
PCI-DSS: 3.7, 4.3, 8.4, 9.9, 9.9.3, 12.6, 12.6.1
4.41.3 Standard
Employees who access, store, process, or protect credit cardholder data will receive, at a minimum on-hire and thereafter annually, training on appropriate procedures for safeguarding credit cardholder data
4.42 Security Training Records
4.42.1 Standard Owner: Information Security
4.42.2 Standard References
NIST: AT-4
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(5)(i)
PCI-DSS: 12.6.1 12.6.2
4.42.3 Standard
After training has been conducted, each organization workforce member will verify that he or she has received the training, understood the material presented, and agrees to comply with it
4.43 Configuration Management Policy and Procedures
4.43.1 Standard Owner: IT
4.43.2 Standard References
NIST: CM-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA:
PCI-DSS: 12.1, 12.1.1
4.43.3 Standard
The organization will:
- Develop, document, and disseminate configuration management standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.44 Baseline Configuration
4.44.1 Standard Owner: IT
4.44.2 Standard References
NIST: CM-2
GLBA: Draft
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 1.1.1, 1.1.5, 1.1.6, 1.2.2, 1.5, 2.2, 2.2.2, 2.2.4, 2.2.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8,
10.4.3,12.1,12.1.1, 12.3
4.44.3 Standard
Management procedures will be created that address:
- The documentation of Hardening Configuration Standards, by operating system. These configuration controls will be based industry accepted standards (e.g., Center for Internet Security or CIS).
- System account configurations
- Groups, roles, and responsibilities for management of network components
- Documented business justification for all ports, protocols, ports allowed/disallowed, and any security features implemented for those protocols considered insecure
- For routers, securing and synchronization of configuration files
- Documentation of security parameters that prevent misuse
- Secure coding techniques in the software development lifecycle
- Synchronizations with industry accepted time sources
4.45 Baseline Configuration
4.45.1 Standard Owner: IT
4.45.2 Standard References
NIST: CM-2 CM-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 1.4, 2.2
4.45.3 Standard
Organization owned laptops and employee owned user devices are prohibited from storing, processing, or transmitti ng credit cardholder data. Desktops and mobile devices (e.g., tablets, smartphones) may be used to process cardholder transactions only if equipped with P2PE-compliant devices and are authorized by IT.
4.46 Baseline Configuration
4.46.1 Standard Owner: IT
4.46.2 Standard References
NIST: CM-2 CM-6
GLBA: Draft
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 2.2,2.2.4
4.46.3 Standard
All systems that access, store, process, or transmit non-Public Information will be configured to:
- Not display information system or application identifying information until the log-in process has been successfully completed
- Where supported, display a logon banner
- Not provide help messages during the log-in procedure that would assist an unauthorized user If an error arises during authentication, the system will not indicate which part of the data is correct or incorrect
4.47 Configuration Change Control | Security Impact Analysis
4.47.1 Standard Owner: IT
4.47.2 Standard References
NIST: CM-3 CM-4
GLBA: Effective
GDPR:
ISO27001: A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 A.14.2.3
HIPAA:
PCI-DSS: 1.5,2.2.4, 2.5, 3.7, 4.3, 5.4, 6.3.1, 6.3.2, 6.4, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, 6.7,
7.3, 8.8, 9.10, 10.8, 11.6
4.47.3 Standard
The organization will develop, document, implement, and maintain a change management process for managing changes to production systems containing Clarkson-Restricted data.
This process will address:
- Documentation of security impact analysis, functionality testing, back out procedures
- The documentation and retention of change records
- Review and authorization of changes with explicit consideration for security impact analyses
- Coordination and communication of changes
- Oversight for proposed configuration-controlled changes
- If a new application or changed application that stores non-Public Information, the system will store evidence of a vulnerability scan
- The removal of development, test and/or custom application accounts, user IDs, and passwords before the application become active or are released into production
- The removal of custom code prior to production release
- Where possible, separate development, test, and production systems
- Separation of duties between development/test and production systems
- Credit cardholder data is not being stored
- Removal of test data
4.48 Access Restrictions for Change
4.48.1 Standard Owner: IT
4.48.2 Standard References
NIST: CM-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.3, A.9.4.5, A.12.1.2, A.12.1.4, A.12.5.1
HIPAA:
PCI-DSS: 2.2.4
4.48.3 Standard
IT administrators or authorized vendors will be the only groups who have administrator access to servers
4.49 Configuration Setti ngs
4.49.1 Standard Owner: IT
4.49.2 Standard References
NIST: CM-6
GLBA: Draft
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 2.2,2.2.4, 8.1.8
4.49.3 Standard
Where technically feasible, computing devices will be electronically locked when they are no longer in use:
- Servers: 10 minutes
- Laptops and Desktops: 15 minutes
- Mobile Devices (smart phones, tablets): 3 minutes
- Network Devices: 10 minutes
Exceptions to this standard will be granted and must be approved by the Director of Network Svcs and Information Security.
4.50 Configuration Setti ngs
4.50.1 Standard Owner: IT
4.50.2 Standard References
NIST: CM-6
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.50.3 Standard
Configuration-controlled computing devices will be sampled and scanned every 6 months to identify, document, implement, and approve any deviations to the configuration setti ngs in accordance with the Hardening Configuration Standards.
4.51 Least Functionality
4.51.1 Standard Owner: IT
4.51.2 Standard References
NIST: CM-7
GLBA: Effective
GDPR:
ISO27001: A.12.5.1*
HIPAA:
PCI-DSS: 2.2.1
4.51.3 Standard
Where economically feasible, only one primary function can be assigned to a production server to prevent functions that require different security levels from co-existing on the same server (For example, web servers, database servers, and DNS will be implemented on separate servers). This includes one primary function per virtualized system instance.
4.52 Information System Component Inventory
4.52.1 Standard Owner: IT
4.52.2 Standard References
NIST: CM-8
GLBA: On Hold
GDPR:
ISO27001: A.8.1.1, A.8.1.2
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii)
PCI-DSS: 2.2.4,2.4, 7.2.1, 9.7.1, 9.9.1, 11.1.1, 12.2
4.52.3 Standard
In order to maintain an inventory of all information systems, approved technologies, and electronic media, and to ensure computing assets comply with configuration standards, the Change Management process will identify and update asset inventories.
4.53 Software Usage Restrictions
4.53.1 Standard Owner: IT
4.53.2 Standard References
NIST: CM-10
GLBA: Effective
GDPR:
ISO27001: A.18.1.2
HIPAA:
PCI-DSS:
4.53.3 Standard
All software usage will be tracked, and controlled in accordance with contract requirements and copyright laws.
4.54 Software Usage Restrictions
4.54.1 Standard Owner: IT
4.54.2 Standard References
NIST: CM-10
GLBA: Effective
GDPR:
ISO27001: A.18.1.2
HIPAA:
PCI-DSS:
4.54.3 Standard
Peer to Peer software is prohibited.
4.55 User-Installed Software
4.55.1 Standard Owner: IT
4.55.2 Standard References
NIST: CM-11
GLBA: Effective
GDPR:
ISO27001: A.12.5.1, A.12.6.2
HIPAA:
PCI-DSS: 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7
4.55.3 Standard
Software programs will not be installed on workstations or servers without prior authorizations. Only approved software will be installed on organizational assets.
4.56 Contingency Planning Policy and Procedures
4.56.1 Standard Owner: Operations
4.56.2 Standard References
NIST: CP-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(7)(i)
PCI-DSS: 12.1, 12.1.1
4.56.3 Standard
The organization will:
- Develop, document, and disseminate standards and an emergency operations center (EOC) contingency plan that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of the
- Review and update the standards and the EOC contingency plan and associated procedures, at a minimum,
- Ensure that contingency plans have adequately addressed safeguarding critical information during a serious outage or
4.57 Contingency Plan
4.57.1 Standard Owner: Operations
4.57.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.57.3 Standard
The organization develops and maintains a Business Impact Assessment process to identify and regularly analyze the criticality of organization information systems.
4.58 Contingency Plan
4.58.1 Standard Owner: Operations
4.58.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.58.3 Standard
The organization will have a Continuity Plan both preparing for and effectively responding to emergencies and disasters that may damage the confidentiality, integrity, or availability of its information systems. At a minimum, the plan will address:
- Identification of significant processes and controls that protect the confidentiality, integrity, and availability of Non-Public Information on organization information
- Identification and prioritization of emergencies that may impact organization information systems containing Non-Public Information.
- Documenting procedures for how organization will respond to specific emergencies that impact information systems containing Non-Public
- Define procedures for how organization, during and immediately after a crisis situation, will maintain the processes and controls that ensure the availability, integrity and confidentiality of Non-Public Information on organization information systems.
- Define a procedure that ensures that authorized employees can enter organization facilities to enable continuation of processes and controls that protect Non-Public Information while organization is operating in emergency
- Return to normal procedures
4.59 Contingency Plan
4.59.1 Standard Owner: Operations
4.59.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.59.3 Standard
IT will create and document a disaster recovery plan to support the BCP. The plan will be reviewed regularly and revised as necessary. At a minimum, the recovery plan will include:
- The conditions for activating the
- Identification and definition of organization workforce member
- Resumption procedures (manual and automated) which describe the actions to be taken to return organization information systems to normal operations within required time
- Notification and reporting
- Procedure(s) for allowing appropriate employees physical access to organization facilities so that they can implement recovery procedures in the event of a
4.60 Contingency Plan
4.60.1 Standard Owner: Operations
4.60.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.60.3 Standard
4.61 Contingency Plan
4.61.1 Standard Owner: Operations
4.61.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.61.3 Standard
The organization’s contingency plans will be kept current. Examples of events that will result in an update of the plan include, but are not limited to:
- Change in disaster recovery
- Change in contact information for disaster recovery
- Significant change(s) to organization’s technical or physical
- Change in key suppliers or
- Significant change in threats to organization facilities or information
4.62 Contingency Training
4.62.1 Standard Owner: Operations
4.62.2 Standard References
NIST: CP-3
GLBA: On Hold
GDPR:
ISO27001: A.7.2.2* HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:
4.62.3 Standard
Organization workforce members will receive training and awareness on organization’s disaster preparation and disaster and emergency response processes
4.63 Contingency Plan Testing
4.63.1 Standard Owner: IT
4.63.2 Standard References
NIST: CP-4
GLBA: Effective
GDPR:
ISO27001: A.17.1.3 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:
4.63.3 Standard
The Disaster Recovery plan will be tested for select systems, at a minimum, annually.
4.64 Contingency Plan Testing
4.64.1 Standard Owner: IT
4.64.2 Standard References
NIST: CP-4
GLBA: Effective
GDPR:
ISO27001: A.17.1.3 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:
4.64.3 Standard
Backup & Recovery Procedure will be tested at least annually.
4.65 Contingency Plan Testing
4.65.1 Standard Owner: IT
4.65.2 Standard References
NIST: CP-4
GLBA: On Hold
GDPR:
ISO27001: A.17.1.4 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:
4.65.3 Standard
The results of the DRP test will be formally documented and presented to appropriate organization management. The contingency plan will be revised as necessary to address issues or gaps identified in the testing process
4.66 Alternate Storage Site
4.66.1 Standard Owner: IT
4.66.2 Standard References
NIST: CP-6
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.17.1.2, A.17.2.1 HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i) PCI-DSS: 9.5.1
4.66.3 Standard
Backup copies of Clarkson-Restricted Information will be stored at a secure, remote location at a minimum of 100 miles from the system of record for which the backups were made.
4.67 Alternate Processing Site
4.67.1 Standard Owner: IT
4.67.2 Standard References
NIST: CP-7
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.17.1.2, A.17.2.1 HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i) PCI-DSS:
4.67.3 Standard
The organization and/or its cloud-based vendors will provide at least one alternative processing site should the primary site become unavailable.
4.68 Information System Backup
4.68.1 Standard Owner: IT
4.68.2 Standard References
NIST: CP-9
GLBA: Effective
GDPR:
ISO27001: A.12.3.1, A.17.1.2, A.18.1.3
HIPAA: 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.310(d)(2)(iv)
PCI-DSS:
4.68.3 Standard
The organization will have a formal, documented backup plan for its information systems. At a minimum, the plan will:
- Identify information systems and electronic media to be backed
- Provide a backup
- Identify where backup media are stored and who may access
- Outline restoration
- Identify who is responsible for ensuring the backup of information systems and electronic media
4.69 Information System Backup
4.69.1 Standard Owner: IT
4.69.2 Standard References
NIST: CP-9
GLBA: Effective
GDPR:
ISO27001: A.12.3.1, A.17.1.2, A.18.1.4
HIPAA: 164.308(a)(7)(ii)(B)
PCI-DSS:
4.69.3 Standard
Backup copies of all non-Clarkson-Public Information on organization electronic media and information systems will be made regularly. This includes both Non-Public Information received by organization and created within organization
4.70 Identification and Authentication Policy and Procedures
4.70.1 Standard Owner: Tech Services
4.70.2 Standard References
NIST: IA-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA:
PCI-DSS: 12.1, 12.1.1
4.70.3 Standard
The organization will:
- Develop, document, and disseminate identification and authentication standards that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.71 Identification and Authentication (Organizational Users)
4.71.1 Standard Owner: HR
4.71.2 Standard References
NIST: IA-2
GLBA: Draft
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.8,12.6,12.6.1
4.71.3 Standard
All new organization employees will receive appropriate security training before being provided with account credentials that would allow access to organizational information systems.
4.72 Identification and Authentication (Organizational Users)
4.72.1 Standard Owner: HR
4.72.2 Standard References
NIST: IA-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.1.1, 8.2, 8.5,12.5.3
4.72.3 Standard
Each user and system account will have a unique user ID. Every account will be required to have a password. Shared accounts are prohibited. All exceptions must be approved by the Director of Network Services and Information Security.
4.73 Identification and Authentication (Organizational Users)
4.73.1 Standard Owner: Tech Services
4.73.2 Standard References
NIST: IA-2
GLBA: On Hold
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.5,12.5.3
4.73.3 Standard
Group accounts will not be used. All exceptions must be approved by the CSO.
4.74 Identification and Authentication (Organizational Users)
4.74.1 Standard Owner: Tech Services
4.74.2 Standard References
NIST: IA-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.2.6
4.74.3 Standard
To the extent practicable, all new user accounts will have a randomly generated first time password.
4.75 Identification and Authentication (Organizational Users)
4.75.1 Standard Owner: HR
4.75.2 Standard References
NIST: IA-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.5.1,12.5.3
4.75.3 Standard
Authentication credentials and methods will not be shared or revealed to others. Sharing an authentication method means the authorized user assumes responsibility for actions that another party takes with the disclosed method.
4.76 Identifier Management
4.76.1 Standard Owner: Tech Services
4.76.2 Standard References
NIST: IA-4
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 12.5.3
4.76.3 Standard
User IDs will be unique to individuals.
4.77 Authenticator Management
4.77.1 Standard Owner: Tech Services
4.77.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.6
4.77.3 Standard
Where practicable, initial use of an account, a password reset will be required. For this password reset, the user will be authenticated by a combination of unique information provided by the individual and information provided by Clarkson University
4.78 Authenticator Management
4.78.1 Standard Owner: Tech Services
4.78.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS:
Standard
User IDs and passwords will never be distributed in the same communication
4.79 Authenticator Management
4.79.1 Standard Owner: Tech Services
4.79.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.2
4.79.3 Standard
A formal, documented process for authenticating identities will exist for users needing a password reset
4.80 Authenticator Management
4.80.1 Standard Owner: Tech Services
4.80.2 Standard References
NIST: IA-5
GLBA: On Hold
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.4
4.80.3 Standard
Passwords will be changed every 180 days. Accounts used to process, transmit, or store credit cardholder data will be changed every 60 days.
4.81 Authenticator Management
4.81.1 Standard Owner: Tech Services
4.81.2 Standard References
NIST: IA-5
GLBA: Draft
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.5
4.81.3 Standard
Passwords will not be allowed to be re-used based on the previous 20 passwords which were used prior to the password reset.
4.82 Authenticator Management
4.82.1 Standard Owner: Tech Services
4.82.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.3
4.82.3 Standard
Passwords will conform to a minimal complexity standard. That standard mandates a mix of numeric, alphabetical, and special characters. Passwords will be a minimum length of 10 characters
4.83 Authenticator Management
4.83.1 Standard Owner: Tech Services
4.83.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.3
4.83.3 Standard
Passwords will not be based on something that can be easily guessed or obtained using personal information (e.g., names, favorite sports team, etc.)
4.84 Authenticator Feedback
4.84.1 Standard Owner: Tech Services
4.84.2 Standard References
NIST: IA-6
GLBA: Effective
GDPR:
ISO27001: A.9.4.2
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS:
4.84.3 Standard
All password and PIN based authentication systems will be masked, suppressed, or otherwise obscured so that unauthorized persons are not able to observe them
4.85 Cryptographic Module Authentication
4.85.1 Standard Owner: Tech Services
4.85.2 Standard References
NIST: IA-7
GLBA: Effective
GDPR:
ISO27001: A.18.1.5 HIPAA: 164.308(a)(5)(ii)(D) PCI-DSS: 8.2.1
4.85.3 Standard
Passwords will be encrypted, in storage, using a one-way encryption algorithm.
4.86 Identification and Authentication (Non- Organizational Users)
4.86.1 Standard Owner: Tech Services
4.86.2 Standard References
NIST: IA-8
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA:
PCI-DSS: 8.2.1
4.86.3 Standard
Methods (e.g., password or PIN) for authentication to organization information systems will not be built into logon scripts.
4.87 Identification and Authentication (Non- Organizational Users)
4.87.1 Standard Owner: Tech Services
4.87.2 Standard References
NIST: IA-8
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA:
PCI-DSS: 2.1, 2.5
4.87.3 Standard
Vendor provided default accounts will be changed.
4.88 Identification and Authentication (Non- Organizational Users)
4.88.1 Standard Owner: Tech Services
4.88.2 Standard References
NIST: IA-8
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA:
PCI-DSS: 8.1.5
4.88.3 Standard
Guest access will be limited to minimal functions to bridge the need for a secure environment with the need to provide courtesy services to visitors.
4.89 Identification and Authentication (Non- Organizational Users)
4.89.1 Standard Owner: Tech Services
4.89.2 Standard References
NIST: IA-8
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA:
PCI-DSS: 8.1.5.12.5.3
4.89.3 Standard
Where possible, guest accounts will not be created.
4.90 Service Identification and Authentication
4.90.1 Standard Owner: Tech Services
4.90.2 Standard References
NIST: IA-9
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.90.3 Standard
Service accounts will be requested and provisioned via the Access Control Procedure.
4.91 Adaptive Identification and Authentication
4.91.1 Standard Owner: Tech Services
4.91.2 Standard References
NIST: IA-10
GLBA: Validate GDPR: ISO27001: -- HIPAA:
PCI-DSS: 8.1.5, 8.3
4.91.3 Standard
Two-factor authentication is required for:
- Where supported by the system, all Privileged User access
- All use of the VPN
- All remote access to systems processing credit card information (PCI-DSS Requirement)
4.92 Policy & Procedures
4.92.1 Standard Owner: Information Security
4.92.2 Standard References
NIST: IR-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(6)(i)
PCI-DSS: 11.1.2,12.1,12.1.1,12.5.3 12.10.1
4.92.3 Standard
The organization will:
- Develop, document, and disseminate incident response standards and an incident response plan that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
- Develop and document a process for escalating reported incidents (e.g., automated, non-automated, service providers) in accordance with the Incident Response Plan
- Develop procedures to facilitate the implementation of these
- Review and update this policy and associated procedures, at a minimum,
4.93 Information Security
4.93.1 Standard Owner: Information Security
4.93.2 Standard References
NIST: IR-2
GLBA: On Hold
GDPR:
ISO27001: A.7.2.2* HIPAA: 164.308(a)(6)(i) PCI-DSS: 12.10.4
4.93.3 Standard
Regular training and awareness will be provided for organization workforce members who have been assigned a role in the Incident Response Plan or Incident Response Procedures
4.94 Incident Response Plan Testing
4.94.1 Standard Owner: Information Security
4.94.2 Standard References
NIST: IR-3
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(6)(i)
PCI-DSS: 12.10.2
4.94.3 Standard
The Incident Response Plan and Incident Response Procedures will be tested annually.
4.95 SIRT: authority to operate
4.95.1 Standard Owner: Information Security
4.95.2 Standard References
NIST: IR-4
GLBA: Effective
GDPR:
ISO27001: A.16.1.4, A.16.1.5, A.16.1.6
HIPAA: 164.308(a)(6)(ii)
PCI-DSS: 11.1.2
4.95.3 Standard
When responding to an incident, the Security Incident Response Team (SIRT) will take all appropriate actions to ensure that the confidentiality, integrity, and availability of organization information systems has not been compromised. Such actions can include, but are not limited to, temporarily removing an information system from the organization network, or blocking the building in which the incident occurred, requesting access to an information system or viewing data.
4.96 Monitoring & tracking incidents
4.96.1 Standard Owner: Information Security
4.96.2 Standard References
NIST: IR-5
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)
PCI-DSS: 12.10.6
4.96.3 Standard
The organization will have mechanisms for quantifying and monitoring the types, volumes and costs of security incidents. This information should be used to identify the need for improved or additional security controls
4.97 Security event escalation
4.97.1 Standard Owner: Information Security
4.97.2 Standard References
NIST: IR-6
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)
PCI-DSS: 11.1.2
4.97.3 Standard
Security events identified through logging and monitoring services will be escalated in accordance with Incident Response Procedures
4.98 Response to alarms
4.98.1 Standard Owner: Information Security
4.98.2 Standard References
NIST: IR-6
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii), 164.314(a)(2)(i)
PCI-DSS: 12.10.5
4.98.3 Standard
Incident Response Procedures will address the occurrence of alarms and appropriate escalation.
4.99 Compromised credentials
4.99.1 Standard Owner: Information Security
4.99.2 Standard References
NIST: IR-6
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)
PCI-DSS: 12.10, 12.10.1
4.99.3 Standard
The loss, theft, or inappropriate use of organization access credentials (e.g., passwords, FOBs or security tokens), assets (e.g., laptop, cell phones), or information will be reported to the IT Help Desk
4.100 Security Incident Response Plan (SIRP)
4.100.1 Standard Owner: Information Security
4.100.2 Standard References
NIST: IR-8
GLBA: Effective
GDPR:
ISO27001: A.16.1.1
HIPAA:
PCI-DSS: 11.1.2, 12.10, 12.10.1, 12.10.3
4.100.3 Standard
The organization will have a formal, documented process for quickly and effectively detecting and responding to security incidents that may impact the confidentiality, integrity, or availability of organization information systems. At a minimum, the process will include the following:
- A security incident response team (SIRT), whose membership may vary depending on the security
- Formal procedure enabling organization workforce members to report a security incident to appropriate persons including potential reporting to the organization Security Officer.
- Formal process for analyzing and identifying the cause(s) of a security
- References to emergency access procedures
- Formal process for activation of the
- Formal procedure for communication with all organization workforce members affected by or responding to a security incident.
- Formal procedure for collecting evidence of a security
- Formal mechanisms for evaluating security incidents and implementing appropriate mitigations to prevent further recurrence.
- Data breach protocols
- Quantifying incident types and frequency
- Designating specific personnel who receive alerts on a 24/7 basis
4.101 Information Security
4.101.1 Standard Owner: Information Security
4.101.2 Standard References
NIST: IR-9
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.101.3 Standard
Standard templates for breach notification will be developed and maintained.
4.102 SIRT membership roster
4.102.1 Standard Owner: Information Security
4.102.2 Standard References
NIST: IR-10
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 12.1,12.1.1,12.10.1
4.102.3 Standard
The SIRT will be defined in the Incident Response Plan, and updated at a minimum, annually.
4.103 System Maintenance Policy and Procedures
4.103.1 Standard Owner: IT
4.103.2 Standard References
NIST: MA-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.310(a)(2)(iv)
PCI-DSS: 12.1, 12.1.1
4.103.3 Standard
The organization will:
- Develop, document, and disseminate maintenance standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.104 Controlled Maintenance
4.104.1 Standard Owner: IT
4.104.2 Standard References
NIST: MA-2
GLBA: Effective
GDPR:
ISO27001: A.11.2.4*, A.11.2.5*
HIPAA: 164.310(a)(2)(iv)
PCI-DSS:
4.104.3 Standard
System Maintenance will be done in the safest method possible. If it requires bringing a system down to avoid an accidental crash, that is the method which will be used
4.105 Controlled Maintenance
4.105.1 Standard Owner: Facilities; | IT |
4.105.2 Standard References
NIST: MA-2
GLBA: Effective
GDPR:
ISO27001: A.11.2.4*, A.11.2.5*
HIPAA: 164.310(a)(2)(iv)
PCI-DSS:
4.105.3 Standard
The organization will document all repairs and modifications to the physical components of its facilities that are related to security of Non-public Information. Physical components include, but are not limited to, automated physical access systems, locks, doors and walls.
4.106 Maintenance Personnel
4.106.1 Standard Owner: IT
4.106.2 Standard References
NIST: MA-5
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(3)(ii)(A)
PCI-DSS: 9.4.1
4.106.3 Standard
When being performed by external vendors, maintenance personnel will be escorted into the location where the work is to be performed and monitored while the work is being performed
4.107 Timely Maintenance
4.107.1 Standard Owner: IT
4.107.2 Standard References
NIST: MA-6
GLBA: Effective
GDPR:
ISO27001: A.11.2.4 HIPAA: 164.310(a)(2)(iv) PCI-DSS:
4.107.3 Standard
Where possible and cost-effective, replacement parts will be kept on site for faster remediation (such as hard drives)
4.108 Timely Maintenance
4.108.1 Standard Owner: Facilities; | IT |
4.108.2 Standard References
NIST: MA-6
GLBA: Effective
GDPR:
ISO27001: A.11.2.4 HIPAA: 164.310(a)(2)(iv) PCI-DSS:
4.108.3 Standard
Malfunctioning alarms will be repaired within 5 business days or as soon as possible, based on the determination of their malfunction.
4.109 Media Protection Policy and Procedures
4.109.1 Standard Owner: Information Technology
4.109.2 Standard References
NIST: MP-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.310(d)(1)
PCI-DSS: 12.1, 12.1.1
4.109.3 Standard
The organization will
- Develop, document, and disseminate media protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.110 Media Access
4.110.1 Standard Owner: Information Technology
4.110.2 Standard References
NIST: MP-2
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.308(a)(3)(ii)(A) , 164.310(c), 164.310(d)(1), 164.312(c)(1)
PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5
4.110.3 Standard
It is prohibited to store any information that is not Clarkson-Public on home computers or personal devices.
4.111 Media Marking
4.111.1 Standard Owner: Information Technology
4.111.2 Standard References
NIST: MP-3
GLBA: On Hold
GDPR:
ISO27001: A.8.2.2
HIPAA: 164.310(c), 164.310(d)(1)
PCI-DSS: 9.6.1
4.111.3 Standard
All organization information will be classified and marked in accordance with the Data Classification Policy
4.112 Media Storage
4.112.1 Standard Owner: Information Technology
4.112.2 Standard References
NIST: MP-4
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 3.1,4.2
4.112.3 Standard
The writing or storage of information classified as 'Clarson Private' on personal-liable mobile devices (phones, tablets, USB drives) and removable media is prohibited.
4.113 Media Storage
4.113.1 Standard Owner: Information Technology
4.113.2 Standard References
NIST: MP-4
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS:
4.113.3 Standard
Workstations (laptops and desktops) that store Non-Public Information will be encrypted using a pre-boot, full disk configuration
4.114 Media Storage
4.114.1 Standard Owner: Finance | Compliance
4.114.2 Standard References
NIST: MP-4
GLBA: Validate
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5
4.114.3 Standard
Storing electronic cardholder information is prohibited. This includes:
- Any information on the front of the credit card (or PAN)
- Sensitive authentication data (during credit cardholder processing)
- Any contents of any track on a credit card (the magnetic stripe)
- The card verification code (CVV/CID)
- Personal Identification Numbers (PINs)
4.115 Media Storage
4.115.1 Standard Owner: Finance
4.115.2 Standard References
NIST: MP-4
GLBA: Validate
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 9.5, 9.6, 9.8, 9.8.1
4.115.3 Standard
Storing of non-electronic cardholder data is permissible, provided the following exist:
- Only the information on the front of the credit card (or PAN) is retained
- The card verification code on the back of the card is not retained (CVV/CID)
- Personal Identification Numbers (PINs) are not retained
- Retention schedules have been defined and documented
- A documented process for destroying non-electronic information is being followed and compliant with Data Destruction Procedures
- Information has appropriate physical safeguards in place
4.116 Media Storage
4.116.1 Standard Owner: Information Technology |
4.116.2 Standard References
NIST: MP-4
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 3.1
4.116.3 Standard
The retention period for backups of Non-Clarkson-Public Information will be defined and documented in accordance with state, federal, and other regulatory requirements
4.117 Media Storage
4.117.1 Standard Owner: Information Technology |
4.117.2 Standard References
NIST: MP-4
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 9.5,9.5.1
4.117.3 Standard
All backups of electronic Non-Public Information, in storage, will be encrypted. All backups of non-electronic Non-Public Information, in storage, will be physically secured.
4.118 Media Transport
4.118.1 Standard Owner: Information Technology |
4.118.2 Standard References
NIST: MP-5
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS: 4.2
4.118.3 Standard
Transmission of Non-Clarkson-Public Information by non-corporate messaging technologies (for example, personal e-mail, instant messaging, SMS, chat, etc.) is prohibited.
4.119 Media Transport
4.119.1 Standard Owner: Information Technology |
4.119.2 Standard References
NIST: MP-5
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS:
4.119.3 Standard
Removable media used for backups will be kept secure while in transit
4.120 Media Transport
4.120.1 Standard Owner: Information Technology |
4.120.2 Standard References
NIST: MP-5
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS: 9.6.3
4.120.3 Standard
All movement of organization information systems and media containing Non-Public Information into and out the facilities must be authorized
4.121 Media Transport
4.121.1 Standard Owner: Information Technology |
4.121.2 Standard References
NIST: MP-5
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS: 9.6.2
4.121.3 Standard
All media containing Non-Clarkson-Public Information that will be mailed offsite will be transported using a secure carrier or via an encrypted device.
4.122 Media Transport
4.122.1 Standard Owner: Information Technology |
4.122.2 Standard References
NIST: MP-5
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS: 9.6.3
4.122.3 Standard
- Date and time of movement of system or media
- Brief description of person using or sending Non-Public Information on system or media
- Brief description of where Non-Public Information is to be sent or how used
- Name of person authorizing such transaction
4.123 Media Sanitization
4.123.1 Standard Owner: Information Technology |
4.123.2 Standard References
NIST: MP-6
GLBA: Draft
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
HIPAA: 164.310(d)(1), 164.310(d)(2)(i), 164.310(d)(2)(ii)
PCI-DSS: 3.1, 9.8, 9.8.1, 9.8.2
4.123.3 Standard
All Non-Public Information must be destroyed in a manner compliant with NIST 800-88 or utilizing a NAID certified supplier. Documented procedures for destroying Non-Public Information must address:
- The destruction of data when storage media is end-of-life or has failed
- When retention schedules have been met
4.124 Media Use
4.124.1 Standard Owner: Information Technology |
4.124.2 Standard References
NIST: MP-7
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5
4.124.3 Standard
Whenever practical, all workforce members and service providers will use approved workstations or devices to access organizational data, systems, or networks.
4.125 Media Use
4.125.1 Standard Owner: Information Technology |
4.125.2 Standard References
NIST: MP-7
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS:
4.125.3 Standard
All workforce members who use organization workstations will take all reasonable precautions to protect the confidentiality, integrity, and availability of Non-Public Information contained on the workstations
4.126 Media Use
4.126.1 Standard Owner: Information Technology |
4.126.2 Standard References
NIST: MP-7
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS:
4.126.3 Standard
Workforce members will not use organization workstations to engage in any activity that is either illegal under local, state, federal, or international law or is in violation of organization policy
4.127 Media Use
4.127.1 Standard Owner: Information Technology |
4.127.2 Standard References
NIST: MP-7
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS:
4.127.3 Standard
Organization employees and affiliates who authorize the movement of electronic media, non-public information, or information systems containing Non-Public Information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized access
4.128 Media Use
4.128.1 Standard Owner: Information Technology |
4.128.2 Standard References
NIST: MP-7
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS:
4.128.3 Standard
Organization workstations will be used only for authorized business purposes. Such use demonstrates respect for intellectual property, ownership of data, security controls, and individuals' rights to privacy.
4.129 Media Use
4.129.1 Standard Owner: Finance
4.129.2 Standard References
NIST: MP-7
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS: 3.3
4.129.3 Standard
Credit cardholder data (the PAN) must be masked when displayed (the first six and last four digits are all that can be displayed).
4.130 Personnel Security Policy and Procedures
4.130.1 Standard Owner: HR
4.130.2 Standard References
NIST: PS-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C)
PCI-DSS: 12.1, 12.1.1