State of New Mexico Department of Labor Information Technology Services Security Policy

Dated: 7/14/2005

Table of Contents

Chapter 1 INTRODUCTION
1.1 Purpose and Goals
1.2 Requirements for Security
1.2.1 Requirement for physical and computer security
1.2.2 Objectives of the security plan and its implementation
1.2.3 Security policies to be carried out
1.2.4 Security controls necessary to maintain those standards
1.2.5 Methodology
Chapter 2 PERIMETER SECURITY
2.1 Internet Firewall
2.1.1 DMZ and NMDOL access
2.1.2 Load Balancing Web Services
2.1.3 Access between NMDOL Web and Application Services
2.2 Internet Routers
2.3 External Organizations
CHAPTER 3 INTER-AGENCY CONNECTIVITY
CHAPTER 4 DATA PROTECTION AND CONFIDENTIALITY (Non-disclosure agreements)
CHAPTER 5 MONITORING OF THE INTERNAL NETWORK
5.1 Intrusion Detection/Prevention
5.2 Vulnerability Scanning
CHAPTER 6 HOSTS AND ACCESS PROCESS (Protection and testing of NMDOL resources)
CHAPTER 7 REMOTE ACCESS
CHAPTER 8 INFRASTRUCTURE SECURITY
8.1 Physical Devices
8.2 Server/PC Patch Management
8.3 Virus Protection
8.4 Secure Devices Access
8.5 Secure router configuration files
CHAPTER 9 CUSTOMERS RESPONSIBILITY
9.1 Password Control
9.2 NMDOL Assistance
CHAPTER 10 CHANGE CONTROL

1. Introduction

The Internet and the shared State of New Mexico backbone provide the opportunity to decrease cost, increase productivity and ease the sharing of information between State agencies and the public. In doing so, however, there is a risk to the confidentiality and integrity of data held both publicly and privately. With the changes to current business practices outlined in the New Mexico Department of Labor (NMDOL) Strategic Plan, measures should be implemented to provide the security necessary to give all stakeholders confidence in information sharing. Such measures are not possible without a centralized security policy designed to support the E-business and E-government objectives of the State.

1.1 Purpose and Goals

The purpose of this document is to outline policy directives for the State of New Mexico, Department of Labor (NMDOL), Information Technology Services (ITS) staff for network computer security. This policy is not intended to be a technical statement on the implementation of these directives, but rather a set of administrative guidelines that set the technical direction. This policy is designed to meet the following objectives:
• Support DOL business requirements with the highest quality practical methods.
• Reduce both legal and security risks.
• Define protection for DOL maintained shared assets.
• Define a limited and consistent level of protection for agency resources.
• Define training for employees in maintaining security.
• Implement a ‘protect and proceed’ policy, rather than a ‘pursue and prosecute’ policy.

1.2 Requirements for Physical and Computer Security

This document defines physical and logical methods that are to be implemented and maintained to provide appropriate and effective physical and computer security measures for the data processing and communications services of the New Mexico Department of Labor. This section provides an introduction to the requirements for (a) physical and (b) computer security.

Requirements for Physical Security

The requirements for physical security include protection of the following:
• The Information Technical Services Department (ITS) facilities in Albuquerque that house NMDOL data processing assets.
• The data processing and data communication equipment provided and maintained by NMDOL and/or the General Services Information Systems Division (GSD/ISD) within NMDOL facilities.
• The data, supplies, and documentation pertaining to the use of that equipment.
• Public property.

Requirements for Computer Security

The requirements for computer security include the following:
• Prevention, deterrence, and detection of fraud and abuse.
• Maintenance of privacy and confidentiality for individuals on whom data is collected, processed, and stored.
• Protection of public rights.
• Protection of the confidentiality of proprietary management and planning information.

1.2.2 Objectives of the security plan and its implementation
1.2.3 Security policies to be carried out
1.2.4 Security controls necessary to maintain those standards
1.2.5 Methodology

The DOL security policy will do the following:
• Perform a risk assessment.
• Identify networked assets to protect: networked hosts, networking devices, and data that travels across the network.
• Know thy enemy: determine what we are going to protect it from. Determine the most vulnerable points and who may try to exploit them.
• Assess risks.
• Implement cost-effective action.
• Define a continuously improving security procedure.

This policy will document methods to achieve these steps.

2. Perimeter Security

The perimeter of the network is defined as those connections outside of the NMDOL network, such as connections to the Internet and other ‘uncontrolled’ networks. The functional system will be divided into three layers: a DMZ layer to allow access by users from outside to utilize business services, an application layer where the business logic will take place, and a general user layer where applications will reside for daily business functions (file services, printing services, email, etc.). Each of the layers will be physically and logically isolated for security purposes by means of network segmentation. That is, each layer will reside within its own secure sub-network. The presentation layer will allow traffic only between the user and the application layer. The application layer will allow traffic only between the application and the database. Firewalls and routers will allow traffic only through designated ports, allowing limited protocols at each layer. Firewalls and routers will allow traffic only from designated IP addresses at each layer.

2.1 Internet Firewall and Zones

A Firewall will exist at the boundaries between the DOL network and the State’s network, the global Internet and any other untrusted external networks. NMDOL will implement three distinct zones. All traffic to each zone within NMDOL should be routed through the internal firewall, where the policy determining access and traffic patterns is assessed. The zones are defined as follows:
• DMZ: Publicly accessible servers, such as WWW servers, will reside in the DMZ and will be isolated from other computer systems and protected.
• NMDOL Intranet Zone: DOL hosts, both local and remote, will access the main Local Area Network through this zone.
• Application Zone: The area hosting applications required for NMDOL business needs.

Access from non-NMDOL agencies will be permitted when it is necessary for business purposes. A minimal level of protection will be maintained in accordance with the goals of this policy.

2.1.1 DMZ and NMDOL Access

The DMZ will be established between the Internet (public network) and the NMDOL secure intranet zones. Within the DMZ will reside the Web based services. These services are available to the general public, typically upon registration. There should be no direct connectivity from an external public address to any NMDOL service without proper authority. Direct access must be tightly controlled using routing and firewall policies and eliminated as soon as access is no longer required.
• Within the DMZ: Services provided through the Internet (Web-enabled applications, FTP, Mail, DNS, VoIP, etc.) shall be deployed on a Demilitarized Zone (DMZ) or proxied from the DMZ.
• All communication from servers within the DMZ to internal applications and services shall be controlled.
• Remote or dial-in access to networks shall be authenticated at the firewall, or through internal authentication services within the VPN concentrator placed in the DMZ.
• The DMZ is the appropriate location for web servers, external DNS servers, Virtual Private Networks (VPNs), and dial-in servers.
• All remote access users shall be considered external and therefore should be subject to the firewall rule set. VPNs should terminate on the external segment or outside of the firewall.

2.1.2 Load Balancing Web Services

External (Internet) customers utilizing services within NMDOL must not connect directly to the Web Services residing within the NMDOL DMZ. NMDOL utilizes a Server Load Balancing device configured to balance traffic between web services. Customers utilizing NMDOL services connect via the Load Balancer to the desired Web Server. In turn, these Web Servers communicate with Application Servers in the private server network of NMDOL. At no time should the application servers be accessible directly from a non-secured zone.

2.1.3 Access between Web and Application Servers

Access to Application services is to be strictly limited to authorized protocols and will be enforced and monitored continuously via log reports and real-time statistics. Customers are required to register prior to receiving access to UI and WIA services. Connection between Web Services and Application Servers is allowed only after proper authentication and a secure connection have been established. Direct connectivity between Application services and the general network should be prevented. A firewall shall exist between all NMDOL Application Services and the general DOL network. Accessibility for these services should be available via TCP ports 80 (HTTP) and 443 (HTTPS). No other protocols should be opened for this connection.

2.2 Internet Routers
• Access to Internet routers will be limited to designated administration hosts and/or networks.
• Appropriate authentication will be used on all methods of access.
• No default strings or passwords will be retained on any publicly visible router. Passwords on publicly visible routers should be changed on a quarterly basis or when unauthorized entry is suspected.
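The port restriction in 2.1.3 (only TCP 80 and 443 from the web tier to the application tier, nothing from the application tier back toward the general network) can be written directly as router access lists. The following is an added example prepared for this page; it is not configuration taken from the NMDOL policy or from any NMDOL device. The interface names and the addresses 192.0.2.0/24 (DMZ web tier) and 198.51.100.0/24 (application tier) are assumptions drawn from the reserved documentation ranges.

```cisco
! Added example, not part of the NMDOL policy. Assumed (made-up) addressing:
!   192.0.2.0/24     DMZ web tier        (RFC 5737 documentation range)
!   198.51.100.0/24  application tier    (RFC 5737 documentation range)
! Interface names are placeholders; adjust to the router in use.
!
! Inbound on the DMZ-facing interface: web servers may open connections to
! the application tier on TCP 80 and 443 only. Everything else is denied and
! logged, which feeds the log review that 2.1.3 calls for.
ip access-list extended WEB-TO-APP
 remark 2.1.3: only HTTP/HTTPS from the web tier to the application tier
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 80
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 443
 deny   ip any any log
!
! Inbound on the application-facing interface: the application tier may only
! answer web sessions that already exist (source port 80/443 and the TCP
! ACK or RST flag set); it cannot open new connections toward the web tier
! or the general DOL network. Permits for the application-to-database path
! would be added to this list as well.
ip access-list extended APP-TO-WEB
 remark 2.1.3: return traffic for established web sessions only
 permit tcp 198.51.100.0 0.0.0.255 eq 80 192.0.2.0 0.0.0.255 established
 permit tcp 198.51.100.0 0.0.0.255 eq 443 192.0.2.0 0.0.0.255 established
 deny   ip any any log
!
interface FastEthernet0/1
 description DMZ web tier
 ip address 192.0.2.1 255.255.255.0
 ip access-group WEB-TO-APP in
!
interface FastEthernet0/2
 description Application tier
 ip address 198.51.100.1 255.255.255.0
 ip access-group APP-TO-WEB in
```

The established keyword only inspects TCP flags, so these lists are a coarse backstop on the router; the stateful firewall that 2.1.3 requires between the tiers remains the primary control. The deny ... log entries are what make attempts to reach the application tier on other ports visible in the log reports the section refers to.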

Access Control Lists (ACLs) are to be used to control telnet/SNMP access, with TACACS+ for authentication and IOS-level policies. ACLs are to be implemented on interfaces to control or eliminate undesirable network traffic entering or leaving the department. Tools such as CiscoWorks should be in place to monitor router activity, IOS levels and other administrative procedures.

2.3 External Organizations

Access shall be granted to NMDOL services for external organizations such as contractors based on business needs. This access will, however, be controlled and limited to that required by agreements and contracts with the NMDOL. It is the intention of this policy to provide the minimal access possible to allow business to be conducted.
• Wherever possible, this access will be through a single controlled point.
• Virtual Private Networking (VPN) will be used whenever required for external connectivity to the NMDOL infrastructure. This will provide the encryption and maintain the integrity of the NMDOL infrastructure. VPN access will be granted with Information Technical Support Department (ITS) approval and only after the VPN security access form has been completed and approved.
• Transport Layer Security (TLS) or Secure Socket Layer (SSL) shall be employed between a web server and browser to authenticate the web server and, optionally, the user’s browser. Implementations of TLS and SSL shall allow for client authentication support using the services provided by Certificate Authorities.
• External connections shall be removed promptly when no longer required. Key network components shall be disabled or removed to prevent inadvertent reconnection.

It is the responsibility of the external agency to meet and comply with section 7 and section 8 of this policy.

Contractors on site: Vendors/Visitors should not be left unattended within NMDOL. Access (physical and networked) for contractors should be kept to a minimum and checked on a regular basis.

3. Inter-agency Connectivity

The following measures will be implemented at the DOL boundaries.
• The DOL core network will be monitored against well-known intrusions from inside sources.
• Connections out of the State’s network will be monitored for well-known intrusions.
• Intrusions from agency to agency will be monitored or detected.
• Anti-virus software will be in place and up to date to limit incoming malicious email.
• Policies will be in place to limit access for single external hosts.

In the event of an intrusion, appropriate steps will be taken by DOL personnel and agency IT staff will be notified. In extreme circumstances, all connectivity to outside agencies could be terminated to prevent further spread of a virus/worm or possible intrusion.

4. External-agency Connectivity - Protection of Confidentiality

The following measures will be implemented for data sharing between NMDOL and an external agency. The Parties will safeguard shared information as follows:

A. Access to the records sought, and to any records created with the information disclosed under this Agreement containing the name, SSN, or other identifiable information of the individual, will be restricted to authorized employees who require the information to perform their official duties in connection with the use of the information authorized by the agreement.

B. All personnel who have access to the information, or to the records containing information disclosed under this Agreement that identify any individual by name, SSN, or otherwise, will be advised of the confidential nature of the information and of the civil and criminal sanctions contained in applicable state and federal laws for divulging the information unlawfully.

C. All non-NMDOL personnel having access to the information under this Agreement shall be identified in writing. The outside agency shall notify NMDOL in writing of any changes or additions to personnel having access.

D. Security and confidentiality requirements and policies will be established, maintained and enforced in accordance with state and federal law governing the handling and disclosure of participant information.

E. The information disclosed and records created with the disclosed information will be processed and maintained in a manner that will protect the confidentiality of the disclosed information, and in a manner that will prevent unauthorized individuals from retrieving or accessing the information. This requirement includes access to computers, terminals and electronic on-line access as well as printed or paper copies of the information.

F. The shared data will be used and accessed only for purposes of compliance with the respective department’s governing federal and state statutes, rules and regulations.

G. Any person who knowingly and willfully requests or obtains shared information under false pretenses, or who knowingly and willfully discloses such information in a manner or to a person not authorized by law to receive it, shall be immediately denied access to shared information and shall be subject to all appropriate federal and state criminal and civil penalties.

H. The affected party shall immediately: (1) notify the other of any known or suspected improper disclosures of data files or other confidential information; (2) promptly furnish the full details of the unauthorized possession, use, or knowledge of data files or other confidential information; and (3) assist in an investigation of the matter and take steps to prevent a recurrence.

I. NMDOL and the external organization may make on-site inspections or other provisions to assure that the safeguards described above are being maintained by DOL or the agency respectively.

J. Signed agreement forms from External Agency employees shall be submitted to DOL’s Internal Security and Audit Unit within 10 days of the execution of this Amendment.

K. Upon the termination of this Agreement for any reason, any information received under the terms of this Agreement or subsequent amendments or revisions shall remain subject to the confidentiality provisions indefinitely.

Non-disclosure agreements:
External Agencies sharing data with NMDOL are required to sign statements of non-disclosure, which should be part of the Memorandum of Understanding (MOU). Chapter 4, External-agency connectivity – Protection of confidentiality, of the NMDOL Information Technology Services Security Policy fulfills this requirement and should be part of each MOU. It must be verified that external agencies requiring the sharing of data with NMDOL have internal non-disclosure policies in place for their employees. It is further recommended that a copy be placed with the MOU.

5. Monitoring of the Internal Network

While appropriate perimeter protection provides a solid first line of defense against intruders, it is felt that critical resources require further measures. As such, DOL will use automated monitoring tools to continuously watch network segments deemed to house critical hosts or resources. This monitoring will accomplish the following:
• Detection of well-known intrusions, regardless of source.
• Automatic protection of hosts under attack.
• Automatic alerting of personnel as required by the severity of the detected attack.
• Detection of intrusions into restricted areas by internal users.
• Monitoring of Internet activity and periodic reports of all activity.

5.1 Intrusion Detection/Prevention

Intrusion detection mechanisms or intrusion prevention tools should be incorporated into all servers connected to the Wide Area Network (WAN) and into all internetworking devices that serve as gateways between WAN network segments.
• When used, intrusion detection systems shall be installed both external and internal to the firewall technology protecting the network, to monitor, block, and report unauthorized activity.
• Logs should be reviewed by agency authorized personnel and all incidents, violations, etc. reported and resolved.
• Intrusion detection mechanisms for servers shall include the use of software and review procedures that scan for unauthorized changes to files, including system files. Software and review procedures shall examine network traffic for known, suspicious attack signatures or activities and look for network traffic indicative of devices that have been configured improperly.

5.2 Vulnerability Scanning

Network and host vulnerability scanners should be used to test for vulnerabilities of internal systems and of network perimeter defenses, as well as adherence to security policy and standards. Vulnerability scanners should be components of the State’s comprehensive network security solutions. Such components allow security administrators to measure security, manage risk, and eliminate vulnerabilities, providing a more secure network environment. Scanners should have the ability to do the following:
• Identify security holes by confirming vulnerabilities.
• Provide effective analysis of vulnerability data using browsing techniques.
• Provide comprehensive reports and charts for effective decision making and improved security.
• Define and enforce valid security policies when used during security device installation and certification.

It is the intent of NMDOL to provide adequate monitoring and to provide training to staff on internal monitoring tools.

6. Hosts and Access Process

While NMDOL hosts will be behind the Enterprise maintained firewall, the responsibility for protecting such hosts (all enterprise servers) will be held by host administration, and the measures to be taken will be documented both administratively and technically in a separate set of policy documents. Access rights for all users will be reviewed on a continual basis by the networking staff. Users will be granted minimal access to network resources. Any additional access rights must be pre-approved in writing by their supervisor. Access required for other department resources must be approved by the department supervisor. An access form must be submitted by the authorizing supervisor or Human Resources via the ITS helpdesk for any change to, addition of, or termination of access privileges. NMDOL will make every effort to disallow contradictory access roles and privileges. Contradictory roles are defined as access for an individual that provides both the capability to submit and to approve a transaction. It is the responsibility of the Internal Security and Audit (IS&A) unit to review access privileges on a continuous basis.

Account management: All access should be removed immediately for terminated or discharged staff. The Human Resources and Legal departments within NMDOL should direct access for personnel against whom administrative action is being or has been taken. Note: The suspension and termination of access is covered in Policy Issuance 26.

7. Remote Access

It is vital for access to State resources to be available from outside of State facilities. However, this is also a potential avenue for attack, and steps must be taken to prevent this potential from becoming a reality.
• Modems attached to critical network assets will be connected on request and disconnected after service is completed.
• Modems attached to personal computers will be configured for dial-out only.
• All UNIX hosts come with native security and well-known security issues. A technical-level policy will be developed for every operating system. This policy will be provided and implemented by the administrator.
• VPN access will be granted on an as-needed basis and to users requiring access to the DOL network for business purposes only. VPN access will be granted only when the proper forms and signatures have been obtained and approved. (See Virtual Private Network Policy)
• It is the intent of the ITS Bureau to provide access to NMDOL resources to staff and approved contractors via VPN when they require access outside normal business hours. This access will be on an as-needed basis.

8. Infrastructure Security

8.1 Physical Device Security
• Physical barriers will control access to critical hardware. Access to critical infrastructure will be secured behind a controlled environment allowing only authorized personnel.
• Control direct access to all network equipment. Best efforts should be made to provide a secured environment for all networked devices.
• Ensure a comprehensive disaster recovery plan is written and stored off-site in a secure location.

8.2 Patch Management (Servers/PCs)

To better protect the NMDOL infrastructure and resources from potential vulnerabilities, NMDOL Administrative Staff and externally connected agencies will actively monitor for and respond to any Operating System/Security patch updates released. Patches should be installed in the production environment only after proper testing in a controlled environment. Installation of system/security patches should be performed on NMDOL networked resources (servers, staff personal computers and externally connected computers) as soon as testing is completed. It is the responsibility of externally connected and remote dial-up connected personnel to provide, install and run the latest operating system and security patches.
• Patches shall be installed (use of an automated tool is recommended) on all affected internetworking devices. Designated employees or contractors shall monitor the status of patches once they are deployed.
• Patches make changes to the configuration of an internetworking device and are designed to protect and secure internetworking devices and attached IT devices and systems from attack; they shall be controlled and documented.

8.3 Virus Protection

The principal concern of this computer virus protection policy is the effective and efficient prevention of network virus outbreaks and network security attacks involving computers associated with the New Mexico Department of Labor. The primary focus is to ensure that NMDOL users are aware of and take responsibility for the proper use of the NMDOL provided virus protection software. NMDOL will maintain an up-to-date anti-virus process to be distributed to all NMDOL staff. This policy is intended to ensure:
• The integrity, reliability, and good performance of NMDOL computing resources.
• That the resource-user community operates according to a minimum of safe computing practices.
• That the NMDOL licensed virus software is used for its intended purposes.

Processes should be in place to automate the scanning of each removable medium (floppy disk, CD, DVD, etc.) for possible viruses. It is the responsibility of all staff to ensure that all removable media are scanned prior to opening.

8.4 Secure Devices Access
• No default console passwords.
• Use enable and enable secret passwords.
• Passwords changed on a quarterly basis or if the device is suspected of having been compromised.
• Timeouts for unattended console or vty ports (the timeout is 10 minutes by default).
• Encrypt all passwords in router configurations. At no time shall a configuration be sent with passwords unencrypted.
• For non-NMDOL technical support, e.g. Cisco Support, a temporary account or user-level password shall be enabled to grant access to the supporting technician.

8.5 Secure Router Configuration Files
• Protect and limit access to TFTP servers containing router configuration files.
• Protect any host on which the TFTP service is running.
• Only authorized staff should have access to router configurations.
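The router controls in 2.2 (admin access only from designated hosts, TACACS+ authentication, no default community strings, ACLs on telnet/SNMP), 8.4 (enable secret, console and vty timeouts, encrypted passwords, a temporary support account) and 8.5 (no configuration fetched over the network) map onto a small Cisco IOS configuration fragment. The following is an added example written for this page; it is not the NMDOL policy's own text nor a configuration from any NMDOL device. The hostname, domain name, management network 203.0.113.0/24, TACACS+ server 203.0.113.10 and user names are assumptions, and every <REPLACE-...> token is a placeholder to be filled in out of band.

```cisco
! Added example, not part of the NMDOL policy or any NMDOL device configuration.
! Assumed (made-up) values: management network 203.0.113.0/24, TACACS+ server
! 203.0.113.10 (both RFC 5737 documentation ranges), hostname and domain name.
! Every <REPLACE-...> token is a placeholder; real secrets are never pasted
! into documentation or e-mail (8.4).
hostname nmdol-edge-rtr
ip domain-name nmdol.example
!
! 8.4: no clear-text passwords in the configuration. "enable secret" stores a
! hash; the older reversible "enable password" form is explicitly removed.
service password-encryption
enable secret <REPLACE-WITH-ENABLE-SECRET>
no enable password
!
! 8.5: never fetch a configuration from a network (TFTP) server at boot
no service config
!
! 2.2: TACACS+ authentication, authorization and accounting for every login,
! with a single local account as fallback for when the TACACS+ server is down.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 203.0.113.10
tacacs-server key <REPLACE-WITH-TACACS-KEY>
username netadmin secret <REPLACE-WITH-LOCAL-SECRET>
!
! 8.4: a temporary user-level (privilege 1) account for outside support such as
! a vendor engineer; it is removed as soon as the support case is closed.
username vendor-tmp privilege 1 secret <REPLACE-WITH-TEMP-SECRET>
!
! 2.2: only the administration hosts may reach the management services;
! anything else is refused and logged.
access-list 10 remark management hosts allowed to administer this router
access-list 10 permit 203.0.113.0 0.0.0.255
access-list 10 deny   any log
!
! 2.2: no default SNMP community strings; read-only SNMP from ACL 10 hosts only
no snmp-server community public
no snmp-server community private
snmp-server community <REPLACE-WITH-RO-COMMUNITY> RO 10
!
! 8.4: idle timeouts on console and vty (10 minutes is the IOS default, written
! out so it is visible in the saved configuration); SSH only on the vty lines,
! with ACL 10 applied so telnet/SSH attempts from other hosts are logged.
line console 0
 exec-timeout 10 0
 login authentication default
line vty 0 4
 exec-timeout 10 0
 access-class 10 in
 transport input ssh
 login authentication default
```

SSH on the vty lines also needs an RSA key pair, generated interactively with crypto key generate rsa after the hostname and domain name are set, which is why it does not appear in the saved configuration. Because access-list 10 is referenced by both the vty lines and the SNMP community, adding or retiring a management host is a single change, and the log entries from its deny line are the record of who tried to reach the router from anywhere else.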

9. Customer Responsibility

There is a fine balance between providing optimum security for the network and allowing personnel to perform their duties in the most timely and easy manner possible. In order to make social as well as technical attacks more difficult, training will be implemented on computer security for all DOL employees. The goal will be to make them aware of the most common social attacks used and the simplest means for protecting against them, as well as some simple procedures they can follow in order to make an attack more difficult. Customer passwords shall be changed on a regular schedule; passwords shall be unique and will require a minimum of six characters.

9.1 Password Controls

Passwords must be controlled to prevent their disclosure to or discovery by unauthorized persons. Managers should plan ahead and notify the Information Systems Department of new hires or other personnel changes prior to the effective date on which the employee needs system access.
• Each individual user will have their own password(s), which should never be shared with another person; passwords should not be written down.
• User passwords will be changed every 90 days. Passwords will be changed every 60 to 90 days as appropriate to the sensitivity of the information on the system in question; passwords for critical resources, e.g. server administrative passwords, must be changed on a 90-day cycle or if suspicious activity is suspected.
• The user sign-on will (on systems supporting this function) be disabled for at least 15 minutes after three (3) unsuccessful login attempts.
• Multiple sign-on authority must be authorized by the user's department manager.
• User passwords will be at least 6 characters in length. On systems not allowing at least 6 characters, passwords will be not less than the minimum allowed. Users should be encouraged to include numbers and/or punctuation marks. Words published in a dictionary should be avoided.
• Common or group passwords will be used only in cases where the system or software does not support multiple users.
• System supervisor, super user, and administrator passwords must be recorded in writing, sealed in a labeled envelope, and deposited in a locked receptacle in either the agency head’s office or a vault. Keys to the receptacle will be kept by the ISO and Chief Information Officer. In case of an emergency, the envelopes can be accessed, after which the password(s) are changed and resealed.
• Temporary employees will have passwords set by IS and the temp's supervisor, and accounts will expire at the end of the temp's contracted time. Supervisors must authorize renewal of such user accounts when they expire.

9.2 NMDOL Assistance

NMDOL staff and business partners should contact the Help Desk for any assistance concerning suspicious activity, such as viruses, hoaxes and scams, which may affect the security of the NMDOL infrastructure.

10. Change Control of the Security Policy

As technology and procedural demands change, appropriate and safe modifications to this policy will be implemented. It is the responsibility of every ITS employee to be aware of security issues and to bring them to the attention of Information Systems Security and Network Administration. Any such issues that will affect the security policy should be directed to the Networking staff, who will maintain responsibility for updating this document. Any such changes will be agreed upon by the NMDOL Information Technical Support staff and the Chief Information Officer. Change management of all servers will be the responsibility of the ITS staff. All changes affecting configuration, applications and hardware will be logged. Changes to production resources should be installed and verified in a test environment prior to any changes being made in the production environment.