CFS Information Security Strategic Plan

DRAFT

Last Revised: 06/15/10

REVISION CONTROL

Document Title: CFS Information Security Strategic Plan
Author: CFS Project Team
File Reference: CFS Security Strategic Plan_20100615.docx

Revision History

Revision Date | Revised By
03/02/10 | Y Hepperle
04/06/10 | D Raghu
05/05/10 | Y Hepperle
05/07/10 | Y Hepperle
05/10/10 | Y Hepperle
06/15/10 | Y Hepperle

Summary of Revisions: Release of New Document; Revised and added Section 5.0; Added Section 5. .0 and 7.0; Final Revisions; Added sections; Corrections made to sections 6.3 Application Timeout settings
Section(s) Revised: All; All; All; Sections 6. 7; Section 5. 7; Sections 6.

Review / Approval History

Review Date | Reviewed By | Action (Reviewed, Recommended or Approved)
March 2010 | CFS Steering Committee | Strategy Approved for Release
April 2010 | Campus | Reviewed
May 2010 | Cheryl Washington, Senior Director of Information Security | Review and recommend for approval
May 2010 | Jessie Lum, Senior Director CMS | Reviewed and approved.

Table of Contents

1.0 Introduction
    1.1 Document Purpose
    1.2 Document Scope
    1.3 Assumptions
2.0 CFS Governance Structure
    2.1 System-wide Roles and Responsibilities
        2.1.1 CFS Steering Committee
        2.1.2 Central Security Review Team
        2.1.3 Central Security Administrator
        2.1.4 CMS Technical Services
    2.2 Campus Roles and Responsibilities
        2.2.1 Distributed Security Administrators
        2.2.2 Campus Application Owner (or Lead)
3.0 CFS Security Training
4.0 Access to Confidential Data
5.0 Access Control
    5.1 Authentication
    5.2 Password Management
    5.3 ApplicationTimeout settings
6.0 CFS Security Incident Management
7.0 CFS Business Continuity and Disaster Recovery
8.0 CFS Infrastructure
    8.1 Database Management System

1.0 Introduction

The Common Management System (CMS) currently supports CSU campuses and the CO operational databases. Campuses have a minimum of seven test, development, and production databases for each application. Smaller campuses do not have the resources to maintain and enhance the system. The CMS Executive Committee (EC) determined that CMS is not sustainable in its current state. A recent study of CMS recommended the CSU consider consolidating applications to provide opportunities for cost savings to the CSU. CMS goals are to achieve best business practices, reduce costs and improve performance. The CMS EC proposed the Consolidated Financial System (CFS) initiative to achieve CMS' stated goals.

The CFS Advisory Group was established to research the feasibility of adopting a common financial system. The major reasons to adopt a common financial system are to:

• Enable adoption of a system-wide financial model that facilitates the timely adoption of best business practices across all campuses.
• Contain costs associated with managing CMS.
• Allow all campuses to take full advantage of a feature rich financial system.
• Provide the CSU with a comprehensive reporting system via a system-wide Finance Reporting Environment and Data Warehouse.

The findings of the CFS Advisory Group were presented to the Technology Steering Committee (TSC) and the Executive Council on December 9, 2008. The Executive Council approved the CFS Project which encompasses an enriched common financial application code, common configuration on a single platform, with a financial reporting solution.

1.1 Document Purpose

This document describes a strategy for securing the Common Financial System (CFS). This document defines a security model from the network to the application levels. The protection measures described in this document were designed to ensure CFS complies with CSU System-wide Information Security Standards and Policies governing information technology and information security. The strategic plan is not intended to be a procedural document or an operational guide. The CFS design team will develop additional documents to support the implementation of this strategic plan.

1.2 Document Scope

This strategy was developed to ensure the confidentiality, integrity and availability of CFS information assets. Security within CFS will be addressed throughout the software development life cycle and within the environment supporting CFS, including but not limited to the network, operating system, database, and application levels.

1.3 Assumptions

A core security design will be developed for CFS. This core design will include the following elements:

• A Central Security Administrator will be assigned to CFS to support the security management activities at the Central and Campus offices. The Central Security Administrator will report to the CSU Senior Director of Information Security to ensure security within CFS is managed by a subject matter expert and complies with CSU System-wide Information Security Standards and Policies governing information security.
• Campus users will only be permitted to view their campus data.
• Campuses will comply with all CSU policies governing information security including the CSU's Segregation of Duties policies.
• Access to CFS will be based on the principle of "need-to-know" and least privilege.
• Authentication controls will be managed by the CSU Portal.

This is by no means a definitive list of assumptions. Additional assumptions will be added to this list as the project moves forward.

2.0 CFS Governance Structure

The CFS governance structure defines the functions, responsibilities, relationships, and authorities of committees and individuals that support CFS.

2.1 System-wide Roles and Responsibilities

2.1.1 CFS Steering Committee

Currently, the CFS Steering Committee serves as the application owner during the implementation phase. Post-implementation responsibility is under discussion. The CFS Steering Committee is responsible for reviewing and approving the CFS information security strategic plan.

2.1.2 Central Security Review Team

A review team, comprised of personnel from campuses and CMS Central, will be created to support CFS information security requirements and initiatives. This team will be responsible for recommending and/or reviewing CFS' security structure. The Central Security Review team will develop a security matrix that describes what access each end-user needs, based on guidelines and delivered roles from CFS Central team. CFS roles and campus custom roles will be reviewed by the Central Security Review Team to identify if existing roles can fulfill the request and comply with CSU information security and SoD policies. The Central Security Review Team will recommend approval or denial of requested CFS roles and permission lists.

2.1.3 Central Security Administrator

The Central Security Administrator (CSA) will work with CO and campus staffs and the Central Security Review Team to validate security design and provide post-implementation support. The CSA will report to the CSU Senior Director of Information Security manager to ensure security within CFS is managed by a subject matter expert and complies with CSU policies governing information security. The CSA's duties include but are not limited to the following:

• Consult with campus and Chancellor's Office staffs to meet security operational needs.
• Consult with the project team to ensure CFS compliance with CSU System-wide Information Security Standards and Policies.
• Evaluate user security requests and consult with Central Security Review team to ensure requests comply with CFS security policies and audit guidelines.
• Review CFS security to ensure compliance with SoD policies.
• Create/Maintain Distributed Security Administrators User Accounts.
• Provide support to campuses and CMS during audits.

2.1.4 CMS Technical Services

CMS Technical Services will manage the production infrastructure associated with the application and web tiers supporting the CFS environment with direction from the Central Security Administrator. This includes all tasks associated with application server setup, configuration and management, process scheduler setup, configuration and management, and web server setup configuration and management. CMS Technical Services is responsible for ensuring appropriate resources at the web and application tier, including responsibilities for capacity planning, tuning, and installation. CMS Technical Services will also support the campus non-production environments as this now requires central control and coordination.

2.2 Campus Roles and Responsibilities

2.2.1 Distributed Security Administrators

To highlight the collaborative nature of CFS, campus security administrators will be referred to as Distributed Security Administrators (DSA). The DSAs will be established using PeopleSoft's delivered Distributed User Profiles functionality. They will be given Role Grant access giving them the capability of assigning roles restricted to those in their Role Grant domain. The DSAs will provide security support for operational activities at the campus within the boundaries of the access provided to them.

The Distributed Security Administrator is responsible for working with the Campus Application Owner/Leads to ensure that the end-user security they have designed has been implemented. The DSA will ensure that the owning Application Software Lead has approved any change of access to a system object regardless of access mechanism (application, database, or server). If an individual requests access to objects that are owned by multiple Application Leads, then each Application Lead must approve the applicable request.

The duties of the Distributed Security Administrator include but are not limited to the following:

• Evaluate and act upon user access requests for their respective campuses.
• Establish and maintain user profiles in CFS for their respective campuses.
• Process user requests by assigning privileges to user accounts based on approval from Campus Application Owners.
• Accept and review user requests to access non-campus based security objects. Such requests are forwarded to the Central Security Administrator based on approval from Campus Application Owner.
• Maintain documentation related to user requests for their respective campuses.
• In accordance with CSU information security policies, they participate in audits of user accounts in CFS.
• De-provision accounts when the user has separated from the university by locking them.

The Distributed Security Administrator and their backups can grant any level of access or responsibility within the roles granted to them for the CFS PeopleSoft Application. This role provides the ability to administer the rights to any menu, component, page or tool within CFS, and therefore should be deployed sparingly. This responsibility includes providing limited administrative capabilities to Application Leads, again delineated by the role granted through the Role Grant functionality. These leads can in turn grant access, within the limitations of their roles, to other staff performing duties within those same modules.

2.2.2 Campus Application Owner (or Lead)

The Campus Application Owner/Lead (e.g., Accounts Payable or General Ledger lead) is responsible for understanding the CFS Application modules under their control (e.g., Accounts Payable or General Ledger). The Campus Application Owner/Lead has the authority to create or modify campus security objects. The Campus Application Owner/Lead is accountable to CFS Central through the DSA. Their primary responsibilities include but are not limited to:

• Manage security objects (e.g., roles and permission lists) within their modules that grant privileges to users within their granted authority.
• Review and approve user access to any system resource within their module (e.g., GL, AP, etc.).
• Coordinate security tasks with the Distributed Security Administrator.

3.0 CFS Security Training

Efforts are underway to develop a system-wide campus CFS implementation support program that will include training for the CFS security model. CMS is assuming that the campuses are exercising the requisite security training and awareness, per the California State University System-wide Information Security Policy. CFS will leverage existing security experience and reinforce security awareness as part of the implementation support program.

4.0 Access to Confidential Data

Access to tables containing the level 1 data fields will be only allowed through PeopleSoft application security. Database access through any standard role will not be allowed. Data for tables containing these columns can be provided by requesting a view built without the Level 1 column. Access to data in these level 1 columns would be processed based on specific requests. For these requests, a custom role will be developed to meet the request needs.

A process to request access to Level 1 data to extract the information for campus-specific third party applications is under development. Included in this process will be references to the California State University System-wide Information Security Policy and the direction described therein regarding the protection of confidentiality of personally identifiable information.

5.0 Access Control

5.1 Authentication

CFS has implemented a custom Authentication mechanism. CFS PeopleSoft system will be front-ended by the CSU Portal, which will be responsible for primary authentication. CFS PeopleSoft system has SSO with CSU Portal. Users that are successfully logged into CSU Portal can access resources in CFS PeopleSoft application based on Roles defined in CFS.

The following authentication methods are supported by the CSU Portal:

• Shibboleth Authentication
• Campus portal Single Sign On (Currently PeopleSoft Enterprise Portal and uPortal are supported)
• LDAP Authentication

[Figure: CFS Authentication Model]

Authentication Activity in CFS

1. Users access main page or CSU Links (CSU Portal or Campus Portal) and enter campus credentials
2. A custom CFS SSO Module will authenticate with respective Campus authentication provider
3. Campus Identity provider will validate with Campus Directory
4. Authenticated users will be authorized to view protected CFS contents
5. For Shibboleth, User Profile Syncs with CSU super directory
6. Access to CFS Application

5.2 Password Management

PeopleSoft Password Management feature will NOT be used in CFS. Users will utilize Campus Authentication provider credentials to log in to CFS. Since campuses are responsible for managing their respective campus user passwords, they are encouraged to use strong passwords and follow the password management guidelines per The California State University System-wide Information Security Standards document. It is important that campuses identify and communicate acceptable password criteria to their CFS users.

CFS Security Change Control

Significant changes made to the CFS Security model will be appropriately reviewed and approved by the designated change control authority. Significant changes that are to be implemented in the shared CFS will be appropriately reviewed and approved by the Central Security Review Team.

Any approved changes will be migrated into CFS production per the CFS Release Management Guide. This documents the migration process and describes the delineation of responsibilities in compliance with SoD policies.

5.3 ApplicationTimeout settings

The CFS application idle timeout will initially be set to 45 minutes. Industry standards are not available for an appropriate idle timeout setting. The Office of the University Auditor (OUA) was consulted and did not have any firm recommendations other than to defer to the campus business needs. Campuses have learned that anything less than 45 minutes is much too short. Users working in the system tend to answer the phone and switch between windows. Productivity is lost when a short timeout requires them to frequently go through the login process. The risk was reviewed and this setting is considered appropriate as there is not an abundance of level 1 data in CFS.

6.0 CFS Security Incident Management

CMS is assuming that the campuses have incident management response programs in place. CFS will comply with the information security incident management policies as defined in the California State University System-wide Information Security Policy.

7.0 CFS Business Continuity and Disaster Recovery

Disaster recovery for all of CMS, including CFS, is managed and coordinated within the boundaries of the Unisys data center contract. To date two successful disaster recovery exercises have been completed in the last three years. Business continuity for the CO and CMS is the responsibility of the CPDC Facilities and Administration. They must ensure the continuity of essential functions and operations following a catastrophic event per the California State University Systemwide Information Security Policy.

8.0 CFS Infrastructure

This section describes differences to the CMS security infrastructure made to support the CFS application environment. This section covers only areas where CFS is different from current CMS environments. All current CMS security practices, policies and procedures will be in place for CFS. This includes all current security components such as VPN, IDS, and Firewalls that are in place for the CMS environment. Campuses, CO, and CMS access CFS at the Unisys data center.

8.1 Database Management System

Access to the CFS production database for technical support and service accounts will be allowed using Oracle accounts that by default have no access to level 1 tables. The standard CSU_SELECT role as outlined in the Validating Oracle Users and Roles document will not include any tables that contain level 1 data. Additionally the CSU_UPDATE role will not exist within the CFS environment.
