
8/28/2022 SnowBe Online

Security Plan

Jesus Luna
SNOWBE ONLINE
TABLE OF CONTENTS

INTRODUCTION ............................................... 1
SCOPE ...................................................... 1
DEFINITIONS ................................................ 1
STATEMENT OF POLICIES, STANDARDS AND PROCEDURES ............ 4
WAIVER ..................................................... 5
VERSION  STATUS  APPROVED BY  DESCRIPTION                                         DATE
1.0      DRAFT   J LUNA       INITIAL CREATION                                    APRIL 2022
1.1      DRAFT   J LUNA       ADDED IDENTITY MANAGEMENT POLICIES                  APRIL 2022
2.0      DRAFT   J LUNA       ADDED CYBERSECURITY AND ENCRYPTION BASED POLICIES   APRIL 2022
2.1      DRAFT   J LUNA       ADDED SECURE SYSTEM POLICIES                        AUGUST 2022

INTRODUCTION

SBO is making a demonstrated commitment to improve information security throughout
the organization. To this end, SBO is in the process of developing several information
security policies that will form the governance and foundation for the SBO Information
Security Program (*see Appendix for a preliminary list of policies to be developed). For
the information security policies to provide value, they must be approved by
management and adopted throughout the organization. To ensure that all aspects of
Information Security are covered in the new Information Security Program, the program
will be based on the international standard for Information Security Code of Practice for
Information Security Management (ISO/IEC 27002:2013).

This document provides a conceptual plan towards adoption and full implementation,
and some general guidance regarding what works and what does not. The plan is based
on experiences with hundreds of other organizations across a spectrum of sizes and
industries.

SCOPE

The standards and procedures set down in the SBO Security Plan apply to all information
systems and resources connecting to the SBO System network.

DEFINITIONS

Authentication - The process of determining whether someone or something is, in fact,
who or what it is declared to be. Depending on the transaction, a more stringent
authentication process may be required.

Application Administration Account - Any account that is used for the administration of an
application (e.g., a SQL database administrator account).

CMMC - The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework
and assessor certification program designed to increase trust in measures of compliance with a
variety of standards published by the National Institute of Standards and Technology.

Credentials - A combination of a username and password that proves the identity of the user.

Electronic commerce - Electronic financial services delivered via electronic means,
including, but not limited to, the Internet or other electronic delivery vehicles.

Encryption or encrypted data - The most effective way to achieve data security. To read an
encrypted file, you must have access to a secret key or password that enables you to decrypt it.
Unencrypted data is called plain text.

Eavesdropping - Listening to a private conversation, which may reveal information that
provides access to a facility or network.

Firewall - Any hardware and/or software designed to examine network traffic using policy
statements (a ruleset) to block unauthorized access while permitting authorized
communications to or from a network or electronic equipment.

Hacker - A slang term for a computer enthusiast, i.e., a person who enjoys learning
programming languages and computer systems and can often be considered an expert on the
subject(s).

Hash Function - An algorithm that computes a value based on a data object, thereby mapping
the data object to a smaller data object.

Information Resource - The data and information assets of an organization, department, or
unit.

Intranet - A private network for communications and sharing of information that, like the
Internet, is based on Transmission Control Protocol/Internet Protocol (TCP/IP), but is accessible
only to authorized employees within an organization. An organization's intranet is usually
protected from external access by a firewall.

Internet - A global system interconnecting computers and computer networks. The computers
and networks are owned separately by a host of organizations, government agencies,
companies, and colleges.

LDAP (Lightweight Directory Access Protocol) - A software protocol that enables anyone to
locate organizations, individuals, and other resources such as files and devices in a network,
whether on the public Internet or on a corporate intranet.

Man-in-the-middle Attack - An attack in which an attacker is positioned between two
communicating parties in order to intercept and/or alter data traveling between them.

Module - A separate unit of software or hardware.

Multi-Factor Authentication - A method of computer access control in which a user is granted
access only after successfully presenting several separate pieces of evidence to an authentication
mechanism, typically at least two of the following categories:

- Knowledge (something they know)
- Possession (something they have)
- Inherence (something they are)

Password - A string of characters which serves as authentication of a person's identity and
which may be used to grant or deny access to private or shared data.

Personally Identifiable Information (PII) - Any data that could potentially identify a specific
individual. Any information that can be used to distinguish one person from another and can be
used for de-anonymizing anonymous data can be considered

Plain text - Unencrypted data.

Protected data - See PII and PHI.

Protected Health Information (PHI) - Under US law, any information about health status,
provision of health care, or payment for health care that is created or collected by a "Covered
Entity" (or a Business Associate of a Covered Entity) and can be linked to a specific individual.

Safeguards - Countermeasures and controls put in place to avoid, detect, counteract, or minimize
security risks to physical property, information, computer systems, or other assets. Safeguards
help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack
against an asset.

Sensitive data - Data, whether encrypted or in plain text, that contains PII or PHI. See PII and
PHI above.

Split-tunneling - Simultaneous direct access to a non-SBO network (such as the Internet or a
home network) from a remote device (PC, PDA, WAP phone, etc.) while connected to SBO's
corporate network via a Virtual Private Network (VPN) tunnel. VPN is a method for accessing a
remote network via "tunneling" through the Internet.

SDLC - The software development life cycle (SDLC) framework maps the entire development
process. It includes all stages (planning, design, build, release, maintenance, and updates) as
well as the replacement and retirement of the application when the need arises.

Strong Encryption - Strong cryptography or cryptographically strong are general terms applied
to cryptographic systems or components that are considered highly resistant to cryptanalysis.

Strong Password - A strong password is a password that is not easily guessed. It is normally
constructed of a sequence of letters, numbers, and special characters, depending on the
capabilities of the operating system. Typically, the longer the password, the stronger it is. It
should never be a name, a dictionary word in any language, an acronym, a proper name, or a
number, nor be linked to any personal information about the password owner such as a birth
date, social security number, and so on.

User - An individual or automated application or process that is authorized to access the
resource by the system owner, in accordance with the system owner's procedures and rules.

User Authentication - A method by which the user of a system can be verified as a legitimate
user independent of the computer or operating system being used.

World Wide Web (www) - A system of Internet hosts that supports documents formatted in
Hypertext Markup Language (HTML) that contain links to other documents (hyperlinks) and to
audio, video, and graphic images. Individuals can access the Web with special applications called
browsers, such as Microsoft Internet Explorer.

Virtual Private Network (VPN) - A private network that extends across a public network or the
internet. It enables users to send and receive data across shared or public networks as if their
computing devices were directly connected to the private network. Some VPNs allow employees
to securely access a corporate intranet while located outside the office.

ROLES AND RESPONSIBILITIES

These are the specific individuals or groups within the SBO System and their responsibilities in
relation to SBO Health information security standards and procedures.

Chief Information Officer (CIO)/Assistant Vice President for Information Technology -
responsible for providing information technology management, development, planning,
procurement, and implementation activities related to the delivery of quality information
services and products for both the business and educational/academic environment.

Director, Office of Information Security, Information Technology (OIS Director) - responsible
for SBO-wide efforts related to data and information system security, such as the development
of SBO data security policies, negotiation and evaluation of site licenses for security-related
software, training, coordination of efforts to improve data security controls, and dissemination
of security-related information and incidents that could affect the availability and integrity of
computing resources across the company. The Director maintains communications with the other IT
Directors, Academic Affairs, Business Systems Reengineering, SBO Health IS, and the Sarasota and St.
Pete Directors of Computing, regularly updating them on information security issues that need
to be addressed.

Information Security Workgroup (ISW) - a steering committee responsible for recommending
policies and assisting in the overall coordination of the SBO information security program.
Chaired by the OIS Director, the ISW advises the ISM on the development and maintenance of
standards and guidelines that help other SBO users and administrators maintain the
confidentiality, integrity, and availability of the data they handle. It also assists the OIS Director
in evaluating risk analysis surveys completed by individual SBO units and is responsible for
incorporating methods for a systematic, SBO-wide risk assessment framework through which
appropriate changes in policy, standards, and guidelines are implemented and enforced.

Incident Response Team (IRT) - with the primary goal of protecting the overall computing
infrastructure of SBO, the IRT is responsible for responding quickly to identify threats to the data
infrastructure, assess the level of risk, and take immediate steps to mitigate risks considered
significant and harmful to the integrity of SBO information system resources. IRT members
notify the appropriate department leads of any incident involving their resources.
The IRT consists of the OIS Director and key members of the company network administration
and security staff.

STATEMENT OF POLICIES, STANDARDS AND PROCEDURES

Change Management Policy (5009-CMP) - Applications and systems are increasingly
complex in their function, interaction, and form. There is an increasing dependency between
resources and applications that can negatively impact operations if not managed and
orchestrated in an organized fashion.

Data Breach Policy (5004-DBP) - The purpose of the policy is to establish the goals and the vision
for the breach response process. This policy will clearly define to whom it applies and under
what circumstances, and it will include the definition of a breach, staff roles and responsibilities,
standards, and metrics (e.g., to enable prioritization of the incidents), as well as reporting,
remediation, and feedback mechanisms.

Database Credential Policy (5010-DCP) - Database authentication credentials are a necessary
part of authorizing applications to connect to internal databases. However, incorrect use,
storage and transmission of such credentials could lead to compromise of very sensitive assets
and be a springboard to wider compromise within the organization.

E-Commerce Policy (5003-ECP) - SBO recognizes the importance of electronic commerce (e-
commerce) activities to its present-day operations. SBO is committed to using e-commerce
activities in a cost-effective manner that promotes accuracy, safety, security, and efficiency.
These activities bring automation and efficiencies to traditional manual tasks and allow quicker
access to information, resulting in improved member service.

Information Flow Policy (5014-IFP) - This policy will work alongside other information flow
policies to ensure that information is communicated effectively through any communication
equipment.

Internet Usage Policy (5002-IUP) - Internet connectivity presents the company with new risks
that must be addressed to safeguard the facility's vital information assets.

Log Management Policy (5008-LMP) - Logging from critical systems, applications, and services
can provide key information and potential indicators of compromise, and is critical to have for
forensic analysis.

Patch Management Policy (5015-PMP) - Regular application of vendor-issued critical security
updates and patches is necessary to protect SBO data and systems from malicious attacks and
erroneous function. All electronic devices connected to the network, including servers,
workstations, firewalls, network switches and routers, tablets, mobile devices, and cellular
devices, routinely require patching for functional and secure operations.

Password Policy (5001-PPP) - Passwords are an important aspect of computer security. A
poorly chosen password may result in unauthorized access and/or exploitation of our resources.

PCI Policy Plan (5006-PCI) - The purpose of this policy plan is to ensure that the supporting
policies required for PCI compliance are in place. If the company is not PCI compliant, we are
unable to process transactions and store customer data, which would result in SBO losing revenue
and ultimately going under.

Privacy Engineering Policy Plan (5013-PEP) - Privacy engineering is the practice of building tools
and processes that apply privacy protections to personal data.

Remote Access Policy (5005-RAP) - Remote access to our corporate network is essential to
maintain our Team’s productivity, but in many cases this remote access originates from
networks that may already be compromised or are at a significantly lower security posture than
our corporate network.

Secure Software Development Policy (5016-SSDLP) - While considered a separate process
by many, information security is a business requirement to be considered throughout the
System Development Life Cycle (SDLC). This Secure System Development Life Cycle
Standard defines security requirements that must be considered and addressed within
every SDLC.

Security Maturity Policy (5017-SMP) - This policy proposes an Information Security Policy
Maturity Model (ISPMM) inspired by the Security Systems Engineering Capability Maturity
Model (SSE-CMM)'s Process Areas and Capability Maturity levels.

Systems Audit Policy (5011-SAP) - Audit controls and effective security safeguards are part of
normal operational management processes to mitigate, control, and minimize risks that can
negatively impact business operations and expose sensitive data.

Systems Integrity Policy (5012-SIP) - Systems integrity is essential for company trust and the
well-being of the company's systems. Furthermore, by having a policy in place that ensures the
integrity of a system, we can prevent data from being altered.

VPN Policy (5007-VPNP) - This policy is to protect SBO's electronic information from being
inadvertently compromised by authorized personnel connecting to the SBO network locally and
remotely via VPN.

WAIVER

Waivers from certain policy provisions may be sought following the SBO Waiver Process.

RESOURCES

SANS Template Library

PurpleSecure Library

USF Template Library

FRSecure

CDE State

Utah State

Research Gate

CisSecurity
