Professional Documents
Culture Documents
reference guide
ROUTING
TITLE: DESCRIPTION OF SECURITY STANDARDS Administrators
FOR NETWORKED COMPUTER SYSTEMS
HOUSING CONFIDENTIAL INFORMATION
DEFINITIONS
Data Users: Individuals for whom the systems are designed. Data
users may include students, parents/guardians, certified District
employees, classified District employees, District vendors, and
members of the public at large. Data users access system resources
to achieve some benefit, in terms of their education, job duties, or
citizen participation in District governance. Depending on the
nature of the system, data users may or may not be individually
identifiable.
Physical Controls – Equipment Housing Physical Controls – Equipment Housing Physical Controls – Equipment Housing
P-EH-1 Servers housing public NP-EH-1 Servers housing public PRO-EH-1 Servers housing public information
information must be supervised during information must be supervised during must be supervised during normal business hours
normal business hours normal business hours
P-EH-2 Servers must be kept in a locked NP-EH-2 Servers must be kept in a locked PRO-EH-2 Servers must be kept in a locked room
room or cabinet room or cabinet or cabinet
PRO-EH-3 Servers must be kept in a secured
facility having specific physical protections defined
by PRO-EH-3A through PRO-EH-3B
PRO-EH-3A Individually assigned access codes
must be maintained, so that all facility access is
individually accountable
PRO-EH-3B Hardcopy records must be kept of all
facility access, listing the individual's identity, data
and time of access and areas of the facility access
PRO-EH-3C Visitors must sign in, and provide
acceptable identification
PRO-EH-3D Visitors must always accompanied by
escorts
PRO-EH-3E Intrusion alarms must be installed and
must provide immediate response and/or data center
facilities must be supervised 24 hours per day
PRO-EH-3F Surveillance cameras must be installed
and monitored by designated individuals or 24 hour
supervision is required
PRO-EH-3G Environmental systems must include
fire suppression, uninterruptible power supplies,
temperature and humidity controls, emergency
lighting, and smoke and fire alarms
Physical Controls – Backup Media Physical Controls – Backup Media Physical Controls – Backup Media Handling
Handling Handling
P-BMH-1 Backup media stored on-site NP-BMH-1 Backup media stored on-site PRO-BMH-1 Backup media stored on-site must be
must be kept in a locked room or cabinet must be kept in a locked room or cabinet kept in a locked room or cabinet
P-BMH-2 Backup media stored off-site NP-BMH-2 Backup media stored off-site PRO-BMH-2 Backup media stored off-site must be
must be kept only in locations authorized must be kept only in locations authorized kept only in locations authorized by the data owner
by the data owner by the data owner
NP-BMH-3 Backup media must be erased PRO-BMH-3 Utilities approved by the ITD
before disposal Security Director must be used to erase media prior
to disposal
PRO-BMH-4 When transporting data storage media
off District premises, either all data must be
encrypted using strong commercial encryption or an
courier service approved by the Data Owner must
be used
Physical Controls – Storage Media Physical Controls – Storage Media Physical Controls – Storage Media Handling
Handling Handling
n/a NP-SMH-1 Computer hard drives must be PRO-SMH-1 Computer Hard drives must be
reformatted before disposal physically removed and destroyed before disposing
of obsolete systems
ADMINISTRATIVE CONTROLS - ADMINISTRATIVE CONTROLS - ADMINISTRATIVE CONTROLS - Operating
Operating System /Application Operating System /Application System /Application Configuration and
Configuration and Maintenance Configuration and Maintenance Maintenance
P-OSA-1 Servers and associated NP-OSA-1 Servers and associated PRO-OSA-1 Servers and associated applications
applications must be hardened on initial applications must be hardened on initial must be hardened on initial installation to security
installation to security standards as installation to security standards as standards as provided by the ITD Information
provided by the ITD Information Security provided by the ITD Information Security Security Director and tested by the ITD Security
Director Director Office.
P-OSA-2 Patches to the operating system NP-OSA-2 Patches to the operating PRO-OSA-2 Patches to the operating system and
and applications must be applied to fix system and applications must be applied to applications must be applied to fix critical security
critical security flaws before server fix critical security flaws before server flaws before server implementation
implementation implementation
P-OSA-3 Operating System and NP-OSA-3 Operating System and PRO-OSA-3 Operating System and application
application vendors must be consulted at application vendors must be consulted at vendors must be consulted at least every 30 days to
least every 30 days to determine if new least every 30 days to determine if new determine if new patches must be applied
patches must be applied patches must be applied
P-OSA-4 Patches pertaining to non-critical NP-OSA-4 Patches pertaining to non- PRO-OSA-4 Patches pertaining to non-critical
security flaws must be evaluated by the critical security flaws must be evaluated security flaws must be evaluated by the server
server administrator and the ITD by the server administrator and the ITD administrator and the ITD Information Security
Information Security Director for Information Security Director for Director for applicability. Patches deemed
applicability. Patches deemed applicable applicability. Patches deemed applicable applicable must be applied in a timely manner as
must be applied in a timely manner as must be applied in a timely manner as determined by the ITD Information Security
determined by the ITD Information determined by the ITD Information Director
Security Director Security Director
P-OSA-5 Server configuration must be NP-OSA-5 Server configuration must be PRO-OSA-5 Server configuration must be
periodically reviewed by the ITD Security periodically reviewed by the ITD Security periodically reviewed by the ITD Security Director
Director or designee for compliance with Director or designee for compliance with or designee for compliance with security standards
security standards security standards
NP-OSA-6 A documented configuration PRO-OSA-6 A documented configuration control
control plan for operating system and plan for operating system and application
application configuration standards must configuration standards must be approved by the
be approved by the ITD Security Director ITD Security Director
PRO-OSA-7 Server configuration must be
periodically reviewed by an independent party for
compliance with security standards
ADMINISTRATIVE CONTROLS - ADMINISTRATIVE CONTROLS - ADMINISTRATIVE CONTROLS - User
User Account Maintenance User Account Maintenance Account Maintenance
P-UAM-1 Where Account Holders having NP-UAM-1 All users must have PRO-UAM-1 Where Account Holders having
individually assigned access exist, account individually assigned accounts for which individually assigned access exist, account
provision must conform to the standards they are responsible provision must conform to the standards specified
specified in requirements P-AUM-1A in requirements PRO-AUM-1A through 1D.
through 1D.
P-UAM-1A Account Holders must have NP-UAM-1A Written management PRO-UAM-1A Account Holders must have an
an individually assigned account for which approval must be obtained prior to setting individually assigned account for which they are
they are responsible. Shared, group, or up individual user accounts responsible. Shared, group, or guest accounts must
guest accounts must not be used not be used
P-UAM-1B System access must be NP-UAM-1B System access must be PRO-UAM-1B System access must be removed
removed immediately where the Account removed immediately where the Account immediately where the Account Holder has
Holder has terminated their relationship Holder has terminated their relationship terminated their relationship with the District or
with the District or changed locations with the District or changed locations changed locations within the District
within the District within the District
P-UAM-1C Account Holder access NP-UAM-1C Account Holder access PRO-UAM-1C Account Holder access privileges
privileges must be assigned based on privileges must be assigned based on must be assigned based on regular job duties
regular job duties regular job duties
P-UAM-1D Account Holder access NP-UAM-1D Account Holder access PRO-UAM-1D Account Holder access privileges
privileges must be changed when job privileges must be changed when job must be changed when job duties change. If a
duties change. If a privilege is no longer duties change. If a privilege is no longer privilege is no longer required, it must be revoked
required, it must be revoked required, it must be revoked
P-TAC-1E Account Holder access to files, NP-TAC-2D Passwords must not be a PRO-TAC-2D Passwords must not be a word found
commands, and application functions must word found in a dictionary in a dictionary
be based on job requirements and enforced
using system access control lists (ACLs).
At a minimum, system software and
application executables should provide
write, update, and delete access only to
Technical Administrators
P-TAC-1F Only individually assigned NP-TAC-3 Accounts must be disabled PRO-TAC-3 Accounts must be disabled after one
system administrators may have privileged after one quarter of inactivity quarter of inactivity
accounts, permitting operating system and
security configuration
NP-TAC-4 Accounts must be PRO-TAC-4 Accounts must be automatically
automatically disabled after 5 unsuccessful disabled after 5 unsuccessful login attempts
login attempts
NP-TAC-5 Password changes must be PRO-TAC-5 Password changes must be required at
required at least every 90 days least every 60 days
NP-TAC-6 Account Holder access to files, PRO-TAC-6 Application access must time out after
commands, and application functions must an idle time of 30 minutes. This timeout must be
be based on job requirements and enforced independent of any workstation or network access
using system permissions or access control timeout.
lists (ACLs).
NP-TAC-7 Default read access to PRO-TAC-7 Account Holder access to files,
confidential data must be set to none" via commands, and application functions must be based
system permissions or ACLs on job requirements and enforced using system
permissions or access control lists (ACLs).
NP-TAC-8 Only individually assigned PRO-TAC-8 Default read access to confidential
system administrators may have privileged data must be set to none" via system permissions or
accounts, permitting operating system and ACLs
security configuration
PRO-TAC-9 Only individually assigned system
administrators may have privileged accounts,
permitting operating system and security
configuration