Illinois State Police "Information Services Security"
Policy
Document #: 547131
Title: "Information Services Security"
Author:
Attributed To: Illinois State Police
Last Updated: 09/09/1999
Summary:
This policy is an excerpt from the Illinois State Police's Administrative
Directives Manual. This document contains the department's policy regarding
Information Services Security.
Document Text:
Illinois State Police Directive
ADM-027, Information Services Security
RESCINDS: ADM-022, 94-001, issued 12-01-94; ADM-025, 95-009, issued 11-01-95;
ADM-026, 96-072, issued 10-01-96
REVISED: 08-01-97 97-034
RELATED DOCUMENTS: None
DISTRIBUTION: All employees maintaining an ISP Directives Manual, Office/desk
copy
RELATED CALEA STANDARDS: 82.1.1, 82.1.4
I. POLICY
The Illinois State Police will establish and disseminate to department
employees security procedures for the use of all ISP computer resources
including data processing equipment and the information system, an electronic
message system (e-mail), local area networks (LANs), the Internet and dial
communications capabilities.
II. DEFINITIONS
A. Authorized users - ISP employees and external users who are granted
use or administrative access to ISP information system resources.
B. Computer resources - resources, including but not limited to mainframe
systems, PCs, LANs, E-mail, Dial Communications and the Internet.
C. Internet Configurations - The hardware, software and communications
media used in creating a web site and establishing access levels to that
web site.
D. Evaluation copy - software provided by a vendor for ISP to evaluate
for a specified period of time at no charge. The evaluation will test the
functionality and capabilities of the software on ISP PCs.
E. File server - a computer that controls the sharing of files and printers.
Not all LANs will have a file server.
F. Information Services Security Steering Committee
1. A committee comprised of ISB staff and representatives from other ISP
divisions.
2. The committee is responsible for the review and update of security procedures
for ISP computer resources.
G. Password - a unique string of characters a program, computer operator
or user must supply to meet security requirements before gaining access
to data.
1. The password is confidential and must not be displayed upon a computer
terminal, should not be written down nor shared with anyone.
2. The password should not be easily deciphered, not be trivial in nature
nor should the password reflect inappropriate language.
H. Risk analysis - an on-going process conducted by the Information Services
Bureau to identify:
1. system resources,
2. threats to system resources - external attacks, internal attacks and
other threats and
3. hardware and software change management procedures.
I. Security Administration - a unit within ISB which is responsible for
maintaining the security of ISP's computer resources.
J. Supervisors - the individuals in the chain of command to whom the user
normally reports.
K. System/Security Administrators - ISP employees authorized by a deputy
director or their designee to maintain day-to-day operations of ISP's protected
resources.
III. RESPONSIBILITIES
A. Supervisors will:
1. approve, update, deny and remove access to users within their area of
responsibility
2. establish procedures for users in their area of responsibility for backing
up software and data on user PCs and
3. provide immediate notification to system/security administrators of
changes in user access.
B. The Information Services Bureau will:
1. establish computer resource security policy and procedures.
2. establish password requirements which must be followed by all users.
C. The Information Center (IC) is responsible for providing training in
the use of E-mail.
D. System/security administrators will add users to and remove users from
the system.
E. Individuals must comply with procedures listed in the Book Manager file
ISB-027, "Information Services Security" pertaining to security,
use of anti-virus software, downloading of software and backup of data.
IV. PROCEDURES
A. Computer Resources Use
1. The Information Services Security Steering Committee, consisting of
ISB staff and representatives from each ISP division, will meet annually
to review security policy and procedures and recommend needed changes or
revisions.
2. Security policy violations will be investigated according to the procedures
listed in ISB-027, "Information Services Security."
3. Security policy training will be conducted for all authorized users
by ISB staff and by each division or bureau.
4. Specific laws and policies regarding computer resource use are included
in ISB-027, "Information Services Security."
B. Dial Communications
1. Authorized users (including off-site vendors who provide software maintenance)
should contact ISB for procedures to be used in accessing ISP computer
resources from off-site locations.
2. Unapproved access to any ISP computer resource is prohibited and will
subject the violator to appropriate discipline up to and including termination
and/or criminal prosecution.
3. Detailed procedures on dial communications are included in ISB-027,
"Information Services Security."
C. E-mail
1. Security Administration will ensure the security of the E-mail system
and the compliance of individual users of the system.
2. The chain of command will be used to notify ISB Security Administration
of the need for access to an E-mail library.
3. The use of E-mail must not violate any of the prohibitions listed in
ISB-027, "Information Services Security."
4. E-mail retention schedules are included in ISB-027, "Information
Services Security."
5. Detailed procedures on e-mail use are included in ISB-027, "Information
Services Security."
D. LAN Administration
1. Hardware
a. All hardware, both for LANs and stand-alone PCs, will be configured
and ordered by ISB.
b. File servers and any peripheral equipment must remain on at all times.
c. Computers left on at all times must be secured when unattended so as
to deny unauthorized access.
2. Software
a. All software for LANs (or stand-alone PCs) will be ordered, purchased,
approved or developed and installed by ISB.
b. Users are responsible for keeping the original software media, manuals
and licenses, when provided.
c. ISB provides assistance when supported software fails.
d. The Help Desk receives all calls for assistance and forwards the calls
to the appropriate area.
e. Any user who desires to obtain an evaluation copy of software must contact
the Help Desk, which will determine if previous evaluations of the software
exist.
3. Local Area Network Security
a. All servers must be located in a room, closet or secured area with access
limited to authorized administrators of the servers.
1) All servers will be protected by a console password at all times. Where
technology allows, the console password will be encrypted.
2) All servers must be connected to an uninterruptible power supply which
allows sufficient time to shut the server down normally in the event of a power
failure, to ensure critical data is not lost.
b. Detailed LAN security procedures are included in ISB-027, "Information
Services Security."
4. Back-up and Recovery Requirements
a. Approved back-up hardware and software will be used to back-up all servers.
b. A full LAN back-up will be performed on all file servers each weekday
night.
c. LAN administrators will check the back-up log daily to determine if
the evening back-up was successful.
d. A minimum of two weekly cycles should be retained (one off-site and
one on-site).
1) At least one set of back-up media for each file server must be stored
at an off-site facility.
2) The off-site facility will have a means for securing back-ups from unauthorized
access.
e. In the case of a file server hard disk failure, the LAN administrator
with the assistance of network management personnel will restore the server
hard disk from the back-up media.
5. Detailed LAN administrative procedures are included in the Book Manager
file, ISB-022, "Personal Computers and LAN Administration."
E. The Internet
1. ISP must acquire Internet access from CMS. Due to security considerations,
there are no exceptions unless written approval is granted by the director
of CMS.
2. Internet User Access
a. There are two types of users:
1) users seeking information about ISP services (external users) and
2) users authorized to access ISP's protected information environment (internal
users).
b. A detailed list of procedures for internal and external users is included
in ISB-027, "Information Services Security."
3. Scope of Internet Use
a. Use of ISP's Internet service is limited to state business.
b. Internet access must not be used to communicate illegal information.
c. A detailed list of acceptable uses, unacceptable uses and user responsibilities
for the Internet is included in ISB-027, "Information Services Security."
4. System and Security Administration
a. ISP is responsible for protecting the information resident at its locations.
b. Network owners (the managers of the organization which established
the local computing unit) are responsible for internal controls and separation
of duties.
c. ISP Internet system/security administrators are responsible for maintaining
the security of their configurations (which have been previously approved
by CMS) and must continuously monitor their configurations for any unauthorized
access or changes.
d. Specifications for future changes affecting security (e.g., firewalls)
must be submitted to CMS for review and approval prior to implementation.
5. Internet Policy and Procedure Distribution
a. CMS will provide Internet security orientation sessions and distribute
copies of the State Internet Security Policy and related procedures to
the ISP for internal distribution.
b. ISP will distribute ISP Internet Security Policies and Procedures in
ISB-027, "Information Services Security."
F. Wireless communications
Security procedures for wireless communications are being developed during
the pilot phase and will be included in this directive as they are implemented.
Contact Information:
Jim Rush
Accreditation Coordinator
Inspection & Audits
Illinois State Police
201 East Adams Street
Suite 300
Springfield, IL 62701
Phone: (217) 782-0492
Fax: (217) 782-1466
Email: jrush@pop.state.il.us