Data Classification and Security Checklists

Information, whether written, spoken, or electronic, must be:

§  Properly classified.

§  Shared only with others who have a legitimate business need to know.

§  Protected from unauthorized use, disclosure, modification, or destruction.

This policy applies to all Xxx employees, agents, computers, contingency sites, office areas, and service bureau environments.

Physical, logical, and operational controls for local area network systems, minicomputer systems, electronic mail systems, fax and image systems, applications, and networks must provide reasonable assurance that sensitive information is protected, that information integrity is maintained, and that information is made available only to authorized users.

Violation of any of these policies may lead to disciplinary action up to and including termination.

Information about any Xxx activity must not be conveyed to the news media or investment analysts unless appropriately authorized.

Managers and supervisors are expected to:

§  Promote employee awareness.

§  Provide for adequate training and for compliance with the Information Security standards of Xxx.

 


Information Security Classifications

Classification

The remainder of this section defines the categories for classifying all printed, spoken, and electronic information. The objective of the classification requirement is to ensure that anyone who comes into contact with the information is aware of its classification and can give it the proper protection. The four classifications established within Xxx to help implement the Information Security policy are:

·       Public

·       Internal

·       Confidential

·       Restricted

Public

Public information is intended for distribution outside Xxx. It is generally informational in nature and is often directed to customers or investors. Examples of Public information are:

·       Customer information brochures and branch marketing materials

·       News releases

·       Securities and Exchange Commission and other regulatory filings

Internal

Internal information is intended for use only within Xxx. Its unauthorized disclosure, modification, or destruction would not significantly impact Xxx or any of its customers or employees. It requires no special protection other than what is reasonable to prevent unintended external disclosure. It may be shared outside Xxx only if there is a legitimate business need and the sharing is approved by Division Management. Examples of Internal information are:

·       Administrative, procedural and system reference manuals

·       Meeting minutes (where the topic was not deemed sensitive)

·       Most routine correspondence, interoffice memos, etc.

Confidential

Confidential information is also intended for use only within Xxx. It differs from Internal information in that its unauthorized disclosure, modification, or destruction could significantly impact Xxx, its customers, or its employees. Confidential information must be protected according to the form it takes, as specified in Chapter 4 of this manual. Examples of Confidential information are:

·       Customer account information, including name and address, account balance, etc.

·       Budget and profit-and-loss information for an individual unit

·       Employee records and salary plans

Restricted

Restricted is the highest security classification for information used within Xxx. It is intended for information whose unauthorized disclosure, modification, or destruction is likely to cause significant damage, embarrassment, or penalties to Xxx, its customers, or its employees. Restricted information must be protected according to the form it takes, as specified in Chapter 4 of this manual. Responsibility for ensuring that Restricted information assets are protected and securely stored when not in use rests with the named individuals to whom the information is assigned. Examples of Restricted information are:

·       Money transfer information

·       Pre-announcement information about major new products or services

·       Pre-announcement information about financial results

·       Computer access codes such as memorized (static) passwords

·       Pre-announcement information about mergers, acquisitions, or other capital markets activities not available to the general public

·       Other

Attorney/Client Privilege may be used for labeling sensitive legal documents in some circumstances under the direction of the Legal Department.

Most information will fall into the Internal or Confidential categories.

 

Security Standards Checklist

R        =        Restricted use only
C        =        Confidential use only
I         =        Internal use only

All systems should be classified based on the sensitivity of the data they handle. See the section above for definitions and examples of how to determine the data classification.

 

Logon/Logoff Standards

Policy Logon/Logoff (each item ends with the classifications, R/C/I, for which it is required)

1.     Identification (a user ID) and authentication (a password) are required before any system access is permitted, including re-connections.
       Applies to: R, C, I

2.     The maximum number of consecutive attempts, over one or more sessions, to sign on with an invalid user ID/password combination is 4. After the threshold is reached, the user is disconnected and the user ID is suspended; intervention by the security manager is required to reactivate it. If access to both Internal and Restricted data is required, the Restricted access rules apply.
       Applies to: R, C

3.     Procedures must be in effect to suspend the logon IDs of employees who are on inactive status or who terminate or transfer (and no longer need the capability).
       Applies to: R, C, I

4.     Employee IDs must be uniquely identifiable by employee number or social security number (the employee number is preferable, since under this policy an employee's social security number is itself Confidential data). Non-employee IDs must likewise be identifiable by type, e.g. contractor, production ID, customer.
       Applies to: R, C, I

5.     Controls will be provided to identify and deactivate IDs belonging to customers who are no longer authorized to use the network. (The control used for identification may be a contractual agreement with the customer.)
       Applies to: R, C (I: N/a)

6.     Administration IDs should be stored in a safe place and used only in an emergency situation.
       Applies to: (no classification marked)

7.     Controls will be provided that detect a sign-on attempt to the network using an ID that is already validated and in session, and prevent the access. The event must be logged.
       Applies to: R

8.     The security manager or security officer has the capability to suspend logon IDs.
       Applies to: R, C, I

9.     The company name and logo are not displayed on the user's screen or terminal until after the user has successfully logged onto the network. A trespass (unauthorized-use warning) message should be displayed at logon time.
       Applies to: R, C, I

10.    Access can be limited by hour (e.g. 8am to 5pm) and/or by day of the week and holidays. These controls must remain effective across time zones (the computer in one time zone, the user in another).
       Applies to: R

11.    Corporate policy must state that IDs and passwords cannot be shared. Audit trails of session activity (logon, logoff, connect time, resources, and type of access) are created and retained for a minimum of one year.
       Applies to: R, C, I

12.    Controls exist to display to the user the last time the user's logon ID and password were used to log onto the system, so that unauthorized use of the user ID can be detected (e.g. a "Last logon: ..." message at logon).
       Applies to: R, C, I

13.    A logon attempt without a valid user identification/verification combination must fail only after both items have been entered, and the error message must not state the reason for the failure (i.e. which of the two was wrong).
       Applies to: R, C

14.    The system should not display any function the user is not authorized to use in the current session.
       Applies to: R, C

15.    Non-employee IDs can be set to expire at a predefined date.
       Applies to: R, C, I

16.    Default IDs and groups supplied with the system are deactivated.
       Applies to: R, C, I

17.    Web access is limited to authorized users only.
       Applies to: R, C

18.    Web users can only access authorized data.
       Applies to: R, C

19.    Telecommuting/remote access must, in addition, use smart-token security for authentication.
       Applies to: R, C, I

 


Password controls

Policy Password (each item ends with the classifications, R/C/I, for which it is required)

1.     The minimum password length is 7 characters; passwords can be up to 240 characters long. Passphrases are best, e.g. "My first Dog Tasso died age 12": easy to remember but hard to guess. Use something you know but nobody else does.
       Applies to: R, C, I

2.     The maximum number of consecutive password violations before suspension must be four.
       Applies to: R, C

3.     Password values must be changed periodically: every 30 days for Restricted systems, every 90 days for Confidential and Internal use. The new password must differ from the last 23 passwords used (so a password cannot be changed back to itself). The value must not be easy to guess and must be complex, i.e. contain a mixture of alphabetic, numeric and special characters. A warning message will be issued 5 days prior to the expiration date.
       Applies to: R, C, I

4.     A procedure will be in place to suspend a user ID 14 days after the password expiration date if the password has not been changed.
       Applies to: R, C, I

5.     Access to password datasets must be restricted to the minimum number of authorized personnel required to maintain the system.
       Applies to: R, C, I

6.     The initial password must be unique and communicated to the user in a secure manner.
       Applies to: R, C, I

7.     A password change must be forced during the initial sign-on.
       Applies to: R, C, I

8.     The security administrator can reset the password. When a reset password is issued to the user, it must be changed during the first sign-on session.
       Applies to: R, C, I

9.     Passwords are never displayed on the terminal screen during sign-on, nor in clear text on any other medium.
       Applies to: R, C, I

10.    Passwords are stored as one-way hashes (that is, recovery of the clear text from the stored value is not possible).
       Applies to: R, C, I

11.    Clear-text passwords are destroyed in storage once the hash has been computed.
       Applies to: R, C, I

12.    An audit trail must exist for password changes and violations, and must be retained for a minimum of one year.
       Applies to: R, C, I

13.    The password violation count is stored and reset only after a valid entry.
       Applies to: R, C, I

14.    When the system forces the user to change the password, a message is displayed stating that it is corporate policy that IDs and passwords are not to be shared.
       Applies to: R, C, I
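The logon and password rules above describe one mechanism from several angles: lockout after four failures, a violation count reset only on success, one-way stored passwords, a 23-deep history, 30/90-day expiry with a 14-day grace period, a forced change at first sign-on, and a failure message that gives no reason. The following is an added example written for this page, not code from Xxx or from the original standards, showing how those rules combine in one small authentication store. The numeric rule constants are taken from the checklist; the user IDs, passwords, timestamps, audit-event names, PBKDF2 hashing and the per-account salt are assumptions of the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Rule constants taken from the checklist above; everything else is assumed for the example.
MAX_VIOLATIONS = 4                          # lockout after 4 consecutive failures
HISTORY_DEPTH = 23                          # new password must differ from the last 23
MIN_LENGTH, MAX_LENGTH = 7, 240
EXPIRY_DAYS = {"R": 30, "C": 90, "I": 90}  # per data classification
GRACE_DAYS, WARN_DAYS = 14, 5               # suspend 14 days after expiry; warn 5 days before
GENERIC_FAILURE = "Logon failed."           # never says whether the ID or the password was wrong
_DUMMY_SALT = os.urandom(16)                # so an unknown ID costs the same time as a wrong password


def _hash(password, salt):
    """One-way hash; PBKDF2 with a per-account salt is this example's choice, not the standard's."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complex_enough(password):
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        return False
    return (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))   # letters, digits and other characters


class Account:
    def __init__(self, user_id, classification, initial_password, now):
        self.user_id, self.classification, self.salt = user_id, classification, os.urandom(16)
        self.history = []                   # hashes only, newest last; clear text is never kept
        self.violations, self.suspended, self.must_change = 0, False, True
        self.changed_at, self.last_logon = now, None
        self.store_hash(initial_password)

    def store_hash(self, password):
        self.history = (self.history + [_hash(password, self.salt)])[-HISTORY_DEPTH:]


class AuthStore:
    def __init__(self):
        self.accounts, self.audit = {}, []  # audit rows: (time, user ID, event)

    def logon(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None or acct.suspended:  # both items are still examined before failing
            _hash(password, _DUMMY_SALT)
            self.audit.append((now, user_id, "LOGON_FAIL"))
            return False, GENERIC_FAILURE
        if not hmac.compare_digest(_hash(password, acct.salt), acct.history[-1]):
            acct.violations += 1            # stored, reset only after a valid entry
            self.audit.append((now, user_id, "LOGON_FAIL"))
            if acct.violations >= MAX_VIOLATIONS:
                acct.suspended = True       # only the security manager re-activates the ID
                self.audit.append((now, user_id, "ID_SUSPENDED"))
            return False, GENERIC_FAILURE
        expiry = acct.changed_at + timedelta(days=EXPIRY_DAYS[acct.classification])
        if now > expiry + timedelta(days=GRACE_DAYS):
            acct.suspended = True           # password left expired past the grace period
            self.audit.append((now, user_id, "ID_SUSPENDED"))
            return False, GENERIC_FAILURE
        acct.violations = 0
        previous, acct.last_logon = acct.last_logon, now
        self.audit.append((now, user_id, "LOGON_OK"))
        msg = f"Last logon: {previous.isoformat() if previous else 'never'}"
        if acct.must_change or now > expiry:
            msg += " - password change required"
        elif now > expiry - timedelta(days=WARN_DAYS):
            msg += " - password expires soon"
        return True, msg

    def change_password(self, user_id, old, new, now):
        acct = self.accounts[user_id]
        if acct.suspended or not hmac.compare_digest(_hash(old, acct.salt), acct.history[-1]):
            return False, GENERIC_FAILURE
        if not complex_enough(new):
            return False, "New password does not meet length and complexity rules."
        new_hash = _hash(new, acct.salt)
        if any(hmac.compare_digest(new_hash, h) for h in acct.history):
            return False, f"New password must differ from the last {HISTORY_DEPTH} used."
        acct.store_hash(new)
        acct.changed_at, acct.must_change = now, False
        self.audit.append((now, user_id, "PASSWORD_CHANGED"))
        return True, "Reminder: corporate policy forbids sharing IDs and passwords."


def demo():
    # Constructed scenario: first sign-on, forced change, reuse refused, lockout after 4 failures.
    t0 = datetime(2024, 1, 1, 9, 0)
    store = AuthStore()
    store.accounts["u1001"] = Account("u1001", "R", "Tmp#Start2024", t0)
    out = {"first_logon": store.logon("u1001", "Tmp#Start2024", t0)}
    out["change"] = store.change_password("u1001", "Tmp#Start2024", "My first Dog Tasso died age 12!", t0)
    out["reuse"] = store.change_password("u1001", "My first Dog Tasso died age 12!", "Tmp#Start2024", t0)
    for _ in range(MAX_VIOLATIONS):
        out["lockout"] = store.logon("u1001", "wrong guess", t0 + timedelta(minutes=1))
    out["suspended"] = store.accounts["u1001"].suspended
    out["unknown_id"] = store.logon("no-such-id", "anything", t0)
    return out
```

The same salt is kept for the life of the account so that the 23-entry history can be compared hash-to-hash without ever storing clear text; the dummy hash on the unknown-ID path keeps the response time from revealing which IDs exist, which is the practical side of rule 13.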

 

 

 

 

 

Session controls

Policy Session (each item ends with the classifications, R/C/I, for which it is required)

1.     Users may not leave terminals logged on unattended. A user is automatically disconnected or logged off from the system if no activity has occurred within 15 minutes; reconnection requires revalidation.
       Applies to: R, C, I

2.     A user must be limited to authorized applications.
       Applies to: R, C, I

 


 

Computer environmental controls

Policy Computer Environmental (each item ends with the classifications, R/C/I, for which it is required)

1.     See the audit trail checklists below.
       Applies to: (no classification marked)

2.     Exception reports of unauthorized access attempts will be generated, such as:

·       Reporting of all unauthorized attempts to access the system (sign-on).

·       Reporting of all unauthorized attempts to access system resources.

·       Reporting of all unauthorized attempts to view or change security definitions and rules.

·       Reporting of all resource access privileges by user ID.

       The proponent (resource owner) or his/her delegate will define the extent of exception reporting. The department managers of persons attempting unauthorized access and the proponent of the denied resources must review the exception reports and take corrective action.
       Applies to: R, C

3.     Vendor connections from remote locations for diagnostics and maintenance must be initiated by the company, not by the vendor.
       Applies to: R, C, I

4.     Suspiciously high levels of unauthorized access attempts must be brought to the attention of attendant technicians by an alarm mechanism.
       Applies to: R, C, I

5.     Unauthorized alteration or bypassing of security facilities must be prevented.
       Applies to: R, C, I

6.     Control software must prevent application programs from attaining privileged status.
       Applies to: R, C, I

7.     The application must be Y2K compliant.
       Applies to: R, C, I
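Control 2 lists the exception reports and control 4 asks for an alarm on suspiciously high levels of unauthorized attempts. As an added example, not part of the original standard and not Xxx's own tooling, the code below derives those reports from audit-trail records and raises the alarm. The record layout, the sample lines, the user IDs, the resource names (SECRULES standing in for the security-definitions resource) and the alarm policy (five denials by one ID within five minutes) are all constructed for the illustration; the proponent would set the real thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail records for this example (not real log data):
# timestamp, user ID, event, resource, outcome.
SAMPLE_AUDIT = """\
2024-03-04T08:59:12 u1001 SIGNON NETWORK     OK
2024-03-04T09:01:40 u1001 ACCESS PAYROLL.DB  DENIED
2024-03-04T09:02:05 u2002 SIGNON NETWORK     DENIED
2024-03-04T09:02:09 u2002 SIGNON NETWORK     DENIED
2024-03-04T09:02:14 u2002 SIGNON NETWORK     DENIED
2024-03-04T09:02:20 u2002 SIGNON NETWORK     DENIED
2024-03-04T09:02:27 u2002 SIGNON NETWORK     DENIED
2024-03-04T09:15:00 u3003 ACCESS SECRULES    DENIED
2024-03-04T09:16:30 u3003 ACCESS CUSTACCT.DB OK
2024-03-04T09:20:00 u1001 ACCESS CUSTACCT.DB OK
"""

# Assumed name for the resource that holds security definitions and rules.
SECURITY_RESOURCES = {"SECRULES"}
# Assumed alarm policy for control 4: this many denials by one ID inside the window.
ALARM_THRESHOLD = 5
ALARM_WINDOW = timedelta(minutes=5)


def parse(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, resource, outcome = line.split()
            records.append({"ts": datetime.fromisoformat(ts), "user": user,
                            "event": event, "resource": resource, "outcome": outcome})
    return sorted(records, key=lambda r: r["ts"])


def exception_reports(records):
    """The four reports of control 2. The last one is derived from successful accesses,
    since this example has no security database to list granted privileges from."""
    denied = [r for r in records if r["outcome"] == "DENIED"]
    privileges = defaultdict(set)
    for r in records:
        if r["event"] == "ACCESS" and r["outcome"] == "OK":
            privileges[r["user"]].add(r["resource"])
    return {
        "unauthorized_signon": [r for r in denied if r["event"] == "SIGNON"],
        "unauthorized_resource": [r for r in denied
                                  if r["event"] == "ACCESS" and r["resource"] not in SECURITY_RESOURCES],
        "security_definition_attempts": [r for r in denied if r["resource"] in SECURITY_RESOURCES],
        "privileges_by_user": {u: sorted(s) for u, s in privileges.items()},
    }


def alarms(records):
    """Control 4: one alarm per ID the first time its denials within ALARM_WINDOW reach
    ALARM_THRESHOLD. Returns (user ID, ISO time of the triggering event)."""
    recent, raised = defaultdict(list), []
    for r in records:
        if r["outcome"] != "DENIED":
            continue
        window = recent[r["user"]]
        window.append(r["ts"])
        while r["ts"] - window[0] > ALARM_WINDOW:     # drop denials that fell out of the window
            window.pop(0)
        if len(window) >= ALARM_THRESHOLD and r["user"] not in {u for u, _ in raised}:
            raised.append((r["user"], r["ts"].isoformat()))
    return raised


def run(text=SAMPLE_AUDIT):
    records = parse(text)
    return exception_reports(records), alarms(records)


if __name__ == "__main__":
    reports, alerts = run()
    for name, rows in reports.items():
        print(name, len(rows) if isinstance(rows, list) else rows)
    print("alarms", alerts)
```

On the sample data only u2002 crosses the alarm threshold (five denied sign-ons in 22 seconds), while the single denied accesses by u1001 and u3003 appear in the reports for the managers' review without raising an alarm; the attempt against SECRULES is reported separately because the standard singles out security definitions.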

 

Transmission controls

Policy Transmission (each item ends with the classifications, R/C/I, for which it is required)

1.     GUI: passwords must be transmitted in an approved secure manner, i.e. encrypted.
       Applies to: R, C, I

2.     API: passwords must be transmitted in an approved secure manner, i.e. encrypted.
       Applies to: R, C, I

3.     EDI: passwords must be transmitted in an approved secure manner, i.e. encrypted.
       Applies to: R, C, I

4.     Client to application server passwords must be encrypted.
       Applies to: R, C, I

5.     Application server to SQL server passwords must be encrypted.
       Applies to: R, C, I

 

  

Logon/Logoff Audit trails

Policy Logon/Logoff Audit trails (each item ends with the classifications, R/C/I, for which it is required)

1.     Contains user ID.
       Applies to: R, C, I

2.     Contains time and date of logon/logoff.
       Applies to: R, C, I

3.     Retention period minimum of one year.
       Applies to: R, C, I

4.     Exception reporting must be done in an approved manner.
       Applies to: R, C, I

 

Transaction Audit trail

Policy Transaction Audit trail (each item ends with the classifications, R/C/I, for which it is required)

1.     Contains user ID.
       Applies to: R, C, I

2.     Contains time and date of logon/logoff.
       Applies to: R, C, I

3.     Retention period minimum of one year.
       Applies to: R, C, I

4.     Exception reporting, see above.
       Applies to: R, C

5.     Identifies the transaction.
       Applies to: R, C

6.     Unique transaction number.
       Applies to: R, C

7.     All access events can be reconstructed.
       Applies to: R, C

 

Transaction log

Policy Transaction log (each item ends with the classifications, R/C/I, for which it is required)

1.     There must be a transaction log.
       Applies to: (no classification marked)

2.     The audit trail can serve as the transaction log if it contains the approved information.
       Applies to: (no classification marked)

3.     Before and after images should be recorded for updates.
       Applies to: R, C

4.     Contains user ID.
       Applies to: R, C

5.     Contains time and date of logon/logoff.
       Applies to: R, C

6.     Retention period minimum of one year.
       Applies to: R, C

7.     Exception reporting, see above.
       Applies to: R, C

8.     Identifies the transaction.
       Applies to: R, C

9.     Unique transaction number.
       Applies to: R, C

10.    All access events can be reconstructed.
       Applies to: R, C
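The transaction log items above (before and after images, user ID, time, unique transaction number, reconstructable access events) and items 4 and 5 of the server recovery checklist that follows (apply transactions from the transaction log) describe the same structure from two sides. The following is an added example, not from the original document and not Xxx's own code, of a log carrying those fields and of recovery by replaying it onto a backup copy. The account records, user IDs, timestamps and the ADJUST_BALANCE transaction type are constructed for the illustration.

```python
from copy import deepcopy
from itertools import count


class TransactionLog:
    """Each entry carries the fields the checklist asks for: unique transaction number,
    user ID, time, transaction type, the record key, and before/after images."""

    def __init__(self):
        self.entries = []
        self._seq = count(1)

    def record(self, user_id, ts, transaction, key, before, after):
        entry = {"txn": next(self._seq), "user": user_id, "ts": ts, "transaction": transaction,
                 "key": key, "before": deepcopy(before), "after": deepcopy(after)}
        self.entries.append(entry)
        return entry["txn"]


def adjust_balance(table, log, user_id, ts, key, delta):
    """Apply an update to the live table and log it with before and after images."""
    before = table[key]
    after = dict(before, balance=before["balance"] + delta)
    table[key] = after
    return log.record(user_id, ts, "ADJUST_BALANCE", key, before, after)


def replay(snapshot, log, upto=None):
    """Recovery item 5: rebuild state by applying the log's after images to a backup copy,
    optionally stopping at a transaction number for point-in-time recovery."""
    state = deepcopy(snapshot)
    for e in log.entries:
        if upto is not None and e["txn"] > upto:
            break
        state[e["key"]] = deepcopy(e["after"])
    return state


def undo_last(state, log):
    """Back out the most recent transaction using its before image. Only the last entry can
    be undone this way; an earlier one would need the later after images reapplied."""
    e = log.entries[-1]
    state[e["key"]] = deepcopy(e["before"])
    return state


def history(log, key):
    """Item 10: reconstruct every change to one record (who, when, from what, to what)."""
    return [(e["txn"], e["user"], e["ts"], e["before"]["balance"], e["after"]["balance"])
            for e in log.entries if e["key"] == key]


def demo():
    # Constructed data: an off-site backup taken before the day's transactions.
    backup = {"ACC-1": {"owner": "A", "balance": 100}, "ACC-2": {"owner": "B", "balance": 50}}
    live, log = deepcopy(backup), TransactionLog()
    adjust_balance(live, log, "u1001", "2024-03-04T10:00:00", "ACC-1", -30)
    adjust_balance(live, log, "u1001", "2024-03-04T10:00:01", "ACC-2", +30)
    adjust_balance(live, log, "u2002", "2024-03-04T11:30:00", "ACC-1", +5)
    return {
        "live": live,
        "recovered": replay(backup, log),             # must equal live
        "as_of_txn_2": replay(backup, log, upto=2),   # point-in-time recovery
        "acc1_history": history(log, "ACC-1"),
        "rolled_back": undo_last(replay(backup, log), log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because every entry holds a full before image as well as the after image, the same log supports both directions: forward replay onto a backup (items 4 and 5 of the recovery checklist) and backing out a bad transaction, and the per-record history answers who changed what and when without any other data source.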

 

 


Recovery of the Servers

C = Critical uptime, L = Less critical, N = Not critical

Policy Recovery of the Servers (each item ends with the server classes, C/L/N, for which it is required)

1.     Real-time recovery at a different location.
       Applies to: C

2.     Real-time recovery at the same location.
       Applies to: C, L

3.     Backup and restore of databases and software.
       Applies to: C, L, N

4.     Apply transactions from the transaction log in real time.
       Applies to: C, L

5.     Apply transactions from the transaction log off-line.
       Applies to: C, L, N

6.     Backup of databases with off-site storage.
       Applies to: C, L, N

7.     Backup of the transaction log with off-site storage.
       Applies to: C, L, N

 

Security databases should include employee numbers.

All personnel IDs should be compared with the HR personnel database to ensure current employee status. Terminated employees should be suspended in the security system by the system itself, on a daily basis.
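As an added example (not from the original document and not Xxx's own job), the following daily reconciliation compares the security system's IDs with the HR personnel database, suspends the IDs of terminated or inactive employees, and, for non-employee IDs, applies the predefined expiry date called for in the logon standards. Both databases, the status values, the ID formats and the dates are constructed for the illustration.

```python
from copy import deepcopy
from datetime import date

# Constructed data for this example. The security database is keyed by logon ID and carries
# the employee number, as the standard requires; non-employee IDs carry an expiry date instead.
SECURITY_DB = {
    "u1001": {"employee_no": "E001", "type": "employee", "status": "ACTIVE"},
    "u1002": {"employee_no": "E002", "type": "employee", "status": "ACTIVE"},
    "u1003": {"employee_no": "E003", "type": "employee", "status": "ACTIVE"},
    "u1004": {"employee_no": "E999", "type": "employee", "status": "ACTIVE"},   # unknown to HR
    "c2001": {"employee_no": None, "type": "contractor", "status": "ACTIVE", "expires": "2024-03-01"},
    "c2002": {"employee_no": None, "type": "contractor", "status": "ACTIVE", "expires": "2024-12-31"},
    "u1005": {"employee_no": "E005", "type": "employee", "status": "SUSPENDED"},  # handled earlier
}

HR_DB = {
    "E001": {"status": "ACTIVE"},
    "E002": {"status": "TERMINATED", "termination_date": "2024-03-03"},
    "E003": {"status": "LEAVE"},          # inactive status, still employed
    "E005": {"status": "TERMINATED", "termination_date": "2024-02-20"},
}


def reconcile(security_db, hr_db, today):
    """Return {logon_id: reason} for every active ID that must be suspended, and mark it
    suspended in the security database. Anything HR does not report as ACTIVE, including
    IDs with no HR record at all, is treated as inactive (fail closed)."""
    to_suspend = {}
    for logon_id, rec in security_db.items():
        if rec["status"] != "ACTIVE":
            continue
        if rec["type"] == "employee":
            hr = hr_db.get(rec["employee_no"])
            if hr is None:
                to_suspend[logon_id] = "no matching HR record"
            elif hr["status"] != "ACTIVE":
                to_suspend[logon_id] = f"HR status {hr['status']}"
        elif date.fromisoformat(rec["expires"]) < today:
            to_suspend[logon_id] = f"non-employee ID expired {rec['expires']}"
    for logon_id, reason in to_suspend.items():
        security_db[logon_id]["status"] = "SUSPENDED"
        security_db[logon_id]["suspended_reason"] = reason
    return to_suspend


def run_daily(today_iso, security_db=SECURITY_DB, hr_db=HR_DB):
    """The daily job: works on a copy so the constructed data stays reusable, and returns
    the suspensions together with the updated database for the security manager's review."""
    db = deepcopy(security_db)
    return reconcile(db, hr_db, date.fromisoformat(today_iso)), db


if __name__ == "__main__":
    suspended, db = run_daily("2024-03-04")
    for logon_id, reason in suspended.items():
        print(f"{logon_id}: suspended ({reason})")
```

The job only ever suspends; re-activation stays a manual step for the security manager, matching the logon standards, and an ID whose employee number has no HR record is suspended rather than ignored, since a missing record is exactly what a leftover or mistyped account looks like.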