Information Technology Security Management

Ohio Public Library Information Network (OPLIN)

OPLIN shall exercise due diligence to ensure that all OPLIN computer and telecommunications systems and services are secure, and that the information contained within those systems and services is protected from unauthorized disclosure, modification or destruction, whether accidental or intentional.

This document outlines a plan to accomplish that goal through implementation of individual policies covering Risk Assessment and Data Classification, Recovery Preparation, Boundary Security, Password Security, Malicious Code Security, Internet Security, Remote Access Security, Portable Computing Security, Intrusion Prevention and Detection, Security Incident Response, Security Notifications, Security Practices, and Security Education and Awareness. In any case where these policies conflict with the Information Technology Security Policies of the Ohio Office of Information Technology (OIT), OIT's policies shall prevail.

OPLIN shall admonish all employees, contractors, temporary personnel and other agents of the state to adhere to these policies.

Risk Assessment and Data Classification

OPLIN shall annually conduct a risk assessment of system assets, threats, and organizational priorities. The assessment shall be prepared by the OPLIN Director, or a staff member designated by the Director, with input from all staff. This assessment will be reviewed at the end of every fiscal year to ensure that it is current.

The assessment shall be stored in a secure location and shall include current information regarding:

• the nature of the information and the systems;
• the business purpose;
• the operating environment;
• the existing protections;
• the impact of a security breach; and
• the likelihood of a breach occurring.

In conjunction with this risk assessment, OPLIN staff shall review the classification of OPLIN data. The data shall be labeled for both confidentiality ("public," "limited access," or "restricted") and criticality ("low," "medium," "high," or "very high"). Any data that could efficiently be replaced rather than protected will also be identified.

Concurrent with this annual assessment, OPLIN shall notify OIT Risk Management Services of the current primary and secondary incident response points of contact, which will typically be the Director and the Technology Projects Manager.

[top of document]

Recovery Preparation

OPLIN shall take the following steps to ensure that critical tools, data and equipment are available to facilitate containment and recovery in the event of a security breach:

• System back-ups. OPLIN shall create and maintain trusted system, data and application back-ups. Back-ups shall be tested semi-annually to maintain a high confidence of a successful recovery. Back-ups shall be created on a regular and frequent basis and securely maintained.
• System and application software versions. OPLIN shall maintain verified copies of all critical system and application installation software. OPLIN shall ensure the system and application software versions and security related patches are current and securely maintained.
• Configuration redundancy. Redundant configurations can facilitate the recovery of information technology systems or assets while preserving evidence of a compromised information technology asset. OPLIN shall assess the value and need for maintaining redundant system configurations; mission-critical systems shall have redundant configurations.

[top of document]

Boundary Security

OPLIN shall acquire, install, operate and manage a boundary security capability in cooperation with OIT to allow authorized network traffic and deny everything else.

• Servers and firewalls shall be configured specifically to limit access to ports and services required to support OPLIN business processes.
• Servers and firewalls shall enable activity logging using a common, standardized network time source to monitor attempted probes, attacks or intrusions, including all repeated attempts from non-authorized entities to breach the boundary.
• Strong authentication appropriate to the data being protected shall be used to limit access to systems.
• A demilitarized zone (DMZ) shall be used to isolate World Wide Web services and external e-mail entry points, and to hide vulnerable systems and information from the Internet.

[top of document]

Password Security

All OPLIN staff using passwords to access OPLIN-operated information technology or to access data in any way related to OPLIN business, including vendor data related to OPLIN accounts, shall use passwords that conform to these requirements:

• Composition. Passwords shall be composed of both upper and lower case letters and shall include at least one number or special character.
• Length. Passwords shall be at least eight (8) characters in length, except for administrative passwords on systems that are publicly accessible, which shall be at least twelve (12) characters in length.
• Aging. Passwords shall be changed at least once every two (2) months.
• History. Passwords shall not be re-used for a period of six months.
• Uniqueness. Staff shall not intentionally choose a password identical to the password of another staff person. Each staff member shall have their own individual password for accessing OPLIN-operated information technology.
• Transmission. Passwords to OPLIN-operated information technology shall not be transmitted electronically in clear text.

The following requirements pertain to password administration on OPLIN-operated information technology:

• Administration privileges. Passwords and password administration on each OPLIN server or network device shall be managed by the OPLIN Director and the OPLIN Technology Projects Manager (TPM), or other OPLIN staff person designated by the Director. Passwords shall grant the minimum system privileges necessary to complete assigned tasks.
• System lockout. The password administrator(s) shall, where possible, set each server and device to suspend the access of any user who exceeds three unsuccessful attempts at entering a password. After the password administrator(s) confirms that the attempts were actually initiated by an authorized staff person, the system lockout can be reset.
• Storage. The password administrator(s) shall maintain and safeguard system password files in a manner to prevent unauthorized access. Password files will be backed-up to facilitate recovery from system failures, security breaches, disasters, accidents and like events with the potential to affect systems. All password backup files shall be stored on media in a locked storage location.
• Deactivation. The TPM or back-up shall deactivate passwords of employees, contractors, temporary personnel and other agents of the state who have terminated or transferred to other work units within one (1) week of the termination or transfer. Passwords that have been compromised maliciously or by accident shall be deactivated within one (1) day of discovery of the compromise. Inactive user IDs shall be deactivated after six (6) months of no activity.
• Default passwords. Default application and system passwords shall be reset before deployment of any system or application.

[top of document]

Malicious Code Security

OPLIN shall deploy malicious code security ("anti-virus") capability. Anti-virus software shall be installed and operating properly on all OPLIN-owned, OPLIN-operated or OPLIN-authorized information systems. The anti-virus software shall be configured to:

• Check daily for updates and begin installing all updates immediately.
• Scan in real time for malicious code in all attachments and downloaded files from e-mail, web-sites, and instant messaging transmitted from both the Internet and intranet.
• Check all removable media such as diskettes and CD-ROM for malicious code.
• Check all system assets for malicious code at least monthly.

OPLIN staff must report any malicious code incidents to the Technology Projects Manager (TPM) as soon as possible. The TPM shall maintain a record of malicious code incidents for auditing purposes.

OPLIN shall evaluate its anti-virus software annually and at the same time ensure that each employee receives initial or refresher training on malicious code security, including how to use the anti-virus software selected by OPLIN.

Nothing in this policy shall be construed to require that OPLIN is responsible for installation, maintenance and support of anti-virus software on privately owned computers.

[top of document]

Internet Security

OPLIN shall secure connections to the Internet from OPLIN-controlled assets against unauthorized access and malicious code. Participation in chat rooms, open forum discussion groups or interactive messaging shall be permitted only when organized or approved by OPLIN. An individual approved to participate in any of these forms of communication shall be aware of methods to avoid inadvertent disclosure of sensitive information, as well as practices to avoid that could harm the security of state computer systems and networks.

[top of document]

Remote Access Security

OPLIN shall permit all staff to access OPLIN servers remotely, but shall ensure that the following conditions are met:

• All remote users shall be authenticated by a user-ID and password conforming to OPLIN Password Security requirements; passwords that are transmitted shall be encrypted.
• The remote connection shall be secured against unauthorized access and malicious code.
• Remote access shall not provide the user with more system privileges than they would otherwise have.
• Wireless access to OPLIN servers shall use the wireless encryption standard currently approved by OIT.
• Remote access host servers shall be protected in accordance with the OPLIN Boundary Security requirements.

[top of document]

Portable Computing Security

OPLIN shall permit staff use of portable computing devices, either OPLIN-owned or privately owned and authorized for state use. Users of portable computing devices shall adhere to these requirements:

• Physical security. OPLIN and users shall protect state-owned and state-authorized portable computing devices, removable storage components and removable computer media from unauthorized access. Such devices shall not be left unattended without employing adequate safeguards such as cable locks, restricted access environments or lockable cabinets. When possible, portable computing devices, computer media and removable components shall remain under visual control while traveling. OPLIN shall maintain an inventory for all OPLIN-owned, privately owned and contractor-owned portable devices authorized for work use with state systems.
• Operation and maintenance. The OPLIN Technology Projects Manager is authorized to prepare portable devices for use on state computer, network or telecommunications systems. Portable computing devices shall be equipped with anti-virus software and shall be maintained with appropriate security patches and updates. The user is responsible for any personal software added to the device and must ensure that all such software is properly licensed. OPLIN-owned portable computing devices shall be returned to the OPLIN TPM or Director when the user's employment or contract terminates; the user is responsible for removing all non-state data and software. All state data and software shall be recovered, deleted and securely overwritten as appropriate from privately owned and contractor-owned portable computing devices when the user's employment or contract terminates or when the portable computing device is no longer authorized for official state business.
• Password control. Whenever possible, access to portable computing devices and to device system settings shall be protected by passwords conforming to the OPLIN Password Security requirements.
• Lost and stolen devices. Loss or theft of a portable computing device, either OPLIN-owned or privately owned and authorized for state use, shall be reported to both the OPLIN TPM and the OPLIN Director within three (3) days of the loss.

[top of document]

Intrusion Prevention and Detection

OPLIN shall maintain a capability to prevent and detect successful attempts to breach security measures for the purpose of system intrusions or misuse.

• Implementation of intrusion prevention and detection capabilities. OPLIN shall deploy intrusion prevention and detection capabilities compatible with OPLIN's infrastructure, policies and resources to prevent unauthorized use, anomalies or attacks on computer, network or telecommunications systems. In addition, intrusion detection capabilities shall be in place to provide information relating to unauthorized or irregular behavior on any OPLIN computer, network or telecommunication system. The OPLIN Technology Projects Manager and the staff of the OPLIN Support Center shall be trained to interpret and maintain agency intrusion prevention and detection capabilities.
• Monitoring, review and detection. OPLIN staff shall review information technology security audit logs and intrusion prevention and detection system alerts on a regular basis to determine if a successful intrusion or other type of security incident has occurred. Designated OPLIN staff shall continuously monitor OPLIN Internet connections for suspicious activity during business hours. Web and e-mail server access logs shall be reviewed weekly for suspicious activity. OPLIN staff shall also work with OIT staff to identify suspicious activity on OPLIN Internet connections provided to public libraries and shall work with OIT staff to determine the nature of the suspicious activity and take all necessary steps to end any activity that is illicit.
• Alarms and alerts. Any increase in network activity that clearly and significantly exceeds normal activity for a given time of day and day of week shall be considered suspicious until further review determines otherwise. Any pattern of repeated attempts by unauthorized users to access protected areas of web and e-mail servers shall be considered suspicious until further review determines otherwise.
• Incident response. Any detected incident of successful intrusion shall be recorded according to the requirements of the OPLIN Security Incident Response policy.

[top of document]

Security Incident Response

OPLIN shall assess all security incidents to determine the severity of the incident and how it should be handled. Security incidents may be classified as either critical or threatening, and the OPLIN response shall vary accordingly. The OPLIN Technology Projects Manager or the OPLIN Director shall have responsibility for classifying security incidents; these two individuals and the OPLIN Support Center staff shall be responsible for completing responses to incidents.

Threatening incidents do not impact the security of any OPLIN resources that have either been determined to be critical in the annual risk assessment or contain confidential information, and they do not require that any systems be recovered or restored. Such incidents shall be recorded in a secure file and the record shall include: a description of the incident; how the incident was identified; who identified the incident; an inventory of all actions taken, when they were taken and who performed them; and any correspondence associated with the incident. The record shall be retained for at least one (1) year.

Critical incidents impact the security of OPLIN resources determined to be critical in the annual risk assessment or containing confidential information, and/or they require that systems be recovered or restored. These incidents require a more extensive response:

• Incident evidence file. OPLIN staff shall create an evidence file to log and maintain an inventory of all actions taken, action timestamps and correspondence associated with a security incident. If appropriate, OPLIN staff shall also create a forensic back-up file of affected systems. The security incident evidence file(s) shall be securely maintained and safeguarded throughout the incident response actions to ensure that evidence is not altered or lost. At the completion of the incident response actions a copy of the file(s) shall be sent to OIT and the passage of this evidence shall be documented.
• Incident containment. OPLIN staff shall, as required to contain the security breach: ensure that redundant systems and data have not been compromised; monitor system and network activity; disable access to compromised shared file systems; disable specific compromised system services; change passwords or disable compromised accounts; temporarily shut down the compromised or at risk systems; and disconnect compromised or at risk systems from the network.
• Incident elimination. OPLIN staff shall eliminate unauthorized access and remove unauthorized modifications prior to returning compromised systems to service. Elimination methods may include, but are not limited to: changing passwords on compromised systems; disabling compromised accounts; reinstalling compromised systems from trusted back-ups; identifying and removing an intruder's access methods such as backdoors; installing system patches for known weaknesses or vulnerabilities; reinstalling system user files from trusted versions; reinstalling system settings from trusted sources; reinstalling system start-up routines from trusted versions; and adjusting firewall or intrusion detection system technologies to detect access and intrusion methods.
• Recovery. OPLIN staff shall evaluate and determine when to return compromised systems to normal operations. Access to compromised system assets shall be limited to authorized personnel until the security incident has been contained and root cause of the incident eliminated. Once that is done, systems may be restored and OPLIN staff shall validate the restored systems through system or application regression tests, user verification, penetration tests, vulnerability testing and test result comparisons.
• Lessons learned. In order to reduce the possibility for similar incidents and thereby enhance its overall information technology security posture, OPLIN staff shall convene a post-incident analysis and review meeting within three to five days of completing the incident recovery. This review will assess the effectiveness of the security response system and determine how these procedures might be expanded or improved.

[top of document]

Security Notifications

OPLIN shall notify public library users of OPLIN web-based applications, such as the Support Center web page, that:

• The system is designated for official state use.
• Access to the system may be logged.
• System activity may be monitored and logged.
• Users shall comply with OPLIN information technology policies.
• Users shall have no expectation of personal privacy unless explicitly stated.
• Illegal or unauthorized attempts to access the system and information could lead to criminal penalties and civil liability.

This notification shall appear at the bottom of the first web page that provides access to the web-based application.

This policy shall not apply to e-mail services supplied to public libraries by OPLIN.

[top of document]

Security Practices

OPLIN shall abide by the policies and procedures of the State Library of Ohio in regard to basic security practices that are not covered elsewhere in this document, such as:

• Disposal, servicing, and transfer of information technology equipment.
• Staff use of Internet, e-mail and other information technology resources.
• Storage and retention of electronic records.

[top of document]

Security Education and Awareness

All OPLIN staff shall meet annually to review these policies and the current risk assessment. New OPLIN employees, contractors, and temporary personnel shall also review the policies and risk assessment as part of their orientation to OPLIN. OPLIN staff directly involved with maintenance of OPLIN security capability shall be encouraged to acquire, at OPLIN's expense, appropriate technical training, certifications, formal course work, and/or conferences for information technology security technologies and practices, such as firewalls, wireless devices, routers, switches, virtual private networks, encryption, public key infrastructure, data protection, and audit logging.

Approved by the OPLIN Board on October 12, 2007; minor revisions August 1, 2011 to conform with state policy ITS-SEC-02