URP: I.19.n Information Security System Communications Protection


STATEMENT OF PURPOSE
This document establishes the information system communications protection regulations and procedures. Their purpose is to manage Texas Woman’s University’s (TWU) risks from vulnerable system configurations, denial of service, and data communication and transfer through the establishment of an effective system communications protection program.

DEFINITIONS
Information System Communications are data transmissions and system-to-system communications, including the means of verifying the identity of the communicating parties (e.g., over the Internet, within the organization, or across private networks).
Explicit Indication of Use includes, for example, a signal to local users when cameras and/or microphones are activated, or a remote desktop notification that a user is logged in.
Denial of Service is an attack in which an attacker attempts to prevent legitimate users from accessing information or services.
Cryptographic Key is a string of bits used by a cryptographic algorithm to transform plaintext into ciphertext or vice versa.
Name/Address Resolution Service translates a name, such as a computer’s host name, into a network address that machines and network devices understand.

SCOPE
These regulations and procedures apply to all information resources owned or operated by TWU. All users are responsible for adhering to this policy. Where needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.

REGULATIONS AND PROCEDURES
The State of Texas has adopted the system and communications protection principles established in the NIST SP 800-53 “System and Communications Protection” control family. The following subsections outline the system and communications protection standards that constitute TWU’s regulations and procedures.
SC-1 System and Communications Protection:
 Regulations:
▪ TWU must develop, document, and disseminate information system and communications protection regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

 Procedures:
▪ The Office of Technology (OOT) will maintain regulations and procedures for information system and communications protection that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
SC-5 Denial of Service Protection:
 Regulations:
▪ TWU information systems must protect against, or limit the effects of, denial of service attacks.
 Procedures:
▪ The OOT Security Team and OOT Network Team employ a combination of systems, architecture, and techniques to protect against denial of service attacks (e.g., a DMZ, firewalls, and intrusion detection and/or prevention systems).

SC-7 Boundary Protection:
 Regulations:
▪ TWU must:
• Monitor and control communications at the external boundary of the network and at key internal boundaries within the network;
• Implement subnetworks for publicly accessible communication devices that are separated from internal organizational networks; and
• Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with the University security architecture.
 Procedures:
▪ The OOT Security Team and Network Team place information systems on TWU’s network into zones. Traffic between any two zones must pass through a firewall, and the firewall should be the only device that passes traffic between zones. The defined zone types are:
• Administrative;
• Core business;
• Wireless/dorms; and
• Internet accessible.
▪ As new services are implemented within TWU, they must undergo an assessment to determine where they best fit on the network, using the following checklist:
• Define zone list;
• Define zone hardening policy; and
• New systems must be classified to fit in zones.

SC-8 Transmission Confidentiality and Integrity:
 Regulations:
▪ TWU information systems must secure confidential information in transit.
 Procedures:
▪ Confidential information transmitted over a public network (e.g., the Internet) must be encrypted; users are responsible for ensuring that it is.

SC-12 Cryptographic Key Establishment and Management:
 Regulations:
▪ TWU must establish and manage cryptographic keys whenever cryptography is required by an information system.
 Procedures:
▪ The OOT Security Team generates and manages cryptographic keys when they are needed by an information system owner.

SC-13 Cryptographic Protection:
 Regulations:
▪ TWU must implement cryptographic protections, including cryptographic keys, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
 Procedures:
▪ The OOT Security Team implements cryptographic protections, including cryptographic keys, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
▪ Confidential information stored in a public location that is directly accessible without compensating controls in place (e.g., FTP without access control) must be encrypted.
▪ Confidential information must be encrypted if it is copied to, or stored on, a portable computing device, removable media, or a computing device not owned by a state organization. The minimum key length for encrypting confidential information is 128 bits.

SC-15 Collaborative Computing Devices:
 Regulations:
▪ TWU must prohibit remote activation of collaborative computing devices unless users authenticate using the TWU-defined VPN and the computing device provides an explicit indication of use to users physically present at the device.
 Procedures:
▪ Users may not remotely activate a collaborative computing device unless they:
• Are physically present at the device; or
• Authenticate using the TWU-defined VPN and the computing device provides an explicit indication of use to users physically present at the device.
▪ Any network-enabled collaboration device purchased by TWU must be assessed through the risk assessment process prior to purchase to determine what controls are necessary at that time. If a device cannot meet the requirements of this control, that fact is noted in the risk assessment together with the OOT Security Team’s recommendations for reducing the risk.

SC-20 Secure Name/Address Resolution Service (Authoritative Source):
 Regulations:
▪ TWU information systems, specifically DNS, must:
• Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
• Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
 Procedures:
▪ The OOT Network Team manages TWU DNS information systems that meet the standards set forth in this control.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver):
 Regulations:
▪ TWU information systems, specifically DNS resolvers, must request and perform data origin authentication and data integrity verification on the name/address resolution responses they receive from authoritative sources.
 Procedures:
▪ The OOT Network Team manages TWU DNS information systems that meet the standards set forth in this control.

SC-22 Architecture and Provisioning for Name/Address Resolution Service:
 Regulations:
▪ TWU must operate information systems that collectively provide name/address resolution services that are fault-tolerant and implement internal/external role separation.
 Procedures:
▪ The OOT Network Team maintains internal DNS at all locations and external DNS at more than one location.
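The requirements of SC-20, SC-21, and SC-22 map onto a small number of DNS server settings. The fragments below are an added illustration written for this page; they are not TWU’s or OOT’s actual configuration. The zone name, file paths, address ranges, and the choice of BIND 9.16+ syntax are assumptions for the example, and the weak setting is shown beside the corrected one where a misconfiguration would silently defeat the control.

```conf
# ---------------------------------------------------------------------------
# SC-21: recursive/caching resolver validates what it receives from
# authoritative sources (BIND 9.16+ named.conf.options; addresses assumed)
# ---------------------------------------------------------------------------
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   # internal clients only (assumed range)

    # Corrected: validate RRSIG chains up to the built-in root trust anchor.
    dnssec-validation auto;
    # Weak setting this replaces (accepts unsigned or forged answers as-is):
    # dnssec-validation no;
};

# ---------------------------------------------------------------------------
# SC-20: authoritative server signs its zone and can prove its data's origin
# and integrity to validating resolvers (zone name and file path assumed)
# ---------------------------------------------------------------------------
zone "example.edu" {
    type primary;
    file "/var/named/example.edu.db";
    dnssec-policy default;   # automatic KSK/ZSK generation, signing, rollover
    inline-signing yes;      # sign a copy; the unsigned master file stays editable
};
# Chain of trust: a DS record for this zone's KSK must be published in the
# parent zone; DS records for any signed child zones (e.g. a delegated
# sub.example.edu) are published in this zone's data file.

# ---------------------------------------------------------------------------
# SC-22: role separation. The externally reachable authoritative server
# answers only for its own zones and never recurses on behalf of clients.
# (separate named.conf on the external server; addresses assumed)
# ---------------------------------------------------------------------------
options {
    recursion no;            # weak setting this replaces: recursion yes;
    allow-query { any; };    # authoritative data is public by design
    allow-transfer { 192.0.2.10; 192.0.2.11; };   # secondaries only (assumed)
};
```

A quick check on the resolver side: query it with `dig +dnssec example.edu SOA` and confirm the response header carries the `ad` (authenticated data) flag; if the flag is absent for a zone that is known to be signed, validation is not in effect. On the authoritative side, `dig @<external-server> +dnssec example.edu DNSKEY` should return RRSIG records alongside the keys, and a query for a name outside the served zones should be refused rather than resolved, which confirms that `recursion no;` is actually applied.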

SC-39 Process Isolation:
 Regulations:
▪ TWU information systems must maintain a separate execution domain for each executing process.
 Procedures:
▪ TWU uses modern operating systems that support process isolation.

APPLICABILITY TWU Students, Faculty, Staff, and Guests

COMPLIANCE
Violation of this policy may result in disciplinary action, which may include termination for employees, temporaries, interns, and volunteers; termination of the employment relationship in the case of contractors or consultants; termination of access; legal action; disciplinary review; and suspension or expulsion in the case of a student.

SPECIAL NOTES
Department of Information Resources Security Standards Catalog http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

Owner: Associate Provost for Technology

Details
Article ID: 56383
Created: Fri 6/22/18 11:13 AM
Modified: Mon 3/25/19 11:20 AM