Northeast Data

Security Policy

Introduction

This information security policy is a set of rules enacted by Northeast Data to ensure that all users of networks or the IT infrastructure within the organization's domain abide by the prescriptions regarding the security of data stored digitally within the boundaries over which the organization exercises its authority.

Encryption

Purpose

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

Scope

This policy applies to all Northeast Data employees and affiliates.

Algorithm Requirements

Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents according to the date of implementation.

The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.

Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.

Signature Algorithms

Algorithm   Key Length (min)   Additional Comment
ECDSA       P-256              Consider RFC 6090 to avoid patent infringement.
RSA         2048               Must use a secure padding scheme. PKCS#7 padding scheme is recommended. Message hashing required.
LDWM        SHA256             Refer to LDWM Hash-Based Signatures Draft.

Hash Function Requirements

In general, Northeast Data adheres to the NIST Policy on Hash Functions.

Key Agreement and Authentication

Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic curve Diffie-Hellman (ECDH). End points must be authenticated prior to the exchange or derivation of session keys.

Public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via cryptographically signed message or manual verification of the public key hash.

All servers used for authentication (for example, RADIUS or TACACS) must have installed a valid certificate signed by a known trusted provider.

All servers and applications using SSL or TLS must have the certificates signed by a known, trusted provider.
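As an added example, not part of the original policy: a small Python script that shows how the Signature Algorithms minimums and the manual public key hash verification described above can be checked in code. It parses an OpenSSH public key line (the policy does not name this format; choosing it is an assumption here), computes the SHA-256 fingerprint that an operator would compare out of band, and checks the key strength against the RSA 2048 and ECDSA P-256 minimums. The sample keys are constructed numbers of the right size, not real keys.

```python
import base64
import hashlib
import struct

# Minimum strengths taken from the Signature Algorithms table:
# RSA modulus of at least 2048 bits, ECDSA on P-256 (256-bit) or larger.
POLICY_MINIMUM_BITS = {"RSA": 2048, "ECDSA": 256}

# NIST curve names as they appear inside OpenSSH ECDSA key blobs.
CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def _read_string(blob, offset):
    """Read one SSH 'string' (4-byte big-endian length, then that many bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_public_key(line):
    """Return algorithm family, strength in bits and SHA-256 fingerprint for one
    'type base64blob [comment]' line. Only RSA and NIST ECDSA keys are handled."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    name, offset = _read_string(blob, 0)
    if name.decode() != key_type:
        raise ValueError("key type field does not match blob contents")
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)  # public exponent, unused here
        n_bytes, _ = _read_string(blob, offset)         # modulus as an SSH mpint
        # mpint is two's complement: a leading 0x00 keeps a high-bit modulus positive
        bits = int.from_bytes(n_bytes, "big", signed=True).bit_length()
        family = "RSA"
    elif key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, offset)
        bits = CURVE_BITS[curve.decode()]
        family = "ECDSA"
    else:
        raise ValueError(f"unsupported key type {key_type}")
    # Same value `ssh-keygen -lf` prints: what an operator compares by hand.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"algorithm": family, "bits": bits, "fingerprint": "SHA256:" + digest}


def check_against_policy(key_info):
    """Compare a parsed key with the policy minimum; returns (compliant, reason)."""
    minimum = POLICY_MINIMUM_BITS[key_info["algorithm"]]
    compliant = key_info["bits"] >= minimum
    verdict = "meets" if compliant else "is below"
    return compliant, (f"{key_info['algorithm']} {key_info['bits']}-bit {verdict} "
                       f"the policy minimum of {minimum} bits")


# --- constructed sample keys (encoder exists only to build test input) --------
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    # one extra byte so a set high bit still decodes as a positive number
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def make_sample_rsa_line(modulus_bits):
    """Constructed key line: the modulus is NOT a real RSA modulus, only a number
    of the requested size, enough to exercise the parser and the policy check."""
    fake_modulus = (1 << (modulus_bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(fake_modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


def make_sample_ecdsa_line(curve="nistp256"):
    """Constructed key line; the point bytes are filler, not a real curve point."""
    point = b"\x04" + b"\x11" * (2 * ((CURVE_BITS[curve] + 7) // 8))
    blob = (_ssh_string(b"ecdsa-sha2-" + curve.encode())
            + _ssh_string(curve.encode()) + _ssh_string(point))
    return f"ecdsa-sha2-{curve} " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for sample in (make_sample_rsa_line(2048), make_sample_rsa_line(1024),
                   make_sample_ecdsa_line()):
        info = parse_openssh_public_key(sample)
        print(info["fingerprint"], check_against_policy(info)[1])
```

The fingerprint is computed over the whole key blob, so any change to the key type, curve name or key material changes it; that is what makes comparing it against a value received through a separate, trusted channel a meaningful authentication step before the key is used.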

Key Generation

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

National Institute of Standards and Technology (NIST) publication FIPS 140-2, NIST Policy on Hash Functions

Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at: https://www.sans.org/security-resources/glossary-of-terms/

Proprietary Encryption

End User Encryption Key Protection Policy

Overview

Encryption key management, if not done properly, can lead to compromise and disclosure of the private keys used to secure sensitive data and hence to compromise of the data. While users may understand that it is important to encrypt certain documents and electronic communications, they may not be familiar with the minimum standards for protecting encryption keys.

Purpose

This policy outlines the requirements for protecting encryption keys that are under the control of end users. These requirements are designed to prevent unauthorized disclosure and subsequent fraudulent use. The protection methods outlined will include operational and technical controls, such as key backup procedures, encryption under a separate key and use of tamper-resistant hardware.

Scope

This policy applies to any encryption keys listed below and to the person responsible for any encryption key listed below. The encryption keys covered by this policy are:

The public keys contained in digital certificates are specifically exempted from this policy.

Policy

All encryption keys covered by this policy must be protected to prevent their unauthorized disclosure and subsequent fraudulent use. Any user accessing or using encryption keys will need approval from 2 company officers ahead of time and will be vetted for knowledge of accepted industry standard encryption key handling protocols prior to implementation and use.

Secret Key Encryption Keys

Keys used for secret key encryption, also called symmetric cryptography, must be protected as they are distributed to all parties that will use them. During distribution, the symmetric encryption keys must be encrypted using a stronger algorithm with a key of the longest key length for that algorithm authorized in Northeast Data’s Encryption Policy. If the keys are for the strongest algorithm, then the key must be split, each portion of the key encrypted with a different key that is the longest key length authorized and each encrypted portion is transmitted using different transmission mechanisms. The goal is to provide more stringent protection to the key than the data that is encrypted with that encryption key.

Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution of that key.

Public Key Encryption Keys

Public key cryptography, or asymmetric cryptography, uses public-private key pairs. The public key is passed to the certificate authority to be included in the digital certificate issued to the end user. The digital certificate is available to everyone once it is issued. The private key should only be available to the end user to whom the corresponding digital certificate is issued.

Northeast Data’s Public Key Infrastructure (PKI) Keys

The public-private key pairs used by Northeast Data's public key infrastructure (PKI) are generated on the tamper-resistant smart card issued to an individual end user. The private key associated with an end user's identity certificate, which is only used for digital signatures, will never leave the smart card. This prevents the Information Security Team from escrowing any private keys associated with identity certificates. The private key associated with any encryption certificate, which is used to encrypt email and other documents, must be escrowed in compliance with Northeast Data policies.

Access to the private keys stored on a Northeast Data issued smart card will be protected by a personal identification number (PIN) known only to the individual to whom the smart card is issued. The smart card software will be configured to require entering the PIN prior to any private key contained on the smart card being accessed.

Other Public Key Encryption Keys

Other types of keys may be generated in software on the end user's computer and can be stored as files on the hard drive or on a hardware token. If the public-private key pair is generated on a smart card, the requirements for protecting the private keys are the same as those for private keys associated with Northeast Data's PKI. If the keys are generated in software, the end user is required to create at least one backup of these keys and store any backup copies securely. The user is also required to create an escrow copy of any private keys used for encrypting data and deliver the escrow copy to the local Information Security representative for secure storage.

The Information Security Team shall not escrow any private keys associated with identity certificates. All backups, including escrow copies, shall be protected with a password or passphrase that is compliant with Northeast Data’s Password Policy. Information Security representatives will store and protect the escrowed keys as described in the Northeast Data Certificate Practice Statement Policy.

Commercial or Outside Organization Public Key Infrastructure (PKI) Keys

In working with business partners, the relationship may require the end users to use public-private key pairs that are generated in software on the end user’s computer. In these cases, the public-private key pairs are stored in files on the hard drive of the end user. The private keys are only protected by the strength of the password or passphrase chosen by the end user.

For example, when an end user requests a digital certificate from a commercial PKI, such as VeriSign or Thawte, the end user’s web browser will generate the key pair and submit the public key as part of the certificate request to the CA. The private key remains in the browser’s certificate store where the only protection is the password on the browser’s certificate store. A web browser storing private keys will be configured to require the user to enter the certificate store password anytime a private key is accessed.

PGP Key Pairs

If the business partner requires the use of PGP, the public-private key pairs can be stored in the user's key ring files on the computer hard drive or on a hardware token, for example, a USB drive or a smart card. Since the only protection of the private keys is the passphrase on the secret key ring, it is preferable that the public-private keys are stored on a hardware token. PGP will be configured to require entering the passphrase for every use of the private keys in the secret key ring.

Hardware Token Storage

Hardware tokens storing encryption keys will be treated as sensitive company equipment, as described in Northeast Data’s Physical Security policy, when outside company offices. In addition, all hardware tokens, smartcards, USB tokens, etc., will not be stored or left connected to any end user’s computer when not in use. For end users traveling with hardware tokens, they will not be stored or carried in the same container or bag as any computer.

Personal Identification Numbers (PINs), Passwords and Passphrases

All PINs, passwords or passphrases used to protect encryption keys must meet complexity and length requirements described in Northeast Data’s Password Policy.

Loss and Theft

The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately to The Information Security Team. Information Security personnel will direct the end user in any actions that will be required regarding revocation of certificates or public-private key pairs.

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security Team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at: https://www.sans.org/security-resources/glossary-of-terms/

Information Logging Standard

Overview

Logging from critical systems, applications and services can provide key information and potential indicators of compromise. Although logging information may not be viewed on a daily basis, it is critical to have from a forensics standpoint.

Purpose

This document attempts to address this issue by identifying specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with an enterprise's log management function.

The intention is that this language can easily be adapted for use in enterprise IT security policies and standards, and also in enterprise procurement standards and RFP templates. In this way, organizations can ensure that new IT systems, whether developed in-house or procured, support necessary audit logging and log management functions.

Scope

This policy applies to all production systems on Northeast Data’s and our clientele’s Network.

Standard

General Requirements

All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit-logging information sufficient to answer the following questions:

Activities to be Logged

Therefore, logs shall be created whenever any of the following activities are requested to be performed by the system:

Elements of the Log

Such logs shall identify or contain at least the following elements, directly or indirectly. In this context, the term “indirectly” means unambiguously inferred.

Formatting and Storage

The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. Note that the construction of an actual enterprise-level log management mechanism is outside the scope of this document. Mechanisms known to support these goals include but are not limited to the following:
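As an added example, not part of the original standard: one way a system can format audit records so that their integrity can be checked by the enterprise log management function. Each record is a structured JSON object carrying a sequence number and the authenticator of the previous record, and the whole record is covered by an HMAC under a key held by log management. The field names in the sample events, the key, and the events themselves are constructed for this example and are assumptions, not the elements this standard lists.

```python
import hashlib
import hmac
import json

# Key held by the log management function, not by the system producing the log
# (assumption for this example; a deployment would keep it in a protected key store).
LOG_MAC_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = "0" * 64  # "previous MAC" value for the first record


def _canonical(record):
    """Deterministic encoding so the MAC covers every field the same way each time."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, key, event):
    """Append one audit event. Each record carries its sequence number and the MAC
    of the previous record, so edits, reordering or deletion break the chain."""
    previous = chain[-1]["mac"] if chain else GENESIS
    body = dict(event, seq=len(chain), prev=previous)
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    chain.append(dict(body, mac=mac))
    return chain


def verify_chain(chain, key):
    """Return (True, n) if all n records verify, else (False, index_of_first_bad)."""
    previous = GENESIS
    for index, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("seq") != index or body.get("prev") != previous:
            return False, index
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record.get("mac", "")):
            return False, index
        previous = record["mac"]
    return True, len(chain)


def build_sample_chain(key):
    """Constructed events; the field names are assumptions made for this example."""
    events = [
        {"ts": "2024-01-15T09:12:03Z", "actor": "jdoe", "src": "10.0.5.21",
         "action": "login", "target": "vpn-gateway", "outcome": "success"},
        {"ts": "2024-01-15T09:14:41Z", "actor": "jdoe", "src": "10.0.5.21",
         "action": "read", "target": "/finance/q4.xlsx", "outcome": "denied"},
        {"ts": "2024-01-15T09:15:02Z", "actor": "svc-backup", "src": "10.0.9.4",
         "action": "export", "target": "hr-db", "outcome": "success"},
    ]
    chain = []
    for event in events:
        append_record(chain, key, event)
    return chain


def tampered_outcome(key):
    """A denied access is rewritten as a success after the fact; verification
    must point at that record."""
    chain = build_sample_chain(key)
    chain[1]["outcome"] = "success"
    return verify_chain(chain, key)


def dropped_record(key):
    """A middle record is removed; the sequence/previous-MAC link exposes it."""
    chain = build_sample_chain(key)
    del chain[1]
    return verify_chain(chain, key)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain(LOG_MAC_KEY), LOG_MAC_KEY))
    print("edited:", tampered_outcome(LOG_MAC_KEY))
    print("dropped:", dropped_record(LOG_MAC_KEY))
```

One caveat the chain alone does not cover: removing records from the end leaves a shorter but still valid chain. Forwarding the latest MAC (or the record count) to the log management function at regular intervals gives it an external anchor against which truncation can be detected.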

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

Definitions and Terms

None.

Use Policy

Information Security’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Northeast Data’s established culture of openness, trust, and integrity. Information Security is committed to protecting Northeast Data's employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Northeast Data. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers during normal operations. Please review Human Resources policies for further details.

Effective security is a team effort involving the participation and support of every Northeast Data employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at Northeast Data. These rules are in place to protect the employee and Northeast Data. Inappropriate use exposes Northeast Data and our clients to risks including virus attacks, compromise of network systems and services, and legal issues.

Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct Northeast Data business or interact with internal networks and business systems, whether owned or leased by Northeast Data, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at Northeast Data and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Northeast Data policies and standards, and local laws and regulation. Exceptions to this policy are documented below:

This policy applies to employees, contractors, consultants, temporaries, and other workers at Northeast Data, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Northeast Data.

General Use and Ownership Policy

Northeast Data and clientele proprietary information stored on electronic and computing devices whether owned or leased by Northeast Data or our clientele, the employee or a third party, remains the sole property of Northeast Data and our clientele. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.

You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of Northeast Data proprietary information.

You may access, use, or share Northeast Data proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.

For security and network maintenance purposes, authorized individuals within Northeast Data may monitor equipment, systems, and network traffic at any time, per Information Security's Audit Policy.

Northeast Data reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Security and Proprietary Information

All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy.

System level and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.

All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.

Postings by employees from a Northeast Data or clientele email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Northeast Data, unless the posting is made during business duties.

Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.

Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee of Northeast Data authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Northeast Data owned resources.

The lists below are by no means exhaustive but attempt to provide a framework for activities which fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

Email and Communication Activities

When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the IT Department:

Blogging and Social Media

Blogging by employees, whether using Northeast Data’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of Northeast Data’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate Northeast Data’s policy, is not detrimental to Northeast Data’s best interests, and does not interfere with an employee's regular work duties. Blogging from Northeast Data’s systems is also subject to monitoring.

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at: https://www.sans.org/security-resources/glossary-of-terms/

Bluetooth Baseline Requirements Policy

Overview

Bluetooth enabled devices are exploding on the Internet at an astonishing rate. The range of connectivity has also increased substantially. Insecure Bluetooth connections can introduce a number of potentially serious security issues. Hence, there is a need for a minimum standard for connecting Bluetooth enabled devices.

Purpose

The purpose of this policy is to provide a minimum baseline standard for connecting Bluetooth enabled devices to the Northeast Data network or Northeast Data owned devices. The intent of the minimum standard is to ensure sufficient protection of Personally Identifiable Information (PII) and confidential Northeast Data data.

Scope

This policy applies to any Bluetooth enabled device that is connected to the Northeast Data network or Northeast Data owned devices.

Policy

Version

No Bluetooth device shall be deployed on Northeast Data equipment that does not meet a minimum of the Bluetooth v2.1 specification without written authorization from the Information Security Team. Any Bluetooth equipment purchased prior to this policy must comply with all parts of this policy except the Bluetooth version specifications.

PINs and Pairing

When pairing your Bluetooth unit to your Bluetooth enabled equipment (i.e. phone, laptop, etc.), ensure that you are not in a public area where your PIN can be compromised.

If your Bluetooth enabled equipment asks you to enter your PIN after you have initially paired it, you must refuse the pairing request and report it to Information Security, through your Help Desk, immediately.

Device Security Settings

Security Audits

The Information Security Team may perform random audits to ensure compliance with this policy. In the process of performing such audits, Information Security Team members shall not eavesdrop on any phone conversation.

Unauthorized Use

The following is a list of unauthorized uses of Northeast Data-owned Bluetooth devices:

User Responsibilities

Policy Compliance

Compliance Management

The Information Security Team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security Team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

Definitions and Terms

None.

Clean Desk Policy

Overview

A clean desk policy can be an important tool to ensure that all sensitive/confidential materials are removed from an end user workspace and locked away when the items are not in use or an employee leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. Such a policy can also increase employees' awareness about protecting sensitive information.

Purpose

The purpose of this policy is to establish the minimum requirements for maintaining a "clean desk", where sensitive/critical information about our employees, our intellectual property, our customers, and our vendors is secure in locked areas and out of sight. A clean desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy controls.

Scope

This policy applies to all Northeast Data employees and clientele.

Policy

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

Definitions and Terms

None.

Data Breach Response Policy

Purpose

The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards, and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

Northeast Data Information Security's intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how Northeast Data's established culture of openness, trust and integrity should respond to such activity. Northeast Data Information Security is committed to protecting Northeast Data's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Background

This policy mandates that any individual who suspects that a theft, breach, or exposure of Northeast Data Protected data or Northeast Data Sensitive data has occurred must immediately provide a description of what occurred via e-mail to nedatainfo@northeastdata.com or by calling 570-996-6666. This e-mail address and phone number are monitored by Northeast Data's Information Security Administrator. This team will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach, or exposure has occurred. If a theft, breach, or exposure has occurred, the Information Security Administrator will follow the appropriate procedure in place.

Scope

This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information or Protected Health Information (PHI) of Northeast Data members. Any agreements with vendors will contain similar language that protects the fund.

Policy

Confirmed theft, data breach or exposure of Northeast Data Protected data or Northeast Data Sensitive data.

As soon as a theft, data breach or exposure containing Northeast Data Protected data or Northeast Data Sensitive data is identified, the process of removing all access to that resource will begin.

The Owner will chair an incident response team to handle the breach or exposure.

The team will include members from:

Confirmed theft, breach, or exposure of Northeast Data.

The Owner will be notified of the theft, breach, or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.

Work with Forensic Investigators

As provided by Northeast Data cyber insurance, the insurer will need to provide access to forensic investigators and experts that will determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause.

Develop a communication plan.

Work with Northeast Data communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.

Ownership and Responsibilities

Roles & Responsibilities:

Enforcement

Any Northeast Data personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have their network connection terminated.

Definitions

Encryption or encrypted data - The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.

Plain text – Unencrypted data.

Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).

Protected Health Information (PHI) - Under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity) and can be linked to a specific individual.

Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered.

Protected data - See PII and PHI

Information Resource - The data and information assets of an organization, department, or unit.

Safeguards - Countermeasures, controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.

Sensitive data - Data that is encrypted or in plain text and contains PII or PHI data. See PII and PHI above.

Database Credentials Coding Policy

Overview

Database authentication credentials are a necessary part of authorizing applications to connect to internal databases. However, incorrect use, storage and transmission of such credentials could lead to compromise of very sensitive assets and be a springboard to wider compromise within the organization.

Purpose

This policy states the requirements for securely storing and retrieving database usernames and passwords (i.e., database credentials) for use by a program that will access a database running on one of Northeast Data's and clientele networks.

Software applications running on Northeast Data's and clientele networks may require access to one of the many internal database servers. To access these databases, a program must authenticate to the database by presenting acceptable credentials. If the credentials are improperly stored, the credentials may be compromised leading to a compromise of the database.

Scope

This policy is directed at all system implementers and/or software engineers who may be coding applications that will access a production database server on the Northeast Data or clientele network. This policy applies to all software (programs, modules, libraries or APIs) that will access a Northeast Data or clientele multi-user production database. It is recommended that similar requirements be in place for non-production servers and lab environments, since they don't always use sanitized information.

Policy

General

To maintain the security of Northeast Data’s and clientele internal databases, access by software programs must be granted only after authentication with credentials. The credentials used for this authentication must not reside in the main, executing body of the program's source code in clear text. Database credentials must not be stored in a location that can be accessed through a web server.
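The two storage rules in the paragraph above (no clear-text credentials in the program's source, no credential store reachable through a web server), turned into checks that a code reviewer or CI job can run. This is an added example, not Northeast Data's own code; the regexes, the file layout, the variable names and the sample source are constructed for illustration.

```python
"""Compliance checks for the Database Credentials Coding Policy.

Added example, not Northeast Data's own code. It turns two policy rules into
repeatable checks: (1) database credentials must not appear in clear text in
program source, and (2) the credential store must not be reachable through a
web server, modelled here as "outside the web root and readable only by the
owning service account". Paths, names and sample source are constructed.
"""
import re
import stat
import tempfile
from pathlib import Path

# A string literal assigned to a variable whose name suggests a database
# secret (DB_PASSWORD = "...", passwd: '...'), or a connection URL that
# embeds user:password@host.
_ASSIGNMENT = re.compile(
    r"\b(?:db_?)?(?:password|passwd|pwd|secret)\s*[=:]\s*[\"'][^\"']+[\"']",
    re.IGNORECASE,
)
_CONN_URL = re.compile(
    r"\b(?:postgres(?:ql)?|mysql|mssql|oracle|mongodb)://[^:\s/]+:[^@\s]+@",
    re.IGNORECASE,
)

# Constructed sample source: what a non-compliant program might look like.
SAMPLE_SOURCE = '''\
import psycopg2
# connection details (password is in the clear: policy violation)
DB_USER = "app_ro"
DB_PASSWORD = "hunter2"
DSN = "postgresql://app_ro:hunter2@db.internal/orders"
# the note below is a comment and must not be flagged
# password rotation is handled by the identity team
conn = psycopg2.connect(DSN)
'''


def find_cleartext_credentials(source: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every source line carrying a clear-text
    database credential. Comment-only lines are skipped so that a remark
    mentioning 'password' does not produce a finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if _ASSIGNMENT.search(line) or _CONN_URL.search(line):
            findings.append((lineno, stripped))
    return findings


def credential_store_problems(cred_path: Path, web_root: Path) -> list[str]:
    """Return the storage-rule violations for a credential file (empty list
    means compliant): it must not sit under the web root, and it must not be
    readable or writable by anyone other than its owner."""
    problems = []
    cred = cred_path.resolve()
    root = web_root.resolve()
    if cred == root or root in cred.parents:
        problems.append(f"{cred} is inside web root {root}")
    mode = cred.stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{cred} is group/world accessible (mode {oct(mode & 0o777)})")
    return problems


def load_credentials(cred_path: Path, web_root: Path) -> dict[str, str]:
    """Load KEY=VALUE credentials, refusing any store that fails the checks."""
    problems = credential_store_problems(cred_path, web_root)
    if problems:
        raise PermissionError("; ".join(problems))
    creds = {}
    for line in cred_path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        creds[key.strip()] = value.strip()
    return creds


def demo() -> dict:
    """Build a throwaway layout with one credential file wrongly placed under
    the web root with permissive mode and one compliant file outside it, run
    all checks, and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        web_root = base / "var" / "www" / "html"
        web_root.mkdir(parents=True)
        bad = web_root / "db.conf"
        bad.write_text("DB_USER=app_ro\nDB_PASSWORD=hunter2\n")
        bad.chmod(0o644)  # world-readable: a second violation
        good = base / "etc" / "app" / "db.conf"
        good.parent.mkdir(parents=True)
        good.write_text("DB_USER=app_ro\nDB_PASSWORD=hunter2\n")
        good.chmod(0o600)  # owner-only
        return {
            "source_findings": [n for n, _ in find_cleartext_credentials(SAMPLE_SOURCE)],
            "bad_problems": len(credential_store_problems(bad, web_root)),
            "good_problems": len(credential_store_problems(good, web_root)),
            "loaded_user": load_credentials(good, web_root)["DB_USER"],
        }
```

Running `demo()` flags source lines 4 and 5 of the sample, reports two problems for the file under the web root and none for the owner-only file outside it.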

Specific Requirements

Storage of Data Base Usernames and Passwords

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with Northeast Data and/or clientele.

Any program code or application that is found to violate this policy must be remediated within a 90-day period.

Related Standards, Policies and Processes

Definitions and Terms

Digital Signature Acceptance Policy

Overview

See Purpose.

Purpose

The purpose of this policy is to provide guidance on when digital signatures are considered an accepted means of validating the identity of a signer in Northeast Data electronic documents and correspondence, and thus a substitute for traditional "wet" signatures, within the organization. Because communication has become primarily electronic, the goal is to reduce confusion about when a digital signature is trusted.

Scope

This policy applies to all Northeast Data employees and affiliates.

This policy applies to all Northeast Data employees, contractors, and other agents conducting Northeast Data business with a Northeast Data-provided digital key pair. This policy applies only to intra-organization digitally signed documents and correspondence, and not to electronic materials sent to or received from persons or organizations not affiliated with Northeast Data.

Policy

A digital signature is an acceptable substitute for a wet signature on any intra-organization document or correspondence.

The CFO’s office will maintain an organization-wide list of the types of documents and correspondence that are not covered by this policy.

Digital signatures must apply to individuals only. Digital signatures for roles, positions, or titles (e.g. the CFO) are not considered valid.

Responsibilities

Digital signature acceptance requires specific action on both the part of the employee signing the document or correspondence (hereafter the signer), and the employee receiving/reading the document or correspondence (hereafter the recipient).

Signer Responsibilities

Signers must obtain a signing key pair from the Northeast Data identity management group. This key pair will be generated using Northeast Data's Public Key Infrastructure (PKI), and the public key will be signed by Northeast Data's Certificate Authority (CA).

Signers must sign documents and correspondence using software approved by the Northeast Data IT organization.

Signers must protect their private key and keep it secret.

If a signer believes that the signer’s private key was stolen or otherwise compromised, the signer must contact Northeast Data Identity Management Group immediately to have the signer’s digital key pair revoked.

Recipient Responsibilities

Recipients must read documents and correspondence using software approved by the Northeast Data IT department.

Recipients must verify that the signer's public key was signed by Northeast Data's Certificate Authority (CA) by viewing the details of the signing certificate in the software they use to read the document or correspondence.

If the signer’s digital signature does not appear valid, the recipient must not trust the source of the document or correspondence.

If a recipient believes that a digital signature has been abused, the recipient must report the concern to the Northeast Data Identity Management Group.

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

References

Note that these references were used only as guidance in the creation of this policy template. We highly recommend that you consult with your organization’s legal counsel, since there may be federal, state, or local regulations to which you must comply. Any other PKI-related policies your organization has may also be cited here.

American Bar Association (ABA) Digital Signature Guidelines http://www.abanet.org/scitech/ec/isc/dsgfree.html

Minnesota State Agency Digital Signature Implementation and Use http://mn.gov/oet/policies-and-standards/business/policy-pages/standard_digital_signature.jsp

Minnesota Electronic Authentication Act https://www.revisor.leg.state.mn.us/statutes/?id=325K&view=chapter -stat.325K.001

City of Albuquerque E-Mail Encryption / Digital Signature Policy http://mesa.cabq.gov/policy.nsf/WebApprovedX/4D4D4667D0A7953A87256E7B004F6720?OpenDocument

West Virginia Code §39A-3-2: Acceptance of electronic signature by governmental entities in satisfaction of signature requirement. http://law.justia.com/westvirginia/codes/39a/wvc39a-3-2.html

Definitions and Terms

None.

Password Construction Guidelines

Overview

Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the network. This guideline provides best practices for creating secure passwords.

Purpose

The purpose of this guideline is to provide best practices for the creation of strong passwords.

Scope

This guideline applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

Statement of Guidelines

Strong passwords are long: the more characters a password has, the stronger it is. We recommend a minimum of 14 characters in your password. In addition, we highly encourage the use of passphrases, passwords made up of multiple words. Examples include "It's time for vacation" or "block-curious-sunny-leaves". Passphrases are easy to remember and type, yet meet the strength requirements. Additional examples of strong passwords can be produced with a configurable random password generator such as the one found at LastPass. Poor, or weak, passwords have the following characteristics:

In addition, every work account should have a different, unique password. To enable users to maintain multiple passwords, we highly encourage the use of ‘password manager’ software that is authorized and provided by the organization. Whenever possible, also enable the use of multi-factor authentication.

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thru, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

Definitions and Terms

None.

Password Protection Policy

Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of our resources. All staff, including contractors and vendors with access to Northeast Data and clientele systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

The purpose of this policy is to establish a standard for creation of strong passwords and the protection of those passwords.

Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Northeast Data facility, has access to the Northeast Data and clientele network, or stores any non-public Northeast Data information.

Policy

Password Creation

Password Change

Password Protection

Application Development

Multi-Factor Authentication

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thru, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security Team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Password Construction Guidelines

Remote Access Policy

Overview

Remote access to Northeast Data's network is essential to maintain our Team's productivity, but in many cases this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of Northeast Data's policy, we must mitigate these external risks to the best of our ability.

Purpose

The purpose of this policy is to define rules and requirements for connecting to Northeast Data's network from any host. These rules and requirements are designed to minimize the potential exposure to Northeast Data from damages which may result from unauthorized use of Northeast Data resources. Damages include the loss of sensitive or company confidential data and intellectual property, damage to public image, damage to critical Northeast Data internal systems, and fines or other financial liabilities incurred as a result of those losses.

Scope

This policy applies to all Northeast Data employees, contractors, vendors and agents with a Northeast Data-owned or personally owned computer or workstation used to connect to the Northeast Data network. This policy applies to remote access connections used to do work on behalf of Northeast Data, including reading or sending email and viewing intranet web resources. This policy covers all technical implementations of remote access used to connect to Northeast Data networks.

Policy

It is the responsibility of Northeast Data employees, contractors, vendors, and agents with remote access privileges to Northeast Data's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to Northeast Data.

General access to the Internet for recreational use through the Northeast Data network is strictly limited to Northeast Data employees, contractors, vendors, and agents (hereafter referred to as "Authorized Users"). When accessing the Northeast Data network from a personal computer, Authorized Users are responsible for preventing access to any Northeast Data computer resources or data by non-Authorized Users. Performance of illegal activities through the Northeast Data network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User's access. For further information and definitions, see the Use Policy.

Authorized Users will not use Northeast Data networks to access the Internet for outside business interests.

For additional information regarding Northeast Data's remote access connection options, including how to obtain a remote access login, free anti-virus software, troubleshooting, etc., go to the Remote Access Services website (www.northeastdata.com).

Requirements

Policy Compliance

Compliance Measurement

The Information Security Team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thru, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager.

Exceptions

Any exception to the policy must be approved by Remote Access Services and the Information Security Team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Please review the following policies for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of Northeast Data’s network:

Remote Access Tools Policy

Overview

Remote desktop software, also known as remote access tools, provides a way for computer users and support staff alike to share screens, access work computer systems from home, and vice versa. Examples of such software include LogMeIn, GoToMyPC, VNC (Virtual Network Computing), and Windows Remote Desktop (RDP). While these tools can save significant time and money by eliminating travel and enabling collaboration, they also provide a back door into the Northeast Data network that can be used for theft of, unauthorized access to, or destruction of assets. As a result, only approved, monitored, and properly controlled remote access tools may be used on Northeast Data computer systems.

Purpose

This policy defines the requirements for remote access tools used at Northeast Data.

Scope

This policy applies to all remote access where either end of the communication terminates at a Northeast Data computer asset.

Policy

All remote access tools used to communicate between Northeast Data assets and other systems must comply with the following policy requirements.

Remote Access Tools

Northeast Data provides mechanisms to collaborate between internal users, with external partners, and from non-Northeast Data systems. The approved software list can be obtained from SoftwareDeployment - Home (sharepoint.com). Because proper configuration is important for secure use of these tools, mandatory configuration procedures are provided for each of the approved tools.

The approved software list may change at any time, but the following requirements will be used for selecting approved products:

All remote access tools must be purchased through the standard Northeast Data procurement process, and the information technology group must approve the purchase.

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thru, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security Team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at: https://www.sans.org/security-resources/glossary-of-terms/

Application layer proxy

Ethics Policy

Overview

Northeast Data is committed to protecting employees, partners, vendors, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. When Northeast Data addresses issues proactively and uses correct judgment, it will help set us apart from competitors.

Northeast Data will not tolerate any wrongdoing or impropriety at any time. Northeast Data will take the appropriate measures and act quickly to correct the issue if the ethical code is broken.

Purpose

The purpose of this policy is to establish a culture of openness and trust, and to emphasize the expectation of employees and consumers to be treated with fair business practices. This policy will serve to guide business behavior to ensure ethical conduct. Effective ethics is a team effort involving the participation and support of every Northeast Data employee. All employees should familiarize themselves with the ethics guidelines that follow this introduction.

Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at Northeast Data, including all personnel affiliated with third parties.

Policy

Executive Commitment to Ethics

Employee Commitment to Ethics

Northeast Data employees will treat everyone fairly, have mutual respect, promote a team environment, and avoid the intent and appearance of unethical or compromising practices.

Every employee needs to apply effort and intelligence in maintaining ethical values.

Employees must disclose any conflicts of interest regarding their position within Northeast Data.

Employees will help Northeast Data to increase customer and vendor satisfaction by providing quality products and timely responses to inquiries.

Employees should ask themselves the following questions when any behavior is questionable:

Company Awareness

Maintaining Ethical Practices

Unethical Behavior

Policy Compliance

Compliance Measurement

The Northeast Data appointed resource team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback.

Exceptions

None.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

Definitions and Terms

None.

Email Policy

Overview

Email is pervasively used in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic communications.

Purpose

The purpose of this email policy is to ensure the proper use of the Northeast Data email system and make users aware of what Northeast Data deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the Northeast Data Network.

Scope

This policy covers appropriate use of any email sent from a Northeast Data email address and applies to all employees, vendors, and agents operating on behalf of Northeast Data.

Policy

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thru, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Data Protection Standard

Definitions and Terms

None.

Security Response Plan Policy

Overview

A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (a security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLAs), severity and impact classification, and mitigation/remediation timelines. Requiring business units to incorporate an SRP as part of their business continuity operations, and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensue.

Purpose

The purpose of this policy is to establish the requirement that all business units supported by the Information Security team develop and maintain a security response plan. This ensures that the security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.

Scope

This policy applies to any established and defined business unit or entity within Northeast Data.

Policy

The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for whom the SRP is being developed, in cooperation with the Information Security Team. Business units are expected to properly facilitate the SRP applicable to the services or products for which they are held accountable. The business unit security coordinator is further expected to work with the Network Manager in the development and maintenance of a Security Response Plan.

Service or Product Description

The product description in an SRP must clearly define the service or application to be deployed; data flows, logical diagrams, and architecture descriptions are considered highly useful additions.

Contact Information

The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to customers. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).

Triage

The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.

Identified Mitigations and Testing

The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.

Mitigation and Remediation Timelines

The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability.

Policy Compliance

Compliance Measurement

Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.

Exceptions

Any exception to this policy must be approved by the Information Security Team in advance and have a written record.

Non-Compliance

Any business unit found to have violated this policy (no SRP developed prior to service or product deployment) may be subject to delays in service or product release until such time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP.

Related Standards, Policies and Processes

None.

Definitions and Terms

None.

Server Security Policy

Overview

Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent server installation policies, ownership and configuration management are all about doing the basics well.

Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Northeast Data. Effective implementation of this policy will minimize unauthorized access to Northeast Data proprietary information and technology.

Scope

All employees, contractors, consultants, temporary and other workers at Northeast Data and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by Northeast Data or registered under a Northeast Data-owned internal network domain.

This policy specifies requirements for equipment on the internal Northeast Data network. For secure configuration of equipment external to Northeast Data, see the Internet Equipment Policy.

Policy

General Requirements

All internal servers deployed at Northeast Data must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by Information Security. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by Information Security.

The following items must be met:

For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.

Configuration Requirements

Monitoring

All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

Security-related events will be reported to Information Security, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thru, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Definitions and Terms

None.

Software Installation Policy

Overview

Allowing employees to install software on company computing devices opens the organization up to unnecessary exposure. Conflicting file versions or DLLs which can prevent programs from running, the introduction of malware from infected installation software, unlicensed software which could be discovered during audit, and programs which can be used to hack the organization’s network are examples of the problems that can be introduced when employees install software on company equipment.

Purpose

The purpose of this policy is to outline the requirements around installing software on Northeast Data computing devices, in order to minimize the risk of loss of program functionality, the exposure of sensitive information contained within Northeast Data's computing network, the risk of introducing malware, and the legal exposure of running unlicensed software.

Scope

This policy applies to all Northeast Data employees, contractors, vendors and agents with Northeast Data-owned mobile devices. This policy covers all computers, servers, smartphones, tablets, and other computing devices operating within Northeast Data.

Policy

Employees may not install software on Northeast Data's computing devices operated within the Northeast Data network.

Software requests must first be approved by the requester’s manager and then be made to the Information Technology department or Help Desk in writing or via email.

Software must be selected from an approved software list, maintained by the Information Technology department, unless no selection on the list meets the requester’s need.

The Information Technology Department will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thru, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

Definitions and Terms

None.

Technology Equipment Disposal Policy

Overview

Technology equipment often contains parts which cannot simply be thrown away. Proper disposal of equipment is both environmentally responsible and often required by law. In addition, hard drives, USB drives, CD-ROMs and other storage media contain various kinds of Northeast Data information, some of which is considered sensitive. To protect our clientele's data, all storage media must be properly erased before being disposed of. However, simply deleting or even formatting data is not considered sufficient. When deleting files or formatting a device, data is marked for deletion but remains accessible until it is overwritten by a new file. Therefore, special tools must be used to securely erase data prior to equipment disposal.

Purpose

The purpose of this policy is to define the guidelines for the disposal of technology equipment and components owned by Northeast Data.

Scope

This policy applies to any computer/technology equipment or peripheral devices that are no longer needed within Northeast Data including, but not limited to, the following: personal computers, servers, hard drives, laptops, mainframes, smart phones or handheld computers (e.g., Windows Mobile, iOS or Android-based devices), peripherals (e.g., keyboards, mice, speakers), printers, scanners, typewriters, compact and floppy discs, portable storage devices (e.g., USB drives), backup tapes, and printed materials.

All Northeast Data employees and affiliates must comply with this policy.

Policy

Technology Equipment Disposal

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security Team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

None.

Definitions and Terms

None.

Web Application Security Policy

Overview

Web application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that any web application be assessed for vulnerabilities and any vulnerabilities be remediated prior to production deployment.

Purpose

The purpose of this policy is to define web application security assessments within Northeast Data. Web application assessments are performed to identify potential or realized weaknesses resulting from inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of Northeast Data services available both internally and externally, as well as satisfy compliance with any relevant policies in place.

Scope

This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at Northeast Data.

All web application security assessments will be performed by delegated security personnel either employed or contracted by Northeast Data. All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of Northeast Data is strictly prohibited unless approved by the Information Officer.

Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.

Policy

Web applications are subject to security assessments based on the following criteria:

All security issues that are discovered during assessments must be mitigated based upon the following risk levels. The Risk Levels are based on the OWASP Risk Rating Methodology. Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.
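The OWASP Risk Rating Methodology referenced above scores eight likelihood factors and eight impact factors from 0 to 9, averages each set, buckets each average into Low (below 3), Medium (3 to below 6) or High (6 and above), and combines the two buckets in a matrix to give an overall severity of Note, Low, Medium, High or Critical. The Python below is an added illustration of that calculation; it is not part of the Northeast Data policy or of OWASP's own tooling. The factor names follow the OWASP methodology, the sample finding and its scores are constructed, and `requires_validation` encodes this policy's rule that findings of Medium risk or greater need remediation validation testing.

```python
"""Worked example of the OWASP Risk Rating Methodology (added illustration)."""

# Likelihood factors, each scored 0-9 (names follow the OWASP methodology).
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",            # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness",
    "intrusion_detection",                                     # vulnerability
)

# Impact factors, each scored 0-9.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",          # technical
    "financial_damage", "reputation_damage",
    "non_compliance", "privacy_violation",                     # business
)

# Overall severity matrix: (likelihood level, impact level) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "NOTE",    ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

# This policy requires remediation validation testing at Medium or above.
VALIDATION_REQUIRED = {"MEDIUM", "HIGH", "CRITICAL"}


def average_score(scores: dict, factors: tuple) -> float:
    """Average the named factors, rejecting missing or out-of-range values."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f} must be in 0..9, got {scores[f]}")
    return sum(scores[f] for f in factors) / len(factors)


def level(score: float) -> str:
    """Bucket an averaged 0-9 score into the OWASP LOW/MEDIUM/HIGH bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood: dict, impact: dict) -> dict:
    """Return the full rating for one finding."""
    l_avg = average_score(likelihood, LIKELIHOOD_FACTORS)
    i_avg = average_score(impact, IMPACT_FACTORS)
    overall = SEVERITY[(level(l_avg), level(i_avg))]
    return {
        "likelihood": l_avg, "likelihood_level": level(l_avg),
        "impact": i_avg, "impact_level": level(i_avg),
        "overall": overall,
        "requires_validation": overall in VALIDATION_REQUIRED,
    }


# Constructed sample finding: a reflected XSS in an internal, authenticated app.
SAMPLE_LIKELIHOOD = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
    "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 4,
    "non_compliance": 2, "privacy_violation": 3,
}


def rate_sample() -> dict:
    """Rating of the constructed sample finding (likelihood 6.5, impact 3.625)."""
    return rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)


if __name__ == "__main__":
    for key, value in rate_sample().items():
        print(f"{key}: {value}")
```

Note that the matrix is deliberately asymmetric at the edges: a High-likelihood, Low-impact finding rates Medium and therefore falls under the validation requirement, while a Low/Low finding is only a Note. Rejecting missing or out-of-range factors matters in practice, because an assessor who leaves a factor blank would otherwise silently lower the average.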

The following security assessment levels shall be established by the Information Security organization or other designated organization that will be performing the assessments.

Other tools and/or techniques may be used depending on what is found in the default assessment; whether further work is needed to establish the validity and risk of a finding is at the discretion of the Security team.

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Web application assessments are a requirement of the change control process and must adhere to this policy unless found to be exempt. All application releases must pass through the change control process. Any web application that does not adhere to this policy may, at the discretion of the Chief Information Officer, be taken offline until a formal assessment can be performed.

Related Standards, Policies and Processes

OWASP Top Ten Project

OWASP Testing Guide

OWASP Risk Rating Methodology

Definitions and Terms

None.

Wireless Communication Policy

Overview

With the explosion of smartphones and tablets, pervasive wireless connectivity is almost a given at any organization. An insecure wireless configuration can provide an easy open door for malicious threat actors.

Purpose

The purpose of this policy is to secure and protect the information assets owned by Northeast Data. Northeast Data provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. Northeast Data grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.

This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to a Northeast Data network. Only those wireless infrastructure devices that meet the standards specified in this policy or are granted an exception by the Information Security Department are approved for connectivity to a Northeast Data network.

Scope

All employees, contractors, consultants, temporary and other workers at Northeast Data, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of Northeast Data, must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to a Northeast Data network or reside on a Northeast Data site and provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This includes any form of wireless communication device capable of transmitting packet data.

Policy

General Requirements

All wireless infrastructure devices that reside at a Northeast Data site and connect to a Northeast Data or customer network, or provide access to information classified as Northeast Data Confidential or above, must:

Isolated Wireless Device Requirements

All wireless infrastructure devices that provide access to Northeast Data Confidential or above, must adhere to the above. Isolated wireless devices that do not provide general network connectivity to the Northeast Data network must:

Home Wireless Device Requirements

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at: https://www.sans.org/security-resources/glossary-of-terms/

MAC Address

Wireless Communication Standard

Overview

See Purpose.

Purpose

This standard specifies the technical requirements that wireless infrastructure devices must satisfy to connect to a Northeast Data network. Only those wireless infrastructure devices that meet the requirements specified in this standard or are granted an exception by the Information Security Team are approved for connectivity to a Northeast Data network.

Network devices, including but not limited to hubs, routers, switches, firewalls, remote access devices, modems, and wireless access points, must be installed, supported, and maintained by an Information Security approved support organization. Network devices must comply with the Security Policy.

Scope

All employees, contractors, consultants, temporary and other workers at Northeast Data and its subsidiaries, including all personnel that maintain a wireless infrastructure device on behalf of Northeast Data, must comply with this standard. This standard applies to wireless devices that make a connection to the network and to all wireless infrastructure devices that provide wireless connectivity to the network.

Information Security must approve exceptions to this standard in advance.

Standard General Requirements

All wireless infrastructure devices that connect to a Northeast Data network or provide access to Northeast Data Confidential, Northeast Data Highly Confidential, or Northeast Data Restricted information must:

Isolated Wireless Device Requirements

Home Wireless Device Requirements

All home wireless infrastructure devices that provide direct access to a Northeast Data network, such as those behind Enterprise Class Teleworker (ECT) or hardware VPN, must adhere to the following:

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance with this standard through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the standard owner.

Exceptions

Any exception to the policy must be approved by the Information Security Team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at: https://www.sans.org/security-resources/glossary-of-terms/

Workstation Security (For HIPAA) Policy

Overview

See Purpose.

Purpose

The purpose of this policy is to provide guidance for workstation security for Northeast Data workstations in order to ensure the security of information on the workstation and information the workstation may have access to. Additionally, the policy provides guidance to ensure the requirements of the HIPAA Security Rule “Workstation Security” Standard 164.310(c) are met.

Scope

This policy applies to all Northeast Data employees, contractors, workforce members, vendors, and agents with a Northeast Data-owned or personal workstation connected to the Northeast Data network.

Policy

Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity, and availability of sensitive information, including protected health information (PHI) and that access to sensitive information is restricted to authorized users.

Appropriate measures include:

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

HIPAA 164.310

http://www.hipaasurvivalguide.com/hipaa-regulations/164-310.php

About HIPAA

http://abouthipaa.com/about-hipaa/hipaa-hitech-resources/hipaa-security-final-rule/164-308a1i-administrative-safeguards-standard-security-management-process-5-3-2-2/

Definitions and Terms

None.

End User Device Encryption

Overview

End user device encryption, if not done properly, can lead to unauthorized access, loss or disclosure of sensitive data. While users may understand the importance of disk encryption, they may not be familiar with modern methods.

Purpose

This policy outlines the encryption requirements for end user devices that are under the control of end users. These requirements are designed to prevent unauthorized disclosure, loss, and/or subsequent fraudulent use of data contained on end user computing devices. The protection methods outlined include operational and technical controls, such as backup procedures and decryption key storage and management.

Scope

This policy applies to any end user computing device and to the person responsible for the device. The encryption keys covered by this policy are:

Policy

Any end user computing device issued by Northeast Data must have BitLocker activated before being deployed. The BitLocker recovery key will be collected and stored at the office in accordance with the key management policies applicable elsewhere in this document. The end user may retain a copy of the BitLocker recovery key; however, that copy must not be stored on the device it decrypts. Any user-retained copy must be stored encrypted on a separate platform, such as inside the encrypted vault of a password manager. Alternative storage options include a secure partition on a USB drive encrypted with VeraCrypt or similarly peer-reviewed encryption software.
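The clause that the recovery key must not be stored on the device it decrypts is the one that is routinely violated in practice, usually by a user pasting the 48-digit recovery password into a notes file. Enabling BitLocker and escrowing the key are done with the platform's own tooling and are not shown here; the Python below is an added illustration of a compliance check for that clause, not Northeast Data's tooling. It scans plain-text files for candidate recovery passwords and validates each candidate with the structural property of BitLocker recovery passwords (each six-digit group is a 16-bit value multiplied by 11, so it is divisible by 11 and below 720896), which screens out invoice numbers and similar digit runs. The set of file types scanned and the sample files are constructed assumptions.

```python
"""Find BitLocker recovery passwords saved in plain text (added illustration)."""
import re
import tempfile
from pathlib import Path

# A BitLocker recovery password is eight groups of six decimal digits joined by
# hyphens; the lookarounds stop a longer digit run from matching part-way.
RECOVERY_KEY_RE = re.compile(r"(?<![\d-])(\d{6}(?:-\d{6}){7})(?![\d-])")

# Each group is a 16-bit value multiplied by 11, so it must be divisible by 11
# and below 65536 * 11 = 720896. Digit runs that fail this are not recovery keys.
MAX_GROUP = 65536 * 11


def is_valid_recovery_password(candidate: str) -> bool:
    """Structural check on one candidate string."""
    groups = candidate.split("-")
    if len(groups) != 8 or not all(len(g) == 6 and g.isdigit() for g in groups):
        return False
    return all(int(g) % 11 == 0 and int(g) < MAX_GROUP for g in groups)


def find_recovery_passwords(text: str) -> list:
    """Return the structurally valid recovery passwords found in text."""
    return [m for m in RECOVERY_KEY_RE.findall(text) if is_valid_recovery_password(m)]


# Assumed set of plain-text file types worth scanning; adjust to the estate.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".log", ".ini", ".json", ".xml"}


def scan_directory(root) -> list:
    """Walk root and return (file name, key) pairs for every key found."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        hits.extend((path.name, key) for key in find_recovery_passwords(text))
    return hits


# Constructed sample data: a structurally valid key, a digit run that merely
# looks like one, and a group equal to 720896 (divisible by 11 but out of range).
VALID_KEY = "135795-000011-720885-000000-045056-550000-000077-344707"
LOOKALIKE = "123456-654321-111111-222222-333333-444444-555555-666666"
OUT_OF_RANGE = "720896-000000-000000-000000-000000-000000-000000-000000"


def demo() -> list:
    """Write the constructed files to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text(f"Laptop recovery key: {VALID_KEY}\n")
        (root / "orders.csv").write_text(f"id,ref\n1,{LOOKALIKE}\n2,{OUT_OF_RANGE}\n")
        (root / "image.bin").write_bytes(VALID_KEY.encode())   # not a text type: skipped
        return scan_directory(root)


if __name__ == "__main__":
    for name, key in demo():
        print(f"{name}: recovery password stored in clear ({key[:6]}-...)")
```

When run as an endpoint check, report only the file location and the first group of the key, as the stand-alone run above does; a compliance report that itself contains full recovery passwords recreates the problem it is meant to find.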

Note: Northeast Data reserves the right to modify this policy at any time.
