Administrative Security Policy

 

INFORMATION TECHNOLOGY

 

City of El Paso

Table of Contents

1. Introduction 
     1.1 Purpose
     1.2 Goals
2. Roles and Responsibilities
3. General Measures
     3.1 Authentication
     3.2 Banner Messages
     3.3 Incident Response
     3.4 Legal Response
     3.5 Physical Security
4. Perimeter Security
     4.1 Perimeter Definition
     4.2 Perimeter Control
     4.3 Devices outside the perimeter
5. Remote Access
     5.1 General
     5.2 Dial-in
     5.3 Dial-out
6. Monitoring
     6.1 Logs and log files
     6.2 Active Scans
7. Hosts & Servers
     7.1 General requirements
     7.2 Critical Servers
     7.3 External Servers
     7.4 Internal Servers
     7.5 Workstations
          7.5.1 Desktops
          7.5.2 Laptops
     7.6 Decommissioning Systems
8. User Management
     8.1 General guidelines
     8.2 Acceptable Use
     8.3 Training
     8.4 Termination
9. Change Management
     9.1 Systems
     9.2 Policy
10. Availability

1. Introduction

1.1 Purpose

The City of El Paso maintains a large information network to support the services it provides to the public. While elements of this data are a matter of public record, the availability of the systems and the ability to control the dissemination of information are the responsibility of the City. Handling of this information must be in accordance with appropriate policies and standards.

This document will provide an overview of how these policies and standards will be developed to ensure security of vital information and access by the public. At the same time this document will provide a clear direction for the City. This document will be reviewed on a regular basis, as will all components of the City’s overall security policy. It will place security as a business problem to be faced and solved and as an issue to be presented by management as the business of every City employee.


1.2 Goals

This document is a non-technical outline of the measures to be taken to secure the City of El Paso’s critical data and information resources. It lays out policy directives; further detail will be provided in additional documentation for each area. This documentation will identify best-of-breed solutions to address the problems and mandates laid out in this policy.

In essence, this document provides executive level guidelines for the development of these additional technical policies and procedures. These policies will meet the following goals:

  • Define assets requiring protection

  • Define a methodology for identifying security threats and evaluating their potential impact

  • Define practical methods to protect these assets

  • Ensure that these measures are cost-effective

  • Support a ‘protect and proceed’ policy

  • Where the law has been violated, the City will consider prosecution

  • Allow employees to use the network effectively and safely

2. Roles and Responsibilities

    A member of the City’s Information Technology (IT) staff will be designated by the IT Department Director to function as the Information Security Officer (ISO). The responsibilities of the ISO will include:

    • Ensuring that policies and procedures are in place for all aspects of the City’s functions
    • In cooperation with other IT staff members and other departments, the ISO will:
      • Identify critical City functions and assets
      • Determine potential threats that might affect those functions
      • Determine how those threats would impact each area
      • Identify “best practices security” measures
      • Develop policies and procedures for these functions
    • Ensure these policies and procedures are kept current with changes in City function and potential threats
    • Provide a central point for security issues and questions
    • Identify ownership of critical City information resources
    • Ensure City employees are trained in current security policies and practices
    • Conduct regular security evaluation of City departments and functions

    A committee composed of senior management or their delegates will aid this officer in performing his/her assigned responsibilities. This committee will meet quarterly to review the state of the City’s security and perform required high-level information security management activities. Additionally, each department will designate one person as their representative for matters related to security. These persons will work directly with the ISO to identify and resolve ongoing security issues.


    3. General Measures
    Several general measures apply to many systems and locations on the City’s network. These measures apply broadly to any organization and represent the core of an effective security program.

    3.1 Authentication

    The requirements for different systems for authentication will vary, but the following guidelines must be adhered to in all cases:

    • Passwords will be used on all hardware and software when access is to be limited
    • Passwords will be no less than 6 characters and composed of a combination of alpha and numeric characters
    • Passwords will be changed every 28 days and a password history of the last 6 passwords will be retained to avoid reuse
    • Save password features will be disabled on all functions unless approved by ISO
    • Passwords will not be saved in those applications that allow for that feature unless approved by ISO

    Where required, specific policies and procedures for authentication will be published and made available to the users of these systems.

    3.2 Banner Messages

    All systems storing confidential data or allowing access to such data must present a banner, approved by the ISO and the City’s legal department, covering: any logging performed on the system, a statement of security level for the information concerned, a general statement of security policies, a statement that usage of this system implies compliance with these policies, and the potential consequences of failing to comply with those policies. Where a welcome banner is part of the system, the security banner will appear immediately following the welcome banner.

    3.3 Incident Response

    To provide for the quick resolution of security violations or problems and to facilitate the investigation and resolution of the problem/incident, two teams will be formed:
    The first will be the Computer Emergency Response Team (CERT) – This team will be responsible for immediate reaction to security violations and breaches. They will work to identify and limit the effect of security violations and preserve information for subsequent investigation. They will have the authority to deny user(s) access on a temporary basis based on current policies and procedures.
    The second will be the Security Incident Response Team (SIRT) – This team will be responsible for the investigation of security incidents. They will determine the cause and effect of an incident and make recommendations on how to prevent future occurrences. They will also have the authority to impose restrictions and limitations on users as described in current policies and procedures.

    3.4 Legal Response

    The City of El Paso shall exercise its options under criminal law, civil law, and administrative procedures to seek remedies from anyone who uses, abuses, or attacks any component of its information systems in violation of this policy or any policy derived from this document.

    3.5 Physical Security

    For information systems storing and providing access to confidential or mission critical information, physical security is imperative. The ISO will develop a plan for the physical security of critical information resources, controlling access by visitors and city employees. In addition, appropriate environmental controls and fire suppression systems must be maintained in these areas. All critical hardware/software will be secured in this fashion, while remote servers and hardware/software and infrastructure must have limited access (such as a locked cabinet) at a minimum.


    4. Perimeter Security

    4.1 Perimeter Definition

    The City’s network is large, encompassing multiple facilities and departments. The perimeter will be defined by the principle of administrative control. Any point at which confidential or mission critical information systems leave the physical or administrative control of the City’s central IT department will be considered the perimeter of the network.

    4.2 Perimeter Control

    A filtering device (or devices) will be deployed at all points where traffic crosses this perimeter. All traffic entering or leaving the City’s administrative domain must be passed through filters, which perform the following tasks:

    • Deny all incoming traffic except that specifically documented as allowed
    • Limit outgoing traffic by protocol
    • Log traffic as per Section 6.1
    • Provide physical security as required
    • Allow controlled, authenticated administration from defined locations only

    Further internal perimeters will be defined to protect servers defined as critical. (See Section 7.2)

    4.3 Devices outside the perimeter

    City information systems will normally not be outside the perimeter. Approval to do so must be obtained in writing from the ISO after coordination with all interested or affected departments within the City. Any City information system deployed outside the perimeter will be treated as suspect, and will be subject to the following restrictions and limitations:

    • Remote administration will only be from controlled points
    • Authentication above simple passwords will be enabled
    • No default authentication will be left enabled
    • Accounting will be enabled, logging changes made to the equipment
    • Errors on the equipment will be monitored
    • No unnecessary services will run
    • Physical access will be controlled

    5. Remote Access

    5.1 General

    All remote access to City information resources from outside of the perimeter shall be by means of an appropriately authenticated and encrypted protocol. Any access from outside of the perimeter will be controlled and limited to only those systems specifically required, and any employee accessing systems remotely shall be bound by all security policies just as if they were working on the premises.

    5.2 Dial-in Access

    Dial-in access will only be allowed with specific written permission of the ISO. Information systems used to access City resources must comply with security requirements associated with that resource. These systems must be continually monitored and inspected for compliance with this requirement. The CERT in coordination with the ISO will have the authority to terminate any dial-in connection that fails to comply with current security procedures and policies. Once terminated the connection must be fully re-certified before access will be allowed.

    5.3 Dial-out Access

    Dial-out access will only be allowed with specific written permission of the ISO. Information systems used to access resources outside the City’s perimeter must comply with security requirements associated with all resources to which that system has access. These systems must be continually monitored and inspected for compliance with this requirement. The CERT in coordination with the ISO will have the authority to terminate any dial-out connection that fails to comply with current security procedures and policies. Once terminated the connection must be fully re-certified before access will be allowed.


    6. Monitoring

    6.1 Logs and log files

    All systems must keep logs for a period of at least 90 days, as appropriate for the system or device generating these logs. They will be reviewed by administrators on a regular basis, and will be protected to the degree necessary to prevent them from being deleted, modified, or viewed by those not authorized to do so. Automated tools will be put into place to assist in the analysis of high-traffic logs and to bring important events to administrators’ notice quickly.

    6.2 Active Scans

    No active scans (‘penetration testing’) will be performed without the knowledge and written consent of the ISO. Employees shall not attempt to discover system vulnerabilities, decrypt passwords or perform other security related functions without this express permission. In order to ensure compliance with documented policies and procedures, disinterested third parties will perform periodic assessments to determine the level of security of the City’s network and to assure compliance. These will be complemented by internal assessments performed by City IT staff in accordance with the ISO’s directives and guidelines.

    7. Application Hardware and Software

    Along with the network hardware and software used to run and access applications, the storage devices that support those applications and the client devices that access applications and data must have an equally reliable and effective security system in place.

    7.1 General requirements

    All hosts must run a current version of software designed to detect and eliminate viruses. This will be updated at intervals of no more than two weeks. In addition, in the event of the compromise of any system, the system must be removed from service immediately in order to prevent the potential spread of the compromise. Data will be preserved, but applications and operating system may be replaced before the system is returned to service. The SIRT procedures (see Section 2) will be followed in full prior to the return of any compromised system to a production role.

    7.2 Critical Servers

    Critical servers will be expressly designated as requiring additional security protection and limited access. They will be protected either by a total air gap (they will not be connected to the general use network at all) or by an additional filtering perimeter that will limit the traffic to and from these servers.
    In all cases, these servers will not be directly accessed from outside the City’s perimeter, and additional scrutiny will be applied to externally accessible servers capable of accessing these systems.

    7.3 External Servers

    External servers are those capable of being directly accessed from outside of the City’s perimeter, such as WWW or E-mail servers. These systems are considered to be at the highest risk of compromise. These systems will not be connected to the same physical network segment as any internal City host or system. A filtering device similar to that defined in Section 4 will control access between these systems and the regular City network. In addition, the following precautions must be observed:

    • All security updates will be applied in a timely fashion.
    • Monitoring will be implemented to ensure data and software consistency
    • Access will be controlled and limited
      • No clear text access will be permitted
      • Strong authentication will be required
      • No default access will be left enabled
    • Known clean copies of data and operating software will be maintained.
    • No internal services will run on an external server

    7.4 Internal Servers

    Internal servers are City systems that are accessed by multiple internal users (file and print, intranet, e-mail and application servers are examples of these systems). They store and handle critical data and thus require a high degree of protection.

    • Security updates will be tested and applied in a timely manner
    • Data will be backed-up
    • Electronic access will be authenticated
    • Access to an unattended server will be automatically limited
    • E-mail will be filtered for appropriate content prior to delivery to the mail server

    7.5 Workstations

    7.5.1 Desktops

    As a rule, desktops used to access confidential or mission critical information systems should not leave the City’s premises. Permission to do so must be obtained in writing from the ISO. Desktop devices that access this type of information will be fully hardened against potential security breaches in accordance with established requirements before being released to the field. Any repair or replacement of hardware or software on a device that affects its security features will be documented. This replacement or repair may be done in the field.

    • No confidential or mission critical data will be stored on desktop systems without the written permission of the ISO
    • Security updates will be applied after testing
    • Access to unattended workstations will be limited by software and physical security measures appropriate for the system being accessed
    • Only software authorized by IT (in accordance with the ISO direction) should be installed on these desktops

    7.5.2 Laptops

    Laptops that are used outside City premises to allow employees to work remotely will not normally have access to confidential or mission critical information. Prior to being allowed such access, users must provide to the ISO written justification of why such access is required. Data should be stored on a laptop only as a temporary measure while off-site. On return to site, this data should be checked by anti-virus measures and stored on a file server. Security updates will be applied after testing. Access to unattended workstations will be limited. Only software authorized by IT (in accordance with the ISO direction) should be installed on these systems.

    7.6 Decommissioning Systems

    Appropriate measures will be taken when a system is removed from service to ensure that no City data remains on any storage medium on that system.

    8. User Management

    8.1 General guidelines

    Any conduct which adversely affects the ability of others to use the City’s systems and networks or which can harm or offend others will not be permitted.


    8.2 Acceptable Use

    The City will maintain an Acceptable Use Policy, detailing what the employees may do on the City’s telecommunications systems. This document will be reviewed by the City’s Legal Department to ensure validity, and will be signed by all employees before access to the telecommunications system is granted. Regular review of this document will be required. City management has the right to terminate the contract of an outside contractor or vendor, or terminate the employment of an employee for violation of these policies or disruption of any part of the telecommunications system.

    8.3 Training

    Telecommunications System security training must be provided to all City employees within 3 months of their hiring date and prior to access of any confidential or mission critical information systems. This will be of a high level, and will include review of appropriate policy documentation, requirements and the needs for security. Access to systems must not be granted until appropriate information security policies have been reviewed and the City is satisfied that the employee has retained this information. This training will be provided internally and will be based on templates provided by the Information Security Officer.


    8.4 Termination

    Upon termination of an employee or of a contract with an outside resource, all access privileges to City resources must be immediately revoked. All resources, data, and applications used by that user will be archived. Further policies must define steps to be taken to ensure the integrity and availability of the archived data as well as the return of all physical and information property that belongs to the City.

    9. Change Management

    9.1 Systems

    A change and configuration management program shall be established for all information systems, covering configuration changes, operating systems, security controls, and off-the-shelf software. All requests for changes must be approved by the ISO in writing. Change requests will include:

    • Written change requests including justification for the change
    • Users authorized to make changes
    • Testing of vendor supplied patches and security fixes
    • Policies for rolling back an installation or change if required


    9.2 Policy

    The Information Security Officer and supporting committee members will review this policy at least on an annual basis. Any changes will be reviewed and approved by executive management prior to the publication of the new version. This policy will also be reviewed in the event of a major change in technology or physical organization at the City. These reviews will be aimed at determining any new risks introduced either by time or by changes in the City’s operating procedure.

    10. Availability

    While this policy shall be held to be confidential to the City, it will be made available to all City employees for review. All employees will be bound by it.

     


