Information Security Policy

C. Risk Management Control Set

The state has established guidance with respect to baseline security controls, which are consistent with NIST Moderate systems. These controls are located in POL-Information Security Policy Appendix A (Baseline Security Controls) – State of Montana. Agencies may implement additional controls beyond the listed controls. Agencies will evaluate and categorize information systems as part of their respective information security management programs to determine appropriate baseline controls based on the criticality and sensitivity of the information managed by each system. Baseline controls should be evaluated as part of a risk-based security process and tailored appropriately, in accordance with the POL-Information Technology Security Risk Management Policy, to achieve cost-effective, risk-based security that supports agency mission/business needs.


D. Roles and Responsibilities

POL-Information Security Policy Appendix B (Security Roles and Responsibilities) is provided as a guide for the roles and responsibilities structure recommended for State of Montana Information Security Program management. At a minimum, each department head is responsible for ensuring an adequate level of security for all data within that department and shall designate an Information Security Manager (ISM) to administer the department's security program for data (2-15-114, MCA, Security responsibilities of departments for data).

E. Cybersecurity Framework Core Functions:

F. Cybersecurity Framework Core Requirements:

All agencies, staff, and all others, including outsourced third parties (such as contractors or other service providers), who have access to, use, or manage information assets subject to the policy and standard provisions of 2-17-524(3), MCA, shall:

IDENTIFY

1.1. Maintain an inventory of information system components. Inventory of systems is conducted annually and reviewed for any unauthorized components. Unauthorized components are removed.
  1.2.1. Approving flow of information between information systems;
  1.2.2. Requiring an Interconnection Security Agreement for all information systems directly connected to external systems;
  1.2.3. Outlining connections with other information systems within the system security plan;
  1.2.4. Employing a permit-by-documented-request (exception) policy for allowing agency and other information systems to connect to external information systems; and
  1.2.5. Ensuring that all internal connections for an information system are documented within the system security plan.
1.3. Maintain agreements with external entities when using external information systems to use, process, store, or transmit state data that include the following:
  1.3.1. Ensuring compliance with access requirements;
  1.3.2. Requiring that providers of external information system services comply with organizational information security requirements and employ appropriate security in accordance with applicable state laws, Executive Orders, policies, standards, and guidance;
  1.3.3. Defining and documenting state oversight and user roles and responsibilities with regard to external information systems;
  1.3.4. Monitoring security control compliance by external service providers; and
  1.3.5. Requiring providers of information system services to identify the functions, ports, protocols, and other services required for the use of such services.
1.4. Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners).
1.5. Establish dependencies, critical functions, and requirements for delivery of critical services.
1.6. Establish and maintain information security policies that provide the following: 1.
cross-organization information-sharing capability.
1.9. Conduct risk assessments that include the following:
  1.9.1. The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of information systems and the information they process, store, or transmit;
  1.9.2. Documentation of the risk assessment results in a risk assessment report;
  1.9.3. Annual review of the risk assessment results; and
  1.9.4. Annual updates, or updates whenever there are significant changes to information systems or the environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may affect the security state of the system.
1.10. Establishes security categorizations that: 1.10. requirements.
1.12. Develop and implement a comprehensive and consistent strategy to manage risk to organizational operations and assets, individuals, other organizations, and the state associated with the operation and use of information systems that includes the following:
  1.12.1. Establishing and communicating priorities for organizational mission, objectives, and activities;
  1.12.2. A determination of organizational risk tolerance that is clearly expressed and communicated;
  1.12.3. A definition of mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the state;
  1.12.4. A determination of information protection needs arising from the defined mission/business processes and revision to the processes as necessary, until an achievable set of protection needs is obtained; and
1.12. Requires that privileged users understand and acknowledge their roles and responsibilities.

PROTECT

2.9. Manage information and records consistent with the organization's risk strategy to protect confidentiality, integrity, and availability that:
  2.9.1. Employs appropriate security technologies for data-at-rest;
  2.9.2. Employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures;
  2.9.3. Requires that assets are formally managed by:
    2.9.3.1. Maintaining an inventory of information system components;
    2.9.3.2. Conducting annual reviews of the information system inventory;
    2.9.3.3. Removing unauthorized components;
    2.9.3.4. Sanitizing sensitive information system media (both digital and non-digital), with sanitization mechanisms that are commensurate with the classification or sensitivity of the information, prior to disposal, release of organizational control, or reuse; and
    2.9.3.5. Authorizing, monitoring, and controlling servers, server racks, hard drives, workstations, network arrays, network equipment, and any other pertinent equipment entering and exiting secured data center facilities and maintaining records of those items.
  2.9.4. Maintains adequate capability and capacity to ensure availability by:
    2.9.4.1. Allowing flexibility in audit storage capacity; and
    2.9.4.2. Protecting against or limiting the effects of denial of service attacks.
  2.9.5. Protects against data leaks by:
    2.9.5.1. Approving flow of information between information systems;
    2.9.5.2. Documenting separation of duties;
    2.9.5.3. Employing the principle of least privilege according to mission/business functions;
    2.9.5.4. Screening individuals prior to authorizing access to information systems and rescreening individuals according to the following conditions:
      2.9.5.4.1. Job transfer/hire into a position that requires additional security/privileged access; and
      2.9.5.4.2. Every three (3) years.
    2.9.5.5. Ensuring that individuals who have access to organizational sensitive information sign appropriate access agreements prior to being granted access;
    2.9.5.6. Reviewing and updating access agreements every two (2) years;
    2.9.5.7. Employing boundary protection mechanisms;
    2.9.5.8. Employing cryptographic mechanisms, protections, and modules that comply with applicable state laws, executive orders, policies, standards, and guidance;
    2.9.5.9. Monitoring events by:
      2.9.5.9.1. Utilizing security incident and event monitoring objectives to detect information system attacks; and
      2.9.5.9.2. Identifying unauthorized use of information systems;
  2.9.6. Detects unauthorized changes to software and information, and reassesses the integrity of software and information by performing integrity scans of the information system on an annual basis; and
  2.9.7. Maintains separate development and testing environments along with a baseline configuration for rollback support.
  2.12.1. Provides for the following emergency shutoff capabilities:
    2.12.1.1. Shutting off power to sensitive information systems or individual system components in emergency situations;
    2.12.1.2. Placement of emergency shutoff switches or devices in appropriate locations within secured facilities to facilitate safe and easy access for personnel; and
    2.12.1.3. Protection of emergency power shutoff capability from unauthorized activation;
  2.12.2. Provides a short-term uninterruptible power supply to facilitate an orderly shutdown of information systems in the event of a primary power source loss;
  2.12.3. Employs automatic emergency lighting for information systems that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within facilities;
  2.12.4. Provides for the following fire protection capabilities:
    2.12.4.1. Fire suppression and detection systems for sensitive information systems that are supported by an independent energy source;
    2.12.4.2. Fire detection systems for sensitive information systems that activate automatically and notify authorized personnel and emergency responders in the event of a fire;
    2.12.4.3. Fire suppression systems for sensitive information systems that provide automatic notification of any activation to state emergency responders; and
    2.12.4.4. Automated fire suppression systems for sensitive information systems in unstaffed facilities.
  2.12.5. Maintains temperature and humidity levels within the facilities where sensitive information resides between 68 and 71 degrees Fahrenheit and between 28% and 54% humidity; temperature and humidity levels are monitored 24/7;
  2.12.6. Protects sensitive information systems from damage resulting from water leakage by ensuring a master shutoff valve is accessible, working properly, and known to key personnel; and
  2.12.7. Authorizes, monitors, and controls servers, server racks, hard drives, workstations, network arrays, network equipment, and any other pertinent equipment entering and exiting secured data center facilities and maintains records of those items.
2.13. Sanitize sensitive information system media (both digital and non-digital) prior to disposal, release of organizational control, or reuse. NOTE: Employed sanitization mechanisms (strength and integrity) must be commensurate with the classification and sensitivity of the information.
2.14. Continuously improve protection processes by:
  2.14.1. Creating a formal System Security Plan that:
    2.14.1.1. Is consistent with the organization's enterprise architecture;
    2.14.1.2. Explicitly defines the authorization boundary for the system;
    2.14.1.3. Describes the operational context of the information system in terms of mission and business processes;
    2.14.1.4. Provides the security categorization of the information system, including supporting rationale;
    2.14.1.5. Describes the operational environment for the information system and relationships with or connections to other information systems;
    2.14.1.6. Provides an overview of the security requirements for the system;
    2.14.1.7. Identifies any specific statutory and/or regulatory requirements (above and beyond Moderate Baseline Controls), if applicable;
    2.14.1.8. Describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions; and
    2.14.1.9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
  2.14.2. Distributing copies of the System Security Plan and communicating changes to the plan to appropriate personnel;
  2.14.3. Reviewing the System Security Plan for the information system at least once every year;
  2.14.4. Updating the System Security Plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments;
  2.14.5. Protecting the System Security Plan from unauthorized disclosure and modification;
  2.14.6. Planning and coordinating security-related activities with other organizational entities before conducting such activities in order to reduce the impact on enterprise operations (for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing).
  2.14.12. Ensuring that cybersecurity is included in human resources practices that:
    2.14.12.1. Assign a risk designation to all positions and establish screening criteria for individuals filling those positions;
    2.14.12.2. Review and revise position risk designations every two years;
    2.14.12.3. Upon termination of individual employment, the agency shall:
      2.14.12.3.1. Terminate all information system access;
      2.14.12.3.2. Conduct exit interviews;
      2.14.12.3.3. Retrieve all security-related organizational information system-related property; and
      2.14.12.3.4. Retain access to organizational information and information systems formerly controlled by the terminated individual.
    2.14.12.4. Upon reassigning or transferring agency personnel to other positions within the state, agencies shall conduct a review of logical and physical access authorizations to information systems/facilities within three business days of beginning the new position to ensure access is limited to authorized and required systems/facilities.
    2.14.12.5. Establish third-party personnel security requirements that:
      2.14.12.5.1. Include security roles and responsibilities for the providers;
      2.14.12.5.2. Document personnel security requirements; and
      2.14.12.5.3. Monitor provider compliance.
    2.14.12.6. Employ a formal sanctions process for personnel failing to comply with established information security policies and procedures.
  2.14.13. Developing and implementing a vulnerability management plan.
2.15. Maintain and repair organization assets by:
  2.15.1. Utilizing a formalized change management process;
  2.15.2. Performing maintenance on major equipment that contains sensitive information on-site;
  2.15.3. Performing security checks after maintenance is completed;
  2.15.4. Approving, controlling, monitoring the use of, and maintaining on an ongoing basis, information system maintenance tools;
  2.15.5. Checking information system maintenance tools prior to admittance into a secured data center facility;
  2.15.6. Checking all media for viruses or malicious code before it is used on an information system;
  2.15.7. Establishing a process for maintenance personnel authorization by maintaining a current list of authorized maintenance organizations or personnel; and
  2.15.8. Ensuring that personnel performing maintenance on an information system that contains sensitive information have had a background check.
2.16. Perform remote maintenance of organizational assets in a secure manner by:
  2.17.10. Limiting access to audit information and tools to those whose job duties require access or the staff members who are performing the audit function;
  2.17.11. Maintaining audit records for a minimum of seven (7) years to meet regulatory requirements; and
  2.17.12. Ensuring that information systems can provide audit record generation capability for the auditable events defined in this section.
2.18. Protect removable media by:
  2.18.1. Restricting access to raised-floor areas that contain critical network, data backup, and server functions to authorized users, vendors, and customers using automated physical security restrictions and biometrics (where deployed);
  2.18.2. Controlling and storing failed or retired hard drives and tape media that contain sensitive information within designated secure areas within facilities using physical control restrictions;
  2.18.3. Protecting sensitive information system media until the media is destroyed or sanitized using approved equipment, techniques, and procedures;
  2.18.4. Protecting and controlling sensitive information media during transport outside of controlled areas using authorized personnel and secured transport;
  2.18.5. Maintaining accountability for sensitive information system media during transport outside of controlled areas;
  2.18.6. Restricting the activities associated with transport of such media to authorized personnel;
  2.18.7. Documenting activities associated with the transport of sensitive information system media;
  2.18.8. Employing cryptographic mechanisms to protect the confidentiality and integrity of sensitive information stored on digital media during transport outside of controlled areas; and
  2.18.9. Prohibiting the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

2.1. Manage identities and credentials for authorized devices and users that:
  2.1.1. Provides unique identification and authentication to information systems;
  2.1.2. Employs the use of multifactor authentication for access to privileged accounts;
  2.1.3. Provides unique identification and authentication to all network-attached devices compatible with the 802.1X protocol prior to establishing a network connection;
  2.1.4. Provides unique information system identifiers (UserIDs) by:
    2.1.4.1. Requesting the identifier from SITSD;
    2.1.4.2. Receiving authorization from an authorizing manager;
    2.1.4.3. Selecting an identifier that identifies an individual, group, role, or device;
    2.1.4.4. Assigning the identifier to the intended individual, group, role, or device; and
    2.1.4.5. Prohibiting the reuse of identifiers.
  2.1.5. Requires the following of identifiers:
  Assigns account managers for information system accounts;
  2.1.13. Establishes conditions for group and role membership;
  2.1.14. Specifies authorized users of the information system, group and role memberships, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  2.1.15. Requires approvals by system owners, a contract manager, or a business manager for requests to create information system accounts;
  2.1.16. Creates, enables, modifies, disables, and removes information system accounts in accordance with account managers;
  2.1.17. Monitors the use of information system accounts;
  2.1.18. Employs automated mechanisms to support the management of information system accounts;
  2.1.19. Automates the disabling of temporary and emergency accounts after sixty (60) days;
  2.1.20. Automates the disabling of inactive accounts and identifiers after ninety (90) days; and
  2.1.21. Automates the auditing and provides notification to account
  Routes traffic through SITSD enterprise designated control points;
  2.5.7. Restricts the use of privileged commands to system administrators;
  2.5.8. Maintains terms and conditions for the use of mobile devices to access state information systems; and
  2.5.9. Requires that agreements are established with external entities when utilizing external information systems to use, process, store, or transmit state data.
  Includes basic security awareness training for new employees prior to provisioning access to systems or performance of duties;
  2.8.2. Requires annual security awareness training for all other staff members, including managers, senior executives, and contractors; and
  2.8.3.
    Authenticates wireless access for users and devices; and
    2.20.2.3. Encrypts wireless access.
  2.20.3. Maintaining alternate telecommunication services for essential mission and business functions at primary and alternate processing and storage sites.

DETECT

3.1. Develop, identify, and manage a baseline of normal operations and procedures for each major information system that:
  3.1.1. Establishes a documented, formally reviewed, and agreed-upon set of specifications for the information system or configuration items within the system; and
  3.1.2. Conducts configuration reviews on a bi-annual basis or as needed based on changes to the environment of operations.
3.2. Implement network and information system monitoring that:
  3.2.1. Employs automated tools to support near real-time analysis of events, with SITSD providing daily review of the audit logs during the workweek;
  3.2.2. Monitors inbound and outbound communications for unusual or unauthorized activities or conditions (SITSD will notify agencies within 24 hours when their portion of the network is involved in any breaches of network security);
  3.2.3. Provides near real-time alerts when the following indications of compromise or potential compromise occur:
    3.2.3.1. account privilege escalation;
    3.2.3.2. authentication;
    3.2.3.3. antivirus/antimalware software;
    3.2.3.4. user changes;
    3.2.3.5. log errors;
    3.2.3.6. system failures; and
    3.2.3.7. other network failures;
  3.2.4. Monitors events in accordance with security incident and event monitoring objectives;
  3.2.5. Identifies unauthorized use of information systems;
  3.2.6. Deploys monitoring devices to strategically collect organization-determined essential information and at ad hoc locations, to track specific types of transactions of interest to the state;
  3.2.7. Heightens the level of monitoring activity whenever there is an indication of increased risk to operations and assets, individuals, other organizations, or the state based on law enforcement information, intelligence information, or other credible sources of information; and
  3.2.8. Incorporates legal opinion with regard to monitoring activities in accordance with applicable federal and state laws, executive orders, directives, policies, or regulations.
NOTE: There are no expectations of privacy when using state computing resources unless specifically indicated by law.

RESPOND

4.8. Develop an ISIRT (Information Systems Incident Response Team) Manual that:
  4.8.1. Provides a roadmap for implementing its incident response capability;
  4.8.2. Describes the structure and organization of the incident response capability;
  4.8.3. Provides a high-level approach for how the incident response capability fits into agency processes;
  4.8.4. Meets the requirements of the mission, size, structure, and functions of the agency;
  4.8.5. Defines reportable incidents;
  4.8.6. Provides metrics for measuring the incident response capability for the agency;
  4.8.7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
  4.8.8. Establishes management review and approval of the ISIRT on a quarterly basis or to address system/organizational changes or problems encountered during implementation, execution, or testing;
  4.8.9. Ensures distribution of updated versions is delivered to ISIRT members; and
  4.8.10. Protects the ISIRT from unauthorized disclosure and modification.