Académique Documents
Professionnel Documents
Culture Documents
reference guide
ROUTING
TITLE: Description of Security Standards for School Site
Networked Computer Systems Housing Administrators
Confidential Information Central Office
Administrators
NUMBER: REFERENCE GUIDE NO. 3757.0
DEFINITIONS
Data Users: Individuals for whom the systems are designed. Data
users may include students, parents/guardians, certified District
employees, classified District employees, District vendors, and
members of the public at large. Data users access system resources
to achieve some benefit, in terms of their education, job duties, or
citizen participation in District governance. Depending on the
nature of the system, data users may or may not be individually
identifiable.
Physical Controls – Equipment Housing Physical Controls – Equipment Housing Physical Controls – Equipment Housing
P-EH-1 Servers housing public NP-EH-1 Servers housing public PRO-EH-1 Servers housing public information
information must be supervised during information must be supervised during must be supervised during normal business hours
normal business hours normal business hours
P-EH-2 Servers must be kept in a locked NP-EH-2 Servers must be kept in a locked PRO-EH-2 Servers must be kept in a locked room
room or cabinet room or cabinet or cabinet
PRO-EH-3 Servers must be kept in a secured
facility having specific physical protections defined
by PRO-EH-3A through PRO-EH-3G
PRO-EH-3A Individually assigned access codes
must be maintained, so that all facility access is
individually accountable
PRO-EH-3B Hardcopy records must be kept of all
facility access, listing the individual's identity, data
and time of access and areas of the facility access
PRO-EH-3C Visitors must sign in, and provide
acceptable identification
PRO-EH-3D Visitors who are not under contract
with the District to perform specific tasks in the
data facility must be accompanied by escorts
PRO-EH-3E Intrusion alarms must be installed and
must provide immediate response or data center
facilities must be supervised 24 hours per day
PRO-EH-3F Surveillance cameras must be
installed. These cameras must be monitored by
designated individuals or data center facilities must
be supervised 24 hours per day
PRO-EH-3G Environmental systems must include
fire suppression, uninterruptible power supplies,
temperature and humidity controls, emergency
lighting, and smoke and fire alarms
Physical Controls – Backup Media Physical Controls – Backup Media Physical Controls – Backup Media Handling
Handling Handling
P-BMH-1 Backup media stored on-site NP-BMH-1 Backup media stored on-site PRO-BMH-1 Backup media stored on-site must be
must be kept in a locked room or cabinet must be kept in a locked room or cabinet kept in a locked room or cabinet
P-BMH-2 Backup media stored off-site NP-BMH-2 Backup media stored off-site PRO-BMH-2 Backup media stored off-site must be
must be kept only in locations authorized must be kept only in locations authorized kept only in locations authorized by the Data
by the Data Owner and/or the Director of by the Data Owner and/or the Director of Owner and/or the Director of IT Security
IT Security IT Security
NP-BMH-3 Backup media must be erased PRO-BMH-3 Utilities approved by the Director of
before disposal IT Security must be used to erase media prior to
disposal
PRO-BMH-4 When transporting data storage media
off District premises, either all data must be
encrypted using strong commercial encryption or an
courier service approved by the Data Owner and/or
the Director of IT Security must be used
Physical Controls – Storage Media Physical Controls – Storage Media Physical Controls – Storage Media Handling
Handling Handling
n/a NP-SMH-1 Computer hard drives must be PRO-SMH-1 Computer Hard drives must be
reformatted before disposal, with a physically removed and destroyed before disposing
minimum of 1 pass of pseudorandom data of obsolete systems
overwriting each drive
ADMINISTRATIVE CONTROLS - ADMINISTRATIVE CONTROLS - ADMINISTRATIVE CONTROLS - Operating
Operating System /Application Operating System /Application System /Application Configuration and
Configuration and Maintenance Configuration and Maintenance Maintenance
P-OSA-1 Servers and associated NP-OSA-1 Servers and associated PRO-OSA-1 Servers and associated applications
applications must be hardened on initial applications must be hardened on initial must be hardened on initial installation to security
installation to security standards as installation to security standards as standards as provided by the Director of IT Security
provided by the Director of IT Security provided by the Director of IT Security and tested by the ITD Security Office.
P-OSA-2 Patches to the operating system NP-OSA-2 Patches to the operating PRO-OSA-2 Patches to the operating system and
and applications must be applied to fix system and applications must be applied to applications must be applied to fix critical security
critical security flaws before server fix critical security flaws before server flaws before server implementation or mitigating
implementation, or mitigating controls implementation or mitigating controls controls approved by the Director of IT Security
approved by the Director of IT Security approved by the Director of IT Security must be applied for each known security issue
must be applied for each known security must be applied for each known security resolved by unapplied patches.
issue resolved by unapplied patches. issue resolved by unapplied patches.
P-OSA-3 Operating System and NP-OSA-3 Operating System and PRO-OSA-3 Operating System and application
application vendors must be consulted at application vendors must be consulted at vendors must be consulted at least every 30 days to
least every 30 days to determine if new least every 30 days to determine if new determine if new patches must be applied
patches must be applied. patches must be applied.
P-OSA-4 Patches pertaining to security NP-OSA-4 Patches pertaining to security PRO-OSA-4 Patches pertaining to security flaws
flaws must be evaluated by the server flaws must be evaluated by the server must be evaluated by the server administrator and
administrator and the Director of IT administrator and the Director of IT the Director of IT Security for applicability.
Security for applicability. Patches deemed Security for applicability. Patches deemed Patches deemed applicable must be applied in a
applicable must be applied in a timely applicable must be applied in a timely timely manner as determined by the Director of IT
manner as determined by the Director of manner as determined by the Director of Security
IT Security IT Security
P-OSA-5 Server configuration must be NP-OSA-5 Server configuration must be PRO-OSA-5 Server configuration must be
periodically reviewed by the Director of IT periodically reviewed by the Director of IT periodically reviewed by the Director of IT Security
Security or designee for compliance with Security or designee for compliance with or designee for compliance with security standards
security standards security standards
NP-OSA-6 Documented configuration PRO-OSA-6 Documented configuration control
control practices for operating system and practices for operating system and application
application configuration must be configuration must be approved by the Director of
approved by the Director of IT Security IT Security
PRO-OSA-7 Server configuration must be
periodically reviewed by an independent party for
compliance with security standards
ADMINISTRATIVE CONTROLS - ADMINISTRATIVE CONTROLS - ADMINISTRATIVE CONTROLS - User
User Account Maintenance User Account Maintenance Account Maintenance
P-UAM-1 Where Account Holders having NP-UAM-1 Account provision must PRO-UAM-1 . Account provision must conform to
individually assigned access exist, account conform to the standards specified in the standards specified in requirements PRO-UAM-
provision must conform to the standards requirements NP-UAM-1A through 1D. 1A through 1D.
specified in requirements P-UAM-1A
through 1D.
P-UAM-1A Written management approval NP-UAM-1A Account Holders must have PRO-UAM-1A Account Holders must have an
must be obtained prior to setting up an individually assigned account for which individually assigned account for which they are
individual user accounts they are responsible. Shared, group, or responsible. Shared, group, or guest accounts must
guest accounts must not be used not be used
P-UAM-1B System access must be NP-UAM-1B System access must be PRO-UAM-1B System access must be removed
removed immediately where the Account removed immediately where the Account immediately where the Account Holder has
Holder has terminated their relationship Holder has terminated their relationship terminated their relationship with the District or
with the District or changed locations with the District or changed locations changed locations within the District
within the District within the District
P-UAM-1C Account Holder access NP-UAM-1C Account Holder access PRO-UAM-1C Account Holder access privileges
privileges must be assigned based on privileges must be assigned based on must be assigned based on regular job duties
regular job duties regular job duties
P-UAM-1D Account Holder access NP-UAM-1D Account Holder access PRO-UAM-1D Account Holder access privileges
privileges must be changed when job privileges must be changed when job must be changed when job duties change. If a
duties change. If a privilege is no longer duties change. If a privilege is no longer privilege is no longer required, it must be revoked
required, it must be revoked required, it must be revoked
P-OV-1 Service provider (outsourcer) NP-OV-1 Service provider (outsourcer) PRO-OV-1 Service provider (outsourcer) security
security practices must be evaluated by the security practices must be evaluated by the practices must be evaluated by the Data Custodian
Data Custodian for compliance with Data Custodian for compliance with for compliance with District standards and with
District standards for physical, District standards for physical, applicable regulatory requirements. Compliance
administrative and technical controls. administrative and technical controls. criteria must be developed in consultation with
District General Counsel and the Director of IT
Security
TECHNICAL CONTROLS - Account TECHNICAL CONTROLS - Account TECHNICAL CONTROLS - Account Control
Control Control
P-TAC-1 Where account holders having NP-TAC-1 The system must be configured PRO-TAC-1 The system must be configured to
individually assigned access exist, they to prohibit any anonymous or prohibit any anonymous or unauthenticated access
must conform to requirements P-TAC-1A unauthenticated access
through 1F.
P-TAC-1A Non-trivial passwords must be NP-TAC-2 The system must be configured PRO-TAC-2 The system must be configured to
enforced by technical measures. For to enforce strong password selection for all enforce strong password selection for all user
example, in Windows 2000 an Account user access via technical measures to meet access via technical measures to meet requirements
Policy may be defined to require minimum requirements NP-TAC-2A through 2D. PRO-TAC-2A through 2D.
password length and password complexity
requirements
P-TAC-1B Accounts must be disabled NP-TAC-2A Passwords must be non- PRO-TAC-2A Passwords must be non-trivial
after 180 days of inactivity trivial
P-TAC-1C Accounts must be NP-TAC-2B Passwords must be at least 8 PRO-TAC-2B Passwords must be at least 8
automatically disabled after 10 characters in length characters in length
unsuccessful login attempts
P-TAC-1D Password changes must be NP-TAC-2C Passwords must consist of a PRO-TAC-2C Passwords must consist of a mix of
required at least every 365 days mix of alphabetic and numeric characters alphabetic and numeric characters
P-TAC-1E Account Holder access to files, NP-TAC-2D Passwords must not be a PRO-TAC-2D Passwords must not be a word found
commands, and application functions must word found in a dictionary in a dictionary
be based on job requirements and enforced
using system access control lists (ACLs).
At a minimum, system software and
application executables should provide
write, update, and delete access only to
Technical Administrators
P-TAC-1F Only individually assigned NP-TAC-3 Accounts must be disabled PRO-TAC-3 Accounts must be disabled after 180
system administrators may have privileged after 180 days of inactivity days inactivity
accounts, permitting operating system and
security configuration
NP-TAC-4 Accounts must be PRO-TAC-4 Accounts must be automatically
automatically disabled after 5 unsuccessful disabled after 5 unsuccessful login attempts
login attempts
NP-TAC-5 Password changes must be PRO-TAC-5 Password changes must be required at
required at least every 180 days least every 180 days. The system shall be
configured to disallow reusing passwords
successively.
NP-TAC-6 Account Holder access to files, PRO-TAC-6 Application access must time out after
commands, and application functions must an idle time of 30 minutes. This timeout must be
be based on job requirements and enforced independent of any workstation or network access
using system permissions or access control timeout.
lists (ACLs).
NP-TAC-7 Default read access to PRO-TAC-7 Account Holder access to files,
confidential data must be set to none" via commands, and application functions must be based
system permissions or ACLs on job requirements and enforced using system
permissions or access control lists (ACLs).
NP-TAC-8 Only individually assigned PRO-TAC-8 Default read access to confidential
system administrators may have privileged data must be set to none" via system permissions or
accounts, permitting operating system and ACLs
security configuration
PRO-TAC-9 Only individually assigned system
administrators may have privileged accounts,
permitting operating system and security
configuration
PRO-TAC-10 If feasible, end users should be
restricted to only a single application session, to
discourage sharing IDs and passwords.