Central Agency for
Information Technology
Kuwait National IT Governance Framework
Agenda
1. Manage security policy
2. Information security management system procedure
3. Manage security services policy
4. Access management procedure
Page 3 Central Agency for Information Technology
Objective and scope
Objective: Establish a basic minimum set of requirements that should be adopted by all Kuwait government ministries to better protect their information assets.
Scope: All IT services being managed by the IT departments of government ministries.
Roles and responsibilities
Role: Responsibility
Senior Management of government ministries: Shall be responsible for ensuring that commitment towards best practices and processes is adopted and sustained for managing the ISMS.
Management Forum/Steering Committee: Shall be responsible for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS. The committee shall be the owner of this policy. The owner shall be responsible for maintaining and reviewing the applicability of the policy based on a defined review mechanism.
Information Security Manager (ISM): Shall be responsible for the initiation, implementation and follow-up of all measures related to information security within the IT department. The ISM shall ensure adherence to this policy within the IT department, shall provide security advice and analyze, review and resolve all issues related to information security, and will give direction and manage the processes related to information security management.
Information Security Task Force (ISTF): Shall assist the ISM in the smooth implementation and functioning of the ISMS.
Audit Committee: Shall be responsible for scheduling and conducting independent internal audits. Independence and confidentiality shall be maintained by auditors irrespective of the nature of their jobs.
Human Resource department
Information security management system
Policy: An ISMS policy shall be defined, supported and authorized by senior management. Roles and responsibilities shall be defined.
Risk management
Policy: Risk management shall be performed periodically in high risk
Risk management (contd)
Introduction
► Risk management includes the tasks and activities associated with assessing, mitigating and preventing threats to the organization. A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system.
Approach
► Information security risk management comprises the following stages:
► Risk identification
► Risk estimation and analysis
► Risk treatment
► Risk communication
Risk management process flow
[Flowchart] Establish Context → Risk Identification → Risk Analysis → Risk Evaluation → "Is Risk Assessment completed?" (No: return to Risk Identification; Yes: continue) → Risk Treatment (Risk Reduction / Risk Avoidance / Risk Transfer) → "Is Risk Treatment Completed?" (No: return to Risk Treatment; Yes: continue) → Risk Acceptance → Risk Monitoring, Review and Communication
Monitor and review ISMS
Policy: Execute monitoring and reviewing procedures and other controls to determine whether the actions taken to resolve a breach of
Manage Security Services
► Protection against malware
► Manage network and connectivity security
► Manage endpoint security
► Manage user identity and logical access
► Manage physical access to IT assets
► Manage sensitive documents and output devices
► Audit logging and monitoring
Protection against malware
Policy: Establish protection tools against all forms of malware, control their proper functioning, and train users on appropriate behaviour.
► Regular system patching of network devices, servers and all workstations
► Servers, networks and email systems should have anti-virus installed to detect malicious software and file attachments
► Real-time scanning should be enabled on all systems, servers/workstations and network devices to detect malicious software during non-peak traffic hours
Manage network and connectivity security
Policy: Design, establish and operate the network in a way that it prohibits unauthorized access and provides the necessary provisions against external attacks.
► General Network Security
► Virtual Private Network Security
► Network Routing Security
► Remote Access Security
► Router, Switch and Firewall Security
► Mobile Computing Security
General network security
► Network configuration details should be restricted to authorized personnel only
► Computers and network devices should be protected by password-protected user IDs, granted based on business needs and role requirements
► All network services, including the privileges required for access, must be reviewed on a periodic basis
Virtual private network security
► All VPN traffic shall be protected using strong encryption and all VPN users will authenticate to the VPN server using their ID and password
► VPN access should be given to vendors, only after obtaining sufficient approval
Network routing security
► Access Control Lists (ACLs) should be configured to ensure that only legitimate inbound and outbound network traffic is enabled and to prevent unauthorized access to resources
► Firewalls or routers should be used for external routing to hide internal IP addresses
► The capabilities of a Layer 3 switch should be used to route traffic between all logical subnets
Router, switch and firewall security
► Physical access to network room should be properly restricted
► Routers, switches and firewalls should be configured to use AAA to control access to these devices
► Ensure that the version of OS/firmware loaded on all devices is the latest stable one
► Network devices should be tested for proper operation after an upgrade before being put into the production environment
► Session timeout should be set on all network devices
► Logs on network devices should be examined on a weekly basis
► Device software, configuration data, database files, etc., should be backed up
Manage endpoint security
Policy: Establish the necessary endpoint security on all devices, implement appropriate deployment processes and control
Manage endpoint security procedure
► Ensure the endpoint security solution is updated with the latest definitions
► Install and configure the endpoint security solution to enable encryption
Manage user identity and logical access
Policy: Manage access of all users based on need-to-know principles and control adherence to access control policies.
Sub-processes under identity and access management
► User ID Management
► User ID Nomenclature
► Privileged User ID Maintenance Procedure
► Secure Log-on Procedures
► Use of System Utilities
► Limitation of Connection Time
► Session Time-out
► Information Access Restriction
User ID Management
► Disable accounts that have been inactive for more than 90 days
► Issue unique user IDs and restrict sharing
► Revoke the user IDs of resigned employees
► Default accounts must be renamed
User ID Nomenclature
► User ID creation shall follow a defined nomenclature
Privileged user ID maintenance procedure
► Administrator accounts shall not be used for normal daily activities
► Privileged user IDs should be restricted
► Requests for privileged user ID creation and modification shall follow the approval process
Secure log-on procedures
► Display a proper login banner
► Hide previously logged-on user information
► All login information must be logged
► Implement lock-out after more than 3 successive login failures
Use of system utilities
► Segregate system utilities from application software
► Unnecessary system utilities should be removed
Manage user identity and logical access
Limitation of connection time
► Users are allowed to connect to sensitive/high-risk applications only during a defined period
► Users are also forced to re-authenticate at set intervals to prevent them from holding sessions open indefinitely
Session time-out
► An idle session to an information system should be terminated after 10 minutes of user inactivity
Information access restriction
► Access to system functions is restricted via menu and interface structure design
► Set up security groups based on user role and access to data
► Applications should only access production and configuration data
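The identity and access statements above (disable accounts inactive for more than 90 days, lock out after more than 3 successive login failures, terminate idle sessions after 10 minutes, connection-time limits and forced re-authentication for sensitive applications, renaming of default accounts, logging of all login information) can be checked mechanically against account and session records. The following is an added illustration written for this page, not code from the framework or from the Central Agency: it encodes the thresholds the page states and flags the action the policy requires. The access window for sensitive applications, the re-authentication interval and the list of default account names are assumptions, since the page gives no values for them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from typing import List, Dict

# Thresholds stated in the policy text on this page.
INACTIVE_DISABLE_DAYS = 90       # disable accounts inactive more than 90 days
MAX_SUCCESSIVE_FAILURES = 3      # lock out after more than 3 successive failures
IDLE_SESSION_MINUTES = 10        # terminate idle sessions after 10 minutes

# Assumed values: the page only says "certain period" / "certain intervals".
SENSITIVE_ACCESS_WINDOW = (time(7, 0), time(18, 0))
REAUTH_INTERVAL = timedelta(hours=4)
# Assumed list of vendor default account names that the policy says must be renamed.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "guest", "root"}


@dataclass
class Account:
    user_id: str
    last_login: datetime
    successive_failures: int = 0
    disabled: bool = False
    locked: bool = False


@dataclass
class Session:
    user_id: str
    sensitive: bool            # session to a sensitive/high-risk application
    authenticated_at: datetime
    last_activity: datetime


def account_actions(acct: Account, now: datetime) -> List[str]:
    """Return the policy actions an account record currently requires."""
    actions = []
    if acct.user_id.lower() in DEFAULT_ACCOUNT_NAMES:
        actions.append("rename_default")
    if not acct.disabled and now - acct.last_login > timedelta(days=INACTIVE_DISABLE_DAYS):
        actions.append("disable_inactive")
    if not acct.locked and acct.successive_failures > MAX_SUCCESSIVE_FAILURES:
        actions.append("lock_out")
    return actions


def session_actions(sess: Session, now: datetime) -> List[str]:
    """Return the actions a live session requires (idle time-out, window, re-auth)."""
    actions = []
    if now - sess.last_activity > timedelta(minutes=IDLE_SESSION_MINUTES):
        actions.append("terminate_idle")
    if sess.sensitive:
        start, end = SENSITIVE_ACCESS_WINDOW
        if not (start <= now.time() <= end):
            actions.append("deny_outside_window")
        if now - sess.authenticated_at >= REAUTH_INTERVAL:
            actions.append("reauthenticate")
    return actions


def record_login(acct: Account, success: bool, now: datetime) -> Dict[str, object]:
    """Apply one login attempt to the account and return the audit record to be logged."""
    if acct.disabled or acct.locked:
        outcome = "rejected"
    elif success:
        acct.successive_failures = 0
        acct.last_login = now
        outcome = "success"
    else:
        acct.successive_failures += 1
        if acct.successive_failures > MAX_SUCCESSIVE_FAILURES:
            acct.locked = True
        outcome = "failure"
    # "All login information must be logged": every attempt yields a record.
    return {"time": now.isoformat(), "user": acct.user_id, "outcome": outcome,
            "locked": acct.locked, "successive_failures": acct.successive_failures}


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    now = datetime(2024, 1, 15, 10, 0)
    for acct in (Account("jdoe", now - timedelta(days=100)), Account("admin", now)):
        print(acct.user_id, account_actions(acct, now))
    alice = Account("alice", now)
    for _ in range(4):
        print(record_login(alice, False, now))
    print(session_actions(Session("alice", True, now - timedelta(hours=5),
                                  now - timedelta(minutes=11)), now))
```

The lock-out follows the page's wording literally ("more than 3 successive login failures"), so the fourth consecutive failure locks the account; a ministry that intends a three-strike rule would change the comparison to `>=`.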
Sensitive system isolation
Manage physical access to IT assets
Policy: Put physical controls in place to ensure that access to premises is restricted to authorized persons, manage access tokens
Procedure
► Identification Card (ID card) issuance to permanent staff
► Reissuing Identification Card (ID card) to existing staff/lost card
► Access card issuance to permanent and temporary staff
► Reissuing access card to existing staff/lost card
► Access card issuance to new third party contract staff and service providers
► Reissuing of access card to existing third party contract staff and service provider staff/lost card
Manage sensitive documents and output devices
Policy: Establish procedures to identify sensitive documents and media and enforce the application of suitable protection
Sub-processes under sensitive document management
► Information identification, classification, and labelling
► Handling and storage of information
► Distribution of information
► Disposal of information
► Downgrading/declassification of information
Audit logging and monitoring
Policy: Deploy the necessary system capabilities to log security
Sub-processes under audit logging & monitoring
► Audit logging
► Protection of log information
► Administrator and operator logs
► Fault logging
► Clock synchronization
Audit logging and monitoring (contd)
Audit logging
► Monitoring should be enabled for applications/systems
► Audit logs and system logs should be reviewed and kept for an agreed period
Protection of log information
► Access to log files should be restricted to authorized users
Clock synchronization
► A network time server should be implemented
Cryptography and digital signature security
Policy
Sub-processes under cryptography & digital signature
► General cryptography and digital signature
► Key management
► Data-in-transit
► Data-at-rest
► Asymmetric key lifetime
General cryptography and digital signature
► Access to encryption software should be given to personnel who handle confidential information
► Secret information in email and passwords must be encrypted when data is at rest or transmitted over the network
► Unique digital certificates must be deployed to transfer information on all internet commerce servers
Key management
► All symmetric cryptographic keys must be randomly generated
Data-in-transit
► Master keys must be changed once a year
► 128-bit encryption standard must be used
► Key-encrypting keys must be changed once a fortnight
Data-at-rest
► Key-encrypting keys must be changed every six months
► Master keys must be changed every year
► Data-encrypting keys must be changed every year
► Master keys for inactive data must be changed every two
Asymmetric key lifetime
► Cryptographic keys must be encrypted or stored on a security token
► The lifetime of asymmetric keys is dictated by the certificate policy document
► Encryption keys must be strictly protected from unauthorized access
► Keys associated with archived data must be archived
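The key management, data-in-transit, data-at-rest and asymmetric key lifetime statements above amount to a rotation schedule plus a few properties (random generation, minimum 128-bit strength, protected storage, certificate-driven lifetime for asymmetric keys). The following is an added example written for this page, not code from the framework or the Central Agency: an inventory check that, given key metadata, reports which keys are overdue for rotation or otherwise out of policy. The metadata fields (`scope`, `role`, `generated_with`, `protected`, `cert_not_after`) and the accepted generator labels are assumptions about how a ministry would record its keys; the rotation periods and the 128-bit minimum are the page's own.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Rotation periods stated on this page, keyed by (scope, key role).
ROTATION_RULES = {
    ("transit", "master"): ("months", 12),   # master keys: once a year
    ("transit", "kek"):    ("days", 14),     # key-encrypting keys: once a fortnight
    ("rest", "master"):    ("months", 12),   # master keys: every year
    ("rest", "kek"):       ("months", 6),    # key-encrypting keys: every six months
    ("rest", "dek"):       ("months", 12),   # data-encrypting keys: every year
}
MIN_KEY_BITS = 128                            # "128-bit encryption standard must be used"
ACCEPTED_GENERATORS = {"csprng", "hsm"}       # assumed labels meaning "randomly generated"


@dataclass
class SymmetricKey:
    key_id: str
    scope: str             # "transit" or "rest"
    role: str              # "master", "kek" or "dek"
    bits: int
    generated_with: str    # assumed inventory field: how the key material was produced
    last_rotated: date
    protected: bool        # encrypted at rest or held on a security token


@dataclass
class AsymmetricKey:
    key_id: str
    cert_not_after: date   # lifetime is dictated by the certificate policy document
    protected: bool


def add_months(d: date, n: int) -> date:
    """Calendar-aware month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def rotation_due(key: SymmetricKey) -> date:
    """Date by which the key must have been rotated under the page's schedule."""
    unit, n = ROTATION_RULES[(key.scope, key.role)]
    if unit == "days":
        return key.last_rotated + timedelta(days=n)
    return add_months(key.last_rotated, n)


def check_symmetric(key: SymmetricKey, today: date) -> List[str]:
    """Return the policy findings for one symmetric key (empty list means compliant)."""
    findings = []
    if key.bits < MIN_KEY_BITS:
        findings.append("key_too_short")
    if key.generated_with not in ACCEPTED_GENERATORS:
        findings.append("not_randomly_generated")
    if not key.protected:
        findings.append("unprotected")
    if today > rotation_due(key):
        findings.append("rotation_overdue")
    return findings


def check_asymmetric(key: AsymmetricKey, today: date) -> List[str]:
    """Asymmetric keys: protected storage, and lifetime bounded by the certificate."""
    findings = []
    if not key.protected:
        findings.append("unprotected")
    if today > key.cert_not_after:
        findings.append("certificate_expired")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real deployment.
    today = date(2024, 6, 1)
    inventory = [
        SymmetricKey("kek-transit-01", "transit", "kek", 256, "csprng", date(2024, 5, 1), True),
        SymmetricKey("master-rest-01", "rest", "master", 256, "hsm", date(2023, 8, 1), True),
        SymmetricKey("dek-rest-01", "rest", "dek", 64, "time-seed", date(2024, 1, 1), False),
    ]
    for k in inventory:
        print(k.key_id, "due", rotation_due(k), check_symmetric(k, today))
    print(check_asymmetric(AsymmetricKey("sig-01", date(2024, 3, 31), True), today))
```

Running this daily against the real inventory turns the page's schedule into a measurable control, which also feeds the "metrics" slide: the count of `rotation_overdue` findings is a direct compliance figure.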
Password policy
► Ensure that passwords are used securely: only strong passwords are used, and each password is known only to the respective user
Password reset procedure
► Password reset request initiation
► Request recording
► Request acceptance and user verification
► Request execution
Password reset procedure (contd)
Password reset request initiation
► The User must initiate the password reset request by contacting the Service Desk via email/phone/in person
Request recording
► The Service Desk must record the password reset request and note the requestor details
Request acceptance and user verification
Media handling
Policy: Electronic and paper-based information storage media need to be handled according to established procedures.
Sub-processes under media handling
► Management of removable media
► Disposal of media
► Security of system documentation
Media handling (contd)
Management of removable media
► Removable media should be identified, classified, labelled, stored and handled according to the Asset Management Procedure document
Disposal of media
► Media should be disposed safely and securely as per Asset Management Procedure document
Security of system documentation
Objective and scope
Objective
► The objective of this procedure is to establish security requirements so that access to information resources is controlled and the access rights granted to users are limited to their business roles
Scope
Other key policy statements
► Security awareness
  ► Basic security awareness training shall be provided to all information system users, including third party users and contractors
► Compliance management
  ► Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness
► Data protection and privacy of personal information
Other key policy statements (contd)
► Human resources security
  ► Reduce the risks inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations
► Third party service delivery management
  ► Controls must be in place to ensure that all third party services comply with the agreed service level agreements. The Government Ministry shall ensure that all the security controls, service definitions, and delivery levels included in the third party service provider's contracts are implemented, operated, and maintained by the service provider
► Clear screen and clear desk
Metrics
Metrics serve to provide transparency on compliance with security policies.
► Example metrics are:
  ► Number of security-related incidents reported, logged, tracked and resolved in a timely manner
  ► Number of identified vulnerabilities or threats not adequately addressed in the previous risk assessment report
  ► Number of internal audits conducted and their results discussed during management review meetings
Critical success factors
► Commitment and support from senior management
► Adequate financial and human resources for success
► Distribution of guidance on information security policy and standards to all managers, employees and other parties
► Roles and responsibilities for ISMS are allocated and clearly communicated
► Periodic risk assessment carried out as planned and/or prior to any change
► Implementation of controls in line with risk treatment plan/security plan.