Cybersecurity Subcommittee March 2020 Page 1 of 1
Cybersecurity Subcommittee Meeting Agenda
March 5, 2020
1:15 – 2:30
Omni Jacksonville
Florida Ballroom C & D, Second Floor
I. Welcome – Judge Scott Stephens, Chair
A. Roll call
II. Cyber-Review Subgroup Update – Robert Adelardi
A. Draft Model Circuit Cybersecurity Policies
i. Email
ii. Password
iii. Mobile Device
iv. VPN
v. Media Protection
vi. Wireless Access
vii. Acceptable Use and User Agreement
viii. Incident Reporting
B. Subgroup motion recommending approval of proposed policies
III. Cybersecurity Subcommittee – Judge Stephens
A. Subcommittee motion recommending approval to the FCTC as 1st Reading
IV. Next Steps – Group Discussion
A. Security Technical Standards Subgroup
B. Next FCTC meeting: June 18-19, 2019 in Orlando
Agenda Item II A. Draft Cybersecurity Policies
i. Email
Version 1.0 Policy Number►
CONFIDENTIAL 1
Policy Number
INFORMATION SECURITY POLICY
Version 1.0 Revised: 03/05/20
I. Introduction
Electronic mail (email) is the primary communication and awareness method within the courts. Misuse of email can pose many legal, privacy and security risks, making it vitally important for users to understand the appropriate use of electronic communications. This policy outlines expectations for appropriate, safe, and effective email use.
A. Purpose: The purpose of this policy is to detail the Court's guidelines for email. This policy will help the Court reduce risk of email-related security and privacy incidents, foster good business communications, both internal and external to the Court, and provide for consistent and professional application of the Court's email principles.
B. Applicability: This policy shall apply to all court system users.
II. Policy
A. Policy Statement:
This policy covers appropriate use of any email sent from the court’s email address and applies to all system users.
B. Procedure or Standard: Users are asked to exercise caution when sending or receiving email from court accounts. Additionally, the following applies to the proper use of the court’s email system.
• All use of email must be consistent with the court’s policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices;
• Personal usage of court email systems is permitted as long as A) such usage does not negatively impact the court computer network, and B) such usage does not negatively impact the user's job performance;
• The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are prohibited;
• Email that is identified as a business record shall be retained according to the Court’s Record Retention Schedule;
• Users shall have no expectation of privacy in anything they store, send or receive on the court’s email system;
• Users must use care when opening email attachments. Malware can be easily delivered as an email attachment;
• Users should:
❖ Never open email attachments from an unexpected or unknown source; and
❖ Never click links within email messages unless certain of the link's safety. It is often best to copy and paste the link into your web browser, or retype the URL, as specially-formatted emails can hide a malicious URL.
• Users should be advised the court owns and maintains all legal and intellectual rights to its email systems, network, and content. Any email passing through these systems is owned by the courts;
• Users should be advised that email sent to or from public or governmental entities may be considered public record;
• Users should not open email messages that, in the user's opinion, seem suspicious. If the user is particularly concerned about an email, or believes it contains illegal or improper content, he or she should notify his or her supervisor;
• Users are not to access, or attempt to access, the court’s email system from a non-court issued device without the permission of his or her CTO/CIO, or agency designee; and
• The use of strong passwords is mandatory.
III. Exceptions
Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the designee.
IV. Enforcement
Violation of this policy may result in disciplinary action, up to and including termination.
V. References
NIST Cybersecurity Framework
VI. Revisions
DATE DESCRIPTION
03/05/20 Original
VII. Approval
___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida
* * *
Agenda Item II A. Draft Cybersecurity Policies
ii. Passwords
Policy Number
INFORMATION SECURITY POLICY
Passwords
Version 1.0 Revised: 03/05/20
I. Introduction
A solid password policy is perhaps the most important security control a Court System can employ. In today’s climate it is more important than ever to have a strong password on accounts and devices and not share the password with anyone.
A. Purpose: The purpose of this policy is to specify guidelines for use of passwords.
B. Applicability: This policy shall apply to all court system users.
II. Policy
A. Policy Statement: Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of a Court System’s entire network. As such, employees (including contractors and vendors with access to systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their password.
B. Minimum Standards:
Court system user account password standards must comply with one of the following:
1. NIST Digital Identity Guidelines (800-63B) or current version;
2. FDLE/FBI Criminal Justice Information Services “CJIS” Security Policy current version (5-8); or
3. Alternative court established minimum standards as defined below:
• Passwords must be a minimum of 8 characters;
• Passwords must be strong passwords i.e., passwords comprised of a mix of letters, numbers and special characters (punctuation marks and symbols) or pass-phrases longer than 12 characters in length;
• Passwords must be comprised of a mix of upper and lower case;
• Passwords must not be comprised of, or otherwise utilize, words that can be found in a dictionary;
• Passwords must not be comprised of an obvious keyboard sequence (e.g., qwerty);
• Passwords should not include "guessable" data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.;
• Users must not disclose their passwords to anyone;
• Users must not write down their passwords;
• Passwords for court accounts must be different than personal accounts;
• Users must not send passwords via email;
• Users must not re-use the past ten passwords; and
• At a minimum, users must change passwords every 90 days. The System Administrator/Password Administrator may use software that enforces this policy by expiring users' passwords after this time period.
C. Incident Reporting:
It is the user’s responsibility to immediately report any suspicious activity involving his or her passwords to the System Administrator, Security Officer, or Agency designee. Any request for passwords over the phone or email, whether the request came from organization personnel or not, should be expediently reported. When a password is suspected to have been compromised, the System Administrator, Security Officer, or Agency designee will request that the user, or users, change all of his or her applicable passwords.
III. Exceptions
Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.
IV. Enforcement
Violation of this policy may result in disciplinary action, up to and including termination.
V. References
NIST Cybersecurity Framework
VI. Revisions
DATE DESCRIPTION
03/05/20 Original
VII. Approval
___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida
* * *
Agenda Item II A. Draft Cybersecurity Policies
iii. Mobile Device
Policy Number
INFORMATION SECURITY POLICY
Mobile Device Management
Version 1.0 Revised: 03/05/20
I. Introduction
As mobile technology becomes ever more present in our environment, it is imperative to minimize the security risks to the court network that these devices introduce. As the Court System expands the use of mobile technology for day-to-day operations, ensuring that access to the court network is governed by a comprehensive mobile device management policy will help mitigate security risks.
A. Purpose:
The purpose of this policy is to specify standards for the use and security of mobile devices that access the secure court network.
B. Applicability:
This policy shall apply to all court system users.
II. Policy
A. Policy Statement: All mobile devices that access the secure court network are governed by this mobile device security policy.
B. Procedure or Standard:
1. Physical Security
Users should carefully consider the physical security of mobile devices and take appropriate protective measures, including the following:
• Care should be given when transporting mobile devices;
• Mobile devices should be adequately protected at all times;
• Lost or stolen devices must be reported to the CTO/CIO, or appropriate designee immediately.
2. Data Security
If a mobile device is lost or stolen, the data security controls that were implemented on the device are the last line of defense for protecting circuit data. The following sections specify the court’s requirements for data security as it relates to mobile devices.
• The device must be password/passcode protected;
• Court issued devices must be encrypted;
• Users connecting to court networks from an unsecured or open network environment must use an encrypted connection, e.g., VPN, VDI, etc.;
• Court owned mobile device(s) may only contain approved programs and data essential to their role;
• Only court owned mobile devices will be allowed to connect directly to the internal secure court network;
• Court owned devices must be kept up to date with manufacturer or network provided patches;
• Devices must not be connected to a PC which does not have up to date and enabled anti-malware protection;
• The use of personal owned devices must be approved by the IT department before accessing court email or programs;
• Users must be cautious about the merging of personal and work email accounts on their devices. They must take particular care to ensure that court data is only sent through the court email system; and
• Users must be aware of and comply with retention policies.
III. Exceptions
Exceptions to this policy are to be submitted to the CTO/CIO for evaluation and approval by the appropriate designee.
IV. Enforcement
Violation of this policy may result in disciplinary action, up to and including termination.
V. References
NIST Cybersecurity Framework
VI. Revisions
DATE DESCRIPTION
03/05/20 Original
VII. Approval
___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida
* * *
Agenda Item II A. Draft Cybersecurity Policies
iv. VPN
Policy Number
INFORMATION SECURITY POLICY
Virtual Private Network
Version 1.0 Revised: 03/05/20
I. Introduction
Court staff will be required to use a Virtual Private Network (VPN) to keep court information systems secure while providing remote access. VPN allows staff to access confidential and sensitive court information in a secure manner. However, VPN does pose a risk by granting court staff access outside the standard security protocols. As such, access will only be provided to authorized court staff with appropriate approval, to ensure the access is restricted, audited, and secured.
A. Purpose:
The purpose of this policy is to establish the guidelines for Virtual Private Network (VPN) connections for authorized system users to court networks from any host. VPN connections provide a secure connection to court system resources while accessing from external networks. These requirements are meant to limit exposure of court networks from unauthorized use.
B. Applicability: This procedure shall apply to all court system users.
II. Policy
A. Policy Statement: Approved court employees and authorized third parties (external stakeholders, vendors, etc.) may be granted authorization for the use of VPNs.
B. Procedure or Standard:
1. VPN access will be permitted only to establish a secure remote connection to the court network for official court business only.
2. IT Contractors and vendors may only have access to Circuit devices (servers and pc’s) if a valid contract for the provision of services exists. During the provision of services, the remote connection may be monitored by a Circuit IT employee.
3. Requests to provide VPN access to the court network, for employees or consultants, must be processed by the court IT Department and approved by the CTO/CIO or designee.
4. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to the court’s internal networks. Access usernames and passwords are not to be shared.
5. Dual (split) tunneling is not permitted; only one network connection is allowed at the same time.
6. VPN gateway(s) will be set up and managed by the court IT Department network operational group.
7. The VPN gateway(s) must be configured to use robust and reliable encryption protocols such as IPSec, TLS, and SSL.
8. All devices connected to the court’s internal networks via VPN must be up to date on security patches, including anti-virus software that is up to date. This includes personal or third-party computers.
9. VPN users will be automatically disconnected from the court’s network after 30 minutes of inactivity. The user must then log on again to reconnect to the network. Artificial network processes are not to be used to keep the connection open.
10. Users of computers that are not property of the Circuit must configure the equipment to comply with the local court’s information technology policies.
11. Only the court’s IT Department approved VPN clients may be used.
12. While connected to the court’s network by means of a VPN connection, users must comply with the same rules, regulations and policies as if physically working in a court facility.
13. Whenever possible, all VPN accounts for external vendors will remain “inactive” in the system while not in use, and the manager requesting activation of the remote access is responsible for monitoring its use in the related application’s logs, where applicable and available.
14. Site-to-Site VPN connections should be approved by the CTO/CIO. The requests must be properly documented.
III. Exceptions
Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the designee.
IV. Enforcement
Violation of this policy may result in disciplinary action, up to and including termination.
V. References
NIST Cybersecurity Framework
VI. Revisions
DATE DESCRIPTION
03/05/20 Original
VII. Approval
___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida
* * *
Agenda Item II A. Draft Cybersecurity Policies
v. Media Protection
Policy Number
INFORMATION SECURITY POLICY
Media Protection
Version 1.0 Revised: 03/05/20
I. Introduction
Court systems have the capability to store sensitive or classified information on physical and electronic media devices. Information held on such devices can be compromised if not properly disposed of. It is essential to govern the proper sanitization of all court media devices to protect the court systems data.
A. Purpose:
The purpose of this policy is to outline how media is protected and disposed in a secure manner by authorized individuals of the court systems. Proper handling and disposal of media, whether in physical or digital form, is essential to protecting confidential and or sensitive information.
B. Applicability:
This policy shall apply to all court system users.
II. Policy
A. Policy Statement:
Throughout the daily operations of the court, information is transferred, created and consumed by system users. The information may be stored by means of digital or physical media. Safeguarding access, storage and destruction of all media containing sensitive or confidential court information is imperative. This policy seeks to establish the necessary controls to provide adequate safeguards against unwanted disclosure of information.
B. Procedure or Standard:
The court will ensure that only authorized individuals will be granted access to media containing sensitive or confidential information.
1. Handling and Disposal of Physical Media:
Sensitive or confidential physical media will be stored within a physically secure building. Physical media should be stored behind locked doors and/or in locked cabinets.
When no longer needed, physical media shall be disposed of by one of the following methods:
▪ Shredding using a cross-cut shredder. The shredding will be done by an authorized employee of the court;
▪ If the court enters into an agreement with a media disposal vendor, then the paper media shall be placed in locked shredding bins provided by the vendor for the private vendor to cross-cut shred onsite. This shall be witnessed by an employee of the court throughout the entire process.
2. Handling of Digital Media:
▪ Digital media containing sensitive or confidential data will be stored within a physically secure building. Any digital media that is transported outside the physically secure location should be encrypted. At no time will the digital media be released to an unauthorized person or left unattended without proper supervision;
▪ All digital media containing sensitive or confidential data shall be encrypted while at rest;
▪ Any device that has a physical storage device must have the storage device removed and destroyed or sanitized prior to decommission or transfer. Examples of such devices are multi-function devices, servers, personal computers, etc.;
▪ When the storage device for any reason is no longer of use or has reached its end of life, the storage media shall be inventoried and physically destroyed or sanitized;
▪ An authorized representative of the Circuit must be present during the destruction or sanitization of the digital media;
▪ Written documentation will be maintained of the steps taken to destroy or sanitize digital media.
III. Exceptions
Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.
IV. Enforcement
Violation of this policy may result in disciplinary action, up to and including termination.
V. References
NIST Cybersecurity Framework
VI. Revisions
DATE DESCRIPTION
03/05/20 Original
VII. Approval
___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida
* * *
Agenda Item II A. Draft Cybersecurity Policies
vi. Wireless Access
Policy Number
INFORMATION SECURITY POLICY
Wireless Access
Version 1.0 Revised: 03/05/20
I. Introduction
Wireless communication is playing an increasingly important role in the workplace. In the past, wireless access was the exception; it has now become the norm in the court. While wireless access can increase the mobility and productivity of users, it can also introduce security risks to the network.
A. Purpose: The purpose of this policy is to state the standards for wireless access to the court’s network.
B. Applicability: This policy shall apply to all court system users.
II. Policy
A. Policy Statement:
Wireless access provides mobile connectivity to the court’s network. This connectivity requires proper network administration practices to guarantee the security of the courts.
B. Procedure or Standard:
1. The wireless access point should utilize MAC address filtering so that only known wireless NICs are able to connect to the wireless network. If possible, join only domain authenticated computers;
2. Encryption shall be used to secure wireless communications;
3. Administrative access to wireless access points shall utilize strong passwords;
4. Wireless networking should require users to authenticate against a centralized server. These connections should be logged, with IT staff reviewing the log regularly for unusual or unauthorized connections;
5. Wireless LAN management software should be used to enforce wireless security policies. The software must have the capability to detect rogue access points;
6. Wireless devices should be installed only by the court’s IT department or partnered agency responsible for providing wireless services (e.g., county IT).
III. Exceptions
Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.
IV. Enforcement
Violation of this policy may result in disciplinary action, up to and including termination.
V. References
NIST Cybersecurity Framework
VI. Revisions
DATE DESCRIPTION
03/05/20 Original
VII. Approval
___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida
* * *
Agenda Item II A. Draft Cybersecurity Policies
vii. Acceptable Use and User Agreement
Policy Number
INFORMATION SECURITY POLICY
Acceptable Use and User Agreement
Version 1.0 Revised: 03/05/20
I. Introduction
There are a number of reasons to provide a user access to the court network. This access covers responsibilities regarding acceptable use and gives guidelines to proper user practices.
A. Purpose:
The purpose of this policy is to outline the acceptable use of computer equipment. These rules are in place to protect the employee and court information. Inappropriate use exposes the court to risks including malware, compromise of network systems and services, and legal issues.
B. Applicability:
This policy shall apply to all court system users.
II. Policy
A. Policy Statement: Access to the court’s network, including but not limited to, computer systems, email, and the provided internet connection, carries certain responsibilities and obligations. Inappropriate use of systems exposes the court to risk. This policy covers acceptable and prohibited uses of the court’s electronic resources.
B. Procedure or Standard:
1. Monitoring and Privacy
Users should expect no privacy when using the court network or resources. Such use may include but is not limited to: transmission and storage of files, data, and messages. The Court reserves the right to monitor any and all use of the computer network, including use of the network by personal devices that are not owned, issued, or approved by the Court. To ensure compliance with Court policies this may include the interception and review of any emails, or other messages sent or received, inspection of data stored on personal file directories, hard disks, and removable media. This monitoring is necessary to maximize the security of the Court’s network and resources.
2. Personal Usage
Personal usage of the Court’s computer systems is permitted as long as such usage follows pertinent guidelines elsewhere in this document and does not have a detrimental effect on the Court or on the user's job performance. Personal usage, as with usage for job functions, will be subject to monitoring for the purpose of security.
3. Bandwidth Usage
Excessive use of the court’s bandwidth or other computer resources for non-court related activities is not permitted. Large file downloads or other bandwidth-intensive tasks that may degrade network performance must not interfere with court operations. Please contact your IT department for help with large files.
4. Blogging, Social Networking, and Instant Messaging
Personal blogging and social networking sites are very risky and prone to malware. Access to these sites through the court’s network is highly discouraged. Court employees should avoid impropriety and the appearance of impropriety in all activities. Employees’ activities within the workplace, as well as outside the workplace and outside the scope of work-related duties, should not:
• Be done in an unprofessional and irresponsible manner;
• Interfere with the performance of job responsibilities;
• Adversely impact the operation of the court;
• Lend the prestige of the court to advance private interests.
While commenting about issues in the workplace is generally not prohibited, employees should not post or display comments about co-workers, supervisors, judges, or the court system where the post or comment may be unlawful; is vulgar, obscene (including use of profanity), threatening (including references to violence or physical harm), intimidating, or harassing; or is a violation of the Civil Rights policies against discrimination, harassment, or hostility on account of age, race, religion, sex, nationality, disability, or other protected class, status, or characteristic. Furthermore, employee posts or comments should never use or disclose confidential information including personal health or family information about other employees.
The user assumes all risks associated with blogging and/or social networking.
5. Circumvention of Security
The circumvention of any security systems, authentication systems, user-based systems, or escalating privileges is expressly prohibited. Knowingly taking any actions to bypass or circumvent security is expressly prohibited.
6. Confidentiality
Confidential data must not be:
• Shared or disclosed in any manner to any unauthorized party;
• Posted on the internet or any publicly accessible systems; or
• Transferred in any insecure manner.
7. Copyright Infringement
The court's computer systems and networks must not be used to download, upload, or otherwise handle illegal and/or unauthorized copyrighted content. Any of the following activities constitute violations of acceptable use policy, if done without permission of the copyright owner:
• Copying and sharing images, music, movies, or other copyrighted material if it violates the license agreement;
• Posting or plagiarizing copyrighted material in violation of its original license agreement; and
• Downloading copyrighted files which an employee has not legally procured.
This list is not meant to be exhaustive. Copyright law applies to a wide variety of works and applies to much more than is listed above.
8. E-mail Use
Personal usage of the Court’s email systems should not negatively impact the court’s computer network and the user’s job performance.
• The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive but is included to provide a frame of reference for types of activities that are prohibited;
• The user is prohibited from forging email header information or attempting to impersonate another person;
• It is the user’s responsibility to exercise caution before opening email attachments from unknown senders, or when such attachments are unexpected;
• Email systems were not designed to transfer large files and as such emails should not contain attachments of excessive file size.
9. Mobile Devices
Mobile devices that are capable of storing circuit data, including, but not limited to, laptops, notebooks, smart phones, and USB drives regardless of whether they are court owned or personal equipment must adhere to the following standards:
a. Physical Security:
By nature, a mobile device is susceptible to loss or theft. Users should carefully consider the physical security of mobile devices and take appropriate protective measures. Caution should be exercised when transporting mobile devices in unsecured environments.
b. Connecting to Unsecured Networks:
Users should exercise caution when connecting court-issued devices to an unsecured network. Court-issued devices should be kept up to date with security patches and anti-malware software. When remotely accessing the court network the VPN client must be used.
c. General Guidelines:
The following guidelines apply to the use of court issued mobile devices:
• Loss, theft, or other security incident related to a mobile device must be reported to the IT department immediately, and not more than 24 hours after the incident; and
• Confidential data should not be stored on mobile devices unless it is absolutely necessary to perform required work activities.
10. Access of Information
The user should take reasonable efforts to avoid accessing network data, files, and information that are not directly related to his or her job function. The fact that you have access to information does not imply permission to use this access. Users should not access or attempt to access files or emails that belong to another user unless specifically required by their job.
11. Non-Court-Owned Equipment
Non-Court-provided software and hardware is prohibited on the network unless expressly approved by the Trial Court Administrator or designee.
12. Overuse
Actions detrimental to the computer network or other court resources, or that negatively affect job performance are not permitted.
13. Passwords
Password policies are required to keep the network secure from people who seek to gather information that would give them access to data and allow them to harm the Court’s System, other agencies, and individuals. Password requirements are outlined in the court’s Security Password policy. Additional tips on creating strong passwords are as follows:
a. Keep passwords unique. Do not use passwords from other accounts such as Facebook, Twitter, bank accounts, personal email, or any other personal account;
b. Do not write down your password and store it in a location where it may be accessed and used by another person;
c. Do not use family member names such as children or spouse;
d. Examples:
Bad Password: 123456
What’s wrong: Missing a lowercase and uppercase letter and a symbol. Also it is less than 8 characters in length.
Good password: one2THREE4five6

Bad Password: honesty
What’s wrong: Missing a number, uppercase letter and symbol. Also it is less than 8 characters in length.
Good password: Hone$tyisg00d

Bad Password: Umbrella1
What’s wrong: This is a single dictionary word starting with an uppercase letter and followed by a 1. It is an example of barely meeting the password policy and can be easily guessed.
Good password: I l0ve my blue umbrella!

Bad Password: Pa$$w0rd
What’s wrong: Although this meets the password policy it is very commonly used. Avoid using common modifications to simple passwords by coming up with a phrase instead.
Good password: How will I remember this passw0rd?
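The following Python checker is an added example, not part of the draft policies, that applies the alternative court-established minimum standards from the Passwords policy (8-character minimum; a mix of letters, numbers and special characters or a pass-phrase longer than 12 characters; mixed case; no dictionary words; no obvious keyboard sequences; no guessable personal data) to the example passwords above. The dictionary and keyboard-sequence lists are small constructed samples, and the "common substitution" warning is an added advisory check that shows why Pa$$w0rd can meet the letter of the policy yet remain easily guessed.

```python
"""Checker for the draft Password policy's alternative minimum standards.

Constructed example: the wordlists are tiny illustrative samples; a real
deployment would load full dictionary and common-password lists.
"""
from dataclasses import dataclass, field

# Constructed sample dictionary (illustrative only).
DICTIONARY_WORDS = {"honesty", "umbrella", "password", "welcome", "summer", "justice"}
# Keyboard/sequence fragments the policy calls "obvious" (qwerty is the policy's own example).
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
# Common substitutions used to dress up a dictionary word (Pa$$w0rd -> password).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "$": "s", "@": "a"})


@dataclass
class PasswordReport:
    password: str
    violations: list = field(default_factory=list)  # hard failures against the minimum standard
    warnings: list = field(default_factory=list)    # meets the policy but is still weak

    @property
    def meets_policy(self) -> bool:
        return not self.violations


def _letters_only(text: str) -> str:
    """Lower-case the text and keep only its letters."""
    return "".join(c for c in text.lower() if c.isalpha())


def check_password(password: str, personal_terms=()) -> PasswordReport:
    """Evaluate one candidate password against the alternative standard.

    personal_terms: the user's own guessable data (names, pet, birthday digits)
    that the policy says must not appear in the password.
    """
    report = PasswordReport(password)
    lowered = password.lower()

    if len(password) < 8:
        report.violations.append("fewer than 8 characters")

    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)  # punctuation, symbols, spaces
    if not ((has_letter and has_digit and has_special) or len(password) > 12):
        report.violations.append("not a mix of letters, numbers and special characters, "
                                 "and not a pass-phrase longer than 12 characters")

    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        report.violations.append("missing a mix of upper and lower case")

    # A dictionary word padded with digits/symbols (Umbrella1) is still a dictionary word.
    if _letters_only(password) in DICTIONARY_WORDS:
        report.violations.append("is a dictionary word")

    for seq in KEYBOARD_SEQUENCES:
        if seq in lowered:
            report.violations.append(f"contains obvious keyboard sequence '{seq}'")

    for term in personal_terms:
        if term and term.lower() in lowered:
            report.violations.append(f"contains guessable personal data '{term}'")

    # Advisory check (added here, not in the policy text): undo common substitutions
    # and look again for a dictionary word, which is what makes Pa$$w0rd weak.
    if _letters_only(lowered.translate(LEET_MAP)) in DICTIONARY_WORDS:
        report.warnings.append("common substitution of a dictionary word; "
                               "meets the policy but is easily guessed")
    return report


if __name__ == "__main__":
    # The example passwords from the Acceptable Use policy's table.
    for pw in ("123456", "one2THREE4five6", "honesty", "Hone$tyisg00d",
               "Umbrella1", "I l0ve my blue umbrella!", "Pa$$w0rd"):
        r = check_password(pw)
        status = "OK" if r.meets_policy else "REJECT"
        print(f"{status:6} {pw!r}: {'; '.join(r.violations + r.warnings) or 'no findings'}")
```

Under this standard Umbrella1 fails the dictionary-word rule outright, while Pa$$w0rd passes every hard rule and is caught only by the advisory substitution check, matching the table's remark that it "meets the password policy" but is commonly used.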
14. Peer-to-Peer File Sharing
Peer-to-Peer (P2P) networking is not allowed on the court network under any circumstance unless for official court business.
15. Remote Desktop Access
Use of non-court supplied remote desktop software and/or services (such as Citrix, VNC, GoToMyPC, etc.) is prohibited.
16. Reporting of Security Incident
If a security incident or breach of any security policies is discovered or suspected, the user must immediately notify his or her supervisor and/or follow any applicable guidelines as detailed in the court’s Security Incident Response Policy. Examples of incidents that require notification include:
• Suspected compromise of login credentials (username, password, etc.);
• Suspected virus/malware/Trojan infection;
• Loss or theft of any device that contains Court information;
• Loss or theft of ID badge or keycard;
• Any attempt by any person to obtain a user's password over the telephone or by email; and
• Any other suspicious event that may impact the Court’s information security.
Users must treat a suspected security incident as confidential information, and report the incident only to his or her supervisor. Users must not withhold information relating to a security incident or interfere with an investigation.
17. Software Installation
Installation of non-Court-approved programs is prohibited. Numerous security threats can masquerade as innocuous software - malware, spyware, and Trojans can all be installed inadvertently through games or other programs. Alternatively, software can cause conflicts or have a negative impact on system performance. Exceptions must be approved by the Trial Court Administrator or designee and installed by court IT personnel.
18. Streaming Media
Streaming media (the use of the internet to listen to live radio or watch video) can use a great deal of network resources and is therefore permitted only for business use when using the court network.
19. Unacceptable Use
The following actions shall constitute unacceptable use of the court resources. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are deemed unacceptable. The user may not use the court network and/or systems to:
• Engage in activity that is illegal under local, state, federal, or international law;
• Engage in any activities that may cause embarrassment, loss of reputation, or other harm to the Court;
• Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media;
• Engage in activities that cause an invasion of privacy;
• Engage in activities that cause disruption to the workplace environment or create a hostile workplace;
• Make fraudulent offers for products or services;
• Install, share, or distribute unlicensed or "pirated" software, music, or videos in violation of copyright laws; and
• Reveal personal or network passwords to others, including family, friends, or other members of the household when working from home or remote locations.
20. Non-approved Activities
No court-owned or court-provided computer systems may be knowingly used for activities that are considered illegal under local, state, federal, or international law. Such actions may include, but are not limited to, the following:
• Unauthorized Port Scanning;
• Unauthorized Network Hacking;
• Unauthorized Packet Sniffing;
• Unauthorized Packet Spoofing;
• Unauthorized Denial of Service;
• Unauthorized Wireless Hacking;
• Any act that may be considered an attempt to gain unauthorized access to or escalate privileges on a computer or other electronic system;
• Acts of Terrorism;
• Identity Theft;
• Spying; and
• Downloading, storing, or distributing violent, perverse, obscene, lewd, or offensive material as deemed by applicable statutes.
The courts will take all necessary steps to report and prosecute any violations of this policy.
21. Web Browsing
Personal Use: The court recognizes that the Internet can be a tool that is useful for both personal and professional purposes. Personal usage of court computer systems to access the Internet is permitted as long as such usage follows pertinent guidelines elsewhere in this document and does not have a detrimental effect on the court or on the user's job performance. The court monitors all use of the Internet, regardless of whether it is personal or professional.
III. Exceptions
Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.
IV. Enforcement
Violation of this policy may result in disciplinary action, up to and including termination.
V. References
NIST Cybersecurity Framework
VI. Revisions
DATE        DESCRIPTION
03/05/20    Original
VII. Approval
___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida
* * *
Agenda Item II A. Draft Cybersecurity Policies
viii. Incident Reporting
Version 1.0 Policy Number►
CONFIDENTIAL 1
Policy Number
INFORMATION SECURITY POLICY
Incident Reporting Version: 1.0 Revised: 03/05/20
I. Introduction
In the event of a suspected security breach, early detection and a quick, comprehensive response are key components of mitigating risk and recovering quickly.
A. Purpose: This policy is intended to ensure that the Court System is prepared if a security incident were to occur. It details exactly what must occur if an incident is suspected, covering both electronic and IT physical security incidents. Note that this policy is not intended to provide a substitute for legal advice and approaches the topic from a security practices perspective.
B. Applicability: This policy shall apply to all court system users.
II. Policy
A. Policy Statement: This policy is pursuant to and in accordance with Federal, State, and law enforcement agency regulations and guidelines for responding to and reporting electronic data security incidents related to the Court System’s electronic data security. In the case of an electronic data security incident, this policy will be utilized to establish reasonable measures to protect the security, confidentiality and integrity of protected data and data systems on the Court System’s infrastructure during the entire life cycle of an incident. All reported incidents will be investigated and fully documented. A security incident, as it relates to the Court System's information assets, can take one of two forms. For the purposes of this policy a security incident is defined as one of the following:
Electronic: This type of incident can range from an attacker or user accessing the network for unauthorized/malicious purposes, to a virus outbreak, to a suspected Trojan or malware infection or data loss through a physical incident.
Physical: A physical IT security incident involves the loss, theft or damage to any court system technology devices and infrastructure.
B. Procedure or Standard:
Electronic or Physical Incidents
When an incident is suspected, the Court System's goal is to recover as quickly as possible, limit the damage done, secure the network data and digital resources, and preserve evidence of the incident. The following steps should be taken in order:
1. Report the incident to the CTO/CIO, or agency designee;
2. Remove the compromised device from the network by unplugging or disabling network connection. Do not power down the machine;
3. Disable the compromised account(s) as appropriate;
4. Physically secure the compromised system;
5. Change or disable compromised usernames, passwords, and account information;
6. If prosecution of the incident is desired, chain-of-custody and preservation of evidence are critical;
7. Create a detailed event log documenting each step taken during this process;
8. Determine how the attacker gained access and disable this access;
9. Restore any required data from the last known good backup and put the system back online;
10. Take actions, as possible, to ensure that the vulnerability (or similar vulnerabilities) will not reappear;
11. Notify applicable authorities if prosecution is desired and possible based on the evidence collected;
12. Notify appropriate vendors, insurance companies or government partners;
13. Perform a vulnerability assessment to spot any other vulnerabilities before they can be exploited; and
14. Any incidents should be completely and thoroughly documented and reviewed for lessons learned.
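Steps 6 and 7 above (preserve evidence and chain of custody; keep a detailed event log) are where an investigation most often falls apart afterwards, because a plain text log can be edited and a copied disk or memory image cannot be shown to be the one originally captured. The following is an added example, not part of the policy or of any court system, showing one way to keep such a log: each step is recorded as an entry carrying the SHA-256 of any evidence collected at that step and the hash of the previous entry, so later edits, deletions or reordering are detectable. The actors, the host name WS-042 and the evidence bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_entry(log: List[dict], actor: str, step: int, action: str,
                 evidence: Optional[bytes] = None,
                 evidence_name: Optional[str] = None) -> dict:
    """Append one hash-chained entry describing a response step.

    If evidence bytes are supplied (a captured image, an exported log), their
    SHA-256 is recorded so the copy handed to investigators can be verified later.
    """
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log) + 1,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "step": step,            # step number from the policy's ordered list
        "action": action,
        "prev_hash": prev_hash,
    }
    if evidence is not None:
        entry["evidence_name"] = evidence_name
        entry["evidence_sha256"] = sha256_hex(evidence)
    # The entry hash covers every field above, serialised canonically, and is
    # chained to the previous entry through prev_hash.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> bool:
    """Recompute the chain; any edited, removed or reordered entry breaks it."""
    prev = GENESIS
    for position, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != position or entry["prev_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def verify_evidence(entry: dict, evidence: bytes) -> bool:
    """Check that a piece of evidence still matches the hash logged at capture time."""
    return entry.get("evidence_sha256") == sha256_hex(evidence)


def build_demo_log() -> List[dict]:
    """Constructed walk-through of policy steps 1 to 4 for a hypothetical host WS-042."""
    memory_image = b"CONSTRUCTED SAMPLE MEMORY IMAGE BYTES"  # stands in for a real capture
    log: List[dict] = []
    append_entry(log, "j.doe", 1, "Reported suspected compromise of WS-042 to CTO/CIO")
    append_entry(log, "it.oncall", 2, "Disconnected network cable; host left powered on",
                 evidence=memory_image, evidence_name="ws-042-memory.raw")
    append_entry(log, "it.oncall", 3, "Disabled account j.doe in the directory")
    append_entry(log, "it.oncall", 4, "Host placed in locked evidence cabinet; custody transferred")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print(json.dumps(demo, indent=2))
    print("chain intact:", verify_log(demo))
```

Writing the log to append-only storage (or having a second person countersign the final entry hash) turns this from a tamper-evident structure into a tamper-resistant one; the hash chain alone only proves that a given copy has not been altered since the last entry whose hash was recorded elsewhere.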
III. Exceptions
Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.
IV. Enforcement
Violation of this policy may result in disciplinary action, up to and including termination.
V. References
NIST Cybersecurity Framework
VI. Revisions
DATE        DESCRIPTION
03/05/20    Original
VII. Approval
___________________________
Name
Trial Court Administrator
XXX Judicial Court System of Florida
* * *