
Cybersecurity Subcommittee March 2020 Page 1 of 1

Cybersecurity Subcommittee Meeting Agenda

March 5, 2020

1:15 – 2:30

Omni Jacksonville

Florida Ballroom C & D, Second Floor

I. Welcome – Judge Scott Stephens, Chair

A. Roll call

II. Cyber-Review Subgroup Update – Robert Adelardi

A. Draft Model Circuit Cybersecurity Policies

i. Email

ii. Password

iii. Mobile Device

iv. VPN

v. Media Protection

vi. Wireless Access

vii. Acceptable Use and User Agreement

viii. Incident Reporting

B. Subgroup motion recommending approval of proposed policies

III. Cybersecurity Subcommittee – Judge Stephens

A. Subcommittee motion recommending approval to the FCTC as 1st Reading

IV. Next Steps – Group Discussion

A. Security Technical Standards Subgroup

B. Next FCTC meeting: June 18-19, 2019 in Orlando


Agenda Item II A. Draft Cybersecurity Policies

i. Email


Version 1.0 Policy Number►

CONFIDENTIAL 1

Policy Number

INFORMATION SECURITY POLICY

Email

Version 1.0 Revised: 03/05/20

I. Introduction

Electronic mail (email) is the primary communication and awareness method within the courts. Misuse of email can pose many legal, privacy and security risks, making it vitally important for users to understand the appropriate use of electronic communications. This policy outlines expectations for appropriate, safe, and effective email use.

A. Purpose: The purpose of this policy is to detail the Court's guidelines for email. This policy will help the Court reduce risk of email-related security and privacy incidents, foster good business communications, both internal and external to the Court, and provide for consistent and professional application of the Court's email principles.

B. Applicability: This policy shall apply to all court system users.

II. Policy

A. Policy Statement:

This policy covers appropriate use of any email sent from the court’s email address and applies to all system users.

B. Procedure or Standard: Users are asked to exercise caution when sending or receiving email from court accounts. Additionally, the following applies to the proper use of the court’s email system.

• All use of email must be consistent with the court’s policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices;

• Personal usage of court email systems is permitted as long as A) such usage does not negatively impact the court computer network, and B) such usage does not negatively impact the user's job performance;

• The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are prohibited;

• Email that is identified as a business record shall be retained according to the Court’s Record Retention Schedule;


• Users shall have no expectation of privacy in anything they store, send or receive on the court’s email system;

• Users must use care when opening email attachments. Malware can be easily delivered as an email attachment;

• Users should:

  ❖ Never open email attachments from an unexpected or unknown source; and

  ❖ Never click links within email messages unless certain of the link's safety. It is often best to copy and paste the link into your web browser, or retype the URL, as specially-formatted emails can hide a malicious URL.

• Users should be advised the court owns and maintains all legal and intellectual rights to its email systems, network, and content. Any email passing through these systems is owned by the courts;

• Users should be advised that email sent to or from public or governmental entities may be considered public record;

• Users should not open email messages that, in the user's opinion, seem suspicious. If the user is particularly concerned about an email, or believes it contains illegal or improper content, he or she should notify his or her supervisor;

• Users are not to access, or attempt to access, the court’s email system from a non-court issued device without the permission of his or her CTO/CIO, or agency designee; and

• The use of strong passwords is mandatory.

III. Exceptions

Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the designee.

IV. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination.

V. References

NIST Cybersecurity Framework

VI. Revisions

DATE        DESCRIPTION
03/05/20    Original


VII. Approval

___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida

* * *


Agenda Item II A. Draft Cybersecurity Policies

ii. Passwords


Policy Number

INFORMATION SECURITY POLICY

Passwords

Version 1.0 Revised: 03/05/20

I. Introduction

A solid password policy is perhaps the most important security control a Court System can employ. In today’s climate it is more important than ever to have a strong password on accounts and devices and not share the password with anyone.

A. Purpose: The purpose of this policy is to specify guidelines for use of passwords.

B. Applicability: This policy shall apply to all court system users.

II. Policy

A. Policy Statement: Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of a Court System’s entire network. As such, employees (including contractors and vendors with access to systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their password.

B. Minimum Standards:

Court system user account password standards must comply with one of the following:

1. NIST Digital Identity Guidelines (800-63B) or current version;

2. FDLE/FBI Criminal Justice Information Services “CJIS” Security Policy current version (5-8); or

3. Alternative court established minimum standards as defined below:

• Passwords must be a minimum of 8 characters;

• Passwords must be strong passwords i.e., passwords comprised of a mix of letters, numbers and special characters (punctuation marks and symbols) or pass-phrases longer than 12 characters in length;

• Passwords must be comprised of a mix of upper and lower case;

• Passwords must not be comprised of, or otherwise utilize, words that can be found in a dictionary;

• Passwords must not be comprised of an obvious keyboard sequence (e.g., qwerty);


• Passwords should not include "guessable" data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.;

• Users must not disclose their passwords to anyone;

• Users must not write down their passwords;

• Passwords for court accounts must be different than personal accounts;

• Users must not send passwords via email;

• Users must not re-use the past ten passwords; and

• At a minimum, users must change passwords every 90 days. The System Administrator/Password Administrator may use software that enforces this policy by expiring users' passwords after this time period.
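As an added example, not part of the draft policy, the following checker applies the alternative minimum standards listed above to a candidate password and reports every rule it fails; the dictionary, keyboard-sequence list, personal-information tokens and password history it uses are constructed stand-ins for whatever a circuit would actually configure.

```python
"""Checker for the draft policy's alternative minimum password standards.

Added example, not part of the draft policy. DICTIONARY and
KEYBOARD_SEQUENCES are small constructed stand-ins for real lists.
"""
import hashlib
import string
from datetime import date, timedelta

MIN_LENGTH = 8           # "minimum of 8 characters"
PASSPHRASE_LENGTH = 12   # "pass-phrases longer than 12 characters"
HISTORY_DEPTH = 10       # "must not re-use the past ten passwords"
MAX_AGE_DAYS = 90        # "change passwords every 90 days"

# Constructed stand-ins; a real deployment would load a full word list.
DICTIONARY = {"password", "court", "florida", "summer", "welcome", "justice"}
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef", "1qaz2wsx")


def history_digest(password: str) -> str:
    """Digest used only to compare against stored history, so old passwords
    are never kept in clear text (this is not a credential-storage hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, history=(), personal_info=()) -> list:
    """Return the list of policy rules the password violates.

    history: digests (from history_digest) of the user's previous passwords.
    personal_info: the user's own "guessable" tokens (names, pet, birthday...).
    An empty list means the password satisfies every rule checked here.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "Strong": letters + numbers + special characters, OR a long pass-phrase.
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not ((has_letter and has_digit and has_special)
            or len(password) > PASSPHRASE_LENGTH):
        problems.append("needs letters, numbers and special characters, "
                        f"or a pass-phrase longer than {PASSPHRASE_LENGTH} characters")

    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs a mix of upper and lower case")

    # Dictionary rule: any listed word appearing anywhere in the password.
    words = sorted(w for w in DICTIONARY if w in lowered)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))

    if any(seq in lowered for seq in KEYBOARD_SEQUENCES):
        problems.append("contains an obvious keyboard sequence")

    guessable = [p for p in personal_info if p and p.lower() in lowered]
    if guessable:
        problems.append("contains personal information: " + ", ".join(guessable))

    # Only the most recent HISTORY_DEPTH digests count against re-use.
    if history_digest(password) in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the past {HISTORY_DEPTH} passwords")

    return problems


def password_expired(last_changed: date, today: date = None) -> bool:
    """True once the password is older than the 90-day maximum."""
    today = today or date.today()
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for candidate in ("qwerty", "Summer2020!", "Tr0ub4dor&3", "Correct Horse Battery"):
        print(candidate, "->", check_password(candidate) or "OK")
```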

C. Incident Reporting:

It is the user’s responsibility to immediately report any suspicious activity involving his or her passwords to the System Administrator, Security Officer, or Agency designee. Any request for passwords over the phone or email, whether the request came from organization personnel or not, should be expediently reported. When a password is suspected to have been compromised, the System Administrator, Security Officer, or Agency designee will request that the affected user or users change all applicable passwords.

III. Exceptions

Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.

IV. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination.

V. References

NIST Cybersecurity Framework

VI. Revisions

DATE        DESCRIPTION
03/05/20    Original

VII. Approval

___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida

* * *


Agenda Item II A. Draft Cybersecurity Policies

iii. Mobile Device


Policy Number

INFORMATION SECURITY POLICY

Mobile Device Management

Version 1.0 Revised: 03/05/20

I. Introduction

As mobile technology becomes ever more present in our environment, it is imperative to minimize the security risks to the court network that these devices introduce. As the Court System expands the use of mobile technology for day-to-day operations, ensuring that access to the court network is governed by a comprehensive mobile device management policy will help mitigate security risks.

A. Purpose:

The purpose of this policy is to specify standards for the use and security of mobile devices that access the secure court network.

B. Applicability:

This policy shall apply to all court system users.

II. Policy

A. Policy Statement: All mobile devices that access the secure court network are governed by this mobile device security policy.

B. Procedure or Standard:

1. Physical Security

Users should carefully consider the physical security of mobile devices and take appropriate protective measures, including the following:

• Care should be given when transporting mobile devices;

• Mobile devices should be adequately protected at all times;

• Lost or stolen devices must be reported to the CTO/CIO, or appropriate designee immediately.

2. Data Security

If a mobile device is lost or stolen, the data security controls that were implemented on the device are the last line of defense for protecting circuit data. The following sections specify the court’s requirements for data security as it relates to mobile devices.

• The device must be password/passcode protected;

• Court issued devices must be encrypted;

• Users connecting to court networks from an unsecured or open network environment must use an encrypted connection, e.g., VPN, VDI, etc.;

• Court owned mobile device(s) may only contain approved programs and data essential to their role;

• Only court owned mobile devices will be allowed to connect directly to the internal secure court network;

• Court owned devices must be kept up to date with manufacturer or network provided patches;

• Devices must not be connected to a PC which does not have up to date and enabled anti-malware protection;

• The use of personally owned devices must be approved by the IT department before accessing court email or programs;

• Users must be cautious about the merging of personal and work email accounts on their devices. They must take particular care to ensure that court data is only sent through the court email system; and

• Users must be aware of and comply with retention policies.

III. Exceptions

Exceptions to this policy are to be submitted to the CTO/CIO for evaluation and approval by the appropriate designee.

IV. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination.

V. References

NIST Cybersecurity Framework

VI. Revisions

DATE        DESCRIPTION
03/05/20    Original

VII. Approval

___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida

* * *


Agenda Item II A. Draft Cybersecurity Policies

iv. VPN


Policy Number

INFORMATION SECURITY POLICY

Virtual Private Network

Version 1.0 Revised: 03/05/20

I. Introduction

Court staff will be required to use a Virtual Private Network (VPN) to keep court information systems secure while providing remote access. VPN allows staff to access confidential and sensitive court information in a secure manner. However, VPN does pose a risk by granting court staff access outside the standard security protocols. As such, access will only be provided to authorized court staff with appropriate approval, to ensure the access is restricted, audited, and secured.

A. Purpose:

The purpose of this policy is to establish the guidelines for Virtual Private Network (VPN) connections for authorized system users to court networks from any host. VPN connections provide a secure connection to court system resources while accessing from external networks. These requirements are meant to limit exposure of court networks from unauthorized use.

B. Applicability: This procedure shall apply to all court system users.

II. Policy

A. Policy Statement: Approved court employees and authorized third parties (external stakeholders, vendors, etc.) may be granted authorization for the use of VPNs.

B. Procedure or Standard:

1. VPN access will be permitted only to establish a secure remote connection to the court network for official court business only.

2. IT Contractors and vendors may only have access to Circuit devices (servers and PCs) if a valid contract for the provision of services exists. During the provision of services, the remote connection may be monitored by a Circuit IT employee.

3. Requests to provide VPN access to the court network, for employees or consultants, must be processed by the court IT Department and approved by the CTO/CIO or designee.

4. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to the court’s internal networks. Access usernames and passwords are not to be shared.


5. Dual (split) tunneling is not permitted; only one network connection is allowed at the same time.

6. VPN gateway(s) will be set up and managed by the court IT Department network operational group.

7. The VPN gateway(s) must be configured to use robust and reliable encryption protocols such as IPSec, TLS, and SSL.

8. All devices connected to the court’s internal networks via VPN must be up to date on security patches, including anti-virus software that is up to date. This includes personal or third-party computers.

9. VPN users will be automatically disconnected from the court’s network after 30 minutes of inactivity. The user must then log on again to reconnect to the network. Artificial network processes are not to be used to keep the connection open.

10. Users of computers that are not property of the Circuit must configure the equipment to comply with the local court’s information technology policies.

11. Only the court’s IT Department approved VPN clients may be used.

12. While connected to the court’s network by means of a VPN connection, users must comply with the same rules, regulations and policies as if physically working in a court facility.

13. Whenever possible, all VPN accounts for external vendors will remain “inactive” in the system while not in use, and the manager requesting activation of the remote access is responsible for monitoring its use in the related application’s logs, where applicable and available.

14. Site-to-Site VPN connections should be approved by the CTO/CIO. The requests must be properly documented.

III. Exceptions

Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the designee.

IV. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination.


V. References

NIST Cybersecurity Framework

VI. Revisions

DATE        DESCRIPTION
03/05/20    Original

VII. Approval

___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida

* * *


Agenda Item II A. Draft Cybersecurity Policies

v. Media Protection


Policy Number

INFORMATION SECURITY POLICY

Media Protection

Version 1.0 Revised: 03/05/20

I. Introduction

Court systems have the capability to store sensitive or classified information on physical and electronic media devices. Information held on such devices can be compromised if they are not properly disposed of. It is essential to govern the proper sanitization of all court media devices to protect the court system’s data.

A. Purpose:

The purpose of this policy is to outline how media is protected and disposed of in a secure manner by authorized individuals of the court systems. Proper handling and disposal of media, whether in physical or digital form, is essential to protecting confidential and/or sensitive information.

B. Applicability:

This policy shall apply to all court system users.

II. Policy

A. Policy Statement:

Throughout the daily operations of the court, information is transferred, created and consumed by system users. The information may be stored by means of digital or physical media. Safeguarding access, storage and destruction of all media containing sensitive or confidential court information is imperative. This policy seeks to establish the necessary controls to provide adequate safeguards against unwanted disclosure of information.

B. Procedure or Standard:

The court will ensure that only authorized individuals will be granted access to media containing sensitive or confidential information.

1. Handling and Disposal of Physical Media:

Sensitive or confidential physical media will be stored within a physically secure building. Physical media should be stored behind locked doors and/or in locked cabinets.

When no longer needed, physical media shall be disposed of by one of the following methods:

▪ Shredding using a cross-cut shredder. The shredding will be done by an authorized employee of the court;


▪ If the court enters into an agreement with a media disposal vendor, then the paper media shall be placed in locked shredding bins provided by the vendor for the private vendor to cross-cut shred onsite. This shall be witnessed by an employee of the court throughout the entire process.

2. Handling of Digital Media:

▪ Digital media containing sensitive or confidential data will be stored within a physically secure building. Any digital media that is transported outside the physically secure location should be encrypted. At no time will the digital media be released to an unauthorized person or left unattended without proper supervision;

▪ All digital media containing sensitive or confidential data shall be encrypted while at rest;

▪ Any device that has a physical storage device must have the storage device removed and destroyed or sanitized prior to decommission or transfer. Examples of such devices are multi-function devices, servers, personal computers, etc.;

▪ When the storage device for any reason is no longer of use or has reached its end of life, the storage media shall be inventoried and physically destroyed or sanitized;

▪ An authorized representative of the Circuit must be present during the destruction or sanitization of the digital media;

▪ Written documentation will be maintained of the steps taken to destroy or sanitize digital media.

III. Exceptions

Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.

IV. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination.

V. References

NIST Cybersecurity Framework

VI. Revisions

DATE        DESCRIPTION
03/05/20    Original


VII. Approval

___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida

* * *


Agenda Item II A. Draft Cybersecurity Policies

vi. Wireless Access


Policy Number

INFORMATION SECURITY POLICY

Wireless Access

Version 1.0 Revised: 03/05/20

I. Introduction

Wireless communication is playing an increasingly important role in the workplace. In the past, wireless access was the exception; it has now become the norm in the court. While wireless access can increase the mobility and productivity of users, it can also introduce security risks to the network.

A. Purpose: The purpose of this policy is to state the standards for wireless access to the court’s network.

B. Applicability: This policy shall apply to all court system users.

II. Policy

A. Policy Statement:

Wireless access provides mobile connectivity to the court’s network. This connectivity requires proper network administration practices to guarantee the security of the courts.

B. Procedure or Standard:

1. The wireless access point should utilize MAC address filtering so that only known wireless NICs are able to connect to the wireless network. If possible, join only domain authenticated computers;

2. Encryption shall be used to secure wireless communications;

3. Administrative access to wireless access points shall utilize strong passwords;

4. Wireless networking should require users to authenticate against a centralized server. These connections should be logged, with IT staff reviewing the log regularly for unusual or unauthorized connections;

5. Wireless LAN management software should be used to enforce wireless security policies. The software must have the capability to detect rogue access points;

6. Wireless devices should be installed only by the court’s IT department or partnered agency responsible for providing wireless services (e.g., county IT).

III. Exceptions


Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.

IV. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination.

V. References

NIST Cybersecurity Framework

VI. Revisions

DATE        DESCRIPTION
03/05/20    Original

VII. Approval

___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida

* * *


Agenda Item II A. Draft Cybersecurity Policies

vii. Acceptable Use and User Agreement


Policy Number

INFORMATION SECURITY POLICY

Acceptable Use and User Agreement

Version 1.0 Revised: 03/05/20

I. Introduction

There are a number of reasons to provide a user access to the court network. This policy covers the responsibilities that come with such access regarding acceptable use and gives guidelines for proper user practices.

A. Purpose:

The purpose of this policy is to outline the acceptable use of computer equipment. These rules are in place to protect the employee and court information. Inappropriate use exposes the court to risks including malware, compromise of network systems and services, and legal issues.

B. Applicability:

This policy shall apply to all court system users.

II. Policy

A. Policy Statement: Access to the court’s network, including but not limited to, computer systems, email, and the provided internet connection, carries certain responsibilities and obligations. Inappropriate use of systems exposes the court to risk. This policy covers acceptable and prohibited uses of the court’s electronic resources.

B. Procedure or Standard:

1. Monitoring and Privacy

Users should expect no privacy when using the court network or resources. Such use may include but is not limited to: transmission and storage of files, data, and messages. The Court reserves the right to monitor any and all use of the computer network, including use of the network by personal devices that are not owned, issued, or approved by the Court. To ensure compliance with Court policies, this may include the interception and review of any emails or other messages sent or received, and inspection of data stored on personal file directories, hard disks, and removable media. This monitoring is necessary to maximize the security of the Court’s network and resources.

2. Personal Usage


Personal usage of the Court’s computer systems is permitted as long as such usage follows pertinent guidelines elsewhere in this document and does not have a detrimental effect on the Court or on the user's job performance. Personal usage, as with usage for job functions, will be subject to monitoring for the purpose of security.

3. Bandwidth Usage

Excessive use of the court’s bandwidth or other computer resources for non-court related activities is not permitted. Large file downloads or other bandwidth-intensive tasks that may degrade network performance must not interfere with court operations. Please contact your IT department for help with large files.

4. Blogging, Social Networking, and Instant Messaging

Personal blogging and social networking sites are very risky and prone to malware. Access to these sites through the court’s network is highly discouraged. Court employees should avoid impropriety and the appearance of impropriety in all activities. Employees’ activities within the workplace, as well as outside the workplace and outside the scope of work-related duties, should not:

• Be done in an unprofessional and irresponsible manner;

• Interfere with the performance of job responsibilities;

• Adversely impact the operation of the court;

• Lend the prestige of the court to advance private interests.

While commenting about issues in the workplace is generally not prohibited, employees should not post or display comments about co-workers, supervisors, judges, or the court system where the post or comment may be unlawful; is vulgar, obscene (including use of profanity), threatening (including references to violence or physical harm), intimidating, or harassing; or is a violation of the Civil Rights policies against discrimination, harassment, or hostility on account of age, race, religion, sex, nationality, disability, or other protected class, status, or characteristic. Furthermore, employee posts or comments should never use or disclose confidential information including personal health or family information about other employees.

The user assumes all risks associated with blogging and/or social networking.

5. Circumvention of Security

Circumventing any security system, authentication system, or user-based access control, or escalating privileges beyond those granted, is expressly prohibited. Knowingly taking any action to bypass or defeat a security control is likewise prohibited.

Version 1.0 Policy Number►

CONFIDENTIAL 3

6. Confidentiality

Confidential data must not be:

• Shared or disclosed in any manner to any unauthorized party;

• Posted on the internet or on any publicly accessible system; or

• Transferred in any insecure manner.

7. Copyright Infringement

The court's computer systems and networks must not be used to download, upload, or otherwise handle illegal or unauthorized copyrighted content. Any of the following activities constitutes a violation of this acceptable use policy if done without the permission of the copyright owner:

• Copying and sharing images, music, movies, or other copyrighted material if it violates the license agreement;

• Posting or plagiarizing copyrighted material in violation of its original license agreement; and

• Downloading copyrighted files which an employee has not legally procured.

This list is not meant to be exhaustive. Copyright law applies to a wide variety of works and applies to much more than is listed above.

8. E-mail Use

Personal usage of the Court’s email systems must not negatively impact the court’s computer network or the user’s job performance.

• The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive but is included to provide a frame of reference for types of activities that are prohibited;

• The user is prohibited from forging email header information or attempting to impersonate another person;

• It is the user’s responsibility to exercise caution before opening email attachments from unknown senders, or when such attachments are unexpected;

• Email systems were not designed to transfer large files; emails should therefore not carry attachments of excessive size.

9. Mobile Devices

Mobile devices that are capable of storing circuit data, including, but not limited to, laptops, notebooks, smart phones, and USB drives, regardless of whether they are court-owned or personal equipment, must adhere to the following standards:

a. Physical Security:

By nature, a mobile device is susceptible to loss or theft. Users should carefully consider the physical security of mobile devices and take appropriate protective measures. Caution should be exercised when transporting mobile devices in unsecured environments.

b. Connecting to Unsecured Networks:

Users should exercise caution when connecting court-issued devices to an unsecured network. Court-issued devices must be kept up to date with security patches and anti-malware software. When remotely accessing the court network, the VPN client must be used.

c. General Guidelines:

The following guidelines apply to the use of court issued mobile devices:

• Loss, theft, or any other security incident involving a mobile device must be reported to the IT department immediately, and in no case more than 24 hours after the incident; and

• Confidential data should not be stored on mobile devices unless it is absolutely necessary to perform required work activities.

10. Access of Information

The user should make reasonable efforts to avoid accessing network data, files, and information that are not directly related to his or her job function. Having access to information does not imply permission to use it. Users should not access or attempt to access files or emails that belong to another user unless specifically required by their job.

11. Non-Court-Owned Equipment

Software and hardware not provided by the Court are prohibited on the network unless expressly approved by the Trial Court Administrator or designee.

12. Overuse

Actions detrimental to the computer network or other court resources, or that negatively affect job performance are not permitted.

13. Passwords

Password policies protect the network from attackers who gather information in order to gain access to data, and thereby harm the Court’s systems, other agencies, and individuals. Password requirements are outlined in the court’s Security Password policy. Additional tips on creating strong passwords are as follows:

a. Keep passwords unique. Do not use passwords from other accounts such as Facebook, Twitter, bank accounts, personal email, or any other personal account;

b. Do not write down your password and store it in a location where it may be accessed and used by another person;

c. Do not use the names of family members, such as children or a spouse;

d. Examples:

Bad password: 123456
What’s wrong: Missing lowercase and uppercase letters and a symbol; also fewer than 8 characters.
Good password: one2THREE4five6

Bad password: honesty
What’s wrong: Missing a number, an uppercase letter, and a symbol; also fewer than 8 characters.
Good password: Hone$tyisg00d

Bad password: Umbrella1
What’s wrong: A single dictionary word starting with an uppercase letter and followed by a 1. It barely meets the password policy and can be easily guessed.
Good password: I l0ve my blue umbrella!

Bad password: Pa$$w0rd
What’s wrong: Although this meets the password policy, it is very commonly used. Avoid common modifications of simple passwords; come up with a phrase instead.
Good password: How will I remember this passw0rd?
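As an added example that is not part of the policy text, the following Python script applies the checks behind the table above to each of its passwords: minimum length, character-class coverage, a common-password list, and the "single dictionary word plus trailing digits" pattern that Umbrella1 illustrates. The 8-character minimum and the three-of-four character-class rule are assumptions consistent with the table's examples; the court's Security Password policy itself is not reproduced on this page. The word lists are constructed for illustration.

```python
import re

# Constructed word lists for this example only. A real deployment would check
# against a large breached-password corpus and a full dictionary instead.
COMMON_PASSWORDS = {"123456", "password", "pa$$w0rd", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"honesty", "umbrella", "password", "summer", "dragon", "welcome"}

# Reverse the substitutions people commonly make, so "Hone$ty" compares as "honesty".
LEET_MAP = str.maketrans({"$": "s", "0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "!": "i"})

# Assumed policy thresholds, consistent with the table's examples (not the
# court's actual Security Password policy).
MIN_LENGTH = 8
MIN_CLASSES = 3
CLASS_ORDER = ("lowercase", "uppercase", "digit", "symbol")


def character_classes(pw):
    """Return the character classes present in pw, in CLASS_ORDER."""
    present = set()
    for c in pw:
        if c.islower():
            present.add("lowercase")
        elif c.isupper():
            present.add("uppercase")
        elif c.isdigit():
            present.add("digit")
        else:
            present.add("symbol")  # anything else, including spaces
    return [name for name in CLASS_ORDER if name in present]


def normalize(pw):
    """Lower-case, drop trailing digits/symbols, then undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def evaluate(pw):
    """Return the list of policy problems; an empty list means pw is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    present = character_classes(pw)
    if len(present) < MIN_CLASSES:
        missing = [name for name in CLASS_ORDER if name not in present]
        problems.append("missing " + ", ".join(missing))
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if normalize(pw) in DICTIONARY_WORDS:
        problems.append("single dictionary word with trivial modifications")
    return problems


if __name__ == "__main__":
    # The bad/good pairs from the table above.
    for candidate in ("123456", "one2THREE4five6", "honesty", "Hone$tyisg00d",
                      "Umbrella1", "I l0ve my blue umbrella!",
                      "Pa$$w0rd", "How will I remember this passw0rd?"):
        verdict = evaluate(candidate) or ["acceptable"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that Umbrella1 and Pa$$w0rd pass the length and character-class checks and are caught only by the dictionary and common-password checks, which is why a complexity rule alone is not enough and why the table recommends phrases.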

14. Peer-to-Peer File Sharing

Peer-to-Peer (P2P) networking is not permitted on the court network except for official court business.

15. Remote Desktop Access

Use of remote desktop software or services not supplied by the court (such as Citrix, VNC, or GoToMyPC) is prohibited.

16. Reporting of Security Incident

If a security incident or breach of any security policies is discovered or suspected, the user must immediately notify his or her supervisor and/or follow any applicable guidelines as detailed in the court’s Security Incident Response Policy. Examples of incidents that require notification include:

• Suspected compromise of login credentials (username, password, etc.);

• Suspected virus/malware/Trojan infection;

• Loss or theft of any device that contains Court information;

• Loss or theft of ID badge or keycard;

• Any attempt by any person to obtain a user's password over the telephone or by email; and

• Any other suspicious event that may impact the Court’s information security.

Users must treat a suspected security incident as confidential information and report it only to his or her supervisor. Users must not withhold information relating to a security incident or interfere with an investigation.

17. Software Installation

Installation of non-Court-approved programs is prohibited. Numerous security threats can masquerade as innocuous software - malware, spyware, and Trojans can all be installed inadvertently through games or other programs. Alternatively, software can cause conflicts or have a negative impact on system performance. Exceptions must be approved by the Trial Court Administrator or designee and installed by court IT personnel.

18. Streaming Media

Streaming media (using the internet to listen to live radio or watch video) can consume a great deal of network resources and is therefore permitted on the court network only for business use.

19. Unacceptable Use

The following actions shall constitute unacceptable use of the court resources. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are deemed unacceptable. The user may not use the court network and/or systems to:

• Engage in activity that is illegal under local, state, federal, or international law;

• Engage in any activities that may cause embarrassment, loss of reputation, or other harm to the Court;

• Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media;

• Engage in activities that cause an invasion of privacy;

• Engage in activities that cause disruption to the workplace environment or create a hostile workplace;

• Make fraudulent offers for products or services;

• Install, share, or distribute unlicensed or "pirated" software, music, or videos in violation of copyright laws; and

• Reveal personal or network passwords to others, including family, friends, or other members of the household when working from home or remote locations.

20. Non-approved Activities

No court-owned or court-provided computer systems may be knowingly used for activities that are considered illegal under local, state, federal, or international law. Such actions may include, but are not limited to, the following:

• Unauthorized Port Scanning;

• Unauthorized Network Hacking;

• Unauthorized Packet Sniffing;

• Unauthorized Packet Spoofing;

• Unauthorized Denial of Service;

• Unauthorized Wireless Hacking;

• Any act that may be considered an attempt to gain unauthorized access to or escalate privileges on a computer or other electronic system;

• Acts of Terrorism;

• Identity Theft;

• Spying; and

• Downloading, storing, or distributing violent, perverse, obscene, lewd, or offensive material as defined by applicable statutes.

The courts will take all necessary steps to report and prosecute any violations of this policy.

21. Web Browsing

Personal Use: The court recognizes that the Internet can be a tool that is useful for both personal and professional purposes. Personal usage of court computer systems to access the Internet is permitted as long as such usage follows pertinent guidelines elsewhere in this document and does not have a detrimental effect on the court or on the user's job performance. The court monitors all use of the Internet, regardless of whether it is personal or professional.

III. Exceptions

Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.

IV. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination.

V. References

NIST Cybersecurity Framework

VI. Revisions

DATE        DESCRIPTION
03/05/20    Original

VII. Approval

___________________________
Name
Trial Court Administrator
XXX Judicial Circuit of Florida

* * *

Agenda Item II A. Draft Cybersecurity Policies

viii. Incident Reporting

INFORMATION SECURITY POLICY

Policy Number

Incident Reporting
Version: 1.0    Revised: 03/05/20

I. Introduction

In the event of a suspected security breach, early detection and a quick, comprehensive response are key to mitigating risk and recovering quickly.

A. Purpose: This policy is intended to ensure that the Court System is prepared should a security incident occur. It details exactly what must happen if an incident is suspected, covering both electronic and physical IT security incidents. Note that this policy is not a substitute for legal advice; it approaches the topic from a security-practices perspective.

B. Applicability: This policy shall apply to all court system users.

II. Policy

A. Policy Statement: This policy is pursuant to and in accordance with Federal, State, and law enforcement agency regulations and guidelines for responding to and reporting electronic data security incidents affecting the Court System’s electronic data. In the case of an electronic data security incident, this policy establishes reasonable measures to protect the security, confidentiality, and integrity of protected data and data systems on the Court System’s infrastructure during the entire life cycle of the incident. All reported incidents will be investigated and fully documented. For the purposes of this policy, a security incident relating to the Court System's information assets takes one of two forms:

Electronic: This type of incident can range from an attacker or user accessing the network for unauthorized or malicious purposes, to a virus outbreak, to a suspected Trojan or malware infection, or to data loss resulting from a physical incident.

Physical: A physical IT security incident involves the loss, theft or damage to any court system technology devices and infrastructure.

B. Procedure or Standard:

Electronic or Physical Incidents

When an incident is suspected, the Court System's goal is to recover as quickly as possible, limit the damage done, secure network data and digital resources, and preserve evidence of the incident. The following steps should be taken in order:

1. Report the incident to the CTO/CIO, or agency designee;

2. Remove the compromised device from the network by unplugging or disabling its network connection. Do not power down the machine, so that volatile evidence in memory is preserved;

3. Disable the compromised account(s) as appropriate;

4. Physically secure the compromised system;

5. Change or disable compromised usernames, passwords, and account information;

6. If prosecution of the incident is desired, chain of custody and preservation of evidence are critical;

7. Create a detailed event log documenting each step taken during this process;

8. Determine how the attacker gained access and disable this access;

9. Restore any required data from the last known good backup and put the system back online;

10. Take actions, as possible, to ensure that the vulnerability (or similar vulnerabilities) will not reappear;

11. Notify applicable authorities if prosecution is desired and possible based on the evidence collected;

12. Notify appropriate vendors, insurance companies, or government partners;

13. Perform a vulnerability assessment to spot any other vulnerabilities before they can be exploited; and

14. Document every incident completely and thoroughly and review it for lessons learned.

III. Exceptions

Exceptions to this policy are to be submitted in writing to the CTO/CIO for evaluation and approval by the appropriate designee.

IV. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination.

V. References

NIST Cybersecurity Framework

VI. Revisions

DATE        DESCRIPTION
03/05/20    Original

VII. Approval

___________________________
Name
Trial Court Administrator
XXX Judicial Court System of Florida

* * *