CIO-105 System and Information Integrity Policy

Office of the Chief Information Officer Enterprise Policy

CIO-105: System and Information Integrity Policy

Effective Date: 7/20/2018
Policy Statement:  This policy establishes controls related to system and information integrity.  The policy provides guidance for decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.
  • Data Integrity – The accuracy and consistency of data, indicated by the absence of any unauthorized alteration between data record updates since it was created, transmitted, or stored.  Data integrity is imposed within a database during its design stage through the use of standard rules and procedures.  It is maintained through the use of error checking and validation routines.
  • Information Integrity – The assurance that the data being accessed or read has neither been tampered with nor altered, whether intentionally or accidentally, or damaged through a system error, since the time of the last authorized access.
  • System Integrity – The state of a system where it performs its intended functions without being degraded or impaired by unauthorized changes or disruptions in its internal or external environments, whether intentional or accidental.  System integrity is maintained by incorporating protection, detection, reaction, and restoration capabilities in information systems.
This policy outlines a framework of COT enterprise system and information integrity measures, largely aimed at managing risks from system flaws, vulnerabilities, malicious code, unauthorized code changes, and inadequate error handling.   
Flaw Remediation
Each Agency must:
  • Identify, report, and correct information system flaws.
  • Test and install security-related software and firmware updates and upgrades, within established timeframes following the release of a system change or update.
  • Incorporate flaw remediation into the Configuration Management process.  Employ automated mechanisms, at a pre-determined interval (i.e., daily, weekly, monthly), to determine the state of components with respect to flaw remediation.
Malicious Code Protection
Each Agency must:
  • Employ malicious code protection at system entry and exit points to detect and eradicate malicious code and address any false positives.  Specifically, configure malicious code protection to:
    - Perform periodic scans of the system and real-time scans of files from external sources at endpoints and network entry/exit points, as the files are downloaded, opened, or executed, in accordance with Agency policy.
    - Block or quarantine malicious code and alert the administrator in response to detection.
  • Centrally manage and automatically update malicious code protection whenever new releases of a protection are available, in accordance with appropriate office-level procedures.
Information System Monitoring
COT must:
  • Monitor the information system to detect attacks or indicators of potential attacks, as well as unauthorized use of local, network, and remote connections.
  • Deploy monitoring devices strategically and at ad hoc locations within the information system, to collect information about specific types of transactions of interest to the organization.
  • Protect information obtained from intrusion-monitoring tools, against unauthorized access, modification, and deletion of that information.
  • Heighten the level of information system monitoring activity whenever there is an indication of increased risk to operations, assets, individuals, other organizations, or the nation, based on law enforcement information, intelligence or other credible sources.
  • Obtain legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, executive orders, directives, policies, or regulations.
  • Employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.  Provide monitoring information to designated Agency officials as needed.
  • Analyze inbound and outbound communications traffic at the external boundary of the information system, and at selected interior points within the network (e.g., subnetworks or subsystems), to detect anomalies, for example large file transfers, long-time persistent connections, unusual protocols or ports in use, and attempted communications with suspected malicious external addresses.
  • Alert key personnel, such as system administrators, business/process/system owners, or information security officers when indications of a compromise or a threat of a compromise have occurred.
Security Alerts, Advisories, and Directives
COT must:
  • Receive information system security alerts, advisories and directives from reliable industry sources, such as the US Computer Emergency Readiness Team (US-CERT), Microsoft Safety and Security Center, Homeland Security Cyber Security or other relevant organizations or vendors.
  • Generate internal security alerts, advisories and directives as deemed necessary and disseminate to appropriate personnel, such as management, system administrators, business/process owners, information system security officers, etc.
  • Implement security directives in accordance with established time frames or notify the issuing organization of the degree of noncompliance.
Software, Firmware, and Information Integrity
COT must:
  • Deploy integrity verification tools to detect unauthorized changes to software, firmware and information.  Incorporate the detection of unauthorized security-relevant changes to the infrastructure into the Enterprise Incident Response capability.
  • Perform integrity checks of infrastructure hardware, software, firmware and services at startup, shutdown, and restart; and on demand by the system administrator.
Spam Protection
COT must:
  • Employ spam protection at information system entry and exit points to detect and take action on unsolicited messages.
  • Centrally manage and automatically update spam protection when new protection releases are available, in accordance with Configuration Management policy and procedures.
Information Input Validation
Each Agency must check the integrity and validity of information being input into the system.
Error Handling
COT and each Agency must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. Reveal error messages only to designated Agency personnel.
Information Handling and Retention
Each Agency must handle and retain information within the system and output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Memory Protection
Each Agency must implement security safeguards to protect memory from unauthorized code execution.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government.
Applicability:  All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance:  Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance:  COT’s Office of IT Architecture & Governance and the Office of the Chief Information Security Officer share responsibility for maintaining this policy.  Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request.  Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle:  COT’s Office of IT Architecture & Governance and the Office of the Chief Information Security Officer will review this policy at least every two years.  
This page was last modified 11/13/2018 7:41 AM