Lac Courte Oreilles Band of Lake Superior Chippewa Indians of Wisconsin - Tribal Law

Lac Courte Oreilles Tribal Code of Law.

ITP.1.3.040 Controls Implementation

The following security controls shall be implemented as available:

(a) Access rights administration. The Tribe shall have an effective process to administer access to system resources. The Tribe shall strive to identify and restrict access to any system resource to the minimum required for work to be performed. The process shall include the following controls:

(1) Assign end-users and system resources only the access required to perform their required functions;

(2) Update access rights based on personnel or system changes;

(3) Periodically review users' access rights based on the risk to the application or system; and

(4) Design appropriate acceptable-use and end-user policies.

(b) Authentication. The Tribe shall use effective authentication methods appropriate to the level of risk by:

(1) Selecting authentication mechanisms based on the risk associated with a particular application or service;

(2) Considering whether multiple forms of authentication are appropriate for each application, recognizing that multi-factor authentication is increasingly necessary for many forms of electronic communication and electronic payment activities; and

(3) Encrypting the transmission and storage of authenticators (e.g., passwords, PINs).

(c) Network access. The Tribe shall secure access to its computer networks through multiple layers of access controls to protect against unauthorized access. Access control measures shall include:

(1) Grouping network servers, applications, data, and users into security domains;

(2) Requiring the use of unique user IDs and strong passwords;

(3) Establishing appropriate access requirements within and between each security domain; and

(4) Implementing appropriate controls to meet those access requirements consistently.

(d) Operating System access. The Tribe shall secure access to the operating systems of all system components by:

(1) Securing access to system utilities;

(2) Restricting and monitoring privileged access;

(3) Logging and monitoring user or program access to sensitive resources;

(4) Updating the operating systems with security patches; and

(5) Securing the devices that can access the operating system through physical and logical means.

(e) Application access. The Tribe shall control access to applications by:

(1) Using authentication and authorization controls appropriate for the risk of the application;

(2) Monitoring access rights to ensure they are the minimum required for the user's current business needs;

(3) Using time of day limitations on access as appropriate; and

(4) Logging access and security events.

(f) Remote access. The Tribe shall secure remote access to and from its systems by:

(1) Controlling access through management approvals;

(2) Implementing controls over configuration to disallow potential malicious use;

(3) Monitoring remote access;

(4) Securing remote access devices; and

(5) Using strong authentication and encryption to secure communications.

(g) Physical Security. The Tribe shall implement appropriate preventative and detective controls to protect against the risk to physical security.

(h) Encryption. The Tribe shall employ encryption to mitigate the risk of disclosure or alteration of sensitive information, both in storage and in transit. Encryption implementations shall include:

(1) Encryption strength sufficient to protect the information while in transit between unsecure systems;

(2) Effective encryption key management practices;

(3) Appropriate protection of the encrypted communication's endpoints; and

(4) USB storage devices shall not be authorized for general use. If a USB storage device is needed to store sensitive or confidential information, then a tool such as BitLocker, providing encryption that requires a username and password, shall be used.

(i) Malicious code. The Tribe shall protect against the risk of malicious code by:

(1) Using anti-virus products on clients and servers;

(2) Using an appropriate blocking strategy on the network perimeter;

(3) Filtering input to applications; and

(4) Educating staff in appropriate computing policies and procedures.

(j) Systems development, acquisition, and maintenance. The Tribe shall ensure that systems are developed, acquired, and maintained with appropriate security controls. These steps shall include:

(1) Defining security requirements before developing or acquiring new systems;

(2) Incorporating recognized standards in developing security requirements;

(3) Incorporating appropriate security controls, audit trails, and logs for data entry and data processing;

(4) Implementing an effective change control process;

(5) Hardening systems before deployment;

(6) Establishing an effective patch process for new security vulnerabilities; and

(7) Overseeing vendors to protect the integrity and confidentiality of application source code.

(k) Personnel security. The Employee Handbook and Human Resources policies shall discuss mitigation of the risk posed by internal users.

(l) Virtualization. The virtual environment and the virtualization of servers shall be the responsibility of the IT Department.

(m) Electronic and paper-based media handling. The Tribe shall control and protect access to paper, film, and computer-based media to avoid loss or damage. The Tribe shall:

(1) Establish and ensure compliance with policies for handling and storing information;

(2) Ensure safe and secure disposal of sensitive media;

(3) Secure media in transit or transmission to third parties; and

(4) Employees are instructed to save data to "shared drives" or other network drives for security and backup purposes.

(n) Logging and data collection. The Tribe shall take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. The Tribe shall have appropriate logging controls to ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.

(o) Service provider oversight. The Tribe shall review security responsibilities for outsourced operations through:

(1) Appropriate due diligence in service provider research and selection;

(2) Contractual assurances regarding security responsibilities, controls, and reporting;

(3) Nondisclosure agreements regarding the Tribe's systems and data; and

(4) Third-party review of the service provider's security through appropriate audits and tests.

(p) Intrusion detection and response. The Tribe shall strive to detect and respond to an information system intrusion commensurate with risk. Risk mitigation practices shall include:

(1) Preparation. Analysis of data flows, decisions on the nature and scope of monitoring, consideration of legal factors, appropriate procedures governing detection and response; and

(2) Response to an intrusion. Containment and restoration of systems and appropriate reporting.

(q) Business continuity considerations. The Tribe shall develop a plan that includes:

(1) Identification and training of personnel with key security roles during continuity plan implementation; and

(2) Security needs for back-up sites and alternate communications.

(r) Insurance. The Tribe shall evaluate the extent and availability of coverage in relation to the specific risks it is seeking to mitigate.

(s) Equipment disposal/destruction. When equipment is retired from use, the hard drive shall be removed and either stored or wiped with Department of Defense-grade data sanitization software. Other equipment such as copiers, printers, and multi-function machines shall have memory or other data storage devices erased or destroyed. Equipment shall then be recycled, disposed of, or donated with no software or data remaining on it.

Original url: https://law.lco-nsn.gov/us/nsn/lco/council/code/ITP.1.3.040