The purpose of this Policy is to describe the security guidelines that Door must consider when protecting the confidentiality, integrity and availability of Door owned information.
Door supports and utilizes industry-leading cybersecurity practices within the Policy, including ISO/IEC 27001 and the Federal National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Framework is a collection of nationally recognized security standards and covers cybersecurity functional areas that offer guidance on the identification, protection, detection, response and recovery mechanisms used to protect an organization’s infrastructure and assets.
This Policy establishes the general requirements and responsibilities for protecting Door systems and information.
This Policy applies to anyone provided access to Door technology assets including but not limited to information that is generated, received, stored, transmitted or printed.
The policy encompasses all activities and operations required to ensure data security. This includes facility design, physical security, disaster preparedness and business continuity planning, use of hardware and operating systems or application software, data disposal, and protection of copyrights and other intellectual property rights.
The Information Security Manager is the establishing authority for this Policy with the advice and guidance of the Executive Committee. The Information Security Manager has the authority to exempt a category of users from any requirement of this Policy.
Information and information technology (IT) systems are essential assets of Door. All information created with Door resources for Door operations is the property of Door. All users of Door’s IT assets, including contractors and other third parties, are responsible for protecting those assets from unauthorized access, modification, disclosure, damage and destruction. This Policy sets forth a minimum level of security controls that, when implemented, will provide for the confidentiality, integrity and availability of Door IT assets.
In general, Door will adopt information security leading practice standards and guidelines. This Policy developed to secure Door’s IT assets will, where appropriate, refer to a particular standard. Door security procedures will be documented to ensure compliance with the Policy. The Policy will be reviewed on an annual basis.
This Policy sets the minimum level of responsibility for the following individuals and/or groups:
The Information Security Committee will serve as the governing body to oversee this Policy. The Information Security Committee will be responsible for reviewing this Policy annually and for reporting findings and recommendations to the Executive Committee at least annually. The Executive Committee will provide guidance and recommendations regarding IT security to the Information Security Committee.
The Information Security Manager shall:
All users of Door’s IT assets are responsible to:
An inventory of all critical IT assets is required as directed by the Information Security Manager. Accountability for assets helps to ensure that appropriate protection is maintained. Designated owners shall be identified (Data Owners and Custodians) for all critical assets and assigned responsibility for the maintenance of appropriate controls.
Compiling an inventory of assets is an important aspect of risk management. Door needs to be able to identify Door IT assets and the relative values and importance of these assets. Based on this information, Door can then provide appropriate levels of protection. Inventories of the critical assets associated with each information system should be documented and maintained. Asset inventories shall include, at a minimum, a unique system name, a designated owner and a description of the physical location of the asset. Examples of assets associated with information systems are:
This Policy pertains to all information within Door’s IT systems that is processed, stored, transmitted or shared. Data Owners and Custodians must adhere to this Policy and educate users who may have access to confidential information for which they are responsible.
All Door IT information is categorized into two main classifications with regard to criticality, severity and business value:
Public information is information that has been declared publicly available by law or rule. Public records are any records that are made or received by a covered public agency in connection with the transaction of public business.
Confidential information is non-public information that is defined by law or rule that must be withheld from public access. This may include, but is not limited to, Personally Identifiable Information (PII), sealed information and Parties Only information. Personally Identifiable Information (PII): Personally Identifiable Information is defined as an individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with any one of the following:
If a user is uncertain of the classification of a particular piece of information, the user should contact their manager for clarification. To the extent required by law or rule, all confidential information should be clearly identified as such and will be subject to marking and handling guidelines.
To the extent required by law or rule, Door confidential information shall be protected and marked in accordance with the data sensitivity. Users shall not electronically store data that cannot be adequately secured against unauthorized access.
Door will classify systems consistent with the classification of the data within the system. When an IT System is shared between Door and external parties, the most sensitive level of data classification will determine the classification of the IT System.
This section defines requirements that must be met by Door to properly protect assets. All Door IT assets (hosted on the Door network or a 3rd party offsite premise) used for receiving, processing, storing and transmitting Door data must be protected in accordance with these controls. Information systems include the equipment, facilities, and people that handle or process Door data.
These security controls are categorized into three types:
Managerial security controls focus on managing organizational risk and information system security and devising sufficient countermeasures for mitigating risk to acceptable levels.
Managerial security controls include, but are not limited to, risk management and project management.
Operational security controls focus on mechanisms primarily implemented by people as opposed to systems. These controls are established to improve the security of a group, a specific system, or a group of systems. Operational security controls require technical or specialized expertise and often rely on managerial and technical controls. Operational security controls include awareness and education, configuration management, service interface agreements, contingency planning, incident response, maintenance, media protection, physical and personnel security, system and information integrity, and system development life cycle methodology (SDLC).
Technical security controls focus on operations executed by the computer system through mechanisms contained in the hardware, software and firmware components of the system. Technical security controls include access control, audit and accountability, authentication and authorization, user authentication and password requirements, and system and communications.
Risk Management refers to the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. A risk management program is an essential management function and is critical for Door to successfully implement and maintain an acceptable level of security. A risk management process must be implemented to assess the acceptable risk to Door IT systems. As part of a risk-based approach used to determine adequate security for its IT assets, Door shall implement a process to assess the acceptable risk to Door IT assets. Door shall analyze threats and vulnerabilities and select appropriate, cost-effective controls to achieve and maintain an acceptable level of risk. In the event an identified risk cannot be fully remediated, mitigation steps must be taken to reduce the risk. The risk and steps taken to mitigate the risk must be formally documented, accepted, and approved by the Information Security Officer. All Risk Acceptances will be reviewed annually or until the identified risk no longer exists.
Door Information Technology projects, including system development, enhancement, maintenance, and infrastructure activities shall be managed to ensure that delivered solutions are consistent with this Policy. Plans for executing IT projects should include a general process for addressing IT security controls. Door shall ensure that all major IT development or infrastructure projects have a corresponding project plan that addresses the security control requirements within this Policy. Information Security shall be an integral part of this planning process.
Door is responsible for educating users on security threats that may impact secure operations of the Door network and for providing information on mechanisms to protect against these threats. All active internal Door users must regularly participate in a formal security education and awareness training program. The program must have the ability to track completion of required security training assignments and report on non-compliance. The formal program must also include learning opportunities for users to independently explore information on safe computing practices.
System hardening procedures shall be created and maintained to ensure up-to-date security leading practices are deployed for all IT operating systems, applications, databases, network, and hardware devices. All default system administrator passwords must be changed. Door shall implement an appropriate change management process to ensure changes to systems are controlled by:
External network connections shall be permitted only after all approvals are obtained consistent with this Policy and shall be managed as agreed to by Door and the untrusted entity. Specific criteria should be included in the system that includes:
Door shall develop, implement, and test an IT Disaster Preparedness plan for all Door systems determined to be essential for ongoing business. Creation, maintenance, and annual testing of a plan will minimize the impact of interruptions of information technology service delivery caused by events ranging from a single disruption of business to a disaster. Disaster Preparedness Plan maintenance should be incorporated into the Door architecture review and change management processes to ensure plans are kept current.
Primary Components of an IT Disaster Preparedness Plan are:
Incident Management refers to the processes and procedures Door implements for identifying, responding to, documenting and managing information security incidents. A security incident within the Door managed networks is defined as a violation of computer security policies, acceptable use policies, or standard computer security practices.
Door must identify, approve, control, and routinely monitor the use of information system maintenance tools and remotely executed maintenance and diagnostic activities. Only authorized personnel are to perform maintenance on information systems. Door must ensure that system maintenance is scheduled, performed, and documented in accordance with manufacturer or vendor specifications and this Policy.
The purpose of this section is to ensure proper precautions are in place to protect confidential information stored on media. Removable media containing sensitive or confidential information must be encrypted at the device or file level. Door shall restrict access to system media containing confidential information to authorized individuals. Media containing confidential information shall be physically controlled and securely stored. Door must protect and control confidential system media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel. Throughout the lifecycle of IT equipment, there are times when Door will be required to relinquish custody of the asset. The transfer of custody may be temporary, such as when equipment is serviced or loaned, or the transfer may be permanent; examples being a donation, trade-in, lease termination or disposal. To eliminate the possibility of inadvertently releasing residual Door confidential information, Door will have a formal procedure for media sanitization.
Physical access to information technology processing equipment, media storage areas, and mass media storage devices and supporting infrastructure (communications, power, and environmental) must be controlled to prevent, detect, and minimize the effects of unauthorized access to these areas.
Door must:
Access to data centers and secured areas should be limited to those employees, contractors, technicians and vendors who have legitimate business responsibilities in those areas.
Authorization should be:
The Administrative Official or designee for each data center or secured area is responsible for:
Door shall implement system and information integrity security controls including vulnerability remediation, information system logging and monitoring, information input restrictions and information output handling and retention.
Door must protect against malicious code, viruses and malware by implementing procedures and solutions that, to the extent possible, include a capability for automatic updates. Intrusion detection/prevention tools and techniques must be employed to log, monitor and review system events, detect attacks, and identify unauthorized use of information systems and/or confidential information.
Door systems must restrict information input to authorized personnel (or processes acting on behalf of such personnel) responsible for receiving, processing, storing, or transmitting confidential information.
Door shall utilize mechanisms to validate the integrity of the data sent to partners in justice and receive acknowledgement of successful transmission and delivery. Files containing confidential information may be removed from the system once the receiving party acknowledges receipt of the transmitted information. Acknowledgements for transmission and delivery must be stored for internal/external inspection as outlined in section 7.2, Audit & Accountability Controls.
Information system security alerts/advisories for critical software must be regularly reviewed and applied as appropriate by the person(s) assigned responsibility for software administration.
Periodic external and internal vulnerability assessments must be performed to verify security controls are working properly and to identify risks.
All Door systems must include IT security as part of the Door system development life cycle (SDLC) management process. The Door SDLC policy applies to all Door approved projects. This process must include:
The following minimum set of events/actions on systems that are categorized as critical or confidential shall be logged and kept as required by all applicable State and Federal laws or regulations:
Passwords must meet the following construction, usage and change requirements:
System exceptions to user authentication and password requirements must be formally approved and documented. Functional/System accounts may have unique authentication and password requirements that cannot comply with these requirements. Mitigating security controls that reduce risk to an acceptable level must be in place. These controls must be formally approved and documented.
Door must install, configure and deploy virtualization solutions to ensure that the virtual environment is as secure as a non-virtualized environment and in compliance with all relevant Door Policy and Procedures.
Any cloud-based solution Door implements must be as secure as an on-premise solution and must follow relevant Door Security Policy and Procedures.
All cloud service provider contracts should establish terms and conditions for services which include, but are not limited to:
Contracts shall be written to ensure vendor agrees to adhere to Door Security Policy and Procedures and all applicable Rules, State and Federal laws or regulations.
Any user receiving Door data or connecting a mobile device to the Door network must comply with the Door Security Policy and Procedures and all applicable Rules, State and Federal laws or Regulations.
All users of Door information systems must acknowledge and comply with the Electronic Communications System Usage Policy and are bound to modifications as posted to the Employee Handbook.
Data loss prevention (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use, data in motion and data at rest. DLP controls are based on policy and include classifying sensitive data, discovering that data across an enterprise, enforcing controls and reporting and auditing to ensure policy compliance. A comprehensive DLP solution should include the following controls:
Unless specifically approved by the Information Security Manager, a user’s personal or a contractor’s business PC or laptop shall not have Door proprietary or licensed software installed and shall not be used to process or transmit proprietary or confidential information. Only Door owned and authorized computer software is to be used on Door owned machines. Users are not authorized to download or install software on a Door owned PC or laptop. All users of Door information systems must comply with copyright laws.
Policies and Procedures supporting the use of wireless technology used in the Door managed network shall: