On June 8, a number of IT related University Standard Administrative Procedures were updated and one new one was added.
The following University Standard Administrative Procedures have been extensively revised. As best as possible, this document will attempt to summarize the changes. However, it is advisable that you read the SAPs yourself to become familiar with the changes.
Information Resources – Crisis Management – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.09.pdf
Security Life Cycle for Information Systems – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.21.pdf
Information Resources – Compromises and Vulnerabilities – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.23.pdf
Encryption of Confidential, Sensitive and Protected Health Information – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.31.pdf
Project Management – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.34.pdf
Information Systems – Crisis Management
The University SAP previously identified as Information Resources Incident Management has been renamed to Information Resources – Crisis Management – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.09.pdf . The most obvious change is the differentiation between a security incident and a crisis. However, a number of other changes are also included. The revised elements include
- employee roles
- preparation and planning
- when to initiate the process
- how to initiate the process
- after action activities
As the SAP has been extensively revised from the previous version, a comprehensive summary cannot be provided here. It is recommended that each AgriLife System Administrator review and become familiar with the content themselves.
Security Life Cycle for Information Systems
The University SAP previously identified as System Development and Acquisition has been renamed to Security Life Cycle for Information Systems – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.21.pdf . The body of the document is much more extensive and includes a section for responsibilities in addition to the required procedures.
The responsibilities section now includes specific procedures that are to be performed when a system has been compromised; including reporting the condition to the University CISO.
Section 3.1 of the Security Life Cycle for Information Systems SAP specifies that all information systems should implement a recognized risk mitigation framework.
Section 3.2 of the Security Life Cycle for Information Systems SAP specifies that the data stored on the system should be classified. Section 3.2 also specifies that the security controls of the information system shall comply with the security and privacy requirements specified in the various state and federal regulations including: TAC202, Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI-DSS), and others. Other requirements added to section 3.2 include the requirement to document the design, development and implementation details for the security controls. In addition to the implementation of security controls, they are to be assessed, monitored for effectiveness, and revised as required to improve control effectiveness, changes to the system or environment and or changes in legislation, policies, regulations, rules and procedures.
Section 3.4 of the Security Life Cycle for Information Systems SAP specifies that security reviews are to be performed when the information system is modified or updated to ensure security is maintained.
Information Resources – Compromises and Vulnerabilities
The University SAP previously identified as Information Resources – Malicious code has been renamed to Information Resources – Compromises and Vulnerabilities – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.23.pdf .
Section 2 applicability – unchanged
Section 3 Prevention and Detection – unchanged except where noted
Section 3.4 – changed to storage devices from the previous version which specified diskettes and mass storage devices.
Section 3.5 – the following statement was added – where possible, the automatic update feature of the software that safeguards against malicious code shall be enabled.
Section 4 Response and Recovery – With the exception of sections 4.7 and 4.8, no new procedures were added to section 4. The numbering was revised to make more granular the requirements associated with 4.1. All procedures identified in sections 4.1-4.4 of the previous SAP are also present in sections 4.1-4.3 of the new SAP.
Section 4.7 – Section 4.7 was renumbered from the previous version and now includes a requirement to notify the Texas A&M University System CISO about the compromise and provide all available information known about the infection as well as measures taken to remediate the infection.
Section 4.8 – Section 4.8 was renumbered from the previous version and now includes the requirement for the Texas A&M University System CISO to inform the Texas State Department of Information Resources (DIR) about virus infections as maybe appropriate.
Section 4.9 – unchanged
Section 5 Authority – section five is entirely new over the previous version. It is provided below in its entirety.
5.1 The Texas A&M Chief Information Security Officer (CISO) has the authority to disable access to any network or network device that:
- is in violation of this policy;
- has demonstrated an operational hindrance or compromise to the Texas A&M network; or
- is a threat to the Internet community in general.
In such cases, the CISO shall notify a resource owner, IT custodian (listed in ISAAC), or local IT administrator (listed in NIM or ITAC) of the intent to disable from the network. In non-critical situations, the CISO will contact a resource owner, IT custodian, or local network administrator and inform them of specific actions that must be taken to avoid being disabled from the network. In any situation where the device is blocked from the network, the CISO shall use reasonable means to identify the information owner, custodian, or user. If corrective actions are not implemented, the CISO may disable service to the network.
5.2 Active Infection – Critical
5.2.1 When the CISO observes an active infection or threat that has the immediate potential to adversely affect the university network or that will result in immediate loss of confidential data, the affected network or device will be immediately disabled from the university network. The CISO will then contact resource owners, IT custodians, local network administrators, or users to advise them of the action. Access to the network will be restored when the compromise is contained or the vulnerability is closed.
5.3 Active Infection – Non-critical
5.3.1 Resource owners, IT custodians, local network administrators or users will be contacted as soon as an active infection is observed by the CISO. If no action is taken to remediate the infection, access to the Texas A&M network shall be disabled within twenty-four hours (24) after notification.
5.4 Open Vulnerability. When a vulnerability is discovered and no action is taken to remediate the situation within seventy-two (72) hours after notification, access to the Texas A&M network may be disabled. The CISO will use reasonable means to notify resource owners, IT custodians, local network administrators, or users.
5.5 Noncompliance. The CISO has the authority to disable access to the Texas A&M network for noncompliance with this SAP.
Encryption of Confidential, Sensitive and Protected Health Information
The University SAP previously identified as Encryption of Confidential and Sensitive Information has been renamed to Encryption of Confidential, Sensitive and Protected Health Information – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.31.pdf . The most obvious change is the inclusion of the Protected Health Information data for encryption.
Section 4.1 has been revised to lower the minimum standard for encryption to AES128 bit from the previous minimum of AES256 bit.
Section 4.2 unchanged
Section 4.3 unchanged
Section 4.4 was revised to state that confidential or PHI stored in a public location and directly accessible without compensating controls will also require encryption.
Section 4.4.1 has been added to state that within three years from the publication of the SAP all student grade information retained longer than twelve months must be encrypted regardless of where it resides.
Section 4.5 has been revised to include Protected Health Information (PHI).
Section 4.5.1 has been added to state that transfer of Confidential Information, PHI or sensitive documents and data is permitted using secure transfer protocols.
Section 4.6 has been revised to include PHI data encryption for content transmitted via email.
Section 4.6.1 has been added to indicate that email stores that retain communication that could include PHI or confidential/sensitive information are not required to be encrypted as a whole. However, individual messages with data classified as such will require encryption.
Section 4.6.2 has been added to indicate that email content transferred within the campus network maybe exempted provided all other state and federal requirements are addressed.
Section 4.7 in the new SAP is basically what was identified as section 4.8 from the previous version. Section 4.7 from the previous version (the prohibition of transmitting CI or sensitive info via email programs) has been removed.
Section 4.8 in the new SAP is basically the same content as section 4.4 from the previous document. The specific section deals with the sanitization process associated with retirement of computer hard drives.
Section 4.8.1 in the new SAP details how hard drives can be securely disposed of via shredding by transferring them to Texas A&M University Logistics using the E-Scrap Disposal Form
A Standard Administrative Procedure for Project Management of Information Resources was recently adopted. This new SAP is required per Texas Administrative Code 216 and applies to all unit heads and employees responsible for information resource projects at TAMU. Please see the following URL for additional details – http://rules-saps.tamu.edu/PDFs/29.01.03.M1.34.pdf.