Purpose
The purpose of this guideline is to describe information security standards for the System and Information Integrity processes relevant to Anne Arundel Community College ("College") Information and Instructional Technology (“IIT”) Resources, as defined by the System and Information Integrity Information Technology Requirement (ITR).
Scope
This guideline is adopted to implement the System and Information Integrity ITR.
This guideline applies to system custodians and authorized users of AACC systems. Users are responsible for reading, understanding and behaving in a manner consistent with these guideline and other related requirements pertaining to the College’s Information Technology Resources.
Definitions
Definitions contained in the System and Information Integrity Information Technology Requirements (ITR) apply to this guideline.
System and Information Integrity Guidelines
1. Identify, report and correct system flaws in a timely manner.
1.1 Identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws.
1.2 Reports identified system flaws to the security team and appropriate remediation team.
1.3 Hold standing meetings for servers, workstation and phone system to remediate identified system flaws.
1.4 Security-relevant updates include patches, service packs, hot fixes and antivirus signatures will be implemented on the set downtime schedules.
1.5 Report and remediate flaws discovered during security assessments, continuous monitoring, incident response activities and system error handling to the security team and appropriate remediation team.
1.6 Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation.
1.7 Install security-relevant software and firmware updates within one month of the release of the updates or flaw identification.
1.8 Incorporate flaw remediation into the configuration management process.
1.9 Execute the appropriate incident response measures.
2. Provide protection from malicious code
2.1 AACC will detect malicious code at system entry, within the system, and system exit points. Tools for malicious code detection include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, and mobile devices.
2.2 Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography.
2.3 Malicious code can be inserted into systems in a variety of ways including web accesses, email, email attachments and portable storage devices. Malicious code insertions can occur through the exploitation of system vulnerabilities.
2.4 Malicious Code Protection
2.4.1 Implement signature-based and nonsignature-based malicious code protection mechanisms, as appropriate, at system entry and exit points to detect and eradicate malicious code.
2.4.2 Automatically update malicious code protection mechanisms on endpoints (servers, workstations, mobile devices).
2.4.3 Configure malicious code protection mechanisms to:
2.4.4 Perform periodic scans of the endpoints: weekly for a full scan and real-time scans as the files are downloaded, opened, or executed.
2.4.5 Block or quarantine malicious code and send alert to the Security Team, in response to malicious code detection.
2.4.6 Analyze false positives and the impact on the availability of the endpoint.
2.5 Memory Protection
2.5.1 Implement signature-based and nonsignature-based malicious code protection mechanisms, as appropriate, at system entry and exit points to detect and eradicate malicious code.
2.6 Traditional malicious code protection mechanisms cannot always detect such code. In these situations, the College will rely instead on other safeguards including:
2.6.1 Secure coding practices
2.6.2 Configuration management and control
2.6.3 Trusted procurement processes
2.6.4 Monitoring practices to help ensure that software does not perform functions other than the functions intended
2.7 Spam Protection
2.7.1 Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages.
2.7.2 Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy/requirement and procedures/guidelines.
2.8 Execute the appropriate incident response procedures.
3. Monitor Security Alerts, Advisories and Directives.
3.1 AACC will utilize various publicly available sources of system security alerts and advisories. At a minimum, AACC will monitor:
3.1.1 The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations.
3.1.2 Software vendors, subscription services and industry Information Sharing and Analysis Centers (ISACs) also provide security alerts and advisories.
3.1.3 Receive system security alerts, advisories and directives from a system’s manufacturer on an ongoing basis.
3.1.4 Disseminate security alerts, advisories, and directives to the IIT organization, as required. Inform the college users, as necessary.
3.1.5 Implement security directives in accordance with recommended time frames in a risk-based manner.
3.1.6 IIT personnel will monitor automated system security and error alerts distributed through email and text notifications.
3.1.7 Systems will generate error messages, displayed to the users, that provide information necessary for corrective actions without revealing information that could be exploited.
3.2 Execute the appropriate incident response measures.
4. Perform scans of organizational systems
4.1 Conduct periodic scans of College systems using Tenable system.
4.1.1 Servers will be scanned for vulnerabilities by Tenable systems twice a month, whether on premise or in Azure.
4.1.2 Workstations on premise will be scanned twice a month for vulnerabilities by Tenable systems.
4.1.3 Tablets used by faculty, staff and students will not be scanned, unless brought to the campus and plugged into the wired network during a normal scanning window.
4.1.4 Mobile devices will not be scanned.
4.1.5 Websites will be scanned using SSLLabs and third-party contracted services.
4.1.6 As required, systems will be scanned for compliance with configurations using Tenable or other suitable tools.
4.1.7 As required, scans will include PCI compliance.
4.2 Conduct periodic scans to detect malicious code using the selected desktop antimalware suite.
4.2.1 Microsoft Defender will conduct a full system scan at least weekly.
4.2.2 Microsoft Defender will provide device vulnerability information to administrative dashboards.
4.3 Conduct real-time scans of files from external sources using the selected desktop antimalware suite.
4.3.1 Microsoft Defender will conduct scans for files on removable media when the media is inserted into the computer.
4.3.2 Microsoft Defender will conduct on-demand scans on files when the file is read or written to media.
4.4 Execute the appropriate incident response measures.
5. Monitor AACC systems to detect attacks and indicators of potential attacks.
5.1 Configure each system to collect and report essential information.
5.2 Monitor status of systems and components using Solarwinds, MECM, JAMPF, or other appropriate tools.
5.3 Monitor systems to detect:
5.3.1 High CPU utilization
5.3.2 Out of memory conditions
5.3.3 Services not running
5.3.4 UP/DOWN
5.3.5 Not communicating
5.3.6 Unauthorized local, network and remote connections
5.4 Where applicable, configure systems to invoke internal monitoring capabilities or deployed monitoring devices.
5.5 Store log data for one year for analysis of system operating performance.
5.6 Send log data to appropriate SIEMs and log analytic tools.
5.7 Analyze detected events and anomalies.
5.8 Execute the appropriate incident response measures.
5.9 Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the nation.
5.10 Consult with AACC legal counsel regarding system monitoring for ediscovery requirements.
6. Identify unauthorized use of AACC systems.
6.1 Use monitor data and alerts to identify unauthorized use of systems.
6.2 Use SIEM reports to compare with authorized activity to identify unauthorized use.
6.3 Report unauthorized use to the security team.
6.4 Execute the appropriate incident response measures.
7. Implement risk-based security controls that ensure the confidentiality, integrity, availability and resilience of the College systems, from NIST 800-171 and 800-172.
7.1 Implement the concept of Least Privilege
7.1.1 Implement role-based privileges.
7.1.2 User accounts do not perform functions and operations that require elevated privileges.
7.1.3 Administrative privileges are limited to the minimum number of accounts.
7.1.4 Accounts with higher privilege are different for on premise systems and cloud-based systems.
7.2 Change Management
7.2.1 Follow approved AACC Change Management process identified in PRO-ChangeManagementSOP.pdf
7.3 Information Input Validation
7.3.1 AACC developed code and forms will check the validity of the following information inputs:
7.3.1.1 Format for Name
7.3.1.2 UserID
7.3.1.3 AACC ID
7.3.1.4 Password
7.3.1.5 Format of Date of Birth
7.3.1.6 Format of SSN
7.3.1.7 Format of Address, City, State, Zip
7.3.1.8 Format of IP Address
7.3.1.9 Age
7.3.1.10 Sex
7.4 Predictable Failure Prevention
7.4.1 Determine mean time to failure (MTTF) for critical systems.
7.4.2 Have maintenance contracts for critical systems with less than 24 hour repair and on-site support.
7.4.3 For critical systems, have substitute system components on hand and a means to exchange active and standby components.
7.5 Security and Privacy Function Verification
7.5.1 Verify the correct operation of security and privacy functions.
7.5.2 Perform, as needed, the verification of the functions specified upon command by user with appropriate privilege.
7.5.3 Alert the director of Information Security to failed security and privacy verification tests.
7.5.4 Shut the system down, restart the system, or quarantine the system when anomalies are discovered
7.6 Information Output Filtering
7.6.1 Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content:
7.6.1.1 Tenable vulnerability results with defender vulnerability results
7.6.1.2 MECM system status with defender system status
7.6.1.3 Solar Winds with system reports
7.6.1.4 Active Directory with Azure Entra
7.6.1.5 Fischer database with Active Directory
7.6.1.6 Fischer database with Colleague database
7.6.1.7 Active Directory with Colleague database
7.7 Tainting
7.7.1 Configure Varonis to determine if College data has been exfiltrated or improperly removed from the organization.
7.7.2 Configure Varonis to categorize sensitivity of stored data.
7.7.3 Configure Varonis to identify file modifications (changes, copy, rename, delete)
Exemptions
Exceptions to these guidelines should be submitted to the director of Infrastructure Services. If an exception is granted a compensating control or safeguard should be documented and approved.
Contingencies
None
Review Process
Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.
Guideline Title: System and Information Integrity Guideline
Guideline Owner: Vice President for Information and Instructional Technology
Guideline Administrator: Director, Infrastructure Services
Contact Information: Michael Rees, marees@aacc.edu
Approval Date: Jan. 8, 2024
Effective Date: Jan. 8, 2024
History: Adopted November 2023
Applies to: Faculty and Staff
Related Policies: Acceptable Use of Information Technology Resources Policy
Related Procedures: Acceptable Use of Information Technology Resources Procedures
Related Guidelines:
Forms: N/A
Relevant Laws: