MCN (ORGANIZATION'S NAME) Guideline / Policy 005.11.01 / 005.03.01

Information Technology: Change Management / Intrusion Detection Management (DRAFT)

Subsections: 005.11.01.01 (Intrusion Detection Management); 005.03.01.01 – 005.03.01.04 (Change Management)

Scheduled Change, Unscheduled Change, Emergency Change, Disciplinary Actions, Dissemination, Amendment, Roles of Board and Management

Area: / Approved By: / Most Recent Approval Date:
Corporate Governance Policy / Board of Directors / NEW
Corporate Functions Guideline / CEO / Aug 28, 2007 (NEW)
Financial Functions Guideline / CFO
Clinical Functions Guideline / CMO
First Approval Date: Aug 28, 2007 / Next Review Due: 2009
Dates Reviewed: / Dates Revised:
Dates Revisions Announced to Staff: December 10, 2007
Purpose: / Intrusion detection provides two important functions in protecting information resources:
  • Feedback: information as to the effectiveness of other components of the security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working. Note that this holds only when the detection system itself is verified to be running, correctly configured, and covering the relevant systems and traffic; an absence of alerts from an unmonitored or misconfigured sensor indicates nothing.
  • Trigger: a mechanism that determines when to activate planned responses to an intrusion incident.
The purpose of the Change Management policy is to manage changes in a rational and predictable manner so that staff and clients can plan accordingly. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce negative impact to the user community and to increase the value of Information Resources.

Mandated by: / Funding Sources, Internal Controls
Applies to: / MCN (ORGANIZATION'S NAME) Information Resources and all individuals who install, operate, maintain or use them
Definitions: /
  • Information Resources (IR): Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
  • Security Incident: In information operations, an assessed event of attempted entry, unauthorized entry, or an information attack on an automated information system. It includes unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the users' knowledge, instruction, or intent.
  • Information Attack: An attempt to bypass the physical or information security measures and controls protecting an IS. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
  • Information Operations: Actions taken to affect adversary information and information systems while defending one’s own information and information systems.
  • Information Resources Manager (IRM): Responsible for management of MCN (ORGANIZATION'S NAME)'s information resources. The designation of an MCN information resources manager is intended to establish clear accountability for setting policy for information resources management activities, provide for greater coordination of MCN (ORGANIZATION'S NAME)'s information activities, and ensure greater visibility of such activities within and between MCN departments. The IRM has been given the authority and the accountability to implement Security Policies, Procedures, Practice Standards and Guidelines to protect the Information Resources of MCN (ORGANIZATION'S NAME). If MCN (ORGANIZATION'S NAME) does not designate an IRM, the title defaults to MCN (ORGANIZATION'S NAME)'s CEO, and the CEO is responsible for adhering to the duties and requirements of an IRM.
  • Server: A computer program that provides services to other computer programs in the same, or another, computer. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.
  • Host: A computer system that provides computer service for a number of users.
  • Information Security Manager (ISM): Responsible to the IRM for administering the information security functions within MCN (ORGANIZATION'S NAME). The ISM is MCN (ORGANIZATION'S NAME)'s internal and external point of contact for all information security matters.
  • Information Services (IS): The name of the MCN(ORGANIZATIONS NAME) department responsible for computers, networking and data management.
For more information: / n/a

Text of Policy / Guideline:

The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies and guidelines, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents.

All users of MCN's information and technology resources must take responsibility for, and accept the duty to, actively protect information and technology assets. This includes taking responsibility to be aware of, and adhere to, all relevant policies and standards. MCN uses information technologies to support employees and other authorized users to work efficiently in delivering services. Proper use of these technologies assists in the daily management of information, saves time and money, reduces administrative overhead and improves service delivery. The technologies include, but are not limited to, information systems, services (e.g., web services; messaging services); computers (e.g., hardware, software); and telecommunications networks and associated assets (e.g., telephones, facsimiles, cell phones, laptops). Improper use may jeopardize the confidentiality, integrity and availability of MCN's information and technology assets, and may put personal information protection, security or service levels at risk.

The MCN Change Management Policy applies to all individuals who install, operate or maintain Information Resources. From time to time each Information Resource element requires an outage for planned upgrades, maintenance or fine-tuning. Additionally, unplanned outages may occur that result in upgrades, maintenance or fine-tuning.

Intrusion Detection Guideline

  • Operating system, user accounting, and application software audit logging processes must be enabled on all host and server systems.
  • Alarm and alert functions of any firewalls and other network perimeter access control systems must be enabled.
  • Audit logging of any firewalls and other network perimeter access control system must be enabled.
  • Audit logs from the perimeter access control systems must be monitored/reviewed daily by the system administrator.
  • System integrity checks of the firewalls and other network perimeter access control systems (for example, comparing the current configuration and system files against a known-good baseline) must be performed on a routine basis.
  • Audit logs for servers and hosts on the internal, protected network must be reviewed on a weekly basis. The system administrator will furnish any audit logs as requested by the ISM.
  • Host-based intrusion detection tools must be checked on a routine basis.
  • All trouble reports should be reviewed for symptoms that might indicate intrusive activity.
  • All suspected or confirmed instances of successful or attempted intrusions must be immediately reported according to the Incident Management Guideline.
  • Users shall be trained to report any anomalies in system performance and signs of wrongdoing to the ISM.

005.11.01.01 - Disciplinary Actions

Violation of this guideline may result in disciplinary action that may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of MCN (ORGANIZATION'S NAME) Information Resources access privileges, civil, and criminal prosecution.

Change Management: The process of controlling modifications to hardware, software, firmware, and documentation to ensure that Information Resources are protected against improper modification before, during, and after system implementation.

Change: any of the following:
  • Any implementation of new functionality
  • Any interruption of service
  • Any repair of existing functionality
  • Any removal of existing functionality

Change Management Policy

Every change to an MCN Information Resource, such as operating systems, computing hardware, networks, and applications, is subject to the Change Management Policy and must follow the Change Management Procedures.

All changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) need to be reported to or coordinated with the COO.

A Change Management Committee, appointed by IS Leadership, will meet regularly to review change requests and to ensure that change reviews and communications are being satisfactorily performed.

A formal written change request must be submitted for all changes, both scheduled and unscheduled.

All scheduled change requests must be submitted in accordance with change management procedures so that the Change Management Committee has time to review the request, determine and review potential failures, and make the decision to allow or delay the request.

Each scheduled change request must receive formal Change Management Committee approval before proceeding with the change.

The appointed leader of the Change Management Committee may deny a scheduled or unscheduled change for reasons including, but not limited to: inadequate planning; inadequate back-out plans; timing that would negatively impact a key business process such as year-end accounting; or the inability to have adequate resources readily available. Adequate resources may be a problem on weekends, holidays, or during special events.

Customer notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedures.

A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not.

A Change Management Log must be maintained for all changes. The log must contain, but is not limited to:
  • Date of submission and date of change
  • Owner and custodian contact information
  • Nature of the change
  • Indication of success or failure

All MCN information systems must comply with an Information Resources change management process that meets the standards outlined above.

005.03.01.01 - Scheduled Change: A change for which formal notification has been received, reviewed, and approved by the review process in advance of the change being made.

005.03.01.02 - Unscheduled Change: A change for which notification was not presented to the formal process in advance of the change being made. Unscheduled changes are acceptable only in the event of a system failure or the discovery of a security vulnerability.

005.03.01.03 - Emergency Change: An immediate response to an imminent critical system failure, made before formal authorization can be obtained, where the response is needed to prevent widespread service disruption.

005.03.01.04 - Disciplinary Actions

Violation of this policy may result in disciplinary action that may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of MCN Information Resources access privileges, civil, and criminal prosecution.

005.00.01.01 – Dissemination of IT Policies & Guidelines

MCN IT policies and guidelines will be posted in an online format on the MCN website. New staff members are required to read the IT policies and guidelines within two weeks (fourteen calendar days) of their start with MCN. The online system will record which policies have been accessed by each employee. Accessing a policy implies that the staff member has read and agrees with the policy. Staff members who are required to review the IT policies and do not do so within two weeks (fourteen calendar days) of their start with MCN may face disciplinary procedures.

When policies are added or modified, existing MCN staff will be notified through two mechanisms:
  • Announcement of the new or modified policy at a meeting of the administrative or financial team
  • Announcement of the new or modified policy via an email sent to the administrative or financial team

In order to document which staff were notified, a copy of the meeting minutes (including names of all staff present) and a copy of the email (including names of all staff to whom it was sent) will be attached to the official copy of the policy stored in the MCN CEO’s office.

Modified policies will be posted to the secure section of the web site and applicable staff members will be required to review them within two working days. Staff members who do not review the new or revised policy or guideline within two working days may face disciplinary procedures.

003.00.01.02 – Amendment or Addition of IT Policies & Guidelines

IT policies and guidelines are reviewed on a regular basis. The most recent policies and guidelines supersede and rescind all previous IT policy and guideline statements, and become the official policy statements of MCN. IT policies and guidelines are reviewed every two years (24 months from the date of last review or amendment). Policies and guidelines are reviewed by the board of directors or the member of management who approved the previous version of the policy.

Amendments or additions to corporate governance policies may be recommended at any regular meeting of the Board, the Executive Committee, or its designated committee.

After study by the Board, the Executive Committee or its designated committee, and after the CEO has had the opportunity to review and comment, the amendment or addition may be passed by a simple majority of the Board at any regular meeting or through the online Board Forum

Amendments or additions to corporate function guidelines are made at the discretion of the CEO in consultation with the staff Senior Management team, the Board, employees and/or contractors, as necessary.

Amendments or additions to Information Technology guidelines are made at the discretion of the CFO, in consultation with the CEO, the Board, employees and/or contractors, as necessary.

003.00.01.03 – Roles of Board and Management

The Board of Directors is responsible for the financial soundness of the MCN programs, including the provision of financial support and the oversight of program expenditures. The Board approves the annual operating budget, as recommended by the Chief Financial Officer (CFO), and reviews and approves financial reports prepared by the CFO twice a year. In addition, the Executive Committee of the Board reviews and approves the monthly financial reports. The expenditure of funds for the acquisition or rehabilitation of real estate is subject to prior specific Board approval.

The Board is responsible for initiating, promoting, and participating in the development of financial support for MCN programs.

The Board appoints an Audit / Financial Committee to oversee MCN’s financial operations (see policy 003.11.01, “Audit / Financial Committee”).

The responsibility for implementing the Information Technology policies lies with the administrative staff, the CEO, and the Executive Committee of the Board of Directors.
