
State of Maine
Department of Administrative and Financial Services
Office of Information Technology
Access Control Policy and Procedures (AC-1)

Table of Contents
1.0. Document Purpose ... 3
2.0. Scope ... 3
3.0. Policy Conflict ... 3
4.0. Roles and Responsibilities ... 3
5.0. Management Commitment ... 3
6.0. Coordination Among Agency Entities ... 4
7.0. Compliance ... 4
8.0. Procedures ... 4
9.0. Document Details ... 9
10.0. Review ... 9
11.0. Records Management ... 10
12.0. Public Records Exceptions ... 10
13.0. Definitions ... 10
14.0. Abbreviations ... 11
Appendix A for Approved Warning Banner Language ... 12

Access Control Policy and Procedures (AC-1)

1.0. Document Purpose
The purpose of this document is to define the State of Maine policy and procedures for implementing and maintaining appropriate access controls (see Definitions) for State information assets (see Definitions). This document corresponds to the Access Control control family of National Institute of Standards and Technology (NIST) Special Publication 800-53 (Rev. 4).

2.0. Scope
2.1. This policy applies to all State of Maine employees and contractors (collectively referred to as personnel in this document) with access to:
2.1.1. Executive Branch Agency information assets, irrespective of location; and
2.1.2. Information assets from other State government branches that use the State network.

3.0. Policy Conflict
If this policy conflicts with any law or union contract in effect, the terms of the existing law or contract prevail.

4.0. Roles and Responsibilities
4.1. Agencies
4.1.1. Ensure that any contracts for vendor-hosted or vendor-managed agency information assets adhere to any pertinent Federal regulations, State regulations, and Office of Information Technology (OIT) policies, procedures, and standards.
4.1.2. Develop and implement agency-level policy and procedures to meet additional Federal statutory requirements pertinent to agency information asset access controls.
4.1.3. Ensure that the access of any authorized user (see Definitions) to agency information assets is based on the principle of least privilege (see Definitions) and separation of duties (see Definitions).
4.1.4. Assign an agency data custodian (see Definitions) for agency information assets.
4.1.5. Develop and maintain security plans for agency information assets.
4.2. OIT
4.2.1. Assigns an owner for each information asset supported by OIT.
4.3. OIT Information Asset Owners
4.3.1. Ensure that authorized personnel access to assigned assets is based on the principle of least privilege.

5.0. Management Commitment
The State of Maine is committed to following this policy and the procedures that support it.

Page 3 of 12

6.0. Coordination Among Agency Entities
OIT coordinates with agencies to implement and maintain security controls that safeguard agency information assets from unauthorized access by individuals or devices. Active Directory accounts are established through Footprints User Request tickets.
Agencies work with their OIT application development managers, account managers, and the OIT Information Security Office to determine how access is managed and who, and under what circumstances, may access agency information assets.
Application development managers serve as owners for the agency application systems that their teams support. Requests for application access for support go through the application development managers.
Access to particular parts of the network for administrative work is approved by the information asset owners.

7.0. Compliance
For State of Maine employees, failure to comply with this document may result in progressive discipline, up to and including dismissal.
For State of Maine contractors and non-State of Maine personnel, failure to comply may result in removal of the individual's ability to access, and use, State of Maine data and systems. Employers of contractors will be notified of any violations.
Personnel are also subject to any applicable penalties for statutory requirements compliance violations. Depending on the requirement, and the nature of the violation, penalties could include fines and/or criminal charges.

8.0. Procedures
The following procedures serve as the base requirements for State of Maine information assets. They represent the security controls established to provide an acceptable level of protection from unauthorized system access.

8.1. Access Control Procedures for Users
8.1.1. User access control procedures are identified separately in Access Control Procedures for Users (AC-2).[1] They include account management (AC-2), access enforcement (AC-3), separation of duties (AC-5), least privilege (AC-6), remote access (AC-17), wireless access (AC-18), and access control for mobile devices (AC-19).

8.2. Information Flow Enforcement (AC-4)
8.2.1. Agencies must ensure that agency information assets enforce approved authorizations for controlling the flow of information within the system and between interconnected systems that are consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards,

1 …essControlProceduresForUsers.pdf

8.2.1.1. The flow of information traverses OIT-managed infrastructure assets (firewall, virtual private network (VPN), multilayer switches, and router devices) that employ protocols restricting information asset services.
8.2.1.2. The flow of information within systems and between systems is partially controlled through OIT-managed firewalls, with rules that, by default, deny all outside traffic entry to the State network.
8.2.1.2.1. OIT, in collaboration with external entities, establishes dedicated VPNs to control the flow of information to and from approved foreign networks and cloud providers.
8.2.1.2.2. OIT implements demilitarized zones (see Definitions) to limit inbound traffic to information assets that provide authorized, publicly accessible services, protocols, and ports. Inbound internet traffic is limited to internet protocol addresses within the demilitarized zone.
8.2.1.3. The flow of information within systems and between systems is controlled, in part, through OIT-managed routers and multilayer switches that use protocols to, by default, deny information asset access.
8.2.1.3.1. Access control lists are utilized to filter and control network traffic and as the basis for flow control decisions.
8.2.1.3.2. Network diagrams that document information asset flow and interconnected systems on the State network are developed and maintained by OIT.
8.2.2. By default, auto-forwarding any Maine.Gov email to a domain other than Maine.Gov is prohibited. Should there be a compelling business reason to do so, the request must be processed through a waiver.

8.3. Unsuccessful Logon Attempts (AC-7)
8.3.1. Agencies must ensure that agency information assets enforce the following rules, with the number, time period, and duration of events defined in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance:
8.3.1.1. A limit of (a defined number) consecutive invalid login attempts by a user, during (a defined time period); and
8.3.1.2. The user is locked out of the account (for a defined duration) when the maximum number of login attempts is exceeded.
8.3.2. OIT enforces a limit of three consecutive invalid login attempts by a user (over any time period). Accounts are automatically locked for 15 minutes when Active Directory users exceed the maximum number of login attempts.
8.3.2.1. These standards are enforced by group policy for all Active Directory users and extend to information assets that utilize Active Directory.

8.3.2.2. Agency information assets that do not leverage Active Directory must use alternative mechanisms to ensure compliance with these standards.

8.4. System Use Notification (AC-8)
8.4.1. Agencies must ensure that a system use notification is displayed to users and that it is consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
8.4.1.1. OIT requires an Acceptable Use of State Resources banner (Active Directory banner) be displayed that identifies usage considerations for all local and remote State of Maine domain users.
8.4.1.1.1. The State of Maine requires notice that the system may contain Maine State and U.S. Government information, notice of the pornography restriction, and notice of the incidental-use policy to be in the Active Directory banner.
8.4.1.1.2. The Active Directory banner remains displayed until the user acknowledges the usage conditions prior to State domain access being granted. Acknowledgment can be by clicking an OK button or by pressing the Enter key.
8.4.1.1.3. Where required, OIT systems that do not use Active Directory will display a warning banner that contains the same content as the Active Directory banner. See Appendix A for Approved Warning Banner Language.
8.4.1.2. Agencies define required banners, banner content, and user acknowledgement for their agency information assets (including publicly accessible systems) and associated components to be consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
8.4.1.2.1. OIT asset owners implement, where technically possible and to the extent possible, identified agency banners, banner content, and user acknowledgement.
8.4.1.2.2. This includes banners for end users (such as business application users) and banners for privileged users (see Definitions) (for example, database, server, operating system, and network administrators).

8.5. Concurrent Session Control (AC-10)
8.5.1. Agencies must identify any required concurrent session controls for agency information asset end users that are consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

8.6. Session Lock (AC-11, AC-11(1))
8.6.1. Agencies must ensure that required device-lock controls for agency information assets are implemented and are consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
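For agency information assets that do not use Active Directory (8.3.2.2), the OIT standard in 8.3.2 has to be reproduced inside the asset itself. The Python implementation below is an added example, not code from the policy or from OIT: it counts consecutive invalid attempts with no observation window, locks the account for 15 minutes on the third failure, refuses attempts while locked, and resets the count after a success or once the lock expires. The in-memory credential store, the user name and the timestamps are constructed for the demonstration.

```python
"""Account lockout for an information asset that does not use Active Directory.

Added example, not part of the State of Maine policy document. It implements the
OIT standard in 8.3.2 as the "alternative mechanism" 8.3.2.2 calls for: three
consecutive invalid login attempts, counted over any time period (no observation
window), lock the account for 15 minutes. The credential store is a constructed
in-memory dictionary standing in for whatever the real asset would check.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_CONSECUTIVE_FAILURES = 3              # 8.3.2: three consecutive invalid attempts
LOCKOUT_DURATION = timedelta(minutes=15)  # 8.3.2: automatic 15-minute lock
EXAMPLE_START = datetime(2021, 9, 17, 9, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    """Tracks consecutive failures per account and enforces the lock."""

    def __init__(self, credentials: Dict[str, str]) -> None:
        self._credentials = credentials          # constructed sample store
        self._state: Dict[str, AccountState] = {}

    def _credentials_valid(self, user: str, password: str) -> bool:
        # Hypothetical stand-in for the asset's real authentication check.
        return self._credentials.get(user) == password

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def attempt_login(self, user: str, password: str, now: datetime) -> str:
        """Returns "ok", "invalid" or "locked" for one login attempt made at `now`."""
        st = self._state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"       # refused even if the password is right
            st.locked_until = None    # lock has expired: start counting afresh
            st.consecutive_failures = 0
        if self._credentials_valid(user, password):
            st.consecutive_failures = 0   # a success breaks the consecutive run
            return "ok"
        st.consecutive_failures += 1      # no time window: failures never age out
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "invalid"


def demonstrate() -> List[str]:
    """Walks one account through failure, lock, refusal, expiry and recovery."""
    policy = LockoutPolicy({"jdoe": "correct horse battery staple"})  # constructed
    t = EXAMPLE_START
    good = "correct horse battery staple"
    return [
        policy.attempt_login("jdoe", "wrong1", t),
        policy.attempt_login("jdoe", "wrong2", t + timedelta(hours=6)),   # no window
        policy.attempt_login("jdoe", "wrong3", t + timedelta(days=2)),    # third: lock
        policy.attempt_login("jdoe", good, t + timedelta(days=2, minutes=5)),   # still locked
        policy.attempt_login("jdoe", good, t + timedelta(days=2, minutes=15)),  # expired
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(demonstrate(), 1):
        print(f"attempt {step}: {outcome}")
```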

8.6.2. OIT initiates a device lock after 15 minutes of inactivity, or upon receiving a request from a user. This standard is enforced by group policy for all Active Directory users.
8.6.2.1. The device lock is maintained until the user reestablishes access by providing identification and authentication credentials.
8.6.3. Agencies must ensure that the information asset device lock conceals information visible on the display by replacing it with a publicly viewable image.
8.6.4. OIT implements a screen saver group policy for all Active Directory users, whereby the information visible on the screen is concealed and replaced with a publicly viewable image when the device lock is activated.

8.7. Session Termination (AC-12)
8.7.1. Agencies must define session termination requirements for their agency information assets that are consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
8.7.2. OIT implements user session termination at the information asset level. For example, secure file transfer protocol, Unix, and network all have session termination controls in place, whereby all processes associated with a user's logical session (except processes specifically created by the user to continue after the session) are terminated after fifteen minutes of inactivity.
8.7.3. OIT application owners implement required agency-identified session termination controls at the application level.

8.8. Permitted Actions Without Identification or Authentication (AC-14)
8.8.1. Agencies must identify and appropriately document actions that can be performed on agency information assets and agency websites without identification or authentication that are consistent with organizational missions and business functions and with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
8.8.2. The following do not currently require identification or authentication:
8.8.2.1. By statute, the Maine.gov portal is open to the public by default.
8.8.2.1.1. Depending on the sensitivity of content and functionality offered, agencies may elect to require authentication and/or identification for access to agency information assets and agency websites.
8.8.2.2. OIT manages three sets of publicly accessible devices:
8.8.2.2.1. Department of Health and Human Services - My Maine Connection public devices;
8.8.2.2.2. Maine State Library public devices; and

8.8.2.2.3. Department of Labor Career Center public devices.
8.8.2.3. OIT does not verify phone calls. The State of Maine does not transact business based solely on caller identity.

8.9. Use of External Information Assets (AC-20, AC-20(1), AC-20(2), AC-20(3))
8.9.1. Agencies must ensure that terms and conditions established are consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information assets, allowing authorized individuals to:
8.9.1.1. Access the information asset from external information assets; and
8.9.1.2. Process, store, or transmit agency-controlled information, using external information assets.
8.9.1.3. OIT has a detailed Remote Hosting Policy[2] that establishes requirements and responsibilities for remote-hosted State of Maine information assets.
8.9.2. Agencies must permit authorized individuals to use an external information asset to access the information asset or to process, store, or transmit agency-controlled information only when the implementation of required security controls is verified or when approved information asset connection or processing agreements are in place that are consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
8.9.2.1. OIT has a detailed Remote Hosting Policy[2] that establishes default requirements and responsibilities for remote-hosted State of Maine information assets.
8.9.3. Agencies must restrict the use of agency-controlled portable storage devices by authorized individuals on external information assets, as consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
8.9.3.1. By default, OIT does not implement portable storage device restrictions but has the capability to implement agency-defined restrictions for the information assets it manages.
8.9.4. Agencies must restrict the use of nonorganizationally owned information assets, or devices to process, store, or transmit agency information, as is consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
8.9.4.1. The OIT Mobile Device Policy[3] prohibits State of Maine employees and contractors from connecting any new personal devices (see Definitions) not owned by the State of Maine or an approved … to any State of Maine system for any reason (for example, charging, data transfer, internet access).

8.10. Information Sharing (AC-21)
8.10.1. Agencies must ensure any information sharing includes protections consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
8.10.2. Authorized users of a particular data type may share data only with other individuals, groups, and organizations authorized to receive that data type.

8.11. Publicly Accessible Content (AC-22)
8.11.1. In managing publicly accessible content, agencies:
8.11.1.1. Designate personnel authorized to post information onto a publicly accessible agency information asset;
8.11.1.2. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
8.11.1.3. Review the proposed content of information prior to posting onto the publicly accessible information asset to ensure that nonpublic information is not included; and
8.11.1.4. Review the content on the publicly accessible information asset for nonpublic information at agency-defined intervals and remove any nonpublic information.
8.11.2. Agencies designate webmasters or web coordinators to manage the publicly accessible content on their agency websites.
8.11.2.1. Agencies authorize these individuals, and InforME grants agency-authorized access for agency personnel who manage publicly accessible content on the Maine.gov portal.

9.0. Document Details
Initial Issue Date: August 19, 2019
Latest Revision Date: September 17, 2021
Point of Contact: [email protected]
Approved By: Chief Information Officer, OIT
Legal Citation: Title 5, Chapter 163: Office of Information Technology[4]
Waiver Process: Waiver Policy[5]
Distribution: Internet[6]

10.0. Review
This document will be reviewed annually, and when substantive changes are made to Policies, Procedures, or other authoritative regulations affecting this document.

3 …/MobileDevicePolicy.pdf
5 …s/maine.gov.oit/files/inline-files/waiver.pdf
6 https://www.maine.gov/oit/policies-standards

11.0. Records Management
OIT security policies, plans, and procedures fall under the Routine Administrative Policies and Procedures and Internal Control Policies and Directives records management categories. They will be retained for 3 years and then destroyed in accordance with guidance provided by Maine State Archives. Retention of these documents will be subject to any future State Archives General Schedule revisions that cover these categories.

12.0. Public Records Exceptions
Under the Maine Freedom of Access Act (FOAA), certain public records exceptions may limit disclosure of agency records related to information technology infrastructure and systems, as well as to security plans, procedures, or risk assessments. Information contained in these records may be disclosed to the Maine State Legislature or, in the case of a political or administrative subdivision, to municipal officials or board members under conditions that protect the information from further disclosure. Any aggrieved person seeking relief for an alleged violation of the FOAA may bring suit in any Superior Court in the State.

13.0. Definitions
13.1. Access control: The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (for example, Federal buildings, military establishments, border crossing entrances).
13.2. Agency data custodian: Agency official who, based on his or her position, is fiduciary owner of specific agency information assets. For instance, the Labor Bureau of Unemployment Compensation Director (or designee) is the Agency Data Custodian for Unemployment Compensation Information Assets, and the Department of Health and Human Services Office of Family Independence Director (or designee) is the Agency Data Custodian for Benefits Information Assets.
13.3. Authorized user: An individual who has approved access to an information asset to perform job responsibilities.
13.4. Demilitarized Zone: A host or network segment inserted as a "neutral zone" between an organization's private network and the Internet.
13.5. Information assets: The full spectrum of all information technology products, including business applications, system software, development tools, utilities, appliances, and so forth.
13.6. Personal Devices: Include the following categories:
13.6.1. Portable cartridge or disk-based, removable storage media (for example, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards or drives that contain nonvolatile memory);

13.6.2. Portable computing and communication devices with information storage capability (for example, notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices); and
13.6.3. Any other mobile computing device small enough to be easily carried by an individual, able to wirelessly transmit or receive information, and having local, nonremovable data storage and a self-contained power source.
13.7. Personally Identifiable Information (PII): information that can be used to distinguish or trace the identity of an individual (for example, name, social security number, biometric records, and so forth) by itself or when combined with other personal or identifying information that is linked or linkable to a specific individual (such as date and place of birth, mother's maiden name, and so on). It also includes personal information protected from disclosure under Federal or State privacy laws.[7]
13.8. Principle of Least Privilege: A security principle whereby users are assigned the minimum access necessary to perform their job responsibilities. Access is granted for the shortest duration possible.
13.9. Privileged User: A user who is granted rights that go beyond those of a typical business user to manage and maintain IT systems. Usually, these rights include administrative access to networks and devices and are separate from users' administrative access to their own workstations.
13.10. Sensitive information: Information that has the potential to cause great harm to an individual, government agency, or program if abused, misused, or breached. Sensitive information may include PII, which is protected against unwarranted disclosure. Violations typically carry specific criminal and civil penalties for an individual convicted of unauthorized access, disclosure, or misuse of sensitive information (for example, Federal tax, protected health, criminal justice, or social security information). Protection of sensitive information usually involves specific classifications or legal precedents that provide special protection for legal and ethical reasons.
13.11. Separation of duties: A security principle that divides critical functions among staff members to ensure that no one individual has enough information or access privilege to perpetrate damaging fraud (i.e., no user should be given enough privileges to misuse the system on their own).

14.0. Abbreviations
14.1. FOAA: [Maine] Freedom of Access Act
14.2. OIT: Office of Information Technology
14.3. VPN: virtual private network

7 https://csrc.nist.gov/glossary

Appendix A for Approved Warning Banner Language

Used for systems that do not have space constraints for the banner. Banner displayed at sign-on to a State of Maine computer:

This is a Maine State Government computer system. It may contain Maine State and U.S. Government information. This system, and all related equipment and network, including access to the Internet, are provided for authorized Maine State Government use ONLY. Any personal use must be of an incidental nature, and not interfere with Maine State Government business. Unauthorized access, use, misuse or modification of this system is strictly prohibited and may subject you to state and federal criminal prosecution and penalties, as well as civil penalties and other adverse administrative action. These systems are monitored and audited for many purposes, including protecting against unauthorized usage, and ensuring the security and optimal functioning of the Maine State Government network. At any time, the government may intercept, search, and seize any communication or data transiting or stored on this system. By using this system, you are consenting to system monitoring for law enforcement and other purposes.

State employees shall NOT use Maine State Government computer systems to access, or download, or otherwise view, or transmit, pornographic material. This prohibition applies irrespective of whether the employee is on or off-duty, and regardless of whether the access is incidental in nature. Violation of this work rule constitutes just cause for dismissal from employment.

SELECTING PROCEED CONSTITUTES ACCEPTANCE OF TERMS OF USE.

Banner for systems that have limited display space:

WARNING! THIS SYSTEM CONTAINS U.S. GOVERNMENT INFORMATION. BY ACCESSING AND USING THIS COMPUTER SYSTEM, YOU ARE CONSENTING TO SYSTEM MONITORING FOR LAW ENFORCEMENT AND OTHER PURPOSES. UNAUTHORIZED USE OF, OR ACCESS TO, THIS COMPUTER SYSTEM MAY SUBJECT YOU TO STATE AND FEDERAL CRIMINAL PROSECUTION AND PENALTIES AS WELL AS CIVIL PENALTIES.
