Oversight Committee Meeting Agenda
January 16, 2013 – 2:30 p.m.
Jesse Lowe Conference Room – 3rd Floor, Civic Center
1819 Farnam Street, Omaha, NE 68183
As required, please be advised that a copy of the rules of the Open Meetings Act as amended by LB898 is located in the
folder on the north wall of the Jesse Lowe Conference Room and assistance will be provided for anyone needing help.
1. Call to Order
2. Approval of minutes from December 13, 2012 meeting
3. Standing Business
• IT Service Management – Stangl
• Master Service Agreement Update
o Small Group Working Sessions Scheduled
• Projects – Svevad
• Security – Kruse
• Financial – Kruse/Schaefer
• Organization – Kruse
• Innovation – Kruse
4. New Business
• Coventry 2013 Renewal (Resolution for Ratification) – Kruse
• Scanning Policy (Request for Approval) – Kruse
• Password Policy (Request for Approval) – Kruse
5. Public Comments
6. Next Regular Meeting – February 20, 2013 (2:30-4:00 p.m.) Jesse Lowe Conference Room, Civic Center
7. Executive Session for the purpose of discussing personnel and legal issues in conformance with Nebraska Rev. Stat. 84-1410(d).
8. Adjourn
Project Status Report
As of: January 2, 2013
Summary Update: Overall Status
Parking page is nearing completion. Sewer Maintenance page is scheduled next. Traffic is next in queue. Intermediate schedule is being updated. No risk to project.
Status Legend: G = as planned; Y = corrective action plan; R = management attention required
Major Milestones:
 #   Milestone                              Org Date   New Est    % Comp   Status   Risk Key
 1   Parking Web Page                       12/27/12   01/07/13   90%      G        A, B
 2   Sewer Maintenance                      01/11/13   01/15/13   90%      G        A, B
 3   Traffic - Proposed Change              01/24/13   –          0%       G        A, B
 4   Fleet Maintenance - VMF                02/07/13   –          0%       G        A, B
 5   Street Maintenance - Proposed Change   02/21/13   –          0%       G        A, B
 6   Design                                 03/07/13   –          0%       G        A, B
 7   Facilities                             03/21/13   –          0%       G        A, B
 8   Construction                           04/04/13   –          0%       G        A, B
 9   UAT                                    04/24/13   –          0%       G        A, B
10   Closure                                05/08/13   –          0%       G        A, B
11   End                                    06/13/13   –          0%       G        A, B
Major Risks / Issues: Mitigation / Action:
A R - Dependent upon a Primary Webmaster. Priorities and unplanned events
B R - Departmental (Client) Readiness
DOT.Comm December 2012 Training
(Areas that we focused on in December)
Business Intelligence: Webfocus
Project Management
Desktop Support
Server Support
Service Desk
January 16, 2013 Resolved by the Douglas-Omaha Technology Commission (DOT.Comm):
WHEREAS, DOT.Comm provides group health insurance benefits to its full-time employees; and
WHEREAS, the current contract with Coventry Healthcare to which DOT.Comm is subject shall expire December 31, 2012; and
WHEREAS, the 2013 monthly premiums, guaranteed for a 12 month period, are:
Employee: $497.42
Employee + Spouse: $1,082.10
Employee + Child(ren): $928.35
Family: $1,542.87
WHEREAS, DOT.Comm recommends Coventry as the service provider; and
WHEREAS, the CIO requests approval to ratify his signature to the revised
contract with Coventry providing group health insurance from January 1, 2013 to December 31, 2013; and
NOW THEREFORE, BE IT FURTHER RESOLVED, that the signature of the
CIO of DOT.Comm on the attached contract between Coventry Healthcare and DOT.Comm for the term January 1, 2013 to December 31, 2013 is hereby ratified.
APPROVED 1/16/2013
Deb Sander, Acting Chair, DOT.Comm Oversight Committee
IT Oversight Committee Policy
Enterprise IT Security –
Internal/External Network
Vulnerability Scanning Policy
Owner: Service Owner, DOT.Comm IT Security
Effective Date: 1/16/2013
Review Schedule: Annual
Last Review Date: 12/26/2012
Last Revision Date: 12/18/2012
Approved by: City/County IT Oversight Committee
Purpose:
This policy grants authorization to appropriate members of DOT.Comm technical teams and its
authorized vendors to conduct internal and external vulnerability assessments on a regularly
scheduled basis and as deemed necessary by that same staff for reasons not limited to: audits,
security assessments, network hardening, remediation checking, and penetration testing.
This document contains IT terminology; a short glossary has been included in Appendix A.
Scope:
This policy applies to all equipment attached to the Enterprise Network: personal computers,
servers, routers, switches, printers, wireless “smart” devices, and all other network-connected
equipment. This includes equipment (irrespective of ownership) attached to the network via:
• Internal wired and wireless networks
• External networks and DMZ
• Virtual Private Network (VPN)
• Any other connection
Policy:
1. Vulnerability scanning will only be performed by designated employees and designated
vendors.
2. Vulnerability scanning may be scheduled or ad hoc.
3. Penetration Testing may be intrusive and will only be performed as scheduled and
approved through the Change Management process.
4. The DOT.Comm Network Vulnerability Handling Procedure document will be used in
conjunction with this policy; this procedure defines the steps that will be performed
throughout the vulnerability lifecycle. If an identified system or application with a risk
profile “CVSS Rating” of 9 or 10 is not able to be remediated or risk-accepted, the
system will be removed from the Enterprise Network.
Scheduled Scans
• Monthly Internal vulnerability scanning
• Quarterly External vulnerability scanning
Ad hoc Scans
• Adding new equipment to the data center or Enterprise network (As needed)
• Validating remediation steps
• Testing high-risk or questionable systems
• Testing against newly found security vulnerabilities
Penetration Testing
Needs for penetration testing may include:
• Server and network hardening
• Regular or ad hoc testing of critical or private systems
• Audit requirements
Enforcement:
Any scanning performed by unauthorized personnel may be interpreted to be malicious and
action will be taken to enforce appropriate use policies and appropriate security policies
according to respective organizational policies, including, but not limited to:
• City of Omaha: City Personnel Policy #32 – Computer and Network Use – Employee
Rights and Privileges
• Douglas County Civil Service Commission – Personnel Policy Manual – Article 21:
Internet, Computer, and Software Usage
• DOT.Comm – Computer and Network Use Policy
• IT Oversight Committee Security Policies
Appendix A: IT Terminology Definitions
Demilitarized Zone / DMZ (NIST Glossary)
A host or network segment inserted as a “neutral zone” between an organization’s
private network and the Internet.
Penetration Testing (NIST Glossary)
Security testing in which evaluators mimic real-world attacks in an attempt to identify
ways to circumvent the security features of an application, system, or network.
Penetration testing often involves issuing real attacks on real systems and data, using the
same tools and techniques used by actual attackers. Most penetration tests involve
looking for combinations of vulnerabilities on a single system or multiple systems that
can be used to gain more access than could be achieved through a single vulnerability.
Common Vulnerability Scoring System / CVSS (NIST VND)
The Common Vulnerability Scoring System (CVSS) provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities. Its quantitative
model ensures repeatable accurate measurement while enabling users to see the
underlying vulnerability characteristics that were used to generate the scores. Thus,
CVSS is well suited as a standard measurement system for industries, organizations, and
governments that need accurate and consistent vulnerability impact scores. Two common
uses of CVSS are prioritization of vulnerability remediation activities and in calculating
the severity of vulnerabilities discovered on one's systems. The National Vulnerability
Database (NVD) provides CVSS scores for almost all known vulnerabilities.
Revision History:
January 16, 2013 – Adopted
IT Oversight Committee Policy
Enterprise IT Security –
Network Password Policy
Owner: Service Owner, DOT.Comm IT Security
Effective Date: 4/8/2013
Review Schedule: Annual
Last Review Date: 1/2/2013
Last Revision Date: 1/2/2013
Approved by: City/County IT Oversight Committee
Purpose:
Establish an enterprise network password standard enforced through Active Directory software for the use of complex passwords, frequency of change, and the protection of those passwords. The Active Directory account (network login) is the gateway to the Enterprise Network through Windows logon, VPN, and Wireless access. The intent is to increase the security of our enterprise systems and create a centralized document to establish password standards following the SANS (System Administration, Network, and Security) Institute best practice.
Scope:
Passwords administered through Active Directory (network passwords).
Policy:
Password Complexity
• Password must contain at least three of the four following character classes:
o Lower case characters
o Upper case characters
o Numbers
o Other characters (e.g. @#$%^&*()_+|~-=`{}[]:";'<>/ etc)
• Password must contain at least eight characters
• Password must not be the same as any of the last ten passwords
Password Change Frequency
• Password must be changed at least every 90 days, can be changed more frequently if desired
o Two weeks prior to password expiration, the user will be prompted to change the password at network login.
o When the password has expired, the account will be locked.
o If the account needs to be unlocked, it will require a call to the DOT.Comm Service Desk
Password Protection
• Account will be locked after 5 failed login attempts
o Account will automatically unlock after 30 minutes
o If unable to wait 30 minutes, the account will have to be manually unlocked through the DOT.Comm Service Desk
• Do not share passwords with anyone
o All passwords are to be treated as sensitive, confidential information
• Passwords should never be written down
• Do not reveal a password in email, chat, or other electronic communication
• If someone demands a password, refer them to this document.
• If an account or password compromise is suspected, report the incident to the DOT.Comm Service Desk
For more tips on how to make a harder-to-guess password, please refer to Appendix A: Strong Password Creation Tips
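The rules above are enforced by Active Directory; the following is an added Python model of them (it is not DOT.Comm's code and does not reproduce how Active Directory stores or checks passwords). The numeric thresholds are the policy's: three of four character classes, eight characters, no reuse of the last ten passwords, 90-day expiry with a two-week warning, and a lockout after five failed attempts that clears after 30 minutes. The salted PBKDF2 history, the dictionary layout of an account and the sample timeline are assumptions made for the example.

```python
"""Added example (not DOT.Comm's code, not Active Directory's storage format):
a Python model of the rules stated in this policy. The numeric constants are
the policy's; the hashing, data layout and sample timeline are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8
MIN_CLASSES = 3                        # of four: lower, upper, digit, other
HISTORY_DEPTH = 10
MAX_AGE = timedelta(days=90)
WARN_BEFORE = timedelta(days=14)       # "two weeks prior to expiration"
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=30)
PBKDF2_ROUNDS = 20_000                 # kept modest so the demo runs quickly
SAMPLE_START = datetime(2013, 1, 16, 14, 30)   # constructed timeline origin

def character_classes(password):
    """Set of classes present: 'lower', 'upper', 'digit', 'other'."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes

def complexity_problems(password):
    """Complexity rules the candidate breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    return problems

def _matches(password, salt, digest):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)

def change_password(account, new_password, now):
    """Complexity + history check; on success store a new salted hash.
    Returns the list of violations (empty when the change was accepted)."""
    problems = complexity_problems(new_password)
    if any(_matches(new_password, s, d) for s, d in account["history"]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
    account["history"] = (account["history"] + [(salt, digest)])[-HISTORY_DEPTH:]
    account["changed_at"], account["failed"] = now, 0
    return []

def new_account(username, password, now):
    account = {"username": username, "history": [], "changed_at": now,
               "failed": 0, "locked_until": None}
    problems = change_password(account, password, now)
    if problems:
        raise ValueError(f"{username}: {'; '.join(problems)}")
    return account

def expiry_state(account, now):
    """'ok', 'warn' (prompt at logon, within two weeks of expiry) or 'expired'."""
    age = now - account["changed_at"]
    if age >= MAX_AGE:
        return "expired"
    return "warn" if age >= MAX_AGE - WARN_BEFORE else "ok"

def attempt_login(account, password, now):
    """Lockout rule: returns 'locked', 'failed', 'expired' or 'ok'."""
    if account["locked_until"] is not None:
        if now < account["locked_until"]:
            return "locked"
        account["locked_until"], account["failed"] = None, 0   # auto-unlock after 30 min
    salt, digest = account["history"][-1]      # newest entry is the current password
    if not _matches(password, salt, digest):
        account["failed"] += 1
        if account["failed"] >= LOCKOUT_THRESHOLD:
            account["locked_until"] = now + LOCKOUT_DURATION
            return "locked"
        return "failed"
    account["failed"] = 0
    # An expired password locks the account until the Service Desk unlocks it.
    return "expired" if expiry_state(account, now) == "expired" else "ok"

if __name__ == "__main__":
    acct = new_account("jdoe", "TmB1w2R!", SAMPLE_START)   # the policy's own sample, not for real use
    print(change_password(acct, "TmB1w2R!", SAMPLE_START))  # reuse refused
    print([attempt_login(acct, "guess", SAMPLE_START) for _ in range(5)])  # fifth is 'locked'
    print(attempt_login(acct, "TmB1w2R!", SAMPLE_START + LOCKOUT_DURATION))  # 'ok'
    print(expiry_state(acct, SAMPLE_START + timedelta(days=80)))  # 'warn'
```

The history check compares against stored salted hashes rather than keeping old passwords in clear, which is the one place the model deliberately goes beyond the policy text: "treated as sensitive, confidential information" applies to the history store as much as to the live password.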
Exception Process:
Any requests for exception to this policy can be sent to your IT coordinator.
Enforcement:
An employee violating this policy may be subject to disciplinary action according to respective organizational policies, including, but not limited to:
• City of Omaha: City Personnel Policy #32 – Computer and Network Use – Employee Rights and Privileges
• Douglas County Civil Service Commission – Personnel Policy Manual – Article 21: Internet, Computer, and Software Usage
• DOT.Comm – Computer and Network Use Policy
• IT Oversight Committee Security Policies
Revision History:
January 16, 2013 – Adopted
Appendix A: Strong Password Creation Tips
Try to create stronger passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. (NOTE: Do not use either of these examples as passwords!)
• Always decline the use of the "Remember Password" feature of applications (e.g., Firefox, Eudora, Outlook, Netscape Messenger).
• Always use different passwords for work accounts from other non-work access (e.g., personal ISP account, option trading, benefits, etc.).
• Always use different passwords for various work access needs whenever possible. For example, select one password for systems that use directory services (i.e. LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.
Weak passwords have the following characteristics:
• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
o Names of family, pets, friends, co-workers, fantasy characters, etc.
o Computer terms and names, commands, sites, companies, hardware, software.
o Birthdays and other personal information such as addresses and phone numbers.
o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o Any of the above spelled backwards.
o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
DOT.Comm Procedure
DOT.Comm IT Security –
Internal/External Network
Vulnerability Handling Procedure
Owner: Service Owner, DOT.Comm IT Security
Effective Date: 1/16/2012
Review Schedule: Annual
Last Review Date: 12/26/2012
Last Revision Date: 12/18/2012
Approved by: DOT.Comm CIO / City and County IT Coordinators
Purpose:
This document puts in place accountabilities and defines the process for internal and external
vulnerability scanning, remediation of identified risks and exception handling in order to
increase the security and integrity of enterprise systems, and promote risk awareness.
The intent of this document is to:
1. Outline the active vulnerability lifecycle: identification, prioritization, remediation and
exception handling
2. Identify roles and responsibilities
Scope:
This DOT.Comm procedure defines the steps of the active vulnerability lifecycle. Authorization
to perform this work is defined in the Network Vulnerability Scanning Policy, which is an
Enterprise (IT Oversight Committee) policy.
Systems or applications that are malicious or causing outages on the Enterprise Network will be
handled with greater urgency and will be classified as Priority 1 or Priority 2 incidents. These
time-critical incidents, which are not in scope for this policy, will be addressed by the
DOT.Comm Service Desk.
Procedure:
Identification of Vulnerabilities
1. Initiate vulnerability scan
2. Create preliminary list of vulnerabilities
3. Identify and remove false positives, cleanup raw data, and update existing Vulnerability
Tracking Spreadsheet (VTS)
Prioritization and Assignment of Identified Vulnerabilities
1. Prioritize scan results by CVSS score
2. Review vulnerabilities with impacted technical teams, service owners, or business
process owners to perform further false positive removal and evaluate business impact
3. Assign remediation task through Service Desk (ticketing) software to responsible teams.
Service requests will be placed with the following priorities:
a. CVSS High 9.0 to 10.0 – Priority 2/3 Service Request (based on risk assessment)
b. CVSS High 7.0 to 8.9 – Priority 4 Service Request
c. CVSS Medium 4.0 to 6.9 – Priority 5 Service Request
d. CVSS Low 0 to 3.9 – Noted on master list, no ticket created
4. Review VTS monthly with the IT Security Stakeholders from DOT.Comm, City, and
County
Remediation
1. Service Owner determines and implements remediation effort which may include:
a. Modify or patch operating system or application
b. Replace current application with compliant application version
c. Move the application to different hardware or platform
d. Other mitigation efforts to reduce risk
e. Remove system or application from Enterprise Network
2. Use IT Change Management Process to implement remediation
3. Request re-scan to ensure remediation efforts have removed or minimized vulnerabilities
All requests for additional resources or funding will be escalated through the Manager of IT
Security.
Exception Handling
If a system or application has an identified vulnerability and cannot be remediated through best
efforts, one of the following remediation actions will be implemented:
1. Add identified system or application to the vulnerability exception list
• The respective service owner / business process owner, IT Coordinators, and the
DOT.Comm CIO must all agree
• The vulnerability exception list is maintained by the Manager of IT Security and
includes the following attributes: vulnerability name, date identified, list of
systems affected, risk description, expiration date, and tracking notes
• The exception list will be reviewed with IT Coordinators and the DOT.Comm
CIO on a monthly basis
2. Removal of a system or application from the network
• If the addition to the vulnerability exception list is not agreed to by the respective
service owner / business process owner, IT Coordinators, and the DOT.Comm
CIO then the system or application must be removed from the network. A
recommendation will be made to the IT Oversight Committee
• The IT Oversight Committee approves the removal of the application or system
from the network or accepts the risk of the vulnerability
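The Prioritization step and the Exception Handling section above together define a small decision procedure: a CVSS score band decides the Service Request priority, and an unremediated finding ends either on an approved, dated exception list or off the network. The following Python block is an added example of that procedure, not DOT.Comm's tooling (the real work happens in the Service Desk software and the Vulnerability Tracking Spreadsheet). The score bands, priorities, the three required approvers, the exception-list attributes and the removal rule for unremediated CVSS 9-10 findings come from this procedure and the scanning policy; the finding names, hosts and dates are constructed sample data.

```python
"""Added example (not DOT.Comm's code): the CVSS-to-priority mapping from the
Prioritization step and the exception-list rules from Exception Handling.
Score bands, priorities, approver set and list attributes follow the procedure;
the findings, hosts and dates below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Finding:
    name: str
    host: str
    cvss: float
    false_positive: bool = False   # set during step-2 review with the technical team
    high_risk: bool = True         # step-2 risk assessment; decides P2 vs P3 for 9.0+


def ticket_priority(cvss, high_risk=True):
    """Service Request priority for a CVSS score; None means 'noted on the
    master list, no ticket created' (the Low band, 0 to 3.9)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return 2 if high_risk else 3   # Priority 2/3 based on risk assessment
    if cvss >= 7.0:
        return 4
    if cvss >= 4.0:
        return 5
    return None


def triage(findings):
    """Steps 1-3: drop false positives, order by score, assign ticket priorities.
    Returns (tickets, master_list); each ticket is (priority, name, host)."""
    kept = sorted((f for f in findings if not f.false_positive),
                  key=lambda f: f.cvss, reverse=True)
    tickets = []
    for f in kept:
        prio = ticket_priority(f.cvss, f.high_risk)
        if prio is not None:
            tickets.append((prio, f.name, f.host))
    return tickets, kept


REQUIRED_APPROVERS = frozenset({"service_owner", "it_coordinators", "cio"})


@dataclass
class ExceptionEntry:
    """One row of the vulnerability exception list, with the attributes the
    procedure names; approved_by is an assumption used to record sign-off."""
    vulnerability_name: str
    date_identified: date
    systems_affected: list
    risk_description: str
    expiration_date: date
    tracking_notes: str = ""
    approved_by: set = field(default_factory=set)


def exception_status(entry, today):
    """'active', 'expired', or 'not approved' (a sign-off is missing)."""
    if not REQUIRED_APPROVERS <= entry.approved_by:
        return "not approved"
    if today > entry.expiration_date:
        return "expired"
    return "active"


def monthly_review(exceptions, today):
    """The monthly review with IT Coordinators and the CIO: status per entry."""
    return {e.vulnerability_name: exception_status(e, today) for e in exceptions}


def unremediated_disposition(finding, exceptions, today):
    """Outcome for a finding that best-effort remediation could not fix."""
    covered = any(e.vulnerability_name == finding.name
                  and finding.host in e.systems_affected
                  and exception_status(e, today) == "active"
                  for e in exceptions)
    if covered:
        return "risk accepted (exception active)"
    if finding.cvss >= 9.0:   # scanning policy: CVSS 9-10, not remediated or risk-accepted
        return "remove from Enterprise Network"
    return "refer to IT Oversight Committee: remove or accept risk"


# Constructed sample data for the demo and tests (not real findings or hosts).
SAMPLE_FINDINGS = [
    Finding("example-rce", "web01.example", 9.8),
    Finding("example-weak-cipher", "web01.example", 5.0),
    Finding("example-false-alarm", "db01.example", 7.5, false_positive=True),
    Finding("example-banner-leak", "db01.example", 2.1),
]
SAMPLE_EXCEPTION = ExceptionEntry(
    "example-rce", date(2013, 1, 20), ["web01.example"],
    "vendor patch not yet available; host isolated by firewall rule",
    date(2013, 6, 30), approved_by={"service_owner", "it_coordinators", "cio"})
SAMPLE_REVIEW_DATE = date(2013, 2, 20)
SAMPLE_LATE_DATE = date(2013, 7, 1)

if __name__ == "__main__":
    tickets, master = triage(SAMPLE_FINDINGS)
    print(tickets)                    # P2 and P5 tickets; the Low finding is on the master list only
    print(monthly_review([SAMPLE_EXCEPTION], SAMPLE_LATE_DATE))   # expired entry surfaces at review
    print(unremediated_disposition(SAMPLE_FINDINGS[0], [], SAMPLE_REVIEW_DATE))
```

Two details worth keeping when adapting this: an exception stays "active" only while all three sign-offs are present and the expiration date has not passed, so an entry that quietly expires reverts the finding to the removal path at the next monthly review; and a false positive removed in step 2 never reaches the ticket queue or the master list, which keeps the VTS aligned with what was actually confirmed.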
A flow chart of this process is included in Appendix A.
Roles and Responsibilities
Manager of IT Security (DOT.Comm)
• Responsible to identify and resolve system and application vulnerabilities
• Vendor manager of external scanning providers
• Network Vulnerability Process Owner
IT Service Owner
• Responsible for determining the appropriate action needed to address a vulnerability
• Utilizes the IT Change Management process during remediation
• Informs the Manager of IT Security of changes in risk status
CIO / Service and/or Business Process Owner / IT Coordinators
• Makes executive exception handling decisions, including acceptance of risk