Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of...

26
Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 5:15 To join by teleconference: 1-888-585-9008 Conference room #: 253-282-019 Naples Grand Resort Orchid Ballroom I. Welcome Judge Scott Stephens, Chair a. Roll call II. Cybersecurity Breaches Judge Stephens III. Cyber-Review Subgroup Update Robert Adelardi a. Draft Cybersecurity Framework b. Cybersecurity Policy Template c. Draft Cybersecurity Policies i. Password Policy ii. Incident Reporting Policy iii. User Awareness Training Policy IV. Cybersecurity Subcommittee Judge Stephens a. Security Technical Standards Review Subgroup b. Cybersecurity Education & Awareness Subgroup Next FCTC meeting: November 14-15, 2019 Orlando Omni ChampionsGate

Transcript of Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of...

Page 1: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Cybersecurity Subcommittee August 2019 Page 1 of 1

Cybersecurity Subcommittee Meeting Agenda

August 8, 2019

4:15 – 5:15

To join by teleconference: 1-888-585-9008 Conference room #: 253-282-019

Naples Grand Resort

Orchid Ballroom

I. Welcome – Judge Scott Stephens, Chair

a. Roll call

II. Cybersecurity Breaches – Judge Stephens

III. Cyber-Review Subgroup Update – Robert Adelardia. Draft Cybersecurity Framework

b. Cybersecurity Policy Template

c. Draft Cybersecurity Policies

i. Password Policy

ii. Incident Reporting Policy

iii. User Awareness Training Policy

IV. Cybersecurity Subcommittee – Judge Stephens

a. Security Technical Standards Review Subgroup

b. Cybersecurity Education & Awareness Subgroup

Next FCTC meeting: November 14-15, 2019 Orlando Omni ChampionsGate

Page 2: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Agenda Item III a.

Draft Cybersecurity Framework

Page 3: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Cybersecurity Framework Florida Courts

VERSION 1.0

DATE August 5, 2019

Page 4: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Cybersecurity Framework Florida Courts

i

Table of Contents

1.0 Introduction ...................................................................................................................................... 1

2.1 Florida Courts Cybersecurity Framework

2.2 Scope .................................................................................................................................... 1

2.3 Organizational Characteristics ............................................................................................. 2

2.4 Documentation Structure ..................................................................................................... 2

4.0 Information Security Controls .......................................................................................................... 4

5.0 Using the Framework ....................................................................................................................... 4

6.0 Recommended Controls for Florida Courts ...................................................................................... 6

Page 5: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

3

1.0 INTRODUCTION

The purpose of this document is to provide a framework that acts as a reference for the Florida

Courts to assist them with establishing local policies, technical solutions and procedures based

upon the recommendations of the Florida Courts Technology Committee (FCTC) Cybersecurity

Workgroup. The framework was developed to establish a basic security approach at the branch

level, with the intent is to encourage Florida Courts to develop security policies, implement

technical solutions, or introduce processes appropriate to their court’s unique requirements. It is

intended to be used as a guide of what should be done.

2.0 FLORIDA COURTS CYBERSECURITY FRAMEWORK

2.1 SCOPE

The Florida Courts Cybersecurity Framework (FCCF) has been developed for the

establishment of a standard security approach within the Judicial Branch of Florida. In

order to produce the framework, input was solicited from state and circuit courts so that a

comprehensive framework could be developed that is suitable to all entities within the

judicial branch. The framework is designed to set a direction, identify and address areas of

concern expressed by entities within the judicial branch, and to document policies, technical

solutions and practices that can assist judicial branch entities with their cybersecurity

concerns.

The goals of the framework are:

• To recommend an overall information security policy, governance and compliance

model for the judicial branch to leverage in building their security programs including

roles, responsibilities, and major activities.

• To provide a holistic information security framework that the judicial branch entities can

leverage in creating local policies.

• To provide guidance to all members of the judicial branch on the proper handling of

sensitive information.

• To provide a basis for security training and educational awareness programs

developed by judicial branch entities.

Page 6: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

4

2.2 ORGANIZATIONAL CHARACTERISTICS

The framework establishes how information is to be handled and secured within individual

judicial branch entities, how it is exchanged between the judicial branch and local and state

justice partners and with the public. Therefore, security controls (administrative and

technical) related to access management are of importance.

2.3 DOCUMENTATION STRUCTURE

An information security program is supported by a collection of documentation capturing

differing levels of detail while maintaining consistent guidance for all participants. The

information security program will consist of the following categories of documents:

• Organizational Policy – Expresses management’s expectations with regard to security

and data protection. Generally limited to identification of base principles, roles and

responsibilities, and the security framework. This framework provides the organizational

policy for individual judicial branch entities.

• Implementing Policy – Further refines management’s expectations; usually issued by a

subordinate business or organizational unit for the purpose of interpreting the

organizational policy to local entity practices. These policies will be developed as

needed by the local entity.

• Standards – Identify specific hardware and software functionality whose use has been

determined to be in support of policy. Standards may be established by local entities as

needed to support policy objectives but should not be lesser than those identified within

the policies provided.

• Procedures – Support standards and policy by providing step-by-step instructions for

the execution of a security process. Judicial branch entities will develop and document

procedures to ensure the quality and repeatability of security processes.

• Guidelines – Provide recommendations which can be used when other guidance has not

been established. Guidelines are usually created at lower operational levels such as

departments to address immediate needs until consensus is reached on broader direction.

Page 7: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

5

4.1 INFORMATION SECURITY CONTROLS

Information is one of the core, mission-critical components supporting the judicial process. The

custodians of relevant judicial information typically comprise multiple participating agencies in a

given jurisdiction. To secure information and information systems, adequate and effective security

controls must be put in place to mitigate potential risk or loss due to:

• Intentional acts by third-parties inside or outside the organization.

• Inappropriate access by individuals or groups untrained in correct local policies or procedures.

• Accidental loss of a portable device containing confidential information.

• Accidents, natural disasters, or other force majeure.

5.1 USING THE FRAMEWORK

The FCCF developed by the FCTC Cybersecurity Workgroup is a model that courts can leverage

to enhance their security posture. The framework is designed to be modular so that courts can refer

only to the sections that are relevant to them.

A local court can utilize the framework in the following manner:

1. Review this document and determine which of the recommended controls for Florida

Courts listed in the next section are relevant to the court’s business environment.

2. If the local court has a policy for a recommended control, they should compare it to the policy

examples provided by the FCCF to determine if standards are met. If the local court does not

have a policy, they can utilize the example provided by the FCCF and modify accordingly.

3. The local court identifies options for implementing the policy.

4. The local court determines if resources exist to implement the local policy.

If a court does not have the necessary resources to implement the local policy, steps 1-3 are still

useful for documenting a roadmap and plan for when resources become available.

Page 8: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

6

Here is an example of how the framework could be used:

Domain: Access Control for Mobile Devices

Recommendation

Source of

Recommendation

Step 1:

Determine relevant control Establish mobile device security policy

Framework

Step 2:

Set local policy according to

standards

▪ Mobile devices must enforce a lock screen

PIN.

▪ Only email and calendar synchronization

allowed.

▪ Direct access to court network and other

court applications prohibited.

Local court

Step 3:

Identify implementation

options

Option 1: Court IT configures court mobile

devices per policy

Option 2: Software and configuration settings

downloaded by end-user

Option 3: Mobile device management software

manages device remotely

Local court

Step 4:

Determine available

resources

No resources available to implement at this

time.

Local court

Page 9: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

7

6.1 RECOMMENDED CONTROLS FOR FLORIDA COURTS

The following chart summarizes the sections of the FCCF that are most relevant to the Florida

courts. Courts are encouraged to review the entire framework to determine if other sections could

apply to their local business environment.

Each section has been categorized to indicate the primary focus for each section:

• Process – this item generally involves the implementation of a business process if one does

not already exist

• Policy – this item generally involves the creation of a policy if one does not already exist

• Technical – this item generally involves the implementation or configuration of technology

Some sections may involve multiple categories of activity. In those cases, the section has been

categorized based upon the primary focus for that area.

When creating a set of local IT policies, courts can decide if they prefer a single document that

contains all the selected sections relevant to their local environment or if they prefer to publish

individual policy documents for a particular section or group of sections. Individual documents

may make it easier to update a section without the need to republish the entire policy document

while a single document can used as an all-inclusive publication.

FCCF Section Title Summary Category Function

Access Control

1.1 Password Policy Document a password policy Policy Protect

Awareness and Training

2.1 Awareness and

Training Policy

Document an awareness and training

policy

Policy Protect

Response Planning

3.1 Incident Reporting

Policy

Document an incident reporting policy Policy Respond

Page 10: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Agenda Item III b.

Draft Cybersecurity Policy Template

Page 11: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

LOGO Policy Name

Policy Number ► 1

CONFIDENTIAL

Policy Number

INFORMATION SECURITY POLICY

Policy Name

Revised: Date

I. Introduction

a. Purpose

b. Applicability

c. Definitions

TERM DEFINITION

Page 12: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

LOGO Policy Name Policy Name

Policy Number ► 2

CONFIDENTIAL

II. Policy

a. Policy Statement

b. Procedure or Standard

III. Exceptions

IV. Enforcement

V. References

VI. Revisions

DATE DESCRIPTION

VII. Approval

___________________________

Name Trial Court Administrator XXX Judicial Circuit of Florida

* * *

Page 13: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Agenda Item III. c.

Draft Password Policy

Page 14: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►1.1CONFIDENTIAL 1

Policy Number

INFORMATION SECURITY POLICY

Password Policy

Version 1.0 Revised: 08/05/19

I. Introduction A solid password policy is perhaps the most important security control a Court System can employ. In today’s climate it is more important than ever to have a strong password on accounts and devices, to change it regularly, and not sharing with anyone.

a. PurposeThe purpose of this policy is to specify guidelines for use of passwords.

b. ApplicabilityThis document is part of the Court System’s cohesive set of securitypolicies. Other policies may apply to the topics covered in this documentand as such the applicable policies should be reviewed as needed.

c. Definitions

TERM DEFINITION

Authentication

Password

Two Factor Authentication

Brute Force

CTO

A security method used to verify the identity of a user and authorize access to a system or network.

A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.

A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password.

Programmatic “guessing” of passwords.

Court Technology Officer

Page 15: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►1.1

CONFIDENTIAL 2

II. Policy

a. Policy StatementPasswords are an important aspect of computer security. They are the frontline of protection for user accounts. A poorly chosen password may result in acompromise of a Court System’s entire network. As such, employees(including contractors and vendors with access to systems) are responsiblefor taking the appropriate steps, as outlined below, to select and secure theirpassword.

b. Procedure or Standard

• Passwords should be at least 8 characters;

• Passwords should be comprised of a mix of letters, numbers and specialcharacters (punctuation marks and symbols);

• Passwords should be comprised of a mix of upper and lower case;

• Passwords should not be comprised of, or otherwise utilize, words that canbe found in a dictionary;

• Passwords should not be comprised of an obvious keyboard sequence (i.e.,qwerty);

• Passwords should not include "guessable" data such as personalinformation about yourself, your spouse, your pet, your children, birthdays,addresses, phone numbers, locations, etc.;

• Users must not disclose their passwords to anyone;

• Users must not share their passwords with others (co-workers, supervisors,family, etc.);

• Users must not write down their passwords;

• Users must not check the "save password" box when authenticating toapplications;

• Users must not use the same password for different systems and/oraccounts-Passwords must be unique for all court systems;

• Users must not send passwords via email;

• Users must not re-use passwords;

• In order to maintain good security, passwords should be periodicallychanged. This limits the damage an attacker can do as well as helps tofrustrate brute force attempts. At a minimum, users must changepasswords every 90 days. The System Administrator/PasswordAdministrator may use software that enforces this policy by expiring users'passwords after this time period.

c. Incident ReportingIt is the user’s responsibility to immediately report any suspicious activityinvolving his or her passwords to the System Administrator, Security Officer,or Agency designee. Any request for passwords over the phone or email,whether the request came from organization personnel or not, should beexpediently reported. When a password is suspected to have been

Page 16: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►1.1

CONFIDENTIAL 3

compromised they will request that the user, or users, change all his or her applicable passwords.

III. ExceptionsException to this policy are to be submitted to Helpdesk, System Administrator,Security Officer, or Agency Designee for evaluation.

IV. EnforcementThis policy will be enforced by the System Administrator, Security Officer, orAgency designee. Violations may result in disciplinary action, which may includesuspension, restriction of access, or more severe penalties up to and includingtermination of employment. Where illegal activities or theft of company property(physical or intellectual) are suspected, the Court System may report suchactivities to the applicable authorities.

V. References

VI. RevisionsDATE DESCRIPTION 7/29/19 Original Draft

VII. Approval

___________________________

Name Trial Court Administrator XXX Judicial Circuit of Florida

* * *

Page 17: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Agenda Item III c.

Draft Incident Reporting Policy

Page 18: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►31CONFIDENTIAL 1

Policy Number

INFORMATION SECURITY POLICY

Incident Response/Reporting

Version: 1.0 Revised: 08/05/19

I. Introduction

a. PurposeThis policy is intended to ensure that the Court System is prepared if a securityincident were to occur. It details exactly what must occur if an incident issuspected, covering both electronic and physical security incidents. Note thatthis policy is not intended to provide a substitute for legal advice and approachesthe topic from a security practices perspective.

b. Applicability All Departments

c. Definitions

TERM DEFINITION

Security

Incident

The term “incident" refers to any attempted or successful

unauthorized access, use, disclosure, modification, or

destruction of information or interference with system

operations t h a t have an adverse effect on the

confidentiality, integrity, or availability of the technology

infrastructure, or electronic information. Examples

include, but are not limited to:

• Unauthorized access or disclosure of an

individual's personal information (PI), including

Protected Health Information;

• Loss of confidential information (data theft);• Compromise of information integrity (damage to data

or unauthorized modification);• Theft of physical IT assets, including computers,

storage devices, printers, VPN's, smart phones,

etc.;

• Damage to physical IT assets, including computers, storage devices, printers, etc.;

• Unwanted disruption in or denial of service• Misuse of services, information, or assets;• Infection of systems by unauthorized or hostile

software;• An attempt at unauthorized access;• Unauthorized use of a system for the processing or

storage of data;

Page 19: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►3.1

CONFIDENTIAL 2

Encryption

Malware

Mobile Device

PDA

Smartphone

Trojan

Virus

WEP

WPA

• Unauthorized changes to organization's hardware,software, or configuration.

The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.

Short for "malicious software." A software application designed with malicious intent. Viruses and Trojans are common examples of malware.

A portable device that can be used for certain applications and data storage. Examples are Laptops, Tablets, PDAs, or Smartphones.

Stands for Personal Digital Assistant. A portable device that stores and organizes personal information, such as contact information, calendar, and notes.

A mobile telephone that offers additional applications, such as PDA functions and email.

Also called a "Trojan Horse." An application that is disguised as something innocuous or legitimate but harbors a malicious payload. Trojans can be used to covertly and remotely gain access to a computer, log keystrokes, or perform other malicious or destructive acts.

Also called a "Computer Virus." A replicating application that attaches itself to other data, infecting files similar to how a virus infects cells. Viruses can be spread through email or via network-connected computers and file systems.

Stands for Wired Equivalency Privacy. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. WEP can be cryptographically broken with relative ease.

Stands for WiFi Protected Access. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. Newer and considered more secure than WEP.

Page 20: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number► 3.1

CONFIDENTIAL 3

II. Policy

a. Policy StatementThis policy is pursuant to and in accordance with the following Federal, State,and law enforcement agency regulations and guidelines for responding toand reporting electronic data security incidents related to the Court System’selectronic data security: In the case of an electronic data security incident,this policy will be utilized to establish reasonable measures to protect thesecurity, confidentiality and integrity of protected data and data systems onthe Court System’s infrastructure during the entire life cycle of an incident.All reported incidents will be investigated and fully documented. A securityincident, as it relates to the Court System's information assets, can take one oftwo forms. For the purposes of this policy a security incident is defined as oneof the following:

Electronic: This type of incident can range from an attacker or user accessing the network for unauthorized/malicious purposes, to a virus outbreak, to a suspected Trojan or malware infection.

Physical: A physical IT security incident involves the loss or theft of a laptop, mobile device, PDA/Smartphone, portable storage device, or other digital apparatus that may contain Court System information.

b. Procedure or Standard

1. Electronic IncidentsWhen an electronic incident is suspected, the Court System's goal is torecover as quickly as possible, limit the damage done, secure the networkdata, and digital resources, and preserve evidence of the incident. Thefollowing steps should be taken in order:

1) If a suspected incident occurs, contact the Helpdesk immediately;2) Remove the compromised device from the network by unplugging or

disabling network connection. Do not power down the machine;3) Disable the compromised account(s) as appropriate;4) Report the incident to the Helpdesk, System Administrator, Security

Officer, or Agency Designee;5) Physically secure the compromised system;6) Depending of severity and/or breadth of incident, contact the

CIO/CTO/Court Administrator and report. If prosecution of the incident isdesired, chain-of-custody and preservation of evidence are critical;

7) Create a detailed event log documenting each step taken during thisprocess;

Page 21: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►3.1

CONFIDENTIAL 4

8) Determine how the attacker gained access and disable this access;9) Rebuild the system using new hardware;10) Restore any needed data from the last known good backup and put the

system back online;11) Take actions, as possible, to ensure that the vulnerability (or similar

vulnerabilities) will not reappear;12) Notify applicable authorities if prosecution is desired and possible based

on the evidence collected;13) Reflect on the incident. What can be learned? How did the Incident

Response team perform? Was the policy adequate? What could bedone differently?;

14) Perform a vulnerability assessment as a way to spot any othervulnerabilities before they can be exploited;

15) Any incidents should be completely and thoroughly documented.

2. Physical IncidentsPhysical security incidents are challenging, since often the only actions thatcan be taken to mitigate the incident must be done in advance. One of thebest ways to prepare is to mandate the use of strong encryption to securedata on mobile devices. Applicable polices, such as those coveringencryption and confidential data, should be reviewed.

Physical security incidents are most likely the result of a random theft of inadvertent loss by a user, but they must be treated as if they were targeted at the Court System.

The Court System must assume that such a loss will occur at some point, and periodically survey a random sampling of laptops and mobile devices to determine the risk if one were to be lost or stolen.

3. Loss ContainedFirst, change any usernames, passwords, account information, WEP/WPAkeys, passphrases, etc., that were stored on the system. Replace the losthardware and restore data from the last backup. Immediately do a bit levelbackup. Notify the applicable authorities if a theft has occurred. Immediatelydo a bit level backup.

4. Data Loss SuspectedFirst, notify the Helpdesk who will contact the CIO/CTO, the CourtAdministrator/Marshal, and/or Administrative Services and DivisionManagers so that each can evaluate and prepare a response in their area.

Change any usernames, passwords, account information, WEP/WPA keys, passphrases, etc., that were stored on the system. Replace the lost hardware and restore data from the last backup. Notify the applicable authorities as needed if a theft has occurred and follow disclosure guidelines

Page 22: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►3.1

CONFIDENTIAL 5

specified in the notification section.

Review procedures to ensure that risk of future incidents is reduced by implementing stronger physical security controls.

5. NotificationIf an electronic or physical security incident is suspected to have resulted inthe loss of court data, immediately notify the Helpdesk, System Administrator,Security Officer, or Agency Designee. If breach warrants notification to thepress, indicate a person who will be the point to handle media.

III. ExceptionsException to this policy are to be submitted to Helpdesk, System Administrator,Security Officer, or Agency Designee for evaluation.

IV. Enforcement

All employees are required to immediately notify their

Supervisor/Manager/Director of any actual or suspected electronic data security

incident. If employees are uncertain whether there has been an incident, they

should still report it to their Supervisor/Manager/Director who will immediately

alert t h e Helpdesk, System Administrator, Security Officer, or Agency Designee

for evaluation.. Justice Partners and Vendors should either contact the Court

System’s Help Desk or primary point of contact within the IT Department to

report a known or suspected incident. If the Court System’s IT Help Desk is

unavailable, the Court System CTO/CIO should be contacted immediately.

V. References

VI. RevisionsDATE DESCRIPTION 7/29/19 Original Draft

VII. Approval

___________________________

Name Trial Court Administrator XXX Judicial Court System of Florida

* * *

Page 23: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Agenda Item III c.

Draft User Awareness Training Policy

Page 24: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►2.1

CONFIDENTIAL 1

Policy Number

INFORMATION SECURITY POLICY

User Security Awareness

Version: 1.0 Revised: 8/05/19

I. Introduction As each staff member has the ability to unknowingly give out their credentials and cause a major security incident organization-wide, security awareness is key to protecting data and informational assets of the Court System. It involves:

• Programs to educate employees

• Promoting Individual responsibility for Court System assets

• Steps to take if compromised

a. Purpose:To promote organization-wide security awareness about individual andexternal entity responsibility for protecting Court System Information and toauthorize and require agreements with individuals and external entities toacknowledge accountability for protecting information when using court dataand assets, email or internet resources.

b. Applicability:All Court System users including employees, vendors, and volunteers whohave been granted access to Court System network, email, and internet.

c. Definitions

TERM DEFINITION

Phishing The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Ransomware A type of malicious software designed to block access to a computer system until a sum of money is paid.

PI (personal information)

Personal data, also known as personal information, personally identifying information (PII), or sensitive personal information (SPI), is any information relating to identifying a person.

Page 25: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►2.1

CONFIDENTIAL 2

II. Policy

• Every Court System shall establish and maintain a formal security awarenessprogram to make all personnel aware of the importance of information security.

• The program shall provide multiple methods of communicating awareness andeducating personnel;

• Personnel must complete security awareness training during new employeeorientation and at least annually thereafter;

• Court Systems should provide a compliant solution to facilitate securityawareness training for all entities;

• Court Systems may authorize employee access accounts be disabled ifsecurity awareness training is not completed in accordance with this policy;

• Personnel that do not complete training in compliance with this policy may besubject to disciplinary action;

• Personnel may incur loss of financial or personal data that could have impactto the employees outside the scope of their employment if they disclose theirusername and password to an unknown third party or malicious actor;

• Staff will be trained on how to identify, report, and prevent securityincidents and data breaches;

• Appropriate security policies, procedures, and manuals are readilyavailable for reference and review;

• Regularly scheduled Phishing tests should be implemented;

• Users sign an acknowledgement stating they have read andunderstand acceptable use requirements regarding computer andinformation security policies and procedures;

• Staff will be provided with sufficient training and supporting referencematerials to allow them to protect data and assets.

a. Policy StatementInformation security awareness is essential to protect Court Systemcomputers, devices, networks, and data resources. Employees shouldreceive regular training on how to properly use and protect the informationtechnology resources entrusted to them. A lack of training may allowunauthorized individuals to gain access to Court System computer and dataresources. Security awareness training policies and procedures shall bedeveloped, documented, disseminated, and updated as necessary to facilitatethe implementation of security awareness requirements.

b. Standard

III. Exceptions:Exception to this policy are to be submitted to CTO, TCA, or Security Committeefor exceptions.

Page 26: Cybersecurity Subcommittee Meeting Agenda€¦ · Cybersecurity Subcommittee August 2019 Page 1 of 1 Cybersecurity Subcommittee Meeting Agenda August 8, 2019 4:15 – 5:15 To join

Version 1.0 Policy Number►2.1

CONFIDENTIAL 3

IV. Enforcement:Violations of this policy could lead to disciplinary measures up to and includingtermination of employment or business relationship.

V. References

VI. RevisionsDATE DESCRIPTION 9/29/19 Original Draft

VII. Approval

___________________________

Name Trial Court Administrator XXX Judicial Court System of Florida

* * *