Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 53 – Server Configuration Policy


49100.4 Policy Directives

  • CDCR (California Department of Corrections and Rehabilitation) / CCHCS / CALPIA (California Prison Industry Authority, formerly PIA) shall:

    • Only create server service accounts when necessary.

    • Use the Principle of Least Privilege (POLP) to limit user access rights to the minimum required.

    • Not use administrative accounts (e.g., root, administrator, O365 Global) when a non-privileged account will suffice.

    • Disable/lock/delete all accounts except those required to provide necessary services.

    • Change the default passwords for all accounts and follow password security best practices outlined in SIMM 5300-A, Org-Defined Standards, (NIST IA-5(1)).

    • Limit access to administrative accounts to only those who have operational need and have been authorized.

    • Ensure service accounts are not members of the Local Administrators or Domain Administrator groups.

    • Authorize and document all administrative (privileged) accounts.

    • Encrypt all passwords and all sensitive and confidential data while in transit. Passwords shall adhere to State Org-Defined Policy. (See SAM (State Administrative Manual) 5350.1, SIMM 5300-B and NIST SP 800-63B, FIPS 140-2).

    • Authenticate users over encrypted protocols.

    • Log all access to the server and services that are protected through access control methods.

    • Establish and implement controls to ensure that service account functions are authorized using service account credentials only.

  • Systems Configuration and Maintenance

    • Servers shall be patched and hardened before attaching them to the network. Security patches shall be installed on the system not less than monthly. If an intelligence source advises of an imminent threat, patches shall be installed according to documented information technology standards.

    • Servers shall be physically secured in locations accessible only to authorized personnel.

    • Only required services shall be enabled or installed on the server. Services that are not required shall be uninstalled or disabled.

    • Regular back-ups of the server shall be completed according to the back-up and retention policy and tested on a periodic schedule.

  • Monitoring

    • The server shall capture and archive critical user, network, system, and security event logs to enable review of system data for forensic and recovery purposes.

    • Security-related events shall be reviewed and investigated. Events include, but are not limited to:

      • Account lockouts

      • Failed user account logins

      • Evidence of unauthorized access to privileged accounts

      • Anomalous occurrences that are not related to specific applications on the server

    • Security incidents shall be handled immediately in accordance with SAM and SIMM and reported to the CDCR / CCHCS / CALPIA Information Security Officer (ISO), the data owners or their designees.