CDC & ATSDR Standard for Individual Access To/From CDC Internal IT Resources

Background:

Information Protection and Systems Security (IPASS) is a fundamental component of providing integrity, confidentiality and appropriate access to electronic data and systems; however, it is not adequate to limit consideration to the boundaries of the existing CDC-Net. Rather, one must consider the movement of information out of and into the CDC-Net domain as well as the granting of access to / from CDC-Net connected devices. The remainder of this document establishes a set of standards for the movement of information and the granting of access via selected mechanisms.

A series of events outside of CDC & ATSDR has had, and will continue to have, significant influence on our approach to information protection and systems security. Primary among these is Presidential Decision Directive 63 (PDD 63), which emphasizes and expands on the Computer Security Act of 1987 and the policy references distilled into the OMB Circular A-130 to focus attention on the protection of public and private critical infrastructures. The rules required under HIPPA have been disseminated and are soon to become fully effective, and the rules for conduct of research and operation of IRB reviews are under review. Collaborators, both governmental and private, are reviewing their own stance and their own relationships with us, and are asking for more specific assurances of our intent and our ability to protect information shared by them. Finally, in November 2000, new legislation was signed that alters the character of A-130 language and increases oversight.

Out Going Services:

Modem Dial-Out: Internet access to external IT resources has become the de facto means of communications at CDC and ATSDR. Nevertheless, direct access from a CDC-Net connected device to an external IT resource, via a dial-out modem connection, is sometimes required to perform mission activities in an efficient manner. When dial-out access is required, the connection shall be established through a dial-out facility, established and operated by a CDC organization from within a properly secured IRM equipment area (e.g., computer room), unless an exception is authorized in writing.

When a CDC/ATSDR component organization determines that both of the following conditions apply, the IRM Coordinator may authorize installation or continued connection of an analog telephone line for modem dial-out service from a specific device, i.e., an exception to normal operation. The two conditions are:

• The need is linked to a critical mission activity.

• A modem pool that can serve the need is not available.

In the written notice establishing / continuing the authorization, the IRM Coordinator shall notify the ISSO of the organization to which the primary user is assigned, the organization’s ISSO (if not the IRM Coordinator) and the CDC ISSO.

Appropriate steps shall be taken to preclude operation of the modem in an auto-answer mode, unless separate authorization for direct dial-in access has been provided, according to the standard specified below.

The authorization shall lapse, and the telephone line shall be rendered inactive, at the end of 1 year, unless the authorization is continued.

The CIO ISSO shall maintain a record of all such authorizations, including which lines are assigned to modem use under authorized exceptions, the intended use and assigned user of the line, and the authorizing official. The CIO ISSO shall notify the authorizing official one month prior to the expiration of the authorization, and, if subsequent authorization for continuation of the exception has not been received by the expiration date, shall notify IRMO/NTB, within one week of the expiration date, to terminate the line immediately.

Modems of any kind (including digital line modems and wireless), whether individually purchased orgovernment provided, may not be connected to an individual device without a written authorization. Unauthorized installation or use of a modem is a serious breach of IPASS policy and is to be reported to the CIO ISSO.

Physical Transport of Information: Transport of any moderately or highly sensitive files, of any moderately or highly critical information, or of any limited access / proprietary information outside of the CDC-Net environment by electronic means or by physical means, such as a disk, diskette, laptop, desktop, tape, PDA or other device or media, is expressly prohibited, unless the following conditions are satisfied:

• authorized in writing to do so by an appropriate authority,

• operating on an established legal basis, and

• in compliance with an authorized security plan.

Internet-based Services: In certain instances, it is necessary to block out-bound Internet activity. For example, an activity may be blocked when the destination is not authorized due to content or system loading potential (WebSense), when the service is not authorized due to the potential for virus transmission, network probing, and/or denial-of-service attacks (POP-Mail, ICMP traffic, etc.), or when there is unreasonable risk of bypassing established control mechanisms, creating alternate file sharing mechanisms or bypassing firewall protections (Gnutella, etc.).

Assumed Violation of Policy: Any attempted or successful movement of sensitive / critical / protected data from CDC to an outside point, which does not conform to these standards, is a serious breach of IPASS policy and is to be reported to the CIO ISSO.

In Coming Services:

Authorization for direct access to internal, non-public IT resources from a location outside of the CDC-Net may be granted to individuals who have a clear business need and an established legal basis, such as an employment agreement, contract, memorandum of understanding, grant, CRADA, etc. All access to CDC’s non-public IT resources from an external location should be in compliance with an established and appropriate security plan. All such access is subject to the Employee Use of CDC Information Resources policy, and, unless authorized in writing and within the terms of the controlling security plan, shall be regarded as an intrusion.

Dial-in Via Modem to an Individual Device: Direct access to a CDC-Net-connected device from an external IT resource, via a dial-in modem connection, remains an important and efficient means of communication to meet certain agency needs. When such dial-in access is required, the connection shall be established through a common dial-in facility, such as a CISCO Access Server, established and operated by a CDC or ATSDR organization from within a properly secured IRM equipment area (e.g., computer room), unless a written exception is authorized.

When a CDC/ATSDR component organization determines that all three of the following conditions apply, the IRM Coordinator may authorize installation or continued connection of a telephone line for modem dial-in service to a specific desktop device, i.e., an exception to normal operation. The three conditions are:

• The need is linked to a critical mission activity.

• A dial-in facility that can serve the need is not available.

• An effective means exists to control access to and use of the connection*.

In the written notice establishing / continuing the authorization, the IRM Coordinator shall notify the ISSO of the organization to which the primary user is assigned, the organization’s ISSO (if not the IRM Coordinator) and the CDC ISSO.

* Each machine which is party to the dial-in connection shall have a CDC-approved product configured to CDC standards which provide the following services:

• Authentication with, at minimum, an ID/Password pair compliant with CDC standard; an additional authentication mechanism is encouraged

• Anti-virus protection

• Personal Firewall

The authorization shall lapse, and the telephone line shall be rendered inactive, at the end of 1 year, unless the authorization is continued.

The CIO ISSO shall maintain a record of all such authorizations, including which lines are assigned to modem use under authorized exceptions, the intended use and assigned user of the line, and the authorizing official. CIO ISSO shall notify the authorizing official one month prior to the expiration of the authorization, and, if subsequent authorization for continuation of the exception has not been received by the expiration date, shall notify IRMO/NTB, within one week of the expiration date, to terminate the line immediately.

Modems of any kind (including digital line modems and wireless), whether individually purchased or government provided, may not be connected to an individual device without a written authorization. Unauthorized installation or use of a modem is a serious breach of IPASS policy and is to be reported to the CIO ISSO.

Internet Connection (ISP, D.L., etc.): All such connections shall be authorized and configured using the CDC Policy for High Speed Internet Access, ADSL/Cable Modem (D.L.), see http://intranet.cdc.gov/irmo/ntb/ADSLpolicy.pdf

Physical Transport of Information: Transport of any moderately or highly sensitive files, any moderately or highly critical information, or any limited access/proprietary information from an outside source into the CDC-Net environment by electronic or physical means, such as a disk, diskette, laptop, desktop, tape, PDA or other device or media, is expressly prohibited, unless all five of the following conditions are satisfied:

• Agency mission activity requires access to the information.

• Authenticity of the data can be easily and unequivocally established.

• Authorization in writing to do so is provided by appropriate authority.

• An established legal basis exists.

• Use conforms to an authorized security plan.

"Wireless" Communication Devices: The use of such devices in our environment exists already. Protection of information in transit, via robust encryption, is a fundamental enabler of such devices and a function required for its use in our environment. Because there are so many forms of wireless implementation, a separate standard will be created to address them, and the ISSO will convene a group to draft a standard.

General Conditions:

Authentication for inbound traffic: At minimum, authentication of identity, for access to internal non-public CDC IT resources or to sensitive information via externally available services such as WebMail, shall be by means of a one-time passcode-generating device, currently SecurID, for general use, and S-Key, for special circumstances of single use. A digital certificate may be required in addition, under certain circumstances.

If necessary for specific situations, such as overseas travel, the dependence on the generated passcode may be temporarily waived in lieu of a SecurID static password (higher degree of protection than current alternates); however, as soon as possible, authentication shall revert to the passcode generated by the SecurID device. Unless justified to and authorized by the CIO ISSO, no waiver shall exceed 14 days, and the CIO ISSO shall notify the CDC ISSO whenever such an extended waiver is authorized.

Virus Protection: The device from which access to internal non-public CDC IT resources is made shall have installed an agency-approved anti-virus product which has the following characteristics:

• in compliance with agency configuration standards for that product

• no more than 7 calendar days older than the currently available scan pattern for that product

• the scan engine is appropriate for the required scan pattern and not more than 14 days older that the current engine for that product

• be active at the time of and during the connection

Encryption: Under no circumstances shall an individual or an organizational component introduce into the CDC production environment any encryption process or tool without the written authorization from the CIO ISSO and concurrent registration with the IRMO/NTB Network Security Team. An arrangement for key escrow must be worked out before any production use of the product/tool may begin.

Devices connected to a so-called "always on" internet connection, such as D.L. or cable modem, shall have installed an agency-approved encryption product, specifically Not the internal Microsoft NT (4.x or 2000) encryption facility, which has the following characteristics:

• in compliance with agency configuration standards for that product

• has an approved key-recovery process for which an approved authority holds necessary information and tools

• is used to protect all sensitive and critical data or processes

• is active at the time of and during the connection

Devices not connected to "always on" internet connections but housed outside of an agency-controlled space, such as home or travel devices, are strongly urged to use an encryption product.

Encryption is required when any moderately or highly sensitive files, any moderately or highly critical information, or any limited access/proprietary information is to be transmitted either electronically or physically.

Firewall: Devices connected to a so-called "always on" internet connection, such as D.L. or cable modem, shall have installed an agency-approved Personal Firewall product, currently defined in the CDC Policy for High Speed Internet Access, ADSL/Cable Modem (D.L.), which has the following characteristics:

• in compliance with agency configuration standards for that product

• has up-line reporting capabilities (to alert CDC-Net devices/authorities of intrusion activity) installed and tested

• is active at the time of and during the connection

Devices not connected to "always on" internet connections but housed outside of an agency-controlled space, such as home or travel devices, are strongly urged to use a Personal Firewall product when connecting to ISP sources.

Without written authorization from the CIO ISSO, an individual shall not introduce into the CDC production environment any personal firewall product or tool. Configuration shall be mutually agreed upon between the individual and the CIO ISSO, but in no case may the configuration block authorized device scanning or interrogations.

Vulnerability Scanning: Any device connecting to internal non-public CDC IT resources may be scanned by automated tools to detect known vulnerabilities of the device and/or threats to the CDC-Net during a connection. Reports of any vulnerabilities/threats found shall be made automatically to the CIO ISSO and the Network Security Team, IRMO. Under certain conditions, access to non-public CDC IT resources may be blocked or terminated, if already established, due to detected vulnerabilities.

Collection and Use of "Logging Data": Any device connecting to internal non-public CDC IT resources may have so-called "logging data", such as caller-id, D.L. Account Number, etc., collected as a matter of routine. Under certain circumstances, network activity, including network packets, may be monitored to detect activity potentially harmful to the CDC-Net itself, to CDC-Net connected resources, or to other computing resources. Observed network activity may be stored for use in resolving network issues and for reference to appropriate authorities, where activity warrants. In compliance with CDC policy, activity reasonably thought to be a violation of law will be referred to the appropriate law enforcement agency.

Collateral Users Prohibited: Any device connecting to internal non-public CDC IT resources may be used only by the person authorized by CDC or ATSDR. Use by any other person, such as a spouse, partner, child, relative, friend, etc., unless also authorized by CDC/ATSDR and authenticating under his/her own identity, is not authorized and is a serious violation of IPASS policy. Note: Actual access to highly sensitive data during a particular session is not necessary to activate this prohibition, rather it is the potential access granted to the authenticated user which is controlling.

Security Plan Required: Any device connecting to internal non-public CDC IT resources must be operating in compliance with an approved and appropriate security plan, suited to the sensitivity/criticality of the information and systems accessed, as well as the authorities vested in the authorized users.

Issues Not Covered:

Time and attendance will need to be addressed through another mechanism. This is particularly germane when a subordinate claims to have worked "N" hours of overtime in a given week (and the logs show that it is true) and therefore wants to be paid or have compensatory time credited. This issue should be explored to identify and illuminate the risks and obligations on both sides.

There may be a time, perhaps sooner than later, at which a policy will need to be established, limiting connection to internal non-public CDC IT resources to only federally issued machines and user-owned machines that have been set-up and tested by the agency, based on a requirement to know the operational characteristics of all such devices permitted access.

The conditions under which servicing of machines, which connect to internal non-public CDC IT resources or house sensitive/critical data, may need to be specifically defined, particularly to limit such servicing only to CDC authorized mechanisms. If done, this likely would be very similar to our internal policy restricting release of devices for repair with sensitive/critical data on the local drive.

This page last reviewed December 5, 2000.

Originally Posted: http://intranet.cdc.gov/irmo/standards/itaccess.htm