HISPOL 016.0
The United States House of Representatives Information Security Policy for Privileged Account Management and Security
Version: 1.0
Approved: September 2015
Approval Authority: The United States House of Representatives Committee on House Administration

Table of Contents
Introduction
1 Scope
2 Definitions
3 Policy
3.1 Minimization of Privileged Accounts
3.1.1 Minimization of Administrative Accounts
3.2 Least Privileges
3.3 Privileged Account Management
3.3.1 Privileged Account Authorization
3.3.2 Designating an Authorizing Official
3.3.3 Authorizing Privileged Accounts
3.3.4 Temporary Privileged Accounts
3.3.5 Sharing Accounts
3.3.6 Disabling, Removing, and Restricting Privileged Accounts
3.3.7 Administrative Account Use
3.3.8 Shared Service Accounts
3.3.9 Enterprise Administration and HIR Privileged Accounts
3.3.10 Vendor Call Centers
3.3.11 Training Requirements
3.3.12 Background Checks
3.3.13 Retention of Authorization Records
3.4 Privileged Account Authentication
3.5 Privileged Account Record Review and Monitoring
3.5.1 Privileged Account Records Review
3.5.2 Privileged Account Monitoring
4 Exceptions
5 Roles and Responsibilities
5.1 House Offices
5.2 Authorizing Officials
5.3 Hiring Authority
5.4 Office of the CISO
5.5 Privileged Users
6 Related Documents
6.1 House of Representatives Policies, Publications, Standards
6.2 National Laws, Best Practices, Standards
7 Consequences of Non-Compliance

Introduction

Privileged user accounts (Privileged Accounts) are accounts that extend access to the U.S. House of Representatives' (House's) information systems beyond what is granted to normal users. Misuse or mismanagement of Privileged Accounts significantly increases the risk to the House's information systems and information. As such, it is imperative that Privileged Accounts are rigorously managed and monitored, that the capabilities of Privileged Accounts are limited wherever possible to the functions necessary to accomplish assigned tasks, and that the rigor of security and access controls for Privileged Accounts is commensurate with the risk to which their existence exposes House information and the House's information systems.

1 Scope

This policy applies to any and all individuals that use Privileged Accounts associated with any information systems attached to any part of the House network, including House systems owned and operated by House Officers, House Committees, House Member Offices, other House entities, and vendors and contractors that provide services to the House community.

2 Definitions

Authorization: The act of granting access privileges to a user, program, or process.

Authorizing Official (AO): An official with the authority to formally assume responsibility for providing access to an information system at an acceptable level of risk to House operations (including mission, functions, image, or reputation), House assets, or individuals.

Hiring Authority: The head of an employing office and the person with final authority to appoint, hire, discharge, and set the terms, conditions, or privileges of the employment of an employee of that employing office.

House Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of House information.
House Office: The personal office of a Member of the House of Representatives; a committee or joint committee of the House of Representatives, including any subcommittees; or any other office headed by a person with the final authority to appoint, hire, discharge, and set the terms, conditions, or privileges of the employment of an employee of the House of Representatives.

Least Privileges: The security objective of granting users only those accesses they need to perform their official duties.

Personally Identifiable Information (PII): For the purposes of this document only, Personally Identifiable Information (PII) is information that may be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother's maiden name, etc.).

Privileged Account: An information system account with approved authorizations of a user who is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

3 Policy

To reduce the risk associated with Privileged Accounts, all House Offices using Privileged Accounts associated with information systems attached to the House network shall, in accordance with all House policies, procedures, standards, and guidelines:
1. Have rigorous Privileged Account management requirements capable of accounting for the inherent risk of Privileged Accounts;
2. Incorporate separation of duties and principles of Least Privilege for Privileged Accounts;
3. Implement account security measures capable of mitigating the inherent risk of Privileged Accounts as outlined in privileged access security standards and procedures;
4. Implement a minimum of two-factor authentication for access to Privileged Accounts (no later than 180 days following promulgation of standards and procedures to secure Privileged Accounts);
5. Monitor all usage for potential misuse;
6. Ensure that Privileged Accounts are only used for the purposes for which they are created (administration); and
7. Ensure non-privileged user accounts are used in all cases except when Privileged Accounts are required.

3.1 Minimization of Privileged Accounts

No House Office shall create a Privileged Account unless there is a specific business need necessitating the creation of a Privileged Account. All House Offices shall immediately disable and remove any unnecessary Privileged Accounts for which they are responsible, including local administrative accounts.

3.1.1 Minimization of Administrative Accounts

Member Offices and Committee Offices may not have more than four Privileged Accounts within the Organizational Unit Administrative Group (OU Admin Group) that consist of vendors or shared staff. This limitation does not apply to permanent staff in Member Offices and Committee Offices. All HIR personnel with access to the OU Admin Group for Member and Committee Offices shall have a documented business need and written authorization in order to gain or maintain access to the OU Admin Group in accordance with this policy and associated standards and procedures. Any HIR personnel within an OU Admin Group do not count against the four OU Admin account limit. Member Offices and Committee Offices may exceed four accounts with administrative privileges that do not belong to the OU Admin Group. Member and Committee Offices shall ensure that all administrative accounts are necessary and that unnecessary or inactive accounts are immediately disabled or removed.
3.2 Least Privileges

In accordance with the principle of Least Privileges, House Offices shall assign all Privileged Accounts the least amount of privileges necessary to perform the functions for which the account exists. In cases where House Offices cannot tailor Privileged Accounts, the House Office shall grant the Privileged Account the least amount of functions offered by the information system with which the Privileged Account is associated. At a minimum, Privileged Accounts shall:
1. Not have access to email or electronic messaging services that have direct communication outside the House network;
2. Not have access to the Internet; and
3. Only have networked access to information systems and devices to which the responsibility of the Privileged Account applies.

3.3 Privileged Account Management

Users may only receive access to an information system to perform actions beyond those associated with typical users through an authorized Privileged Account.

3.3.1 Privileged Account Authorization

House Offices shall only create Privileged Accounts on an as-needed basis. House Offices shall scrutinize users requiring Privileged Accounts to a greater degree than normal system users. House Offices should create Privileged Accounts only by authorization from their particular office's Authorizing Official or Hiring Official.

3.3.2 Designating an Authorizing Official

The Hiring Authority of a House Office shall designate an Authorizing Official to create and use the House Office's Privileged Accounts. The Authorizing Official is responsible for taking all appropriate measures to ensure that the risk associated with the existence of a Privileged Account does not exceed the risk tolerances of the House and the House Office. An Authorizing Official designated by a Hiring Authority should:
1. Have sufficient responsibility to ensure that all appropriate measures are taken to reduce risk associated with Privileged Accounts for his/her House Office;
2. Be a House employee (not a contractor or vendor);
3. Be employed by the office for which they serve as an Authorizing Official; and
4. Not have the ability to authorize himself/herself as a user of a Privileged Account.

House Offices may designate more than one Authorizing Official provided he/she meets the requirements enumerated above and throughout this policy. Authorizing Officials will serve as a point of contact between their House Office and the Office of the Chief Information Security Officer (CISO) for matters related to its Privileged Accounts.

3.3.3 Authorizing Privileged Accounts

When making a decision to authorize a Privileged Account, an Authorizing Official shall:
1. Examine the documented business need for the creation of a new Privileged Account to ensure that the new Privileged Account is necessary;
2. Examine user qualifications and abilities to determine that the user has been trained appropriately and does not present a risk to the system;
3. Ensure that the user of the Privileged Account has reviewed, accepted, and signed all applicable rules of behavior forms in accordance with applicable House policies and procedures (see, for example, Appendix A: U.S. House of Representatives Rules of Behavior for Privileged Account Users);
4. As authorized to do so by the Hiring Officer or his or her designee, examine user background for elements that may make the trustworthiness of a user questionable;
5. Review the intended privileges associated with the Privileged Account to ensure that the account has only necessary privileges; and
6. Notify the Office of the CISO when authorizing elevated privileges within Active Directory or local administrator groups.
In accordance with House policies, standards, and procedures, the Office of the CISO shall:
1. Maintain a copy of the authorization form of Privileged Accounts for House Offices for purposes of administration; and
2. Ensure that only authorized Privileged Accounts exist on the House network.

3.3.4 Temporary Privileged Accounts

House Offices may create and use temporary Privileged Accounts in accordance with House policy, standards, and procedures. House Offices may have temporary Privileged Accounts for no longer than 14 days. House Offices may create temporary accounts for a number of reasons, including, but not limited to:
1. Administrative redundancy during vacations or emergencies;
2. Limited application installation; and
3. To satisfy a critical business need prior to authorization of a Privileged Account.

The House Office's Authorizing Officials must approve any temporary accounts prior to creation. House Offices shall set temporary Privileged Accounts to expire within 14 days. House Offices shall remove or disable temporary accounts when they are no longer needed, or after 14 days.

3.3.5 Sharing Accounts

Multiple users shall not share access to an individual Privileged Account.

3.3.6 Disabling, Removing, and Restricting Privileged Accounts

If a Privileged Account is unneeded or inactive, the House Office shall remove or disable the Privileged Account in accordance with House standards and procedures.

3.3.7 Administrative Account Use

House Offices shall provide Privileged Users with two accounts: one that provides Privileged Access, and one that provides normal system user functionality. Privileged Users may not use Privileged Accounts for functions associated with general user accounts. Privileged Account use is limited to laptop or desktop computers issued by the House.
3.3.8 Shared Service Accounts

Wherever possible, users shall only use one Privileged Account to administer systems across all House Offices for which the user is an authorized administrator. Privileged Accounts used to administer systems across multiple House Offices may not extend to any House Office that has not authorized the Privileged Account.

3.3.9 Enterprise Administration and HIR Privileged Accounts

All Privileged Accounts affiliated with duties that extend across the entire House, and Privileged Accounts associated with HIR personnel, shall operate only with the written authorization of the CISO.

3.3.10 Vendor Call Centers

Vendors operating call centers that provide services to multiple House Offices shall only use Privileged Accounts with the written authorization of the associated Contracting Officer's Representative.

3.3.11 Training Requirements

No user shall have access to a Privileged Account without having a current HIR Security and Privacy Awareness Training certificate granted by the Office of the CISO. Users shall also receive and pass HIR-provided role-based trainings for Privileged Account users upon receiving access to a Privileged Account. Privileged Users shall retake the HIR-provided role-based trainings for Privileged Account users every twelve months thereafter. All Privileged Accounts shall expire twelve months after the date of the last completion of the HIR-provided role-based trainings for Privileged Accounts.

3.3.12 Background Checks

The Hiring Officer or his or her designee must assess the trustworthiness of each Privileged User prior to that person receiving authorization to use a Privileged Account.
The Office of the CISO suggests that Hiring Officers and their designees use the rigorous criminal history records search services provided by the United States Capitol Police before authorizing an individual to be a Privileged User. Individuals under consideration for a Privileged User role should be notified in advance that placement in such a role is contingent on the Hiring Officer's determination that the individual is suitable for a Privileged User role.

3.3.13 Retention of Authorization Records

House Offices shall retain in their records the authorization form for a Privileged Account, as well as all associated documentation (e.g., Rules of Behavior forms, background check documents, etc.), for no less than one year after an employee who used the assigned Privileged Account separates from the House Office. Any documentation associated with the authorization of a Privileged Account that contains Personally Identifiable Information (PII) should be destroyed by shredding it once it is no longer required for record-keeping purposes.

3.4 Privileged Account Authentication

No later than 180 days following promulgation of standards and procedures to secure Privileged Accounts, House Offices, with the support of [ ], shall restrict access to Privileged Accounts using multifactor authentication. House Offices shall establish authentication for Privileged Accounts consisting of a minimum of two discrete authentication measures that are commensurate with the risk that the Privileged Account poses to the information system.

3.5 Privileged Account Record Review and Monitoring

House Offices and the Office of the CISO shall collaborate to monitor and regularly review Privileged Accounts in a manner consistent with this House policy.
3.5.1 Privileged Account Records Review

To promote the accuracy of the Office of the CISO's and a House Office's Privileged Account records, the Office of the CISO and the House Office shall collaborate to review Privileged Accounts at least quarterly as defined in this House policy and its associated standards and procedures. Unless otherwise set forth in this House policy, the Office of the CISO may not access the content of the Privileged Account without the authorization of the Hiring Official or Authorizing Official.

3.5.2 Privileged Account Monitoring

The Office of the CISO shall implement automated tools to monitor the use of Privileged Accounts where possible, consistent with the requirements of this House policy and its associated standards and procedures. Unless otherwise set forth in this House policy, the Office of the CISO may not access the content of the Privileged Account without the authorization of the Hiring Official or Authorizing Official.

4 Exceptions

The CISO, in consultation with a House Office's Hiring Authority, may grant exceptions to this policy that do not exceed 180 days in length. The CISO may also provide a termination date for the exception that is shorter than 180 days.

5 Roles and Responsibilities

House Offices, Authorizing Officials, Hiring Authorities, the Office of the CISO, and Privileged Account users all have significant roles and responsibilities in mitigating the risks to House information systems inherent to Privileged Accounts.

5.1 House Offices

House Offices shall:
1. Maintain an internal, written authorization process for the creation and use of Privileged Accounts;
2. Ensure that all user information associated with Privileged Accounts within the House Office has been submitted to the Office of the CISO;
3. Conduct a quarterly review of Privileged Accounts within the House Office to ensure that all Privileged Accounts within the House Office have current authorization from the organization's Authorizing Official for the information system to which they belong;
4. Conduct a quarterly review of Privileged Accounts within the House Office to ensure Privileged Users only have the access rights/privileges required to do their assigned work;
5. Conduct a quarterly review of Privileged Accounts within the House Office to ensure they are active and still needed;
6. Ensure that Privileged Accounts within the House Office comply with the security requirements enumerated in House policy, standards, and procedures;
7. Disable or remove all Privileged Accounts within the House Office that are used in a risky or atypical manner, or that have been compromised;
8. Immediately report to the Hiring Official all Privileged Accounts that are used in a risky or atypical manner and all Privileged Accounts that are potentially compromised. The Hiring Official, or his or her designee, must report such instances to the Office of the CISO;
9. Ensure background checks, as defined in this policy, have been conducted on all Privileged Users within the House Office; and
10. Create, enable, modify, disable, and remove Privileged Accounts only in accordance with applicable House policies.

5.2 Authorizing Officials

Authorizing Officials shall:
1. Authorize Privileged Users within the House Office;
2. Authorize the creation and activation of Privileged Accounts within the House Office;
3. Maintain records of written authorization of Privileged Users and Privileged Accounts within the House Office;
4. Ensure that Privileged Users within the House Office have appropriate role-based training for the system with which the Privileged Account is associated, and ensure that Privileged Users have obtained current HIR Security and Privacy Awareness Training certificates;
5. If designated to do so by the Hiring Authority, review Privileged Users' backgrounds and, to the best of their ability, attest to the trustworthiness of Privileged Users;
6. Ensure that Privileged Accounts within the House Office comply with the requirements of separation of duties enumerated in this policy;
7. Ensure that Privileged Accounts within the House Office comply with the requirements of Least Privileges enumerated in this policy; and
8. Ensure that the House Office immediately reports to the Hiring Official all Privileged Accounts used in a risky or atypical manner and all Privileged Accounts that may be potentially compromised. The Hiring Official, or his or her designee, must report such instances to the Office of the CISO.

5.3 Hiring Authority

Hiring Authorities shall:
1. Designate an Authorizing Official for their House Office;
2. Monitor proper creation and management of privileged accounts; and
3. Report all Privileged Accounts used in a risky or atypical manner, or Privileged Accounts that are potentially compromised, to the Office of the CISO.

5.4 Office of the CISO

The Office of the CISO shall:
1. Assist House Offices in establishing oversight of Privileged Accounts in accordance with the requirements enumerated in House policies and procedures;
2. Assist House Offices in limiting the access of Privileged Accounts to only the devices to which the responsibility of the Privileged Account applies;
3. Maintain records of Privileged Users authorized to exist within the House IT environment;
4. Conduct quarterly reviews of Privileged Accounts in accordance with House standards and procedures;
5. Monitor the House network for unauthorized Privileged Accounts;
6. Monitor the network for accounts associated with Privileged Users who do not have current HIR Security and Privacy Awareness Training and appropriate role-based training;
7. Develop and maintain standards, guidelines, procedures, and templates associated with the Privileged Account authorization process;
8. Develop and maintain standards, guidelines, procedures, and templates to secure Privileged Accounts;
9. Assess and review risks, and grant exceptions to policy when required;
10. Oversee the remediation of risks caused by misuse or compromise of Privileged Accounts when detected; and
11. Authorize enterprise-wide Privileged Accounts and Privileged Accounts that support call centers.

5.5 Privileged Users

Privileged Users shall:
1. Use or access Privileged Accounts only to perform the intended functions for which the Privileged Account was created;
2. Use only a House-issued laptop or desktop to access Privileged Accounts;
3. Use only their user account to perform general user functions;
4. Protect access to Privileged Accounts, including any physical devices associated with identification and authentication;
5. Report to the Hiring Authority compromising or atypical behaviors associated with Privileged Accounts. The Hiring Authority must report such instances to the Office of the CISO;
6. Review, accept, and sign the U.S. House Rules of Behavior for Privileged Users (Rules of Behavior); and
7. Complete HIR role-based training for Privileged Account users upon receiving access to a Privileged Account and at least every twelve months thereafter.
6 Related Documents

6.1 House of Representatives Policies, Publications, Standards
1. HISPOL 001.0 - The United States House of Representatives Information Security Policy Structure and Organization
2. HISPOL 002.0 - The United States House of Representatives Information Security Policy for Protecting Systems from Unauthorized Use
3. HISPUB 0XX.X - The United States House of Representatives Privileged Account Management Procedures
4. HISPUB 07.1.58 - OU Account Management
5. House IT Policy 004.0 - The United States House of Representatives Information Technology Policy for Active Directory Naming Conventions
6. House IT Policy 005.0 - The United States House of Representatives Information Technology Policy for Organizational Unit Admin Security Group Membership
7. HIR Publication - User and Email Administration Recommended Practices (Active Directory/Exchange): Version 3.0, January 28, 2013

6.2 National Laws, Best Practices, Standards
1. NIST Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations: Security Controls (Access Controls, Security Assessment and Authorization, Risk Assessment, and Systems and Service Acquisition)
2. NIST Interagency Report 7298 - Glossary of Key Information Security Terms: All technical terminology taken from Glossary

7 Consequences of Non-Compliance

The Office of the CISO may disable Privileged Accounts that fail to meet House policies, standards, and procedures. In cases where a Privileged Account poses a risk to House information or House information systems, the Office of the CISO may disable the Privileged Account without notice, except as required herein and by House policies, standards, and procedures. The Office of the CISO must provide notice to the House Office's Hiring Authority when disabling a Privileged Account.
In non-emergencies, the Office of the CISO shall provide the House Office reasonable notice prior to disabling the Privileged Account. The House Office shall have five business days from receipt of the notice to concur with or contest the removal of the Privileged Account. All entities and/or personnel covered by this House policy that do not comply with any part of this policy, or fail to take prompt action to remediate vulnerabilities, risks, or negative actions associated with Privileged Accounts as directed by the Office of the CISO, may have some or all of their information systems and/or access to information systems blocked from the rest of the House network until compliance is once again achieved. The Office of the CISO shall report to the Committee on House Administration (CHA) any House Office intentionally violating House security policy as well as any House Office that fails to remediate known vulnerabilities or non-compliance within five business days of receiving notice from the Office of the CISO. Additionally, any House Office that fails to remediate known vulnerabilities or non-compliance within seven days of notification. Additionally, a House Office that has not taken actions to remediate known vulnerabilities or non-compliance within five business days of receiving notice from the Office of the CISO may have its access to the House network suspended, consistent with this policy. If exigent circumstances due to imminent danger exist, House Offices may immediately have their network access suspended, with parallel notification to their Hiring Authority and CHA.
All Privileged Users covered by this House policy who fail to comply with any part of this policy or the Rules of Behavior referenced herein, or who fail to reasonably take prompt action to remediate vulnerabilities, risks, or negative actions associated with Privileged Accounts as directed by their House Office pursuant to this policy, may be subject to (i) the administrative suspension or cancellation of their Privileged Account and/or (ii) disciplinary action by their Hiring Authority, up to and including termination of employment.

Rules of Behavior for Privileged Account Users and Remote Access
HISFORM 016.02
U.S. House of Representatives Rules of Behavior for Privileged Account Users and Remote Access
Individual: [Enter Individual's Name]
Date: [Click here to enter a date]

U.S. House of Representatives Rules of Behavior for Privileged Account Users

In accordance with the security policies of the U.S. House of Representatives ("House") and to protect the confidentiality, integrity, and availability of data processed and owned by the House, Privileged Users of House information systems must accept and follow the U.S. House of Representatives Rules of Behavior for Privileged Account Users. This document provides common rules on the appropriate use of House information technology resources for Privileged Users, including House employees and contractors. Privileged User account roles have elevated privileges above those in place for general user accounts regardless of account scope (including both local and domain administrator accounts). Potential compromise of Privileged Accounts carries a risk of substantial damage and therefore Privileged Accounts require additional safeguards.
All users of Privileged Accounts must read these rules, initial beside each rule, and sign the accompanying acknowledgement form before accessing House information, systems, and/or networks in a privileged role.

I understand and acknowledge that, as a Privileged User, I shall:
1. Use my Privileged Account(s) for official administrative actions only;
2. Protect all Privileged Account credentials (passwords, tokens, etc.) at a security level commensurate with the highest level of data that the Privileged Account can access on the associated information system;
3. Protect the administrative or root-level authentication information at the highest level demanded by the sensitivity of the system;
4. Comply with all system/network administrator responsibilities in accordance with House policies;
5. Use special access privileges only when they are needed to carry out a specific system function that requires elevated privileges on assigned systems;
6. Use a non-privileged (general user) account whenever administrative privileges are not required (e.g., e-mail, web browsing);
7. Log on to my non-privileged account and then subsequently log in to my Privileged Account to perform actions requiring privileges (to the maximum extent possible). For example, I understand that on a UNIX operating system, the user must log in to a non-privileged account before logging in as "root," and on a Microsoft Windows computer, the user must log in to a non-privileged account before performing a privileged function that requires authentication as a Privileged User;
8. Notify the respective Hiring Official and/or Authorizing Official immediately when privileged access is no longer required;
9. Use precautionary procedures to protect a Privileged Account from fraudulent use;
10. Watch for signs of inappropriate or illegal (e.g., hacker) activities or other attempts at unauthorized access and immediately report them to my Hiring Official and/or Authorizing Official upon discovery. My Hiring Official, or his or her designee, must report such instances to the Office of the Chief Information Security Officer; and
11. Complete any specialized role-based security training as required before receiving privileged system access.

I understand and acknowledge that, as a Privileged User, I shall not:
1. Share Privileged User account(s) or password(s);
2. Create or log on to a group or shared user account that is not authorized by policy;
3. Remove or destroy a system audit, security, event, or other type of log;
4. Acquire, possess, trade, or use hardware or software tools that could be employed to evaluate, compromise, or bypass information systems security controls;
5. Introduce unauthorized or malicious code into House information systems or networks;
6. Knowingly write, code, compile, store, transmit, or transfer malicious software code, including, but not limited to, viruses, logic bombs, worms, and macro viruses;
7. Use Privileged Account(s) for day-to-day communications (to include accessing the Internet);
8. Use Privileged Account(s) to access data or other information unless I am explicitly authorized to do so as part of my official duties;
9. Elevate the privileges of any user without prior approval from the Authorizing Official;
10. Use special privileges for personal business, gain, or entertainment;
11. Use privileged access to circumvent House policies or security controls; or
12. Use a Privileged User account for Web access.
As a user of a Privileged Account, I understand and acknowledge that I HAVE NO REASONABLE EXPECTATION OF PRIVACY while using any Privileged Account on an information system that processes, transmits, or stores House data. I understand and acknowledge that all Privileged Account activity on information systems in support of the House may be monitored, intercepted, recorded, read, copied, or captured by my Hiring Authority or by authorized House personnel, only as enumerated in HISPOL 016.0, or by my Hiring Authority. My Hiring Authority may give law enforcement officials any potential evidence of crime, fraud, or misconduct found on House information systems.

I understand and acknowledge that such Privileged Account monitoring by House personnel may consist of:
a. review of audit logs of any Privileged Accounts on IT devices used to support the House;
b. review of access and use of the Internet by Privileged Account users while on the House network.

I understand and acknowledge that I shall successfully complete HIR Information Security and Privacy Awareness training on an initial and annual basis as required or risk having my access to House information systems suspended.

I understand and acknowledge that I may have access to sensitive information depending on my job duties. I shall protect the confidentiality, integrity, and availability of House information in a manner consistent with its sensitivity.

I understand and acknowledge that, if I access Personally Identifiable Information (PII) or sensitive information as a requirement of my duties, I will encrypt PII or sensitive information as required by House policy. This includes, but is not limited to, PII or sensitive information that is:
a. downloaded from House or House organization information systems onto a House authorized portable storage device; or
b. e-mailed to any entity external to the House organization (to a non-House e-mail address).
Approved encryption levels are AES 256 or greater. Any questions concerning encryption should be directed to the Office of the CISO.

I understand and acknowledge that I will delete PII and sensitive data downloaded from House information systems immediately when its official use is no longer required.

I understand and acknowledge that I will immediately report a security breach, password compromise, or anomaly in system performance to my Hiring Official and that my Hiring Official or his or her authorized representative must report such instances to the Office of the CISO.

I understand and acknowledge that I will protect my passwords and/or authentication tokens from disclosure and loss at all times. I will take all efforts to avoid disclosing my passwords. I will not construct my password from obvious personal data (e.g., social security number, telephone numbers, relatives' names, or pet's name, etc.).

I understand and acknowledge that I am accountable for all actions taken under my User ID. I will not allow others to use my Privileged Account's User ID and I will not access other users' accounts, unless required to as part of my official duties. I will not attempt to access accounts or data that I am not expressly authorized to use.

I understand and acknowledge that when logged on, I will lock my workstation prior to leaving my workstation.

I understand and acknowledge that I may not install, use, or reproduce unauthorized or illegally obtained software on House information systems. Privately owned software is strictly prohibited on House information systems.

I understand and acknowledge that I shall not connect unauthorized devices to House information systems under any circumstance.
I understand and acknowledge that changes in my employment status or changes in my job responsibilities may require modification or termination of my access to House information systems.

I understand and acknowledge that I am using an unclassified information system. This system is not designed and secured for the handling of classified information. I am NEVER authorized to originate or knowingly process, and/or store classified information on an unclassified system.

I understand and acknowledge that this agreement shall not nullify or limit in any manner any other confidentiality, nondisclosure, or computer use agreement that I have executed or may execute with the Office of the CISO and my Hiring Authority.

I understand and acknowledge that I shall never attempt to tamper with, circumvent, or otherwise impede the security of any House system. I understand and acknowledge that I shall never install or utilize any tools designed to assist in doing the same.

I understand and acknowledge that if I do not comply with these rules, I am subject to (i) the administrative suspension or cancellation of my access privileges by the Office of the CISO or my Hiring Authority, and/or (ii) disciplinary action by my Hiring Authority, up to and including the termination of my employment.

I understand and acknowledge that this agreement shall not serve to create an actual or implied contract of employment between myself and the Office of the CISO or my Hiring Authority, or to confer any right to remain an employee of my Hiring Authority, or otherwise to change in any respect the employment-at-will relationship between myself and my Hiring Authority.
My signature below is my acknowledgement that I understand and acknowledge my responsibilities under the U.S. House of Representatives Rules of Behavior for Privileged Account Users and that I will comply with these rules of behavior and will reaffirm this acknowledgement annually in writing.

Printed Name, Title
Signature
Date

U.S. House of Representatives Rules of Behavior for Remote Access

In accordance with House policies, and to protect the confidentiality, integrity and availability of data processed and owned by the House, users must accept and follow the House Rules of Behavior for Remote Access in order to be permitted to perform House duties from a remote location. House Rules of Behavior for Remote Access apply to all users of House information systems (which includes House employees, contractors, vendors, and agents with a House-owned computer or workstation used to connect to the House network). House Rules of Behavior for Remote Access apply to remote access connections used to do work on behalf of the House, including reading or sending email and viewing Intranet web resources.

1. Users (which includes House employees, contractors, vendors, and agents) with remote access privileges to the House's network are responsible for ensuring that their remote access connection is given the same security considerations as the user's on-site connection when connecting to the House. For example, if an individual is processing sensitive personnel information via remote access, he/she must not process that information from a public facility such as a coffee shop or bookstore.
2. The user is responsible for ensuring, to the best of his/her ability, that unauthorized users do not access the House network, do not perform illegal activities, and do not use the access for outside business interests. The user may bear responsibility for the consequences if the user's access is misused. Misuse of the user's access by an unauthorized user may result in (i) revocation of the user's network access by the user's Hiring Authority or the Office of the Chief Information Security Officer (CISO), and/or (ii) disciplinary action against the user by his or her Hiring Authority.
3. Users are prohibited from sharing any House network passwords (email, administrative account, etc.) with any other person or entity other than the user's Hiring Authority.
4. Users with remote access privileges must ensure that their House-owned or personal computer is not connected to any other network at the same time they are logged into the House's network.
5. Users with remote access privileges to the House's network should not use non-House email accounts (e.g., Hotmail, Yahoo, AOL), or other external resources to conduct House business, thereby ensuring that official documents and correspondence are appropriately protected and are maintained separately from non-official documents and correspondence.
6. By way of example, users should avoid being logged into the House network via a local Ethernet connection and then dialing into AOL or another Internet Service Provider; or being on a House-provided VPN tunnel and then connecting into another person's remote access tunnel provided to them by a non-House employer or service.
7. All hosts (which may include but are not limited to laptops, desktops, workstations, etc.) that are connected to the House's internal networks via remote access technologies must use the most up-to-date anti-virus software and definitions, as approved by the Office of the CISO.

I have read the U.S. House of Representatives Rules of Behavior for Remote Access. My signature below is my acknowledgement that I understand and acknowledge my responsibilities and that I will comply with these Rules of Behavior.

Printed Name, Title
Signature
Date

Frequently Asked Questions

This Frequently Asked Questions document relates only to privileged account policy, standards, and procedures at the U.S. House of Representatives. This document is instructional only. As such, this document is not authoritative, and is superseded by any applicable policies, standards, or procedures.

Privileged Accounts

Q: What is a privileged account?
A privileged account is defined in HISPOL 16 as "an information system account with authorizations of a privileged user." Privileged users can use privileged accounts to "perform security-relevant functions that ordinary users are not authorized to perform." The definition is based on the National Institute of Standards and Technology's guidance on privileged account maintenance. The main goal in creating a privileged account policy is to maintain a strategy of separation of duties and least privileges.

Q: What are the risks associated with privileged accounts?
Recent cyber-attacks demonstrate that privileged accounts, when compromised by an attacker, pose a significant risk to the confidentiality, integrity, and availability of information and information systems.
If a privileged account becomes compromised, an attacker could have the capability to:
- Access/alter/delete data on users' computers;
- Access/alter/delete users' email and email accounts;
- Hide malicious account activities by deleting log files;
- Create new accounts;
- Alter or remove other users' accounts;
- Install malicious programs;
- Uninstall legitimate programs;
- Steal or change other users' passwords; and
- Access other users' accounts.

Least Privileges and Separation of Duties

Q: What is the concept of least privileges and separation of duties?
The National Institute of Standards and Technology defines least privilege as the "security objective of granting users only those accesses they need to perform their official duties." By adhering to least privilege, organizations can mitigate the amount of risk associated with privileged accounts. Separation of duties is defined as "dividing roles and responsibilities so that a single individual cannot subvert a critical process."

Q: What if I can't tailor all privileges associated with a privileged account?
In some cases, creating an account with only the privileges or permissions the account must have is not possible. When an organization cannot give an account only the privileges or permissions the account must have, the organization should ensure that the account has the least privileges the information system will allow the account to have. Organizations must also ensure that the authorization official has accepted the risk associated with granting the account the non-tailored privileges prior to implementing the privileged account.

Authorization Process

Q: Why do we have an authorization process for privileged accounts?
House organizations require privileged accounts to efficiently execute business processes. Unfortunately, privileged accounts also introduce risk to both the House organization and the House as a whole.
The authorization process enables House organizations to evaluate the risks associated with a given privileged account in relation to the business needs of the House organization. The authorization process requires House organizations to either accept or reject the risk to the Organization and the House associated with privileged accounts. For an illustration of these processes, see Processes Diagram 1.

Q: What is the authorization package?
An Authorization Package is a collection of all information required for an authorization of a privileged account. Authorization officials review the authorization package to make a risk-based decision about adding a privileged account to an information system. HIR will issue a template for authorization packages that organizations may choose to use. At a minimum, authorization packages must consist of the following information for each user associated with the Authorization Package:
1. Copies of current, signed, U.S. House of Representatives Rules of Behavior for Privileged Accounts;
2. Copies of current HIR Security and Privacy Awareness Training certificates;
3. Copies of current certificates for HIR role-based training for users of privileged accounts;
4. Results of any background check performed (e.g., through the United States Capitol Police). This information should not be submitted to HIR; rather, it should be maintained by the employing office using their existing procedures for handling sensitive information; and
5. The signature and date of the authorizing official indicating acceptance of the risk associated with the privileged account.

It is recommended that the organization also record:
1. Any user qualifications the organization chooses to examine (i.e., certificates or educational records); and
2. A brief explanation of the business need for which the organization is using privileged accounts.

Q: Who can be an Authorizing Official?
The organization's employing authority may designate an authorization official provided that the designee:
1. Has sufficient responsibility to accept risk for the organization;
2. Is a Federal employee; and
3. Is employed by the organization for which the designee will authorize privileged accounts.
For instance, an authorization official can be a Member or Chief of Staff, or another Federal employee with sufficient responsibility to accept risk for the organization.

Q: What does the Authorizing Official do?
The authorizing official reviews the information in the authorization package and chooses to accept or decline the risk associated with implementing a privileged account. If the authorizing official chooses to accept the risk, the authorization official will sign and date a record that indicates that the authorization official accepts risk for the House organization and the House.

Q: Do we have to review and update authorizations?
Yes. Organizations have to review all authorization packages at least once quarterly to ensure that the accounts are still needed, active, and have the least privileges required to perform the job function with which the privileged account is associated. If the privileges associated with the account expand, the authorization authority must review and reauthorize the privileged account. Authorization officials may elect to review, or remove the authorization of, a privileged account at their discretion.

Q: What are the requirements for record keeping?
Organizations must keep documentation associated with privileged accounts for 2 years after the account is permanently removed. Organizations will record a privileged account's removal in the privileged account's authorization package. Organizations should be aware that authorization packages may contain personally identifiable information (PII). As such, organizations must store all PII associated with authorization packages in accordance with House policy, standards, and procedures.
Background Checks

Q: Why require a background check?
As privileged accounts have a greater potential impact on information and information systems than general user accounts, organizations must promote trustworthiness of users of privileged accounts. Authorization officials must check the backgrounds of users of privileged accounts for elements that might make the trustworthiness of a user questionable.

Q: What type of background check do organizations need to have for system administrators?
Policy does not define any single type of background check. The Office of the CISO recommends that background checks be consistent with those offered by the United States Capitol Police. For greater details of how to initiate the USCP background check process, including copies of forms required, please reach out to USCP directly.

Q: Can I use other background check processes in lieu of the USCP process?
Yes. Background checks may be obtained from the Sergeant at Arms' ID Services or through private companies as well. If you have questions about whether another form of background check would be adequate, contact HIR at Randal.Vickers@mail.house.gov.

Training

Q: What are the training requirements for a user of privileged accounts?
HIR provides two trainings that are required for privileged account users. All users of privileged accounts must complete current HIR Security and Privacy Awareness Training. Privileged account users must also take and pass the HIR-provided role-based training for privileged users prior to having access to a privileged account. No user may have access to a privileged account without current HIR Security and Privacy Awareness Training and HIR-provided role-based training for privileged users.

Q: How do we know if a user has current training?
HIR will provide dated certificates to all users who complete HIR Security and Privacy Awareness Training and HIR-provided role-based training.
Users must print the certificates and provide them to the House organization as proof of training. Training certificates should be kept with all authorization packages for privileged accounts with which the user is associated and must be available upon request.

Q: How frequently do users of privileged accounts have to be trained?
All users of House information systems have to receive and pass HIR Security and Privacy Awareness Training once every 12 months. Users of privileged accounts must also complete and pass HIR-provided role-based training for privileged users once every 12 months. Where possible, privileged accounts should be set to automatically deactivate within 12 months from the last date the user has passed HIR-provided role-based training for privileged users.

Multifactor Authentication

Q: When will we need to have multifactor authentication?
Organizations must implement multifactor authentication no later than 180 days after the Office of the CISO publishes standards and/or procedures for securing House information systems with Multifactor Authentication.

Q: Will HIR help identify and implement a solution for multifactor authentication?
HIR is currently evaluating capabilities to help organizations implement multifactor authentication. When a solution or solutions are identified, HIR will provide guidance in the form of standards and implementation procedures. Organizations will have 180 days to implement multifactor authentication after the standards and implementation procedures are published.

Emergency Accounts

Q: What if we have an emergency and our systems administrator is away?
Organizations may implement a temporary privileged account for a period not to exceed 14 days. The temporary account must be approved by the organization's authorization official prior to creation. Organizations should remove or disable the account as soon as the account is no longer needed or after 14 days.
Account Restrictions

Q: What restrictions will be placed on privileged accounts?
Privileged Accounts will have limited access to email and Web for security purposes. Additional restrictions may be placed on privileged accounts if deemed necessary by individual system administrators.

Account and Email Administration

Local Administrator Accounts

Q: What should we do about local administrator accounts?
House policy states that organizations must remove all non-required local administrative accounts. General users should not have local administrative accounts unless there is a business need for them to have one. If a user has a local administrative account, the user may only use their local administrative account for administrative purposes, and not for general purposes like word processing, email, or Internet browsing.

Exceptions

Q: What if we can't meet a requirement of privileged accounts policy, standards, or procedures?
The Chief Information Security Officer (CISO) of the Office of the Chief Administrative Officer (CAO) may grant exceptions to this policy that do not exceed 180 days in length. At the CISO's discretion, exceptions may include terms and conditions, or an exception termination date.
Processes Diagram 1

Designating Authorizing Officials:
- Member Office completes Authorizing Official Designation Forms
- Submits Authorized Requestor Form (USCP form) to HIR
- Submit form to HIR
- HIR submits to USCP on behalf of Member Office (Member Office may submit to USCP themselves if they prefer)

Background Check Process:
- Background Check Process Initiated
- Individual fills out USCP 491 and submits to their Member Office for signature
- Member signs and gives back to individual
- Individual presents signed forms to USCP and gets fingerprinted (must be in person)
- Background Check results sent (by USCP) to Authorized Requestor

Authorizing Privileged Accounts:
- Identify potential Privileged Account holder
- Individual accesses and completes Roles Based Training
- Individual downloads and signs Rules of Behavior
- Submit Privileged Account Authorization Form to HIR

Creating Privileged Accounts:
- Create the actual account (sysadmin or other, as needed)
- Request token to be issued for this account
- Provide Privileged Account Holder with account info and token

Philip G. Kiko, Chief Administrative Officer
Office of the Chief Administrative Officer
U.S. House of Representatives
Washington, DC 20515-6860

APPROVED
Committee on House Administration
FEB 5 2017
(Gregg Harper, Staff Initials)

MEMORANDUM

To: The Honorable Gregg Harper, Chairman, Committee on House Administration
From: Philip G. Kiko, Chief Administrative Officer
Subject: United States House of Representatives Information Technology Policy for Official Domain Names (House IT Policy 003.0), Version 2.0
Date: February 9, 2017

Abstract: The CAO requests Committee approval of House IT Policy 003.0 for Official Domain Names, Version 2.0, which replaces the original policy approved by CHA in December 2008. House IT Policy 003.0 has been updated to reflect the current standards and conventions established as best practices for the House. The following items are addressed in this update:
- Re-defined "House entity" to be an organization that utilizes a House approved IT infrastructure (in preparation for the Cloud);
- Updated to reflect that HIR CIO approval is required in the extreme cases where web sites are hosted on non-House IT infrastructure;
- Added requirement that domain names be SSL enabled and use the protocol;
- Created a section to reflect naming conventions based on the House office (for readability);
- Updated verbiage to indicate domain names not conforming to conventions will be vetted with CHA by Web Systems rather than the House Entity;
- Added requirement that CHA approval is required for Joint Committees and House Commissions since these URLs do not follow a consistent pattern;
- Added Eligible Congressional Member Organizations (ECMO) domain name pattern specifications;
- Provided generic examples for conventions being established throughout the document (such as memberName.house.gov).

Time Sensitivity: Routine

Staff Contacts: Steen Hambric, Chief Technology Officer, 6-6011; Kalpana Abuja, Director of Web Systems, 6-1488

Attachments:
- House IT Policy 003.0 (Version 2.0) - The United States House of Representatives Information Technology Policy for Official Domain Names (dated January 2017)
- House IT Policy 003.0 (Version 1.0) - The United States House of Representatives Information Technology Policy for Official Domain Names (dated December 2008)

House IT Policy 003.0
The United States House of Representatives Information Technology Policy for Official Website Domain Names
Version: 2.0
Approved: January 2017
Approval Authority: The United States House of Representatives Committee on House Administration

House IT Policy 003.0 Official Website Domain Names January 2017

Table of Contents
1 Introduction
1.1 SCOPE
2 Definitions
2.1 HOUSE ENTITY
2.2 EMPLOYING AUTHORITY
2.3 WEBSITE
2.4 DOMAIN NAMES
2.5 HOUSE.GOV DOMAIN
2.6 VIRTUAL DIRECTORIES
2.7 POINT OF CONTACT FOR DOMAIN REGISTRATIONS
3 Policy
3.1 DOMAIN NAME CONVENTIONS
3.2 DOMAIN NAME RESTRICTIONS
3.3 LOCATION OF THE HOUSE.GOV DOMAIN AND HOUSE WEBSITES
3.4 SECURE SOCKETS LAYER (SSL)
4 Requesting House Domain Names
4.1 JOINT COMMITTEES AND HOUSE COMMISSIONS
4.2 SUBCOMMITTEES
4.3 MINORITY COMMITTEE OFFICES
4.4 MEMBER AND STAFF ORGANIZATIONS
4.5 INTERNAL DOMAIN NAMES
5 Compliance
6 Authority

1 Introduction

The purpose of this policy is to establish a standard naming convention for all official U.S. House of Representatives (House) domain names. This policy affects website domain names for Members, Committees, Leadership and other House entities. This policy supplements regulations issued by the Committee on House Administration, such as the Members' Congressional Handbook, the Committee Handbook, and the Eligible Congressional Member Organizations Handbook.

1.1 Scope

This document sets forth requirements for the creation and use of website domain names in the House. This policy is applicable to all House entities as defined in section 2.1 regardless of the service or intended use.

2 Definitions

2.1 House Entity

As it relates to this policy, a "House entity" is any organization that uses House authorized information technology (IT) infrastructure to deliver services either internally to the House or externally to constituents or the general public. These organizations generally include all Members, Committees, Leadership, Officers and Officials of the House.

2.2 Employing Authority

As it relates to this policy, an "Employing Authority" includes any personal Office of a Member of the House, a Committee of the House, or any other House Entity headed by a person with the final authority to appoint, hire, discharge, and set the terms, conditions, or privileges of the employment of an employee of the House of Representatives.

2.3 Website

A website is a collection of files or information on a particular topic that includes a default location called a home page.
For example, most organizations that operate a website publish a single address that directs visitors to their home page. Navigation on the home page provides a mechanism to browse all of the information and files on the site. For example, the website for the U.S. House of Representatives has the home page address of

2.4 Domain Names

Domain names provide a user-friendly, easy to remember name to help locate services or resources over the internet or network. Domains can also be subdivided into smaller domains, often called subdomains. Examples of domain names used in the House include house.gov and cao.house.gov. The cao.house.gov site would also be considered a subdomain of the broader house.gov domain.

2.5 house.gov Domain

The House of Representatives has registered the domain house.gov with the General Services Administration (GSA), which is the organization responsible for managing the top-level .gov domain. The House has full control over the house.gov domain and can create any number of subdomains that reflect the various entities and organizations that encompass the House. For example, the House has created the domain names cha.house.gov for the Committee on House Administration and cao.house.gov for the Office of the Chief Administrative Officer.

2.6 Virtual Directories

Virtual directories are shortcuts created on a web server to assist with subdividing a website into different entities or subordinate sites. In the house.gov domain, virtual directories perform a similar function as subdomains by helping to uniquely identify an Office's website. For example, the House created the virtual directory house.gov/cha for the Committee on House Administration. For the purpose of this policy, virtual directories created immediately under house.gov must adhere to the same conventions and restrictions as domain names.
2.7 Point of Contact for Domain Registrations

The CAO shall provide to the domain registration authority an Administrative, Technical and Billing Point of Contact (POC) for all domain name registrations and SSL Certificates for House offices.

3 Policy

3.1 Domain Name Conventions

All domains created under this policy shall be in the form of officeName.house.gov or serviceName.house.gov. For example:
- cao.house.gov
- memberName.house.gov
- cha.house.gov

Domain names may be further subdivided into subdomains provided those names are compliant with the restrictions and policies outlined within this document and are subdivided by using a dash between the subdomain names. For example:

3.2 Domain Name Restrictions

All domain names created under this policy must:
- be recognizably derivative or representative of the name of the entity requesting the domain;
- not be a slogan;
- not imply in any manner that the House endorses or favors any specific commercial product, commodity, or service.

3.3 Location of the house.gov Domain and House Websites

The house.gov domain and all subdomains must be located within the House's approved internet protocol (IP) range. The external hosting of house.gov domains is not permitted except in very limited circumstances and requires pre-approval by the CAO Chief Information Officer (CIO). All House websites must be located within the house.gov domain.

3.4 Secure Sockets Layer (SSL) and Subdomains

Per the House Information Security Publication (HISPUB) 0071.15, all public House websites must be SSL enabled and accessible only by the protocol.

4 Requesting House Domain Names

Any Employing Authority may request a unique domain name within house.gov to provide an address for their website and associated services. The Committee on House Administration must approve all requests for a domain name that does not conform to the standard naming convention.
The CAO will coordinate the exception request on behalf of the employing authority upon request. House IT Policy 003.0 Official Website Domain Names January 2017 4.1 Joint Committees and House Commissions Joint Committees and Commissions that encompass a membership beyond just the House institution require CHA approval. 4.2 Subcommittees Under this policy, Subcommittees are not considered Employing Authorities. The Chair of the full Committee may request a domain in the following format that is clearly derivative of the existing Committee domain name that identifies the Subcommittee as part of the full Committee. For example: 1? su bcommi tteeName? Commi tteeName . housegov 4.3 Minority Committee Offices Under this policy, Minority Committee Offices are not considered Employing Authorities. However, Ranking Members of the full Committee may request a domain in the following format that is clearly derivative of the existing Committee domain and identifies the Minority office as part of the Full Committee. For example: - - 4.4 Member and Staff Organizations For the purposes of this policy, Eligible Congressional Member Organizations are considered employee authorities. CHA recognized Eligible Congressional Member Organizations may request domain names in the following format: I ECMOName.House. gov CHA recognized Congressional Member Organizations and Congressional Staff Organizations are not permitted to request a unique domain name directly under house. gov. However, Members may request a subdomain of their existing domain name to support a CMO or CSO they have sponsored. Such as when a Member requires a section of their website be dedicated to caucus activities. For example: 1 are limited by House Rules. Please review the Eligible Congressional Member Organizations Handbook at the Committee on House Administration website at /cha.house.gov or contact the Committee at 202 225-8281 for more information. 
4.5 Internal Domain Names

Some House Entities may wish to deploy Intranets or other services that are only accessible internally within the House network using an internal domain name. The same policies that apply to external domain names also apply to internal domain names, with the following exceptions.

1. Officers of the House may deploy Intranet websites and services that use domain names derivative of the service they are providing. For example:

   - serviceName.house.gov

2. CHA-recognized and approved Congressional Member Organizations and Congressional Staff Organizations may request unique internal domain names directly under the house.gov domain for internal use. For example:

5 Compliance

All official House domain names, excluding previously approved domain name exceptions, must comply with this policy.

6 Authority

The Office of the Chief Administrative Officer, House Information Resources (HIR) serves as implementing authority for all House domain name requests.

HISPOL 000.0
_________________________________________________________________
The United States House of Representatives Information Security Policy Master Index
_________________________________________________________________
Version: 2.0
Approved: January 2010
Approval Authority: The United States House of Representatives Committee on House Administration

HISPOL 000.0 – Master Index

The United States House of Representatives Information Security Policies - HISPOLs. HISPOLs are used to identify all general policies as developed to address information security items. The numbering system for approved policies will be identified as HISPOL 001.0, HISPOL 002.0, etc. Policies that have been developed but not yet approved will be annotated as PENDING. Policies that are in process will be designated as UNDER DEVELOPMENT.
DOCUMENT #   | TITLE                                                                                                              | DATE
HISPOL 000.0 | The United States House of Representatives Information Security Policy Master Index                                | 1/20/2010
HISPOL 001.0 | The United States House of Representatives Information Security Policy Structure and Organization                  | 1/20/2010
HISPOL 002.0 | The United States House of Representatives Information Security Policy for Protecting Systems from Unauthorized Use | 1/20/2010
HISPOL 003.0 | The United States House of Representatives Information Security Policy for Connecting to the House Local Area Network | 1/20/2010
HISPOL 004.0 | The United States House of Representatives Security Policy for Information System Security Incidents               | 1/20/2010
HISPOL 005.0 | The United States House of Representatives Information Security Policy for Remote Access to the House Network      | 1/20/2010
HISPOL 006.0 | The United States House of Representatives Information Security Policy for Wireless Network Security               | Rescinded 1/20/2010
HISPOL 007.0 | The United States House of Representatives Information Security Policy for the Information Security Certification Program | 1/20/2010
HISPOL 008.0 | The United States House of Representatives Information Security Policy for Wireless Handheld Devices               | 1/20/2010
HISPOL 009.0 | The United States House of Representatives Information Security Policy for Password Protection                     | 1/20/2010
HISPOL 010.0 | The United States House of Representatives Information Security Policy for the Protection of Sensitive Information | 1/20/2010
HISPOL 011.0 | The United States House of Representatives Information Security Policy for Telecommuting                           | 1/20/2010

HISPOL 001.0
_________________________________________________________________
The United States House of Representatives Information Security Policy Structure and Organization
_________________________________________________________________
Version: 1.1
Approved: August 2006
Approval Authority: The United States House of Representatives Committee on House Administration

HISPOL 001.0 – Policy Structure and Organization
Table of Contents

1 Introduction
1.1 Scope
2 Policy Guidelines
2.1 Policies
2.2 Publications
2.3 Forms
2.4 Document Status

1 Introduction

The purpose of the United States House of Representatives (House) Information Security Policy Structure and Organization is to provide users of House information resources with a comprehensive set of policies, procedures, guidelines, and supporting documentation that address information security requirements. The goal of these publications is to provide an overall information security program that establishes an information security strategy for the House that meets or exceeds established government and industry security best practices.

1.1 Scope

The scope of this policy includes all House Offices and employees, contractors, and vendors that connect to the House network.

2 Policy Guidelines

2.1 Policies

Policies address general requirements for implementing an effective information security program for the House. Each policy will be designated as a House Information Security Policy (HISPOL) with a unique number (e.g., HISPOL 009.0 “United States House of Representatives Information Security Policy for Password Protection”) for tracking and reference purposes. HISPOL 000.0 is the Master Index of all policy documents.
Approval authority for HISPOLs resides with the Committee on House Administration (CHA).

2.2 Publications

Publications address specific information security requirements used to support the implementation of the information security policies. Each procedural document will be designated as a House Information Security Publication (HISPUB) with a unique number starting with the same number of the supporting policy (e.g., HISPUB 002.1 “The United States House of Representatives Information Security Publication – Guidelines for the Physical Security of Computer Equipment” where HISPOL 002.0 is the supporting policy) for tracking and reference purposes. HISPUB 000.0 is the Master Index of all procedural documents. HISPUBs will be submitted to the CHA for coordination and review prior to publication. As necessary, HISPUBs may also be coordinated with the Office of Inspector General prior to implementation. Approval authority for HISPUBs resides with the Director, Information Systems Security Office (ISSO).

2.3 Forms

Forms include all documents that are developed and used to support and audit various aspects of the House Information Security Program. Each Form will be designated as a House Information Security Form (HISFORM) with a unique number (e.g., HISFORM 007.0 “HIR Communications Group Work Request Form”) for tracking and reference purposes. HISFORM 000.0 is the Master Index of all forms. Approval authority for HISFORMs resides with the Director, ISSO.

2.4 Document Status

Each of the policies, publications, and forms will be further designated as follows:

- “Approved” - Date of Issue by Approval Authority, if approved,
- “PENDING” - Document has been completed but not yet approved,
- “UNDER DEVELOPMENT” - Document is in-process.
Once the document has been submitted to the approval authority for approval, the “UNDER DEVELOPMENT” designation will be changed to “PENDING.” Once the document has been approved, the “PENDING” designation will be deleted, the Date of Issue will be added to identify the approval date on all matrices, and the document will be issued as approved.

HISPOL 002.0
_________________________________________________________________
The United States House of Representatives Information Security Policy for Protecting Systems from Unauthorized Use
_________________________________________________________________
Version: 3.0
Approved: January 2010
Approval Authority: The United States House of Representatives Committee on House Administration

HISPOL 002.0 – Protecting Systems From Unauthorized Use

Table of Contents

1 Introduction
1.1 Scope
2 Principles of Behavior for Use of House Information Systems
2.1 Official Business
2.2 Access
2.3 Accountability
2.4 Integrity
2.5 Availability
2.6 Contractors
2.7 Hardware
2.8 Software
2.9 Security Awareness
2.10 Reporting
3 Consequences of Non-Compliance

1 Introduction

This policy provides a comprehensive set of guidelines for the responsible and secure use of United States House of Representatives (House) information systems. The secure use of these systems requires individual responsibility, knowledgeable users, and an effective security program to ensure a safe and secure computing environment.

1.1 Scope

All House Offices and employees that connect to the House network must follow this policy, since improper use can potentially put the entire House network at risk. The implementation of information systems security at the House focuses not only on the protection of information and network systems but also on the protections necessary for safeguarding information in general. This document addresses all forms of computer-generated information, including hardcopy and electronic formats.

2 Principles of Behavior for Use of House Information Systems

The following principles apply to all users of House information systems. Because written guidance cannot be generated for every system contingency, the user community is encouraged to contact the Information Systems Security Office (INFOSEC) when unusual circumstances occur.

2.1 Official Business

House information systems and information gained through employment at the House may not be used contrary to public law, House Rules, and Committee on House Administration regulations. House Offices are responsible for following and enforcing guidelines set forth in the House information security policies and, where applicable, their own internal security policies.
Users must comply with the following guidelines:

1) House information must remain on House equipment at all times.
2) In accordance with specific House Office policies, incidental personal use of House systems is permitted only when such use is negligible in nature, frequency, time consumed, and expense.
3) Do not initiate or forward harassing e-mail, chain letters, or other inappropriate use of electronic communication systems.
4) Do not send electronic mail that causes any House user to be flooded with unwanted, irrelevant, or inappropriate electronic messages, which could be construed as spam.
5) Ensure all House-sponsored automated mailing list servers (“listservs”) are protected with a confirmation mechanism to verify that each user has submitted a subscription request.
6) Use only House email accounts to conduct House business and transmit House information.
7) Implement a logon Warning Banner on all systems, notifying individuals that House systems are to be used for official business only and unauthorized use may violate House rules.
8) Do not conduct vulnerability scans or penetration tests without notification to INFOSEC.

2.2 Access

Users shall access and use only information for which they have official authorization. The concepts of need-to-know and least privilege are important tenets of information security. Need-to-know means only authorized individuals who have a demonstrated need to access information will have access to such House information. Least privilege means each information user is provided only those rights necessary to access information or services needed to carry out job responsibilities.

Users must comply with the following guidelines:

1) Follow established procedures for accessing information, including use of User Identification (UserID), user authentication, passwords, and other physical and logical control measures.
2) Follow established channels for requesting and disseminating information.
3) Do not attempt to perform actions or processing on a computer for which authority has not been granted, including system risk assessments, vulnerability scans, or penetration tests.
4) Do not store sensitive files on a fixed hard drive if access to that particular computer cannot be limited to authorized users.
5) Screensaver password should be set to lock after ten minutes of inactivity. Mobile devices should be set to lock after 30 minutes of inactivity.
6) Users must take measures to limit who can access files and printed information; only those who need the information should be able to get it.
7) Watch for unauthorized use of information systems, including signs of hacker activity and the presence of unauthorized software and data. Notify INFOSEC if such activity occurs.

2.3 Accountability

House Offices and their employees are accountable for their actions and responsibilities related to information systems entrusted to them. Organizations can only build partial accountability through structure and procedural controls. Largely, the benefits of accountability depend on the trustworthiness of each employee. It is each employee’s responsibility to behave ethically, develop technical proficiency, and stay informed about issues and systems related to his or her job.

Users must comply with the following guidelines:

1) Agree to and participate in accountability controls, such as automated transaction logging and manual logs.
2) Acknowledge actions and accept responsibility for correcting errors and rectifying problems.
3) Do not attempt to override internal controls.
4) Be alert to threats and vulnerabilities to information security from both internal and external sources.
5) Sign and adhere to the HISFORM 010.1 - Affirmation of Non-Disclosure if required by the job function.
6) Employees should ensure that no single person has sole access or control over sensitive information.
7) Employees must prevent others from using their accounts by observing procedures such as:
   a. Logging off when leaving the vicinity of the workstation.
   b. Enabling screensaver password and mobile device lock settings.
   c. Password-protecting or encrypting sensitive files and software.
8) Employees should help remedy security breaches.

2.4 Integrity

Employees must protect both the integrity and quality of information. Information integrity can be corrupted by intentional alteration or accidental damage. Information is of high quality if it is accurate, complete, and up-to-date. Quality of information is dependent on its source; it must be correct when created and maintained in that same manner.

Users must comply with the following guidelines:

1) Protect information against viruses and malicious code by using virus detection and correction software.
2) Review information as it is collected, generated, and used to make sure it is accurate, complete, and up-to-date.
3) Prevent unauthorized alteration, damage, destruction, or tampering of information.
4) Use protective measures such as backups to ensure against accidental loss of information integrity.
5) Avoid using unofficial software such as shareware and public domain software.
6) Take appropriate training before using a system to learn how to correctly enter and change the data.
7) Discontinue use of a system at the first sign of a virus infection and seek technical assistance.

2.5 Availability

Employees should protect the availability of information and systems. Computer systems and all media should be protected from environmental factors such as fire, water, heat, and food spills, as well as theft, unauthorized alteration, and careless handling.
With preparation, employees can minimize the impact of contingencies such as natural disasters, loss of information, and disclosure of information. It is each employee’s responsibility to be rehearsed in recovery activities associated with their systems.

Users must comply with the following:

1) Use physical and logical protective measures to prevent loss of availability of information and systems, such as:
   a. perform and protect good backups, never storing backups in the same location as primary copies.
   b. use Uninterruptible Power Supplies (UPS) on servers to ensure no loss of data in the event of power outage.
   c. protect media that store information.
   d. maintain an inventory of files and programs.
2) Store backups in a metal cabinet where they will be safe from fire and water damage, and keep hardware away from direct sunlight or extreme temperatures.
3) Take appropriate action to restore availability when information or systems become unavailable due to disaster, damage, or unplanned shutdown.

2.6 Contractors

Contractors must follow the same standards and rules of conduct with regard to the support of House information systems as House employees. Contractor personnel may perform in the same capacity as House system support personnel and as such must adhere to the guidelines contained herein. Additionally, all contracts will explicitly state that Contractor personnel:

1) Must be eligible for a Federal government security clearance if access to sensitive information is required.* Individual House Offices may require an Office of Personnel Management (OPM) Extended Background Investigation or other security clearance as deemed necessary.
2) Must not remove sensitive information from House offices.
3) Must sign an Affirmation of Non-Disclosure prior to conducting House business.
* Upon written request, INFOSEC can grant exceptions to this requirement when access to House information is limited in scope and contract duration, and when the Employing Office proposes sufficient compensating controls to protect House information. Written requests should address the specific circumstances, the rationale for the exception, compensating controls, and the resulting risk to House information.

2.7 Hardware

Each employee has a duty to protect and conserve House property either owned or under evaluation. Employees have access to many kinds of office and computing equipment and must handle such equipment carefully to protect against hazards. Further, employees must prevent problems by performing regular maintenance.

Users must comply with the following guidelines:

1) Protect computer equipment from damage, abuse, theft, sabotage, and unauthorized use.
2) Disconnect or deactivate modems, unless attached to a fax machine.
3) Follow established procedures by using a property pass when removing equipment from House premises, if appropriate.
4) Protect computer equipment from hazards, including extreme temperatures, water and fire, static electricity, and spills from food and drink.
5) Keep an inventory of all equipment assigned.
6) When equipment requires repair by service personnel, employees should ask to see the service person’s identification and keep records of the work performed.

2.8 Software

Computer users must utilize only appropriate software on House-provided computer systems and must protect those systems from viruses. Software downloaded from the Internet presents the greatest potential vulnerability associated with virus infections to House computing systems.

It is the policy of the House to comply fully with all copyright laws pertaining to computer software. Accordingly, the House prohibits the illegal duplication or use of any software or related documentation.
Users must comply with the following guidelines:

1) Use the House-provided or an equivalent current anti-virus program to scan software prior to installing on any office computers.
2) Do not use, install, or download software that allows an individual workstation to act as a server permitting other users to connect to that workstation and share files.
3) Do not use third-party applications that circumvent approved House remote access policy.
4) Do not use, install, or download hacker or cracker software or scanning tools on House computer systems without notification to INFOSEC.
5) Do not alter or use software such that the network is vulnerable to damage or abuse.
6) Use only authorized software that has current patches installed.
7) Maintain up-to-date and protected back-ups. Store back-ups in a different location from the primary copy, preferably under lock and key.

2.9 Security Awareness

Employees must make a conscientious effort to avert security breaches by staying alert to potential vulnerabilities to House information and systems. Employees are in a position to see how security measures are used and where potential problems exist. Certain human factors and activities may suggest that fraud or negligence may occur within the organization.

All users of the House network must complete information security and privacy awareness training annually. INFOSEC has developed security and privacy awareness materials that are available to all users.

Users must comply with the following guidelines:

1) Be alert to human factors that may indicate a security risk, including:
   a. employees with gambling or substance abuse problems,
   b. employees who do not take leave, as they are possible candidates for increased levels of stress or potential involvement in external coercion,
   c. low morale,
   d. poor relationships between management and staff.
2) Be alert to clues of abuse:
   a. unauthorized computer products in the office (e.g., sports pools, personal business software),
   b. possession of unauthorized equipment,
   c. unscheduled programs running on a recurring basis.
3) Challenge unauthorized personnel in the work area.
4) Participate in security training as required.
5) Use security training programs and materials.
6) Attend in-house workshops and exhibitions.

2.10 Reporting

It is each employee’s responsibility to report all security violations in accordance with House Office policy. It is important to contact INFOSEC in cases of computer-related emergencies and violations so that immediate action is taken to contain the exposure and minimize the impact to the House. Violations include non-compliance with established in-office procedures as well as approved House policies. In cases where laws may have been broken, employing authorities should also take action to contact law enforcement.

Users must comply with the following guidelines:

1) Report security vulnerabilities and violations as quickly as possible to proper authorities so that corrective action can be taken.
2) Report emergency security incidents to INFOSEC.
3) Take reasonable action (e.g., isolate equipment involved and do not use it until it has been analyzed) immediately upon discovering a violation to prevent additional damage.
4) Cooperate with official action plans for handling security violations.

3 Consequences of Non-Compliance

Non-compliance with any element of this document may subject the violator to appropriate disciplinary action including, but not limited to, the following:

1) suspension of access privileges,
2) warning (verbal or written),
3) reprimand,
4) suspension from employment,
5) demotion from job position,
6) termination of employment,
7) financial liability for actual, consequential and incidental damages,
8) criminal and civil penalties, including prison terms and fines.
These disciplinary actions are merely suggestions that can be used depending on the severity of the violation. The list is not exhaustive and does not imply that disciplinary actions are mandatory. It is within each employing authority’s discretion to determine appropriate disciplinary measures for each circumstance. However, under the scope of House Rules and Committee on Standards of Official Conduct jurisdiction, certain violations may result in action by the House.

The consequences for non-compliance should be fully disclosed to all users, and each user should sign an acknowledgement that they have received, understand, and agree to abide by the policies.

HISPOL 003.0
_________________________________________________________________
The United States House of Representatives Information Security Policy for Connecting to the House Local Area Network
_________________________________________________________________
Version: 3.0
Approved: January 2010
Approval Authority: The United States House of Representatives Committee on House Administration

HISPOL 003.0 – Connecting to the House Local Area Network

Table of Contents

1 Introduction
1.1 Scope
2 Policy Guidelines

1 Introduction

The goal of this policy is to minimize internal and external security threats to House information systems while allowing House Offices to use the campus Intranet, Internet, and other external networks to the maximum extent feasible.

1.1 Scope

This document provides all users of House information systems with guidance governing permanent connections to the House network.
All House Offices, employees, and contractors that connect to the House network and utilize House information systems must follow this guidance, since improper use of information systems may put the entire House network at risk.

2 Policy Guidelines

All House Offices must notify the Information Systems Security Office (INFOSEC) when connecting systems to the House network. Systems will be reviewed to determine compliance with security policy and technical controls as described in House Information Security Policies (HISPOLs) and Publications (HISPUBs). If significant vulnerabilities are identified, corrective action must be taken within the time period specified by INFOSEC.

The following guidelines apply:

1) Any device or component with a permanent connection to the House network shall be used for authorized purposes only, and may not be used for campaign, political, or commercial activities. Use of such devices and components must comply with House Rules and the guidance of the Committee on Standards of Official Conduct.
2) Any device or component with a permanent connection to the House network, or to the overall House infrastructure, must be reviewed and approved to minimize the potential for security risks and violations.
3) Permanent connections to the Internet outside of the House infrastructure must be reviewed and approved by INFOSEC. All Internet access and servers attached to the House network must comply with House policies, procedures, technical specifications, and guidelines and must pass through the House-maintained security infrastructure.
4) All wireless connections must follow the technical and procedural guidelines contained in HISPUB 6.1.
5) Only Members, Officers, and employees are authorized to connect to the House network using a permanent connection, as defined in this policy.
6) Modems are not permitted for use at the House, except when connected to a fax machine, unless authorized by INFOSEC. Such devices may be used to bypass security features such as firewalls designed to keep unauthorized users from accessing the network.
7) All House Office information systems connecting to the House network infrastructure must be physically and logically isolated from vendors external to the House and all other non-House networks, unless explicitly validated by INFOSEC.
8) All House offices must ensure that servers are located within areas of minimal public and visitor traffic.
9) All House Offices authorized with a permanent connection to the network and access to the Internet must designate a central point of contact (POC) for all matters pertaining to their connection. In most cases, the system administrator is the designated POC.
10) All new public web sites for Members or Committees must be hosted on a server managed by HIR, or by an authorized vendor if the server is located on the House Campus.
11) A mail server may only use approved House mail relay servers if the message originates from a computer physically connected to the House network. No mail server shall be allowed to utilize third party mail systems for any Simple Mail Transfer Protocol (SMTP) traffic outside of the House domain. This policy is enforced at the House firewalls.
12) All programs used on the system must be checked prior to installation for viruses or other malicious forms of code. This is especially important for programs received from outside sources, including the Internet. Each House Office must have the House-provided or an equivalent current anti-virus program installed on their systems.
13) It is the responsibility of each House Office to contact INFOSEC and report security incidents such as unauthorized access or unusual system activities to the House Computer Incident Response Team (House CIRT).
The House CIRT will conduct an investigation, provide recommendations to resolve the incident, and follow up with the designated POC to ensure corrective actions are completed.

HISPOL 004.0
_________________________________________________________________
The United States House of Representatives Information Security Policy for Information System Security Incidents
_________________________________________________________________
Version: 2.0
Approved: January 2010
Approved by: The United States House of Representatives Committee on House Administration

HISPOL 004.0 – Information System Security Incidents

Table of Contents

1 Introduction
1.1 Scope
2 Policy Guidelines
2.1 Types of Activity that Could Present a Security Risk to the Network
2.2 Security Incident Investigation and Response
2.3 Security Incident Reporting
2.4 Security Incident Training

1 Introduction

The network-centric initiatives of the United States House of Representatives (House) will continue to result in an environment where open and expedient access to a wide range of information and information services is made possible. As technology becomes more pervasive, information systems become more vulnerable to attack from both inside and outside the House. Security policies and technological solutions have been and will continue to be enacted to provide protection for House information systems.
The focus of these safeguards includes network perimeter defense solutions mitigating the threat of attack from external sources, and host-based solutions that minimize external and internal threats. Because all types of attacks are escalating in their level of sophistication, information systems security within the House is, and will continue to be, a top priority. As new information systems and capabilities grow, so do individual responsibilities relative to the security of these systems. At the core of these responsibilities is the need for all users of House information systems to respect and protect the privacy of information resident on all systems connected to the House enterprise network, including systems within Member, Committee, Leadership, and other House Offices.

1.1 Scope

The purpose of this policy is to identify the types of computer activities that could present a risk to the continued security of the House network, and to outline the reporting structure when such incidents occur.

2 Policy Guidelines

2.1 Types of Activity that Could Present a Security Risk to the Network

The following is a list of computer activities that apply to both internal and external system attacks. The list includes but is not limited to:

1) Attempts to intentionally gain access to, probe, or penetrate systems on which there is not an authorized account.

2) Malicious or mischievous tampering (i.e., unauthorized viewing, modification, intentional introduction of malicious code/virus, deletion, etc.) with systems, data, and information resident on House systems.

3) Unauthorized monitoring of aggregate network traffic for intelligence or information gathering purposes.

4) Intentionally interfering with, shutting down, or impeding normal system operations.

5) Using House information systems in a wasteful, fraudulent, or abusive manner.
6) Abusing House information systems in a manner that could cause embarrassment to the House.

7) Theft or adverse modification of physical or intellectual property, including copyright infringement.

8) Any other actions that would circumvent House Rules, Federal law, or other security policies and procedures established for House information systems.

These types of activities will be pursued by authorities as serious matters and will not be tolerated at the House. Such actions are investigated by the Information Systems Security Office (INFOSEC) to determine the severity of the activity and the security risk to the House network. The Committee on House Administration will be notified of any activity that presents an immediate high security risk to the House network. Some of these activities will be considered, at a minimum, unethical conduct, while others could possibly violate Federal law. Depending on the nature and severity of the infraction, disciplinary actions may range from reprimand to dismissal and include criminal prosecution if deemed appropriate.

2.2 Security Incident Investigation and Response

The Chief Administrative Officer has established the House Computer Incident Response Team (CIRT), an entity that responds to and investigates suspected and actual computer security activity as defined above in Section 2.1. The CIRT operates under the management direction of INFOSEC. Members of the CIRT are representatives from appropriate House Offices and may include contractors and vendors as needed to resolve the specific incident under investigation.

2.3 Security Incident Reporting

House information system users need to be vigilant for unusual system behavior that may indicate a security incident has occurred. They should promptly report any suspected computer security incident to INFOSEC. Depending on the nature of the incident, user assistance may be required to efficiently resolve the incident.
The process for reporting actual or suspected incidents is found in the corresponding House of Representatives Information Security Publications (HISPUBs). All information regarding investigations and resolution of security incidents shall be considered House sensitive information and protected accordingly. When such information is confidential to a specific Member, Committee, or Support Office, it will be protected at all times and in all forms; disclosure will be strictly limited to authorized individuals. House CIRT management shall report to the Chief Administrative Officer (CAO) and other House Officers and Committees as required. Coordination with outside authorities and reporting organizations shall be conducted at the discretion of House CIRT and CAO management.

2.4 Security Incident Training

To assist House information system users, training is provided in identifying and reporting security incidents. This information is included in the annual security awareness training available to House employees. In addition, system-specific incident training is provided to system owners and administrators upon request to the House CIRT.

5 HISPOL 005.0

The United States House of Representatives Information Security Policy for Remote Access to the House Network

Version: 3.0
Approved: January 2010
Approval Authority: The United States House of Representatives Committee on House Administration

HISPOL 005.0 – Remote Access to the House Network

Table of Contents

1 Introduction
1.1 Scope
2 Remote Access Guidelines
3 Vendor Requirements
3.1 Extension of the House Network to Vendors

1 Introduction

Organizations large and small have increased the use of networked computers. Information exchange within or among organizations has expanded well beyond electronic mail (email) to include intellectual property, product information, procurement records, human resources data, etc. traveling over these networks. Networked information systems have become critical to the business operations at the United States House of Representatives (House). With the expansion of the Internet and the increasing use of information technology within the House, an increasing number of information systems have been connected to networks that can potentially be reached both from outside and inside the House environment. As connectivity increases, so does the risk of attack on network resources. Two principles should guide and govern a network security system: maintaining the integrity of data communications and protecting information assets. This policy addresses those principles and provides guidelines for connectivity to House information systems and networks.

1.1 Scope

The purpose of this policy is to provide the House community with a policy governing secure remote access to the House network. All House Offices, employees, contractors, and vendors that connect to the House network must follow this policy guidance, since improper use of information resources can potentially put the entire House network at risk. This policy also provides rules, regulations, and audit mechanisms for vendors that require remote access to the House network for support and maintenance actions. This policy does not supersede requirements of House Rules that govern the acts of all employing authorities of the House.
2 Remote Access Guidelines

Currently there are two solutions supported to accommodate secure remote access to the House network. One solution – Secure Modem Bank – is suitable for limited, lower-end support, while the other – Virtual Private Network (VPN) – provides for a high level of support. While both these choices are technically secure, the human element will always be present as an underlying threat to system security. These two solutions require the use of SecurID two-factor authentication. SecurID two-factor authentication is based on “something the user knows” (e.g., User ID and PIN) and “something the user has” (e.g., SecurID). Successful authentication permits an authorized user access to the network.

The following requirements for connectivity to the House networks must be observed to ensure the integrity of House-wide information systems. All requests and accompanying justifications for network connectivity shall be reviewed and approved by the Information Systems Security Office (INFOSEC) prior to implementation.

1) Modems, except when connected to a fax machine, are not permitted for use at the House unless explicitly authorized by INFOSEC. Such devices may be used to bypass security features, such as firewalls, designed to keep unauthorized users from accessing the network.

2) Two central services for remote access are provided to the House community – dial-in and Virtual Private Network (VPN) – both of which require the use of secure, two-factor authentication (SecurID). Offices with a compelling business need to utilize modems must contact INFOSEC for assistance in migrating to these central services. Guidance for the secure use of modems is provided in the corresponding United States House of Representatives Information Security Publications (HISPUBs).
3) Each Member, Officer, employee, contractor, or vendor must ensure his or her system(s) connected to the House network are protected from unauthorized access, disclosure, transmission, modification, destruction, and bypassing of security measures. New systems must not adversely impact the confidentiality, integrity, availability, or accountability of security services for House systems.

4) Computer systems may utilize direct connections to the House network only if utilizing House-authorized security authentication standards and procedures. The currently approved remote access method is two-factor authentication via SecurID. Procedures for obtaining and using SecurID are found in the corresponding HISPUBs.

3 Vendor Requirements

Member, Committee, Leadership, and other House Office information systems face an environment of escalating integration complexity and the need for fiscal constraint. To remain competitive, system integration vendors (hereafter referred to as vendors) that support these systems face the challenge of providing better service and support with the same or fewer personnel. Secure technical solutions designed to facilitate vendor support must be established to meet the needs of both the House and the vendors themselves. The technical issues at hand involve the methods by which vendors may remotely access the House network for support and maintenance actions.

3.1 Extension of the House Network to Vendors

Some vendors require a higher bandwidth connection in order to provide a better grade of service to their House accounts and more efficient utilization of their human resources. In these cases, it is possible to extend the House network to include a direct, point-to-point connection to the vendor. The conditions outlined below must be met for a connection of this nature to be employed.
3.1.1 Vendor Internal Network Controls

1) The network being connected to the House for performing contractual work is physically separated from all other internal vendor networks. If the network is the only network at the vendor site, then its sole function must be in support of House contracts.

2) All fileservers (including UNIX hosts) attached to the vendor’s internal network are subject to the same secure configuration setup, audit controls, and policies as are enforced on House systems.

3) No Internet connections (or outside network connections) are permitted on any vendor network that is connected to the House network, except as specifically authorized by the House. If the vendor network requires access to the Internet, it must be authorized by the House via the House network and therefore will be within the security model and control of the House’s firewall protection.

4) No direct dial-in (modem) access to the vendor internal network is permitted. Dial-in access by vendor personnel to the vendor’s internal network will be accomplished by using the House’s secure modem bank and SecurID.

3.1.2 Transmission Medium

1) Direct connections to the House network must be via dedicated, point-to-point, non-switched telecommunication lines.

2) The vendor assumes all costs incurred with the installation, termination, maintenance, and leasing of the telecommunication line.

3.1.3 Personnel Issues

1) All vendor personnel involved in system support and maintenance of House information systems, including Committee, Member, Leadership, and Support Offices, are subject to the rules, regulations, and sanctions as outlined in House information security policies.

3.1.4 House Network

1) House Information Resources (HIR) shall provide and control the routed interface.

2) Vendor access to House information systems is limited to systems within the vendor’s customer base only.
Attempts to access information systems outside the vendor’s cognizance will be considered a breach of security and handled accordingly.

3) Vendors shall not engage in any network monitoring or management activities without prior approval of INFOSEC.

3.1.5 Management, Audit, and Control

1) The vendor shall provide either a diagram or a descriptive listing of all computing resources (e.g., workstations, servers, routers, etc.) attached to the vendor network. The House will use this information as the basis for determining connectivity authorization.

2) The vendor’s internal network will be subject to periodic audits and reviews conducted by INFOSEC personnel or their designees. These audits may be announced or unannounced visits to the vendor facility for inspection of the physical network plant, procedures, and controls; network-oriented audits; and office audits.

6 HISPOL 007.0

The United States House of Representatives Information Security Policy for the Information Security Compliance Program

Version: 2.0
Approved: January 2010
Approval Authority: The United States House of Representatives Committee on House Administration

HISPOL 007.0 – Information Security Compliance Program

Table of Contents

1 Introduction
1.1 Scope
2 Policy Guidelines
3 Roles and Responsibilities
3.1 Information Systems Security Office
3.2 Responsible House Offices and Personnel
3.3 System Administrator
4 Certification
4.1 Applications
4.2 Network-Aware Devices
4.3 Enterprise-Wide Security Assessments
4.4 Security Remediation Process

1 Introduction

Securing information systems is an effort built on the premise that information – in all forms and development phases – must be protected from unauthorized access, modification, disclosure, destruction, and denial of service, whether intentional or accidental. In order to protect information, the systems and applications that process, store, and transmit the information must be adequately protected. How one defines “adequately” depends on the sensitivity of the information, the degree of risk faced by the system/application, and the security controls and safeguards put in place to reduce that risk to an acceptable level.

The United States House of Representatives (House) Information Systems Security Program (ISSP) provides a strategy for ensuring adequate security is established and maintained throughout the system development life cycle (SDLC) for all House information systems. This policy complements the ISSP by presenting guidance on what constitutes adequate security in terms of minimum security requirements, and describes how compliance with those requirements will be achieved and monitored.

Security requirements for House information systems differ based on the type of system. For the purposes of this policy, information systems are categorized as applications or network-aware devices.
Applications may consist of one software system or a combination of hardware and software that supports a function of House operations. Network-aware devices typically include, but are not limited to, wireless access points, servers, workstations, modems, printers, and multi-function devices that are capable of connecting to the House network. Throughout the remainder of this policy, a network-aware device is referred to as a “device” or “devices”. Security requirements for the House network are established and maintained by the Information Systems Security Office (INFOSEC) in accordance with the ISSP.

1.1 Scope

This document has relevance to all House Offices and provides policy governing security and compliance requirements applicable to all information systems.

2 Policy Guidelines

The following policy guidelines address security requirements for House information systems:

1) House applications and devices shall be protected commensurate with the risk and magnitude of harm resulting from the loss, misuse, unauthorized access to, modification, or destruction of information processed, stored, or transmitted.

2) Financial applications (i.e., systems of record that are significant to the financial reporting of the House) that are developed and implemented by the Chief Administrative Officer (CAO), the House network, and other applications as requested (hereafter referred to as “affected applications”) shall undergo certification to ensure appropriate security controls and safeguards have been implemented and are functioning.

3) Certification of affected applications will be conducted at least every three years. Reviews of devices will be conducted at least once every two years. These reviews may be conducted more frequently when a significant change occurs or at the discretion of INFOSEC.
4) Security requirements and controls for affected applications shall be identified and documented in a System Security Plan (SSP). SSPs shall be reviewed annually, updated as required, and include device-related security controls and documents as appropriate.

5) Security requirements and controls for each device shall be identified in the appropriate security standard(s).

3 Roles and Responsibilities

Individuals with key roles in the successful implementation of this policy, and their associated responsibilities, are described below.

3.1 Information Systems Security Office

The Information Systems Security Office (INFOSEC) provides oversight and guidance regarding the security of all House information systems. INFOSEC will:

1) Assess the adequacy, and coordinate the implementation, of security controls and safeguards.

2) Review and approve System Security Plans.

3) Conduct certification activities for affected systems prior to implementation and every three years thereafter; compliance reviews of devices every two years; and out-of-cycle reviews when a significant system change occurs or at the discretion of INFOSEC.

4) Provide security planning and risk management guidance and assistance to System Owners and Administrators.

5) Provide guidance on the appropriate security training for affected personnel in accordance with their responsibilities.

6) Establish, implement, and maintain appropriate security controls and safeguards on the House network.

3.2 Responsible House Offices and Personnel

House Offices are responsible for the procurement, development, integration, modification, operation, maintenance, and oversight of an information system. The responsible personnel, typically a designated System Owner, will:

1) Designate a primary point of contact for security-related issues.

2) Ensure an SSP is developed, reviewed annually, and maintained for affected applications.
3) Ensure the appropriate security standards are applied to applications and devices.

4) Ensure that information systems are deployed and operated according to agreed-upon security requirements.

5) Ensure users and support personnel receive appropriate security instruction.

6) Determine the sensitivity of information processed by, and ensure a risk assessment is conducted for, each affected application.

7) Implement appropriate controls for the generation, collection, processing, dissemination, storage, and disposal of information.

3.3 System Administrator

System Administrator roles are assigned to each device and are responsible for ensuring the appropriate operational security posture for each asset is maintained. The System Administrator will:

1) Serve as the INFOSEC primary point of contact for all matters related to security of devices.

2) Apply the appropriate security standard(s) for the device as part of the compliance review process.

3) Comply with applicable security policy requirements.

4) Work with INFOSEC to resolve security deficiencies and issues.

4 Certification

Certification is the process of defining and assessing security controls in an information system to determine the extent to which the controls are correctly implemented, operating as intended, and producing the required outcome with respect to meeting the protection requirements. Certification supports the risk management process by providing important information necessary to make credible, risk-based decisions on whether to place an application or device into operation or to continue its current operation.

The certification process for applications and devices is described below.
They shall be certified prior to their initial implementation, and the process shall be repeated in the form of a compliance review whenever a significant system change occurs, or at least once every two years for devices, and once every three years for applications.

4.1 Applications

The certification of an affected application (CAO financial application, House network, other applications as requested) shall be based on:

• A review of the sensitivity of the application.
• A risk assessment identifying:
  o threats and vulnerabilities;
  o the potential impact and magnitude of harm to operations, assets, or individuals that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and the information system; and
  o the effectiveness of current or proposed security controls.
• A review of the application’s SSP.
• Compliance with the appropriate security standard(s).

Any security deficiencies found or issues identified shall be corrected or sufficiently addressed prior to receiving authority to operate from INFOSEC.

Applications not included in the defined “affected applications” shall be reviewed for compliance with the appropriate security standard(s) prior to implementation. Security deficiencies found in these applications will be addressed through the remediation process listed below.

4.2 Network-Aware Devices

Certification of devices shall be based on:

• Application and review of the appropriate security standard(s).
• Vulnerability assessment results.

High-risk devices (e.g., outward-facing servers), or those containing, processing, or transmitting highly sensitive data, may be subject to a more rigorous certification process and more frequent compliance reviews. Any security deficiencies found or issues identified shall be corrected or sufficiently addressed as directed by INFOSEC.
4.3 Enterprise-Wide Security Assessments

In addition to assessing major and support applications and devices, INFOSEC conducts enterprise-wide security assessments of the House network. There are two classes of enterprise-wide security assessments:

• Quarterly vulnerability assessments.
• Immediate needs vulnerability assessments.

Approximately once every quarter, the House network is assessed to determine if devices contain network-based vulnerabilities. Enterprise-wide assessments are designed to identify common vulnerabilities that pose significant risk to the House network.

Immediate needs vulnerability assessments are conducted across the House network on an as-needed basis. These assessments are conducted when a software vendor releases a security bulletin concerning newly discovered, high-risk vulnerabilities that may exist on House devices. When technically possible, INFOSEC will devise a method to inspect all House devices for the existence of this specific vulnerability.

4.4 Security Remediation Process

Vulnerabilities identified during the review process of an application or device are documented and prioritized based on the risk each poses. The level of risk each vulnerability poses is based on the sensitivity of the information processed and the type of access provided. In general, Internet-accessible devices and applications are given higher priority for remediation than those that are only accessible from the House internal network.

Once a vulnerability is identified, a corrective action is formulated and a timeframe established for its implementation. INFOSEC will coordinate with the System Owner or Administrator to ensure corrective action has taken place. Upon completion, INFOSEC will confirm the vulnerability has been mitigated.
For those vulnerabilities that have no known corrective action, or where the implementation of a corrective action would seriously impair the functionality of the application, other compensating controls may be developed or a risk acceptance plan may be formulated.

7 HISPOL 008.0

The United States House of Representatives Information Security Policy for Wireless Handheld Devices

Version: 2.0
Approved: January 2010
Approval Authority: The United States House of Representatives Committee on House Administration

HISPOL 008.0 – Wireless Handheld Devices

Table of Contents

1 Introduction
1.1 Scope
2 Policy Guidelines
2.1 Authentication
2.2 Encryption
2.3 Access Control
2.4 Antivirus Software
2.5 Personal Firewalls
2.6 Physical Security
2.7 Inventory, Monitoring and Audit
2.8 System Administration Responsibilities
2.9 User Responsibilities

1 Introduction

The purpose of this policy is to provide guidance for the secure operation and implementation of Internet-enabled handheld devices throughout the United States House of Representatives (House) environment. Ensuring sufficient security is a vital concern when deploying and managing wireless devices. When introducing wireless technologies into the House environment, special care and consideration must be exercised, since they introduce vulnerabilities comparable to those in the wired world as well as unique vulnerabilities due to their electromagnetic and portable characteristics.

1.1 Scope

This document provides the House with guidance for implementing Internet-enabled handheld devices (e.g., Personal Digital Assistant [PDA], BlackBerry, Tablet PC, or Smart Phone), whether standalone or connected as an extension of the House network. All offices that use wireless handheld devices that connect to the House network must follow this policy, since the improper introduction of wireless devices in one office can create a backdoor and make not only their data and resources vulnerable but potentially put the entire House network at risk.

2 Policy Guidelines

It is essential that the following guidelines for wireless connectivity to the House network be observed to ensure the security and integrity of House-wide systems. All wireless network devices and technologies that provide a bridge between the House network and the wireless network, or any device that is designed to communicate with such a device via the wireless network, that do not comply with this policy shall not be permitted to operate. As part of the overall defense-in-depth strategy of the Information Systems Security Office (INFOSEC), both the wired and wireless networks will be monitored for unauthorized use or devices.

2.1 Authentication

Authentication is used to verify the identity of the user and provides access control to the network.
The following guidelines apply:

1) All wireless device users must be authenticated to access wireless devices and/or the desktop PC synchronization software.

2) Wireless handheld devices and synchronization software must require a strong password, a token, or both to authenticate access to the device or software. Users are required to authenticate when operating locally and remotely. If voice authentication is used, password authentication must also be utilized.

3) If available, unique device identifiers should be used to authenticate the user for network access to a handheld device.

4) The “Power On” password must be enabled on handheld devices.

5) Wireless device authentication must not be disabled.

6) Timeout mechanisms that automatically prompt the user for a PIN code or password after a period of inactivity must be employed.

2.2 Encryption

1) All wireless handheld devices should encrypt information leaving the device for an adequate level of protection.

2) Wireless device default settings must not be set to “no encryption.”

3) Sensitive data and application data files stored on handheld devices must be protected with robust encryption and password protection utilities. It is required that sensitive data files be deleted from the handheld device once they are no longer needed and archived on a desktop PC.

4) A virtual private network (VPN) solution should be used as a means of encrypting and authenticating the wireless traffic. If possible, all wireless communication should use strong cryptography, have robust key management, and have strong user authentication.

5) Data residing on external storage modules should be encrypted and stored in a secure manner.

2.3 Access Control

1) Data traversing wireless networks and data accessible via wireless entry must be protected from unauthorized access, use, modification, or deletion using access control methods.
2) Device lock settings must be enabled and set to lock after 30 minutes of inactivity. 3) To mitigate data leakage, Infrared (IR) ports must be disabled during periods of inactivity. The Bluetooth feature should be disabled when it’s not in use. Additionally, the default password for connecting to a Bluetooth-enabled device should be changed. 4) File sharing on wireless client devices shall be disabled. 5) Only House employees and approved vendors and contractors may have access to Wireless Local Area Networks (WLANs) that connect to the House network. 4 HISPOL 008.0 – Wireless Handheld Devices 2.4 Antivirus Software All handheld devices must, whenever possible, utilize antivirus software as directed in House Information Security Policy, specifically: 1) Antivirus software for handheld devices shall scan all entry ports (i.e., beaming, synchronizing, email, and Internet downloading) as data is imported into the device, provide online signature update capabilities, and prompt the user before it deletes any suspicious files. 2.5 Personal Firewalls Personal firewall software helps mitigate threats of confidentiality, integrity, and authenticity of information being transferred over the Internet. The following guidelines apply: 1) It is highly recommended that handheld devices utilize personal firewall software whenever possible. 2) Users that access public wireless networks (e.g., in airports, conference centers, coffee shops) should install personal firewall software on all handheld devices. A personal firewall protects against wireless network attacks and rogue access points (e.g., Ad hoc networks, accidental or malicious association, soft access points) that can be easily installed in public areas. 2.6 Physical Security The physical security of all handheld devices is the first line of defense in WLAN security. 
It is essential that proper physical countermeasures be in place to mitigate risks such as theft of equipment and wireless network monitoring devices and: 1) Wireless handheld devices and Network Interface Cards (NICs) must be physically protected from loss and theft. 2) Wireless handheld devices, backup modules, and NICs (e.g., laptop computers) must be stored in a secure area, such as a desk with drawers that lock or a file cabinet that locks, when they are not being used. 2.7 Inventory, Monitoring and Audit 1) All wireless handheld devices must meet the current security configurations established byINFOSEC. 2) All wireless handheld devices may be routinely monitored and security audits performed to verify that security configurations comply with this policy, wireless devices are authorized, and to identify unauthorized activity. 3) Access logs and system audit trails shall be routinely monitored. 4) Procedures must be established and followed for the inventory and control of wireless handheld devices. 5 HISPOL 008.0 – Wireless Handheld Devices 2.8 System Administration Responsibilities 1) It is the System Administrator’s responsibility to ensure that wireless devices meet the technical standards outlined in this policy at all times. 2) System Administrators are required to operate wireless devices in a secure manner. 3) System Administrators are required to change factory default settings and use strong administrative passwords on all wireless devices to ensure a higher level of security. (On some wireless devices, the factory default password is blank.) 4) To the extent possible, System Administrators shall ensure that their wireless implementation and associated security technologies are up-to-date with evolving standards and best practices. Client NICs and handheld devices must support firmware upgrade so that security patches and upgrades may be fully tested and deployed as they become available. 
5) System Administrators are required to maintain a list of authorized wireless device users to enable them to perform periodic inventory checks and security audits. 2.9 User Responsibilities 1) It is the wireless user's responsibility to comply with this policy. 2) Wireless users must only access information systems using approved wireless device hardware, software, solutions, and connections. 3) Wireless device hardware, software, solutions, and connections that do not meet the standards of this policy shall not be authorized for deployment. 4) Wireless users must act appropriately to protect information, network access, passwords, cryptographic keys, and wireless equipment. 5) Wireless users are required to report any misuse, loss, or theft of wireless devices or systems immediately to INFOSEC . 6 HISPOL 009.0 _________________________________________________________________ The United States House of Representatives Information Security Policy for Password Protection _________________________________________________________________ Approved: Approval Authority: October 2014 The United States House of Representatives Committee on House Administration HISPOL 009.0 - Password Protection Table of Contents 1 2 Introduction ........................................................................................ 3 1.1 SCOPE ................................................................................................. 3 Policy Guidelines ............................................................................... 3 2 HISPOL 009.0 - Password Protection 1 Introduction User Identifications (UserIDs) and passwords are the most widely used security controls for automated information systems. Passwords are the first line of defense for user accounts. When used properly, they are quite effective in preventing accidental or negligent damage and access. 
A poorly chosen password may result in the compromise of the United States House of Representatives (House) entire network. For UserIDs and passwords to be effective, all House staff, contractors, and vendors must follow these guidelines. 1.1 Scope The purpose of this policy is to provide all users of the House network with guidance in establishing strong passwords. The scope of this policy includes all House Offices and employees, contractors, and vendors that connect to the House network. 2. Policy Guidelines 2.1 Information must be protected through the effective use of UserIDs and passwords. 2.11 Passwords must be a minimum of ten characters in length and contain three out of the following four characteristics: • • • • Lower case characters (e.g. a-z); Upper case characters (e.g. A-Z); Numbers (e.g. 0-9); Special characters (e.g. !*&%$); 2.12 Obvious passwords that can be easily guessed should be avoided, such as variations of an employee’s name, address, Social Security Number, a personal hobby, or personal information; and 2.13 Do not use words associated with Members, Offices, Committees, Capitol Hill, etc. 2.2 All House user passwords must be changed to a new password at least every 60 days or immediately when compromised. 2.3 New passwords cannot be one of the previously used 20 passwords. Automated scripts or a series of manual password changes to circumvent the requirement for new passwords are not permitted. 3 HISPOL 009.0 - Password Protection 2.4 The minimum password age must be set to at least 1 for all House user accounts. The minimum password age determines the period of time in days that a password must be used before the user can change it again. System administrators may change passwords for auser if a password must be changed within one day after it is created due to special circumstances such as suspected compromise. 
2.5 Login procedures must be followed without automating steps that insert passwords (e.g., the “Remember Password” feature of applications). 2.6 Do not share UserIDs and passwords with anyone. System audit logs identify users based on UserIDs. 2.7 Do not attempt to guess another person’s UserID or password. Guessing on the part of a legitimate user would falsely indicate suspicious activity to the system’s audit function. 2.8 When setting up new systems, system administrators must ensure that all accounts are password protected and default account (e.g., administrator, supervisor, etc.) passwords are changed. 2.9 PC power up and screensaver passwords must be used. 2.10 Mobile device lock settings must be enabled. 2.11 Passwords should be entered only when no one else is present or is watching entry on the keyboard. 2.12 Passwords must not be inserted into email messages or other forms of electronic communication. 2.13 Passwords should be safeguarded and memorized. Passwords should not be written down, posted, or stored on a computer without encryption. 2.14 Passwords should be unique and not one that has been used in the past. 2.15 Users should not use the same password on multiple systems; it is permissible to use the same UserID on multiple systems (e.g. Active Directory passwords should never be used for any other system or application). 4 HISPOL 009.0 - Password Protection 2.16 Unauthorized attempts to access House systems and suspected password compromises must be reported immediately to the Information Systems Security Office (INFOSEC). 
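As an added example (not part of HISPOL 009.0 and not a House tool), the following Python encodes the section 2 password rules so an administrator can test a candidate password, an account's password history, and its change timing against them. The function names, the salted PBKDF2 scheme used for the stored history, and the House-related term list are assumptions of this example.

```python
"""Password-policy checker for the rules in section 2 of HISPOL 009.0.

Added example, not House code: the clause numbers in the messages refer to
the policy text; function names, the PBKDF2 history scheme and the term
lists are assumptions of this example.
"""
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 10               # 2.1.1: at least ten characters
CLASSES_REQUIRED = 3          # 2.1.1: three of the four character classes
HISTORY_DEPTH = 20            # 2.3: not one of the previous 20 passwords
MAX_AGE_DAYS = 60             # 2.2: changed at least every 60 days
MIN_AGE_DAYS = 1              # 2.4: minimum password age of 1 day
PBKDF2_ITERATIONS = 100_000   # assumed strength for the stored history digests

# 2.1.3: constructed, illustrative list of Capitol Hill-related terms to reject
HOUSE_TERMS = ("house", "capitol", "congress", "committee", "member")


def char_classes(password):
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def hash_password(password, salt=None):
    """Salted PBKDF2 digest so the history never holds plaintext (assumed scheme)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any of the last HISTORY_DEPTH (salt, digest) pairs."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, history, user_terms=()):
    """Return the clauses a candidate violates; an empty list means it is acceptable.

    history: (salt, digest) pairs, oldest first.  user_terms: the user's name,
    address fragments, hobbies, etc. (2.1.2), supplied by the caller.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("2.1.1 length")
    if char_classes(password) < CLASSES_REQUIRED:
        problems.append("2.1.1 classes")
    lowered = password.lower()
    for term in tuple(user_terms) + HOUSE_TERMS:
        if term and term.lower() in lowered:
            problems.append(f"2.1.2/2.1.3 contains '{term}'")
    if in_history(password, history):
        problems.append("2.3 reused")
    return problems


def check_change_timing(last_changed, today, compromised=False, admin_reset=False):
    """Apply 2.2 and 2.4: return (change_allowed, change_required).

    A change is required after MAX_AGE_DAYS or immediately on compromise; it is
    allowed only once MIN_AGE_DAYS have passed, unless an administrator resets it.
    """
    age_days = (today - last_changed).days
    required = age_days >= MAX_AGE_DAYS or compromised
    allowed = age_days >= MIN_AGE_DAYS or admin_reset
    return allowed, required


if __name__ == "__main__":
    # Constructed demonstration data: 21 prior passwords, oldest first.
    history = [hash_password(f"Old-Pass-{i:02d}!") for i in range(21)]
    print(check_password("Tr0ub4dor&3", history))                    # []
    print(check_password("correcthorsebattery", history))            # ['2.1.1 classes']
    print(check_password("Capitol-Hill-2014", history, ("smith",)))  # ["2.1.2/2.1.3 contains 'capitol'"]
    print(check_password("Old-Pass-00!", history))   # [] : 21 changes ago, outside the window
    print(check_password("Old-Pass-01!", history))   # ['2.3 reused']
    print(check_change_timing(date(2014, 10, 1), date(2014, 12, 1)))  # (True, True)
```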
HISPOL 010.0
The United States House of Representatives Information Security Policy for the Protection of Sensitive Information
Version: 2.0
Approved: January 2010
Approval Authority: The United States House of Representatives Committee on House Administration

Table of Contents
1 Introduction
1.1 Scope
2 Policy Guidelines
2.1 Determining Information Sensitivity
2.2 Physical Protection of Sensitive Information
2.3 Electronic Protection of Sensitive Information
2.4 Personnel Precautions
2.5 Disposal of Sensitive Information

1 Introduction
This policy addresses security concerns relating to information considered sensitive to the United States House of Representatives (House). All users of House sensitive information must protect the confidentiality of sensitive information from disclosure to unauthorized individuals or groups. Observance of this policy ensures that House sensitive information remains protected at all times in all forms.

1.1 Scope
This policy applies to all House Offices, employees, contractors, and vendors that use House sensitive information in all forms, printed and electronic.

2 Policy Guidelines
Access to sensitive information must be restricted to authorized individuals who need it to conduct their jobs. This entails not only refraining from intentional disclosure but also using measures to guard against accidental disclosure. When an employee changes positions or terminates employment with the House, they are still obligated to protect the confidentiality of information.

Individual Members have a reasonable expectation of privacy with respect to all of their electronic communications in the performance of official duties (including but not limited to use of telephones, voice mail, facsimile transmissions and electronic mail), and may determine whether such communications are to be made available to third parties or to the public. Absent such a determination, unauthorized interception, use, or disclosure of electronic communications in the performance of official duties is a violation of Federal law and may lead to criminal prosecution, suit for invasion of privacy, or, in the case of a House Office, employee, contractor, or vendor of the House of Representatives, discipline by the House.

2.1 Determining Information Sensitivity
Data owners are responsible for determining the sensitivity of their information, in accordance with House Information Security Policy and Publications. It is the responsibility of the employing authority to determine the criticality and protective measures of Legislative Branch or other sensitive information that is not yet public. All users of House sensitive information must protect it accordingly. In general, the House considers the following types of House information sensitive:
• Legislative information that is not yet public or has been provided to the House with restrictions on its use;
• Financial and procurement data that has not been made public;
• Personally identifiable information of House Members, staff, constituents, contractors, or vendors, including any information that can be used to distinguish or trace an individual’s identity;
• Information technology-related data, such as network configuration information, products in use, and security vulnerabilities and safeguards. This also includes non-sensitive data that, when combined with other non-sensitive data, can be assembled to provide a sensitive result. For example, a roster of Security personnel combined with a list of training courses may reveal the specific security technology being used at the House.

2.2 Physical Protection of Sensitive Information
1) All documents and removable magnetic media containing House sensitive information should remain on House property. If such documents and media must be removed from House property, they must remain in the possession of a House employee.
2) Printed documents and media containing House sensitive information must be stored out of sight, preferably in a locked container. While in transit, they must be carried in a folder or envelope.
3) Sensitive data should not remain on a computer screen or be visible to someone who is not authorized to view the data.
4) House sensitive information should be marked accordingly. All printed documents and removable media containing sensitive information should be clearly marked “Confidential to the U.S. House of Representatives”. Their distribution must be limited to only those House Office staff, employees, contractors, and vendors with a clearly defined need to access the information.

2.3 Electronic Protection of Sensitive Information
All House sensitive information:
1) Must be processed or stored on House owned equipment;
2) Must be encrypted when stored on mobile devices; and
3) Must not be transmitted on any public access system such as e-mail or via the Internet without protective measures (e.g., using encryption).

2.4 Personnel Precautions
1) Unauthorized personnel must not be allowed access to facilities and resources that store or process sensitive information.
2) Contractors and vendors must sign a Non-Disclosure Agreement prior to receiving House sensitive information.

2.5 Disposal of Sensitive Information
1) Diskettes, compact disks (CDs), and disk drives must be disposed of using approved procedures. Printed documents containing House sensitive information must be shredded when no longer needed. Electronic media may be provided to the Information Systems Security Office (INFOSEC), which will degauss and destroy the media.

HISPOL 011.0
The United States House of Representatives Information Security Policy for Telecommuting
Version: 2.0
Approved: January 2010
Approval Authority: The United States House of Representatives Committee on House Administration

Table of Contents
1 Introduction
1.1 Scope
2 Policy Guidance
2.1 Sensitive Information
2.2 Telecommuting User Requirements
2.3 Virtual Private Network (VPN) User Requirements
2.4 Remote User Requirements

1 Introduction
This policy provides the House community a secure means for accomplishing work from a remote location. House employees utilize computers when they travel or need to accomplish work remotely after or during normal business hours. A higher level of responsibility for information security lies with remote users, since the employee works unobserved and the work environment falls outside the physical protection of a House facility. Telecommuting is a working arrangement, mutually agreed upon by the employee and the employing authority, whereby the employee works at an alternative work site on specified days or during specified hours. Such remote users must establish a standard of self-discipline and initiative that ensures secure use of information resources. This means staying up-to-date on all House security policies concerning remote access.

1.1 Scope
The purpose of this document is to provide all users of the House network with guidance governing telecommuting. The scope of this policy includes all House Offices and employees that telecommute to the House.

2 Policy Guidance
2.1 Sensitive Information
It is the responsibility of the employing authority, in conjunction with the data owner, to review information sensitivity prior to authorizing employees to conduct House business in a telework arrangement. All House sensitive information should be marked accordingly. All printed documents and removable media containing sensitive information should be clearly marked “Confidential to the U.S. House of Representatives”. Their distribution must be limited to only those House Office staff, employees, contractors, and vendors with a clearly defined need to access the information.
All House sensitive information:
• Must be processed or stored on House owned equipment;
• Must be encrypted [1] when stored on mobile devices; and
• Must not be transmitted on any public access system such as e-mail or via the Internet without protective measures (e.g., using encryption).

[1] Encryption is software or hardware that gives users the capability to convert/recover data that has been put into an unreadable format while it is in transit or in storage. Contact INFOSEC, (202) 226-4988, or the Call Center, (202) 225-6002 / (800) 447-8737, for details.

2.2 Telecommuting User Requirements
The requirements in this section apply to all House telecommuters.
1) SecurID secure two-factor authentication must be used to access the House network. SecurID is the only method supported by the House to access the House network. SecurIDs may be obtained from the Information Systems Security Office (INFOSEC).
2) House information must remain on House equipment at all times.
3) Use only House email accounts to conduct House business and transmit House information.
4) If using personal computer equipment to perform House-related work, use House provided shared resources, not a local computer device, to save information.

2.3 Virtual Private Network (VPN) User Requirements
The House provides a Virtual Private Network (VPN) service for District Offices, telecommuters, and House staff to access the House network via personal computers (PCs) and laptops using high-speed connections, SecurID, and the Internet. Secure use of this service requires that a personal firewall supported by the House VPN solution be installed on the system and operational at the time of each connection to the House network.

2.4 Remote User Requirements
1) Adequate security provisions must be implemented in the remote work environment to protect hardware, software, information, and infrastructure.
2) Special measures must be employed to protect information and access capabilities across dial-up lines, including changing passwords often.
3) Be alert for anomalies and vulnerabilities and report security incidents to INFOSEC.
4) Log off the client device when it is not in use.
5) Access only those House systems that are necessary to perform your job.
6) Establish a thorough understanding and agreement with supervisors regarding appropriate security responsibilities.
7) Avoid uploading and downloading House sensitive information.
8) Encrypt information when it is reasonable and worthwhile.

HISPOL 17
The United States House of Representatives Information Security Policy for Protecting House Data in Cloud and Non-House Technology Solutions
Version: 1.0
Approved: February 2016
Approval Authority: The United States House of Representatives Committee on House Administration

Table of Contents
1 Introduction
2 Scope
3 Policy
3.1 Implementing Cloud and Non-House Solutions
    Phase I - Pre-Implementation
    Phase II - Authorization of Cloud Service
    Phase III - Post-Implementation
4 Exceptions
5 Roles and Responsibilities
5.1 Committee on House Administration (CHA)
5.2 House Organizations
5.3 Chief Administrative Officer (CAO)
5.4 House Information Systems Security Office (ISSO)
6 Related Documents
7 Non-Compliance

1 Introduction
Cloud computing capabilities are becoming mainstream components of modern enterprise technology. House offices should consider these cost-effective capabilities, which can further optimize the efficiency and effectiveness of House operations. However, House offices must understand the risk associated with storing or processing House data in Cloud and other non-House systems, and must ensure that the proper level of safeguards exists to protect House data. This policy establishes a framework for the protection of information stored on non-House systems or infrastructure. This framework provides the House with the flexibility to choose alternative information systems through a consistent approach to evaluating the risk of these systems.

2 Scope
This policy applies to all unclassified information in both written [1] and digital form that is handled, stored, or processed by any Member, staff, detailee, contractor, or vendor performing work on behalf of the House.
This includes information originating within the House, as well as information originating beyond the House for which House personnel act as a steward (e.g. personally identifiable information of staff). This policy does not apply to classified information. House offices must protect classified information in accordance with applicable laws.

3 Policy
Unclassified House data may be stored or processed on non-House controlled systems. However, all House offices should:
1. Develop and maintain an understanding of the information types within their possession and control; and
2. Safeguard House data with the appropriate physical, logical, and administrative controls.

3.1 Implementing Cloud and Non-House Solutions
Risks are not always apparent and are sometimes present despite vendor claims. A House office seeking to use a Cloud or other non-House technology solution should exercise due diligence by ensuring they understand the associated risks and implement adequate safeguards. The Cloud implementation process includes a pre-implementation phase, an approval phase, and a post-implementation phase. The requirements of these phases include the following components [2]:

[1] This policy primarily addresses digital information; however, it is important to ensure that sensitive House information in non-digital form is also protected by appropriate controls if stored by non-House organizations.
[2] This process is outlined in more detail in HISPUB 17 – Protecting House Data in Cloud and Non-House Technology Solutions. The HISPUB may be consulted for more guidance on how this process is implemented.

Phase I - Pre-Implementation
3.1.1.1 Sensitivity Assessment
The sensitivity assessment includes two components, a data inventory and an impact assessment.
• Data Inventory. The data owner [3] and system owner [4] will document the types of House information stored or processed in the proposed solution.
• Impact Assessment. Once the data inventory is complete, the House Chief Information Security Officer (CISO) or designee will work collaboratively with the data owner and system owner to determine the confidentiality, integrity, and availability impacts of the information documented in the inventory.
The Sensitivity Assessment is completed first. Subsequent sections of the evaluation process depend on the type of information involved and the impact of a breach of this information to the organization.

[3] The data owner is the end customer of the solution. The House office (i.e., Member, Committee Chair, Officer, or office Hiring Authority) is either the owner of the data or the primary House steward of the data.
[4] The system owner is the office or individuals responsible for the operation and maintenance of the system. This may sometimes be the data owner, but does not have to be. This function will include the primary system administrators of the system.

3.1.1.2 Suitability Review
This review includes an evaluation of the suitability of the vendor and overall solution. It is jointly performed by the data owner and system owner with coordination by CAO House Information Resources’ (HIR) Vendor Management. The suitability review ensures the solution is capable of satisfying the business needs of the House office and the basic standards required of all House vendors. The suitability review includes the following components:
• Requirements Review. This review documents the business and technical requirements for the proposed solution.
• Technical Review. Cloud services place unanticipated demands on technology resources such as Internet bandwidth. To ensure the service can operate as intended, a technical review documents the impact of the solution on House infrastructure, how the data is maintained, and how customer support is provided.
• Vendor Fitness Review. Cloud solutions are still a new offering by many vendors. This review considers factors such as a vendor’s maturity, fiscal soundness, physical location of data centers, support model, previous work with government, etc. to determine if the vendor and solution are capable of being trusted to store and process House data.
• Contract Review. CAO/HIR/Vendor Management assists with facilitating this review. The contract with a Cloud service provider is the most important aspect of the evaluation, since the contract is what determines the requirements the vendor must meet. This review includes an examination of the terms of service to ensure the technical and support requirements are adequately documented, which includes a right to audit or obtain information about the implementation of security controls or any other applicable House terms and conditions, vendor and customer responsibilities, service level agreements, etc. as required.
• Legal Review. CAO/HIR/Vendor Management, in consultation with requesting offices, must consult with the Office of General Counsel and the CAO Administrative Counsel on utilizing a specific Cloud service. This includes a review of the contract terms of service, any end user licensing agreements, or other agreements and licenses to ensure the House is adequately protected from a legal perspective. This may include provisions for response to subpoenas, support of e-discovery and evidence preservation orders, and the ability to respond to a data spill.
3.1.1.3 Risk Assessment
The risk assessment is the most time-consuming aspect of the pre-implementation review due to the volume of documents that need to be reviewed, the research needed to determine the presence of security controls, and any testing to validate control effectiveness. Once a solution seems viable based on the prior reviews, the risk assessment is conducted by the CAO/HIR/ISSO as a final step before authorization is recommended. The House may use documentation of security controls as provided by the Federal Risk Management Authorization Program (FEDRAMP), but a risk assessment is still required. The risk assessment includes:
• Testing of the existence and effectiveness of security controls, if applicable.
• Identification of known weaknesses in the solution that may affect the confidentiality, integrity, and availability of House data.
• Recommendations to augment the security of the solution.
• Identification of the residual risk of the solution based on available information.

Phase II - Authorization of Cloud Service
Once the pre-implementation reviews are complete and the solution is deemed viable by the CAO, the Committee on House Administration (CHA) may approve a formal authorization of the Cloud service. The authorization will identify the data types that the Cloud service may process or store.

Phase III - Post-Implementation
Any known security-significant changes to the solution should be reported to CAO/HIR/Vendor Management and the Information Systems Security Office for immediate review. A security-significant change includes, but is not limited to, a change in the data types within the solution, a change in the administration model, a change in vendor controls, a major change in configuration, or a change in the vendor’s operating status. All approved solutions are reviewed annually by the appropriate units of the CAO, as facilitated by CAO/HIR/Vendor Management, verifying that the solution has not changed in a material way. The annual review will include a verification that all documentation produced during the initial review process is still relevant.

4 Exceptions
CHA may grant exceptions in writing to this policy.

5 Roles and Responsibilities
The roles and responsibilities for implementing this policy include the following:

5.1 Committee on House Administration (CHA)
The CHA has an important oversight function, which includes the acceptance of the risk to the House that comes with allowing an outside organization to store and process House data. CHA serves as the Authorizing Official (AO) by granting authorization for all Cloud and non-House solutions.

5.2 House Organizations
All House organizations should, in accordance with all House policies, procedures, standards, and guidelines:
1. Develop and maintain an understanding of the information types within their possession and control;
2. Ensure data is safeguarded with the appropriate physical, logical, and administrative controls by personnel within the organization;
3. Comply with this policy by ensuring CHA authorization is obtained for all Cloud and non-House systems used to store and process House data; and
4. Ensure the proper reviews, approvals, and annual follow-ups are performed.

5.3 Chief Administrative Officer (CAO)
The CAO/HIR/Vendor Management team will facilitate pre- and post-implementation reviews with the respective CAO offices. These offices may include CAO/Admin Counsel, CAO/Office of Acquisitions Management, CAO/House Information Resources, CAO/Human Resources/Privacy, and the CAO/HIR/Information Systems Security Office (ISSO).
5.4 House Information Systems Security Office (CAO/HIR/ISSO)

The ISSO shall:

1. Assist House organizations with the identification and classification of their information;
2. Require FEDRAMP certification, either final or "in process," for data identified as "Moderate" level data;
3. Outline and clarify with requesting organizations the controls that should be implemented to protect stored or processed House data;
4. Provide a leadership role in the assessment and documentation of the information security risks associated with solutions where House data is stored on non-House systems; and
5. Advise the data owner, system owner, and House officials of changes in risk posture.

6 Related Documents

The following House policies, publications, and standards are referred to by this policy:

HISPOL 02 - The United States House of Representatives Information Security Policy for Protecting Systems from Unauthorized Use

7 Non-Compliance

The House Chief Information Security Officer will review activities that are noncompliant with this policy. Where there is a demonstrable and imminent risk to House data, the CISO may disable access to information stored on a non-House system that fails to meet the requirements of this policy. The CISO will notify the Chief Information Officer, CAO, CHA, and the House organization in parallel when disabling access in such circumstances.

Information Systems Security Program
Chief Administrative Officer
House Information Resources
Information Systems Security Office
August 7, 2000

U.S. House of Representatives Information Systems Security Program

This document establishes the framework for the Information Systems Security Program (ISSP) for the U.S. House of Representatives. The ISSP is the underpinning for the security policies that are the primary building blocks of every successful information security effort.
In order to be successful, every information security effort needs a well-defined security program and a set of policies that provide clear instruction and establish management support. The security program must also provide education and training to the House community. This education and training is an integral part of the ISSP, providing users with the knowledge they need to actively participate in preventing security incidents. The ISSP also assures the consistent application of security policy and technical controls across House information systems.

_______________________________________________
Louis A. Magnotti
Director
House Information Resources
Information Systems Security Office

Concurrence:

_______________________________________________
Timothy A. Campen
Associate Administrator
House Information Resources

EXECUTIVE SUMMARY

This document establishes the Information Systems Security Program (ISSP) for the U.S. House of Representatives (hereafter referred to as "House"). The ISSP implements a security management strategy consisting of a variety of technical and procedural safeguards. Successful implementation of these safeguards ensures that data processed, stored, or transmitted by House information systems is available when it is needed and is protected from unauthorized disclosure or modification.

The ISSP is vital to the successful acquisition, development, implementation, and sustainment of House automated systems and the information that those systems process. The program defines optimal security safeguards and provides guidelines for their implementation. It also provides a process for assessing the effectiveness of safeguards and for identifying and mitigating risks.

Each Member, Committee, and Office has a unique role in supporting the mission of the House. Successful fulfillment of these roles requires an institutional approach to safeguarding information systems.
Security policy and guidance concerning House information systems are developed by the Chief Administrative Officer (CAO) utilizing government and industry best practices. With the assistance of the CAO, implementation of such security practices is accomplished through the joint efforts of House Members, the Clerk of the House (Clerk), and the Sergeant-at-Arms (SAA). Within the House Offices of the Clerk and SAA, a central security point of contact or designee will be identified to coordinate the implementation of system security controls and audits of all systems connected to the House network. The House Officers will determine the responsibilities of each Office in implementing the ISSP. This combined effort ensures House operations are supported by state of the art, safe, and secure systems. The House Information Resources (HIR) Information Systems Security Office will provide oversight in accordance with House information systems security policy for House networked systems.

The following diagram depicts a security methodology that is incorporated into the House information systems support and development process.

[Diagram: Technology Support (Clerk, CAO, SAA); Information Systems Security; Information Systems Development; House Operations; State of the Art, Safe, and Secure Systems]

In support of the House-wide ISSP, the HIR Information Systems Security Office provides the following services: (1) develop and implement security policies and guidance, (2) design network security technical controls and administer data protection mechanisms, (3) conduct systems security certification and compliance audits to identify and mitigate risks, (4) develop and implement security awareness and training programs, and (5) detect and resolve malicious incidents such as virus and intruder attacks.
Effective execution of the aforementioned services will formally establish an information security strategy for the House. Once established, the House-wide ISSP will meet or exceed established government and industry security best practices. The security program will provide cost-effective, innovative, and appropriate safeguards commensurate with identified levels of risk and integrate information systems security into information systems initiatives.

TABLE OF CONTENTS

SECTION 1 - OVERVIEW
1.1 PURPOSE
1.2 BACKGROUND
1.3 INFORMATION SYSTEMS SECURITY IN THE HOUSE ENVIRONMENT
1.4 ROLES AND RESPONSIBILITIES
1.4.1 Chief Administrative Officer (CAO)
1.4.2 House Information Resources (HIR)
1.4.3 HIR Information Systems Security Office
1.4.4 House Network Users
1.4.5 Vendors
1.4.6 The Office of Inspector General (OIG)
1.4.7 The Office of the Clerk (Clerk)
1.4.8 The Sergeant at Arms (SAA)
SECTION 2 - INFORMATION SECURITY SERVICES
2.1 INFORMATION SYSTEMS SECURITY POLICY AND GUIDANCE
2.2 NETWORK SECURITY
2.3 SYSTEMS SECURITY CERTIFICATION AND COMPLIANCE AUDITS
2.4 SECURITY AWARENESS AND TRAINING
2.5 INCIDENT MANAGEMENT
2.5.1 House Computer Incident Response Team
2.5.2 Virus Team
2.5.3 Information System Security Incident Detection
SECTION 3 - INFORMATION SECURITY IMPLEMENTATION
3.1 INFORMATION SYSTEMS SECURITY POLICY AND GUIDANCE
3.2 NETWORK SECURITY
3.3 SYSTEMS SECURITY CERTIFICATION AND COMPLIANCE AUDITS
3.4 SECURITY AWARENESS AND TRAINING
3.5 INCIDENT MANAGEMENT
SECTION 4 - SUMMARY
APPENDIX - Glossary of Terms
Exhibit 1 - Security in the House Environment
Exhibit 2 - SDLC and Security Services Relationship

Section 1 OVERVIEW

1.1 Purpose

This document establishes the Information Systems Security Program (ISSP) for the U.S. House of Representatives (House). Information systems include computers, communications networks, and software, as well as data that is stored, processed, retrieved, or transmitted by the House. The ISSP provides a security management strategy for the protection of House information systems, assuring Members, Committees, and other House offices that their systems are adequately protected and safeguarded.

1.2 Background

Rapid advancements in computer technology have made the House increasingly dependent on information systems to store, process, and distribute vast quantities of valuable, sensitive, and critical data.
Accordingly, the protection of information systems for the House community ensures the confidentiality, integrity, and availability of the data stored, processed, and distributed by those systems. The ISSP is a House-wide program developed by the Chief Administrative Officer (CAO) and managed by House Information Resources.

Information systems security is defined as measures and controls that protect information systems against unauthorized access, modification, disclosure, destruction, or denial of service, whether accidental or intentional. There are four major goals of information systems security:

· Safeguard against unauthorized system access and disclosure of sensitive data,
· Ensure system controls are in place to identify, verify, and trace authorized and unauthorized user activity,
· Prevent unauthorized modification or destruction of House data,
· Evaluate effectiveness of security controls to maintain safe system operations.

Meeting these goals provides a direct benefit to the House user community. Establishing an ISSP provides users with the confidence that their data is protected at all times. This confidence in the security of House information systems encourages users to utilize the systems to their fullest capacity. Full use of House systems contributes to greater staff productivity as well as efficiency of House operations. This document describes the elements of the ISSP that enable the House to meet these goals.

1.3 Information Systems Security in the House Environment

The systematic process for securing House information systems involves administrative and technical control measures. House information, in all forms and development phases, must be protected from unauthorized access, modification, disclosure, destruction, or denial of service, whether intentional or accidental.
Information resources requiring protection include, but are not limited to, computers and communication networks, communication facilities, interconnected computer peripheral equipment, software, and information that may be collected, distributed, stored, or transmitted. Information systems security is a specific effort to provide safeguards against threats and reduce system vulnerabilities. The ISSP utilizes government and industry best computer security practices, augmented by other traditional security disciplines (i.e., physical and communications security).

The ISSP is important to the successful acquisition, development, implementation, and sustainment of House automated systems and the information that those systems process. The program defines optimal technical and procedural security safeguards and provides guidelines for their implementation. It provides a process for assessing the effectiveness of safeguards and for identifying and mitigating risks.

Security policy and guidance concerning House information systems are developed by the Chief Administrative Officer (CAO) utilizing government and industry best practices. Successful implementation of the ISSP requires the active participation of Members, the Offices of the Clerk and the SAA, and House staff. This combined effort will ensure House operations are supported by state of the art, safe, and secure systems, as illustrated in Exhibit 1.

[Diagram: Technology Support; Information Systems Security; Information Systems Development; House Operations; State of the Art, Safe, and Secure Systems]
Exhibit 1 - Information Systems Security in the House Environment

The HIR Information Systems Security Office ensures that information systems, both current and new, and major upgrades to existing systems employ effective and efficient security safeguards.
Information security requirements are developed through the use of specific management controls and are validated in conjunction with the House System Development Life Cycle (SDLC) process. The SDLC process describes the specific information system processes and control objectives accomplished during each phase.

The ISSP describes five security services that ensure House information systems are safe and secure. These are: (1) develop and implement security policies and guidance; (2) design network security technical controls and administer data protection mechanisms; (3) conduct systems security certification and compliance audits to identify and mitigate risks; (4) develop and implement security awareness and training programs; and (5) detect and resolve malicious incidents such as virus and intruder attacks.

Activities supporting the five security services occur at various points in the SDLC, as illustrated in Exhibit 2. This illustration does not modify or supersede the House SDLC process; rather, it depicts how security operates within the structure of the SDLC phases.

[Diagram: SDLC PHASES: Project Definition; User Requirements Definition; System / Data Requirements Definition; Analysis and Design; System Build / Prototype / Pilot; Implementation and Training; Sustainment. SECURITY SERVICES: Information Security Policy and Guidance; Network Security; System Certification & Compliance Audits; Information Security Awareness, Training; Incident Management; Recertification (every 2 years)]
Exhibit 2 - SDLC and Security Services Relationship

Information security policy and guidance support the SDLC process beginning with the User Requirements Definition Phase by establishing the security safeguards that should be built into House systems. Policy and guidance documents for security activities throughout the remaining phases of the SDLC are published as needed.
Network security, including technical controls and data protection mechanisms, supports the SDLC prior to System/Data Requirements Definition. Technical controls are hardware devices and software processes that a computer system executes to provide a first-line defense against unauthorized access or misuse. These automated protection techniques include firewalls, access controls, virus protection, and intrusion detection. Network security also provides data protection mechanisms, such as strong passwords and encryption, to ensure electronic information is safeguarded against unauthorized access or modification.

System certification and compliance audits are addressed during the System Build Phase. System certification audits are performed on the prototype and pilot versions of the system to validate that security safeguards are operational. Compliance audits are also conducted throughout the Sustainment Phase.

Awareness and training relating to House security requirements should be provided to the House user community during the Implementation and Training Phase. Security training provides instruction in security issues specific to the application being implemented, as well as guidance on general security concerns and procedures.

Incident management occurs during the Sustainment Phase of the SDLC process and involves detecting and responding to unauthorized activity. Technical controls and procedures are put in place to detect unauthorized actions. Each occasion of unauthorized activity is investigated and appropriate remedial measures are completed in accordance with established House security policies.

1.4 Roles and Responsibilities

The Committee on House Administration (CHA) provides policy direction to the Chief Administrative Officer on House information systems security matters, and also reviews and approves House-wide information security policies.
Several House organizations have key roles and responsibilities in support of the successful implementation of the ISSP, as described below.

1.4.1 Chief Administrative Officer (CAO)

The CAO provides non-legislative support services to the House community, including finance, information resources, media services, human resources, and procurement and purchasing. These operational and financial functions are assigned by the CHA and are described in the Rules of the House of Representatives, published by each Congress. The CAO performs as an executing body, coordinates the establishment of appropriate advisory councils and working groups, and coordinates participation of individuals or groups outside the CAO. The CAO has the following responsibilities:

· Defines the direction of the ISSP based on the environment of the House and the current needs of the Members and Committees,
· Coordinates the approval of all information security policies and guidelines with appropriate House organizations.

1.4.2 House Information Resources (HIR)

The Divisions within HIR provide support in the design, development, and implementation of controls to ensure the continued security of House systems and information. HIR Offices will:

· Coordinate with the HIR Information Systems Security Office in the evaluation and implementation of House security mechanisms and procedures,
· Recommend potential technical controls to improve the security of House networks,
· Review and provide recommendations to improve security policies and publications,
· Recommend new security publications to be developed.

1.4.3 HIR Information Systems Security Office

The HIR Information Systems Security Office, in direct coordination with other HIR Offices, will provide oversight and guidance in security-related matters to the Members, Committees, and House Offices.
The HIR Information Systems Security Office will:

· Develop House-wide information systems security policies and guidelines based on best government and industry practices,
· Develop network security and data protection controls to be incorporated into all House information systems,
· Conduct certifications and security audits of House information systems and external connections,
· Develop and disseminate information systems security awareness and training programs,
· Detect, investigate, and respond to incidents of unauthorized activity on House networks.

1.4.4 House Network Users

Users of House networks are a critical link in the successful protection of House information and systems. House users should:

· Follow security practices as defined by the House security policies,
· Stay abreast of updates to House security policies and procedures,
· Use a House-provided or equivalent, current, anti-virus program to scan software prior to installing it on any office computer,
· Report suspected incidents of unauthorized network activity to the HIR Information Systems Security Office or to the HIR Call Center.

1.4.5 Vendors

Vendors are personnel who are retained to provide support to House automated operations, including hardware and software. Vendors must adhere to the same security policies as House network users and must specifically:

· Ensure remote connections are established and approved according to House security policy,
· Implement adequate security provisions at the remote site to protect House software, hardware, and information,
· Be alert for anomalies and vulnerabilities and report security incidents to the HIR Information Systems Security Office.

1.4.6 The Office of Inspector General (OIG)

As described in the Rules of the House of Representatives, the IG generally conducts periodic audits of financial, administrative, and other functions of the House as required.
This broad authority permits the OIG to:

· Review the ISSP and related activities using government and industry best security practices as the baseline,
· Make recommendations to improve or enhance information systems security to meet the unique requirements of the House.

1.4.7 The Office of the Clerk (Clerk)

Beyond the duties involved in organizing the House and presiding over its initial activities at the commencement of each Congress, the Clerk is charged with a number of legislative functions, as described in the Rules of the House of Representatives. In support of these legislative functions the Clerk employs various information systems. As a result, the Clerk is responsible for the security of those information systems under his purview and, in support of the ISSP, will:

· Designate a central security point of contact or alternate who will assist the HIR Information Systems Security Office in the responsibility for the security of the Clerk's information systems connected to the House network,
· Ensure recommended technical and procedural security controls are in place according to House-wide security policy.

1.4.8 The Sergeant at Arms (SAA)

The SAA ensures the safety of Members, staff, and the public on Capitol Hill and, in accordance with the Rules of the House of Representatives, maintains order during House sessions and enforces rules related to the privileges of the Hall of the House. Within the SAA, the divisions responsible for House Chamber security, parking, identification badges, police services, and special events and protocol utilize a variety of information systems in the performance of their duties.
The SAA is responsible for the security of those information systems under his purview and, in support of the ISSP, also will:

· Designate a central security point of contact or alternate who will assist the HIR Information Systems Security Office in the responsibility for the security of the SAA systems connected to the House network,
· Ensure recommended technical and procedural security controls are in place according to House-wide security policy.

Section 2 INFORMATION SECURITY SERVICES

The management of House information security is accomplished through the five information security services provided by HIR. The combination of these security services ensures the four major goals of information systems security are achieved. As a result of meeting these goals, House systems maintain security integrity throughout their design, development, implementation, and lifecycle. This section of the ISSP describes the five information security services.

2.1 Information Systems Security Policy and Guidance

Information systems in use at the House include Internet/Intranet, the Correspondence Management System (CMS), messaging services, mainframes, and client-server applications. Users of these systems must be knowledgeable in how to ensure a safe and secure computing environment. The primary mechanism for distributing this knowledge to House users is information systems security policy and guidance. Policy and guidance are available from the HIR Information Systems Security Office staff or the House CAO web site.

The HIR Information Systems Security Office develops information security policies for the House. The purpose of House Information Security Policy (HISPOL) documents is to outline security rules, regulations, and expectations according to the various roles that House users, contractors, system programmers, administrators, and managers have in the area of information system security.
These HISPOLs provide comprehensive directions and guidance for the responsible and secure use of House information systems and network resources. Specific security requirements are derived from these HISPOLs and are documented in separate House publications called House Information Security Publications (HISPUBs). HISPUBs provide specific guidance and standards for implementing information security topics and measures as directed in the corresponding HISPOLs.

Additionally, the HIR Information Systems Security Office is responsible for developing and documenting House-wide standards and procedures that address computer security awareness and training requirements, as well as resolutions to audit reports issued by the Office of Inspector General. These standards and procedures ensure well-defined information security practices are in place to form the operational baseline for information systems.

2.2 Network Security

Effective administration of network operations is critical in maintaining overall House information and systems security. The Information Systems Security Office will develop guidelines and procedures to implement the network security controls and data protection mechanisms most appropriate for the House environment. In cooperation with other House Offices, the Security Office will evaluate, recommend, and implement technical controls as needed to improve the security of House networks. Technical controls will ensure that network access safeguards are in place, including user account identification, authentication, and access authorizations.

The Security Office is involved in the prompt resolution of network and data security issues, including modification or removal of access for House employees who are transferred, promoted, terminated, or who retire. Strict technical and procedural controls are implemented to ensure access to information is specifically granted only to authorized individuals.
2.3 Systems Security Certification and Compliance Audits

Systems security certification ensures House systems contain an appropriate level of security and comply with established policies and procedures. An independent certification review of technical and procedural controls is conducted on new systems before initial implementation. Compliance audits are conducted on existing systems every two years. Systems that undergo major modifications will also be reviewed prior to implementation.

As a result of the inherent differences in each House Office's information systems requirements, scope, mission, and risk, each office should conduct its own risk analysis to determine the types of threats and vulnerabilities faced by the Office. The HIR Information Systems Security Office provides guidance for protecting House systems and information; House Offices must implement security practices in a manner consistent with this guidance. Additionally, the Security Office will conduct periodic security reviews of external connections, as well as security compliance reviews of internal systems. Within the Offices of the Clerk and SAA, a security point of contact will be designated to assist the HIR Information Systems Security Office in conducting audits of their systems that are connected to the House network.

2.4 Security Awareness and Training

Awareness and training programs assist in reducing the threats to House information systems. An educated user becomes a primary ally in the prevention of security incidents and in maintaining the security integrity of House information systems. With proper security education, general users become aware of good information security practices. The HIR Information Systems Security Office provides security awareness training programs to meet the security needs of House Members, Committees, and Offices. The security awareness program is accomplished through security briefings designed for users, managers, vendors, and technical staff.
To address specific information security issues (e.g., virus warnings, hacker threats, system vulnerabilities), security awareness notifications will be broadcast via voice mail, e-mail, or the HIR Security web page. Additional awareness may be provided to House Members and users by means of seminars, workshops, newsletters, conferences, and public dissemination of security guidelines.

2.5 Incident Management

An issue of increasing importance is the detection of and response to malicious information security incidents, such as virus attacks, hacker activities, spamming, assessment of new information systems and technology for potential vulnerabilities, or other breaches of security. Incident management facilitates centralized reporting of incidents, coordinates response to incidents, and provides technical assistance as needed to recover.

The growing use of interconnected computers and external networks has expanded the number of entry points into House systems, increasing the vulnerability of those systems to attacks. As a result, the potential for harm to House systems is greater; therefore, the House has established a proactive security incident management process to counter the increased risk. The process includes continual gathering of data relating to vulnerabilities, threats, and appropriate security safeguards. The process establishes an inquiry and response mechanism to determine the potential impact to the House, identify remedial measures, and implement preventive actions. Incident inquiries are conducted by the House Computer Incident Response Team. An automated intrusion detection system supplements the incident management process by providing an additional measure of network protection.

2.5.1 House Computer Incident Response Team

The House Computer Incident Response Team (CIRT) assists in planning for and resolving incidents, emergencies, and security violations that may compromise House information systems.
In addition, the CIRT tracks and documents computer security incidents, determines the scope of problems, and provides appropriate technical assistance. The CIRT also conducts analyses of system vulnerabilities and provides recommendations for improving technical and procedural safeguards.

2.5.2 Virus Team

To assure proper protection from viruses, the CIRT maintains a quick-response Virus Team. The Virus Team detects, contains, and recovers from virus incidents. In addition, the Virus Team actively monitors and maintains the process and procedures for continual updating of House-provided anti-virus software, and tracks the latest developments relating to viruses and other destructive software.

2.5.3 Information System Security Incident Detection

The HIR Information Systems Security Office maintains dynamic intrusion detection and vulnerability assessment systems for the House. The Intrusion Detection System (IDS) monitors and responds to intruder activities, capturing real-time data directly from the network and compiling the data for analysis, and has the capability to execute countermeasures that deny potential intrusions. The vulnerability assessment system scans for, detects, and provides analysis of network security vulnerabilities, and provides detailed reports to help manage House information security.

Section 3 INFORMATION SECURITY IMPLEMENTATION

Information security implementation establishes system controls and processes to ensure that only authorized individuals have access to House information systems. The ISSP provides a control process to ensure appropriate administrative, physical, and technical safeguards are integrated into information systems. Successful implementation of the House ISSP is accomplished through a variety of activities that support the five security services. The activities are described in this section.
3.1 Information Systems Security Policy and Guidance

Security policy is the foundation of the security program, providing the organization with direction on broad areas of information systems security and requirements to ensure House information and systems are protected. Security policy defines the major elements of the security program and identifies the organizations responsible for implementing and maintaining those elements. Security policies are published as House Information Security Policies (HISPOLs). House security policies are implemented by guideline and procedure publications, known within the House as HISPUBs. HISPUBs provide detailed guidance on specific topics, such as network security issues, secure use of modems, conducting risk analyses, and security industry best practices. HISPOLs and HISPUBs are reviewed annually and revised as needed to reflect changing user requirements and advances in information technology. HISPOLs and HISPUBs are available from the HIR Information Systems Security Office or on the House CAO web site.

3.2 Network Security

As part of the network security compliance procedures, the HIR Information Systems Security Office ensures that House information and systems are:

1) protected from unauthorized access, disclosure, transmission, modification, or destruction;
2) protected against denial of service, bypassing of security measures, or improper use and abuse of systems; and
3) protected against physical, personnel, telecommunication, and administrative security violations.
To ensure protection of the House network, the HIR Information Systems Security Office will:

· Design technical controls and data protection mechanisms to ensure House systems and information are safeguarded at all times,
· Implement and manage remote access control mechanisms,
· Conduct on-site visits to inspect requesting external networks' processes and controls,
· Review remote systems' internal network controls for compliance with House security requirements,
· Install and run network intrusion detection software,
· Analyze intrusion detection results and take appropriate action or implement countermeasures,
· Conduct vulnerability assessment activities to ensure that House systems are in compliance with established security requirements,
· Provide recommendations to House Offices on appropriate technical and procedural safeguards.

3.3 Systems Security Certification and Compliance Audits

Systems security certification ensures data is protected from accidental or malicious alterations and provides assurance that information systems meet established security requirements. Compliance audits are independent reviews of technical and procedural controls conducted on systems before implementation and every two years thereafter. The Offices of the Clerk and SAA will designate a security point of contact to assist the HIR Information Systems Security Office in conducting audits for their systems that are connected to the House network. Certification and audits consist of the following activities:

· Determination of security requirements applicable to the system under review,
· Review and analysis of system technical controls and documentation to determine compliance with security requirements,
· Recommendation of system-specific corrective actions as necessary,
· Evaluation of security vulnerabilities,
· Provision of recommendations for minimizing system vulnerabilities,
· Re-certifications to ensure system technical controls remain in compliance with House security policies.

3.4 Security Awareness and Training

The Chief Administrative Officer places a high priority on awareness and training and is committed to the protection of all House assets. Continual security awareness training will be provided to all users, administrators, vendors, and developers of House information systems. This ensures that all system users are aware of their security responsibilities. Training includes the following topics:

· House information security,
· House policies and guidelines,
· Threats and vulnerabilities,
· Sources of threats,
· Roles and responsibilities,
· Password protection,
· Anti-virus procedures,
· Computer incident identification and reporting,
· Security Office contact information.

New employees and contractors should receive this awareness training as part of the orientation process. All users should be given refresher training annually. Methods of delivering this information vary according to the environment and may include classroom lectures, videotaped presentations, web site articles, newsletters, and broadcast e-mail.

3.5 Incident Management

The Incident Management Program involves detection of and response to unauthorized activity on the House network. It includes procedures to manage the immediate effects of a security incident on the infrastructure and identifies the steps necessary to restore the systems. Typical incident management tasks include staffing a Computer Incident Response Team to:

· Coordinate responses to system attacks with CAO departments, House Offices, and other security organizations and law enforcement agencies as appropriate,
· Detect, investigate, and resolve malicious incidents or security violations,
· Gather evidence and maintain the chain of custody for the safeguarding of evidence,
· Provide technical testimony if required.
Additional tasks include staffing a Virus Team to:

· Detect and recover from virus attacks,
· Research anti-virus technology,
· Test all anti-virus upgrades before implementation,
· Provide a mechanism for upgrading anti-virus software as needed,
· Provide advice and guidance to the House regarding virus protection.

Section 4 SUMMARY

Information systems security protects an organization's valuable resources, including information, hardware, and software. Through the selection and application of appropriate safeguards, security protects those resources, thus providing vital support to the organization's mission. To be successful, security safeguards are evaluated to ensure the cost of the control is less than the expected benefits and fits the specific organizational environment.

The House ISSP provides direction for information systems security within CAO and the House community at large. This program is based on the premise that assuring the availability, confidentiality, and integrity of House information resources is essential to ensuring successful House operations. Providing policy and guidance to the House community ensures that system users are aware of their responsibility to continually protect House resources, including hardware, software, and data. The security program focuses on how to safeguard House information systems while implementing cost-effective security solutions.

Successful implementation of the ISSP is the foundation of a comprehensive information security strategy for the House. The HIR Information Systems Security Office will build on this foundation by providing specific technical and procedural safeguards most appropriate to the House. Other HIR Offices, including Information Management, Communications, and Client Services, provide support and coordination in ensuring House information systems are continuously protected through increasingly complex and effective security safeguards.
While these safeguards are virtually transparent to House network users, each user is responsible for observing good security procedural and administrative practices and maintaining security awareness and knowledge.

Once established, the House ISSP will meet or exceed established government and industry security best practices. The security program will provide cost-effective, innovative, and appropriate technical and procedural safeguards commensurate with identified levels of risk. It will provide guidance (i.e., the tools, techniques, and practices) for implementing local security programs and integrate information systems security into information systems initiatives. Finally, it will provide the structure for determining House security compliance through reviews at House sites, Committees, and Offices. The result will be safe and secure House information systems that operate within a technical architecture continuously protected against unauthorized activity.

Appendix GLOSSARY

Access: A specific type of interaction between a subject and an object that results in the flow of information from one to the other; the capability and opportunity to gain knowledge of, or to alter, information or materials, including the ability and means to communicate with, or otherwise make use of, any information, resource, or component in a computer system.

Access Control: The process of limiting access to the resources of a system to only authorized persons, programs, processes, or other systems. Synonymous with controlled access and limited access.

Authentication: The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

Automated System: An assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data and information.
Availability: The property of being accessible and usable upon demand by an authorized entity. Security constraints must make information system services available to authorized users and unavailable to unauthorized users.

Best Computer Security Practices: The collection of the most effective and comprehensive actions and procedures used by leading government and industry professionals engaged in protecting information systems.

Client Server: Computing that involves splitting an application into tasks and putting each task on the platform where it can be handled most efficiently.

Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.

Data: A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by manual or automatic methods.

External Connections: Sending and receiving data to and from a computer not directly controlled by the House, or controlling a computer with terminals or PCs connected through non-network-based communication devices, i.e., phone links.

Hacker: One who attempts to break into information systems by circumventing software security safeguards.

Hardware: Consists of all the physical elements in the information system, such as computers, printers, wires, and keyboards.

Information Systems: Computers, communications facilities, communications networks, and data and information that may be recorded, processed, stored, shared, transmitted, or retrieved by them, including programs, specifications, and procedures for their operation, use, and maintenance.

Information System Security: The protection of information against unauthorized access or modification, whether in storage or in transit, including those measures necessary to detect, document, and counter such threats.

Integrity: The ability of the information system to protect information from unauthorized or unintentional modification to ensure the data retains its original level of accuracy.
Internet: Open system protocols that allow a collection of networks access to an environment with potentially any other network.

Intranet: An interconnected or internal network that looks and feels like the Internet but is limited to an organization's internal access only.

Intrusion Detection: The process that identifies exploitable system weaknesses and allows information system personnel to produce reports that provide detailed information concerning each vulnerability.

Malicious Incidents: Events that may lead to the bypassing of information system security measures and have a potentially damaging impact on the confidentiality, integrity, and availability of House information resources.

Network: A communications medium and all components attached to that medium whose responsibility is the processing of information. Such components may include information systems, packet switches, telecommunications controllers, key distribution centers, and technical control devices.

Physical Security: The application of physical barriers and control procedures as preventive measures against threats to information systems resources, information, and facilities.

Security Risk: The probability that a particular threat will exploit a particular vulnerability of the information system.

Software: Instructions executed by a computer, and documentation related to those instructions.

Security Breach: An event which may result in disclosure of information to unauthorized individuals, or that results in unauthorized modification or destruction of system data, loss of computer system processing capability, or loss or theft of any computer system resources.

Unauthorized Disclosure: A communication or physical transfer of information to an unapproved recipient.

Virus: Code embedded within a program that causes a copy of itself to be inserted in one or more other programs and perform some unwanted function that adversely affects the availability or efficiency of computer resources.
Vulnerability: A flaw or weakness within a system that may be exploited by a threat to cause harm.

House IT Policy 001.0
The United States House of Representatives Information Technology Policy for House Email
Version: 1.0
Approved: May 2008
Approval Authority: The United States House of Representatives Committee on House Administration

House IT Policy 001.0 House Email May 2008

Table of Contents
1 Introduction
1.1 SCOPE
2 Definitions
2.1 CONTRACTOR
2.2 EMAIL ACCOUNT (MAILBOX)
2.3 HIRING AUTHORITY
3 Use of Email
3.1 AUTHORIZED USERS
3.2 PURPOSE OF USE
3.3 PROHIBITED USES OF ELECTRONIC MAIL
4 Mailbox Administration and Management
4.1 CREATION OF EMAIL ACCOUNTS FOR HOUSE STAFF
4.2 CREATION OF EMAIL ACCOUNTS FOR HOUSE SUPPORT CONTRACTORS
4.3 ACCESS AND DISCLOSURE
4.4 MAILBOX SIZE MANAGEMENT
4.5 RETENTION AND DELETION OF EMAIL ACCOUNTS FOR HOUSE STAFF
4.6 RETENTION AND DELETION OF EMAIL ACCOUNTS FOR HOUSE SUPPORT CONTRACTORS
4.7 ADHERENCE TO CORPORATE DEFAULT SETTINGS AND WAIVERS
5 Policy Enforcement

Introduction

House Information Resources provides electronic mail resources to support the legislative process and administrative services of the U.S. House of Representatives (House). This document sets forth the policy for appropriate use and administration of the House's enterprise mail system.

1.1 Scope

The purpose of this document is to establish the House's policy pertaining to email usage and mailbox administration and management for:

· official use of;
· access to;
· mailbox creation, deletion, and retention;
· mailbox management; and
· disclosure of electronic mail.

2 Definitions

2.1 Contractor

For the purpose of this policy, "Contractor" is defined as any House contracted staff, vendor, or consultant.

2.2 Email Account (Mailbox)

An e-mail account (mailbox) is any mail-enabled resource in Active Directory, such as Contacts, Public Folders, User Accounts, and Groups.
2.3 Hiring Authority

A Hiring Authority is any entity or group within the House with the specific authority to hire House staff. Specific examples include Member Offices, Committee Offices, Leadership Offices, and House Support Offices.

3 Use of Email

The following principles apply to all users of the House's enterprise mail system.

3.1 Authorized Users

Only U.S. House of Representatives Members, Officers, Employees, Fellows, Interns, and Contractors who have received permission under the appropriate Hiring Authority are authorized users of the House's electronic mail systems and resources. With CHA approval, the House may extend use of the House electronic mail system to liaison offices and support staff from other Legislative Branch agencies when it is determined that benefit accrues to the House in support of the legislative process or administrative services.

3.2 Purpose of Use

The use of any House resources for electronic mail must be related to House business. Incidental and occasional personal use of electronic mail is authorized provided that such use does not generate a direct cost for the House. Individual Hiring Authorities may choose more restrictive policies for incidental use. Any such incidental and occasional use of House electronic mail resources for personal purposes is subject to the provisions of this policy.

3.3 Prohibited Uses of Electronic Mail

The following uses of House email are prohibited:

· Personal use that creates a direct cost for the House of Representatives.
· Use for personal monetary gain or for commercial purposes that are not directly related to House business.
· In accordance with statute, use for campaign purposes.
· Use of electronic mail to harass or intimidate others or to interfere with the ability of others to conduct House business.
· Use of electronic mail systems for any purpose restricted or prohibited by laws, regulations, or the rules of the House.
· "Spoofing", which is defined as constructing an electronic mail communication so it appears to be from someone else.
· "Snooping", which is defined as obtaining access to the files or electronic mail of others for the purpose of satisfying idle curiosity, with no substantial House business purpose.
· Attempting unauthorized access to electronic mail or attempting to breach any security measures on any electronic mail system, or attempting to intercept any electronic mail transmissions without proper authorization.

4 Mailbox Administration and Management

The following applies to all House Hiring Authorities and their designated staff with mailbox administration responsibilities.

4.1 Creation of Email Accounts for House Staff

Hiring Authorities are responsible for ensuring that email accounts created in the Hiring Authority's designated office Active Directory container are for legitimate and authorized users.

4.1.1 Populating House Staff E-Mail Accounts

In populating staff e-mail accounts, it is important that mailbox accounts are easily identifiable. At a minimum, all House staff email accounts must include the following attributes:

· Title
· Office (e.g., Member Name, Committee Name, Leadership Office Name)
· Phone Number
· Address
· SMTP address with the following naming convention: Jane.Doe@mail.house.gov
· Approved Mail Names: mail.house.gov or housemail.house.gov

Note: Specific requirements for deletion of House email accounts can be found in section 4.5.

4.2 Creation of Email Accounts for House Support Contractors

Hiring Authorities are responsible for ensuring that requests for creation of House email accounts for support contractors are for legitimate and authorized House business. Based on this determination, Hiring Authorities must submit a request in writing to House Information Resources, within the Office of the Chief Administrative Officer, requesting the creation of these specific contractor email accounts.
These accounts will reside in the Contractor Organizational Unit maintained by House Information Resources.

4.2.1 Populating House Contractor E-mail Accounts

In populating House contractor e-mail accounts, it is important that mailbox accounts are easily identifiable. At a minimum, all contractor email accounts must include the following attributes:

· Contractor Organization clearly identified in the Display Name (e.g., Jane Doe, Smith Company)
· Contractor Phone Number
· Contractor Address
· SMTP address with the following naming convention: Contr.FirstName.LastName (e.g., Contr.Jane.Doe@mail.house.gov)
· Approved Mail Names: mail.house.gov or housemail.house.gov

Note: Specific requirements for deletion of contractor email accounts can be found in section 4.6.

4.3 Access and Disclosure

The Hiring Authority reserves the right to access and disclose the contents of staff electronic mail without the consent of the user. Employees of the House and Contracted Staff are advised that the House's electronic mail systems should be treated like a shared filing system, with the expectation that communications sent or received on House business or with the use of House resources may be made available for review by the Hiring Authority for purposes related to House business. When required to respond to legal processes and to fulfill the House's obligations to third parties (e.g., court subpoenas, investigations), the House will inspect and disclose the contents of electronic mail with as minimal intrusion as possible.

4.4 Mailbox Size Management

Hiring Authorities are responsible for ensuring email account users comply with House limits for mailbox sizes. The House Information Technology Policy entitled "Mailbox Size Limits" is the governing document for established House mailbox limits.

4.5 Retention and Deletion of Email Accounts for House Staff

Hiring Authorities are responsible for the deletion of mailboxes of authorized users upon their departure.
As a courtesy to departing staff, offices may leave the mailbox in existence, with an automatic reply directing communications to the appropriate designated replacement, for a period not to exceed 60 days. Disposition of the content for departing users is subject to the policies of the Hiring Authority. The Hiring Authority shall export, destroy, or archive data content as deemed necessary or appropriate. User accounts must be deleted no later than 60 days after the departure of the authorized user to prevent an accumulation of unused mailboxes that may degrade the performance of the House electronic mail system. The Committee on House Administration authorizes the Chief Administrative Officer to permanently delete all mailboxes of terminated authorized users 60 days after their official termination date.

4.6 Retention and Deletion of Email Accounts for House Support Contractors

The Hiring Authority Office with one or more departing support contractors is required to provide three (3) days' advance notice to House Information Resources when contractor service is being terminated. Upon notification of termination, all affected contractor accounts will be disabled or deleted immediately, based on the Hiring Authority's preference. If initially disabled for archival purposes, the Hiring Authority has 60 days to complete its review, archival, and mailbox deletion activities. After 60 days, House Information Resources will delete the affected accounts.

4.7 Adherence to Corporate Default Settings and Waivers

Hiring Authorities are responsible for ensuring that all user accounts comply with the corporate default settings for Exchange. During the creation or modification of a user account, changes to the corporate defaults for retention of deleted items and mailbox size limits are not permitted. The Exchange corporate default setting for deleted item retention is four days.
In special circumstances, a Hiring Authority, on behalf of an authorized user, may request a temporary waiver of the mailbox size limit due to extended travel, absence, or a stated emergency. The Hiring Authority must submit a written request to the Assistant CAO, House Information Resources, 630 Ford House Office Building, Washington, DC 20515. The requested waiver must state the purpose and the period required, not to exceed 60 days. After the requested period or 60 days, whichever is less, the CAO will reset the mailbox size limits back to the size established by House Information Technology Policy 002.0.

5 Policy Enforcement

The Committee on House Administration authorizes the Chief Administrative Officer to enforce this policy. This includes revoking administrative privileges of any House Office in violation of this policy.

House IT Policy 004.0
The United States House of Representatives Information Technology Policy for Active Directory Account Naming Conventions
Version: 1.0
Approved: December 2008
Approval Authority: The United States House of Representatives Committee on House Administration

House IT Policy 004.0 AD Naming Conventions October 2008

Table of Contents
1 Introduction
1.1 SCOPE
2 Definitions
2.1 ACTIVE DIRECTORY (AD)
2.2 STANDARD USER ACCOUNT
2.3 GENERIC ACCOUNT
2.4 RESOURCE ACCOUNT
2.5 SERVICE ACCOUNT
3 Policy Statement
3.1 IDENTIFYING INFORMATION
3.2 ACCOUNTS
3.3 REQUIRED ATTRIBUTES
4 Utilization of AD Accounts
4.1 STANDARD USER ACCOUNTS
4.2 GENERIC ACCOUNTS
4.2.1 Resource Accounts
4.2.2 Service Accounts
5 Enforcement

1 Introduction

House Information Resources (HIR) provides network authentication services via Microsoft Active Directory (AD) to support the legislative process and administrative services of the U.S. House of Representatives (House).
This document sets forth the policy for appropriate AD account naming conventions and establishes that all AD accounts shall be associated with a named individual. The House Member and Committee handbook will always supersede this policy and any forthcoming policies.

1.1 Scope

The purpose of this document is to describe the various types of AD accounts and establish the House's policy pertaining to the naming and utilization of AD accounts. There are two principal types of AD accounts: standard user accounts and generic accounts. Generic accounts are further divided into resource accounts and service accounts. This document will describe each type and detail the attributes required to accurately associate each account with a named individual.

2 Definitions

2.1 Active Directory (AD)

Active Directory (AD) is the primary authentication platform for the House. It consists of Organizational Units (OUs) that may contain User, Group, Computer, or Contact objects.

2.2 Standard User Account

An AD user account for an individual (staff, contractor, vendor, etc.) to access the House AD system.

2.3 Generic Account

An AD user account that cannot be directly related to an individual (e.g., "Xerox9257", "District Office Weekly Calendar", "AppService").

2.4 Resource Account

A type of AD generic account used to support a resource such as a group mailbox or group calendar. This type of account is not used for casual network access by an individual.

2.5 Service Account

A type of AD generic account used to support a process or application only, and not for casual network access by an individual.

3 Policy Statement

ALL AD accounts shall be implemented as described in section 4 of this document. Additionally, the following principles apply to all users of the House's AD system.

3.1 Identifying Information

All accounts in the House AD system must be clearly associated with a named individual.
3.2 Resource Accounts

If an account is not used for authentication (i.e., nobody logs onto the network with the account) and is only used as a mailbox or calendar "holder", then, aside from containing the identifying information for the account owner, it shall be disabled for security purposes. This does not adversely affect operations, since people access the associated resource through secondary rights granted to their personal accounts.

3.3 Required Attributes

At a minimum, all House AD accounts must include the following attributes:

· Title
· Office (e.g., Member Name, Committee Name, Leadership Office Name)
· Phone Number
· Address
· Description (for Generic Accounts)
· Responsible Party Name (for Generic Accounts)
· Responsible Party Phone (for Generic Accounts)

It is the responsibility of the office to ensure all attribute information is properly maintained and accurate.

4 Utilization of AD Accounts

The following section describes how the different types of AD accounts shall be employed and provides examples where appropriate.

4.1 Standard User Accounts

Standard User Accounts must contain, at a minimum, the First and Last name of the individual for whom the account is created, and be formatted in the following manner:

· The "User logon name (Pre-Windows 2000)" or "UserID" field should be the first letter of the individual's First name followed by the Last name. For example, an individual named "John Doe" would be "JDoe". In the event that the UserID is already in use, then a numeric identifier is appended to the UserID until there is no longer a conflict (e.g., "JDoe1", "JDoe2", etc.).
· The "User logon name" or "User Principal Name" (UPN) field should be the individual's first name, followed by a dot, followed by the last name, and the UPN suffix should be "@mail.house.gov". For example, an individual named "John Doe" would be
In the event that the UPN is already in use, then a numeric identifier is appended to the last name portion of the UPN until there is no longer a conflict (e.g., etc.).

If there are questions about determining the name for a user account, HIR is available to assist.

4.2 Generic Accounts

Generic accounts must contain contact information (a name and phone number at a minimum) for the primary responsible party for that account; this person is responsible for any actions taken by this account. These account names shall contain an identifier that helps associate the account with a particular office, committee, etc., as well as a description of the purpose for the account. There are two primary types of generic accounts: Resource accounts and Service accounts.

4.2.1 Resource Accounts

Resource accounts are those accounts that represent a resource instead of a "normal" user. Examples of resource accounts are group mailbox accounts or group calendars where the associated AD account is not used for regular authentication and is created solely to be associated with (or "to hold") the mailbox or calendar.

4.2.2 Service Accounts

Service accounts are those accounts that provide authentication for an application or service instead of a "normal" user. Examples of these may include accounts that provide data lookup information to applications. Service account names should contain an identifier that ties the account to a particular office, project, and/or application. Like other generic-type accounts, service accounts must also contain contact information for the person acting as the primary responsible party for the account.

5 Enforcement

Any account found without appropriate identifying information is subject to disabling and potential removal from AD by HIR.
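The naming and attribute rules of sections 3.2, 3.3 and 4.1 above can be checked mechanically. The following Python is an added example written for this page, not House or HIR code: it models the section 4.1 UserID and UPN construction with numeric suffixes on conflict, the section 3.3 required-attribute list, and the section 3.2 rule that a resource account used only as a mailbox or calendar holder must be disabled. It runs against an in-memory listing of constructed sample accounts instead of a live directory; the Account record, the attribute key names and the sample values are assumptions of the example.

```python
# Added example: a model of the House AD naming and attribute rules from
# Policy 004.0. Not House/HIR code; an in-memory list of constructed Account
# records stands in for Active Directory.
from dataclasses import dataclass, field

UPN_SUFFIX = "@mail.house.gov"          # UPN suffix required by section 4.1

# Attributes every account must carry (section 3.3), plus the extra ones
# required for generic (resource/service) accounts. Key names are assumed.
REQUIRED_ALL = ("title", "office", "phone", "address")
REQUIRED_GENERIC = ("description", "responsible_party_name",
                    "responsible_party_phone")


@dataclass
class Account:
    user_id: str                 # "User logon name (Pre-Windows 2000)"
    upn: str                     # "User logon name" (User Principal Name)
    kind: str                    # "standard", "resource", or "service"
    enabled: bool
    attrs: dict = field(default_factory=dict)


def _unique(candidate_for, taken):
    """Return candidate_for(None), else candidate_for(1), candidate_for(2), ...
    the first one not already in `taken`. Comparison is case-insensitive
    because AD logon names and UPNs are matched without regard to case."""
    taken_lower = {t.lower() for t in taken}
    n = None
    while True:
        candidate = candidate_for(n)
        if candidate.lower() not in taken_lower:
            return candidate
        n = 1 if n is None else n + 1


def make_user_id(first, last, taken):
    """Section 4.1: first initial + last name; on conflict append 1, 2, ..."""
    base = (first[0] + last).replace(" ", "")
    return _unique(lambda n: base if n is None else f"{base}{n}", taken)


def make_upn(first, last, taken):
    """Section 4.1: First.Last@mail.house.gov; on conflict the numeric
    identifier goes on the last-name portion, before the suffix."""
    first, last = first.replace(" ", ""), last.replace(" ", "")
    return _unique(
        lambda n: f"{first}.{last}{'' if n is None else n}{UPN_SUFFIX}", taken)


def provision_standard_user(first, last, directory, attrs):
    """Create a standard user whose names follow section 4.1 and append it
    to `directory` (a list of Account records)."""
    acct = Account(
        user_id=make_user_id(first, last, [a.user_id for a in directory]),
        upn=make_upn(first, last, [a.upn for a in directory]),
        kind="standard", enabled=True, attrs=dict(attrs))
    directory.append(acct)
    return acct


def audit_account(acct):
    """Policy findings for one account; an empty list means it satisfies
    sections 3.2 and 3.3."""
    findings = []
    required = REQUIRED_ALL + (REQUIRED_GENERIC if acct.kind != "standard" else ())
    for name in required:
        if not acct.attrs.get(name):
            findings.append(f"{acct.user_id}: missing attribute '{name}'")
    # Section 3.2: nobody logs on with a mailbox/calendar holder, so it must
    # be disabled; people reach the resource via rights on their own accounts.
    if acct.kind == "resource" and acct.enabled:
        findings.append(f"{acct.user_id}: resource account must be disabled")
    return findings


def audit_directory(directory):
    """Findings for every account in the listing, in directory order."""
    return [f for acct in directory for f in audit_account(acct)]


# Constructed sample: an existing John Doe already holds JDoe and
# John.Doe@mail.house.gov, so a second John Doe must receive suffixes.
SAMPLE_DIRECTORY = [
    Account("JDoe", "John.Doe@mail.house.gov", "standard", True,
            {"title": "Legislative Aide", "office": "Member Name",
             "phone": "202-555-0100", "address": "Constructed Address"}),
    # Group calendar holder left enabled: violates section 3.2.
    Account("DistCal", "District.Calendar@mail.house.gov", "resource", True,
            {"title": "Calendar", "office": "Member Name",
             "phone": "202-555-0101", "address": "Constructed Address",
             "description": "District Office Weekly Calendar",
             "responsible_party_name": "Jane Doe",
             "responsible_party_phone": "202-555-0101"}),
]

if __name__ == "__main__":
    directory = list(SAMPLE_DIRECTORY)
    new = provision_standard_user("John", "Doe", directory,
                                  {"title": "Caseworker", "office": "Member Name",
                                   "phone": "202-555-0102"})   # address omitted
    print(new.user_id, new.upn)        # JDoe1 John.Doe1@mail.house.gov
    for finding in audit_directory(directory):
        print(finding)
```

The case-insensitive comparison matters in practice: a directory that already holds `jdoe` must still push the new account to `JDoe1`, which is why the taken set is lowercased before the check.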
House IT Policy 005.0
The United States House of Representatives Information Technology Policy for Organizational Unit Admin Security Group Membership
Version: 1.0
Approved: December 2008
Approval Authority: The United States House of Representatives Committee on House Administration

House IT Policy 005.0 AD OU Administration October 2008

Table of Contents
1 Introduction
1.1 Scope
2 Definitions
2.1 Contractor
2.2 Office
2.3 "Code"
3 Policy Statement
3.1 Group Membership
3.2 Elevation of Privileges
4 Description of Administrative Security Groups
4.1 OU Admins Maximum Authority
4.2 OU ExAdmins
4.3 OU Level 3 Support
4.4 OU Level 2 Support
4.5 OU Level 1 Support
5 Enforcement

1 Introduction

House Information Resources (HIR) provides centralized authentication through Microsoft Active Directory (AD) for the U.S. House of Representatives (House). Each office is represented in the AD tree structure by an organizational unit (OU). Within each office OU there is a sub-structure that contains four subordinate OUs. These are "Users", "Computers", and "Servers" for asset and resource management and "Admin Groups" for OU management. This document sets forth the policy for appropriate administration of the security groups contained in the Admin Groups OU. The House Member and Committee handbook will always supersede this policy and any forthcoming policies.

1.1 Scope

The purpose of this document is to establish the House's policy for management of specific administrative security groups in each office. These administrative security groups include:

• OU Admins
• OU ExAdmins
• OU Level 1 Support
• OU Level 2 Support
• OU Level 3 Support

These groups are present in all office OUs and cannot be renamed or removed. A complete description of each group and its function is detailed in Section 3.

2 Definitions

2.1 Contractor

For the purpose of this policy, "Contractor" is any House contracted staff, vendor, or consultant.
2.2 Office

As defined in Section 1.1, the scope of this document is at the office level. For the purposes of this policy, "office" refers to a Member, Committee, Leadership, or Support Office that has a presence in AD.

2.3 "Code"

The "code" refers to the State District Code for a Member Office or the AD Code for a Committee, Leadership, or Support office (e.g. "MajWhip"). These codes are unique to every office OU structure within the directory. When the document refers to a group as "OU Admins", "OU ExAdmins", etc., it is referring generically to the "[code] Admins", "[code] ExAdmins", etc. group for each office OU structure.

3 Policy Statement

3.1 OU Admins Group Membership

Permanent membership within the OU Admins group shall consist of named individuals employed by the office (office staff). As deemed necessary by the office, named individuals (other House staff or support contractors) may be temporarily "elevated" to this group to perform OU Admin functions and then removed upon completion of the assigned work. To ensure transparency and visibility of OU Admin group membership within each office, at no time will subgroups of individuals be allowed within the OU Admins group.

There are a small number of highly sensitive operations that are restricted to the OU Admins group. The execution of these highly sensitive operations should only be performed with the full knowledge and consent of the office. These highly sensitive operations include the e-mail "Send As" and "Alternate Recipient" functions, which could allow an individual to send an e-mail as though they were someone else or to have a copy of an individual's e-mails sent to someone else. Limiting membership in the OU Admins group significantly reduces the risk of an unintended execution of a highly sensitive operation. The vast majority of daily administrative tasks can be completed through membership in one of the other support groups described in section 3 of this document.
The ability to perform daily administrative tasks from the Level 1, Level 2 and Level 3 support groups ensures continued support to the office from vendors, TSRs and other support personnel. Accounts or groups that are currently in the OU Admins group but do not meet the above criteria shall be moved into the Level 3 Support group if, after analysis, they require that level of administrative privileges.

3.2 Elevation of Privileges

The Principle of Least Privilege should be followed at all times in the House AD environment. This means that user accounts should have the minimum level of rights required for the legitimate actions of a person's job function. If a singular action that requires elevated privileges is to be performed by an individual, then that account should be added to the appropriate higher level group only long enough for the action to be carried out, and then the account should be removed from the higher level group.

4 Description of Administrative Security Groups

The following security groups are located in the "Admin Groups" section of each office's Organizational Unit structure. The office OU Admins security group is the only group granted rights to modify membership of these security groups. This is done to preserve a standardized AD structure for the organization.

4.1 OU Admins (maximum authority)

This Security Group grants full access to the AD objects for the given OU structure (user accounts, groups, workstations), and those group members act as the Office OU Administrators. The group membership should be controlled in order to better protect the user accounts and data for the office. Maximum authority to make changes to your office's user accounts, computers and servers is given to members of this security group.

4.2 OU ExAdmins

This Security Group grants its members permission to perform Microsoft Exchange mailbox related activities for the office.
This group only works in conjunction with one of the other Administrative Groups, as it does not grant access to any non-email related attributes of the user account with which the mailbox is associated. This group should have a limited membership, as email is the most widely used method of transferring and storing information inside the House environment.

4.3 OU Level 3 Support

This Security Group grants all of the OU Level 2 Support privileges; in addition it grants its members full control over computer accounts, groups (distribution and security), printers, and shared folders. This group has full control over user accounts except for the mailbox attributes that are granted through the OU ExAdmins group.

4.4 OU Level 2 Support

This Security Group grants all of the OU Level 1 Support privileges; in addition it grants its members permission to create and administer user and computer accounts. However, this group has no deletion capabilities.

4.5 OU Level 1 Support

This Security Group grants its members permission to perform the following functions: create user accounts, set/modify logon scripts, unlock user accounts, and reset user account passwords. This role is used to grant helpdesk personnel the ability to handle the most common support requests with a minimal level of permissions in the office OU. Minimum authority to make changes to your office's user accounts, computers and servers is given to members of this security group.

5 Enforcement

Offices are responsible for ensuring that the OU Admins group membership complies with the above criteria. has responsibility for initiating and coordinating a periodic review and certification process for each office in order to ensure their OU meets the criteria stated in this policy.
House IT Policy 007.0 -- House Bulk Email List Management October 2014

House IT Policy 007.0
The United States House of Representatives Information Technology Policy for Bulk Email List Management
Version: 1.0
Approved: October 2014
Approval Authority: The United States House of Representatives Committee on House Administration

Contents
1 Introduction
1.1 Goal
1.2 Scope
1.3 Authority and Enforcement
2 Definitions
3 List Validation and Cleaning Requirements
3.1 List Validation Services
3.2 List Validation Triggers
3.3 List Cleaning
4 Bounce Handling
4.1 Bounce Acceptance
4.2 Bounce Address Removal
5 Complaints Handling
6 Unsubscribe Handling
7 References

1 Introduction

The Chief Administration Officer (CAO) provides a shared physical infrastructure for the outbound bulk email requirements of Member, Committee, Leadership, and support offices. These House entities create and manage mailing lists for sending bulk email to their intended audiences. This document sets forth the House policy for managing the bulk mailing lists.

1.1 Goal

Poor mailing list management practices can lead to a poor delivery success rate of bulk mail. At its extreme, poor mailing practices can lead to the wholesale blocking of email delivery by email recipient organizations (e.g., internet service providers). Recipient organizations may block, reduce the rate of delivery, or junk messages from the House bulk email servers if they perceive the sender doesn't adhere to best practices. These recipient organization actions are largely, if not entirely, beyond the ability of the CAO to affect.
As a result, the House entities sending bulk email must follow this policy and the CAO must have the authority to take action in order to help ensure successful delivery of bulk email to Members' constituents. The goal of this policy is to promote successful bulk email delivery from the House infrastructure. The policy specifies mailing list management requirements, organizational responsibilities, and related authorized actions.

1.2 Scope

This policy is intended for all users of the House email infrastructure, including House offices, staffers, contractors, and vendors. This policy targets email sent from House infrastructure. External email service providers (ESPs) typically have their own requirements, which may be more stringent than those specified here. Sending bulk email from the House Exchange system is not permitted.

1.3 Authority and Enforcement

Authority for creation and approval of this policy lies with the Committee on House Administration. Authority for enforcement of this policy resides with the Chief Information Officer (CIO) within the Office of the Chief Administration Officer (CAO), subject to the conditions and approval of the Committee.

If an office is transmitting email messages in a manner jeopardizing the House's overall ability to successfully deliver bulk email, the CAO is authorized to take immediate action to enforce this policy. This action is limited to altering the outbound path of the sending IP address or source email addresses. This alternative outbound path is designed to separate out those bulk email senders who have not achieved good email list management practices from the senders who have. Further restrictions may be necessary to preserve the House's ability to deliver bulk email. If further corrective action is needed, the CAO shall immediately submit a proposed course of action to the Committee for approval.
The Committee will not unreasonably withhold approval. In all instances, the CAO will notify the Committee and the noncompliant office if action is taken, as soon as practicable. The CAO will also provide consultative assistance to the noncompliant office in order to improve their mailing list management practices and remediate any policy transgression. This consultative service area may include but is not limited to: Non-Deliverable Receipts (NDRs), spamtrap avoidance, bounced email, recipient complaints, block requests, and the risks of buying lists.

2 Definitions

Bulk Email
For the purpose of this policy, bulk email is defined as any outbound communication of more than 100 uniquely addressed messages of substantially similar content. Note that this number is cumulative, and that sending of the communications is not necessarily limited to a discrete period of time. Generally, bulk communications sent to government officials, the media, and most institutional organizations are not considered bulk email. Bulk email may include both solicited and unsolicited communications, as defined by Franking Commission regulations.

Correspondence Management Systems (CMS)
CMS systems are the IT systems that manage office constituent databases.

Disposable Address
Disposable addresses are temporary addresses used to protect a recipient from unwanted mail. They can also be used as spam traps.

Email Address Harvesting
Email harvesting is the process of obtaining lists of email addresses using various methods for use in bulk email or other purposes. This can be accomplished through special software that gathers email addresses from public web pages, mailing list archives, or internet forums.

Email Bounce
An email bounce (or "bounced email") is an email message returned to the sender by the receiving mail server.

Email Campaign
An email campaign is a series of emails from one sender to one or more mailing lists, containing similar subject and content.
Note: "campaign" in this context is not related to elections.

Email Service Providers
A company which offers email marketing or bulk mail services.

Engagement
For the purposes of this policy, engagement from a potential bulk mail recipient is considered to occur when that person initiates a transactional email sent to the House, a phone call, an office visit, social media interaction, or similar communication.

House Infrastructure
House infrastructure refers to IT assets owned and operated by House entities within the House firewall.

Invalid Address
An invalid address is an SMTP email address which cannot receive email due to a permanent issue such as the account being closed. Addresses that were once valid may become invalid over time.

List Cleaning
List cleaning refers to the process of removing undesirable target addresses from a mailing list. List cleaning is typically performed by the list owner using the results of a list validation.

List Validation
List validation is the process of identifying email addresses in a list which are not desirable targets for mailing. List validation is typically performed by a third-party service.

Mailing List
A mailing list is a collection of SMTP email addresses. Often a list contains additional metadata. Lists may contain internal addresses (mail.house.gov, housemail.house.gov or jct.gov) and external addresses (e.g. yahoo.com). The restrictions in this policy cover external addresses. A mailing list may be stored in a constituent database in a Correspondence Management System (CMS), or it may be stored in a listserv, or in any other type of system.

Non-Delivery Receipt (NDR)
An NDR is an email from a mail system informing the sender of another message about a delivery problem.
Synonyms include: bounce, Non-Delivery Report, Delivery Status Notification (DSN), Non-Delivery Notification (NDN).

Opt-In
This term is used when someone is given the option to receive "bulk" email. Bulk email is typically a mailing list, newsletter, or advertising. Email sent to recipients who have not granted permission (opted in) is unsolicited bulk email. There are several methods of opt-in, including unconfirmed opt-in, where an email address is submitted to a list but not verified, and confirmed opt-in, where a verification email is sent to the submitter to validate that they indeed subscribed to the list. Within the House of Representatives, the Franking Commission has authority to determine what constitutes opt-in.

Role-based Address
Role-based addresses are addresses set aside for functions, not individuals. Examples include sales@domain.com and postmaster@domain.com.

Spam
The IT industry generally defines spam as "unsolicited bulk mail". Several online definitions exist, for example from Wikipedia: "Email spam, also known as unsolicited bulk Email (UBE), junk mail, or unsolicited commercial email (UCE), is the practice of sending unwanted email messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients."

Spam Complaint
A spam complaint is a report from a mailbox provider to a sending entity that indicates when a recipient marked an email as spam. The CAO collects spam complaint reports and makes them available to senders for the purpose of list management. Complaints are also known as a "Feedback Loop Report".

Spamtraps
Spamtraps are usually email addresses created not for communication, but rather to lure spam. In order to prevent legitimate email from being invited, the email address is typically published such that only an automated email address harvester (used by spammers) can find the email address.
Since no email is solicited by the owner of this spamtrap email address, any email messages sent to this address are immediately considered unsolicited.

3 List Validation and Cleaning Requirements

Since acquired lists are primary sources of both invalid addresses and spam trap addresses, acquiring or purchasing a mailing list from third parties is the greatest risk to bulk email delivery success. Any list acquired from a third party must be validated and cleaned by the CAO or an appropriate service prior to being transmitted on the House bulk email infrastructure. The list validation and cleaning service will identify email addresses which should not be used in electronic communication.

3.1 List Validation Services

Any list validation service used by a House sender must identify, at a minimum:

• known invalid addresses
• role-based addresses
• disposable addresses

Any list validation service used by a House sender must not attempt to send email from within the House network or use a House domain in the sending address. Any list validation service used by a House sender must have a published privacy policy which states submitted addresses will not be: sold or provided to a third party for any reason, stored for any length of time for any reason, used by the service for any reason other than to complete the validation process, or made accessible to any individuals without a valid business need to know. The CAO may establish one or more centralized list validation services.

3.2 List Validation Triggers

If a House sender acquires a list, the sender must utilize a list validation service to validate the list after acquisition and before the list is loaded into House systems (e.g., CMS) or used for a mailing. House senders must validate their lists on an annual basis.
3.3 List Cleaning

House office bulk email senders should clean (remove) the following from their lists before using the House's bulk email infrastructure:

• known invalid addresses
• role-based addresses
• disposable addresses

The CAO may establish one or more centralized list cleaning services.

4 Bounce Handling

Bulk email senders should note that invalid or non-deliverable addresses will still be encountered even if lists are developed and cleaned as described above. This will result in "bounced" emails.

4.1 Bounce Acceptance

All bulk email mailings must include a valid return-path (envelope-from) address that can accept bounce messages generated from inside or outside the House network. This address must point to a mailbox or similar container that can accept messages (e.g. is not full, is not restricted, etc.).

4.2 Bounce Address Removal

All bulk email senders must remove "bounced" addresses from the associated list(s) prior to re-sending to the list(s) on the House bulk email infrastructure. When a permanent "hard" bounce is received, identified by a Delivery Status Notification (DSN) code of 5.x.x, and the remote MTA returns a status of "user unknown", the recipient address must be removed from the bulk mailing list prior to sending. Additional 5.x.x bounces may be removed as desired. CMS systems and Listservs must provide automated bounce processing as part of their service offering. Other sending systems should automate where possible, but may use manual methods.

5 Complaints Handling

All bulk email senders should address complaint handling. Many mailbox providers operate feedback loop services to send data back to the CAO when their customers mark messages as spam. House senders should suppress further mailings from the same sender to the complaining recipient, until the recipient requests further engagement.
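The list-cleaning rule of section 3.3 and the hard-bounce rule of section 4.2, as an added example (not text or code from House IT Policy 007.0 or the CAO): the code parses a delivery status notification in the standard multipart/report format, classifies each recipient as must-remove (5.x.x and "user unknown"), may-remove (other 5.x.x) or keep, and then applies validation results to an external mailing list. The NDR, the addresses, the role-based local parts and the disposable domain are constructed sample data.

```python
"""Added example, not from House IT Policy 007.0: DSN bounce classification per
section 4.2 and mailing-list cleaning per section 3.3. All sample data is
constructed (the NDR, addresses, role-based local parts, disposable domain)."""
from __future__ import annotations
import email
from email.message import Message
from typing import Iterable, Iterator

# Internal domains named by the policy; its restrictions cover external addresses only.
HOUSE_DOMAINS = {"mail.house.gov", "housemail.house.gov", "jct.gov"}
# Role-based local parts: a constructed starter set, a validation service supplies the real one.
ROLE_LOCAL_PARTS = {"postmaster", "abuse", "sales", "info", "webmaster", "noreply"}


def recipient_blocks(raw_ndr: str) -> Iterator[Message]:
    """Yield the per-recipient field blocks of the message/delivery-status part (RFC 3464)."""
    msg = email.message_from_string(raw_ndr)
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            blocks = part.get_payload()   # list of Message objects, one per field block
            yield from blocks[1:]         # blocks[0] holds the per-message fields


def _address(field: str | None) -> str:
    """'rfc822; user@example.net' -> 'user@example.net'."""
    return field.split(";", 1)[-1].strip().lower() if field else ""


def classify(blk: Message) -> tuple[str, str]:
    """Section 4.2 verdict for one recipient: must-remove, may-remove or keep."""
    status = (blk.get("Status") or "").strip()
    action = (blk.get("Action") or "").strip().lower()
    diagnostic = (blk.get("Diagnostic-Code") or "").lower()
    addr = _address(blk.get("Final-Recipient"))
    if action == "failed" and status.startswith("5."):
        if "user unknown" in diagnostic:
            return "must-remove", addr    # permanent hard bounce: remove before the next send
        return "may-remove", addr         # other 5.x.x: removal at the sender's discretion
    return "keep", addr                   # 4.x.x / delayed / delivered: not a hard bounce


def bounce_removals(raw_ndr: str) -> set[str]:
    """Addresses the policy requires removing, taken from one NDR."""
    return {addr for verdict, addr in map(classify, recipient_blocks(raw_ndr))
            if verdict == "must-remove"}


def clean_list(addresses: Iterable[str], invalid: Iterable[str] = (),
               disposable_domains: Iterable[str] = (), bounced: Iterable[str] = ()) -> list[str]:
    """Sections 3.3 and 4.2: drop known-invalid, role-based, disposable and hard-bounced
    external addresses; internal House addresses pass through untouched."""
    invalid = {a.lower() for a in invalid}
    disposable_domains = {d.lower() for d in disposable_domains}
    bounced = {a.lower() for a in bounced}
    kept = []
    for raw in addresses:
        addr = raw.strip().lower()
        local, _, domain = addr.rpartition("@")
        if domain in HOUSE_DOMAINS:
            kept.append(addr)
            continue
        if (addr in invalid or addr in bounced or domain in disposable_domains
                or local in ROLE_LOCAL_PARTS):
            continue
        kept.append(addr)
    return kept


# Constructed NDR with three recipients: user unknown, mailbox full, transient delay.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mx.example.net
To: bounces@lists.example-house.invalid
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.example.net.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; gone@example.net
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <gone@example.net>: User unknown

Final-Recipient: rfc822; full@example.net
Action: failed
Status: 5.2.2
Diagnostic-Code: smtp; 552 5.2.2 Mailbox full

Final-Recipient: rfc822; slow@example.net
Action: delayed
Status: 4.4.1
--B1--
"""

if __name__ == "__main__":
    for verdict, addr in map(classify, recipient_blocks(SAMPLE_NDR)):
        print(f"{addr}: {verdict}")
    print(clean_list(["Jane@example.com", "postmaster@example.org", "gone@example.net"],
                     bounced=bounce_removals(SAMPLE_NDR)))
```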
The House office bulk email sender could send complainers an "engagement" email to determine their exact preferences so they receive only the mail they are interested in.

6 Unsubscribe Handling

Bulk email must include an unsubscribe link in the body of the email under the conditions prescribed in the regulations of the Committee on House Administration.

7 References

• Simple Mail Transfer Protocol (SMTP) Enhanced Status Codes Registry, http://www.iana.org/assignments/smtp-enhanced-status-codes/smtp-enhanced-status-codes.xhtml
• The Committee on House Administration places other restrictions on bulk email in the Member's Congressional Handbook.

U.S. House of Representatives Standards for New Purchases of Computer-related Equipment March 2, 2017

A set of criteria established by the Committee on House Administration to ensure technical excellence and quality performance and to eliminate premature obsolescence. These are minimum standards for new purchases.

PC STANDARD

Please note bold indicates a modification has been made. Please consider using the Blanket Purchase Agreements with CDWG and Dell when ordering equipment.

CPU: Intel Core i5 6000 series or higher; AMD Athlon X4 or higher
RAM: 8 GB
Ports: 2 USB v3.0 or higher ports front side recommended; 2 USB v3.0 or higher ports backside
DVD -/+ RW Drive: 8x speed recommended, not required
Pointing Device: USB pointing device
Hard Disk Size: 256 GB SSD or SATA drive. SSD recommended, not required
Processor Cache: 3 MB L2 cache
Keyboard: 101 key USB keyboard
Video Display Adapter: 256 MB RAM
Video Monitor: 1024 x 768 non-interlaced resolution
Network Interface: IEEE 802.3 compliant; 10/100/1000 NIC connector
Operating System: PCs must come with a license for Windows. PCs on the House network must run Windows 7 Enterprise 64 bit or Windows 10.x Enterprise 64 bit.
Windows 7 Professional and 10 Professional are not supported and must be upgraded to the Enterprise version.
*Beginning October of 2018, Office 365/2016 will be the only supported Microsoft Office Suite due to U.S. House licensing agreements.

PC LAPTOP STANDARD

Please note bold indicates a modification has been made. Please consider using the Blanket Purchase Agreements with CDWG and Dell when ordering equipment.

CPU: Intel Core i3 6000 series or higher, or AMD A6 or higher
Expansion Slots: 1 SD memory card reader
RAM: 4 GB minimum, 8 GB recommended
Ports: 1 USB v3.0 or higher port
Pointing Device: Stylus, TouchPad or Touchscreen
Battery: 3 hour operating time
Hard Disk Size: 256 GB SSD or SATA drive. SSD recommended, not required
Video Display: 11" color display (13" recommended; external HDMI or SVGA port recommended)
Video Adaptor: 256 MB
Network Interface: IEEE 802.3 compliant; 10/100/1000 NIC connector (Bluetooth and 802.11 a/b/g/n, 802.11ac recommended)
Operating System: PCs must come with a license for Windows. PCs on the House network must run Windows 7 Enterprise 64 bit or Windows 10.x Enterprise 64 bit. Windows 7 Professional and 10 Professional are not supported and must be upgraded to the Enterprise version.
*Beginning October of 2018, Office 365/2016 will be the only supported Microsoft Office Suite due to U.S. House licensing agreements.

PRIMARY FILE/PRINT/DATABASE SERVER STANDARD

Please note bold indicates a modification has been made.

Member Offices electing to join the House Cloud File Service (HCFS) will not be required to purchase new server hardware. Applications sold by CMS Providers may require hardware with higher capabilities than those outlined herein. Offices are encouraged to consult with their vendor before purchase.
Operating system: Windows Server 2008 R2 Standard Edition or greater
Processor: Intel® Xeon® E3 1200 v3 4 Core 2.3 GHz
Bus Type: 2 PCI Express 3.0 x8 or x16
RAM: 4 GB expandable to 8 GB
Ports: 1 Serial with 16550 UART (optional); 1 Parallel (optional); 4 USB ports (6 recommended if using external hard drive backup systems)
DVD +/- RW Drive: 8X speed
Data Storage: Minimum 100 GB (consult with your vendor and TSR to ensure adequate space for operating systems and server based applications in addition to the 100 GB minimum free space for data)
Hard Disk Speed: 10,000 RPM (interface must be compatible with the drive speed)
Keyboard: 101 key enhanced (USB), optional
Video Display Adapter: SVGA with 64 MB VRAM and 1024x768x256 color support
Video Monitor: Optional
Network Interface: 10/100/1000 NIC on the system board; IEEE 802.3 compliant
Protocol Support: TCP/IP compliant as specified in RFC 1122 and RFC 1123
Backup: Must be able to back up all hard disk space. If drives are added later, the backup solution must be upgraded to accommodate the additional drives.
Uninterruptible Power Supply (UPS): 1400 watt (UPS must provide appropriate backup for the system)

NETWORK CAPABLE PRINTER STANDARD

Please note bold indicates a modification has been made. Please consider using the Blanket Purchase Agreements with CDWG and Dell when ordering equipment.

Printing Languages: PCL or PostScript
Printing Resolution: 600x600 dpi
Networking: Ethernet connectivity option with TCP/IP support
RAM: If purchasing a PostScript printer, the requirement is a minimum of 16 MB of RAM
Hard disks and non-volatile dynamic memory devices are not recommended.

SUPPLEMENTAL COMPUTER EQUIPMENT STANDARDS

Please consult with your CAO Technology Support Representative (TSR) to ensure equipment compatibility and appropriateness prior to purchase of any computer related equipment.
Optical Scanner: 2400x2400 dpi resolution
Networked Scanners, Digital Senders, or Multifunction Devices (New): Devices with e-mail and LDAP functionality must allow the entry of a host name for the SMTP Relay and/or the LDAP server.
Printers and copiers: Printers and copiers using Thermal Film Transfer or Dye-Sublimation technologies are not authorized.
Apple Macintosh: Apple Laptop and Desktop computers must meet or exceed the current minimum specifications offered directly from Apple for iMacs, Mac Mini, MacPro, MacBooks and MacBook Pros.
Televisions/TV cards: Must be able to receive ATSC, Clear QAM and Analog signals (NTSC). TVs and TV tuner adapters must have a 75 ohm antenna 'F' type connector. "Smart" or internet connected TVs will work with the House provided TV signals, but the embedded browsers, wireless connectivity and entertainment applications are not supported and may not function properly.
Other Computer Related Equipment: Members' offices are required to receive approval from a CAO Technical Support Representative (TSR) before purchase.