Policies, Standards and Guidelines

The NYS Office of Cyber Security (OCS) is responsible for developing and distributing policies, standards and guidelines regarding cyber security, critical infrastructure and geographic information systems coordination.

Cyber Incident Reporting Policy

• P03-001 - V3.1 - May 3, 2011
  This Policy defines a process and procedure for New York State governmental entities to report cyber security incidents to the New York State Office of Cyber Security.

Information Security Policy

• P03-002V3.4 - July 30, 2010
  This Policy sets forth the minimum requirements, responsibilities and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. This Policy documents many of the security practices already in place in some State entities.

Publically Available Standards for the Information Security Policy:

• Role and Responsibilities of the State Entity Information Security Officer Standard (P03-002, Part 4. Organizational Security Policy)-
  S10-001 - V1.1 - July 30, 2010
  This Standard defines the annual Continuing Professional Education (CPE) credit requirements for Information Security Officers in the State.
• Monitoring System Access and Use Standard (P03-002, Part 10. Access Control Policy) - S10-005 - V1.1 - July 30, 2010
  This Standard defines audit log requirements for State systems and applications
• Cryptographic Controls Standard (P03-002, Part 11. Systems Development and Maintenance Policy)- S10-006 - V1.1 - July 30, 2010
  This Standard defines the requirements for encryption of data at rest and data in transit. Included in the Appendix of this Standard is guidance in selecting FIPS 140 validated products.
• Key Management Standard (P03-002, Part 11. Systems Development and Maintenance Policy)S10-007 - V1.1 - July 30, 2010
  This Standard defines the requirements for management of encryption.

Information Classification and Control Policy and Standard (with Appendices)

• PS08-001 - V1.2 - February 7, 2012
  This Policy and Standard defines a classification scheme for information, provides procedures for classifying information and supplies baseline controls to protect the confidentiality, integrity and availability of information.
  • Exemption Request Form PS08-001 - Appendix A - V1.2 - February 7, 2012
    This form is for use in limited situations where a State entity determines that a particular control can not be implemented due to technical constraints or business limitations.
  • Information Asset Classification Worksheet - PS08-001 - Appendix C - V1.2 - February 7, 2012
    This worksheet is provided as a tool to assist State entities in inventorying and classifying their information.
  • Information Control Charts and Glossary - PS08-001 Appendices D & E - V1.2 - February 7, 2012
    The information control charts contain the baseline controls for the protection of the confidentiality, integrity and availability (CIA) of information. The charts are arranged by CIA classification rating. The glossary provides clarification on each control.
  Please note Appendices C, D and E are available in an automated tool called the Information Asset Classification System (IACS). This application is available to all New York State governmental entities utilizing NYS Directory Services. For further information, contact the Office of Cyber Security at ocs.info@dhses.ny.gov

Cyber Security Policies, Standards and Guidelines - Definitions & Acronyms - V1.2 - September 24, 2010

This document includes definitions and acronyms for the above listed cyber security policies, standards and guidelines. Defined terms appear in italics.

Secure Use of Social Media Guideline G10-001 - V1.1 - February 6, 2012

This guideline is designed to educate State government entities on the risks associated with social media and provide best practices for the secure use of social media in New York State government.

GIS Data Sharing 97-6* - (July 17, 1997)

Computerized geographic data that is created, collected, processed, disseminated, and stored by public agencies in New York State is a valuable information resource. This policy will facilitate the sharing of Geographic Information System (GIS) data and improve access to computerized geographic data across all levels of government.

Statewide Geographic Information Systems - 96-18* - (September 17, 1996)

The purpose of this bulletin is to establish a framework for the development of a Statewide GIS Program.

NYS GIS Strategic Plan - (August, 2008)

The intent of this plan was to evaluate New York's statewide GIS environment, and then to establish strategies that will help encourage intergovernmental cooperation and coordination in maintaining the data layers most commonly needed. The overall aim was to improve GIS data quality, currency, and accessibility through data sharing.

*These policies were issued by the New York State Office for Technology.

Reports

2011 Internet Crime Report

The Internet Crime Complaint Center (IC3) 2011 Internet Crime Report is an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. As more Internet crimes are reported, IC3 can better assist law enforcement in the apprehension and prosecution of those responsible for perpetrating Internet crime.

 

 

2012 Verizon Business Data Breach Investigations Report

The 2012 Verizon Business Data Breach Investigations Report (DBIR) series, conducted by the Verizon RISK Team with cooperation from the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit (PCeU) of the London Metropolitan Police.

With the addition of Verizon's 2011 caseload and data contributed from the organizations listed above, the DBIR series now spans eight years, well over 2000 breaches, and greater than one billion compromised records.

 

 

Blueprint for a Secure Cyber Future

The Blueprint for a Secure Cyber Future builds on the Department of Homeland Security Quadrennial Homeland Security Review Report's strategic framework by providing a clear path to create a safe, secure, and resilient cyber environment for the homeland security enterprise. With this guide, stakeholders at all levels of government, the private sector, and our international partners can work together to develop the cybersecurity capabilities that are key to our economy, national security, and public health and safety. The Blueprint describes two areas of action: Protecting our Critical Information Infrastructure Today and Building a Stronger Cyber Ecosystem for Tomorrow. The Blueprint is designed to protect our most vital systems and assets and, over time, drive fundamental change in the way people and devices work together to secure cyberspace. The integration of privacy and civil liberties protections into the Department's cybersecurity activities is fundamental to safeguarding and securing cyberspace.

 

Symantec Global Internet Security Threat Report

The Symantec Global Internet Security Threat Report provides an annual overview and analysis of worldwide Internet threat activity, a review of emerging trends in attacks, malicious code activity, phishing, and spam. The Symantec Internet Security Threat Report gives organizations, enterprises and consumers the essential information to secure their systems effectively now and into the future.

 

 

 

 

McAfee/Center for Strategic and International Studies (CSIS) Report

The report is a follow up to a report released in 2010 called "In the Crossfire: Critical Infrastructure in the Age of Cyberwar," that found that many of the world's critical infrastructures lacked protection of their computer networks, and revealed the staggering cost and impact of cyberattacks on these networks. More than 200 IT executives in the energy, oil/gas and water sectors, responsible for information technology security, general security and industrial control systems in 14 countries were surveyed for the report. CSIS then analyzed the quantitative results, conducted additional research and authored the report.

 

 

 

Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers

A research team at the University of Kansas conducted a study concerning state-level Chief Information Security Officers, Chief Information Officers and their collaborations, particularly in the area of cyber and information security.

 

 

 

 

 

Sixty-Day Cyberspace Policy Review

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. The 60-day cyberspace policy review, ordered by President Obama and led by Melissa Hathaway summarizes conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future.

 

 

 

 

Securing Cyberspace for the 44th Presidency

In December 2008, the Center for Strategic & International Studies' Commission on Cybersecurity for the 44th Presidency released its final report, "Securing Cyberspace for the 44th Presidency." The Commission was co-chaired by Representative James R. Langevin, Representative Michael T. McCaul, Mr. Scott Charney, Microsoft, and Lt. General Harry Raduege, USAF (Ret). Mr. James A. Lewis was Project Director. The Commission comprised more than thirty cyber security experts from government and industry to identify recommendations for the next administration in improving the nation's cyber security.

 

 

Brochures

• Cyber Security Awareness Brochure
• Home Personal Computer Maintenance for Windows Operating Systems
• Securing a Wireless Network
• Why Cyber Security is Important

Relevant Laws, Guidelines, Regulations and Cyber Security Policies

The following is a list of various sources of laws, regulations, and guidelines intended to assist State agencies.

New York State Laws

• NYS Information Security Breach and Notification Act
• Public Officers Law
  (After the page loads click PBO from list)
  Personal Privacy Protection Law, Article 6-A,
  §92(9) - definition of "record"
  §95(b) - denial of access to records
• Penal Law §156
  (After the page loads click PEN from list; then click Article 156- "Offenses involving computers; definition of terms.")

• NYS Electronic Equipment Recycling and Reuse Act

  The NYS Electronic Equipment Recycling and Reuse Act (Article 27, Title 26 of the Environmental Conservation Law) was signed into law on May 28, 2010 with the bulk of the Act being effective as of April 1, 2011. The Act, among other things, addresses a very important data privacy and security issue related to the storage of "personal or confidential information" on certain "covered electronic equipment" as defined by the Act.

  Many of our networked multifunctional devices such as printers, faxes and copiers actually contain hard drives or internal memory capable of storing data about the document being printed, copied and/or faxed. If we do not take precautions to wipe or delete the information from this internal memory when the devices are sold, repaired, recycled or surplused, there is potential for the information to fall into the wrong hands which could lead to identity theft or fraud. The Act requires manufacturers of these covered devices to make information on how to delete the information from this memory available to consumers.

  General information on Erasing Information and Disposal of Electronic Media.

State Archives and Records Administration

• §57.05 of the Arts and Cultural Affairs Law (ACAL)
  "Archives and Records Management Law for the Records of New York State Government."

Health and Human Services: Health Insurance Portability and Accountability Act of 1996

• The HIPAA Law and Related Information
  

Federal Laws

• Requirements for Governmental Access
• Title 17 U.S.C. §506
  The No Electronic Theft ("NET") Act § 506 Criminal Offense, (a) Criminal Infringement
• Title 18 U.S.C. §1029, 1030, 2511
  Fraud and related activity in connection with access devices; computers; and interception and disclosure of wire, oral or electronic communications prohibited, respectively
• Title 18 U.S.C. §1030 Fraud and Related Activity in Connection with Computers
  
• Title 18 U.S.C. §2701 Criminal infringement of a copyright
  Unlawful Access to Stored Communications
• USA Patriot Act
• www.cybercrime.gov

  Web site for the U.S. Department of Justice Computer Crime and Intellectual Property Division.

Related Sites

Government Security Sites

• Department of Homeland Security
• United States Computer Emergency Readiness Team (US-CERT)
• Department of Defense Computer Emergency Response Team
• Federal Computer Incident Response Center
• Department of Justice
• United States Computer Emergency Readiness Team (US-CERT) - Control Systems Security Program

National Information Sharing and Analysis Center

• Multi-State Information Sharing and Analysis Center (MS-ISAC)

Security Resources

• Center for Education and Research in Information Assurance and Security
• Center for Internet Security
• CERT Coordination Center (CERT/CC)
• Computer Security Institute
• CVE - Common Vulnerabilities and Exposures (CVE)
• Dartmouth Institute for Security Technology Studies News Feed
• Federal Communications Commission - Cybersecurity for Small Business
• Forum of Incident Response and Security Teams
• Institute for Security, Technology and Society
• Internet Crime Complaint Center Scam Alerts
• Internet Storm Center
• IWS - The Information Warfare Site
• McAfee Virus Information Library
• National Institute of Standards and Technology (NIST) - Computer Security Resource Center
• Netscreen Security Alerts
• The Network Reliability and Interoperability Council (NRIC) Cyber Security Preventive and Recovery Practices
• Norman Antivirus Warnings
• RedHat Linux Alerts & Advisories
• Sans Free Security Resources
• SANS Top 20 Controls
• Secunia
• Securely Speaking
• Security Focus - News, advisories, vulnerablities and Library
• Shadow Server
• Sophos Virus Info
• Trend Micro Virus Information
• Zero Day Initiative