
Computer Compliance Guide (CCG) - Norfolk Southern Railway

Computer Compliance Guide, January 15, 2017. Computer Compliance Guide (CCG). Revision June 1, 2017.
CONFIDENTIAL. Not for disclosure outside Norfolk Southern except by approval of VP Information Technology.
Computer Compliance Guide, June 1, 2017.

Table of Contents (Section .. Page)

1 Computer Compliance Guide (CCG) .. 1
  GENERAL CCG .. 1
  ROLES AND .. 3
    Senior Management .. 3
    Information Risk Management Advisory Council .. 4
    Computer Security Committee (CSC) .. 4
    Information Security Management .. 4
    Department Information Asset Owner .. 5
    System Internal Audit .. 7
    Security Point of Contact (SPOC)

Computer Compliance Guide, January 15, 2017. Revision 6.1, June 1, 2017. CONFIDENTIAL. Not for disclosure outside Norfolk Southern except by approval of VP Information Technology.


Transcription of Computer Compliance Guide (CCG) - Norfolk Southern Railway


    Security Point of Contact (SPOC) .. 7
    Users .. 8
2 Information Security Policies & Procedures .. 10
  SYSTEM ACCESS SECURITY .. 10
    Identification and .. 10
    Authorization and Access Control .. 10
    System Logging Capability and Requirements .. 11
    Digital Certificates and Encryption .. 11
    Unauthorized Software and Malicious Code Prevention .. 12
    Security Monitoring Guidelines .. 13
  COMMUNICATIONS AND NETWORK SECURITY .. 13
    Network Access .. 14
    Click Agreement and Warning/Notice .. 14
    Dial-in .. 14
    Nonstandard Access Paths .. 15
    Modems in the Computing .. 15
    Network .. 15
    Connecting to External Networks .. 16
    Electronic .. 16
    Internet Connections and Other Online Services .. 19
    Downloading and Uploading Files .. 20
    Intranet Services .. 21
  ADMINISTRATIVE CONTROLS .. 22
    Personnel and .. 22
    User Administration .. 23
    Security Awareness and Training .. 24
    Systems Documentation .. 24
  PHYSICAL ACCESS SECURITY .. 24
    General Physical Security .. 25
    General Security .. 25
    Physical Security Review Requirements .. 26
    Communications & Computer Equipment Resource Rooms .. 26
  DISTRIBUTED Computer PROCEDURES .. 27
    General Guidelines .. 27
    .. 28
    .. 28
    Information Security .. 29
    User Responsibilities .. 30
3 Violations and .. 31
  VIOLATION REPORTING GUIDELINES .. 31
  VARIANCE REQUESTS .. 32
4 Risk Assessment and Treatment .. 33
  ASSESSING SECURITY RISKS .. 33
  TREATING SECURITY RISKS .. 33
5 Security .. 33
  INFORMATION SECURITY POLICY .. 33
    Information Security Policy Document .. 33
    Review of Information Security Policy .. 33
6 Organization of Information Security .. 33
  INTERNAL .. 33
    Management Commitment to Information Security .. 33
    Information Security Coordination .. 33
    Allocation of information security .. 33
    Authorization process for Information Processing .. 33
    Confidentiality .. 34
    Contact with special interest groups .. 34
  EXTERNAL .. 34
    Identification of risk related to external parties .. 34
    Addressing security when dealing with customers .. 34
    Addressing security in third party agreements .. 34
7 Human Resource .. 35
  PRIOR TO .. 35
    Roles and Responsibilities .. 35
    .. 35
    Terms and conditions of employment .. 35
  DURING EMPLOYMENT .. 35
    Management .. 35
    Information security awareness, education and training .. 35
    Disciplinary process .. 35
  TERMINATION OR CHANGE OF .. 35
    Termination responsibility .. 35
    Return of assets .. 35
    Removal of access .. 35
8 Asset .. 35
  RESPONSIBILITY OF ASSETS .. 35
    Inventory of Assets .. 35
    Ownership of Assets .. 36
    Acceptable use of assets .. 36
  INFORMATION .. 36
    .. 36
    Confidentiality .. 36
    Data Storage .. 37
    Destruction and Disposal .. 38
    Availability .. 38
    Availability Procedures .. 38
9 Access Control .. 39
  BUSINESS REQUIREMENTS FOR ACCESS CONTROL .. 39
    Access Control .. 39
  USER ACCESS MANAGEMENT .. 39
    User Registration .. 39
    Privilege Measurement .. 39
    User password management .. 39
    Review of User Access Rights .. 39
  USER RESPONSIBILITIES .. 40
    Password .. 40
    Unattended User Equipment .. 40
    Clear Desk and Clear Screen Policy .. 40
  NETWORK ACCESS CONTROL .. 40
    Policy on Use of Network Services .. 40
    User Authentication for External Connections .. 40
    Segregation in Networks .. 40
    Network Connection Control .. 41
    Network Routing Control .. 41
  OPERATING SYSTEM ACCESS CONTROL .. 41
    Secure Log-On Procedures .. 41
    User Identification and .. 41
    Password Management System .. 41
    Use of System Utilities .. 41
    Session Time-Out .. 41
  APPLICATION ACCESS CONTROL .. 41
    Information Access Restriction .. 41
  MOBILE COMPUTING AND TELEWORKING .. 42
    Mobile Computing and Communication .. 42
10 Cryptography .. 42
  POLICY ON THE USE OF CRYPTOGRAPHIC .. 42
  ENCRYPTION .. 42
11 Physical and Environmental Security .. 43
  SECURE AREAS .. 43
    Physical security Perimeter .. 43
    Physical entry .. 43
    Securing offices, rooms and facilities .. 43
    Protecting against external and environmental .. 43
    Working in secure areas .. 43
    Public access, delivery and loading .. 43
  EQUIPMENT .. 43
    Equipment siting and protection .. 43
    Support .. 43
    Equipment .. 43
    Security of equipment off-premises .. 43
    Secure disposal or reuse of .. 44
    Removal of Property .. 44
12 Operations security .. 44
  OPERATIONAL PROCEDURES AND .. 44
    Documented operating .. 44
    Change .. 44
    Segregation of Duties .. 44
    Separation of development and Operations facilities .. 44
  SYSTEM PLANNING AND ACCEPTANCE .. 44
    Capacity .. 44
  PROTECTION AGAINST MALICIOUS AND MOBILE .. 44
    Controls against Malicious .. 45
    Controls against Mobile .. 45
  .. 45
    Information Backup .. 45
  MONITORING .. 45
    Audit logging .. 45
    Monitoring system use .. 46
    Protection of log .. 46
    Administrator and operator logs .. 46
    Fault .. 46
13 Communications .. 47
  NETWORK SECURITY .. 47
    Network .. 47
    Security of Network services .. 47
  MEDIA .. 47
    Management of removable media .. 47
    Disposal of Media .. 48
    Information handling .. 48
    Security of system documentation
