Statewide Information Security Manual
INTRODUCTION
PURPOSE
The purpose of this policy is to establish a statewide security policy for North Carolina State agencies and the State
network. This policy also establishes principles to ensure a secure network infrastructure that integrates
confidentiality, availability, and integrity into the infrastructure design, implementation, and maintenance, in order
to do the following:
a. Protect the State’s infrastructure and citizens’ data, whether hosted by external entities or within
State data centers, from both internal and external threats.
b. Provide a consistent and repeatable framework by which IT assets can be securely connected to the
State network.
c. Support the State’s initiative to establish standards that manage technology and risk and increase
consistency and accessibility.
OWNER
State Chief Risk Officer
SCOPE
The Statewide Information Security Manual is the foundation for information technology security in North
Carolina. It sets out the statewide information security standards required by N.C.G.S. §143B-1376, which directs
the State Chief Information Officer (State CIO) to establish a statewide set of standards for information technology
security to maximize the functionality, security, and interoperability of the State’s distributed information
technology assets, including, but not limited to, data classification and management, communications, and
encryption technologies. These standards apply to all executive branch agencies, their agents or designees subject
to Article 15 of N.C.G.S. §143B. Use by local governments, local education agencies (LEAs), community colleges,
constituent institutions of the University of North Carolina (UNC) and other executive branch agencies is
encouraged to the extent allowed by law.
POLICY
The State has adopted the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 –
Guide for Applying Risk Management Framework (RMF) for Federal Information Systems, as the standard for
managing information security risk in State IT resources. The RMF provides a disciplined and structured process
that integrates information security and risk management activities into the system development life cycle. The
NIST RMF utilizes NIST SP 800-53 as the foundation for identifying and implementing security controls. NIST 800-
53 Rev 4 organizes these security controls into (17) Control Families. Table 1 identifies the control family names
which will be utilized within the State security policies.
Table 1 – Control Families (columns: ID, Family; the table body is not present in this copy)
SECURITY CATEGORIZATION
There are two levels of security categorization to be used within the State: Low and Moderate. Security controls
must be selected based on the data classification and security categorization of the information system and/or
requirements for the specific operating environment.
Low Systems: Systems that contain only data that is public by law or directly available to the public via
such mechanisms as the Internet. In addition, desktops, laptops and supporting systems used by agencies
are Low Risk unless they store, process, transfer or communicate Restricted or Highly Restricted data.
Moderate Systems: Systems that store, process, transfer or communicate Restricted or Highly Restricted
data, or that have a direct dependency on a Moderate system. Any system that stores, processes, transfers or
communicates PII or other sensitive data types is classified as a Moderate system, at a minimum.
Agencies may tailor the baseline controls, as needed to enhance the security posture, based on their unique
organizational needs. Such enhancement may be required, for example, by additional requirements mandated by
Federal agencies such as the Internal Revenue Service (IRS) and others. All agencies are required to implement and
comply with the baseline controls within the Statewide Information Security Manual, unless otherwise prescribed
by Federal or State statute.
Agencies must evaluate each system and identify which of the above security categorization levels it falls within. This step is
crucial in facilitating and understanding roles and responsibilities as they pertain to audits and assessments. The
following Table 2 - Security Control Baseline identifies those controls that will be implemented if a system is
categorized as Low or Moderate. The table is based on NIST 800-53 Rev 4 and has been modified to meet State of
North Carolina use.
Note: Controls shown with a number in parentheses, e.g. (X), include control enhancements above the baseline requirement.
Controls listed as “Optional” may be utilized to enhance the security posture of the information system. These
controls are NOT to be considered mandatory. Agencies should understand that the implementation of these
controls may require additional funding. The description of these controls may be found at the following link:
https://web.nvd.nist.gov/view/800-53/Rev4/home.
Table 2 - Security Control Baseline

ID     | Control                                                    | Low      | Moderate
-------|------------------------------------------------------------|----------|-----------------------
Access Control
AC-1   | Access Control Policy and Procedures                       | AC-1     | AC-1
AC-2   | Account Management                                         | AC-2     | AC-2 (1) (2) (3) (4)
AC-3   | Access Enforcement                                         | AC-3     | AC-3
AC-4   | Information Flow Enforcement                               | AC-4     | AC-4
AC-5   | Separation of Duties                                       | AC-5     | AC-5
AC-6   | Least Privilege                                            | AC-6     | AC-6
AC-7   | Unsuccessful Logon Attempts                                | AC-7     | AC-7
AC-8   | System Use Notification                                    | AC-8     | AC-8
AC-9   | Previous Logon (Access) Notification                       | Optional | Optional
AC-10  | Concurrent Session Control                                 | Optional | Optional
AC-11  | Session Lock                                               | AC-11    | AC-11 (1)
AC-12  | Session Termination                                        | AC-12    | AC-12
AC-14  | Permitted Actions without Identification or Authentication | AC-14    | AC-14
AC-16  | Security Attributes                                        | Optional | Optional
AC-17  | Remote Access                                              | AC-17    | AC-17 (1) (2) (3) (4)
AC-18  | Wireless Access                                            | AC-18    | AC-18 (1)
AC-19  | Access Control for Mobile Devices                          | AC-19    | AC-19 (5)
AC-20  | Use of External Information Systems                        | AC-20    | AC-20 (1) (2)
AC-21  | Information Sharing                                        | Optional | AC-21
AC-22  | Publicly Accessible Content                                | AC-22    | AC-22
AC-23  | Data Mining Protection                                     | Optional | Optional
AC-24  | Access Control Decisions                                   | Optional | Optional
AC-25  | Reference Monitor                                          | Optional | Optional
Awareness and Training
AT-1   | Security Awareness and Training Policy and Procedures      | AT-1     | AT-1
AT-2   | Security Awareness Training                                | AT-2     | AT-2 (2)
AT-3   | Role-Based Security Training                               | AT-3     | AT-3
AT-4   | Security Training Records                                  | AT-4     | AT-4
Audit and Accountability
AU-1   | Audit and Accountability Policy and Procedures             | AU-1     | AU-1
This Manual is the foundation for information technology security in state government and is required for all
executive branch agencies to follow in order to comply with statewide information security standards. To be
successful, Agency leadership must continue to emphasize the importance of information security throughout
their organizations and at their discretion, implement additional supplementary controls as deemed necessary.
When considering the supplementary controls not included in the State’s policies, agencies should refer to NIST SP
800-53 Rev 4 and industry security practices related to information technology implementation. Agencies are also
required to ensure ongoing compliance by implementing continuous monitoring activities.
Agencies must implement appropriate safeguards as defined in the supporting policy documents (such as
identification and authentication, encryption, data filtering, tagging, multi-factor authentication or segregation) to
ensure Restricted and Highly Restricted information, including Personally Identifiable Information (PII), Federal Tax
Information (FTI) and Payment Card Industry (PCI) data, is protected from inappropriate disclosure, misuse, or other security
breaches, in accordance with State, Federal and other security standards and requirements.
Agencies must ensure an appropriate response in the event of a breach of sensitive PII consistent with Federal and
Agency standards and requirements.
Continuous monitoring, automatic alerting, and auditing with corresponding tracking capabilities and reporting are
required for devices connected to the State infrastructure or supporting State business (e.g. cloud services).
Agencies must also have procedures in place to ensure robust incident response to unauthorized access and
activity. The State CIO has the authority to require the installation of monitoring or auditing agents on devices
connected to the network.
Agencies must implement appropriate information safeguards (such as encryption, data filtering, tagging, or
segregation) to ensure Highly Restricted information, including Personally Identifiable Information (PII), Federal Tax
Information (FTI) and Payment Card Industry (PCI) data, is protected from inappropriate disclosure, misuse, or other security
breaches, in accordance with State, Federal and other security standards and requirements.
SECTION 4 – REFERENCES
The following policies in the Statewide Information Security Manual provide additional details for the
implementation of State information technology resources.