IPSC Best Practices
A quick reference to many industry best practices, tools, and resources for information security as identified by the Information Privacy and Security Council.
Overview of IPSC Best Practices
Revised July 2018
The purpose of this web page is to provide a quick reference to many industry best practices, tools, and resources for information security as identified by the Information Privacy and Security Council. The majority of links on this page are external to the State of Hawai’i web pages, as indicated by a globe icon. The intent is to update this page frequently to provide current information on tools, practices, and standards. No endorsement is implied or intended by the State of Hawai’i by the listing or omission of vendors and/or commercial products on this page.
Vulnerability Advisories
Standards & Guidelines
- Helpful information from the State of Hawai’i ICSD Cyber Security Team:
  - https://ags.hawaii.gov/icsd/cyber-security/cyber-security-resources/
  - https://ags.hawaii.gov/icsd/cyber-security/cyber-security-toolkit/
  - https://ags.hawaii.gov/icsd/cyber-security/cyber-security-videos/
- Hawaii State Department of Education Privacy and Security Resources: https://www.hawaiipublicschools.org/VisionForSuccess/SchoolDataAndReports/HawaiiEdData/Pages/data-quality.aspx
- Hawaii Revised Statutes 487-N: https://www.capitol.hawaii.gov/hrscurrent/vol11_ch0476-0490/HRS0487N/HRS_0487N-.htm
Technical Guidelines
- Log Management (NIST SP 800-92)
- Protecting Confidentiality of PII (NIST SP 800-122): https://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
Federal Trade Commission Resources
- FTC’s “one-stop” resource for identity theft victims: https://IdentityTheft.gov
U.S. Department of Health & Human Services Resources
- https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
- https://www.hhs.gov/hipaa/for-professionals/privacy/
Department of Homeland Security Resources
- Awareness: Stop.Think.Connect. https://dhs.gov/stopthinkconnect
- C3VP (Critical Infrastructure Cyber Community Voluntary Program): https://www.us-cert.gov/ccubedvp
  - Maps the NIST Cybersecurity Framework to existing cyber risk management capabilities
- CRR: Cyber Resilience Review Self-Assessment: https://www.us-cert.gov/sites/default/files/c3vp/csc-crr-method-description-and-user-guide.pdf
- RVA: Risk and Vulnerability Assessment (for state and local government agencies only)
  - Full-scope Red Team/Penetration Testing
  - Services are tailored to fit agency requirements
  - Remote and on-site
  - Vulnerability Scanning and Testing
  - Penetration Testing
  - Social Engineering (Phishing)
  - Wireless Discovery & Identification
  - Web Application Scanning & Testing
  - Database Scanning
  - Operating System Scanning for compliance checks
- CH: Cyber Hygiene (for state and local government agencies only)
  - Remote assessment that broadly analyzes Internet-accessible systems for known vulnerabilities and configuration errors on a frequently recurring basis
  - Network Mapping
  - Network Vulnerability Scanning
  - Configuration Scanning
  - Recurring assessment
  - Reports on vulnerability and configuration errors
Free/Open Source Tools
- Vulnerability Scanning
  - OpenVAS: https://www.openvas.org/
  - Microsoft Baseline Security Analyzer: https://www.microsoft.com/en-us/download/details.aspx?id=7558
  - Qualys FreeScan (online vulnerability scanner – need to sign up): https://www.qualys.com/forms/freescan/
General Consumer Security Information
- Microsoft https://www.microsoft.com/security
- US-CERT Home and Business https://www.us-cert.gov/home-and-business
Browser Plug-Ins & Web Safety Tools
A listing of free plug-ins useful for safe web browsing. Be sure to carefully read the FAQs before implementing any of these plug-ins.
Useful Firefox Plug-ins
- NoScript: prohibits potentially harmful scripts from being executed within a web page
Website Safety Rating
The following are web-based tools to help identify if a site is safe or unsafe.
- McAfee Web Advisor adds visible safety ratings to searches and sites visited
- Norton (Symantec) Safe Web allows you to enter a web address (URL) and will return a rating based on safety and security issues
Browser Plug-in Check
Web-based, simple to use, free tool to check your browser for outdated plug-ins.
- The Qualys Browser Check will identify your outdated plug-ins that may be vulnerable to attacks
Training
This section provides information about computer (web-based) training modules for new employees and any mandatory annual refreshers. Examples are Civil Rights, LEP, Privacy, Security, DHRD modules, etc.
General Security Training:
- TEEX Domestic Preparedness Campus DHS/FEMA Certified Cyber Security Training: https://teex.org/Pages/Program.aspx?catID=607&courseTitle=Cybersecurity
- OnguardOnline.gov provides tips from the Federal Government
- Information Assurance and security training provided by DISA
- National Cyber Security Alliance
Phishing Training:
- Defense Information Systems Agency (DISA) class on Phishing
Personal Information Education:
Reports
This section provides links to various public reports on data breaches and the number of individuals affected by each breach.
- Data Breaches: https://www.privacyrights.org/
- Verizon Breach Investigations: https://www.verizonenterprise.com/DBIR/
- Ponemon/IBM Cost of Data Breach Study: https://www.ibm.com/security/data-breach
Applicable Standards
This section outlines many well-known standards and provides links to additional information about each.
Federal Standards
- NIST (National Institute of Standards and Technology) Cyber Security Framework
- NIST (National Institute of Standards and Technology) Computer Security Division
- NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
- ISO (International Standards Organization) 27002: Code of Practice for Information Security
- CoBIT Executive Summary
- PCI DSS (Payment Card Industry Data Security Standards)
- HIPAA (Health Insurance Portability and Accountability Act)
- FISMA (Federal Information Security Management Act) Overview
- FIPS (Federal Information Processing Standards) Publications
- FIPS 140-2: Security Requirements for Cryptographic Modules
State of Hawai’i Standards
- Hawaii Revised Statutes: HRS 487N
- HR 2221: Data Accountability and Trust Act (summary)
- HR 2221: Data Accountability and Trust Act (full text)
- Information and Communication Services Division (ICSD) Policies (State Intranet access only)
Disclaimer: The information posted on the State of Hawaii website includes hypertext links or pointers to information created and maintained by other public and/or private organizations. The State of Hawai’i provides these links and pointers solely for your information and convenience. When you select a link to an outside website, you are leaving the State of Hawai’i site and are subject to the privacy and security policies of the owners/sponsors of the outside website. The State of Hawaii provides multiple channels through which all individuals can have access to the same information and data. The State of Hawai’i does not control or guarantee the accuracy, relevance, timeliness or completeness of information contained on a linked website. The State of Hawai’i does not endorse the organizations sponsoring linked websites and does not endorse the views they express or the products/services they offer. The State of Hawai’i cannot authorize the use of copyrighted materials contained in linked websites. Users must request such authorization from the sponsor of the linked website. The State of Hawai’i is not responsible for transmissions users receive from linked websites.