Information Privacy & Security Council

Overview of IPSC Best Practices

This purpose of this web page is to provide a quick reference to many industry best practices, tools, and resources for information security as identified by the Information Privacy and Security Council.  The majority of links on this page are external to the State of Hawai’i web pages as indicated by a globe icon. The intent is to update this page frequently to provide current information on tools, practices, and standards. No endorsement is implied or intended by the State of Hawai’i by the listing or omission of vendors and/or commercial products on this page.

Table of Contents

Vulnerability Advisories

• MS-ISAC Vulnerability Advisories

Automated Tools

• Software Licensing Audit
• Log Management Tools
• Penetration Testing
• Vulnerability Testing
• Malware Prevention & Scanning

Browser Plug-Ins & Web Safety Tools

• Useful Plug-Ins
• Web Safety Advisors
• Browser Check Tool

Training

• General Information Security Awareness Training
• Phishing
• Personally-Identifiable Information (PII) Training

Public Reports on Cyber Threats & Data Breaches

• Data Breaches

Applicable Standards

• Federal Standards
• State Standards

Helpful information from the State of Hawai’i ICSD Cyber Security Team https://ags.hawaii.gov/icsd/cyber-security/cyber-security-resources/ https://ags.hawaii.gov/icsd/cyber-security/cyber-security-toolkit/ https://ags.hawaii.gov/icsd/cyber-security/cyber-security-videos/

Vulnerability Advisories

The MS-ISAC vulnerability advisories can be used to identify potential software threats.

• • MS-ISAC (Multi-State Information Sharing & Analysis Center): Vulnerability Advisories

Automated Tools

This section provides more information about automated tools that can be used to provide a secure computing environment.

• • Software Licensing Audit: Business Software Alliance: Free Software Audit Tools

• • Log Management/Analysis and SIEM (Security Information and Event Management) The category involves working with large volumes of computer generated records (log files) which provide various types of information such as information about the computer, network, and when and by who information was accessed. And by sifting through the information and applying various rules, there is an automated determination if there are any security or operational issues that need to be addressed. The NIST Guide to Computer Security Log Management provides more information about this area.

• • Penetration testing Penetration testing is used to evaluate the security of computer systems and networks by simulating an attack as if from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

• • Vulnerability Assessment Tools
    • Gibson Research Corporation ShieldsUP! benignly probes the target computer at your location for vulnerabilities.

• Anti-virus, Anti-spyware, malware scanners, personal firewalls, web scanners, etc.
  • AVG Anti-Virus Free edition (for personal use only)
  • Malwarebytes Anti-Malware Free scanner detects and removes malware like worms, Trojans, rootkits, rogues, spyware, and more.
  • Microsoft Security Essentials free anti-virus protection for Windows

Browser Plug-Ins & Web Safety Tools

A listing of free plug-ins useful for safe web browsing.  Be sure to carefully read the FAQs before implementing any of these plug-ins.

Useful Firefox Plug-ins

• Targeted Advertising Cookie Opt-Out (TACO)  Sets an opt-out flag for numerous advertising tracking cookies
• NoScript  Prohibits potentially harmful scripts from being executed within a web page

Website Safety Rating
The following are web-based tools to help identify if a site is safe or unsafe.

• McAfee Web Advisor adds visible safety ratings to searches and sites visited
• Norton (Symantec) Safe Web allows you to enter a web address (URL) and will return a rating based on safety and security issues

Browser Plug-in Check
Web-based, simple to use, free tool to check your browser for outdated plug-ins.

• The Qualys Browser Check will identify your outdated plug-ins that may be vulnerable to attacks

Training

This section provides information about computer (web-based) training modules for new employees and any mandatory annual refreshers. Examples are Civil Rights, LEP, Privacy, Security, DHRD modules, etc.

General Security Training:

• TEEX Domestic Preparedness Campus DHS/FEMA Certified Cyber Security Training
• OnguardOnline.gov provides tips from the Federal Government
• Information Assurance and security training provided by DISA
• National Cyber Security Alliance

Phishing Training:

• Defense Information Systems Agency (DISA) class on Phishing

Personal Information Education:

• NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Reports

• Data Breaches:  https://www.privacyrights.org/
• Verizon Breach Investigations: https://www.verizonenterprise.com/verizon-insights-lab/dbir/
• Ponemon/IBM Cost of Data Breach Study: https://www.ibm.com/security/data-breach

Applicable Standards

This section outlines many well-known standards and provides links to additional information about each.

Federal Standards

• NIST (National Institute of Standards and Technology) Cyber Security Framework
• NIST (National Institute of Standards and Technology) Computer Security Division
• NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• ISO (International Standards Organization) 27002: Code of Practice for Information Security:
• CoBIT Executive Summary
• PCI DSS (Payment Card Industry Data Security Standards)
• HIPAA (Health Insurance Portability and Accountability Act)
• FISMA (Federal Information Security Management Act) Overview
• FIPS (Federal Information Processing Standards) Publications
• FIPS 140-2:  Security Requirements for Cryptographic Modules

State of Hawai’i Standards

• HR 2221: Data Accountability and Trust Act (summary):
• HR 2221: Data Accountability and Trust Act (full text)

Disclaimer: The information posted on the State of Hawaii website includes hypertext links or pointers to information created and maintained by other public and/or private organizations. The State of Hawai’i provides these links and pointers solely for your information and convenience. When you select a link to an outside website, you are leaving the State of Hawai’i site and are subject to the privacy and security policies of the owners/sponsors of the outside website. The State of Hawaii provides multiple channels through which all individuals can have access to the same information and data. The State of Hawai’i does not control or guarantee the accuracy, relevance, timeliness or completeness of information contained on a linked website. The State of Hawai’i does not endorse the organizations sponsoring linked websites and does not endorse the views they express or the products/services they offer. The State of Hawai’i cannot authorize the use of copyrighted materials contained in linked websites. Users must request such authorization from the sponsor of the linked website. The State of Hawai’i is not responsible for transmissions users receive from linked websites.