Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023
Ensure the preservation and protection of the integrity of the District of Columbia Government (“District”) information system and data.
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District information systems, District Workforce members performing official functions on behalf of the District or any District agency or entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from the District of Columbia Office of the Chief Technology Officer (OCTO). In addition, this policy applies to any provider and third-party entity with access to District information, network, and applications.
District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards. The following outlines the requirements for this policy.
The District's agencies must develop and review or update annually and after change to the policy, a procedure in support of this policy with the following requirements:
4.1. Flaw Remediation
4.1.1. Regularly identify, report, and correct information system flaws (following the patching timeline).
4.1.2. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation.
4.1.3. Install security-relevant software and firmware updates within 24-48 hours of the release of the updates (or as soon as determined to be feasible).
4.1.4. Incorporate flaw remediation into the organizational configuration management process.
4.2. Malicious Code Protection
District agencies must:
4.2.1. Employ malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.
4.2.2. Update malicious code protection mechanisms whenever new releases are available per organizational configuration management policy and procedures.
4.2.2. Configure malicious code protection mechanisms to:
- Perform periodic scans of the information system daily and real-time scans of files from external sources at all endpoints; network entry/exit points and network entry and exit appliances as the files are downloaded, opened, or executed per organizational security policy.
- Ensure Security Incident Event Monitoring (SIEM), firewalls, and endpoint anti-virus security block malicious code, quarantine malicious code; send alert to security engineers and system administrators near real-time in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
4.3. Information System Monitoring
4.3.1. Monitor the information system to detect:
- Attacks and indicators of potential attacks through a variety of tools such as: IPS, SIEM, and firewall appliances in accordance with agencies information security policy and procedures.
- Unauthorized local, network, and remote connections.
4.3.2. Identify unauthorized use of the information system through agencies SIEM.
4.3.3. Deploy monitoring devices:
- Strategically within the information system to collect organization-determined essential information.
- At ad hoc locations within the system to track specific types of transactions of interest to District agencies.
4.3.4. Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
4.3.5. Heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
4.3.6. Obtain legal opinions concerning information system monitoring activities per applicable federal laws, Executive Orders, directives, policies, or regulations.
4.3.7. Provide agencies information system monitoring as an integral part of agencies' continuous monitoring, continuous diagnostics, and improvement and incident response programs.
4.4. Security Alerts, Advisories, and Directives
4.4.1. Receive information system security alerts, advisories, and directives from US-CERT, RedHat Linux, Microsoft, and other third parties on an ongoing basis.
4.4.2. Generate internal security alerts, advisories, and directives as deemed necessary.
4.4.3. Disseminate security alerts, advisories, and directives to Senior Management and the IT Security team, as applicable.
4.4.4. Implement security directives per established time frames or notify the issuing organization of the degree of noncompliance.
4.5. Spam Protection
4.5.1. Employ spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages.
4.5.2. Update spam protection mechanisms when new releases are available per organizational configuration management policy and procedures.
4.6. Error Handling
4.6.1. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
4.6.2. Reveal error messages only to the IT Security team and other authorized personnel.
4.7. Information Handling and Retention
District agencies handle and retain information within the information system and information output from the system per applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.