
If you are using a printed copy of this document, please check that it is consistent with the current, official version.

GITCS-PLN-400 Lilly Client Platform Security Plan Version 2.0


Effective Date: 01-Jan-2009
Purpose: The purpose of this document is to describe the security plan (physical and logical controls) for Global IT Customer Services (GITCS).
Scope: Current plan for providing and maintaining physical and logical security for Global IT Customer Services
Areas Involved: Global IT Customer Services
Supersedes/Replaces: GITCS-PLN-0400, Lilly Client Platform Security Plan, Version 1.0

Title: GITCS-PLN-400 Lilly Client Platform Security Plan Owner: Steven Seifert

Page 1 of 12 Normal Business

Version 2.0 Last Save Date: 02-Dec-2008


ELI LILLY AND COMPANY Lilly Client Platform Security Plan

TABLE OF CONTENTS
1. INTRODUCTION ..... 3
2. SECURITY PLAN ..... 5
  2.1 PHYSICAL CONTROLS ..... 5
  2.2 LOGICAL CONTROLS ..... 5
    2.2.1 System Administrator Accounts for All Zone Builds ..... 5
    2.2.2 GITCS Data Areas ..... 5
    2.2.3 Single Click Executables ..... 5
    2.2.4 System Administrator Accounts and Privileges ..... 5
    2.2.5 Virus and Firewall Protection ..... 5
    2.2.6 Vulnerability Patch Release Process ..... 6
3. SECURITY RISKS AND COUNTERMEASURES ..... 7
  3.1 SECURITY RISK EXAMPLES ..... 8
  3.2 GIAMS GAP ASSESSMENT AND REMEDIATION ..... 9
4. TRAINING IN THIS PROCEDURE ..... 10
APPENDIX ..... 11
  APPENDIX A: GLOSSARY/ACRONYMS/ABBREVIATIONS ..... 11
REVISION HISTORY ..... 12
PROCEDURE APPROVAL SIGNATURES ..... 12


1. INTRODUCTION
The Global IT Customer Services (GITCS) organization, a part of Eli Lilly's EIS organization, is responsible for the support services for Lilly computer systems. GITCS consists of the following teams located across the Lilly Corporate Center (LCC) and the Lilly Technology Center (LTC):

Global Configuration Management
This team works with our global GITCS counterparts in Zones 2 and 3 to deliver release management, services and support around our global hardware and software products. Additionally, the Global Configuration Management team is responsible for image creation for the client All Zones eBuilds, as well as working with our hardware providers to evaluate upcoming products and ensure global availability of those products.

Customer Account Services, Deployment to Desktop Services and Software License and Compliance
The Customer Account Services (CAS) group serves as the primary point of contact for customers regarding desktop hardware and software related issues. They ensure that those services are delivered to the satisfaction of the customer by focusing on Service Delivery Management. Software licensing and compliance stewards are responsible for all aspects of software licensing and maintenance. These aspects include vendor management with the preferred software vendor, purchasing non-standard software, managing product codes/keys and stewarding the Microsoft licensing website. The Desktop to Deployment group is responsible for the receiving, inventory management, configuration and deployment of computer hardware and software to the customer.

Computer Hardware and Software Services and Support
The GITCS Computer Hardware and Software Services and Support teams help business areas maintain computer assets and ensure that these assets are performing at a satisfactory level.

Client Automated Management Services (CAMS)
The CAMS team is primarily responsible for collaborating with Zone 1 Global IT Customer Services support teams, as well as our Zone 2 and 3 counterparts, in order to reduce the global Total Cost of Ownership (TCO) for Lilly's computer assets. The CAMS team also assists customers by developing time-saving tools and utilities that automate diverse business processes. One example is the creation of single click executables (SCEs) that allow software to be installed on a person's desktop computer without having to send a technician to the workstation.

Appendix A: Glossary/Acronyms/Abbreviations
CAMS: Client Automated Management Services
CAS: Customer Account Services
GIST: Global Information Security Team
GITCS: Global IT Customer Services (Workplace Services Client team)
LAN ID: Local Area Network Identity
LCC: Lilly Corporate Center
LTC: Lilly Technology Center
NTP: Network Time Protocol
QI: Quality Integrator
SCE: Single Click Executable
SOP: Standard Operating Procedure
WinCOE: Windows Center of Excellence


2. SECURITY PLAN

2.1 Physical Controls

The physical security controls in place for all of the GITCS teams are those already provided by Lilly Facilities Management and those in place for the Lilly Corporate Center and Lilly Technology Center. Teams that utilize storage areas or labs control their security by locking the areas during non-business hours and limiting access during business hours. Equipment in the charge of the GITCS team will be properly secured from theft and other unintended removal. These areas are considered low risk. Details of each team's secured areas and related procedures are given in GITCS-SOP-0400, Security Administration SOP.

2.2 Logical Controls

2.2.1 System Administrator Accounts for All Zone eBuilds

The local system administrator account installed by default by the operating system manufacturer is generated and owned by the Global Information Security Team (GIST). GIST supplies the password via email at GITCS's request, which is made via a CR. Only individuals who create builds have access to this password. A new password is generated with each new build.

2.2.2 GITCS Data Areas

Teams in Global IT Customer Services (GITCS) have team members assigned as Data Stewards to manage access to the LAN storage areas and SharePoint portals assigned to their areas. These areas and portals are located on qualified servers secured in the Data Centers managed by the WinCOE teams. The Data Area Steward determines the allowed access level to GITCS data areas on a least-privilege basis.

2.2.3 Single Click Executables

The CAMS team creates compressed program installations called single click executables (SCEs) that allow customers to control how they would like their packages to be created and delivered to the customers identified in the development process. The SCE packages are developed and stored on a qualified server under password protection. Password protection is designed to allow only authorized users of the executable to install the application in each of the following situations:
- During its development
- Distribution of the application
- Reinstallation due to computer problems

2.2.4 System Administrator Accounts and Privileges

A list of all System Administrator accounts, and their access, will be maintained by GITCS. System Administrator accounts and privileges are reviewed biannually to ensure that GITCS personnel are using the appropriate level of privilege needed to perform their job function. The GITCS Client Administration Analyst is responsible for initiating the review by the Service Group Steward. All privileged account owners are responsible for taking the appropriate training prior to being granted privileged access or accounts.

2.2.5 Information Access

Application stewards should ensure that all applications have access to Lilly information and Lilly information assets based on a business need, and at a need-to-know level. If functionality exists in applications that could cause information access beyond this recommendation, the functionality should be disabled. In the case where an application is accessing Personally Identifiable Information (PII) and/or privacy data, the System Custodian should identify and document where the PII resides, and document the flow of data into, through and out of the application.

2.2.6 Virus and Firewall Protection

Malware protection (including anti-virus) and host-based firewall protection shall be provided for all desktop computers, either as part of the All Zone eBuild or as a post-installation to the All Zone eBuild. It is the responsibility of the Global Information Security Team to select this software and set its configuration.

2.2.7 Vulnerability Patch Release Process

GITCS teams engage in constant review of vulnerability patch releases for the software products that GITCS stewards. The list of products that GITCS stewards manage is part of the GITCS LAM inventory list. All applications should be maintained at a level consistent with vendor support for those applications, and should not be at a release level that is no longer supported by vulnerability patch releases. As each patch is made available to the public by the publisher or vendor who owns the product, Lilly Client, Server and GIST analysts analyze the patch for risk and impact to the Lilly computing environment. Once a patch is assigned a severity rating of one of the levels in the table below (Urgent, High, Medium, Low or Negligible) and approved by an approval body (EIS CAB or CCB), it is prepared for deployment according to the following schedule:

Severity Level                      Standard Schedule for deployment
Urgent                              0-3 days for deployment
High, Medium, Low or Negligible     0-7 days for deployment


3. SECURITY RISKS AND COUNTERMEASURES


Table 1: Risk Rating Definitions
If the following conditions apply, then the risk is rated as shown.

Urgent:
- Rapid action required due to imminent or actual threat; Lilly is largely exposed
- Little or no knowledge or action required to expose assets

High:
- Action strongly recommended due to increasing threat potential; Lilly assets are exposed
- The event can happen accidentally (that is, without intentional misuse or malicious intent)
- Knowledge, skills, or tools required to engage in the activity are minimal

Medium:
- Action recommended proportionate to the importance of the information being protected; limited Lilly exposure
- Some specialized knowledge, skills, or tools are required to engage in the activity

Low:
- Action limited due to alternative risk mitigations or very limited Lilly exposure
- Intentional misuse is required to trigger the event
- Highly specialized skills, knowledge, or tools are required to engage in the activity

Negligible:
- Few if any impacted platforms, very low exposure or risk

Table 2: Impact Ratings
If the impact is:   Then:
Low                 One or a few regular users are affected as a result of the risk occurring.
Medium              A small number of users are affected as a result of the risk occurring.
High                A large number of users are negatively affected as a result of the risk occurring.


3.1 Security Risk Examples

Each example lists the Security Risk, its Risk Rating, its Impact Rating, and How to Minimize or Eliminate the Risk.

1. Security Risk: Unauthorized access gained to GITCS data areas
   Risk Rating: Low
   Impact Rating: Med
   How to Minimize or Eliminate the Risk: Data area stewards review and administer account access biannually or as needed. They provide training on the areas and their usage.

2. Security Risk: Access to Configuration Management image share areas
   Risk Rating: Low
   Impact Rating: Low
   How to Minimize or Eliminate the Risk: Access to the area is granted by the data stewards and is reviewed annually, and more frequently if needed.

3. Security Risk: Unauthorized access to Single Click Executables
   Risk Rating: Low
   Impact Rating: Low
   How to Minimize or Eliminate the Risk: Access to the Single Click Executable is limited to a minimum number of participants during the development of the executable.

4. Security Risk: Vulnerable computers on the Lilly network
   Risk Rating: Urgent
   Impact Rating: High
   How to Minimize or Eliminate the Risk: Security patches are installed on each machine that connects to the Lilly network.


3.2 GIAMS Gap Assessment and Remediation

Each GIAMS Gap is listed with the decision to remediate it, or to accept the risk.

1. GIAMS Gap: System Custodians of vendor-supplied software and hardware should ensure a documented security threat and vulnerability management process is followed.
   Remediate, or accept risk: See section 2.2.7

2. GIAMS Gap: Vendor-released security updates or mitigations for known threats should be applied at a minimum semiannually.
   Remediate, or accept risk: See section 2.2.7

3. GIAMS Gap: System Custodians should ensure a documented process to treat malware threats is in place and followed.
   Remediate, or accept risk: See section 2.2.5

4. GIAMS Gap: Approved non-standard client software, when accessing any electronic information, assets, resources and user accounts, should have access to the assets based upon business need.
   Remediate, or accept risk: See section 2.2.5

5. GIAMS Gap: System access should not be granted to entities unless they meet applicable training or qualification requirements.
   Remediate, or accept risk: See section 2.2.4

6. GIAMS Gap: Controls should be in place to ensure acquired applications are free from viruses and other malicious code before being installed on the extended corporate network.
   Remediate, or accept risk: See section 2.2.6

7. GIAMS Gap: All application-based access to information assets other than the approved and documented access should be deleted or disabled before software is moved into production.
   Remediate, or accept risk: See section 2.2.5

8. GIAMS Gap: Vendor-supplied application software should be maintained at a level supported by the supplier.
   Remediate, or accept risk: See section 2.2.7

9. GIAMS Gap: System Custodians should ensure the identification and documentation of where Personally Identifiable Information resides within a system.
   Remediate, or accept risk: See section 2.2.5

10. GIAMS Gap: System Custodians should ensure that the data flow of Personally Identifiable Information is captured within the system documentation.
    Remediate, or accept risk: See section 2.2.5

11. GIAMS Gap: Regular review of the members of the deployment accounts should be performed.
    Remediate, or accept risk: Accept. As the deployment account is a common account on all eBuilds, control of access is not possible. As an additional control, the deployment account is disabled as a part of the deployment process.

12. GIAMS Gap: The local Administrator and deployment account password requirements are not changed regularly.
    Remediate, or accept risk: Accept; see section 2.2.1

13. GIAMS Gap: The local administrator and deployment account profiles are set to not lock.
    Remediate, or accept risk: Accept. The local administrator and deployment accounts are only used by those authorized.

4. TRAINING IN THIS PROCEDURE

Training will consist of reading this document and then recording the training electronically. In areas where electronic recording of training is not available, the student may need to print and sign a Training Acknowledgement Form. All personnel involved in Client Security must train on this document.


APPENDIX

Appendix B: Glossary/Acronyms/Abbreviations
CAMS: Client Automated Management Services
CAS: Customer Account Services
GIST: Global Information Security Team
GITCS: Global IT Customer Services (Workplace Services Client team)
LAN ID: Local Area Network Identity
LCC: Lilly Corporate Center
LTC: Lilly Technology Center
NTP: Network Time Protocol
QA: Qualification Advocate
SCE: Single Click Executable
SOP: Standard Operating Procedure
TCO: Total Cost of Ownership
WinCOE: Windows Center of Excellence
