Published on Office of the Chief Information Officer

141 - Securing Information Technology Assets

PURPOSE

Set requirements for maintaining system and network security, data integrity and confidentiality.

POLICY STATEMENT

1. Agencies will maintain systems, networks, and applications in a manner to ensure:

Availability of information technology (IT) assets.

Access to information technology assets is allowed only by authorized individuals.

Integrity and privacy of information technology assets is maintained.

Misuse or loss of information technology assets is prevented.

2. Each agency will adhere to this policy and current security standards adopted by the Office of the Chief Information Officer.

3. Each agency will operate and maintain information technology assets within an environment that provides a level of security commensurate with:

The sensitivity and importance of each asset's purpose and function.

The privacy and confidentiality level of the information content.

4. Interaction with agency's IT assets will be through an architecture that is compliant with all of the OCIO's policies and standards.

5. Each agency will ensure every employee is adequately trained to perform the security procedures for which they are responsible.

6. Each agency will establish and maintain an agency security program that includes information technology security policies, procedures, and any other documents necessary to the program.

6.1. The agency will review this program at least annually, and make appropriate updates after any significant change to its business operations, computing, or telecommunications environment.

7. Each agency will conduct an Information Technology Security Policy and Standards Compliance Audit at least once every three years.

7.1. The audit will be performed by a qualified party or parties independent of the agency's information technology organization.

7.2. The State Auditor may determine an earlier audit of an agency's information technology security program is warranted.

7.3. The nature and scope of the audit will be commensurate with the extent of the agency's dependence on secure information technology assets to accomplish its critical business functions or as such operations may impact the security of other state agencies.

7.4. The audit will be conducted using audit standards developed and published by the State Auditor.

7.5. Upon completion of the audit, each agency will submit the results of the audit and the plan for correcting material deficiencies to the state Chief Information Officer.

8. Agency heads will provide annual certification to the OCIO that the agency is in compliance with this policy and related standards, and that an Information Technology Security Program has been developed, implemented, and tested.

8.1. The annual security verification letter will be included in the agency information technology portfolio, which is due to the ISB on the same date that the agency's budget submittal is due to the Office of Financial Management.

8.2. The verification letter indicates review and acceptance by the agency head of the agency's security policies, procedures, and any other security program documents, as well as updates to them since the last approval.

9. Entities not governed by this policy that wish to connect to statewide systems governed by this policy must sign a statement certifying that a policy comparable to this policy and related standards are in effect and has been developed, implemented, and tested.

RESPONSIBILITIES

Portions of an agency's IT security program and audit results may contain sensitive or confidential information. Agency policy and procedures for the distribution of this information should consider applicable statutes that exempt specific information from public disclosure and limit distribution to authorized entities and individuals with a legitimate need to know.

Chief Information Officer (or designee)

Interpret the policy.

Ensure policy content is kept current.

Recommend updates to this policy and related resources as needed.

Develop an escalation process if an agency is not in agreement or compliance.

Review agency projects for compliance with the security policy.

Help agencies understand how to comply with the policy.

Monitor annual compliance by agencies.

Technology Services Board (TSB)

Review and approve major policy changes.

State Auditor

Develop, publish, and maintain audit standards for information technology security audits.

Agency Heads

Ensure and oversee agency's information technology security and compliance with this policy and related standards.

Ensure agency security policies, procedures and any other documents necessary for the security program are developed, implemented, maintained, and tested.

Ensure staff is trained to follow security policies, standards, and procedures.

Submit annual, signed security verification letter.

DEFINITIONS

Information technology assets are the processes, procedures, systems, infrastructure, data, and communications capabilities that allow each agency to manage, store, and share information in pursuit of its business mission, including but not limited to:

Applications.

All data typically associated with IT systems regardless of source (agency, partner, customer, citizen, etc.).

All data typically associated with IT systems regardless of the medium on which it resides (disc, tape, flash drive, cell phone, personal digital assistant, etc.).

End-user authentication systems.

Hardware (voice, video, radio transmitters and receivers, mainframes, servers, workstations, personal computers, laptops, and all endpoint equipment).

Software (operating systems, applications software, middleware, microcode).

Infrastructure (networks, connections, pathways, servers, wireless endpoints).

Services (data processing, telecommunications, office automation, and computerized information systems).

Telecommunications hardware, software, and networks.

Radio frequencies.

Data computing and telecommunications facilities.

Security is defined as the ability to protect:

The integrity, availability, and confidentiality of information held by an agency.

Information technology assets from unauthorized use or modification and from accidental or intentional damage or destruction.

Information technology facilities and off-site data storage.

Computing, telecommunications, and applications related services.

Internet-related applications and connectivity.

REVISION HISTORY

Date / Action taken
October 2011 / Policy reformatted for migration to Office of Chief Information Officer.
January 10, 2008 / Added statement #9 requiring comparable security policies for entities wishing to connect to state systems.
November 2006 / Revised format; revised Applies To section content; added requirement to submit audit results to the ISB in statement #7; revised annual compliance filing date to match agency's budget submittal date in statement #8; removed language redundant with Information Technology Security Standards, Policy No. 401-S3; simplified and clarified language throughout.
April 2002 / Revised format; added language to policy statement #5 on Internet applications; added language to policy statement #8 on agencies providing annual certification to the ISB.
October 6, 2000 / Initial effective date.

CONTACT INFORMATION

For questions about this policy, please contact your OCIO Information Technology Consultant.

APPROVING AUTHORITY

Chief Information Officer    Date

Chair, Technology Services Board
