DCF Security Policy 16.3

Network Management

Policy Memorandum S16.3


Effective Date: 28 June 2010

Revised Date:

1.0 SUBJECT: Network Management

2.0 DISTRIBUTION: All DCF Workforce Members and Users

3.0 FROM: Chief Information Officer

4.0 PURPOSE:

To establish a common, uniform policy for all DCF staff regarding the acquisition, installation, management and use of Wired and/or Wireless Local Area Networks (WLAN) for use by DCF employees, hospitals, contractors, and vendors.

5.0 REFERENCES

Wireless Local Area Network Policy, State of Kansas Information Technology Executive Council (ITEC) Information Technology Policy 9500, 27 April 2006

Interim Wireless Local Area Networks Security and Technical Architecture, ITEC Guidelines, 6 October 2005

Default Security Requirements, Information Technology Executive Council (ITEC) Information Technology 7230A, January 2010.

State of Kansas Security Requirements, Info-Tech Consulting Services for the Information Technology Executive Council, 29 July 2009.

5.2 SIGNATURE BLOCK and EFFECTIVE DATE

Phyllis I Gilmore,
Secretary,
Department for Children and Families / Date
Ben Nelson,
Chief Information Officer
Department for Children and Families / Date

6.0 POLICY:

Policy Statement: Wireless networks are never to be considered an alternative to hard-wired networks. Wireless networks are inherently less secure than a comparable hard-wired network and should only be utilized in limited, special circumstances. OITS shall be the point of contact and responsible for the acquisition, installation, and management of all WLANs (ITEC 9500). Unless secured by encrypted protocols, WLAN connections shall not be used to access private/internal DCF IT resources.

6.1 Acquisition

The DCF Chief Information Officer must approve the acquisition and implementation of any wireless networks within DCF. Wireless networks shall not be installed without prior approval from the CIO.

A. Wireless LANs shall be acquired and implemented in coordination with the Division of Information Systems and Communications (OITS) to ensure adherence to the State of Kansas Technical Architecture and the Wireless Interim Security and Technical Architecture (ITEC 9501).

6.2 Network and Telecommunications Security and Management

All infrastructure devices that reside at a Kansas DCF site or connect to a DCF network must:

  • Abide by the standards specified in ITEC Policy.
  • Be registered, installed, supported, and maintained according to ITEC Policy (i.e. by OITS).
  • Be located in a secured area, or disabled when unattended.

A. Network Configuration

DCF Management will direct the development of processes, procedures, and standards which support this policy, with the purpose of protecting data from unauthorized alteration or destruction while being transmitted or controlled during transmission. DCF ITS shall design, implement, document, and maintain a network architecture that contains an appropriate level of administrative and technical security controls. A layered architecture design shall be implemented as a defense to isolate attacks and reduce the overall damage to the network environment.

1. Network Addressing - All network names and addresses shall be managed and approved by ITS. Internal network addresses shall be considered sensitive data and not be distributed to unauthorized personnel.

2. Network Services and Protocols - Only ITS approved network services and protocols will be implemented. All non-authorized protocols and services will be removed and/or disabled.

3. Network Perimeter - A clearly defined boundary shall be established to control traffic between DCF information resources and external entities. All inbound and outbound network traffic shall pass through appropriate access control devices, such as firewalls, prior to reaching DCF information resources. Traffic shall be limited to approved protocols and services and controlled using both ingress and egress filtering as supported by the device.

4. Network Availability and Redundancy – Where possible, the DCF network design shall provide adequate redundancies to reduce the likelihood of a single point of failure.

5. Network Integrity - ITS shall establish a system of controls to safeguard the data traffic and ensure transmission integrity throughout the system.

6. Network Technology - DCF shall implement and properly configure network security technology to protect sensitive information flowing across the network.

a. Network Devices – ITS shall be responsible for ensuring the proper implementation and configuration of all network devices such as routers, hubs, switches, and encryption devices deployed on the DCF network.

b. Network Servers - DCF servers shall be protected commensurate with the level of sensitivity and criticality of the information and function that they perform. This may require the implementation of network control devices to segment or protect the network where servers reside.

c. Network Firewall – ITS shall be responsible for configuring, maintaining, and monitoring all DCF firewalls. Only ITS approved traffic and services shall be permitted through DCF firewalls. Firewall documentation needs to include what resources are protected by the firewall.

d. Virtual Private Network (VPN) - DCF shall provide VPN solutions designed to provide authentication, authorization, encryption, and accounting capabilities. All DCF VPN solutions shall utilize approved software and contain an end-to-end security strategy.

e. Intrusion Prevention Systems (IPSs) – DCF shall employ Intrusion Prevention Systems perimeter devices to detect and prevent the intrusion of unauthorized persons into the DCF network.

f. Content or Stream Filtering - The DCF network shall provide content and/or stream filtering to reduce the risk of damage occurring from malicious email attachments, downloading or activation of malicious code from the Internet, or purposeful attacks against application vulnerabilities.

7. Message Security - Electronic mail is critical to performing DCF operations and delivering needed services to its client and partners. Some business needs may also require the secure use of instant messaging for communication. File transfers of sensitive information also occur between DCF and other entities.

a. Device Protection - DCF shall implement security processes and solutions that protect:

  • Message Servers or Devices – hosts or devices that deliver, forward and store mail, instant messaging, file transfers, or other network messaging in a secure, authorized and controlled manner.
  • Messaging clients – software that allows users to read, compose, send and store email messages, instant messages, or types of user communication tools.

b. Encryption - DCF Sensitive information transmitted over an external network, including the Internet, using email, instant messaging, or other protocols or applications must be securely encrypted when appropriate, or in accordance with management guidelines based on periodic assessment and management of the security risk for exposure of the information.

8. Third Party Network Connection Security - All third-party connections shall be evaluated by considering access, administration, confidentiality, and monitoring requirements. Network services provided over third-party connections shall be limited to those services necessary to perform the functions required. Third-party access shall be limited to those services and/or devices that are needed to perform the required business function.

9. Telecommunications Security - All DCF telecommunications lines shall be secured in a manner that ensures availability and prevents tampering. DCF locations shall provide the following:

a. Intrusion Detection – DCF shall implement a method to detect intrusion activity on its telecommunications lines depending on the risks associated with certain situations or technology.

b. Line security – All DCF telecommunication lines shall be secured in a manner that ensures availability and prevents tampering.

c. Telecommunication Equipment Security – All DCF telecommunication equipment, terminal boxes, and access points shall reside in secure, controlled areas with access by authorized personnel only.

d. Records - DCF shall maintain current configuration records on all telephone systems, including outside and inside wiring, cabling, telephone and wiring closets, and equipment.

B. Network Administration

The responsibility for providing an adequate level of network and telecommunications security within the DCF network lies with the Information Technology Services (ITS) Infrastructure Management Units and the Information Security Manager.

1. Roles and Responsibilities - The following key roles and responsibilities have been identified for this policy:

a. Information Security Manager – provides security oversight and guidance to DCF entities and is responsible for security policy compliance.

b. ITS Infrastructure Manager – is responsible for maintaining network operations and ensuring an adequate level of security is provided.

c. Network Security Administrators – are responsible for ensuring network operations are conducted in a secure manner.

d. Facilities Managers – are responsible for maintaining the physical security of the network infrastructure and its associated operating environment.

2. Network Security Management – All DCF networks shall be designed and implemented with a focus on network security that provides for network configuration management and implementation standards, continuity of operations, and provides an audit capability of traffic that flows through control devices on the network.

a. Network Incidents – Active network event monitoring and correlation shall be regularly performed to determine the existence of a network incident. All network incidents shall be reported immediately upon determination using a DCF-approved incident response process.

b. Physical Security – All DCF locations shall protect all network equipment from unauthorized physical access, and provide an acceptable operating environment for network connectivity equipment.

c. Access Security –

  • Each network security administrator must be uniquely identified to the network device. The use of shared administrative accounts is forbidden, except in cases where the device cannot support multiple admin accounts.
  • Passwords used for network devices must be as strong as the DCF LAN password, or as strong as the device is capable of supporting.
  • A secure portal for network configuration management must be used wherever possible. Telnet may not be used to access network devices for administration unless that is all the device is capable of.
  • A warning banner must be displayed at sign-on (refer to SOP 16.1.1).

C. Network Maintenance

Network maintenance must follow the change control process so that changes are only made in a systematic fashion, after testing and approval.

6.3 General Network Access Requirements - Wireless

All wireless infrastructure devices that reside at a Kansas DCF site or connect to a DCF network must:

  • Abide by the standards specified in ITEC Policy 9500.
  • Be registered, installed, supported, and maintained according to ITEC Policy 9500 (i.e. by OITS).
  • Be located in a secured area, or disabled when unattended.
  • Not interfere with wireless access deployments maintained by other support organizations.

A. Public Hotspots

1. Any use of Public Hotspots to conduct DCF business or access private/internal DCF IT resources is prohibited.

2. DCF information resources (laptop, desktop, PDA, etc.) shall not connect to the secure DCF wired network and an unsecured wireless network (like KS-Guest) at the same time.

6.4 Home Wireless Device Requirements

Home wireless devices shall not be used to access private/internal DCF IT resources, as their security cannot be verified.

6.5 Responsibility

All DCF employees, volunteers, contractors and business partners who have access to wireless networks must familiarize themselves and comply with the security policies, procedures and best practices related to their use. A failure to familiarize themselves does not relieve them of their responsibility to comply.

7.0 SANCTIONS

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with DCF. Refer to SOP 04.3 Security Sanctions.

9.0 DEFINITIONS: See Appendix A

10.0 VERSION HISTORY

This policy supersedes all policies written before the effective date of this policy. In addition, changes made to this policy will be reflected in an entirely new document with the revision date noted in the metadata for the document. The older document will be archived in its entirety for reference, and retained according to DCF records retention schedules.

Rev. 25 July 2012 Page 1 of 10