State Of Florida DEP 390 Department of Environmental Protection Effective: March 13,2012 Administrative Directive Approved by Secretary

Information Technology Security Policies and Standards

1.

Information is an asset that, like other important assets, is essential to an agency’s mission and consequently needs to be protected. Information can exist in many forms. It can be printed, written on paper, stored and transmitted electronically through interconnected business environments. As a result of increasing interconnectivity to share information, information is now exposed to a growing number and a wider variety of threats and vulnerabilities. Information security is the protection of information from a wide range of threats in order to ensure agency continuity, minimize risk to an acceptable level to management, and maximize agency’s opportunities. Information security is achieved by implementing a suitable set of controls, both physical and technical, and through policies.

Introduction

2.

The purpose of the Information Security Policy is to ensure that the security of DEP’s information resources is sufficient to reduce the risk of loss, modification or disclosure of those assets to a level acceptable to DEP management. The agency’s adherence to these policies ensures compliance with the State’s information security rules and offers DEP a set of best practices that assures the security of information under the agency’s responsibility to protect.

Purpose

3.

Authority is derived from Florida Statute 282.318: ‘Communications and Data Processing’ and from Agency for Enterprise Information Technology (AEIT), Office of Information Security (OIS) Rule 71A-1: ‘Information Technology Resource Security Policies and Standards’.

Authority

4.

Information security policies and standards apply to all agency employees. They also apply to contractors, vendors, private organizations and citizens that are provided account access to the agency network and computer systems regardless of how or where they connect to information technology. They also apply to agency computing devices when connected to non-agency networks. They apply to DEP automated information systems which access, process, or have custody of data.

Scope

DEP 390

Page 2 of 59

March 13, 2012

They apply to mainframe, minicomputer, microcomputer, distributed processing, and networking environments of the Department.

Organization of Information Security

Objective

Within the agency, a management framework needs to be established to develop and guide the implementation of information security. Management needs to approve the information security policies, assign security roles and coordinate and review the implementation of security across the agency.

:

Control

Management should actively support security within the agency through clear direction, demonstrated commitment, and acknowledgement of information security responsibilities.

:

Scope

DEP has developed, documented, and implemented an agency-wide information security program. The goal of the information security program is to ensure administrative, operational and technical controls are sufficient to reduce, to an acceptable level, risks to the confidentiality, availability, and integrity of agency information and information technology resources. An Information Security Manager (ISM) will be appointed to administer the agency information security program and the agency head shall send notification of the Information Security Manager appointment to the State Chief Information Security Officer. The agency Information Security Manager, in fulfilling these responsibilities below, shall follow the policies published by the Agency for Enterprise Information Technology Office of Information Security.

:

Policy

5.0

:

5.1.1 Development of a strategic information security plan and associated operational information security plan.

Responsibilities of the Information Security Manager (ISM)

DEP 390

Page 3 of 59

March 13, 2012

5.1.2 Development, implementation, and update of agency security policy,

procedure, standards, and guidelines.

5.1.3 Development and implementation of the agency security awareness program.

5.1.4 Coordination of the agency information security risk management process.

5.1.5 Coordination of or assisting the Inspector General in the coordination of the agency Computer Security Incident Response Team.

5.1.6 Coordination of Information Technology Disaster Recovery efforts in support of the agency Continuity of Operations Plan.

5.1.7 Taking an active role in the agency information technology monitoring and reporting activities.

5.1.8 Maintain information security program documents: The Strategic Information Security Plan, the Operational Information Security Plan, and Security Policies and Procedures.

5.1.9 Review and update the agency Strategic Information Security Plan (SSP) and the Information Security Operational Plan (OSP) annually and will submit an approved SSP and OSP to the State Chief Information Security Officer.

5.1.10 With approval of the Secretary, the ISM may choose to appoint individuals from agency offices, divisions and regional offices to be Information Security Representatives (ISR) for their respective business units. To ensure information systems under their respective divisions, offices, and districts meet minimum security requirements, the ISR duties will include, but are not limited to the following:

(a) Supporting implementation, enforcement, and reporting requirements of approved computer security directives, procedures, and practices.

(b) Ensuring user access is correct, current and reflects appropriate security levels.

(c) Ensuring the proper implementation of security controls and safeguards in the development of information systems.

DEP 390

Page 4 of 59

March 13, 2012

(d) Ensuring information security incidents are reported to the

Information Security Manager, through established notification procedures.

(e) Ensuring risk assessments are performed on new or major systems.

(f) Ensuring users obtain required security awareness training.

(g) Ensuring third parties comply with agency security standards.

5.2

5.2.1 Owners, custodians, and users of all information resources will be identified and the designation will be documented.

Owner, Custodian and User Identification

5.2.3 All information resources will be assigned a data owner.

5.2.4 The owner of information resource is the designated individual responsible for implementing the program that uses the resource. The owner is responsible for:

(a) Approving access and formally assigning custody of the asset.

(b) Judging the asset's value.

(c) Specifying data control requirements and conveying them to users and custodians.

(d) Ensuring compliance with applicable controls.

(e) Ensuring integrity and availability of data.

5.2.5 The custodian of an information resource is responsible for:

(a) Implementing the controls specified by the owner.

(b) Providing physical and procedural safeguards for the information resources in their possession or in their facility.

(c) Administering access to the information resources.

DEP 390

Page 5 of 59

March 13, 2012

(d) Providing for timely detection, reporting, and analysis of

unauthorized attempts to gain access to information resources.

(e) Assisting owners in evaluating the cost-effectiveness of controls.

5.2.6 The users of information resources are responsible for:

(a) Complying with controls established by the custodian.

(b) Preventing disclosure of confidential information.

5.3

5.3.1 Contracts and agreements involving the use of agency’s information technology resources will require compliance with the agency information technology security policies and procedures.

External Parties Contracts (Contractors, Vendors, and Partners)

5.3.2 Before any 3rd

5.3.3 The agency Chief Information Officer (CIO) or designee is responsible for maintaining network connection agreements.

party device is connected to the agency network, non-agency entities must execute a network connection agreement stating that the device has been recently scanned for viruses, malware and spyware, has current anti-virus protection, and the operating system is at appropriate patch level.

DEP 390

Page 6 of 59

March 13, 2012

Human Resources Security Policy

Objective

The Human Resources Security Policy is a policy that establishes protective measures for the use of DEP IT resources. This policy is to ensure the employees, contractors, vendors, and business partners understand their roles and responsibilities, and that they are suitable for the positions for which they are being considered.

:

During employment, to ensure that employees, contractors and third party users are aware of information security threats and concerns and their responsibilities and liabilities, an adequate level of awareness, education and training will be provided to all users of DEP IT resources to help minimize possible security risks.

Upon termination, this policy is in place to ensure the employee’s, contractors, and third party user’s exit from the agency or change in responsibilities is managed and that return of all equipment and the removal of all access rights are completed.

Control

Human Resources are responsible for providing accurate job descriptions and security responsibilities shall be addressed in the terms and conditions of employment. All candidates for employment will be adequately screened, especially for positions of trust. Furthermore, management will require employees, contractors and other users, to apply security in accordance with established policies and procedures of the agency.

:

Scope

This Human Resource Security Policy applies to all employees, contractors and anyone using agency IT resources.

:

Policy

6.0

:

Prior to Employment

DEP 390

Page 7 of 59

March 13, 2012

6.1.1 All information technology positions will be classified as positions of

special trust requiring background checks and level 2 screening in accordance with DEP 422, Background Investigations. Positions of special trust are set forth in Section 110.1127, and Chapter 435, Florida Statutes.

6.1.2 Contractors hired as information technology workers are subject to the same background investigation requirements as agency information technology workers.

6.1.3 Upon employment, employees and contracted staff shall acknowledge having read and understood their responsibilities as provided under this directive by signing a statement of understanding (SOU) electronically or on paper. The Bureau of Personnel Services will maintain the SOU until the individual agency employee terminates employment. The division obtaining the contracted services will keep the SOU with the work contract, and maintain a record of these documents.

6.2

6.2.1 Human Resources will identify special trust positions annually. Employees in these positions will receive additional training related to their level of security access.

During Employment

6.2.2 Contractors, vendors, and partners employed by agencies or acting on behalf of agencies shall comply with agency security policies and employ adequate security measures to protect agency information, applications, data, resources, and/or services.

6.3

6.3.1 Workers shall receive initial security awareness training within 30 days of employment start date.

Security Awareness and Training

6.3.2 Records of individuals who have completed security awareness training will be maintained.

6.3.4 Agency workers at a minimum shall receive security awareness training annually and include on-going education and reinforcement of security practices.

DEP 390

Page 8 of 59

March 13, 2012

6.3.5 Special Trust Positions will be adequately trained to carry out their

assigned information security-related duties and responsibilities.

6.3.6 Initial training shall include acceptable use restrictions, procedures for handling confidential information and computer security incident reporting procedures.

6.3.7 Security training specific to an application is the responsibility of the application owner or appropriate Information Security Representative.

6.3.8 Designated individuals will be trained to maintain computer environmental controls systems and properly respond in case these systems fail.

6.3.9 The ISM will ensure an ongoing information resource security awareness program is available to keep all users accessing computers systems up-to- date regarding new or changing security policies and responsibilities relating to their use of state information resources. ISR’s will ensure an ongoing awareness program for their systems/applications specific to their employees.

6.4

6.4.1 DEP shall have sole discretion to determine whether an information technology resource use is personal or business.

Acceptable Use of IT Resources and the Internet

6.4.2 Personal use shall not interfere with the normal performance of a worker’s duties.

6.4.3 Employees will access only information technology resources and information to which they have authorization or explicit consent.

6.4.4 Employees will refer to DEP Ethics Directive 202 regarding the use of IT resources for profit or political activities.

6.4.5 Detailed information about security configuration will only be released to authorized individual’s and\or groups.

6.4.6 Computer users shall have no expectation of privacy with respect to the contents of agency-owned or agency-managed information technology resources.

DEP 390

Page 9 of 59

March 13, 2012

6.4.7 Unencrypted and sensitive information placed on IT resources will have

appropriate security access controls in place to make sure only authorized users have access.

6.4.8 Computer users will adhere to agency computer security measures or other security controls, and will maintain the availability, integrity of information technology resources.

6.4.9 All users are expected to conduct themselves with the highest integrity in Internet communications. Use of the Internet is subject to monitoring by security and upper management. Use of the Internet is permitted as long as:

(a) Personal use of the internet will be limited to scheduled breaks and lunch hour.

(b) Employees are responsible for exercising good judgment regarding the web sites they visit.

(c) Personal use does not interfere with normal business activities.

(d) The user performs no activity that violates federal, state, or local laws or would otherwise be prohibited under rules in the Florida Administrative Code (F.A.C).

(e) The user does not deliberately use peer-to-peer file sharing, hacker web-site/software, or access web sites or chat rooms containing, material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, hate-speech, or violence; and pornography and sites containing obscene materials.

6.5

6.5.1 Access authorization shall be removed when the user’s employment is terminated or access to the information resource is no longer required.

Termination of Employment

6.5.2 Upon the voluntary or involuntary termination of an employee, or upon notification to the employee of impending termination, the owner will ensure all access authorizations are revoked and will take custody of, or ensure the safe return, modification, or destruction of all of the following items assigned, or relating, to the terminating or notified person:

DEP 390

Page 10 of 59

March 13, 2012

(a) Keys, change lock combinations, and identification badges.

(b) Change system passwords.

(c) Collect confidential data and documentation, along with operator procedures, and other program documentation and manuals.

(d) State owned computers, software, and any state issued assets\property.

DEP 390

Page 11 of 59

March 13, 2012

IT Asset Management Security Policy

Objective

To ensure accountability and maintain appropriate protection of the organization’s assets, all DEP IT assets will be accounted for and have a nominated owner. The implementation of specific controls for IT assets may be delegated by the owner as needed, but the owner remains responsible for the proper protection of the assets.

:

Control

All agency IT assets will be identified, classified, and inventoried for accountability and control of assets to catalog and track assets within the agency.

:

Scope

The scope of the IT Asset Management Security Policy applies to all employees and anyone responsible for agency IT resources and this policy includes the sections of: IT Asset Management, and Information Classification and Confidentiality.

:

Policy

7.0

:

7.1.1 To ensure information technology resources are properly maintained and accounted for, hardware and software inventories must be maintained by each division, district and office to allow ready access to the data by the respective technicians and managers. Mobile computing devices identified by the ISM must be tracked and users assigned these resources must sign a responsibility statement as established by the ISM.

Information Technology Asset Management

7.1.2 All hardware owned or managed is considered the property of the agency.

7.1.3 All data and information generated by employees for agency use is considered agency intellectual property legally owned by the agency.

DEP 390

Page 12 of 59

March 13, 2012

7.1.4 Only agency-owned/licensed and approved free-for-use software may be loaded on agency computers. Supervisors are responsible for justifying the need for standard and non-standard software requirements to their respective IT Coordinator for approval. The Service Desk must be contacted as well, to ensure the software can be supported. Software installations should only be performed by Service Desk personnel or a designee approved by the Service Desk. Trial, demo, or evaluation software temporarily installed by computer support personnel must be permanently removed within the time period specified by the vendor unless it is purchased.

7.1.5 Software, licenses, proofs of purchase, and media should be controlled by the designated software asset custodian within the respective owner of the software, in accordance with established software asset management policies. For software programs requiring the media to reside at the user’s desktop computer, the user is accountable for ensuring the media is not illegally copied and is readily available if needed by the Service Desk.

7.1.6 Copies of state-owned, leased, or licensed software should not be created, kept, or installed on any DEP computer system if such copying violates the copyright or the license agreement with the software vendor.

7.1.7 Non-agency managed and personally owned hardware or software is prohibited from being connected to or installed on agency computers unless approved by the CIO after consultation with the ISM. At no time shall confidential information be allowed to be transported or stored on a personally owned asset.

7.1.8 Unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of IT resources is prohibited.

7.1.9 All IT assets will be sanitized (Department of Defense ‘DoD’ level wiping) to remove data before release for maintenance, reuse, or disposal. If for any reason, DoD level wiping cannot be performed, other forms of acceptable methods of sanitization include using software to overwrite data on computer media (1 pass 0’s: Kill Disk), degaussing, or physically destroying media.

DEP 390

Page 13 of 59

March 13, 2012

7.1.10 Procedures for sanitization of agency-owned computer equipment will be

created and adhered to at all time.

7.1.11 File deletion and media re-formatting are not acceptable methods of sanitization.

7.1.12 Users shall take reasonable precautions to protect mobile computing devices in their possession from loss, theft, tampering, unauthorized access, and damage.

7.1.13 Employees will report loss of any IT assets immediately to the appropriate agency personnel.

7.1.14 Employees will immediately report lost security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes.

7.2

7.2.1 Information classification will categorize information technology resources according to the Federal Information Processing Standards (FIPS) Publication 199. This process estimates the magnitude of harm that would result from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource -- low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.

Information Classification and Confidentiality

7.2.2 Information and software that is deemed confidential or exempt from disclosure will be identified under provisions of applicable state and federal laws.

7.2.3 Confidential and exempt information will be protected using appropriate administrative, technical, and physical controls (e.g., passwords, user IDs, firewalls, and encryption).

7.2.4 Data owners are responsible for identifying and classifying information.

7.2.5 Procedures for handling and protecting confidential and exempt information will be referenced in the Information Security Plan.

DEP 390

Page 14 of 59

March 13, 2012

7.2.6 Agreements and procedures must be in place before sharing, handling or

storing confidential data with entities outside DEP.

7.2.7 Timely destruction of confidential information must be achieved when authorized by the applicable retention schedule, regardless of media type, to reduce the risk of unnecessary compromise.

7.2.8 Employees attending a meeting in a conference room should be cognizant of others who may overhear statements, which may be sensitive in nature, and should take appropriate action to prevent accidental disclosure.

DEP 390

Page 15 of 59

March 13, 2012

Physical and Environmental Security Policy

Objective

DEP has invested a considerable amount of budget and human capital in information technology. With this in mind, the physical and environmental conditions and work areas that may affect these resources are also important to protect and safeguard against risks and threats. Employee’s access to DEP facilities, data and phone wiring, electrical, heat, air conditioning and ventilation requirements must also be managed in a way to prevent loss, damage, or compromise to IT resources. This policy section establishes the rules and procedures that are implemented to secure physical and environmental factors around IT resources.

:

Control

This policy exists to prevent unauthorized access, damage, compromise and interference to agency premises and information, assets, agency activities, and facilities.

:

Scope

The Physical and Environmental Security Policy applies to all employees and anyone accessing agency IT resources, facilities, administrative equipment and infrastructure.

:

Policy

8.0

:

8.1.1 All personnel admitted into agency work areas must have an access control key badge (card) or be signed in by a person authorized to admit visitors. Personnel may not by-pass sign-in procedures to admit anyone to DEP facilities. Control of physical access to the work place provides protection for IT resources.

Secure Areas (Work, Production and Lab, and Off-Premises)

DEP 390

Page 16 of 59

March 13, 2012

8.1.2 During non-working hours, employees in control of sensitive information

should lock up all information when not in use, keep desks clear and secure when possible.

8.1.3 Physical controls shall be appropriate for the size and criticality of the information technology resources.

8.1.4 Access to System Administrator staff offices, telephone wiring closets, IT resources machine rooms, network switching rooms, as well as areas containing sensitive and confidential information must be physically restricted.

8.1.5 Access to the computer data centers, server rooms, and closets housing network infrastructure equipment will be restricted to those responsible for maintaining these operations or related equipment. Visitors shall be recorded and supervised where appropriate. The System Administrator is responsible for determining which vendor maintenance/service personnel may be allowed to work without staff escort.

8.1.6 Access to back up data tape storage areas will be restricted to back up data tape librarians and authorized operating personnel.

8.1.7 Management responsible for the staff working in restricted areas must ensure an appropriate access control method (receptionist, metal key and combo locks, magnetic card readers and door locks) is employed.

8.1.8 The security policies outlined in this document are also applicable at remote locations and facilities, even though the appropriate method implemented to control these areas may vary based on location or facility.

8.1.9 Sensitive information should not leave DEP premises. However, if it is necessary to remove sensitive information, in electronic format, from DEP premises, this information must be encrypted. Please see encryption standards in the Information Development and Maintenance Policy.

8.2

8.2.1 Hardware and peripheral devices must be kept safe from physical harm including accidental damage, theft, abuse, or loss. The facility and physical location of DEP IT resources (hardware and other physical

Equipment Security

DEP 390

Page 17 of 59

March 13, 2012

assets) must provide adequate protection from unauthorized access and use (theft, vandalism and sabotage, etc.), prevent damage due to environment factors (excessive amounts of heat, moisture or electrical charge), and avoid accidental physical damage. Similarly, backup tapes must be stored away from magnetic fields or electrical pulses, in addition to preventing physical damage or loss.

8.2.2 IT resources must be placed in locked cabinets, locked closets, or locked computer rooms.

8.2.3 Employees must obtain authorization before taking information technology equipment, software, or information away from the agency facility.

8.2.4 Electrical, data, and voice network wiring must be planned and installed under the supervision of authorizes individuals. Other personnel may not alter, move or remove existing wiring.

8.2.5 The temperature and humidity within a central computer room will be monitored and controlled to ensure that the operational environment conforms to the manufacturer's specifications.

8.2.6 Heating, ventilation and air conditioning facilities must be coordinated by authorized personnel. Non authorized personnel may not modify controls, settings, or implement HVAC equipment.

DEP 390

Page 18 of 59

March 13, 2012

Access Control Policy

Objective

Only authorized individuals will gain access to agency information resources to perform approved official business, while minimizing the risk and subsequent impacts of unauthorized access or effect of such. This will be achieved by restricted access privileges of all users, systems, and automated processes based upon the ‘least privilege’ concept, in which a legitimate business requirement for access is granted and authorized by the appropriate management personnel.

:

Control

These policies lay out the requirements for access to information and prevent unauthorized access to information systems to ensure protection of networked services; to prevent unauthorized computer access and activities; and to ensure information security when using remote access.

:

Scope

The Access Control Policy applies to all employees and anyone accessing agency IT resources. This policy is broken up into the following sections: Business Requirements for Access; User Access Management and Responsibility; Network Access; Passwords; Services Account and Mobile Computing and Telecomputing.

:

Policy

9.0

:

9.1.1 Procedures will be established to ensure administrative rights for information technology resources are restricted to information technology workers who have received appropriate technical training and who are authorized based on job duties and responsibilities.

Business Requirements for Access Control

9.1.2 Identify users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or

DEP 390

Page 19 of 59

March 13, 2012

devices, as a prerequisite to allowing access to agency information and information technology resources.

9.1.3 Administrative account activities shall be traceable to an individual. Each user of an information resource accessible by multiple-users will be assigned a unique user identification and password.

9.1.4 Workstations and mobile computing devices shall have enabled a screensaver secured with a complex password and with the automatic activation feature set at no more than 10 minutes unless there is a business justification for exemption and if an exemption is given the requester must provide an alternative method of securing the devices.

9.1.5 Non-DEP individuals must first be authorized by an appropriate DEP representative, within established procedures, before access is given.

9.1.6 Before non-DEP individual(s) is granted access to an IT resource, the appropriate Systems Administrator will review the request and grant access, and will notify Information Security when the access request seems inappropriate.

9.1.7 Upon the decision to terminate an employee or an employee resignation, Human Resources will follow established process and procedures to make sure that the employee’s access to facilities and IT resources is revoked in a timely manner. (See Network Access Procedures)

9.1.8 Access accounts assigned to an individual will not be used in automated production programs, queries, scripts, or other automated system or operational processes. Instead request a service account for automated access to IT resources.

9.1.9 Modifying, changing, or updating access privileges to DEP IT resource via shared passwords or group accounts is prohibited.

9.1.10 Only Administrators will have authority to change permission levels on servers, network devices, server directories or folders, databases, or other IT resource.

9.1.11 Access privileges for accounts that have been found to be inactive for more that 60 days will be disabled.

DEP 390

Page 20 of 59

March 13, 2012

9.1.12 Access privileges will be set according to a ‘minimum security’ principle in which the level of access provided syncs up with the job functionality. System administrators are required to deploy technologies and procedures to enforce access restriction outlined in this policy.

9.1.13 Security requirements for network connection resources must include consideration for the interaction resources have with other systems on the network and internet.

9.2

9.2.1 Employees may not hack, capture, or otherwise obtain passwords, encryption keys or any other access control mechanism without approval from Information Security. Employees found to have violated this directive will be subject to immediate disciplinary action, including termination of employment.

User Access Management and Responsibility

9.2.2 Employees will not attempt to access data or programs housed on IT resources that are not part of their job function, and where authorization or explicit consent has not been granted.

9.2.3 Users will be held accountable and responsible for activities that occur under their assigned user ID.

9.2.4 Employees shall not share their agency accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes.

9.2.5 Workers shall be authorized access to IT resources based on the principles of “least privilege” and “need to know.”

9.2.6 Data Owner will review access rights every 6 months based on risk, access account change activity, and error rate.

9.2.7 Accounts with administrative rights must be created, maintained, monitored and removed in a manner that protects information technology resources.

DEP 390

Page 21 of 59

March 13, 2012

9.2.8 Data Owners are responsible for authorizing access to information.

9.3

9.3.1 A computer user access to the network will have a unique user account ID and password.

Network Access Control (Login\Logout)

9.3.2 System Administrators need to ensure accounts with administrative rights are created, maintained, monitored and removed in a manner that protects information technology resources. (See Network Access Procedures)

9.3.3 To ensure compliance with agency security policies prior to allowing access to the network, a network connection agreement must be executed between DEP and non agency entities.

9.3.4 Network Administrators will maintain a centralized file of network connection agreements.

9.3.5 Wireless access into the agency network shall require user-authentication.

9.3.6 Scripts implementing automated access that attempts to bypass subsequent authentication or apply blanket authentication to multiple machines that are attached to the network are not permitted.

9.3.7 Where systems have the capability, IT resources will record all login and logout attempts.

9.3.8 Personnel must logout, sign out, or lock out access to their workstations for all IT resources when leaving there work area or going off shift.

9.4

9.4.1 All IT resources connected to the network, either permanently or intermittently must have password access controls.

Passwords

9.4.2 Passwords assigned to individuals must not be shared or revealed to anyone including a supervisor, upper management, or technical support personnel unless the employee consents to the request.

DEP 390

Page 22 of 59

March 13, 2012

9.4.3 Passwords must be changed immediately after a security breach has been

detected to the affected systems.

9.4.4 If there is any reason to believe that a password has been disclosed to anyone other than the authorized user or compromised in any way, the appropriate administrator(s) will immediately change the password.

9.4.5 Default, initial, or reset passwords will not use or contain simple passwords like ‘newuser1’, or ‘password1’ in any form or order and must be changed after first login.

9.4.6 As the system software permits, an initial or reset password issued to a user will be valid only for the user’s next log in. After that, the user must be prompted to change their password.

9.4.7 Passwords will not be stored in readable form (clear text) in batch files, automatic login scripts, software macros, or terminal function keys, nor sent unencrypted in email messages.

9.4.8 Passwords must never be written down.

9.4.9 Passwords must be strong and complex in design and will have these minimum characteristics:

(a) A length of 8 characters for operating systems and 10 characters for servers.

(b) Contain both upper and lower case letters and include numbers and\or special characters (e.g., 0-9!@#$%^&*(){}[] :”;’<>?,./).

(c) Will not consist of dictionary words in any language, slang, dialect, or jargon.

9.4.10 Passwords for IT resources will be set to expire every 90 days. However, Administrators and Information Security may schedule password changes more frequently.

9.4.11 Passwords will not be reused within a two year period.

9.4.12 Privileged user IDs and passwords are not to be hard coded or saved in scripts, login procedures or databases. These login procedures must

DEP 390

Page 23 of 59

March 13, 2012

require an individual to authenticate before a script or login procedure can be run.

9.4.13 User accounts will be suspended after three unsuccessful attempts to enter a password, within a 15 minute time period, and will require the password to be reset by the appropriate administrator.

9.4.14 After three failed attempts to access a resource by a service account, an alert email will be sent to the System Administrator. Furthermore, an alert should also be sent to Information Security when a service account has attempted to login to a computer or domain.

9.4.15 Information Security will review failed attempts to determine if there is a malicious user behind it and will pursue Office of Inspector General (OIG) and Office of General Counsel involvement if required.

9.5

9.5.1 Service accounts must be maintained in a manner that protects information technology resources.

Service Accounts

9.5.2 Service accounts may be exempted from agency password expiration requirements.

9.5.3 Service accounts shall not be used for interactive sessions.

9.5.4 Service accounts will be established for all production processes that require access to system resources that are account and password protected.

9.5.5 For automated access to IT resources, System Administrators must request and use service accounts.

9.6

9.6.1 Employees must take reasonable precautions to protect mobile computing devices in their possession from loss, theft, tampering, unauthorized access, and damage.

Mobile Computing and Remote Access Control

DEP 390

Page 24 of 59

March 13, 2012

9.6.2 Mobile computing devices shall require user authentication before access

is allowed on the device when used in a mobile, non-DEP network environment.

9.6.3 Mobile computing devices containing confidential information shall be encrypted using agency-approved encryption software or methods.

9.6.4 Mobile computing devices must be firewall protected when connected to a non-agency network.

9.6.5 Mobile computing devices shall be issued to and used only by agency-authorized users.

9.6.6 Users may remotely connect computing devices to the agency network only through agency-approved, secured remote access methods.

9.6.7 Remote access to IT resources will be granted only to personnel who have a justified business need. Remote access that is granted will be reviewed annually.

9.6.8 Remote access client connections shall not be shared.

9.6.9 Only authorized IT personnel may provide VPN addresses.

9.6.10 All remote access connection will pass though a firewall or Remote Access Server (RAS) and require user authentication before reaching a login prompt or banner.

9.6.11 Confidential information transmitted over the Internet must be encrypted.

DEP 390

Page 25 of 59

March 13, 2012

Network and Operations Management Policy

Objective

The Network and Operation Management Policy is designed to protect the operating environment and network in ‘real-time’. These policies are developed to also promote a stable and consistent service for all IT resources. The guidelines to this policy are to maintain the integrity and availability of information; ensure the protection of information in networks, including those networks that may span agency boundaries; maintain the security of information and software exchange within the agency; and make sure that systems are audited and monitored for unauthorized information processing activities.

:

This policy for securing IT resources is intended to be a reference to which Administrators must adhere but is not indented to circumvent Administrators’ use of sound judgment and creativity in matters of security.

Control

DEP will monitor, control, and protect agency information when transmitted across the agency’s network infrastructure.

:

Scope

The Network and Operations Management policy applies to all personnel and anyone using agency IT resources. This policy is broken up into the following sections: Operational Management and Responsibilities; Network Security Management; Backup and Recovery; Exchange of Information; and Audit and Monitoring

:

Policy

10.0

:

10.1.1 Virus checking software must be approved by the Office of Technology and Information Services (OTIS) and will be deployed on all systems susceptible to virus, and on all servers. These programs must be continuously enabled, updated and configured so non-Administrators

Operational Management and Responsibilities

DEP 390

Page 26 of 59

March 13, 2012

cannot disable them. Externally supplied software media may not be used on any computer running a Windows or Linux\Unix operating system unless it has been virus scanned. Furthermore, personnel may not intentionally write, generate, compile, copy, collect, propagate, execute, or attempt to introduce computer code designed to self-replicate, damage, or otherwise hinder the performance of or access any IT resource. (Please see Virus Protection Services documentation for more information)

10.1.2 Installed computer operating system and application hot fixes, service releases, and patches shall be installed on applicable computer systems in a timely manner in accordance with agency patch management guidelines. The status of these maintenance updates shall be maintained to facilitate the task of ensuring required updates are completed for all applicable systems within the designated timeframe. The National Institute of Standards and Technology (NIST) procedures for Handling Security Patches, Special Publication 800-40, shall be used as a guide.

10.1.3 The login prompt for IT resources must not reveal specific information about the agency, the network configuration, or other internal information until the user has successfully logged in.

10.1.4 In the case of login failure, the user must not be given any specific feedback indicating the source or type of failure, but instead just be informed that the process has failed.

10.1.5 Except in designated test environments, Tier 2 Service Desk support is responsible for the installation, download, or upgrade of all operating systems and application software on DEP IT resources.

10.1.6 The application development, test, and production infrastructure must be physically or logically separated.

10.1.7 Information technology resources shall be validated as conforming to agency standard configurations prior to production implementation.

10.1.8 Production confidential data shall not be used for testing or development. Copies of production data will not be used for testing unless the data has been desensitized or unless all personnel involved in testing are otherwise authorized access to the data.

DEP 390

Page 27 of 59

March 13, 2012

10.1.9 All program changes will go through change control management

procedures and be approved before implementation to determine whether they have been authorized, tested, and documented.

10.1.10 Development and test environments will not be permitted to establish connection with any production resource except under tight change control procedures. Any ongoing access between these environments and production must be documented and presented to the ISM for approval for continued use.

10.1.11 System Administrators should meet regularly to develop policies, discuss problems, and share information that may concern administrators for differing operating systems, platforms, or locations.

10.1.12 System Administrators who are asked to coordinate building or moving IT resources for which another administrative group has some responsibility to that resource must notify the other group and cooperate with that group for a successful implementation.

10.1.13 Desktop support will design minimum configuration images for desktop and laptops for each business unit so that all implementations of the operating system and application suite for a particular job function are identical.

10.1.14 System Administrators will devise a standard build process and minimum security configuration, and ensure implementation is identical for servers sharing the same process and functionality.

10.1.15 OTIS will develop and publish a list of approved and supported applications for agency desktop, laptop and server computers sorted by business units.

10.1.16 Job functions susceptible to fraudulent or other unauthorized activities must have ‘separation of duties’ so that no individual has the ability to control the entire process of those functions.

10.2

10.2.1 Computer users will not disable, alter, or circumvent agency workstation security measures.

Network Security Management

DEP 390

Page 28 of 59

March 13, 2012

10.2.2 No privately-owned devices (e.g., MP3 players, USB storage device of any

size, printers) shall be connected to state-owned information technology resources without documented agency authorization.

10.2.3 Firewall and router configuration standards must be established and include a current and complete network diagram with IP addresses and subnet masks.

10.2.4 Where possible, hardware firewalls will be preferred to software firewalls for connections. If a software firewall must be used, the host on which it runs must be hardened.

10.2.5 All connections of the internal network to external networks must be under the protection of a firewall. Demilitarized Zone (DMZ) networks require firewalls to protect their hosts from outside attacks, and their connections to other internal networks must have firewall protection.

10.2.6 Firewalls will be configured based on the level of risk imposed by the established connection.

10.2.7 Users must not extend or re-transmit network services in any way. This means no router, switch, hub, or wireless access point may be connected to the agency network without OTIS approval.

10.2.8 Clients connected to the agency network shall not be simultaneously connected to any other network.

10.2.9 Only agency-owned or agency-managed information technology resources may connect to the agency network; and only agency-owned or agency-managed mobile storage devices are authorized to store agency data.

10.2.10 Whenever resources are available, a risk assessment will be performed prior to introducing a new technology or application to the network.

10.2.11 Network access to an application containing critical or confidential data, and data sharing between applications, will be as authorized by the application owners and will require user authentication validation.

10.2.12 Owners of information resources served by networks will prescribe sufficient controls to ensure access to network services, host services, and their subsystems are restricted to authorized users and uses only. These controls will selectively limit services based upon: (1) User identification

DEP 390

Page 29 of 59

March 13, 2012

and authentication (e.g., password) or (2) Designation of other users, including the public where authorized, as a class (e.g., public access through dial-up or public switched networks), for the duration of a session.

10.2.13 Authorization at network entry on the basis of valid user identification code and authentication (e.g., password) will be provided under the framework of network services and controlled by the network management program.

10.2.14 Network folders must be established with the basic level of ‘Read’ permission for everyone not authorized with other folder level permissions for that folder, unless the folder has established Access Control Lists.

10.2.15 Only folder administrators can change folder access privileges.

10.2.16 Wireless access into the agency network shall require user-authentication.

10.2.17 Only agency approved wireless devices, services, and technologies may be connected to the agency network.

10.2.18 Network Administrators of wireless environments will change wireless vendor defaults, including default encryption keys, passwords, and SNMP community strings, and ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

10.2.19 Wireless transmission of agency data shall be encrypted using industry best practices to implement strong encryption for authentication and transmission.

10.3

10.3.1 Confidential information sent by a messaging functionality will be encrypted.

Exchange of Information

10.3.2 Electronic transmission of confidential information will be encrypted when the transport medium is not owned or managed by the agency.

10.3.3 Passwords must be encrypted when transmitted across or stored on IT assets to prevent compromise.

DEP 390

Page 30 of 59

March 13, 2012

10.3.4 Agreements and procedures must be in place for sharing, handling or

storing confidential data with entities outside the agency.

10.3.5 While in transit, information which is confidential or information which in and of itself is sufficient to authorize disbursement of state funds will be encrypted if pending stations, receiving station, terminals, and relay points are not all under positive state control, or if any are operated by or accessible to personnel who have not been authorized access to the information, except under the following conditions:

(a) The requirement to transfer such information has been validated and cannot be satisfied with information which has been desensitized.

(b) The Secretary has documented the acceptance of the risks of not encrypting the information based on evaluation of a risk analysis, which evaluates the costs of encryption against exposures.

10.3.6 Under no circumstance shall two networks be connected (this includes peer to peer traffic). A simultaneous connection between DEP network and a non-DEP network connection (e.g., Comcast or other cable modem is considered a network connection) poses a security risk to the agency network from hackers and computer virus attacks.

10.3.7 Internal-to-Internal VPNs are not allowed under any circumstances.

10.3.8 The establishment of any VPN allowing access to DEP’s internal network requires written approval by the ISM and Network Administrator.

10.3.9 Employees will follow established guidelines for acceptable use of email and other messaging resources.

10.3.10 It is inappropriate to use email or other messaging functions for the distribution of malware, forging headers, propagate “chain” letters, and auto-forwarding agency messages to a non-agency address.

10.3.11 Employees shall use only approved electronic mail services. Approved e-mail services may not be used for unlawful activities, commercial purposes not under the auspices of the agency, personal financial gain or uses that violate other agency policies or guidelines.

DEP 390

Page 31 of 59

March 13, 2012

10.3.12 Employees shall not use e-mail services to represent, express opinions, or

otherwise make statements on behalf of the Department or any unit of the agency unless authorized to do so.

10.3.13 Employees shall not use e-mail services for purposes that could reasonably be expected to cause, directly or indirectly, excessive strain on any computing resources, or unwarranted or unsolicited interference with the use of e-mail or e-mail systems by others (e.g., animated email signatures).

10.3.14 Both the law and DEP policy prohibit the theft or abuse of computing resources. These prohibitions apply to electronic mail services and include unauthorized entry, use, transfer, or tampering with the accounts and files of others, interference with the work of others and with other computing resources or facilities.

10.3.15 Employees shall not use e-mail services to access, send, store, create or display inappropriate or illegal content, including sexually suggestive or explicit material, gambling, profanity, political activities, obscenity, harassment or discrimination regarding age, race, color, sex, religious belief, national origin, political opinion or disability.

10.3.16 Employees shall not send mass e-mails unless authorized. This restriction does not preclude an employee from sending multiple e-mails to a finite group for official business. Large attachments with graphics, streaming video, or sound effects are discouraged.

10.3.17 Employees will delete unsolicited e-mails.

10.3.18 Electronic mail is subject to the full range of laws applying to other communications, including copyright, breach of confidence, defamation, privacy, contempt of court, harassment, anti-discrimination legislation, the creation of contractual obligations, and criminal laws.

DEP 390

Page 32 of 59

March 13, 2012

10.4

10.4.1 The minimum requirements for audit logging of all IT resources are:

Audit and Monitoring

(a) Login and Logout

(b) Source IP\Workstation Name

(c) Time stamp

10.4.2 OITS will implement procedures to protect the integrity and confidentiality of audit logs.

10.4.3 OTIS will create, protect, and retain audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information and information technology resource activity.

10.4.4 The agency ISM, Inspector General (IG), Information Security Specialist or other specifically authorized personnel shall be granted access to review audit logs containing accountability details.

10.4.5 OTIS and Information Security reserve the right to audit the use of all IT resources to ensure compliance with this Security Policy. Auditing of IT resources may include, but not limited to, inspection of users access rights, examination of users access logs and electronic monitoring of users access by approved software tools.

10.4.6 All employee accounts, workspaces and storage areas are subject to periodic security audits. OTIS and Information Security may review archived electronic mail, private file directories, hard disk drives, and other information stored on agency information systems.

10.4.7 Audit activity will be periodic and\or event driven to assure compliance with internal policies, support the performance of internal investigations, and assist the management of information systems.

10.4.8 Employees suspected of misuse or violation may have their computer activity logged for further action.

DEP 390

Page 33 of 59

March 13, 2012

10.4.9 All monitoring will be logged and available to management upon request.

10.4.10 To the extent that systems and software permit, all significant security related events will be logged. Examples of security related events may include: User-ID switching during an on-line session, attempts to guess passwords, privilege escalation, and modification to production application software, system software or user privileges.

10.4.11 System and security logs containing production IT resource security events will be retained for at least 3 months on a specified server and have limited access by only authorized personnel.

10.4.12 A sufficiently complete history of transactions shall be maintained for each session involving access to critical information to permit an audit of the system by tracing the activities of individuals through the system.

10.4.13 OTIS and Information Security will establish procedures to ensure regular review of system activity logs.

10.4.14 ISM or designee shall be provided access to monitor any agency information technology resources.

10.4.15 Use of information technology resources constitutes consent to monitoring activities whether or not a warning banner is displayed.

10.4.16 Monitoring, sniffing, and related security activities shall be performed only by Information Security or designee based on job duties and responsibilities.

10.4.17 Technology managers shall monitor technology resources to ensure desired performance and facilitate future capacity-based planning.

10.4.18 OTIS will monitor for unauthorized information technology resources connected to the agency network. Unauthorized access points connected to the agency network shall be removed immediately.

DEP 390

Page 34 of 59

March 13, 2012

Application Security Policy

Objective

Computer security needs must be addressed as part of the Information Systems Development Methodology (ISDM) when developing new or making modifications to existing applications if the system or data affected by these applications must be protected from accidental or malicious access, use, modification, destruction or disclosure. Furthermore, to adequately protect DEP information systems, OTIS will employ system development life cycle processes that incorporate information security considerations; employ software usage and installation restrictions; and ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

:

Control

Appropriate security controls will be designed into applications, including user developed application to ensure correct processing of data. These controls will include validation of input data, internal processing and output of data, and adherence to strict coding guidelines.

:

Scope

The Application Security Policy applies to all employees and anyone using agency IT resources. This policy has two sections: Application Security and Coding and Code Review.

:

Policy

11.0

:

11.1.1 Application developers will develop procedures to ensure application security is addressed throughout the application procurement process and/or application development lifecycle.

Application Security

11.1.2 Application owners are responsible for defining application security-related business requirements.

DEP 390

Page 35 of 59

March 13, 2012

11.1.3 The application development team shall implement appropriate security controls to achieve the security requirements of the application owner and implement appropriate security measures to minimize risks to agency information technology resources.

11.1.4 OTIS will implement procedures to establish accountability for accessing and modifying mission critical applications.

11.1.5 A final application security review must be approved by the application owner, ISM and the CIO, or their respective designees, before an application is placed into production.

11.1.6 The application maintenance process shall include reviews of application security requirements and controls to ascertain effectiveness and appropriateness relative to new technologies and applicable state and federal regulations.

11.1.7 Application security documentation shall be maintained by the application owner and be available to the ISM.

11.1.8 For applications and technologies housed in a primary data center, an application security review shall be approved by the data center ISM (or their respective designees) before the new or modified application or technology is placed into production.

11.1.9 All software applications obtained, purchased, leased, or developed provide appropriate security controls to minimize risks to the confidentiality, integrity, and availability of the application, its data, or other information technology resources.

11.1.10 Before new in house or 3rd party vendor applications are implemented in production, they must undergo a security risk assessment. OTIS and Information Security can make arrangements for the assessment and should require documentation of the new application’s interface with the existing production environment. The assessment team will need information about which IT resources are involved, data flows, and Transmission Control Protocol\User Datagram Protocol (TCP\UDP) ports employed and data flows across the Internet. Software applications like Office, Adobe Acrobat, QuickTime, etc, do not have to undergo the risk assessment.

DEP 390

Page 36 of 59

March 13, 2012

11.1.11 Technology managers shall restrict and tightly control the use of utility

programs that may be capable of overriding system and application controls.

11.2

11.2.1 Developers should follow the approved coding standards, which provide for a consistent code base for developed applications:

Coding, Code Review and Classification (Protection from Malicious Code)

(a) Open Web Application Security Project for web based applications.

(b) CERT Secure Coding Standards from Carnegie Mellon for C, C++, and Java.

11.2.2 Application developers must incorporate validation checks into applications to detect data corruption that may occur through processing errors or deliberate actions.

11.2.3 All application will adhere to the Federal Information Processing Standards (FIPS) 199 categorization based on the criticalness to the agency’s mission and service deliveries.

11.2.4 Source code is to be reviewed throughout the application development, on regular bases as defined by the application owner, for deficiencies in the areas of security, reliability and operations.

DEP 390

Page 37 of 59

March 13, 2012

Information Development and Maintenance Policy

Objective

Information Development and Maintenance is the policy section that provides the framework for configuration management and will ultimately limit the exposure of production systems and other environments to vulnerabilities or inaccurate deployments. Information Security will periodically assess security controls to determine their effectiveness and appropriateness. Based on these assessments, Information Security will develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in information and information technology resources. It is not the intent of this policy to limit the creativity or productivity that application developers and system administrators have traditionally enjoyed, only to provide some context for engineering a more secure production environment.

:

Control

Information systems include operating systems, infrastructure, applications, off-the-shelf products, services and user developed applications. The design and implementation of information systems supporting the agency can be critical for security. Security requirements, risk analysis and maintenance will be identified prior to the development and implementation of information systems

:

Scope

The Information Development and Maintenance Policy extend to all employees and anyone using agency IT resources. This policy is broken up into the following sections: Security Requirements, Encryption, Risk and Vulnerability Management and Maintenance.

:

Policy

12.0

:

12.1.1 OTIS will develop, document, periodically update, and implement system security plans for information and information technology resources.

Security Requirements for Information Systems

DEP 390

Page 38 of 59

March 13, 2012

System security plans describe the security controls in place or planned for information technology resources and the rules of behavior for individuals accessing the information and information technology resources.

12.1.2 System Security Plans shall document controls necessary to protect production data in the production infrastructure and copies of production data used in non-production infrastructures.

12.1.3 Implement service level agreements for technology services within the agency and with 3rd

12.1.4 Establish and maintain baseline configurations and inventories of information technology resources (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

party vendors when appropriate to ensure appropriate security controls are established and maintained.

12.1.5 Identify and document information technology resources and associated owners and custodians.

12.1.6 Standard hardware and software configurations should be used to address vulnerabilities and must be consistent with industry ‘best practices’ when appropriate.

12.1.7 At a minimum, mobile computing devices and mobile storage devices shall conform to the following configurations:

(a) Mobile computing and storage devices used with confidential information require encryption.

(b) Mobile computing devices connecting to the agency network shall use current and up-to-date anti-virus software (where technology permits).

(c) Agency mobile computing devices shall activate an agency-approved personal firewall (where technology permits) when connected to a non-agency network.

(d) Only agency-approved software shall be installed on state mobile computing devices.

DEP 390

Page 39 of 59

March 13, 2012

12.1.8 Databases containing mission critical or confidential data shall be placed in

an internal network zone, segregated from the DMZ.

12.1.9 A change management process for modifications to production information technology resources will be created and maintained.

12.1.10 Access to production IT resources for the purpose of troubleshooting, deploying code, or running ad hoc queries must be coordinated and scheduled to undergo the change management process.

12.1.11 Changes to production server applications must follow established change control procedures and must be completed by the appropriate personnel.

12.1.12 Design of ad hoc database queries that modify data in a production database must be approved and certified by a Database Administrator before they can be used by any production IT resource. Controls shall be established to ensure the accuracy and completeness of data.

12.1.13 Changes to DEP’s internal, business partner gateway, and Internet gateway networks, such as loading of a new router or switch, changing of network addresses, configuring routers or switches, or installing new network hardware or connectivity must follow establish change management process.

12.2

12.2.1 Data that is considered sensitive, business critical or vulnerable to unauthorized disclosure of modification during transmission or while in storage should be encrypted. Owners of sensitive information must analyze the risk and determine whether to use cryptographic protection following these guidelines.

Encryption

12.2.2 Standard algorithms such as RSA (algorithm by Ron Rivest, Adi Shamir and Leonard Adleman) Advance Encryption Standard (AES), National Institute of Standards and Technology (Sha-2), Blowfish, Elliptic Curve Cryptography (ECC), and ElGamal and International Data Encryption Algorithm (IDEA) will be used as the basis for approved encryption technologies.

12.2.3 Encryption key lengths must be at least 128 bits or stronger.

DEP 390

Page 40 of 59

March 13, 2012

12.2.4 The use of proprietary encryption algorithms are not allowed for any

purpose, unless reviewed by qualified experts outside of the proprietary vendor and approved by Information Security.

12.2.5 OTIS will establish procedures to ensure agency cryptographic implementations are developed and maintained according to federal guidelines.

12.2.6 Key management processes and procedures for cryptographic keys used for encryption of confidential data will be fully documented and will cover key generation, distribution, storage, periodic changes, compromised key processes, prevention of unauthorized substitution.

12.2.7 Key management processes must be in place and verified prior to encrypting data at rest (including email messages, data files, hard drives, data backups).

12.3

12.3.1 Information Security will periodically assess the risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals, resulting from the operation of agency information and information technology resources and the associated processing, storage, or transmission of agency information.

Risk and Vulnerability Management

12.3.2 Information Security shall implement a documented risk management program, including risk and vulnerability assessments on information resources including, but not limited to, applications, operating systems, and processes and procedures.

12.3.3 OTIS will comply with AEIT’s Office of Information Security and will coordinate a comprehensive Security Program assessment to be conducted every three years.

12.3.4 The ISM shall monitor and document risk mitigation implementation and submit risk assessment findings to the AEIT Office of Information Security (OIS).

DEP 390

Page 41 of 59

March 13, 2012

12.3.5 The ISM will ensure that risk mitigation plans to reduce identified risks to

agency information technology resources and data are properly implemented.

12.3.6 Documentation of the information security risk analysis and risk mitigation plans is confidential pursuant to Section 282.318, Florida Statutes, except that such information shall be available to the agency Inspector General, the Auditor General, and the Agency for Enterprise Information Technology.

12.3.7 System Administrators, Application Owners and Database Administrators are responsible for the implementation of security procedures within their processes to protect agency information from loss, destruction, and unauthorized or improper modification.

12.3.8 Information Security should ensure that a risk analysis is performed prior to introducing a new technology and a risk analysis prior to modifying current technology, systems, or applications.

12.3.9 Information Security will identify and correct gaps in processes and procedures and information technology resource related to this security policy and the vulnerabilities created in a timely manner.

12.4

12.4.1 System Administrators will perform periodic and timely maintenance on agency information and information technology resources and shall provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information and information technology resource maintenance.

Maintenance

12.4.2 Information technology resources are to be correctly maintained to ensure continued availability and integrity.

12.4.3 Administration of hardware, software, or applications performed over a network shall be encrypted where technology permits.

DEP 390

Page 42 of 59

March 13, 2012

12.4.4 The application maintenance process shall include reviews of application

security requirements and controls to ascertain effectiveness and appropriateness relative to new technologies and applicable state and federal regulations.

12.4.5 Service level agreements for technology services will be implemented to ensure appropriate security controls are established and maintained.

DEP 390

Page 43 of 59

March 13, 2012

Information Security Incident Management Policy

Objective

Formal event reporting and escalation procedures must be in place and all employees and contractors will be aware of these procedures for reporting the events and weaknesses that might have an impact on the security of DEP IT assets. All employees and contractors will be required to report any actual or suspected information security events (however minor in nature) and as quickly as possible to the Service Desk.

:

Control

Information Security Incident Management Policy is established to ensure information security events and weakness associated with information systems are communicated in a manner allowing timely corrective action to be taken by the appropriate computer response personnel.

:

Scope

Information Security Incident Management Policy applies to all employees and anyone using agency IT resources. This policy is broken into the following section: Management of Information Security Incident and Reporting. For further information regarding information security incident please see: “Computer Security Incident Response Team Guidelines.”

:

Policy

13.0

:

13.1.1 OTIS will establish an operational Computer Security Incident Response Team (CSIRT) and document associated procedures to ensure adequate preparation, detection, analysis, containment, recovery, and response activities. The Computer Security Incident Response Team (CSIRT) will respond to suspected computer security incidents by identifying and controlling the incidents, notifying designated CSIRT responders, and reporting findings to agency management.

Management of Information Security Incidents and Reporting

DEP 390

Page 44 of 59

March 13, 2012

13.1.2 The CSIRT Team will track, document, and report incidents to appropriate

agency officials, and other State and/or law enforcement authorities according to AEIT OIS guidelines.

13.1.3 The CSIRT membership shall include at least one individual from the agency’s legal, human resources, inspector general, and information technology areas, as well as the Chief Information Officer and Information Security Manager.

13.1.4 The CSIRT under the direction of the Chief Information Officer, Inspector General or Information Security Manager, shall determine the appropriate response required for each suspected computer security incident.

13.1.5 Information Security must be notified of any suspected or confirmed computer security incidents, including suspected or confirmed breaches, within 24 hours of discovery.

13.1.6 Computer security incident documentation is exempt from public disclosure, pursuant to Section 282.318, Florida Statutes.

13.1.7 The CSIRT shall convene at least once a quarter.

13.1.8 The CSIRT shall provide regular reports to the agency Chief Information Officer.

13.1.9 Each suspected computer security incident, including findings and corrective actions, shall be documented and maintained as specified in the agency computer security incident procedures. The computer security incident response process will include notification procedures to be followed for incidents where investigation determines non-encrypted personal information was, or is reasonably believed to have been, accessed by an unauthorized person, pursuant to Section 817.5681, Florida Statutes.

13.1.10 Suspected computer security incidents shall be reported according to the Employee Computer Incident Reporting procedure.

13.1.11 Agency workers shall report loss of mobile devices immediately to the appropriate agency personnel.

DEP 390

Page 45 of 59

March 13, 2012

Business Continuity Management Policy

Objective

The Business Continuity Management Policy is the policy that establishes the standards for the protection of enterprise resources should a disaster strike and to help minimize the impact on DEP and recover from a loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and malicious actions) to an acceptable level through the combination of preventive and recovery controls. This policy will aide DEP to identify the critical agency business process and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transportation and facilities.

:

Control

To counteract interruption to DEP’s activities and to critical DEP process from the effect of major failures and\or disasters, OTIS will establish, maintain, implement, and test plans for backup/standby/redundant operations and disaster recovery of DEP information and information technology resources to ensure the availability of critical information technology resources and continuity of operations in emergency situations.

:

Scope

Understanding the risks DEP is facing in terms of probability and impact in time, including an identification and prioritization of critical processes, a managed level of service will be developed and maintained for business continuity throughout the agency and will apply to all employees and anyone using agency IT resources. This policy is broken up into the following sections: Business Continuity Management and Backup and Recovery.

:

Policy

14.0

:

Business Continuity Management

DEP 390

Page 46 of 59

March 13, 2012

14.1.1 Information technology resources identified as critical to the continuity of

governmental operations shall have documented disaster recovery plans to provide for the continuation of critical agency functions in the event of a disaster.

14.1.2 Information Technology Disaster Recovery Plans (ITDRP) shall be tested at least annually; results of the annual exercise shall document those plan procedures that were successful and what work is required to correct the plan.

14.1.3 All OTIS IT resources will be subject to a business impact analysis based on the consequences of disasters, security failures, loss of service and service availability.

14.2

14.2.1 Data and software essential to the continued operation of critical agency functions shall be mirrored to an off-site location or backed up regularly with a current copy stored at an off-site location.

Back Up and Recovery

14.2.2 To prevent loss of data, agency users shall ensure agency data stored on workstations or mobile devices is backed up.

14.2.3 The agency shall ensure security controls over backup resources are appropriate to the criticality and confidentiality of the primary resources.

14.2.4 All sensitive, valuable, or critical information that is resident on DEP computer systems and networks must be periodically backed up. System Administrators working with application owners must define which information should be backed up, the frequency of backups and the method of backups.

14.2.5 Backup and archival media must be stored on a separate location from the system being backed up.

DEP 390

Page 47 of 59

March 13, 2012

Compliance Policy

Objective

Compliance is the policy section that provides the context for the implementation and adherence of security policies. These policies set the framework and standards at DEP, and allows for these policies to be monitored by Information Security. If employees do not follow these policies and do not obtain an authorized exception, then violations and disciplinary action will occur.

:

Control

The Compliance Policy was created to avoid breaches of any criminal or civil law, statutory, contractual obligation and security requirements; to ensure compliance of the security policies and standards; and to maximize the effectiveness of these policies in regards to agency IT resources.

:

Scope

The Compliance Policy applies to all employees and contractors and to anyone using agency IT resources. This policy contains two sections: Compliance and Exceptions to Security Policy.

:

Policy

15.0

:

15.1.1 All employees and contractors must read, understand and comply with this Information Security Policy.

Compliance

15.1.2 Employees and contractors failing to comply with agency security policies and procedures are subject to disciplinary action appropriate to the violation up to and including termination and/or criminal prosecution.

15.1.3 Employees and contractors are responsible for complying with applicable State and Federal security rules and laws.

DEP 390

Page 48 of 59

March 13, 2012

15.1.4 Employees and contractors will agree in writing, to comply with agency

acceptable use policies prior to using agency information technology resources.

15.1.5 Non-compliant employees, discovered in a routine Security Audit, or in the course of work, may have their access privileges temporarily revoked.

15.2

15.2.1 Limitations in resources and technical capabilities may prevent full compliance with some of the security requirements without introducing unacceptable business delays or work stoppage. When such cases arise, an Information Security Exception Request form must be submitted to the appropriate ISR for eventual ISM or Information Security approval. Approved exceptions shall be maintained by the ISM and regularly reviewed. When an exception is no longer valid, the ISM shall revoke the exception and the requester must come into full compliance in a timely manner. If the agency cannot comply with a state information security policy, the ISM will coordinate with the agency head to obtain the state’s approval for an exception

Exceptions to the Security Policies

15.2.2 Personnel may not proceed with the exception until the ISM or Information Security has confirmed in writing that the exception has been approved, and has outlined any attached conditions.

DEP 390

Page 49 of 59

March 13, 2012

Glossary

Access – the ability to acquire, read, write, or delete data or information; make use of an information technology resource; enter a room or facility.

Access Control – the enforcement of specified authorization rules based on user or system authentication.

Access Point – is a station that transmits and receives data (for example, a wireless access point).

Accountability – the principle stating that a specific action is traceable to a unique individual.

Agency worker – see Worker.

Agency-approved software – is software that has been reviewed and deemed acceptable by the agency for use with agency information technology resources.

Agency-managed device – a device that is not owned by the agency, but that is declared by the device owner and accepted by the agency to be compliant with agency standard configurations.

Anti-malware software – is software that detects and removes malicious software from a computer or network stream.

Application – information resources designed to satisfy a specific set of user requirements.

Application development life cycle (ADLC) – is a set of procedures to guide the development and modification of production application software and data items. A typical ADLC includes design, development, quality assurance, acceptance testing, maintenance, and disposal (also known as System Development Life Cycle – SDLC).

Application development team – is the entire set of people responsible for planning, designing, developing, installing, and maintaining applications. The roles represented include project managers, analysts, computer programmers, database administrators, data administrators, system administrators, network administrators, etc.

DEP 390

Page 50 of 59

March 13, 2012

Application owner – the business unit that requested the application be developed and/or purchased; the individual (usually a manager) from the business unit(s) for which an application is acquired who has responsibility and authority to make decisions related to the application, such as requirements, deliverable approvals, access, etc.

Application security review – an evaluation of an application’s security requirements and associated controls (planned or implemented) with the goal of determining if controls are sufficient to minimize risks to the confidentiality, integrity, and availability of the application, its data, or other information technology resources.

Audit logs – documentation of activity within a system incorporating, at a minimum, date, time, action, and user account associated with the action.

Authentication – the process of verifying that a user, process, or device is who or what it purports to be. Techniques for authentication fall into categories as follows:

(a) Something the user knows, such as a password or PIN;

(b) Something the user has, such as a smartcard or ATM card; and

(c) Something that is part of the user, such as a fingerprint, voice pattern or retinal scan.

Authorization – official or legal permission or approval.

Availability – the principle that authorized users have timely and reliable access to information and information technology resources.

Breach – unlawful and/or unauthorized access of computerized data that materially compromises the security, confidentiality, or integrity of personal information.

Chief Information Officer (CIO) – the person appointed by the agency head that coordinates and manages the agency information technology functions and responsibilities.

Compensating Control – a management, operational, or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control that provides an equivalent or greater level of protection for an

DEP 390

Page 51 of 59

March 13, 2012

information system and the information processed, stored, or transmitted by that system.

Complex password – a password that is at least eight characters and is comprised of at least three of the following categories: uppercase English letters; lowercase English letters, numbers 0-9, and non-alphanumeric characters.

Comprehensive risk assessment – the risk analysis required to be conducted by agencies every three years, in accordance with Section 282.318, F.S.

Computer user – any authorized entity that uses information technology resources (interchangeable with User).

Confidential information and/or confidential data – information not subject to inspection by the public that may be released only to those persons and entities designated in Florida statute; information designated as confidential under provisions of federal law or rule.

Confidentiality – the principle that information is accessible only to those authorized.

Continuity of Operations Plan (COOP) – the documented plan detailing how the agency will respond to incidents that could jeopardize the organization’s core mission pursuant to Section 252.365, F.S.

Critical information resources – the resources determined by agency management to be essential to the agency’s critical mission and functions, the loss of which would have severe or catastrophic adverse effect.

Cryptography – the discipline that embodies the principles and methods for the transformation of data in order to hide semantic content, prevent unauthorized use, or prevent undetected modification. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”).

Data store – a collection of information organized so it can be accessed, managed, and updated.

Degaussing – a method of bulk erasing data from magnetic media. Degaussing demagnetizes the disk such that all data stored on the disk is permanently destroyed.

Demilitarized Zone (DMZ) – physical or logical sub-network or computer host that provides an additional layer between the Internet and an organization’s internal

DEP 390

Page 52 of 59

March 13, 2012

network so that external parties only have access to devices in the DMZ rather than the internal network.

Development infrastructure – a technical environment that is used for design, development, and/or piloting of new technical capabilities or applications. The development infrastructure is separated logically or physically from the production and test infrastructures.

Directly connect [to the agency internal network] – a device that is joined to and becomes an extension of the agency’s internal network. Dial-up and Virtual Private Network (VPN) connections to the agency are considered to be directly connected.

Disaster recovery plan – see Information Technology Disaster Recovery Plan.

Encryption – the reversible process of transforming readable text into unreadable text (cipher text).

Exempt Information – information an agency is not required to disclose under Section 119.07(1), F.S., but which the agency is not necessarily prohibited from disclosing in all circumstances.

Information owner – the manager of the business unit ultimately responsible for the collection, maintenance, and dissemination of a specific collection of information.

Information security – protecting information and information technology resources from unauthorized access, use, disclosure, disruption, modification, or destruction.

Information Security Manager (ISM) – the person designated to administer the agency’s information security program in accordance with Section 282.318, F.S.

Information security program – a coherent assembly of plans, project activities, and supporting resources contained within an administrative framework, to assure adequate security for agency information and information technology resources.

Information Technology Disaster Recovery Plan (ITDRP) – information technology resources and procedures to ensure the availability of critical resources needed to support the agency mission in the event of a disaster and to return to normal operations within an accepted timeframe. The ITDRP takes into account availability requirements, recovery time frames, recovery procedures, back-up/mirroring details, systematic and regular testing and training.

DEP 390

Page 53 of 59

March 13, 2012

Information technology infrastructure – network devices, server hardware, and host operating systems, database management systems, utilities, and other assets required to deliver or support IT services.

Information technology resources – a broad term that describes a set of technology related assets. While in some cases the term includes items such as people and maintenance, as used in this rule, this term means computer hardware, software, networks, devices, connections, applications, and data.

Information technology worker – an agency user whose job duties and responsibilities specify development, maintenance, or support of information technology resources (see User; Worker; Workforce).

Integrity – the principle that assures information remains intact, correct, authentic, accurate and complete. Integrity involves preventing unauthorized and improper creation, modification, or destruction of information.

Interactive session – a work session where there is an exchange of communication between a user and a computer.

Least privilege – the principle that grants the minimum possible privileges to permit a legitimate action in order to enhance protection of data and functionality from faults and malicious behavior.

Malware – malicious software; a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Management Controls – the security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.

Media – physical devices or writing surfaces including but not limited to magnetic tapes, optical disks, magnetic disks, memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.

Mobile computing device – a portable device that can process data (e.g., laptop, personal digital assistant, certain media players and cell phones).

Mobile device – a general term describing both mobile computing and mobile storage devices.

DEP 390

Page 54 of 59

March 13, 2012

Mobile storage device – portable data storage media including external hard drives, thumb drives, floppy disks, recordable compact discs (CD-R/RW), recordable digital videodiscs (DVD-R/RW), or tape drives that may be easily attached to and detached from computing devices.

National Institute of Standards and Technology (NIST) – a non-regulatory Federal agency within the U.S. Commerce Department’s Technology Administration.

Need to know – the principle that individuals are authorized to access only specific information needed to accomplish their individual job duties.

Network – an interconnected group of information technology devices; a system that transmits any combination of voice, video and/or data between devices.

Network perimeter – the boundary of an agency’s information technology infrastructure.

Operational Controls – security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

Operational information security plan – the agency plan governing the information security program. In addition to detailing the activities, timelines and deliverables for the security objectives that, subject to current resources, the agency will implement during the current fiscal year, the plan includes a progress report for the prior fiscal year, related costs that cannot be funded from current resources, and a summary of agency compensating controls.

Owner – the manager of the business unit ultimately responsible for an information technology resource.

Patch management – the process for identifying, acquiring, testing, installing, and verifying software updates, also known as patches.

Peer to peer – a communications model that allows the direct sharing of files (audio, video, data, and software) among computers.

Personal firewall – software installed on a computer or device which helps protect that system against unauthorized incoming or outgoing network traffic.

DEP 390

Page 55 of 59

March 13, 2012

Personal information – an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements:

(a) Social Security Number.

(b) Driver’s license number or Florida Identification Card number.

(c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Note: as provided in Section 817.5681, F.S., the term personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

Privately-owned device – a device not purchased with agency funds; a device owned by a person or other non-agency entity and not configured, maintained, or tracked by the agency.

Production infrastructure – network devices, server hardware, and host operating systems that comprise an agency’s operational or real-time environment.

Public records act – refers to Chapter 119, F.S.

Remote access – any access to an agency’s internal network through a network, device, or medium that is not controlled by the agency (such as the Internet, public phone line, wireless carriers, or other external connectivity). A virtual private network client connection is an example of remote access.

Review – a formal or official examination of system records and activities that may be a separate agency prerogative or a part of a security audit.

Risk – the likelihood that a threat will occur and the potential impact of the threat.

Risk analysis – a process that systematically identifies valuable data, information, and information technology system resources and threats to those resources, quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and recommends how to allocate resources to countermeasures so as to minimize total exposure. The analysis lists risks in order of cost and criticality, thereby determining

DEP 390

Page 56 of 59

March 13, 2012

where countermeasures should be applied first. (To be used interchangeably with risk assessment.)

Risk management – the ongoing process of risk analysis and subsequent decisions and actions to accept risk or to reduce vulnerabilities by either mitigating the risks or applying cost effective controls.

Security controls – the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed to protect the confidentiality, integrity, and availability of information technology resources.

Security incident – any action or activity, whether accidental or deliberate, that compromises the confidentiality, integrity, or availability of agency data or information technology resources.

Security review – an examination of system records and activities to determine the adequacy of system controls to ensure compliance with established security policy and operational procedures, detect breaches in security, and recommend any indicated changes in any of the foregoing.

Separation of duties – the concept of having more than one person required to complete a task. This is a way to ensure that no one individual has the ability to control all critical stages of a process.

Service account – an account used by a computer process and not by a human (e.g., an account used by the backup process for file access). Normally service accounts may not log on to a system.

Session – the time during which two devices maintain a connection and are usually engaged in transferring data or information.

Smart card – a pocket-sized card with embedded circuits that can process data. Often smart cards are used as a form of authentication for single sign-on systems (also known as integrated circuit card).

Sniffing – capturing network data.

Special trust or position of trust – positions that, because of the special trust or responsibility or sensitive location of those positions, require that persons occupying those positions be subject to a security background check, including fingerprinting, as a condition of employment, pursuant to Section 110.1127, F.S.

DEP 390

Page 57 of 59

March 13, 2012

Standards – a specific set of practices or procedures to regulate how a system or organization provides services; required practices, controls, components, or configurations established by a recognized authority.

Standard configuration – the documentation of the specific rules or settings used in setting up agency hardware, software, and operating systems.

Standard hardware – an agency-approved hardware.

Standard software – agency-approved software.

State Chief Information Security Officer – the State of Florida executive responsible for the state government information security posture and direction. This position is appointed by the state Chief Information Officer and oversees the state Office of Information Security.

State Office of Information Security (OIS) – the State of Florida information security office, which guides, coordinates and assists state agencies in identifying threats to their information assets and mitigating their risks so effective security controls can be implemented. The OIS is part of the Agency for Enterprise Information Technology, pursuant to Section 282.318(3), F.S.

Strategic information security plan – the agency three-year plan that defines security goals, intermediate objectives, and projected agency costs for the strategic issues of information security policy, risk management, security training, security incident response, and survivability.

Strong cryptography – cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Secure Hash Algorithm revision 1 (SHA-1) is an example of an industry-tested and accepted hashing algorithm. Examples of industry-tested and accepted standards and algorithms for encryption include Advanced Encryption Standard (AES) 128 bits, Triple Data Encryption Standard (TDES), minimum double-length keys, Rivest, Shamir and Adleman (RSA), 1024 bits and higher, Elliptic Curve Cryptography (ECC), 160 bits and higher, and ElGamal (1024 bits and higher).

Survivability – the capability of an organization to maintain or quickly recover critical business functions after a disaster or adverse event, minimize the effect of an event, reduce financial loss, and expedite the return to normalcy.

DEP 390

Page 58 of 59

March 13, 2012

System – a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, storing, reporting, printing, dissemination, or disposition of information.

System administrator – a person in charge of managing and maintaining computer or telecommunication systems.

System hardening – the process of securing a system. Hardening typically includes ensuring proper configurations based on intended function, removing non-essential programs and utilities, disabling certain accounts, and installing patches.

System security plan – the plan for an application or information technology resource that describes the security requirements, the controls in place or planned, and roles/responsibilities of all authorized individuals who use the system. A system security plan may also contain critical data policies, backup, disaster recovery, and user policies.

Technical controls – security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Test infrastructure – a technical environment that mirrors part or the entire production environment and is used for final testing of a technology or an application prior to production implementation. The test infrastructure is separated logically or physically from the production and development infrastructure.

Track – the documented assignment of an asset to a user and/or location.

User – any authorized entity that uses information technology resources (see Worker; Workforce; Information Technology Worker).

Virtual Private Network (VPN) – a communications network tunneled through another communications network.

Warning banner – a message displayed prior to or upon connection to a resource informing the user that activities may be monitored or access is restricted.

Worker – a member of the workforce; a worker may or may not use information technology resources (see User; Workforce; Information Technology Worker).

Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the

DEP 390

Page 59 of 59

March 13, 2012

agency, whether or not they are paid by the agency (see User; Worker; Information Technology Worker). Rulemaking Authority 14.204(7), 282.318(3), 282.318(6) FS. Law Implemented s. 12, Ch. 2009-80, L.O.F. History–New 11-15-10.