Policy 7230A - Department of Administration

10.10.2014 Views
Table of Contents Introduction ................................................................................................. 1 2. Assessment & Security Planning ............................................................. 2 2.1. Risk and Privacy Assessment ...................................................................... 2 2.1.1. Perform Risk Assessment ......................................................................... 2 2.1.2. Perform Privacy Assessment.................................................................... 3 2.2. Security Planning ........................................................................................ 3 2.2.1. Create a Security Plan .............................................................................. 3 2.3. Maintain Records ....................................................................................... 5 3. Awareness & Training ............................................................................. 6 4. Access Control ........................................................................................ 7 4.1. Identification and Authentication .............................................................. 7 4.2. Account Management ................................................................................ 7 4.2.1. Configure User Accounts ......................................................................... 7 4.3. Session Management ................................................................................. 9 4.3.1. Configure Systems for Secure Access ...................................................... 9 4.3.2. Configure Systems for Secure Communication ..................................... 10 4.4. Maintain Records ..................................................................................... 11 5. Systems Configuration .......................................................................... 12 5.1. Configuration Management ..................................................................... 12 5.1.1. Build and Maintain a Systems Inventory ............................................... 12 5.1.2. Perform Systems and Data Classification .............................................. 13 5.1.3. Follow Process for Change Control ........................................................ 14 5.2. Systems Protection .................................................................................. 15 5.3. Data/Media Protection ............................................................................ 16 5.3.1. Securely Handle Data and Media........................................................... 16 5.4. Application Protection ............................................................................. 17 5.4.1. Apply Security Principles to Code Development ................................... 17 5.5. Maintain Records ..................................................................................... 18 6. Systems Operation ................................................................................ 19 6.1. Assessment Operations ............................................................................ 19 6.1.1. Perform Security Assessments .............................................................. 19 6.1.2. Perform Security Self Assessment ......................................................... 20 6.2. Integrity Operations ................................................................................. 21 6.2.1. Monitor System Security Controls ......................................................... 21

6.3. Maintenance Operations ......................................................................... 22 6.3.1. Plan for, and Provide Notification of, Security Operations ................... 22 6.3.2. Perform Patch and Vulnerability Management ..................................... 23 6.3.3. Securely Maintain Systems .................................................................... 24 6.4. Maintain Records ..................................................................................... 25 7. Systems Audit ....................................................................................... 26 7.1. Systems Audit ........................................................................................... 26 7.1.1. Configure Auditing Capabilities ............................................................. 26 7.1.2. Test Auditing Capabilities ...................................................................... 27 7.1.3. Operate Auditing Capabilities ....................................................... 27 7.2. Maintain Records ..................................................................................... 28 8. Incident Response ................................................................................. 29 8.1. Incident Response .................................................................................... 29 8.1.1. Build a Team and Provide Training ........................................................ 29 8.1.2. Build an Incident Response Capability ................................................... 30 8.1.3. Test the Plan .......................................................................................... 31 8.1.4. Operate the Plan .................................................................................... 32 8.2. Maintain Records ..................................................................................... 32 9. Contingency Planning ........................................................................... 33 10. Physical Security ................................................................................... 34 10.1. Physical Access Control ............................................................................ 34 10.1.1. Control Physical Access .......................................................................... 34 10.2. Physical Environmental Control ............................................................... 35 10.2.1. Provide Environmental Controls ............................................................ 35 10.3. Maintain Records ..................................................................................... 36 11. Personnel Security ................................................................................ 37 11.1. Acceptable Usage ..................................................................................... 37 11.2. Personnel Operations............................................................................... 37 11.2.1. Establish Pre-Hiring Processes ............................................................... 37 11.2.2. Hire Employees in a Structured Fashion ................................................ 38 11.2.3. Transfer Employees in a Structured Fashion ......................................... 39 11.2.4. Terminate Employees in a Structured Fashion ...................................... 40 11.3. Maintain Records ..................................................................................... 41 12. Secure Purchasing/Acquisition .............................................................. 42 12.1. Secure Purchasing .................................................................................... 42

Page 1 and 2: State of Kansas Kansas Information

Page 3 and 4: Table of Contents Introduction ....

Page 5 and 6: Introduction This Security Requirem

Page 7 and 8: • It will ensure that privileged

Page 9 and 10: G. Security Administrators Security

Page 11 and 12: 2 Assessment & Security Planning Se

Page 13 and 14: 3 Awareness & Training Section 3.1

Page 15 and 16: 4 Access Control Sections 4.1, 4.2,

Page 17 and 18: potential exists that legitimate us

Page 19 and 20: 5 Systems Configuration Sections 5.

Page 21 and 22: Collaborative computing infrastruct

Page 23 and 24: Where data requires encryption, tha

Page 25 and 26: 6 Systems Operation Sections 6.1, 6

Page 27 and 28: Only pre-approved maintenance tools

Page 29 and 30: ecorded logs. In the event of other

Page 31 and 32: event that an incident occurs, the

Page 33 and 34: 9.2 Contingency Infrastructure The

Page 35 and 36: 10 Physical Security Sections 10.1

Page 37 and 38: automatically shall notify appropri

Page 39 and 40: copy of the signed document will be

Page 41 and 42: 12 Secure Purchasing/Acquisition Se

Page 43 and 44: CA-1 Certification, Accreditation,

Page 45 and 46: PE-18 Location of Information Syste

Page 47 and 48: Appendix B - Matrix of Responsibili

Page 49 and 50: Part 2 - Non-IT Roles (See Page 3 f

Page 51 and 52: Appendix C - Supporting Document Cr

Page 53 and 54: Mandatory Non-Mandatory Procedures

Page 55 and 56: Integrity The second of the three g

Page 57 and 58: State of Kansas Mandatory Procedure

Page 59 and 60: 6.2. Integrity Operations .........

Page 61 and 62: 2. Assessment & Security Planning T

Page 63 and 64: 2.2. Create a Security Plan No appl

Page 65 and 66: 3.1.1.2 Create Training Materials O

Page 67 and 68: Operations Training is defined as t

Page 69 and 70: access individual system authentica

Page 71 and 72: 5. Systems Configuration These Syst

Page 73 and 74: 5.3.1.3 Restrict Access to Media No

Page 75 and 76: • When no longer required, data s

Page 77 and 78: 8. Incident Response These Incident

Page 79 and 80: Capture documentation appropriate t

Page 81 and 82: Different types of disruptions requ

Page 83 and 84: 9.3.2.1 Perform System Backup Back

Page 85 and 86: 11. Personnel Security These Person

Page 87 and 88: 12. Secure Purchasing/Acquisition N

Page 89 and 90: Table of Contents Introduction ....

Page 91 and 92: Introduction This Mandatory Baselin

Page 93 and 94: 2.1.2.c Information Protection •

Page 95 and 96: o Appropriate physical security mea

Page 97 and 98: 4. Access Control These Assessment

Page 99 and 100: 5. Systems Configuration These Syst

Page 101 and 102: 5.3.1.c Media Disposal Methods •

Page 103 and 104: 6.4. Maintain Records Agencies must


Page 107 and 108: 9.1.1.c Contingency Plan Update Fre

Page 109 and 110: Mandatory Baselines • Systems man

Page 111 and 112: 10. Physical Security No applicable

Page 113 and 114: • Data is to be used for its inte

Page 115: State of Kansas Non-Mandatory Proce

Page 119 and 120: Introduction This Non-Mandatory Pro

Page 121 and 122: 2.1.1.4 Likelihood Determination Es

Page 123 and 124: 2.2.1.5 Establish Appropriate Secur


Page 127 and 128: 4.3. Session Management The followi

Page 129 and 130: 4.3.2.2 Restrict Intra and Inter-Sy

Page 131 and 132: 5.1.1.3 Actively Maintain Inventory

Page 133 and 134: 5.1.3.3 Provide Implementation Docu

Page 135 and 136: • Place all media in a locked con

Page 137 and 138: 6. Systems Operation These Systems

Page 139 and 140: 6.2. Integrity Operations The follo

Page 141 and 142: 6.3.2. Perform Patch and Vulnerabil

Page 143 and 144: 6.4. Maintain Records Agencies shou

Page 145 and 146: 7.1.1.3 Require Authenticated Acces


Page 149 and 150: 8.1.2.2 Develop Supporting Strategi

Page 151 and 152: 9. Contingency Planning No applicab

Page 153 and 154: 10.1.1.2 Implement Physical Access


Page 157 and 158: • Review created accounts and ass

Page 159 and 160: 11.2.4.3 Recover all Organizational

Page 161 and 162: 12.1.1.3 Required Test and Validati

Page 163 and 164: State of Kansas Non-Mandatory Basel

Page 165 and 166: 6.2. Integrity Operations .........

Page 167 and 168: Introduction This Non-Mandatory Bas

Page 169 and 170: • High risk constitutes high like

Page 171 and 172: 2.3. Maintain Records Agencies shou


Page 175 and 176: • Systems that have very high ris

Page 177 and 178: 5.1.1.c System and Component Docume

Page 179 and 180: 5.2. Systems Protection No applicab

Page 181 and 182: o Passwords in the clear. o Violati

Page 183 and 184: o Penetration testing. o Password c

Page 185 and 186: o The individuals to be notified. o

Page 187 and 188: 7. Systems Audit These Systems Audi

Page 189 and 190: eviewed weekly and every system and

Page 191 and 192: 8.1.1.b IR Roles • IR Team Manage

Page 193 and 194: 8.1.2.e IR Plan Update Scheduling a

Page 195 and 196: 10. Physical Security These Physica

Page 197 and 198: 10.2.1.b Power Delivery Specificati


Page 201 and 202: 11.2.2. Hire Employees in a Structu

procedures

baselines

operations

mandatory

assessment

kansas

ensure

contingency

requirements

controls

administration

www.da.ks.gov

Policy 7230A - Department of Administration

Policy 7230A - Department of Administration ... View more Policy 7230A - Department of Administration

Delete template?

Save as template ?

Policy 7230A - Department of Administration Policy 7230A - Department of Administration