Policy 7230A - Department of Administration
• Adjust baseline impacts according to organization-specific requirements.

5.1.2.4 Assign Security Categorization to Each Information Type
Complete information categorization by aggregating the security impact level for each information type across all three factors according to the highest impact level assigned:

5.1.2.5 Assign Aggregate Security Categorization to Each Information System
Finalize the categorization process by assigning a security categorization to each information system according to the security categorization of the information stored or processed by the system:
• For systems that house only a single type of information, assign a security categorization equivalent to that assigned to the information type.
• For information systems that house multiple types of information, assign a security categorization equivalent to the highest assigned to any of the information types.

5.1.3. Follow Process for Change Control
To ensure that the security engineered into systems and system components is maintained over the long term, Agencies should perform changes to those systems and components in a controlled manner:

5.1.3.1 Initiate Changes via Formal Request
To properly control changes, requests must be made formally to allow for thorough review as well as the updating of both systems and documentation:
• Ensure that appropriate documentation is assembled prior to request initiation, including release notes, installation guides and any documented test results.
• Submit a change request indicating the nature of the change and the appropriate consent.

5.1.3.2 Perform Impact Analysis on Change
Prior to completing implementation plans, risks associated with the change must be assessed and any inappropriate risks must then be mitigated:
• Establish the existence of any dependencies that may have an impact on or be impacted by the change.
• Identify and mitigate risks associated with the change.
5.1.3.3 Provide Implementation Documentation
To ensure that changes are executed in a controlled manner, formal documentation that outlines roles, responsibilities and required tasks must be created and vetted by all stakeholders (see section 6.3.1 of these Non-Mandatory Procedures).

5.1.3.4 Execute Controlled Test of the Change
Where appropriate test and development facilities exist, the change should be executed in this environment to validate the plan and identify any gaps:
• Configure the test environment to mimic the to-be-changed production environment as closely as possible, including upstream and downstream dependent systems.
• Execute the implementation in the controlled environment, noting any deficiencies in the set plan.
• Update the plan as required to reflect lessons learned from the test implementation.

5.1.3.5 Implement the Change per the Plan
Execute the change according to the outlined and vetted plan:
• Implement tasks and communications as outlined in the plan.
• Escalate where implementation errors or plan deficiencies are noted.
• Upon completion of the change, update the Systems Inventory (see section 5.1.1 of these Non-Mandatory Procedures).

5.1.3.6 Perform Post-Implementation Validation and Review
Once the change is finished, all systems impacted must be verified as appropriately functional and a post-implementation review completed:
• Validate that the implementation has achieved the required change and has not yielded any unexpected results.
• Perform a post-implementation review to identify any lessons learned and to debrief staff on any deficiencies in the plan that had to be addressed during the implementation.

5.2. Systems Protection
No applicable Non-Mandatory Procedures.