Policy 7230A - Department of Administration
Policy 7230A - Department of Administration Policy 7230A - Department of Administration
2.2.1.b System Responsibility Individuals • For all system responsible individuals, capture the following information: o Name. o Title and employing Agency/Department o Contact information. 2.2.1.c System Security Configuration • High impact systems should be afforded the highest level of system protection: o Systems should be patched and maintained on an at least weekly basis, or as often as the release of patches allows. o System logs should be reviewed on an at least daily basis. o Systems should be protected with anti-malware, data encryption and enhanced authentication solutions. o Systems should be placed on dedicated network segments that are provided with access controls, firewall protection and intrusion detection and prevention capabilities. • Medium impact system should be afforded a moderate level of system protection: o Systems should be patched and maintained on an at least monthly basis, or as often as the release of patches allows. o System logs should be reviewed on an at least weekly basis. o Systems should be protected with anti-malware and data encryption solutions. o Systems should be placed on networks that are provided with perimeter firewall protection and intrusion detection and prevention capabilities. • Low impact systems should be afforded a minimal level of system protection: o Systems should be patched and maintained on an at least quarterly basis, or as often as the release of patches allows. o System logs should be reviewed on an at least monthly basis. o Systems should be protected by anti-malware solutions. o Systems should be placed on networks that are provided perimeter firewall protection. 4
2.3. Maintain Records Agencies should capture documentation appropriate to all assessment and planning processes: • Document and retain copies of the outcome of all Risk Assessments. • Document and retain copies of all Security Plans. 5
- Page 119 and 120: Introduction This Non-Mandatory Pro
- Page 121 and 122: 2.1.1.4 Likelihood Determination Es
- Page 123 and 124: 2.2.1.5 Establish Appropriate Secur
- Page 125 and 126: 4. Access Control These Assessment
- Page 127 and 128: 4.3. Session Management The followi
- Page 129 and 130: 4.3.2.2 Restrict Intra and Inter-Sy
- Page 131 and 132: 5.1.1.3 Actively Maintain Inventory
- Page 133 and 134: 5.1.3.3 Provide Implementation Docu
- Page 135 and 136: • Place all media in a locked con
- Page 137 and 138: 6. Systems Operation These Systems
- Page 139 and 140: 6.2. Integrity Operations The follo
- Page 141 and 142: 6.3.2. Perform Patch and Vulnerabil
- Page 143 and 144: 6.4. Maintain Records Agencies shou
- Page 145 and 146: 7.1.1.3 Require Authenticated Acces
- Page 147 and 148: 8. Incident Response These Incident
- Page 149 and 150: 8.1.2.2 Develop Supporting Strategi
- Page 151 and 152: 9. Contingency Planning No applicab
- Page 153 and 154: 10.1.1.2 Implement Physical Access
- Page 155 and 156: 11. Personnel Security These Person
- Page 157 and 158: • Review created accounts and ass
- Page 159 and 160: 11.2.4.3 Recover all Organizational
- Page 161 and 162: 12.1.1.3 Required Test and Validati
- Page 163 and 164: State of Kansas Non-Mandatory Basel
- Page 165 and 166: 6.2. Integrity Operations .........
- Page 167 and 168: Introduction This Non-Mandatory Bas
- Page 169: • High risk constitutes high like
- Page 173 and 174: 4. Access Control These Assessment
- Page 175 and 176: • Systems that have very high ris
- Page 177 and 178: 5.1.1.c System and Component Docume
- Page 179 and 180: 5.2. Systems Protection No applicab
- Page 181 and 182: o Passwords in the clear. o Violati
- Page 183 and 184: o Penetration testing. o Password c
- Page 185 and 186: o The individuals to be notified. o
- Page 187 and 188: 7. Systems Audit These Systems Audi
- Page 189 and 190: eviewed weekly and every system and
- Page 191 and 192: 8.1.1.b IR Roles • IR Team Manage
- Page 193 and 194: 8.1.2.e IR Plan Update Scheduling a
- Page 195 and 196: 10. Physical Security These Physica
- Page 197 and 198: 10.2.1.b Power Delivery Specificati
- Page 199 and 200: 11. Personnel Security These Person
- Page 201 and 202: 11.2.2. Hire Employees in a Structu
2.2.1.b System Responsibility Individuals<br />
• For all system responsible individuals, capture the following<br />
information:<br />
o Name.<br />
o Title and employing Agency/<strong>Department</strong><br />
o Contact information.<br />
2.2.1.c System Security Configuration<br />
• High impact systems should be afforded the highest level <strong>of</strong><br />
system protection:<br />
o Systems should be patched and maintained on an at<br />
least weekly basis, or as <strong>of</strong>ten as the release <strong>of</strong> patches<br />
allows.<br />
o System logs should be reviewed on an at least daily<br />
basis.<br />
o Systems should be protected with anti-malware, data<br />
encryption and enhanced authentication solutions.<br />
o Systems should be placed on dedicated network<br />
segments that are provided with access controls,<br />
firewall protection and intrusion detection and<br />
prevention capabilities.<br />
• Medium impact system should be afforded a moderate level<br />
<strong>of</strong> system protection:<br />
o Systems should be patched and maintained on an at<br />
least monthly basis, or as <strong>of</strong>ten as the release <strong>of</strong><br />
patches allows.<br />
o System logs should be reviewed on an at least weekly<br />
basis.<br />
o Systems should be protected with anti-malware and<br />
data encryption solutions.<br />
o Systems should be placed on networks that are<br />
provided with perimeter firewall protection and<br />
intrusion detection and prevention capabilities.<br />
• Low impact systems should be afforded a minimal level <strong>of</strong><br />
system protection:<br />
o Systems should be patched and maintained on an at<br />
least quarterly basis, or as <strong>of</strong>ten as the release <strong>of</strong><br />
patches allows.<br />
o System logs should be reviewed on an at least monthly<br />
basis.<br />
o Systems should be protected by anti-malware<br />
solutions.<br />
o Systems should be placed on networks that are<br />
provided perimeter firewall protection.<br />
4