Policy 7230A - Department of Administration
annual basis. This review should be structured such that one third of accounts per system are reviewed each year.

4.3. Session Management
The following are the Non-Mandatory Baselines that support the Session Management section of the Default Security Requirements:

4.3.1. Configure Systems for Secure Access
Agencies should ensure that systems are configured in such a way as to support and enhance user access and permission restrictions:

4.3.1.a System Use Notification
• System use notifications should, at a minimum, specify that:
  o Access is to a system owned by the organization.
  o Access to and actions within the system are monitored, recorded and may be audited.
  o Unauthorized access is not permitted and is a criminal offense.
  o System use implies consent to these strictures.

4.3.1.b System Lock-Out
• Session lock resulting from authentication failure should occur after five failed authentication attempts within a fifteen-minute period and should last for a minimum of 30 minutes.

4.3.1.c Session Lock and Termination
• Session lock should apply only to sessions that are initiated by end users and not to system-initiated sessions. Session lock should occur after twenty minutes of inactivity.
• Session termination should apply both to sessions that are initiated by end users and to system-initiated sessions. Session termination should occur after twenty minutes of inactivity.

4.3.2. Configure Systems for Secure Communication
Agencies should limit the potential of security threats bridging systems and of data leaking inadvertently by restricting inter-system communications:

4.3.2.a Intra and Inter-System Authentication
• Systems that have very low or low risk impact should be identified by IP address.
• Systems that have moderate risk impact should be identified by MAC and IP address.
• Systems that have high risk impact should be identified by IP and MAC address as well as either 802.1X or RADIUS authentication.
• Systems that have very high risk impact should be identified by IP and MAC address as well as both 802.1X and RADIUS authentication.

4.4. Maintain Records
Agencies should capture documentation appropriate to all access control processes:
• Document and retain copies of system interconnection authorizations.
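The lock-out baseline in 4.3.1.b (five failures within fifteen minutes, lock for at least thirty minutes) is easy to get subtly wrong: the failure count must be a sliding window, a correct password presented during the lock must still be refused, and the counter must reset on success. The following tracker is an added worked example and is not part of the policy or any State of Kansas implementation; the class and function names, the string outcomes and the sample event list are assumptions made for illustration. On Linux the same thresholds correspond to pam_faillock's deny=5 fail_interval=900 unlock_time=1800.

```python
"""Sliding-window authentication lock-out implementing baseline 4.3.1.b:
five failures within fifteen minutes lock the account for thirty minutes.
Added example; names and sample data are illustrative assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5           # failures that trigger a lock
    window_seconds: int = 15 * 60   # failures older than this no longer count
    lockout_seconds: int = 30 * 60  # minimum lock duration


class LockoutTracker:
    """Tracks failed authentications per account. Timestamps (seconds) are
    passed in explicitly so the logic is deterministic and testable."""

    def __init__(self, policy: LockoutPolicy = LockoutPolicy()):
        self.policy = policy
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it and the failure history that caused it.
        del self._locked_until[account]
        self._failures.pop(account, None)
        return False

    def _prune(self, account: str, now: float) -> deque:
        """Drop failures that fell out of the sliding window."""
        q = self._failures[account]
        cutoff = now - self.policy.window_seconds
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def attempt(self, account: str, credentials_ok: bool, now: float) -> str:
        """Process one authentication attempt; return 'LOCKED', 'OK' or 'FAIL'.
        A correct password during a lock is still refused, otherwise the lock
        would not slow a guessing attacker at all."""
        if self.is_locked(account, now):
            return "LOCKED"
        if credentials_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "OK"
        q = self._prune(account, now)
        q.append(now)
        if len(q) >= self.policy.max_failures:
            self._locked_until[account] = now + self.policy.lockout_seconds
            self._failures.pop(account, None)
            return "LOCKED"
        return "FAIL"


def replay(events, policy: LockoutPolicy = LockoutPolicy()):
    """Run (timestamp, account, credentials_ok) events through one tracker
    and return the outcome of each event in order."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(acct, ok, ts) for ts, acct, ok in events]


# Constructed sample: a burst of guesses against 'alice', the real password
# presented while locked, then a login after the lock has expired.
SAMPLE_EVENTS = [
    (0, "alice", False),
    (30, "alice", False),
    (60, "alice", False),
    (90, "alice", False),
    (120, "alice", False),   # fifth failure inside 15 min -> locked until 1920
    (600, "alice", True),    # correct password, but the lock still applies
    (1920, "alice", True),   # lock expired (120 + 1800) -> allowed
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

The lock is keyed on the account rather than the source address, so a guessing campaign spread across many sources still trips it; the flip side is that a lock-out is a denial-of-service lever against any known username, so lock events should be logged and alerted on rather than silently absorbed.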