Policy 7230A - Department of Administration

More documents

Recommendations

Info

11.2.1.b Risk Categorizations by Role • Very High risk roles constitute those that access at least one very high risk system or access mostly (greater than 50% of systems accessed) high risk systems. • High risk roles constitute those that access at least one high risk system or access mostly (greater than 50% of systems accessed) medium risk systems. • Medium risk roles constitute those that access at least one medium risk system or access mostly (greater than 50% of systems accessed) low risk systems. • Low risk roles constitute those that access at least one low risk system. • Very Low risk roles constitute those that access only very low risk systems. 11.2.1.c Screening Criteria by Categorization • For very low and low risk roles, the screening process should review applicant submitted documentation and verify accuracy: o Verify employment position and term with listed employers. o Verify education with listed educational facilities. o Verify listed certifications with certifying organizations. • For medium risk roles, the screening process should include the tasks outlined above plus contacting at least one listed reference. o Discuss applicant’s strengths and weaknesses. o Discuss applicant’s responses to pressure situations. • For high risk roles, the screening process should include the tasks as outlined above plus contacting one previous supervisor/manager: o Discuss applicant’s strengths and weaknesses. o Discuss applicant’s responses to pressure situations. • For very high risk roles, the screening process should include the tasks as outlined above plus a criminal background check: o Pay particular attention to activities that are indicative of questionable character or poor response to stressful situations. 34
11.2.2. Hire Employees in a Structured Fashion Upon initial hire, employee identity should be verified and accounts created with appropriate access rights and permissions: 11.2.2.a Account and Permissions Provisioning and Review • Account permission provisioning should be performed by one dedicated set of administrators. • Account and permission review should be performed by a second set of dedicated administrators. 11.2.3. Transfer Employees in a Structured Fashion Employees that change positions within the agency should be screened according to their new position and have system account access and permissions reviewed: 11.2.3.a Account and Permissions Revocation and Review • Review access to revoked accounts should be provided for no more than thirty days. • Data transfer orders should be provided in writing and should specify: o The data to be transferred. o The location to be transferred from. o The location to be transferred to. o The reason for the data transfer. • Permanent deletion orders should be provided in writing. 11.2.3.b Account and Permissions Provisioning and Review See section 11.2.2.a of these Non-Mandatory Baselines. 11.2.4. Terminate Employees in a Structured Fashion Employee termination should include the recovery of all issued materials and the closing of all established accounts: 11.2.4.a Account and Permissions Revocation and Review See section 11.2.3.a of these Non-Mandatory Baselines. 11.3. Maintain Records Agencies should capture documentation appropriate to personnel security processes: • Maintain copies of all submission and screening documents for applicants that are hired for future reference. • Maintain copies of all completed access agreements. • Maintain copies of all provisioned system access accounts and associated permission. • Maintain records of all issued agency owned materials. • Maintain copies of all exit interview documents. 35
Page 1 and 2:
State of Kansas Kansas Information
Page 3 and 4:
Table of Contents Introduction ....
Page 5 and 6:
Introduction This Security Requirem
Page 7 and 8:
• It will ensure that privileged
Page 9 and 10:
G. Security Administrators Security
Page 11 and 12:
2 Assessment & Security Planning Se
Page 13 and 14:
3 Awareness & Training Section 3.1
Page 15 and 16:
4 Access Control Sections 4.1, 4.2,
Page 17 and 18:
potential exists that legitimate us
Page 19 and 20:
5 Systems Configuration Sections 5.
Page 21 and 22:
Collaborative computing infrastruct
Page 23 and 24:
Where data requires encryption, tha
Page 25 and 26:
6 Systems Operation Sections 6.1, 6
Page 27 and 28:
Only pre-approved maintenance tools
Page 29 and 30:
ecorded logs. In the event of other
Page 31 and 32:
event that an incident occurs, the
Page 33 and 34:
9.2 Contingency Infrastructure The
Page 35 and 36:
10 Physical Security Sections 10.1
Page 37 and 38:
automatically shall notify appropri
Page 39 and 40:
copy of the signed document will be
Page 41 and 42:
12 Secure Purchasing/Acquisition Se
Page 43 and 44:
CA-1 Certification, Accreditation,
Page 45 and 46:
PE-18 Location of Information Syste
Page 47 and 48:
Appendix B - Matrix of Responsibili
Page 49 and 50:
Part 2 - Non-IT Roles (See Page 3 f
Page 51 and 52:
Appendix C - Supporting Document Cr
Page 53 and 54:
Mandatory Non-Mandatory Procedures
Page 55 and 56:
Integrity The second of the three g
Page 57 and 58:
State of Kansas Mandatory Procedure
Page 59 and 60:
6.2. Integrity Operations .........
Page 61 and 62:
2. Assessment & Security Planning T
Page 63 and 64:
2.2. Create a Security Plan No appl
Page 65 and 66:
3.1.1.2 Create Training Materials O
Page 67 and 68:
Operations Training is defined as t
Page 69 and 70:
access individual system authentica
Page 71 and 72:
5. Systems Configuration These Syst
Page 73 and 74:
5.3.1.3 Restrict Access to Media No
Page 75 and 76:
• When no longer required, data s
Page 77 and 78:
8. Incident Response These Incident
Page 79 and 80:
Capture documentation appropriate t
Page 81 and 82:
Different types of disruptions requ
Page 83 and 84:
9.3.2.1 Perform System Backup Back
Page 85 and 86:
11. Personnel Security These Person
Page 87 and 88:
12. Secure Purchasing/Acquisition N
Page 89 and 90:
Table of Contents Introduction ....
Page 91 and 92:
Introduction This Mandatory Baselin
Page 93 and 94:
2.1.2.c Information Protection •
Page 95 and 96:
o Appropriate physical security mea
Page 97 and 98:
4. Access Control These Assessment
Page 99 and 100:
5. Systems Configuration These Syst
Page 101 and 102:
5.3.1.c Media Disposal Methods •
Page 103 and 104:
6.4. Maintain Records Agencies must
Page 105 and 106:
Page 107 and 108:
9.1.1.c Contingency Plan Update Fre
Page 109 and 110:
Mandatory Baselines • Systems man
Page 111 and 112:
10. Physical Security No applicable
Page 113 and 114:
• Data is to be used for its inte
Page 115 and 116:
State of Kansas Non-Mandatory Proce
Page 117 and 118:
6.3. Maintenance Operations .......
Page 119 and 120:
Introduction This Non-Mandatory Pro
Page 121 and 122:
2.1.1.4 Likelihood Determination Es
Page 123 and 124:
2.2.1.5 Establish Appropriate Secur
Page 125 and 126:
4. Access Control These Assessment
Page 127 and 128:
4.3. Session Management The followi
Page 129 and 130:
4.3.2.2 Restrict Intra and Inter-Sy
Page 131 and 132:
5.1.1.3 Actively Maintain Inventory
Page 133 and 134:
5.1.3.3 Provide Implementation Docu
Page 135 and 136:
• Place all media in a locked con
Page 137 and 138:
6. Systems Operation These Systems
Page 139 and 140:
6.2. Integrity Operations The follo
Page 141 and 142:
6.3.2. Perform Patch and Vulnerabil
Page 143 and 144:
6.4. Maintain Records Agencies shou
Page 145 and 146:
7.1.1.3 Require Authenticated Acces
Page 147 and 148:
Page 149 and 150: 8.1.2.2 Develop Supporting Strategi
Page 151 and 152: 9. Contingency Planning No applicab
Page 153 and 154: 10.1.1.2 Implement Physical Access
Page 155 and 156: 11. Personnel Security These Person
Page 157 and 158: • Review created accounts and ass
Page 159 and 160: 11.2.4.3 Recover all Organizational
Page 161 and 162: 12.1.1.3 Required Test and Validati
Page 163 and 164: State of Kansas Non-Mandatory Basel
Page 165 and 166: 6.2. Integrity Operations .........
Page 167 and 168: Introduction This Non-Mandatory Bas
Page 169 and 170: • High risk constitutes high like
Page 171 and 172: 2.3. Maintain Records Agencies shou
Page 173 and 174: 4. Access Control These Assessment
Page 175 and 176: • Systems that have very high ris
Page 177 and 178: 5.1.1.c System and Component Docume
Page 179 and 180: 5.2. Systems Protection No applicab
Page 181 and 182: o Passwords in the clear. o Violati
Page 183 and 184: o Penetration testing. o Password c
Page 185 and 186: o The individuals to be notified. o
Page 187 and 188: 7. Systems Audit These Systems Audi
Page 189 and 190: eviewed weekly and every system and
Page 191 and 192: 8.1.1.b IR Roles • IR Team Manage
Page 193 and 194: 8.1.2.e IR Plan Update Scheduling a
Page 195 and 196: 10. Physical Security These Physica
Page 197 and 198: 10.2.1.b Power Delivery Specificati
Page 199: 11. Personnel Security These Person
show all

Policy 7230A - Department of Administration

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?