Policy 7230A - Department of Administration
Collaborative computing infrastructure, such as video and teleconferencing
systems, will be configured so that they prohibit remote activation. Further, when
these systems are in an active state (capable of receiving or transmitting
information) they must provide explicit indication of that active state to local
users. Examples of explicit indication include audible tones or visible “on” lights.
D. Change Control
Any changes to an information system must be authorized, documented and
performed in a controlled manner. They may only be made by appropriate
administrative personnel that have approved access privileges.
Configuration change control involves the systematic proposal, justification,
implementation, test/evaluation, review, and disposition of changes to
information systems, including upgrades and modifications.
All proposed information system changes will be assessed for their potential
security impact prior to being made. If the security impact increases the risk that
must be accepted by the State, the changes must be revised or alternate security
mitigation controls put in place prior to the change being made. After the change
has been made the information system that was changed will be actively
monitored for a pre-defined period of time to ensure that security has not been
compromised.
5.2 Systems Protection
The State of Kansas requires that all information systems and all components of
information systems, whether they be for the exclusive internal use of the State of
Kansas or be publicly available, be protected by dedicated protection mechanisms.
These requirements are equally applicable to information systems owned by the State
of Kansas as well as those owned by third parties through which services are provided
to the State of Kansas.
Dedicated protection mechanisms allow information systems to be provided a greater
level of security than can be achieved through configuration control alone by
delivering enhanced security capabilities. Without dedicated protection mechanisms
the potential exists that security vulnerabilities that cannot be mitigated by the
capabilities inherent in the State’s information systems will be exploited leading to
compromise of information system confidentiality, integrity and availability.
A. Gateway/Boundary Protection Systems
As limited a number of network access points as possible will be used to connect
to external networks such as the Internet. Each of these network access points will
be protected by boundary protection systems (generally a firewall) that monitor
and control communications. These systems will be configured to deny
communications by rule and allow by exception, to prevent public access to
internal networks and to place controls on publicly accessible systems.