Policy 7230A - Department of Administration
Policy 7230A - Department of Administration
Policy 7230A - Department of Administration
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Where data requires encryption, that encryption must be performed using a solution<br />
that meets established data standards. Further, where public key certificates are used<br />
they shall be issued by an internal certificate authority that has been cross-certified<br />
with an approved third party provider or be acquired directly from an approved third<br />
party provider.<br />
A. Data Classification<br />
To facilitate the application <strong>of</strong> appropriate data protection, all data<br />
owners/custodians responsible for State <strong>of</strong> Kansas data are required to classify<br />
that data in a hierarchical system such that data that is <strong>of</strong> greater value or<br />
sensitivity can be afforded a higher level <strong>of</strong> protection than data that is <strong>of</strong> lesser<br />
value or sensitivity.<br />
B. Protection <strong>of</strong> Data in Use<br />
Only personnel that have previously been authorized are allowed to enter<br />
information into an information system. Inputs will be restricted according to<br />
granted permissions, though these restrictions may be lifted on a temporary basis<br />
based on pre-defined project responsibilities. In such circumstances, additional<br />
authorization is required and must be granted before restrictions are lifted.<br />
Where possible, information systems will check entered information for accuracy,<br />
completeness, validity and authenticity. These checks will be performed as close to<br />
the point <strong>of</strong> information entry as possible and will attempt to ensure that data<br />
corruption does not occur or that entered information cannot be interpreted as<br />
system commands by the information system.<br />
C. Protection <strong>of</strong> Data in Storage<br />
Information systems will be configured such that they prevent unauthorized and<br />
unintended information transfer via shared system resources. Information <strong>of</strong> the<br />
highest data classification (section 5.3.1) that has been used by the system will be<br />
positively removed from all systems resources (such as memory, temp and swap<br />
drives, etc) once the use <strong>of</strong> that information is completed.<br />
Where information is transferred to media that media shall be stored securely<br />
within a controlled area and access to that controlled area shall be physically<br />
restricted to authorized personnel. Further, the mechanisms that enforce those<br />
access restrictions shall collect access information and shall include the ability to<br />
audit access attempts.<br />
D. Protection <strong>of</strong> Data in Transit<br />
Information systems will protect the integrity and confidentiality <strong>of</strong> transmitted<br />
information using some form <strong>of</strong> session authentication and, where necessary (i.e.<br />
in the case <strong>of</strong> Personally Identifiable Information), encryption.<br />
When content from the information system is output to some form <strong>of</strong> media that<br />
content and media must be handled, and stored in a secure manner.<br />
19