Policy 7230A - Department of Administration

More documents

Recommendations

Info

Appendix A – NIST SP 800-53 Rev. A Index AC-1 Access Control Policy and Procedures 4.0 AC-2 Account Management 4.2 AC-3 Access Enforcement 4.1 AC-4 Information Flow Enforcement 4.3 AC-5 Separation of Duties 4.2 AC-6 Least Privilege 4.2 AC-7 Unsuccessful Login Attempts 4.2 AC-8 System Use Notification 4.3 AC-11 Session Lock 4.3 AC-12 Session Termination 4.3 AC-13 Supervision and Review – Access Control 4.2 AC-14 Permitted Actions without Identification or Authentication 4.1 AC-17 Remote Access 4.3 AC-18 Wireless Access Restrictions 5.1 AC-19 Access Control for Portable and Media Devices 5.1 AC-20 Use of External Information Systems 4.3 AT-1 Security Awareness and Training Policy and Procedures 3.0 AT-2 Security Awareness 3.1 AT-3 Security Training 3.2 AT-4 Security Training Records 3.1 3.2 AU-1 Audit and Accountability Policy and Procedures 7.0 AU-2 Auditable Events 7.1 AU-3 Content of Audit Records 7.1 AU-4 Audit Storage Capacity 7.1 AU-5 Response to Audit Processing Failures 7.1 AU-6 Audit Monitoring, Analysis and Reporting 7.1 AU-7 Audit Reduction and Report Generation 7.1 AU-8 Time Stamps 7.1 AU-9 Protection of Audit Information 7.1 AU-11 Audit Record Retention 7.1 38
CA-1 Certification, Accreditation, and Security Assessment Policies 6.0 and Procedures CA-2 Security Assessments 6.1 CA-3 Information System Connections 4.3 CA-4 Security Certification 6.1 CA-5 Plan of Action and Milestones 2.2 6.1 CA-7 Continuous Monitoring 6.2 CM-1 Configuration Management Policies and Procedures 5.0 CM-2 Baseline Configuration 5.1 CM-3 Configuration Change Control 5.1 CM-4 Monitoring Configuration Changes 5.1 CM-5 Access Restrictions for Change 5.1 CM-6 Configuration Settings 5.1 5.1 5.1 CM-7 Least Functionality 5.1 CM-8 Information System Component Inventory 5.1 CP-1 Contingency Planning Policy and Procedures 9.0 CP-2 Contingency Plan 9.1 CP-3 Contingency Training 9.3 CP-4 Contingency Plan Testing and Exercises 9.3 CP-5 Contingency Plan Update 9.1 CP-6 Alternate Storage Site 9.2 CP-7 Alternate Processing Site 9.2 CP-8 Telecommunications Services 9.2 CP-9 Information System Backup 9.3 CP-10 Information System Recovery and Reconstitution 9.3 IA-1 Identification and Authentication Policy and Procedures 4.0 IA-2 User Identification and Authentication 4.1 IA-3 Device Identification and Authentication 4.3 IA-4 Identifier Management 4.1 IA-5 Authenticator Management 4.1 IA-6 Authenticator Feedback 4.1 IA-7 Cryptographic Module Authentication 4.1 39
Page 1 and 2: State of Kansas Kansas Information
Page 3 and 4: Table of Contents Introduction ....
Page 5 and 6: Introduction This Security Requirem
Page 7 and 8: • It will ensure that privileged
Page 9 and 10: G. Security Administrators Security
Page 11 and 12: 2 Assessment & Security Planning Se
Page 13 and 14: 3 Awareness & Training Section 3.1
Page 15 and 16: 4 Access Control Sections 4.1, 4.2,
Page 17 and 18: potential exists that legitimate us
Page 19 and 20: 5 Systems Configuration Sections 5.
Page 21 and 22: Collaborative computing infrastruct
Page 23 and 24: Where data requires encryption, tha
Page 25 and 26: 6 Systems Operation Sections 6.1, 6
Page 27 and 28: Only pre-approved maintenance tools
Page 29 and 30: ecorded logs. In the event of other
Page 31 and 32: event that an incident occurs, the
Page 33 and 34: 9.2 Contingency Infrastructure The
Page 35 and 36: 10 Physical Security Sections 10.1
Page 37 and 38: automatically shall notify appropri
Page 39 and 40: copy of the signed document will be
Page 41: 12 Secure Purchasing/Acquisition Se
Page 45 and 46: PE-18 Location of Information Syste
Page 47 and 48: Appendix B - Matrix of Responsibili
Page 49 and 50: Part 2 - Non-IT Roles (See Page 3 f
Page 51 and 52: Appendix C - Supporting Document Cr
Page 53 and 54: Mandatory Non-Mandatory Procedures
Page 55 and 56: Integrity The second of the three g
Page 57 and 58: State of Kansas Mandatory Procedure
Page 59 and 60: 6.2. Integrity Operations .........
Page 61 and 62: 2. Assessment & Security Planning T
Page 63 and 64: 2.2. Create a Security Plan No appl
Page 65 and 66: 3.1.1.2 Create Training Materials O
Page 67 and 68: Operations Training is defined as t
Page 69 and 70: access individual system authentica
Page 71 and 72: 5. Systems Configuration These Syst
Page 73 and 74: 5.3.1.3 Restrict Access to Media No
Page 75 and 76: • When no longer required, data s
Page 77 and 78: 8. Incident Response These Incident
Page 79 and 80: Capture documentation appropriate t
Page 81 and 82: Different types of disruptions requ
Page 83 and 84: 9.3.2.1 Perform System Backup Back
Page 85 and 86: 11. Personnel Security These Person
Page 87 and 88: 12. Secure Purchasing/Acquisition N
Page 89 and 90: Table of Contents Introduction ....
Page 91 and 92: Introduction This Mandatory Baselin
Page 93 and 94:
2.1.2.c Information Protection •
Page 95 and 96:
o Appropriate physical security mea
Page 97 and 98:
4. Access Control These Assessment
Page 99 and 100:
5. Systems Configuration These Syst
Page 101 and 102:
5.3.1.c Media Disposal Methods •
Page 103 and 104:
6.4. Maintain Records Agencies must
Page 105 and 106:
8. Incident Response These Incident
Page 107 and 108:
9.1.1.c Contingency Plan Update Fre
Page 109 and 110:
Mandatory Baselines • Systems man
Page 111 and 112:
10. Physical Security No applicable
Page 113 and 114:
• Data is to be used for its inte
Page 115 and 116:
State of Kansas Non-Mandatory Proce
Page 117 and 118:
6.3. Maintenance Operations .......
Page 119 and 120:
Introduction This Non-Mandatory Pro
Page 121 and 122:
2.1.1.4 Likelihood Determination Es
Page 123 and 124:
2.2.1.5 Establish Appropriate Secur
Page 125 and 126:
Page 127 and 128:
4.3. Session Management The followi
Page 129 and 130:
4.3.2.2 Restrict Intra and Inter-Sy
Page 131 and 132:
5.1.1.3 Actively Maintain Inventory
Page 133 and 134:
5.1.3.3 Provide Implementation Docu
Page 135 and 136:
• Place all media in a locked con
Page 137 and 138:
6. Systems Operation These Systems
Page 139 and 140:
6.2. Integrity Operations The follo
Page 141 and 142:
6.3.2. Perform Patch and Vulnerabil
Page 143 and 144:
6.4. Maintain Records Agencies shou
Page 145 and 146:
7.1.1.3 Require Authenticated Acces
Page 147 and 148:
8. Incident Response These Incident
Page 149 and 150:
8.1.2.2 Develop Supporting Strategi
Page 151 and 152:
9. Contingency Planning No applicab
Page 153 and 154:
10.1.1.2 Implement Physical Access
Page 155 and 156:
11. Personnel Security These Person
Page 157 and 158:
• Review created accounts and ass
Page 159 and 160:
11.2.4.3 Recover all Organizational
Page 161 and 162:
12.1.1.3 Required Test and Validati
Page 163 and 164:
State of Kansas Non-Mandatory Basel
Page 165 and 166:
6.2. Integrity Operations .........
Page 167 and 168:
Introduction This Non-Mandatory Bas
Page 169 and 170:
• High risk constitutes high like
Page 171 and 172:
2.3. Maintain Records Agencies shou
Page 173 and 174:
Page 175 and 176:
• Systems that have very high ris
Page 177 and 178:
5.1.1.c System and Component Docume
Page 179 and 180:
5.2. Systems Protection No applicab
Page 181 and 182:
o Passwords in the clear. o Violati
Page 183 and 184:
o Penetration testing. o Password c
Page 185 and 186:
o The individuals to be notified. o
Page 187 and 188:
7. Systems Audit These Systems Audi
Page 189 and 190:
eviewed weekly and every system and
Page 191 and 192:
8.1.1.b IR Roles • IR Team Manage
Page 193 and 194:
8.1.2.e IR Plan Update Scheduling a
Page 195 and 196:
10. Physical Security These Physica
Page 197 and 198:
10.2.1.b Power Delivery Specificati
Page 199 and 200:
11. Personnel Security These Person
Page 201 and 202:
11.2.2. Hire Employees in a Structu
show all

Policy 7230A - Department of Administration

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?