Policy 7230A - Department of Administration
5.2.1.2 Implement Anti-Malware Protection
Malware (including viruses, worms, Trojan horses and spyware, and the spam used to deliver them) represents one of the most pervasive types of security threat and can be leveraged against the organization in many ways. Protection requires appropriate solutions:
• Determine points of protection.
• Select and implement solutions according to the requirements.
• Establish a standard configuration for implemented solutions.
• Make changes as per change control processes (see section 5.1.3 of the Non-Mandatory Procedures).
• Maintain as per maintenance processes (see section 6.3.3 of the Non-Mandatory Procedures).

5.2.1.3 Implement Security Monitoring
To ensure the effectiveness of both the security controls inherent to the system and the security infrastructure external to the system, ongoing monitoring is required:
• Determine the nature of the monitoring information to be gathered and the manner in which it is to be presented.
• Select and implement solutions according to the requirements.
• Establish a standard configuration for implemented solutions.
• Make changes as per change control processes (see section 5.1.3 of the Non-Mandatory Procedures).
• Maintain as per maintenance processes (see section 6.3.3 of the Non-Mandatory Procedures).

5.3. Data and Media Protection
The following are the Mandatory Procedures that support the Data and Media Protection section of the Default Security Requirements:

5.3.1. Securely Handle Data and Media
Protect data while it is in the system, both in storage and in use, as well as out of the system on media, in both storage and transit:

5.3.1.1 Configure Transmissions for Confidentiality and Integrity
Ensure both the integrity and confidentiality of electronic PII data transmissions through the use of cryptography. Cryptographic solutions must meet established standards.

5.3.1.2 Validate Data Inputs
No applicable Mandatory Procedures.
5.3.1.3 Restrict Access to Media
No applicable Mandatory Procedures.

5.3.1.4 Ensure Media is Securely Stored
No applicable Mandatory Procedures.

5.3.1.5 Ensure Media is Securely Transported
No applicable Mandatory Procedures.

5.3.1.6 Ensure Media is Securely Sanitized and Disposed of
To provide ongoing data protection once specific data is no longer required to be stored on media, that media must be properly sanitized and/or disposed of:
• Securely sanitize and dispose of digital media.
• Securely dispose of non-digital media.

5.4. Application Protection
No applicable Mandatory Procedures.

5.5. Maintain Records
Capture documentation appropriate to all systems configuration processes:
• Create and maintain a systems security architecture document.
• Create and maintain system media handling logs.