Policy 7230A - Department of Administration
6. Systems Operation
These Systems Operation Mandatory Procedures support the Enterprise Security Policy
(ITEC 7230 Rev 1), and the IT Security Self Assessment Policy (ITEC 7310).
Mandatory
Non-Mandatory
Procedures Baselines Procedures Baselines
6. Systems Operation
6.1. Assessment Operations
6.1.1. Perform Security Assessment (7 sets) (3 sets)
6.1.2. Perform Security Self Assessment (4 sets) (2 sets)
6.2. Integrity Operations
6.2.1. Monitor System Security Controls (3 sets) (1 sets)
6.3. Maintenance Operations
6.3.1. Plan for, and Provide Notice of, Security Operations (4 sets) (1 sets)
6.3.2. Perform Patch and Vulnerability Management (5 sets) (3 sets)
6.3.3. Securely Maintain Systems (2 sets) (2 sets)
6.4. Maintain Records
6.1. Assessment Operations
The following are the Mandatory Procedures that support the Assessment Operations
section of the Default Security Requirements:
6.1.1. Perform Security Assessments
No applicable Mandatory Procedures.
6.1.2. Perform Security Self Assessment
To ensure compliance with Kansas Policies and Procedures, all Agencies must
perform a Security Self Assessment.
6.1.2.1 Identify the Target System
Collect and document the information that defines the system.
6.1.2.2 Execute the Plan
Apply the established Security Self Assessment plan to the targeted
system to determine and validate the existence of security
compromises.
6.1.2.3 Securely Manage Assessment Data
Security self assessment data contains information that, if it fell into
inappropriate hands, could be used to breach the security of the
system and so must be protected as critical information:
• Collect data into a central repository to allow for better
analysis as well as greater control of the data.
• Establish defined data storage parameters, controlling access
and distribution of assessment data.
• Where collected assessment data must be electronically
transmitted, ensure the confidentiality and integrity of the
data by password protecting with a strong password.