Policy 7230A - Department of Administration
provided to all users responsible for the administration and maintenance of a system:

3.2.2.a Positional Roles Requiring Security Operations Training
• The following role types, at a minimum, require security operations training:
  o Roles with application implementation and/or administration responsibilities.
  o Roles with server implementation and/or administration responsibilities.
  o Roles with desktop/laptop implementation and/or administration responsibilities.
  o Roles with network infrastructure implementation and/or administration responsibilities.
  o Roles with storage infrastructure implementation and/or administration responsibilities.
  o Roles with security infrastructure implementation and/or administration responsibilities.

3.2.2.b Security Operations Training Frequency and Scheduling
• Security operations training shall be provided for all employees with security operations responsibilities within 90 days of commencement of employment.
• Security operations training shall be provided for all employees with security operations responsibilities within 90 days of the deployment of a new or significantly revised system. Where possible, employees will be trained together as groups.
• Security operations training shall be provided thereafter for all employees with security responsibilities on an at least annual basis. Where possible, employees will be trained together as groups.

3.3. Maintain Records
Capture documentation appropriate to all training processes:
• Document and retain copies of employee completion of security awareness training.
• Document and retain copies of employee completion of security operations training.

Mandatory Baselines Page 6 of 25
4. Access Control
These Assessment and Planning Mandatory Baselines support the Enterprise Security Policy (ITEC 7230 Rev 1) and the Default Security Requirements (ITEC 7230A).

                                                        Mandatory              Non-Mandatory
                                                        Procedures  Baselines  Procedures  Baselines
4. Access Control
4.1. Identification and Authentication
4.1.1. Manage Identification and Authentication         (6 sets)               (4 sets)
4.2. Account Management
4.2.1. Configure User Accounts                          (4 sets)               (2 sets)
4.3. Session Management
4.3.1. Configure Systems for Secure Access              (6 sets)               (3 sets)
4.3.2. Configure Systems for Secure Communications      (3 sets)               (1 set)
4.4. Maintain Records

4.1. Identification and Authentication
The following are the Mandatory Baselines that support the Identification and Authentication section of the Default Security Requirements:

4.1.1. Manage Identification and Authentication
Agencies must ensure that only individuals that have the pre-established right to access systems can do so:

4.1.1.a Identity Verification
• Users must be identified with government issued identifiers that include the following information:
  o Full name.
  o Signature.
  o Photograph.

4.1.1.b User ID Construction
• User identifiers (User IDs) must be constructed in a consistent manner.

4.1.1.c User Authenticator Construction
• Where passwords are used as user authenticators their length and the character sets from which they are constructed must be determined by the risk categorization of the system:
  o Very high and high risk systems must have passwords at least twelve characters in length that make use of all four of upper case letters, lower case letters, numbers, and special characters.
  o Medium risk systems must have passwords at least eight characters in length that make use of three of the

Mandatory Baselines Page 7 of 25
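The password construction baseline in 4.1.1.c, encoded as a policy check that an agency could run against its account provisioning rules (added example, not part of the policy document). It assumes the medium-risk rule means three of the four character classes, since the page text breaks off after "three of the"; the low-risk tier is not on this page, so the check refuses to guess it.

```python
import string

# The four character classes named in 4.1.1.c.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}

# (minimum length, minimum number of distinct character classes) per risk category.
# very_high / high: 12 characters, all four classes (stated on the page).
# medium: 8 characters, three classes (ASSUMPTION: page text is truncated after
# "three of the"; "three of the four classes" is the assumed reading).
# No "low" entry: that tier is not on this page, so it is rejected, not guessed.
POLICY = {
    "very_high": (12, 4),
    "high": (12, 4),
    "medium": (8, 3),
}


def classes_used(password):
    """Return the set of class names that appear at least once in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_password(password, risk):
    """Return a list of policy violations; an empty list means the password complies."""
    if risk not in POLICY:
        raise ValueError(f"no baseline on this page for risk category {risk!r}")
    min_len, min_classes = POLICY[risk]
    problems = []
    if len(password) < min_len:
        problems.append(f"length {len(password)} is below the minimum of {min_len}")
    used = classes_used(password)
    if len(used) < min_classes:
        missing = ", ".join(sorted(set(CLASSES) - used))
        problems.append(f"uses {len(used)} of 4 character classes, "
                        f"needs {min_classes} (missing: {missing})")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for pw, risk in [("Tr0ub4dor&3xyz", "high"), ("password", "medium")]:
        print(risk, pw, check_password(pw, risk) or "compliant")
```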