Information Security Policy, Procedures, Guidelines


Version Revised December 2017 | Office of Management and Enterprise Services | Information Services
State of Oklahoma
Information Security Policy, Procedures, Guidelines

Information Security Policies, Procedures, Guidelines Revised December 2017 Page 2 of 94

TABLE OF CONTENTS

PREFACE .. 6
INFORMATION SECURITY POLICY .. 7
INTRODUCTION .. 9
POLICY, PROCEDURES, GUIDELINES .. 9
AUDIENCE .. 10
INFORMATION .. 11
INFORMATION CONFIDENTIALITY .. 11
INFORMATION CONTENT .. 12
INFORMATION ACCESS .. 12
INFORMATION SECURITY .. 13
INFORMATION AVAILABILITY .. 13
SECURITY PROGRAM MANAGEMENT .. 14
CENTRAL SECURITY .. 14
HOSTING AGENCY SECURITY .. 15
AGENCY SECURITY .. 15
INCIDENT MANAGEMENT .. 15
EVENT LOGGING AND MONITORING .. 16
RISK MANAGEMENT .. 18
RISK ASSESSMENT .. 18
RISK MITIGATION .. 19
PERSONNEL/USER ISSUES .. 20
STAFFING .. 20
AWARENESS/TRAINING .. 20
PERSONAL COMPUTER USAGE .. 21
EMAIL USAGE .. 22
INTERNET/INTRANET SECURITY .. 23
HELP DESK MANAGEMENT .. 26
SUPPORT CALLS .. 26
PASSWORD RESETS .. 27
VOICE MAIL SECURITY .. 27
PHYSICAL AND ENVIRONMENTAL SECURITY .. 29
OPERATIONS CENTER .. 29
OPERATIONS MONITORING .. 29
BACK-UP OF INFORMATION .. 30
ACCESS CONTROL .. 31
NETWORK .. 31
ELECTRONIC COMMERCE SECURITY .. 34
MOBILE COMPUTING .. 35
REMOTE COMPUTING .. 36
EXTERNAL FACILITIES .. 37
ENCRYPTION .. 37
BUSINESS CONTINUITY .. 39
DISASTER RECOVERY PLAN .. 43
BUSINESS RECOVERY STRATEGY .. 45
DATA CENTER MANAGEMENT .. 47
OPERATING PROCEDURES .. 47
OPERATIONAL CHANGE CONTROL .. 47
SEGREGATION OF DUTIES .. 48
SEPARATION OF DEVELOPMENT AND OPERATIONAL FACILITIES .. 48
SYSTEMS PLANNING AND ACCEPTANCE .. 49
CAPACITY PLANNING .. 50
SYSTEMS .. 50
OPERATIONS AND FAULT LOGGING .. 51
MANAGEMENT OF REMOVABLE COMPUTER MEDIA .. 51
DISPOSAL OF MEDIA .. 51
EXCHANGES OF INFORMATION AND SOFTWARE .. 52
PUBLICLY AVAILABLE SYSTEMS .. 52
USE OF SYSTEM UTILITIES .. 53
MONITORING SYSTEMS ACCESS AND USE .. 53
CONTROL OF OPERATIONAL SOFTWARE .. 55
ACCESS CONTROL TO SOURCE LIBRARY .. 55
CHANGE CONTROL PROCEDURES .. 56
RESTRICTIONS ON CHANGES TO SOFTWARE .. 56
INTRUSION DETECTION SYSTEMS (IDS) .. 57
CONTROLS ON MALICIOUS SOFTWARE .. 57
FIREWALLS .. 58
EXTERNAL FACILITIES MANAGEMENT .. 58
LEGAL REQUIREMENTS .. 60
SOFTWARE COPYRIGHT .. 60
PROTECTION OF INFORMATION .. 60
PRIVACY OF PERSONAL INFORMATION .. 61
COMPLIANCE WITH SECURITY POLICY .. 62
APPENDIX A: GLOSSARY .. 63
APPENDIX B: SAMPLE CRISIS TEAM ORGANIZATION .. 66
APPENDIX C: RESPONSIBILITY GRID .. 67
APPENDIX D: CONTINGENCY PLAN CONSIDERATIONS .. 69
APPENDIX E: PROCEDURES AND ACCEPTABLE USE .. 70
APPENDIX E, SECTION 1. COMPUTER (CYBER) INCIDENT REPORTING PROCEDURES .. 70
NOTIFICATION .. 71
RESPONSE ACTIONS .. 71
AGENCY .. 71
INCIDENT REPORTING FORM .. 73
APPENDIX E, SECTION 2. INCIDENT MANAGEMENT .. 74
OVERVIEW .. 74
INCIDENT RESPONSE TEAM ORGANIZATION .. 75
INCIDENT RESPONSE PROCEDURES .. 77
APPENDIX E, SECTION 3. MEDIA SANITIZATION PROCEDURES FOR THE DESTRUCTION OR DISPOSAL OF ELECTRONIC STORAGE MEDIA .. 82
INTRODUCTION .. 82
POLICY .. 82
PROCEDURES .. 82
APPROVED DESTRUCTION OR DISPOSAL METHODS .. 83
BACKGROUND AND GUIDELINES .. 85
APPENDIX E, SECTION 4. REMOVABLE MEDIA: ACCEPTABLE USE POLICY .. 87
SOFTWARE ENCRYPTION ALTERNATIVES (MOBILE COMPUTING AND REMOVABLE MEDIA) .. 88
HARDWARE ENCRYPTION ALTERNATIVES (USB FLASH DRIVES; OTHERS MAY BE ADDED IF APPROVED) - CURRENT APPROVED AND VETTED LIST OF DEVICES .. 89
APPENDIX E, SECTION 5. MOBILE COMPUTING DEVICES: ACCEPTABLE USE POLICY .. 92

PREFACE

The contents of this document include the minimum information security policy, as well as procedures, guidelines and best practices for the protection of the information assets of the State of Oklahoma (hereafter referred to as the State).

The policy, as well as the procedures, guidelines and best practices, apply to all state agencies. As such, they apply equally to all State employees, contractors or any entity that deals with State information. The Office of Management and Enterprise Services Information Services (OMES IS) will communicate the policy, procedures, guidelines and best practices to all state agencies. In turn, all agencies are required to review the policy and make all staff members aware of their responsibility in protecting the information assets of the State. Those agencies that require additional controls should expand on the content included in this document, but not compromise the standards set forth.

The policy and those procedures prefaced by "must" are mandatory, as the system involved will be classified as insecure without adherence. Guidelines and best practices are generally prefaced with "should" and are considered mandatory unless limited by functional or environmental considerations. It is recognized that some agencies have their own proprietary systems that may not conform to the policy, procedures, guidelines and best practices indicated in this document. A plan for resolution of these system limitations should be created. Any exceptions are to be documented and be available on request. Other non-system-related standards that do not require system modification should be instituted as soon as possible.

Revisions to this document are maintained collectively in Appendix E: Revisions, which includes a "Revision Table" describing each addition, change or deletion and the date it was implemented. All revisions are referenced using this procedure. The original document will remain intact.

STATE OF OKLAHOMA INFORMATION SECURITY POLICY

Information is a critical State asset. Information is comparable with other assets in that there is a cost in obtaining it and a value in using it. However, unlike many other assets, the value of reliable and accurate information appreciates over time rather than depreciating.

Shared information is a powerful tool, and its loss or misuse can be costly, if not illegal. The intent of this security policy is to protect the information assets of the State. This security policy governs all aspects of hardware, software, communications and information. It covers all State agencies as well as contractors or other entities who may be given permission to log in, view or access State information.

Definitions: Information includes any data or knowledge collected, processed, stored, managed, transferred or disseminated by any method. The Owner of the information is the State agency responsible for producing, collecting and maintaining the authenticity, integrity and accuracy of the information.
