IT Policies and Standards main page v1.2

Effective 23.2.1998


State IT Resource Security

1. Control of Computers and Information Resources

Information resources are valuable assets of the State. The wilful and knowing unauthorised use, alteration, or destruction of these assets is a computer-related crime.

  1. Access to data files and programs shall be limited to those individuals authorised to view, process, or maintain particular systems.

  2. All information and communications resources leased or owned by the State and all time sharing services billed to the State shall be used only to conduct State business.

  3. All computer software developed by State employees or contract personnel on behalf of the State or purchased for the use of the State is State property and shall be protected as such, unless the contract under which the software is developed specifically provides otherwise.

  4. Sensitive information shall be accessible only to personnel who are authorised by the agency on the basis of strict "need to know" in the performance of their duties. Data containing any sensitive information shall be readily identifiable and treated as sensitive in its entirety.

  5. When sensitive information from an agency is received by another agency in connection with the transaction of official business, the receiving agency shall maintain the confidentiality of the information in accordance with the conditions imposed by the providing agency.

  6. A sufficiently complete history of transactions shall be maintained for each session involving access to critical and sensitive information, as determined by risk analysis, to permit an audit of the system.

2. Physical Security and Access to Data Processing Facilities

All State information processing areas must be protected by physical and environmental controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations.

3. Logical and Data Access Controls

  1. Except for public users of information resources where such access is authorised, or for situations where risk analysis demonstrates no need for individual accountability of users, each user of a multiple-user information resource shall be assigned a unique personal identifier or user identification. User identification shall be authenticated before access is granted.

  2. A user's access authorisation shall be removed when the user's employment is terminated or the user transfers to a position where access to the information resource is no longer required.

  3. Controls shall ensure that users of information resources can access stored software or system control data only if they have been authorised to do so.

4. Data and System Integrity

  1. Controls shall be established to maximise the accuracy and completeness of data.

  2. For tasks that are susceptible to fraudulent or other unauthorised activity, agencies should ensure adequate separation of functions.

  3. Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless the data has been desensitised or unless all personnel involved in testing are otherwise authorised access to the data.

  4. After a new system has been placed in operation, all program changes shall be approved before implementation to determine whether they have been authorised, tested, and documented.

5. Network Security

  1. Network resources participating in the access of sensitive information shall assume the sensitivity level of that information for the duration of the session. Controls shall be implemented commensurate with the highest risk.

  2. Agencies shall prescribe sufficient controls to ensure that access to network services and host services and subsystems is restricted to authorised users and uses only. These controls shall selectively limit services based upon: user identification and authentication (e.g., password), or designation of other users, including the public where authorised, as a class (e.g., public access through dial-up or public switched networks), for the duration of a session.

  3. While in transit, sensitive information shall be encrypted if sending stations, receiving stations, terminals, and relay points are not all under positive State control, or if any are operated by or accessible to personnel who have not been authorised access to the information, unless the requirement to transfer such information has been validated and cannot be satisfied with information which has been desensitised, and the agency head has documented acceptance of the risks of not encrypting the information based on evaluation of the costs of encryption against exposures to all relevant risks.

  4. Selection of encryption algorithms and key management practices shall be based on documented risk analysis. Algorithms may incorporate one time ciphers, symmetric, or asymmetric encryption, or combinations of these methods. Where the algorithm or its implementation permits variable length keys, the determination of key length shall be based on documented risk analysis.

6. Backup and Recovery

  1. Data and software essential to the continued operation of critical agency functions shall be backed up at regular intervals. The security controls over the backup resources shall be as stringent as the protection required of the primary resources.

  2. All information resources identified as critical to the continuity of governmental operations shall have written and cost-effective contingency plans to provide for the prompt and effective continuation of critical State missions in the event of a disaster, and these contingency plans shall be tested at least annually.

7. Personnel Security and Security Awareness

  1. Every employee shall be held responsible for information resource security to the degree that his or her job requires the use of information resources. Fulfilment of security responsibilities shall be mandatory, and executive agencies are authorised to enforce compliance with security responsibilities through disciplinary actions, up to and including dismissal, civil penalties, or criminal penalties.

  2. Agencies shall provide an on-going awareness and training program in information security and in the protection of State information resources.

  3. Awareness and training in security shall not be limited to formal training sessions, but shall include on-going briefings and continual reinforcement of the value of security consciousness.

8. Systems Acquisition, Auditing, and Reporting

  1. Appropriate information security and audit controls shall be incorporated into new systems.

  2. An internal audit of the agency information security function shall be performed periodically.

  3. Automated systems which process sensitive information should, to the degree practicable, provide the means whereby authorised personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, or affect the release of the information.

  4. Security incidents and breaches shall be promptly investigated and reported to the appropriate authorities.

9. Level of Security

Level 0

Unrestricted access. This level represents the unrestricted environment where there are no access controls and no assumptions can be made about anyone operating at this level. Essentially, there is no security at this level.

Level 1

Audit and screening of unnecessary access. At this level simple auditing and screening procedures are established. To pass Level 1 security, the security manager generally provides systems that require simple logging of the access. Since there is no user authentication (passwords) at this level, the logging is generally accomplished by logging of network addresses or some other identifier. Security at this level may also exclude some traffic that has no reason to cross the boundary.

Level 2

Audit and screening of illegal access. At this level logging is still only by address or some other identifier, but now specific protocols or applications are prevented from passing. For a network this might mean all inbound TELNET is blocked. For a system this could be all dial-in traffic after 6:00 p.m. Data and systems in this environment are not critical and can be reconstructed in a reasonable amount of time if destroyed.

Level 3

Audit, screening and loose authentication. At this level users are required to identify themselves by a basic mechanism, such as a password. This is "loose" because the user does not have to do much to prove they are who they say they are. Audit information now contains user identification as well as addresses. Data in this environment must be protected from unauthorised access. If seen by unauthorised personnel it is unfortunate, but not a major problem. Audit trails are very important so that security managers are aware that information has been accessed by unauthorised parties.

Level 4


Audit and physical access only. At this level, more sophisticated authentication schemes are employed to ensure that the user is really who they say they are. This is generally accomplished by systems that utilise one-time passwords, challenge/response systems, or physical identification. Data in this environment is extremely sensitive, such that if the data is viewed by unauthorised personnel severe consequences would occur.

Level 5

Audit and physical access only. This level is the most secure level. Access at this level is so strict that remote access is not allowed and only the most strenuous authentication is employed. This level of security would be employed to protect resources for which absolutely no illegal access can be tolerated without very severe consequences.
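The six levels above read as a ladder of three controls: screening (which traffic may cross the boundary), authentication (how strongly the user must prove identity) and audit (what the trail records). The following is an added illustration, not code from the State or any Sabah.Net system, of a toy policy-enforcement point that applies one level's rules to a connection request and writes the audit record that level calls for. The protocol names, the `AUTH_RANK` ordering, the request shape and the sample addresses are constructed assumptions chosen to mirror the text; note that below Level 3 the audit record can only carry an address, because no user identity has been authenticated.

```python
"""Added example: toy policy-enforcement point for the six security levels
in section 9. Constructed for illustration only; protocol names, AUTH_RANK
values and sample requests are assumptions, not State configuration."""
from dataclasses import dataclass, field
from typing import Optional

# Relative strength of the authentication mechanisms the text names
# (constructed ordering; "none" covers Levels 0-2, which log only addresses).
AUTH_RANK = {
    "none": 0,
    "password": 1,            # Level 3: loose authentication
    "one_time_password": 2,   # Level 4
    "challenge_response": 2,  # Level 4
    "physical_id": 3,         # Level 5: strictest mechanism named
}


@dataclass
class Request:
    """One access attempt crossing the boundary (constructed sample shape)."""
    src_addr: str
    protocol: str
    user: Optional[str] = None
    auth: str = "none"
    remote: bool = True
    hour: int = 12


# Screening rules return a reason string when the request must be refused.
def no_inbound_telnet(req: Request) -> Optional[str]:
    return "inbound TELNET blocked" if req.protocol == "telnet" else None


def no_dialin_after_hours(req: Request) -> Optional[str]:
    after_hours = req.protocol == "dial-in" and req.hour >= 18
    return "dial-in refused after 18:00" if after_hours else None


@dataclass
class LevelPolicy:
    screens: list = field(default_factory=list)
    min_auth: int = 0
    remote_allowed: bool = True
    audit: bool = True
    audit_user: bool = False   # Level 3 and above record the user identity


SCREENS = [no_inbound_telnet, no_dialin_after_hours]
POLICY = {
    0: LevelPolicy(audit=False),                    # no controls at all
    1: LevelPolicy(),                               # log addresses only
    2: LevelPolicy(screens=SCREENS),                # plus protocol/time screening
    3: LevelPolicy(screens=SCREENS, min_auth=AUTH_RANK["password"], audit_user=True),
    4: LevelPolicy(screens=SCREENS, min_auth=AUTH_RANK["one_time_password"], audit_user=True),
    5: LevelPolicy(screens=SCREENS, min_auth=AUTH_RANK["physical_id"],
                   remote_allowed=False, audit_user=True),
}


def decide(level: int, req: Request, audit_log: list) -> tuple:
    """Apply the policy for `level` to `req`, append the audit record the
    level requires (if any), and return (allowed, reason)."""
    pol = POLICY[level]
    allowed, reason = True, "permitted"

    if not pol.remote_allowed and req.remote:
        allowed, reason = False, "remote access not permitted at this level"
    else:
        for screen in pol.screens:
            hit = screen(req)
            if hit:
                allowed, reason = False, hit
                break
    if allowed and pol.min_auth > 0:
        if req.user is None or AUTH_RANK.get(req.auth, 0) < pol.min_auth:
            allowed, reason = False, "authentication absent or too weak for this level"

    if pol.audit:
        record = {"level": level, "addr": req.src_addr, "protocol": req.protocol,
                  "outcome": "allow" if allowed else "deny", "reason": reason}
        if pol.audit_user:
            record["user"] = req.user   # identity is only meaningful from Level 3 up
        audit_log.append(record)
    return allowed, reason


if __name__ == "__main__":
    log = []
    print(decide(2, Request("10.0.0.5", "telnet"), log))
    print(decide(3, Request("10.0.0.7", "http", user="alice", auth="password"), log))
    print(decide(5, Request("10.0.0.8", "http", user="bob", auth="physical_id"), log))
    for entry in log:
        print(entry)
```

Denied attempts are logged at every level from 1 upward, which is what lets a Level 3 security manager notice that information was reached by the wrong party even though the authentication there is loose; at Level 5 the remote check runs before any other rule, so a strongly authenticated remote user is still refused.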

 

Copyright © 1998-2005 Unit Kemajuan IT Negeri, Kementerian Pembangunan Sumber dan Kemajuan Teknologi Maklumat
Last updated on 06 December 2005