Main Menu Dept. of Technology Services Search

Enterprise Information Security Policy (Statewide)

DTS POLICY 5000-0002.1


Status: Revised
Effective Date: May 15, 2015
Revised Date: N/A
Approved By: Michael Hussey, CIO
Authority: UCA 63F-1-103; UCA 63F-1-206; Utah Administrative Code R895-7 Acceptable Use of Information Technology Resources


Document History

Originator: Boyd Webb, Chief Information Security Officer
Next Review:January 2019
Reviewed Date: January 2018
Reviewed By: Phil Bates, Chief Information Security Officer


2.1 Purpose

This policy provides the foundation for the State of Utah, Department of Technology Services enterprise security policy.

2.1.1 Background

This policy was developed in response to a comprehensive external audit involving all executive branch agencies and the enterprise network. The audit revealed security deficiencies not properly addressed in previous policy and standards documents. 
The Enterprise Information Security Policy will develop and establish essential and proper controls to minimize security risk; to meet due diligence requirements pursuant to applicable state and federal regulations; to enforce contractual obligations; and to protect the State of Utah’s electronic information and information technology assets.

2.1.2 Scope

This policy applies to all agencies and administrative subunits of state government as defined by UCA §63F-1-102(7), et seq.

2.1.3 Exceptions

The Chief Information Officer, or authorized designee, may acknowledge that under rare circumstances, some associates may need to employ systems that are not compliant with these policy objectives. The Chief Information Officer, or authorized designee, must approve in writing all such instances.

2.2 Definitions

Agency Policies
Departments and agencies under the State of Utah have the authority to establish internal policies related to information security objectives specific to the department or agency. Agency policies must be compatible with enterprise security policy, as well as federal and state statutory regulations.

Availability
Maintaining users access to data without unplanned interruptions.

Confidentiality
The concept of only allowing authorized users and processes to access data required for their duties.The confidentiality of data and protected information is one of the primary objectives of the information security triad; including confidentiality, integrity, and availability. 

Encryption
Cryptographic transformation of data (called “clear text”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used by an unauthorized person. If the transformation is reversible, the corresponding reversal process is called “decryption”, which is a transformation that restores encrypted data to its original state.

Integrity
The principle of ensuring the completeness and accuracy of data.

NIST
National Institute for Standards and Technologies

Risk Assessment
A process by which risks are identified and the impact of those risks are determined. Additionally, a process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place.

2.3 Policy

2.3.1 Media Protection

Summary: Information systems capture, process, and store information using a wide variety of media. This information is located not only on the intended storage media but also on devices used to create, process, or transmit this information. This media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information created, processed, and stored by an information system throughout its life (from inception through disposal) is a primary concern of a media protection strategy.

Purpose: The State of Utah is required by federal and state regulatory statute to provide a reasonable assurance, in proportion to the confidentiality of the data, that all digital, paper, and other non-electronic (such as microfilm and magnetic tapes) media containing information assets must be protected at all times from unauthorized access.

Policy Objectives: State of Utah, Departments and Agencies must: protect information system media, both paper and digital; limit access to information on information system media to authorized users; and sanitize or destroy information system media before disposal or release for reuse, consistent with National Institute of Standards and Technology, Special Publications 800-53 Rev4 MP1-6 (Appendix F-MP, Page F-119), 800-88.

Employees should only use State-owned encrypted media when downloading State data containing Personally Identifiable Information, Protected Health Information, Federal Tax Information, or Criminal Justice Information Services, or any other sensitive data to a removable media device such as, but not limited to, USB drives, tapes, CDs, and DVDs.

2.3.2 Access Control (Agencies are expected to be in compliance with Section 2.3.2 by January 1, 2017)

Summary: Access control, in one form or another, is considered by most organizations to be the cornerstone of their security programs. The various features of physical, technical, and administrative access control mechanisms work together to construct the security architecture so important in the protection of an organization’s critical and sensitive information assets.

Purpose: The administration of user access to electronic information is required to apply the principles of least privilege and “need to know”, and must be administered to ensure that the appropriate level of access control is applied to protect the information asset in each application or system.

Policy Objectives: State of Utah Departments and Agencies must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise, consistent with National Institute of Standards and Technology,Special Publications 800-53 Rev4 MP1-6 (Appendix F-MP, Page F-119), 800-88. Additionally, only authorized users will be granted administrative access to workstations in order to download, install and execute new applications.  

2.4 Policy Compliance

State of Utah, Departments and Agencies, employees, and contractors are expected to comply with this enterprise security policy. Additional policies and standards developed and implemented by State Departments and Agencies may include additional objectives or detail, but they must be compatible with the security objectives described in this policy document.

2.5 Enforcement

Individuals working in any State of Utah Department or Agency found to have violated this policy may be subject to legal penalties as may be prescribed by state and/or federal statute, rule, and/or regulation.