DTS POLICY 5000-0002.1
Policy Type: Enterprise
Section/Group: Security
Authority: UCA 63A-16-103; UCA 63A-16-206; Utah Administrative Code R895-7 Acceptable Use of Information Technology Resources
Document History
Original Submission
Submitted on: NA
Submitted by: Boyd Webb, Chief Information Security Officer
Approved by: Michael Hussey, CIO
Issue Date: NA
Effective Date: May 15, 2015
Revisions
Last Revised Date: 03/10/2020
Last Revised by: Ben Mehr
Last Approved by: Stephanie Weteling
Reviews
Reviewed Date: August 2022
Last Reviewed by: Ken Wheeler
Next Review: August 2023
1.0 Purpose
This policy provides the foundation for the State of Utah, Division of Technology Services enterprise security policy.
1.1 Background
This policy was developed in response to a comprehensive external audit involving all executive branch agencies and the enterprise network. The audit revealed security deficiencies not properly addressed in previous policy and standards documents.
The Enterprise Information Security Policy will develop and establish essential and proper controls to minimize security risk; to meet due diligence requirements pursuant to applicable state and federal regulations; to enforce contractual obligations; and to protect the State of Utah’s electronic information and information technology assets.1.2 Scope
This policy applies to all agencies and administrative subunits of state government as defined by UCA §63A-16, et seq.
1.3 Exceptions
The Chief Information Officer, or authorized designee, may acknowledge that under rare circumstances, some associates may need to employ systems that are not compliant with these policy objectives. The Chief Information Officer, or authorized designee, must approve in writing all such instances.
1.4 Annual Review
In order to ensure that this policy is current and effective, DTS will review the policy annually and will make changes as needed.
2.0 Definitions
Agency Policies
Departments and agencies under the State of Utah have the authority to establish internal policies related to information security objectives specific to the department or agency. Agency policies must be compatible with the Enterprise Information Security Policy, as well as federal and state statutory regulations.
Availability
Maintaining users access to data without unplanned interruptions.
Confidentiality
The concept of only allowing authorized users and processes to access data required for their duties.The confidentiality of data and protected information is one of the primary objectives of the information security triad; including confidentiality, integrity, and availability.
Encryption
Cryptographic transformation of data (called “clear text”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used by an unauthorized person. If the transformation is reversible, the corresponding reversal process is called “decryption”, which is a transformation that restores encrypted data to its original state.
Integrity
The principle of ensuring the completeness and accuracy of data.
NIST
National Institute for Standards and Technologies
Risk Assessment
A process by which risks are identified and the impact of those risks are determined. Additionally, a process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place.
3.0 Policy
3.1 Media Protection
Summary: Information systems capture, process, and store information using a wide variety of media. This information is located not only on the intended storage media but also on devices used to create, process, or transmit this information. This media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information created, processed, and stored by an information system throughout its life (from inception through disposal) is a primary concern of a media protection strategy.
Purpose: The State of Utah is required by federal and state regulatory statute to provide a reasonable assurance, in proportion to the confidentiality of the data, that all digital, paper, and other non-electronic (such as microfilm and magnetic tapes) media containing information assets must be protected at all times from unauthorized access.
Policy Objectives: State of Utah, Departments and Agencies must: protect information system media, both paper and digital; limit access to information on information system media to authorized users; and sanitize or destroy information system media before disposal or release for reuse, consistent with National Institute of Standards and Technology, Special Publications 800-53 Rev5 Control # MP-1-4 (Page 171)800-53 Rev5 Control # AC-1-22 (Page 18).
Employees should only use State-owned encrypted media when downloading State data containing Personally Identifiable Information, Protected Health Information, Federal Tax Information, or Criminal Justice Information Services, or any other sensitive data to a removable media device such as, but not limited to, USB drives, tapes, CDs, and DVDs.
3.2 Access Control
Summary: Access control, in one form or another, is considered by most organizations to be the cornerstone of their security programs. The various features of physical, technical, and administrative access control mechanisms work together to construct the security architecture so important in the protection of an organization’s critical and sensitive information assets.
Purpose: The administration of user access to electronic information is required to apply the principles of least privilege and “need to know”, and must be administered to ensure that the appropriate level of access control is applied to protect the information asset in each application or system.
Policy Objectives: State of Utah Departments and Agencies must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise, consistent with National Institute of Standards and Technology,Special Publications 800-53 Rev4 MP1-6 (Appendix F-MP, Page F-119). Additionally, only authorized users will be granted administrative access to workstations in order to download, install and execute new applications.
4.0 Policy Compliance
State of Utah, Departments and Agencies, employees, and contractors are expected to comply with this enterprise security policy. Additional policies and standards developed and implemented by State Departments and Agencies may include additional objectives or detail, but they must be compatible with the security objectives described in this policy document.
5.0 Enforcement
Individuals working in any State of Utah Department or Agency found to have violated this policy may be subject to legal penalties as may be prescribed by state and/or federal statute, rule, and/or regulation.
