
Two Factor Authentication

Two-Factor Authentication is a security process in which the user provides two means of identification when accessing IT resources: a password, and a token code produced either by a small (key-ring size) hardware device (‘hard token’) or by a client application on a computer or smartphone (‘soft token’).

Regardless of the type, each assigned token displays a six digit code that changes every sixty seconds.  These codes are synchronized with the user account on an authentication server.  The user must provide a valid password and the correct token code to authenticate and access an application.  In addition, agencies may choose to require users to create an RSA passcode.  Users would then be required to provide a passcode + token to be authenticated, adding an additional level of security.
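To make the server-side half of this concrete, here is an added illustration that is not part of the DTS page and is not RSA SecurID's own algorithm (RSA's code generation is proprietary; an RFC 6238-style HMAC construction stands in for it). It keeps the six-digit, sixty-second behaviour described above and shows the two checks the authentication server must make: a small clock-drift window so a token that has drifted one step still works, and one-use enforcement so a code cannot be replayed. `AuthServer`, `token_code`, the seed and the passwords are constructed assumptions.

```python
"""Added illustration, not the DTS page's or RSA's code: an RFC 6238-style HMAC
construction stands in for RSA SecurID's proprietary generator, tuned to the
six-digit / sixty-second behaviour the page describes.  The seed, passwords and
clock values below are constructed sample data."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 60   # the page: each token code changes every sixty seconds
DIGITS = 6          # the page: a six digit code
DRIFT_STEPS = 1     # accept one step either side so small token/server clock drift does not lock users out


def token_code(seed: bytes, unix_time: int) -> str:
    """Code a token displays during the 60-second step containing unix_time
    (HMAC-SHA1 over the step counter, truncated as in RFC 4226)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class AuthServer:
    """Keeps each user's password hash, token seed and the last accepted time step;
    the last step is what lets the server refuse a replayed code."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    @staticmethod
    def _pw_hash(password: str) -> str:
        # Plain SHA-256 stands in for the directory's password check; a real
        # deployment relies on the directory (AD) and a salted, slow hash.
        return hashlib.sha256(password.encode()).hexdigest()

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        self.users[user] = {"pw": self._pw_hash(password), "seed": seed, "last_step": -1}

    def authenticate(self, user: str, password: str, code: str, now: Optional[int] = None) -> bool:
        """True only when BOTH factors check out: the password, then a fresh, in-window token code."""
        now = int(time.time()) if now is None else now
        rec = self.users.get(user)
        if rec is None:
            return False
        if not hmac.compare_digest(rec["pw"], self._pw_hash(password)):
            return False
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= rec["last_step"]:
                continue  # that step was already consumed once: reject the replay
            if hmac.compare_digest(token_code(rec["seed"], step * STEP_SECONDS), code):
                rec["last_step"] = step
                return True
        return False


if __name__ == "__main__":
    srv = AuthServer()
    srv.enroll("alice", "correct horse", b"12345678901234567890")   # constructed seed
    code = token_code(b"12345678901234567890", int(time.time()))
    print("first use:", srv.authenticate("alice", "correct horse", code))   # True
    print("replay:   ", srv.authenticate("alice", "correct horse", code))   # False
```

With a 60-second step the counter for `unix_time` 0 and 60 equals the RFC 4226 HOTP counters 0 and 1, so the published test vectors (755224, 287082) apply unchanged.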

Features and Descriptions

SID 700 Token

The RSA SecurID 700 is a small key fob that connects easily to any key ring and fits into a user’s pocket or small carrying case.

Software Token

The RSA SecurID Software Token is an application that is installed on a desktop, laptop, or smart phone.  The application displays the current token code for the user to enter when accessing a resource requiring two-factor authentication. The Software Token can be paired with screen reading software such as JAWS and NV Access to support the needs of vision-impaired users.
**All tokens have an expiration date of 3 years.  When tokens expire, the agency will need to purchase new tokens.

Google App Authentication

Two-factor authentication can be implemented on most web applications currently protected by the SiteMinder single sign-on service.  When a user attempts to log in to the application they will be prompted for their AD username and password.  After successful AD authentication the user will then be prompted to provide their token code to complete the authentication process.

VPN Authentication

When using two-factor authentication to create a Virtual Private Network (VPN) session via the Cisco AnyConnect VPN client, the user is prompted for their AD username and password along with their RSA username and token code.  The user will only be allowed to create the VPN session once both a valid password and token code are produced.

Desktop Authentication

Two-factor authentication may be added as an additional level of security for users authenticating to their desktop computers.  The user will be prompted for their network username and password along with their token code.  The user will not be able to access their computer without providing a valid password and token code.

Protecting other applications or resources

If an agency wishes to implement two-factor authentication on other applications or resources, additional costs for development and project management time may be required.  Contact the product manager for more information.

Ordering and Provisioning

Agencies who wish to implement two-factor authentication should contact the Enterprise Information Security Office (EISO).  The EISO will work with the agency to determine their requirements and develop an implementation plan.

DTS Responsibilities

DTS is responsible for the setup and maintenance of the infrastructure required for two-factor authentication including the authentication server and any interfaces accessing the server.

Agency Responsibilities

Agencies will be responsible for assigning and managing tokens for their users.  An agency designee or designees will be trained on how to access their users on the authentication server and assign, revoke or change tokens.

DTS Service Levels and Metrics

In an effort to improve service to our customer agencies, DTS will measure and report on the following enterprise metric goals:

  • Application Availability
  • Resolution Time
  • Initial Response
  • First Contact Resolution
  • Customer Satisfaction Surveys

Application Availability

Application availability measures DTS’ efforts to ensure agency key business applications meet the percent of availability goals identified in the agency Service Level Agreements (SLA).  DTS will determine application availability based upon the collective measurement of the configuration items (both hardware and software) that support the agency’s business service applications.  These metrics will be reported each month by agency with a cumulative report showing DTS’ efforts over several months and posted to the DTS Metrics web page at http://dts.utah.gov/metrics/index.html.

Metric Description              Target
Two-Factor Authentication       100%

Times exclude those tickets in a “Pending” status awaiting a known bug fix.

Resolution Time

Resolution time measures DTS’ efforts to resolve customer incidents within the timelines set below based upon urgent, high, medium and low priorities.  These metrics will be reported each month, by agency, with a cumulative report showing DTS’ efforts over several months.  These reports will then be posted on the DTS Metrics web page at: http://dts.utah.gov/metrics/index.html.

Total Time to Resolution               Target: Percent of Tickets Meeting Priority Timelines
Low priority – 6 Business hours        90%
Medium priority – 4 Business hours     90%
High priority – 3 Clock hours          90%
Critical priority – 3 Clock hours      90%

Initial Response

Initial response measures DTS’ efforts to respond to customer incidents within the timelines set below based upon urgent, high, medium and low priorities.  These metrics will be reported each month by agency with a cumulative report showing DTS’ efforts over several months. These reports will then be posted on the DTS Metrics web page at: http://dts.utah.gov/metrics/index.html.

Time to Initial Response               Target: Percent of Tickets Meeting Priority Timelines
Low priority – 1 Business hour         85%
Medium priority – 1 Business hour      85%
High priority – 1 Clock hour           90%
Critical priority – 30 Clock minutes   95%

First Contact Resolution

First contact resolution measures DTS’ efforts to resolve customer incidents on initial contact with either our help desk or a technical specialist.  These metrics will be reported each month, by agency, with a cumulative report showing DTS’ efforts over several months.  These reports will then be posted on the DTS Metrics web page at: http://dts.utah.gov/metrics/index.html.

Metric Description          Target
First Contact Resolution    65% of all incidents reported resolved on initial contact

Customer Satisfaction Surveys and Reporting

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an on-line survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary.

The chart below identifies DTS enterprise goals for customer satisfaction. Cumulative monthly reports will be created displaying the customer’s level of satisfaction with DTS support. These reports will then be posted on the DTS Metrics web page at: http://dts.utah.gov/metrics/index.html.

Customer Satisfaction Target

Metric Description                                                        Target
Average level of satisfaction with resolution efforts                     ≥ 4.5 on a scale of 0 – 5
Percentage of respondents expressing satisfaction (vs. dissatisfaction)   93% of respondents satisfied

PCI Service Options

The Utah Division of Finance has authorized the State of Utah Executive Branch Agencies to obtain and operate credit card payment merchant identifications.  These allow agencies to accept credit card payments for services.

Seven authorized options were documented by the Division of Finance (Finance) and will be supported by the Department of Technology Services (DTS).  These options and associated fees are documented below.

Features and Descriptions

Option 1: Stand-alone card swipe on IP

This option entails a card-swiping device that is connected by a wired network cable. The credit card traffic will traverse the State’s network and the Internet to the payment processor.

In order to do this, a firewall with an intrusion prevention system (IPS) will need to be ordered through DTS.  One firewall will be needed per geographic office or processing location.  The purpose of this firewall is to encrypt the traffic from the payment devices across the state network to the payment processing service.

Pricing

Firewall with IPS $861.44
3 Year Maintenance plan for firewall $874.37
Monthly networking rate for the card swiping device $59/month

Option 2: Card swipe on phone line

This option entails a card-swiping device that is connected through a phone line only. All transaction traffic will traverse the phone line carrier’s network until it reaches the credit card processing service, so no additional equipment is needed.

Pricing

Monthly Expenses (for additional phone line)    Per Unit Expenses
Phone Line (per location)                       $34.00
1FB                                             $6.00
URATE                                           $28.00

Option 3: PC to payment portal – state employee

This option is for state employees who use a computer to enter payments through the Utah Interactive or Paymentech web services gateway.  Users will log onto the service with an Internet browser and enter credit card information and payment amounts through this service hosted by an outside party.

In this case, all traffic is encrypted through the contractor’s web service, but we have the responsibility of protecting our end point devices used to access this service. In order to do this, these computers need to be protected by a Firewall with IPS, with the option to segment them with their own services including Symantec endpoint protection, Zenworks, Active Directory authentication and File integrity monitoring.

Pricing

Firewall with IPS $861.44
3 Year Maintenance plan for firewall $874.37
Monthly networking rate for the card swiping device $59/month
Desktop rate for each user’s device $63/month

Optional Services

Hosting processing rate (a server to host segregated services) $391.72/month
CPU & Storage rate (for the segregated services) $277.47
Licensing fees for additional optional services would need to be estimated based upon the Agency’s request (i.e. a separate AD server, Symantec server, file integrity monitoring, etc.) Variable

Option 4: POS on a computer with attached card swipe

This option entails a card-swiping device attached to a computer with software integration. This option is needed when credit card data is integrated with a software application that accounts for each transaction such as what is used in a large retail store.

In order to do this, a firewall with an intrusion prevention system (IPS) will need to be ordered through DTS per processing location. The purpose of this firewall is to encrypt the traffic from the payment devices across the state network to the payment processing service.

Additionally, all services to these devices will need to be isolated to the credit card processing environment including the following:

  • Logging and monitoring
  • Symantec endpoint protection
  • Zenworks
  • Any centralized authentication like active directory
  • Patching
  • File integrity monitoring services

File integrity monitoring service will also need to be installed on all computers connected to the environment.

Pricing

Firewall with IPS $861.44
3 Year Maintenance plan for firewall $874.37
Monthly networking rate for the card swiping device $59/month
Desktop rate for each user’s device $63/month
Hosting processing rate (a server to host segregated services) $391.72/month
CPU & Storage rate (for the segregated services) $277.47
File integrity monitoring software per computer $100
Licensing fees for additional optional services would need to be estimated based upon the Agency’s request (i.e. a separate AD server, Symantec server, file integrity monitoring, etc.) Variable

Option 5: Chase mobile

This option is selected when the agency would like to use a mobile device payment-processing device. These can currently be purchased through Finance for most of the popular mobile phones and tablets.

No additional equipment purchases from DTS are needed for this option. Mobile phones/tablets should be purchased through agency contacts.

Pricing

No additional equipment purchases from DTS are needed for this option.

Option 6: Public kiosk

This option is used when agencies would like to create a public kiosk to collect payments for residents to use. Residents could then use the Internet browser on this kiosk to enter a transaction from one of the online payment services such as Utah Interactive or Paymentech.

In this case, all traffic is encrypted through the contractor’s web service, but we have the responsibility of protecting our end point devices used to access this service. In order to do this, these computers need to be protected by a Firewall with IPS, with the option to segment them with their own services including Symantec endpoint protection, Zenworks, Active Directory authentication and File integrity monitoring.

Pricing

Firewall with IPS $861.44
3 Year Maintenance plan for firewall $874.37
Monthly networking rate for the card swiping device $59/month
Desktop rate for each user’s device $63/month

Optional Services

Hosting processing rate (a server to host segregated services) $391.72/month
CPU & Storage rate (for the segregated services) $277.47
Licensing fees for additional optional services would need to be estimated based upon the Agency’s request (i.e. a separate AD server, Symantec server, file integrity monitoring, etc.) Variable

Option 7: e-commerce

This option is used when agencies select to have a contractor take payments on their behalf through an online service. In this case, no state employees are involved in the credit card transaction, rather the user enters their transaction on the vendor website.

Pricing

No additional equipment purchases from DTS are needed for this option.

Features Not Included

Card swiping devices

Card swiping devices should be ordered through Finance and cannot be procured through DTS.

Paymentech services

DTS is dependent on Paymentech’s services being available for credit card purchases and application availability metrics may be affected by contractor service.

Ordering and Provisioning

New PCI services and changes to existing PCI services should be coordinated through each Agency’s IT Director.

DTS Responsibilities

DTS is responsible for the hosting and application services as well as network connectivity.

These include the following:

  • Firewall availability, support and maintenance
  • Server availability, support and maintenance
  • Desktop availability, support and maintenance

Agency Responsibilities

Agencies are responsible for keeping IT Directors apprised of PCI needs and the options selected. As detailed above, Agencies are responsible for ordering card swiping devices and merchant IDs through Finance and obtaining mobile devices as needed.

Security (Enterprise)

Enterprise Information Security encompasses the provisioning and management of information security services and solutions to all Executive Branch agencies (defined by § 63F-1-206 of the Utah Technology Governance Act).  These services are available to all employees, contractors, partners or vendors who connect to the State Wide Area Network (WAN), or who operate or manage telecommunication and information technology services, equipment or data supporting the State’s business functions.

Product Features and Descriptions

Strategic Planning and Management

Continuously ensure the enterprise’s information security program (principles, practices and system design) is in line with all state agency mission statements.

Information Security Management

The development and management of principles, policies, and procedures necessary to ensure the confidentiality, integrity, availability, and privacy of information in all forms of media (electronic and hardcopy) throughout the information life cycle.

Information Security Training & Awareness

The development and delivery of training and activities designed to instruct workers about their security responsibilities, and the delivery of information security processes and procedures for performing duties optimally and securely within related environments.

Quality Assurance and Compliance

The review, evaluation, analysis and periodic monitoring of processes against statutory requirements; information security laws; regulations; industry-wide best practices; and enterprise and agency security controls to achieve the State’s information security goals and assist agencies in their efforts to comply with applicable requirements (Agencies have primary responsibility for compliance).

Vulnerability Management

The identification and testing of vulnerabilities to information assets, such as databases, applications, desktops, servers, switches, routers, etc.; the issuance of recommendation(s); and the management of mitigation strategies that achieve needed security at an affordable cost.

Risk Management

Provide a balanced approach to the identification and assessment of risks to information assets, and the management of mitigation strategies that achieve enterprise information security goals and assist agencies in complying with applicable requirements (Agencies have primary responsibility for compliance) at an affordable cost.

Incident Management

The development and issuance of processes and procedures to prepare for, prevent, detect, contain, eradicate, recover from and apply lessons learned from incidents impacting the mission of the State and its agencies, including the investigation and analysis used for recovering, authenticating, and analyzing electronic information to reconstruct events related to security incidents. E-discovery and data acquisition related to an investigation request are also included.

Security Operations and Maintenance

The maintenance, monitoring, control, hardening, and protection of the infrastructure, including servers and desktops, and the information residing on them to applicable State and agency requirements, during the operational phase of information systems and/or applications in production.

Network Security and Telecommunications

Provides security for basic network services and information and provides maintenance for the hardware layer on which it resides.

System and Application Security

Ensures that the operation of IT systems and software does not present undue risk to the enterprise, and its information assets, through the integration of information security into an IT system or application during the System Development Life Cycle (SDLC).

Procurement

The development and establishment of standards and contract language that promote the procurement of information products or services that meet the security requirements of the agencies.

Forensic Investigations

Investigate and forensically analyze potential violations of acceptable use policy. Investigations are conducted so as to maintain chain of custody and reporting. State and non-State agencies can contract via a Special Billing Agreement with DTS for additional investigation services beyond acceptable use policy violations.

Features Not Included

Physical Security

Protect the agency’s personnel, equipment, and information from natural or man-made threats to physical facilities where information equipment is located or work is performed (e.g., computer rooms, work locations).

Personnel Security

Ensure the agency’s selection and management of employees and contractors are controlled to promote security.

Quality Assurance and Compliance

Primary responsibility for agency compliance with applicable federal and state regulations. Agencies maintain primary responsibility for their compliance.

Ordering and Provisioning

To obtain information and/or support regarding Enterprise Information Security services, contact the DTS Enterprise Information Security Office (EISO) via the DTS Customer Support Center at (801) 538-3440 or 1-800-678-3440.

DTS Responsibilities

It is the responsibility of DTS Enterprise Information Security Office to deliver effective enterprise focused security services by:

  • Providing support during published hours for questions and/or problems.
  • Providing support 24 x 7 in the event of an emergency.
  • Maintaining applicable vendor contracts for products and services provided.
  • Notifying customers of any changes to the product prior to the changes whenever possible.

Agency Responsibilities

Ensure that Division/agency employees, contractors, partners and vendors who connect to the State Wide Area Network (WAN), or who operate or manage telecommunication and information technology services, equipment or data that support the State’s business functions, abide by DTS Enterprise Information Security policies, procedures, standards, and guidelines.

Develop and implement division/agency procedures and governance to ensure that incidents are captured and that work is recorded in a timely fashion.

Report suspicious activities associated with automation systems and/or applications to the DTS EISO as soon as possible.