Enterprise Information Security encompasses the provisioning and management of information security services and solutions to all Executive Branch agencies (as defined by § 63F-1-206 of the Utah Technology Governance Act). These services are available to all employees, contractors, partners or vendors who connect to the State Wide Area Network (WAN), or who operate or manage telecommunication and information technology services, equipment or data supporting the State’s business functions.
Product Features and Descriptions
Strategic Planning and Management
Continuously ensure the enterprise’s information security program (principles, practices and system design) is in line with all state agency mission statements.
Information Security Management
The development and management of principles, policies, and procedures necessary to ensure the confidentiality, integrity, availability, and privacy of information in all forms of media (electronic and hardcopy) throughout the information life cycle.
Information Security Training & Awareness
The development and delivery of training and activities designed to instruct workers about their security responsibilities, and the delivery of information security processes and procedures for performing duties optimally and securely within related environments.
Quality Assurance and Compliance
The review, evaluation, analysis and periodic monitoring of processes against statutory requirements; information security laws; regulations; industry-wide best practices; and enterprise and agency security controls to achieve the State’s information security goals and assist agencies in their efforts to comply with applicable requirements (agencies have primary responsibility for compliance).
The identification and testing of vulnerabilities in information assets such as databases, applications, desktops, servers, switches and routers; the issuance of recommendations; and the management of mitigation strategies that achieve the needed level of security at an affordable cost.
Provide a balanced approach to the identification and assessment of risks to information assets, and the management of mitigation strategies that achieve enterprise information security goals and assist agencies in complying with applicable requirements (Agencies have primary responsibility for compliance) at an affordable cost.
The development and issuance of processes and procedures to prepare for, prevent, detect, contain, eradicate, recover from and apply lessons learned from incidents impacting the mission of the State and its agencies, including the investigation and analysis used to recover, authenticate and analyze electronic information in order to reconstruct events related to security incidents. E-discovery and data acquisition related to an investigation request are also included.
Security Operations and Maintenance
The maintenance, monitoring, control, hardening, and protection of the infrastructure, including servers and desktops, and the information residing on them to applicable State and agency requirements, during the operational phase of information systems and/or applications in production.
Network Security and Telecommunications
Provides security for basic network services and information, and provides maintenance for the hardware layer on which they reside.
System and Application Security
Ensures that the operation of IT systems and software does not present undue risk to the enterprise, and its information assets, through the integration of information security into an IT system or application during the System Development Life Cycle (SDLC).
The development and establishment of standards and contract language that promote the procurement of information products or services that meet the security requirements of the agencies.
Investigate and forensically analyze potential violations of acceptable use policy. Investigations are conducted so as to maintain chain of custody and reporting. State and non-state agencies can contract via a Special Billing Agreement with DTS for additional investigation services beyond acceptable use policy violations.
Features Not Included
Protect the agency’s personnel, equipment, and information from natural or man-made threats to the physical facilities where information equipment is located or work is performed (e.g., computer rooms, work locations).
Ensure the agency’s selection and management of employees and contractors are controlled to promote security.
Quality Assurance and Compliance
Primary responsibility for agency compliance with applicable federal and state regulations; agencies retain primary responsibility for their own compliance.
Ordering and Provisioning
To obtain information and/or support regarding Enterprise Information Security services, contact the DTS Enterprise Information Security Office (EISO) via the DTS Customer Support Center at (801) 538-3440 or 1-800-678-3440.
It is the responsibility of DTS Enterprise Information Security Office to deliver effective enterprise focused security services by:
- Providing support during published hours for questions and/or problems.
- Providing support 24 x 7 in the event of an emergency.
- Maintaining applicable vendor contracts for the products and services provided.
- Notifying customers of any changes to the product prior to the change whenever possible.
Ensure that division/agency employees, contractors, partners and vendors who connect to the State Wide Area Network (WAN), or who operate or manage telecommunication and information technology services, equipment or data that support the State’s business functions, abide by DTS Enterprise Information Security policies, procedures, standards, and guidelines.
Develop and implement division/agency procedures and governance to ensure that incidents are captured and that work is recorded in a timely fashion.
Report suspicious activities associated with automation systems and/or applications to the DTS EISO as soon as possible.