1 TAC §§202.1 - 202.8
The Department of Information Resources (department) proposes
new §§202.1, security standards definitions; 202.2, security standards
policy; 202.3, management and staff responsibilities; 202.4, managing security
risks; 202.5, managing physical security; 202.6, business continuity planning;
202.7, information resources security safeguards; and 202.8, user security
practices. Simultaneous with publication of these proposed rules, the department
is proposing the repeal of §201.13 information resource standards, so
that all information security standards are transferred from chapter 201, §201.13(a)
to chapter 202, §§202.1-202.8 of Title 1. The department is also
proposing, in different rulemakings, the transfer of §201.13(c), communications
wiring standards for state facilities, to new chapter 208, §208.1 and §208.2.
The department believes the public and agencies affected by the department's
rules can more easily locate the rules if they are grouped, by subject matter,
in discrete chapters between chapters 201 through 249 of Title 1.
Proposed §202.1 contains the definitions applicable within chapter
202. The section contains many of the definitions from the department's information
resource standards rule located in §201.13(a). It also contains new definitions
of "business continuity planning," "department," "information resources," "platform,"
and "vulnerability report." The new definitions are proposed to clarify the
rules and because they are referenced in the rules.
Proposed §202.1 also proposes amendments to the existing definitions
of "access," "confidential information," "control," "information security
program," "security incident or breach," and "security risk analysis." The
proposed amendment to the definition of "access" shortens and clarifies the
definition. The change proposed to "confidential information" is non-substantive.
The changes proposed to the other definitions are efforts to clarify the definitions.
Proposed §202.2 contains the same provisions relating to the State's
information resources security standards policy as currently exist in §201.13(a)(3).
Proposed §202.3, concerning management and staff responsibilities for
information resources, corresponds to existing §201.13(a)(5). The information
is presented more clearly in the proposed §202.3. The term "business
functional" is substituted for the term "program functional" information,
and a requirement is added that the owners of information resources specify
and ensure adequate controls to protect the information resources, including
information that is outsourced.
Proposed §202.3(d) requires designation of an information security
officer to administer the agency information security program. This individual
must report to executive level management thereby assuring appropriate executive
level management attention to information resources security. Existing §201.13(a)
provided for institution of an information security function. The proposed
provision is clearer and provides an organizational reporting structure for
the agency's information security officer. Proposed new §202.3(e) requires
an annual, rather than the currently required biennial, compliance review
of each agency's information security program so that adequate security measures
are maintained.
Proposed §202.4, which deals with managing security risks, is substantially
changed from the risk management section in existing §201.13(a)(6). As
proposed, security risk analyses must be updated based on inherent risk. Inherent
risk and frequency of the security risk analysis will be ranked, at a minimum,
as "high," "medium," or "low" based on defined criteria. Security risk assessment
results, vulnerability reports and similar information must be documented
and presented to the agency head or his or her representative. The agency
head must make the final security risk management decisions regarding accepting
exposures or protecting data according to the value and sensitivity of the
data. These provisions are intended to link the frequency and nature of security
risk analyses to the relative risk of a particular security risk. The criteria
are based on security standards adopted by the U.S. Treasury in its Treasury
Electronic Authentication Policy.
The physical security management provisions of existing §201.13(a)(8)
are strengthened in proposed §202.5. The department believes this is
critical given the terrorist attacks on our nation in the past six months.
Management and documentation of physical access to mission critical information
resources facilities are the responsibility of the agency head or his or her
representative. Physical security measures are to be reviewed annually rather
than periodically. Proposed §202.5(d) specifies that emergency procedures
must be in writing, and must be developed, updated and tested at least annually.
These requirements will help ensure that physical security is up to date.
Pursuant to proposed §202.5(e), agencies are to refer to the State Office
of Risk Management for applicable physical security rules and guidelines.
Proposed §202.6(a) provides that agencies should maintain written
business continuity plans, a copy of which must be maintained off-site, to
minimize the effects of a disaster and so that mission critical functions
can be maintained during or quickly resumed after the disaster. Elements of
the business continuity plan are laid out in the proposed rule. The presence
of a written disaster recovery plan is a required element of each business
continuity plan. Proposed §202.6(b) provides for the scheduled back-up
and off-site storage of mission critical data in a secure, environmentally
safe, locked facility that is accessible only to authorized agency representatives.
Proposed §202.7 concerns security safeguards applicable to information
resources. Its provisions are somewhat changed from the security safeguards
in existing 1 T.A.C. §201.13(a)(9). For instance, proposed §202.7(c)(4)
requires that information resources systems which use passwords shall be based
on documented agency security risk management decisions and industry best
practices, rather than on the existing federal standard. The existing provision
in 1 T.A.C. §201.13(a)(9)(F)(iv) is changed to delete the requirement
that the department's instructions for reporting security incidents must specify
that the reports must not contain any information which would itself compromise
the security of the reporting agency, and to delete the URL at which the instructions
can be found. Proposed §202.7(e)(3), relating to auditing, requires that,
based upon a security risk assessment, a sufficiently complete history of
transactions shall be maintained to permit an audit of the information resources
system by logging and tracing the activities of the individuals through the
system. The Department believes that activation of the logging function should
assist law enforcement in criminal investigations, should such investigations
be necessary. Proposed §202.7(g) adds the requirement that information
security and audit controls be included in all phases of the system development
lifecycle or acquisition process.
Proposed §202.7(h), concerning security policies, is not in the department's
existing security rule. Proposed subsection (h)(1) requires each agency head,
or his or her representative, and the information security officer to create,
distribute and implement information security policies. The policies to be included
are set forth in §202.7(h)(1)(A) through (V). Proposed
subsection (i) requires each agency to establish a perimeter protection strategy
to include some or all of the components set forth in §202.7(i)(A) through
(D). Proposed subsection (j) requires that system identification/logon banners
shall include warning statements addressing the areas set forth in §202.7(j)(A)
through (D).
Proposed §202.8 requires that all authorized users of information
resources formally acknowledge they will comply with the security policies
and procedures of the agency or they will not be granted access to the information
resources. Devices designated for public access shall be configured to enforce
security policies and procedures without the requirement of formal acknowledgement.
Proposed §202.8(c) requires the agency executive director, or his or
her designee, to consider requiring execution of non-disclosure agreements
to protect information from disclosure by employees and contractors, and subsection
(d) requires agencies to provide an ongoing information security awareness
education program for all users. New employees shall be introduced to information
security awareness and information security policies and procedures at new
employee orientation.
Mr. Mel Mireles, director of the Enterprise Operations Division, has determined
that for each year of the first five years after adoption of the proposed
rules, there will be no fiscal implications for local government as a result
of adoption of the rules, because the rules are not applicable to local government.
He anticipates that there is a fiscal impact to state agencies in complying
with the rules. The impact will vary by state agency depending on the determination
each makes as to whether to maintain a business continuity plan, how much
of the information already exists and the costs charged by contractors to
provide the plan, if the agency elects to maintain a business continuity plan
and further elects to have the plan developed by contractors. Development
costs of a business continuity plan range between 0% to 2% of an agency operating
budget depending on risk and previous work performed by an agency. In addition,
security equipment costs per instance may range as follows: firewalls,
$0.00 to $75,000.00; intrusion detection systems, $0.00 to $15,000.00; and
routers, $0.00 to $26,000.00. In most cases, these security equipment costs
do not include training or maintenance and vary depending on agency risk and
equipment already acquired.
Mr. Mireles does not anticipate either a loss of, or increase in, revenues
to state or local government as a result of the proposed rules. There will
be no effect on small businesses and no additional anticipated economic cost
to persons as a result of adoption of the proposed rules. The public benefit
of adoption of the rules is increased security of state agency information
resources in the face of cyberterrorism.
Comments on the proposed new §§202.1-202.8 may be submitted to
Renee Mauzy, General Counsel, Department of Information Resources, via mail
to P.O. Box 13564, Austin, Texas 78711, or electronically to renee.mauzy@dir.state.tx.us
no later than 5:00 p.m. CST within 30 days after publication.
The new rules are proposed pursuant to §2054.052(a), Government
Code, which provides the department may adopt rules as necessary to implement
its responsibilities under the Information Resources Management Act.
The department is not aware of other statutes affected by the proposed
rules.
§202.1. Security Standards Definitions.
The following words and terms, when used with this chapter, shall have
the following meanings, unless the context clearly indicates otherwise.
(1)
Access--To approach, interact with, or otherwise make use
of information resources.
(2)
Business Continuity Planning--The process of identifying
critical data systems and business functions, analyzing the risks and probabilities
of service disruptions and developing procedures to restore those systems
and functions.
(3)
Confidential Information--Information that is excepted
from disclosure requirements under the provisions of applicable state or federal
law, e.g. the Texas Public Information Act.
(4)
Control--Any action, device, policy, procedure, technique,
or other measure that improves security.
(5)
Custodian of an Information Resource--A person responsible
for implementing owner-defined controls and access to an information resource.
(6)
Department--The Department of Information Resources.
(7)
Information Resources--Is defined in Section 2054.003(6),
Texas Government Code and/or other applicable state or federal legislation.
(8)
Information Security Program--The elements, structure,
objectives, and resources that establish an information resources security
function within an agency.
(9)
Mission Critical Information--Information that is defined
by the agency to be essential to the agency's function(s).
(10)
Owner of an Information Resource--A person responsible:
(A)
For a business function; and
(B)
For determining controls and access to information resources
supporting that business function.
(11)
Platform--The foundation technology of a computer system.
The hardware and systems software that together provide support for an application
program. (Ref: Practices for Protecting Information Resources Assets.)
(12)
Security Incident--An event which results in unauthorized
access, loss, disclosure, modification, or destruction of information resources
whether accidental or deliberate.
(13)
Security Risk Analysis--The process of identifying and
documenting vulnerabilities and applicable threats to information resources.
(14)
Security Risk Assessment--The process of evaluating the
results of the risk analysis by projecting losses, assigning levels of risk,
and recommending appropriate measures to protect information resources.
(15)
Security Risk Management--Decisions to accept exposures
or to reduce vulnerabilities.
(16)
User of an Information Resource--An individual or automated
application authorized to access an information resource in accordance with
the owner-defined controls and access rules.
(17)
Vulnerability Report--A computer related report containing
information described in Section 2054.007(b), Government Code, as that section
may be amended from time to time.
§202.2. Security Standards Policy.
It is the policy of the State of Texas that:
(1)
Information resources residing in the various agencies
of state government are strategic and vital assets belonging to the people
of Texas. These assets must be available and protected commensurate with the
value of the assets. Measures shall be taken to protect these assets against
unauthorized access, disclosure, modification or destruction, whether accidental
or deliberate, as well as to assure the availability, integrity, utility,
authenticity, and confidentiality of information. Access to state information
resources must be appropriately managed.
(2)
All agencies are required to have an information resources
security program consistent with these standards, and the agency head is responsible
for the protection of information resources.
(3)
All individuals are accountable for their actions relating
to information resources. Information resources shall be used only for intended
purposes as defined by the agency and consistent with applicable laws.
(4)
Risks to information resources must be managed. The expense
of security safeguards must be commensurate with the value of the assets being
protected.
(5)
The integrity of data, its source, its destination, and
processes applied to it must be assured. Changes to data must be made only
in an authorized manner.
(6)
Information resources must be available when needed. Continuity
of information resources supporting critical governmental services must be
ensured in the event of a disaster or business disruption.
(7)
Security requirements shall be identified, documented,
and addressed in all phases of development or acquisition of information resources.
(8)
Agencies must ensure adequate controls and separation of
duties for tasks that are susceptible to fraudulent or other unauthorized
activity.
§202.3. Management and Staff Responsibilities.
(a)
The agency head or his or her designated representative(s)
shall review and approve ownership of information resources and their associated
responsibilities.
(b)
The owner of an information resource, with the agency head's
concurrence, is responsible for classifying business functional information.
Agencies are responsible for defining all information classification categories
except the Confidential Information category, which is defined in §202.1 of
this chapter, and establishing the appropriate controls for each.
(c)
Owners, custodians, and users of information resources
shall be identified, and their responsibilities defined and documented by
the agency. In cases where information resources are used by more than one
major business function, the owners shall reach consensus and advise the information
security function as to the designated owner with responsibility for the information
resources. The following distinctions among owner, custodian, and user responsibilities
should guide determination of these roles:
(1)
Owner Responsibilities. The owner or his or her designated
representative(s) are responsible for and authorized to:
(A)
Approve access and formally assign custody of an information
resources asset;
(B)
Determine the asset's value;
(C)
Specify data control requirements and convey them to users
and custodians;
(D)
Specify appropriate controls, based on risk assessment,
to protect the state's information resources from unauthorized modification,
deletion, or disclosure. Controls shall extend to information resources outsourced
by the agency.
(E)
Confirm that controls are in place to ensure the accuracy,
authenticity, and integrity of data.
(F)
Ensure compliance with applicable controls;
(G)
Assign custody of information resources assets and provide
appropriate authority to implement security controls and procedures.
(H)
Review access lists based on documented agency security
risk management decisions.
(2)
Custodian responsibilities. Custodians of information resources,
including entities providing outsourced information resources services to
state agencies must:
(A)
Implement the controls specified by the owner(s);
(B)
Provide physical and procedural safeguards for the information
resources;
(C)
Assist owners in evaluating the cost-effectiveness of controls
and monitoring; and
(D)
Implement the monitoring techniques and procedures for
detecting, reporting, and investigating incidents.
(3)
User responsibilities. Users of information resources shall
use the resources only for defined purposes and comply with established controls.
(d)
The Information Security Officer. Each agency head shall
designate an information security officer to administer the agency information
security program. The Information Security Officer shall report to executive
level management.
(1)
It shall be the duty and responsibility of this individual
to develop and recommend policies and establish procedures and practices,
in cooperation with owners and custodians, necessary to ensure the security
of information resources assets against unauthorized or accidental modification,
destruction, or disclosure.
(2)
The Information Security Officer shall document and maintain
an up-to-date information security program. The information security program
must be approved by the agency head.
(3)
The Information Security Officer is responsible for monitoring
the effectiveness of defined controls for mission critical information.
(4)
The Information Security Officer shall report, at least
annually, to the agency head the status and effectiveness of information resources
security controls.
(e)
A review of the agency's information security program for
compliance with these standards will be performed at least annually by individual(s)
independent of the information security program and designated by the agency
head or the Information Resources Manager.
§202.4. Managing Security Risks.
(a)
A security risk analysis of information resources shall
be performed and documented. The security risk analysis shall be updated based
on the inherent risk. The inherent risk and frequency of the security risk
analysis will be ranked, at a minimum, as either "High," "Medium," or "Low,"
based primarily on the following criteria:
(1)
High Risk - annual assessment - Systems that:
(A)
Involve large dollar amounts or significantly important
transactions, such that business or government processes would be hindered
or an impact on public health or safety would occur if the transactions were
not processed timely and accurately, or
(B)
Contain confidential or sensitive data such that unauthorized
disclosure would cause real damage to the parties involved, or
(C)
Impact a large number of people or interconnected systems.
(2)
Medium Risk - biennial assessment - Systems that:
(A)
Transact or control a moderate or low dollar value, or
(B)
Data items that could potentially embarrass or create problems
for the parties involved if released, or
(C)
Impact a moderate proportion of the customer base.
(3)
Low Risk - biennial assessment - Systems that:
(A)
Publish generally available public information, or
(B)
Result in a relatively small impact on the population.
(b)
A system change could cause the overall classification
to move to the High Risk category.
(c)
Security risk assessment results, vulnerability reports,
and similar information shall be documented and presented to the agency head
or his or her designated representative. The agency head shall make the final
security risk management decisions to either accept exposures or protect the
data according to its value/sensitivity. The agency head must approve the
security risk management plan. This information may be exempt from disclosure
under §2054.77(c), Government Code.
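The ranking criteria in §202.4(a) and the re-classification rule in §202.4(b) can be encoded directly in a risk register. The following is an added example, not part of the rule or of any department tool; the attribute names on SystemProfile, the sample system and the dates are constructed for illustration. It shows the point a practitioner most often misses: when a change promotes a system to High, the annual cadence is applied to the existing assessment date, so the analysis may already be overdue.

```python
"""Added example, not part of 1 TAC §202.4: encode the §202.4(a) ranking
criteria and the assessment cadence they imply, and re-rank after a system
change as §202.4(b) contemplates. Attribute names, sample systems and dates
are constructed for illustration."""
from dataclasses import dataclass, replace
from datetime import date

# Assessment cadence in §202.4(a): High annual, Medium and Low biennial.
FREQUENCY_YEARS = {"High": 1, "Medium": 2, "Low": 2}


@dataclass(frozen=True)
class SystemProfile:
    """Hypothetical per-system answers to the §202.4(a) criteria."""
    name: str
    critical_transactions: bool = False      # (1)(A) large dollar / public safety
    confidential_real_damage: bool = False   # (1)(B) disclosure causes real damage
    large_population: bool = False           # (1)(C) many people / interconnected
    moderate_or_low_dollar: bool = False     # (2)(A)
    embarrassing_data: bool = False          # (2)(B)
    moderate_customer_impact: bool = False   # (2)(C)


def rank_inherent_risk(s: SystemProfile) -> str:
    """The highest tier with any matching criterion wins; a system matching
    none of the High or Medium criteria falls into Low (public information,
    relatively small impact)."""
    if s.critical_transactions or s.confidential_real_damage or s.large_population:
        return "High"
    if s.moderate_or_low_dollar or s.embarrassing_data or s.moderate_customer_impact:
        return "Medium"
    return "Low"


def next_due(tier: str, last_assessed: str) -> str:
    """ISO date on which the next security risk analysis is due for this tier."""
    last = date.fromisoformat(last_assessed)
    target_year = last.year + FREQUENCY_YEARS[tier]
    try:
        return last.replace(year=target_year).isoformat()
    except ValueError:          # 29 Feb rolling into a non-leap year
        return last.replace(year=target_year, day=28).isoformat()


def reassess_after_change(before: SystemProfile, after: SystemProfile,
                          last_assessed: str, today: str) -> dict:
    """§202.4(b): a change can move the system to High. The new cadence is
    applied to the existing assessment date, so a promotion may make the
    analysis overdue immediately."""
    old, new = rank_inherent_risk(before), rank_inherent_risk(after)
    due = next_due(new, last_assessed)
    return {"system": after.name, "old": old, "new": new,
            "due": due, "overdue": today > due}   # ISO strings compare by date


def demo() -> dict:
    # Constructed scenario: a Medium system starts holding confidential data.
    before = SystemProfile("grant-tracker", embarrassing_data=True)
    after = replace(before, confidential_real_damage=True)
    return reassess_after_change(before, after, "2001-03-01", "2002-06-01")


if __name__ == "__main__":
    print(demo())
```

The criteria are treated as disjunctions within a tier, as the rule's "or" wording states, and the tiers are checked from High down so that a single High criterion controls regardless of how many Medium ones also apply.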
§202.5. Managing Physical Security.
(a)
Physical access to mission critical information resources
facilities shall be managed and documented by the agency head or his or her
designated representative(s).
(b)
Reviews of physical security measures for information resources
shall be conducted annually by the agency head or designated representative(s).
(c)
Information resources shall be protected from environmental
hazards. Designated employees shall be trained to monitor environmental control
procedures and equipment and shall be trained in desired response in case
of emergencies or equipment problems.
(d)
Written emergency procedures shall be developed, updated,
and tested at least annually.
(e)
Agencies will refer to the State Office of Risk Management
for applicable rules and guidelines.
§202.6. Business Continuity Planning.
(a)
Agencies should maintain a written Business Continuity
Plan so that the effects of a disaster will be minimized, and the agency will
be able to either maintain or quickly resume mission-critical functions. The
agency head shall approve the Plan. The Plan shall be distributed to key personnel
and a copy stored offsite. Elements of the Plan for information resources
shall include:
(1)
Business Impact Analysis to systematically assess the potential
impacts of a loss of business functionality due to an interruption of computing
and/or infrastructure support services resulting from various events or incidents.
The analysis shall address maximum tolerable downtime for time-critical support
services and resources including, but not limited to:
(A)
Personnel;
(B)
Facilities;
(C)
Technology platforms (all computer systems);
(D)
Software;
(E)
Information resources security utilities;
(F)
Data networks and equipment;
(G)
Voice networks and equipment;
(H)
Vital electronic records and/or data.
(2)
Security Risk Assessment to weigh the cost of implementing
preventative measures against the risk of loss from not taking action.
(3)
Recovery Strategy to appraise recovery alternatives and
alternative cost-estimates which shall be presented to management.
(4)
Implementation, testing, and maintenance management program
addressing the initial and ongoing testing and maintenance activities of the
Plan.
(5)
Disaster Recovery Plan-Each agency shall maintain a written
disaster recovery plan for information resources. The disaster recovery plan
will:
(A)
Contain measures which address the impact and magnitude
of loss or harm that will result from an interruption;
(B)
Identify recovery resources and a source for each;
(C)
Contain step-by-step instructions for implementing the
Plan;
(D)
Be maintained to ensure currency; and
(E)
Be tested at least annually.
(b)
Mission critical data shall be backed up on a scheduled
basis and stored off site in a secure, environmentally safe, locked facility
accessible only to authorized agency representatives.
§202.7. Information Resources Security Safeguards.
(a)
Access to information resources shall be managed to ensure
authorized use.
(b)
Confidentiality of data and systems.
(1)
Confidential information shall be accessible only to authorized
users. Information containing any confidential data shall be identified, documented,
and protected in its entirety.
(2)
Information resources assigned from one agency to another
shall be protected in accordance with the conditions imposed by the providing
agency.
(c)
Identification/Authentication.
(1)
Each user of information resources shall be assigned a
unique identifier except for situations where risk analysis demonstrates no
need for individual accountability of users. User identification shall be
authenticated before the information resources system may grant that user
access.
(2)
A user's access authorization shall be appropriately modified
or removed when the user's employment or job responsibilities within the agency
change.
(3)
Information resources systems shall contain authentication
controls that comply with documented agency security risk management decisions.
(4)
Information resources systems which use passwords shall
be based on industry best practices on password usage and documented agency
security risk management decisions.
(5)
For electronic communications where the identity of a sender
or the contents of a message must be authenticated, the use of digital signatures
is encouraged. Agencies should refer to guidelines and rules issued by the
department for further information. (Ref. SRRPUB13 and 1 T.A.C. §201.14).
(d)
Encryption. Encryption for storage and transmission of
information shall be used based on documented agency security risk management
decisions.
(e)
Auditing.
(1)
Information resources systems must provide the means whereby
authorized personnel have the ability to audit and establish individual accountability
for any action that can potentially cause access to, generation of, modification
of, or effect the release of confidential information.
(2)
Appropriate audit trails shall be maintained to provide
accountability for updates to mission critical information, hardware and software
and for all changes to automated security or access rules.
(3)
Based on the security risk assessment, a sufficiently complete
history of transactions shall be maintained to permit an audit of the information
resources system by logging and tracing the activities of individuals through
the system.
(f)
Security incidents.
(1)
Security incidents shall be promptly investigated, documented
and reported to the department within twenty-four hours.
(2)
If criminal action is suspected, the agency must contact
the appropriate law enforcement and investigative authorities immediately.
(3)
Each agency shall provide summary reports to the department
that contain information concerning violations of security policy of which
the agency has become aware. An agency shall not be required to report security
incidents unless it reasonably believes such incidents may involve criminal
activity under Texas Penal Code Chapters 33 (Computer Crimes) or 33A (Telecommunications
Crimes), and there is a substantial likelihood that such incidents could be
propagated to other systems beyond the control of the agency. Reports should
include:
(A)
Type of activity, including but not limited to:
(i)
Unwanted disruption or denial of service;
(ii)
Unauthorized use of a system for the processing or storage
of data; and
(iii)
Changes made to system hardware, firmware, data or software
without the agency's effective consent.
(B)
Time elapsed between initial detection of incident and
containment of the security breach or full restoration of adversely affected
functions, whichever is later;
(C)
Description of the agency's response to the incident; and
(D)
Estimated total cost incurred by the agency in containing
the security incident or restoring adversely affected functions.
(4)
Reports must be sent to the department on a monthly basis
no later than the fifth (5th) working day after the end of the month. Information
shall be reported in the form and manner specified by the department.
(5)
The department shall establish internal security procedures
regarding the receipt and maintenance of information pertaining to security
incidents. The department shall instruct agencies as to the manner in which
they must report such information.
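Subsection (f)(3) and (f)(4) together define a small reporting pipeline: a threshold for when an incident must be reported, four required fields, an elapsed-time rule with a "whichever is later" clause, and a deadline expressed in working days. The following is an added example, not part of the rule and not the department's reporting form; the Incident fields, the sample incidents and the holiday handling are constructed and labelled as such in the code.

```python
"""Added example, not part of 1 TAC §202.7(f): build the monthly summary
report of §202.7(f)(3)(A)-(D), apply the reporting threshold in (f)(3), the
"whichever is later" elapsed-time rule in (f)(3)(B), and the fifth-working-day
deadline in (f)(4). Incident records and dates are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    """Hypothetical incident record; field names are this example's own."""
    ident: str
    activity: str                     # (A): e.g. denial of service, unauthorized use
    detected: datetime
    contained: Optional[datetime]     # None while containment is still open
    restored: Optional[datetime]      # None while restoration is still open
    response: str                     # (C)
    cost_usd: float                   # (D)
    suspected_criminal: bool          # Penal Code ch. 33 / 33A activity suspected
    likely_to_propagate: bool         # beyond systems under the agency's control


def must_report(i: Incident) -> bool:
    """(f)(3): reporting is required only when both conditions hold."""
    return i.suspected_criminal and i.likely_to_propagate


def elapsed(i: Incident) -> Optional[timedelta]:
    """(f)(3)(B): detection to containment or full restoration, whichever is
    later. Returns None while either milestone is still open, because the
    later of the two is not yet known."""
    if i.contained is None or i.restored is None:
        return None
    return max(i.contained, i.restored) - i.detected


def report_deadline(month_end: str, holidays=()) -> str:
    """(f)(4): the fifth working day after the end of the month. Weekends are
    skipped; any holidays to skip are passed in as ISO dates (assumption:
    the rule itself does not define 'working day')."""
    d, working = date.fromisoformat(month_end), 0
    skip = {date.fromisoformat(h) for h in holidays}
    while working < 5:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in skip:
            working += 1
    return d.isoformat()


def monthly_summary(incidents, month_end: str, holidays=()) -> dict:
    """Rows carry the four fields of (f)(3)(A)-(D); non-reportable incidents
    are left out rather than sent with blanks."""
    rows = []
    for i in incidents:
        if not must_report(i):
            continue
        e = elapsed(i)
        rows.append({"id": i.ident,
                     "type": i.activity,                                  # (A)
                     "elapsed_hours": None if e is None else e.total_seconds() / 3600,  # (B)
                     "response": i.response,                              # (C)
                     "cost_usd": i.cost_usd})                             # (D)
    return {"period_ending": month_end,
            "due": report_deadline(month_end, holidays),
            "incidents": rows}


def demo() -> dict:
    # Constructed incidents for May 2002.
    t = datetime
    incidents = [
        Incident("INC-0001", "unauthorized_change", t(2002, 5, 10, 9), t(2002, 5, 10, 15),
                 t(2002, 5, 12, 9), "host rebuilt from known-good media", 4200.0, True, True),
        Incident("INC-0002", "denial_of_service", t(2002, 5, 14, 11), t(2002, 5, 14, 12),
                 t(2002, 5, 14, 12), "traffic filtered upstream", 300.0, True, False),
        Incident("INC-0003", "unauthorized_use", t(2002, 5, 28, 8), t(2002, 5, 28, 10),
                 None, "account disabled; restoration in progress", 0.0, True, True),
    ]
    return monthly_summary(incidents, "2002-05-31")


if __name__ == "__main__":
    print(demo())
```

INC-0001 illustrates the "whichever is later" clause: containment took six hours, but restoration finished two days after detection, so the reported elapsed time is 48 hours. INC-0003 is reported with an open elapsed time rather than a misleading containment-only figure.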
(g)
Systems development, acquisition, and testing.
(1)
Test functions shall be kept either physically or logically
separate from production functions. Copies of production data shall not be
used for testing unless the data has been declassified or unless all state
and independent contractor employees involved in testing are otherwise authorized
access to the data.
(2)
Information security and audit controls shall be included
in all phases of the system development lifecycle or acquisition process.
(3)
All security-related information resources changes shall
be approved by the owner through a quality assurance process. Approval must
occur prior to implementation by the agency or independent contractors.
(h)
Security Policies
(1)
Each agency head or his/her designated representative and
information security officer shall create, distribute, and implement information
security policies. The following policies shall be required, but not limited,
based on the documented agency security risk management decisions and business
function. These policies are not all inclusive.
(A)
Acceptable Use-Defines scope, behavior, and practices;
compliance monitoring pertaining to users of information resources.
(B)
Account Management-Establishes the rules for administration
of user accounts.
(C)
Administrator/Special Access-Establishes rules for the
creation, use, monitoring, control, and removal of accounts with special access
privileges.
(D)
Backup/Recovery-Establishes the rules for the backup, storage,
and recovery of electronic information.
(E)
Change Management-Establishes the process for controlling
modifications to hardware, software, firmware, and documentation to ensure
the Information resources are protected against improper modification before,
during, and after system implementation.
(F)
Email-Establishes prudent and acceptable practices regarding
the use of email for the sending, receiving, or storing of electronic mail.
Ensure compliance with applicable statutes, regulations, and mandates.
(G)
Incident Management-Describes the requirements for dealing
with computer security incidents including prevention, detection, response,
and remediation.
(H)
Internet/Intranet Use-Establishes prudent and acceptable
practices regarding the use of the Internet and Intranet.
(I)
Intrusion Detection-Establishes requirements for auditing,
logging, and monitoring to detect attempts to bypass the security mechanisms
of Information resources.
(J)
Network Access-Establishes the rules for the access and
use of the network infrastructure.
(K)
Network Configuration-Establishes the rules for the maintenance,
expansion, and use of the network infrastructure.
(L)
Password/Authentication-Establishes the rules for the creation,
use, distribution, safeguarding, termination, and recovery of user authentication
mechanisms.
(M)
Physical Access-Establishes the rules for the granting,
control, monitoring, and removal of physical access to Information resources.
(N)
Portable Computing-Establishes the rules for the use of
mobile computing devices and their connection to the network.
(O)
Privacy-Methodologies used to establish the limits and
expectations regarding privacy for the users of Information resources.
(P)
Security Monitoring-Defines a process that ensures information
resources security controls are in place, are effective, and are not being
bypassed.
(Q)
Security Awareness and Training-Establishes the requirements
to ensure each user of information resources receives adequate training on
computer security issues.
(R)
Platform Hardening-Establishes the requirements for installing
and maintaining the integrity of a platform in a secure fashion.
(S)
Authorized Software-Establishes the rules for software
use on information resources.
(T)
System Development and Acquisition-Describes the security
and business continuity requirements in the systems development and acquisition
life cycle.
(U)
Vendor Access-Establishes the rules for vendor access to
information resources, support services (A/C, UPS, PDU, fire suppression,
etc.), and vendor responsibilities for protection of information.
(V)
Malicious Code-Describes the requirements for prevention,
detection, response, and recovery from the effects of malicious code (including
but not limited to viruses, worms, Trojan Horses, and unauthorized code used
to circumvent safeguards).
(i)
Perimeter Security Controls
(1)
Each agency head or his/her designated representative and
information security officer shall establish a perimeter protection strategy
to include some or all of the following components based on the agency's security
risk management decisions:
(2)
DMZ (Demilitarized Zone)-The DMZ is the network area created
between the public Internet and internal private network(s). This neutral
zone is usually delineated by some combination of routers, firewalls, and
bastion hosts. Typically, the DMZ contains devices accessible to Internet
traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers, and
DNS servers.
(3)
Firewall-A system designed to prevent unauthorized access
to or from a private network. Firewalls can be implemented in hardware, in
software, or in a combination of both, and are used to prevent unauthorized
Internet users from accessing private networks connected to the Internet,
especially Intranets. They can also regulate traffic between networks within
the same agency.
(4)
Intrusion Detection System-Hardware and/or software which
is installed on a network and compares network traffic and host log entries
to the known and likely methods of attackers. Suspicious activities trigger
administrator alarms and other configurable responses.
(5)
Router-A device or, in some cases, software in a computer,
that determines the next network point to which a packet should be forwarded
toward its destination. The router is connected to at least two networks and
decides which way to send each information packet based on its current understanding
of the state of the networks to which it is connected. A router is located
at any gateway where one network meets another.
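The intrusion detection component above is described as comparing host log entries against known and likely attacker methods and raising an alarm on a match. The following is an added illustration, not part of the proposed rule or any agency tool, of the smallest form of that comparison: a detector that reads sshd-style authentication log lines and alerts on two well-known patterns, password guessing (many failures from one source inside a sliding window) and a successful login that immediately follows a burst of failures from the same source. The log lines, host name, addresses, thresholds and the line format the parser expects are all constructed for this example; a production deployment would take them from the agency's own logging platform.

```python
"""Host-log intrusion detection over constructed sample log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style records; format, host and addresses are assumptions.
SAMPLE_LOG = """\
Mar  6 09:00:01 bastion sshd[4021]: Failed password for root from 203.0.113.9 port 50212 ssh2
Mar  6 09:00:03 bastion sshd[4022]: Failed password for root from 203.0.113.9 port 50213 ssh2
Mar  6 09:00:04 bastion sshd[4023]: Failed password for admin from 203.0.113.9 port 50214 ssh2
Mar  6 09:00:06 bastion sshd[4024]: Failed password for root from 203.0.113.9 port 50215 ssh2
Mar  6 09:00:07 bastion sshd[4025]: Failed password for oracle from 203.0.113.9 port 50216 ssh2
Mar  6 09:00:09 bastion sshd[4026]: Accepted password for oracle from 203.0.113.9 port 50217 ssh2
Mar  6 09:05:00 bastion sshd[4101]: Accepted publickey for jdoe from 198.51.100.7 port 41000 ssh2
Mar  6 09:30:00 bastion sshd[4200]: Failed password for jdoe from 198.51.100.7 port 41002 ssh2
Mar  6 09:30:20 bastion sshd[4201]: Accepted password for jdoe from 198.51.100.7 port 41003 ssh2
"""

# Parser for the assumed line shape; "invalid user" is optional in real sshd output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
YEAR = 2002  # syslog lines carry no year; assumed so timestamps can be ordered

FAIL_THRESHOLD = 5            # failures per source per window -> password guessing
SUCCESS_AFTER_FAILS = 3       # failures before a success -> likely guessed credential
WINDOW = timedelta(seconds=60)


def parse(line):
    """Return (timestamp, result, user, source) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW,
           success_after=SUCCESS_AFTER_FAILS):
    """Compare each record against the two attacker patterns; return alert strings."""
    alerts = []
    failures = defaultdict(deque)   # source -> timestamps of failures inside the window
    flagged = set()                 # sources already reported for guessing
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                # unknown line shape: ignore rather than crash
        ts, result, user, src = rec
        q = failures[src]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"{ts:%H:%M:%S} PASSWORD_GUESSING src={src} "
                              f"failures={len(q)} within {int(window.total_seconds())}s")
        else:                              # Accepted
            if len(q) >= success_after:
                alerts.append(f"{ts:%H:%M:%S} SUCCESS_AFTER_FAILURES src={src} "
                              f"user={user} prior_failures={len(q)}")
            q.clear()                      # a success ends the current burst
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector reports the guessing burst from 203.0.113.9 once (not on every further failure) and then the successful "oracle" login that followed it; the single failed attempt from 198.51.100.7 before a successful login stays below both thresholds and is not reported. The thresholds and window are the tuning knobs an agency would set from its own risk management decisions.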
(j)
System Identification/Logon Banner
(1)
System identification/logon banners shall have warning
statements that include the following topics:
(2)
Unauthorized use is prohibited;
(3)
Usage may be subject to security testing and monitoring;
(4)
Misuse is subject to criminal prosecution; and
(5)
No expectation of privacy.
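The four banner topics above are a checklist an agency can audit mechanically. The following is an added example, not part of the rule and not an agency tool, of such an audit: one function confirms that an sshd configuration actually presents a banner (the real `Banner` directive of OpenSSH; the file path used is conventional, not mandated by the rule), and a second checks the banner text for each required topic using keyword patterns. The patterns, the sample banners and the sample configuration are assumptions constructed for this example; the wording of a banner an agency adopts should be reviewed by its counsel, so the patterns are a screen, not a legal determination.

```python
"""Logon banner compliance check for the four required warning topics (added example)."""
import re

# One heuristic pattern per required topic; the keyword choices are assumptions.
REQUIRED_TOPICS = {
    "unauthorized use prohibited":
        re.compile(r"unauthori[sz]ed\b.*?\b(prohibited|not permitted|forbidden)", re.I | re.S),
    "usage subject to security testing and monitoring":
        re.compile(r"\b(monitor(ed|ing)|security testing|audited)\b", re.I),
    "misuse subject to criminal prosecution":
        re.compile(r"\b(prosecut\w*|criminal)\b", re.I),
    "no expectation of privacy":
        re.compile(r"\bno\s+(reasonable\s+)?expectation\s+of\s+privacy\b", re.I),
}

# Constructed sample banners (e.g. the contents of /etc/issue.net).
COMPLIANT_BANNER = """\
WARNING: This is an agency information resource. Unauthorized use is
prohibited. Usage may be subject to security testing and monitoring. Misuse
is subject to criminal prosecution. Users have no expectation of privacy.
"""
WEAK_BANNER = "Welcome to server01. Authorized users only.\n"

# Constructed sshd_config fragments; "Banner" is a real OpenSSH directive.
SSHD_CONFIG_WITH_BANNER = """\
# Banner none
Port 22
Banner /etc/issue.net
"""
SSHD_CONFIG_NO_BANNER = """\
Port 22
Banner none
"""


def missing_topics(banner_text):
    """Return the required topics that no pattern matched in the banner."""
    return [topic for topic, pat in REQUIRED_TOPICS.items() if not pat.search(banner_text)]


def sshd_banner_enabled(sshd_config_text):
    """True if the first effective Banner directive names a file (sshd uses the first value)."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "banner" and len(parts) == 2:
            return parts[1].strip().lower() != "none"
    return False


def audit(sshd_config_text, banner_text):
    """Combine both checks into a list of findings; an empty list means compliant."""
    findings = []
    if not sshd_banner_enabled(sshd_config_text):
        findings.append("sshd does not present a banner (Banner directive missing or 'none')")
    findings.extend(f"banner lacks topic: {t}" for t in missing_topics(banner_text))
    return findings


if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG_NO_BANNER, WEAK_BANNER):
        print(finding)
```

The audit returns no findings for the compliant banner served by a configuration whose first effective `Banner` line names a file, and lists every gap for the welcome-style banner behind `Banner none`. Note that the commented `# Banner none` line is ignored, matching how sshd reads its configuration.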
§202.8. User Security Practices.
(a)
All authorized users (including, but not limited to, agency
personnel, temporary employees, and employees of independent contractors)
of the agency's information resources, shall formally acknowledge that they
will comply with the security policies and procedures of the agency or they
shall not be granted access to information resources. The agency head or his
or her designated representative will determine the method of acknowledgement
and how often this acknowledgement must be re-executed by the user to maintain
access to agency information resources.
(b)
Devices designated for public access shall be configured
to enforce security policies and procedures without the requirement for formal
acknowledgement.
(c)
Each agency head or his/her designated representative and
information security officer shall establish a strategy for the use of written
non-disclosure agreements to protect information from disclosure by employees
and contractors prior to granting access.
(d)
Agencies shall provide an ongoing information security
awareness education program for all users.
(e)
Agencies shall use new employee orientation to introduce
information security awareness and inform new employees of information security
policies and procedures.
This agency hereby certifies that the proposal has been reviewed
by legal counsel and found to be within the agency's legal authority to adopt.
Filed with the Office of
the Secretary of State on March 6, 2002.
TRD-200201365
Renee Mauzy
General Counsel
Department of Information Resources
Earliest possible date of adoption: April 21, 2002
For further information, please call: (512) 475-4750