Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved
Implementation of these rules shall be in accordance with the following
schedule. Earlier implementation of any item would be advantageous to the
protection of state information resources.
(A) September 1, 1993 Establish an information security function (ref
(b)(4)) to administer the agency information security program,
which shall include:
(i) written internal policies and procedures for the protection
of information resources;
(ii) assignment of information asset ownership and custodianship
and the attendant responsibilities for all information
resources within the agency.
(B) September 1, 1993 Implementation of all required personnel
practices (ref (b)(6)).
(C) September 1, 1994 Completion of risk analysis (ref (b)(5)) of all
information resources (including mainframes, minicomputers,
personal computers, local area networks and distributed processing
systems) used to collect, record, process, store, retrieve, display
and transmit confidential or sensitive information, including:
(i) documentation of risk analysis results;
(ii) recommended protective measures;
(iii) the degree of risk acceptance after such measures would be
implemented;
(iv) a written disaster recovery plan.
(D) September 1, 1994 Implementation of all physical security
requirements (ref (b)(7)):
(i) physical access controls;
(ii) identification of environmental hazards;
(iii) development of environmental control procedures;
(iv) emergency response training.
(E) September 1, 1995 Implementation and testing of agency disaster
recovery plans (ref (b)(5)(C)).
(F) September 1, 1996 Implementation of information resources
protective measures as identified by risk analysis including those
for mainframes, minicomputers, personal computers, local area
networks and distributed processing systems (ref (b)(8)):
(i) logical and/or physical access controls to all information
resources on a "need to know" basis;
(ii) user authentication (passwords);
(iii) data integrity controls;
(iv) audit trails;
(v) periodic internal audits;
(vi) documentation and investigation of security breaches.
(G) September 1, 1997 Implementation of all remaining requirements
consistent with these standards.
(H) Waivers. The executive director of the department is hereby
delegated authority by the board to grant a requesting state agency
a compliance waiver from any implementation date of the schedule in
this subsection 12. Application for waiver will be made in writing
to the department by the agency information resources manager. The
agency must clearly demonstrate to the department through written
justification that the overall economic interests of the state in
matters of information security are best served by granting the
compliance waiver and the requesting agency must submit a new
written implementation schedule. The department will act on
requests for waivers based on the agency's compliance with other
information security standards not affected by the waiver, the
agency's newly submitted implementation schedule and the provision
that the executive director of the department will notify the board
when requests for waivers are received.