State of Alaska DRAFT Security Policies

Computer Security Officers Category

Each policy below is listed with its Policy ID No., Policy title, Policy Text, and Policy Commentary.
Policy ID No.: 120.0
Policy: Information Security is Overhead, Not a Charge-Back Item
Policy Text: Information security products and services are provided through Administration overhead budgets, and must not be charged back to each agency.
Policy Commentary: This policy is intended to encourage the allocation of sufficient funds for information security within the State of Alaska. When charge-back systems are used to transfer the costs for information security, all too often unit managers will decide to reduce or eliminate information security. This is not a serious problem if each unit has independent and unconnected information systems, but if they are connected via a network (as they increasingly are), consistency is absolutely required if adequate security is to be achieved. Thus, by providing a central overhead budget, compliance with internal information security standards is significantly enhanced. Separate organizational units can still go their own way with special approval -- if they wish to pay for custom systems. This policy helps ensure that all units have sufficient controls, no matter what their budget. This policy addresses one of the organizational design issues that often conspires to render information security ineffective, impotent, and/or irrelevant.
Policy ID No.: 122.0
Policy (marked "delete" in this draft): Overview of Tasks Performed by Computer Security Officers, both State and Agency
Policy Text: The Computer Security Officers are responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures. The focus of these activities is on information, no matter what form it takes, no matter what technology is used to handle it, no matter where it resides, and no matter which people possess it.
Policy Commentary: One intention of this policy is to make it clear that the Computer Security Officers have organization-wide responsibility. Another intention is to clearly emphasize that the Computer Security Officers focus on information per se, not on computers (it should no longer be called the "Computer Security Department"). Although it may organizationally report to the Chief Information Officer (CIO) of a large subsidiary or the Director of the Information Technology Department, the Information Security Department needs to be clearly seen as an authority throughout the organization. Another purpose of this policy is to clearly communicate to workers what the Information Security Department actually does. Many workers have an erroneous view that the Information Security Department will do everything related to information security, and that they need not be involved. The tasks outlined in the policy should be modified to reflect the organizational structure and design at State of Alaska. For example, the policy could be expanded to include investigations, compliance review, and other activities. Some organizations would prefer to put the material found in this policy in a mission statement (or charter) rather than a policy. Also see the policies entitled "Centralized Responsibility for Information Security," "Information Security is Every Worker's Duty," "Information Security Department Mission Supports State of Alaska Goals," and "Specific Tasks Performed by the Information Security Department." A: E; E: LMH.
Policy ID No.: 123.0
Policy: Specific Tasks Performed by the Computer Security Officers, both State and Agency
Policy Text: The Computer Security Officers must provide the direction and technical expertise to ensure that State of Alaska's information is properly protected. This includes consideration of the confidentiality, integrity, and availability of both information and the systems that handle it. The Officers will act as liaisons on information security matters between all State of Alaska entities, and must be the focal point for all information security activities throughout the State of Alaska. The Officers must perform risk assessments, prepare action plans, evaluate vendor products, participate with in-house system development projects, assist with control implementations, investigate information security breaches, and perform other activities which are necessary to assure a secure information handling environment.
Policy Commentary: The intention of this policy is to provide specific information about the responsibilities of the Computer Security Officers. Because information security is a new field, many workers will be unclear about the duties of and the contribution to be made by an Information Security Department. This policy can help to eliminate arguments about and focus the work of the Computer Security Officers.
Policy ID No.: 124.0
Policy: Annual Information Security Planning Process Required
Policy Text: Working in conjunction with the responsible management, the Computer Security Officers must annually prepare plans for the improvement of information security on all major State of Alaska information systems.
Policy Commentary: The intention of this policy is to require the Agency Computer Security Officers and the State Computer Security Officer to annually prepare a formal plan for improving information security. So much of the work in the information security field is "putting out fires" (handling urgent problems) that information security people need to periodically step back and take another look at what is now being done and what should be done. In other words, this policy requires that staff focus on what's important, not just what's urgent. Separately, this policy communicates that not only should information security people prepare the annual plan, but management should also participate. The policy also indirectly supports the periodic performance of a risk assessment (risk analysis); without specific knowledge of the current risks and vulnerabilities, an organization cannot prepare information security plans that truly respond to its unique business needs. Also see the policies entitled "Preparation and Maintenance of Computer Disaster Recovery Plans," "Preparation and Maintenance of Computer Emergency Response Plans," and "Annual Analysis of Information Security Violations & Problems."
Policy ID No.: 125.0
Policy: Designated Agency Computer Security Officer
Policy Text: Every State of Alaska entity that maintains a computer network must have a designated Security Officer. The Security Officer is responsible for defining user privileges, monitoring access control logs, coordinating with the State Computer Security Officer, and performing similar activities.
Policy Commentary: The intention of this policy is to make sure that a specific person is designated as the one responsible for security. When it is not clear who is responsible for security, security tasks often get neglected, and as a result the organization is unduly exposed to various problems. All computer systems that handle sensitive, critical, or valuable information should have some sort of access control system. Most often this will involve fixed passwords, but other technologies may also be used. There is no requirement that security officers do their job full-time; part-time security officers are often used in smaller organizations or for those systems which are managed by departments or other decentralized organizational units. Also see the policy entitled "Designated State Computer Security Officer."
Policy ID No.: 126.0
Policy (marked "delete" in this draft): Back-Up Security Administrator Must Be Designated and Trained
Policy Text: Every multi-user State of Alaska system with an access control system must have a designated employee who is responsible for user-ID assignment and user access privilege control. This systems administrator must also have a designated and trained back-up employee who can fill in when necessary.
Policy Commentary: This policy is intended to prevent awkward situations where a security administrator does not have a designated and/or trained back-up person, in which case business activity may be impaired or interrupted. Separately, if a back-up administrator is ready to fill in for a regular administrator, then it is unlikely that security systems will need to be compromised in order to continue necessary business activity. Note that both the regular and the back-up persons should be employees; this is because employees are generally more loyal and most often have a longer tenure with State of Alaska than contractors, consultants, temporaries, and the like. Furthermore, this policy can be used to obtain both necessary staffing and training resources. On another note, this policy assumes that the words "access control system" have been defined elsewhere; generally these words mean a fixed password user identification system with associated user access privilege controls, but many other options such as dynamic password tokens are also available. Also see the policy entitled "Designated Security Administrator for All Multi-User Systems." A: T; E: LMH.
Policy ID No.: 127.0
Policy: The State Computer Security Officer Must Maintain and Update the State of Alaska Security Policy
Policy Text: The State Computer Security Officer must prepare, maintain, and disseminate the State of Alaska Security Policy, which concisely describes State of Alaska information security policies.
Policy Commentary: The objective of this policy is to require the State Computer Security Officer to prepare and maintain the security policies of the State of Alaska. Without specific policies on information security, the State may have a difficult time securing its networked data systems. Likewise, without specific written policies, the authority to conduct awareness and training efforts may be problematic. The State Computer Security Officer must ensure that all State of Alaska computer users are aware of and have convenient access to any necessary materials required to maintain information security.
Policy ID No.: 128.0
Policy: Involvement of Agency Information Security Staff
Policy Text: All information security problems must be handled with the involvement and cooperation of Agency information security staff. The use of external consultants, computer security response teams, or other outsiders is specifically prohibited unless these have been approved by the State Computer Security Officer.
Policy Commentary: This policy helps keep security problems inside the organization, lessening the probability that they will become known to unauthorized parties. The policy also fosters the use of the in-house information security group rather than alternative suppliers of information security services. It thus keeps costs down and also assures that in-house policies, standards, methods, and the like will be consistently applied. Although this policy does not require that all work be done by a central in-house information security group, it does require the group's approval. Outsourcing is therefore still an option, particularly when there are not enough in-house staff members to handle a certain project.
Policy ID No.: 129.0
Policy: Designated State Computer Security Officer with Uncontested Statewide Authority
Policy Text: The State of Alaska must establish and support a Computer Security Officer placed in the organizational structure in such a position that they have the authority to enforce security policies and oversee information security practices.
Policy Commentary: The intention of this policy is to ensure that the State Computer Security Officer can be effective. The State Computer Security Officer must have uncontested authority over information security issues. This position must be more than a figurehead with no real authority. The policy is particularly important as the duties of the Agency Computer Security Officers are typically assigned on a part-time basis to workers performing other functions. The State Computer Security Officer must work with the Agency Computer Security Officers, support their activities, and provide technical guidance. Other duties typical of the State Computer Security Officer are to prepare annual reports, coordinate the response to incidents, act as a central spokesperson to the user community on information security issues, and coordinate the flow of information among Agency Computer Security Officers. Also see the policy entitled "Designated Agency Computer Security Officer."
Policy ID No.: 150.0
Policy: Restrictions on Tiger Team Activities and Release of Findings
Policy Text: Only the State Computer Security Officer may authorize Tiger Team activities and the release of their findings.
Policy Commentary: A Tiger Team is a group that attempts to break into a computer network or otherwise access secured computing services using hacker-style techniques. Tiger Team activities, by definition, attempt to compromise security. For this reason it is important that they only be done when necessary and with the authorization of the State Computer Security Officer. It is equally important that any results of a Tiger Team be kept confidential and be released only to the affected Agency Computer Security Officer or others on a need-to-know basis.
Policy ID No.: 151.0
Policy: Agencies Can Write Their Own Security Policy as Long as It Is No Less Stringent Than These
Policy Text: An Agency may develop a Security Policy, but it must not subject the State to reduced security.
Policy Commentary: Some Agencies may find that the officially adopted State of Alaska Security Policy is inadequate for their needs. An Agency may develop a policy, but it is critical that the alternate Security Policy be no less stringent than the official policy. For an Agency to develop and adopt its own Security Policy, it must be reviewed and approved by the State Computer Security Officer.
Policy ID No.: 152.0
Policy: Annual Review of Computer Security Officers
Policy Text: An independent third party must perform an annual review of all Computer Security Officers to ensure they are enforcing the State of Alaska security policies and using industry standard best practices. The results of the reviews will be provided to the Commissioner of Administration and are to remain confidential.
Policy Commentary: The role of Computer Security Officers, both Agency and State, is vital to the implementation of the State of Alaska Security Policy. Security officers are responsible for ensuring the continued functioning of State networks in a secure fashion. An independent review must be performed so that the State can be assured that someone is "watching the watchers".