STATE OF ALASKA
State Security and Privacy Committee
Security Policy Introduction
D R A F T
It is the intent of the State Security and Privacy Committee that this document and its forthcoming revisions be a continuing work of evolution through the valued input, suggestions and scrutiny of various state agencies, political sub-divisions, industry best practices and the State Security and Privacy Committee.
Having identified the need for a more robust policy on security, the State of Alaska is implementing the following policy. The State of Alaska is aware of the multitude of various agencies, political sub-divisions, and the public’s desire for a secure government. The State of Alaska Security and Privacy Committee has determined the need to create a range of security policies, each defining security for a specific activity. Each activity applies to specific classes of users at three different risk categories.
The security policies have been organized into a database to help find the policy relevant to a particular situation. In this way, the database can provide a list of all policies that apply to Managers working with high-risk systems. Alternately, the database can provide a list of all policies that relate to Passwords, without regard to risk category or to whom they apply.
The term “agencies” is used throughout this document. In the context of this document, “agencies” refers to State of Alaska Executive Branch Agencies such as the Dept. of Administration, Corporations such as the Alaska Railroad Corporation, and other entities such as the University of Alaska. The non-Executive Branch Agencies, the Legislature and the Court System, are not obligated to abide by these security policies. However, to the extent that the Legislature and the Court System are connected to the State of Alaska network, it is important that they abide by 100% of these policies so as not to compromise Executive Branch networks.
State of Alaska information systems have security needs that can be categorized in three risk categories: Low, Medium and High.
· Low Risk: This category includes Information Systems that are intended for public access. Examples include Internet connected computers in public libraries, job service, public kiosks, public access computers in waiting areas, etc. These kinds of systems are not intended for use in accessing mission-critical systems but provide instead a conduit for Internet or other access for anyone who needs it. While these systems should be unimpaired and free from monitoring in terms of their access to public information, the State nevertheless has a legitimate interest in protecting them from being defaced, reconfigured, or employed directly or indirectly in hacking attacks.
Low risk computer systems must not store or have access to any information that could be considered private or confidential. Because low risk systems by nature are available to the public, it is important that notices be placed within plain sight of the computers that notify users that there is no expectation of confidentiality or privacy on a low risk system. In addition, the notice must inform users that any files that they may store on the computer system’s hard drives will be deleted. Inappropriate use of a State of Alaska low risk data system, such as hacking, deliberate infection with a virus or worm, or attempting to circumvent security or alter the system configuration, is unacceptable and may be a criminal offense.
· Medium Risk: Most State of Alaska systems fit in this category. These systems must be secured against common threats such as viruses, denial-of-service attacks, reconfiguration, defacing, and their being employed remotely as agents of indirect attack. Data on these systems, though valuable, is replaceable. Systems in the Medium category are not high profile targets, and while data loss would be inconvenient, such loss would not jeopardize life, health, safety or fiduciary responsibility. Information held in such systems is for the most part public (with specific exceptions) but must not be inappropriately altered. These systems are not usually available for direct public access, although the information may be offered to the public, usually through an intermediary system such as a web server.
· High Risk: This category includes systems hosting highly confidential information such as the Department of Public Safety’s criminal information repository, information protected under the Health Insurance Portability & Accountability Act (HIPAA), and financial high-risk targets such as the Alaska Permanent Fund Corporation. Security practices for some high risk information are defined by entities other than the State of Alaska, in the case of HIPAA for instance, while other entities in this category must arrive at an appropriate security approach that satisfies their own internal criteria.
· Management: This group consists of Managers and other Supervisors, regardless of their relationship to Information Technology. All State of Alaska managers should be familiar with the policies that relate to Management. Managers are responsible for those that work under them and as such must ensure that their staff is not taking actions that would compromise security.
· Technical: The Technical group is made up primarily of IT professionals who maintain and support Information Technology systems. While technical staff is typically in an IT division this is not always the case. Staff performing database administration and programming fit in the Technical category when performing those duties, even if they only perform those duties on a periodic basis.
· Users: This is the largest group and applies to anyone using State of Alaska computing resources. This category even includes members of the public who may make use of a State of Alaska computer, such as at a library. Workers who fall into the other categories are also considered “Users” when they are not performing their Management or Technical functions.
· Third Parties: There are many third parties who either make direct use of or connect to State of Alaska computer resources (such as consultants) or who are connected to and share information via a State of Alaska network (such as the Federal Government). Particular attention must be paid to third parties who are connected to the State of Alaska network to ensure that their systems do not compromise the integrity of the State network.
Each of the Security Policies is assigned a category that it applies to, such as “Passwords” or “Conduct”. The categories and their meaning are:
· Administrative Access: Applies to actions that primarily technical staff do for the maintenance and administration of computer systems.
· Administration: This category is for activities that relate to general administration of people. This is not to be confused with Administrative Access.
· Application Testing and Development: When developing a new data system, modifying an existing program or testing an application, this policy category provides specific information that must be adhered to.
· Back-up: Policies on the back-up and retention of data fit into this category.
· Computer Security Officers: This group of policies calls for extensive oversight by Agency Computer Security Officers (at least one in each Agency) and a State Computer Security Officer. Please see the policy details that fall in this category for information on the duties of the security officers.
· Conduct: Expectations about worker conduct in relation to computer security are in this category.
· Data Security: Data is considered an important State of Alaska resource. Policies about the security of State data are in this category.
· E-Mail: E-Mail is a significant vector for a wide range of security vulnerabilities. The policies in this category address issues with ensuring that e-mail systems used by the State of Alaska are as secure as can reasonably be maintained.
· Encryption: Encryption is increasingly becoming a critical part of securing any computer system, be it encryption over a “secure tunnel” or encryption of sensitive personnel files. This group of policies addresses critical factors in the use of encryption.
· Internet: The Internet represents the single most difficult aspect of computer security. Policies on the use of, and connection to, the Internet are contained in this category.
· Logs: An important aspect of managing security and responding to a security incident is the ability to review timely and accurate logs. Policies on the use, accessibility and maintenance of logs are contained in this policy category.
· Monitoring: Monitoring of employees is a subject of much concern to workers. What the State of Alaska can and should do in regard to employee monitoring is in this category.
· Password Management: Passwords are usually the first bastion in securing a computer system. Policies that relate to password length, strength and use are in this category.
· Preparedness: Preparing for a disaster or security incident is critical. Items that must be considered during preparations are addressed in this category.
· Remote Access: Remote access is becoming more and more a mission-critical need at many agencies. Remote access also opens up significant holes in any security framework. This category addresses issues related to securing a remote connection to a State of Alaska computer system.
· Security Incidents: We expect security incidents to occur, be they virus attacks, hacks or inappropriate conduct by an employee. How to respond, who responds, and what employee responsibilities are: these are the sort of activities that fall in this category.
· System Access: This group of policies relates to who can use State of Alaska computer resources, what their responsibilities are and how they can access those resources.
· Viruses and Testing: Viruses and their ilk have become a significant security problem. This category is targeted at minimizing the risk to State of Alaska computer resources from Viruses, Trojans and other malicious code.
· Wireless: Wireless is becoming a more and more popular option for network connectivity. Policies in this category address issues with wireless networking, such as the ability to read and decrypt wireless traffic by unauthorized persons.