Information Technology Security Policy

KayJay Technologies

Kapricia Morris, Jennifer Ward

IS4799 Capstone Project, March 3, 2016

Capstone Finished Presentation.doc


Table of Contents

Introduction

User Domain & Classification

Workstation Domain & Compliance

Remote Access Domain

Virtual Private Network

Risk Assessment & Risk Management

Acceptable Use Policy

Backup and Storage Security Policy

Penalty for Security Violation


State Government
Regulations and Security Policies (RSP A.1 – C.1)

Sample policy header:

SUBJECT: -----------------------
Review: Annually (As Needed)
Approval Date: 01/01/2016
Revised Date: 12/01/2015
Effective Date: 07/08/2007
Authorizing Signature:

Each security policy starts with a header like the sample above. Each header includes:
• Regulations and Security Policies (RSP)
• An identifier (example: A.1 – C.1)
• Subject
• Review cycle (monthly, quarterly, or annually)
• Approval date
• Revised date
• Effective date
• Authorizing signature (management only)


Introduction (RSP A.1 – C.1)

Goals and Objectives

This policy covers:
• All desktop computing systems, servers, data storage devices, communication systems, firewalls, routers, switches, hubs, personal digital assistants (PDAs) and mobile devices (computing platforms) owned by the State, where lawfully permitted.
• All data, information, knowledge, documents, presentations, databases or other information resources stored on the State's computing platforms and/or transferred over the State's enterprise network.
• Any computing platforms, operating system software, middleware or application software under the control of third parties that connect in any way to the State enterprise computing or telecommunications network.

This document applies to all full-time and part-time employees of the State, and to all third parties, contractors or vendors who work on State premises or remotely connect their computing platforms to the State's computing platforms.

Definition

Our goal as KayJay Technologies is to create a well-defined and detailed security policy for the State Government's information resources across an enterprise network of systems. KayJay Technologies will provide a layered security policy that focuses on the confidentiality, integrity, and availability of the State Government's systems and information.


User Domain Security Policy (RSP D.1 – E.1.1)

Policy
All employees and end users must use government equipment, whether internal or external devices, for business purposes only. This ensures that activities unrelated to job responsibilities do not take place on the State's enterprise network. Users who engage in prohibited activities are subject to disciplinary action (see Policy M.1). Employees and end users are issued login credentials and a temporary password at hiring. Login credentials are a security control that protects the confidentiality of State Government information and data.

Purpose
The purpose of this policy is to define how users are to understand and apply the acceptable use of systems and of the network within the State Government. These rules and regulations are to be taken seriously in order to protect all users and the State Government's information. Any misuse of computer equipment that could allow unauthorized intrusion or compromise of network systems and services will result in disciplinary action and/or legal consequences.


Workstation Domain Security Policy (RSP F.1 – F.1.1)

Policy
To ensure the confidentiality, integrity, and availability of sensitive information, including protected health information (PHI), appropriate measures must be taken in case of misuse of the State's workstations and systems. Only system administrators may restrict access to sensitive information and grant authorization to trusted users.

Purpose
The purpose of this policy is to provide management and security over State Government workstations so that the information on a workstation is accessible only to those with authorized access. Additionally, the policy supports management in meeting the requirements of the HIPAA Security Rule.


Remote Access Domain Security Policy (RSP G.1 – G.1.2)

Policy
Employees, contractors, vendors, and other authorized users are strictly limited in their general Internet access for recreational use. When an authorized user gains access to the State's network from a remote location, it is their responsibility to prevent access to any computer resource or data by non-authorized users. Illegal activities are prohibited when using remote access to the network. Authorized users will not use the State's enterprise network to access the Internet for outside business interests.

Purpose
The purpose of this policy is to ensure that all rules and requirements for connecting to the State's enterprise network are defined by the host. The State Government restricts and protects against unauthorized use of its resources to avoid exposure to the damages these rules and requirements are designed to prevent. Sensitive data and intellectual property can be lost or damaged, as can internal systems, and such losses can result in fines or other liabilities.


Virtual Private Network (RSP H.1)

Policy
Approved State Government employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy (see Policy G.1).

• All computers connected to the State's internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.

• It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to the State's internal networks.

• VPN use is to be controlled using either one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.


Compliance (RSP F.1.1)

The State Government Security Team must approve any exceptions to this policy.

The State Government Security Team will verify compliance using a number of methods, including periodic monitoring of all users through internal and external audits. Identifying, detecting, preventing and defending are among the ways to ensure compliance while protecting the enterprise network. Compliance and risk management go hand in hand in ensuring that the regulations set out in the policies and rules are met.

Compliance (Internal & External Audit):
• Define processes for a risk
• Document processes for a risk
• Define controls
• Document controls
• Remediate the risk(s)

Risk Management:
• Identify the risk(s)
• Categorize the risk(s)
• Assess the risk(s)
• Report the risk(s)
• Mitigate the risk(s)

Any employee/user identified as violating this policy may be subject to disciplinary action, up to and including termination of employment (see Policy M.1).


Risk Assessment & Management (RSP I.1 – J.1)

Purpose
The purpose of an Information Security Risk Assessment is to determine areas of vulnerability, so that the State's security team can implement the appropriate remediation or mitigation of each risk.

Risk Level   Risk Factor   Risk Determination

EXTREME      16-20         In the event of the risk occurring, it will have a severe impact on production, causing critical downtime of production and loss of funds.

HIGH         11-15         In the event of the risk occurring, it will have a high impact on production, and production falls outside its acceptable limits.

MEDIUM       6-10          In the event of the risk occurring, it will have a minor impact on production, but production stays well within acceptable limits.

LOW          1-5           In the event of the risk occurring, it will have little to no impact on production. The risk is acceptable; production is not interrupted.


Acceptable Use Policy (RSP K.1 – K.1.6)

This includes the following subjects:
1. Monitoring Internet Use
2. Monitoring Use of Systems
3. System Administrator Access
4. Special Access
5. Connecting to Third-Party Networks
6. Connecting Devices to the Network


Backup and Storage Security Policy (RSP L.1 – L.1.1)

Personnel Responsible:
System administrators are responsible for periodic backups, scheduling both incremental and full backups. This ensures that vital or confidential data is backed up; it must be stored on network servers both on site and off site. All users are also responsible for backing up the information stored on their local computers.

In case of any malfunction, downtime, or loss of access to data, department directors or managers are initially responsible for restoring service for all users affected by the incident. To avoid delays in restoring service, the IT department is responsible for preparing, testing and periodically updating the State's enterprise network business contingency plans.

All sensitive information and documents are to be backed up daily and stored on a secured, up-to-date server. Vital information must be encrypted while stored to ensure its confidentiality.


Penalty for Security Violation (RSP M.1)

Employees who intentionally or unintentionally violate the acceptable use of the State's network systems and information resources must understand that they can be disciplined under this policy.

Upon violation of this policy, an employee of the State Government may be subject to disciplinary action and/or termination.

Disciplinary actions are determined by taking into consideration the nature and severity of the violation of the Security Policy, previous violations of the policy committed by the individual, state and federal laws, and all other relevant information.


Any Questions / Comments / Concerns?

KayJay Technologies