INTRODUCTION

1.0  General
1.1  Objective
1.2  Scope
1.3  Applicability
1.4  SSPM Organization and Content

SECURITY ORGANIZATION

2.0  COT Mission Statement
2.1  Roles and Responsibilities
2.2  Data Owners
2.3  Chief Information Officer
2.4  Authorized Users
2.5  Office, Division, or Branch Managers
2.6  System/Network Administrators
2.7  Supervisors/Team Leaders
2.8  Chief Information Security Officer (CISO)
2.9  Information Security Management Committee

POLICIES AND PROCEDURES

SUBJECT AREA: LOGICAL SECURITY

3.0  Software Security
3.1  Overview

3.2.0  Security Software Design
  3.2.1  Software Copyright
  3.2.2  Software Protection (Virus)

3.3.0  Software Development
  3.3.1  Security in the System Development Life Cycle Process
  3.3.2  Software Testing
  3.3.3  Development Staff Access to Production Application Information
  3.3.4  Software Maintenance With Source Code

3.4.0  Restricted Security Activities
  3.4.1  Probing/Exploiting Security Controls
  3.4.2  Exploiting Systems Security Vulnerabilities
  3.4.3  Using Honeypots
  3.4.4  Cracking Passwords
  3.4.5  Limiting Functionality for Tools
  3.4.6  Disabling Critical Components of Security Infrastructure

4.0  Change Control
4.1  Overview
4.2  Software Changes/Configuration Management

5.0  Data/Media Security
5.1  Overview
5.2  Data Classification
5.3  External Markings

5.4.0  Printing/Display
  5.4.1  Reproduction

5.5  Storage

5.6.0  Disposal/Destruction
  5.6.1  Shredders

5.7  Shipping and Manual Handling
5.8  Facsimile Transmission
5.9  Electronic Transmission (E-mail, File Transfer Protocol, etc.)

6.0  Telecommunications Security
6.1  Overview
6.2  Telecommunications Changes/Configuration Management

6.3.0  Dial-Up Controls
  6.3.1  Requesting Dial-Up Access Procedure

6.4  Network Access Control
6.5  Encryption
6.6  Internet (Firewalls)

7.0  Workstation Security
7.1  Overview

7.2.0  Mandatory Protection for All Workstations
  7.2.1  Protection for Sensitive Workstations
  7.2.2  Resident Protection from Malicious Software
  7.2.3  Erasure of Restricted/Confidential Information
  7.2.4  Workstations/Servers/Devices Equipped with Modems
  7.2.5  Unattended Workstation Processing
  7.2.6  Supplemental Encryption
  7.2.7  Authorized Applications
  7.2.8  Workstations that Employ Password Controls

SUBJECT AREA: MANAGERIAL SECURITY

8.0  Administrative Security

8.1.0  Overview
  8.1.1  Non-Enforcement Does Not Imply Consent

8.2.0  Access Control and Accountability
  8.2.1  Individual Access Authorization
  8.2.2  Individual Access Authorization for Contractors
  8.2.3  Individual Access Termination
  8.2.4  Monitoring of E-mail
  8.2.5  Communication Link Control
  8.2.6  Dial-Up Access Control

8.3.0  UserID/Password Policy
  8.3.1  UserID Usage
  8.3.2  Password Usage

8.4  Host Environment

8.5.0  Network Environment
  8.5.1  Access to Shared File Storage Areas (Directories)
  8.5.2  Supervisor Capabilities

8.6  Privileges
8.7  Agency Security Contact

9.0  Procedural Security
9.1  Overview
9.2  Separation of Duties
9.3  Individual Accountability
9.4  Output Distribution Controls

9.5.0  Audit Capabilities
  9.5.1  Audit Trails
  9.5.2  Investigative Support
  9.5.3  Output Distribution Controls

9.6.0  Security Violations
  9.6.1  Security Incident Reporting Procedure
  9.6.2  Additional Requirements for Specific Categories of Security Violations
  9.6.3  Security Incident Handling Procedure
  9.6.4  Specific Procedure for Hacker/Cracker Incidents
  9.6.5  State Agency Security Incident Reporting

9.7  Risk Management and Security Alerts

9.8.0  Personnel Security
  9.8.1  Employee Termination/Transfer Controls
  9.8.2  Agreement

9.9   Data Privacy
9.10  User Verification

ENTERPRISE POLICIES AND STANDARDS

10.0  Internet and Electronic Mail Acceptable Use
11.0  Communications Standards
12.0  Internet/World Wide Web Publishing Security Policy and Procedure

SUBJECT AREA: PHYSICAL SECURITY

13.0  Physical Access Control
13.1  Overview

13.2.0  Procedure to Obtain COT Security Badge
  13.2.1  Badge Approval
    Procedures for COT Employees and COT Contracted Personnel
    Procedures for Vendors and Other State Agency Personnel
    Restricted Access
  13.2.2  Badge Auditing
  13.2.3  Lost, Damaged or Forgotten Security Badge
  13.2.4  Changes in Security Badge Access
  13.2.5  Employee Termination

13.3.0  Access Procedures for Non-COT Employees
  13.3.1  Resident Vendors
  13.3.2  Other Agency Personnel
  13.3.3  Visitors to the Commonwealth Data Center
  13.3.4  Attendees of Training Classes and Seminars
  13.3.5  Entrance into CDC Parking Lot
  13.3.6  Tours

13.4  Visitor Logs

13.5.0  Internal Controls
  13.5.1  Laptops
  13.5.2  Video Transmissions

13.6.0  Facility Construction (Environmental Controls)
  13.6.1  Electrical
  13.6.2  Heat
  13.6.3  Humidity
  13.6.4  Water
  13.6.5  Dirt and Dust

13.7.0  Hardware Security
  13.7.1  Inventory
  13.7.2  Rooms and Cabinets to Protect Equipment
  13.7.3  Workstation and Terminal Control
  13.7.4  Access Key Control
  13.7.5  Portable Equipment Control
  13.7.6  Hardware Changes/Configuration Management
  13.7.7  Theft Protection

SUBJECT AREA: CONTINGENCY PLANNING

14.0  Backup Procedures
14.1  Overview
14.2  Data Backup
14.3  Alternate Data Backup
14.4  Emergency Response/Recovery Procedures
14.5  Contingency Plan Maintenance and Exercising

SUBJECT AREA: SECURITY AWARENESS PROGRAM

15.0  Security Awareness
15.1  Establishing a Security Awareness Program
15.2  Initial Security Awareness Training
15.3  Periodic Security Awareness Training
15.4  Record

Data Classifications

Kentucky Computer Crime Law

Commonwealth of Kentucky Enterprise Security Policies

Revisions