CIO-074 Enterprise Network Security Architecture

Office of the Chief Information Officer Enterprise Policy
CIO-074: Enterprise Network Security Architecture
Effective Date: 12/01/2002
Revision Date: 02/29/2019
Reviewed Date: 02/04/2019
Policy Statement: This policy establishes controls related to Network Security Architecture. It provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.
DMZ: An intermediate zone between the Commonwealth’s network and the internet used to isolate and protect our resources by logically separating our proprietary network from untrusted networks. This also applies to internal zones that separate an agency’s user LAN from an internal server network.
KITS: Kentucky Information Technology Standards
Split Tunneling: A method that allows a VPN client to reach different security domains, such as a local LAN or the public internet and the Commonwealth’s network, at the same time, using the same or different network connections. Traffic sent outside the tunnel bypasses the security controls applied to the Commonwealth’s network.
The Commonwealth Office of Technology (COT) provides and manages the communications network as a shared resource for the Commonwealth of Kentucky.  COT shall manage the network and establish zones for appropriate access and security of Commonwealth systems and data. COT also regulates communication methods and protocols over the Commonwealth’s network to maximize security and minimize risk.
COT and agencies shall align their resources and access by hosting their systems in the appropriate, COT-designated zones. COT segregates the network and resources into these main zones:  Intranet, Agency, Server, E-Government (E-GOV), and Extranet. COT should assign resources into the appropriate zones whenever possible. COT may modify the use of these zones to tailor security, accessibility, and performance for the services within the zones. Agencies and non-state entities accessing our network may request exceptions to the placement of resources within the zones; however, COT retains final authority and responsibility for the placement of resources into these zones.
Intranet: This zone exists behind the Internet firewall and hosts the core shared services container for all consolidated agencies.  COT controls all policies and access within this zone.
Agency: This zone exists behind the Intranet, hosts various consolidated agencies with their own security zones, and allows the agencies to house their specific services and users. These zones have their own firewalls and related security services separating them from the Intranet zone.
Server: This zone is similar to the Agency zone in that it exists behind the Intranet and separates services from the Intranet zone. This zone houses project-specific firewalls.
E-Government (E-GOV): COT uses this zone to provide limited access and services to non-Executive Branch government agencies and their users, such as the Legislative Research Commission, the Administrative Office of the Courts, and the Secretary of State’s Office. Entities in this zone shall provide firewall services for their zone or request firewall services from COT.
Extranet:  COT uses this zone to provide network access for quasi-state agencies that are not part of the state consolidated infrastructure. COT also provides this zone for external business partners to have limited connectivity into the state network infrastructure.
Other Restrictions: COT restricts the use of unencrypted protocols for file transfer. Agencies and users shall encrypt sensitive data traversing the Commonwealth’s network using approved secure protocols as outlined in the Enterprise Architecture Kentucky Information Technology Standards (KITS).
Agencies and staff shall not use unapproved file transfer or storage products (e.g., DropBox or SkyDrive).
COT prohibits the use of split tunneling for VPN connections.
Authority: KRS 42.726 authorizes COT to develop policies and compliance processes to support and promote the effective application of information technology within the executive branch of state government.
Applicability:  All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance:  Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance:  COT’s Office of IT Services and Delivery (OITSD) and Office of the Chief Information Security Officer (CISO) share responsibility for maintaining this policy.  Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request.  Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle:  OITSD and CISO will review this policy at least every two years.
This page was last modified 3/1/2019 2:57 PM