Policy Statement: This policy establishes controls related to system and information integrity. The policy provides guidance for decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.
Data Integrity – The accuracy and consistency of data, indicated by the absence of any unauthorized alteration between data record updates since the data was created, transmitted, or stored. Data integrity is imposed within a database during its design stage through the use of standard rules and procedures, and is maintained through the use of error checking and validation routines.
Information Integrity – The assurance that the data being accessed or read has neither been tampered with nor altered, whether intentionally or accidentally, nor damaged through a system error, since the time of the last authorized access.
Integrity – The state of a system where it performs its intended functions without being degraded or impaired by unauthorized changes or disruptions in its internal or external environments, whether intentional or accidental. System integrity is maintained by incorporating protection, detection, reaction, and restoration capabilities in information systems.
This policy outlines a framework of COT enterprise system and information integrity measures, largely aimed at managing risks from system flaws, vulnerabilities, malicious code, unauthorized code changes, and inadequate error handling.
- Identify, report, and correct information system
- Test and install security-related software and firmware updates and upgrades within established timeframes following the release of a system change or update.
- Incorporate flaw remediation into the Configuration Management process. Employ automated mechanisms, at a pre-determined interval (e.g., daily, weekly, monthly), to determine the state of components with respect to flaw remediation.
- Employ malicious code protection at system entry and exit points to detect and eradicate malicious code and address any false positives. Specifically, configure malicious code protection to:
  - Perform periodic scans of the system and real-time scans of files from external sources at endpoints and network entry/exit points, as the files are downloaded, opened, or executed, in accordance with Agency policy.
  - Block or quarantine malicious code and alert the administrator in response to detection.
  - Centrally manage and automatically update malicious code protection whenever new releases of the protection are available, in accordance with appropriate office-level procedures.
- information system to detect attacks or indicators of potential attacks, as well as unauthorized use of local, network, and remote connections.
- devices strategically and at ad hoc locations within the information system, to collect information about specific types of transactions of interest to the
- information obtained from intrusion-monitoring tools, against unauthorized access, modification, and deletion of that information.
- Heighten the level of information system monitoring activity whenever there is an indication of increased risk to operations, assets, individuals, other organizations, or the nation, based on law enforcement information, intelligence or other credible
- opinion with regard to information system monitoring activities in accordance with applicable federal laws, executive orders, directives, policies, or
- mechanisms to alert security personnel of inappropriate or unusual activities with security implications. Provide monitoring information to designated Agency officials as needed.
- and outbound communications traffic at the external boundary of the information system, and at selected interior points within the network (e.g., subnetworks or subsystems), to detect anomalies, for example large file transfers, long-lived persistent connections, unusual protocols or ports in use, and attempted communications with suspected malicious external addresses.
- personnel, such as system administrators, business/process/system owners, or information security officers, when indications of a compromise or a threat of a compromise have occurred.
Alerts, Advisories, and Directives
- Receive information system security alerts, advisories and directives from reliable industry sources, such as the US Computer Emergency Readiness Team (US-CERT), Microsoft Safety and Security Center, Homeland Security Cyber Security, or other relevant organizations.
- Generate internal security alerts, advisories and directives as deemed necessary and disseminate them to appropriate personnel, such as management, system administrators, business/process owners, information system security officers, etc.
- Implement security directives in accordance with established time frames or notify the issuing organization of the degree
Software, Firmware, and Information Integrity
- Deploy integrity verification tools to detect unauthorized changes to software, firmware and information. Incorporate the detection of unauthorized security-relevant changes to the infrastructure into the Enterprise Incident Response capability.
- Perform integrity checks of infrastructure hardware, software, firmware and services at startup, shutdown, and restart, and on demand by the system administrator.
- Employ spam protection at information system entry and exit points to detect and take action on unsolicited messages.
- Centrally manage and automatically update spam protection when new protection releases are available, in accordance with Configuration Management policy and procedures.
Agency must check the integrity and validity of information being input into
and each Agency must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries. Reveal error messages only to designated Agency personnel.
Information Handling and Retention
Agency must handle and retain information within the system and output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Agency must implement security safeguards to protect memory from unauthorized
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective application of information technology within the executive branch of state government.
All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy. This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance: Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it. Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal. COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance: COT’s Office of IT Architecture & Governance and the Office of the Chief Information Security Officer share responsibility for maintaining this policy. Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request. Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle: COT’s Office of IT Architecture & Governance and the Office of the Chief Information Security Officer will review this policy at least every two years.