Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved
(A) Authorized use and ownership.
(i) All information and telecommunication resources leased or
owned by the state and all time-sharing services billed to
the state shall be used only to conduct state business.
(ii) All computer software programs, applications, source code,
object code, and documentation shall be deemed to be a work
made for hire and is state property and shall be protected as
such if developed:
(I) by state employees in the course and scope of their
employment or with the use of state equipment,
materials, or other resources, with the exception of
employees of universities and other institutions of
higher education, provided such university or
institution has an intellectual property policy in
place which addresses ownership rights regarding
software development; or
(II) by contract personnel acting under a contract with the
state, unless the contract under which the software or
documentation is developed specifically provides
otherwise; or
(III) with state funds.
(iii) All computer software programs, applications, and
documentation purchased forthe use of the state is state
property and shall be protected as such.
(B) Confidentiality of data and systems.
(i) Confidential information shall be accessible only to
personnel who are authorized by the owner on a strict "need
to know" basis in the performance of their duties. Data
containing any confidential information shall be readily
identifiable and treated as such in its entirety.
(ii) When confidential or sensitive information from one agency is
received by another agency in connection with the transaction
of official business, the receiving agency shall maintain the
confidentiality or sensitivity of the information in
accordance with the conditions imposed by the providing
agency.
(C)Integrity. Controls shall be established to ensure the accuracy and
completeness of data. User management shall ensure that data comes from
the appropriate source for the intended use.
(D) Passwords.
(i) Except for public users of systems where such access is
authorized, or for situations where risk analysis
demonstrates no need for individual accountability of users,
each user of a multiple-user automated system shall be
assigned a unique personal identifier or user identification.
User identification shall be authenticated before the system
may grant that user access to automated information.
(ii) A user's access authorization shall be removed from the
system when the user's employment is terminated or the user
transfers to a position where access to the system is no
longer required.
(iii) Systems which use passwords shall conform to the federal
standard on password usage contained in the Federal
Information Processing Standard Publication 112 (FIPS PUB
112), which specifies minimum criteria and provides guidance
for selecting additional password security criteria, when
appropriate. A current password standard compliance document
shall be maintained for each system which uses passwords,
specifying the criteria to be met for the ten factors which
address design, implementation, and use of access control
systems as contained in the FIPS PUB 112 standard.
(E) Auditability.
(i) Audit trails shall be maintained to provide accountability
for all accesses to confidential or sensitive information and
software and for all changes to automated security or access
rules.
(ii) An auditable, continuous chain of custody shall record the
transfer of confidential or sensitive information.
(iii) A sufficiently complete history of transactions shall be
maintained for each session involving access to confidential
or sensitive information to permit an audit of the system by
tracing the activities of individuals through the system.
(iv) Automated systems which process confidential or sensitive
information must provide the means whereby authorized
personnel have the ability to audit and establish individual
accountability for any action that can potentially cause
access to, generation of, or effect the release of the
information.
(F) Access controls. Controls shall ensure that legitimate users of the
computer cannot access stored software or data unless they have
been authorized to do so.
(G) Security breaches.
(i) Security breaches shall be promptly investigated.
(ii) If criminal action is suspected, the agency must contact the
appropriate local law enforcement and investigative
authorities immediately. Laws governing the admissibility of
evidence are very strict, and without professional advice the
agency may be jeopardizing possible legal actions.
(H) Systems development and testing.
(i) Test functions shall be kept either physically or logically
separate from production functions. Copies of production data
shall not be used for testing unless the data has been
declassified or unless all personnel involved in testing are
otherwise authorized access to the data.
(ii) Appropriate information security and audit controls shall be
incorporated into new systems. Each phase of systems
acquisition shall incorporate corresponding development or
assurances of security and auditability controls.
(iii) After a new system has been placed in operation, all program
changes shall be approved before implementation to determine
whether they have been authorized, tested, and documented.