BEST: Network Security Policy and Procedures

Network Security Policy and Procedures

Version: 2.1

Purpose
Policy Statements
Planning and Reporting Responsibilities
Scope
Definitions

Purpose

The Chief Information Officer for the State of Connecticut and the Department of Information Technology have established this policy and reporting requirements, and associated standards to assure that critical information is protected and data flow is not interrupted by unauthorized access.

Policy Statements

The following policy statements are abstracted from the official State of Connecticut Network Security Policy.

  1. All information travelling over State computer networks that has not been specifically identified as the property of other parties will be treated as though it is a State asset. If there is no primary agency designated to administer this information, DOIT will become the steward of this data until another agency is designated. It is the policy of the State to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information.
  2. In addition, it is the policy of the State to protect information belonging to third parties, that has been entrusted to the State in confidence, in the same manner as private sector trade secrets as well as in accordance with applicable contracts.
  3. All computers permanently or intermittently connected to State of Connecticut networks, and all DOIT computers that intermittently or continuously connect to an internal or external network, must employ password-based access controls. All users must be positively identified prior to being able to use any multi-user computer or communications system resources.
  4. The computer and communications system privileges of all users, systems, and independently operating programs (such as "agents") must be restricted based on the need-to-know.
  5. Participation in external networks as a provider of services that external parties rely on is expressly prohibited unless the Agency System Administrator has identified, in writing, the security risk involved and submitted those risks to the Security Oversight Committee, and the Chief Information Officer has expressly accepted these and other risks associated with the proposal.
  6. Any modification in existing Network/Systems configurations, that is in contrast to the Statewide Security policy must be submitted for approval to the Security Oversight Committee.
  7. Each agency that has existing dial-up lines/modems today must submit a request for consideration of approval to the Security Oversight Committee.
  8. Wireless communications, or other broadcast technologies, must not be used for data transmission containing State "confidential" or "restricted" data unless the connection is encrypted and has an acceptable level of user authentication.
  9. Third party vendors must NOT be given dial-up privileges to State computers and/or networks unless the involved system administrator determines that they have a bona fide need. These privileges must be enabled only for the time period required to accomplish the approved tasks (such as remote maintenance).
  10. All users wishing to use the State internal networks, or multi-user systems that are connected to the State internal networks, must sign a compliance statement prior to being issued a user-ID.
  11. Confidential or restricted data in unencrypted format is prohibited on State mobile computing and storage devices. Please see the State Policy on mobile computing and storage devices for additional guidance and requirements.

Implementation of the Policy

An Implementation Committee, composed of DOIT and other agency IT staff, will assist agencies in gaining initial compliance with this policy. The Implementation Committee will review the following actions by agencies:

  1. Designate an information security liaison.
  2. Each agency must determine what agency information is confidential or restricted, and submit this information in writing.
  3. Each agency that has existing dial-up lines/modems today must submit a request for review and approval.

An Agency that has its own Internet connection today must submit the following information:

  1. Name of the Internet Provider and line speed of the circuit.
  2. Model and type of Firewall hardware and software.
  3. Port numbers that are opened in the Firewall.

The Security Oversight Committee will initially review:

  1. Agency developed security policies.
  2. Any modification in existing Network/Systems configurations that may not conform to the Statewide Security policy.

Agency Planning and Reporting Responsibilities

Planning:

  1. Each State agency will develop its own network security policy. The agency security policy will address:
    1. System Access Control, which includes how to choose passwords, how to set up passwords, and log-in/log-off procedures;
    2. System Privileges, including limiting system access, the process for granting system privileges, the process for revoking system privileges, and the establishment of access paths;
    3. Computer Network Changes, including conditions for participation in external networks, policy for initiating sessions via dial-up lines, establishing wireless communications, and discussion of computer viruses, worms, and Trojan horses.
  2. Each agency must determine what agency information is confidential or restricted.
  3. The agency network security policy will be incorporated in the agency's Information Technology plan and architecture document.

Reporting:

  1. Any modification in existing Network/Systems configurations that is in contrast to the Statewide Security policy must be submitted for approval to the Security Oversight Committee.
  2. Any agency that has its own Internet connection today, or will have one in the future, must submit the following information to the Security Oversight Committee:
    1. Name of the Internet Provider and line speed of the circuit.
    2. Model and type of Firewall hardware and software.
    3. Port numbers that are opened in the Firewall.

Compliance:

  1. Each agency must submit its own Network Security Policy to the Security Oversight Committee for review and approval.
  2. Each State Agency must have a designated information security liaison. The name, telephone number and email address of the individual or individuals must be sent to Mark Reynolds at mark.reynolds@po.state.ct.us. This information must come from the Commissioner or IT Manager level.

Any modification in existing Network/Systems configurations that is in contrast to the Statewide Security policy must be submitted for approval to the Security Oversight Committee.

Scope

This policy applies to the following entities: any State of Connecticut agency, institution, office, department, commission, council or instrumentality that utilizes State owned and maintained data networks in the conduct of its business.

Definitions

State Agency:
For the purposes of this policy, the term State Agency refers to any State of Connecticut agency, institution, office, department, commission, council or instrumentality.

Compliant:
For the purposes of this policy, an agency's network security policy will be considered compliant when it meets the criteria defined in, and/or performs as described in, the State Network Security Policy.