Title of Nomination: Security Policies and Standards Project/System Manager: Donna Crutcher Title: State Security Manager Agency: Department:

Transcription

1 Title of Nomination: Security Policies and Standards Project/System Manager: Donna Crutcher Title: State Security Manager Agency: Department: Information Technology Address: 505 East King Street, Room City: Carson City State: NV Zip: Phone: Fax: dcrutch@doit.state.nv.us CATEGORY: Security_and_Business_Continuity Person Nominating (if different): Linda Brunson Title: ISS III Address: 505 East King Street, Room 403 City: Carson City State: NV Zip: Phone: Fax: lpbrunson@doit.state.nv.us 1

2 STATE OF NEVADA Department of Information Technology Category: Security & Business Continuity Title of Project: Nevada s Security Policies & Procedures ( Project Implemented: March, 2001 Description of Project The State of Nevada Security Committee was established to facilitate interaction between state departments, divisions, boards and commissions on identifying and addressing security related policies, standards, problems and issues. The secondary mission of the Committee is to serve as an advisory committee participating in development of common security policy and standards at the State level, regardless of technology platform or agency size and to assist in promoting state level Security Standards. The Committee consists of 30 members representing 16 agencies including legislative, judicial, and elected officials. The Security Committee has created security policy and 20 supporting standards to assist and provide guidance in providing a common direction to state agencies in developing individualized Security Programs consistent with their IT operating environment. The Nevada IT Operations Committee (NITOC) is responsible for the day-to-day operation of the policy and oversight structure. NITOC is responsible for reviewing the security policy proposals to insure that they are consistent with each other, and generally acceptable to the Nevada IT community. Policies and procedures that are approved by NITOC are passed to the Governor s IT Oversight Committee for final approval. In the event that NITOC cannot reach substantial consensus on a policy issue, NITOC will provide summaries of the major contending positions for resolution by GITOC. The Nevada Governor is the chairman of the IT Oversight Committee (GITOC) and has final authority over all IT issues, or as otherwise provided by statute or Executive Order. The GITOC meets quarterly and the Governor selects members. The Security Committee has been highly successful in working with its members from the various agencies and has been very productive in establishing policy with no fiscal impact to the State of Nevada. All of the members have volunteered their time toward this project and have been highly motivated in achieving its goals. The State I/T Security Committee is sponsored by the Department of Information Technology (DoIT) and will be chaired by the I/T Security Program Manager located in the department. 2

3 There are three (3) major I/T security disciplines being addressed; Security Administration, Data Security and Access/Communications Security. The Committee established work groups for each of the defined security disciplines consisting of members of the committee and a work group leader. The State I/T Security Committee is responsible for providing all state agencies with policies, standards and user guides for securing their I/T resources. Other responsibilities of the I/T Security Committee include serving as an advisory committee to the State on I/T security issues, establishing state level I/T security policy and standards, identifying, reviewing and resolving state level I/T security problems and issues, functioning as a working body to define and develop common I/T security policy and standards that will apply to all agencies, all I/T platforms, processing and security of electronic records, and promoting I/T security understanding and awareness throughout the State, particularly members respective agencies. Below is a link to the Security Committee web site and a list of the policies being generated by their efforts during the past year. Section 4 - Security Committee Document Committee Approval NITOC Approved GITOC Approve d Effective 4.01 Security Charter 4.02 Policy: IT Security Policy 08/29/01 02/14/02 02/14/ Standard: ISO Roles & Responsibilities 08/29/01 02/14/02 02/14/ Standard: Personnel Security 08/29/01 02/14/02 02/14/ Standard: IT Security Awareness Training 08/29/01 02/14/02 02/14/ Standard: IT Risk Analysis 11/28/01 02/14/02 02/14/ Standard: IT Contingency Planning 11/28/01 04/11/02 04/11/ Standard: Electronic Records 12/19/ Standard: Security Evaluation 12/19/ Standard: Copyright 10/31/ Standard: Physical Security & Environmental Controls 10/13/01 Data Security Sub-Committee 4.30 Standard: Security for System Development 10/31/ Standard: Data Sensitivity 10/31/ Standard: Audit Trails & Reports 12/19/ Standard: Virus Protection 12/19/01 Communication Security Sub-Committee 4.60 Standard: Access Controls & Auditing 08/29/01 05/09/02 3

4 4.61 Standard: Passwords 08/29/01 05/09/02 05/09/ Standard: Data Communications & Remote Connections 12/19/01 05/09/02 05/09/ Standard: Network Perimeter Defense 12/19/01 05/09/02 05/09/ Standard: Hacking 10/31/01 05/09/02 05/09/ Standard: Personal Access 03/27/02 04/11/02 04/11/02 Significance to the improvement of the operation of government The State of Nevada Security Committee has created policies, standards and guidance for state agencies in order to have cohesion and understanding on security issues. This prevents redundant activities toward implementation of security safeguards and also ensures that best practices are used when addressing security issues. The IT Security policy establishes a minimum information technology (IT) security policy for the protection of State assets inclusive of information, computers and networks. The intent of IT is to ensure the availability of timely, accurate information for the delivery, of services and products to the citizens of the State of Nevada. The protection of State IT requires an approach that will result in implementation of balanced, cost-effective security disciplines and techniques commensurate with the identified risks and threats to the organization and its information technology. IT Contingency Planning standards establishes the Information Technology (IT) Contingency Planning standard for an agency s mission critical information and the IT resources that support the critical mission of the agency. Each agency must be able to continue to provide mission-critical services that are supported by IT resources should a situation occur that renders the IT resources inaccessible due to a system or application malfunction or hardware failure. Contingency planning includes, but is not limited to, the documentation, plans, and policies and procedures required to restore mission-critical IT functions to include mainframe, mini-computers, servers, microcomputers, voice and data communications services, applications systems and related data. Risk Management/Analysis standards offers a disciplined approach through which uncertain events can be identified, measured and controlled to minimize loss. Risk analysis provides the basis for risk management by identifying the risk(s). Agency management then can either accept the risk(s) or selects cost-effective controls and safeguards to reduce the risk(s) to an acceptable level. Risk analysis is a systematic process of evaluating vulnerabilities of a processing system, environment and data against the threats facing them. In addition, IT Security Awareness Training helps insure that employees, consultants and contractors are aware of their responsibilities in protecting State information and information technologies from accidental or unauthorized access, manipulation, modification or destruction. The users who are not informed of management s policy, procedures and commitment to IT 4

5 security are not likely to take steps to prevent occurrence of violations, make needed suggestions about improving security, nor recognize and report security threats and vulnerabilities. Security Policies and Procedures as well as committee descriptions can be found at Benefits realized by service recipients, taxpayers, agency, or state Establishing a state security committee comprised of volunteers from various agencies, in addition to including members from the judicial, legislative and elected offices, has benefited taxpayers, agencies and the state by not incurring additional expenses to create policies and standards to protect the state s assets. Taxpayers, agencies and the State of Nevada also realize the benefit of a vested interest in these documents since the agencies affected were included in their creation. Return on investment, short-term/long-term payback (include summary calculations). Projects must exhibit measurable operational benefit. The Nevada Security Committee members time is absorbed by their agency s normal operating/salary budgets. The policies, standards and guidelines are posted on the Internet with sensitive documents being posted on the State s Intranet. This allows the most current document to be available to employees who implement security for the State of Nevada without the added cost of printing and distributing the security documents. is used to notify agency heads responsible for dissemination information to the individual agencies. Developing IT security safeguards ensures that resources are not wasted on responding to security breaches, there are fewer disruptions to enterprise operations, and greater confidence from constituents when vital state assets are protected. 5

6 STATE OF NEVADA Department of Information Technology Category: Security & Business Continuity Title of Project: Nevada s Security Policies & Procedures ( Project Implemented: March, 2001 Executive Summary The Security Committee was established to facilitate interaction between state departments, divisions, boards and commissions on identifying and addressing security related policies, standards, problems and issues. The secondary mission of the Committee is to serve as an advisory committee participating in development of common security policy and standards at the State level, regardless of technology platform or agency size and to assist in promoting state level Security Standards. The Committee consists of 30 members representing 16 agencies including legislative, judicial, and elected officials. The Security Committee has created security policy and 20 supporting standards to assist and provide guidance in providing a common direction to state agencies in developing individualized Security Programs consistent with their IT operating environment. IT security policies and subsequent standards provide the minimum high-level policy and standards designed to provide direction for protecting State IT assets. The State of Nevada Security Committee has created policies, standards and guidance for state agencies in order to have cohesion and understanding on security issues. This prevents redundant activities toward implementation of security safeguards and also ensures that best practices are used when addressing security issues statewide. 6