Appropriate Use and Monitoring (SS-08-001)

Standards for appropriate use and monitoring of IT resources

Authorization and Access Management (SS-08-010)

Requires managed access to state facilities and information resources

Classification of Personal Information (SS-08-002)

Standards for categorizing personal information

Computer Operations Center Security (SS-08-016)

Minimum security requirements for computer operations centers

Contingency Planning (SS-08-045)

Requires plans to sustain or recover/restore critical operations in the event of a system disruption or disaster

Cryptographic Controls (SS-08-040)

Minimum requirements for the use of cryptographic controls

Cybersecurity Capability Maturity Model (SS-20-001)

Establishes an enterprise Cybersecurity Capability Maturity Model to provide a structure for State agencies to baseline current capabilities in cybersecurity while establishing a foundation for consistent evaluation.

Data Categorization - Impact Level (SS-08-014)

Impact Level definitions and standards of information assets

Data Location and Access (SS-15-002)

Requires all data to be processed, stored, transmitted and disposed in the geographical United States

Data Security - Electronic Records (SS-08-003)

Electronic records are 1) relied upon as official records, 2) must adhere to records retention requirements and 3) must be protected from unauthorized destruction, modification or disclosure.

Digital Security Standard (SS-19-002)

Establishes a common set of security protocols across all State digital properties (i.e. agency web pages) to ensure the protection of sensitive information.

Disaster Recovery - System Backup (SS-08-046)

Requires backup and recovery procedures for critical software and data

Electronic Communications Accountability (SS-08-009)

Fixes accountability for content and transfer of information through electronic communications

Email Use and Protection (SS-08-011)

Standards for appropriate use and security of email

Facilities Security (SS-08-015)

Incorporates facilities security into overall protection of IT assets

Incident Response and Reporting (SS-08-004)

Requirements for information security incident response and reporting

Independent Security Assessments (SS-08-042)

Requires IT systems to be assessed by an independent third-party

Information Security Controls Standard (SS-17-001)

In accordance with the Information Security Control Policy, each agency operating within a shared-service environment is responsible for ensuring that applicable NIST 800-53 (rev. 4) security controls are implemented and operated effectively.

Information Security Infrastructure (SS-08-005)

Requirements for creating an information security program and infrastructure

Information Security Management Organization (SS-08-006)

Minimum standards for an information security management organization

Information Technology Reporting (SS-08-053)

Annual reporting requirements

International Teleworking and Remote Access (SS-22-001)

This standard establishes minimum security requirements for teleworking and remotely accessing state information systems while traveling internationally.

IP Blocking Standard (SS-17-002)

Establishes criteria for blocking network traffic from IP addresses and IP address ranges at the boundary of the state network.

Log Management Infrastructure (SS-08-036)

Requires monitoring and analyzing systems logs to record events and detect anomalies

Malicious Code Incident Prevention (SS-08-033)

Establishes controls to protect systems against malicious software

Media Protection and Handling (SS-08-043)

Establishes physical, logical, and environmental protection requirements for system media.

Media Sanitization - Vendor Return (SS-08-035)

Establishes standards for sanitization and disposal of all electronic media subject to vendor return

Network Access and Session Controls (SS-08-048)

Requires control and monitoring of network sessions

Network Security - Boundary Protection (SS-08-047)

Requires network boundary protection

Non-State Technology and Computing Devices (SS-12-002)

Rules of appropriate use and all other governance regarding information and data security apply to non-State issued technology devices used to access non-public State information and technology resources

Operational Change Control (SS-08-026)

Requires that changes to operational systems be controlled and monitored

Outsourced IT Services and Third-Party Interconnections (SS-08-044)

Requires third-party adherence to established State security requirements

Password Security (SS-08-007)

Establishes standards for protecting passwords

Personal Identification Verification (PIV) Cards (SS-19-001)

Specifies a reliable PIV system within which a common identity credential can be used to verify a claimed identity and to gain physical and logical access to state controlled facilities and information systems.

Personnel Identity Verification and Screening (SS-08-017)

Standards for verifying identities of state personnel and contractors

Privacy in the Workplace (SS-12-001)

No expectation of privacy shall be assumed when accessing non-public State information resources and assets

Prohibited Software & Services (SS-22-002)

Establishes restrictions on third-party vendors, software and services.

Risk Management Framework (SS-08-041)

Adopts the NIST risk management framework

Secure Remote Access (SS-08-038)

Requires protection of systems from risks associated with remote access

Security Education and Awareness (SS-08-012)

Requires all employees and contractors to attend annual security awareness training

Separate Production and Development Environments (SS-08-031)

Establishes requirements for separating operational environments from test/development environments

Strong Password Use (SS-08-008)

Establishes standards for creating and using strong passwords

Surplus Electronic Media Disposal (SS-08-034)

Establishes statewide standard on disposition of surplus electronic media

System Implementation and Acceptance (SS-08-032)

Requires agencies to establish criteria for accepting a system from development to operations

System Lifecycle Management (SS-08-025)

Requires a formal lifecycle management program for systems in development or operations

System Security Plans (SS-08-028)

Requires data and system owners to create and maintain system security plans

Systems Operations Documentation (SS-08-027)

Requires agencies to document system operational procedures

Teleworking and Remote Access (SS-08-037)

Security requirements for telework and remote access to state information systems

Third-Party Security Requirements (SS-08-013)

Establishes security requirements for conducting business with contractors, outsourcing vendors and/or other third-parties

Web and E-Commerce Security (SS-08-049)

Requires control and management of web services

Wireless and Mobile Computing (SS-08-039)

Minimum security requirements for wireless network implementation
