Appropriate Use and Monitoring (SS-08-001)

Standards for appropriate use and monitoring of IT resources

Artificial Intelligence Responsible Use (SS-23-002)

Establishes requirements for the use of AI tools within agency operations

Authorization and Access Management (SS-08-010)

Requires managed access to state facilities and information resources

Classification of Personal Information (SS-08-002)

Standards for categorizing personal information

Computer Operations Center Security (SS-08-016)

Minimum security requirements for computer operations centers

Contingency Planning (SS-08-045)

Requires plans to sustain or recover/restore critical operations in the event of a system disruption or disaster

Cryptographic Controls (SS-08-040)

Minimum requirements for the use of cryptographic controls

Cybersecurity Capability Maturity Model (SS-20-001)

Establishes an enterprise Cybersecurity Capability Maturity Model to provide a structure for State agencies to baseline current capabilities in cybersecurity while establishing a foundation for consistent evaluation.

Data Categorization - Impact Level (SS-08-014)

Impact Level definitions and standards of information assets

Data Location and Access (SS-15-002)

Requires all data to be processed, stored, transmitted and disposed of within the geographical United States

Data Security - Electronic Records (SS-08-003)

Electronic records are 1) relied upon as official records, 2) must adhere to records retention requirements, and 3) must be protected from unauthorized destruction, modification or disclosure.

Digital Security Standard (SS-19-002)

Establishes a common set of security protocols across all State digital properties (i.e. agency web pages) to ensure the protection of sensitive information.

Disaster Recovery - System Backup (SS-08-046)

Requires backup and recovery procedures for critical software and data

Electronic Communications Accountability (SS-08-009)

Fixes accountability for content and transfer of information through electronic communications

Email Use and Protection (SS-08-011)

Standards for appropriate use and security of email

Facilities Security (SS-08-015)

Incorporates facilities security into overall protection of IT assets

Incident Response and Reporting (SS-08-004)

Requirements for information security incident response and reporting

Independent Security Assessments (SS-08-042)

Requires IT systems to be assessed by an independent third-party

Information Security Controls Standard (SS-17-001)

In accordance with the Information Security Control Policy, each agency operating within a shared-service environment is responsible for ensuring that applicable NIST 800-53 (rev. 4) security controls are implemented and operated effectively.

Information Security Infrastructure (SS-08-005)

Requirements for creating an information security program and infrastructure

Information Security Management Organization (SS-08-006)

Minimum standards for an information security management organization

Information Technology Reporting (SS-08-053)

Annual reporting requirements

International Teleworking and Remote Access (SS-22-001)

This standard establishes minimum security requirements for teleworking and remotely accessing state information systems while traveling internationally.

IP Blocking Standard (SS-17-002)

Establishes criteria for blocking network traffic from IP addresses and IP address ranges at the boundary of the state network.

Log Management Infrastructure (SS-08-036)

Requires monitoring and analyzing systems logs to record events and detect anomalies

Malicious Code Incident Prevention (SS-08-033)

Establishes controls to protect systems against malicious software

Media Protection and Handling (SS-08-043)

Establishes physical, logical, and environmental protection requirements for system media.

Media Sanitization - Vendor Return (SS-08-035)

Establishes standards for sanitization and disposal of all electronic media subject to vendor return

Network Access and Session Controls (SS-08-048)

Requires control and monitoring of network sessions

Network Security - Boundary Protection (SS-08-047)

Requires network boundary protection

Non-State Technology and Computing Devices (SS-12-002)

Rules of appropriate use and all other governance regarding information and data security apply to non-State issued technology devices used to access non-public State information and technology resources

Operational Change Control (SS-08-026)

Requires that changes to operational systems be controlled and monitored

Outsourced IT Services and Third-Party Interconnections (SS-08-044)

Requires third-party adherence to established State security requirements

Password Security (SS-08-007)

Establishes standards for protecting passwords

Personal Identification Verification (PIV) Cards (SS-19-001)

Specifies a reliable PIV system within which a common identity credential can be used to verify a claimed identity and to gain physical and logical access to state controlled facilities and information systems.

Personnel Identity Verification and Screening (SS-08-017)

Standards for verifying identities of state personnel and contractors

Privacy in the Workplace (SS-12-001)

No expectation of privacy shall be assumed when accessing non-public State information resources and assets

Prohibited Software & Services (SS-22-002)

Establishes restrictions on third-party vendors, software and services.

Risk Management Framework (SS-08-041)

Adopts the NIST risk management framework

Secure Remote Access (SS-08-038)

Requires protection of systems from risks associated with remote access

Security Education and Awareness (SS-08-012)

Requires all employees and contractors to attend annual security awareness training

Separate Production and Development Environments (SS-08-031)

Establishes requirements for separating operational environments from test/development environments

Strong Password Use (SS-08-008)

Establishes standards for creating and using strong passwords

Surplus Electronic Media Disposal (SS-08-034)

Establishes statewide standard on disposition of surplus electronic media

System Implementation and Acceptance (SS-08-032)

Requires agencies to establish criteria for accepting a system from development to operations

System Lifecycle Management (SS-08-025)

Requires a formal lifecycle management program for systems in development or operations

System Security Plans (SS-08-028)

Requires data and system owners to create and maintain system security plans

Systems Operations Documentation (SS-08-027)

Requires agencies to document system operational procedures

Teleworking and Remote Access (SS-08-037)

Security requirements for telework and remote access to state information systems

Third-Party Security Requirements (SS-08-013)

Establishes security requirements for conducting business with contractors, outsourcing vendors and/or other third-parties

Web and E-Commerce Security (SS-08-049)

Requires control and management of web services

Wireless and Mobile Computing (SS-08-039)

Minimum security requirements for wireless network implementation