Information Security Controls Policy (PS-17-001)
Information Security Controls
Effective Date: May 1, 2017
Review Date: 12/1/2020
The purpose of this policy is to improve how security controls are managed within the State’s shared-service environment. Security operations remains a top priority and is necessary to continue to advance security practices and processes. The definition of “ownership” within a shared-services environment has different dimensions. As it pertains to security, controls are often established by agency business owners but are typically executed by multiple parties. Often times the delineation of duties between multiple parties are not clearly understood resulting in inconsistencies in the execution of responsibilities. The Security Control Policy addresses this business challenge by establishing clearer lines of delineation between security controls, ownership and the overall responsibility of execution.
SCOPE and AUTHORITY
This policy covers the following:
Full service agencies who receive Infrastructure Services and Managed Network Services from the State Data Center
Agencies who receive only Managed Network Services from the State Data Center
Agencies who receive services from third-party service providers and those that own and operate their own Infrastructure/network services environment.
Information Technology Policies, Standards and Guidelines (PM-04-001) [or add: Enterprise Information Security Charter (PS-08-005)]
Agencies, Service Providers and Service Integrators will comply with all applicable NIST Security Controls (or any other Industry standards) that are required for state and federal compliance. These controls listed in standard SS 17-001 will be outlined in more detail within the NIST Control Families, Technical, Operational and Managerial Controls. Security controls will be determined and aligned using the State’s application/system classifications of Low, Moderate and High. After which each entity will work within this control framework to identify the appropriate security controls to support the application and system portfolio being managed. Once control ownership is identified, the controlling owner will be responsible for the implementation and management of the identified control(s). All controls identified as “shared” will be co-owned between two or more entities that together assume the responsibility for the execution of the control(s). The expectation is that agencies, service providers and service integrators will work together within the enterprise environment to promote, foster and ensure a viable enterprise security program. Agencies using third-party service providers are still responsible for ensuring that their applications are operating within the security control compliance outlined in this policy.
RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES
Information Security Control Standard (SS-17-001)
TERMS AND DEFINITIONS
Third Party Service Providers- Any person or entity that maintains, processes, or otherwise is permitted access to state-owned information through its provision of services. This includes all cloud-based technologies (i.e.):
- Software as a Service (SaaS) providers - companies that provide hosted application services.
- Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services.
System Boundary – All the components of an information system or an interconnected set of information resources under the same direct management control and security support structure, that share common functionality (normally includes hardware, software, information, data, applications, communications, and people).
Controlled Interfaces - Mechanisms that facilitate the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system such as but not limited to proxies, gateways, routers, firewalls, encrypted tunnels).