WVNET Security Policy & Procedure
4.0 Policy
4.1 Administration
4.1.1
An ISO (Information Security Officer) role must be assigned. This individual must perform, contract, or delegate the necessary functions and responsibilities of the position. WVNET will appoint an ISO to be the primary contact person for all security concerns involving WVNET resources. (GOT ISG - sections 3.2 and 4.1)
4.1.2
At least one ISL (Information Security Liaison) must be assigned. This individual must perform the functions and responsibilities of the position. WVNET will appoint an ISL for its communications department. Each institution that uses WVNET computer resources to run its applications and wishes to be directly involved in WVNET security concerns may also appoint an ISL, and WVNET will work with that ISL on security matters. (GOT ISG - section 3.3)
4.1.3
All information resources, regardless of medium, will be used, maintained, disclosed, and disposed of according to law, regulation, or policy. (GOT ISG - section 7.3)
4.1.4
All WVNET employees and others who access WVNET computer systems will be provided with sufficient training in policies and procedures, including security requirements, correct use of information resources, and other organizational controls. Since WVNET provides services to a great many dial-up customers, a basic Security Pamphlet will be created and distributed to dial-up customers. This Security Pamphlet will provide basic knowledge and guidelines for users regarding computer security, password security and antivirus procedures. (GOT ISG - sections 4.1 and 11.0)
4.1.5
A documented risk analysis program will be implemented and a risk analysis will be conducted periodically. (GOT ISG - sections 4.1 and 6.0)
4.1.6
A cost effective incident response/business recovery plan will be maintained providing for prompt and effective continuation of critical missions in the event of a security incident. (GOT ISG - sections 4.1 and 9.0)
4.1.7
Procedures, guidelines, and mechanisms that are utilized during a security incident, along with the roles and responsibilities of the incident management teams, must be established and reviewed regularly by the ISO and management.
4.2 Access Controls
(GOT ISG - sections 4.2 and 5.0 - 5.5)
4.2.1
Access controls must be consistent with all state, federal, and local laws and statutes and will be implemented in accordance with this policy.
4.2.2
Procedures must be implemented to protect information resources from accidental, inadvertent, unauthorized, or malicious disclosure, modification, or destruction.
4.2.3
Appropriate controls must be established and maintained to protect the confidentiality of passwords used for authentication.
4.2.4
Individual users must have unique userids and passwords.
4.2.5
All employees are accountable for their computers and userids, and for any actions that can be identified as originating from those accounts.
4.2.6
All employees must use appropriate password settings on those accounts accessing the financial system or any other sensitive information. A secure password must meet the following minimum requirements:
4.2.6.1
The minimum number of alphabetic characters that a password must contain is 5.
4.2.6.2
The minimum number of non-alphabetic characters that a password must contain is 1 (where non-alphabetic characters are any printable ASCII characters that are not alphabetic and are not national language characters).
4.2.6.3
The maximum number of times a single character can be used in a password is 3.
4.2.6.4
When converting to a new password, the minimum number of characters in the new password that were not in the old password is 3.
4.2.6.5
WVNET requires that passwords be changed at least every 12 weeks.
4.2.6.6
WVNET requires that a password be maintained for at least 2 weeks unless a known breach of security has occurred.
4.2.7
When employees are transferred or their employment is terminated, userids and authorizations will be deleted immediately, where appropriate.
4.2.8
Confidential or sensitive data (e.g., credit card numbers, calling card numbers, logon passwords) must be encrypted before being transmitted over the Internet, where possible.
4.2.9
The network access firewall and/or secure gateway must be configured to deny all incoming services unless explicitly permitted.
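A minimal ruleset in the shape 4.2.9 requires, as an added example that is not taken from WVNET's firewall configuration. It uses nftables syntax; the permitted services (SSH on 22 and HTTPS on 443) are placeholders chosen for illustration. The security-relevant line is `policy drop`: everything not explicitly accepted below it is denied, which is the opposite of the weaker `policy accept` style where only known-bad traffic is dropped and any newly exposed service is reachable by default.

```nft
table inet filter {
    chain input {
        # Deny all incoming services unless explicitly permitted (4.2.9).
        type filter hook input priority 0; policy drop;

        iif "lo" accept                              # loopback traffic
        ct state established,related accept         # replies to connections we initiated
        ct state invalid drop

        # Explicitly permitted services (placeholder ports for this example).
        tcp dport { 22, 443 } accept

        # Operational ICMP; everything else, including unlisted ports, hits the drop policy.
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
    }
}
```

After loading such a ruleset, verify the default-deny posture from an outside host rather than trusting the file: a port scan against the gateway should show only the explicitly listed ports open, and new services must stay unreachable until a rule is added for them.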
4.2.10
Data and supporting software necessary for the continuation of WVNET functions will be backed up periodically.
4.2.11
All information assets must be accounted for and have an assigned owner. (GOT ISG - section 7.0)
4.2.11.1
Owners, custodians, and users of information resources must be identified and their responsibilities defined and documented.
4.2.11.2
All access to computing resources will be granted on a need-to-use basis.
4.2.12
The owner and custodian of information will determine its classification based on the circumstances and the nature of the information.
4.2.13
The owner and custodian will determine the protective guidelines that apply for each class of information. They include the following:
- Access
- Distribution within WVNET
- Distribution outside WVNET
- Electronic distribution
- Disposal/Destruction
4.2.14
All programmable computing devices must be equipped with up-to-date virus protection software, where possible. All email will be scanned for viruses via the WVNET mail gateways.
4.2.14.1
Virus protection procedures will be developed to address system protection.
4.3 Personnel Practices
(GOT ISG - sections 4.3 and 10.0 - 10.8)
4.3.1
All IT assets, including hardware, software, and the physical or virtual network traffic that passes through these assets, are owned by WVNET or operated on the owner's behalf under contractual agreement.
4.3.2
Information resources are designated for authorized purposes only. WVNET reserves the right to monitor and review employee use as required for legal, audit, or legitimate authorized State operational or management purposes.
4.3.3
All employees must receive an appropriate (as determined by the information owner and ISO) background check.
4.3.4
All employees must sign a confidentiality statement indicating that they have read, understand, and will abide by WVNET policies and procedures regarding IT security.
4.3.5
All vendors and contractors must sign and abide by a contract/confidentiality statement to ensure compliance with state and WVNET information security policies and procedures. (GOT ISG - section 8.0)
4.3.6
All employees must abide by WVNET's Acceptable Use Policy.
4.4 Physical and Environmental Security
(GOT ISG - sections 4.4 and 12.0 - 12.6)
4.4.1
Information resource facilities will be physically secured by measures appropriate to their critical importance.
4.4.2
Security vulnerabilities will be identified, and controls will be established to detect and respond to threats to facilities and physical resources. Where possible, this will include the use of intrusion detection systems (IDS).
4.4.3
Critical or sensitive data handled outside of secure areas will receive the level of protection necessary to ensure integrity and confidentiality.
4.4.4
Equipment will be secured and protected from physical and environmental damage.
4.4.5
Equipment used outside State premises will be given the same degree of security protection as that of on-site information resource equipment.