MINNESOTA STATE STANDARD

Similar documents
State of Minnesota. Enterprise Information Security Incident Management Standard. Office of Enterprise Technology. Enterprise Security Office Standard

State of Minnesota. Office of Enterprise Technology. Enterprise Security Management Control Policies. Enterprise Security Office Policy. Version 1.

Mobile Device Usage and Agreement Policy

State of Minnesota. Enterprise Security Program Policy. Office of Enterprise Technology. Enterprise Security Office Policy. Version 1.

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

Cyber Self Assessment

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Adams County, Colorado

Supplier Information Security Addendum for GE Restricted Data

Office of the Chief Information Officer

Other terms are defined in the Providence Privacy and Security Glossary

MUSC Information Security Policy Compliance Checklist for System Owners Instructions

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Guidelines for smart phones, tablets and other mobile devices

Miami University. Payment Card Data Security Policy

Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations

BYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012

The CIO s Guide to HIPAA Compliant Text Messaging

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

Android support for Microsoft Exchange in pure Google devices

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

Newcastle University Information Security Procedures Version 3

FileCloud Security FAQ

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

PimaCountyCommunityCollegeDistrict Standard Practice Guide Administrative Procedure

Ensuring the security of your mobile business intelligence

Information Technology Branch Access Control Technical Standard

Policy and Profile Reference Guide

PCI DSS Requirements - Security Controls and Processes

State of Vermont. User Password Policy and Guidelines

Information Systems. Connecting Smartphones to NTU s System

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

Southwest Airlines 2013 Terms of Use Portable Devices Feb 2013

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

How To Protect Your Mobile Devices From Security Threats

When HHS Calls, Will Your Plan Be HIPAA Compliant?

ESAP Remote Access VPN

BlackBerry Business Cloud Services. Administration Guide

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Research Information Security Guideline

Human Subject Research: HIPAA Privacy and Security. Human Research Academy 101

CHIS, Inc. Privacy General Guidelines

Mobile Security Standard

State of South Carolina Policy Guidance and Training

Appendix H: End User Rules of Behavior

Virginia Commonwealth University School of Medicine Information Security Standard

How To Write A Health Care Security Rule For A University

Android Support on Galaxy Nexus, Nexus S, and Motorola Xoom for Microsoft Exchange Policies

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

MINNESOTA STATE POLICY

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Controls for the Credit Card Environment Edit Date: May 17, 2007

Mobile Devices Policy

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Catapult PCI Compliance

Use of tablet devices in NHS environments: Good Practice Guideline

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Section 12 MUST BE COMPLETED BY: 4/22

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

Montclair State University. HIPAA Security Policy

iphone in Business Security Overview

When enterprise mobility strategies are discussed, security is usually one of the first topics

County Identity Theft Prevention Program

North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

Managing Your Windows Mobile Device through Outlook Web Access (OWA)

Encryption Security Standard

Estate Agents Authority

The City of New York

Virginia Commonwealth University School of Medicine Information Security Standard

Bring Your Own Device (BYOD) Policy

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

COLORADO STATE UNIVERSITY SYSTEM

plantemoran.com What School Personnel Administrators Need to know

`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

DHHS Information Technology (IT) Access Control Standard

BYOD BEST PRACTICES GUIDE

THE UNIVERSITY OF NORTH CAROLINA AT GREENSBORO IDENTITY THEFT PREVENTION PROGRAM

CREDIT CARD SECURITY POLICY PCI DSS 2.0

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Security Architecture Whitepaper

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Embarcadero Technologies, with contributions from Ron Lewis, Senior Security Analyst, CDO Technologies

This policy applies to all DRC employees, contractors, volunteers, interns and other agents of the state.

How To Protect Research Data From Being Compromised

MCPHS IDENTITY THEFT POLICY

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

IDENTITY THEFT PREVENTION PROGRAM (RED FLAGS)

WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

2. Begin gathering necessary documents for student (refer to Record Acknowledgement Form)

PRIVACY IMPACT ASSESSMENT

BYOD and Mobile Device Management

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Transcription:

Version: 1.00 Approved Date: 4/29/2011 Approval: Signature on file MINNESOTA STATE STANDARD From the Office of Carolyn Parnell Chief Information Officer, State of Minnesota Enterprise Security Portable Computing Device Standard Standard Statement Government entities must prevent the unauthorized disclosure of not public data on portable computing devices. Management of those devices must include: Reason for the Standard The disclosure of not public data poses a significant risk to the loss of the public s trust in the State. Recently there has been a notable increase in the use of portable devices by individuals and entities. These devices can provide increased flexibility for employee s productivity and to the delivery of State services. However, with the increase of the use of these devices comes an increased risk of devices being stolen or lost. To enable the option for agencies to use of portable computing devices (government or personally owned) this standard is necessary to reduce the risk of disclosure of not public data to an acceptable level. While there are a number of other issues government entities must consider (records management, litigation holds, etc.), this standard is designed to help the entities make a more informed decision around the information security risks. Individual government entities may have additional requirements for protecting their most sensitive information. Portable Computing Device Authorization Agencies must authorize the computing devices allowed to process or store not public data. Authorized portable computing devices are restricted to those devices that have the technical capability (natively or through third party products) to comply with the requirements of this standard. Authorized devices include those purchased by the State of Minnesota. Authorized devices can also include those that are personally owned, if permitted by the government entity. Encryption of Not Public Data All not public data stored on portable computing devices must be encrypted by one of the following means: An approved, third party product that is enforced through a controlled configuration and cannot be disabled by the user Encryption that is enforced through a technical policy or localized applications that cannot be overwritten by the user Password / Authentication Requirements

State of Minnesota Standards: Portable Computing Devices Page 2 of 5 All portable computing devices that contain not public data or synchronize with services that can access not public data must protect the data with user authentication. See Appendix A for authentication requirements by device type. Remote Data Wipe Portable computing devices that only use a Personal Identification Number (PIN) for authentication must have the capability to: Be remotely erased (or wiped) by the agency or service provider Automatically erase all data after a set amount of authentication attempts User Agreements All users of portable computing devices must sign-off and agree to the following requirements To physically protect the portable device when away from a secure location Proper escalation and notification procedures for when a portable device is lost or stolen, including the need to notify their agency before notifying a third party (e.g., AT&T, Sprint, etc.) For users of personal devices, understanding and agreeing to the terms in a personal use agreement. These terms will give the State the authority to: Remotely wipe data on the device, which potentially could include personal data Monitor activities on non-state devices Recover data or take possession of devices when legally necessary Records Management and Data Practices Considerations To be in compliance with statutory requirements, government entities extending data to portable computing devices must address record retention, record administration, and data practices requirements. 2.0 Roles & Responsibilities Office of Enterprise Technology (OET) Maintain this document Provide guidance to government entities on any conflicts or questions pertaining to compliance with this standard Provide subject matter expertise to MMD on matters pertaining to this standard and appropriate product selection Fulfill the requirements of the Government Entity for OET Government Entity Provide awareness of the requirements of this standard to users and administrators of portable computing device Authorize usage and approve connectivity to entity resources from portable computing devices Maintain signed agreements from users Maintain an escalation process to ensure lost or stolen devices are addressed promptly Create and maintain policies and procedures for using portable computing devices Determine and accept additional business risk for records management, litigation hold, and other regulatory or legal requirements State Of Minnesota Standards Accessibility Standard Page 2 of 5

State of Minnesota Standards: Portable Computing Devices Page 3 of 5 Related Information Applicability and Exclusions This standard is applicable to the government entities in the Executive Branch identified in the Enterprise Security Program Applicability Standard 2009-06. It is also offered as guidance to other government entities outside the Executive Branch. Agency Heads, Responsible Authorities, Chief Information Officers, Chief Information Security Officers, Data Practices Compliance Officials, and their designees who are responsible for responding to, management of, and reporting on entity security controls and/or compliance with data practices and records management laws must be aware of this standard. The requirements of this standard must be incorporated into agreements with third parties to ensure proper controls are in place for protection of state information assets. Devices connecting directly (wired or wirelessly) to an agency s secure network may have additional security control requirements that are beyond the scope of this standard. Devices connecting to government entity services that do not process or store Not Public data on the device are excluded from this standard. This standard supersedes the Enterprise Security Policy on Portable Computing Devices 2006-04 policy. Regulatory, Policy, Standards, & Guideline References Minnesota Statutes 2007 Chapter 16E (Office of Enterprise Technology) Minnesota Statutes, Chapter 13 (Data Practices Act) Minnesota Statutes, section 15.17 (Official Records Act) Minnesota Statutes, section 138.17 (Administration of Government Records) Enterprise Security Information Handling Policy Enterprise Security Authentication and Access Control Policy Forms, Templates, and Procedures Italicized terms can be found in the Enterprise Security Glossary of Terms Enterprise Security Exception Request Form User Agreement Form Template Compliance Compliance with this standard is required with approval date of the standard. Terms in italics can be found in the Enterprise Security Glossary document. State Of Minnesota Standards Accessibility Standard Page 3 of 5

State of Minnesota Standards: Portable Computing Devices Page 4 of 5 Appendices Appendix A: The following chart defines the authentication requirements for different device types: Laptop / Tablet Device Type (Broad Remote Access) Authentication Requirements Users must authenticate to the device with the following password requirements: Length of 6 or more characters Contains at least one letter and one number Expires at least every 90 days Cannot be changed by user for 7 days Cannot be reused for at least 15 changes Locks account after 10 attempts Requires administrative support to unlock account Inactivity lockout at 15 minutes Devices used to gain Remote Access must also: Use two-factor authentication to connect users to the network Connect through an approved, encrypted VPN solution Smart-Phone / Tablet (Limited Access) Users must authentication to the device with the following personal identification number (PIN) requirements: Length of 4 or more numbers Automatically wipes the stored data after 10 attempts Inactivity lockout at 15 minutes Broad Remote Access is defined as the portable devices that have remote access to State resources which is equivalent to the user s access while on a government entity s internal, secure network (e.g., IPSec VPN, SSL VPN). Limited Remote Access is defined as the portable devices that have access to a limited set of resources and leverages additional controls to ensure the security of State data (e.g., SSL encrypted data transmission by application, additional authentication by application, etc.) State Of Minnesota Standards Accessibility Standard Page 4 of 5

State of Minnesota Standards: Portable Computing Devices Page 5 of 5 History Revision History record additions as Major releases, edits/corrections as Minor Date Author Description Major # Minor # 05/05/2011 Eric Breece Initial Release 1 00 Review History periodic reviews to ensure compliance with program Date Reviewer Description Compliance n/a n/a Approval History record of approval phases Phase Description Date SME ESO Approval 02/22/2011 ISC Information Security Council Approval 03/02/2011 CIOC CIO Council Approval 04/28/2011

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information