
Maine State Government
Dept. of Administrative &
Financial Services
Office of Information Technology
Policy to Govern Information Security Risk Assessments of State
Computer Systems and to Ensure the Prompt Remediation of Deficiencies
I. Statement
State computer systems will
be assessed for security risks, and priority risks will be promptly addressed.
II. Purpose
The purpose of this policy
is to document and clarify responsibilities and processes regarding security
assessment of computer devices, their operating systems, and their applications,
and subsequent remediation of deficiencies for all applicable information
systems. This policy expands upon the State of Maine Information Technology
Security Policy approved by the CIO January 6, 2009.
III. Applicability
This policy applies to
agencies within the Executive Branch of Maine State government, and to all of their
information systems irrespective of where they are hosted. This policy also
extends to those applications owned by all governmental branches and constitutional
offices that are hosted on computer devices
operated by the Office of Information Technology or that traverse the State’s wide
area network.
IV. Responsibilities
A. Chief Information Officer (CIO) - The CIO is required
by Maine statutes to protect information owned by State agencies.
Specifically 5 M.R.S.A. Section 1982 paragraph 9 reads: “Protection of information files. The Chief Information Officer shall develop rules
regarding the safeguarding, maintenance and use of information files relating
to data processing, subject to the approval of the commissioner. The office is
responsible for the enforcement of those rules. All data files are the property
of the agency or agencies responsible for their collection and use.”
B. Enterprise Information Security Director - Under the
direction of the CIO, the Enterprise Information Security Director will
1. Authorize
scheduled and random use of information security and risk assessment tools to
evaluate State computer devices, operating systems, and applications, including
websites, for vulnerabilities and risks to confidentiality, integrity
and availability.
2. Coordinate the
application of risk assessment tools with the AITD of the agency which owns the
system, the agency’s policy-influencing leaders, web coordinator and/or webmaster, and
the hosting organization in order to minimize disruptions to operations.
Whenever the Enterprise Information Security Director determines that the situation presents the
highest risk, these assessments may be conducted without notice.
a. OIT employees and contractors will protect
data supplied to evaluate risk, and will comply with all confidentiality
requirements of the agency, including signing any necessary agreements.
b. If OIT employees and contractors are able
to breach security while testing, they will not disclose any confidential or
personal data, or the source of the vulnerability, without the written authorization
of the Enterprise Information Security Director.
3. Alert the Agency Information Technology
Director or the Chief Technology Officer
(CTO), and the policy influencing
leadership of the agency which owns the system, whenever a critical information
security deficiency is discovered.
4. Promptly provide
a report to the Agency Information Technology Director or CTO and policy influencing agency leadership and others. The Director
will work collaboratively with them to effect a remediation in a timely manner.
At his/her discretion, the Enterprise Information Security Director may remove
the computer device or application from service until a satisfactory remediation
is implemented.
5. Choose and use
all practical methods, tools and techniques to evaluate the security of the
State’s computer devices and the applications that run on them. These may
include, but are not limited to, tools that scan for common operating system
and application configuration and program vulnerabilities.
6. In concert with the
Chief Technology Officer and Agency Information Technology Directors, with
input from lead technical managers from the Legislative and Judicial branches,
establish and promulgate security vulnerability standards, procedures and best
practices governing computer applications, enterprise network systems and
operating systems.
7. Conduct security
assessments on all new major applications in accordance with the Application Deployment
Certification Policy.
8. Evaluate requests for exemption from this policy. These requests
must be received in writing and signed by the Agency Information Technology
Director or CTO. The request will
include business reasons justifying why the risk assessment methods, tools and
techniques should not be employed. The Enterprise Information Security Director
will decide each case on its merits, and appeals of his/her decision may be
made to the CIO.
C. Agency Information Technology
Directors
(AITD). AITDs are accountable for their
agencies’ information technology security, both physical and logical. AITDs will
1. Implement risk
remediation findings required by the Enterprise Information Security Director.
2. Assist the
Enterprise Information Security Director in maintaining the State’s enterprise
information security.
3. Ensure all
germane requests for proposals (RFPs) and resulting contracts with vendors
contain language intended to enforce this policy and its standards.
4. Assess potential
risks in existing systems and determine which should be evaluated for
vulnerabilities and remediation.
D. OIT Employees Responsible for Systems Maintenance.
These employees are required to
1. Implement the
security vulnerability standards governing OIT’s applications, enterprise network
systems and operating systems.
2. Assist the
Enterprise Information Security Director in the conduct of his/her duties
regarding the implementation of this policy, its standards and procedures.
3. Regularly assess
security, and remediate vulnerabilities within their responsibilities.
4. Alert the
Enterprise Information Security Director and their direct supervisor of their
remediation actions, and highlight issues that they are not able to remediate.
5. Alert the
Enterprise Information Security Director and their direct supervisor whenever
they discover, or suspect, a security vulnerability beyond the scope of their
responsibilities.
E. Contractors. All information technology contractors
must agree to recognize the State’s right to conduct vulnerability testing in
accordance with this policy.
1. Contractors must
agree to support this testing and collaborate with the State to implement
security remediation findings in applications for which they are responsible.
2. With respect to
systems implemented following the adoption of this policy, in accordance with
the terms of their contract(s), vendors must agree to provide a secure
environment for the hosting of the contracted application, to support periodic
vulnerability testing conducted by the State of Maine and/or its agents, and to
remediate significant security vulnerabilities in a timely manner for the term
of the contract.
F. State Employees. All State employees who suspect that a breach
of security has occurred will contact the OIT Customer Solutions Center, which will inform the Enterprise Information Security Director. The Director will
promptly work collaboratively with the appropriate AITDs and technical experts to
determine the appropriate course of action.
V. Guidelines &
Procedures
A. OIT will adopt and implement standards, procedures
and best practices to minimize the risk of security breaches within the goals
of this policy.
B. Lists of current critical application vulnerabilities
are maintained by standards organizations including: OWASP
(Top 10 list), SANS (Top 20
list) and the Web Application Security Consortium.
Organizations which currently track and publish the most critical operating
system security patches include Microsoft and Sun.
VI. Definitions
A. Computer Application - Application software
is a loosely defined subclass of computer software that applies the
capabilities of a computer directly to a task that the user wishes to perform.
This should be contrasted with system software that is involved in integrating
a computer's various capabilities, but typically does not directly apply them
in the performance of tasks that benefit the user. The term application
refers to both the application software and its implementation. For the
purposes of this policy websites are considered an application. Examples of
applications currently in use would include: MS Exchange, TAMS,
inet.state.me.us, www.maine.gov, IPHIS etc.
B. Computer Device – Computer device means an
electronic, magnetic, optical, electrochemical, or other high-speed data
processing device performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility directly related
to or operating in conjunction with such device. Common
examples currently in use include laptops, personal computers, servers,
networks, hand-held devices, etc.
For the purposes of this policy, personal
digital assistants (PDA), cell phones and enterprise infrastructure components
(e.g. routers, switches, smart hubs, firewalls, DNS/DHCP appliances etc.) are considered
computer devices.
C. Operating System – The basic software used on
Computer Devices that acts as an interface between the computer hardware and
any applications used on that hardware. Operating systems often have
vulnerabilities or flaws that can be exploited by automated or manual methods,
and must be assessed for these vulnerabilities.
D. Information
Security – Information security means the preservation of confidentiality, integrity, and availability
of information.
1. Confidentiality
- Ensuring that information is accessible only to authorized users.
2. Integrity -
Safeguarding the accuracy and completeness of information and processing
methods.
3. Availability -
Ensuring that authorized users have access to information and associated assets
when required.
E. Information Security Deficiency – A weakness in an
agency’s overall information systems security program or management control
structure, or within one or more information systems that significantly
restricts the capability of an agency to carry out its mission or compromises
the security of its information, information systems, personnel, or other
resources, operations, or assets.
F. Information Security Incident or Breach – An event that results in unauthorized access,
loss, disclosure, modification or destruction of information resources whether
accidental or deliberate.
G. Security Assessment – Assessment of threats to, impacts on, and vulnerabilities of
information and information processing facilities. Vulnerability scanning tools
discover vulnerabilities and assess compliance with the vulnerability standards of national
organizations that track application system and operating system
vulnerabilities.
VII. References
1.
Department of Administrative and
Financial Services Information Services Security Policy 12/2002 in listing of
IT policies, standards and procedures adopted prior to April 2006: http://inet.state.me.us/oit/policies/practices.html
2.
OIT Security Policy 2002 in listing of
IT policies, standards and procedures adopted prior to April 2006: http://inet.state.me.us/oit/policies/practices.html
VIII. Document
Information
1.
Document Reference Number: 6
2.
Category: Security, Applications and
Privacy
3.
Adoption Date: December 18, 2006
4.
Effective Date: February 9, 2009
5.
Review Date: December 18, 2010
6.
Point of Contact: Mark Kemmerle,
Enterprise Information Security Director, Office of Information Technology,
207-624-8892.
7.
Approved By: Richard B. Thompson, Chief
Information Officer
8.
Position Title(s) or Agency Responsible
for Enforcement: Mark Kemmerle, Enterprise Information Security Director,
Office of Information Technology, 207-624-8892
9.
Legal Citation: Title
17-A: MAINE CRIMINAL CODE Part
2: SUBSTANTIVE OFFENSES, Chapter
18: COMPUTER CRIMES and
Title
5: ADMINISTRATIVE PROCEDURES AND SERVICES Part
4: FINANCE Chapter
163: OFFICE OF INFORMATION TECHNOLOGY. Section 1982
10.
Waiver Process (if applicable):
The CIO or his/her designee may authorize an exception on a
case-by-case basis.
Apply for a waiver as follows:
Address
an email to Richard B. Thompson and include as a CC: the Associate Chief
Information Officer or the Agency Information Technology Director. If you require assistance with determining the
correct person, contact the CIO’s office at 624-8800.
Include
the following in the email:
Document a compelling technical or business case that
identifies the specific action
and how it warrants exemption.
Include any supporting documentation you may have.
When a decision has been
reached in granting or denying the waiver, the CIO will respond to the
submitter, the AITD, and the following three designated people whose names are
located on the policy/standard for which the waiver is being sought: Point of
Contact, Approved By and Position Title(s) or Agency Responsible for
Enforcement.