information security user policy training business applications department october 2009
Post on 01-Apr-2015
Information Security User Policy Training
Business Applications Department, October 2009

Purpose
Provide acceptable information security principles and practices for all MRC employees and contractors
Protect and safeguard information residing within the MRC environment
Aligned with COV and State Policies:
COV ITRM Policy SEC519-00, Information Technology Security Policy
COV ITRM Standard SEC501-01, Information Technology Security Standard
DHRM Policy 1.75, Use of Internet and Electronic Communication Systems
MRC Information Security Program and Continuity of Operations Plan (COOP)

Scope
All MRC employees and contractors have the responsibility to safeguard information
All software and hardware used to process electronic information should be protected from unauthorized use, destruction or theft

Definitions
"PC" refers to networked, standalone and file server workstations, and to the data stored on those workstations or on computer media
IT system users are MRC personnel or contractors that require access to and use of PC resources managed for the Commission

Guiding Principles
Commonwealth of Virginia (COV) data is:
A critical asset that shall be protected by the concept of least privilege
Restricted to authorized personnel for official use

Guiding Principles
Information security must be:
A cornerstone of maintaining public trust
Managed to address both business and technology requirements
Risk-based and cost-effective
The responsibility of all users of COV IT systems and data

Key IT Security Roles and Responsibilities
Steve Bowman, Commissioner, Agency Head: responsible for the security of the Agency's IT systems and data
Erik Barth, Information Security Officer (ISO): develops and manages the Agency's IT security program
Linda Farris, Backup Information Security Officer: assists in implementation of the Agency's IT security program
Jane McCroskey, Privacy Officer: provides guidance on the requirements of state and federal privacy laws

Key IT Security Roles and Responsibilities
Agency Division Heads, Data Owners: responsible for the policy and decisions regarding data
Erik Barth, System Owner/System Administrator: assists in the day-to-day administration of systems and implements security controls and other requirements
Debbie Sparks, Agency Inventory Coordinator: responsible for maintaining accurate records for transfers and returns of hardware and software assets and for off-site authorizations

Key IT Security Roles and Responsibilities
John Bull, FOIA Coordinator: coordinates Freedom of Information Act information requests
Rick Lauderman, COOP Coordinator: coordinates Continuity of Operations Planning (Disaster Recovery)
Brandy Battle, Records Retention Manager: maintains records retention policies and/or procedures

Key IT Security Roles and Responsibilities
Data Custodians are individuals in physical or logical possession of data for Data Owners:
Terri Short, CFLS, Administrative Accounting Systems
Tony Watkinson, HMPTS
Ben Stagg, OGLS, CAD and GIS
Warner Rhodes, LEDS
Joe Grist, FDS
Lewis Gillingham, SWFT
Linda Hancock, HR
Todd Sperling, Agency Web Site

Key IT Security Roles and Responsibilities
System users include all employees and contractors that have access to Agency PC resources
System users' responsibilities include the following:
Read and comply with the User Security Policy
Report breaches of IT security, actual or suspected, to agency management and/or the ISO
Take reasonable and prudent steps to protect the security of IT systems and data to which they have access

Supervisors
All supervisors shall conduct an annual position review of employees with IT roles and responsibilities
This annual review should be conducted in alignment with the annual review of all Employee Work Profiles (EWP) in October
Security-related roles must be described in employee EWPs

Risk Management
Protects COV IT systems and data based on sensitivity and risk
Allows each Agency to determine how these factors apply to its IT systems, including system availability needs
Formal system risk assessments will be conducted at MRC as necessary, but at least every three years

Risk Management
System users must report to their supervisor any activity they perceive may pose a risk to the security of information managed and accessed by agency PC systems
Supervisors shall report in writing any credible risks to the Data Custodian of the affected system and to the ISO

IT Contingency Planning
Defines processes and procedures that plan for and execute recovery and restoration of IT systems and data
MRC Contingency Planning documents:
MRC IT Business Impact Analysis, Risk Assessment, Contingency Management, and Disaster Recovery Plan
MRC Continuity of Operations Plan (COOP)

IT Contingency Planning
System users that have been assigned a role in contingency planning must do the following:
Read and comply with requirements described by applicable Agency contingency plans
Treat contingency plans as sensitive data
Store contingency plans at a secure off-site location

Continuity of Operations and Disaster Recovery Planning Team
The agency's COOP Coordinator will focus on the following activities:
Updating the COOP Report
Determining the COOP/DRP team members
Testing the COOP Plan on an annual basis

IT Systems Security
Defines the necessary steps for effective protection of Agency IT systems
Ensures security in the following areas:
System Hardening
IT Systems Interoperability Security
Malicious Code Protection
IT Systems Development Life Cycle Security

IT Systems Security
System users and contractors should know and comply with the following standards:
Use systems for state business purposes
Use virus and malware protection/detection software
Ensure that anti-virus and anti-malware software is functioning properly and using up-to-date signature files
Prevent the use of computer games on all state-owned PC resources
Delete, or ask for assistance in deleting, computer game software on newly purchased PC workstations

IT Systems Security
All IT system users are prohibited from the following:
Intentionally developing or experimenting with malicious programs (e.g., viruses, worms, spyware, keystroke loggers, phishing software, Trojan horses, etc.)
Knowingly propagating malicious programs, including by opening email attachments from unknown sources

IT Systems Security
Any employee or contractor involved in systems development or systems installation for the Commission must do the following:
Read and comply with the security requirements for the systems development life cycle in the MRC Information Security Program

Logical Access Control
Defines the steps necessary to protect the confidentiality, integrity, and availability of COV IT systems and data against compromise
Defines requirements in the areas of account management, password management, and remote access

Logical Access Control
Commission employees and contractors are prohibited from the following:
Accessing data or systems for which they have not been granted authorization
Using guest and shared accounts: please report any existing guest or shared accounts to the Agency ISO

Logical Access Control
IT system users are required to do the following:
Obtain formal authorization and a unique user ID and password prior to using Agency systems, including Citrix remote access capabilities
Prevent unauthorized use of unattended PC workstations when confidential information is accessible
Use screen saver passwords or automatic Windows workstation locking (the inactivity timeout before the lock engages should not exceed ten minutes)

Logical Access Control
IT system users are required to keep all passwords confidential:
Passwords should not be posted, displayed or stored
Passwords are not to be included in any type of script, batch login file or procedure
Passwords shall not be transmitted electronically without the use of industry-accepted encryption standards
Immediately change passwords and notify the ISO if they suspect their passwords have been compromised
All employees and contractors requesting system access accounts should do the following:
Complete the Employee System Access form for the creation, modification or deletion of system accounts at the following link: http://www.mrc.virginia.gov/hr/
Provide the following signatures on the form: employee, supervisor, and system owner
The IT department will maintain all system access information

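The rule above against embedding passwords in scripts and batch login files is only enforced if someone actually looks. The scanner below is an added example written for this page; it is not MRC or VITA code. It flags the common ways a cleartext credential lands in a Windows login script (`net use` and `net user` with an inline password, `psexec -p`, and `password=`-style assignments), skips prompted or variable-substituted values such as `*` and `%1`, and masks the secret in its output so the report handed to the ISO does not itself leak it. The sample login script it runs against is constructed; the account names, servers and passwords in it are invented, and the pattern list is a heuristic starting point rather than an exhaustive one.

```python
import re
import sys
from typing import List, Tuple

# Heuristic patterns for cleartext credentials in Windows batch / login scripts.
# Each entry: (label, compiled regex with a named "secret" group).
PATTERNS = [
    # net use S: \\server\share Secr3t /user:DOMAIN\alice
    ("net use with inline password",
     re.compile(r"^\s*net\s+use\s+\S+\s+\\\\\S+\s+(?P<secret>\S+)\s+/user:", re.I)),
    # net user alice Secr3t /add
    ("net user with inline password",
     re.compile(r"^\s*net\s+user\s+\S+\s+(?P<secret>\S+)\s+/add\b", re.I)),
    # psexec \\host -u DOMAIN\admin -p Secr3t cmd
    ("psexec -p password",
     re.compile(r"\bpsexec\b.*?\s-p\s+(?P<secret>\S+)", re.I)),
    # set DBPASSWORD=Secr3t  /  pwd="Secr3t"  (no leading \b: catches DBPASSWORD=)
    ("password variable assignment",
     re.compile(r"(?:password|passwd|pwd)\s*=\s*[\"']?(?P<secret>[^\s\"']+)", re.I)),
]

# Values that mean "prompt the user" or "placeholder", not a hard-coded secret.
PLACEHOLDERS = {"*", "<password>", "%password%"}


def mask(secret: str) -> str:
    """Keep the first character so a reviewer can recognise the value, hide the rest."""
    return secret[0] + "*" * (len(secret) - 1) if len(secret) > 1 else "*"


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, masked_secret) for each line carrying a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            secret = m.group("secret")
            # "*" prompts for the password; "%1" / "%PW%" are substituted at run time.
            if secret.lower() in PLACEHOLDERS or secret.startswith("%"):
                continue
            findings.append((lineno, label, mask(secret)))
            break  # one finding per line is enough for the report
    return findings


# Constructed sample login script (invented names and passwords) for the example.
SAMPLE_LOGIN_BAT = r"""@echo off
rem Constructed sample login script for this example
net use H: \\fileserver\home$ /persistent:no
net use S: \\fileserver\shared Secr3tPa55 /user:MRC\svc_backup
net use P: \\printsrv\queue * /user:MRC\%USERNAME%
set DBPASSWORD=changeme123
psexec \\ws-014 -u MRC\admin -p Adm1nPw cmd /c ipconfig
net user tempuser TempPw!2009 /add
"""


def main(argv: List[str]) -> None:
    # With file arguments, scan those; otherwise scan the constructed sample.
    if argv[1:]:
        for path in argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, label, masked in scan_script(fh.read()):
                    print(f"{path}:{lineno}: {label}: {masked}")
    else:
        for lineno, label, masked in scan_script(SAMPLE_LOGIN_BAT):
            print(f"sample.bat:{lineno}: {label}: {masked}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the login-script share and any per-machine batch files; lines 3 and 5 of the sample show the two acceptable forms (no credential at all, or `*` so the user is prompted), which is what a remediated script should look like.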
Logical Access Control
Sensitive Systems (CFLS; FSS/FTS; SMS):
All employees and contractors that request access to agency sensitive systems must fill out the non-disclosure form at: http://www.mrc.virginia.gov/hr/
This form requires the following signatures: Employee, Data Custodian, and ISO

Logical Access Control
Granting Sensitive or Non-Sensitive System Access for External Users
The Data Custodian for each sensitive/non-sensitive system will do the following:
Grant access for external users
Provide a signed copy of all non-disclosure forms to the ISO Office (as applicable to the sensitive system), or, if the system is self-registering, users will electronically accept the terms of usage, including non-disclosure of sensitive information
Conduct an annual review, verify and keep on file a listing of active external users requiring access to the sensitive system

Data Protection
Provides security safeguards for the processing and storing of data
Includes requirements in the areas of Media Protection and Encryption

Data Protection
Dataset Creators or Data Custodians are responsible for protecting and identifying stored sensitive data
CFLS, FTS/FSS and SMS are the agency systems currently identified as sensitive
Sensitive data may not be stored on mobile data storage media or on local desktop or laptop computers unless it is properly encrypted, physically and logically secured in a reasonable manner, and authorized in writing by the Agency Head

Data Protection
Pickup, receipt, transfer, and delivery of all data storage media containing sensitive data is restricted to authorized personnel only
Sensitive data may not be transmitted without proper encryption

Data Protection
Data Custodians shall be responsible for submitting the following authorizations to the ISO:
Transporting sensitive data in hardcopy or on mobile storage media
Storing sensitive data on a local desktop or laptop computer
Authorizations should include names and a brief description of the business need
The ISO shall request written authorization from the agency head and maintain authorization records

Data Protection
Data storage media must be sanitized prior to disposal or reuse
All data destruction shall be done in accordance with the ITRM Removal of Commonwealth Data from Surplus Computer Hard Drives and Electronic Media Standard (ITRM Standard SEC2003-02.1)

Data Protection
Data Custodians shall be responsible for requesting in writing from the ISO the destruction or sanitization of data storage media containing sensitive data
The ISO or his designee shall be responsible for data destruction or sanitization and for documenting it

Data Protection
All personnel with access to sensitive data systems must sign a non-disclosure and security agreement:
The agreement makes clear that unauthorized disclosure of any sensitive data is prohibited
For all VITA-NG personnel and contractors, the agency will accept non-disclosure and security agreements signed as a condition of their employment with VITA-NG

Data Protection
IT system users are required to perform the following data protection measures:
Regularly back up data files stored on local drives
Store backup copies of critical non-network data files offsite
Be aware that data files stored on network directories will be backed up by the Business Applications Department each business day
Store magnetic and optical media (diskettes, tapes, CD-ROM) in a secure container away from extreme temperatures

Facilities Security
Requires planning and application of facilities security practices to provide a first line of defense for IT systems against the following:
Damage, theft, and unauthorized disclosure of data
Loss of control over system integrity
Interruption of computer services

Facilities Security
All employees are instructed to:
Maintain an office environment that employs practical, cost-efficient safeguards to protect against human, natural and environmental risks to Agency information resources
Report immediately any suspicious situations or problems related to facilities such as heating, cooling, water, electrical, fire suppression, security access systems and door locks

Facilities Security
Employees must accompany visitors to areas of the Agency that house sensitive data, particularly the First Floor Network Room
If visitors are not accompanied by agency personnel, they must have proper authorization from the ISO or VITA-NG to be working in those areas

Facilities Security
Employees and contractors should perform the following steps to protect equipment and data:
Lock office areas when departing from an unattended main office suite or field office
Keep vaulted rooms locked when not in use to protect sensitive data
Lock vehicles, and remove equipment and data from vehicles, boats, or planes when not in use

Personnel Security
Reduces risk to COV IT systems and data
Specifies access determination and control requirements for individuals who require sensitive data and systems as part of their job duties
Includes Security Awareness and Training requirements to provide all IT system users with an appropriate understanding of policies

Personnel Security
All personnel and contractors shall:
Complete agency security training at least annually, or as soon as practical after starting work for the Commission
Adhere to DHRM Policy 1.75, Use of Internet and Electronic Communication Systems
Have no expectation of privacy: the Agency and COV reserve the right (with or without cause) to monitor, access, and disclose all data on COV systems

Personnel Security
Background checks:
All new Business Application Systems employees of the Agency, VITA-NG staff, and contractors are required to undergo pre-employment background checks, repeated at least every two years after the initial hire date
Individual Agency divisions shall determine the need for background checks of personnel within their area of responsibility who have access to sensitive systems

Personnel Security
It shall be the responsibility of the Human Resources Officer to report, in writing, to the ISO all permanent and temporary employee terminations
Agency supervisors shall report, in writing, transfers and request modifications of user access rights
The ISO shall maintain a file documenting terminations and the associated removal of physical and logical access rights

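HR's written termination notice and the ISO's file of removed access are two records, and the gap between them is where stale accounts live. The reconciliation below is an added example for this page, not MRC code: it takes a list of HR termination notices and an export of directory accounts (user id, enabled flag, last logon, remaining group memberships) and reports accounts still enabled after the effective date, accounts whose group memberships were never stripped, accounts used after the termination date, and terminations with no matching account, which should be confirmed against the ISO's removal file rather than assumed fine. All records are constructed; the user ids and dates are invented, and the field layout is an assumption about whatever directory export is available, not an MRC format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Termination:
    """One line of the HR Officer's written termination notice to the ISO."""
    user_id: str
    effective: date  # last day of employment


@dataclass(frozen=True)
class Account:
    """One row of a directory export (assumed layout, not a real MRC export)."""
    user_id: str
    enabled: bool
    last_logon: Optional[date]
    groups: Tuple[str, ...]


# Groups every account carries; membership here is not a retained grant.
DEFAULT_GROUPS = {"domain users"}


def reconcile(terminations: Sequence[Termination],
              accounts: Sequence[Account],
              as_of: date) -> Dict[str, List[str]]:
    """Compare HR terminations against live accounts; return user ids by finding class."""
    by_id = {a.user_id.lower(): a for a in accounts}
    issues: Dict[str, List[str]] = {
        "still_enabled": [],            # account can still log on
        "groups_remaining": [],         # group grants never stripped (disabled or not)
        "logon_after_termination": [],  # evidence the account was used after last day
        "account_absent": [],           # no row: deleted, or notice names an unknown id
    }
    for t in terminations:
        if t.effective > as_of:
            continue  # not yet effective; nothing to remove today
        acct = by_id.get(t.user_id.lower())
        if acct is None:
            issues["account_absent"].append(t.user_id)
            continue
        if acct.enabled:
            issues["still_enabled"].append(t.user_id)
        if any(g.lower() not in DEFAULT_GROUPS for g in acct.groups):
            issues["groups_remaining"].append(t.user_id)
        if acct.last_logon is not None and acct.last_logon > t.effective:
            issues["logon_after_termination"].append(t.user_id)
    return issues


def format_report(issues: Dict[str, List[str]], as_of: date) -> List[str]:
    """Render findings as lines for the ISO's termination file; empty classes are omitted."""
    lines = [f"Termination access review as of {as_of.isoformat()}"]
    for cls, ids in issues.items():
        if ids:
            lines.append(f"  {cls}: {', '.join(ids)}")
    if len(lines) == 1:
        lines.append("  no findings")
    return lines


# Constructed HR notice and directory export: invented ids, dates and groups.
AS_OF = date(2009, 10, 15)
TERMINATIONS = [
    Termination("jdoe", date(2009, 9, 30)),
    Termination("asmith", date(2009, 10, 9)),
    Termination("bwhite", date(2009, 10, 20)),  # future date, nothing due yet
    Termination("ctemp", date(2009, 8, 31)),    # contractor, no row in the export
]
ACCOUNTS = [
    Account("jdoe", False, date(2009, 9, 29), ("Domain Users", "CFLS_Users")),
    Account("asmith", True, date(2009, 10, 12), ("Domain Users", "SMS_Readers")),
    Account("bwhite", True, date(2009, 10, 14), ("Domain Users", "FSS_Users")),
    Account("mjones", True, date(2009, 10, 15), ("Domain Users", "HR_Staff")),
]

if __name__ == "__main__":
    for line in format_report(reconcile(TERMINATIONS, ACCOUNTS, AS_OF), AS_OF):
        print(line)
```

The "logon after termination" class is the one to act on first: a disabled account with leftover groups is hygiene, but an enabled account that authenticated after the last day of employment is a potential incident and belongs in the Threat Management reporting path, not only in the termination file.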
Threat Management
Addresses protection of COV IT systems and data by preparing for and responding to IT security incidents
Includes Threat Detection, Incident Handling, and IT Security Monitoring and Logging

Threat Management
All system users must report immediately to their supervisors any unauthorized disclosure of data or any incident that could potentially compromise data
On discovering such an incident, users are required to immediately log off and shut down their computers
Supervisors must report such incidents immediately to the ISO

Threat Management
Security Incident Handling and Reporting
The agency ISO will report, within 24 hours, all events that have a real impact on the Commission to the CISO and VITA using the following form:
https://www.vita.virginia.gov/security/incident/secureCompIncidentForm/threatReporting.cfm
The agency ISO will keep all documented materials in the IT files

IT Asset Management
Concerns protection of the components that comprise COV IT systems by managing them in a planned, organized, and secure fashion
Includes IT Asset Control, Software License Management, Configuration Management, and Change Control

IT Asset Management
Installation of software on Agency IT systems is prohibited until approved by the Information Security Officer (ISO) or VITA-NG
Unauthorized installation, duplication and/or violation of the software license agreement of copyrighted software is illegal and subject to a Group II Offense under the State Employee Standards of Conduct: "Unauthorized Use or Misuse of State Property or Records"

IT Asset Management
Only authorized personnel in the Business Applications Department or VITA-NG may procure or dispose of agency hardware and software assets
Appropriate property transfer documents containing information on the returns of surplus hardware and software assets should be made to the ISO or, when appropriate, to VITA-NG personnel
All returns (upon employee termination) and transfers of hardware and software assets must be made with the appropriate property transfer documentation and thereby coordinated with the Agency Inventory Coordinator
IT Asset Management
Personal IT assets, including hardware like laptops and media like personal flash drives or USB hard drives, on Agency facilities are prohibited
Removing assets from the agency:
Static COV IT assets (desktop PCs and printers) must have written authorization by each employee's supervisor with notification to the Agency Inventory Coordinator
Mobile COV IT assets (laptops, PDAs, and portable printers) are intended to be used off Agency premises and shall not require any additional authorization when assigned to an individual employee or contractor
IT Asset Management
The Agency Inventory Coordinator shall maintain the records of all returns, transfers and off-site authorizations
Annually, the Agency Inventory Coordinator shall conduct a paper inventory audit of all IT assets, supplemented with a random physical audit to ascertain the location of all COV IT assets
Records Retention
The Agency Records Retention Manager shall maintain records retention policies and/or procedures
Updated MRC Record Retention Procedures can be obtained from Brandy Battle, Records Retention Manager, 757-247-2260; Brandy.Battle@mrc.virginia.gov
Additional information can be obtained from the Library of Virginia at: http://www.lva.lib.va.us/whatwedo/records/
Thanks!
Thanks for going through the training today.
Information Security is critical at work and at home. We appreciate you taking the time to learn the contents of this training and highly encourage you to take some time regularly to read up on security topics. You can click on the security link at the bottom of our MRC web pages to visit the VITA-NG security web site at any time.
Please contact Erik Barth (x72262), Linda Farris (x72280) or your supervisor if you have any questions about this training or information security topics in general.