ESPSG - Texas Health and Human Services Commission








HHS Enterprise Information Security Standards and Guidelines (EISSG)

Version 4.01

May 4, 2011


HHS Information Security Standards and Guidelines

i

11/21/2013


Table of Contents

The Security Policy of the HHS Enterprise
Applicable State and Federal Laws, Rules and Regulations
Revision History
Information Security Standards and Guidelines
1.1 Acceptable Use
1.2 Account Management
1.3 Administrative and Special Access
1.4 Anti-Spam
1.5 Audit Logging
1.6 Back-up and Disaster Recovery
1.7 Change Management
1.8 Data Classification
1.9 Electronic File Transfers
1.10 E-mail Use
1.11 Exceptions
1.12 Imaging Devices
1.13 Incident Management
1.14 Incidental Use/Limited Use
1.15 Internet/Intranet/Extranet Use
1.16 Intrusion Detection / Prevention
1.17 Malicious Code
1.18 Network Access
1.19 Network Configuration
1.20 Operating Systems
1.21 Passwords
1.22 Physical Access
1.23 Portable/Remote Computing
1.24 Privacy Standards
1.25 Removable Media
1.26 Systems Development
1.27 System Configuration Hardening / Patch Management
1.28 Security Monitoring
1.29 Security Training
1.30 Vendor Access
1.31 Virtual Private Network (VPN)
1.32 Vulnerability and Risk Assessment
1.33 Wireless Computing
Appendix I - Definitions
Appendix II - Additional information about security References
Appendix III - Protecting Data





THE SECURITY POLICY OF THE HHS ENTERPRISE

Health and Human Services Commission (HHSC) Enterprise Security Management (ESM) will develop and implement an Information Security Program for the HHS Enterprise that meets both the applicable requirements of 1 TAC 202 and the requirements of federal funding partners.

HHS agency information security officers (ISOs) will develop and implement an Information Security Program for their respective agencies that meets both the applicable requirements of 1 TAC 202 and the requirements of federal funding partners.

HHS agencies will develop and implement information security policies, standards, and guidelines that are consistent with and will not limit the effectiveness of the Enterprise Information Security Policy.

All authorized users (including, but not limited to, HHS enterprise personnel, temporary employees, interns, and employees of independent contractors) of HHS Enterprise's information resources must comply with all policies, standards, processes, and procedures created in support of this program.

Users who violate this policy will be subject to loss of access to information resources. Employees of the HHS Enterprise may be subject to disciplinary action in accordance with Chapter 10, Positive Performance, and Chapter 11, Disciplinary Actions, of the HHS Human Resources Manual.



APPLICABLE STATE AND FEDERAL LAWS, RULES AND REGULATIONS

These information security standards, guidelines, and definitions support the Enterprise Information Security Policy. Together, these two documents serve to protect Health and Human Services (HHS) Information Resources (IR) in accordance with applicable state and federal laws, rules, and regulations, including:

- Chapter 202 of Title 1 of the Texas Administrative Code (1 TAC 202), Information Security Standards.

- Information Security Controls for State of Texas Data Center Services (ISeC), a Team For Texas (TFT) produced document that identifies the security standards, policies and controls that TFT will provide. Other TFT documents also comprise the security standards, policies and controls at HHS and include: the Security Design Document (SDD), the Technology Plan, and the State of Texas Data Center Services Policies & Procedures Manual (PPM).

- Federal Information Processing Standards (FIPS), which are non-waiverable federal standards that all federal entities and anyone using federal data or systems must follow.

- Federal Information Security Management Act (FISMA), which defines a comprehensive framework to protect government information, operations, and assets against natural or human made threats.







- Internal Revenue Service Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities.

- OMB-M-06-16 MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES, Protection of Sensitive Agency Information, June 23, 2006.

- National Institute of Standards and Technology (NIST) Special Publications, which present the results of NIST studies, investigations, and research on information technology security issues.

- Social Security Administration’s Information System Security Guidelines for Federal, State, and Local Agencies Receiving Electronic Information from the Social Security Administration. (Attachment C)

- Centers for Medicare and Medicaid Services (CMS) Policy for the Information Security Program (http://www.cms.hhs.gov/InformationSecurity/Downloads/PISP.pdf) for Medicaid and the State Children’s Program.

- The Health Insurance Portability and Accountability Act (HIPAA) Security Rule (http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf) establishes standards for the security of electronic protected health information.

- The Health Information Technology for Economic and Clinical Health (HITECH) Act (http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf) addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

- Supplemental Nutrition Assistance Program (SNAP) Regulations, § 272.1 - General Terms and Conditions, REQUIREMENTS FOR PARTICIPATING STATE AGENCIES SNAP Requirements

Please refer to References (Appendix II) for further information on these laws, rules, and regulations or more information about protecting HHS data.






Revision History:

Numbering convention: version.revision as n.xx. Pre-publication drafts are 0.xx; first published version is 1.00; for minor revisions to a published document, increment the decimal number (ex. 1.01); for major content upgrades to a published document, increment the leading whole number (ex. 2.00).

| Revision | Date | Description |
|---|---|---|
| 0.01 | 05-2007 | Initial document distributed by ESM |
| 0.02 | 05-2007 | Updates based on review by: ISOs and IRMs |
| 0.03 | 05-2007 | Updates based on management review by: CIO |
| 1.00 | 05-2007 | First Published Draft of Security Standards and Guidelines |
| 1.01 | 11-2007 | Updates to incorporate Federal Security Requirements sent for review to ISOs and IRMs |
| 1.02 | 12-2007 | Updates to incorporate Federal Security Requirements sent for review by: CIO |
| 2.00 | 12-2007 | Second Published Draft of Security Standards and Guidelines |
| 2.50 | 06-2008 | Updates to incorporate changes to physical security and address secure file transfer requirements sent for review to IM&O, ISOs and IRMs |
| 2.60 | 07-2008 | Updates to incorporate changes to physical security, secure file transfer, remote access, and security plan requirements sent for review to ISOs, IRMs and other agency management. |
| 2.70 | 08-2008 | Updates to incorporate changes to Wireless Computing, and Privacy sections. Included section for data classification. |
| 2.80 | 08-2008 | Updates for addition of Electronic Transfer Section and final review by ISO, IRM, CIO, TARB and EOB. |
| 3.00 | 08-2008 | Third Published Draft of Security Standards and Guidelines. (Revisions to the numerous sections) |
| 3.10 | 10-2008 | Minor revision to incorporate changes to Portable/Remote Computing Section 1.23, Removable Media Section 1.25 and Wireless Computing Section 1.33 |
| 4.00 | 11-2010 | Fourth published draft of the Security Standards and Guidelines. (Revisions to the numerous sections based on the Audit of Confidential Data Transfers) |
| 4.01 | 05-2011 | Minor revision to incorporate changes to Acceptable Use Section 1.1, Incidental Use/Limited Use Section 1.14 |






INFORMATION SECURITY STANDARDS AND GUIDELINES

1.1 Acceptable Use

All electronic data, hardware, and software residing on HHS networks are considered state property (assets). All information passing through the HHS networks, which has not been specifically identified as the property of other parties, will be treated as an HHS asset. Unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of these resources is prohibited. All User activity on HHS IR is subject to logging and review.

Every information system privilege that has not been explicitly authorized is prohibited. Such privileges will not be authorized for any HHS business purpose until approved by the information Owner, or designee, in writing or by electronic acknowledgement. Information entrusted to HHS will be protected in a manner consistent with its confidentiality and in accordance with all applicable standards, agreements, and laws.

Any person or entity granted access to HHS IR, including HHS employees, volunteers, interns, private providers of services, contractors, vendors, and representatives of other agencies of state government must comply with the standards set forth in this document. For purposes of this document, the term “User” refers specifically to an HHS IR User.

1.1.1 Users may not attempt to access any data, program, or system for which they do not have authorization or explicit consent.

1.1.2 Users must not disclose confidential or sensitive data, or confidential or sensitive agency system or network information.

1.1.3 Care must be taken to safeguard information that is considered confidential or sensitive, including Personally Identifiable Information (PII) and Protected Health Information (PHI). Users must ensure that Confidential HHS materials are appropriately protected at all times. Examples of confidential or restricted personal information include: social security numbers, federal tax return information or other medical information. (See also: Appendix III - Protecting Data)

1.1.4 Any User who becomes aware of an incident of unauthorized access of confidential information must report such to the agency Information Security Officer (ISO) or designee upon discovery, generally not to exceed 24 hours. Additional documentation may also be required. For example: the agency privacy office will have a worksheet for reporting loss of Protected Health Information (PHI) to the Centers for Medicare & Medicaid Services, while the unauthorized access to Federal Tax Information must be reported to the U.S. Treasury Inspector General for Tax Administration.

1.1.5 Users must not share their account identifiers, passwords, Personal Identification Numbers (PINs), Security/Access Tokens (e.g., Smartcards), or any other information or device used for identification, authentication, authorization, or access purposes.

1.1.6 Any User who becomes aware of a computer security incident, weakness, misuse or violation of any policy related to the security and protection of those resources must report such to the agency Information Security Officer (ISO) or designee upon discovery, generally not to exceed 24 hours.

1.1.7 Software installed or run within the HHS systems and/or networks must be approved by the Custodian responsible for that area.

1.1.8 Users must not download or operate a peer-to-peer (P2P) file sharing system such as LimeWire, KaZaA, BitTorrent, Morpheus or Gnutella, etc., available to the general public to transfer files (including music or video files).

Risks associated with P2P use include the following:

- By running a peer-to-peer (P2P) application, you may be sharing confidential HHS information, consuming excessive network bandwidth, inadvertently sharing personal information and/or making your computer vulnerable.

- Viruses and trojans are easily spread using P2P applications. Many P2P applications include “malware” in the download, so you may be unintentionally infecting your HHS computer.

- Most P2P applications are configured so other users can access your hard drive and share your files. This can put confidential HHS data at risk.

- If you copy and distribute copyrighted material without the permission required by law, you may be violating civil or criminal copyright infringement laws. Civil penalties for Federal Copyright infringement range from $750 per song to $150,000 in damages for each willful act. Criminal penalties can run up to five years in prison and $250,000 in fines.


1.1.9 Before leaving their computers unattended, Users must either lock access to their workstations or logoff.

1.1.10 Users of HHS information resources must not engage in any act that would violate the purposes and goals of HHS as specified in its governing documents, rules, regulations, and procedures.

1.1.11 Users must not intentionally access, create, store, or transmit any material that may be offensive, indecent, or obscene. Materials required for research projects and explicitly approved by HHS are excluded from this prohibition.

1.1.12 A user may not engage in any activity that is harassing, threatening or abusive, degrades the performance of IR, deprives or reduces an authorized User’s access to resources, or otherwise circumvents any security measure or policy.

1.1.13 A User shall not use any HHS IR to gain personal benefit.

1.1.14 Users must use appropriate safeguards to protect IR from damage, loss, or theft.

1.1.15 Any User of HHS owned or leased equipment who takes the resource off-site to an environment out of the authority of HHS must follow the same security policies, standards, and guidelines to protect the resource as required when in use at an HHS location.

1.1.16 Any User of HHS owned or leased equipment used in an environment out of the authority of HHS must protect that equipment from theft, use or abuse by non-HHS approved Users.

1.1.17 All users must sign or electronically acknowledge the HHS Enterprise Computer Use Agreement (CUA, Form HR0314; http://hhscx.hhsc.state.tx.us/eit/security/is_forms/HR0314.pdf) indicating they have read, understand and agree to comply with the rules of behavior, and this must be on file before any access is granted. (See Account Management Section 1.2)





1.2 Account Management

Account Management establishes the standards for the creation, monitoring, control, and removal of accounts. The Account Management standard shall apply equally to all User accounts without regard to their status or category.

User accounts are the means by which access is granted to HHS IR. They are granted to employees, volunteers, vendors, contractors, students and others determined to have need. These accounts assist in establishing accountability for systems use and are a key component in the protection of data confidentiality and integrity.

1.2.1 All Users must sign or electronically acknowledge the HHS Enterprise Computer Use Agreement (CUA, Form HR0314; http://hhscx.hhsc.state.tx.us/eit/security/is_forms/HR0314.pdf) before access is given to any IR. Additional documentation may also be required. For example, all Users with access to Federal Tax Information must sign a Form 4014-IRS CSA and affirm the agreement annually.

1.2.2 The appropriate access request processes must be completed and approved before a User account is created and the User is granted access rights to any HHS IR.

1.2.3 The manager/supervisor of any HHS user must ensure that access to any HHS information resource has been properly authorized and that such access is sufficient to complete job functions or is based on a valid “need to know” and intended system usage. In other words, users should only be granted access to the extent that the user must have access to confidential information or resources sufficient to accomplish official duties.

1.2.4 Access to protected health information must be restricted to appropriate individuals and entitled program areas only. Procedures must be in place to protect this health information from unauthorized access by the organization at large.

1.2.5 Each User shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of Users.

1.2.6 Application owners are responsible for ensuring that a review of the creation, modification, disabling, and termination actions of each authorized user and account access levels is conducted. Account access levels will be reviewed, at a minimum, every twelve (12) months for appropriateness. Application owners will notify IR Custodians or other appropriate security administrators of changes to user accounts or access levels upon completion of an annual review or when changes occur.

1.2.7 Unsuccessful account access attempts must be monitored and accounts locked after failed attempts as determined by a documented risk assessment.

1.2.8 All User accounts that have not been accessed within ninety (90) days of creation will be disabled. Exceptions to this include:

A. Certain accounts held in suspense for the purpose of application maintenance.

B. Accounts established for the purpose of quarterly, semiannual or annual usage.





1.2.9 The manager/supervisor of any HHS IR user that shall be absent from the work place for a period in excess of ninety (90) days must notify the Custodian responsible for that area. The User’s account will be disabled during their absence and reactivated upon notification of their return.

1.2.10 All accounts established for employees, contractors, consultants, interns, vendors and/or maintenance accounts must be disabled immediately upon termination or completion of the contract period.

1.2.11 Accounts that have been disabled due to a user termination will be deleted when technically feasible within 90 days of disabling the account unless documented exceptions exist. Supervisors or internal HHS management of the terminated employee, contractor, consultant, intern, or vendor must ensure that all files, data or other electronic documents pertaining to State of Texas business are maintained in accordance with records retention requirements.

1.2.12 All HHS partner organizations (private providers, Community Centers, etc.) must sign an agreement that requires them to notify HHS when their User accounts change due to termination or transfer. Upon notification, these accounts must be disabled or reassigned in compliance with application specific requirements.

1.2.13 In the event of involuntary terminations of employees, contractors, consultants, interns or vendors, contact the agency designated Information Security Officer (ISO) or Enterprise Security Management if immediate deactivation of security access is warranted.

1.2.14 Custodians or other designated staff:

A. Must have a documented process(es) to manage accounts in the event of User’s termination of employment or change in job status necessitating the termination or modification of a User’s access.

B. Must have a documented process(es) to modify a User account to accommodate situations such as name changes, accounting changes, and permission changes.

C. Are responsible for modifying or disabling the accounts of individuals who change roles within HHS or are separated from their relationship with HHS.

D. Must have a documented process(es) for periodically reviewing existing accounts for approved access.

E. Must maintain a current list of accounts for the systems they administer.

F. Must provide a list of accounts for the systems they administer when requested by authorized HHS management.

G. Must cooperate with authorized HHS management investigating computer security incidents.

H. Must restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Explicitly authorized personnel include: system and security administrators, network administrators and systems programmers, database administrators or other personnel performing maintenance or system control and monitoring.





1.3 Administrative and Special Access

On occasion, certain staff and/or consulting personnel may be granted levels of access to HHS systems that exceed the account privileges granted the regular User. Typically, these are positions providing technical support and/or administrative functions. The nature of these accounts requires a higher level of control and monitoring on the part of security administrators throughout the HHS System.

The Administrative and Special Access standards establish those parameters to which the User granted this access must adhere in order to adequately protect the information resources of HHS.

1.3.1 Prior to receiving access privileges to HHS systems, Users must sign the HHS Enterprise Computer Usage Agreement (HR0314) and other security and privacy agreements appropriate to their status.

1.3.2 Each User of HHS Administrative/Special Access accounts shall be assigned a unique identifier, except for situations where risk analysis demonstrates no need for individual accountability of Users.

1.3.3 Users with Administrative/Special Access must use the account privileges most appropriate to the work they are performing. For example, they will not make use of their administrator account to perform work more appropriately performed while using their standard User account.

1.3.4 Users with Administrative/Special Access will maintain a password for that account in compliance with the HHS Password Standards. (See also Section 1.21 Passwords)

1.3.5 Any password used in relation with a primary Administrator/Special Access account must be changed when any individual with knowledge of that password changes duties such that they no longer require access, including change of job duties, termination, etc. Any User of a primary Administrator account (root, enterprise, etc.) must participate in password escrow so that another approved User, other than the original administrator may access that account in the event of an emergency.

1.3.6 Any default administrative account must be renamed upon first use.

1.3.7 Any Special Access account created on behalf of specialized research projects, internal or external audit needs and requirements, software installation, testing or development projects, or any other defined need must:

A. Be authorized by the appropriate HHS staff position or administrator,

B. Be established with a specific and defined date of expiration, and

C. Be removed when the work is completed or the expiration date is reached, whichever is first.

D. The process(es) for changing and amending Special Access accounts must be documented.





1.3.8 Remote administration accounts must be approved by the Chief Information Officer, agency IRM, or designee. Where remote administration is justified, transmittal of the administrator credentials and other administration activities must be encrypted. (See 1.23.9)

1.4 Anti-Spam

As digital messaging (e-mail, cellular messaging, etc.) has become an integral part of the business process, its abuse has also grown. This abuse often is manifested as “spam” or “junk” messaging which has the potential to, beyond its annoying nature, slow down and/or clog the infrastructure required to process electronic messages. In addition, “spam” is often used as a transmission vehicle in the migration of malicious code infections.

1.4.1 HHS Management retains the right to examine any message item for subject and/or content to determine abuse.

1.4.2 HHS Information Technology (IT) management, in consultation with other HHS management, reserves the right to filter and/or block any message item, inbound or outbound, which is determined to place HHS, its systems, and/or networks at an unacceptable level of risk.

1.4.3 HHS IT shall, in consultation and aligned with industry best practices, filter and/or block any attachment or enclosure to any message that places the HHS systems and/or networks at an unacceptable level of risk.

1.4.4 HHS IT shall identify a listing of key words and phrases that are common to “spam” and shall filter those words and phrases on all inbound message items in order to prevent those items from entering the HHS systems and/or networks.

1.4.5 All Users of HHS messaging systems shall refrain from forwarding multiple copies of received message items that are not directly connected to the HHS business process without the explicit consent of the recipient.







1.5 Audit Logging

Audit logs must enable the tracking of activities taking place on the system. Ensure that the following minimum audit trail capabilities exist. Other audit log or audit trail requirements may exist depending on the system or application and the classification of the data.

1.5.1 Audit logging capability must be enabled and monitored based on agency risk management decisions.

1.5.2 Audit records shall contain sufficient information to establish what events occurred, when the events occurred (date and time), the source of the events (user or system account), the cause of the events (service or process), and the event outcome.

1.5.3 The movement of production data from platform to platform is required to be traceable.

1.5.4 Log files (audit trails) of each electronic file transfer execution must be maintained in accordance with records retention schedules or other State and Federal requirements.

1.5.5 Information systems shall be configured to allocate sufficient audit record storage capacity to record all necessary auditable items.

1.5.6 All job execution audit trails are platform specific and independent of each other.

1.5.7 All electronic file transfers are to be performed by a job scheduled in either the automated enterprise scheduler or an approved alternative.

1.5.8 Audit information and audit tools shall be protected from unauthorized access, modification, and deletion.

1.5.9 The audit trail shall be restricted to personnel routinely responsible for performing security audit functions.

1.5.10 The information system shall alert appropriate HHS organizational officials in the event of an audit processing failure and take the appropriate additional actions for prompt resolution.

1.5.11 Audit logs and audit trails must enable the routine review of audit records for indications of unusual activities, suspicious activities or suspected violations, and report findings to appropriate officials.





1.6

Back
-
up and Disaster Recovery

Backing up data and applications is an HHS business requirement. It enables the recovery of
data and applications in the event of loss or damage (natural disasters, system disk and other
systems failures, intentional or unintentional human acts, data entry errors, or systems
operator errors). This standard applies to HHS IR and vendors who operate information
systems on behalf of an HHS agency.

1.6.1

The HHS business continuity and disaster recovery plans provide the required
frequency and extent of the backups. Frequency and extent may vary, depending
on data classification and/or Owner requirements. The Information Resources
Manager (IRM) or designee, Chief Information Officer (CIO) or designee must
approve all backup and recovery plans and procedures.

1.6.2

Backup and recovery processes for all HHS information systems and resources
must be documented and periodically reviewed by the agency IRM or designee, the
CIO or designee.

1.6.3

Offsite storage providers of HHS IR must be able to provide protection for the
highest risk level of information being stored. Physical access controls in use at
any offsite storage location must meet or exceed the physical access controls
defined for the source system.

1.6.4

Offsite storage facilities must be geographically located away from the primary
physical location of the HHS information resource so that a single disaster shall not
destroy the data at both sites. A minimum of 10 miles is recommended.

1.6.5

Identification data used in granting access to the offsite storage facility must be
reviewed on a regular basis and changed or updated to reflect changes brought
about by changes in authorized access personnel.

1.6.6

Media used in the
provision of backup storage must be protected in accordance
with the highest level of sensitivity of the information being stored.

1.6.7

All backups must be verified as successful.

1.6.8

Electronic information backups must be periodically tested to ensure recoverability.

1.6.9

Stored data must have, at a minimum, the following data clearly identifiable by
labels and/or other coding systems:

A.

System Name,

B.

Creation Date,

C.

Sensitivity Classification (based on applicable record retention regulations),

D.

HHS Contact Information.






1.7

Change Management

The Change Management Standard establishes a set of rules and administrative guidelines to
manage changes in a rational and predictable manner. In addition, it provides for the
necessary documentation of any changes made so
as to reduce any possible negative impact
to the Users of HHS IR systems. Changes include, but are not limited to implementation of
new functionality, interruption of service, repair of existing functionality, and the removal of
existing functionality.

1.7.1

Change management will be required based on Agency risk assessment. The risk
assessment shall include operating systems, computing hardware, networks, and
applications.

1.7.2

Any change affecting the IR computing environment (HVAC, water, plumbing,
alarms, etc.) must be coordinated with the appropriate IT staff to ensure
compliance with the change management process.

1.7.3

Changes to IR must be documented and maintained according to Agency record
retention schedule(s) filed with Texas State Library and Archives.

1.7.4

The appropriate staff and data Owner(s) must review scheduled changes prior to
the change. These review staff may deny or delay the change if it is determined
that the change has not been adequately planned for, suffers from inadequate
backup planning, will negatively impact a key business process, or adequate
resources cannot be made available to support the change.

1.7.5

User notification, as appropriate to the specifics of the change, must be performed
for each scheduled change.

1.7.6

A change review process must follow all scheduled, unscheduled or emergency
changes.

1.7.7

A change management log must be maintained for all changes and must be stored
as a part of Systems Development Life Cycle (SDLC) documentation.

1.7.8

Changes to HHS IR systems should follow the approved CM policy and process
(http://hhscx.hhsc.state.tx.us/tech/quality/cm_default.shtml) to allow for risk
mitigation to prevent unplanned outages and minimize data risk.





1.8

Data Classification

Data Classification provides a framework for managing data assets based on value and
associated risks and for applying the appropriate levels of protection as required by state and
federal law as well as proprietary, ethical, operational, and privacy considerations. All HHS
data, whether electronic or printed, must be classified. The data owner should consult with
legal counsel on the classification of data as Confidential, Agency-Sensitive, or Public.
Consistent use of data classification reinforces with users the expected level of protection of
HHS data assets in accordance with HHS security policies.

1.8.1

The HHS Data Classification Standard applies equally to all individuals who use or
handle any HHS Information Resource.

1.8.2

HHS data created, sent, printed, received, or stored on systems owned, leased,
administered, or authorized by the HHS agency are the property of the HHS
agency and its protection is the responsibility of the HHS owners, designated
custodians, and users.

1.8.3

Data shall be classified as follows:

Confidential

Sensitive data that must be protected from unauthorized disclosure or
public release based on state or federal law (e.g. the Texas Public Information Act)
and other constitutional, statutory, judicial and legal agreements.

Examples of “Confidential” data may include (but not limited to):

Personally Identifiable Information, such as: Name, in combination with
Social Security Number (SSN) and/or Financial Account Numbers

Student Education Records

Intellectual Property, such as: Copyrights, Patents and Trade Secrets

Medical Records

Agency-Sensitive

Sensitive data that may be subject to disclosure or release
under the Texas Public Information Act and that requires some level of protection.

Examples of “Agency-Sensitive” data may include (but not limited to):

HHS operational information

HHS personnel records

HHS information security procedures

HHS internal communications

Public

Information intended or required for public release as described in the
Texas Public Information Act.


1.8.4

Information owned or under the control of the United States Government must
comply with the federal classification authority and federal protection requirements.

1.8.5

Violation of this policy may result in disciplinary action which may include
termination for employees and temporaries; a termination of employment relations
in the case of contractors or consultants; dismissal for interns and volunteers; or
suspension or expulsion in the case of a student. Additionally, individuals are
subject to loss of HHS Information Resources access privileges, and to civil and
criminal prosecution.

1.9


Electronic File Transfers

When transmitting confidential or sensitive personal information, including PHI and PII, the
following information systems controls or safeguards must be in place. For further information
on FTP processes in HHS, see http://hhscx.hhsc.state.tx.us/tech/infrastructure/Processes.html.
For more information about protecting confidential, sensitive, PII or PHI data see
Appendix III, Protecting Data.

1.9.1

HHS agencies are required to maintain an inventory of all confidential file transfers.
At minimum, the inventory should include a brief description of the data, the sender
and receiver, the source, destination, and schedule of the transfers.

1.9.2

Any connections to the Internet, or other external networks or information systems,
shall occur through controlled interfaces. The operational failure of the boundary
protection mechanisms shall not result in any unauthorized release of information
outside of the information system boundary. Information system boundary
protections at any designated alternate processing site shall provide the same
levels of protection as those of the primary site.

1.9.3

Boundary protections include ensuring that only properly authorized network
interconnections external to the system boundaries are established. Carefully
consider the intrinsically shared nature of commercial telecommunications services
in the implementation of security controls associated with the use of such services.
Commercial telecommunications services are commonly based on network
components and consolidated management systems shared by all attached
commercial customers, and may include third party provided access lines and other
service elements. Consequently, such interconnecting transmission services may
represent sources of increased risk despite contract security provisions. Therefore,
when this situation occurs, either implement appropriate compensating security
controls or explicitly accept the additional risk.

1.9.4

All electronic file transfers must maintain transmission integrity and confidentiality.
Transmission integrity includes employing cryptographic mechanisms to recognize
changes to information during transmission unless otherwise protected by
alternative physical measures. Transmission confidentiality includes employing
cryptographic mechanisms to prevent unauthorized disclosure of information during
transmission unless otherwise protected by alternative physical measures.

1.9.5

All electronic file transfers must ensure the implementation of a managed interface
(boundary protection devices in an effective security architecture) with any external
telecommunication service, implementing
controls appropriate to the required
protection of the confidentiality and integrity of the information being transmitted.

1.9.6

All electronic file transfers must ensure that automated boundary protection
mechanisms are evaluated and that supporting procedures shall be developed,
documented, and implemented effectively to monitor and control communications
at the external boundary of the information system and at key internal boundaries
within the system.

1.9.7

Encryption methods employed must meet acceptable standards as designated by
Enterprise Security Management (ESM). The recommended encryption method to
secure data in transport is Advanced Encryption Standard 128 (AES) or triple DES
(DES3) if AES is unavailable. When cryptography (encryption) is employed within
the information system, the system must work to ensure these modules are
compliant with NIST guidance, including performing all cryptographic operations
using Federal Information Processing Standard (FIPS) 140-2 validated
cryptographic modules with approved modes of operation.

1.9.8

All data files being electronically transferred are to follow a documented file naming
convention process as defined by agency operational environments.

1.9.9

All script names (performing the electronic file transfer) on file transfer servers are
to conform to documented job naming conventions as defined by the agency
operational environment. All scripts used for FTP, or other data transmission
methods, are to be managed under software configuration management and reside
in a production library management system as defined by the agency operational
environment. If a data transmission process includes multiple platforms, then the
job on each platform must contain the name of the originating job, plus identification
of the server it is executing on.

1.9.10

The IP address, user-id, and password used for electronic file transfers are to
reside in a secure file environment. The IP address, user-id, and password must
not be displayed during the execution of the job performing an electronic file
transfer.

1.9.11

All production applications that include data file transfers are to have flowcharts that
document the entire process from point of origin to the final destination address.
Require support documentation on all jobs that perform electronic file transfers be
kept current.

1.9.12

All electronic file transfers are required to be properly tested and are not to
adversely impact performance on that platform. When using production data for test
and development of a secure file transfer solution either encrypt or de-identify the
data before use. The electronic transfer of test data from platform to platform or to
an external entity must follow the same requirements as for production data. No
electronic transfers of production data are to be performed manually. This includes
production data that is destined to be used in a test environment.

1.9.13

Confidential data files must be deleted from electronic file transfer servers
periodically based on agency risk management decisions.





1.10

E-mail Use

The growth of use and the increase in vulnerabilities related to electronic communications has
seen a corresponding increase in the need for policies governing the use of, and protections
directed to, those communications. This E-mail Standard applies to all Users of HHS e-mail
systems.

1.10.1

The following activities are prohibited:

A.

Sending e-mail that is intimidating or harassing,

B.

Using e-mail to gain personal benefit,

C.

Using e-mail for purposes of political lobbying or campaigning,

D.

Violating copyright laws by inappropriately distributing protected works,

E.

Posing as anyone other than oneself when sending e-mail, except when
authorized to send messages for another when serving in an administrative
support role,

F.

The use of unauthorized e-mail software,

G.

Sending or forwarding chain letters,

H.

Sending unsolicited messages to large groups except as required to conduct
department business,

I.

Sending or forwarding e-mail that is likely to contain malicious code, and

J.

Using stationery in e-mail. These are backgrounds that are available through
most commercial e-mail software products. These take up excessive disk
space, and therefore their use is prohibited on HHS networks.

1.10.2

Confidential HHS material, including PII and PHI or individual identifiers (e.g.,
name) used in conjunction with confidential or sensitive information must be
encrypted or otherwise protected as required by rule, regulation or law. Examples
of confidential or sensitive PII or PHI information include: social security numbers,
federal tax return information or other medical records. For more information about
protecting confidential, sensitive, PII or PHI data see Appendix III, Protecting Data,
and Section 1.9 Electronic File Transfers.

1.10.3

All User activity on HHS IR assets is subject to logging and review. HHS e-mail
Users shall have no expectation of privacy.

1.10.4

E-mail Users must not give the impression that they are representing, giving
opinions, or otherwise making statements on behalf of any HHS agency or any unit
of an HHS agency unless appropriately authorized (explicitly or implicitly) to do so.

1.10.5

Individuals must not send, forward, or receive confidential HHS information through
non-HHS e-mail accounts, such as Yahoo, Hotmail, or Gmail accounts.

1.10.6

Individuals must not send, forward, or store confidential HHS electronic information
utilizing non-state owned or leased mobile devices without the prior written
permission of the data Owner. These devices include, but are not limited to,
laptop/notebook computers, personal data assistants or other hand-held devices,
two-way pagers or digital/cellular telephones.

1.10.7

Refer to Chapter 4 of the HHS Human Resources Manual
(http://hhscx.hhsc.state.tx.us/hr/HRM/contents.htm) for more information about
E-mail use.





1.11

Exceptions

It is the intent of HHS Enterprise that all Owners, Custodians, and Users of HHS IR comply
with all HHS information security standards. However, there will be situations where the strict
application of a standard would significantly impair the functionality of a service and the
standard must be modified to accommodate specific requirements. This standard provides a
method for documenting an exception to compliance with a published HHS standard.

Only temporary exceptions, where immediate compliance would disrupt critical operations,
may be granted. The security exception reporting process is as follows:

1.11.1

A User or Custodian of HHS IR submits an exception request to the appropriate
information Owner. The request must include:

a)

A description of the non-compliance

b)

The anticipated length of non-compliance

c)

A business case justifying the non-compliance

d)

A corrective action plan to attain compliance

e)

Assessment of risk associated with non-compliance

f)

System(s) associated (for example, host names or IP addresses) including
description of the type data impacted

g)

Review date to evaluate progress toward compliance

1.11.2

If the Owner determines the exception should be denied, the Owner documents the
rejection and notifies the requestor.

1.11.3

If the Owner believes the exception should be granted, the Owner must then submit
the exception request to the agency IRM or the HHS Chief Information Officer
(CIO) if there is no designated agency IRM.

1.11.4

If the agency IRM denies the exception request, the agency IRM documents the
rejection and notifies the requestor.

1.11.5

If the IRM approves the exception request, the IRM documents the exception and
notifies the requestor, the CIO, and the appropriate executive management.
Documentation of approved exception requests must include all elements of
section 1.11.1 above and a formal acceptance of risk.

1.11.6

The HHS CIO may, at his/her discretion, modify the agency IRM’s decision in order
to align with current HHS security initiatives.





1.12

Imaging Devices

The HHS Imaging Devices Security Standard mitigates risks associated with the increased
use of devices that have the capability to capture images for storage and/or transmission.
Such devices with camera capabilities, whether built in or attached, may include, but are not
limited to, cellular telephones, Personal Digital Assistants (PDAs), laptop/notebook computers,
digital cameras, and/or digital video recording devices of any sort.

1.12.1

The use of such devices is allowed to the extent that there is an HHS business
reason. In any case, the Owner is responsible for the protection of all sensitive,
confidential or information to which employees, contractors, vendors, visitors or
others may have access either as a granted right or by accidental exposure.

1.12.2

Any device that has the capability to capture, store and/or transmit an image of any
document, person, or environment (still or in motion) under the authority of this
policy shall have the image capturing function disabled while in restricted HHS
environments. Restricted HHS environments are defined by Agency risk
management decision.

1.12.3

Exemptions to this policy include dedicated document scanning devices and other
equipment designed specifically to capture document images for archival storage.

1.12.4

Requests for any other exemptions to this policy must be approved in writing prior
to use of the device. The exemption approval authority shall be one or more of the
following:

A.

Chief Information Officer (CIO), Chief Operations Officer (COO), or Chief
Executive Officer (CEO),

B.

IRM or Agency Designee,

C.

ISO, and/or

D.

Enterprise Security Manager.





1.13

Incident Management

The Incident Management Standard establishes requirements for dealing with computer
security incidents. These security incidents include, but are not limited to: virus, worm and
Trojan detection, unauthorized use of computer accounts and systems, and improper use of
resources as outlined in these standards related to E-mail, Internet and Acceptable Use.
Security incidents also include theft of hardware and/or data.

1.13.1

A Computer Incident Response Team (CIRT) shall be established with membership
having pre-defined roles and responsibilities. These CIRT responsibilities may,
during a security incident, take priority over the members’ normal job functions.

1.13.2

The Incident Management procedures must be followed whenever a security
incident is suspected or confirmed.

1.13.3

The ISO, or designee, is responsible for notifying the IRM, or the CIO, the Office of
Inspector General (OIG), the CIRT, and any Owner(s) involved in or affected by the
security incident, and shall initiate the appropriate incident management action(s).

1.13.4

The ISO, or designee, is responsible for initiating, completing, and documenting the
incident investigation with the assistance from the CIRT and shall report the
incident to the appropriate management at the Department of Information
Resources (DIR), as outlined in the requirements of Title 1 Texas Administrative
Code (TAC) Chapter 202, and the OIG as appropriate.

1.13.5

The appropriate technical personnel from the CIRT are responsible for monitoring
any damage resulting from the security incident. In addition, they are responsible
for ensuring its repair or mitigation, and eliminating or minimizing, as appropriate,
the area of vulnerability.

1.13.6

The ISO, working with the IRM or CIO, shall determine if a widespread
communication related to the incident is required. If communication is required,
they are also responsible for its content and distribution.

1.13.7

The appropriate technical personnel from the CIRT are responsible for
communicating any relevant issues or vulnerabilities to any vendor involved in or
affected by the security incident and for working with the vendor to eliminate or
mitigate these vulnerabilities.





1.14

Incidental Use/Limited Use

Incidental and Limited personal use of HHS IR by Users is permitted.

1.14.1

Limited personal use of e-mail and Internet access is allowed for employees and
other approved Users only. This use does not extend to visiting friends or relatives
of the approved User.

1.14.2


Limited use must not result in any additional direct costs to HHS.

1.14.3

Limited use must not interfere with the normal performance of the Users' duties.

1.14.4

Storage of personal e-mail, voice-mail, files, and/or any other document by the
approved User must be kept to a minimum.

1.14.5

All messages, files, and/or documents located on any HHS IR
are owned by HHS
and may be accessed by appropriate HHS staff without notice to the User. Such
documents may be subject to open records requests. This includes any personal
messages, files, and/or documents.

1.14.6

Incidental personal use of Internet access is
permitted, but must not inhibit or
interfere with the use and/or functionality of network resources for business
purposes.

1.14.7

Incidental use of Instant Messaging (IM), social networking sites such as Facebook,
Orkut, My Space, and Twitter, and video-hosting/sharing sites such as YouTube
is prohibited. Exceptions for use of IM or social networking sites for approved
HHS business purposes must be approved by the agency IRM, or the HHS Chief
Information Officer (CIO) if there is no designated agency IRM, using the exception
process in section 1.11 of the HHS Enterprise Information Security Standards and
Guidelines (EISSG). Prior to approval, a business justification is required. The
“Social Networking Justification and Approval Process” document can be found
here: http://hhscx.hhsc.state.tx.us/tech/policy/Social_Media_Process.doc





1.15

Internet/Intranet/Extranet Use

For the purpose of this standard, the term Internet shall include Intranet and/or Extranet.

1.15.1

Software for browsing the Internet is provided to Users for business and research
purposes, and is allowed for incidental/limited personal use only.

1.15.2

Incidental use must not interfere with the normal performance of an employee’s
work duties.

1.15.3

Incidental use must not result in any direct costs to HHS.

1.15.4

All software used to access the Internet must be part of the HHS standard software
suite, or approved for use by the appropriate HHS authority.

1.15.5

All software used to access the Internet must incorporate vendor provided security
patches.

1.15.6

All files downloaded from the Internet must be scanned for viruses using the
approved current HHS virus detection software.

1.15.7

All files downloaded from the Internet must fall within the defined download
parameters allowed by the HHS Enterprise Information Security Policy.

1.15.8

All software used to access the Internet shall be configured to provide the highest
level of protection appropriate to the risk to HHS systems and networks.

1.15.9

All sites accessed on the Internet must comply with the HHS Enterprise Acceptable
Use Standard (see
Section 1.1 Acceptable Use)

1.15.10

All content on HHS Internet sites must comply with the HHS Enterprise Acceptable
Use Standard and other sets of guidelines and standards developed in the
management of Internet content, such as accessibility standards.

1.15.11

No offensive or harassing materials may be linked through or posted to any HHS
Internet site.

1.15.12

No personal commercial advertising may be linked through or posted to any HHS
Internet site.

1.15.13

Internet access provided by HHS may not be used for personal solicitation or gain.

1.15.14

Confidential HHS data or sensitive personal information, including PII and PHI,
transmitted over external network connections must be encrypted. In general, this
includes any file or email containing Federal Tax Information, Social Security
Information or health information that is linked to at least one of the following:

(1) Name;

(2) Street address, city, county, precinct, zip code and equivalent geocodes;

(3) All elements of dates (except year) for dates directly related to an individual
and all ages over 89;

(4) Telephone number;

(5) Fax number;





(6) Electronic mail address;

(7) Social Security Number;

(8) Medical record numbers;

(9) Medical data, including diagnosis and past history of disease or disability;

(10) Health plan ID numbers;

(11) Any information received for verifying income eligibility and amount of
medical assistance payments

(12) Social and economic
conditions or circumstances;

(13) Demographic data related to an individual’s health;

(14) Account numbers

(15) Federal Tax IDs

(16) Federal Tax Returns or Return Information

(17) Agency evaluation of personal information;

(18) Certificate/license numbers;

(19) Vehicle identifiers and serial numbers, including license plate numbers;

(20) Device identifiers and serial numbers

(21) Web addresses (URLs);

(22) Internet IP addresses;

(23) Biometric identifiers, including finger and voice prints;

(24) Full face
photographic images and any comparable images; and

(25) Any other unique identifying number, characteristic or code


For more information about protecting confidential, sensitive, PII or PHI data see
also Appendix III, Protecting Data, and Section 1.9 Electronic File Transfers.





1.16

Intrusion Detection / Prevention

The purpose of the HHS Intrusion Detection/Prevention Standard is to describe requirements
to monitor events on the information system, detect attacks, identify unauthorized use of the
system and respond to intrusions.

1.16.1

The following must be enabled on all HHS systems as appropriate to the risks
determined for the particular system:

A.

Operating system, user accounting, and application software audit logging
processes,

B.

Alarm and alert functions of
any firewalls and other network perimeter access
control systems,

C.

Audit logging of any firewalls and other network perimeter access control
systems.

1.16.2

System integrity checks of firewalls and other network perimeter access control
systems must be performed
as appropriate to the risks determined for that system.

1.16.3

Audit logs for servers and hosts must be reviewed as appropriate to the risks
determined for that system.

1.16.4

Host based intrusion Detection/Prevention tools will be utilized and reviewed as
appropriate to the risks determined for that system.

1.16.5

All trouble reports shall be reviewed for symptoms indicating intrusive activities.

1.16.6

All suspected and/or confirmed instances of successful and/or attempted intrusions
must be immediately reported according to the Incident Management Standard.
(see Section 1.13 Incident Management)

1.16.7

Users should be trained to recognize and report any anomalies and signs of
wrongdoing. Refresher training must be completed at least annually.





1.17

Malicious Code

The purpose of the HHS Malicious Code Standard is to describe requirements for dealing with
digital infections referred to as “malware” (including virus, worm, Trojan, spyware and other
similar infections), and their prevention, detection and cleanup.

1.17.1

All workstations (desktop, notebook, laptop, wireless or any device capable of
digital interaction with HHS networks, systems and/or applications) whether
connected to the HHS network, or used remotely or stand-alone, must use malware
protection software and have configurations equivalent to that of HHS computing
devices.

1.17.2

Each file server attached to the HHS network(s) must utilize HHS approved
malware protection software and be set up to detect and clean malware.

1.17.3

Each e-mail gateway must use HHS approved e-mail malware protection software
and must adhere to the agency architecture for its setup and use.

1.17.4

Malware protection software must not be disabled or bypassed without the approval
and involvement of appropriate HHS IT staff.

1.17.5

Settings for malware protection software must not be altered in any manner that will
reduce the effectiveness of the software.

1.17.6

All virus protection mechanisms (including the latest virus definitions) must be
updated when new versions or releases are available and appropriate testing is
completed.

1.17.7

Any automatic update frequency of the malware protection software designed into
the software or established as a batch process within the HHS network must not be
altered to reduce the frequency of updates.

1.17.8

Any malware that is not automatically cleaned by the software constitutes
a security
incident and must be reported to the appropriate Help Desk within HHS.





1.18

Network Access

The HHS Network Access Standard establishes security rules for the access and use of the
network infrastructure.

1.18.1

Network equipment, such as servers, firewalls, routers, switches, wireless access
points, etc., shall be installed in a manner and location to prevent unauthorized
access and tampering.

1.18.2

Users are permitted to use only those network addresses and access points issued
to them by HHS IT.

1.18.3

Remote Users may connect to HHS IR using only those protocols approved by
HHS IT. (See also: Section 1.23 Portable/Remote Computing)

1.18.4

Users must not extend or re-transmit network services without agency IRM, or the
CIO if no agency IRM exists, or designee approval.

1.18.5

Users must not install hardware or software that provides network services without
the approval of the agency IRM, or the CIO if no agency IRM exists or a
designee.

1.18.6

Non-HHS systems that require network connectivity must conform to HHS
information security policies, standards, procedures, and guidelines.

1.18.7

Users must not download, install or run application programs or utilities that reveal
or exploit weaknesses in the security of a system except as part of the official
systems security management process.

1.18.8

The use of unapproved tools such as password cracking programs, packet sniffers,
network-mapping tools, or port scanners is prohibited except as part of the official
systems security management process.

1.18.9

Users must not alter network hardware without authorization from the appropriate
agency IRM, the CIO if no agency IRM exists, or a designee.





1.19

Network Configuration

The HHS Network Configuration Standard establishes the rules necessary for the
maintenance, expansion, and use of the HHS network infrastructure.

1.19.1

HHS IT is responsible for the oversight of the network infrastructure. The Wide
Area Network is maintained by the Department of Information Resources.

1.19.2

Networking development (including cabling) must be installed by appropriate HHS
personnel or an approved contractor.

1.19.3

Equipment connected to the HHS network must be configured to specifications
approved by HHS IT.

1.19.4

Any hardware connected to the HHS network infrastructure is subject to HHS IT
management process and standards.

1.19.5

Changes to the configurations of any active network management device must not
be made without authorization from the CIO, agency IRM or designee.

1.19.6

The CIO, agency IRM or designee must approve any use of non-sanctioned
protocols.

1.19.7

Any connection to the HHS network infrastructure by third party networks, including
telecommunications, must be approved by the CIO, agency IRM or designee.

1.19.8

The use of independently deployed firewalls or other non-standard tools is not
permitted without the written authorization of agency IRM, the CIO if no agency
IRM exists, or a designee.

1.19.9

Users must not install hardware or software that provides network services without
the approval of the CIO, agency IRM or designee.

1.19.10

Users must not alter network hardware without authorization from the CIO, agency
IRM or designee.





1.20

Operating Systems

The HHS Operating Systems Standard establishes the rules necessary for the installation and
maintenance of HHS operating system software.

1.20.1

Installation of operating system software shall be documented and reviewed.

1.20.2

All operating system software must have appropriate patches. Security-related
operating system or software application patches must be reviewed and installed in
a timely manner, consistent with the criticality and vulnerability of the resource.

1.20.3

Operating system software changes
shall be authorized, tested and approved in
accordance with HHS IR change management processes before being
implemented.

1.20.4

Operating system software will be installed with the minimum number of services
required to fulfill the designated function.

1.20.5

Operating systems software will provide application software environments for all
non-operating system activities, which are separated from the operating system
environment.

1.20.6

Use of operating system functions and functionality by application software will be
through specifically defined interfaces for those purposes.

1.20.7

Application software, as distinguished from operating systems software, will be
unable to assume access privileges normally reserved to the operating system.

1.20.8

Any use of host operating systems and
application environments that do not
conform to this standard will be phased out as soon as possible.





1.21

Passwords

The HHS Password Standard establishes rules related to the User authentication process,
including the creation, distribution, safeguarding, termination and reclamation of those
mechanisms. Exceptions to this policy may be allowed temporarily for certain legacy systems.

1.21.1

All passwords must:

• Be at least six (6) characters in length, or be eight (8) characters when technically
feasible.

• Contain both upper and lower case characters (e.g., a-z, A-Z),

• Have digits and special characters as well as letters,

• Not be words in any dictionary, including slang, dialect, jargon, etc.

1.21.2

User chosen passwords must adhere to a minimum length and format as defined by
current agency password guidelines.

1.21.3

Users shall commit passwords to memory and must not write down passwords and
store them near their computer.

1.21.4

Users must not share their passwords.

1.21.5

If a password’s security is in doubt, it must be changed immediately.

1.21.6

If a User suspects his/her password has been compromised, he/she must change it
immediately and notify his/her supervisor and the agency Help Desk of the
suspected compromise.

1.21.7

New or temporary passwords must be changed upon User’s receipt of the
password.

1.21.8

All passwords must have an expiration period as defined by current agency
password guidelines. Subsequent passwords must be modified in accordance with
current agency password guidelines.

1.21.9

Passwords shall be changed every 90 days, at a minimum, for standard user
accounts to reduce the risk of compromise through guessing, password cracking or
other attack and penetration methods.

1.21.10

Passwords shall be changed every 60 days, at a minimum, for privileged user
accounts to reduce the risk of compromise through guessing, password cracking or
other attack and penetration methods. Privileged users are individuals who have
access to system control, monitoring, or administration functions (e.g., system
administrators, information system security officers, maintainers, system
programmers).

1.21.11

Password changes for standard and privileged users shall be systematically
enforced where possible.

1.21.12

Privileged users shall be able to override the minimum password age limit for users
only when necessary to perform required job functions.





1.21.13

HHS network administrators will not circumvent the password policy for the sake of
expediency.

1.21.14

Unsuccessful account access attempts must be monitored and accounts locked
after failed attempts as determined by a documented risk assessment. Account
lockout duration shall be permanent until an authorized system administrator
reinstates the user account. In some cases this may not be technically feasible,
such as certain web-systems that lock users out for a period of time and then
open back up automatically after a specified period of time. However, in this case
system administrators should monitor this activity and implement the control based
on risk assessed and current system functionality available.

1.21.15

Passwords shall be systematically disabled after 90 days of inactivity to reduce the
risk of compromise through guessing, password cracking or other attack and
penetration methods.

1.21.16

Where possible, Users shall be prohibited from using their last six passwords to
deter reuse of the same password.

1.21.17

Default vendor passwords shall be changed upon successful installation of the
information system product.

1.21.18

Stored passwords must be encrypted.

1.21.19

User account passwords must not be divulged to anyone. HHS IT staff or its
contractors/representatives will not ask for User account passwords except as
allowed by law.

1.21.20

Users may not circumvent password entry with auto logon, application
remembering, embedded scripts or hard coded passwords in client software.
(NOTE: Exceptions may be made for specific applications with the approval of the
HHS IT management. All exceptions must include a procedure to change the
password if necessary.)





1.22

Physical Access

The Physical Access Standard establishes rules for granting, controlling, monitoring and
removing physical access to HHS IR facilities.


1.22.1

Physical security policy and procedures for all Data Centers must adhere to those
established in the Information Security Controls for State of Texas Data Center
Services (ISeC), and associated contractual documents.

1.22.2

Physical security systems must comply with applicable regulations such as building
codes and fire regulations.

1.22.3

Physical access to all restricted IR facilities or areas must be documented and
managed.

1.22.4

HHS IR must be physically protected in proportion to the importance of their
function within HHS and the confidentiality required by rule, regulation or law.

1.22.5

Access to IR facilities must be granted only to authorized Users whose job
responsibilities require access.

1.22.6

The process for granting access, via key-card or otherwise, to information resource
facilities must include the approval of the IRM, the CIO if no agency IRM exists, or
designated office or staff person responsible for the facility.

1.22.7

All access requests to data centers must be justified (not just 24 hour access); if
requesting personnel do not perform direct support for the servers or other data
center equipment, access will be denied.

1.22.8

Each User granted access to IR secured facilities must sign the appropriate access
and non-disclosure agreements. Access and non-disclosure agreements must be
maintained in accordance with records retention requirements.

1.22.9

The applicable data or system Owner must initiate requests for access to secured
facilities.

1.22.10

Access to secured facilities and/or key-cards must not be shared or loaned.

1.22.11

Access materials and/or key-cards that are no longer required must be returned to
the appropriate HHS IT representative. Under no circumstances is a “retired” card
to be passed directly to another User.

1.22.12

Functional capabilities for an access key-card must be deactivated upon
termination of need.

1.22.13

Lost or stolen access key-cards must be reported to the appropriate facility
manager immediately upon the User becoming aware of the loss.

1.22.14

Any HHS IR secured facility that allows access to visitors will track visitors’ access
with a sign in/out log.

1.22.15

Visitors to controlled facilities must wear a visitor's badge, sign in and out at a
reception area, and be escorted when in restricted areas.





1.22.16

Access records, entry and exit logs, and visitor logs must be kept based on records
retention or other state or federal requirements.

1.22.17

Visitor logs and access records must be reviewed at least quarterly by HHS
management.

1.22.18

Signs posted to inform of the restricted access to certain rooms or buildings must
be posted in a manner that serves their
purpose without drawing attention to the
secured nature of the site.


