Data Security Scorecard - Florida Office of Early Learning


ACCOUNTABILITY UNIT

DATA SECURITY (DS) SCORECARD

EARLY LEARNING COALITION OF ___________

DS Scorecard Version: July 9, 2012

Review Analyst: ____________ Completion Date: _________

Lead Reviewer: _____________ Completion Date: ____________

Supervisor: __________ Completion Date: ___________

Final Scorecard Date: _______________


Data Security Program Adherence:

The coalition and its contractors shall ensure that all data systems used for the management of early learning programs are secure and the data stored in these systems are not compromised. This includes data used for and maintained by Florida’s Office of Early Learning, RCMA, the coalitions, and any sub-contractors. The coalition shall develop and implement protocols of the Florida’s Office of Early Learning’s policy; Data Security Protocol Series 5.05. [Early Learning Grant Agreement section (11).]

Background screening of all Coalition personnel and of any Sub-Recipient or Contractor, assigned to work that pertains to the grant agreement, must comply with screening requirements of Florida’s Office of Early Learning grant agreement section (45).

The coalition must comply with the confidentiality provisions and the record retention requirements of sections 119.021, 411.011, 456.057, and 1002.72, Florida Statutes, where applicable.


THE INDICATORS LISTED BELOW ARE ONLY BEING REVIEWED DURING THE 12-13 FISCAL YEAR IF THE COALITION HAD A CAP ITEM PENDING IMPLEMENTATION

1. Security Training and Awareness

Florida’s Office of Early Learning Protocol 5.05.02.04:

The Federal Information Security Management Act (FISMA) requires each federal agency to provide mandatory periodic information security training to all associates involved in the use or management of federal computer systems. Further, the Office of Management and Budget (OMB) Circular A-130 requires that such training be completed prior to the granting of access, and be provided for periodic refreshment. Aside from compliance with legal requirements, a Security Training and Awareness program is crucial to the safeguarding of Florida’s Office of Early Learning’s information resources. Information security protocol and standards cannot be effective unless everyone at Florida’s Office of Early Learning, coalitions, and their contractors, regardless of position in the organization, is aware of the importance of security, understands security procedures, and performs required practices. To make information security effective, standards and procedures must be known, understood, believed to be beneficial, and be appropriately and consistently practiced.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:





























2. Contingency Planning

Florida’s Office of Early Learning Protocol 5.05.02.10:

In addition to being a legal mandate for federal agencies, contingency planning is simply a good business practice, and part of the fundamental mission of Florida’s Office of Early Learning as a responsible and reliable public institution. For the success of Florida’s Office of Early Learning’s programs, the coalition’s information systems must be available in the event of disruptions/disasters. Information systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage) to severe (e.g., equipment destruction, fire), and from a variety of sources ranging from natural disasters to terrorist actions. While much vulnerability may be minimized or eliminated through technical, management, or operational solutions as part of Florida’s Office of Early Learning risk management program, it is virtually impossible to completely eliminate all risks. In many cases, critical resources reside outside Florida’s Office of Early Learning’s control (such as electric power or telecommunications), and the Agency may be unable to ensure their availability. Therefore, effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. Coalitions and their contractors should do a partial system backup daily and a full backup on weekends. Backup tapes must be maintained in a secure location off site.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:




3. Access Control

Florida’s Office of Early Learning Protocol 5.05.02.11:

Users must have access to the information resources required to do their jobs. However, excessive or uncontrolled access can lead to the unauthorized or unintentional disclosure, modification, or destruction of those resources, as well as liability for negligence in protecting those resources. Therefore, only authorized personnel who have a legitimate need to use Agency resources may be granted access to specific resources, and their access privileges will be limited to those required to perform their duties.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:




4. Identification and Authentication

Florida’s Office of Early Learning Protocol 5.05.02.12:

In order to ensure that unauthorized persons do not have access to confidential Florida’s Office of Early Learning information resources, it is necessary to first establish the identity of the user who is attempting to access the resource. Access controls can then be used to allow or limit access based on the established user identity. The specific method(s) of authentication used for each system shall be commensurate with the level of confidentiality of the system to be accessed.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:




5. Antivirus

Florida’s Office of Early Learning Protocol 5.05.02.14:

Computer viruses are programs that reproduce themselves and often attempt to do harm to the computers that they infect. Viruses may destroy Florida’s Office of Early Learning data, make computers unusable, use Florida’s Office of Early Learning computers to attack other computers, or perform a variety of other malicious activities. There are many different types of computer viruses. Use of antivirus software is essential for protecting agency resources from the danger posed by computer viruses and other malicious programs. These programs check for viruses on agency computers and attempt to remove them before they can spread or perform further damage. However, antivirus programs take time to learn about each new virus that is created, during which the virus can do serious damage. Therefore, it is also important that users and system administrators be aware of the risks posed by viruses, and take steps to minimize exposure to them.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:




6. Personnel Security

Florida’s Office of Early Learning Protocol 5.05.02.16 and Background Screening Florida’s Office of Early Learning Grant Agreement (45):

The greatest harm/disruption to a system comes from the actions of individuals, both intentional and unintentional. Users, designers, implementers, administrators, and managers are involved in many important issues in securing information. It is important to ensure that the personnel who have access to Florida’s Office of Early Learning information resources can be trusted, to institute controls over the access provided to those personnel, and to implement procedures that minimize the personnel-related risks to Florida’s Office of Early Learning’s resources.

All staff employed by the Coalition and their Sub Recipient/Contractor shall follow the background screening provisions, as set forth in Florida’s Office of Early Learning Grant Agreement (45), s. 943.0542, s. 435.04 and 435.03. Documents shall be maintained for appropriate monitoring and audit purposes, including verification that all personnel successfully passed background screenings, in accordance with Florida’s Office of Early Learning Grant Agreement (45)(a)3.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:






7. Mobile Computing

Florida’s Office of Early Learning Protocol 5.05.02.22:

The use of laptop computers and mobile devices (such as PDAs) provides flexibility and enhanced communications that allow Florida’s Office of Early Learning personnel to be more productive. However, the use of these devices outside of the Florida’s Office of Early Learning office poses risks to those devices and the information they contain. These devices may also present a hazard to other Florida’s Office of Early Learning resources upon their return to the office (for example, by spreading a virus that was obtained outside the office). These devices have the capability for direct connectivity to the Internet or other networks outside of Florida’s Office of Early Learning network, which lack the protections afforded by our corporate firewall and other perimeter protections. Therefore, additional security measures must be implemented to mitigate increased security risks presented by mobile computing. This includes VPN access and any other access to confidential information outside of the office (e.g., fax, travel drives or other media devices, accessing work email or other work related systems, like SPE/UWL, from a home computer, etc.).

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:

8. Remote Access

Florida’s Office of Early Learning Protocol 5.05.02.25:

Remote access provides many benefits; it allows personnel traveling on business to connect to Florida’s Office of Early Learning information resources and provides the capability for telecommuting. However, remote access via dialup or other connectivity poses a risk of intrusion by unauthorized persons, as well as interception of the data being transferred through the remote connection. Direct connectivity to the Internet or other networks also lacks the protections afforded by a corporate firewall and other perimeter protections. Additional security measures must be implemented to mitigate the increased security risks presented by remote access.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:







9. Database Security

Florida’s Office of Early Learning Protocol 5.05.02.30:

The coalition has been entrusted with a variety of confidential data to accomplish its goals. The success of the programs depends on the availability, integrity and confidentiality of this data. In order to protect this data, Florida’s Office of Early Learning and the coalition implement data security measures, such as data validation and verification controls. These controls are used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets the expectations about its quality and that it has not been altered. A coalition and its contractors must safeguard confidential data such as names and addresses, social security numbers, and federal employment numbers. Unencrypted transfer of confidential information by email is prohibited as email transmission of data is not secure. This prohibition applies to submissions to Florida’s Office of Early Learning as well as transmissions among contractors and coalitions. Coalitions should use SharePoint to transmit confidential data to Florida’s Office of Early Learning.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:




10. Media Management

Florida’s Office of Early Learning Protocol 5.05.02.31:

Florida’s Office of Early Learning has been entrusted with a variety of confidential data in order to accomplish its mission. This data, which is stored on a variety of media, must be protected from unauthorized disclosure, damage, fraud, and abuse. To protect the security and privacy of information, Florida’s Office of Early Learning will use a variety of security mechanisms that provide protections for media.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:




11. Password Management

Florida’s Office of Early Learning Protocol 5.05.02.32:

In order for passwords to be an effective tool for providing security, they must be selected, stored, and administered appropriately. If passwords are poorly chosen, they can easily be guessed and then used by unauthorized persons. Likewise, passwords that are inappropriately stored are subject to disclosure and misuse by unauthorized persons.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:



12. Memorandum of Understanding
Data Security Agreement

Florida’s Office of Early Learning/ELC Grant Agreement (11)(h)3:

All coalitions and contractors must complete and comply with Florida’s Office of Early Learning Memorandum of Understanding and Data Security Agreement form available at http://awiportal/sites/coalitionszone/informationsecurity/default.aspx. Each employee who has access to the Coalition’s data systems shall have a signed and dated Data Security Agreement and a copy shall be maintained at the coalition or contractor’s place of employment.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance:


13. Records Confidentiality Compliance

Florida’s Office of Early Learning Grant Agreement (11)(d) and (24)(a-d):

Coalitions and Contractors shall follow confidentiality provisions and record retention requirements of sections 119.021, 411.011, 456.057, and 1002.72, Florida Statutes, and the current Florida’s Office of Early Learning grant agreement, where applicable. All coalition records, classified as public records, must be open and available for inspection by any person. It is the responsibility of the coalition to maintain records in a location that is accessible to the public. The individual records of children enrolled in SR and VPK programs provided under sections 411.01 and 1002.72, F.S., when held in the possession of the coalition or Florida’s Office of Early Learning, are confidential and exempt from the provisions of section 119.07, F.S.

Achieved / Partially Achieved / Not Achieved / Not Reviewed

Description of Compliance: