60DD-2.001: Purpose; Definitions; Policy; Applicability; Agency Security Programs; Roles and Responsibilities; Risk Management
60DD-2.002: Control of Computers and Information Resources
60DD-2.003: Physical Security and Access to Data Processing Facilities
60DD-2.004: Logical and Data Access Controls
60DD-2.005: Data and System Integrity
60DD-2.006: Network Security
60DD-2.007: Backup and Disaster Recovery
60DD-2.008: Personnel Security and Security Awareness
60DD-2.009: Systems Acquisition, Disposal, Auditing, and Reporting
60DD-2.010: Standards Adopted
PURPOSE AND EFFECT: The purpose of the notice is to repeal the rules under Rule Chapter 60DD-2, F.A.C. Rule Chapter 60DD-2, F.A.C., contains the “Florida Information Resource Security Policies and Standards”, which were promulgated by the former State Technology Office of the Department of Management Services. The Office of Information Technology of the Agency for Enterprise Information Technology is proposing new rules under Rule Chapter 71A-1, F.A.C., which are intended to replace the policies and standards set forth in Rule 60DD-2.002, F.A.C. The Notice of Proposed Rulemaking for the proposed rules under Rule Chapter 71A-1, F.A.C., is contained in this edition of the Florida Administrative Weekly and intended to take effect when the rules under Chapter 60DD-2, F.A.C., are repealed.
SUMMARY: Rule Chapter 60DD-2, F.A.C., relating to “Florida Information Resource Security Policies and Standards”, is repealed.
SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS: A statement of estimated regulatory cost has not been prepared by the agency. The agency has determined that small businesses will not be impacted by the rule chapter repeal.
Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.
SPECIFIC AUTHORITY: 282.102(2), (6), (16) FS.
LAW IMPLEMENTED: 120.54(8), 252.365, 282.0041, 282.101, 282.301, 282.318 FS.
IF REQUESTED WITHIN 21 DAYS OF THE DATE OF THIS NOTICE, A HEARING WILL BE SCHEDULED AND ANNOUNCED IN FAW.
THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Renee Harkins, Project Analyst, Agency for Enterprise Information Technology, 4030 Esplanade Way, Suite 135, Tallahassee, Florida 32399, telephone (850)414-6771
THE FULL TEXT OF THE PROPOSED RULE IS:
60DD-2.001 Purpose; Definitions; Policy; Applicability; Agency Security Programs; Roles and Responsibilities; Risk Management.
(1) Purpose.
(a) Rules 60DD-2.001-.010, F.A.C., shall be known as the Florida Information Resource Security Policies and Standards.
(b) The purpose of the Florida Information Resource Security Policies and Standards is to:
1. Promulgate state policies regarding the security of data and information technology resources. Policies are broad principles underlying the state’s information resource security program.
2. Define minimum-security standards for the protection of state information resources. Standards are required administrative procedures or management controls, utilizing current, open, non-proprietary or non-vendor specific technologies.
(c) Nothing in this rule chapter shall be construed to impair the public’s access rights under Chapter 119, F.S., and Article I, Section 24 of the Florida Constitution.
(d) The policies and standards set forth in this rule chapter shall not affect the supervision, control, management or coordination of information technology and information technology personnel that any cabinet officer listed in s. 4, Art. IV, Florida Constitution, deems necessary for the exercise of his or her statutory or constitutional duties.
(2) Definitions.
(a) The following terms are defined:
1. Access – To approach, view, instruct, communicate with, store data in, retrieve data from, or otherwise make use of computers or information resources.
2. Access Control – The enforcement of specified authorization rules based on positive identification of users and the systems or data they are permitted to access.
3. Access password – A password used to authorize access to data and distributed to all those who are authorized similar access.
4. Access Point – A station that transmits and receives data.
5. Advanced Encryption Standard or “AES” – A Federal Information Processing Standard (FIPS 197) developed by NIST to succeed DES. Intended to specify an unclassified, publicly disclosed, symmetric encryption algorithm, available royalty-free worldwide, to protect electronic data.
6. Agency – Those entities described in Section 216.011(1)(qq), F.S.
7. Asymmetric Encryption – A modern branch of cryptography (sometimes called “public-key cryptography”) in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm.
8. Attack – An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to violate the security of a system.
9. Audit – See: Security Audit.
10. Authentication – The process that verifies the claimed identity or access eligibility of a station, originator, or individual as established by an identification process.
11. Authorization – A positive determination by the information resource/data owner or delegated custodian that a specific individual may access that information resource, or validation that a positively identified user has the need and the resource/data owner’s permission to access the resource.
12. Availability – The security goal that generates the requirement for protection against intentional or accidental attempts to perform unauthorized deletion of data or otherwise cause a denial of service of system resources.
13. Back Door – A hardware or software mechanism that provides access to a system and its resources by other than the usual procedure, was deliberately left in place by the system’s designers or maintainers, and usually is not publicly known.
14. Business Continuity Plan – See: Disaster-Preparedness Plan.
15. Best Practice – A technique or methodology that, through experience and research, has proven to reliably lead to a desired result. A commitment to using the best practices in any field is a commitment to using all the knowledge and technology at one's disposal to ensure success.
16. Block Cipher – An encryption algorithm that breaks plaintext into fixed-size segments and uses the same key to transform each plaintext segment into a fixed-size segment of cipher-text.
17. Central Computer Room – A facility dedicated to housing significant computing resources, such as mainframe computers and libraries; commonly referred to as a data center.
18. Client – A system entity that requests and uses the service provided by another system entity called a “server”.
19. Comprehensive Risk Analysis – A process that systematically identifies valuable system resources and threats to those resources, quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and recommends how to allocate resources to countermeasures so as to minimize total exposure. The analysis lists risks in order of cost and criticality, thereby determining where countermeasures should be applied first.
20. Computer Security – Measures that implement and assure security in a computer system, particularly those that assure access control; usually understood to include functions, features and technical characteristics of computer hardware and software, especially operating systems.
21. Confidential Information – Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Florida Public Records Act.
22. Confidentiality – The state that exists when confidential information is held in confidence and available only to a limited set of authorized individuals pursuant to applicable law. Confidentiality is the security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads.
23. Contingency Plan – A plan for emergency response, backup operations, and post-disaster recovery in a system as part of a security program to ensure availability of critical system resources and facilitate continuity of operations in a crisis. See: Disaster-Preparedness Plan.
24. Continuity of Operations Plan (COOP) – See: Disaster-Preparedness Plan.
25. Control – Any action, device, policy, procedure, technique, or other measure that improves security.
26. Critical Information Resource – That resource determined by agency management to be essential to the agency’s critical mission and functions, the loss of which would have an unacceptable impact.
27. Current – Most recent; not more than one year old.
28. Custodian of an Information Resource – Guardian or caretaker; the holder of data; the agent charged with the resource owner’s requirements for processing, communications, protection controls, access controls, and output distribution for the resource; a person responsible for implementing owner-defined controls and access to an information source. The custodian is normally a provider of services.
29. Data – A representation of facts or concepts in an organized manner that may be stored, communicated, interpreted, or processed by people or automated means.
30. “Data Encryption Algorithm” or “DEA” – A symmetric block cipher, defined as part of the United States Government’s Data Encryption Standard. DEA uses a 64-bit key, of which 56 bits are independently chosen and 8 are parity bits, and maps a 64-bit block into another 64-bit block.
31. “Data Encryption Standard” or “DES” – A United States Government standard (Federal Information Processing Standard 46-3) that specifies the data encryption algorithm and states policy for using the algorithm to protect data.
32. Data Integrity – The condition existing when the data is unchanged from its source and has not been accidentally or maliciously modified, altered or destroyed.
33. Data Security – The protection of data from disclosure, alteration, destruction, or loss that either is accidental or is intentional but unauthorized.
34. Data Security Administrator – The person charged with monitoring and implementing security controls and procedures for a system. Whereas each agency will have one Information Security Manager, agency management may designate a number of data security administrators.
35. Denial of Service – The prevention of authorized access to a system resource or the delaying of system operations and functions.
36. “Disaster-Preparedness Plan” or “Continuity of Operations Plan” – An effort within individual departments and agencies pursuant to Section 252.365, F.S., to ensure the continued performance of minimum essential functions during a wide range of potential emergencies. An operational and tested information technology continuity plan should be in line with the overall agency disaster-preparedness plan and its related requirements and take into account such items as criticality classification, alternative procedures, back-up and recovery, systematic and regular testing and training, monitoring and escalation processes, internal and external organizational responsibilities, business continuity activation, fallback and resumption plans, risk management activities, assessment of single points of failure, and problem management. Provisions should be documented in the plan and reviewed to establish back-up and off-site rotation of non-critical application software and job execution language libraries, data files, and systems software to facilitate restoration following recovery of critical applications.
37. Encryption – Cryptographic transformation of data (called “plaintext”) into a form (called “cipher-text”) that conceals the data’s original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called “decryption”, which is a transformation that restores encrypted data to its original state. Encryption and decryption involve a mathematical algorithm for transforming data. In addition to the data to be transformed, the algorithm has one or more inputs that are control parameters: a key value that varies the transformation and, in some cases, an initialization value that establishes the starting state of the algorithm.
38. End User – A system entity, usually a human individual, that makes use of system resources, primarily for application purposes as opposed to system management purposes. This includes State employees, contractors, vendors, third parties and volunteers in a part-time or full-time capacity.
39. Environment – The aggregate of physical, organizational, and cultural circumstances, objects, or conditions surrounding an information resource.
40. Exposure – Vulnerability to loss resulting from accidental or intentional unauthorized acquisition, use, disclosure, modification, or destruction of information resources.
41. FIPS PUB (NR.) – Federal Information Processing Standard Publication (Nr.), a federal standard issued by the National Institute of Science and Technology (formerly the National Bureau of Standards).
42. Information Custodians – Agency employees responsible for assisting Information Owners in classifying data and specifying and implementing the technical mechanisms required to enforce policy to a degree of certainty required, based on a comprehensive risk analysis that considers the probability of compromise and its potential operational impact.
43. Information Owners or “Owner of an Information Resource” – Agency managers who are responsible for specifying the security properties associated with the information their organization possesses and are responsible for the integrity and accuracy of that information. This includes what categories of users are allowed to read and write various items and what the operational impact of violations of policy would be.
44. Information Resources – Data, automated applications, and information technology resources as defined in subparagraph 60DD-2.001(2)(a)47., F.A.C. and Sections 282.0041(7) and 282.101, F.S.
45. Information Security Alert – A notice sent by state agencies pursuant to paragraph 60DD-2.006(6)(b), F.A.C., regarding potential information security abnormalities or threats.
46. Information Security Manager (ISM) – The person designated to administer the agency’s information resource security program and plans in accordance with Section 282.318(2)(a)1., F.S., and the agency’s internal and external point of contact for all information security matters.
47. “Information Technology,” “information technology resources,” “information resources” or “information technology system” include any transmission, emission, and reception of signs, signals, writings, images, and sounds of intelligence of any nature by wire, radio, optical, or other electromagnetic systems and includes all facilities and equipment owned, leased, or used by all agencies and political subdivisions of state government, and a full-service information-processing facility offering hardware, software, operations, integration, networking, and consulting services.
48. Information Technology Security Plan or Information Resource Security Plan – A written plan periodically reviewed that provides an overview of the security requirements of the information systems and describes the controls in place or planned for meeting those requirements. It covers critical data policies, backup, disaster recovery, and user policies. Its purpose is to protect the integrity, availability, and confidentiality of IT resources (i.e., data, information, applications, and systems) and to support the missions of the State of Florida. The Information Technology Security Plan also encompasses policies, procedures and guidelines together with methodology employed for protection, e.g., firewalls, user authentication, data encryption, key management, digital certificates, intrusion detection systems (IDS), virus detection, and virtual private networks (VPN).
49. Information Technology Security Program or Information Resource Security Program – A coherent assembly of plans, project activities, and supporting resources contained within an administrative framework, whose purpose is to support the agency’s mission and establish controls to assure adequate security for all information processed, transmitted or stored in agency automated information systems, e.g., Information Technology Security Plans, contingency plans, security awareness and training and systems acquisition, disposal and auditing.
50. Integrity – The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
51. Networks or Networking – Networks provide design, programming, development and operational support for local area networks (“LANs”), wide area networks (“WANs”) and other networks. Networks support client/server applications, telephony support, high-speed or real-time audio and video support and may develop and/or utilize bridges, routers, gateways, and transport media.
52. NIST – National Institute of Standards and Technology.
53. Password – A protected word or string of characters which serves as authentication of a person’s identity (“personal password”), or which may be used to grant or deny access to private or shared data (“access password”).
54. Personal Identifier or User Identification Code – A data item associated with a specific individual, that represents the identity of that individual and may be known by other individuals.
55. Personal Password – A password that is known by only one person and is used to authenticate that person’s identity.
56. Platform – The foundation technology of a computer system. The hardware and systems software that together provide support for an application program and the services they support.
57. Provider – Third party such as contractor, vendor, or private organization providing products, services or support.
58. Public Records Act – Section 119.01, et seq., F.S.
59. Remote Access – The ability to connect to a computer from a remote location and exchange information or remotely operate the system.
60. Review – A formal or official examination of system records and activities that may be a separate agency prerogative or a part of a security audit.
61. Risk – The likelihood or probability that a loss of information resources or breach of security will occur.
62. Risk Analysis – See: Comprehensive Risk Analysis.
63. Risk Assessment – See: Comprehensive Risk Analysis.
64. Risk Management – Decisions and subsequent actions designed to accept exposure or to reduce vulnerabilities by either mitigating the risks or applying cost effective controls.
65. Router Transport Service – The State-wide multi-protocol fully routed data communications service.
66. Security Audit – An independent formal review and examination of system records and activities to determine the adequacy of system controls, ensure compliance with established security policy and operational procedures, detect breaches in security, and recommend any indicated changes in any of the foregoing.
67. SSID – A Service Set Identifier – A sequence of characters that uniquely names a wireless local area network.
68. Security Controls – Hardware, software, programs, procedures, policies, and physical safeguards that are put in place to assure the availability, integrity and protection of information and the means of processing it.
69. Security incident or breach – An event which results in loss, unauthorized disclosure, unauthorized acquisition, unauthorized use, unauthorized modification, or unauthorized destruction of information resources whether accidental or deliberate.
70. Security Officer – See Data Security Administrator.
71. Security Risk Analysis – The process of identifying and documenting vulnerabilities and applicable threats to information resources.
72. Security Risk Management – See Risk Management.
73. Security Standard – A set of practices and rules that specify or regulate how a system or organization provides security services to protect critical system resources.
74. Security Vulnerability Assessment – An examination of the ability of a system or application, including current security procedures and controls, to withstand assault. A vulnerability assessment may be used to: identify weaknesses that could be exploited and predict the effectiveness of additional security measures in protecting information resources from attack. Systematic examination of a critical infrastructure, the interconnected systems on which it relies, its information, or product to determine the adequacy of security measures, identify security deficiencies, evaluate security alternatives, and verify the adequacy of such measures after implementation.
75. Sensitive Locations – Physical locations such as a data center, financial institution, network operations center or any location where critical, confidential or exempt information resources can be accessed, processed, stored, managed or maintained.
76. Sensitive Software – Software exempt under Section 119.07(3)(o), F.S.; those portions of data processing software, including the specifications and documentation, used to: collect, process, store and retrieve information which is exempt from the Public Records Act under Section 119.07, F.S.; collect, process, store and retrieve financial management information of the agency, such as payroll and accounting records; or control and direct access authorizations and security measures for automated systems.
77. Server – A system entity that provides a service in response to requests from other system entities called “clients”.
78. Session – The time during which two computers maintain a connection and are usually engaged in transferring data or information.
79. Site Survey – A report on the physical, architectural, geographical and electrical limitations of the site and their effect on a wireless solution.
80. Special Trust or Position of Trust – A position in which an individual can view or alter confidential information, or is depended upon for continuity of information resource imperative to the operations of the agency and its mission.
81. Standard – See: Security Standard.
82. Storage or Computer Storage – The holding of data in an electromagnetic form for access by a computer processor; the process of storing information in computer memory or on a magnetic tape or disk.
83. Symmetric Cryptography – A branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification). Symmetric cryptography is sometimes called “secret-key cryptography” (versus public-key cryptography) because the entities that share the key, such as the originator and the recipient of the message, need to keep the key secret.
84. System Control Data – Data files such as programs, password files, security tables, authorization tables, etc., which, if not adequately protected, could permit unauthorized access to information resources.
85. Third Party – See Provider.
86. Triple Data Encryption Standard or “Triple DES” or “3DES” – A block cipher, based on DES, that transforms each 64-bit plaintext block by applying a data encryption algorithm three successive times, using either two or three different keys, for an effective key length of 112 or 168 bits.
87. Unauthorized disclosure – A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
88. Universal Access Service – State sanctioned secure, single point of access to enterprise applications and information.
89. User – See: End User.
90. Virtual Private Network or “VPN” – A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
91. Vulnerability – A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security.
92. Wi-Fi or Wireless Fidelity – The Wi-Fi Alliance certification standard signifying interoperability among 802.11b products.
93. Wireless – Wireless includes any data communication device (e.g., personal computers, cellular phones, PDAs, laptops, etc.) that is connected to any network of the State of Florida. This includes any form of Wireless communications device capable of transmitting packet data.
(b) Other terms shall have their commonly understood meaning.
(3) Policy. Information technology resources residing in the various agencies are strategic and vital assets held in trust and belonging to the people of Florida. It is the policy of the State of Florida that information system security ensure the confidentiality, integrity and availability of information. A loss of confidentiality is the unauthorized disclosure of information. A loss of integrity is the unauthorized modification or destruction of information. A loss of availability is the disruption of access to or use of information or an information system. Each agency shall develop, implement, and maintain an information technology security program to be reviewed by the State Technology Office as set forth in this rule. All documents regarding the development, implementation and maintenance of such programs shall be maintained by the agency’s Information Security Manager (ISM). Each agency shall develop, implement, and maintain an information resource security program that produces the following end products:
(a) Documented and distributed security policies that incorporate the following issues:
1. State information resources are valuable assets of the State of Florida and its citizens and must be protected from unauthorized modification, destruction, disclosure, whether accidental or intentional, or use. The acquisition and protection of such assets is a management responsibility.
2. Access requirements for state information resources must be documented and strictly enforced.
3. Responsibilities and roles of Information Security Managers and data security administrators must be clearly defined.
4. Information that, by law, is confidential or exempt must be protected from unauthorized disclosure, replication, use, destruction, acquisition, or modification.
5. Information resources that are essential to critical state functions must be protected from unauthorized disclosure, replication, use, destruction, acquisition, or modification.
6. All information resource custodians, users, providers, and his/her management must be informed of their respective responsibilities for information resource protection and recovery. These responsibilities must be clearly defined and documented.
7. All information resource custodians, users, providers, and his/her management must be informed of the consequences of non-compliance with his/her security responsibilities. These consequences must be clearly stated in writing.
8. Risks to information resources must be managed. The expense of implementing security prevention and recovery measures must be appropriate to the value and criticality of the assets being protected, considering value to both the state and potential intruders. Procedures for recording and responding to security breaches should be developed and disseminated to appropriate information resource custodians, users, providers, and their management, pursuant to each agency’s internal security procedures.
9. The integrity of data, its source, its destination, and processes applied to it must be assured. Data must change only in authorized, predictable, auditable, and acceptable ways.
10. Information resource custodians, users, providers and their management must be made aware of their responsibilities in disaster-preparedness plans required to continue critical governmental services, to ensure that information resources are available.
11. Security needs must be considered and addressed in all phases of development or acquisition of new information processing systems.
12. The Information Resource Security Program or Information Technology Security Program must be responsive and adaptable to changing environments, vulnerabilities and technologies affecting state information resources.
13. The state should support and uphold the legitimate proprietary interests of intellectual property owners in accordance with applicable federal and state law.
14. Providers shall comply with the Florida Information Resource Security Policies and Standards.
(b) Implementation and maintenance of a documented ongoing training program for information resource security awareness. The training program will include initial security awareness training for all new information resource users, custodians, providers, and their management and ongoing reinforcement covering agency security program components and applicable security related job responsibilities. Each individual must be held accountable for his or her actions relating to information resources.
(c) A set of defined roles and responsibilities of Information Security Managers and data security administrators.
(d) Documentation of employees’ and providers’ acknowledgment and acceptance of the agency’s security policies, procedures, and responsibilities. An individual acknowledgment of accountability shall be included in such documentation.
(e) Clearly defined and current security responsibilities for each information resource user, custodian, provider, and his/her management.
(f) Documentation for managing access criteria for information resources.
(g) Current lists of information resource owners approved and maintained by the agency or secretary of the agency.
(h) Current lists of information resource users approved and maintained by the agency or secretary of the agency. Except as permitted under paragraph 60DD-2.004(1)(a), F.A.C., information resource users shall be individually identified.
(i) Current lists of information resource custodians approved and maintained by the agency or secretary of the agency.
(j) Current documented procedures for conducting background checks for positions of special trust and responsibility or positions in sensitive locations approved and maintained by the agency or secretary of the agency.
(k) An ongoing documented program of risk management, including risk analysis for all critical information resources, and periodic comprehensive risk analyses of all information resources. Comprehensive risk analyses shall be conducted after major changes in the software, procedures, environment, organization, or hardware.
(l) Current identification of all agency critical information resources approved and maintained by the agency’s Information Security Manager (ISM). Agencies shall categorize all information and information systems in accordance with Federal Information Processing Standard 199, incorporated by reference at subsection 60DD-2.010(6), F.A.C., and Sections 119.07(3)(o) and 282.318, F.S.
(m) For all critical information resources, current documentation for implementing and maintaining auditable disaster-preparedness plans including: procedures for cross training of critical or unique skills; responsibilities and procedures for information resource custodians, owners, and users; procedures for maintaining current data on critical information resources (including hardware, software, data, communications, configurations, staff, special forms, and supplies); and interdependencies between and among resources (both internal and external).
(n) Current documentation for executing and maintaining test scenarios for disaster-preparedness plans.
(4) Applicability.
(a) The information security policies and standards of this rule chapter apply to those entities described in Section 216.011(1)(qq), F.S. They apply to state automated information systems that access, process, or have custody of data. They apply to mainframe, minicomputer, distributed processing, and networking environments of the state. They apply equally to all levels of management and to all supervised personnel.
(b) State information security policies and standards of this rule chapter apply to information resources owned by others, such as political subdivisions of the state or agencies of the federal government, in those cases where the state has a contractual or fiduciary duty to protect the resources while in the custody of the state. In the event of a conflict, the more restrictive security measures apply.
(c) Exceptions.
1. Heads of executive agencies are authorized to exempt from the application of paragraph 60DD-2.004(2)(b), subsection 60DD-2.004(4), paragraph 60DD-2.005(3)(a), 60DD-2.005(3)(b), or 60DD-2.005(4)(b), F.A.C., of this rule, information resources used for classroom or instructional purposes, provided the head of the agency has documented his or her acceptance of the risk of excluding these resources, and further provided that the information resources used for classroom or instructional purposes are not critical.
2. The head of an executive agency is authorized to exempt from the application of paragraph 60DD-2.004(2)(b), subsection 60DD-2.004(4), paragraph 60DD-2.005(3)(a), 60DD-2.005(3)(b), or 60DD-2.005(4)(b), F.A.C., of this rule, stand-alone end user workstations, provided these workstations are not used to process, store, or transmit critical information resources.
(5)(a) Agency Security Program. The purpose of the agency security program is to ensure that the security of the information resources of the agency is sufficient to reduce the risk of loss, modification or disclosure of those assets to an acceptable level. As identified in the agency’s comprehensive risk analysis, the expense of security safeguards must be commensurate with the value of the assets being protected.
(b) Standard. Each agency shall develop an Information Resource Security Program that includes a documented and maintained current internal Information Resource Security Plan(s) approved by the agency Chief Information Officer (CIO), and maintained by the agency’s Information Security Manager (ISM). The agency security program and plan(s) shall include written internal policies and procedures for the protection of information resources, be an instrument implementing the Florida Information Resource Security Policies and Standards, be applicable to all elements of the agency, and be signed by the agency head.
(6)(a) Responsibility; Security Audits. The State Technology Office, in consultation with each agency head, is responsible for the security of each agency’s information resources and for establishing information security requirements on an agency-wide basis. To assist the State Technology Office in carrying out security responsibilities, the duties and functions which management has determined to be appropriate for each agency need to be explicitly assigned. When necessary, based on the outcome of risk analysis, to ensure integrity, confidentiality and availability of state information and resources or to investigate possible security incidents to ensure conformance with this rule chapter and Florida law, the State Technology Office shall conduct or contract with a third party to conduct a security audit on any system within the State of Florida networks to determine compliance with the Florida Information Resource Security Policies and Standards. Pursuant to Section 282.318(2)(a)5., F.S., the State Technology Office shall also ensure that each agency conducts periodic internal audits and evaluations of its Information Technology Security Plan.
(b) Standard. Pursuant to Section 282.318(2)(a)1., F.S., the State Technology Office shall, in consultation with each agency head, appoint in writing an Information Security Manager (ISM) to administer the agency information resource security program and shall prescribe the duties and responsibilities of the function for each agency.
(7)(a) Owner, Custodian, and User Responsibilities. The major objective of information resource security is to provide cost-effective controls to ensure that information is not subject to unauthorized acquisition, use, modification, disclosure, or destruction. To achieve this objective, procedures that govern access to information resources must be in place. The effectiveness of access rules depends to a large extent on the correct identification of the owners, custodians, and users of information. Owners, custodians, and users of information resources shall be identified, documented, and their responsibilities defined.
(b) Standard. Owner responsibilities. All information resources shall be assigned an owner. In cases where information resources are aggregated for purposes of ownership, the aggregation shall be at a level that assures individual accountability. The owner or his or her designated representative(s) are responsible for and authorized to:
1. Approve access and formally assign custody of an information resources asset;
2. Determine the asset’s value;
3. Specify data control requirements and convey them to users and custodians;
4. Specify appropriate controls, based on risk assessment, to protect the state’s information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources outsourced by the agency;
5. Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data;
6. Ensure compliance with applicable controls;
7. Assign custody of information resource assets and provide appropriate authority to implement security control and procedures; and
8. Review access lists based on documented agency security risk management decisions.
(c) Standard. Custodian responsibilities. Custodians of information resources, including entities providing outsourced information resources services to state agencies or other providers, must:
1. Implement the controls specified by the owner(s);
2. Provide physical and procedural safeguards for the information resources;
3. Assist owners in evaluating the cost-effectiveness of controls and monitoring; and
4. Implement the monitoring techniques and procedures for detecting, reporting and investigating incidents.
(d) Standard. User responsibilities. Users of information resources shall comply with established controls.
(8) Risk Management. Risk analysis is a systematic process of evaluating vulnerabilities and threats to information resources. Risk analysis provides the basis for risk management; i.e., assumption of risks and potential losses, or selection of cost effective controls and safeguards to reduce risks to an acceptable level. The goal of risk analysis is to determine the probability of potential risks, in order to integrate financial objectives with security objectives.
(a) Standard. Agencies shall perform or update a comprehensive risk analysis of all critical information processing systems when major changes occur and as specified in subsection 60DD-2.001(3), F.A.C. Comprehensive risk analysis results shall be presented to the State Technology Office and to the owner of the information resource for subsequent risk management.
(b) Standard. Agencies shall implement appropriate security controls determined through comprehensive risk analysis to be cost effective in the reduction or elimination of identified risks to information resources. Any delegation by the agency head of authority for risk management decisions shall be documented.
(c) Standard. The State Technology Office shall evaluate potentially useful risk analysis programs and methodologies. Only those programs and methodologies approved by the State Technology Office shall be accepted as meeting the requirements for comprehensive risk analysis as specified in paragraph 60DD-2.001(8)(a), F.A.C.
(d) Standard. Agencies shall perform a risk analysis consistent with NIST Risk Management Guide for Information Technology Systems, Special Publication 800-30, incorporated by reference at subsection 60DD-2.010(7), F.A.C.
Rulemaking Specific Authority 282.102(2), (6), (16) FS. Law Implemented 282.0041, 282.101, 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.002 Control of Computers and Information Resources.
(1)(a) Use of State Information Resources.
(b) Standard. Access to data files and programs shall be limited to those individuals authorized to view, process, or maintain particular systems.
(2) Access to and Handling of Confidential or Exempt Information.
(a) Standard. Confidential or exempt information shall be accessible only to personnel who are authorized by the agency on the basis of the performance of responsibilities or as authorized by law. Data containing any confidential or exempt information shall be readily identifiable.
(b) Standard. An auditable, continuous chain of custody shall record the transfer of confidential or exempt information. When confidential or exempt information from an agency is received by another agency in connection with the transaction of official business, the receiving agency shall maintain the confidentiality of the information in accordance with the applicable law.
(3)(a) Audit Trails.
(b) Standard. Audit trails shall be maintained to provide accountability for all accesses to confidential and exempt information and software, for all modifications to records that control movement of funds or fixed assets, and for all changes to automated security or access.
Rulemaking Specific Authority 282.102(2), (6), (16) FS. Law Implemented 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.003 Physical Security and Access to Data Processing Facilities.
(1)(a) Central Computer Rooms. All state information processing areas must be protected by physical controls appropriate for the size and complexity of the operations and the criticality of the systems operated at those locations.
(b) Standard. Physical access to central information resources facilities shall be managed and documented by the agency head or his or her designated representative. Physical access to central information resources facilities shall be restricted to only authorized personnel. Authorized visitors shall be recorded and supervised.
(c) Standard. Reviews of physical security measures for information resources shall be conducted annually by the agency head or designated representative(s). Written emergency procedures shall be developed, updated, and tested at least annually in accordance with Rule 60DD-2.007, F.A.C.
(2)(a) Outside Central Computer Rooms.
(b) Standard. While handled or processed by terminals, communications switches, and network components outside the central computer room, confidential or exempt information shall receive the level of protection necessary to ensure its integrity and confidentiality. Physical or logical controls, or a mix thereof, may achieve the required protection.
(c) Standard: Workstation use. Agencies shall implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation.
(d) Standard: Workstation security. Agencies shall implement physical safeguards for all workstations that access confidential or exempt information, to restrict access to authorized users.
(3)(a) Environmental Controls. One of the major causes of computer downtime is the failure to maintain proper controls over temperature, humidity, air movement, cleanliness, and power. Information resources shall be protected from environmental hazards. Environmental controls must also provide for safety of personnel.
(b) Standard. Employees and information resources shall be protected from environmental hazards. Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems.
Rulemaking Specific Authority 282.102(2), (6), (16) FS. Law Implemented 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.004 Logical and Data Access Controls.
(1) Personal Identification, Authentication, and Access.
(a) Standard. Except for public web page information resources, each user of a multiple-user information resource shall be assigned a unique personal identifier or user identification. User identification shall be authenticated before access is granted.
(b) Standard. When a unique personal identifier or user identification has been assigned, that user’s access authorization shall be removed when the user’s employment is terminated or the user transfers to a position where access to the information resource is no longer required.
(2)(a) Password Controls. Personal passwords are used to authenticate a user’s identity and to establish accountability. Access passwords are used to grant access to data and may be used where individual accountability is not required. Federal Information Processing Standards Publication 112 (FIPS PUB 112) (incorporated by reference at subsection 60DD-2.010(2), F.A.C.) specifies basic security criteria in the use of passwords to authenticate personal identity and data access authorization.
(b) Standard. Systems that use passwords shall conform to the federal standard contained in FIPS PUB 112. A current Password Standard Compliance Document that specifies the criteria to be met for the ten factors contained in the standard shall be maintained for all systems which use passwords.
(c) Standard: Agency Heads and Agency Chief Information Officers shall ensure that all personnel (including providers and end users who utilize State of Florida information technology resources) that have a user account on the State of Florida internal network have read and acknowledged a written password policy (or other authentication policy, if applicable) by signing through a physical or electronic process a Statement of Understanding. The Statement of Understanding shall indicate that the employee has read the policy and agrees to abide by it as consideration for continued employment with the State of Florida and that violation of password or other authentication policies may result in dismissal. Agency Heads and Chief Information Officers shall also ensure that information technology professionals enforce the parts of the policy within the scope of their capability, and that periodic compliance audits are performed.
(3) Standard. Authentication Controls. All agency authentication controls shall ensure that information is not accessed by unauthorized persons and that information is not altered by unauthorized persons in a way that is not detectable by authorized users.
(4) Standard. Access to Software and Data. Controls shall ensure that users of information resources cannot access stored software or system control data unless they have been authorized to do so.
(5) Encryption.
(a) Standard. Activities storing or transmitting confidential or exempt information shall require encryption processes approved by the State Technology Office if necessary to ensure that the information remains confidential. Individual users must use State Technology Office approved encryption products and processes for sending an encrypted e-mail, encrypting a desktop work file, protecting a personal private key or digital certificate, or encrypting a saved e-mail. Key escrow and key recovery processes must be in place, and verified prior to encryption of any confidential or exempt agency data. Federal Information Processing Standard (FIPS) PUB 140-2, May 25, 2001 (http://csrc.nist.gov/cryptval/140-2.htm), is incorporated by reference at subsection 60DD-2.010(3), F.A.C.
(b) Standard. Encryption keys should not be stored on the same electronic storage device as the information that has been encrypted using the keys. Access to encryption keys should be restricted to authorized users and authorized processes using an access control mechanism.
(c) Standard. Remote administration of hardware, software, or applications should be performed over an encrypted communications session consistent with the Florida Information Resource Security Policies and Standards.
Rulemaking Specific Authority 282.102(2), (6), (16) FS. Law Implemented 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.005 Data and System Integrity.
No end user of a state information resource, even if authorized, shall be permitted to make modifications to information resources in such a way that state data is lost or corrupted. It is the policy of the State of Florida that electronic data must be protected in all of its forms, on all media or devices, during all phases of its life cycle, from unauthorized or inappropriate access, use, modification, disclosure, or destruction. This policy applies to all data assets that exist in any State processing environments.
(1)(a) Standard. Controls shall be established to ensure the accuracy and completeness of data.
(2)(a) Separation of Functions. The purpose of separation of functions is to minimize the opportunity for any one person to subvert or damage information resources.
(b) Standard. For tasks that are susceptible to fraudulent or other unauthorized activity, departments shall ensure adequate separation of functions for controlled execution.
(3) Testing Controls and Program Maintenance.
(a) Standard. The test functions shall be kept either physically or logically separate from the production functions.
(b) Standard. After a new system has been placed in operation, all program changes shall be approved before implementation to determine whether they have been authorized, tested, and documented. Change management will be practiced for modifications to existing systems and applications to include the introduction of new systems and applications.
(4)(a) Transaction History. Automated chronological or systematic records of changes to data are important in the reconstruction of previous versions of the data in the event of corruption. Such records, sometimes referred to as journals, are useful in establishing normal activity, in identifying unusual activity, and in the assignment of responsibility for corrupted data.
(b) Standard. A sufficiently complete history of transactions shall be maintained for each session involving access to critical information to permit an audit of the system by tracing the activities of individuals through the system. Individuals accessing critical information will be uniquely identified through appropriate authentication and/or account and password controls.
Rulemaking Specific Authority 282.102(2), (6), (16) FS. Law Implemented 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.006 Network Security.
Networking, including distributed processing, concerns the transfer of information among users, hosts, servers, applications, voice, video and intermediate facilities. During transfer, data is particularly vulnerable to unintended access or alteration.
(1) Network Controls, General.
(a) Standard. Network resources used in the access of confidential or exempt information shall assume the sensitivity level of that information for the duration of the session. Controls shall be implemented commensurate with the highest risk.
(b) Standard. All network components under state control must be identifiable and restricted to their intended use.
(2)(a) Security at Network Entry and Host Entry. State owned or leased network facilities and host systems are state assets. Their use must be restricted to authorized users and purposes. State employees who have not been assigned a user identification code and means of authenticating their identity to the system are not distinguishable from public users and must not be afforded broader access.
(b) Standard. Owners of information resources served by networks shall prescribe sufficient controls to ensure that access to network services and host services and subsystems is restricted to authorized users and uses only. These controls shall selectively limit services based upon:
1. User identification and authentication (e.g., password); or
2. Designation of other users, including the public where authorized, as a class (e.g., public access through dial-up or public switched networks), for the duration of a session.
(c) Third Party Connections.
1. Agency third party connection agreements shall determine the responsibilities of the third party, including approval authority levels and all terms and conditions of the agreement.
2. All agency third party network connections must meet the requirements of the Florida Information Resource Security Policies and Standards. Blanket access is prohibited. Service provided over third party network connections is limited to services, devices and equipment needed.
(d) Internet connectivity. Internet connectivity is allowable only if the applicable service agreement permits.
(e) Any external individual or entity needing access to the state’s secure network inside state firewalls shall do so through Universal Access Service, Route Transport Service Extranet, Virtual Private Network or Frame Relay Network Extranet.
(f) Audits. Each agency shall audit third party network connections by conducting Security Vulnerability Assessments.
(3)(a) Application-level Security.
(b) Standard. Network access to an application containing confidential or exempt data, and data sharing between applications, shall be as authorized by the application owners and shall require authentication.
(4) Data and File Encryption.
(a) Security through encryption depends upon both of the following:
1. Proper use of an approved encryption methodology; and
2. Only the intended recipients holding the encryption key-variable (key) for that data set or transmission.
(b) Standard. While in transit, information which is confidential, exempt or information which in and of itself is sufficient to authorize disbursement of state funds shall be encrypted if sending stations, receiving stations, terminals, and relay points are not all under positive state control, or if any are operated by or accessible to personnel who have not been authorized access to the information, except under the following conditions:
1. The requirement to transfer such information has been validated and cannot be satisfied with information which has been sanitized; and
2. The agency head, or the designated official if the agency head has delegated authority for risk management decisions, has documented acceptance of the risks of not encrypting the information based on evaluation of the costs of encryption against exposures to all relevant risks.
(c) Standard. For systems employing encryption as required by paragraph 60DD-2.006(4)(b), F.A.C., procedures shall be prescribed for secure handling, distribution, storage, and construction of Data Encryption Standard (DES) key variables used for encryption and decryption. Protection of the key shall be at least as stringent as the protection required for the information encrypted with the key.
(d) Standard. Confidential or exempt data or information shall be encrypted pursuant to the Advanced Encryption Standard or “AES” defined in Federal Information Processing Standard Publication 197, incorporated by reference at subsection 60DD-2.010(5), F.A.C., or the Triple Data Encryption Standard known as “Triple DES” or “3DES”. Legacy systems not supporting the “AES” or “3DES” shall not store confidential or exempt data or information, but may use the federal Data Encryption Standard or “DES” defined in Federal Information Processing Standard Publication, (FIPS PUB 46-3), incorporated by reference at subsection 60DD-2.010(1), F.A.C., for other data or information as necessary.
(e) Standard. A minimum requirement for digital signature verification shall be in accordance with the Federal Information Processing Digital Signature Standard, (FIPS PUB 186-2), incorporated by reference at subsection 60DD-2.010(4), F.A.C.
(5)(a) Remote Access.
(b) Standard. For services other than public access, users of state dial-up services shall be positively and uniquely identifiable and their identity authenticated (e.g., by password) to the network accessed and to the systems being accessed.
(6)(a) Security Alerts.
(b) Standard. The State Technology Office will maintain the capability to monitor the Internet and appropriate global information security resources for any abnormalities or threats present on the Internet, including the detection of backdoors or hardware or software that is intentionally included or inserted in a system for a harmful purpose. Such abnormalities or threats will then be translated into Information Security Alerts and provided to state agencies. In response to each Information Security Alert, agencies shall log corrective actions and implement the recommended remediation actions contained in the Information Security Alerts within the alert’s recommended time frame. Agencies shall notify the State Technology Office in writing when remediation is complete. The State Technology Office shall verify that agencies are implementing the requisite Information Security Alert remediation actions.
(c) Standard. The State Technology Office shall keep a log of all Information Security Alerts sent. The log shall contain tracking information on all formats of alerts issued, and the associated actions taken as reported by each agency. The State Technology Office shall report any non-compliance with Information Security Alerts to applicable agency heads.
(7)(a) Virus Detection and Prevention.
(b) Standard. All State computers and systems must have anti-virus software that provides protection to computer systems and media from computer virus intrusion, provides detection of computer viruses on an infected computer system or media, and provides for recovery from computer virus infection. Anti-virus software shall be installed and scheduled to run at regular intervals. Real-time scanning shall be enabled. The anti-virus software and the virus pattern files must be kept current. Virus-infected computers or systems must be removed from the network until they are verified as virus-free. This rule applies to State of Florida computers that are personal computer (“PC”)-based or utilize PC-file directory sharing, including desktop computers, laptop computers, servers (including domain controllers, proxy, ftp, file and print, etc.), and any PC-based equipment such as firewalls, intrusion detection systems (IDS), gateways, routers, and wireless devices.
(c) Standard. Each State agency is responsible for creating procedures that ensure anti-virus software is run at regular intervals and that computers and systems are verified as virus-free.
(8) Mobile Device Security.
(a) Standard. State agencies shall prepare written policies and procedures for mobile device use incorporating core security measures consistent with the Florida Information Resource Security Policies and Standards. Agencies shall, consistent with the capability of the device and its software, utilize a secure operating system offering secure logon, file level security, and data encryption. Agencies shall enable a strong password for mobile device use consistent with paragraphs 60DD-2.004(2)(a)-(c), F.A.C. Agencies’ mobile devices shall utilize anti-virus software consistent with paragraph 60DD-2.006(7)(b), F.A.C.
(b) Standard. Agencies shall asset tag or engrave laptops, permanently marking (or engraving) the outer case of the laptop with the agency name, address, and phone number or utilizing a metal tamper-resistant commercial asset tag.
(c) Standard. Agencies shall register mobile devices with the manufacturer and retain the registration correspondence and any applicable serial numbers in the agency’s records.
(9) Wireless Connectivity.
(a) Wireless security is essential to:
1. Safeguard security of the State’s network systems and data.
2. Prevent interference between different agency implementations and other uses of the Wireless spectrum.
3. Ensure that a baseline level of connection service quality is provided to a diverse user community.
(b) Standard. A site survey shall be conducted prior to wireless implementation that includes identification of security risks and threats.
(c) Standard. If VPN services are used, split tunnel mode shall be disabled when connected to any wireless network.
(d) Standard. Strong mutual user authentication shall be utilized.
(e) Standard. When passing wireless traffic over public networks, strong encryption or State of Florida sanctioned VPNs shall be used.
(f) Standard. The SSID name shall be changed from the default and administrative passwords shall be changed every 180 days.
(g) Standard. Security features of the Access Point vendors shall be enabled.
(h) Standard. Access points shall be Wi-Fi compliant pursuant to IEEE Standard 802.11, incorporated by reference at subsection 60DD-2.010(17), F.A.C. Standard 802.11 specifies medium access and physical layer specifications for 1 Mbps and 2 Mbps wireless connectivity between fixed, portable, and moving stations within a local area.
(i) Standard. IP forwarding shall be disabled on all wireless clients.
(j) Standard. Master keys shall be changed annually, and key rotation schemes shall be changed at least once every 15 minutes.
(k) Standard. Theft or loss of a wireless-enabled device shall be reported to the agency Information Security Manager in order to retire the device’s credentials.
(l) Standard. Wireless devices shall not be connected simultaneously to another wired or wireless network other than standard utilization of a commercial carrier signal.
(m) Standard. Wireless devices shall be password protected and must automatically time out in 15 minutes or less.
(n) Standard. Wireless devices having the features of personal firewalls and anti-virus capability shall be enabled.
(10) Web Servers and Network Servers.
(a) Security of Web Servers providing Public Internet access is essential to address:
1. Proper configuration and operation of the host servers to prevent inadvertent disclosure or alteration of confidential or exempt information.
2. Preventing compromise of the host server.
3. Users unable to access the Web site due to a denial of service.
(b) Standard. Agencies shall secure network and public web servers consistent with the Carnegie Mellon Software Engineering Institute’s Security Improvement Module, “Securing Network Servers” incorporated by reference at subsection 60DD-2.010(19), F.A.C., and NIST Guidelines on Securing Public Web Servers, Special Publication 800-44, incorporated by reference at subsection 60DD-2.010(10), F.A.C.
(c) Standard. Network Servers housed in the State Technology Office, Shared Resource Center shall be subject to a Security Vulnerability Assessment prior to connection to the State Technology Internal Network.
(11) Electronic Mail Security. Standard. Agencies shall utilize NIST Guidelines on Electronic Mail Security, Special Publication 800-45, incorporated by reference at subsection 60DD-2.006(11), F.A.C., as a standard for electronic mail security.
(12) Firewalls. Standard. Agencies shall utilize NIST Guidelines on Firewalls and Firewall Policy, Special Publication 800-41, incorporated by reference at subsection 60DD-2.010(9), F.A.C., as a standard for firewalls.
(13) Patching of Network Servers, Workstations and Mobile Devices. Standard. Agencies shall utilize NIST Procedures for Handling Security Patches, Special Publication 800-40, incorporated by reference at subsection 60DD-2.010(8), F.A.C., as a standard for patching of network servers, workstations and mobile devices.
Rulemaking Specific Authority 282.102(2), (6), (16) FS. Law Implemented 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.007 Backup and Disaster Recovery.
(1)(a) Backing up of Data. On-site backup is employed to have readily available current data in machine-readable form in the production area in the event operating data is lost, damaged, or corrupted, without having to resort to reentry from data sources, i.e., other electronic or hard copy records. Off-site backup or storage embodies the same principle but is designed for longer term protection in a more sterile environment, requires less frequent updating, and is provided additional protection against threats potentially damaging to the primary site and data.
(b) Standard. Data and software essential to the continued operation of critical agency functions shall be backed up. The security controls over the backup resources shall be as stringent as the protection required of the primary resources.
(2) Contingency Planning. Disaster-Preparedness Plans, as described in subparagraph 60DD-2.001(2)(a)36., F.A.C., specify actions management has approved in advance to achieve each of three objectives. The emergency component assists management in identifying and responding to disasters so as to protect personnel and systems and limit damage. The backup and disaster recovery plan specifies how to accomplish critical portions of the mission in the absence of a critical resource such as a computer. The overall Disaster-Preparedness Plan directs recovery of full mission capability.
(a) Standard. All information resource owner, custodian, and user functions identified as critical to the continuity of governmental operations shall have written and cost effective disaster-preparedness plans to provide for the prompt and effective continuation of critical state missions in the event of a disaster.
(b) Standard. Disaster-preparedness plans as required by paragraph 60DD-2.007(2)(a), F.A.C., shall be tested at least annually.
Rulemaking Specific Authority 282.102(2), (6), (16) FS. Law Implemented 252.365, 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.008 Personnel Security and Security Awareness.
(1)(a) End User Requirements, General.
(b) Standard. Every employee shall be held responsible for information resources security to the degree that his or her job requires the use of information resources.
(2)(a) Positions of Special Trust or Responsibility or in Sensitive Locations. Individual positions must be analyzed to determine the potential vulnerabilities associated with work in those positions. Agencies shall prepare written procedures for personnel in positions of special trust or having access to sensitive locations. Agencies shall utilize ISO/IEC 17799-2000(E), 8.6.3, Information Handling Procedures, incorporated by reference at subsection 60DD-2.010(15), F.A.C., as a guide for development of procedures.
(b) Standard. Agencies shall establish procedures for reviewing data processing positions that are designated as special trust or are in sensitive locations.
(c) Standard. Agencies shall conduct background investigations for personnel in positions of special trust or having access to sensitive locations as set forth in Sections 110.1127 and 435.04, F.S.
(3) Security Awareness and Training. An effective level of awareness and training is essential to a viable information resource security program.
(a) Standard. Agencies shall provide an ongoing awareness and training program in information security and in the protection of state information resources for all personnel whose duties bring them into contact with critical state information resources. Security training sessions for these personnel shall be ongoing. Agencies shall utilize NIST Building an Information Security Technology Awareness and Training Program, Special Publication 800-50, incorporated by reference at subsection 60DD-2.010(12), F.A.C., as a guide for development of such programs.
(b) Standard. Awareness and training in security shall not be limited to formal training sessions, but shall include ongoing briefings and continual reinforcement of the value of security consciousness in all employees whose duties bring them into contact with critical state information resources.
(c) Standard. Departments shall apply appropriate sanctions against any employee who fails to comply with their security policies and procedures.
Rulemaking Specific Authority 282.102(2), (16) FS. Law Implemented 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.009 Systems Acquisition, Disposal, Auditing, and Reporting.
(1)(a) Systems Acquisition. Major system development decisions must be based on consideration of security and audit requirements during each phase of life cycle development.
(b) Standard. Appropriate information security and audit controls shall be incorporated into new systems. Each phase of systems acquisition shall incorporate corresponding development or assurances of security and auditability controls.
(2)(a) Systems Disposal. Device and media controls. Agencies shall implement policies and procedures that govern the receipt and removal of hardware and electronic media/devices that contain confidential or exempt information into and out of a facility, and the movement of these items within the facility.
(b) Implementation specifications: Agencies shall implement policies and procedures to address the final disposition of confidential or exempt information, and the hardware or electronic media on which it is stored.
(c) Media and Devices re-use or disposal. Agencies shall implement procedures for removal of confidential or exempt information from electronic media before the media are made available for re-use or disposal in accordance with ISO 17799-2000(E), 7.2.6, Secure disposal or re-use of equipment, and 8.6.2, Disposal of Media, incorporated by reference at subsection 60DD-2.010(15), F.A.C., and NIST Security Considerations in the Information System Development Life Cycle, Special Publication 800-64, incorporated by reference at subsection 60DD-2.010(13), F.A.C.
(3) Audits. The establishment and maintenance of a system of internal control is an important management function. Internal audits of information resource management functions, including security of data and information technology resources in accordance with paragraph 60DD-2.001(6)(a), F.A.C., are an integral part of an overall security program. The frequency, scope, and assignment of internal audits for security of data and information technology resources should be established to ensure that agency management has timely and accurate information concerning functions management is responsible to perform.
(a) Standard. An internal audit of the agency information security function shall be performed annually or when there are major system changes, or as directed by the head of the department.
(b) Standard. Automated systems which process confidential or exempt information must provide the means whereby authorized personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, or effect the release of the information.
(4) Incident Reporting.
(a) Continuous analysis of trends and types of security incidents and breaches is important to the integrity of agency and state information resource security programs. Security incident reporting provides a basis for a continuing evaluation of agency and state information security postures. The objective of such analysis is to refine security rules, policies, standards, procedures, guidelines, and training programs to assure their continued effectiveness and applicability.
(b) Standard. Security incidents and breaches shall be promptly investigated and reported to the appropriate authorities.
(c) Standard. The State Technology Office shall provide analysis and centralized reporting of trends and incidents to agencies, and shall initiate appropriate changes to state policies, rules, standards, guidelines, training programs, or statutes.
(d) Standard. Response teams. Each agency shall create an organized team to address cyber alerts and responses. Each team shall include at least one individual with expertise from the agency’s legal, human resources, inspector general and information technology areas, as well as the Chief Information Officer and the Information Security Manager of the agency. The team shall report computer security incidents to the State Technology Office’s Office of Information Security, convene as required upon notification of a reported computer security incident, respond to activities that may interrupt the information technology services of the area for which the team is responsible during duty and non-duty hours, classify, document and investigate agency security incidents, and maintain an awareness of and implement procedures for effective response to computer security incidents. The team shall provide regular reports to the agency’s Chief Information Officer and shall follow the direction of the Chief Information Officer during incident response activities.
Rulemaking Specific Authority 282.102(2), (16) FS. Law Implemented 281.301, 282.318 FS. History–New 8-10-04, Repealed________.
60DD-2.010 Standards Adopted.
(1) Federal Information Processing Standard Publication Number 46-3 – Data Encryption Standard, October 25, 1999, is hereby incorporated by reference.
(2) Federal Information Processing Standard Publication Number 112 – Password Usage, May 30, 1985, is hereby incorporated by reference.
(3) Federal Information Processing Standard Publication Number 140-2, Security Requirements for Cryptographic Modules, is hereby incorporated by reference.
(4) Federal Information Processing Standard Publication Number 186-2, Digital Signature Standard, is hereby incorporated by reference.
(5) Federal Information Processing Standard Publication Number 197, Advanced Encryption Standard, is hereby incorporated by reference.
(6) Federal Information Processing Standard Publication Number 199 – Standards for Security Categorization of Federal Information and Information Systems, December 5, 2003, is hereby incorporated by reference.
(7) NIST Risk Management Guide for Information Technology Systems, Special Publication 800-30, is hereby incorporated by reference.
(8) NIST Procedures for Handling Security Patches, Special Publication 800-40, is hereby incorporated by reference.
(9) NIST Guidelines on Firewalls and Firewall Policy, Special Publication 800-41, is hereby incorporated by reference.
(10) NIST Guidelines on Securing Public Web Servers, Special Publication 800-44, is hereby incorporated by reference.
(11) NIST Guidelines on Electronic Mail Security, Special Publication 800-45, is hereby incorporated by reference.
(12) NIST Building an Information Security Technology Awareness and Training Program, Special Publication 800-50, is hereby incorporated by reference.
(13) NIST Security Considerations in Information System Development Life Cycle, Special Publication 800-64, is hereby incorporated by reference.
(14) Copies of these standards are available for downloading from the National Institute of Standards and Technology at www.nist.gov or by writing orders@ntis.gov or:
United States Department of Commerce
National Technical Information Service
5285 Port Royal Road
Springfield, Virginia 22161
(15) Section 7.2.6 (“Secure Disposal or Re-Use of Equipment”), Section 8.6.2 (“Disposal of Media”), and Section 8.6.3 (“Information Handling Procedures”) of International Organization for Standardization ISO/IEC Standard 17799 are hereby incorporated by reference.
(16) Copies of these sections of the standard are available from the American National Standards Institute at www.ansi.org or at info@ansi.org or by writing:
American National Standards Institute
25 West 43rd Street, 4th Floor
New York, New York 10036
(17) Institute of Electrical and Electronics Engineers Standard 802.11 is hereby incorporated by reference.
(18) Copies of this standard are available from the Institute of Electrical and Electronics Engineers, at www.ieee.org or at ieeeusa@ieee.org or by writing:
Institute of Electrical and Electronics Engineers
1828 L. Street, N.W., Suite 1202
Washington, D.C. 20036-5104
(19) The Carnegie Mellon Software Engineering Institute’s Security Improvement Module, “Securing Network Servers,” is hereby incorporated by reference.
(20) Copies of this security improvement module are available from the Carnegie Mellon Software Engineering Institute at www.cert.org or at webmaster@cert.org or by writing:
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, Pennsylvania 15213-3890
Rulemaking Specific Authority 282.102(2) FS. Law Implemented 120.54(8), 282.318 FS. History–New 8-10-04, Repealed________.