Notice of Change/Withdrawal

AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY
Office of Information Security
Rule No.: RULE TITLE
71A-1.004: Agency Information Technology Workers
71A-1.011: Configuration Management
71A-1.016: Media Protection
71A-1.017: Physical and Environmental Protection
71A-1.019: Personnel Security and Acceptable Use
NOTICE OF CHANGE
Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., published in Vol. 36 No. 24, June 18, 2010 issue of the Florida Administrative Weekly.

The changes published in this Notice of Change apply to the proposed rule published on June 18, 2010 and supersede changes to any previous versions of the same provisions.

71A-1.004 Agency Information Technology Workers.

(1) Agency heads are responsible to ensure information technology workers are managed appropriately and effectively.

(1)(2) Agency heads are advised to designate iInformation technology positions with access to information processing facilities, or positions that have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate or high as are positions of special trust.

(3) through (7) renumbered (2) through (6) No change.

71A-1.011 Configuration Management.

(3) The agency shall specify and document standard configurations used to harden software and hardware and assure the configurations address known security vulnerabilities and are consistent with industry accepted system hardening standards.

71A-1.016 Media Protection.

(2) The agency shall maintain electronic data in accordance with the same applicable regulatory retention requirements that apply to agency data in non-electronic formats.

71A-1.017 Physical and Environmental Protection.

(5) Visitors shall be recorded and, in locations housing systems categorized as moderate impact or high impact, they shall be supervised. (See Rule 71A-1.020.)

71A-1.019 Personnel Security and Acceptable Use.

(14) Users shall change their passwords at least every 60 days for high risk systems, every 90 days for moderate risk systems and every 180 days for low risk systems. (See Rule 71A-1.020.)