The changes published in this Notice of Change apply to the proposed rule published on June 18, 2010 and supersede changes to any previous versions of the same provisions.
71A-1.004 Agency Information Technology Workers.
(1) Agency heads are responsible to ensure information technology workers are managed appropriately and effectively.
(1)(2) Agency heads are advised to designate iInformation technology positions with access to information processing facilities, or positions that have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate or high as are positions of special trust.
(3) through (7) renumbered (2) through (6) No change.
71A-1.011 Configuration Management.
(3) The agency shall specify and document standard configurations used to harden software and hardware and assure the configurations address known security vulnerabilities and are consistent with industry accepted system hardening standards.
71A-1.016 Media Protection
(2) The agency shall maintain electronic data in accordance with the same applicable regulatory retention requirements that apply to agency data in non-electronic formats.
71A-1.017 Physical and Environmental Protection.
(5) Visitors shall be recorded and, in locations housing systems categorized as moderate impact or high impact, they shall be supervised. (See Rule 71A-1.020.)
71A-1.019 Personnel Security and Acceptable Use
(14) Users shall change their passwords at least every 60 days for high risk systems, every 90 days for moderate risk systems and every 180 days for low risk systems. (See Rule 71A-1.020.)