Documente Academic
Documente Profesional
Documente Cultură
DEP 390
Effective: March 13,2012
Approved by Secretary
Introduction
Information is an asset that, like other important assets, is essential to an agencys
mission and consequently needs to be protected. Information can exist in many
forms. It can be printed, written on paper, stored and transmitted electronically
through interconnected business environments. As a result of increasing
interconnectivity to share information, information is now exposed to a growing
number and a wider variety of threats and vulnerabilities. Information security is
the protection of information from a wide range of threats in order to ensure
agency continuity, minimize risk to an acceptable level to management, and
maximize agencys opportunities. Information security is achieved by implementing
a suitable set of controls, both physical and technical, and through policies.
2.
Purpose
The purpose of the Information Security Policy is to ensure that the security of
DEPs information resources is sufficient to reduce the risk of loss, modification or
disclosure of those assets to a level acceptable to DEP management. The agencys
adherence to these policies ensures compliance with the States information
security rules and offers DEP a set of best practices that assures the security of
information under the agencys responsibility to protect.
3.
Authority
Authority is derived from Florida Statute 282.318: Communications and Data
Processing and from Agency for Enterprise Information Technology (AEIT), Office
of Information Security (OIS) Rule 71A-1: Information Technology Resource
Security Policies and Standards.
4.
Scope
Information security policies and standards apply to all agency employees. They
also apply to contractors, vendors, private organizations and citizens that are
provided account access to the agency network and computer systems regardless
of how or where they connect to information technology. They also apply to agency
computing devices when connected to non-agency networks. They apply to DEP
automated information systems which access, process, or have custody of data.
DEP 390
Page 2 of 59
March 13, 2012
DEP 390
Page 3 of 59
March 13, 2012
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
Review and update the agency Strategic Information Security Plan (SSP)
and the Information Security Operational Plan (OSP) annually and will
submit an approved SSP and OSP to the State Chief Information Security
Officer.
5.1.10 With approval of the Secretary, the ISM may choose to appoint individuals
from agency offices, divisions and regional offices to be Information
Security Representatives (ISR) for their respective business units. To
ensure information systems under their respective divisions, offices, and
districts meet minimum security requirements, the ISR duties will include,
but are not limited to the following:
(a)
Supporting implementation,
requirements of approved
procedures, and practices.
(b)
(c)
DEP 390
Page 4 of 59
March 13, 2012
5.2
(d)
(e)
(f)
(g)
5.2.1
5.2.3
5.2.4
5.2.5
(a)
(b)
(c)
(d)
(e)
(b)
(c)
DEP 390
Page 5 of 59
March 13, 2012
5.2.6
5.3
(d)
(e)
(b)
5.3.1
5.3.2
Before any 3rd party device is connected to the agency network, nonagency entities must execute a network connection agreement stating
that the device has been recently scanned for viruses, malware and
spyware, has current anti-virus protection, and the operating system is at
appropriate patch level.
5.3.3
DEP 390
Page 6 of 59
March 13, 2012
During employment, to ensure that employees, contractors and third party users
are aware of information security threats and concerns and their responsibilities
and liabilities, an adequate level of awareness, education and training will be
provided to all users of DEP IT resources to help minimize possible security risks.
Upon termination, this policy is in place to ensure the employees, contractors, and
third party users exit from the agency or change in responsibilities is managed and
that return of all equipment and the removal of all access rights are completed.
Control:
Human Resources are responsible for providing accurate job descriptions and
security responsibilities shall be addressed in the terms and conditions of
employment. All candidates for employment will be adequately screened, especially
for positions of trust. Furthermore, management will require employees,
contractors and other users, to apply security in accordance with established
policies and procedures of the agency.
Scope:
This Human Resource Security Policy applies to all employees, contractors and
anyone using agency IT resources.
Policy:
6.0
Prior to Employment
DEP 390
Page 7 of 59
March 13, 2012
6.1.1
6.1.2
6.1.3
6.2
During Employment
6.2.1
6.2.2
6.3
6.3.1
6.3.2
6.3.4
DEP 390
Page 8 of 59
March 13, 2012
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.4
6.4.1
6.4.2
Personal use shall not interfere with the normal performance of a workers
duties.
6.4.3
6.4.4
Employees will refer to DEP Ethics Directive 202 regarding the use of IT
resources for profit or political activities.
6.4.5
6.4.6
DEP 390
Page 9 of 59
March 13, 2012
6.4.7
6.4.8
6.4.9
All users are expected to conduct themselves with the highest integrity in
Internet communications. Use of the Internet is subject to monitoring by
security and upper management. Use of the Internet is permitted as long
as:
(a)
(b)
(c)
(d)
(e)
6.5
Termination of Employment
6.5.1
6.5.2
DEP 390
Page 10 of 59
March 13, 2012
DEP 390
Page 11 of 59
March 13, 2012
7.1.1
7.1.2
7.1.3
DEP 390
Page 12 of 59
March 13, 2012
7.1.4
7.1.5
7.1.6
7.1.7
7.1.8
7.1.9
DEP 390
Page 13 of 59
March 13, 2012
7.2
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
DEP 390
Page 14 of 59
March 13, 2012
7.2.6
7.2.7
7.2.8
DEP 390
Page 15 of 59
March 13, 2012
Policy:
8.0
8.1.1
DEP 390
Page 16 of 59
March 13, 2012
8.1.2
8.1.3
Physical controls shall be appropriate for the size and criticality of the
information technology resources.
8.1.4
8.1.5
Access to the computer data centers, server rooms, and closets housing
network infrastructure equipment will be restricted to those responsible
for maintaining these operations or related equipment. Visitors shall be
recorded and supervised where appropriate. The System Administrator is
responsible for determining which vendor maintenance/service personnel
may be allowed to work without staff escort.
8.1.6
8.1.7
8.1.8
8.1.9
8.2
8.2.1
Equipment Security
Hardware and peripheral devices must be kept safe from physical harm
including accidental damage, theft, abuse, or loss. The facility and
physical location of DEP IT resources (hardware and other physical
DEP 390
Page 17 of 59
March 13, 2012
8.2.3
8.2.4
Electrical, data, and voice network wiring must be planned and installed
under the supervision of authorizes individuals. Other personnel may not
alter, move or remove existing wiring.
8.2.5
8.2.6
DEP 390
Page 18 of 59
March 13, 2012
9.1.1
9.1.2
DEP 390
Page 19 of 59
March 13, 2012
9.1.4
9.1.5
9.1.6
9.1.7
9.1.8
9.1.9
DEP 390
Page 20 of 59
March 13, 2012
9.2
9.2.1
9.2.2
9.2.3
Users will be held accountable and responsible for activities that occur
under their assigned user ID.
9.2.4
9.2.5
9.2.6
Data Owner will review access rights every 6 months based on risk,
access account change activity, and error rate.
9.2.7
DEP 390
Page 21 of 59
March 13, 2012
9.2.8
9.3
9.3.1
A computer user access to the network will have a unique user account ID
and password.
9.3.2
Procedures)
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
Where systems have the capability, IT resources will record all login and
logout attempts.
9.3.8
Personnel must logout, sign out, or lock out access to their workstations
for all IT resources when leaving there work area or going off shift.
9.4
Passwords
9.4.1
9.4.2
DEP 390
Page 22 of 59
March 13, 2012
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
Passwords will not be stored in readable form (clear text) in batch files,
automatic login scripts, software macros, or terminal function keys, nor
sent unencrypted in email messages.
9.4.8
9.4.9
Passwords must be strong and complex in design and will have these
minimum characteristics:
(a)
(b)
Contain both upper and lower case letters and include numbers
and\or special characters (e.g., 0-9!@#$%^&*(){}[] :;<>?,./).
(c)
9.4.10 Passwords for IT resources will be set to expire every 90 days. However,
Administrators and Information Security may schedule password changes
more frequently.
9.4.11 Passwords will not be reused within a two year period.
9.4.12 Privileged user IDs and passwords are not to be hard coded or saved in
scripts, login procedures or databases. These login procedures must
DEP 390
Page 23 of 59
March 13, 2012
9.5
Service Accounts
9.5.1
9.5.2
9.5.3
9.5.4
9.5.5
9.6
9.6.1
DEP 390
Page 24 of 59
March 13, 2012
9.6.2
9.6.3
9.6.4
9.6.5
Mobile computing devices shall be issued to and used only by agencyauthorized users.
9.6.6
9.6.7
9.6.8
9.6.9
9.6.10 All remote access connection will pass though a firewall or Remote Access
Server (RAS) and require user authentication before reaching a login
prompt or banner.
9.6.11 Confidential information transmitted over the Internet must be encrypted.
DEP 390
Page 25 of 59
March 13, 2012
DEP 390
Page 26 of 59
March 13, 2012
cannot disable them. Externally supplied software media may not be used
on any computer running a Windows or Linux\Unix operating system
unless it has been virus scanned. Furthermore, personnel may not
intentionally write, generate, compile, copy, collect, propagate, execute,
or attempt to introduce computer code designed to self-replicate, damage,
or otherwise hinder the performance of or access any IT resource. (Please
see Virus Protection Services documentation for more information)
10.1.2 Installed computer operating system and application hot fixes, service
releases, and patches shall be installed on applicable computer systems in
a timely manner in accordance with agency patch management
guidelines. The status of these maintenance updates shall be maintained
to facilitate the task of ensuring required updates are completed for all
applicable systems within the designated timeframe. The National
Institute of Standards and Technology (NIST) procedures for Handling
Security Patches, Special Publication 800-40, shall be used as a guide.
10.1.3 The login prompt for IT resources must not reveal specific information
about the agency, the network configuration, or other internal information
until the user has successfully logged in.
10.1.4 In the case of login failure, the user must not be given any specific
feedback indicating the source or type of failure, but instead just be
informed that the process has failed.
10.1.5 Except in designated test environments, Tier 2 Service Desk support is
responsible for the installation, download, or upgrade of all operating
systems and application software on DEP IT resources.
10.1.6 The application development, test, and production infrastructure must be
physically or logically separated.
10.1.7 Information technology resources shall be validated as conforming to
agency standard configurations prior to production implementation.
10.1.8 Production confidential data shall not be used for testing or development.
Copies of production data will not be used for testing unless the data has
been desensitized or unless all personnel involved in testing are otherwise
authorized access to the data.
DEP 390
Page 27 of 59
March 13, 2012
10.2
10.2.1 Computer users will not disable, alter, or circumvent agency workstation
security measures.
DEP 390
Page 28 of 59
March 13, 2012
10.2.2 No privately-owned devices (e.g., MP3 players, USB storage device of any
size, printers) shall be connected to state-owned information technology
resources without documented agency authorization.
10.2.3 Firewall and router configuration standards must be established and
include a current and complete network diagram with IP addresses and
subnet masks.
10.2.4 Where possible, hardware firewalls will be preferred to software firewalls
for connections. If a software firewall must be used, the host on which it
runs must be hardened.
10.2.5 All connections of the internal network to external networks must be
under the protection of a firewall. Demilitarized Zone (DMZ) networks
require firewalls to protect their hosts from outside attacks, and their
connections to other internal networks must have firewall protection.
10.2.6 Firewalls will be configured based on the level of risk imposed by the
established connection.
10.2.7 Users must not extend or re-transmit network services in any way. This
means no router, switch, hub, or wireless access point may be connected
to the agency network without OTIS approval.
10.2.8 Clients connected to the agency network shall not be simultaneously
connected to any other network.
10.2.9 Only agency-owned or agency-managed information technology resources
may connect to the agency network; and only agency-owned or agencymanaged mobile storage devices are authorized to store agency data.
10.2.10 Whenever resources are available, a risk assessment will be performed
prior to introducing a new technology or application to the network.
10.2.11 Network access to an application containing critical or confidential data,
and data sharing between applications, will be as authorized by the
application owners and will require user authentication validation.
10.2.12 Owners of information resources served by networks will prescribe
sufficient controls to ensure access to network services, host services, and
their subsystems are restricted to authorized users and uses only. These
controls will selectively limit services based upon: (1) User identification
DEP 390
Page 29 of 59
March 13, 2012
10.3
Exchange of Information
DEP 390
Page 30 of 59
March 13, 2012
(b)
DEP 390
Page 31 of 59
March 13, 2012
10.3.12 Employees shall not use e-mail services to represent, express opinions, or
otherwise make statements on behalf of the Department or any unit of
the agency unless authorized to do so.
10.3.13 Employees shall not use e-mail services for purposes that could
reasonably be expected to cause, directly or indirectly, excessive strain on
any computing resources, or unwarranted or unsolicited interference with
the use of e-mail or e-mail systems by others (e.g., animated email
signatures).
10.3.14 Both the law and DEP policy prohibit the theft or abuse of computing
resources. These prohibitions apply to electronic mail services and include
unauthorized entry, use, transfer, or tampering with the accounts and files
of others, interference with the work of others and with other computing
resources or facilities.
10.3.15 Employees shall not use e-mail services to access, send, store, create or
display inappropriate or illegal content, including sexually suggestive or
explicit material, gambling, profanity, political activities, obscenity,
harassment or discrimination regarding age, race, color, sex, religious
belief, national origin, political opinion or disability.
10.3.16 Employees shall not send mass e-mails unless authorized. This restriction
does not preclude an employee from sending multiple e-mails to a finite
group for official business. Large attachments with graphics, streaming
video, or sound effects are discouraged.
10.3.17 Employees will delete unsolicited e-mails.
10.3.18 Electronic mail is subject to the full range of laws applying to other
communications, including copyright, breach of confidence, defamation,
privacy, contempt of court, harassment, anti-discrimination legislation, the
creation of contractual obligations, and criminal laws.
DEP 390
Page 32 of 59
March 13, 2012
10.4
10.4.1 The minimum requirements for audit logging of all IT resources are:
(a) Login and Logout
(b) Source IP\Workstation Name
(c) Time stamp
10.4.2 OITS will implement procedures to protect the integrity and confidentiality
of audit logs.
10.4.3 OTIS will create, protect, and retain audit records to the extent needed to
enable the monitoring, analysis, investigation, and reporting of unlawful,
unauthorized, or inappropriate information and information technology
resource activity.
10.4.4 The agency ISM, Inspector General (IG), Information Security Specialist or
other specifically authorized personnel shall be granted access to review
audit logs containing accountability details.
10.4.5 OTIS and Information Security reserve the right to audit the use of all IT
resources to ensure compliance with this Security Policy. Auditing of IT
resources may include, but not limited to, inspection of users access
rights, examination of users access logs and electronic monitoring of users
access by approved software tools.
10.4.6 All employee accounts, workspaces and storage areas are subject to
periodic security audits. OTIS and Information Security may review
archived electronic mail, private file directories, hard disk drives, and other
information stored on agency information systems.
10.4.7 Audit activity will be periodic and\or event driven to assure compliance
with internal policies, support the performance of internal investigations,
and assist the management of information systems.
10.4.8 Employees suspected of misuse or violation may have their computer
activity logged for further action.
DEP 390
Page 33 of 59
March 13, 2012
10.4.9 All monitoring will be logged and available to management upon request.
10.4.10 To the extent that systems and software permit, all significant security
related events will be logged. Examples of security related events may
include: User-ID switching during an on-line session, attempts to guess
passwords, privilege escalation, and modification to production application
software, system software or user privileges.
10.4.11 System and security logs containing production IT resource security
events will be retained for at least 3 months on a specified server and
have limited access by only authorized personnel.
10.4.12 A sufficiently complete history of transactions shall be maintained for each
session involving access to critical information to permit an audit of the
system by tracing the activities of individuals through the system.
10.4.13 OTIS and Information Security will establish procedures to ensure regular
review of system activity logs.
10.4.14 ISM or designee shall be provided access to monitor any agency
information technology resources.
10.4.15 Use of information technology resources constitutes consent to monitoring
activities whether or not a warning banner is displayed.
10.4.16 Monitoring, sniffing, and related security activities shall be performed only
by Information Security or designee based on job duties and
responsibilities.
10.4.17 Technology managers shall monitor technology resources to ensure
desired performance and facilitate future capacity-based planning.
10.4.18 OTIS will monitor for unauthorized information technology resources
connected to the agency network. Unauthorized access points connected
to the agency network shall be removed immediately.
DEP 390
Page 34 of 59
March 13, 2012
Application Security
DEP 390
Page 35 of 59
March 13, 2012
DEP 390
Page 36 of 59
March 13, 2012
11.1.11 Technology managers shall restrict and tightly control the use of utility
programs that may be capable of overriding system and application
controls.
11.2
11.2.1 Developers should follow the approved coding standards, which provide
for a consistent code base for developed applications:
(a)
Security
Project
for
web
based
(b)
DEP 390
Page 37 of 59
March 13, 2012
12.1.1 OTIS will develop, document, periodically update, and implement system
security plans for information and information technology resources.
DEP 390
Page 38 of 59
March 13, 2012
(b)
(c)
Agency mobile computing devices shall activate an agencyapproved personal firewall (where technology permits) when
connected to a non-agency network.
(d)
DEP 390
Page 39 of 59
March 13, 2012
12.2
Encryption
DEP 390
Page 40 of 59
March 13, 2012
12.2.4 The use of proprietary encryption algorithms are not allowed for any
purpose, unless reviewed by qualified experts outside of the proprietary
vendor and approved by Information Security.
12.2.5 OTIS will establish procedures to ensure agency cryptographic
implementations are developed and maintained according to federal
guidelines.
12.2.6 Key management processes and procedures for cryptographic keys used
for encryption of confidential data will be fully documented and will cover
key generation, distribution, storage, periodic changes, compromised key
processes, prevention of unauthorized substitution.
12.2.7 Key management processes must be in place and verified prior to
encrypting data at rest (including email messages, data files, hard drives,
data backups).
12.3
12.3.1 Information Security will periodically assess the risk to agency operations
(including mission, functions, image, or reputation), agency assets, and
individuals, resulting from the operation of agency information and
information technology resources and the associated processing, storage,
or transmission of agency information.
12.3.2 Information Security shall implement a documented risk management
program, including risk and vulnerability assessments on information
resources including, but not limited to, applications, operating systems,
and processes and procedures.
12.3.3 OTIS will comply with AEITs Office of Information Security and will
coordinate a comprehensive Security Program assessment to be
conducted every three years.
12.3.4 The ISM shall monitor and document risk mitigation implementation and
submit risk assessment findings to the AEIT Office of Information Security
(OIS).
DEP 390
Page 41 of 59
March 13, 2012
12.3.5 The ISM will ensure that risk mitigation plans to reduce identified risks to
agency information technology resources and data are properly
implemented.
12.3.6 Documentation of the information security risk analysis and risk mitigation
plans is confidential pursuant to Section 282.318, Florida Statutes, except
that such information shall be available to the agency Inspector General,
the Auditor General, and the Agency for Enterprise Information
Technology.
12.3.7 System Administrators, Application Owners and Database Administrators
are responsible for the implementation of security procedures within their
processes to protect agency information from loss, destruction, and
unauthorized or improper modification.
12.3.8 Information Security should ensure that a risk analysis is performed prior
to introducing a new technology and a risk analysis prior to modifying
current technology, systems, or applications.
12.3.9 Information Security will identify and correct gaps in processes and
procedures and information technology resource related to this security
policy and the vulnerabilities created in a timely manner.
12.4
Maintenance
DEP 390
Page 42 of 59
March 13, 2012
DEP 390
Page 43 of 59
March 13, 2012
DEP 390
Page 44 of 59
March 13, 2012
13.1.2 The CSIRT Team will track, document, and report incidents to appropriate
agency officials, and other State and/or law enforcement authorities
according to AEIT OIS guidelines.
13.1.3 The CSIRT membership shall include at least one individual from the
agencys legal, human resources, inspector general, and information
technology areas, as well as the Chief Information Officer and Information
Security Manager.
13.1.4 The CSIRT under the direction of the Chief Information Officer, Inspector
General or Information Security Manager, shall determine the appropriate
response required for each suspected computer security incident.
13.1.5 Information Security must be notified of any suspected or confirmed
computer security incidents, including suspected or confirmed breaches,
within 24 hours of discovery.
13.1.6 Computer security incident documentation is exempt from public
disclosure, pursuant to Section 282.318, Florida Statutes.
13.1.7 The CSIRT shall convene at least once a quarter.
13.1.8 The CSIRT shall provide regular reports to the agency Chief Information
Officer.
13.1.9 Each suspected computer security incident, including findings and
corrective actions, shall be documented and maintained as specified in the
agency computer security incident procedures. The computer security
incident response process will include notification procedures to be
followed for incidents where investigation determines non-encrypted
personal information was, or is reasonably believed to have been,
accessed by an unauthorized person, pursuant to Section 817.5681,
Florida Statutes.
13.1.10 Suspected computer security incidents shall be reported according to the
Employee Computer Incident Reporting procedure.
13.1.11 Agency workers shall report loss of mobile devices immediately to the
appropriate agency personnel.
DEP 390
Page 45 of 59
March 13, 2012
DEP 390
Page 46 of 59
March 13, 2012
14.2
14.2.1 Data and software essential to the continued operation of critical agency
functions shall be mirrored to an off-site location or backed up regularly
with a current copy stored at an off-site location.
14.2.2 To prevent loss of data, agency users shall ensure agency data stored on
workstations or mobile devices is backed up.
14.2.3 The agency shall ensure security controls over backup resources are
appropriate to the criticality and confidentiality of the primary resources.
14.2.4 All sensitive, valuable, or critical information that is resident on DEP
computer systems and networks must be periodically backed up. System
Administrators working with application owners must define which
information should be backed up, the frequency of backups and the
method of backups.
14.2.5 Backup and archival media must be stored on a separate location from
the system being backed up.
DEP 390
Page 47 of 59
March 13, 2012
Compliance Policy
Objective:
Compliance is the policy section that provides the context for the implementation
and adherence of security policies. These policies set the framework and standards
at DEP, and allows for these policies to be monitored by Information Security. If
employees do not follow these policies and do not obtain an authorized exception,
then violations and disciplinary action will occur.
Control:
The Compliance Policy was created to avoid breaches of any criminal or civil law,
statutory, contractual obligation and security requirements; to ensure compliance of
the security policies and standards; and to maximize the effectiveness of these
policies in regards to agency IT resources.
Scope:
The Compliance Policy applies to all employees and contractors and to anyone
using agency IT resources. This policy contains two sections: Compliance and
Exceptions to Security Policy.
Policy:
15.0
Compliance
15.1.1 All employees and contractors must read, understand and comply with
this Information Security Policy.
15.1.2 Employees and contractors failing to comply with agency security policies
and procedures are subject to disciplinary action appropriate to the
violation up to and including termination and/or criminal prosecution.
15.1.3 Employees and contractors are responsible for complying with applicable
State and Federal security rules and laws.
DEP 390
Page 48 of 59
March 13, 2012
15.1.4 Employees and contractors will agree in writing, to comply with agency
acceptable use policies prior to using agency information technology
resources.
15.1.5 Non-compliant employees, discovered in a routine Security Audit, or in the
course of work, may have their access privileges temporarily revoked.
15.2
DEP 390
Page 49 of 59
March 13, 2012
Glossary
Access the ability to acquire, read, write, or delete data or information; make use of
an information technology resource; enter a room or facility.
Access Control the enforcement of specified authorization rules based on user or
system authentication.
Access Point is a station that transmits and receives data (for example, a wireless
access point).
Accountability the principle stating that a specific action is traceable to a unique
individual.
Agency worker see Worker.
Agency-approved software is software that has been reviewed and deemed
acceptable by the agency for use with agency information technology resources.
Agency-managed device a device that is not owned by the agency, but that is
declared by the device owner and accepted by the agency to be compliant with agency
standard configurations.
Anti-malware software is software that detects and removes malicious software from
a computer or network stream.
Application information resources designed to satisfy a specific set of user
requirements.
Application development life cycle (ADLC) is a set of procedures to guide the
development and modification of production application software and data items. A
typical ADLC includes design, development, quality assurance, acceptance testing,
maintenance, and disposal (also known as System Development Life Cycle SDLC).
Application development team is the entire set of people responsible for planning,
designing, developing, installing, and maintaining applications. The roles represented
include project managers, analysts, computer programmers, database administrators,
data administrators, system administrators, network administrators, etc.
DEP 390
Page 50 of 59
March 13, 2012
Application owner the business unit that requested the application be developed
and/or purchased; the individual (usually a manager) from the business unit(s) for
which an application is acquired who has responsibility and authority to make decisions
related to the application, such as requirements, deliverable approvals, access, etc.
Application security review an evaluation of an applications security requirements and
associated controls (planned or implemented) with the goal of determining if controls
are sufficient to minimize risks to the confidentiality, integrity, and availability of the
application, its data, or other information technology resources.
Audit logs documentation of activity within a system incorporating, at a minimum,
date, time, action, and user account associated with the action.
Authentication the process of verifying that a user, process, or device is who or what
it purports to be. Techniques for authentication fall into categories as follows:
(a) Something the user knows, such as a password or PIN;
(b) Something the user has, such as a smartcard or ATM card; and
(c) Something that is part of the user, such as a fingerprint, voice pattern or retinal
scan.
Authorization official or legal permission or approval.
Availability the principle that authorized users have timely and reliable access to
information and information technology resources.
Breach unlawful and/or unauthorized access of computerized data that materially
compromises the security, confidentiality, or integrity of personal information.
Chief Information Officer (CIO) the person appointed by the agency head that
coordinates and manages the agency information technology functions and
responsibilities.
Compensating Control a management, operational, or technical control (i.e.,
safeguard or countermeasure) employed by an organization in lieu of a recommended
security control that provides an equivalent or greater level of protection for an
DEP 390
Page 51 of 59
March 13, 2012
DEP 390
Page 52 of 59
March 13, 2012
network so that external parties only have access to devices in the DMZ rather than the
internal network.
Development infrastructure a technical environment that is used for design,
development, and/or piloting of new technical capabilities or applications. The
development infrastructure is separated logically or physically from the production and
test infrastructures.
Directly connect [to the agency internal network] a device that is joined to and
becomes an extension of the agencys internal network. Dial-up and Virtual Private
Network (VPN) connections to the agency are considered to be directly connected.
Disaster recovery plan see Information Technology Disaster Recovery Plan.
Encryption the reversible process of transforming readable text into unreadable text
(cipher text).
Exempt Information information an agency is not required to disclose under Section
119.07(1), F.S., but which the agency is not necessarily prohibited from disclosing in all
circumstances.
Information owner the manager of the business unit ultimately responsible for the
collection, maintenance, and dissemination of a specific collection of information.
Information security protecting information and information technology resources
from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information Security Manager (ISM) the person designated to administer the agencys
information security program in accordance with Section 282.318, F.S.
Information security program a coherent assembly of plans, project activities, and
supporting resources contained within an administrative framework, to assure adequate
security for agency information and information technology resources.
Information Technology Disaster Recovery Plan (ITDRP) information technology
resources and procedures to ensure the availability of critical resources needed to
support the agency mission in the event of a disaster and to return to normal
operations within an accepted timeframe. The ITDRP takes into account availability
requirements, recovery time frames, recovery procedures, back-up/mirroring details,
systematic and regular testing and training.
DEP 390
Page 53 of 59
March 13, 2012
DEP 390
Page 54 of 59
March 13, 2012
Mobile storage device portable data storage media including external hard drives,
thumb drives, floppy disks, recordable compact discs (CD-R/RW), recordable digital
videodiscs (DVD-R/RW), or tape drives that may be easily attached to and detached
from computing devices.
National Institute of Standards and Technology (NIST) a non-regulatory Federal
agency within the U.S. Commerce Departments Technology Administration.
Need to know the principle that individuals are authorized to access only specific
information needed to accomplish their individual job duties.
Network an interconnected group of information technology devices; a system that
transmits any combination of voice, video and/or data between devices.
Network perimeter the boundary of an agencys information technology infrastructure.
Operational Controls security controls (i.e., safeguards or countermeasures) for an
information system that primarily are implemented and executed by people (as opposed
to systems).
Operational information security plan the agency plan governing the information
security program. In addition to detailing the activities, timelines and deliverables for
the security objectives that, subject to current resources, the agency will implement
during the current fiscal year, the plan includes a progress report for the prior fiscal
year, related costs that cannot be funded from current resources, and a summary of
agency compensating controls.
Owner the manager of the business unit ultimately responsible for an information
technology resource.
Patch management the process for identifying, acquiring, testing, installing, and
verifying software updates, also known as patches.
Peer to peer a communications model that allows the direct sharing of files (audio,
video, data, and software) among computers.
Personal firewall software installed on a computer or device which helps protect that
system against unauthorized incoming or outgoing network traffic.
DEP 390
Page 55 of 59
March 13, 2012
Personal information an individuals first name, first initial and last name, or any
middle name and last name, in combination with any one or more of the following data
elements:
(a) Social Security Number.
(b) Drivers license number or Florida Identification Card number.
(c) Account number, credit card number, or debit card number, in combination
with any required security code, access code, or password that would permit
access to an individuals financial account. Note: as provided in Section
817.5681, F.S., the term personal information does not include publicly
available information that is lawfully made available to the general public from
federal, state, or local government records or widely distributed media.
Privately-owned device a device not purchased with agency funds; a device owned by
a person or other non-agency entity and not configured, maintained, or tracked by the
agency.
Production infrastructure network devices, server hardware, and host operating
systems that comprise an agencys operational or real-time environment.
Public records act refers to Chapter 119, F.S.
Remote access any access to an agencys internal network through a network, device,
or medium that is not controlled by the agency (such as the Internet, public phone line,
wireless carriers, or other external connectivity). A virtual private network client
connection is an example of remote access.
Review a formal or official examination of system records and activities that may be a
separate agency prerogative or a part of a security audit.
Risk the likelihood that a threat will occur and the potential impact of the threat.
Risk analysis a process that systematically identifies valuable data, information, and
information technology system resources and threats to those resources, quantifies loss
exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence,
and recommends how to allocate resources to countermeasures so as to minimize total
exposure. The analysis lists risks in order of cost and criticality, thereby determining
DEP 390
Page 56 of 59
March 13, 2012
where countermeasures should be applied first. (To be used interchangeably with risk
assessment.)
Risk management the ongoing process of risk analysis and subsequent decisions and
actions to accept risk or to reduce vulnerabilities by either mitigating the risks or
applying cost effective controls.
Security controls the management, operational, and technical controls (i.e.,
safeguards or countermeasures) prescribed to protect the confidentiality, integrity, and
availability of information technology resources.
Security incident any action or activity, whether accidental or deliberate, that
compromises the confidentiality, integrity, or availability of agency data or information
technology resources.
Security review an examination of system records and activities to determine the
adequacy of system controls to ensure compliance with established security policy and
operational procedures, detect breaches in security, and recommend any indicated
changes in any of the foregoing.
Separation of duties the concept of having more than one person required to
complete a task. This is a way to ensure that no one individual has the ability to control
all critical stages of a process.
Service account an account used by a computer process and not by a human (e.g., an
account used by the backup process for file access). Normally service accounts may not
log on to a system.
Session the time during which two devices maintain a connection and are usually
engaged in transferring data or information.
Smart card a pocket-sized card with embedded circuits that can process data. Often
smart cards are used as a form of authentication for single sign-on systems (also known
as integrated circuit card).
Sniffing capturing network data.
Special trust or position of trust positions that, because of the special trust or
responsibility or sensitive location of those positions, require that persons occupying
those positions be subject to a security background check, including fingerprinting, as a
condition of employment, pursuant to Section 110.1127, F.S.
DEP 390
Page 57 of 59
March 13, 2012
DEP 390
Page 58 of 59
March 13, 2012
DEP 390
Page 59 of 59
March 13, 2012
agency, whether or not they are paid by the agency (see User; Worker; Information
Technology Worker). Rulemaking Authority 14.204(7), 282.318(3), 282.318(6) FS. Law