Network Security Policy and Procedures

Version: 2.2
Date Issued (revised):  December 9, 2019
Date Effective: immediately
Supercedes: Version 2.1
Reason for Change: Eliminated all references to the Department of Information Technology (DOIT).

Purpose

The Office of Policy and Management (OPM) has established this policy and reporting requirements, and associated standards to assure that critical information is protected and data flow is not interrupted by unauthorized access.

Policy Statements

The following policy statements are abstracted from the official State of Connecticut Network Security Policy.

  1. All information traveling over state computer networks that has not been specifically identified as the property of other parties will be treated as though it is a state asset. If there is no primary agency designated to administer this information, the Department of Administrative Services, Bureau of Enterprise Systems and Technology (DAS-BEST) will become the steward of this data until another agency is designated. It is the policy of the State to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information.
  2. In addition, it is the policy of the State to protect information belonging to third parties--that has been entrusted to the State in confidence--in the same manner as private sector trade secrets as well as in accordance with applicable contracts.
  3. All computers permanently or intermittently connected to State of Connecticut networks, and all DAS-BEST computers that intermittently or continuously connect to an internal or external network must employ password-based access controls.   All users must be positively identified prior to being able to use any multi-user computer or communications system resources.
  4. The computer and communications system privileges of all users, systems, and independently operating programs (such as "agents") must be restricted based on the need-to-know.
  5. Participation in external networks as a provider of services that external parties rely on is expressly prohibited unless the Agency System Administrator has identified, in writing, the security risk involved and submitted those risks to DAS-BEST and the Chief Information Officer (CIO) has expressly accepted these and other risks associated with the proposal.
  6. Any modification in existing Network/Systems configurations, that is in contrast to the Statewide Security policy must be submitted for approval to DAS-BEST.
  7. Each agency that has existing dial-up lines/modems today must submit a request for consideration of approval to DAS-BEST.
  8. Wireless communications, or other broadcast technologies, must not be used for data transmission containing State "confidential" or "restricted" data unless the connection is encrypted and has an acceptable level user authentication.
  9. Third party vendors must NOT be given dial-up privileges to State computers and/or networks unless the involved system administrator determines that they have a bone fide need. These privileges must be enabled only for the time period required to accomplish the approved tasks (such as remote maintenance).
  10. All users wishing to use the State internal networks, or multi-user systems that are connected to the State internal networks, must sign a compliance statement prior to being issued a user-ID.
  11. Confidential or restricted data in unencrypted format is prohibited on State mobile computing and storage devices. Please see the State Policy on mobile computing and storage devices for additional guidance and requirements.

 

Agency Planning and Reporting Responsibilities

Planning

  1. Each State agency will develop it’s own network security policy. The agency security policy will address:
    1. System Access Control which includes how to choose passwords, how to set-up passwords and log-in/log-off procedures,
    2. System Privileges; limiting system access, process for granting system privileges and the process for revoking system privileges and Establishment of Access Paths;
    3. Computer Network Changes; conditions for participation in external networks, policy for initiating sessions via dial-up lines, establishing wireless communications and discussion of computer viruses, worms, and Trojan horses.
  2. Each agency, must determine what agency information is confidential or restricted
  3. The agency network security policy will be incorporated in the agency's Information Technology plan and architecture document.

Reporting

  1. Any modification in existing Network/Systems configurations, that is in contrast to the Statewide Security policy must be submitted for approval to DAS-BEST.
  2. Any agency that has its own Internet connection today or will have in the future, must submit the following information to DAS-BEST:
    1. Name of the Internet Provider and line speed of the circuit
    2. Model and type of Firewall hardware and software.
    3. Port numbers that are opened in the Firewall.

Compliance

  1. Each agency must submit it's own Network Security Policy to DAS-BEST for review and approval.
  2. Each State Agency must have a designated information security liaison. The name, telephone number and email address of the individual or individuals must be sent to DAS-BEST.  This information must come from the Commissioner or IT Manager level.

Any modification in existing Network/Systems configurations, that is in contrast to the Statewide Security policy must be submitted for approval to DAS-BEST.

Scope

This policy applies to the following entities: any State of Connecticut agency, institution, office, department, commission, council or instrumentality that utilizes State owned and maintained data networks in the conduct of its business.

Definitions

State Agency
For the purposes of this policy, the term State Agency refers to any State of Connecticut agency, institution, office, department, commission, council or instrumentality.

Compliant
For the purposes of this policy, an agency's network security policy will be considered compliant when it meets the criteria defined in, and/or performs as described in, the State Network Security Policy.