5/18/2006 Department of Technology Services Security Architecture.


Page 1: Title

5/18/2006

Department of Technology Services

Security Architecture

Page 2: Requirements

All non-essential services (not required for application functionality and operational monitoring) must be turned off.

All servers must have unrestricted connectivity from operational monitoring and security devices.

All operating system level access must use an encrypted protocol.

Test/Development servers must be separate from production servers.

Page 3: Requirements (cont.)

All servers must have a clean vulnerability scan report or vulnerability mitigation prior to being placed into production.

OS and applications must have the capability to enforce password security.

It is recommended that applications be segmented into an n-tier model separating, at a minimum, the Presentation, Application/Business Logic and Database layers.

Page 4: Requirements (cont.)

All systems shall allow for periodic system security reviews that provide assurance that management, operations, personnel, and technical controls are functioning effectively and providing adequate levels of protection.

The reviews may include technical tools and security procedures such as virus scanners, vulnerability assessment products and penetration testing.

Page 5: Data Classification

Critical: IT infrastructure devices (routers, DNS servers, etc.)

Confidential: Confidential, sensitive or personal data as designated by the customer. As custodians, this is the default classification unless clarified by the customer.

Private: Data essential to the on-going operation of the organization and its subsidiaries.

Restricted: Data that is intended for internal use within an organization.

Public: Public records data.

Page 6: Device Network Location Based on Data Classification

Critical: Server must reside behind a firewall with IP and port specific access controls.

Confidential: Must reside on the “inside network” or “tiered firewall”.

Private: Must reside on the “inside network” or “tiered firewall”.

Restricted: Must reside on the “inside network” or “tiered firewall”.

Public: Must reside in the “DMZ network”.

Page 7: Security Questions

The following ten questions are used as a guideline by the DTS Security Management Division when evaluating new projects.

A “Yes” response to any question would result in further examination or explanation of the topic area because of the potential increased risk.

Page 8: Security Questions

1. Is the project requesting exemption from or modification to established information security policies or standards?

2. Does this project cut across multiple lines of business in a new or unique manner for which no approved security requirements, templates or design models exist?

3. Does this project have privacy implications because of the use of customer or internal personal information?

Page 9: Security Questions (cont.)

4. Does this project include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist?

5. Is the project being run on an emergency or expedited delivery schedule?

Page 10: Security Questions (cont.)

6. Is there new technology involved, never before used by the agency?

7. Does this project include third-party service providers conducting business on behalf of the organization, trading partners, clearinghouses, and so on?

8. Will this project involve a major change to the network infrastructure?

Page 11: Security Questions (cont.)

9. Will there be a need to modify established identity and access management processes and infrastructure, for example, new roles, new approvals, and so on?

10. Will this project have an impact on current business continuity, disaster recovery processes and/or infrastructure?