UtahFutures.org Security Notice

DTS POLICY 5000-0002 ENTERPRISE INFORMATION SECURITY POLICY: Authority: UCA 63F-1-103; UCA 63F-1-206; Utah Administrative Code R895-7 Acceptable Use of Information Technology Resources

2.1 Purpose

This policy provides the foundation for the State of Utah, Department of Technology Services enterprise security policy.

2.1.1 Background
This policy was developed in response to a comprehensive external audit involving all executive branch agencies and the enterprise network. The audit revealed security deficiencies not properly addressed in previous policy and standards documents. The Enterprise Information Security Policy will develop and establish essential and proper controls to minimize security risk; to meet due diligence requirements pursuant to applicable state and federal regulations; to enforce contractual obligations; and to protect the State's electronic information and information technology assets.

2.1.2 Scope
This policy applies to all agencies and administrative subunits of state government as defined by UCA §63F-1-102(7), et seq.

2.1.3 Exceptions
The Chief Information Officer, or authorized designee, may acknowledge that under rare circumstances, some associates may need to employ systems that are not compliant with these policy objectives. The Chief Information Officer, or authorized designee, must approve in writing all such instances.

2.2 Definitions

Agency Policies
Departments and agencies under the State of Utah have the authority to establish internal policies related to information security objectives specific to the department or agency. Agency policies must be compatible with enterprise security policy, as well as federal and state statutory regulations.

Confidentiality
The property that data and protected information are not disclosed to unauthorized individuals, processes, or systems. Confidentiality is one of the three objectives of the information security triad: confidentiality, integrity, and availability.

Encryption
Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called "decryption", which is a transformation that restores encrypted data to its original state.

NIST
National Institute of Standards and Technology

Risk Assessment
A process by which risks are identified and the impact of those risks determined. Additionally, a process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place.

2.3 Policy

2.3.1 Media Protection
Summary: Information systems capture, process, and store information using a wide variety of media. This information is located not only on the intended storage media but also on devices used to create, process, or transmit this information. This media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information created, processed, and stored by an information system throughout its life (from inception through disposal) is a primary concern of a media protection strategy.

Purpose: The State of Utah is required by federal and state regulatory statute to provide reasonable assurance, in proportion to the confidentiality of the data, that all digital and paper media containing information assets are protected at all times from unauthorized access.

Policy Objectives: State of Utah, Departments and Agencies must: protect information system media, both paper and digital; limit access to information on information system media to authorized users; and sanitize or destroy information system media before disposal or release for reuse, consistent with National Institute of Standards and Technology Special Publication 800-53 Rev. 3, Media Protection controls MP-1 through MP-6 (Appendix F, page F-71), and Special Publication 800-88 (Guidelines for Media Sanitization).

Employees should only use State-owned encrypted media when downloading State data containing PI, PHI, FTI, or CJIS, or any other sensitive data to a removable media device such as, but not limited to, USB drives, tapes, CDs, and DVDs.

2.4 Policy Compliance

State of Utah, Departments and Agencies, employees, and contractors are expected to comply with this enterprise security policy. Additional policies and standards developed and implemented by State Departments and Agencies may include additional objectives or detail, but they must be compatible with the security objectives described in this policy document.

2.5 Enforcement

Individuals working in any State of Utah Department or Agency found to have violated this policy may be subject to legal penalties as may be prescribed by state and/or federal statute, rule, and/or regulation.

Security

The State of Utah and UtahFutures.org take Internet security very seriously. Our technology and policies are designed to make your online transactions safe, private, and secure. Rigorous policies and procedures are utilized to safeguard your personal information. Internal security groups as well as third party security assessors scan UtahFutures.org servers and the various online services regularly. UtahFutures.org is routinely monitored for threats and appropriate precautions are taken to mitigate known threats.

We encourage all UtahFutures users to use strong, unique passwords and change them regularly to minimize risk (current NIST guidance, SP 800-63B, places more weight on password length and uniqueness, and on changing a password promptly when compromise is suspected, than on scheduled rotation). The following security measures have been taken to protect your private information:

SSL (Secure Sockets Layer) Encryption - This enables the encryption of sensitive information during an online session, so that data sent over the session cannot be read as plaintext by anyone who intercepts it. Note that TLS is the successor to SSL; SSL 2.0 and 3.0 are deprecated (RFC 6176, RFC 7568) and should be disabled on the server in favor of current TLS versions.
Secure Internal Networks - Data transferred between databases is done using a secure protocol. For example, in many cases encrypted file transfer (SFTP or FTPS; plain FTP sends credentials and data in the clear and does not prevent interception) or Virtual Private Networks (VPN) are utilized to ensure that only authorized users can access the network and that data in transit cannot be read by a third party.
Physical Location Security - All physical locations where hardware and software are located are physically secured and only accessible by individuals with proper credentials.
Application Security - Software tools are employed to scan for individual application vulnerabilities.