60DD-2.004. Logical and Data Access Controls (Transferred to 71A-2.004)  


Effective on Tuesday, August 10, 2004
(1) Personal Identification, Authentication, and Access.

(a) Standard. Except for public web page information resources, each user of a multiple-user information resource shall be assigned a unique personal identifier or user identification. User identification shall be authenticated before access is granted.

(b) Standard. When a unique personal identifier or user identification has been assigned, that user's access authorization shall be removed when the user's employment is terminated or the user transfers to a position where access to the information resource is no longer required.

(2)(a) Password Controls. Personal passwords are used to authenticate a user's identity and to establish accountability. Access passwords are used to grant access to data and may be used where individual accountability is not required. Federal Information Processing Standards Publication 112 (FIPS PUB 112) (incorporated by reference at subsection 60DD-2.010(2), F.A.C.) specifies basic security criteria in the use of passwords to authenticate personal identity and data access authorization.

(b) Standard. Systems that use passwords shall conform to the federal standard contained in FIPS PUB 112. A current Password Standard Compliance Document that specifies the criteria to be met for the ten factors contained in the standard shall be maintained for all systems which use passwords.

(c) Standard. Agency Heads and Agency Chief Information Officers shall ensure that all personnel (including providers and end users who utilize State of Florida information technology resources) that have a user account on the State of Florida internal network have read and acknowledged a written password policy (or other authentication policy, if applicable) by signing, through a physical or electronic process, a Statement of Understanding. The Statement of Understanding shall indicate that the employee has read the policy and agrees to abide by it as consideration for continued employment with the State of Florida, and that violation of password or other authentication policies may result in dismissal. Agency Heads and Chief Information Officers shall also ensure that information technology professionals enforce the parts of the policy within the scope of their capability, and that periodic compliance audits are performed.

(3) Standard. Authentication Controls. All agency authentication controls shall ensure that information is not accessed by unauthorized persons and that information is not altered by unauthorized persons in a way that is not detectable by authorized users.

(4) Standard. Access to Software and Data. Controls shall ensure that users of information resources cannot access stored software or system control data unless they have been authorized to do so.

(5) Encryption.

(a) Standard. Activities storing or transmitting confidential or exempt information shall require encryption processes approved by the State Technology Office if necessary to ensure that the information remains confidential. Individual users must use State Technology Office approved encryption products and processes for sending an encrypted e-mail, encrypting a desktop work file, protecting a personal private key or digital certificate, or encrypting a saved e-mail. Key escrow and key recovery processes must be in place, and verified, prior to encryption of any confidential or exempt agency data. Federal Information Processing Standard (FIPS) Pub 140-2, May 25, 2001 (http://csrc.nist.gov/cryptval/140-2.htm) is incorporated by reference at subsection 60DD-2.010(3), F.A.C.

(b) Standard. Encryption keys should not be stored on the same electronic storage device as the information that has been encrypted using the keys. Access to encryption keys should be restricted to authorized users and authorized processes using an access control mechanism.

(c) Standard. Remote administration of hardware, software, or applications should be performed over an encrypted communications session consistent with the Florida Information Resource Security Policies and Standards.

Specific Authority 282.102(2), (6), (16) FS. Law Implemented 282.318 FS. History–New 8-10-04.

     
