60DD-2.006. Network Security (Transferred to 71A-2.006)  


Effective on Tuesday, August 10, 2004
Networking, including distributed processing, concerns the transfer of information among users, hosts, servers, applications, voice, video and intermediate facilities. During transfer, data is particularly vulnerable to unintended access or alteration.

(1) Network Controls, General.

(a) Standard. Network resources used in the access of confidential or exempt information shall assume the sensitivity level of that information for the duration of the session. Controls shall be implemented commensurate with the highest risk.

(b) Standard. All network components under state control must be identifiable and restricted to their intended use.

(2)(a) Security at Network Entry and Host Entry. State owned or leased network facilities and host systems are state assets. Their use must be restricted to authorized users and purposes. State employees who have not been assigned a user identification code and means of authenticating their identity to the system are not distinguishable from public users and must not be afforded broader access.

(b) Standard. Owners of information resources served by networks shall prescribe sufficient controls to ensure that access to network services and host services and subsystems is restricted to authorized users and uses only. These controls shall selectively limit services based upon:

1. User identification and authentication (e.g., password); or

2. Designation of other users, including the public where authorized, as a class (e.g., public access through dial-up or public switched networks), for the duration of a session.

(c) Third Party Connections.

1. Agency third party connection agreements shall determine the responsibilities of the third party, including approval authority levels and all terms and conditions of the agreement.

2. All agency third party network connections must meet the requirements of the Florida Information Resource Security Policies and Standards. Blanket access is prohibited. Service provided over third party network connections is limited to services, devices and equipment needed.

(d) Internet connectivity. Internet connectivity is allowable only if the applicable service agreement permits.

(e) Any external individual or entity needing access to the state’s secure network inside state firewalls shall do so through Universal Access Service, Route Transport Service Extranet, Virtual Private Network or Frame Relay Network Extranet.

(f) Audits. Each agency shall audit third party network connections by conducting Security Vulnerability Assessments.

(3)(a) Application-level Security.

(b) Standard. Network access to an application containing confidential or exempt data, and data sharing between applications, shall be as authorized by the application owners and shall require authentication.

(4) Data and File Encryption.

(a) Security through encryption depends upon both of the following:

1. Proper use of an approved encryption methodology; and

2. Only the intended recipients holding the encryption key-variable (key) for that data set or transmission.

(b) Standard. While in transit, information which is confidential, exempt or information which in and of itself is sufficient to authorize disbursement of state funds shall be encrypted if sending stations, receiving stations, terminals, and relay points are not all under positive state control, or if any are operated by or accessible to personnel who have not been authorized access to the information, except under the following conditions:

1. The requirement to transfer such information has been validated and cannot be satisfied with information which has been sanitized; and

2. The agency head, or the designated official if the agency head has delegated authority for risk management decisions, has documented acceptance of the risks of not encrypting the information based on evaluation of the costs of encryption against exposures to all relevant risks.

(c) Standard. For systems employing encryption as required by paragraph 60DD-2.006(4)(b), F.A.C., procedures shall be prescribed for secure handling, distribution, storage, and construction of Data Encryption Standard (DES) key variables used for encryption and decryption. Protection of the key shall be at least as stringent as the protection required for the information encrypted with the key.

(d) Standard. Confidential or exempt data or information shall be encrypted pursuant to the Advanced Encryption Standard or “AES” defined in Federal Information Processing Standard Publication 197, incorporated by reference at subsection 60DD-2.010(5), F.A.C., or the Triple Data Encryption Standard known as “Triple DES” or “3DES”. Legacy systems not supporting the “AES” or “3DES” shall not store confidential or exempt data or information, but may use the federal Data Encryption Standard or “DES” defined in Federal Information Processing Standard Publication, (FIPS PUB 46-3), incorporated by reference at subsection 60DD-2.010(1), F.A.C., for other data or information as necessary.

(e) Standard. A minimum requirement for digital signature verification shall be in accordance with the Federal Information Processing Digital Signature Standard, (FIPS PUB 186-2), incorporated by reference at subsection 60DD-2.010(4), F.A.C.

(5)(a) Remote Access.

(b) Standard. For services other than public access, users of state dial-up services shall be positively and uniquely identifiable and their identity authenticated (e.g., by password) to the network accessed and to the systems being accessed.

(6)(a) Security Alerts.

(b) Standard. The State Technology Office will maintain the capability to monitor the Internet and appropriate global information security resources for any abnormalities or threats present on the Internet, including the detection of backdoors or hardware or software that is intentionally included or inserted in a system for a harmful purpose. Such abnormalities or threats will then be translated into Information Security Alerts and provided to state agencies. In response to each Information Security Alert, agencies shall log corrective actions and implement the recommended remediation actions contained in the Information Security Alerts within the alert’s recommended time frame. Agencies shall notify the State Technology Office in writing when remediation is complete. The State Technology Office shall verify that agencies are implementing the requisite Information Security Alert remediation actions.

(c) Standard. The State Technology Office shall keep a log of all Information Security Alerts sent. The log shall contain tracking information on all formats of alerts issued, and the associated actions taken as reported by each agency. The State Technology Office shall report any non-compliance with Information Security Alerts to applicable agency heads.

(7)(a) Virus Detection and Prevention.

(b) Standard. All State computers and systems must have anti-virus software that provides protection to computer systems and media from computer virus intrusion, provides detection of computer viruses on an infected computer system or media, and provides for recovery from computer virus infection. Anti-virus software shall be installed and scheduled to run at regular intervals. Real-time scanning shall be enabled. The anti-virus software and the virus pattern files must be kept current. Virus-infected computers or systems must be removed from the network until they are verified as virus-free. This rule applies to State of Florida computers that are personal computer (“PC”)-based or utilize PC-file directory sharing, including desktop computers, laptop computers, servers (including domain controllers, proxy, ftp, file and print, etc.), and any PC-based equipment such as firewalls, intrusion detection systems (IDS), gateways, routers, and wireless devices.

(c) Standard. Each State agency is responsible for creating procedures that ensure anti-virus software is run at regular intervals and that computers and systems are verified as virus-free.

(8) Mobile Device Security.

(a) Standard. State agencies shall prepare written policies and procedures for mobile device use incorporating core security measures consistent with the Florida Information Resource Security Policies and Standards. Agencies shall, consistent with the capability of the device and its software, utilize a secure operating system offering secure logon, file level security, and data encryption. Agencies shall enable a strong password for mobile device use consistent with paragraphs 60DD-2.004(2)(a)-(c), F.A.C. Agencies’ mobile devices shall utilize anti-virus software consistent with paragraph 60DD-2.006(7)(b), F.A.C.

(b) Standard. Agencies shall asset tag or engrave laptops, permanently marking (or engraving) the outer case of the laptop with the agency name, address, and phone number or utilizing a metal tamper resistant commercial asset tag.

(c) Standard. Agencies shall register mobile devices with the manufacturer and retain the registration correspondence and any applicable serial numbers in the agency’s records.

(9) Wireless Connectivity.

(a) Wireless security is essential to:

1. Safeguard security of the State’s network systems and data.

2. Prevent interference between different agency implementations and other uses of the Wireless spectrum.

3. Ensure that a baseline level of connection service quality is provided to a diverse user community.

(b) Standard. A site survey shall be conducted prior to wireless implementation that includes identification of security risks and threats.

(c) Standard. If VPN services are used, split tunnel mode shall be disabled when connected to any wireless network.

(d) Standard. Strong mutual user authentication shall be utilized.

(e) Standard. When passing wireless traffic over public networks, strong encryption or State of Florida sanctioned VPNs shall be used.

(f) Standard. The SSID name shall be changed from the default and administrative passwords shall be changed every 180 days.

(g) Standard. Security features of the Access Point vendors shall be enabled.

(h) Standard. Access points shall be Wi-Fi compliant pursuant to IEEE Standard 802.11, incorporated by reference at subsection 60DD-2.010(17), F.A.C. Standard 802.11 specifies medium access and physical layer specifications for 1 Mbps and 2 Mbps wireless connectivity between fixed, portable, and moving stations within a local area.

(i) Standard. IP forwarding shall be disabled on all wireless clients.

(j) Standard. Master keys shall be changed annually, and key rotation schemes shall be changed at least once every 15 minutes.

(k) Standard. Theft or loss of a wireless-enabled device shall be reported to the agency Information Security Manager in order to retire the device’s credentials.

(l) Standard. Wireless devices shall not be connected simultaneously to another wired or wireless network other than standard utilization of a commercial carrier signal.

(m) Standard. Wireless devices shall be password protected and must automatically time out in 15 minutes or less.

(n) Standard. On wireless devices that have personal firewall and anti-virus capability, those features shall be enabled.

(10) Web Servers and Network Servers.

(a) Security of Web Servers providing Public Internet access is essential to address:

1. Proper configuration and operation of the host servers to prevent inadvertent disclosure or alteration of confidential or exempt information.

2. Preventing compromise of the host server.

3. Users unable to access the Web site due to a denial of service.

(b) Standard. Agencies shall secure network and public web servers consistent with the Carnegie Mellon Software Engineering Institute’s Security Improvement Module, “Securing Network Servers” incorporated by reference at subsection 60DD-2.010(19), F.A.C., and NIST Guidelines on Securing Public Web Servers, Special Publication 800-44, incorporated by reference at subsection 60DD-2.010(10), F.A.C.

(c) Standard. Network Servers housed in the State Technology Office, Shared Resource Center shall be subject to a Security Vulnerability Assessment prior to connection to the State Technology Internal Network.

(11) Electronic Mail Security. Standard. Agencies shall utilize NIST Guidelines on Electronic Mail Security, Special Publication 800-45, incorporated by reference at subsection 60DD-2.006(11), F.A.C., as a standard for electronic mail security.

(12) Firewalls. Standard. Agencies shall utilize NIST Guidelines on Firewalls and Firewall Policy, Special Publication 800-41, incorporated by reference at subsection 60DD-2.010(9), F.A.C., as a standard for firewalls.

(13) Patching of Network Servers, Workstations and Mobile Devices. Standard. Agencies shall utilize NIST Procedures for Handling Security Patches, Special Publication 800-40, incorporated by reference at subsection 60DD-2.010(8), F.A.C., as a standard for patching of network servers, workstations and mobile devices.

Specific Authority 282.102(2), (6), (16) FS. Law Implemented 282.318 FS. History–New 8-10-04.
