TEXAS WORKFORCE COMMISSION

Enterprise Information Security Program

Author: Alicia Stokes

It is the policy of the Texas Workforce Commission that the Commission and its employees will protect the Information Resources (IR) of the Commission in accordance with the Texas Administrative Code (TAC), Title 1, Part 10, Chapter 202 Information Security Standards and the Information Resources Management Act (Texas Government Code Chapter 2054). The Commission will also protect the IR of the Commission in accordance with other applicable state and federal laws.

Version 1.0 02-06-2007

Information Security Program Purpose

The Information Security Program (ISP) is established to provide a consolidated security environment and set of requirements for the Information Technology (IT) systems and resources currently owned, or acquired in the future, under the ownership or direct authority of the Texas Workforce Commission. In addition, through the ISP, specific responsibilities and behaviors are identified and expected of all users of TWC’s IT systems and resources. The ISP identifies, establishes and documents security controls that support the authorization of this ISP and supplement compliance with state and federal policies, assessment reporting and audit responses. As such, the ISP is revised and updated to support deployment of new technologies, to respond to legislative or administrative policy changes, and to address new and developing threats to IT assets.

TWC’s ISP is an enterprise effort designed to protect the organization’s business interests, personnel and the public by ensuring the confidentiality, integrity and availability of information resources and services. To achieve this, four primary areas are focused on: user education and training, information systems accreditation, intrusion protection and detection, and standards, guidelines and procedures. These areas are not all-inclusive, however; all areas of IT security are within the scope of the ISP. By emphasizing the importance of IT security, there will be a significant impact on the effectiveness of IT security within TWC. By standardizing on a consolidated approach to security policies, standards, guidelines and procedures, TWC will simplify IT security management while ensuring appropriate safeguards for IT assets and creating a consistent security environment throughout the TWC enterprise.

Importance

Maintenance of Trust
The public and employers of the State of Texas entrust large amounts of information to TWC on a daily basis. Compliance with simplified and standardized security policies, standards and guidelines will enhance the protection of this information, including the information resources of the State of Texas, and will reinforce the reputation of TWC as an institution deserving of this trust.

Continued Operations
TWC is committed to the delivery of its services through the effective use of technology, information and automation. Compliance with information security standards will ensure the continuous availability and integrity of the technological assets critical to its ability to perform its mission.

Protecting Investments
TWC information resources represent a large financial investment in technologies and in information that cannot be easily replicated. These resources are critical to the mission of TWC and the State and must be protected.

Texas Workforce Commission - Information Security. Enterprise Information Security Program


Compliance

TWC information security policies, standards, guidelines and procedures are designed to ensure the highest levels of compliance with government requirements and best business practices. These include, but are not limited to:

• Texas Administrative Code, Title 1, Part 10, Chapter 202, Information Security Standards
• Title 20, CFR, Sections 603.6 and 603.7, Protection of Confidentiality
• Public Law 100-235, Computer Security Act of 1987
• Federal Information Security Management Act of 2002 (FISMA)
• Best Practices

In addition, particular attention is paid to the recommendations of the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).

Mission

The Texas Workforce Commission is committed to creating and maintaining an environment that protects its information resources from accidental or intentional unauthorized use, modification, disclosure, destruction, or denial of service resulting from internal failure, human error, attack, or natural catastrophe. In order to meet this commitment, information security policies and practices are developed that reflect business and industry best practices, support compliance with applicable rules and laws, and hold executives, managers and all resource users accountable.

Principles

The following principles guide the development and implementation of Texas Workforce Commission information security policies, standards, guidelines and practices.

Information is:
• A critical asset that must be protected, and
• Restricted to authorized personnel for authorized use.

Information security is:
• A cornerstone of maintaining public trust,
• A business issue, not solely a technical issue,
• Risk-based, cost effective, and aligned with business goals and objectives,
• Aligned with TWC priorities, best business practices and compliance requirements,
• Directed by policy but implemented by business owners, and, most importantly,
• Everyone’s business.


Structure

The TWC Enterprise Security Program includes, but is not limited to, the following subprograms:

Information Security Policies, Standards, Guidelines and Procedures. The creation, evaluation, implementation and oversight of computer security policies, standards, guidelines and procedures to support TWC enterprise-wide information security programs that incorporate best business practices.

Information Security Awareness. Management and guidance to ensure that all employees are aware of their security responsibilities and of the secure use of TWC information resources.

Certification and Accreditation. Provide business impact assessments by which the sensitivity and criticality of each resource are determined and the appropriate security requirements are identified. Provide security evaluation and management approval processes to ensure identified information resources are secured at levels appropriate to their criticality and sensitivity designation, based on identified risks. Identify any residual risks prior to any information resource being placed into production and, periodically, over the life of the resource. Identify and implement requirements for periodic testing and evaluation of the effectiveness of protection mechanisms.

Security Architecture. In cooperation with programming, development, operations and other functional area staff, manage and develop the security architecture to ensure the confidentiality, integrity and availability of TWC information resources. Review, evaluate and recommend security technologies for implementation. Make recommendations for the deployment of new security products in a responsible manner.

Security Administration. In consultation with the appropriate functional areas, provide overall policy and management to ensure that system access permissions are appropriate to the job function and are granted or removed in a timely manner.

Network Security. In consultation with the appropriate functional areas, provide overall policy and consulting support for TWC networks. Determine criteria for the evaluation of firewalls; recommend encryption solutions; review servers, business partner connectivity and appropriate public access.

Business Continuity and Contingency Planning. In consultation with the appropriate functional areas, provide policy support for effective planning to assure continued business operations under adverse conditions and situations.

Information Security Incident Management. In cooperation with the appropriate areas of authority, provide policy and consulting support for detecting, responding to, and reporting information security incidents. Receive and track information security incident reports through resolution, escalate serious incidents, and incorporate “lessons learned” into ongoing awareness and training programs. Provide support, as requested, in response to any information security incident.

Compliance. Provide consulting support on industry and government best practices concerning inspections and evaluations, and recommend remedial actions to address any significant deficiencies. Conduct security compliance reviews. Provide audit and other support to all internal and external oversight agencies and authorities.


Persons Affected

Information Resources. This ISP, with its associated policies, standards, guidelines and procedures, applies to all information, in any form, related to Texas Workforce Commission business activities, employees, or customers, that has been created, acquired, or disseminated using the Texas Workforce Commission’s resources, name, or funding. These policies apply to all technologies associated with the creation, collection, processing, storage, transmission, analysis, and disposal of information. These policies, standards, guidelines and procedures also apply to all information systems, applications, products, services, telecommunications networks, and related resources which are sponsored by, operated on behalf of, or developed for the benefit of the Texas Workforce Commission.

Organizations and Personnel. These policies, standards, guidelines and procedures apply to all Texas Workforce Commission components and personnel, which include Texas Workforce Commission employees, Local Workforce Development Boards, contractors, vendors, business partners, and any other authorized users of non-public Texas Workforce Commission information systems, applications, telecommunication networks, data, and related resources.

Responsibilities

The state agency head has ultimate responsibility for all technology functions. These responsibilities, as allowed by the Texas Administrative Code, are delegated, in lieu of other written delegations, to certain agency functional area staff as follows:

Director, Information Technology
The Director, Information Technology, or his designee, is the agency official responsible for developing and maintaining an agency-wide (Enterprise) information security program and has the following responsibilities for system security planning:
• Designates a Chief Information Security Officer who shall carry out the Director’s responsibilities for system security planning,
• Oversees the development and maintenance of information security policies, procedures and controls to address system security planning,
• Oversees the management of identification, implementation and assessment of common security controls,
• Ensures that personnel with significant responsibilities for system security plans are adequately trained, and
• Ensures that sufficient financial resources are available to comply with federal and state regulations.

Director, Data Processing
The Director, Data Processing is the agency official with operational authority for specified information and responsibility for establishing the controls for the generation, collection, processing, dissemination and disposal of that information. The Director, or his designee, has the following responsibilities related to system security plans:
• Establishes rules related to appropriate use and protection of TWC data and/or infrastructure,
• Provides input to systems/data owners related to security requirements and controls,
• Oversees access management, including privileges and rights to data and systems, and
• Oversees the identification and assessment of common security controls.

Chief Information Security Officer
The Chief Information Security Officer (CISO) is the senior agency information security official and is the designee for system security responsibilities for the Director, Information Technology and the Director, Data Processing. The CISO also serves as the primary liaison to Information Owners and Data Custodians. The CISO is responsible for the implementation and oversight of the agency Information Security Program. The CISO has the following responsibilities:
• Carries out the Director, Information Technology’s responsibilities for system security planning,
• Carries out the Director, Data Processing’s responsibilities for system security planning,
• Serves as the Information Security Officer for the agency as required by the Texas Administrative Code,
• Coordinates the development, review, acceptance, implementation and enforcement of system security plans with appropriate staff,
• Coordinates the identification, implementation and assessment of security controls,
• Assists operational/functional area information security staff in the identification, implementation and assessment of security controls, and
• Coordinates the development and maintenance of the agency system security program.

Information (Systems) Owners
The Information (Systems) Owners are defined by the Texas Administrative Code as the persons responsible for a business function and for determining controls and access to the information resources supporting that business function. The Owners are responsible, in cooperation with all appropriate agency staff, for:
• Classifying business functional information,
• Establishing appropriate controls for data classifications,
• Approving access and formally assigning custody of information resources,
• Determining the value of information assets,
• Specifying data control requirements,
• Confirming that controls are in place to ensure the accuracy, authenticity and integrity of data,
• Ensuring compliance with all applicable controls,
• Assigning custody of information resource assets and providing appropriate authority for the implementation of controls and procedures,
• Reviewing all access lists based on documented security risk management decisions, and
• Communicating to the office of the CISO, as appropriate, any discovery of situations and/or events which may have an impact on areas of systems security. This includes, but is not limited to, all potential and/or actual breaches of IT assets, loss of IT assets, and unauthorized access, alteration, theft or disclosure of information resources.

Rules of Behavior

All users of non-public Texas Workforce Commission Information Resources are required to exercise appropriate caution in the use of those resources in order to assure the highest levels of protection to the networks, systems and data held in trust by the Texas Workforce Commission. All users of non-public Texas Workforce Commission Information Resources must sign, and have on file, the appropriate Information Resources Usage Agreement for their user category. The Information Resources Usage Agreement clearly delineates users’ responsibilities and expected behavior when making use of any non-public Texas Workforce Commission Information Resource, and clearly states the consequences of inappropriate behavior or noncompliance with system security policy and procedure. The Information Resources Usage Agreement is made available to all users prior to gaining access to any non-public TWC Information Resource. These rules of behavior are not a complete copy of the security policies, standards and guidelines of TWC; rather, they cover at a high level only those controls and behavioral expectations related to:

• Access and access protection/management
• Copyright protections, approved software, “illegal” installations
• Official vs. unofficial use of state resources/limited personal use
• Expectations of privacy and/or no expectation of privacy
• Individual accountability and responsibility
• Password usage
• Protection of privacy and confidentiality
• Asset protections
• Data protections
• “Clear Screen – Clear Desk” protections

All users of non-public Texas Workforce Commission information resources shall have access to the complete Information Security Program, which includes the most current Program, Policy, Standards and Guidelines documents. The Information Security Program, Policy, and Standards and Guidelines shall be the document(s) of authority in any decision-making process related to the security of TWC Information Resources.