Department of Technology Services

1
Department of Technology Services

• Security Architecture

2
Requirements

• All non-essential services (not required for
  application functionality and operational
  monitoring) must be turned off.
• All servers must have an unrestricted
  connectivity from operational monitoring and
  security devices.
• All operating system level access must use an
  encrypted protocol.
• Test/Development servers must be separate from
  production server.

3
Requirements (cont.)

• All servers must have a clean vulnerability scan
  report or vulnerability mitigation prior to being
  placed into production.
• OS and Applications must have the capability to
  do password security enforcement.
• It is recommended that applications be segmented
  into an n-tier model separating at a minimum the
  Presentation, Application/Business Logic and
  Database layers.

4
Requirements (cont.)

• All systems shall allow for periodic system
  security reviews that provide assurance that
  management, operations, personnel, and technical
  controls are functioning effectively and
  providing adequate levels of protection.
• The reviews may include technical tools and
  security procedures such as virus scanners,
  vulnerability assessment products and penetration
  testing.

5
Data Classification

• Critical IT Infrastructure devices (routers, DNS
  servers, etc.)
• Confidential Confidential, sensitive or personal
  data as designated by the customer. As custodians
  this is the default classification unless
  clarified by the customer.
• Private Data essential to the on-going operation
  of the organization and its subsidiaries.
• Restricted Data that is intended for internal
  use within an organization.
• Public Public records data.

6
Device Network LocationBased on Data
Classification

• Critical Server must reside behind a firewall
  with IP and port specific access controls.
• Confidential Must reside on the inside network
  or tiered firewall.
• Private Must reside on the inside network or
  tiered firewall.
• Restricted Must reside on the inside network
  or tiered firewall.
• Public Must reside in the DMZ network.

7
Security Questions

• The following ten questions are used as a
  guideline by DTS Security Management Division
  when evaluating new projects.
• A Yes response to any question would result in
  further examination or explanation of the topic
  area because of the potential increased risk.

8
Security Questions

1. Is the project requesting exemption from or
   modification to established information security
   policies or standards?
2. Does this project cut across multiple lines of
   business in a new or unique manner for which no
   approved security requirements, templates or
   design models exist?
3. Does this project have privacy implications
   because of the use of customer or internal
   personal information?

9
Security Questions (cont.)

1. Does this project include applications and
   information with regulatory compliance
   significance (or other contractual conditions
   that must be formally complied with) in a new or
   unique manner for which no approved security
   requirements, templates or design models exist?
2. Is the project being run on an emergency or
   expedited delivery schedule?

10
Security Questions (cont.)

1. Is there new technology involved, never before
   used by the agency?
2. Does this project include third-party service
   providers conducting business on behalf of the
   organization, trading partners, clearinghouses,
   and so on?
3. Will this project involve a major change to the
   network infrastructure?

11
Security Questions (cont.)

1. Will there be a need to modify established
   identity and access management processes and
   infrastructure, for example, new roles, new
   approvals, and so on?
2. Will this project have an impact on current
   business continuity, disaster recovery processes
   and/or infrastructure?