The Department of Human Services' (DHS) technical resources and information are available to all authorized users regardless of location and platform. This being the case, DHS provides security in such a manner that DHS's information infrastructure is protected and accessible while, at the same time, its functionality is unimpeded and its business services are always readily available. With the continued development of uniform security standards and policies, DHS continues to meet these goals.
Policy
- Commonwealth Auditing and Monitoring — Ensuring administrators do not misuse their authority (Management Directive 245.18)
- Commonwealth Enterprise Network Security Policy
- Commonwealth Information Technology Acceptable Use Policy (Management Directive 205.34)
- Commonwealth Mobile Device Security Policy (ITP-035 Mobile Device Security Policy)
- Cryptology Policy
- DHS Information Security and Privacy Policies
- DHS IT Security Incident Reporting
- Configuration Management Policy
- Incident Reporting and Response Policy
- Information Privacy Policy
- Maintenance Personnel and Vendor Access
- Media Protection Policy
- Network Security Policy
- Physical and Environmental Security Policy
- Role Lifecycle Management
- Security Audit Logging Policy
- Security Awareness Training Policy
- System and Information Integrity Policy
- System Maintenance Policy
- User Identity and Access Management Policy
Standards
Procedures
Security Standards & Policies
Management Practices
Specifies the principles set in place regarding security organization. Standards in this area involve the layout of DHS' security organizational structure, the importance of security from all aspects of one's work, and other security-specific techniques for DHS employees.
Organizational Structure
Defines DHS' hierarchy of security personnel.
- Policy
- Commonwealth Enterprise Network Security Policy — Defines the roles and responsibilities of Commonwealth information systems users.
- Standards
- Commonwealth Desktop and Laptop Technology Standards (Information Technology Bulletin ITB-PLT001) — Identifies the software and hardware that will be supported and provides desktop policy standards regarding best practices for support team members as well as end-users.
Security Awareness
Throughout DHS are banners, bulletins, and advertisements that promote security awareness. This is a way for DHS to educate its employees about the importance of keeping sensitive information (passwords, login IDs, confidential business information) secure. This section details the procedures and guidelines surrounding the security awareness training methods.
- Policy
- Commonwealth Enterprise Network Security Policy - Defines the roles and responsibilities of Commonwealth information system users.
OA/OIT Security Policies
The Governor's Office of Administration/Office of Information Technologies (OA/OIT) has security standards and procedures in place for all Commonwealth agencies. Users may view the entire list of Commonwealth Information Technology Bulletins or Management Directives:
- Information Technology Bulletins (ITBs)
- Management Directives
- Policy
- Commonwealth — Information Security Officer Policy (Information Technology Bulletin ITB-SEC016)
- Security & Digital Certificate Policy and Encryption & Internet Browser Standards for e-Government Web Sites & Applications (ITB B.5) — Commonwealth standards and policy for e-Government Web Sites and applications.
- Commonwealth Policy for Minimum Contractor Employee Background Checks (ITB-SEC009)
- Commonwealth Security Information and Event Management Policy (ITB-SEC021)
- Commonwealth Security Assessment and Testing Policy (ITB-SEC023)
- Management Directive
- Electronic Commerce Initiative and Security (Management Directive 210.12) — Commonwealth-wide policy, responsibilities, and procedures for the implementation of the Electronic Transaction Act (Act 69 of 1999)
- Standards
- Commonwealth Security and Digital Certificate Policy (ITB B.5) — Security assessment and associated levels of authentication, authorization, non-repudiation, and so forth.
- Guidelines
- Electronic Commerce Interface Guidelines (ITB B.2) — Guidelines for development and implementation of electronic commerce technologies that facilitate enterprise-wide interoperability and standardization.
Cryptography
The practice of creating and using a cryptosystem, or cipher, to prevent all but the intended recipient(s) from reading or using the information or application encrypted. A cryptosystem is a technique used to encode a message. The recipient can view the encrypted message only by decoding it with the correct algorithm. Cryptography is used primarily for communicating sensitive material across computer networks. This section describes the cryptographic techniques deployed at DHS and the standards surrounding the use of encryption while communicating with DHS and DHS' business partners.
- Standards
- DHS n-tier Web Application Configuration Guide — Various standards related to hosting web applications
- Data Encryption Standards
- Encryption Standards for Data at Rest (Information Technology Bulletin ITB-SEC020) — Commonwealth encryption standards for data at rest
- Commonwealth Encryption Standards for Data in Transit (Information Technology Bulletin ITB-SEC031)
Telecommunications and Network Security
Three crucial characteristics of telecommunications and network security are confidentiality, integrity, and availability. Confidentiality is the use of authorization protocols and access codes to assure that only authorized users can access message content. Integrity is the use of message linking between valid source and destination nodes to guarantee messages are complete and unmodified. Availability refers to the use of redundancy, back-ups, and fault tolerance methods to ensure a high level of server and application operability.
Firewalls and Proxies
A firewall is a system designed to prevent unauthorized access to and/or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, Intranet and other agency networks. All messages entering or leaving the protected network must pass through the firewall, which examines each message and blocks those that do not meet specified security criteria.
A proxy is a local server that sits between a client application, such as a web browser, and a web server. The proxy intercepts all requests to the web server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. A proxy server has two primary purposes: to improve performance and to filter requests. It improves performance by caching web pages viewed by network users. A proxy server can filter user requests to restrict access to specific web sites.
- Policy
- Commonwealth – Enterprise Firewall Rule Set (Information Technology Bulletin ITB-SEC034) - Provides a baseline enterprise firewall rule set by identifying the common needs throughout the enterprise.
- Standards
- Outbound Internet Proxy and Content Filtering — Establishes the standard for outbound proxy devices and content filtering software/databases within DHS.
- Enterprise Policy and Software Standards for Agency Firewalls (Information Technology Bulletin ITB-SEC011) - Establishes Enterprise-Wide Firewall Software Standard.
VPN Security
A virtual private network (VPN) is a secure network constructed by using public networks to connect nodes. Typically, VPNs allow two or more secure networks to communicate over untrusted networks such as the Internet by establishing a secure tunnel or "pipeline" through the untrusted network. These systems use encryption and authentication mechanisms to ensure that only authorized users can access the secure tunnel.
- Standards
- Commonwealth Virtual Private Networks Analysis (Information Technology Bulletin ITB-SEC010)
Wireless Security
- Standards
- Wireless LAN Technology (Information Technology Bulletin ITB-NET001) - Detailed overview of Wireless LAN Technologies.
Applications and Systems Security
Computer systems and applications need to deploy adequate levels of security to guard against a variety of possible attacks. Similar to network security, applications and systems security have three crucial characteristics: confidentiality, integrity, and availability. Confidentiality is the use of authorization protocols and access codes so that application and system contents remain secure. Integrity is the use of message linking between valid source and destination nodes to guarantee that application messages are complete and unmodified. Availability refers to the redundancy, back-ups, and fault tolerance methods used to ensure close to 100% operability. When all of these characteristics are present, access to information is private and accurate.
Data Classification
Data Classification refers to the sensitivity of certain information at DHS. Data is classified according to the security needed for it.
- Policy
- Commonwealth Commerce Interface Guidelines (Information Technology Bulletin ITB-B.2)
- Commonwealth Security & Digital Certificate Policy and Encryption & Internet/Intranet Browser Standards for e-Government Web Sites & Applications (Information Technology Bulletin ITB B.5)
- Standards
- Data Classification Standards
- Development of Information Technology - Enterprise Continuity/Recovery plans (Management Directive 245.11) - Data storage and disaster recovery
- Data Exchange Guidelines
Enterprise Platform
Security standards and policies regarding DHS' enterprise computing platforms. The enterprise platform maintains critical applications residing on a large operating environment. DHS uses enterprise servers for multi-user access to a range of applications, from mainframe applications to web applications. The types of operating systems supported on the enterprise platform include Unisys OS 2200, Sun Solaris, and Microsoft Windows 2000.
- Policy
- Commonwealth Enterprise Security Policy — Detailed overview and reference for Commonwealth security policies.
- Establishing Alternate Processing Sites for Commonwealth Agencies (Information Technology Bulletin ITB SYM004) — Commonwealth policy for establishing alternate processing sites for essential Commonwealth facilities and assets.
- Standards
- Development of Information Technology - Enterprise Continuity/Recovery Plans (Management Directive 245.11) - Data storage and disaster recovery
- Guidelines
Desktop
Security standards and policies for DHS' desktop computing platforms. The desktop platform is specifically engineered for client applications running on desktop operating systems, and has adequate hardware to support one user. The "end-user" typically operates on a client, or desktop, platform when performing any type of computer related work. The current desktop platform at DHS uses Microsoft's Windows 2000 Professional operating system. This operating system uses multiprocessing, multithreading, and multitasking technology. Windows 2000 uses Windows NT technology for network communication, file system structure, security, and other kernel specific features. For its interface, Windows 2000 uses Windows 95/98 technology.
- Policy
- Desktop and Server Software Patching Policy (Information Technology Bulletin ITB-PLT002) - In an effort to better secure the Commonwealth network and computing infrastructure, all server and desktop platforms are to be kept up-to-date with service packs and security patches.
- Commonwealth of Pennsylvania Data Cleansing Policy (Information Technology Bulletin ITB-SYM009) - Provides information pertaining to the sanitization and/or destruction of leased or state-owned computer system hard drives, removable media and hand-held devices.
- Standards
- Standard for Use of Portable Storage Devices and Media — Provides detailed information regarding the use of portable storage devices and media within DHS.
- Commonwealth Desktop and Laptop Technology Standards (Information Technology Bulletin ITB-PLT001) — Provides information regarding the use of desktop technology by Commonwealth agencies.
Web
Standards and policies pertaining to web security at DHS. Such standards involve several security techniques regarding user access and interaction with the web, Commonwealth Internet Access, e-mail communication, web development, etc.
- Policy
- Commonwealth External Web Site Linking Policy (Information Technology Bulletin ITB APP007) - Commonwealth agencies, boards and commissions under the Governor’s jurisdiction are to establish a policy for including links to external (non-Commonwealth) Web sites.
- Standards
- Commonwealth Internet Access (Management Directive 205.29) - General directives regarding acceptable use of Internet access and e-mail systems. Allows for "limited, occasional, and incidental" personal use of the Internet
- DHS Internet Policy - General policies
Virus Protection
Virus protection utilities are on both servers and desktops throughout DHS and are part of the base image for all Department PCs. Virus protection is also available to employees for home personal computers to ensure a maximum amount of protection when working from home.
- Standards
- Enterprise Host Security Suite Software Standards (Information Technology Bulletin ITB-SEC001) - Standard for use of the Commonwealth's Antivirus agent, Host Intrusion Prevention agent and Patch Management agent
- DHS Enterprise Host Security Suite Software Standards
- Policy
- Commonwealth Host Security Software Suite Policies and Standards (Information Technology Bulletin ITB-SEC001) - Standards for use of the Commonwealth’s antivirus agent, host intrusion prevention agent (host-based intrusion prevention system), and patch management agent for all servers, workstations, and laptops connecting to the Commonwealth network, and to define related policy for enterprise host intrusion prevention software for servers at the Office of Administration/Office for Information Technology/Bureau of Infrastructure and Operations/Enterprise Server Farm.
- Guidelines
Physical Security
The physical controls that exist at DHS to restrict access to information resources. The security guards permit access to approved individuals in certain buildings, data centers, and county assistance offices. Certain buildings have restricted areas (Willow Oak Data Center). Such locations are locked and are protected by security card readers, which require a higher level of security clearance. Persons requiring access to tape libraries, server rooms, and other secure areas must also have additional security clearance.
- Policy
- Off-Site Storage for Commonwealth Agencies (Information Technology Bulletin ITB-SYM003) - Establishes Commonwealth policy for the implementation of an Enterprise Continuity of Government Plan that ensures the storage of vital records in off-site facilities in the event of an emergency.
- Policy for Establishing Alternate Processing Sites for Commonwealth Agencies (Information Technology Bulletin ITB-SYM004) - Policy for establishing alternate processing sites for essential Commonwealth facilities and assets.
- Security for Commonwealth Owned Building Personnel and Visitors (General Order 4.1) - Establishes policies and procedures for protecting the security of Commonwealth owned/controlled buildings and property within the jurisdiction of the Pennsylvania Capitol Police.
- Physical Security Policy for IT Resources (Information Technology Bulletin ITB-SEC029) - Commonwealth policy to ensure that IT facilities and resources are protected by physical security measures that prevent physical tampering, damage, theft, or unauthorized physical access.
- Standards
- Vital Records Disaster Planning (Manual 210.8) - Disaster avoidance and recovery planning.
- Willow Oak Building Security
Unified Security
All formal DHS standards and policies regarding the implementation of the Unified Security Solution.
- Procedures
- Guidelines
- Forms
- IT Security Incident Reporting Form
- Commonwealth IT Resources Acceptable Use Policy User Agreement (Management Directive 205.34) - located at end of document
- Guidelines