State of Oklahoma Information Security Policy
The state of Oklahoma maintains a cybersecurity policy covering information, communications, software, and hardware; all state agencies and their contractors must abide by it.
Oklahoma’s Office of Management and Enterprise Services Information Services
To safeguard the state's information, Oklahoma's Office of Management and Enterprise Services Information Services (OMES IS) instituted minimum security standards, described in the State of Oklahoma Information Security Policy, with which all state agencies and all contractors working with state agencies must comply. Information is defined as "any data or knowledge collected, processed, stored, managed, transferred or disseminated by any method."
Responsibility for the state's information security is divided into three layers:
- OMES IS is the central organization that leads the security effort and provides direction.
- State agencies that host data services are accountable for creating system-specific policies and guidelines tailored to their own information storage and data systems.
- All state agencies are responsible for developing policies and procedures to ensure that information is not lost or misused.
The policy sets minimum standards for the following categories:
- information security and internal controls
- software and hardware acquisition
- hardware requirements and compatibility
- systems development methodology
- systems planning
- operating systems compatibility
- database compatibility
- contingency planning and disaster recovery
All agencies must support frequent compliance reviews to verify that their security procedures and processes adequately reflect the requirements of the state's information security policy.
Major components of the policy are:
- Management of a security program, which requires a Service Level Agreement detailing available hours and response times and mandates that (a) all backups are current and safeguarded according to the other policy standards, (b) all data can be recovered if breached or lost, and (c) sufficient technical support exists for all systems, including databases.
- Incident management, event logging and monitoring, which include:
  - documenting policies and procedures for system failures, loss of service, denial of service, confidentiality and privacy breaches, and other related errors
  - compilation of audit trails
  - root cause analysis
  - remediation plans and their implementation
  - communication to pertinent parties
  - reporting to the necessary internal and external stakeholders
- Risk management that incorporates risk assessment, mitigation, and ongoing evaluation and assessment.
- Personnel and user issues, covering staffing, awareness training, personal computer and email usage, and internet and intranet security.
- Data Center Management
Other sections include:
- Security, confidentiality, content, access, and availability of information.
- Physical and environmental security, including the running of an operations center, operations monitoring, data backup, encryption, access control, network safeguards, e-commerce security, and mobile and remote computing.
- Business continuity, addressing contingency plans, disaster recovery plans, and business recovery strategies.
- Help desk management including support calls, password resets, and voicemail security.
- Legal requirements such as protection of information, privacy of personal information, and software copyrights.
Within the policy document, the state provides guidance on organizing a crisis team, together with an example responsibility grid. It also offers guidance on incident management procedures, including a proposed incident response team structure and example reporting forms.