Office of Management and Enterprise Services (OMES)

CORE Security

Memo Announcing Security Policy, Procedures and Guidelines

July 12, 2004

The CORE Security Team is seeing several violations of the State and OSF Security Policy. Below are some points from both the policy and the CORE OSF 301 Form provided as a reminder to your end users.

The Office of State Finance will adhere to all Security Policies for all applications in which they provide service, including all the PeopleSoft applications which are currently or planned to be installed. There will not be any tolerance of a policy breach and any breach will be handled in accordance with the published Security Policies.

State and OSF Security Policy

2.1 Information Confidentiality

The overriding premise is that all information hosted or created by a State Agency is property of the State. As such, this information will be used solely for performance of position related duties. Any transfers or disclosures are governed by this rule.

The confidentiality of all information created or hosted by a State Agency is the responsibility of all State Agencies. Disclosure is governed by legislation, regulatory protections, rules as well as policies and procedures of the State and of the owning State Agency. The highest of ethical standards are required to prevent the inappropriate transfer of sensitive or confidential information.

Release of information is strictly for job related functions. Confidentiality is compromised when, knowingly or inadvertently, information crosses the boundaries of job related activities.

Users must be required to follow good security practices in the selection and use of passwords. Passwords provide a means of validating a user’s identity and thereby establish access rights to information processing facilities or services. All agency staff must be advised to:

  • keep passwords confidential,
  • avoid keeping a paper record of passwords, unless this can be stored securely,
  • change passwords whenever there is any indication of possible system or password compromise,
  • select quality passwords with a minimum length of eight characters which are:
    • easy to remember,
    • not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers and dates of birth etc.,
    • free of consecutive identical characters or all-numeric or all-alphabetical groups,
  • change passwords at regular intervals (passwords for privileged accounts should be changed more frequently than normal passwords),
  • avoid reusing or cycling old passwords,
  • change temporary passwords at the first log-on,
  • not include passwords in any automated log-on process, e.g. stored in a macro or function key, and
  • not share individual user passwords.

2.4 Information Security

The State Agency Director whose Agency collects and maintains (owns) the information is responsible for interpreting all confidentiality restrictions imposed by laws and statutes as well as establishing information classification and approving information access. The hosting State Agency will staff a Security Administration function whose responsibility will be operational control and timely implementation of access privileges.

System limitations may prevent all of the following procedures from being implemented; however, when possible, these rules apply:

  • Passwords will be required to be a minimum of 8 characters long, containing at least one (1) numeric character.
  • Passwords will expire in a maximum of 90 days.
  • Passwords will be deactivated if not used for a period of 60 days.
  • Passwords for a given user should not be reused in a 12 month period.

The State Agencies that access the systems have the responsibility to protect the confidentiality of information which they use in the course of their assigned duties.

6.2 Password Resets

Password resets are the responsibility of the hosting state agency’s help desk function. Identities of requestors will be verified by the help desk, logged and confirmed back to the user at the respective State Agency.

It is the responsibility of the requestor from all State Agencies, in requesting a password reset, to confirm their identity. This may be accomplished by:

  • Providing their name
  • Answering a unique question and answer submitted on sign up, such as place of birth, mother’s maiden name, etc.
  • Providing additional information as may be requested, such as:
    • Agency
    • Phone number

The responsibility of the host agency’s Help Desk is to:

  • Confirm the identity of the requestor
  • Report all suspicious activity to the Security Administrator immediately. Discrepancies in answers, inability to provide the correct User ID, frequent requests for changes to the same User ID, or obvious password sharing constitute security breaches and will be reported.
  • Reset the password
  • Log details of the call
  • Confirm the password reset to the user registered to the User ID via e-mail
  • Report activity monthly to each State Agency involved.

OSF 301 Form Security Section

"Users are responsible for protecting their access authorization and must take steps to prevent others from using their User ID. Users will construct good passwords and manage them securely, keeping their passwords secret and not sharing them with others. If a user has reason to believe that others have learned his/her password, the user will change the password and notify the Help Desk of the situation. Users will not attempt to use the logons and passwords of others."

"If a user finds that they have access to data they believe they are not authorized to view, they will exit from that data and report the problem to OSF Security."

If you have any questions concerning the policy or OSF Form 301, please call the OSF Help Desk at (405) 521-2444.

Last Modified on 02/12/2011
Copyright © State of Oklahoma