State of Oklahoma Information Security Policy, Information and Guidelines

Information is a critical State asset. Information is comparable with other assets in that there is a cost in obtaining it and a value in using it. However, unlike many other assets, the value of reliable and accurate information appreciates over time as opposed to depreciating. Shared information is a powerful tool and loss or misuse can be costly, if not illegal. The intent of this Security Policy is to protect the information assets of the State.

This Security Policy governs all aspects of hardware, software, communications and information. It covers all State Agencies as well as contractors or other entities who may be given permission to log in, view or access State information.

Definitions:
  • Information includes any data or knowledge collected, processed, stored, managed, transferred or disseminated by any method.
  • The Owner of the information is the State Agency responsible for producing, collecting and maintaining the authenticity, integrity and accuracy of information.
  • The Hosting State Agency has physical and operational control of the hardware, software, communications and databases (files) of the owning Agency. The Hosting Agency can also be an Owner.

The confidentiality of all information created or hosted by a State Agency is the responsibility of that State Agency. Disclosure is governed by legislation, regulatory protections and rules as well as policies and procedures of the owning State Agency. The highest of ethical standards are required to prevent the inappropriate transfer of sensitive or confidential information.

All information content is owned by the State Agency responsible for collecting and maintaining the authenticity, integrity and accuracy of the information. The objective of the owning State Agency is to protect the information from inadvertent or intentional damage, unauthorized disclosure or use according to the owning Agency's defined classification standards and procedural guidelines.

Information access is subject to legal restrictions and to the appropriate approval processes of the owning State Agency. The owning State Agency is responsible for maintaining current and accurate access authorities and communicating these in an agreed-upon manner to the security function at the State Agency hosting the information. The hosting State Agency has the responsibility to adhere to procedures and put into effect all authorized changes received from the owning State Agencies in a timely manner.

Information security - The State Agency Director whose Agency collects and maintains (owns) the information is responsible for interpreting confidentiality restrictions imposed by laws and statutes, establishing information classification and approving information access. The hosting State Agency will staff a security function whose responsibility will be operational control and timely implementation of access privileges. This will include access authorization, termination of access privileges, monitoring of usage and audit of incidents. The State Agencies that access the systems have the responsibility to protect the confidentiality of information which they use in the course of their assigned duties.

Information availability is the responsibility of the hosting State Agency. Access to information will be granted as needed to all State Agencies to support their required processes, functions and timelines. Proven backup and recovery procedures for all data elements to cover the possible loss or corruption of system information are the responsibility of the hosting State Agency.

The hosting State Agency is responsible for securing strategic and operational control of its hardware, software and telecommunication facilities. Included in this mandate is the implementation of effective safeguards and firewalls to prevent unauthorized access to system processes and computing / telecommunication operational centers. Recovery plans are mandatory and will be periodically tested to ensure the continued availability of services in the event of loss to any of the facilities.

Development, control and communication of Information Security Policy, Procedures and Guidelines for the State of Oklahoma are the responsibility of the Office of Management and Enterprise Services. This Policy represents the minimum requirements for information security at all State Agencies. Individual agency standards for information security may be more specific than these state-wide requirements but shall in no case be less than the minimum requirements.

View the entire Information Security Policy, Procedure, Guidelines