Security Domain

Purpose

The Security Domain maintains technical standards and policies that apply to protecting DHS' computer information systems and resources. It includes areas such as management and operational security, cryptography, application and network security, and physical security.

DHS' technical resources and information are available to all authorized users regardless of location and platform. This being the case, DHS provides security in such a manner that DHS' information infrastructure is protected and accessible while, at the same time, its functionality is unimpeded and its business services are always readily available. With the continued development of uniform security standards and policies, DHS continues to meet these goals.

Policy

Standards

Procedures

This section consists of security standards and policies in the following areas:

  • Management Practices - Specifies the principles set in place regarding security organization. Standards in this area involve the layout of DHS' security organizational structure, the importance of security from all aspects of one's work, and other security-specific techniques for DHS employees.
     
  • Cryptography - The practice of creating and using a cryptosystem, or cipher, to prevent all but the intended recipient(s) from reading or using the information or application encrypted. A cryptosystem is a technique used to encode a message. The recipient can view the encrypted message only by decoding it with the correct algorithm. Cryptography is used primarily for communicating sensitive material across computer networks. This section describes the cryptographic techniques deployed at DHS and standards surrounding the use of encryption while communicating with DHS and DHS' business partners.
    Standards
  • Telecommunications and Network Security - Three crucial characteristics of telecommunications and network security are confidentiality, integrity, and availability. Confidentiality is the use of authorization protocols and access codes to assure that only authorized users can access message content. Integrity is the use of message linking between valid source and destination nodes to guarantee messages are complete and unmodified. Availability refers to the use of redundancy, back-ups, and fault tolerance methods to ensure a high level of server and application operability.
    Firewalls and Proxies
    A firewall is a system designed to prevent unauthorized access to and/or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, Intranet and other agency networks. All messages entering or leaving the protected network must pass through the firewall, which examines each message and blocks those that do not meet specified security criteria.
    A proxy is a local server that sits between a client application, such as a web browser, and a web server. The proxy intercepts all requests to the web server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. A proxy server has two primary purposes: to improve performance and to filter requests. It improves performance by caching web pages viewed by network users. A proxy server can filter user requests to restrict access to specific web sites.
    Policy
    Standards
    VPN Security
    A virtual private network (VPN) is a secure network constructed by using public networks to connect nodes. Typically, VPNs allow two or more secure networks to communicate over untrusted networks such as the Internet by establishing a secure tunnel or "pipeline" through the untrusted network. These systems use encryption and authentication mechanisms to ensure that only authorized users can access the secure tunnel.
    Standards
    Wireless Security
    Computer systems and applications need to deploy adequate levels of security to guard against a variety of possible attacks. Similar to network security, applications and systems security have three crucial characteristics – confidentiality, integrity, and availability. Confidentiality is the use of authorization protocols and access codes so that application and system contents remain secure. Integrity is the use of message linking between valid source and destination nodes to guarantee that application messages are complete and unmodified. Availability refers to the redundancy, backups, and fault tolerance methods used to ensure close to 100% operability. When all of such characteristics are present, access to information is private and accurate.
    Standards
    • Wireless LAN Technology (Information Technology Bulletin ITB-NET001) - Detailed overview of Wireless LAN Technologies.
  • Applications and Systems Security - Computer systems and applications need to deploy adequate levels of security to guard against a variety of possible attacks. Similar to network security, applications and systems security have three crucial characteristics – confidentiality, integrity, and availability. Confidentiality is the use of authorization protocols and access codes so that application and system contents remain secure. Integrity is the use of message linking between valid source and destination nodes to guarantee that application messages are complete and unmodified. Availability refers to the redundancy, back-ups and fault tolerance methods used to ensure close to 100% operability. When all of such characteristics are present, access to information is private and accurate.
    This section consists of the following areas:
    Policy
    • Commonwealth Host Security Software Suite Policies and Standards (Information Technology Bulletin ITB-SEC001) - Standards for use of the Commonwealth’s antivirus agent, host intrusion prevention agent (host-based intrusion prevention system), and patch management agent for all servers, workstations, and laptops connecting to the Commonwealth network, and to define related policy for enterprise host intrusion prevention software for servers at the Office of Administration/Office for Information Technology/Bureau of Infrastructure and Operations/Enterprise Server Farm.
    Guidelines
  • Physical Security - The physical controls that exist at DHS to restrict access to information resources. The security guards permit access to approved individuals in certain buildings, data centers, and county assistance offices. Certain buildings have restricted areas (Willow Oak Data Center). Such locations are locked and are protected by security card readers, which require a higher level of security clearance. Persons requiring access to tape libraries, server rooms, and other secure areas must also have additional security clearance.
    Policy
    Standards

Forms

Guidelines