The Security Domain maintains technical standards and policies that apply to protecting DHS' computer information systems and resources. It includes areas such as management and operational security, cryptography, application and network security, and physical security.
DHS' technical resources and information are available to all authorized users regardless of location and platform. This being the case, DHS provides security in such a manner that DHS' information infrastructure is protected and accessible while, at the same time, its functionality is unimpeded and its business services are always readily available. With the continued development of uniform security standards and policies, DHS continues to meet these goals.
This section consists of security standards and policies in the following areas:
- Management Practices - Specifies the principles set in place regarding security organization. Standards in this area involve the layout of DHS' security organizational structure, the importance of security from all aspects of one's work, and other security-specific techniques for DHS employees.
- Organizational Structure - Defines DHS' hierarchy of security personnel.
- Commonwealth Desktop and Laptop Technology Standards (Information Technology Bulletin ITB-PLT001) - Identifies the software and hardware that will be supported and provides desktop policy standards regarding best practices for support team members as well as end-users.
- Security Awareness - Throughout DHS are banners, bulletins, and advertisements that promote security awareness. This is a way for DHS to educate its employees about the importance of keeping sensitive information (passwords, login IDs, confidential business information) secure. This section details the procedures and guidelines surrounding the security awareness training methods.
- OA/OIT Security Policies - The Governor's Office of Administration/Office of Information Technologies (OA/OIT) has security standards and procedures in place for all Commonwealth agencies.
Users may view the entire list of Commonwealth Information Technology Bulletins or Management Directives.
- Electronic Commerce Interface Guidelines (ITB B.2) - Guidelines for development and implementation of electronic commerce technologies that facilitate enterprise-wide interoperability and standardization.
- Cryptography - The practice of creating and using a cryptosystem, or cipher, to prevent all but the intended recipient(s) from reading or using the information or application encrypted. A cryptosystem is a technique used to encode a message. The recipient can view the encrypted message only by decoding it with the correct algorithm. Cryptography is used primarily for communicating sensitive material across computer networks. This section describes the cryptographic techniques deployed at DHS and standards surrounding the use of encryption while communicating with DHS and DHS' business partners.
- Telecommunications and Network Security - Three crucial characteristics of telecommunications and network security are confidentiality, integrity, and availability. Confidentiality is the use of authorization protocols and access codes to assure that only authorized users can access message content. Integrity is the use of message linking between valid source and destination nodes to guarantee messages are complete and unmodified. Availability refers to the use of redundancy, back-ups, and fault tolerance methods to ensure a high level of server and application operability.
Firewalls and Proxies
A firewall is a system designed to prevent unauthorized access to and/or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, Intranet and other agency networks. All messages entering or leaving the protected network must pass through the firewall, which examines each message and blocks those that do not meet specified security criteria.
A proxy is a local server that sits between a client application, such as a web browser, and a web server. The proxy intercepts all requests to the web server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. A proxy server has two primary purposes: to improve performance and to filter requests. It improves performance by caching web pages viewed by network users. A proxy server can filter user requests to restrict access to specific web sites.
A virtual private network (VPN) is a secure network constructed by using public networks to connect nodes. Typically, VPNs allow two or more secure networks to communicate over untrusted networks such as the Internet by establishing a secure tunnel or "pipeline" through the untrusted network. These systems use encryption and authentication mechanisms to ensure that only authorized users can access the secure tunnel.
Wireless Security
- Wireless LAN Technology (Information Technology Bulletin ITB-NET001) - Detailed overview of Wireless LAN Technologies.
- Applications and Systems Security - Computer systems and applications need to deploy adequate levels of security to guard against a variety of possible attacks. Similar to network security, applications and systems security have three crucial characteristics – confidentiality, integrity, and availability. Confidentiality is the use of authorization protocols and access codes so that application and system contents remain secure. Integrity is the use of message linking between valid source and destination nodes to guarantee that application messages are complete and unmodified. Availability refers to the redundancy, back-ups and fault tolerance methods used to ensure close to 100% operability. When all of these characteristics are present, access to information is private and accurate.
This section consists of the following areas:
- Data Classification - Data Classification refers to the sensitivity of certain information at DHS. Data is classified according to the security needed for it.
- Enterprise Platform - Security standards and policies regarding DHS' enterprise computing platforms. The enterprise platform maintains critical applications residing on a large operating environment. DHS uses enterprise servers for multi-user access to a range of applications, from mainframe applications to web applications. The types of operating systems supported on the enterprise platform include Unisys OS 2200, Sun Solaris, and Microsoft Windows 2000.
- Desktop - Security standards and policies for DHS' desktop computing platforms. The desktop platform is specifically engineered for client applications running on desktop operating systems, and has adequate hardware to support one user. The "end-user" typically operates on a client, or desktop, platform when performing any type of computer related work.
The current desktop platform at DHS uses Microsoft's Windows 2000 Professional operating system. This operating system uses multiprocessing, multithreading, and multitasking technology. Windows 2000 uses Windows NT technology for network communication, file system structure, security, and other kernel specific features. For its interface, Windows 2000 uses Windows 95/98 technology.
- Desktop and Server Software Patching Policy (Information Technology Bulletin ITB-PLT002) - In an effort to better secure the Commonwealth network and computing infrastructure, all server and desktop platforms are to be kept up-to-date with service packs and security patches.
- Commonwealth of Pennsylvania Data Cleansing Policy (Information Technology Bulletin ITB-SYM009) - Provides information pertaining to the sanitization and/or destruction of leased or state-owned computer system hard drives, removable media and hand-held devices.
- Web - Standards and policies pertaining to web security at DHS. Such standards involve several security techniques regarding user access and interaction with the web, Commonwealth Internet Access, e-mail communication, web development, etc.
- Commonwealth External Web Site Linking Policy (Information Technology Bulletin ITB APP007) - Commonwealth agencies, boards and commissions under the Governor’s jurisdiction are to establish a policy for including links to external (non-Commonwealth) Web sites.
- Commonwealth Internet Access (Management Directive 205.29) - General directives regarding acceptable use of Internet access and e-mail systems. Allows for "limited, occasional, and incidental" personal use of the Internet.
- DHS Internet Policy - General policies
- Virus Protection - Virus protection utilities are on both servers and desktops throughout DHS and are part of the base image for all Department PCs. Virus protection is also available to employees for home personal computers to ensure a maximum amount of protection when working from home.
- Commonwealth Host Security Software Suite Policies and Standards (Information Technology Bulletin ITB-SEC001) - Standards for use of the Commonwealth’s antivirus agent, host intrusion prevention agent (host-based intrusion prevention system), and patch management agent for all servers, workstations, and laptops connecting to the Commonwealth network, and to define related policy for enterprise host intrusion prevention software for servers at the Office of Administration/Office for Information Technology/Bureau of Infrastructure and Operations/Enterprise Server Farm.
- Physical Security - The physical controls that exist at DHS to restrict access to information resources. The security guards permit access to approved individuals in certain buildings, data centers, and county assistance offices. Certain buildings have restricted areas (Willow Oak Data Center). Such locations are locked and are protected by security card readers, which require a higher level of security clearance. Persons requiring access to tape libraries, server rooms, and other secure areas must also have additional security clearance.
- Unified Security - All formal DHS standards and policies regarding the implementation of the Unified Security Solution.