1.0 TITLE: Information Technology Security Self-Assessment
1.1 EFFECTIVE DATE: July 22, 2004 Revised: April 11, 2007
1.2 TYPE OF ACTION: Update
1.3 KEY WORDS: Enterprise Security Assessment, Security Self-Assessment, IT security Assessment
2.0 PURPOSE: To annually determine the status of information systems security through a self-administered assessment
3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions, and Agencies of state government, hereafter referred to as entities.
4.1 K.S.A. 1998 Supp. 75-7203 authorizes the ITEC to: Adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all state entities.
4.2 ITEC Policy 7300R1 - Information Technology Security Council Charter
4.3 ITEC Policy 7230R1 - Default Information Technology Enterprise Security Policy
4.4 ITEC Policy 5300R1 - Business Contingency Planning
4.5 ITEC Policy 5310R1 - Business Contingency Planning Implementation
4.6 Federal Information Security Management Act (FISMA) of 2002
4.7 NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
4.8 NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
4.9 National Institute of Standards and Technology (NIST) Special Publication 800-26 Security Self-Assessment Guide for Information Technology Systems
4.10 NIST Special Publication 800-30, Risk Management Guide for IT Systems
4.11 NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
4.12 NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
4.13 Federal Information Processing Standards (FIPS) PUB 199 Standards for Security ...
4.14 Federal Information Processing Standards (FIPS) PUB 200 Minimum Security ...
5.1 Self-Assessment - Adequate security of information and the systems that process it is a fundamental management responsibility. Self-Assessments provide a method for entity officials to determine the current status of their information security programs and, where necessary, establish a target for improvement.
5.2 Confidentiality - The completed Self-Assessment shall be considered confidential under the Open Records Act.
6.1 ALL entities shall complete the Self-Assessment and submit it to the ITEC Security Council or the Kansas Board of Regents, in the case of Regents Institutions.
7.1 As detailed procedures will evolve over time, entities should consult the document entitled Procedures for State of Kansas Information Technology Security Self-Assessment for the latest version. This document is available on the Internet at http://da.state.ks.us/itec/itsec/
8.1 Heads of agencies are responsible for ensuring their organization's compliance with the requirements of this policy.
8.2 The Kansas Information Technology Office is responsible for the maintenance of this policy.
9.0 CANCELLATION: None