1.0 TITLE: Security Policy and Procedures for the KANWIN Network.
1.1 EFFECTIVE DATE: October 14, 1999 Revised: April 27, 2006
1.2 TYPE OF ACTION: Update
1.3 KEY WORDS: Security policy, KANWIN, communications network, Internet, TCP/IP, IPX, routers, LAN, audit, and modem.
2.0 PURPOSE: To define responsibilities for security on the state multi-protocol network (KANWIN - Kansas Wide area Information Network) and the security policy that will be implemented by DISC for KANWIN.
3.0 ORGANIZATIONS AFFECTED: All branches, boards, commissions, departments, divisions, and agencies of state government, hereafter referred to as entities.
4.1 K.S.A 75-4709 provides that the Secretary of Administration shall make provision for and coordinate all telecommunications services for all divisions, departments and agencies of the state pursuant to policies established by the Information Technology Executive Council.
4.2 K.S.A 21-3755
5.1 Security policy is defined as a collection of statements about the sensitivity of information on a system or LAN, the requirements for how that data must be protected, and the actions to be taken in the event the protection is violated.
5.2 KANWIN is the KANsas Wide area Information Network, a wide area data network spanning the state of Kansas. This network is used or will be used by state entities, municipalities, and other local government entities. This is a multi-protocol data network, meaning that data can be transmitted in more than one form (protocol). KANWIN supports (transports) TCP/IP (open systems, Transport Control Protocol/Internet Protocol), IPX (Novell, Internet Exchange Protocol), and SNA (IBM, Systems Network Protocol).
5.3 Router is defined as a communications device that 'decides' on which path or circuit collections of data (packets) should be sent. Decisions are made based on the 'best' path to send a packet to its destination address. 'Best' can be determined by many factors, such as line speeds and cost of service (leased versus phone lines).
5.4 Dialup is defined to mean the use of a data modem and a normal dial phone line to create a temporary connection from a user site to an access point in the KANWIN network. Dialup speeds are considerably less than what is available over a frame relay circuit but are also considerably cheaper when the frequency of using the network is very low.
5.5 The Internet is defined as the international formal Department of Defense data network formed during the late 60's and early 70's. This network interconnects millions of computers world-wide. The protocol used on this network is strictly TCP/IP. There is a standardized naming and addressing policy for any site connected to this network. KANWIN follows this standard, which also means all sites connected to KANWIN must follow the standard as well. DISC maintains a registry of addresses and legal names (domain names) for use by state entities.
5.6 Shared portion of KANWIN is defined to be that network infrastructure shared by multiple entities. This includes circuits, DISC routers, DISC hubs (LAN wiring devices), our Internet link, and DISC network management systems and associated devices. Entity LANs are NOT part of the shared network nor are entity (versus DISC) hubs.
5.7 Audit is defined as the collection and periodic review of network or system access information. This assumes some computer or other device records access-related information in a secure place that can be reviewed at a later time.
5.8 Authentication is defined as the act of requiring the 'person' requesting access to a network, LAN, or system to identify themselves through one or more identification schemes. Screening only makes decisions based on source and destination addresses. Authentication makes decisions based on 'who' was at the source. Authentication can be as simple as a computer id and password or as complex as one-time passwords, challenge-response passwords, or physical identification (retinal, voice, image, etc.).
5.9 A boundary control device is defined as a computer or other communications device used to control access to/from a network or computer. The device shields a system from potential attacks by unauthorized individuals.
5.10 TELNET is a TCP/IP application that enables PCs to 'emulate' or mimic the function of a terminal across a TCP/IP network (such as KANWIN or the Internet) for accessing a remote computer.
6.1 Statement of Responsibility:
Entities are responsible for the protection of their data and LANs connected to KANWIN. DISC will be responsible for the security of the shared portion of the KANWIN (backbone routers and circuits). That is, the network responsibility ends at the router port to which the entity LAN is connected.
6.2 Network policy for KANWIN:
It is important to remember that no system is absolutely secure and any network or system can be violated given enough time. Therefore, to balance security and usability, DISC will provide high security of the network infrastructure such as routers and switches but minimal security with regard to access into and out of KANWIN at the Internet.
7.1 DISC will insert a boundary control device(s) at the external entry ports into KANWIN. The boundary control device(s) will filter at the packet level those protocols that have no reason to be crossing the network boundary including probes commonly used by hackers. Specific filtering rules will not be published for security reasons. Questions about allowed access should be addressed to DISC.
7.2 Valid traffic through the boundary control device will be permitted, but logged. All other traffic through the boundary control device shall be blocked.
7.3 DISC shall implement additional security features in site routers as necessary to secure KANWIN and its users. This could include encryption or additional filters to restrict types of outbound or inbound traffic (e.g. if there are unsecured dial modems on the LAN, we may not want to allow unrestricted TELNET from the LAN into KANWIN).
7.4 Audit: All sessions established through the boundary control devices will be recorded to an audit log. In the event of unauthorized access into KANWIN, this information will be provided to all relevant law enforcement agencies for investigation and prosecution under applicable law.
8.1 Heads of entities are responsible for establishing procedures for their organizations to comply with the requirements of this policy.
8.2 The Chief Information Technology Officer, Executive Branch is responsible for the maintenance of this policy.
9.0 CANCELLATION: Replaces ITEC Policy 4220