1.0 TITLE: General Information Technology Enterprise Security Policy
1.1 EFFECTIVE DATE: August 2001 Revised: April 27, 2006
1.2 TYPE OF ACTION: Update
1.3 KEY WORDS: Enterprise Security Policy, Information Security, User Security, Physical Security, Security Requirements, Network Security, Security Administration, Security Incident Response.
2.0 PURPOSE: To define the requirements for enterprise information technology security policy.
3.0 ORGANIZATIONS AFFECTED: All branches, boards, commissions, departments, divisions and agencies (excluding Regents Institutions) of Kansas state government, hereafter referred to as Entities.
4.1 K.S.A. 75-4709 under Article 47.--INFORMATION SYSTEMS AND COMMUNICATIONS provides that the Secretary of Administration shall make provision for and coordinate all telecommunications services for all entities of the state pursuant to policies established by the Information Technology Executive Council.
5.1 Security policy is defined as a collection of statements about the sensitivity of information on a system or LAN, the requirements for how that data must be protected, and the actions to be taken in the event the protection is violated.
5.2 Default Information Technology Security Requirements [attachment 7230A] is defined as the document, published by the Kansas Information Technology Executive Council, that all agencies without their own information technology security policies will adopt and implement.
5.3 Minimum Security Requirements is defined as follows: If there is a conflict between the Default Information Technology Security Requirements and the entity’s information technology security policy document, the document with the more stringent controls will take precedence.
6.1 Statement of Responsibility:
Entities are responsible for their own security policy and procedures and implementing such policy.
6.2 Minimum Security Requirements:
Entities’ information security policy must be at least as stringent as the Default Information Technology Security Requirements.
6.3 Default Security Requirements:
Entities that do not have their own Information Technology Security Policy are to adopt and implement the Default Information Technology Security Requirements as their own Security Policy.
7.0 PROCEDURES: Entities without security policies should refer to Sections 6.2 and 6.3 of this Policy.
8.1 Heads of entities are responsible for establishing procedures for their organizations to comply with the requirements of this policy.
8.2 The Chief Information Technology Officer, Executive Branch is responsible for the maintenance of this policy.
9.0 CANCELLATION: Replaces ITEC Policy # 4230 titled, ‘General Information Technology Enterprise Security Policy’.