Information Security Standards


Management Security Standards


These standards specify security controls (i.e., safeguards or countermeasures) for information assets that focus on the management of information security risk and the management of the information asset.

  1. Information Classification: Owners of information shall classify all information under their control. The criteria set forth in State Administrative Manual (SAM) Section 5320.5 shall be utilized to classify SCO information.

  2. Critical Application Classification: For disaster recovery and business continuity planning purposes, owners of information shall determine which of the information technologies they use are critical applications. A critical application is an information technology so important to the SCO's mission and business that its loss or unavailability is unacceptable. For a critical application, even short-term unavailability of the information or service it provides would have a significant negative impact on the health and safety of the public or state workers; on the business, fiscal, or legal integrity of SCO or state operations; or on the continuation of essential SCO programs.

  3. Security and Privacy Assessment: For all information technology projects that involve the processing of information classified as confidential or sensitive, or that result in the development of a critical application, the SCO Information Security Office (ISO) shall conduct a security assessment to determine the information security impact level of the project. As part of the assessment, the ISO will recommend appropriate information security controls (i.e., safeguards or countermeasures) for inclusion in the project's System Security Plan (SSP) so that the security objectives (e.g., privacy, confidentiality, integrity, and availability) are met.

  4. Project System Security Plans: For all information technology projects that involve the processing of information classified as confidential or sensitive, or that result in the development of a critical application, the project shall develop and document a System Security Plan (SSP). An SSP provides an overview of the security requirements for the information system, approved by the owner of information, and describes the security controls in place or planned for meeting those requirements. SSPs should be updated at least once every three years and whenever significant changes occur to the system.

  5. Security Certification and Accreditation: For all information technology projects that involve the processing of information classified as confidential or sensitive, or that result in the development of a critical application, the SCO ISO shall conduct a security certification. A security certification is an evaluation of the security control features (i.e., safeguards or countermeasures) of a system. The ISO shall provide the appropriate owner of information with a security certification report, which the owner uses to accredit the system for production. Any significant change to a system, to its physical environment, or to its users, and any deviation from the SSP specifications, shall require a review of the impact on the security of the system and shall require re-accreditation. All systems shall be re-accredited at least every three years and whenever a major change occurs.

  6. Security Vulnerability Scanning: All SCO web systems, applications, and servers shall undergo vulnerability scanning at least quarterly and whenever significant changes are made to the system, application, or server.

  7. System Interconnectivity / Information Sharing: Written authorization from the applicable owner of information shall be obtained before connecting an information asset to other systems and before sharing confidential or sensitive information.

  8. System Inventory: Owners of information, supported by custodians, shall develop and maintain an inventory of all systems under their control that process confidential or sensitive information or that are critical applications. Inventories shall be updated annually and whenever significant changes occur to a system. Copies of the inventory shall be made available to the SCO Information Security Office and the Information Systems Division for risk management, enterprise management, and documentation purposes.

  9. Information Security Standard Violation Disciplinary Action: The appropriate appointing authority is responsible for conducting any disciplinary or adverse actions against SCO contractors or personnel who violate SCO ISPM standards.


